ab57 is newer than beta2
Thanks Normis, have a nice weekend and thanks for your hard work.
*) igmp-proxy - refactored IGMP querier;
Really hoping that this fixes the IPTV issues we are having with Movistar Spain (SUP-152693)
*) wifi - added multi-passphrase (PPSK) support (CLI only);
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
Oh! 😳
*) wifi-qcom - added Superchannel country profile;
Nice!
CAP failed to join MikroTik (::ffff:127.0.0.1:5246)
CAP connect to MikroTik (::ffff:127.0.0.1:5246) failed: timeout
Oh!
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
I have some remote Chateau (and other) devices with partitions. After update to 7.17beta2 and later I can not switch the active partition if the backup partition booted for whatever reason?
you will have to enable this feature with the button or a cold reboot (power unplug), then you can switch partitions again
*) mpls - added fast-path support for VPLS;
This is huge, anyone has any performance improvement numbers?
*) igmp-proxy - refactored IGMP querier;
Really hoping that this fixes the IPTV issues we are having with Movistar Spain (SUP-152693)
My illusion vanished. Tested and still having the TV cuts.
you will have to enable this feature with the button or a cold reboot (power unplug), then you can switch partitions again
Sure, I got that... But devices are remote and I do not have physical access...
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
Oh!
I have some remote Chateau (and other) devices with partitions. After update to 7.17beta2 and later I can not switch the active partition if the backup partition booted for whatever reason?
/system/device-mode/update partitions=yes
*) wifi - show authentication type and wireless standard used by each client in registration table;
My illusion vanished. Tested and still having the TV cuts.
Refactoring does not change functionality or fix bugs. It is just a process of "restructuring"/cleanup of source code.
Really hoping that this fix the IPTV issues we are having with Movistar Spain (SUP-152693)
Only supported on wifi-qcom interfaces; if a wifi-qcom-ac AP has a client that uses a passphrase that has a vlan-id associated with it, the client will not be able to join.
No. You will have to enable downgrade in device-mode, after that it works as before.
How then should we understand this?
Note, downgrade mode does not allow running the /system package downgrade command, but you can switch between RouterOS release channels (stable, testing, etc.) and change RouterOS versions.
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
Since y'all are making changes in device-mode... One request: there should be some netinstall option (or another tool) to set the device-mode upon provisioning, since it is not convenient to set if you deal with many routers. Since physical access is required for netinstall, I don't think that changes the security model. For CPEs, it would be nice to restrict more in device-mode... but that's not so easily automated. For my case, being able to set device-mode, without a power-cycle, from a netinstall/branding defconf (/system/default-configuration) would be ideal.
The device-mode can be changed by the user, but remote access to the device is not enough to change it.
*) mpls - added fast-path support for VPLS;
Is there any updated documentation on fast-path? The information I could find is very outdated (https://help.mikrotik.com/docs/pages/vi ... S-FastPath).
BGP still missing ibgp-rr-client local.role since 7.16
It will be missing because ibgp-rr-client had no special meaning, it is the same as ibgp.
How then should we understand this?
You can still downgrade from 7.17beta2 to 7.16 by switching the channel from testing to stable. That works for the version channels only.
From https://help.mikrotik.com/docs/display/ROS/Device-mode
Note, downgrade mode does not allow running the /system package downgrade command, but you can switch between RouterOS release channels (stable, testing, etc.) and change RouterOS versions.
BGP still missing ibgp-rr-client local.role since 7.16
It will be missing because ibgp-rr-client had no special meaning, it is the same as ibgp.
I'm losing l2vpn routes ever since 7.16
> routing/route/print where afi=l2vpn
Flags: H - HW-OFFLOADED
Columns: DST-ADDRESS, AFI
DST-ADDRESS AFI
H 56286:100 l2vpn
> routing/route/print where afi=l2vpn
Flags: U - UNREACHABLE, A - ACTIVE; b - BGP; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TARGET-SCOPE IMMEDIATE-GW
bH+ 56286:100 10.1.4.1 l2vpn 200 40 30 100.121.4.5%vlan2142
100.122.4.5%vlan2242
AbH+ 56286:100 10.1.4.1 l2vpn 200 40 30 100.121.4.5%vlan2142
100.122.4.5%vlan2242
AbH+ 56286:100 10.1.4.2 l2vpn 200 40 30 100.121.4.5%vlan2142
100.122.4.5%vlan2242
bH+ 56286:100 10.1.4.2 l2vpn 200 40 30 100.121.4.5%vlan2142
100.122.4.5%vlan2242
UbH 56286:100 10.2.4.2 l2vpn 200 40 30
UbH 56286:100 10.2.4.2 l2vpn 200 40 30
H 56286:100 l2vpn 0
UbH 56286:100 10.2.4.2 l2vpn 200 40 30
H 56286:100 l2vpn 0
UbH 56286:100 10.2.4.2 l2vpn 200 40 30
UbH 56286:100 10.2.4.2 l2vpn 200 40 30
H 56286:100 l2vpn 0
bH+ 56286:100 10.3.4.1 l2vpn 200 40 30 100.121.4.5%vlan2142
100.122.4.5%vlan2242
AbH+ 56286:100 10.3.4.1 l2vpn 200 40 30 100.121.4.5%vlan2142
100.122.4.5%vlan2242
[admin@roca] /interface> print group-by=running
group-by is to be used with count-only or show-ids
[admin@roca] /interface> /ip route
[admin@roca] /ip/route> print group-by=vpn
group-by is to be used with count-only or show-ids
[admin@roca] /ip/route>
"So PPSK is available only on ax devices" - no, the limitation is only if you use vlan-id. You can still use the multi-passphrase feature on wifi-qcom-ac interfaces, it's just that you can't use entries that would assign vlan-id. "vlan-id" will only work with wifi-qcom interfaces.
What a pity. Assigning VLAN ID is a major use case. I hope that wifi-qcom-ac overcomes this restriction here and also in datapath one day.
you will have to enable this feature with the button or a cold reboot (power unplug), then you can switch partitions again
We have ~2000 devices high up on towers, some of them hundreds of kilometers away. Are you saying that once we upgrade to v7.17, we won't be able to downgrade them to an older version? That's a big yikes.
on 7.16 and above
before 7.16
> routing/route/print where afi=l2vpn
Flags: H - HW-OFFLOADED
Columns: DST-ADDRESS, AFI
DST-ADDRESS AFI
> routing/route/print where afi=l2vpn
Flags: U - UNREACHABLE, A - ACTIVE; b - BGP; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TARGET-SCOPE IMMEDIATE-GW
The width of the current terminal does affect how many columns it outputs.... sure it ain't that?
"So PPSK is available only on ax devices" - no, the limitation is only if you use vlan-id. You can still use the multi-passphrase feature on wifi-qcom-ac interfaces, it's just that you can't use entries that would assign vlan-id. "vlan-id" will only work with wifi-qcom interfaces.
Understood, but as @infabo stated, assigning VLANs is a major use case here. But in my case it doesn't matter much. All of my devices at home are ax.
Thanks for ZT update, have a good weekend all.
+1
*) zerotier - upgraded to version 1.14.0;
*) mpls - added fast-path support for VPLS;
This is huge, anyone has any performance improvement numbers?
I'm interested too! :P
*) zerotier - upgraded to version 1.14.0;
+1
+½
you will have to enable this feature with the button or a cold reboot (power unplug), then you can switch partitions again
Sure, I got that... But devices are remote and I do not have physical access...
I agree that this is BAD. I always put a second partition on routers, and do all upgrades remotely.
Definitely something to be handled with care.
Very sure
The width of the current terminal does affect how many columns it outputs.... sure it ain't that?
*) mpls - added MPLS mangle support;
Yes, Mikrotik, thank you! This was needed for so long.
The width of the current terminal does affect how many columns it outputs.... sure it ain't that?
Very sure
Hmm, I couldn't repro in 7.17beta, RB1100AHx, WinBox4 terminal:
routing/route/print where afi~"ip6"
Flags: U - UNREACHABLE, A - ACTIVE; c - CONNECT, d - DHCP; H - HW-OFFLOADED; B - BLACKHOLE
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TARGET-SCOPE IMMEDIATE-GW
Ac ::1/128 lo ip6 0 10 5 lo
*) dns - DoH whitelist support for adlist using static FWD entries;
Could you please provide some samples of how to use this?
*) dns - whitelist support for adlist using static FWD entries;
*) leds - fixed issue where interface LEDs might not properly disable in some cases;
Would be nice if you added the ability to disable LEDs on CRS310-8G+2S+, if that is possible.
What's new in 7.17beta2 (2024-Sep-27 10:07):
Awesome changelog, Mikrotik team.
Wish we could get MPLS/VPLS and PPPoE multi-core processing; that feature would be a real game changer.
I've just upgraded my RB5009, hAP ax3 and hAP ac3 from v7.16rc5 to v7.17beta2 and so far so good.
I just noticed that:
- An OpenVPN server was created during the upgrade. Fixed that with /interface/ovpn-server/servers/remove [find]; and
- /zerotier now shows disabled=no disabled=no.
Other than that, a very clean upgrade despite the lengthy changelog. Good work MikroTik!
Hmm, I couldn't repro in 7.17beta, RB1100AHx, WinBox4 terminal:
Very sure
routing/route/print where afi~"ip6"
Flags: U - UNREACHABLE, A - ACTIVE; c - CONNECT, d - DHCP; H - HW-OFFLOADED; B - BLACKHOLE
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TARGET-SCOPE IMMEDIATE-GW
Ac ::1/128 lo ip6 0 10 5 lo
My case is BGP-signaled VPLS, using a Cisco route reflector.
Still I'd try winbox, or ssh if already using winbox... Maybe something broke here, dunno... just your TERMCAPS be my first bet.
*) health - removed board-temperature on RB5009UPr+S+IN device;
why?
*) health - removed board-temperature on RB5009UPr+S+IN device;
why?
Well, I noticed that the value is ridiculous. On most devices it is higher than the CPU temperature, on one device even 10 degrees higher.
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
1. what does the bootloader restriction do?
*) adlist - optimized import on system with low disk space;
Same also for me, I will wait for the new beta with CAPsMAN working 😅
Worked well on my hap ac2's. 260+ entry list.
However, they would no longer operate as caps, so i reverted back for the time being.
*) dhcpv4-client - respect Renewal-Time (58) and Rebinding-Time (59) options;
Hurray! Hurray!
*) dhcpv6-client/server - added support for DHCPv6 reconfigure messages;
*) dhcpv6-server - include all existing prefixes (with lifetime 0) in renew reply and new prefix if RADIUS returns different prefix;
Hi,
v7.17Beta2 and v7.17ab57. They cause me a "high" CPU consumption, IPSEC process. Reverting to v7.16 "stabilizes" the CPU, but policies may become stuck again, we'll see over the weekend.
*) crypto - improve crypto speeds;
*) pppoe - added support for PPPoE server over 802.1Q VLANs;
it is huge!
Can we please get some documentation on this feature. It's potentially a game changer...
*) zerotier - upgraded to version 1.14.0;
Thanks for ZT update, have a good weekend all.
+1
There are also newer options in ZeroTier too that are not exposed... yet? i.e. be nice to control multipath and enable low-bandwidth mode
Has anyone checked if private moons support is really working?
Wish we could get MPLS/VPLS and PPPoE multi-core processing; that feature would be a real game changer.
Both requests are well-founded!
*) mpls - added fast-path support for VPLS;
*) pppoe - added support for PPPoE server over 802.1Q VLANs;
it is huge!
Can we please get some documentation on this feature. It's potentially a game changer...
Sounds like the "stacked-vlan-ranges dynamic-profile" for vlan demux of Junos, or the "user-vlan any-other" of Huawei.
we tested in the lab.
No need to have the vlan interfaces created on the ethernet interface, just one pppoe-server specifying all the vlan id where it could work and applied on the ethernet interface.
And all the pppoe-client on the vlans get authenticated!
No need to have the vlan interfaces created on the ethernet interface, just one pppoe-server specifying all the vlan ids where it could work and applied on the ethernet interface.
What if I want one specific vlan in a range to operate on a different profile?
What if I want one specific vlan not to listen for PPPoE?
I don't need this but I can see how, in the ISP world, this would be handy: benefits of VLANs for switching and PPPoE for accounting/etc.
Well, I noticed that the value is ridiculous. On most devices it is higher than the CPU temperature, on one device even 10 degrees higher.
why?
It is still advertised as having a PCB temperature monitor:
Probably someone has researched that and concluded that the circuitry is wrong and the value cannot be used.
My crystal ball tells me there is...
Hey @Amm0, it probably will sound weird... haha
*) wifi-qcom - added Superchannel country profile;
Impossible for wifi-qcom-ac?
What a pity. Assigning VLAN ID is a major use case. I hope that wifi-qcom-ac overcomes this restriction here and also in datapath one day.
That already works with RADIUS.
Hi,
v7.17Beta2 and v7.17ab57. They cause me a "high" CPU consumption, IPSEC process. Reverting to v7.16 "stabilizes" the CPU, but policies may become stuck again, we'll see over the weekend.
*) crypto - improve crypto speeds;
Hi, 🤔
/ip/ipsec/installed-sa/print
Wow! This is another great release, congratulations to the whole team!
---
*) bth - improved stability on system time change;
Is there any info on cases when this can cause crashes? We observed some hangs and it appears to be related to time changes, but since they're very infrequent it's hard to debug.
Overall, it would be amazing if changelogs could contain or link to some information about what "improved stability of X" actually means. Naturally I'm not asking for a full writeup, as this would be horrendously time consuming, but a single sentence on approximately what scenarios this can apply to.
*) dhcpv6-client - added prefix-address-list parameter
*) firewall - added none-dynamic and none-static arguments for IPv6 address-list-timeout settings
Is this maybe a preparation to support prefix mask, similarly to how ip6tables allows it, or am I reading too far? ;)
*) ptp - added dynamic switch ACL rules in order to trap PTP packets to CPU instead of forwarding
Is there any device support matrix, or any device with hardware ACLs that can utilize that? Is it possible to copy-and-forward instead of just forwarding to CPU?
---
Possible SYN FLOODING on ports?
should I be worried or is it normal
@Coughy: Welcome to the open Internet - if you're not hosting anything on these ports just DROP on WAN. If you are, just ignore it and accept automatic scanners are normal nowadays.
Would be great if MikroTik had rDNS for DHCP clients, I miss being able to identify the clients making requests to my Adguard Home server.
You can add a script that will be run when the DHCP server issues a lease, and in that script you can add a static DNS entry.
Strange, but I got this error on devices inside the local network (wireless access points and switches):
possible SYN flooding on tcp port 8291
Set up a firewall rule to log addresses trying to reach these ports
7.17beta2 does not solve the problem of disconnecting wifi on AX devices. I am very disappointed, I really wanted to buy a Mikrotik router, because it provides great flexibility of settings, but now I see that Mikrotik engineers cannot cope even with basic tasks. Why should I, like an idiot, go through the firmware in the hope that they fixed the banal problem of disconnecting wifi on AX devices, which everyone has known about for a long time.
Again, this was broken after 7.15beta8. Everything that was there before works fine. It's been more than half a year...
If you cannot solve it yourself, roll back the Qualcomm driver. I am very disappointed. I use more than 400 Mikrotik devices in my work as a system administrator, and I always recommended them to my clients, but apparently this has come to an end.
I had the same problems as you; disabling WPA3 solved the problem. WiFi is now really rock solid. I hope Mikrotik solves this in the future.
Anyone got problems with DHCP on this version? Seems that addresses are not getting assigned, had to revert back to 7.16
What do your logs say? If you are experiencing a problem please create a supout.rif file and open a ticket with support so they can fix the bug.
*) wifi - added multi-passphrase (PPSK) support (CLI only);
Would be great if MikroTik had rDNS for DHCP clients, I miss being able to identify the clients making requests to my Adguard Home server.
I guess it can be done with scripting on DHCP leases.
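The two replies above (a lease script that adds a static DNS entry) sketched as an added example; this is not code from the thread or from MikroTik. It uses the variables RouterOS hands to a DHCP server lease-script ($leaseBound, $leaseActIP, $leaseActMAC, $"lease-hostname"); the DNS suffix "lan.example", the comment tag "dhcp-auto" and the server name "dhcp1" are assumptions. It maintains a forward A record per client; whether your resolver can use that for reverse lookups depends on the resolver, so treat it as the name-to-address half of what the poster asked for.

```routeros
# Added example, not from the thread: lease-script for /ip dhcp-server that keeps one
# static A record per client so the local resolver (or AdGuard Home pointed at it) can
# show names instead of addresses.
# $leaseBound (1 = bound, 0 = released), $leaseActIP, $leaseActMAC and
# $"lease-hostname" are supplied by the DHCP server. The suffix "lan.example" and the
# comment tag "dhcp-auto" are assumptions.
#
# Install with (when set from the CLI, quotes and $ inside the script must be escaped
# as \" and \$; assigning it from WinBox/WebFig needs no escaping):
#   /ip dhcp-server set [find name="dhcp1"] lease-script="<this script>"

:local suffix "lan.example"
:local tag "dhcp-auto"
:local host $"lease-hostname"
:local mac $leaseActMAC

# one record per MAC: drop any earlier entry for this client first, so re-binds,
# address changes and releases never leave stale names behind
:local marker ($tag . " " . $mac)
:local old [/ip dns static find comment=$marker]
:if ([:len $old] > 0) do={ /ip dns static remove $old }

:if ($leaseBound = 1) do={
    # clients that send no hostname get a name derived from the MAC (colons dropped)
    :if ([:len $host] = 0) do={
        :set host ("client-" . [:pick $mac 0 2] . [:pick $mac 3 5] . [:pick $mac 6 8] . \
            [:pick $mac 9 11] . [:pick $mac 12 14] . [:pick $mac 15 17])
    }
    /ip dns static add name=($host . "." . $suffix) address=$leaseActIP ttl=10m comment=$marker
    :log info ("dhcp-dns: " . $host . "." . $suffix . " -> " . $leaseActIP)
}
```

Tagging each record with the MAC in the comment is what makes the script idempotent: the lease script runs on every bind and release, and looking the old entry up by that tag rather than by name means a client that changes its hostname does not accumulate duplicates.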
Something strange happens with wireguard.
Only 2 of 5 wireguard peer connections connect.
Copy-pasted keys from scratch but no connection at all
have seen that happen, especially when wan dhcp renews and my wireguard connections freak out and some will not connect again. no amount of disable/enable of peer/interface works. your best option is delete the interface and recreate it. i have a script now to recreate all my wireguard connections.
*) wifi - added multi-passphrase (PPSK) support (CLI only);
any documentation? example?
https://help.mikrotik.com/docs/display/ ... Properties
Scroll down / search for "multi-passphrase".
ok so fun fact i dropped to wan these ports
guess what i cant log into the router via winbox with the ip address??
i can only log in via the mac id
so it is winbox trying to open /connect to ports in the router
i disabled the ports i was dropping to wan and i can now log in to the router again with the ip from winbox
EDIT: PORT 8291 is the one dropping for winbox, deleted it, now i can login via ip from winbox
Set an address list, call it "support", add the IP range you wish to be able to access the router from, then add the rule:
Vlan Demux Interface - auto decapsule vlansWhat's new in 7.17beta2 (2024-Sep-27 10:07):
*) pppoe - added support for PPPoE server over 802.1Q VLANs;
/ip firewall address-list
add address=X.X.X.X/X list=support
/ip firewall filter
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp src-address-list=support
Or you could use port knock
/ip firewall filter
add action=add-src-to-address-list address-list=port:6789 \
address-list-timeout=15s chain=input dst-port=6789 protocol=tcp
add action=add-src-to-address-list address-list=support address-list-timeout=\
5m chain=input dst-port=1778 protocol=udp src-address-list=port:6789
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=\
tcp src-address-list=support
I feel like they solved the right problem the wrong way...
cheers My GURU
did the address list version, see if i did it correctly and if it works for me lol
so far it is, give it a couple days to test more
but ty for the help, that's above my pay grade
i have created a drop to wan like this
add action=drop chain=input comment="Blocked ports" protocol=tcp dst-port=8728,53,2828
Is this the way to do it?
cheers pete
Very good, you could also put it before the winbox accept rule below;
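The lockout described above (a broad input drop that also caught WinBox over LAN) and the earlier suggestion to log who is hitting the management ports, put together as an added example; this is not configuration from the thread or from MikroTik. The interface list name "WAN", ether1 as the uplink and the management prefix 203.0.113.0/24 are assumptions; on a router that still carries the default configuration the WAN list already exists, so skip the first two lines.

```routeros
# Added example, not from the thread: input-chain policy that keeps WinBox reachable
# from a trusted address list, records sources probing management ports, and drops
# everything else on WAN only. Because every restrictive rule matches on
# in-interface-list=WAN, LAN management cannot be cut off the way the
# "Blocked ports" rule without an interface match did.
# Assumptions: interface list "WAN", ether1 as uplink, 203.0.113.0/24 as admin prefix.

/interface list add name=WAN comment="uplink interfaces (assumed)"
/interface list member add list=WAN interface=ether1

/ip firewall address-list
add list=support address=203.0.113.0/24 comment="admin stations (assumed prefix)"

/ip firewall filter
# order matters: rules are evaluated top to bottom and the first match wins
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop comment="drop broken state"
add chain=input in-interface-list=!WAN action=accept comment="management from LAN stays open"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 src-address-list=support \
    action=accept comment="WinBox from the support list only"
# passthrough rule: it records the source and evaluation continues to the drop below
add chain=input in-interface-list=WAN protocol=tcp dst-port=22,80,443,8291,8728,8729 \
    action=add-src-to-address-list address-list=mgmt-probes address-list-timeout=1d \
    comment="record sources probing management ports"
add chain=input in-interface-list=WAN action=drop comment="everything else from WAN"
```

Check the result with /ip firewall address-list print where list=mgmt-probes after a day on the Internet: the entries there are the "possible SYN flooding" sources the poster saw, and none of them ever reach the WinBox service. If you later add the port-knock rules quoted above, place them after the support-list accept and before the final drop so the knock packets are seen before being discarded.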
I feel like they solved the right problem the wrong way...
Just like PPPoE is an ephemeral interface that exists while the tunnel is active, a dynamic sub-if of a stacked vlan is an ephemeral interface that exists while traffic that specifies it exists.
PPPoE is a special case as it's not IP on the physical interface side ... so they can easily add VLAN ID handling to the pppoe process. And the feature is (currently) only available for PPPoE server, which may serve multiple VLANs and hence handling of VLAN internally really is handy (one server for many VLANs instead of many servers, one per VLAN).
With IPoE it's much harder ... because it's not the DHCP client which handles all the traffic; the DHCP client could only configure the VLAN interface instead of you (but then who is going to remove it when it's not needed any more? Etc.). Not the way to go IMO. If setting the VLAN ID for internet service is so hard, then MT should add the possibility to set it in QuickSet (or the "provisioning for dummies" app) ... if that's not a thing yet.
I have made several forum posts and support requests to MikroTik to open the box a bit... This is pure control-plane.
- Trigger -> Any specified type of packet
- Action -> Create a sub-if, bind the specified service(PPPoE or DHCP) on it.
- Trigger -> Mac in sub-if = 0
- Action -> Remove sub-if.
Just like PPPoE is an ephemeral interface that exists while the tunnel is active, a dynamic sub-if of a stacked vlan is an ephemeral interface that exists while traffic that specifies it exists.
Sorry, I simply don't agree that having a plethora of dynamic interfaces is a good thing ... just to work around a bit of (manual / scripted) configuration.
Sorry, I simply don't agree that having a plethora of dynamic interfaces is a good thing ... just to work around a bit of (manual / scripted) configuration.
Okay! You have the right to disagree!
On the stats from 7.16 to 7.17beta2, there are +74 new commands and +803 new attributes (although the "group-by" gins up the numbers since that is in a lot of places ;))
I totally agree :)
+½
+1
There are also newer options in ZeroTier too that are not exposed... yet? i.e. be nice to control multipath and enable low-bandwidth mode
7.17beta2 does not solve the problem of disconnecting wifi on AX devices. [...] If you cannot solve it yourself, roll back the Qualcomm driver.
Open a ticket with a support file, this should help resolve this!
*) wifi - added multi-passphrase (PPSK) support (CLI only);
?
----EDIT-----
Managed to reach it by changing the port on the RB5009 to which the CAP is connected to 'admit all' frame types instead of only tagged.
After I managed to login to it I noticed that the CAP AX had its ETH1 disabled and also the default route. Enabled those and it seemed to start working again, but reverted back to 6.16 stable.
Will keep it that way for a couple of beta versions more I guess
That doesn't seem related to the RouterOS version upgrade, it never changes essential configuration such as disabling ethernet interfaces.
*) wifi - added multi-passphrase (PPSK) support (CLI only);
Is there documentation for this?
https://help.mikrotik.com/docs/display/ ... passphrase
Anyone got problems with DHCP on this version? Seems that addresses are not getting assigned, had to revert back to 7.16
What do your logs say? If you are experiencing a problem please create a supout.rif file and open a ticket with support so they can fix the bug.
Found the issue, I had to change the interfaces for other relays (up/down) - when I had all set to bridge, it stopped working on 7.17 beta.
I have a few devices on 7.17beta and I experience no problems with the dhcp server.
ofca, I understand your concern, but if you do not have any kind of backup access to these devices, how are you recovering in case of some failed upgrade? An alternative to push-button is cold reboot (power cycle).
In case of some failed upgrade, I use "partitions" to recover. But you are blocking that by making it part of device-mode settings.
**I would like to stress, that device-mode settings are entirely optional. Do your CPEs require traffic generator? If no, there is no need for this operation. **
They are NOT. As far as I understand, the new 7.17 release will disallow the use of partitions (and some other things) unless you have enabled their use in device-mode. Which you can only do in physical presence of the device.
What's new in 7.17beta2 (2024-Sep-27 10:07):
!) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
Would this be applied to all devices or only to devices which have their device-mode at the default setting prior to update? It would be madness if it is applied to all devices - this would even enable some features disabled by the user...
https://help.mikrotik.com/docs/display/ ... xplanatory
Disabled list feature is self-explanatory
I sure hope there will be a clear explanation of what happens to existing devices that use those features, for all reasonable existing device-mode settings.
On my test RB1100AHx4 with 7.17beta2, it showed the partitioning menu (with device-mode showing "mode: advanced" and "container=yes").
/system/device-mode/update mode=enterprise traffic-gen=yes
I also tried to set partition 2 as active, in case that's where it put it (or maybe, I thought, it made TWO copies when you change the partition count). Same bootloop.
Press any key within 2 seconds to enter setup..
writing settings to flash... OK
loading kernel partition 1... kernel not found or data is corrupted
writing settings to flash... OK
loading kernel partition 0... OK
setting up elf image... OK
jumping to kernel code
opendir: No such file or directory
opendir: No such file or directory
ERROR: no system package found!
[ 1.664332][ T1] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000
[ 1.672676][ C2] CPU2: stopping
[ 1.676077][ C2] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.6.3 #2
[ 1.682592][ C2] Hardware name: Annapurna Labs Alpine
[ 1.687901][ C2] {bf099f34} _stext+0x9888/0x4fd230
[ 1.692944][ C2] {bf099f3c} _stext+0x4e902c/0x4fd230
[ 1.698161][ C2] {bf099f4c} _stext+0xbfd0/0x4fd230
[ 1.703204][ C2] {bf099f64} _stext+0x1fe26c/0x4fd230
[ 1.708420][ C2] {bf099f7c} _stext+0x1acc/0x4fd230
[ 1.713461][ C2] Exception stack(0xbf099f80 to 0xbf099fc8)
> /system/device-mode/update mode=enterprise traffic-gen=yes

I'll add that /system/device-mode print should have a "detail" option that shows all the =yes / =no as resolved by the mode and other switches. AFAIK it takes consulting the docs to see what mode= means, with the meaning of mode= changing between versions.
> ofca, I understand your concern, but if you do not have any kind of backup access to these devices, how are you recovering in case of some failed upgrade? An alternative to push-button is cold reboot (power cycle).

We don't only use CPEs, and yes, we sometimes use debugging features like bw-test or traffic gen to communicate with, for example, Eltek PSUs. We also have hundreds of CCRs. You are effectively taking features away from us, unless we allocate manpower to drive around the city and needlessly waste time pushing buttons, instead of making money to buy more MikroTik devices. Please figure out a better way that isn't a regression. It's not a question of backup access. It's a question of scale. We are not talking about two routers here.

> **I would like to stress that device-mode settings are entirely optional. Do your CPEs require traffic generator? If no, there is no need for this operation.**

```
# select count(id) from devman.devices where devtype='managed-mt';
 count
-------
  7271
```
> I agree that this change (and its ramifications) needs to be spelled out better

Actually, this change needs to not happen at all, in my opinion. I'm really glad that the MikroTik guys changed the dev model, and now we have long-running betas, so we can help avoid such disastrous design choices.
> So it seems that when you try to set up partitions while not having that device-mode option set, it just corrupts the device?
> That is even worse than being unable to switch partitions after upgrade...

That'd be my take. I only went down the rabbit hole since the RB1100 had a physical serial port. Clearly it shouldn't end up in a bootloop.
> Why is there no device-mode called "this-is-my-router-and-I-want-everything-to-be-enabled-always-and-forever"?

The knee-jerk reaction of most SoHo and supermarket IT people would be to set this, defeating its purpose.
> We don't only use CPEs, and yes, we sometimes use debugging features like bw-test or traffic gen to communicate with, for example, Eltek PSUs.

Very off-topic, but can you share why you would need to hit those PSUs with traffic-gen?
> > We don't only use CPEs, and yes, we sometimes use debugging features like bw-test or traffic gen to communicate with, for example, Eltek PSUs.
>
> Very off-topic, but can you share why you would need to hit those PSUs with traffic-gen?
> Emulating some kind of magic-packet maybe?

Yes, this exactly. We are using traffic gen to detect presence and current config of a device, to avoid bridging and using a proprietary Windows app.
> Coordinated button press is not the only option. Power cycle / remove power from device is an alternative.

Yeah, sure; we've also started in a garage; luckily, today we are way past that. If a device requires any power-cycling to keep working, it's replaced as failed. If it's "normal behavior", then it's decommissioned and the vendor is banned. I sincerely hope you were just making a joke about adding points of failure to "always on" setups. MikroTik devices are quite robust and, with the exception of the first batch(es) of CRS317 switches, I don't remember any cases that would consistently require power interventions ;)

Deploy your devices from now on with some remote-controlled power plug and you're good to go. Future proof, kind of....
....what if these remote-controlled powerplugs are online and somehow easily accessible (backdoor, unsecured, auth bypass, etc.) by "evil people" as well? Ransomware gangs triggering power plugs to unlock ROS device mode....🤯🤯🤯
😂😂😂
> The device-mode can be changed by the user, but remote access to the device is not enough to change it. After changing the device-mode, you need to confirm it by pressing a button on the device itself, or perform a "cold reboot", that is, unplug the power.

I hope this is clear now.
> I don't know what you understood. In simple words: any change you make to device-mode settings can be either committed/confirmed by pushing the reset button or a cold reboot.

Well, I should mention that I was quite surprised the first time when I confirmed a device mode change with pressing the reset button that the device actually cold booted...

update: please activate by turning power off or pressing reset or mode button in 4m27s
> So how about adding a kind of "grace period" for post-7.16 updates? The newly introduced device modes could be activated without physical interaction for a period of something like 24 hours after that update. If no action is taken in that time the modes become locked, just as they are now. Does that help most of us?

That would be one solution.
> > Well, I should mention that I was quite surprised the first time when I confirmed a device mode change with pressing the reset button that the device actually cold booted...
>
> The message shown on CLI is quite clear and does not leave room for interpretations:
> update: please activate by turning power off or pressing reset or mode button in 4m27s

Maybe for you? For me that is not clear. When I press reset or mode button, it will activate the setting. But will it also reboot???
> Maybe for you? For me that is not clear. When I press reset or mode button, it will activate the setting. But will it also reboot???
> It does not tell that.

Point taken. I don't know either what happens on button press. That's a bad thing, I have to admit. Last time I changed device-mode was to enable the "container" flag, but pressing the reset button did not confirm it. Don't know why it did not work. So I had to do the other thing: "turning power off".
> Documentation of device-mode has been updated with more info. If anyone has any doubts or questions, please post them here and we will answer them in the documentation

I want to prepare a site to which I won't have physical access in the next months.
Please, what will happen to the running containers after the update to 7.17?
Nothing should happen, on my ax3 everything is working. Do you have an issue?
> We have added to the manual some more info about device mode, including that it will reboot in any case.
> The console message will also be amended in future betas.

But it's still not clear what I need to do to make sure I can still use all features (including traffic-gen, container, partitions, bootloader and downgrade) on our 2000+ devices in the field without having to physically visit each one of them and do a power cycle.
> Nothing should happen, on my ax3 everything is working. Do you have an issue?

It's not ok on my RB5009.
> > We have added to the manual some more info about device mode, including that it will reboot in any case.
> > The console message will also be amended in future betas.
>
> But it's still not clear what I need to do to make sure I can still use all features (including traffic-gen, container, partitions, bootloader and downgrade) on our 2000+ devices in the field without having to physically visit each one of them and do a power cycle.

Home and Advanced mode are like presets that allow a certain list of features: groups of features that are listed next to them in the manual.
Also, the documentation is still confusing. It first mentions (under 'Available device-mode modes') that traffic-gen, container, partitions, bootloader, downgrade are disabled for 'advanced mode'. But then under 'List of available properties' it says "Default: yes, for advanced mode" describing properties that also include traffic-gen, container, partitions, bootloader and downgrade?
> Where do I need to look then?

Any hints in log?
> If your containers stopped working after upgrade to 7.17, it might not be related to device mode at all.

I never said it was related to device mode.
> > Where do I need to look then?
>
> Any hints in log?

Missing exec. Only thing which shows in log after start and then immediately stop.
> Device mode, as clarified in the manual, is meant to protect home users who have their routers taken over by attackers and are using them for botnet purposes.

Undoubtedly a noble pursuit. I'm not a home user, so I shouldn't be affected by these changes.
> Home and Advanced mode are like presets that allow a certain list of features: groups of features that are listed next to them in the manual.
> BUT there is no mode that allows ALL features, if you have Advanced and also need some additional features, you have to enable them one by one. I suggest reading the entire documentation page, it clarifies this further in the text.

I've read the documentation multiple times, but it seems to describe some mythical state where everyone is already using hardware shipped with v7.17 and pre-"device-mode" times didn't exist. I'm asking this for the third time now: how can I make sure I do not lose any features on our devices in the field when I upgrade them to v7.17? The only thing in the docs regarding <v7.17 mentions devices running older versions will have the 'advanced' mode by default. It doesn't say whether features such as partitioning or downgrade will be enabled or disabled for these devices. If they are disabled, you're not only directly contradicting yourself (I thought it was 'entirely optional' and 'to protect the home users'?), you're also arbitrarily taking away people's device functionality in an attempt to embellish your security posture (which is frankly unacceptable).
/ip dns static
add forward-to=10.6.10.220 match-subdomain=yes name=my.internal.lan type=FWD
add forward-to=10.6.10.221 match-subdomain=yes name=my.internal.lan type=FWD
/ip dns forwarders
add dns-server=10.6.10.220 name=my.internal.lan
### and then try to add another forwarder for internal lan.
add dns-server=10.6.10.221 name=my.internal.lan
failure: name not unique
From 7.16. The problem is that the forwarder will not try to ask 10.6.10.221 when 220 is not answering.
> !) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
>
> and: [D]evices running versions prior to RouterOS version 7.17, all devices use the advanced/enterprise mode
>
> and, as mentioned in another post: (Disabled features in advanced mode) traffic-gen, container, partitions, bootloader

> container, fetch, scheduler, traffic-gen, ipsec, pptp, smb, l2tp, proxy, sniffer, zerotier, bandwidth-test, email, hotspot, romon, socks, partitions, downgrade, bootloader. (yes | no; Default: yes, for advanced mode)

Despite MikroTik's own documentation, container has never been "default=yes", some options don't exist prior to 7.17, and the table above this section lists a bunch of stuff that is "no" by default. A bit of cleanup is needed.

> How I understand this, in other words: after upgrade to 7.17 you won't be able to use traffic-gen, not able to change active partition (/partitions/activate), not able to make changes to /system/routerboard/settings and you won't be able to use /system/package/downgrade.

This either needs to be reconsidered, or an upgrade MOP (method of procedure) needs to be added to the upgrade from <7.17 to 7.17 to keep users from losing access to previously available features. I use routerboard/settings and partitions after deployment all the time.
"Yes"
> From 7.16. The problem is that the forwarder will not try to ask 10.6.10.221 when 220 is not answering.

Yes they do, but the point in having two servers to forward to is that if one of them goes down, RouterOS should use the second one. As the link I posted above shows, it does not work perfectly.

The basic premise in the whole DNS system is that if there is more than one DNS server available (configured), it is assumed that all of them would give the same answer. And the answer "no such domain" is an answer (albeit negative). A DNS client may use available servers in round-robin manner, but most use a single server until it stops replying altogether.
So which kind of behaviour is it that you observe from 19.6.10.220?
> > FezzFest: Downgrade is still offered via switching of release channels. Don't upgrade to a beta you have no access to.
>
> I'm not upgrading to any betas. What worries me are releases presented as stable, containing bugs we didn't anticipate and won't be able to fix as we can't downgrade to an older version anymore.

It is time for a long-term channel. Then you could at least have this "last resort" when stable reveals some issues.
> https://help.mikrotik.com/docs/display/ROS/Device-mode
> I have posted further updates to the manual, so all your Device mode questions should be answered in there.

Should not "downgrade" be in the table of the disabled features of the "advanced" line?
> > Any hints in log?
>
> Missing exec. Only thing which shows in log after start and then immediately stop.

Now I'll be damned ...
At first sight (quickly logged in via wireguard during lunch break) disk is mounted correctly (it did cause problems in the past with some USB3 drives on Rb5009 but it seems it gets recognized ok now each time after reboot), folders are still there from what I can see. Mounts are present as expected.
In itself not a real issue, since those containers are pretty easy to set up again from scratch, but I am simply wondering why it broke all of a sudden.
> *) container - clear VETH address on container exit and mark interface as running only when VETH is in use;

...is not yet implemented in 7.17b2.
> https://help.mikrotik.com/docs/display/ROS/Device-mode
> I have posted further updates to the manual, so all your Device mode questions should be answered in there.

Similar question... under "bandwidth-test" ... it does not discuss /tool/speed-test. I guess it's not included if one believes the recent docs... but since you could set the interval= very high, it can act like bandwidth-test.
> No, we do not plan to implement annual licensing or any other licensing changes.
> Device mode, as clarified in the manual, is meant to protect home users who have their routers taken over by attackers and are using them for botnet purposes.
> EVEN THOUGH we have no known security issues in RouterOS AND we have added default passwords out of the box, improved security will ensure the devices stay secure for a long time. Home user does not need traffic generator.

Thanks for clarifying that!
> Sorry I am a bit unclear about something regarding device mode. Is/will it become mandatory to use:

device-mode is an existing feature that was introduced a couple of versions ago, and it provides a global enable/disable of features that are deemed to be "dangerous".
> I don't think there is any indication that they are planning to change this. All responses are only directed at clarifying and documenting the new situation, there isn't any hint at all that they may reconsider the decision.

Documentation on device-mode is still useless, as we don't know which "certain EOL devices" must have a cold reboot, i.e. do not respond to the button, and it still is not clear which devices are set to 'basic' and which to 'home' mode as default. Definition by "home routers" and "other devices" is not acceptable, as we have many devices that are not routers yet the default configuration is as a router (best example is wAP ac).
> The issue with downgrade is that any attack script can immediately issue a downgrade command to some version with a known security issue and take over the device. See viewtopic.php?p=1101208 as an example of how smart these scripts are.

How about disallowing downgrade to ROS versions with known security vulnerabilities? This needs no device mode, to be honest.
> please do not mass change anything that can't be accessed.

If I can help it, we're never physically touching any of our equipment, ever. That's a philosophy you may not like, but we've got a network to run and we like to spend our time deploying new customers rather than dancing to the tunes of a developer in Latvia that cares more deeply about defending his ideas than implementing ones that'd solve the problem.
> > The issue with downgrade is that any attack script can immediately issue a downgrade command to some version with a known security issue and take over the device. See viewtopic.php?p=1101208 as an example of how smart these scripts are.
>
> How about disallowing downgrade to ROS versions with known security vulnerabilities? This needs no device mode, to be honest.

Unknown today might become known some other day.
> It seems like nobody is complaining about the "bootloader" device-mode flag.

Well, I don't really like that either. When I want to netinstall a device that is not completely dead, I use "try-ethernet-once-then-nand" mode to force it to go to netinstall, instead of fiddling with the button. I even netinstalled a device remotely that way. Just to be sure that some strange phenomenon I was seeing was not caused by configuration database corruption.
> And even if it would exist: you would need to press button or power off. hahha

Well, at least we could plan that as a task to be performed during other visits to each location in the months before the upgrade.
> > And even if it would exist: you would need to press button or power off. hahha
>
> Well, at least we could plan that as a task to be performed during other visits to each location in the months before the upgrade.

Mikrotik could make these device mode properties available in 7.16.1 already. 7.17 final release is months away.
> Let me remind you, that if your device has some need to be routinely switched between partitions all the time, send somebody to unplug it from power ONCE in its lifetime, to enable device mode setting for this.

Let me remind you that you guys are adding both fixes and features in RouterOS 7 at a fast, steady pace (for which we are grateful). That "some need" for switching between partitions is because new versions can test out fine in the lab or on a couple of field devices, but introduce breaking changes elsewhere in the field, some of which we may not notice for days or weeks. Switching back to the previous partition gets us back to a known state (version + config) quickly.
> > device-mode [...] send somebody to unplug it from power ONCE in its lifetime [...]
>
> [...] you guys are adding both fixes and features in RouterOS 7 at a fast, steady pace (for which we are grateful). [...] Switching back to the previous partition gets us back to a known state (version + config) quickly.

Agree 100%. But using channels to upgrade/downgrade when facing a potential bug is also very quick ;). But unfortunately that has problems here too, with the "downgrade=no" device-mode.
> Can we at least get a new "previous-stable" channel if there is not going to be a long-term? This would already be useful outside the beta.

I support this idea 1000%, because I use the "previous-stable" version on production devices myself in its last version, i.e. updated all to 7.14.3 when 7.15 came out and did the next update to 7.15.3 when 7.16 came out. This way it would be easy to maintain this channel as well, because it is updated only when the next "major" release comes out.
> Let's look at my mountaintop CCR2116 as an example. We can get there relatively easily from June to October.

At my work many years ago, I set up several WiFi links on mountain tops. Sometimes they just stopped working or we just liked to reboot them.
> After update CAPsMAN with wireless package stopped working, in the log there are tons of:
> CAP failed to join MikroTik (::ffff:127.0.0.1:5246)
> CAP connect to MikroTik (::ffff:127.0.0.1:5246) failed: timeout

Also seeing this. Tried with 7.17beta2 on both cap and capsman - would not work. Same with 7.16 on capsman and 7.17beta2 on cap.. timeouts.
> Developers of Mikrotik
> There are so many AP AX that are unusable in 5G because of SA query timeout, and you have just reworded this?
> Are you serious?
> Do not complain then about the market share of Ubiquiti in WiFi... unacceptable for months not to be able to connect my business laptop to wifi

Please tell me your MikroTik support ticket number and I will see if there is any progress in your case.
> This is a fu__ng function, the need to press a button to manage device mode features.
> It's very fun with remote sites a few hundred/thousand kilometers away.
> How will this new device mode be handled with upgrade/downgrade OR partition switch with different versions?

There is no need to do this at all. What makes you think that?
> > You can set this option today in 7.16, and it will remain after upgrade.
> > Existing config is not affected by device mode limitations.
>
> /system/device-mode/update partition=yes
> expected end of command (line 1 column 28)
>
> you cannot. 7.16 does not know about device-mode "partition".

Are you serious? I am directly answering your question about bootloader settings.
For devices currently running <= 7.16.x which currently have device-mode = "enterprise", an upgrade to >= 7.17 will switch the mode to "advanced", but with the extra features still enabled (except for container, unless it was already enabled under the older version). The extra features, however, can each be switched to "no" once (by running the commands) without requiring physical access. Further switching, as well as changing the device mode, will require physical access.
> if your tunnel is down, you can't switch partitions anyway. you need access for that.

The scheduler script does that. It is configured to run e.g. 5 min after startup. It does the partition switching. If bmann can log in, he just disables the scheduler. All good.
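The rollback guard described in the post above (a scheduler that reverts to the backup partition after boot unless an operator logs in and disarms it), written out as an added example; this is not code from the thread or from MikroTik. The partition name `backup`, the scheduler name `rollback-guard` and the 10-minute window are assumptions, and on 7.17+ the `/partitions activate` step only works while device-mode still permits partition changes (`partitions=yes`), which is exactly what the thread is about.

```routeros
# Added example (not from the thread or from MikroTik). RouterOS v7 CLI.
# Assumptions: the standby partition is named "backup", the guard is named
# "rollback-guard", and device-mode permits partition changes (on 7.17+ that
# is partitions=yes, which must already have been confirmed by button or
# cold reboot; the guard itself does nothing that needs physical access).

# --- Before the upgrade: keep a known-good copy of the running system ---
# Copy the active partition (OS + config) into the standby slot.
/partitions copy-to [find name=backup]

# Arm the guard. start-time=startup with interval=0 runs it once after the
# next boot. It waits long enough for tunnels/management to come back; if the
# operator has not disarmed it by then, it assumes the upgrade broke remote
# access and reboots into the backup partition.
/system scheduler add name=rollback-guard start-time=startup interval=0 \
    policy=read,write,policy,test,reboot \
    on-event=":delay 10m; \
        :log warning \"rollback-guard: no operator cancel within 10m, reverting to backup partition\"; \
        /partitions activate [find name=backup]; \
        /system reboot"
# (If activate already reboots on its own, the explicit reboot is never reached.)

# --- After the upgrade, once you can log in again ---
# Confirm the new version boots and management works, then disarm the guard
# before the delay expires. Removing it is the "all good" signal.
/system scheduler remove [find name=rollback-guard]

# Checks worth keeping in the upgrade runbook: which partition is active and
# what it holds, and whether device-mode still allows a manual switch next time.
/partitions print
/system device-mode print
```

The delay must exceed the time your tunnels and management paths take to come up after a reboot, otherwise a healthy upgrade gets rolled back before anyone can cancel it.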
> > /system/device-mode/update partition=yes
> > expected end of command (line 1 column 28)
> > you cannot. 7.16 does not know about device-mode "partition".
>
> Are you serious? I am directly answering your question about bootloader settings.
> If you are not interested in real answers, only trolling, you are welcome to join some other online community instead.

I think several people here agree that YOU are the one here that is trolling.
> pe1chl, why is this so hard to understand? your complaint is about routerboot settings, that you can't switch to "try-ethernet-once-then-nand". You can, switch now and upgrade later.

Because "try-ethernet-once-then-nand" switches itself back to "nand" afterwards. pe1chl can change that one time on 7.16 when upgrading to 7.17. Afterwards he won't be able to do that anymore. Except: allow "bootloader" in device-mode, which involves physical access.
pe1chl, why is this so hard to understand? your complaint is about routerboot settings, that you can't switch to "try-ethernet-once-then-nand". You can, switch now and upgrade later.
about partitions, their purpose is to reboot into backup, when device fails to boot. this works without any device mode changes or settings. if you have such a setup, nothing has to be done after upgrade. you can create partitions, copy active partition to backup partition etc. and it will fallback to backup, if device fails. no button press necessary.
> pe1chl, why is this so hard to understand? your complaint is about routerboot settings

My complaint is NOT about routerboot settings!!!

> that you can't switch to "try-ethernet-once-then-nand". You can, switch now and upgrade later.

You may not know that setting bootloader to "try-ethernet-once-then-nand" does not stick, it only remains active until the

> about partitions, their purpose is to reboot into backup, when device fails to boot. this works without any device mode changes or settings. if you have such a setup, nothing has to be done after upgrade. you can create partitions, copy active partition to backup partition etc. and it will fallback to backup, if device fails. no button press necessary.

But you do not cover the situation where we have version X in active partition, version X-1 in backup partition, it has been
> Yes, that is also why I suggested that the device-mode settings are made available earlier than they are enforced.

Not really. It does not matter if it is now or a later version, but the new device mode should not force you to go and physically visit all running devices.
> above quoted line from the manual
> > "you can use the "save config" button to copy it over to other partitions."
>
> this can be done without any device mode changes, limitation only is applied to manual re-booting to other partition, if main one is still working

You cannot "save config" from an inactive partition to the actively running partition, right?
> Rough timeline for v7.16 beta1 to v7.16 release was from June 5th to September 24th. Beta period can be considered grace period.

The major problem I foresee ahead is the fact that - I have no evidence - only 3/10 people read changelogs.

> !) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;
> I already explained, that if you have access to this device and are able to issue commands, you can also fix your config in other ways, not just by partition change. And if a script can do things in your router, so could an attacker. Those people that have thousands of routers that all use partitions and automated upgrades, that switch to backup partitions, when something can't be pinged (netwatch), yes, will have to manually enable partition mode for this to be possible. But I personally think there are better ways to protect a device against failed upgrades.

But you need to have physical access to the device!!! For new devices this is OK and everyone will count on it.
> No, we do not plan to implement annual licensing or any other licensing changes.
> Device mode, as clarified in the manual, is meant to protect home users who have their routers taken over by attackers and are using them for botnet purposes.
> EVEN THOUGH we have no known security issues in RouterOS AND we have added default passwords out of the box, improved security will ensure the devices stay secure for a long time. Home user does not need traffic generator.

Also, a home user doesn't need BGP, MPLS, OSPF, RIP, or 99% of the functionality of ROS. What a home user needs is one big button — "Make everything work." I appreciate your concern for home users, but how about releasing a separate firmware for them and not touching the professional devices?
> Rough timeline for v7.16 beta1 to v7.16 release was from June 5th to September 24th. Beta period can be considered grace period.

I think you don't understand (just like you pretend to not understand ANYTHING in this matter) what a grace period would be.
> It starts to look like some at Mikrotik are not exactly familiar with the concept of managing devices in inaccessible locations or located in another country (or even continent)....

Please describe your specific use case, so we can see how to improve it. Not theory, real use.
> I already explained, that if you have access to this device and are able to issue commands, you can also fix your config in other ways, not just by partition change.

Except when config is internally f*cked up by an upgrade and manually fixing the issue is no longer possible. The only solutions in this case are either switching to a still working partition or doing netinstall.
> You can set this option today in 7.16, and it will remain after upgrade.
> Existing config is not affected by device mode limitations.

This won't work with the options that did not exist before 7.17.
> > You can set this option today in 7.16, and it will remain after upgrade.
> > Existing config is not affected by device mode limitations.
>
> This won't work with the options that did not exist before 7.17.

which ones did not exist?
Maybe, release a version where partition, downgrade and bootloader are known, but have no effect and can be updated remotely, let people who need these features on a remote devices update them, and then start enforcing them in the next major release?
> which ones did not exist?

partition, downgrade and bootloader
> > After update CAPsMAN with wireless package stopped working, in the log there are tons of:
> > CAP failed to join MikroTik (::ffff:127.0.0.1:5246)
> > CAP connect to MikroTik (::ffff:127.0.0.1:5246) failed: timeout
>
> Also seeing this. Tried with 7.17beta2 on both cap and capsman - would not work. Same with 7.16 on capsman and 7.17beta2 on cap.. timeouts.

I discovered the same issue. 7.17B2 will not provision wireless CAPsMAN-controlled AC CAPs (mipsbe) access points. It shows the interfaces but shows no remote CAPs. I upgraded one CAP to 7.17B but it still does not work. Also, as you report, 7.16 CAPsMAN does not work with 7.17B2 access points.
> > It starts to look like some at Mikrotik are not exactly familiar with the concept of managing devices in inaccessible locations or located in another country (or even continent)....
>
> Please describe your specific use case, so we can see how to improve it. Not theory, real use.

Normis, do you want a use case? Here you go. There's a war in my country. The equipment is located in a place where bombs are currently falling. Right now, I don't need the notorious traffic-gen there. I updated the firmware, and suddenly I needed that very traffic-gen. I think the best solution would be to send one of the MikroTik employees (for example, you) over there to press the button or turn the power off/on. After the first nearby explosion, that employee will stop asking silly questions.
> What will you be using traffic gen for, in this remote router? There is no need for theoretic, like I said

To check the quality of the connection after a bombing, for example. I'll repeat what I've already written — please, don't touch professional equipment. The industry already has the opinion about MikroTik: "Try not to update firmware — they're bound to break something in the process."
> I already explained, that if you have access to this device and are able to issue commands, you can also fix your config in other ways, not just by partition change. And if a script can do things in your router, so could an attacker. Those people that have thousands of routers that all use partitions and automated upgrades, that switch to backup partitions, when something can't be pinged (netwatch), yes, will have to manually enable partition mode for this to be possible. But I personally think there are better ways to protect a device against failed upgrades.
>
> !) device-mode - after upgrade, mode "advanced" is set by default and traffic-gen, changing active partitions, bootloader and downgrade features will be disabled;

I think that you (Mikrotik) think wrong... There are countless devices inside company networks that are not exposed to The Internet in any way, but also not easily reachable/available for power-off or button press during day/normal working time. Some even require special permissions to enter the room at any time, not to mention more special permission and at least two people to get in during the night (I personally have only a few, but most of my clients are not that paranoid). Luckily, I don't have any devices left on hotel roofs, stadium light poles or similar hard to reach places, I was lucky to have them replaced with optical cables a few years ago :)
> I think MikroTik will achieve the opposite result. Now everyone will enable everything right from the initial setup stage because that's easier than thinking, "Will I need this or not, and will I have to climb onto the roof in the middle of the night?" Well done.

Sure .. but you can't enable NOW for a future version/policy. So double damage, they enable all features and those who need them can't do that ;-)
> I do understand these theoretical situations. There are two types of posts here:
> - People who want to know what exactly will happen, and who have not yet read the previous posts. I try to answer them.
> - People who have theoretical "what if ..." concerns for highly improbable scenarios. Sure, they are true, but how critical is this really in real life.
> - People with very specific use cases that MikroTik did not imagine before.
> I am trying to help the first people and to better understand the other two. If you post your specific use cases, we can understand it better and try and find other kind of solutions to the original security issues.

I see that people are giving very specific situations from real life, there is nothing "theoretical" here: devices that are not easily accessible, on which they WANT to enable downgrade or other features they already had before (for whatever reason, mine is that I want to be sure that I'll be able to downgrade in case some problem appears days or weeks after an upgrade, in spite of all the testing I did in advance - would not be the first time I need this!).
> above quoted line from the manual
> > "you can use the "save config" button to copy it over to other partitions."
> this can be done without any device mode changes; the limitation is only applied to manually re-booting to the other partition, if the main one is still working
And this is the problem. There are plenty of us who manually switch between them for various reasons. In particular, the newly loaded version may "work" just fine, but have enough bugs in it that we don't want to stay on that version. I want to be able to manually switch back to my backup version if the new version under test has OSPF/BGP/ISIS/L3HW stability issues, for example.
> Please describe your specific use case, so we can see how to improve it. Not theory, real use.
How about when a device is both physically inaccessible and situated in a really complicated location?
It starts to look like some at Mikrotik are not exactly familiar with the concept of managing devices in inaccessible locations or located in another country (or even continent)...
> ormandj
> "It seems like the upgrade should have an option to leave all pre7.17 devices in the same state they were post upgrade"
> That's exactly as it is. I already explained it. Your running config is not affected.
I read the update as: anything you currently have configured/is running won't change, but your ability to configure things that require the advanced mode functionality will no longer be possible. Is that a misunderstanding on my part? I'm suggesting that the default behavior can be to lock down _new_ configuration of those options, but that an upgrade should have the option to choose _not_ to lock these things down for _new_ configuration on existing devices that were pre-7.17. This would remove the need for any physical visits for those who choose to opt out of the new default mode, as long as the option was selected properly on update.
I think about 90% of the heat from this future change comes from people that DO use partitioning. Because we DO use it: the ability to have more than one partition, and do either a failover or a manual switch, is a godsend blessing. I really can't imagine how Mikrotik would downplay something SO vital to a basic networking block as a router.
Please describe your specific use case, so we can see how to improve it. Not theory, real use.
> - People who want to know what exactly will happen, and who have not yet read the previous posts. I try to answer them.
Using CLI/scripting – say from defconf or a netinstall script – how do you check if a particular "device-mode" is active?
/system/device-mode/print
# mode: advanced
# container: yes
/system/device-mode/print <tab>
# as-value file interval without-paging
:put [/system/device-mode/get]
# container=true;mode=advanced
authorized-public-key-hash = (type: nil)
bandwidth-test = (type: nil)
bootloader = (type: nil)
container = true (type: bool)
do = (type: nil)
downgrade = (type: nil)
email = (type: nil)
fetch = (type: nil)
flagged = (type: nil)
flagging-enabled = (type: nil)
hotspot = (type: nil)
ipsec = (type: nil)
l2tp = (type: nil)
mode = advanced (type: str)
partitions = (type: nil)
pptp = (type: nil)
proxy = (type: nil)
romon = (type: nil)
scheduler = (type: nil)
smb = (type: nil)
sniffer = (type: nil)
socks = (type: nil)
traffic-gen = (type: nil)
zerotier = (type: nil)
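As an added example (not code from the thread, from MikroTik, or from the poster above), a RouterOS script that reads the same `/system/device-mode/get` array shown above and logs, before an automated partition switch would be attempted, whether the device is in advanced mode and whether the per-feature `partitions` flag is actually set. The key names `mode` and `partitions` are taken from the output above; how a given RouterOS version reports an unset flag is an assumption to verify on the device:

```routeros
# Added example, not from the thread: inspect device-mode before relying on partition switching.
# Assumes RouterOS 7.17-style keys ("mode", "partitions") as listed in the output above.
:local dm [/system/device-mode/get]
:local mode ($dm->"mode")
:local parts ($dm->"partitions")

:log info ("device-mode: mode=" . $mode . ", partitions flag type=" . [:typeof $parts])

# On the quoted output "partitions" is nil although mode is "advanced":
# the per-feature flag is what gates changing the active partition, not the mode alone.
:if ($parts = true) do={
    :log info "device-mode: partition switching is enabled on this device"
} else={
    :log warning "device-mode: partition switching is not enabled; a netwatch failover script cannot change the active partition until it is enabled locally (button or cold reboot)"
}
```

Run it from a scheduler or as the first step of a netwatch down-script so that a failover that cannot succeed is recorded in the log instead of failing silently. On a device where the `partitions` key does not exist at all (the 7.16 behaviour shown a few posts below, where `update partitions=yes` is rejected), `$parts` is also nil, so the warning branch is taken; treat that as "check the version" rather than "feature disabled".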
> Those features existed previously and if you used them, they are still working. Only new configuration requires approval by button press, for a remotely connected user, to protect against a remote intruder.
On Audience running 7.16:
[andrew@MikroTik] > /system/device-mode/update partitions=yes
expected end of command (line 1 column 28)
[andrew@MikroTik] > /system/device-mode/update downgrade=yes
expected end of command (line 1 column 28)
[andrew@MikroTik] > /system/device-mode/update bootloader=yes
expected end of command (line 1 column 28)
> what could be so f***ed up that you can't fix it from the fully working command line, but you can type "partition activate" command?
There have been a couple of cases in my experience with RouterOS when, after a version upgrade, some services did not work as expected, and no change in configuration could fix that. The exact same configuration then worked as expected after being applied to the same device after a configuration reset.
Lets talk about Hardware Offload?
No news about BGP Flowspec progress on this 7.17?
What about TR-101 on PPPoE/IPoE support?
Any ETA for adding the possibility to do the Username Replacement for the string that comes in Circuit-ID or Remote-ID?
I reiterate my suggestion that RouterOS should start exporting some Hooks that allow triggers to be triggered.
Perhaps an Intra-RouterOS Hook management tool?
Where events that have a hook would start asking this tool: "I'm doing this, I'm doing that, is there a hook here or can I go straight ahead?"
A DHCP request becoming a Radius Query is exactly an example of how this could be used.
A DHCP event asks this question to the Hooks Center:
- If it receives a "Nothing here! You can go ahead" the DHCP event sends it to the Radius-Client Process as is.
- If it doesn't receive a response in 500ms, the DHCP event sends it to the Radius-Client process as is.
- If it receives a "run this script", it executes it, reprocesses it, and then sends it to the Radius-Client process after having changed it.
When does the MikroTik team intend to start showing that:
/ip/route/print
/ipv6/route/print
/routing/route/print
They all deal with the same route table?
I feel like the effort they make to separate this in Winbox and in the CLI is hindering more than helping.
When will all RouterOS processes be placed inside their respective containers (behind the scenes), and thus allow these processes to be easily controlled by Cgroups, limiting the maximum resource usage for each container, and at the same time ensuring that each resource has its respective priority?
This would prevent processes that get out of control from affecting other processes and also the forwarding plane. At the same time, it would prevent grotesque things like a BGP/OSPF/BFD process from crashing when there is such a large amount of packets that it takes up all the computational resources of the box.
When will we be able to enable uRPF per interface?
When will it be possible to use VRF without losing Fast-Path and Hardware Offload features?
Have you MikroTik guys considered splitting the DNS service as was done with the Wifi packages?
Separating different things of different interest into Packages?
Embedded in RouterOS DNS being just a regular AND SIMPLE DNS relay/recursive.
Focused on attending to the requirements of scenarios of home and basic device-modes.
An extra dns.npk designed to be a more complex DNS service, with all the more advanced features that already exist on actual DNS, and other ones that were not included because it complicates much of the basic.
It would reduce the probability of simple issues affecting a huge number of devices.
It would make it easier to do some things that are a pain to deploy in the current scenario (like VRF on outgoing queries).
It would also prevent less experienced users from getting into trouble by messing with settings that don't need to exist in more basic scenarios.
About User-Manager:
Any plans to allow it to be configured to query LDAP databases?
What about allowing the UserManager Radius to be configured to act as a Radius-Proxy for other Radius-Servers?
Any chance of DHCPv6 Circuit-ID(Option18) and Remote-ID(Option37) start to be forwarded as AVP in Radius Requests of DHCPv6 server?
And what about Vlan Demuxing?
Equivalent to "stacked-vlan-ranges dynamic-profile" in Junos.
Can we expect that to be earlier than 12 months?
> what could be so f***ed up that you can't fix it from the fully working command line, but you can type "partition activate" command?
Not theoretical - related to "downgrade" device mode
> When will all RouterOS processes be placed inside their respective containers (behind the scenes), and thus allow these processes to be easily controlled by Cgroups, limiting the maximum resource usage for each container, and at the same time ensuring that each resource has its respective priority?
> This would prevent processes that get out of control from affecting other processes and also the forwarding plane. At the same time, it would prevent grotesque things like a BGP/OSPF/BFD process from crashing when there is such a large amount of packets that it takes up all the computational resources of the box.
I've actually seen 802.3 LAG interfaces die, because some other process was hogging the CPU, and the system could not honor the "hardware keepalive" messages.
> *) zerotier - upgraded to version 1.14.0;
need moons, too
Thanks for the ZT update, have a good weekend all.
+1
Has anyone checked if private moons support is really working?
There are also newer options in ZeroTier too that are not exposed... yet? i.e. it would be nice to control multipath and enable low-bandwidth mode