Software-update: RouterOS 7.23

MikroTik heeft versie 7.23 van RouterOS uitgebracht, een besturingssysteem dat zich richt op het uitvoeren van routertaken en meer. Denk daarbij natuurlijk aan het routeren van netwerkverkeer, maar ook aan bandbreedtemanagement, een firewall, het aansturen van draadlozeaccesspoints, een hotspotgateway en een vpn-server. Het kan zowel op de hardware van MikroTik als op x86- of virtuele machines zijn werk doen. Voor het gebruik is een licentie nodig, die bij de aankoop van MikroTik-hardware is inbegrepen. De changelog voor deze uitgave kan hieronder worden gevonden.

What's new in 7.23:

• upgrade - use HTTPS by default when connecting to MikroTik upgrade servers
• app - added "network-outgoing-access=yes/no" setting to prevent containers from initiating outbound traffic
• app - added birdnet-go, cryptpad, diagrams-net, lorawan-stack, metube, mikrodash, nextcloud-whiteboard, paperless-ngx, wbo, zulip apps
• app - added docker-with-dockge, docker-with-komodo, docker-with-portainer, HA-otbr-matter, odoo, otbr, stalwart, trip apps
• app - added possibility to set app command-line parameter from CLI
• app - added restart command
• app - allow apps on XFS file systems
• app - allow filtering by installed apps
• app - allow overriding default stop signal
• app - allow parsing DNS in YAML
• app - allow passing stop signal from YAML and passing it to container as default
• app - allow picking app category from drop-down
• app - allow updating name parameter from YAML for custom apps
• app - allow updating YAML for existing custom app, forces cleanup
• app - apps now check for port availability, apps will not start on "internal" if app masks existing service
• app - automatically pass any required devices to container, such as otbr
• app - automatically restart app when required hardware device is changed
• app - bundled ollama with openwebui
• app - check if certificate already exists before creating a new one
• app - disabled PiHole syncing NTP to host
• app - fixed issue where XFS disks did not appear in the app disk drop-down
• app - fixed saving custom apps
• app - fixed showing ui-url for apps
• app - fixed some apps not containing the full repository URL
• app - fixed stability issue when running cleanup on many apps
• app - fixed store issue when adding a custom app
• app - fixed YAML not exported for custom apps
• app - improved app network and port behavior
• app - improved automatic hardware device passing to container
• app - improved YAML error message
• app - make sure all layer .tar.gz files are deleted after extraction finishes
• app - on file-based devices, swap is enabled on the file itself instead of creating another and enabling it on that
• app - stability fixes for the "/app" menu
• app - swap file is now created based on the mount-point it is attached to
• app - updated uptime-kuma image
• arm64,x86 - updated Broadcom bnxt Ethernet driver for 200G support
• bfd - fixed source address selection for IPv6 multihop sessions
• bridge - added ability to set custom Option 82 with dhcp-agent-circuit-id, dhcp-agent-remote-id settings (replaces add-dhcp-option82 setting; configuration is automatically updated after upgrade)
• bridge - added DHCPv6 snooping feature with ability to set custom Option 18 and Option 37
• bridge - fixed dynamic VLAN update for WiFi interfaces
• bridge - improved MAC synchronization for MLAG
• bridge - recognize more DHCP message types when dhcp-snooping is enabled
• bth - fixed WireGuard client config IP address netmask
• certificate - added "ISRG Root X1" and "DigiCert Global Root G2" to SMIPS built-in root certificate authorities store
• certificate - allow deleting ACME certificate that failed to generate
• certificate - improved ACME logging
• certificate - improved ACME status reporting
• certificate - set Let's Encrypt as default ACME directory
• chr - improved guest tool config for arm64 CHR
• cloud - cloud backup file management now requires "policy" policy
• cloud - show error if cloud services are not supported on the device
• console - added comment in "/ip/dhcp-server/option/sets" and "/ipv6/dhcp-server/option/sets" menus
• console - added path parameter to export
• console - added syntax highlight for script properties in some menus (e.g. dhcp-client, dhcp-server, ppp/profile, interface/vrrp)
• console - export mentions custom defconf script presence in header
• console - fixed "/log/print follow on-event" to work with "where" (introduced in v7.22)
• console - fixed output when oversized completion present
• console - removed redundant keepalive for the serial-terminal, ensure that the device no longer periodically outputs /0 while using "/system/serial-terminal"
• console - show "/system/resource/hardware/usb-power-reset" only on x86
• console - show warning in print header when terminal is too narrow to show any columns
• console - treat non-existent command parameters as runtime errors
• container - added restart-policy=no/always/on-failure, stop-on-unhealthy, restart-count, restart-interval, restart-max-count properties
• container - added support for noexec option to mounts
• container - added support for USB audio devices for containers
• container - allow disabling individual container environment variables without deleting them
• container - allow picking mount source directories with the file picker in WinBox
• container - allow setting memory-max globally and per container
• container - allow user-defined mounts overriding /sys and /dev
• container - check if root-dir does not exist before adding a container
• container - clean up layers of non-existing containers
• container - detect and show containers killed by out-of-memory killer
• container - do not allow starting container/shell with non-existing user or group
• container - draw graphs in container stats
• container - fixed container entrypoint and shell override by user
• container - fixed container layer size calculation
• container - fixed container shell not working with multi-arg commands
• container - fixed repull if root-dir of container was in tmpfs
• container - fixed running "/container shell" with the correct user, if container user is set or overridden
• container - improved errors at container start
• container - improved running container instance memory usage
• container - layers are now accessible under "Layers" tab
• container - pass any container startup error message back to "run" and make it exit immediately
• container - remove container backup directory if import fails
• container - removed "Layers" button
• container - show container size and container data size
• container - show default DNS servers
• container - show layer size calculation status
• container - updated /dev/net/tun permissions
• crypto - fixed fallback flag loss in qcrypto
• crypto - fixed stability issue
• crypto - improved safexcel driver with upstream changes and patches
• dhcpv4-server - added "add-dns-entries" and "add-dns-entries-suffix" properties for creating local DNS entries
• dhcpv4-server - changed lease agent-circuit-id and agent-remote-id format to hex
• dhcpv4-server - do not raise an alert when receiving a packet originating from the same device
• dhcpv4-server - do not suggest bogus pools when using setup command (e.g. when address is /31 or /32)
• dhcpv4-server - fixed an issue where renew packets without giaddr were sometimes not processed
• discovery - added "add-dns-entries" and "add-dns-entries-suffix" properties for creating local DNS entries
• discovery - added option to disable/enable LLDP MED
• discovery - added separate read-only menu "/ip/neighbor/lldp" for neighbors discovered by LLDP (CLI only)
• discovery - dynamically update advertised "interface-name"
• discovery - fixed LLDP MAC/PHY TLV
• disk - added "/disk" smart-info
• disk - added disk check and repair for ext4, Btrfs and XFS file systems
• disk - improved device name tracking in "/system/resource/hardware" menu
• disk - show disk io errors in "/disk" menu
• dns - added HTTP/2 support to DoH on ARM64 and x86/CHR devices
• ethernet - improved system stability for RB3011, L009, NetMetal ax, hAP ax lite devices
• ethernet - improved system stability on devices with Alpine CPUs
• fetch - fixed non-working idle-timeout in some cases
• file - added copy, tail, head commands (CLI only)
• firewall - added "action=drop" to mangle
• firewall - improved stability for SIP helper
• firewall - matcher "in-bridge-port" does not require "use-ip-firewall=yes"
• graphing - improved service stability when storing data
• hardware - report the correct state of PCI devices in "/system/resource/hardware" menu
• health - hide health menu for RB951ui-2nD
• ike2 - fixed child SA cleanup during flush operation
• ike2 - fixed pending responder connection cleanup after peer removal
• ike2 - fixed SA delete handling on initiator during rekey
• ike2 - improved HMAC size validation checks
• interface - show warning when same MAC address is used on more than one virtual interface
• iot - added LoRa Tx delay setting
• iot - added MQTT subscribe message real-time monitoring option
• iot - added Wiliot support
• iot - fixed LoRa LBT issues, which caused Tx packets not getting delivered
• iot - fixed LoRa lockpack preventing lock from applying
• iot - improved LoRa stability
• iot - improved LoRa Tx handling
• iot - improved LoRa Tx scheduling
• ip - added IPv6 and VRF support for reverse-proxy
• ip - added SNI logging for reverse-proxy
• ip - fixed hanging connections for reverse-proxy
• ip-settings - added ipv4-fragment-time and ipv4-high-fragment-thresh settings, use default values based on total device memory
• ipip - disabled IPv6 link-local address generation
• ippool - fixed issue when changing pool with already used addresses
• ippool6 - allow variable length pool
• ippool6 - properly follow pool changes for already used prefixes
• ipsec - added netlink-based SA and policy handling
• ipsec - fixed SA proto parameter conversion and policy "none" type handling
• ipsec - improved NAT encapsulation parameter forwarding
• ipsec – fixed expired SA handling to prevent “no such item” errors during listing
• ipv6 - added from-pool-policy address property that controls how address is acquired from the pool
• ipv6 - added without-acquire address property
• ipv6 - always ensure that prefix length matches the one given by the pool even if address was set to 0
• ipv6,ra - added option to ignore MTU and DNS servers
• ipv6,ra - added router-advertisement-route-distance setting
• ipv6,ra - allow receiving DNS servers over multiple interfaces
• ipv6,ra - clamp valid-lifetime to minimum of 2h on deprecation
• ipv6,ra - extend processed RA logging
• ipv6,ra - fixed advertised DNS parameter logging
• ipv6,ra - fixed changing default "all" interface configuration
• ipv6,ra - fixed DNS and pref64 property unset
• ipv6,ra - fixed sending only DNS or MTU when prefix is set to "none"
• ipv6,ra - improved service stability
• ipv6,ra - warn when interface is under the bridge
• isis - allow to configure metric-type
• l3hw - added HW offloaded VRF support on CRS8xx switches
• l3hw - added VRF assignment via switch ACL rules on CRS8xx switches (CLI only)
• l3hw - fixed VXLAN packet matching by local IP
• leds - added new PoE fault LED cases (bad fw, PoE card power cable disconnected, PoE card not inserted)
• leds - fixed power LED turning off while LTE interface is inactive (introduced in v7.22)
• log - added "discover" topic and log events for discovered local DNS entries
• log - added CC option for e-mail action
• log - added ssld error logging
• log - added TLS support
• lte - added fast SIM switchover support using AT channel for MBIM modems without MBIM_CID_MS_UICC_RESET firmware support
• lte - configure IP address for AT modems even if no DNS is received from the network
• lte - delete CID profiles one by one instead of "delete all" for QMI modems, as command does not work for all modems
• lte - do not duplicate primary-band also in ca-band for QMI modems in 5G SA network
• lte - do not reconfigure modem in passthrough mode if passthrough cannot be activated because of slave interface
• lte - emit RS every 60s on LTE interface
• lte - filter packets by MAC in multi-apn setup for EC200A-EU modem
• lte - fixed automatic modeswitch for "Chateau 5G R16" and "Chateau 5G"
• lte - fixed broken network scan after being interrupted by reconfiguration
• lte - fixed operator setting for QMI modems
• lte - fixed rare cases where the Tx queue could stop and never wake up on multi-core CPU devices
• lte - fixed RSSI signal monitor for 3rd party modems where AT+CSQ responses are not parsed
• lte - fixed user set MTU not applied to LTE interface
• lte - improved system stability for devices with QMI modems
• lte - improved system stability when modem configured in passthrough mode with VLANs for "Chateau 5G R16" and "Chateau 5G"
• lte - improved system stability
• lte - improvements for passthrough mode in IPv6 only setup
• lte - keep MAC persistent across reboots for QMI modems
• lte - read subscriber number also for QMI modems
• lte - removed LTE external-antenna scan
• lte - set SMS send timeout to 180s
• lte - show external-antenna as "none" before actual scan is done instead of empty value
• lte - show MTU as "auto" also on interface level if "auto" used
• lte - SIMCom modems, skip error state when modem sends improperly formatted CREG response/URC
• lte - stop network scan on interruption for QMI modems
• lte - unify "modem-init" for all driver types
• macsec - added aes-gcm-xpn-128 cipher support
• netwatch - fixed memory leak when using HTTP/HTTPS GET probe with invalid src-address
• ospf - allow adding interface configuration manually, bypassing interface-template
• ospf - change virtual link configuration to use OSPF interface directly
• ospf - fixed missing interface-template configuration which previously was converted by upgrading from RouterOS v6
• ospf - fixed nssa bit check
• ospf - fixed routes not being installed on ABRs
• pimsm - do not ignore priority when selecting RP from BSR
• pimsm - fixed possible BSR loop
• pimsm - improved stability
• ping - resolve domain name to IPv6 if src-address is IPv6 address
• ping - show time in microseconds for flood-ping
• poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces)
• port - added support for "tcp-client" and "udp" modes for "remote-access"
• port - expose RG650E-EU diagnostics channel
• port - remove unused serial port on RB1100AHx4
• pppoe - do not reset pppoe-client interface when adding a comment
• ptp - added support for CRS812, CRS804
• ptp - fixed crash during initialization on some devices
• qos-hw - added automap setting to QoS Profiles (enabled by default)
• qos-hw - added ECN and PFC support on CRS8xx
• qos-hw - added new default "auto" value to mirror-buffers, multicast-buffers, shared-buffers QoS Settings (old defaults are shown in export after upgrade)
• qos-hw - added queueX-byte-max stats to port usage on CRS8xx
• qos-hw - fixed CPU traffic mapping to queues on CRS8xx switches
• qos-hw - introduced lossless-traffic-class and lossless-buffers settings
• qos-hw - removed shared-pool-index setting
• route - fixed link-local interface check when resolving IPv6 nexthops
• route - revert to old routing rule priorities for containers (introduced in v7.22)
• routerboot - fixed Netinstall failure when using multiple partitions on AL73400, AL52400, AL32400 CPUs ("/system routerboard upgrade" required)
• sftp - fixed path canonicalization request
• smb - do not start /ip smb server on container interfaces
• sniffer - added IP ECN field
• sniffer - fixed missing VLAN tag in the TZSP packets
• snmp - added missing BRIDGE-MIB OIDs (dot1dBaseNumPorts, dot1dBaseType, dot1dStpDesignatedRoot, dot1dStpPortDesignatedBridge, dot1dStpRootCost, dot1dStpRootPort, dot1dStpHoldTime, dot1dStpBridgeMaxAge, dot1dStpBridgeHelloTime, dot1dStpBridgeForwardDelay, dot1dStpPortForwardTransitions, dot1dTpAgingTime)
• snmp - added missing LLDP-MIB OIDs (lldpMessageTxInterval, lldpMessageTxHoldMultiplier, lldpLocManAddrTable)
• snmp - enforce minimum password length
• snmp - fixed compliance of LLDP-MIB lldpRemManAddrTable
• snmp - fixed connection tracking counter OID
• snmp - fixed dot1dStpPortDesignatedPort, dot1dStpPortDesignatedRoot OIDs
• snmp - fixed ifSpeed and ifHighSpeed OIDs for 802.3ad and balance-xor bonding interfaces
• snmp - fixed lldpLocSysDesc OID
• snmp - implemented LTE firmware upgrade option
• snmp - use "/ip/neighbor/lldp" for lldpRemTable and lldpRemManAddrTable (fixes lldpRemTable showing neighbors discovered by MNCP or CDP)
• ssh - do not advertise password login method when it is disabled
• ssh - improved host resolve error logging
• switch - fixed issue with MAC table for RB2011 (introduced in v7.21)
• switch - fixed missing ethernet counters for non-running interfaces on CRS8xx switches (introduced in v7.22)
• switch - improved FDB operations on QCA8337, Atheros8327
• switch - rework how IEEE reserved MAC addresses are handled on QCA8337, Atheros8327
• switch - updated switch-marvell.npk driver
• switch - use names instead of numbers in switch menu configuration export
• system - improved handling of HTTP/2 connection closure
• system - improved RouterOS package download over slow connection
• system - improved switching to HTTP/1 if HTTP/2 is not supported by remote host
• system - keep HTTP/2 connection open if it is not closed by system or server
• system - make default identity based on board name
• timezone - updated timezone information from "tzdata2026b" release
• upgrade - added the option to configure HTTP/HTTPS modes when connecting to MikroTik upgrade servers
• upgrade - changed status message for scheduled installs
• upgrade - check for available packages when opening System/Packages in GUI
• usb - added ax88179_178a driver
• usb - improved USB Ethernet adapter recognition
• usb - show USB device reported maximum power
• user-manager - improved stability when removing user-profile while session updates counters
• veth - fixed link-local address not being configurable as a gateway
• vxlan - fixed fast-path when using "checksum=no" (introduced in v7.20)
• vxlan - improved system stability
• webfig - added postfix byte value support (e.g. "/ip/settings/ipv4-high-fragment-thresh")
• webfig - added support for filter in tables
• wifi - improved interface provisioning for WiFi 7 access points
• wifi - improved on-capsman traffic processing
• wifi-mediatek - fixed multicast-enhance functionality
• wifi-mediatek - fixed stability issue getting regulatory information and during initialization
• wifi-qcom-be - fixed incorrect channel info for punctured channels
• wifi-qcom-be - fixed stability issue during initialization
• wifi-qcom-be,mediatek - correctly advertise RRM capabilities when 802.11k neighbor reports are enabled
• winbox - added "MLD Static" and "MLD Datapath" properties under the "WiFi/CAP" menu
• winbox - added "Multipath" property under the "Routing/BGP/Instance" menu
• winbox - added “Remove” action under "System/Certificates/Requests" menu
• winbox - added comment for DHCPv6 relay
• winbox - added group numbers for DH and PFS groups for IPsec
• winbox - allow setting "CAPsMAN address" for CAP as domain name
• winbox - do not accept interface without specifying IP or MAC in "Ping To" field
• winbox - improved "External Antenna" property display
• winbox - improved Routing/PIM SM menu
• winbox - move bridge IGMP Snooping checkbox to IGMP tab
• winbox - rename DHCPv6 server binding "Peer Address" to "Client Address"
• winbox - show "Directory URL" field for ACME certificates in Certificate view
• winbox - show "IPv6 Address" property by default under the "IP/Neighbors" menu
• winbox - show accepted connections in tree view under "IP/Services" menu
• winbox - updated socksify icon for firewall NAT rules
• wireguard - improved system stability
• www - added partial content (HTTP 206) support
• www - improved REST API user cache processing
• www - improved system stability
• zerotier - switch to 1.14.2 version