What's new in 7.21beta2 (2025-Oct-06 16:06):

*) arm64 - allow enabling receive packet steering on /system/resource/irq/rps menu in order to overcome unbalanced CPU load;
*) bgp - added output.network-blackhole setting;
*) bgp - allow duplicate router-ids for eBGP sessions (RFC-6286);
*) bgp - always advertise extended nexthop cap for all supported address families;
*) bgp - do not allow iBGP with non-equal ASNs;
*) bgp - do not auto-generate blackhole routes by default (introduced in v7.20);
*) bgp - fixed inactive flag in GUI after instance disable/enable;
*) bgp - fixed route refresh subcode 0 warning;
*) bgp - fixed selection of received BGP VPN routes;
*) bgp - implement RFC 9234 route leak prevention and detection using roles;
*) bonding - added lacp-system-id and lacp-system-priority settings;
*) bonding - fixed lacp-mode=passive;
*) bonding - improved stability for 802.3ad LACP;
*) bridge - fixed filter and NAT matching with "mac-protocol=length";
*) bridge - fixed missing local MAC after changing protocol-mode setting;
*) bridge - fixed static host and MDB entry updates on VLAN add/remove;
*) bridge - improved DHCP Option 82 values (circuit-id:"interface-name:vid", remote-id:"bridge MAC address");
*) bridge - improved stability after failed protocol-mode=mstp change;
*) bth - added file-share link preview;
*) bth - fixed big file upload;
*) bth - fixed file-share expire after reboot;
*) certificate - added SHA384, SHA512 support for SCEP;
*) certificate - allow ca-crl-host parameter for issued certificates;
*) certificate - improved Let's Encrypt logging;
*) certificate - on certificate import, added the "issued" flag if the certificate store contains the imported certificate's CA and its private key;
*) certificate - refactored Certificate internal processes;
*) chr - fixed guest OS type "Other Linux (64-bit)";
*) console - added "mvrp" to mac-protocol setting;
*) console - added changelog to /system/package/update/check-for-updates;
*) console - added delimiter parameter to :toarray command;
*) console - added reset command to settings directories;
*) console - added sensitive flag to QR code in WireGuard "show-client-config";
*) console - added show-sensitive option for print command, hide sensitive settings in print output by default;
*) console - do not set values when "setup" command is interrupted;
*) console - fixed :convert from=num on MIPSBE;
*) console - fixed ".id" printing when using "group-by" (introduced in v7.20);
*) console - fixed "special-login" setting incorrect channel;
*) console - fixed autocomplete in fullscreen editor to append tabs, spaces, etc;
*) console - fixed ip6-prefix visual representation;
*) console - fixed relative path printing (introduced in v7.20);
*) console - improved help for address arguments;
*) console - improved printing visuals (column layout and paging);
*) console - improved stability;
*) console - remove unnecessary commands from /ip/hotspot/active menu;
*) console - removed /quickset menu;
*) console - return error values for certain commands if action failed (e.g. /system/routerboard/upgrade);
*) console - show fullscreen script editor completions above hintbar;
*) console - updated "Change your password" to "Change your password (Ctrl-C to skip)";
*) container - added "/app" menu for simple containerized app installation (requires "container" package);
*) container - added CPU usage;
*) container - added hosts setting;
*) container - added kill command to send signals (CLI only);
*) container - added option to limit CPUs used by containers;
*) container - added root dir size;
*) container - added run command to allow interactive mode (CLI only);
*) container - added stop-time setting;
*) container - added update command (CLI only);
*) container - allow to configure extra ENV variables directly in container;
*) container - allow to disable/enable envs and mounts;
*) container - allow to specify mounts directly in container;
*) container - calculate volume sizes;
*) container - convert container mounts setting to mountlists, old mount name becomes list name, list name can map to multiple mounts;
*) container - enable relevant kernel features to support more container apps;
*) container - fixed error for starting container which consists of large number of layers;
*) container - fixed extract issues;
*) container - fixed VETH when using long interface name;
*) container - have per container layer-dir setting to be able to have separate layer stores for different sets of containers;
*) container - improved stability and fixed other issues;
*) container - show detailed import status, helps understand long imports;
*) container - show image-id field (CLI only);
*) container - store image import data (allows keeping container after netinstall);
*) detnet - do not try detection on slave interfaces;
*) detnet - fixed unnecessary process starting even when feature is not enabled;
*) dhcp - allow to set other gateway types not just IP for dhcp lease "routes" parameter;
*) dhcp-server - added "support-broadcom-tr101" setting to pass additional Option 82 suboptions to RADIUS server;
*) dhcp6-server - attempt to extract MAC from DUID for dual-stack purposes when client uses DUID-EN type of DUID;
*) dhcpv4-client - don't stop client on unsuccessful client option value change;
*) dhcpv4-server - added setting allowing to select client-id, MAC address or both for dynamic lease addition;
*) dhcpv4-server - improved logging;
*) dhcpv4-server - improved setup wizard prompts relating to DNS;
*) dhcpv4-server - respond with hlen 0 when htype is 8;
*) dhcpv4-server - send RADIUS Accounting Stop messages when interim-update is zero;
*) dhcpv6 - improved console hints;
*) dhcpv6-client - do not show I flag for disabled client;
*) dhcpv6-client - fixed misleading "couldn't acquire address, continue with prefix only" error when prefix is not even requested;
*) dhcpv6-relay - added "about" error message option;
*) dhcpv6-relay - enable configuration of options that are added to relayed DHCPv6 requests;
*) dhcpv6-server - added accounting to use-radius setting, similar to DHCPv4 server;
*) dhcpv6-server - improved event logging messages;
*) dhcpv6-server - improved service stability when receiving DHCP requests for PPP service clients without included IA_PD;
*) dhcpv6-server - include traffic usage statistics when accounting is stopped due to binding expiry and removal;
*) discovery - correctly report PoE dual signature per-pair class;
*) discovery - fixed MNDP IPv6 status reporting;
*) discovery - send out neighbor discovery immediately on IPv4/IPv6 changes;
*) disk - added nvme-tcp-server-nqn setting to be able to explicitly configure NQN, will default to "nqn.2000-02.com.mikrotik:slot" for new configurations;
*) disk - allow ":" and "." in slot name;
*) disk - allow only lowercase chars in iscsi-server-iqn;
*) disk - allow to have type=file devices without rose-storage (needed for file based swap);
*) disk - allow to set smb-share only for type=smb;
*) disk - consolidate client states into single field, as each item can be only one type of "client";
*) disk - do not allow setting raid-master when have filesystem;
*) disk - do not allow starting Btrfs replace when replace is suspended;
*) disk - do not delete partition configs on device remove and eject (fixes lost config with unstable hardware);
*) disk - fixed for SMB mount to be writable by container;
*) disk - fixed iscsi client;
*) disk - fixed iscsi export disable;
*) disk - fixed issue with double "/" in SMB share path for some clients;
*) disk - fixed SATA eject/scan;
*) disk - fixed write RAID superblock;
*) disk - improved cleanup order to avoid waiting for timeouts on shutdown;
*) disk - improved RDS2216 SATA controller;
*) disk - improved system stability;
*) disk - rename nvme-tcp client name to nqn everywhere symmetrically with server;
*) disk - show NVMe critical warnings;
*) disk - unshare iscsi and nfs client/server ids, add iscsi-server-iqn;
*) disk - update interface type/speed after scan;
*) disk - use default label when nothing specified when formatting from WinBox;
*) dns - added VRF support for ":resolve" command;
*) dns - added VRF support for DNS servers;
*) email - return all errors to console when executed from console;
*) eoipv6,gre6,ipip6 - added "dont-fragment" setting and allow packet fragmentation for packet sizes exceeding underlay interface MTU;
*) ethernet - added "unsupported speed" for forced 1Gbps modes;
*) ethernet - change default L2MTU 1518 to 1596 for RB5009;
*) ethernet - fixed 2.5G-baseT link-partner-advertising on RB5009, hAP ax3, Chateau ax devices;
*) evpn - fixed Ethernet Segment (ES) routes;
*) fetch - added "http-percent-encoding" parameter;
*) fetch - fixed http headers appearance when received payload is empty;
*) fetch - send http-data for any http method;
*) file - distinguish empty mount points from disks;
*) firewall - added "h" flag indicating that firewall service helper is applied for particular connection;
*) firewall - added support for TOS/mask matching for raw rules;
*) firewall - fixed hotspot value loss on rule enable/disable;
*) firewall - fixed strip-ipv4-options always passthrough;
*) firewall - hide hw-offload setting from devices that do not support it;
*) firewall - improved system stability and memory allocation when using firewall services;
*) firewall - make hw-offload=yes default setting in /ip/firewall/filter menu;
*) firewall - use the highest TTL as timeout value for domain address list entries if multiple domain names resolve to same IP;
*) health - upgraded fan controller firmware to latest version;
*) hotspot - added TOTP support for local hotspot users;
*) hotspot - improved system stability;
*) ike2 - adapt rekey procedure for compatibility with Libreswan;
*) iot - added mqtt disconnect/connect GUI options;
*) ip-service - do not duplicate entries for containers running in same netns;
*) ip-settings - limit IPv4/IPv6 max-neighbor-entries maximum value;
*) ippool6 - added "Valid Lifetime" and "Preferred Lifetime" options and use them when constructing IPv6 address;
*) ippool6 - fixed minor memory leak;
*) ippool6 - log address removal;
*) ippool6 - take into account "subnet-id" when specified on address;
*) ipsec - fixed CHACHA20 typo in log messages;
*) ipsec - support Post-Quantum Pre-shared Key (PPK) with QKD integration;
*) ipv6 - added "none" option for IPv6/ND/Prefix when advertising just options, not prefix;
*) ipv6 - added "self" option for IPv6/ND DNS advertise settings;
*) ipv6 - allow to specify on which interfaces to accept Router-Advertisements;
*) ipv6 - do not disable/enable Router-Advertisements functionality based on IPv6/ND configuration;
*) ipv6 - remove SLAAC installed DNS server and route on expire;
*) isis - improved stability;
*) l3hw - added per-VLAN "l3-hw-offloading" setting and "H" flag for /intervace/vlan menu;
*) l3hw - display warning when partial offloading is active (suggest users to use suppress-hw-offloading to control which routes gets HW offloaded and which are CPU processed);
*) l3hw - fixed partial offloading with /31 routes;
*) l3hw - fixed per-VLAN counters when packets are going through CPU;
*) l3hw - fixed VLAN and VXLAN counters for CRS520 device;
*) l3hw - improved stability and performance during L3HW enable with many routes;
*) l3hw - improvements and optimizations for IPv4 /32 and IPv6 /128 route offloading;
*) l3hw - prioritize local IP address over ARP/neighbor entry with same IP (fixes incorrect packet flow);
*) log - fixed ISO8601 time format;
*) log - fixed remote logging on remote-protocol configuration change;
*) log - fixed unnecessary file creation when configuring a disabled log action with "target=disk";
*) log - hide irrelevant log action parameters;
*) log - limit firewall log prefix length;
*) log - limit log socket buffer memory size;
*) lte - added "force-delete" command to allow deletion of active eSIM profiles;
*) lte - added additional logging for error reported by modem during APN profile setup;
*) lte - added command to send out EUICC generated notifications manually;
*) lte - added confirmation prompt when deleting eSIM profile (CLI only);
*) lte - added support for additional D-Link DWM-222 variation (vendor-id="0x2001" device-id="0x7e46");
*) lte - added support for additional Huawei E3372-325 variation (vendor-id="0x3566" device-id="0x2001");
*) lte - added support for R11e-LTE6 v039 firmware release and availability notification;
*) lte - ask for user confirmation before installing eSIM profile (CLI only);
*) lte - clear SIM not present error when performing modem FW upgrade;
*) lte - discontinued support for RBSXTLTE3-7, further versions will use v7.20 LTE firmware package;
*) lte - fixed cases where LTE monitor could show abnormalities;
*) lte - fixed issue with firmware update for FG621-EA modem;
*) lte - force sms-protocol to AT for FG621-EA modem;
*) lte - improved AT modems at-chat control channel handling after modem has closed AT channel unexpectedly;
*) lte - improved modem recovery for Chateau 5G and Chateau 5G R16;
*) lte - improved stability for FG621-EA modem;
*) lte - improved system stability when receiving SMS messages;
*) lte - relay EUICC generated notifications after profile enable/disable/remove/provision;
*) lte - rework multiapn support for AT modems;
*) lte - unify "SIM not present" status for all modems;
*) macsec - work on hardware-offloaded support (available only on QCA8081 PHY: RB5009, hAP ax3, Chateau ax ether1 port);
*) media - fixed console autocomplete for path parameter;
*) mpls - fixed LDP filter upgrade from v6 where neighbor parameter is not specified;
*) mpls - fixed LDP label binding if nexthop is link-local address;
*) netinstall - fixed install with old RouterBOOT;
*) ospf - changed nssa-translator default value from no to candidate;
*) ospf - improved stability;
*) ospf - show interface as separate prop for interface and neighbor;
*) ovpn-server - added support for pushing IPv6 routes;
*) poe-out - added input name hint to poe max-power settings;
*) poe-out - added LED blink on error for RB5009;
*) poe-out - firmware update for 802.3at capable boards (the update will cause brief power interruption to poe-out interfaces);
*) poe-out - firmware update for 802.3bt capable boards (the update will cause brief power interruption to poe-out interfaces);
*) poe-out - improved firmware update stability;
*) poe-out - improved power-on mechanism for 802.3at capable boards;
*) port - added comment for /port/remote-access (CLI only);
*) port - added support for additional baudrates for USB to serial adapters;
*) port - do not show serial port for ATL 5G R16;
*) port - fixed export for default serial port name;
*) port - give "gps" prefix for R11e-LR8G and R11e-LR9G GPS ports;
*) qos-hw - added "default" flags to default entries;
*) qos-hw - added "mirror-profile" which allows to select profile (traffic-class) for mirrored traffic;
*) qos-hw - always show usage and PFC counters, even when they are zero (CLI only);
*) qos-hw - fixed counters for ports that are configured with "offline" tx-manager;
*) qos-hw - fixed profile add/remove for CRS812;
*) qos-hw - fixed shared-pools for CRS812;
*) qos-hw - remove unnecessary "offline" tx-manager for CRS812 (not supported by hardware);
*) queue - improved system stability when using SFQ kind of queues;
*) quickset - fixed issue where routes set by Quickset did not appear in export;
*) route - added options in /routing/settings to adjust check-gateway=ping timers;
*) route - fixed SNMP output for ECMP routes having interface gateways;
*) route - hide suppress-hw-offload setting from devices that do not support it;
*) route - improved stability;
*) route - improved system stability with multicast routing;
*) route - make check-gateway=ping work on p2p interface gateways;
*) route - removed /routing stats mem-blocks;
*) routerboot - fixed boot MAC for CRS305-1G-4S+ and CRS328-4C-20S-4S+ switches ("/system routerboard upgrade" required);
*) sfp - expose sfp-cmis-module-state to monitor;
*) sfp - filter out non-breakout modes for breakout modules;
*) sfp - fixed combo-mode change for CRS326-4C+20G+2Q+;
*) sfp - fixed missing link up/down notifies;
*) sfp - improved initialization and linking for 25G DAC on CRS812;
*) sfp - improved system stability with some GPON modules for CRS418, CCR2004 and CCR2116 devices;
*) sfp - recognize 40G Active Cable (XLPPI);
*) sfp - remove 40G-baseCR4, 40G-baseSR4-LR4 from sfp-supported list for qsfp28-x-3 interfaces;
*) snmp - added lldpLocChassisId OID;
*) snmp - count only "bound" leases for mtxrDHCPLeaseCount OID;
*) snmp - make lldpLocPortId and lldpLocPortDesc OIDs information consistent with LLDP TLVs;
*) ssh  - renamed User SSH keys "key-owner" field to "info";
*) ssh - "always-allow-password-login" replaced with "password-authentication" in SSH settings;
*) ssh - added support for ED25519-SK keys;
*) ssh - improved logging of failed login attempts;
*) ssh - refactored SSH service internal processes;
*) supout - added info log entry when autosupout.rif is generated;
*) switch - added dynamic "copy-to-cpu" ACL rule for loop-protecct;
*) switch - automatically add local bridge MAC to switch FDB;
*) switch - improved stability on MediaTek switch chips;
*) swos - fixed "allow-from" setting for MIPSBE devices;
*) system - added disks to /system/resource/hardware list;
*) system - fixed local update package filename generation;
*) system - fixed network header offset for interfaces with MAC (fixes VRRP Tx on IGMP snooping bridge);
*) system - fixed potential configuration loss when available disk space was insufficient;
*) system - fixed saving panic logs to autosupout.rif for ARM CRS3xx devices;
*) system - improved incoming TCP connection responsiveness;
*) system - improved system stability when processing GRE packets on TILE devices;
*) system - improved system stability when using hardware-offloaded encryption on RB3011 and hAP ac2 (introduced in v7.20);
*) system - improved system stability;
*) system - limit number of interface-lists to 244;
*) tr069-client - added LTE link recovery timer setting;
*) tr069-client - allow disabling Device.WiFi.AccessPoint;
*) traffic-generator - added support for injecting pcapng files;
*) undo - do not show internally issued commands in /system/history;
*) undo - show console commands in winbox/webfig for /system/history entries;
*) usb - LTE modem and USB-Serial Controller enumeration fix;
*) usb - support video capture devices for arm64 and x86, for passthrough to containers;
*) user-manager - added RadSec support;
*) veth - add container-mac-address setting;
*) veth - added default print brief table mode;
*) veth - added dhcp setting that allows to auto-configure IPv4 address, works when VETH is bridged with other interfaces and there is a DHCP server running somewhere on that network;
*) veth - complain immediately when VETH gateway not reachable, more detailed error message when network setup fails;
*) veth - show only when container package installed;
*) vrf - added read-only property to IPv4/IPv6 addresses, ARP and IPv6 neighbor;
*) vrf - allow setting comment on default "lo" interface;
*) vrrp - do not show "ttl not 255" warning when received VRRP VRID does not match with configured VRID;
*) vrrp - fixed gratuitous ARP being sent after VRRP is disabled (fixes packet forwarding on HW offloaded bridge after VRRP is disabled);
*) webfig - added a hint for Undo/Redo buttons;
*) webfig - added Apps menu to login;
*) webfig - added capability to check/uncheck entry tree in skin designer;
*) webfig - added Copy capability;
*) webfig - added missing PPP types to Skin Designer;
*) webfig - added TCP State column for connection tracking table;
*) webfig - check if device is still reachable before disconnect on error;
*) webfig - fixed container config memory high input;
*) webfig - fixed form closing with saving when pressing Enter key (introduced in v7.20);
*) webfig - fixed interface settings and graphs (introduced in v7.20);
*) webfig - fixed issue where routes and PIM table did not load;
*) webfig - fixed issue where Torch stops running;
*) webfig - fixed name and title store in skins;
*) webfig - fixed new item window name when using skins;
*) webfig - improved container form loading performance when router has a lot of files;
*) webfig - improved mikrotik_logo.svg;
*) webfig - increase graph width for better scaling;
*) webfig - increase maximum number size in forms;
*) webfig - make close button a button instead of link;
*) webfig - make combobox accessible to screen readers;
*) webfig - remember last user in login page;
*) webfig - turn off auto-capitalize and auto-correct for on-screen keyboards;
*) wifi - added "CAP" information field on interfaces view;
*) wifi - added CAPsMAN forwarding support (datapath.traffic-processing=on-capsman);
*) wifi - enable configuration of "3gpp-info-raw" and "realms-raw" interworking parameters;
*) wifi - fixed issue when trying to use interface as bonding slave;
*) wifi - fixed multi-passphrase usage in combination with access-list;
*) wifi - fixed possible memory leak when failing to start AP on chosen channel;
*) wifi - fixed some CAPsMAN settings to be optional;
*) wifi - improved formatting of FT request action frames;
*) wifi - improved stability when capturing data at high rates with wifi sniffer;
*) wifi - increased accounting interval, maximum client entry count for 2.4GHz probe response delay feature;
*) wifi - rename ft-wpa2-eap authentication type to "ft-eap";
*) wifi - split access-list time property in days and time;
*) wifi-qcom - added Unsolicited BSS Transition Management Request support;
*) wifi-qcom - enable forcing RTS/CTS hardware protection modes;
*) wifi-qcom - improved default RTS/CTS policy for CPE station radios;
*) wifi-qcom - multicast-enhance will no longer apply for station mode configured devices;
*) winbox - added file selector for BTH files;
*) winbox - added support for new settings and fixed several existing ones;
*) winbox - Bandwith test, Speed test, Ping, Traceroute tools use RouterOS DNS service to resolve domain names;
*) winbox - fixed "Too many entries" not showing in WinBox v4;
*) winbox - fixed Disk iscsi/smb configuration;
*) winbox - fixed Disk NVMe-TCP configuration;
*) winbox - fixed Dude/Tools appearance after Apply action;
*) winbox - fixed graphs in some forms with big numbers;
*) winbox - fixed WinBox 3 application failure when opening IPv6/Firewall/Connection entry (introduced in v7.20);
*) winbox - hide IPv6 addresses for IP neighbors that no longer have them;
*) winbox - make multiple address fields required;
*) winbox - make separate inputs for WiFi Interworking "Authentication Types" and "Connection Capabilities" fields;
*) winbox - move VRF from Ethernet to generic Interface table;
*) winbox - restore route max object 10000 limit;
*) winbox - show warnings in Disk menu;
*) winbox - updated and shortened window titles (e.g. Address List -> Addresses);
*) wireguard - added VRF option (CLI only);
*) wireless - added last-ip parameter for the CAPSMAN registration-table tab;
*) www - added option to disable individual web services in /ip/service/webserver and IP>Services>Web Server;
*) www - improved stability (CVE-2025-10948);
*) www - removed ability to publish directories via "/files" www service;