Mikrotik


A community-contributed sublemmy for all things Mikrotik. General ISP and network discussion also permitted. Please ensure if you're asking a question you have checked the Wiki First: https://help.mikrotik.com

Mikrotik Rules: Don't post content that is incorrect or potentially harmful to a router/network.

This in itself is not a bannable offence, but answers that are verifiably incorrect or that will cause issues for other users will be edited or removed.

Examples:
  • Factual errors - "EOIP is always unsecure"
  • Configuration problems - Config that would disable all physical interfaces on a router
  • Trolling - "Downgrade it to 5.26"

founded 1 year ago
26

I bought a mAP lite to hook up to my POE security camera (that's DC powered) so I didn't have to run ethernet cable in my attic. I'm configuring the mAP lite with it plugged into my laptop, but I did try it directly connected to my router. I've searched and searched, and I think I've gotten close to how to set it up, but I still need help.

In the web portal I choose the CPE option, join the wifi network, switch to bridge mode, then apply the static IP settings and hit apply. Every time, it changes back to router mode and everything on my network joins the 192.168.88.0/24 network, even though my Mikrotik RB5009UPr+S+in (the POE home lab one) is already set up and running.

I am still using my old TP-link router as an AP until I get around to installing my cAP ax, so I know I need to use the pseudo station option for now.

Any help on getting this set up would be great.

27
9
submitted 1 year ago* (last edited 1 year ago) by rayman30 to c/mikrotik

This is a collection of videos that explores a variety of topics around creating scripts for the MikroTik platform. It includes step-by-step lessons and tutorials showing you how to create your own MikroTik scripts.

The videos presented provide a hands-on, learn-by-example approach rather than being formal-training style presentations. They dip into various scripting topics as we meet them using real-world scripting examples.

28

Up until version 6.49.8 (July 20, 2023), MikroTik RouterOS Long-term was vulnerable to CVE-2023-30799. Remote and authenticated attackers can use the vulnerability to get a root shell on the router.

29
6
submitted 1 year ago* (last edited 1 year ago) by rayman30 to c/mikrotik
  • certificate - allow to import certificate with DNS name constraint
  • certificate - require CRL presence when using "crl-use=yes" setting;
  • conntrack - fixed "active-ipv4" property;
  • console - added ":convert" command;
  • dhcp-server - fixed setting "bootp-lease-time=lease-time";
  • ike2 - log "reply ignored" as non-debug log message;
  • modem - added initial support for BG77 modem DFOTA firmware update;
  • modem - changed Quectel EC25 portmap to expose DM (diag port), DM channel=0, GPS channel=1;
  • ovpn - do not try to use the "bridge" setting from PPP/Profile, if the OVPN server is used in IP mode (introduced in v7.10);
  • ovpn - improved key renegotiation process;
  • ovpn - include "connect-retry 1" and "reneg-sec" parameters into the OVPN configuration export file;
  • routerboot - increased etherboot bootp timeout to 40s on MIPSBE and MMIPS devices ("/system routerboard upgrade" required);
  • ssh - fixed private key import (introduced in v7.9);
  • user - added "sensitive" policy requirement for SSH key and certificate export;
  • webfig - fixed gray-out italic font for entries after enable
30

MikroTik RouterOS ships with a default firewall configuration that provides basic protection out of the box. For a new user, understanding these default rules is essential to judging how much protection the router gives before any changes are made. This guide walks through the default rules and shows how to read them, so you can check that your network's security is where you want it.

Accessing the Firewall Configuration

To access the firewall configuration in MikroTik RouterOS, follow these steps:

Step 1: Log in to the MikroTik RouterOS web interface (WebFig), open a terminal in WinBox, or connect via SSH. Telnet also works but sends your credentials in clear text; prefer SSH, and disable the management services you do not use under /ip service.

Step 2: List the filter rules by entering the following command in the terminal:

    /ip firewall filter print

Interpreting Default Firewall Rules

The command prints each rule as a numbered entry followed by its properties in key=value form. Rules created by the default configuration carry a comment beginning with "defconf:" and match on interface lists rather than on addresses. The properties you will meet most often:

Properties:

  • chain: where in the router's packet path the rule is evaluated: input (traffic addressed to the router itself), forward (traffic routed through the router) or output (traffic the router originates).
  • in-interface-list / out-interface-list: the interface list the packet arrived on or leaves through; the default configuration places the upstream port in WAN and the bridge of local ports in LAN.
  • connection-state: the connection-tracking state of the packet (new, established, related, invalid or untracked).
  • src-address / dst-address: the source or destination IP address or range; the default rules use these only for the loopback exception.
  • protocol: the IP protocol (tcp, udp, icmp, ...); when absent the rule matches any protocol.
  • action: what happens on a match (accept, drop, reject, fasttrack-connection and others).
  • comment: an optional description of the rule.

Default Input Chain Rules

The input chain protects the router itself, and the default configuration uses several rules rather than one. In order, they accept packets belonging to established, related or untracked connections (so replies to traffic the router started get in), drop packets whose connection-tracking state is invalid, accept ICMP, accept traffic to the loopback address 127.0.0.1 (used by CAPsMAN), and finally drop everything that did not arrive on an interface in the LAN interface list. That last rule is what keeps WinBox, SSH, the web interface and every other router service unreachable from the WAN. It matches all packets, not only new connections, which is safe because replies were already accepted by the established/related rule above it.

Example Default Input Chain Rule (the final catch-all; the rule number is its position in your list and may differ):

4   ;;; defconf: drop all not coming from LAN
    chain=input action=drop in-interface-list=!LAN

Default Forward Chain Rules

The forward chain controls traffic routed through the router between networks, typically LAN to WAN and back. The default rules accept IPsec-policy traffic in both directions, fasttrack and then accept established, related and untracked connections, drop invalid packets, and finally drop every new connection arriving from the WAN interface list unless it has been destination-NATed (that is, unless a dst-nat rule deliberately forwards a port to an inside host). New connections from the LAN are not matched by that drop and are forwarded normally. Note that the match is on in-interface-list=WAN: negating it, as in in-interface=!yourWANinterface, would do the opposite and block the LAN while leaving the WAN open.

Example Default Forward Chain Rule (the final catch-all):

10  ;;; defconf: drop all from WAN not DSTNATed
    chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Default Output Chain

The default configuration contains no rules in the output chain. A chain with no matching rule accepts the packet, so traffic the router itself originates (DNS lookups, NTP, package downloads, its own VPN tunnels) is allowed without any explicit rule.

Example: printing only the output chain (/ip firewall filter print where chain=output) on a stock configuration returns nothing.

Enhancing Firewall Rules

To go beyond the defaults, add your own rules: for example, limit management access to an address list, drop or log traffic to services you do not expose, or apply Layer 7 protocol filtering. Two practical caveats. First, the default rules identify LAN and WAN by interface list, so every interface you add later (a VLAN, a second bridge, a VPN interface) must be placed in the right list under /interface list member; an interface in neither list is dropped by the input chain but is not matched by the forward-chain WAN drop, so traffic from it is forwarded unfiltered. Second, Layer 7 matchers are regular expressions run over the first packets of a connection; they cost CPU on small routers and see little inside TLS beyond the handshake, so prefer address lists, ports and connection states wherever they suffice.

Understanding the default firewall rules in MikroTik RouterOS is the starting point for assessing your network's protection. Once you can read them, you can judge what the default configuration already blocks and add custom rules, address lists and connection-tracking matches where your own requirements demand more.
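The following script is an added example, not part of the guide above and not MikroTik code: it parses the firewall and interface-list sections of a RouterOS /export and checks for the defconf protections just described (the established/related accept, the drop of invalid packets, the input catch-all and its position, the forward-chain WAN drop) plus the interface-list gotcha. The sample export is constructed for the example; its firewall lines mirror the stock v7 defconf rules, but compare them with your own export rather than trusting this copy. Menu paths and property names are RouterOS's own; the function names belong to the example.

```python
"""Added example: audit the firewall section of a RouterOS /export for the defconf
protections described in the guide. Not MikroTik code; menu paths and property names
are RouterOS's own, everything else (function names, sample data) is this example's."""
import shlex

# Constructed sample: the relevant parts of an /export from a router that kept the stock
# defconf firewall (these lines mirror the v7 default configuration; compare with your own
# export) and later added a VLAN interface without putting it in the LAN or WAN list.
SAMPLE_EXPORT = """\
/interface vlan
add interface=ether2 name=vlan10 vlan-id=10
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""


def parse_export(text):
    """Map each menu path ('/ip firewall filter') to its 'add' entries as property dicts."""
    menus, menu = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
            continue
        tokens = shlex.split(line)  # honours the quoting of comment="..."
        if menu is None or tokens[0] != "add":
            continue
        menus[menu].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return menus


def without_rule(text, comment_fragment):
    """Copy of the export with every line whose comment contains the fragment removed."""
    return "\n".join(line for line in text.splitlines() if comment_fragment not in line)


def audit(text):
    """Return a list of findings; an empty list means every defconf protection is present."""
    cfg = parse_export(text)
    rules = cfg.get("/ip firewall filter", [])
    findings = []

    def in_chain(name):
        return [(i, r) for i, r in enumerate(rules) if r.get("chain") == name]

    for name in ("input", "forward"):
        rs = in_chain(name)
        if not any(r.get("action") == "accept" and "established" in r.get("connection-state", "")
                   for _, r in rs):
            findings.append(f"{name}: no accept for established/related connections")
        if not any(r.get("action") == "drop" and r.get("connection-state") == "invalid" for _, r in rs):
            findings.append(f"{name}: no drop for connection-state=invalid")

    # The input catch-all must drop everything not from LAN and sit after the accepts.
    inp = in_chain("input")
    catch = [i for i, r in inp if r.get("action") == "drop" and r.get("in-interface-list") == "!LAN"
             and "connection-state" not in r]
    if not catch:
        findings.append("input: no 'drop all not coming from LAN' rule; router services are reachable from WAN")
    elif any(i > catch[0] and r.get("action") == "accept" for i, r in inp):
        findings.append("input: accept rules after the catch-all drop never match")

    if not any(r.get("action") == "drop" and r.get("in-interface-list") == "WAN"
               and r.get("connection-nat-state") == "!dstnat" for _, r in in_chain("forward")):
        findings.append("forward: no 'drop all from WAN not DSTNATed' rule; WAN can open connections to LAN hosts")

    # Interfaces in neither list: input treats them as !LAN (dropped), but the forward
    # WAN drop does not match them, so traffic they originate is forwarded unfiltered.
    listed = {m.get("interface") for m in cfg.get("/interface list member", [])}
    for vlan in cfg.get("/interface vlan", []):
        if vlan.get("name") not in listed:
            findings.append(f"interface {vlan['name']} is in neither LAN nor WAN list; forwarded traffic from it is unfiltered")
    return findings


if __name__ == "__main__":
    for export in (SAMPLE_EXPORT, without_rule(SAMPLE_EXPORT, "drop all from WAN not DSTNATed")):
        print(audit(export) or ["ok"])
```

Run against the sample, the only finding is the unlisted vlan10; remove the WAN drop rule with without_rule and the audit reports the exposed forward chain as well. Feed it the output of /export from your own router to check a configuration you have edited by hand.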

31
3
Containers (self.mikrotik)
submitted 1 year ago by wisefoolkp to c/mikrotik

Is it now possible to deploy containers in mipsbe arch?

32

While RouterOS is pretty complete, sometimes a few handy scripts can be useful for configuring certain things on your firewall / router. The linked repository holds a number of scripts to manage RouterOS devices or extend their functionality.

Find and remove access list duplicates
Upload backup to Mikrotik cloud
Send backup via e-mail
Save configuration to fallback partition
Upload backup to server
Download packages for CAP upgrade from CAPsMAN
Run rolling CAP upgrades from CAPsMAN
Renew locally issued certificates
Renew certificates and notify on expiration
Notify about health state
Notify on LTE firmware upgrade
Notify on RouterOS update
Collect MAC addresses in wireless access list
Use wireless network with daily psk
Comment DHCP leases with info from access list
Create DNS records for DHCP leases
Automatically upgrade firmware and reboot
Download, import and update firewall address-lists
Wait for global functions and modules
Send GPS position to server
Use WPA2 network with hotspot credentials
Create DNS records for IPSec peers
Update configuration on IPv6 prefix change
Manage IP addresses with bridge status
Run other scripts on DHCP lease
Manage LEDs dark mode
Forward log messages via notification
Mode button with multiple presses
Manage DNS and DoH servers from netwatch
Notify on host up and down
Visualize OSPF state via LEDs
Manage system update
Run scripts on ppp connection
Act on received SMS
Forward received SMS
Play Super Mario theme
Chat with your router and send commands via Telegram bot
Install LTE firmware upgrade
Update GRE configuration with dynamic addresses
Update tunnelbroker configuration

The scripts come highly recommended.

33
5
7.11beta5 released (lemmy.world)
submitted 1 year ago by rayman30 to c/mikrotik

What's new in 7.11beta5 (2023-Jul-17 10:07):

Changes in this release:

*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bth - added "Back To Home" VPN service for 802.11ax devices with wifiwave2 package;
*) console - fixed incorrect date when printing "value-list" with multiple entries;
*) console - improved stability when using fullscreen editor;
*) container - added IPv6 support for VETH interface;
*) container - adjust the ownership of volume mounts that fall outside the container's UID range;
*) hotspot - allow number as a first symbol in the Hotspot server DNS name;
*) lora - added uplink message filtering option using NetID or JoinEUI;
*) qos-hw - keep VLAN priority in packets that are sent from CPU;
*) resource - fixed erroneous CPU usage values;
*) sfp - reduce CPU load due to SFP interface handling for CCR2116, CCR2216, CCR2004-12S+2XS, CRS312, CRS518 devices (introduced in v7.9);
*) webfig - fixed "Connect To" configuration changes for L2TP client;
*) wifiwave2 - automatically add wifi interfaces to appropriate bridge VLAN when wireless clients with new VLAN IDs connect;
*) wifiwave2 - fixed multicast frame delivery (introduced in v7.11beta2);
*) wifiwave2 - fixed registration table statistics (introduced in v7.11beta4);

Other changes since v7.10:

*) api - disallow executing commands without required parameters;
*) bfd - fixed "actual-tx-interval" value and added "remote-min-tx" (CLI only);
*) bluetooth - added "decode-ad" command for decoding raw Bluetooth payloads (CLI only);
*) bluetooth - added "Peripheral devices" section which displays decoded Eddystone TLM and UID, iBeacon and MikroTik Bluetooth payloads;
*) bluetooth - added new AD structure type "service-data" for Bluetooth advertisement;
*) bridge - added more STP-related logging;
*) bridge - fixed MSTP BPDU aging;
*) bridge - fixed MSTP synchronization after link down;
*) bridge - prevent bridging the VLAN interface created on the same bridge;
*) certificate - fixed PEM import;
*) certificate - restored RSA with SHA512 support;
*) console - added default value for "rndstr" command (16 characters from 0-9a-zA-Z);
*) console - fixed incorrect default value of ":return" command (introduced in v7.11beta2);
*) console - fixed minor typos;
*) console - fixed missing "parent" for script jobs (introduced in v7.9);
*) console - fixed missing return value for ping command in certain cases;
*) console - fixed printing interval when resizing terminal;
*) console - improved flag printing in certain menus;
*) console - improved stability and responsiveness;
*) console - improved timeout for certain commands and menus;
*) console - improved VPLS "cisco-id" argument validation;
*) container - added option to use overlayfs layers;
*) container - fixed duplicate image name;
*) discovery - fixed "lldp-med-net-policy-vlan" (introduced in v7.8);
*) dns - improved system stability when processing static DNS entries with specified address-list;
*) ethernet - improved interface stability for CRS312 device;
*) fetch - improved timeout detection;
*) firewall - added warning when PCC divider argument is smaller than remainder;
*) firewall - fixed mangle "mark-connection" with "passthrough=yes" rule for TCP RST packets;
*) graphing - added paging support;
*) health - added more gradual control over fans for CRS3xx, CRS5xx, CCR2xxx devices;
*) health - fixed configuration export for "/system/health/settings" menu;
*) ike2 - improved system stability when closing phase1;
*) ike2 - improved system stability when making configuration changes on active setup;
*) ipsec - improved IKE2 rekey process;
*) ipsec - properly check ph2 approval validity when using IKE1 exchange mode;
*) l3hw - changed minimal supported values for "neigh-discovery-interval" and "neigh-keepalive-interval" properties;
*) l3hw - fixed /32 and /128 route offloading after nexthop change;
*) l3hw - fixed incorrect source MAC usage for offloaded bonding interface;
*) l3hw - improved system responsiveness during partial offloading;
*) l3hw - improved system stability during IPv6 route offloading;
*) l3hw - improved system stability;
*) led - fixed manually configured user LED for RB2011;
*) leds - blink red system-led when LTE is not connected to the network on D53 devices;
*) leds - fixed system-led color for "GSM EGPRS" RAT on D53 devices;
*) lora - added new EUI field;
*) lora - moved LoRa service to IoT package;
*) lora - properly apply configuration changes when multiple LoRa cards are used;
*) lora - updated LoRa firmware for R11e-LR8, R11e-LR9 and R11e-LR2 cards;
*) lte - added "at-chat" support for Dell DW5821e-eSIM modem;
*) lte - added extended support for Neoway N75 modem;
*) lte - fixed Dell DW5221E "at-chat" support;
*) lte - fixed NR SINR reporting for Chateau 5G;
*) lte - fixed Telit LE910C4 "at-chat" support;
*) lte - improved initial interface startup time for SXT LTE 3-7;
*) lte - only listen to DHCP packets for LTE passthrough interface in auto mode when looking for the host;
*) mpls - improved MPLS TCP performance;
*) mqtt - added more MQTT publish configuration options;
*) mqtt - added new MQTT subscribe feature;
*) netwatch - added "src-address" property;
*) netwatch - changed "thr-tcp-conn-time" argument to time interval;
*) ovpn - fixed OVPN server peer-id negotiation;
*) ovpn - fixed session-timeout when using UDP mode;
*) ovpn - properly close OVPN session on the server when client gets disconnected;
*) package - treat disabled packages as enabled during upgrade;
*) poe - fixed missing PoE configuration section under specific conditions;
*) pppoe - fixed PPPoE client trying to establish connection when parent interface is inactive;
*) profile - added "container" process classifier;
*) profile - properly classify "console" related processes;
*) quickset - correctly apply configuration when using "DHCP Server Range" property;
*) rose-storage - added "scsi-scan" command (CLI only);
*) rose-storage - added disk stats for ramdisks;
*) rose-storage - fixed RAID 0 creation;
*) rose-storage - limit striped RAID element size to smallest disk size;
*) route - added comment for BFD configuration (CLI only);
*) route - convert BFD timers from milliseconds to microseconds after upgrade;
*) routerboard - fixed "gpio-function" setting on RBM33G ("/system routerboard upgrade" required);
*) routerboard - improved RouterBOOT stability for Alpine CPUs ("/system routerboard upgrade" required);
*) routerboard - removed unnecessary serial port for netPower16P and hAP ax lite devices ("/system routerboard upgrade" required);
*) sfp - improved interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 based switches;
*) sfp - improved optical QSFP interface handling for 98DX8332, 98DX3257, 98DX4310, 98DX8525 switches;
*) ssh - fixed user RSA private key import;
*) switch - fixed "reset-counters" for "switch-cpu";
*) system - disallow setting a non-existing CPU core number for system IRQ;
*) system - increased maximum supported CPU core count to 512 on CHR and x86;
*) system - reduced RAM usage for SMIPS devices;
*) w60g - improved stability for Cube 60Pro ac and CubeSA 60Pro ac devices;
*) webfig - added option to enable wide view in item list;
*) webfig - use router time zone for date and time;
*) wifiwave2 - added "steering" parameters and menu to set up and monitor AP neighbor groups (CLI only);
*) wifiwave2 - added more information on roaming candidates to BSS transition management requests (802.11v) and neighbor report responses (802.11k);
*) wifiwave2 - added option to filter frames captured by the sniffer command (CLI only);
*) wifiwave2 - changed default behavior for handling duplicate client MAC addresses, added settings for changing it (CLI only);
*) wifiwave2 - enabled PMK caching with EAP authentication types;
*) wifiwave2 - fixed "reg-info" information for several countries;
*) wifiwave2 - fixed "security.sae-max-failure" rate not limiting authentications correctly in some cases;
*) wifiwave2 - fixed clearing CAPsMAN Common Name when disabling "lock-to-caps-man";
*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);
*) wifiwave2 - improved stability when changing interface settings;
*) wifiwave2 - improved stability when receiving malformed WPA3-PSK authentication frames;
*) wifiwave2 - make info log less verbose during client roaming (some info moved to wireless,debug log);
*) wifiwave2 - rename "reg-info" country argument from "Macedonia" to "North Macedonia";
*) wifiwave2 - use correct status code when rejecting WPA3-PSK re-association;
*) winbox - added missing status values for Ethernet and Cable Test;
*) winbox - added warning about non-running probe due to "startup-delay";
*) winbox - fixed "Storm Rate" property under "Switch/Port" menu;
*) winbox - fixed BGP affinity display;
*) winbox - fixed default "Ingress Filtering" value under "Bridge" menu;
*) winbox - improved supout.rif progress display;
*) winbox - rename "Group Master" property to "Group Authority" under "Interface/VRRP" menu;
*) wireguard - fixed peer connection using DNS name on IP change;
*) wireless - ignore EAPOL Logoff frames;
*) x86 - updated e1000 driver;

34
2
Wireless (self.mikrotik)
submitted 1 year ago by rayman30 to c/mikrotik

For those of you who have invested in a MikroTik router, have you also incorporated MikroTik wireless devices into your network setup? What has been your experience with MikroTik wireless products? Are they a good choice in terms of performance, range, and reliability? Or would you advise to look for other vendors?

35
3
Because reasons (self.mikrotik)
submitted 1 year ago by rayman30 to c/mikrotik

What made you choose MikroTik over other networking vendors for your home network setup? Was it performance, affordability, ease of use, or specific features that stood out to you?

36
2
submitted 1 year ago by rayman30 to c/mikrotik

I have a 1 Gbps fiber connection and want to maximize its performance, including IPv6 routing. Considering that IPv6 routing is not accelerated on the MikroTik RB750Gr3, should I still expect it to handle the load effectively, or would it be more suitable to explore other router options?

37

When it comes to home routers, do you prefer using the testing or stable firmware versions? Share your experiences, reasons behind your choice, and any noteworthy benefits or challenges you’ve encountered with either option.

38
4
submitted 1 year ago by rayman30 to c/mikrotik

Is the default firewall provided by MikroTik sufficient for home users, or should additional firewall configurations be implemented to enhance security? Share your experiences, recommendations, and any noteworthy vulnerabilities you've encountered.

39

What’s your most effective MikroTik networking tip or trick that has saved you time or improved your network performance?

40

Back To Home is a convenience feature that configures your device for secure VPN access from anywhere in the world to your router and your network, even if your router does not have a public IP address or is behind NAT or a firewall.

Configuration can be done manually, or with our MikroTik VPN companion app (Android, iPhone (coming soon)).

If the VPN server (your home router) has a public IP address, the VPN app will create a direct VPN connection between the phone and the router. However, if the router is not directly reachable from the internet, the connection will be made through the MikroTik relay server. The connection is always end-to-end encrypted; neither the relay server nor any other device in the path has access to the encryption keys. When going through the relay, speed may be limited.

This feature is a convenient option to access your home network, or to view content available in your home country from locations where that content is not available. It is not meant for anonymity; it is for simple one-click access to your home network. For more granular security controls, we recommend manually configuring and securing a VPN connection using the advanced RouterOS options.

More configuration https://help.mikrotik.com/docs/display/ROS/Back+To+Home

41

RouterOS version 7.11beta has been released on the "v7 testing" channel!

Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.11beta4 (2023-Jul-05 13:33):

*) bluetooth - added "decode-ad" command for decoding raw Bluetooth payloads (CLI only);
*) bluetooth - added "Peripheral devices" section which displays decoded Eddystone TLM and UID, iBeacon and MikroTik Bluetooth payloads;
*) bridge - added warning when VLAN interface list contains ports that are not bridged;
*) bridge - prevent bridging the VLAN interface created on the same bridge;
*) console - fixed incorrect default value of ":return" command (introduced in v7.11beta2);
*) console - improved stability and responsiveness;
*) container - fixed duplicate image name;
*) dns - improved system stability when processing static DNS entries with specified address-list;
*) ipsec - improved IKE2 rekey process;
*) ipsec - properly check ph2 approval validity when using IKE1 exchange mode;
*) l3hw - changed minimal supported values for "neigh-discovery-interval" and "neigh-keepalive-interval" properties;
*) l3hw - fixed /32 and /128 route offloading after nexthop change;
*) l3hw - fixed incorrect source MAC usage for offloaded bonding interface;
*) l3hw - improved system responsiveness during partial offloading;
*) l3hw - improved system stability;
*) leds - blink red system-led when LTE is not connected to the network on D53 devices;
*) leds - fixed system-led color for "GSM EGPRS" RAT on D53 devices;
*) lte - fixed Dell DW5221E "at-chat" support;
*) lte - only listen to DHCP packets for LTE passthrough interface in auto mode when looking for the host;
*) package - treat disabled packages as enabled during upgrade;
*) profile - added "container" process classifier;
*) profile - properly classify "console" related processes;
*) quickset - correctly apply configuration when using "DHCP Server Range" property;
*) rose-storage - added "scsi-scan" command (CLI only);
*) route - added comment for BFD configuration (CLI only);
*) route - convert BFD timers from milliseconds to microseconds after upgrade;
*) sfp - improved optical QSFP interface handling for 98DX8332, 98DX3257, 98DX4310, 98DX8525 switches;
*) wifiwave2 - fixed "reg-info" information for several countries;
*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);
*) wifiwave2 - rename "reg-info" country argument from "Macedonia" to "North Macedonia";
*) winbox - fixed "Storm Rate" property under "Switch/Port" menu;
*) winbox - fixed BGP affinity display;
*) wireless - ignore EAPOL Logoff frames;
*) x86 - updated e1000 driver;

What's new in 7.11beta2 (2023-Jun-21 14:39):

*) api - disallow executing commands without required parameters;
*) bfd - fixed "actual-tx-interval" value and added "remote-min-tx" (CLI only);
*) bluetooth - added new AD structure type "service-data" for Bluetooth advertisement;
*) bridge - added more STP-related logging;
*) bridge - fixed MSTP BPDU aging;
*) bridge - fixed MSTP synchronization after link down;
*) certificate - fixed PEM import;
*) certificate - restored RSA with SHA512 support;
*) console - added default value for "rndstr" command (16 characters from 0-9a-zA-Z);
*) console - fixed minor typos;
*) console - fixed missing "parent" for script jobs (introduced in v7.9);
*) console - fixed missing return value for ping command in certain cases;
*) console - fixed printing interval when resizing terminal;
*) console - improved flag printing in certain menus;
*) console - improved stability and responsiveness;
*) console - improved timeout for certain commands and menus;
*) console - improved VPLS "cisco-id" argument validation;
*) container - added option to use overlayfs layers;
*) discovery - fixed "lldp-med-net-policy-vlan" (introduced in v7.8);
*) ethernet - improved interface stability for CRS312 device;
*) fetch - improved timeout detection;
*) firewall - added warning when PCC divider argument is smaller than remainder;
*) firewall - fixed mangle "mark-connection" with "passthrough=yes" rule for TCP RST packets;
*) graphing - added paging support;
*) health - added more gradual control over fans for CRS3xx, CRS5xx, CCR2xxx devices;
*) health - fixed configuration export for "/system/health/settings" menu;
*) ike2 - improved system stability when closing phase1;
*) ike2 - improved system stability when making configuration changes on active setup;
*) l3hw - improved system stability during IPv6 route offloading;
*) led - fixed manually configured user LED for RB2011;
*) lora - added new EUI field;
*) lora - moved LoRa service to IoT package;
*) lora - properly apply configuration changes when multiple LoRa cards are used;
*) lora - updated LoRa firmware for R11e-LR8, R11e-LR9 and R11e-LR2 cards;
*) lte - added "at-chat" support for Dell DW5821e-eSIM modem;
*) lte - added extended support for Neoway N75 modem;
*) lte - fixed NR SINR reporting for Chateau 5G;
*) lte - fixed Telit LE910C4 "at-chat" support;
*) lte - improved initial interface startup time for SXT LTE 3-7;
*) mpls - improved MPLS TCP performance;
*) mqtt - added more MQTT publish configuration options;
*) mqtt - added new MQTT subscribe feature;
*) netwatch - added "src-address" property;
*) netwatch - changed "thr-tcp-conn-time" argument to time interval;
*) ovpn - fixed OVPN server peer-id negotiation;
*) ovpn - fixed session-timeout when using UDP mode;
*) ovpn - properly close OVPN session on the server when client gets disconnected;
*) poe - fixed missing PoE configuration section under specific conditions;
*) pppoe - fixed PPPoE client trying to establish connection when parent interface is inactive;
*) rose-storage - added disk stats for ramdisks;
*) rose-storage - fixed RAID 0 creation;
*) rose-storage - limit striped RAID element size to smallest disk size;
*) routerboard - fixed "gpio-function" setting on RBM33G ("/system routerboard upgrade" required);
*) routerboard - improved RouterBOOT stability for Alpine CPUs ("/system routerboard upgrade" required);
*) routerboard - removed unnecessary serial port for netPower16P and hAP ax lite devices ("/system routerboard upgrade" required);
*) sfp - improved interface stability for 98DX8208, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 based switches;
*) ssh - fixed user RSA private key import;
*) switch - fixed "reset-counters" for "switch-cpu";
*) system - disallow setting a non-existing CPU core number for system IRQ;
*) system - increased maximum supported CPU core count to 512 on CHR and x86;
*) system - reduced RAM usage for SMIPS devices;
*) w60g - improved stability for Cube 60Pro ac and CubeSA 60Pro ac devices;
*) webfig - added option to enable wide view in item list;
*) webfig - use router time zone for date and time;
*) wifiwave2 - added "steering" parameters and menu to set up and monitor AP neighbor groups (CLI only);
*) wifiwave2 - added more information on roaming candidates to BSS transition management requests (802.11v) and neighbor report responses (802.11k);
*) wifiwave2 - added option to filter frames captured by the sniffer command (CLI only);
*) wifiwave2 - changed default behavior for handling duplicate client MAC addresses, added settings for changing it (CLI only);
*) wifiwave2 - enabled PMK caching with EAP authentication types;
*) wifiwave2 - fixed "security.sae-max-failure" rate not limiting authentications correctly in some cases;
*) wifiwave2 - fixed clearing CAPsMAN Common Name when disabling "lock-to-caps-man";
*) wifiwave2 - improved stability when changing interface settings;
*) wifiwave2 - improved stability when receiving malformed WPA3-PSK authentication frames;
*) wifiwave2 - make info log less verbose during client roaming (some info moved to wireless,debug log);
*) wifiwave2 - use correct status code when rejecting WPA3-PSK re-association;
*) winbox - added missing status values for Ethernet and Cable Test;
*) winbox - added warning about non-running probe due to "startup-delay";
*) winbox - fixed default "Ingress Filtering" value under "Bridge" menu;
*) winbox - improved supout.rif progress display;
*) winbox - rename "Group Master" property to "Group Authority" under "Interface/VRRP" menu;
*) wireguard - fixed peer connection using DNS name on IP change;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version-related issues, please send a supout file from your router to [email protected]. The file must be generated while the router is not working as expected, or after the problem has appeared on the device.

42
3
CVE-2023-32154 (lemmy.world)
submitted 1 year ago by rayman30 to c/mikrotik

On 10/05/2023 (May 10th, 2023) MikroTik received information about a new vulnerability, which has been assigned the ID CVE-2023-32154. The report stated that the vendor (MikroTik) was contacted in December, but we did not find any record of such communication. The original report also says that the vendor was informed in person at an event in Toronto, where MikroTik was not present in any capacity.

What this issue affects: The issue affects devices running MikroTik RouterOS versions v6.xx and v7.xx with the IPv6 router advertisement receiver enabled. You are only affected if one of the settings below is applied:

    /ipv6/settings/set accept-router-advertisements=yes

or

    /ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled

If your settings do not match one of these examples, you are not affected. With the stock defaults (forward=yes and accept-router-advertisements=yes-if-forwarding-disabled) neither condition is met, so a router on which these settings were never changed is not affected; the vulnerable combination is not normally found on routers and is rarely used.

What this issue can cause: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability.

Recommended course of action: Set accept-router-advertisements=no (or leave IPv6 forwarding enabled so that yes-if-forwarding-disabled does not apply), or upgrade to RouterOS 7.9.1, 6.49.8, 6.48.7 or 7.10beta8 (all already released), or to any newer version.
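As an added example that is not part of the advisory and not MikroTik code, the Python below turns the two conditions above into a check: it applies the stock IPv6 defaults, reads the set line of the /ipv6 settings section of an /export, and compares the running version against the fixed releases named in the advisory. Treating a v6 branch with no listed fix as needing an upgrade is the example's own assumption, and the export strings are constructed samples.

```python
"""Added example: decide whether a RouterOS device is exposed to CVE-2023-32154 from its
version string and the /ipv6 settings section of an /export. Not MikroTik code; the setting
names and the fixed versions come from the advisory, the rest is this example's own."""
import re
import shlex

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")
_PRE_RANK = {"beta": 0, "rc": 1}  # rc builds follow the betas of the same release

# Stock defaults: export omits values left at their default, so they are applied first.
_IPV6_DEFAULTS = {"accept-router-advertisements": "yes-if-forwarding-disabled", "forward": "yes"}


def parse_version(s):
    """'7.10beta8' -> (7, 10, 0, 'beta', 8); '6.49.8' -> (6, 49, 8, '', 0)."""
    m = _VERSION.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {s!r}")
    major, minor, patch, tag, pre = m.groups()
    return int(major), int(minor), int(patch or 0), tag or "", int(pre or 0)


def version_is_fixed(s):
    """True for the fixed builds the advisory names (7.9.1, 6.49.8, 6.48.7, 7.10beta8) and
    later builds on the same branch; a v6 branch with no listed fix is treated as unfixed."""
    major, minor, patch, tag, pre = parse_version(s)
    if major >= 8:
        return True
    if major == 7:
        if tag:  # pre-release: 7.10beta8 and later 7.10 builds, or any 7.11+ pre-release
            return (_PRE_RANK[tag], pre) >= (0, 8) if minor == 10 else minor > 10
        return (minor, patch) >= (9, 1)
    if major == 6:
        return (minor == 49 and patch >= 8) or (minor == 48 and patch >= 7)
    return False


def parse_ipv6_settings(export_text):
    """Apply the stock defaults, then any 'set ...' line under the /ipv6 settings menu."""
    settings, menu = dict(_IPV6_DEFAULTS), None
    for line in export_text.splitlines():
        tokens = shlex.split(line.strip())
        if not tokens:
            continue
        if tokens[0].startswith("/"):
            menu = " ".join(tokens)
            continue
        if menu in ("/ipv6 settings", "/ipv6/settings") and tokens[0] == "set":
            settings.update(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return settings


def settings_are_vulnerable(settings):
    """The two conditions from the advisory."""
    ra = settings.get("accept-router-advertisements")
    return ra == "yes" or (ra == "yes-if-forwarding-disabled" and settings.get("forward") == "no")


def assess(version, ipv6_export):
    if not settings_are_vulnerable(parse_ipv6_settings(ipv6_export)):
        return "not affected: router advertisements are not accepted"
    if version_is_fixed(version):
        return "not affected: version contains the fix"
    return "AFFECTED: set accept-router-advertisements=no or upgrade"


# Constructed samples of the /ipv6 settings section of an /export.
IPV6_EXPORT_VULNERABLE = "/ipv6 settings\nset accept-router-advertisements=yes-if-forwarding-disabled forward=no\n"
IPV6_EXPORT_STOCK = ""  # nothing differs from the defaults, so nothing is exported

if __name__ == "__main__":
    for ver in ("6.49.7", "6.49.8", "7.10beta7", "7.10beta8"):
        print(ver, assess(ver, IPV6_EXPORT_VULNERABLE))
    print("stock", assess("6.49.7", IPV6_EXPORT_STOCK))
```

The version comparison is deliberately branch-aware: 7.10beta2 is numerically above 7.9.1 but was built before the fix, so only 7.10beta8 and later pre-releases count as fixed, while a stable 7.10 does.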

43
3
7.10.2 is out (lemmy.world)
submitted 1 year ago* (last edited 1 year ago) by rayman30 to c/mikrotik

7.10.2 is out

*) wifiwave2 - fixed interface hangs on IPQ6010-based boards (introduced in v7.9);

https://mikrotik.com/download/changelogs