Component: firewall – MikroTik Changelog Tracker

7.21 Stable 2026-Jan-12 (1 month ago)

added "h" flag indicating that firewall service helper is applied for particular connection;
added support for TOS/mask matching for raw rules;
clear relevant masqueraded connection tracking entries on IP address change;
fixed "tls-host" not matching expected hosts;
fixed hotspot value loss on rule enable/disable;
fixed strip-ipv4-options always passthrough;
hide hw-offload setting from devices that do not support it;
improved system stability and memory allocation when using firewall services;
make hw-offload=yes default setting in /ip/firewall/filter menu;
use the highest TTL as timeout value for domain address list entries if multiple domain names resolve to same IP;

7.20.7 Long-term 2026-Jan-08 (1 month ago)

clear relevant masqueraded connection tracking entries on IP address change;

7.20.2 Stable 2025-Oct-21 (4 months ago)

reduce maximum connection tracking entry count;

7.20 Stable 2025-Sep-29 (5 months ago)

added "liberal-tcp-tracking" connection tracking setting;
added connection tracking "total-ip4-entries" and "total-ip6-entries" counters;
allow "dst-limit" matcher to work properly above value 10000;
fixed IPv6 firewall interface matchers not matching VRF interfaces;
improved IPv6 connection tracking lookup responsiveness;
improved system stability when processing connections on multicore systems;
reorganized firewall connection tracking table values and make them persistent between IPv4 and IPv6;

7.19 Stable 2025-May-22 (9 months ago)

always show "passthrough" when exporting mangle table;
detect VRF addresses as local;
fixed IP/Settings "ipv4-fasttrack-active" status showing as inactive when it is active;

7.18 Stable 2025-Feb-24 (1 year ago)

allow in-interface/in-bridge-port/in-bridge matching in postrouting chains;
fixed incorrectly inverted hotspot value configuration;
increased maximum connection tracking entry count based on device total RAM size;

7.17 Stable 2025-Jan-16 (1 year ago)

added none-dynamic and none-static arguments for IPv6 address-list-timout settings;
added support for random external port allocation;
added warning log for TCP SYN flood;
fixed "dst-limit" and "limit" mathers when using zero value for burst argument;
improved matching from deeply nested interface-lists;
removed default mangle passthrough=yes configuration from export;

7.16 Stable 2024-Sep-20 (1 year ago)

added message when interface belonging to VRF is added in filter rules;
fixed an issue with unsetting src-address-type;
fixed IPv6 "nth" matcher showing up twice in help;
fixed issue that prevents restoring src-address-list and dst-addres-list properties using undo command;
removed unnecessary TLS host matcher from NAT tables;

7.14 Stable 2024-Feb-29 (2 years ago)

added "creation-time" parameter for IPv6 address list entries;
fixed underlying CAPsMAN tunnel reusing packet marks of encapsulated packets;
fixed underlying VXLAN/EoIP tunnel reusing packet marks of encapsulated packets;
increased default "udp-timeout" value from 10s to 30s;

7.13 Stable 2023-Dec-14 (2 years ago)

added "nat-pmp" support;
added new IPv6 filter arguments "icmp-err-src-routing-header" and "icmp-headers-too-long" for "reject-with" setting;
do not mark all IPv6 GRE packets as invalid;
fixed IPv6 address-list timeout;
fixed altered address-list when upgrading from RouterOS v6;
fixed connections being tracked when tracking is disabled;
removed "prohibited" and "unreachable" IPv4 address-type arguments;

7.12 Stable 2023-Nov-09 (2 years ago)

added "ein-snat" and "ein-dnat" connection NAT state matchers for filter and mangle rules;

7.11 Stable 2023-Aug-15 (2 years ago)

added warning when PCC divider argument is smaller than remainder;
fixed mangle "mark-connection" with "passthrough=yes" rule for TCP RST packets;
improved system stability when using "endpoint-independent-nat";

6.49.8 Long-term 2023-Jul-19 (2 years ago)

fixed IRC NAT helper (CVE-2022-2663);

7.10 Stable 2023-Jun-15 (2 years ago)

added "endpoint-independent-nat" support;
added "nth" option for IPv6 firewall;

6.48.7 Long-term 2023-May-23 (2 years ago)

fixed IRC NAT helper (CVE-2022-2663);

7.9 Stable 2023-May-02 (2 years ago)

added "connection-nat-state" to IPv6 mangle and filter rules;

7.8 Stable 2023-Feb-24 (3 years ago)

fixed bridge priority target;
fixed DSCP priority target for IPv6 Mangle;
fixed netmap range maximum address calculation for IPv6 NAT;

7.7 Stable 2023-Jan-12 (3 years ago)

added "set-priority" option for IPv6 mangle firewall;
made "dynamic" parameter settable for IPv4 address lists;

7.6 Stable 2022-Oct-17 (3 years ago)

added "src/dst-address-type" parameter under "IPv6/Firewall/Mangle" menu;
disable IRC NAT helper on upgrade;
fixed IPv6 filtering with "in/out-interface" matcher that is in VRF;
fixed IRC NAT helper (CVE-2022-2663);
fixed usage of "netmap" action for IPv6 source NAT;

7.5 Stable 2022-Aug-30 (3 years ago)

added support for RTSP helper;

7.4.1 Stable 2022-Aug-04 (3 years ago)

fixed "in-interface-list" matcher when VRF is used;

7.4 Stable 2022-Jul-19 (3 years ago)

added "srcnat" and "dstnat" flags to IPv6/Firewall/Connection table;
added support for IPv6/Firewall/NAT action=src-nat rules;
fixed IPv6 NAT functionality when processing GRE traffic on TILE devices;
fixed IPv6/Firewall/RAW functionality;
include "connection-mark", "connection-state", and "packet-mark" when packet logging is enabled;
properly handle interface matcher when VRF interface is specified;

7.2 Stable 2022-Mar-31 (3 years ago)

improved available port lookup for source NAT when free port range is exhausted;

6.49 Stable 2021-Oct-06 (4 years ago)

fixed "ingress-priority" matcher;
fixed GRE protocol packets considered invalid when PPTP helper is disabled;

6.44.5 Long-term 2019-Jul-04 (6 years ago)

fixed fragmented packet processing when only RAW firewall is configured;
process packets by firewall when accepted by RAW with disabled connection tracking;

Releases by channel (stacked)