Version: 7.23
Stable
286 changelog entries across 73 component(s)
2026-May-25

| Component | Change |
|---|---|
| app | added "network-outgoing-access=yes/no" setting to prevent containers from initiating outbound traffic; |
| app | added birdnet-go, cryptpad, diagrams-net, lorawan-stack, metube, mikrodash, nextcloud-whiteboard, paperless-ngx, wbo, zulip apps; |
| app | added docker-with-dockge, docker-with-komodo, docker-with-portainer, HA-otbr-matter, odoo, otbr, stalwart, trip apps; |
| app | added possibility to set app command-line parameter from CLI; |
| app | added restart command; |
| app | allow apps on XFS file systems; |
| app | allow filtering by installed apps; |
| app | allow overriding default stop signal; |
| app | allow parsing DNS in YAML; |
| app | allow passing stop signal from YAML and passing it to container as default; |
| app | allow picking app category from drop-down; |
| app | allow updating name parameter from YAML for custom apps; |
| app | allow updating YAML for existing custom app, forces cleanup; |
| app | apps now check for port availability, apps will not start on "internal" if app masks existing service; |
| app | automatically pass any required devices to container, such as otbr; |
| app | automatically restart app when required hardware device is changed; |
| app | bundled ollama with openwebui; |
| app | check if certificate already exists before creating a new one; |
| app | disabled PiHole syncing NTP to host; |
| app | fixed issue where XFS disks did not appear in the app disk drop-down; |
| app | fixed saving custom apps; |
| app | fixed showing ui-url for apps; |
| app | fixed some apps not containing the full repository URL; |
| app | fixed stability issue when running cleanup on many apps; |
| app | fixed store issue when adding a custom app; |
| app | fixed YAML not exported for custom apps; |
| app | improved app network and port behavior; |
| app | improved automatic hardware device passing to container; |
| app | improved YAML error message; |
| app | make sure all layer .tar.gz files are deleted after extraction finishes; |
| app | on file-based devices, swap is enabled on the file itself instead of creating another and enabling it on that; |
| app | stability fixes for the "/app" menu; |
| app | swap file is now created based on the mount-point it is attached to; |
| app | updated uptime-kuma image; |
| arm64,x86 | updated Broadcom bnxt Ethernet driver for 200G support; |
| bfd | fixed source address selection for IPv6 multihop sessions; |
| bridge | added ability to set custom Option 82 with dhcp-agent-circuit-id, dhcp-agent-remote-id settings (replaces add-dhcp-option82 setting; configuration is automatically updated after upgrade); |
| bridge | added DHCPv6 snooping feature with ability to set custom Option 18 and Option 37; |
| bridge | fixed dynamic VLAN update for WiFi interfaces; |
| bridge | improved MAC synchronization for MLAG; |
| bridge | recognize more DHCP message types when dhcp-snooping is enabled; |
| bth | fixed WireGuard client config IP address netmask; |
| certificate | added "ISRG Root X1" and "DigiCert Global Root G2" to SMIPS built-in root certificate authorities store; |
| certificate | allow deleting ACME certificate that failed to generate; |
| certificate | improved ACME logging; |
| certificate | improved ACME status reporting; |
| certificate | set Let's Encrypt as default ACME directory; |
| chr | improved guest tool config for arm64 CHR; |
| cloud | cloud backup file management now requires "policy" policy; |
| cloud | show error if cloud services are not supported on the device; |
| console | added comment in "/ip/dhcp-server/option/sets" and "/ipv6/dhcp-server/option/sets" menus; |
| console | added path parameter to export; |
| console | added syntax highlight for script properties in some menus (e.g. dhcp-client, dhcp-server, ppp/profile, interface/vrrp); |
| console | export mentions custom defconf script presence in header; |
| console | fixed "/log/print follow on-event" to work with "where" (introduced in v7.22); |
| console | fixed output when oversized completion present; |
| console | removed redundant keepalive for the serial-terminal, ensure that the device no longer periodically outputs /0 while using "/system/serial-terminal"; |
| console | show "/system/resource/hardware/usb-power-reset" only on x86; |
| console | show warning in print header when terminal is too narrow to show any columns; |
| console | treat non-existent command parameters as runtime errors; |
| container | added restart-policy=no/always/on-failure, stop-on-unhealthy, restart-count, restart-interval, restart-max-count properties; |
| container | added support for noexec option to mounts; |
| container | added support for USB audio devices for containers; |
| container | allow disabling individual container environment variables without deleting them; |
| container | allow picking mount source directories with the file picker in WinBox; |
| container | allow setting memory-max globally and per container; |
| container | allow user-defined mounts overriding /sys and /dev; |
| container | check if root-dir does not exist before adding a container; |
| container | clean up layers of non-existing containers; |
| container | detect and show containers killed by out-of-memory killer; |
| container | do not allow starting container/shell with non-existing user or group; |
| container | draw graphs in container stats; |
| container | fixed container entrypoint and shell override by user; |
| container | fixed container layer size calculation; |
| container | fixed container shell not working with multi-arg commands; |
| container | fixed repull if root-dir of container was in tmpfs; |
| container | fixed running "/container shell" with the correct user, if container user is set or overridden; |
| container | improved errors at container start; |
| container | improved running container instance memory usage; |
| container | layers are now accessible under "Layers" tab; |
| container | pass any container startup error message back to "run" and make it exit immediately; |
| container | remove container backup directory if import fails; |
| container | removed "Layers" button; |
| container | show container size and container data size; |
| container | show default DNS servers; |
| container | show layer size calculation status; |
| container | updated /dev/net/tun permissions; |
| crypto | fixed fallback flag loss in qcrypto; |
| crypto | fixed stability issue; |
| crypto | improved safexcel driver with upstream changes and patches; |
| dhcpv4-server | added "add-dns-entries" and "add-dns-entries-suffix" properties for creating local DNS entries; |
| dhcpv4-server | changed lease agent-circuit-id and agent-remote-id format to hex; |
| dhcpv4-server | do not raise an alert when receiving a packet originating from the same device; |
| dhcpv4-server | do not suggest bogus pools when using setup command (e.g. when address is /31 or /32); |
| dhcpv4-server | fixed an issue where renew packets without giaddr were sometimes not processed; |
| discovery | added "add-dns-entries" and "add-dns-entries-suffix" properties for creating local DNS entries; |
| discovery | added option to disable/enable LLDP MED; |
| discovery | added separate read-only menu "/ip/neighbor/lldp" for neighbors discovered by LLDP (CLI only); |
| discovery | dynamically update advertised "interface-name"; |
| discovery | fixed LLDP MAC/PHY TLV; |
| disk | added "/disk" smart-info; |
| disk | added disk check and repair for ext4, Btrfs and XFS file systems; |
| disk | improved device name tracking in "/system/resource/hardware" menu; |
| disk | show disk io errors in "/disk" menu; |
| dns | added HTTP/2 support to DoH on ARM64 and x86/CHR devices; |
| ethernet | improved system stability for RB3011, L009, NetMetal ax, hAP ax lite devices; |
| ethernet | improved system stability on devices with Alpine CPUs; |
| fetch | fixed non-working idle-timeout in some cases; |
| file | added copy, tail, head commands (CLI only); |
| firewall | added "action=drop" to mangle; |
| firewall | improved stability for SIP helper; |
| firewall | matcher "in-bridge-port" does not require "use-ip-firewall=yes"; |
| general | ipsec – fixed expired SA handling to prevent "no such item" errors during listing; |
| graphing | improved service stability when storing data; |
| hardware | report the correct state of PCI devices in "/system/resource/hardware" menu; |
| health | hide health menu for RB951ui-2nD; |
| ike2 | fixed child SA cleanup during flush operation; |
| ike2 | fixed pending responder connection cleanup after peer removal; |
| ike2 | fixed SA delete handling on initiator during rekey; |
| ike2 | improved HMAC size validation checks; |
| interface | show warning when same MAC address is used on more than one virtual interface; |
| iot | added LoRa Tx delay setting; |
| iot | added MQTT subscribe message real-time monitoring option; |
| iot | added Wiliot support; |
| iot | fixed LoRa LBT issues, which caused Tx packets not getting delivered; |
| iot | fixed LoRa lockpack preventing lock from applying; |
| iot | improved LoRa stability; |
| iot | improved LoRa Tx handling; |
| iot | improved LoRa Tx scheduling; |
| ip | added IPv6 and VRF support for reverse-proxy; |
| ip | added SNI logging for reverse-proxy; |
| ip | fixed hanging connections for reverse-proxy; |
| ip-settings | added ipv4-fragment-time and ipv4-high-fragment-thresh settings, use default values based on total device memory; |
| ipip | disabled IPv6 link-local address generation; |
| ippool | fixed issue when changing pool with already used addresses; |
| ippool6 | allow variable length pool; |
| ippool6 | properly follow pool changes for already used prefixes; |
| ipsec | added netlink-based SA and policy handling; |
| ipsec | fixed SA proto parameter conversion and policy "none" type handling; |
| ipsec | improved NAT encapsulation parameter forwarding; |
| ipv6 | added from-pool-policy address property that controls how address is acquired from the pool; |
| ipv6 | added without-acquire address property; |
| ipv6 | always ensure that prefix length matches the one given by the pool even if address was set to 0; |
| ipv6,ra | added option to ignore MTU and DNS servers; |
| ipv6,ra | added router-advertisement-route-distance setting; |
| ipv6,ra | allow receiving DNS servers over multiple interfaces; |
| ipv6,ra | clamp valid-lifetime to minimum of 2h on deprecation; |
| ipv6,ra | extend processed RA logging; |
| ipv6,ra | fixed advertised DNS parameter logging; |
| ipv6,ra | fixed changing default "all" interface configuration; |
| ipv6,ra | fixed DNS and pref64 property unset; |
| ipv6,ra | fixed sending only DNS or MTU when prefix is set to "none"; |
| ipv6,ra | improved service stability; |
| ipv6,ra | warn when interface is under the bridge; |
| isis | allow configuring metric-type; |
| l3hw | added HW offloaded VRF support on CRS8xx switches; |
| l3hw | added VRF assignment via switch ACL rules on CRS8xx switches (CLI only); |
| l3hw | fixed VXLAN packet matching by local IP; |
| leds | added new PoE fault LED cases (bad fw, PoE card power cable disconnected, PoE card not inserted); |
| leds | fixed power LED turning off while LTE interface is inactive (introduced in v7.22); |
| log | added "discover" topic and log events for discovered local DNS entries; |
| log | added CC option for e-mail action; |
| log | added ssld error logging; |
| log | added TLS support; |
| lte | added fast SIM switchover support using AT channel for MBIM modems without MBIM_CID_MS_UICC_RESET firmware support; |
| lte | configure IP address for AT modems even if no DNS is received from the network; |
| lte | delete CID profiles one by one instead of "delete all" for QMI modems, as command does not work for all modems; |
| lte | do not duplicate primary-band also in ca-band for QMI modems in 5G SA network; |
| lte | do not reconfigure modem in passthrough mode if passthrough cannot be activated because of slave interface; |
| lte | emit RS every 60s on LTE interface; |
| lte | filter packets by MAC in multi-apn setup for EC200A-EU modem; |
| lte | fixed automatic modeswitch for "Chateau 5G R16" and "Chateau 5G"; |
| lte | fixed broken network scan after being interrupted by reconfiguration; |
| lte | fixed operator setting for QMI modems; |
| lte | fixed rare cases where the Tx queue could stop and never wake up on multi-core CPU devices; |
| lte | fixed RSSI signal monitor for 3rd party modems where AT+CSQ responses are not parsed; |
| lte | fixed user set MTU not applied to LTE interface; |
| lte | improved system stability for devices with QMI modems; |
| lte | improved system stability when modem configured in passthrough mode with VLANs for "Chateau 5G R16" and "Chateau 5G"; |
| lte | improved system stability; |
| lte | improvements for passthrough mode in IPv6 only setup; |
| lte | keep MAC persistent across reboots for QMI modems; |
| lte | read subscriber number also for QMI modems; |
| lte | removed LTE external-antenna scan; |
| lte | set SMS send timeout to 180s; |
| lte | show external-antenna as "none" before actual scan is done instead of empty value; |
| lte | show MTU as "auto" also on interface level if "auto" used; |
| lte | SIMCom modems, skip error state when modem sends improperly formatted CREG response/URC; |
| lte | stop network scan on interruption for QMI modems; |
| lte | unify "modem-init" for all driver types; |
| macsec | added aes-gcm-xpn-128 cipher support; |
| netwatch | fixed memory leak when using HTTP/HTTPS GET probe with invalid src-address; |
| ospf | allow adding interface configuration manually, bypassing interface-template; |
| ospf | change virtual link configuration to use OSPF interface directly; |
| ospf | fixed missing interface-template configuration which previously was converted by upgrading from RouterOS v6; |
| ospf | fixed nssa bit check; |
| ospf | fixed routes not being installed on ABRs; |
| pimsm | do not ignore priority when selecting RP from BSR; |
| pimsm | fixed possible BSR loop; |
| pimsm | improved stability; |
| ping | resolve domain name to IPv6 if src-address is IPv6 address; |
| ping | show time in microseconds for flood-ping; |
| poe-out | firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces); |
| port | added support for "tcp-client" and "udp" modes for "remote-access"; |
| port | expose RG650E-EU diagnostics channel; |
| port | remove unused serial port on RB1100AHx4; |
| pppoe | do not reset pppoe-client interface when adding a comment; |
| ptp | added support for CRS812, CRS804; |
| ptp | fixed crash during initialization on some devices; |
| qos-hw | added automap setting to QoS Profiles (enabled by default); |
| qos-hw | added ECN and PFC support on CRS8xx; |
| qos-hw | added new default "auto" value to mirror-buffers, multicast-buffers, shared-buffers QoS Settings (old defaults are shown in export after upgrade); |
| qos-hw | added queueX-byte-max stats to port usage on CRS8xx; |
| qos-hw | fixed CPU traffic mapping to queues on CRS8xx switches; |
| qos-hw | introduced lossless-traffic-class and lossless-buffers settings; |
| qos-hw | removed shared-pool-index setting; |
| route | fixed link-local interface check when resolving IPv6 nexthops; |
| route | revert to old routing rule priorities for containers (introduced in v7.22); |
| routerboot | fixed Netinstall failure when using multiple partitions on AL73400, AL52400, AL32400 CPUs ("/system routerboard upgrade" required); |
| sftp | fixed path canonicalization request; |
| smb | do not start /ip smb server on container interfaces; |
| sniffer | added IP ECN field; |
| sniffer | fixed missing VLAN tag in the TZSP packets; |
| snmp | added missing BRIDGE-MIB OIDs (dot1dBaseNumPorts, dot1dBaseType, dot1dStpDesignatedRoot, dot1dStpPortDesignatedBridge, dot1dStpRootCost, dot1dStpRootPort, dot1dStpHoldTime, dot1dStpBridgeMaxAge, dot1dStpBridgeHelloTime, dot1dStpBridgeForwardDelay, dot1dStpPortForwardTransitions, dot1dTpAgingTime); |
| snmp | added missing LLDP-MIB OIDs (lldpMessageTxInterval, lldpMessageTxHoldMultiplier, lldpLocManAddrTable); |
| snmp | enforce minimum password length; |
| snmp | fixed compliance of LLDP-MIB lldpRemManAddrTable; |
| snmp | fixed connection tracking counter OID; |
| snmp | fixed dot1dStpPortDesignatedPort, dot1dStpPortDesignatedRoot OIDs; |
| snmp | fixed ifSpeed and ifHighSpeed OIDs for 802.3ad and balance-xor bonding interfaces; |
| snmp | fixed lldpLocSysDesc OID; |
| snmp | implemented LTE firmware upgrade option; |
| snmp | use "/ip/neighbor/lldp" for lldpRemTable and lldpRemManAddrTable (fixes lldpRemTable showing neighbors discovered by MNDP or CDP); |
| ssh | do not advertise password login method when it is disabled; |
| ssh | improved host resolve error logging; |
| switch | fixed issue with MAC table for RB2011 (introduced in v7.21); |
| switch | fixed missing ethernet counters for non-running interfaces on CRS8xx switches (introduced in v7.22); |
| switch | improved FDB operations on QCA8337, Atheros8327; |
| switch | rework how IEEE reserved MAC addresses are handled on QCA8337, Atheros8327; |
| switch | updated switch-marvell.npk driver; |
| switch | use names instead of numbers in switch menu configuration export; |
| system | improved handling of HTTP/2 connection closure; |
| system | improved RouterOS package download over slow connection; |
| system | improved switching to HTTP/1 if HTTP/2 is not supported by remote host; |
| system | keep HTTP/2 connection open if it is not closed by system or server; |
| system | make default identity based on board name; |
| timezone | updated timezone information from "tzdata2026b" release; |
| upgrade | added the option to configure HTTP/HTTPS modes when connecting to MikroTik upgrade servers; |
| upgrade | changed status message for scheduled installs; |
| upgrade | check for available packages when opening System/Packages in GUI; |
| usb | added ax88179_178a driver; |
| usb | improved USB Ethernet adapter recognition; |
| usb | show USB device reported maximum power; |
| user-manager | improved stability when removing user-profile while session updates counters; |
| veth | fixed link-local address not being configurable as a gateway; |
| vxlan | fixed fast-path when using "checksum=no" (introduced in v7.20); |
| vxlan | improved system stability; |
| webfig | added postfix byte value support (e.g. "/ip/settings/ipv4-high-fragment-thresh"); |
| webfig | added support for filter in tables; |
| wifi | improved interface provisioning for WiFi 7 access points; |
| wifi | improved on-capsman traffic processing; |
| wifi-mediatek | fixed multicast-enhance functionality; |
| wifi-mediatek | fixed stability issue getting regulatory information and during initialization; |
| wifi-qcom-be | fixed incorrect channel info for punctured channels; |
| wifi-qcom-be | fixed stability issue during initialization; |
| wifi-qcom-be,mediatek | correctly advertise RRM capabilities when 802.11k neighbor reports are enabled; |
| winbox | added "MLD Static" and "MLD Datapath" properties under the "WiFi/CAP" menu; |
| winbox | added "Multipath" property under the "Routing/BGP/Instance" menu; |
| winbox | added "Remove" action under "System/Certificates/Requests" menu; |
| winbox | added comment for DHCPv6 relay; |
| winbox | added group numbers for DH and PFS groups for IPsec; |
| winbox | allow setting "CAPsMAN address" for CAP as domain name; |
| winbox | do not accept interface without specifying IP or MAC in "Ping To" field; |
| winbox | improved "External Antenna" property display; |
| winbox | improved Routing/PIM SM menu; |
| winbox | move bridge IGMP Snooping checkbox to IGMP tab; |
| winbox | rename DHCPv6 server binding "Peer Address" to "Client Address"; |
| winbox | show "Directory URL" field for ACME certificates in Certificate view; |
| winbox | show "IPv6 Address" property by default under the "IP/Neighbors" menu; |
| winbox | show accepted connections in tree view under "IP/Services" menu; |
| winbox | updated socksify icon for firewall NAT rules; |
| wireguard | improved system stability; |
| www | added partial content (HTTP 206) support; |
| www | improved REST API user cache processing; |
| www | improved system stability; |
| zerotier | switch to 1.14.2 version; |