RouterOS 7.24rc1
Pre-releaseBuild Time:1783051151
What's new in 7.24rc1 (2026-Jul-01 16:53):
*) bridge - fixed forwarding through peer-port after disabling MLAG;
*) bridge - fixed stability issue when using DHCPv4 snooping;
*) bridge - improved STP, BPDU and topology change handling with MLAG, ensure dual-connected port STP state is in sync with MLAG peer;
*) console - added comparison operators for array type (additional fixes);
*) console - improved script handling and error logging when running scripts from external sources (e.g. DHCP, SNMP, Netwatch, etc.) (additional fixes);
*) dhcpv4-server - set "ciaddr" in forcerenew messages so a relay, if used, can unicast such messages;
*) discovery - added "dying-gasp" feature for LLDP, MNDP, CDP that sends packet with "TTL=0" before graceful reboot/shutdown/upgrade;
*) discovery - clear neighbor entry when receiving "dying-gasp" packet;
*) l3hw - added HW offloaded VRF support on 98DX8208, 98DX8216, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98CX8410 switches (additional fixes);
*) l3hw - allow VLAN tagged traffic inside VXLAN tunnel;
*) l3hw - fixed VTEP offload on IPv4 /32 route changes;
*) lte - added force-confirmation parameter for eSIM provision command;
*) lte - do not query 5G neighbor cell info until RG650E-EU FW fixed;
*) lte - fixed cases where R11l-LTE7 modem would not display correct cell info after handover;
*) netinstall - added Netinstall package (additional fixes);
*) ospf - fixed stability issue during interface flaps;
*) ppp - added iccid field to ppp info command for BG77 and BG770 modems;
*) ppp - always show current FW version when running firmware-upgrade;
*) ppp - get IPv6 configuration via RA for modems using PPP emulation mode;
*) ppp - toggle radio state on interface disable/enable;
*) wifi-mediatek - improved stability during MLO channel switching;
*) winbox - do not pre-fill "Allowed Address" and "Client Allowed Address" with "::/0" when adding new WireGuard Peer;
Other changes since v7.23:
*) adlist - improved service stability when adjusting adlist configuration;
*) app - added "HF_TOKEN" env to openwebui;
*) app - added "network-outgoing-access" parameter which does not allow app to make outgoing connections;
*) app - added hermes-agent, inventree, opencloud, opencloud-extended apps;
*) app - allow "reset" even if disk not configured;
*) app - allow HTTP for Gitea when "check-certificate=no";
*) app - allow setting "working_dir" in app YAML;
*) app - changed pmacct-netflow YAML;
*) app - fixed "reset" not working with certain apps;
*) app - fixed apps not updating firewall redirects when changed in YAML;
*) app - fixed apps sometimes getting stuck on "waiting for layer";
*) app - fixed home-assistant default config files;
*) app - make secrets sensitive to avoid polluting configuration export;
*) app - only generate secrets for enabled apps;
*) app - removed healthcheck from opencloud-extended-collabora;
*) app - resolved issue where duplicate swaps are created;
*) app - show CHR's address instead of the container's;
*) app - use randomly generated secrets in new apps;
*) bfd - fixed delay on session print;
*) bgp - added option to add BGP VPLS created interfaces in interface-list;
*) bgp - fixed advertisement print handling by "dst" when destination is in VRF;
*) bgp - fixed EVPN label corruption and correct EVPN type-5 output;
*) bgp - fixed IPv6 End-of-Route processing;
*) bgp - improved stability on MP (multiprotocol) parsing;
*) bgp - improved stability when receiving malformed packets;
*) bgp - removed "save-to" from "resend" command;
*) bgp-vpn - fixed blackhole route export;
*) bridge - added "querier-uses-bridge-address" setting to use bridge source IP address for IGMP querier;
*) bridge - added DHCPv4 snooping IP binding table;
*) bridge - added scheduling point during VLAN processing to prevent soft lockups when flushing FDB over large VLAN ranges;
*) bridge - fixed local static host entries;
*) bridge - fixed MLAG MAC address handling issues related to aging, flushing and moving;
*) bridge - fixed stuck MLAG session when using mismatched L2MTU (introduced in v7.23);
*) bridge - improved bridge and port STP "priority" setting (warn when a non-compliant value is used and allow selecting a value from a list);
*) btest - added VRF support for bandwidth-test and speed-test;
*) certificate - added "acme-renew" command;
*) certificate - always use all trust stores for downloaded CRL validation;
*) certificate - general improvements in certificate handling;
*) certificate - use AES encryption when exporting certificates in PKCS#12 format;
*) console - added "days" to scheduler;
*) console - added "in" and "has" operators for array types;
*) console - added "order-by" parameter to "print" command, allowing sorting by up to three arguments in ascending or descending order;
*) console - added log tracing when scripts fail to start due to permissions;
*) console - do not terminate self-removing scripts;
*) console - fixed "print follow on-event" script runner command not showing all argument values in some cases;
*) console - fixed argument mappings in "do" block for monitor commands;
*) console - fixed proplist order in monitor commands;
*) console - fixed script import/export with empty "policy" setting;
*) console - fixed stability issue in full-screen editor;
*) console - fixed UTF-8 comparisons on some architectures;
*) console - improved "print detail" mode;
*) console - make "mac-auth-password" sensitive in "/ip/hotspot/profile";
*) console - make "password" sensitive in "/system/package/local-update/mirror";
*) console - produce runtime errors for bad command parameters;
*) console - prompt about and offer to stop already existing serial terminal session when opening new one;
*) console - renamed "address" to "available-from" in "/ip/service" (backwards compatible via deprecation);
*) console - renamed "reauth-timeout" to "reauth-period" in "/interface/dot1x/server" (backwards compatible via deprecation);
*) console - restrict editing comments in WiFi registration table;
*) container - added "save" command to allow saving container images;
*) container - added "swap-current" usage;
*) container - added "swap-max" global and per-container limit;
*) container - added ability to run containers in privileged mode;
*) container - added initial support for RKE2;
*) container - do not allow starting with empty default DNS list and no DNS override;
*) container - do not print environment variables in log on container startup;
*) container - fixed "start-on-boot" not retrying on certain startup errors;
*) container - fixed container "devices" override to appear under "/dev";
*) container - fixed missing config.json issue when upgrading from version 7.20.8 or older;
*) container - improved layer size calculation to avoid potential loops;
*) container - improved support for containers;
*) container - reduced writes to flash when running health check;
*) container - use env "TERM=xterm" if no TERM variable provided when running shell;
*) defconf - set "configuration.dtim-period=3" for WiFi;
*) defconf - use "add-dns-entries=yes" on devices with DHCP server;
*) dhcp - fixed processing of DHCP options that are longer than 255 bytes;
*) dhcpv4-relay - fixed stability issue when creating duplicate relays;
*) dhcpv4-server - do not reset "class-id" parameter when lease loses "bound" status;
*) dhcpv6-relay - fixed non-working relay when adding from WinBox;
*) dhcpv6-server - fixed invalid flag;
*) discovery - added "address6" column to default "/ip/neighbor" print view;
*) discovery - added "discovery" logging topic;
*) discovery - improved service stability when sending discovery packets on interfaces that have hundreds of IP addresses;
*) disk - added "last-seen" property that displays disk model and serial when removed;
*) disk - added "raid-scrub-cancel" command;
*) disk - added error message when disk state transitions from good to bad;
*) disk - do not consider USB drives as self-encryption capable;
*) disk - fixed "smart-info" not showing information on certain storage devices;
*) disk - limited maximum swap size to be no more than 10x of device RAM;
*) disk - resolved issue where storage device may change information upon reboot;
*) ethernet - fixed stability issue for Chateau PRO ax devices;
*) ethernet - fixed stability issue for devices with Alpine CPU;
*) ethernet - removed "1G-baseT-half" link mode on RTL8367 switch;
*) fetch - added "ip-type" parameter;
*) fetch - added option to force HTTP/2 only (only for ARM64 and x86/CHR devices);
*) fetch - fixed false "bad request" response when trying to fetch URL with IPv6 address in it;
*) fetch - hint file list for "src-path" and "dst-path" parameters;
*) hardware - renamed "max-power" to "manufacturer-reported-max-power";
*) interface - fixed duplicate MAC warning for wireless, wifi, macsec, w60g interfaces (introduced in v7.23);
*) iot - added LoRa keep alive logic for UDP protocol;
*) iot - added missing LoRa US radio plans;
*) iot - added Wiliot USB dongle support;
*) iot - allow maximum Modbus "timeout" property to 10 seconds;
*) iot - monitor LoRa worker state (watchdog);
*) iot - pass Wiliot certification;
*) ip-service - remove reverse-proxy for SMIPS;
*) ip-service - show service name for "l2tp";
*) ipsec - fixed policy move handling;
*) ipsec,ike1 - fixed negotiated PFS validation;
*) ipsec,ike2 - fixed active connection termination;
*) ipsec,ike2 - fixed SA payload validation;
*) ipsec,ike2 - improved KE generation validation during initial setup and child SA creation;
*) ipsec,ike2 - improved logging when remote ID is specified;
*) ipsec,ike2 - improved pending child SA cleanup and removal of dangling SAs during Phase 2 deletion;
*) ipsec,ike2 - improved PPK handling by always using it when authorized, including additional Child SAs, and moved PPK processing to the Child SA task;
*) ipsec,qkd - moved QKD to "/system/keymat-provider" menu and made it a generic key material provider;
*) ipv6 - added "status" column to default "/ipv6/neighbor" print view;
*) ipv6,ra - changed default "router-advertisement-route-distance" to 1;
*) ipv6,ra - correctly process RAs advertising previously expired prefix;
*) ipv6,ra - fixed prefix invalidation;
*) ipv6,ra - use lowest value between IPv6/Pool and IPv6/ND/Prefix/Default as dynamic prefix lifetime;
*) isis - fixed missing "l2.lsp-refresh-interval" parameter;
*) l2tp - allow fragmentation of large IPv6 packets;
*) l3hw - added HW offloaded support for VLAN interfaces created directly on Ethernet for CRS8xx series switches;
*) leds - added dark mode support for L009, hAP ax2, hAP ax3, hEX refresh, hEX S (2025), hAP ax S and Chateau ax devices;
*) leds - fixed missing wireless LED configuration (introduced in v7.21);
*) leds - improved interface stats activity for devices with Marvell Prestera switch chip;
*) lte - cap IPv6 prefix lifetime for ipv6-interface;
*) lte - do not add extra /128 IPv6 address for ipv6-interface;
*) lte - enabled AT registration unsolicited event reporting for EG25-G and EC25-EU boards;
*) lte - fixed cases where EC25-EU and EG25-G boards would receive packets with missing last 4 bytes;
*) lte - fixed EC/IO scale in CLI and GUI;
*) lte - fixed EC25-EU, EG25-G traffic to 67 UDP;
*) lte - fixed IPv6 RA handling for multiapn non-primary interface;
*) lte - fixed third-party modems ICCID decoding for eSIM;
*) lte - improved Cinterion PLS8-E roaming;
*) lte - improved deregistration handling for AT modems;
*) lte - improved system stability when no APN specified;
*) lte - limit IPv6 prefix lifetime only when lifetime is advertised as infinity;
*) lte - make modem MAC persistent for R11e-LTE6 and R11l-LTE7 modems;
*) lte - remove site local DNS for ipv6-interface;
*) lte - removed extra restart after firmware upgrade for EC200A-EU modem;
*) lte - report short cell ID in 3G network mode also for AT modems;
*) lte - restrict incoming calls for FG621-EU;
*) lte - show "+CME ERROR: 10" as "SIM not present";
*) lte - show "data-class" in LTE monitor instead of "access-technology" also for 5G AT modems;
*) lte - show "primary-band" instead of "earfcn" in LTE monitor also for modems without CA support;
*) lte - show RSCP and EC/IO parameter in 3G network mode for R11e-LTE6, R11l-LTE7 and FG621-EA modems;
*) mesh - fixed missing FDB entries from wireless ports;
*) mpls - added ICMP time exceeded handler for IPv6;
*) mpls - make FastPath work with expl-null;
*) netinstall - improved architecture detection;
*) netinstall-cli - added "help" parameter;
*) netinstall-cli - added "reboot" and "shutdown" flags to control reboot after installation;
*) netwatch - fixed an issue with DNS probe "timeout" parameter;
*) netwatch - fixed HTTP GET probe over IPv6;
*) netwatch - fixed inaccurate "rtt-stdev" value;
*) netwatch - fixed issue where ICMP probes did not accept TTL exceeded packets when "accept-icmp-time-exceeded" was enabled;
*) netwatch - increased maximum packet size to 65535;
*) ospf - allow comments on static interfaces;
*) ospf - fixed interface passive flag update in WinBox;
*) ospf - force passive for VRF interface;
*) pim - added comment for "/routing/gmp" entries;
*) pimsm - make "hash-mask-length" parameter naming consistent and fixed typos;
*) poe-in - added PoE-in monitoring and LLDP-based PoE negotiation support for newer devices (e.g. CRS504, CRS510, hEX S 2025, hAP be3 Media);
*) poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces);
*) poe-out - firmware update for 802.3bt capable boards (the update will cause a brief power interruption to poe-out interfaces);
*) ppp - added "MT-Address-List" to IPv6 address list when received from RADIUS and using DHCP for IPv6 configuration;
*) ppp - disable/enable modem radio state depending on ppp interface state;
*) ppp - fixed cases where BG77 or BG770 firmware upgrade was not available;
*) ppp - fixed ppp-out stability issue;
*) ppp - improved "info" command for BG77 and BG770 modems;
*) ppp - improved OVPN underlying SSL connection management;
*) ppp - only show pin in export with "show-sensitive" flag;
*) ppp - report actual network data usage statistics instead of "0" for all IPv6 RADIUS accounting parameters on accounting "Stop" packet;
*) queue - fixed "undo" command for simple queues;
*) rip - do not export authentication keys by default;
*) route - allow to add route with link-local destination address;
*) route - fixed memory leak when flapping addresses or interfaces with routing protocols running;
*) route - fixed potential race condition;
*) route - fixed static route flag handling by WinBox on disable;
*) route - respect the "interface" property when pinging IPv6 addresses over ECMP;
*) routerboard - renamed "ipq53xx" firmware type to "ipq5300";
*) sfp - fixed linking for hAP ax S and hEX S (2025) with "1G-baseX" link-mode;
*) sfp - removed unsupported "2.5G-baseX" speed on CRS312-4C+8XG and CRS326-4C+20G+2Q+;
*) sftp - fixed branding package upload;
*) sms - added some GSM7 symbols to SMS tool;
*) ssh - added mlkem768x25519-sha256 key exchange support;
*) ssh - do not attempt automatic empty password login when RADIUS is used;
*) ssh - fixed SSH tunnel with IPv6 link-local address on non-ethernet interfaces;
*) ssh - make SSH packet validation more strict;
*) supout - added interface monitor-traffic;
*) supout - added LTE eSIM section;
*) switch - fixed IEEE reserved MAC handling for CRS1xx, CRS2xx switches;
*) switch - increase "ingress-rate" and "egress-rate" maximum value to 400G;
*) system - renamed "factory-software" to "minimum-version" and "factory-firmware" to "minimum-firmware";
*) system - restrict RouterOS processes using swap;
*) system - show who is using "/system serial-terminal";
*) traffic-generator - fixed injecting pcap/pcapng files on MIPSBE architecture;
*) tunnel - fixed stability issue caused by a misconfigured routing loop under bridge (introduced in v7.22);
*) upgrade - prevent package scheduling from interfering with the upgrade feature;
*) vpls - added transmit loop detection;
*) vrrp - added "v3-checksum-as-v2" setting;
*) vrrp - fixed stability issue when "sync-connection-tracking" is enabled;
*) vxlan - fixed missing L2MTU property when VRF is specified;
*) vxlan - ignore disabled interfaces when checking for configuration conflicts;
*) webfig - fixed issue with increasing keep-alive traffic;
*) webfig - improved underlying encryption and stability processing;
*) webfig - improvements to graphs;
*) wifi - added "Preamble Puncturing" under "WiFi/Channel" menu;
*) wifi - added dash when CAPsMAN generates interface name and prefix ends with digit;
*) wifi - improved roaming/steering behavior for WiFi 7 MLO;
*) wifi - improved stability;
*) wifi - improved station-bridge mode;
*) wifi - updated radio regulatory information;
*) wifi - upgraded wifi-qcom driver;
*) wifi-mediatek - fixed broken interfaces on startup;
*) wifi-mediatek - fixed some channel definitions for certain countries;
*) wifi-mediatek - improved channel switching;
*) winbox - added "Network" configuration menu for WiFi;
*) winbox - added "Preferred Architecture" setting for L009;
*) winbox - added "SIM PIN" under "Tools/SMS";
*) winbox - added missing values to "AFI" setting under "Routing/BGP" menus;
*) winbox - fixed "Connection Bytes" field under "IP/Firewall" menu;
*) winbox - fixed "EC/IO" scaling for LTE interface;
*) winbox - fixed "Use Ipsec" and "Ipsec Secret" under "Interfaces/L2TP Ether" menu;
*) winbox - fixed empty value in "Immediate Gateway" under "IP/Routes" menu;
*) winbox - fixed sort for "Address List" under "IPv6/Firewall" menu;
*) winbox - fixed value unset under "MPLS/LDP Neighbor" menu;
*) winbox - make LoRa "Auth key" and MQTT "Password" sensitive;
*) winbox - move "EAP" under "Security" tab for WiFi;
*) winbox - show "Any. Port" column by default under "IP/Firewall" menu;
*) winbox - show preferred and valid lifetime of IPv6 address also on static IPs;
*) winbox - show priority bits in "VLAN ID" field under "Tools/Packet Sniffer" menu;
*) wireguard - fixed peer recreation on interface change;
*) x86 - fixed IRQ displaying per CPU on Intel 700 series NIC;