RouterOS 7.22 [stable]

What's new in 7.22 (2026-Mar-09 10:38):

!) certificate - added support for multiple ACME certificates (services that use a previously generated certificate need to be reconfigured after the certificate expires);

!) device-mode - added option to configure device-mode via Netinstall or FlashFig using a “mode script”;

*) app - added configurable app-store URL for custom apps;

*) app - added health check for apps, which automatically rewrites the composed YAML;

*) app - added jupyter-notebook, livebook, myip, and rustfs apps;

*) app - added support for custom apps;

*) app - allow configuring bridge port pvid for app;

*) app - changed ui-url parameter for Smokeping and Nextcloud;

*) app - clean the backup directory after container repull;

*) app - do not show duplicate entries of required-mounts;

*) app - enable swap on all devices that use apps to help with performance;

*) app - fixed /app/export;

*) app - fixed apps constantly polling the cloud;

*) app - fixed elasticsearch, element, pmacct-netflow apps failing to start;

*) app - fixed issue with Cinny not being able to create a root-dir;

*) app - fixed missing reverse-proxy URL;

*) app - fixed potential port collisions between apps;

*) app - show app URL only when it is running;

*) app - show DNS URL for app only if it has a reverse-proxy;

*) bgp - added BGP unnumbered support;

*) bgp - changed multipath to number argument;

*) bgp - fixed BGP output sometimes not being cleaned after session restart;

*) bgp - fixed early-cut not working properly;

*) bgp - fixed ignore-as-path-len not being used;

*) bgp - fixed update messages not being sent on default-prepend value change;

*) bgp - implemented add-path;

*) bgp - implemented multipath (ability for BGP best path to select ECMP routes);

*) bgp - make remote.address parameter optional;

*) bgp-vpn - allow modifying scopes with routing filters;

*) bgp-vpn - use target scope for imported route;

*) bridge - added local and static MAC synchronization for MLAG;

*) bridge - added MLAG support per bridge interface (/interface/bridge/mlag menu is moved to /interface/bridge; configuration is automatically updated after upgrade; downgrading to an older version will result in MLAG configuration loss);

*) bridge - added MLAG-specific aged and aged-peer flags to host table;

*) bridge - added RA guard feature;

*) bridge - fixed MAC moving between regular ports and bonds for MLAG;

*) bridge - fixed MLAG state being permanently disabled when changing bridge interface settings;

*) bridge - fixed performance regression in complex setups with vlan-filtering (introduced in v7.20);

*) bridge - improved logic for interface remove;

*) bridge - improved MAC synchronization for MLAG;

*) bridge - improved VRRP MAC address handling;

*) bridge - removed vlan-filtering check when changing the MVRP setting (allows disabling MVRP through WinBox);

*) bth - use separate Let's Encrypt certificate for file-share;

*) certificate - improved certificate export process;

*) certificate - improved logging;

*) chr - improved fast-path stability when using vmxnet3 driver;

*) console - added :continue and :break commands for various loops;

*) console - added :exit command to terminate scripts;

*) console - added "comments" parameter to print command to control comment and error output;

*) console - added comparison operators for ID values;

*) console - added Ctrl+Left/Right word navigation;

*) console - added Ctrl+w word deletion;

*) console - added hint for dry-run import parameter;

*) console - added left shift (<<) and right shift (>>) support for IPv6 addresses;

*) console - added on-event script runner support to print follow/follow-only;

*) console - added timestamp support to print follow/follow-only;

*) console - allow undefined variables in dry-run import;

*) console - changed autocomplete expansion criteria;

*) console - disable follow command in /ip/firewall/connection menu;

*) console - fixed brief print for entries with multiple comments;

*) console - fixed setting of /interface/wireless/scan-list;

*) console - fixed time drift for interface last-link-down-time and last-link-up-time;

*) console - fixed value type names in comparison errors;

*) console - implemented string casting in :tobool command;

*) console - improved command decoding to drop extraneous commands (visible in history logging);

*) console - improved error tracing when using find command;

*) console - improved export command to avoid empty [find];

*) console - improved history logging when performing object rename with set/reset;

*) console - improved set/remove command handling in /file menu;

*) console - look up variable in global scope if argument scope lookup failed;

*) console - parse width parameter for non-interactive SSH commands;

*) console - show smaller QR codes where possible;

*) console - use the same flag output format for both print brief and detail;

*) container - added support for zstd extraction;

*) container - automatically stop/repull/start the container on repull or remote-image change;

*) container - fixed issue where the container may not start after upgrading if root-dir was not set;

*) container - improved error message if container fails to start;

*) container - internal stability improvements;

*) container - use the user-defined envs and envlist for container shell command;

*) defconf - fixed L009 configuration (introduced in v7.21);

*) detnet - added request-interval setting;

*) detnet - changed default port from MNDP to a random unused UDP port;

*) dhcp-server - improved failure/error logging for both IPv4 and IPv6;

*) dhcpv4-client - fixed inability to reference disabled DHCP client by interface name;

*) dhcpv4-client - request DOMAINNAME (15) option from the server;

*) dhcpv4-server - improved DHCP option handling;

*) dhcpv4-server - improved logging;

*) dhcpv4-server - send all found lease options in reply to DHCPINFORM;

*) dhcpv6-client - allow unsetting "pool-prefix-length" parameter;

*) dhcpv6-client - improved log messages;

*) dhcpv6-relay - fixed link-layer address inconsistency with the original link-layer address in relay-forward packets;

*) dhcpv6-server - swap input and output RADIUS accounting statistics counters;

*) disk - added support for file-based swap space;

*) disk - added trim command which functions similarly to fstrim;

*) disk - fixed issue where iSCSI did not work with ESXi and XEN hypervisors;

*) disk - fixed issue with disks not mounting after swapping devices;

*) disk - fixed opening a drive in read-only mode if it became locked;

*) disk - improved BTRFS stability on TILE devices;

*) disk - renamed format file-system=trim and trim-secure to format file-system=discard and discard-secure;

*) disk - show if drive is encrypted and locked;

*) email - use default port if not specified;

*) ethernet - increased Rx buffer size for devices with Alpine CPUs (reduces packet rx-drop in certain cases);

*) fetch - added HTTP/2 support on ARM64 and x86/CHR devices;

*) fetch - fixed fetch treating relative paths from redirects as hostnames;

*) fetch - increased default maximum redirect count to 2;

*) fetch - return error code and HTTP headers to :onerror script;

*) fetch - treat HTTP 304 return code as success;

*) gps - fixed GPS port disappearance after reboot for EC25-EU&KNe;

*) health - added CPU temperature monitoring to L009 with ARM64;

*) hotspot - allow WireGuard interface type;

*) hotspot - check validity of base32 for otp-secret;

*) hotspot - do not invalidate static ARP entries;

*) hotspot - fixed www response after login by cookie;

*) hotspot - set sensitive flag on /ip/hotspot/user otp-secret;

*) ike1 - added ChaCha20-Poly1305 ESP encryption support;

*) ike1,ike2 - improved netlink update handling;

*) iot - added Bluetooth extended scanning and 1M/2M PHY support for the RB924i KNOT devices;

*) iot - added Bluetooth extended scanning, advertising, and 1M/2M/CODED PHY support for EC25 KNOT devices;

*) iot - added modbus delay using interframe-gap setting;

*) iot - improved LoRa FSK modulation downlinking;

*) ip - added error messages to reverse-proxy rules;

*) ip - added reverse-proxy;

*) ip-service - properly disable IP/Service on manual disable;

*) ippool6 - allow creating sub-pool by specifying "from-pool";

*) ipsec - added "none" option to IPsec key QKD certificate field;

*) ipsec - added IKEv2 DDoS cookie activation setting;

*) ipsec - added logging for IPsec policy template group;

*) ipsec - added logging of IKEv2 connection SPI and initiator address;

*) ipsec - adjusted minimum generated PSK key length;

*) ipsec - fixed IKEv2 child policy reqid lost on rekey;

*) ipsec - fixed IKEv2 child reqid handling on traffic selector update;

*) ipsec - improved aes256-ctr stability on L009;

*) ipsec - removed modp8192 proposal on MIPS architectures;

*) ipv6 - added dhcp6-pd-preferred to /ipv6/nd/prefix to control P flag in Prefix Info Option RFC 9762;

*) ipv6 - delete SLAAC default route if there are no active SLAAC prefixes present and no new RAs received;

*) ipv6 - do not generate duplicate dynamic link-local addresses on tunnel type interfaces;

*) ipv6 - enable IPv6 fast-path after removing firewall rules;

*) ipv6 - improved system stability when manipulating IPv6 configuration that was added while IPv6 was disabled;

*) isis - improved stability and fixed a small memory leak;

*) l2tp - improved system stability on TILE architecture;

*) l3hw - fixed missing VLAN counters on reboot (introduced in v7.21);

*) l3hw - improved system stability on device shutdown/reboot;

*) l3hw - improved system stability when enabling VLAN offloading under active traffic (introduced in v7.21);

*) log - added comment support to rule entries;

*) log - added option to clear echo logs;

*) log - added option to prepend topics to BSD syslog message;

*) log - added script target for log actions;

*) log - fixed incorrect log message shown after canceling supout.rif creation;

*) log - fixed minor spelling issues;

*) log - fixed missing ID in trace logs after removing logging rule;

*) log - log "Secret must be set to run scripts from SMS" error only if ":cmd" prefix is used in SMS message;

*) log - use uppercase MAC address in firewall logging;

*) lte - added "auto" MTU option for LTE interfaces to use network-advertised MTU on supported devices;

*) lte - added AT command timeout for EC25-EU&KNe;

*) lte - added multi-apn and framed routing support for EC200A-EU modem (requires latest FW version);

*) lte - added roaming barring field to LTE "show-capabilities" menu;

*) lte - added subscriber number to monitor command for MBIM modems;

*) lte - added USB tethering support using iOS devices;

*) lte - clear about field status on firmware upgrade;

*) lte - do not allow modem firmware-upgrade on "inactive" interface;

*) lte - do not allow setting unsupported roaming barring settings for R11e-4G;

*) lte - do not flap LTE passthrough assigned interface on modem link state change;

*) lte - do not reconfigure LTE interface on configuration change error;

*) lte - enable DHCP relay packet forwarding to the cellular network for EG120K-EA and RG650E-AU;

*) lte - fixed "allow-roaming" setting to return error for modems that do not support roaming barring;

*) lte - fixed cases where AT dialer could get stuck in "modem not ready" state;

*) lte - fixed cases where incorrect network modes and bands could be suggested for active interface;

*) lte - fixed chained firmware update for Chateau 5G;

*) lte - fixed changing eSIM profile nickname;

*) lte - fixed changing MAC address for EC200A-EU modem;

*) lte - fixed crash on LTE passthrough interface deactivation;

*) lte - fixed displaying operator name for Chateau ax R17;

*) lte - fixed eSIM errors appearing on devices without eSIM support;

*) lte - fixed firmware update and status refresh for R11eL-EC200A-EU modem;

*) lte - fixed LTE interface IPv6 address generation to use EUI-64 for EC25-EU&KNe;

*) lte - fixed missing notifications to eSIM provider when eSIM provisioning canceled;

*) lte - fixed tethering support for Google Pixel Pro 8;

*) lte - fixed wrong MTU reading/setting for config-less modems;

*) lte - hide external antenna selection menu for the Chateau AX R17;

*) lte - improved APN IP type handling by enabling only the IP protocols defined in the assigned APN profile for config-less modems;

*) lte - make inactive LTE interface settable, LTE interface settings can be set without waiting for modem initial initialization;

*) lte - removed delay before querying modem status for config-less modems with info channel;

*) lte - show ICCID and IMSI also when the interface is disabled;

*) lte - strip modem reported padding characters for SIM card (ICCID) on Chateau ax R17;

*) mac-telnet - added interface property;

*) macsec - fixed hardware offload on S53 and C53 devices;

*) mesh - fixed missing S flag on interfaces after mesh disable/enable;

*) ospf - fixed typos in log messages;

*) ping - added IPv6 support for flood-ping;

*) poe-out - added LLDP support for dual-signature PDs;

*) poe-out - firmware update for 802.3at capable boards (the update will cause a brief power interruption to poe-out interfaces);

*) poe-out - firmware update for 802.3bt capable boards (the update will cause a brief power interruption to poe-out interfaces);

*) poe-out - firmware update for CRS354-48P-4S+2Q+ (the update will cause a brief power interruption to poe-out interfaces);

*) poe-out - fixed controller-error for CRS354-48P-4S+2Q+;

*) port - fixed baud rate change for TILE architecture devices;

*) ppp - added initial support for BG770A-GL modem firmware update;

*) ppp - fixed Framed-Route attribute not being applied to correct VRF;

*) profiler - split "management" process into different smaller process groups;

*) radius - fixed initialization of incoming UDP socket in some situations;

*) radius - fixed RadSec SSL CPU usage increase on closed connections;

*) radius - improved incoming RadSec packet processing on busy service;

*) radius - improved logging;

*) rip,pimsm - separate the interface property from the address in /routing/rip/interface and /routing/pimsm/interface menus;

*) rose-storage - added XFS support;

*) route - added logs for check-gateway state changes;

*) route - added routing/settings policy-rules;

*) route - added SLAAC route redistribution for IPv6 capable routing protocols;

*) route - do not set blackhole flag for synthetic routes;

*) route - fixed route removal after unexpected safe mode termination;

*) route - fixed routes when scope was less than 10;

*) routerboard - allow changing /system/routerboard/settings via Netinstall or FlashFig using a "mode script";

*) routerboot - allow installing ARM64 on L009 device ("/system routerboard upgrade" required; configure "/system/routerboard/settings set preferred-architecture=arm64 boot-device=try-ethernet-once-then-nand"; start Netinstall with ARM64 image and reboot the device (DO NOT load the backup routerboot with reset button); downgrading to older versions must be avoided);

*) routerboot - fixed linking to 1000M-half for KNOT Embedded LTE4 ("/system routerboard upgrade" required);

*) routerboot - fixed possible Netinstall failure for KNOT Embedded LTE4 ("/system routerboard upgrade" required);

*) routing-filter - added possibility to match SLAAC and bgp-mpls-vpn route types;

*) sfp - improved initialization and linking for some QSFP modules;

*) smips - reduced package size and removed ip-scan, mac-scan, ping-speed, flood-ping features;

*) snmp - added 5G NSA connection signal indications: nr-rsrp, nr-rsrq, nr-sinr;

*) snmp - fixed CA band indication;

*) snmp - fixed issue where bulk walk might skip the first OID;

*) snmp - fixed minor memory leak when changing SNMP authentication/encryption passwords;

*) snmp - fixed reply for empty snmpbulkwalk requests;

*) snmp - report maximum "ifSpeed" value if out of bounds;

*) snmp - report RouterOS version in SNMPv2-MIB::sysDescr;

*) ssh - improved logging;

*) supout - wait up to 5 minutes for export to complete and show incomplete output in case of timeout;

*) switch - fixed missing switch-cpu port counters;

*) switch - improved system stability when changing bridge multicast-router property on CRS1xx/2xx (introduced in v7.19);

*) switch - updated switch-marvell.npk driver;

*) system - added reset-configuration keep-apps=yes;

*) system - display serial ports in the /system/resource/hardware menu;

*) system - improved upgrade service stability when the server is unreachable;

*) undo - show user when configuring DHCP server or hotspot with setup command;

*) upgrade - added "password" parameter to "local-upgrade" feature when configuring through CLI;

*) upgrade - added IPv6 support for local package source and mirror;

*) upgrade - fixed local package mirror check interval;

*) upgrade - removed redundant commands from local package menu;

*) usb - updated device ids for ax88179_178a driver;

*) user - properly apply login delay (introduced in v7.20);

*) user-manager - added support for NAS-Identifier attribute;

*) user-manager - always respond to accounting requests;

*) user-manager - do not send Disconnect-Message for unknown usernames for Accounting-Request;

*) user-manager - do not send invalid NAS-Port-Type on CoA/PoD messages;

*) user-manager - fixed unauthenticated access to /PRIVATE/ userman web files;

*) user-manager - show empty value for session NAS-IP-Address if empty;

*) webfig - added missing icons for Firewall table;

*) webfig - added new section "Common names" in skin designer;

*) webfig - added support for collapsible tree view for menus like Interfaces, Files, Queues;

*) webfig - added support for URL fields;

*) webfig - fixed ability to set interworking.realms-raw WiFi interface attribute;

*) webfig - fixed skin designer mobile view for QuickSet and Terminal;

*) webfig - fixed Torch Filters default values;

*) webfig - improved address type field input value validation;

*) wifi - added keepalive message in CAPsMAN data channel;

*) wifi - added optional show-frame=radiotap parameter value to make sniffer display the radiotap header of captured frames;

*) wifi - allow specifying hostname to caps-man-addresses;

*) wifi - fixed channel switching for MediaTek access points;

*) wifi - fixed FT support with wpa2-psk-sha2;

*) wifi - fixed functionality of the wireless-signal-strength LED trigger;

*) wifi - fixed possible certificate failure after CAPsMAN disable/enable;

*) wifi - improved spectral-history width for console;

*) wifi - improved stability and fixed multiple issues;

*) wifi - improved stability of interfaces in station mode during roaming;

*) wifi - improved support for 802.11be access points;

*) wifi - improved system stability when using spectral-scan;

*) wifi - introduced /interface/wifi/network menu for higher level network configuration (CLI only);

*) wifi - quicker re-connections to APs for interfaces in station mode;

*) wifi - updated regulatory information for Malaysia;

*) wifi-mediatek - fixed rx chains functionality;

*) wifi-mediatek - updated driver and firmware;

*) winbox - added "Force Check" for local upgrade;

*) winbox - added comment in "System/Ports/Remote Access" menu;

*) winbox - added confirmation message to Format Drive;

*) winbox - added Container Repull command;

*) winbox - added error reporting to CAPsMAN Manager menu;

*) winbox - added GUI support for IPsec QDK;

*) winbox - added missing LoRa channel fields;

*) winbox - added missing route flags;

*) winbox - added route ISIS tab;

*) winbox - added socsify icon for firewall NAT rules;

*) winbox - added SwOS Allow From field;

*) winbox - added warning when changing global script variables;

*) winbox - allow using specified skin without the sensitive policy;

*) winbox - fixed applying a skin to a user authenticated with RADIUS;

*) winbox - fixed applying a skin to WinBox if it was uploaded via the branding package;

*) winbox - fixed default flag in certain menus;

*) winbox - fixed empty "Realm Raw" value processing and value inheritance from configuration template (requires WinBox 4);

*) winbox - fixed L3HW default value for VLAN interface (introduced in v7.21);

*) winbox - fixed modem firmware-upgrade for the RG650E-EU modem;

*) winbox - fixed the "New QoS Profile" field for switch rules;

*) winbox - make File Share URL field clickable;

*) winbox - move "Default" panel from "IPv6/ND/Proxy" to "IPv6/ND/Prefixes";

*) winbox - rearrange filter wizard parameters in tabs;

*) winbox - recognize imported certificate key size;

*) winbox - rename "Change Now" to "Change" button in "System/Password" menu;

*) winbox - replace "DHCP" with "DHCPv6" in IPv6 menus;

*) winbox - set "Mount Filesystem" by default under "System/Disk" menu;

*) winbox - show MPLS tab only to relevant routes;

*) winbox - show separator after "Protocol" field for IPv6 Firewall rules;

*) winbox - show warnings in "MPLS/Traffic Eng/Tunnel" menu;

*) winbox - updated some setting and title names;

*) winbox - updated various WiFi properties;

*) wireguard - fixed private key generation when creating a WireGuard interface;

*) wireguard - improved stability;

*) wireguard - merged upstream fixes and improvements;

*) wireless - avoid joining BSS that previously failed until all other options tried;

*) wireless - improved system stability when changing nstreme mode;

*) wireless - improved system stability when eap-method=passthrough configured for station;

*) x86 - added JME network driver;

*) x86 - fixed interface hang on RTL8125 when processing IP-fragmented UDP traffic;

*) x86 - improved link establishing on Intel X710 series NIC;