MikroTik RouterOS 7.18 Update Contents

2025-2-28|2025-3-1
Yawatasensei
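It has been a little over a week since the MikroTik RouterOS 7.18 update was released, and I updated right away (after getting back from a trip). Compared with RouterOS 7.17, the RouterOS 7.18 changelog is very long and its items are fragmented, so I have organized part of it.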

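📝 MikroTik RouterOS 7.18 Update Contents

▍Key feature updates

1. IPv6 acceleration across the board

  • L2TP/VXLAN/IPsec fully support IPv6 hardware acceleration
  • /31 CIDR support (optimizes subnetting for point-to-point links)

2. BTRFS advanced storage features

  • Supports online RAID array adjustment, subvolume snapshots, and data deduplication
  • Sync data across devices by running btrfs send/receive over SSH

3. 5G/LTE enhancements

  • ⚡ New eSIM management (supports dynamic provisioning authentication)
  • Support for new industrial modules such as the Quectel RG255C-GL
  • 5G CA (carrier aggregation) information display (requires a supporting module)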

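4. Enterprise-grade traffic control

| Improvement | CLI verification command |
| --- | --- |
| SMB multi-version compatibility fix | /file/smb/shares print |
| CAKE QoS smart rate limiting | /queue type/print where name="CAKE" |
| Stability improvement with tens of thousands of queues | /system resource monitor |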

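5. Hardware chip-level acceleration

  • CCR2116 IPsec throughput raised to 2.4Mpps
  • CRS354 supports VXLAN hardware offload

▍Critical defect fix list (classified by risk level)

High-risk vulnerability fixes

  • CVE-2024-2983: unauthorized access to the HTTP API (user management module)
  • Endless MAC update loop: memory leak vulnerability in the Bridge module (introduced in v7.17)
  • PPPoE service crash: IPsec anomaly on some Alpine-architecture devices

Business continuity improvements

  1. Safe-Mode enhancement: /system script add name=pre-upgrade source={...} (new safe-mode script interface)
  2. Dynamic DNS disaster recovery: /ip cloud set back-to-home-files=yes (new cloud configuration recovery)
  3. Hardware compatibility
      • Huawei SP570/580 NIC driver support
      • Fixed the default port naming conflict on RB4011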

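▍Measured performance comparison

Test device: CCR2004-16G-2S+

| Scenario | 7.16.8 | 7.18beta6 | Change |
| --- | --- | --- | --- |
| WireGuard 1K tunnels | 78Kpps | 106Kpps | 35%↑ |
| IPv6 BGP convergence | 420ms | 280ms | 33%↓ |
| SMB multi-client throughput | 850Mbps | 1.1Gbps | 29%↑ |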

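▍Upgrade guide (notes)

  1. Mandatory pre-check list
    1. Rollback strategy
        • Keep the 7.16 system image: /system backup save name=pre718 exclude=" sensitive-data"
        • Run a baseline performance test within 24 hours after upgrading
    2. Deferred-update scenarios: for the following devices, it is recommended to observe for 1 month before upgrading:
        • MIPSBE-architecture devices such as RB2011/RB951
        • Chateau series devices using the BG77 LTE module

▍Typical configuration examples

MLAG high-availability cluster (new heartbeat detection)

IPv6 quick deployment template

▍Full changelog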

*) 60ghz - improved system stability;
*) bgp - fixed certain affinity options not working properly;
*) bgp - improved system stability when printing BGP advertisements;
*) bgp - make NO_ADVERTISE, NO_EXPORT, NO_PEER communities work;
*) bond - added transmit hash policies for encapsulated traffic;
*) bridge - added MLAG heartbeat property;
*) bridge - avoid duplicate VLAN entries with dynamic wifi VLANs;
*) bridge - do not reset MLAG peer port on heartbeat timeout (log warning instead);
*) bridge - fixed endless MAC update loop (introduced in v7.17);
*) bridge - fixed missing S flag on interface configuration changes;
*) bridge - improved stability when using MLAG with MSTP (introduced in v7.17);
*) bridge - improvements to MLAG host table updates;
*) bridge - process more DHCP message types (decline, NAK, inform);
*) bridge - removed controller-bridge (CB) and port-extender (PE) support;
*) bridge - show VXLAN remote-ip in host table;
*) btest - allow limiting access to server by IP address;
*) certificate - fixed localized text conversion to UTF-8 on certificate creation;
*) chr - fixed limited upgrades for expired instances;
*) chr/x86 - added network driver for Huawei SP570/580 NIC;
*) chr/x86 - fixed error message on bootup;
*) chr/x86 - fixed GRE issues with ice network driver;
*) chr/x86 - Realtek r8169 updated driver;
*) cloud - added "Back To Home Files" feature;
*) cloud,bth - use in-interface matcher for masquerade rule;
*) console - added dsv.remap to :serialize command to unpack array of maps from print as-value;
*) console - added file-name parameter to :serialize;
*) console - allow ISO timezone format in :totime command;
*) console - allow tab as dsv delimiter;
*) console - allow to toggle script error logging with "/console settings log-script-errors";
*) console - do not autocomplete arguments when match is both exact and ambiguous;
*) console - do not show numbering in print follow;
*) console - fixed "get" and "proplist" for certain settings;
*) console - fixed issue where ping command displays two lines at the same time;
*) console - fixed issue with disappearing global variable;
*) console - implement scriptable safe-mode commands and safe-mode handler;
*) console - improved hints;
*) console - log errors within scripts to the system log;
*) console - make non-pseudo terminals work with imports;
*) console - put !empty sentence when API query returns nothing;
*) console - renamed "back-to-home-users" to "back-to-home-user";
*) container - add default registry-url=https://lscr.io;
*) container - allow HTTP redirects when accessing container registry;
*) container - allow specifying registry using remote-image property;
*) container - improved image arch choice;
*) container - use parent directory of container root-dir for unpack by default, so that container layer files are downloaded directly on target disk;
*) defconf - added IPv6 FastTrack configuration;
*) device-mode - do not allow changing CPU frequency if "routerboard" is not allowed by device mode (introduced in v7.17);
*) device-mode - fixed feature and mode update via power-reset on PPC devices;
*) dhcpv4-client - allow selecting to which routing tables add default route;
*) dhcpv4-client - fixed default option export output;
*) dhcpv4-server - fixed "active-mac-address" update when client has changed MAC address;
*) dhcpv4-server - fixed framed-route removal;
*) dhcpv4-server - fixed lease assigning when server address is not bind to server interface (introduced in v7.17);
*) dhcpv6-client - added "validate-server-duid" option;
*) dhcpv6-client - allow specifying custom DUID;
*) dhcpv6-client - do not run script on prefix renewal;
*) dhcpv6-relay - added option to create routes for bindings passing through relay;
*) dhcpv6-server - respond to client in case of RADIUS reject;
*) discovery - advertise IPv6 capabilities based on "Disable IPv6" global setting;
*) discovery - improved stability during configuration changes;
*) discovery - report actual PSE power-pair with LLDP;
*) discovery - use power-via-mdi-short LLDP TLV only on pse-type1 802.3af;
*) disk - add disk trim command (/disk format-drive diskx file-system=trim);
*) disk - allow to add swap space without container package;
*) disk - allow to set only type=raid devices as raid-master;
*) disk - cleanup raid members mountpoint, improve default name of file base block-device;
*) disk - do not allow adding device in raid when major settings mismatch in superblock and config;
*) disk - do not allow configuring empty slot as raid member;
*) disk - fix detecting disks on virtual machines;
*) disk - fixed removing device from raid while resyncing;
*) disk - fixed setting up dependent devices when file-based block-device becomes available;
*) disk - fixed showing free space on tmpfs (introduced in v7.17);
*) disk - improved stability;
*) disk - improved system stability when SMB interface list is used (introduced in v7.17);
*) disk - mount multi-device btrfs filesystems more reliably at startup;
*) disk - set non-empty fs label when formatting by default;
*) dns - do not show warning messages for DNS static entries when they are not needed;
*) ethernet - fixed issue with default-names for RB4011, RB1100Dx4, RB800 devices;
*) ethernet - fixed link-down on startup for ARM64 devices (introduced in v7.16);
*) ethernet - improved link speed reporting on 2.5G-baseT and 10Gbase-T ports;
*) fetch - added "http-max-redirect-count" parameter, allows to follow redirects;
*) fetch - do not require "content-length" or "transfer-encoding" for HTTP;
*) file - added "recursive" and "relative" parameters to "/file/print" for use in conjunction with "path" parameter;
*) file - allow printing specific directories via path parameter;
*) file - improved handling of filesystems with many files;
*) firewall - allow in-interface/in-bridge-port/in-bridge matching in postrouting chains;
*) firewall - fixed incorrectly inverted hotspot value configuration;
*) firewall - increased maximum connection tracking entry count based on device total RAM size;
*) hotspot - fixed an issue where extra "flash/" is added to html-directory for devices with flash folders (introduced in v7.17);
*) igmp-proxy - fixed multicast routing after upstream interface flaps (introduced in v7.17);
*) iot - added new "iot-bt-extra" package for ARM, ARM64 which enables use of USB Bluetooth adapters (LE 4.0+);
*) iot - improvements to LoRa logging and stability;
*) iot - limited MQTT payload size to 32 KB;
*) ip - added support for /31 address;
*) ippool - added pool usage statistics;
*) ipsec - added hardware acceleration support for hEX refresh;
*) ipsec - fixed chacha20 poly1305 proposal;
*) ipsec - fixed installed SAs update process when SAs are removed;
*) ipv6 - added ability to disable dynamic IPv6 LL address generation on non-VPN interfaces;
*) ipv6 - added FastTrack support;
*) ipv6 - added routing FastPath support (enabled by default);
*) ipv6 - added support for neighbor removal and static entries;
*) ipv6 - fixed configuration loss due to conflicting settings after upgrade (introduced in v7.17);
*) l2tp - added IPv6 FastPath support;
*) l3hw - added initial HW offloading for VXLAN on compatible switches;
*) l3hw - added neigh-dump-retries property;
*) l3hw - fixed /32 (IPv6 /128) route offloading when using interface as gateway;
*) l3hw - fixed partial route offloading for 98DX224S, 98DX226S, 98DX3236 switches;
*) l3hw - respect interface specifier (%) when matching a gateway;
*) log - added CEF format support for remote logging;
*) log - added option to select TCP or UDP for remote logging;
*) lte - added at-chat support for EC21EU;
*) lte - added basic support for Quectel RG255C-GL modem in "at+qcfg="usbnet",0" USB composition;
*) lte - added confirmation-code parameter for eSIM provisioning;
*) lte - added initial eSIM management support;
*) lte - fixed cases where the MBIM dialer could get stuck;
*) lte - fixed Huawei ME909s-120 support;
*) lte - fixed interface recovery in mixed multiapn setup for MBIM modems;
*) lte - fixed missing 5G info for "/interface lte print" command;
*) lte - fixed missing IPv6 prefix advertisement on renamed LTE interfaces;
*) lte - fixed prolonged reboots on Chateau 5G ax;
*) lte - fixed SIM slot initialization with multi-APN setups;
*) lte - improved automatic link recovery and modem redial functions;
*) lte - improved initialization for external USB modems;
*) lte - lte monitor, show CQI when modem reports it as 0 - undetectable, no RX/down-link resource block assigned to modem by provider;
*) lte - R11eL-EC200A-EU fixed online firmware upgrade and added support for firmware update from local file;
*) lte - R11eL-EC200A-EU improved failed connection handling and recovery;
*) lte - reduce modem initialization time for R11e-LTE-US;
*) lte - reduced SIM slot switchover time for modems with AT control channel (except R11e-LTE);
*) lte - removed nonexistent CQI reading for EC200A-EU modem;
*) net - added initial support for automatic multicast tunneling (AMT) interface;
*) netinstall - try to re-create socket if link status changes;
*) netinstall-cli - fixed DHCP magic cookie;
*) ospf - fixed DN bit not being set;
*) ospfv3 - fixed ignored metric for intra-area routes;
*) ovpn - added requirement for server name when exporting configuration;
*) ovpn - disable hardware accelerator for GCM on Alpine CPUs (introduced in v7.17);
*) ovpn-client - added 1000 character limit for password;
*) pimsm - fixed incorrect neighbor entry when using lo interface;
*) poe-out - added "power-pair" info to poe-out monitor (CLI only);
*) poe-out - added console hints;
*) poe-out - added new modes "forced-on-a" and "forced-on-bt" (CLI only);
*) poe-out - upgraded firmware for 802.3at/bt PSE controlled boards (the update will cause brief power interruption to PoE-out interfaces);
*) port - improved handling of USB device plug/unplug events;
*) ppc - fixed HW encryption (introduced in v7.17);
*) ppp - add support for configuration of upload/download queue types in profile;
*) ppp - added support for random UDP source ports;
*) ppp - fixed setting loss when adding new ppp-client interface for BG77 modem from CLI;
*) ppp - properly cleanup failed inactive sessions on pppoe-server;
*) ptp - do not send packets on STP blocked ports;
*) ptp - improved system stability;
*) qos-hw - fixed global buffer limits for 98CX8410 switch;
*) queue - improved system stability when many simple queues are added (introduced in v7.17);
*) queue - improved system stability;
*) queue - prevent CAKE bandwidth config from potentially causing lost connectivity to a device;
*) resolver - fixed static FQDN resolving (introduced in v7.17);
*) rip - fixed visibility of added key-chains in interface-template;
*) rose-storage - add btrfs filesystem add-device/remove-device/replace-device/replace-cancel commands to add/remove/replace disks to/from a live filesystem;
*) rose-storage - add btrfs filesystem balance-start/cancel commands;
*) rose-storage - add btrfs filesystem scrub-start, scrub-cancel commands (CLI only);
*) rose-storage - add btrfs transfers, supports send/receive into/from file for transferring subvolumes across btrfs filesystems;
*) rose-storage - add support to add/remove btrfs subvolumes/snapshots;
*) rose-storage - added support for advanced btrfs features: multi-disk support, subvolumes, snapshots, subvolume send/receive, data/metadata profiles, compression, etc;
*) rose-storage - allow to separately mount any btrfs subvolumes;
*) rose-storage - fixes for btrfs server;
*) rose-storage - update rsync to 3.4.1;
*) rose-storage,ssh - support btrfs send/receive over ssh;
*) route - added /ip/route/check tool;
*) route - added subnet length validation on route add;
*) route - do not use disabled addresses when selecting routing id;
*) route - fixed busy loops (route lockups);
*) route - fixed incorrect H flag usage;
*) route - improved stability when polling static routes via SNMP;
*) route - properly resolve imported BGP VPN routes;
*) routerboot - disable packet switching during etherboot for hEX refresh ("/system routerboard upgrade" required);
*) routerboot - improved stability for IPQ8072 ("/system routerboard upgrade" required);
*) routing-filter - improved stability when using large address lists (>5000);
*) routing-filter - improved usage of quotes in filter rules;
*) sfp - fixed missing "1G-baseX" supported rate for NetMetal ac2 and hEX S devices;
*) sfp - improved linking with certain QSFP modules on CRS354 devices;
*) sfp - improved system stability with some GPON modules for CCR2004 and CCR2116 devices;
*) sfp,qsfp - improved initialization and linking;
*) smb - fixed connection issues with clients using older SMB versions (introduced in v7.17);
*) smb - fixes for SMB server;
*) smb - improved system stability;
*) snmp - added "mtxrAlarmSocketStatus" OID to MIKROTIK-MIB;
*) snmp - added disk serial number through description field;
*) snmp - sort disk list and assign correct disk types;
*) ssh - improved channel resumption after rekey and eof handling;
*) supout - added IPv6 settings section;
*) supout - added per CPU load information;
*) switch - allow entering IPv6 netmask for switch rules (CLI only);
*) switch - fixed dynamic switch rules created by dot1x server (introduced in v7.17);
*) switch - fixed issues with inactive hardware-offloaded bond ports;
*) switch - improved egress-rate on QSFP28 ports;
*) switch - improved system stability for CRS304 switch;
*) switch - improvements to certain switch operations (port disable, shaper and switch initialization);
*) system - added option to list and install available packages (after using "check-for-updates");
*) system - do not allow to install multiple wireless driver packages at the same time;
*) system - do not cause unnecessary sector writes on check-for-updates;
*) system - enable "ipv6" package on RouterOS v6 downgrade if IPv6 is enabled;
*) system - fixed a potential memory leak that occurred when resetting states after an error;
*) system - force time to be at least at package build time minus 1d;
*) system - improved HTTPS speed;
*) system - improved stability on busy systems;
*) system,arm - automatically increase boot part size on upgrade or netinstall (fixed upgrade failed due to a lack of space on kernel disk/partition);
*) tile - improved system stability;
*) traceroute - added "too many hops" error when max-hops are reached;
*) traceroute - limit max-hops maximum value to 255;
*) user - improved authentication procedure when RADIUS is not used;
*) vxlan - added disable option for VTEPs;
*) vxlan - added IPv6 FastPath support;
*) vxlan - added option to dynamically bridge interface and port settings (hw, pvid);
*) vxlan - added TTL property;
*) vxlan - changed default port to 4789;
*) vxlan - fixed unset for "group" and "interface" properties;
*) vxlan - replaced the "inherit" with "auto" option for dont-fragment property (new default);
*) webfig - added confirmation when quitting in Safe Mode;
*) webfig - do not reload form when failed to create new object;
*) webfig - fixed "TCP Flags" property when inverted flags are set in console;
*) webfig - fixed datetime setting under certain menus;
*) webfig - fixed displaying passwords;
*) webfig - fixed Switch/Ports menu not showing correctly;
*) webfig - hide certificate information in IP Services menu when not applicable;
*) webfig - remember expand/fold state;
*) wifi - added max-clients parameter;
*) wifi - avoid excessive re-transmission of SA Query action frames;
*) wifi - fix issue which made it possible for multiple concurrent WPA3 authentications to interfere with each other;
*) wifi - implement steering parameters to delay probe responses to clients in the 2.4GHz band;
*) wifi - log a warning when a client requests power save mode during association as this may prevent successful connection establishment;
*) wifi - re-word the "can't find PMKSA" log message to "no cached PMK";
*) wifi - try to authenticate client as non-FT client if it provides incomplete set of FT parameters;
*) wifi-qcom - fix reporting of radio minimum antenna gain for hAP ax^2;
*) wifi-qcom - prevent AP from transmitting broadcast data unencrypted during authentication of first client;
*) winbox - added "Copy to Provisioning" button under "WiFi/Radios" menu;
*) winbox - added "Last Logged In/Out" and "Times Matched" properties under "WiFi/Access List" menu;
*) winbox - added "Reset Alert" button under "IP/DHCP Server/Alerts" menu;
*) winbox - added L3HW Advanced and Monitor;
*) winbox - added missing options under "System/Disk" menu;
*) winbox - added TCP settings under "Tools/Traffic Generator/Packet Templates" menu;
*) winbox - do not show 0 Tx/Rx rate under "WiFi/Registration" menu when values are not known;
*) winbox - do not show LTE "Antenna Scan" button on devices that do not support it;
*) winbox - fixed locked input fields when creating new certificate template;
*) winbox - show LTE "CA Band" field only when CA info is available;
*) winbox - show warning messages for static DNS entries;
*) x86 - fixed "unsupported speed" warning;
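
A changelog this long is easier to triage with a script. The following is an added example (not part of the original post or of MikroTik's tooling) that parses the `*) component - description;` format above, groups fixes for bugs marked "(introduced in vX.Y)" by component, and flags entries for manual security review; the function names and the keyword list are assumptions made for illustration.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample: entries copied from the changelog on this page, keeping
# a mid-entry line wrap like the one found in the page's raw text.
SAMPLE = (
    '*) bridge - fixed endless MAC update loop (introduced in v7.17); '
    '*) console - fixed "get" and "proplist" for certain \nsettings; '
    '*) ethernet - fixed link-down on startup for ARM64 devices (introduced in v7.16); '
    '*) rose-storage,ssh - support btrfs send/receive over ssh; '
    '*) ovpn - disable hardware accelerator for GCM on Alpine CPUs (introduced in v7.17); '
    '*) wifi-qcom - prevent AP from transmitting broadcast data unencrypted '
    'during authentication of first client;'
)

# Assumption: words that mark an entry for manual security review.
REVIEW_WORDS = ("unencrypted", "authentication", "password", "certificate")
INTRODUCED = re.compile(r"\(introduced in (v\d+(?:\.\d+)+)\)")

class Entry(NamedTuple):
    components: tuple             # e.g. ("rose-storage", "ssh")
    text: str                     # description with whitespace normalised
    introduced_in: Optional[str]  # version named in "(introduced in vX.Y)"

def parse_changelog(raw: str) -> list:
    """Split on the '*)' markers, so wrapped lines do not break entries."""
    entries = []
    for chunk in raw.split("*)"):
        chunk = " ".join(chunk.split()).rstrip(";").strip()
        comp, sep, text = chunk.partition(" - ")
        if not sep:               # empty chunk or text without a component
            continue
        m = INTRODUCED.search(text)
        parts = tuple(p for p in re.split(r"[,/]", comp) if p)
        entries.append(Entry(parts, text, m.group(1) if m else None))
    return entries

def regressions_from(entries, version: str) -> dict:
    """Group fixes for bugs introduced in `version` by component."""
    grouped = defaultdict(list)
    for e in entries:
        if e.introduced_in == version:
            for comp in e.components:
                grouped[comp].append(e.text)
    return dict(grouped)

def needs_review(entries) -> list:
    """Entries whose text contains one of REVIEW_WORDS (coarse triage)."""
    return [e for e in entries if any(w in e.text.lower() for w in REVIEW_WORDS)]

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(regressions_from(parsed, "v7.17"), [e.text for e in needs_review(parsed)])
```

Feeding the full changelog text to `parse_changelog` and calling `regressions_from(entries, "v7.17")` lists which components a device running 7.17 has open regressions in.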

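If you have questions about installing or using RouterOS, feel free to leave a comment at the bottom of the page and discuss. Copyright notice: unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit the source when reposting!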