MikroTik RouterOS ARM64 Firmware 6.48 RC 58

Changes in this release:

- arm - improved system stability;
- bgp - treat route target with AS 65535 as two byte AS;
- bonding - added LACP monitoring;
- branding - fixed imported skin presence;
- bridge - use "frame-types=admit-all" by default for extended bridge ports;
- certificate - fixed CRL URL length limit;
- certificate - generate CRL even when CRL URL not specified;
- certificate - properly flush expired SCEP OTP entries;
- chr - fixed SSH key import on Azure;
- crs3xx - fixed booting issues on CRS354 devices (introduced in v6.48beta48);
- crs3xx - fixed bridge port-extender for CRS318 devices;
- crs3xx - fixed switch-cpu VLAN membership removal (introduced in v6.48beta40);
- crs3xx - improved system stability on CRS354 devices;
- defconf - fixed default configuration loading on RBcAP-2nD and RBwAP-2nD;
- defconf - fixed static IP address setting in case default configuration loading fails;
- dhcp - fixed DHCP packet forwarding to IPsec policies;
- dhcpv6 server - added support for "Delegated-IPv6-Prefix" for PPP services;
- dhcpv6-server - added support for "option18" and "option37" for RADIUS managed clients;
- dhcpv6-server - allow loose static binding "pool" parameter (introduced in v6.46.8);
- dhcpv6-server - make sure that calling station ID always contains DUID;
- discovery - added "lldp-med-net-policy-vlan" property for assigning VLAN ID;
- discovery - allow choosing which discovery protocol is used;
- disk - fixed external EXT3 disk mounting on x86 systems;
- disk - improved disk management service stability when receiving bogus packets;
- dns - end ongoing queries when changing DoH configuration;
- dns - improved stability with large table of static records;
- dot1x - fixed reauthentication after server rejects a client into VLAN;
- dot1x - fixed unicast destination EAP packet receiving when a client is running on a bridge port;
- dude - fixed configuration menu presence on ARM64 devices;
- filesystem - improved long-term filesystem stability and data integrity;
- hotspot - fixed "html-directory" parameter export;
- ike2 - improved EAP message integrity checking;
- interface - fixed pwr-line running state (introduced in v6.45);
- lora - limited output power in RU region for range 868.7 MHz - 869.2 MHz according to regulations;
- lte - increased "at+cops" reply timeout to 1 minute;
- metarouter - allow creating RouterOS metarouter instances on devices with 16MB flash storage;
- metarouter - fixed directory entry reporting;
- metarouter - fixed memory leak when tearing down metarouter instance;
- ppp - added "bridge-learning" parameter support;
- ppp - store "last-caller-id" for PPP secrets;
- ppp - store "last-disconnect-reason" for PPP secrets;
- profile - fixed process classification on x86 systems (introduced in v6.47);
- quickset - fixed wireless client "uptime" counter in "Home Mesh" mode;
- sstp - fixed "idle-timeout" on TILE and CHR devices;
- supout - improved autosupout.rif file generation process;
- timezone - updated timezone information from "tzdata2020d" release;
- tr069-client - added branding package version parameter;
- upgrade - do not try installing packages if download was not completed;
- webfig - allow hiding and renaming inline buttons;
- webfig - allow hiding QuickSet mode selector;
- webfig - properly stop background processes when switching away from QuickSet tab;
- winbox - added "operator" parameter under "Interface/LTE" menu;
- winbox - added "reformat-hold-button-max" parameter under "System/RouterBOARD/Settings" menu;
- winbox - added "tls-mode" parameter under "CAPsMAN/Security Cfg." menu;
- winbox - added "tx-rx-1024-max" counter under "Interface/Overall-Stats" for CRS3xx devices;
- winbox - allow adding bonding interface with one slave interface;
- winbox - do not allow MAC address changes on LTE interfaces;
- winbox - do not show "network-mode" parameter for LTE interfaces that do not support it;
- winbox - fixed "interface" and "on-interface" parameter presence under "Bridge/Hosts" menu;
- winbox - provide sane default values for bridge "VLAN IDs" parameter;
- winbox - show "System/Health" only on boards that have health monitoring;
- winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;
- winbox - show "usb-bus" option on all boards that have it;
- winbox - show "usb-type" option on all boards that have it;
- winbox - sort IPv6 firewall "chain" parameter entries alphabetically;
- wireless - added U-NII-2 support for US and Canada country profiles for mANTBox series devices;
- wireless - increased "group-key-update" maximum value to 1 day;

Other changes since v6.47.7:

- arm64 - improved reboot reason reporting in log;
- arm - added support for automatic CPU frequency stepping for IPQ4018/IPQ4019 devices;
- arm - improved watchdog and kernel panic reporting in log after reboots on IPQ4018/IPQ4019 devices;
- bonding - added LACP monitoring (CLI only);
- bonding - removed "sys-id" and "sys-priority" from monitor-slaves command;
- bridge - added minor fixes and improvements for IGMP snooping with HW offloading;
- bridge - added warning message when port is disabled by the BPDU guard;
- bridge - allow to exclude interfaces from extended ports (CLI only);
- bridge - automatically remove extended interfaces when deleting PE device from CB;
- bridge - correctly remove dynamic VLAN assignment for bridge ports;
- bridge - fixed BPDU guard port disable/enable on HW offloaded interfaces;
- bridge - fixed dynamic VLAN assignment when changing port "frame-type" property (introduced in v6.46);
- bridge - fixed dynamic VLAN assignment when changing port to tagged VLAN member;
- bridge - fixed link-local multicast forwarding when IGMP snooping and HW offloading is enabled;
- bridge - fixed local MAC address removal from host table when deleting bridge interface;
- bridge - fixed MDB entry removal when using bridge port "fast-leave" property;
- bridge - fixed multicast table printing;
- bridge - fixed packet forwarding for CAP and BCP controlled interfaces (introduced in v6.48beta12);
- bridge - improved BPDU guard logging;
- bridge - increased multicast table size to 4K entries;
- bridge - show error when switch do not support controlling bridge or port extension (CLI only);
- bridge - show "H" flag for extended bridge ports;
- cap - fixed L2MTU setting from CAPsMAN;
- certificate - clear challenge password on renew;
- certificate - fixed private key verification for CA certificate during signing process;
- chr - improved interface loading on startup on XEN;
- chr - improved system stability when changing flow control settings on e1000;
- cloud - improved backup generation process;
- conntrack - automatically reduce connection tracking timeouts when table is full;
- console - allow "once" parameter for bonding monitoring;
- crs3xx - added initial Bridge Port Extender support (CLI only);
- crs3xx - added initial Controlling Bridge support for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices (CLI only);
- crs3xx - added switch-cpu port VLAN filtering (switch-cpu port is now mapped with bridge interface VLAN membership when vlan-filtering is enabled);
- crs3xx - fixed CDP packet forwarding for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
- crs3xx - fixed "custom-drop-packet" and "not-learned" switch stats for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
- crs3xx - fixed duplicate host entries when creating static switch hosts;
- crs3xx - fixed "mirror-source" property on switch port disable for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
- crs3xx - fixed port-isolation for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices (introduced in v6.48beta35);
- crs3xx - fixed port isolation for "switch-cpu" port for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
- crs3xx - fixed port isolation removal for "switch-cpu" port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
- crs3xx - fixed "storm-rate" traffic limiting for switch-cpu port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
- crs3xx - fixed switch "copy-to-cpu" property for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
- crs3xx - fixed switch "not-learned" stats for CRS305, CRS326-24G-2S+, CRS328-24P-4S+, CRS328-4C-20S-4S+, CRS318 devices;
- crs3xx - fixed VLAN tagged packet forwarding on "switch-cpu" port for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices (introduced in v6.48beta12);
- defconf - improved CAP interface bridging;
- defconf - improved default configuration generation on devices with non-default wireless interface names;
- detnet - fixed malformed dummy DHCP User Class option;
- detnet - use MAC address from bridge interface instead of slave port;
- dhcpv4-server - improved "client-id" value parsing;
- dhcpv6-server - added ability to generate binding on first request;
- discovery - added "lldp-med-net-policy-vlan" property for assigning VLAN ID (CLI only);
- discovery - allow choosing which discovery protocol is used (CLI only);
- discovery - fixed discovery on mesh ports;
- discovery - fixed discovery packet sending on newly bridged port with "protocol-mode=none";
- discovery - fixed discovery when enabled only on master port;
- discovery - fixed occasional wrong Chassis-ID for LLDP packets (introduced in v6.48beta35);
- discovery - send the same "Chassis ID" on all interfaces for LLDP packets;
- discovery - use interface MAC address when sending MNDP from slave port;
- dns - added IPv6 support for DoH;
- dns - do not use type "A" for static entries with unspecified type;
- dns - fixed listening for DNS queries when only dynamic static entries exist (introduced in v6.47);
- dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;
- export - fixed RouterBOARD USB "type" parameter export;
- filesystem - fixed repartition on non-first partition;
- filesystem - fixed repartition on RB4011 series devices;
- filesystem - improved long-term filesystem stability and data integrity;
- gps - fixed "init-channel" release when not used;
- health - changed PSU state parameter type to read-only;
- health - removed unused "heater-control" and "heater-threshold" parameters;
- hotspot - added support for captive portal advertising using DHCP (RFC7710);
- hotspot - added "vlan-id" parameter support for hosts and HTML pages;
- hotspot - improved management service stability when receiving bogus packets;
- ike1 - fixed "my-id=address" parameter usage together with certificate authentication;
- ike1 - fixed policy update with and without mode configuration;
- ike1 - rekey phase 1 as responder for Windows initiators;
- ike2 - added "prf-algorithm" support for phase 1;
- ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
- ike2 - fixed EAP MSK length validation;
- ike2 - fixed too small payload parsing;
- ike2 - improved child SA rekeying process;
- interface - added temperature warning and interface disable on overheat for SFP and SFP+ interfaces (CLI only);
- ipsec - added SHA384 hash algorithm support for phase 1 (CLI only);
- ipsec - do not kill connection when peer's "name" or "comment" is changed;
- ipsec - fixed client certificate usage when certificate is renewed with SCEP;
- ipsec - fixed multiple warning message display for peers;
- ipsec - inactivate peer's policy on disconnect;
- ipsec - refresh peer's DNS only when phase 1 is down;
- kidcontrol - allow creating static device entries without assigned user;
- led - fixed state persistence after device reboot on NetMetal 5 ac devices;
- lora - fixed device going into "ERROR" state caused by FSK modulated downlinks;
- lte - added "age" column and "max-age" parameter to "cell-monitor" (CLI only);
- lte - added "comment" parameter for APN profiles;
- lte - added support for Alcatel IK41VE1;
- lte - fixed "band" value reporting;
- m33g - added support for "/system gpio" menu (CLI only);
- ppp - added "ipv6-routes" parameter to "secrets" menu;
- ppp - added support for "Framed-IPv6-Route" RADIUS attribute;
- profile - improved idle process detection on x86 processors;
- profile - improved process classification on ARM devices;
- quickset - added "Port Mapping" to QuickSet;
- quickset - fixed local IP address setting on master interface;
- route - improved stability when 6to4 interface is configured with disabled IPv6 package;
- routerboard - fixed PCIe bus reset during power-on on MMIPS devices ("/system routerboard upgrade" required);
- routerboard - force power-down on PCIe bus during reboot on LHGR devices ("/system routerboard upgrade" required);
- script - added error message in the logs if startup script runtime limit was exceeded;
- snmp - added information from IPsec "active-peers" menu to MIKROTIK-MIB;
- snmp - added new LTE monitoring OID's to MIKROTIK-MIB;
- snmp - fixed value types for "dot1dStp";
- snmp - fixed value types for "dot1qPvid";
- ssh - fixed returned output saving to file when "output-to-file" parameter is used;
- ssh - skip interactive authentication when not running in interactive mode;
- supout - added bonding interface monitor information;
- system - replace "3" in superscript to "^3" on RBD53GR devices;
- tr069-client - added additional wireless registration table parameters;
- tr069-client - added LTE model and revision parameters;
- tr069-client - added wireless "noise-floor" and "overall-tx-ccq" information parameters;
- tr069-client - added "X_MIKROTIK_MimoRSRP" parameter for LTE RSRP value reporting;
- tr069-client - allow passing LTE firmware update URL as XML;
- tr069-client - fixed RouterOS downgrade procedure;
- tr069-client - send correct "ConnectionRequestURL" when using IPv6;
- traffic-flow - added NAT event logging support for IPFIX;
- traffic-flow - added "sys-init-time" parameter support;
- traffic-generator - fixed 32Gbps limitation;
- user-manager - do not allow creating limitation that crosses midnight;
- user-manager - updated PayPal's root certificate authorities;
- webfig - fixed default value presence when creating new entries under "IP->Kid Control";
- winbox - allow performing "USB Power Reset" on "0" bus on RBM33G;
- winbox - fixed "IP->Kid Control->Devices" table automatic refreshing;
- winbox - fixed minor typo in "Users" menu;
- winbox - fixed "receive-errors" setting persistence under "Wireless/Wireless Sniffer/Settings" menu;
- winbox - fixed "tls-version" parameter setting under "IP/Services" menu;
- winbox - use health values reported by gauges for "System/Health" menu;
- wireless - create "connect-list" rule when address specified for "setup-repeater";
- wireless - do not override MTU and ARP values from CAPsMAN with local forwarding;
- wireless - improved WPS process stability;
- wireless - updated "no_country_set" regulatory domain information;

About Router Firmware:

Before you consider downloading this firmware, go to the system information page of the router and make sure that the currently installed version isn't either newer or matching this release.

Due to the large variety of router models and different methods for upgrading the device, it is highly recommended that you read and, above all, understand the installation steps before you apply the new firmware, even if you are a power user.

In theory, these steps shouldn't be much of a hassle for anyone, because manufacturers try to make them as easy as possible, even if they don't always succeed. Basically, you must upload the new firmware to the router through its administration page and allow it to upgrade.

If you install a new version, you can expect increased security levels, different vulnerability issues to be resolved, improved overall performance and transfer speeds, enhanced compatibility with other devices, added support for newly developed technologies, as well as several other changes.

If you're looking for certain safety measures, remember that it would be best if you perform the upload using an Ethernet cable rather than a wireless connection, which can be interrupted easily. Also, make sure you don't power off the router or use its buttons during the installation, if you wish avoid any malfunctions.

If this firmware meets your current needs, get the desired version and apply it to your router unit; if not, check with our website as often as possible so that you don't miss the update that will improve your device.