MikroTik RouterOS ARM64 Firmware 6.48 RC 1

Changes in this release:

- arm - improved system stability;
- bgp - fixed VPNV4 RD byte order;
- bonding - added LACP monitoring;
- branding - fixed LCD logo loading from new style branding package;
- bridge - added "multicast-router" monitoring value for bridge interface (CLI only);
- bridge - added fixes and improvements for IGMP and MLD snooping;
- bridge - fixed "multicast-router" setting on bridge enable;
- capsman - fixed authentication when using CAPsMAN forwarding (introduced in v6.48beta48);
- certificate - properly flush expired SCEP OTP entries;
- chr - fixed VLAN tagged packet transmit on bridge for Hyper-V installations;
- crs3xx - added initial Bridge Port Extender support;
- crs3xx - fixed "switch-cpu" VLAN membership on bridge disable;
- crs3xx - fixed "tag-stacking" for CRS305, CRS318, CRS326-24G-2S+ and CRS328 devices (introduced in v6.48beta58);
- crs3xx - fixed bridge "port-extender" for CRS318 devices;
- crs3xx - fixed ingress rate policer for CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices (introduced in v6.48beta35);
- discovery - added "lldp-med-net-policy-vlan" property for assigning VLAN ID;
- ethernet - fixed IP connectivity on SFP/SFP+ interfaces for CCR2004-1G-12S+2XS device (introduced in v6.48beta58);
- ike1 - fixed 'rsa-signature-hybrid' authentication method;
- ike1 - fixed memory leak on multiple CR payloads;
- ipsec - added SHA384 hash algorithm support for phase 1;
- lte - increased "at+cops" reply timeout to 90 seconds;
- profile - added "lcd" process classificator;
- tr069-client - fixed TotalBytesReceived parameter value;
- winbox - added "src-mac-address" parameter under "IP/DHCP-Server/Leases" menu;
- winbox - added missing IGMP Snooping settings to "Bridge" menu;
- winbox - added missing MSTP settings to "Bridge" menu;
- winbox - added support for LTE Cell Monitor;
- wireless - increased "group-key-update" maximum value to 1 day;
- wireless - updated "indonesia5" regulatory domain information;

Other changes since 6.47.8:

- arm - added support for automatic CPU frequency stepping for IPQ4018/IPQ4019 devices;
- arm - improved watchdog and kernel panic reporting in log after reboots on IPQ4018/IPQ4019 devices;
- arm64 - improved reboot reason reporting in log;
- bonding - added LACP monitoring;
- bonding - removed "sys-id" and "sys-priority" from monitor-slaves command;
- bridge - added minor fixes and improvements for IGMP snooping with HW offloading;
- bridge - added warning message when port is disabled by the BPDU guard;
- bridge - allow to exclude interfaces from extended ports (CLI only);
- bridge - automatically remove extended interfaces when deleting PE device from CB;
- bridge - correctly remove dynamic VLAN assignment for bridge ports;
- bridge - fixed MDB entry removal when using bridge port "fast-leave" property;
- bridge - fixed dynamic VLAN assignment when changing port "frame-type" property (introduced in v6.46);
- bridge - fixed dynamic VLAN assignment when changing port to tagged VLAN member;
- bridge - fixed link-local multicast forwarding when IGMP snooping and HW offloading is enabled;
- bridge - fixed local MAC address removal from host table when deleting bridge interface;
- bridge - fixed multicast table printing;
- bridge - fixed packet forwarding for CAP and BCP controlled interfaces (introduced in v6.48beta12);
- bridge - improved BPDU guard logging;
- bridge - increased multicast table size to 4K entries;
- bridge - show "H" flag for extended bridge ports;
- bridge - show error when switch do not support controlling bridge or port extension (CLI only);
- bridge - use "frame-types=admit-all" by default for extended bridge ports;
- cap - fixed L2MTU setting from CAPsMAN;
- certificate - clear challenge password on renew;
- certificate - fixed CRL URL length limit;
- certificate - fixed private key verification for CA certificate during signing process;
- certificate - generate CRL even when CRL URL not specified;
- certificate - properly flush expired SCEP OTP entries;
- chr - fixed SSH key import on Azure;
- chr - improved interface loading on startup on XEN;
- chr - improved system stability when changing flow control settings on e1000;
- cloud - improved backup generation process;
- conntrack - automatically reduce connection tracking timeouts when table is full;
- console - allow "once" parameter for bonding monitoring;
- crs3xx - added initial Bridge Port Extender support (CLI only);
- crs3xx - added initial Controlling Bridge support for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices (CLI only);
- crs3xx - added switch-cpu port VLAN filtering (switch-cpu port is now mapped with bridge interface VLAN membership when vlan-filtering is enabled);
- crs3xx - fixed "custom-drop-packet" and "not-learned" switch stats for CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
- crs3xx - fixed "mirror-source" property on switch port disable for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
- crs3xx - fixed "storm-rate" traffic limiting for switch-cpu port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
- crs3xx - fixed CDP packet forwarding for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
- crs3xx - fixed VLAN tagged packet forwarding on "switch-cpu" port for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices (introduced in v6.48beta12);
- crs3xx - fixed booting issues on CRS354 devices (introduced in v6.48beta48);
- crs3xx - fixed bridge port-extender for CRS318 devices;
- crs3xx - fixed duplicate host entries when creating static switch hosts;
- crs3xx - fixed port isolation for "switch-cpu" port for CRS305, CRS326-24G-2S+, CRS328, CRS318 devices;
- crs3xx - fixed port isolation removal for "switch-cpu" port on CRS317, CRS309, CRS312, CRS326-24S+2Q+ and CRS354 devices;
- crs3xx - fixed port-isolation for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices (introduced in v6.48beta35);
- crs3xx - fixed switch "copy-to-cpu" property for CRS305, CRS318, CRS326-24G-2S+, CRS328 devices;
- crs3xx - fixed switch "not-learned" stats for CRS305, CRS326-24G-2S+, CRS328-24P-4S+, CRS328-4C-20S-4S+, CRS318 devices;
- crs3xx - fixed switch-cpu VLAN membership removal (introduced in v6.48beta40);
- crs3xx - improved system stability on CRS354 devices;
- defconf - fixed default configuration loading on RBcAP-2nD and RBwAP-2nD;
- defconf - fixed static IP address setting in case default configuration loading fails;
- defconf - improved CAP interface bridging;
- defconf - improved default configuration generation on devices with non-default wireless interface names;
- detnet - fixed malformed dummy DHCP User Class option;
- detnet - use MAC address from bridge interface instead of slave port;
- dhcp - fixed DHCP packet forwarding to IPsec policies;
- dhcpv4-server - improved "client-id" value parsing;
- dhcpv6 server - added support for "Delegated-IPv6-Prefix" for PPP services;
- dhcpv6-server - added ability to generate binding on first request;
- dhcpv6-server - added support for "option18" and "option37" for RADIUS managed clients;
- dhcpv6-server - allow loose static binding "pool" parameter (introduced in v6.46.8);
- dhcpv6-server - make sure that calling station ID always contains DUID;
- discovery - added "lldp-med-net-policy-vlan" property for assigning VLAN ID;
- discovery - allow choosing which discovery protocol is used;
- discovery - fixed discovery on mesh ports;
- discovery - fixed discovery packet sending on newly bridged port with "protocol-mode=none";
- discovery - fixed discovery when enabled only on master port;
- discovery - fixed occasional wrong Chassis-ID for LLDP packets (introduced in v6.48beta35);
- discovery - send the same "Chassis ID" on all interfaces for LLDP packets;
- discovery - use interface MAC address when sending MNDP from slave port;
- disk - fixed external EXT3 disk mounting on x86 systems;
- dns - added IPv6 support for DoH;
- dns - do not use type "A" for static entries with unspecified type;
- dns - end ongoing queries when changing DoH configuration;
- dns - fixed listening for DNS queries when only dynamic static entries exist (introduced in v6.47);
- dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;
- dot1x - fixed reauthentication after server rejects a client into VLAN;
- dot1x - fixed unicast destination EAP packet receiving when a client is running on a bridge port;
- dude - fixed configuration menu presence on ARM64 devices;
- export - fixed RouterBOARD USB "type" parameter export;
- filesystem - fixed repartition on RB4011 series devices;
- filesystem - fixed repartition on non-first partition;
- filesystem - improved long-term filesystem stability and data integrity;
- gps - fixed "init-channel" release when not used;
- health - changed PSU state parameter type to read-only;
- health - removed unused "heater-control" and "heater-threshold" parameters;
- hotspot - added "vlan-id" parameter support for hosts and HTML pages;
- hotspot - added support for captive portal advertising using DHCP (RFC7710);
- hotspot - fixed "html-directory" parameter export;
- hotspot - improved management service stability when receiving bogus packets;
- ike1 - fixed "my-id=address" parameter usage together with certificate authentication;
- ike1 - fixed policy update with and without mode configuration;
- ike1 - rekey phase 1 as responder for Windows initiators;
- ike2 - added "prf-algorithm" support for phase 1;
- ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
- ike2 - fixed EAP MSK length validation;
- ike2 - fixed too small payload parsing;
- ike2 - improved EAP message integrity checking;
- ike2 - improved child SA rekeying process;
- interface - added temperature warning and interface disable on overheat for SFP and SFP+ interfaces (CLI only);
- interface - fixed pwr-line running state (introduced in v6.45);
- ipsec - added SHA384 hash algorithm support for phase 1 (CLI only);
- ipsec - do not kill connection when peer's "name" or "comment" is changed;
- ipsec - fixed client certificate usage when certificate is renewed with SCEP;
- ipsec - fixed multiple warning message display for peers;
- ipsec - inactivate peer's policy on disconnect;
- ipsec - refresh peer's DNS only when phase 1 is down;
- kidcontrol - allow creating static device entries without assigned user;
- led - fixed state persistence after device reboot on NetMetal 5 ac devices;
- lora - fixed device going into "ERROR" state caused by FSK modulated downlinks;
- lora - limited output power in RU region for range 868.7 MHz - 869.2 MHz according to regulations;
- lte - added "age" column and "max-age" parameter to "cell-monitor" (CLI only);
- lte - added "comment" parameter for APN profiles;
- lte - added support for Alcatel IK41VE1;
- lte - fixed "band" value reporting;
- lte - increased "at+cops" reply timeout to 1 minute;
- m33g - added support for "/system gpio" menu (CLI only);
- metarouter - allow creating RouterOS metarouter instances on devices with 16MB flash storage;
- metarouter - fixed memory leak when tearing down metarouter instance;
- ppp - added "bridge-learning" parameter support;
- ppp - added "ipv6-routes" parameter to "secrets" menu;
- ppp - added support for "Framed-IPv6-Route" RADIUS attribute;
- ppp - store "last-caller-id" for PPP secrets;
- ppp - store "last-disconnect-reason" for PPP secrets;
- profile - improved idle process detection on x86 processors;
- profile - improved process classification on ARM devices;
- quickset - added "Port Mapping" to QuickSet;
- quickset - fixed local IP address setting on master interface;
- route - improved stability when 6to4 interface is configured with disabled IPv6 package;
- routerboard - fixed PCIe bus reset during power-on on MMIPS devices ("/system routerboard upgrade" required);
- routerboard - force power-down on PCIe bus during reboot on LHGR devices ("/system routerboard upgrade" required);
- script - added error message in the logs if startup script runtime limit was exceeded;
- snmp - added information from IPsec "active-peers" menu to MIKROTIK-MIB;
- snmp - added new LTE monitoring OID's to MIKROTIK-MIB;
- snmp - fixed value types for "dot1dStp";
- snmp - fixed value types for "dot1qPvid";
- ssh - fixed returned output saving to file when "output-to-file" parameter is used;
- ssh - skip interactive authentication when not running in interactive mode;
- supout - added bonding interface monitor information;
- supout - improved autosupout.rif file generation process;
- timezone - updated timezone information from "tzdata2020d" release;
- tr069-client - added "X_MIKROTIK_MimoRSRP" parameter for LTE RSRP value reporting;
- tr069-client - added LTE model and revision parameters;
- tr069-client - added additional wireless registration table parameters;
- tr069-client - added branding package version parameter;
- tr069-client - added wireless "noise-floor" and "overall-tx-ccq" information parameters;
- tr069-client - allow passing LTE firmware update URL as XML;
- tr069-client - fixed RouterOS downgrade procedure;
- tr069-client - send correct "ConnectionRequestURL" when using IPv6;
- traffic-flow - added "sys-init-time" parameter support;
- traffic-flow - added NAT event logging support for IPFIX;
- traffic-generator - fixed 32Gbps limitation;
- user-manager - do not allow creating limitation that crosses midnight;
- user-manager - updated PayPal's root certificate authorities;
- webfig - allow hiding QuickSet mode selector;
- webfig - allow hiding and renaming inline buttons;
- webfig - fixed default value presence when creating new entries under "IP->Kid Control";
- webfig - properly stop background processes when switching away from QuickSet tab;
- winbox - allow adding bonding interface with one slave interface;
- winbox - allow performing "USB Power Reset" on "0" bus on RBM33G;
- winbox - do not show "network-mode" parameter for LTE interfaces that do not support it;
- winbox - fixed "IP->Kid Control->Devices" table automatic refreshing;
- winbox - fixed "interface" and "on-interface" parameter presence under "Bridge/Hosts" menu;
- winbox - fixed "receive-errors" setting persistence under "Wireless/Wireless Sniffer/Settings" menu;
- winbox - fixed "tls-version" parameter setting under "IP/Services" menu;
- winbox - fixed minor typo in "Users" menu;
- winbox - provide sane default values for bridge "VLAN IDs" parameter;
- winbox - use health values reported by gauges for "System/Health" menu;
- wireless - added U-NII-2 support for US and Canada country profiles for mANTBox series devices;
- wireless - create "connect-list" rule when address specified for "setup-repeater";
- wireless - do not override MTU and ARP values from CAPsMAN with local forwarding;
- wireless - improved WPS process stability;
- wireless - increased "group-key-update" maximum value to 1 day;
- wireless - updated "no_country_set" regulatory domain information;

About Router Firmware:

Before you consider downloading this firmware, go to the system information page of the router and make sure that the currently installed version isn't either newer or matching this release.

Due to the large variety of router models and different methods for upgrading the device, it is highly recommended that you read and, above all, understand the installation steps before you apply the new firmware, even if you are a power user.

In theory, these steps shouldn't be much of a hassle for anyone, because manufacturers try to make them as easy as possible, even if they don't always succeed. Basically, you must upload the new firmware to the router through its administration page and allow it to upgrade.

If you install a new version, you can expect increased security levels, different vulnerability issues to be resolved, improved overall performance and transfer speeds, enhanced compatibility with other devices, added support for newly developed technologies, as well as several other changes.

If you're looking for certain safety measures, remember that it would be best if you perform the upload using an Ethernet cable rather than a wireless connection, which can be interrupted easily. Also, make sure you don't power off the router or use its buttons during the installation, if you wish avoid any malfunctions.

If this firmware meets your current needs, get the desired version and apply it to your router unit; if not, check with our website as often as possible so that you don't miss the update that will improve your device.

  It is highly recommended to always use the most recent driver version available.

Try to set a system restore point before installing a device driver. This will help if you installed an incorrect or mismatched driver. Problems can arise when your hardware device is too old or not supported any longer.