MikroTik Solutions

Configuration Flotsam

The Problem

Defaults sometimes change in RouterOS between one version and another. When you install a prior version, then upgrade from there to the new one, RouterOS sees the old default in the configuration and preserves it out of a wish to avoid breaking your prior working configuration.

This article collects methods for removing this flotsam from your configuration, with the primary motivation of keeping your backups clean. No sense backing up old defaults for items you want left unconfigured, now is there?


The way you clean these bits of flotsam out of your configuration varies with the item.

OpenVPN Server

The old default for the OpenVPN server was:

/interface ovpn-server server
set auth=sha1,md5

That default changed in RouterOS 7.2 when they added SHA-2 support, so that if you upgrade from a prior version, you now get the above in your /export output even if you don't have an OpenVPN server set up on that RouterOS box.

If you reset this item to its new default so:

/interface ovpn-server server
set auth=sha1,md5,sha256,sha512

…it will no longer appear in your /export output.


Relatively few devices in MikroTik's lineup have slots for LTE modems built in. More have the option of adding an external USB modem, but that must be a minority use case. Why, then, do you get this noise in the /export output on LTE-free devices starting with RouterOS 7.2?

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

It's because the default changed to ip-type=auto and use-network-apn=yes. While you can set those new defaults to make the noise disappear in /export output, if you don't use LTE at all, it's quicker to say:

/interface/lte/apn reset [find default]


If you aren't using OSPF in your configuration, you might be surprised to get this in the /export output:

/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

The simple fix is:

/routing ospf instance
remove [find name=default-v2]
/routing ospf area
remove [find instance=default-v2]


Similar to the OSPF case above, those not using BGP may get this in the /export output after an upgrade:

/routing bgp template
set default disabled=no output.network=bgp-networks

Removal is different from OSPF, though:

/routing bgp template
remove [find default]

Wireless Supplicant

For several releases prior to 7.13, the following appeared on CRS3xx class devices even though they don't have built-in WiFi:

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

There was no way to clear that out until 7.13, when they did the big wireless package reorg. At that point, you could remove the "wireless" package to clear this, provided you didn't want your CRS3xx to act as a CAPSMAN controller.

Bridge Interface Path Costs

In RouterOS 7.13beta1, they changed how STP path costs work. Because the default changed, upgraded switches had to have all of their path cost values set explicitly to the old default, 10. This causes a bunch of new noise in the export output, which you can clear with:

/interface bridge
set [find] port-cost-mode=long
/interface bridge port
unset value-name=path-cost [find where path-cost=10]
unset value-name=internal-path-cost [find where internal-path-cost=10]

This causes the switch to take the new behavior.

Switch QoS Queue Shared Buffers

This began appearing in RouterOS 7.13:

/interface ethernet switch qos tx-manager queue
set 1 use-shared-buffers=no
set 2 use-shared-buffers=no

Squish it with:

/interface ethernet switch qos tx-manager queue
set [find] use-shared-buffers=yes

SMB Server Moves into Core

When they replaced the old SMB server in the core RouterOS package with the one from the ROSE package in v7.14, these began appearing:

/ip smb users set [ find default=yes ] disabled=yes read-only=yes
/ip smb shares set [ find default=yes ] directory=/flash/pub

Squish them with:

/ip smb users remove [ find name=guest ]
/ip smb shares remove [ find name=pub ]

Firewall Connection Tracking UDP Timeout

When they increased this timeout from 10 to 30 seconds in RouterOS 7.14, this began appearing:

/ip firewall connection tracking set udp-timeout=10s

Setting that to the new default value of 30s removes the flotsam:

/ip firewall connection tracking set udp-timeout=30s

Improved SSTP Algorithms

When they added GCM support for SSTP in RouterOS 7.14, this began appearing:

/interface sstp-server server set ciphers=aes256-sha

You can squish that by enabling the new algorithm alongside the old:

/interface sstp-server server set ciphers=aes256-gcm-sha384,aes256-sha 


I plan to extend this article as I find new flotsam appearing in my local configurations. Since I have only a small subset of the wide variety of devices that can run RouterOS, I may miss new ones if they do not occur on my devices, and I may also fail to notice someone having that trouble on the MikroTik Forum.

Being relatively new to RouterOS, I've doubtless also missed many past instances.

Since the MikroTik forum doesn't have a chat function, you are welcome to send updates to me via the local Forum here instead.

Until these lacunae are filled, the fixes above may suggest solutions to new problems you encounter:

  1. Try a "reset" on the configuration item.
  2. Try to "remove" it entirely, if you aren't using that feature of RouterOS.
  3. Install a fresh CHR matching your device's RouterOS version, then navigate to the item in question and say /export verbose to find the new default. Try applying that to the device showing an unwanted difference relative to the new defaults.
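
Step 3 can be partly automated. The Python below is an added example, not part of the original article or of RouterOS: it parses a device's /export and a fresh CHR's /export verbose, then lists each property whose device value differs from the CHR default. The function names and both sample exports are constructed for illustration.

```python
import re

PAIR = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')        # property=value
MENU = re.compile(r'(/.*?)(?:\s+(set|add)\s+(.*))?$')          # "/path" or "/path set ..."
ITEM = re.compile(r'(\[[^\]]*\]|[^\s=]+(?=\s))?\s*(.*)')       # optional item selector

def parse_export(text):
    """Return {(menu, selector): {property: value}} for each `set` command."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)   # rejoin backslash-wrapped lines
    menu, items = '', {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            path, verb, rest = MENU.match(line).groups()
            # Treat "/interface/lte/apn" and "/interface lte apn" as the same menu.
            menu = ' '.join(path.replace('/', ' ').split())
            line = f'{verb} {rest}' if verb else ''
        if line.startswith('set '):
            selector, props = ITEM.match(line[4:]).groups()
            key = (menu, ' '.join((selector or '').split()))
            items.setdefault(key, {}).update(PAIR.findall(props))
    return items

def new_defaults(device_export, chr_verbose_export):
    """List (menu, property, device value, CHR default) where the two differ."""
    defaults = parse_export(chr_verbose_export)
    return [(menu, name, value, defaults[menu, sel][name])
            for (menu, sel), props in parse_export(device_export).items()
            for name, value in props.items()
            if defaults.get((menu, sel), {}).get(name, value) != value]

# Constructed, abridged samples; not real output from any device.
DEVICE = """\
# constructed sample export
/interface ovpn-server server
set auth=sha1,md5
/ip firewall connection tracking set udp-timeout=10s
"""
CHR_VERBOSE = """\
/interface ovpn-server server
set auth=sha1,md5,sha\\
    256,sha512 enabled=no
/ip firewall connection tracking
set enabled=auto udp-timeout=30s
"""

if __name__ == '__main__':
    print(*new_defaults(DEVICE, CHR_VERBOSE), sep='\n')
```

A reported difference is only a candidate: a value you set on purpose also differs from the default, so review each line before applying the CHR value.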


This work is © 2022-2024 by Warren Young and is licensed under CC BY-NC-SA 4.0