The Problem
Defaults sometimes change in RouterOS between one version and another. When you install a prior version, then upgrade from there to the new one, RouterOS sees the old default in the configuration and preserves it out of a wish to avoid breaking your prior working configuration.
That’s a sensible default policy, but there’s a problem that comes up when you were accepting the defaults previously because you hadn’t made a decision to configure something at all. For instance, you might not be using OSPF dynamic routing, but when they changed the way that worked early in the v7 series, it preserved the old defaults that you weren’t even using!
Other times, you want to accept the new default as a sensible change, abandoning the old.
I characterize these cases as flotsam, as opposed to preserving working, desired configurations. This article collects methods for cleaning this flotsam out, with the primary motivation of keeping your backups clean. No sense backing up old defaults for items you want left unconfigured, now is there?
Solutions
The way you clean these bits of flotsam out of your configuration varies with the item.
OpenVPN Server
The default for the OpenVPN server in early versions of RouterOS 7 was:
/interface ovpn-server server
set auth=sha1,md5
That default changed in RouterOS 7.2 when they added SHA-2 support, so that if you upgrade from a prior version, you now get the above in your /export output even if you don’t have an OpenVPN server set up on that RouterOS box.
If you reset this item to its new default so:
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512
…it will no longer appear in your /export output.
Another OpenVPN change occurred in 7.17, where it now says something like this:
/interface ovpn-server servers add mac-address=AA:BB:CC:DD:EE:FF name=ovpn-server1
…where the MAC address is something random. Remove it by saying:
/interface ovpn-server servers remove [find where name=ovpn-server1]
LTE APN
Relatively few devices in MikroTik’s lineup have slots for LTE modems built in. More have the option of adding an external USB modem, but that must be a minority use case. Why, then, do you get this noise in the /export output on LTE-free devices starting with RouterOS 7.2?
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
It’s because the default changed to ip-type=auto and use-network-apn=yes. While you can set those new defaults to make the noise disappear in /export output, if you don’t use LTE at all, it’s quicker to say:
/interface/lte/apn reset [find default]
OSPF
If you aren’t using OSPF in your configuration, you might be surprised to get this in the /export output:
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
The simple fix is:
/routing ospf instance
remove [find name=default-v2]
/routing ospf area
remove [find instance=default-v2]
BGP
Similar to the OSPF case above, those not using BGP may get this in the /export output after an upgrade:
/routing bgp template
set default disabled=no output.network=bgp-networks
Removal is different from OSPF, though:
/routing bgp template
remove [find default]
Wireless Supplicant
For several releases prior to 7.13, the following appeared on CRS3xx class devices even though they don’t have built-in WiFi:
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
There was no way to clear that out until 7.13, when they did the big wireless package reorg. At that point, you could remove the “wireless” package to clear this, provided you didn’t want your CRS3xx to act as a CAPSMAN controller.
Bridge Interface Path Costs
In RouterOS 7.13beta1, they changed how STP path costs work. Because the default changed, upgraded switches have all of their path cost values explicitly set to the old default, 10. This adds a bunch of new noise to the export output, which you can clear with:
/interface/bridge
set port-cost-mode=long
/interface/bridge/port
unset value-name=path-cost [find where path-cost=10]
unset value-name=internal-path-cost [find where internal-path-cost=10]
This causes the switch to take the new behavior.
Switch QoS Queue Shared Buffers
This began appearing in RouterOS 7.13:
/interface ethernet switch qos tx-manager queue
set 1 use-shared-buffers=no
set 2 use-shared-buffers=no
Squish it with:
/interface ethernet switch qos tx-manager queue
set [find] use-shared-buffers=yes
In 7.17, you need to add this:
set 0 use-shared-buffers=no
SMB Server Moves into Core
When they replaced the old SMB server in the core RouterOS package with the one from the ROSE package in v7.14, these began appearing:
/ip smb users set [ find default=yes ] disabled=yes read-only=yes
/ip smb shares set [ find default=yes ] directory=/flash/pub
Squish them with:
/ip smb users remove [ find name=guest ]
/ip smb shares remove [ find name=pub ]
Firewall Connection Tracking UDP Timeout
When they increased this timeout from 10 to 30 seconds in RouterOS 7.14, this began appearing:
/ip firewall connection tracking set udp-timeout=10s
Setting that to the new default value of 30s removes the flotsam:
/ip firewall connection tracking set udp-timeout=30s
Improved SSTP Algorithms
When they added GCM support for SSTP in RouterOS 7.14, this began appearing:
/interface sstp-server server set ciphers=aes256-sha
You can squish that by enabling the new algorithm alongside the old:
/interface sstp-server server set ciphers=aes256-gcm-sha384,aes256-sha
IPsec Profile
This began appearing in the 7.16 betas:
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
This is due to changes in the default values of the dpd-* parameters, which you can update to the new values with:
/ip ipsec profile set [ find default=yes ] dpd-interval=8s dpd-maximum-failures=4
Hotspot HTML Directory
This one I learned of from @KatsuroKurosaki on the MikroTik Discord Server. The symptom is:
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
Reportedly, it appears on devices with low amounts of free flash, and the solution is to point it back to the flash. The method seems to vary depending on the device and the RouterOS version. Try either:
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
or:
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
Updates
I extend this article as I find new flotsam appearing in my local configurations, but since I have only a small subset of the wide variety of devices that can run RouterOS, I’m liable to miss new ones if they do not occur on my devices. Sometimes I notice it happen to others on the MikroTik Forum and update this article, but not always.
Since the MikroTik forum doesn’t have a chat function, you are welcome to send updates to me via the local Forum here instead.
Until these lacunae are filled, the above solutions may suggest solutions to new problems you encounter:
- Try a “reset” on the configuration item. RouterOS syntax isn’t as uniform on this as it ought to be, so you might instead have to “unset” it or use the awkward “set=!VALUE” construct. I’ve even seen cases where setting it to a blank value — “set=""” — drops the item from future /export output.
- Try to “remove” it entirely, if you aren’t using that feature of RouterOS.
- Install a fresh CHR matching your device’s RouterOS version, then navigate to the item in question and say /export verbose to find the new default. Applying that to the device will often remove the flotsam from /export output.
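The last suggestion above, comparing the device against a fresh install's /export verbose, can be done mechanically for "set" items. The following Python is an added example, not part of the original article: it parses both exports (rejoining backslash-wrapped lines and tracking the current menu) and lists the "set" commands that would move each differing value to the fresh default. The function names parse_sets and stale_candidates are hypothetical, and the two sample exports are constructed and trimmed to properties the article quotes.

```python
import re
import shlex

def parse_sets(export_text):
    """Map (menu, selector) -> {property: value} for each `set` line of an export."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # rejoin backslash-wrapped lines
    menu, items = "", {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            m = re.match(r"(/.*?)(?:\s+((?:set|add)\s.*))?$", line)  # path [+ command]
            menu = "/" + " ".join(m.group(1).replace("/", " ").split())
            line = m.group(2) or ""
        if not line.startswith("set "):
            continue  # comments, blank lines and `add` items are not compared
        rest = line[4:].strip()
        # Optional selector: "[ find default=yes ]" or a bare item such as "1".
        sel = re.match(r"\[[^\]]*\]|[^\s=\[]+(?=\s|$)", rest)
        key = re.sub(r"\s*([\[\]])\s*", r"\1", sel.group()) if sel else ""
        words = shlex.split(rest[sel.end():] if sel else rest)
        items.setdefault((menu, key), {}).update(w.split("=", 1) for w in words if "=" in w)
    return items

def stale_candidates(device_export, fresh_verbose_export):
    """List `set` commands that move device values to the fresh install's defaults."""
    defaults, cmds = parse_sets(fresh_verbose_export), []
    quote = lambda v: f'"{v}"' if v == "" or re.search(r"\s", v) else v
    for (menu, sel), props in parse_sets(device_export).items():
        new = defaults.get((menu, sel), {})
        diff = [f"{k}={quote(new[k])}" for k, v in props.items() if k in new and new[k] != v]
        if diff:
            cmds.append(" ".join([menu, "set", *([sel] if sel else []), *diff]))
    return cmds

# Constructed samples: property values are the ones quoted in the article.
DEVICE = r"""/interface ovpn-server server
set auth=sha1,md5
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip firewall connection tracking set udp-timeout=10s
"""
FRESH = r"""/interface ovpn-server server
set auth=sha1,md5,sha256,sha512
/ip ipsec profile
set [ find default=yes ] dpd-interval=8s \
    dpd-maximum-failures=4
/ip firewall connection tracking
set udp-timeout=30s
"""
```

Deliberate non-default settings are reported as well, so treat the returned commands as a review list rather than something to paste blindly. Items the article removes instead of resetting (the "add" lines and unused SMB or BGP entries) are outside what this comparison covers.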
License
This work is © 2022-2024 by Warren Young and is licensed under CC BY-NC-SA 4.0