MikroTik Solutions

Configuration Flotsam

The Problem

Defaults sometimes change in RouterOS between one version and another. When you install a prior version, then upgrade from there to the new one, RouterOS sees the old default in the configuration and preserves it out of a wish to avoid breaking your prior working configuration.

That’s a sensible default policy, but there’s a problem that comes up when you were accepting the defaults previously because you hadn’t made a decision to configure something at all. For instance, you might not be using OSPF dynamic routing, but when they changed the way that worked early in the v7 series, it preserved the old defaults that you weren’t even using!

Other times, you want to accept the new default as a sensible change, abandoning the old.

I characterize these cases as flotsam, as opposed to preserving working, desired configurations. This article collects methods for cleaning this flotsam out, with the primary motivation of keeping your backups clean. No sense backing up old defaults for items you want left unconfigured, now is there?

Solutions

The way you clean these bits of flotsam out of your configuration varies with the item.

OpenVPN Server

The default for the OpenVPN server in early versions of RouterOS 7 was:

/interface ovpn-server server
set auth=sha1,md5

That default changed in RouterOS 7.2 when they added SHA-2 support, so that if you upgrade from a prior version, you now get the above in your /export output even if you don’t have an OpenVPN server set up on that RouterOS box.

If you reset this item to its new default so:

/interface ovpn-server server
set auth=sha1,md5,sha256,sha512

…it will no longer appear in your /export output.

Another OpenVPN change occurred in 7.17, where it now says something like this:

/interface ovpn-server servers add mac-address=AA:BB:CC:DD:EE:FF name=ovpn-server1

…where the MAC address is something random. Remove it by saying:

/interface ovpn-server servers remove [find where name=ovpn-server1]

LTE APN

Relatively few devices in MikroTik’s lineup have slots for LTE modems built in. More have the option of adding an external USB modem, but that must be a minority use case. Why, then, do you get this noise in the /export output on LTE-free devices starting with RouterOS 7.2?

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

It’s because the default changed to ip-type=auto and use-network-apn=yes. While you can set those new defaults to make the noise disappear in /export output, if you don’t use LTE at all, it’s quicker to say:

/interface/lte/apn reset [find default]

OSPF

If you aren’t using OSPF in your configuration, you might be surprised to get this in the /export output:

/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

The simple fix is:

/routing ospf instance
remove [find name=default-v2]
/routing ospf area
remove [find instance=default-v2]

BGP

Similar to the OSPF case above, those not using BGP may get this in the /export output after an upgrade:

/routing bgp template
set default disabled=no output.network=bgp-networks

Removal is different from OSPF, though:

/routing bgp template
remove [find default]

Wireless Supplicant

For several releases prior to 7.13, the following appeared on CRS3xx class devices even though they don’t have built-in WiFi:

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

There was no way to clear that out until 7.13, when they did the big wireless package reorg. At that point, you could remove the “wireless” package to clear this, provided you didn’t want your CRS3xx to act as a CAPSMAN controller.

Bridge Interface Path Costs

In RouterOS 7.13beta1, they changed how STP path costs work. To preserve the prior behavior under the new default, upgraded switches get every port's path cost set explicitly to the old default, 10. This adds a bunch of new noise to the export output, which you can clear with:

/interface/bridge
set port-cost-mode=long
/interface/bridge/port
unset value-name=path-cost [find where path-cost=10]
unset value-name=internal-path-cost [find where internal-path-cost=10]

This causes the switch to take the new behavior.

Switch QoS Queue Shared Buffers

This began appearing in RouterOS 7.13:

/interface ethernet switch qos tx-manager queue
set 1 use-shared-buffers=no
set 2 use-shared-buffers=no

Squish it with:

/interface ethernet switch qos tx-manager queue
set [find] use-shared-buffers=yes

In 7.17, you need to add this:

set 0 use-shared-buffers=no

SMB Server Moves into Core

When they replaced the old SMB server in the core RouterOS package with the one from the ROSE package in v7.14, these began appearing:

/ip smb users set [ find default=yes ] disabled=yes read-only=yes
/ip smb shares set [ find default=yes ] directory=/flash/pub

Squish them with:

/ip smb users remove [ find name=guest ]
/ip smb shares remove [ find name=pub ]

Firewall Connection Tracking UDP Timeout

When they increased this timeout from 10 to 30 seconds in RouterOS 7.14, this began appearing:

/ip firewall connection tracking set udp-timeout=10s

Setting that to the new default value of 30s removes the flotsam:

/ip firewall connection tracking set udp-timeout=30s

Improved SSTP Algorithms

When they added GCM support for SSTP in RouterOS 7.14, this began appearing:

/interface sstp-server server set ciphers=aes256-sha

You can squish that by enabling the new algorithm alongside the old:

/interface sstp-server server set ciphers=aes256-gcm-sha384,aes256-sha 

IPsec Profile

This began appearing in the 7.16 betas:

/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

This is due to changes in the default values of the dpd-* parameters, which you can update to the new values with:

/ip ipsec profile set [ find default=yes ] dpd-interval=8s dpd-maximum-failures=4

Hotspot HTML Directory

This one I learned of from @KatsuroKurosaki on the MikroTik Discord Server. The symptom is:

/ip hotspot profile set [ find default=yes ] html-directory=hotspot

Reportedly, it appears on devices with low amounts of free flash, and the solution is to point it back to the flash. The method seems to vary depending on the device and the RouterOS version. Try either:

/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot

or:

/ip hotspot profile set [ find default=yes ] html-directory=hotspot 

Updates

I extend this article as I find new flotsam appearing in my local configurations, but since I have only a small subset of the wide variety of devices that can run RouterOS, I’m liable to miss new ones if they do not occur on my devices. Sometimes I notice it happen to others on the MikroTik Forum and update this article, but not always.

Since the MikroTik forum doesn’t have a chat function, you are welcome to send updates to me via the local Forum here instead.

Until these lacunae are filled, the above solutions may suggest solutions to new problems you encounter:

  1. Try a “reset” on the configuration item. RouterOS syntax isn’t as uniform on this as it ought to be, so you might instead have to “unset” it or use the awkward “set=!VALUE” construct. I’ve even seen cases where setting it to a blank value — “set=""” — drops the item from future /export output.
  2. Try to “remove” it entirely, if you aren’t using that feature of RouterOS.
  3. Install a fresh CHR matching your device’s RouterOS version, then navigate to the item in question and say /export verbose to find the new default. Applying that to the device will often remove the flotsam from /export output.
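
For checking saved backups offline, here is an added example (not part of the original article) that scans /export text for some of the stale defaults listed above and reports the cleanup the article gives for each. The function names, the table layout and the sample export are constructed for illustration, and the parser assumes /export wraps long lines with a trailing backslash.

```python
import re

# (menu, regex for the stale command, cleanup the article gives for it).
# A subset of the article's items; the rest extend the table the same way.
FLOTSAM = [
    ("/interface ovpn-server server", r"^set auth=sha1,md5$",
     "set auth=sha1,md5,sha256,sha512"),
    ("/interface sstp-server server", r"^set ciphers=aes256-sha$",
     "set ciphers=aes256-gcm-sha384,aes256-sha"),
    ("/ip firewall connection tracking", r"^set udp-timeout=10s$",
     "set udp-timeout=30s"),
    ("/ip ipsec profile",
     r"^set \[ find default=yes \] dpd-interval=2m dpd-maximum-failures=5$",
     "set [ find default=yes ] dpd-interval=8s dpd-maximum-failures=4"),
]

def commands(export_text):
    """Yield (menu, command) pairs from /export text."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join "\"-wrapped lines
    menu = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # "/menu" alone or "/menu set ..." on one line
            m = re.match(r"(/.*?)(?:\s+((?:set|add) .*))?$", line)
            menu = "/" + " ".join(re.split(r"[/ ]+", m.group(1).strip("/ ")))
            line = m.group(2)
        if menu and line:
            yield menu, line

def find_flotsam(export_text):
    """Return (menu, stale command, cleanup) for each known flotsam line."""
    return [(menu, cmd, fix)
            for menu, cmd in commands(export_text)
            for known_menu, pattern, fix in FLOTSAM
            if menu == known_menu and re.search(pattern, cmd)]

SAMPLE = r"""# constructed sample, not from a real device
/interface ovpn-server server
set auth=sha1,md5
/ip firewall connection tracking set udp-timeout=10s
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m \
    dpd-maximum-failures=5
"""

if __name__ == "__main__":
    for menu, cmd, fix in find_flotsam(SAMPLE):
        print(f"{menu}: {cmd!r} -> {fix}")
```

Run it against each device's export after an upgrade; an empty result means none of the table's stale defaults remain in that file.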

License

This work is © 2022-2024 by Warren Young and is licensed under CC BY-NC-SA 4.0