MikroTik Changelog Tracker

Component: firewall

159 changelog entries across 58 version(s)

Activity over time (changelog entries per month)

7.21 Stable 2026-Jan-12 (3 weeks ago)
  • added "h" flag indicating that firewall service helper is applied for particular connection;
  • added support for TOS/mask matching for raw rules;
  • clear relevant masqueraded connection tracking entries on IP address change;
  • fixed "tls-host" not matching expected hosts;
  • fixed hotspot value loss on rule enable/disable;
  • fixed strip-ipv4-options always passthrough;
  • hide hw-offload setting from devices that do not support it;
  • improved system stability and memory allocation when using firewall services;
  • make hw-offload=yes default setting in /ip/firewall/filter menu;
  • use the highest TTL as timeout value for domain address list entries if multiple domain names resolve to same IP;
7.20.7 Long-term 2026-Jan-08 (3 weeks ago)
  • clear relevant masqueraded connection tracking entries on IP address change;
7.20.2 Stable 2025-Oct-21 (3 months ago)
  • reduce maximum connection tracking entry count;
7.20 Stable 2025-Sep-29 (4 months ago)
  • added "liberal-tcp-tracking" connection tracking setting;
  • added connection tracking "total-ip4-entries" and "total-ip6-entries" counters;
  • allow "dst-limit" matcher to work properly above value 10000;
  • fixed IPv6 firewall interface matchers not matching VRF interfaces;
  • improved IPv6 connection tracking lookup responsiveness;
  • improved system stability when processing connections on multicore systems;
  • reorganized firewall connection tracking table values and make them persistent between IPv4 and IPv6;
7.19 Stable 2025-May-22 (8 months ago)
  • always show "passthrough" when exporting mangle table;
  • detect VRF addresses as local;
  • fixed IP/Settings "ipv4-fasttrack-active" status showing as inactive when it is active;
7.18 Stable 2025-Feb-24 (11 months ago)
  • allow in-interface/in-bridge-port/in-bridge matching in postrouting chains;
  • fixed incorrectly inverted hotspot value configuration;
  • increased maximum connection tracking entry count based on device total RAM size;
7.17 Stable 2025-Jan-16 (1 year ago)
  • added none-dynamic and none-static arguments for IPv6 address-list-timeout settings;
  • added support for random external port allocation;
  • added warning log for TCP SYN flood;
  • fixed "dst-limit" and "limit" matchers when using zero value for burst argument;
  • improved matching from deeply nested interface-lists;
  • removed default mangle passthrough=yes configuration from export;
7.16 Stable 2024-Sep-20 (1 year ago)
  • added message when interface belonging to VRF is added in filter rules;
  • fixed an issue with unsetting src-address-type;
  • fixed IPv6 "nth" matcher showing up twice in help;
  • fixed issue that prevents restoring src-address-list and dst-address-list properties using undo command;
  • removed unnecessary TLS host matcher from NAT tables;
7.14 Stable 2024-Feb-29 (1 year ago)
  • added "creation-time" parameter for IPv6 address list entries;
  • fixed underlying CAPsMAN tunnel reusing packet marks of encapsulated packets;
  • fixed underlying VXLAN/EoIP tunnel reusing packet marks of encapsulated packets;
  • increased default "udp-timeout" value from 10s to 30s;
7.13 Stable 2023-Dec-14 (2 years ago)
  • added "nat-pmp" support;
  • added new IPv6 filter arguments "icmp-err-src-routing-header" and "icmp-headers-too-long" for "reject-with" setting;
  • do not mark all IPv6 GRE packets as invalid;
  • fixed IPv6 address-list timeout;
  • fixed altered address-list when upgrading from RouterOS v6;
  • fixed connections being tracked when tracking is disabled;
  • removed "prohibited" and "unreachable" IPv4 address-type arguments;
7.12 Stable 2023-Nov-09 (2 years ago)
  • added "ein-snat" and "ein-dnat" connection NAT state matchers for filter and mangle rules;
7.11 Stable 2023-Aug-15 (2 years ago)
  • added warning when PCC divider argument is smaller than remainder;
  • fixed mangle "mark-connection" with "passthrough=yes" rule for TCP RST packets;
  • improved system stability when using "endpoint-independent-nat";
6.49.8 Long-term 2023-Jul-19 (2 years ago)
  • fixed IRC NAT helper (CVE-2022-2663);
7.10 Stable 2023-Jun-15 (2 years ago)
  • added "endpoint-independent-nat" support;
  • added "nth" option for IPv6 firewall;
6.48.7 Long-term 2023-May-23 (2 years ago)
  • fixed IRC NAT helper (CVE-2022-2663);
7.9 Stable 2023-May-02 (2 years ago)
  • added "connection-nat-state" to IPv6 mangle and filter rules;
7.8 Stable 2023-Feb-24 (2 years ago)
  • fixed bridge priority target;
  • fixed DSCP priority target for IPv6 Mangle;
  • fixed netmap range maximum address calculation for IPv6 NAT;
7.7 Stable 2023-Jan-12 (3 years ago)
  • added "set-priority" option for IPv6 mangle firewall;
  • made "dynamic" parameter settable for IPv4 address lists;
7.6 Stable 2022-Oct-17 (3 years ago)
  • added "src/dst-address-type" parameter under "IPv6/Firewall/Mangle" menu;
  • disable IRC NAT helper on upgrade;
  • fixed IPv6 filtering with "in/out-interface" matcher that is in VRF;
  • fixed IRC NAT helper (CVE-2022-2663);
  • fixed usage of "netmap" action for IPv6 source NAT;
7.5 Stable 2022-Aug-30 (3 years ago)
  • added support for RTSP helper;
7.4.1 Stable 2022-Aug-04 (3 years ago)
  • fixed "in-interface-list" matcher when VRF is used;
7.4 Stable 2022-Jul-19 (3 years ago)
  • added "srcnat" and "dstnat" flags to IPv6/Firewall/Connection table;
  • added support for IPv6/Firewall/NAT action=src-nat rules;
  • fixed IPv6 NAT functionality when processing GRE traffic on TILE devices;
  • fixed IPv6/Firewall/RAW functionality;
  • include "connection-mark", "connection-state", and "packet-mark" when packet logging is enabled;
  • properly handle interface matcher when VRF interface is specified;
7.2 Stable 2022-Mar-31 (3 years ago)
  • improved available port lookup for source NAT when free port range is exhausted;
6.49 Stable 2021-Oct-06 (4 years ago)
  • fixed "ingress-priority" matcher;
  • fixed GRE protocol packets considered invalid when PPTP helper is disabled;
6.44.5 Long-term 2019-Jul-04 (6 years ago)
  • fixed fragmented packet processing when only RAW firewall is configured;
  • process packets by firewall when accepted by RAW with disabled connection tracking;
6.45.1 Stable 2019-Jun-27 (6 years ago)
  • fixed fragmented packet processing when only RAW firewall is configured;
  • process packets by firewall when accepted by RAW with disabled connection tracking;
6.41.3 Stable 2018-Mar-08 (7 years ago)
  • fixed "tls-host" firewall feature (introduced in v6.41);
6.40.6 Long-term 2018-Feb-20 (7 years ago)
  • limited maximum "address-list-timeout" value to "35w3d13h13m56s";
6.41.1 Stable 2018-Jan-30 (8 years ago)
  • fixed "tls-host" firewall feature (introduced in v6.41);
  • limited maximum "address-list-timeout" value to 35w3d13h13m56s;
6.41 Stable 2017-Dec-22 (8 years ago)
  • added "tls-host" firewall matcher;
6.40.5 Stable 2017-Oct-31 (8 years ago)
  • do not NAT address to 0.0.0.0 after reboot if to-address is used but not specified;
6.39.3 Long-term 2017-Oct-12 (8 years ago)
  • fixed bridge "action=log" rules;
  • fixed crash on fasttrack dummy rule manual change attempt;
  • properly remove "address-list" entry after timeout ends;
  • removed unique address list name limit;
6.40.1 Stable 2017-Aug-03 (8 years ago)
  • properly remove "address-list" entry after timeout ends;
6.38.7 Long-term 2017-Jun-20 (8 years ago)
  • do not allow to set "rate" value to 0 for "limit" parameter;
  • fixed "address-list" entry "creation-time" adjustment to timezone;
  • fixed "address-list" entry changing from IP to DNS and vice versa;
  • fixed cosmetic "invalid" flag when item was disabled;
6.39.2 Stable 2017-Jun-01 (8 years ago)
  • fixed "address-list" entry "creation-time" adjustment to timezone;
  • do not allow to set "rate" value to 0 for "limit" parameter;
  • fixed "address-list" entry changing from IP to DNS and vice versa;
6.37.5 Long-term 2017-Mar-09 (8 years ago)
  • do not allow to set "time" parameter to 0s for "limit" option;
  • fixed import of exported configuration that had updated "limit" setting;
6.38.4 Stable 2017-Mar-08 (8 years ago)
  • do not allow to set "time" parameter to 0s for "limit" option;
6.38.3 Stable 2017-Feb-07 (8 years ago)
  • added "fasttrack" dummy rule to "/ip firewall raw" table;
  • do not show IPv4 "fastpath" as active if "route-cache" is disabled;
  • fixed import of exported configuration that had updated "limit" setting;
6.38.1 Stable 2017-Jan-13 (9 years ago)
  • nat action "netmap" now requires to-addresses to be specified;
6.37.4 Long-term 2017-Jan-13 (9 years ago)
  • do not defragment packets which are marked with "notrack" in raw firewall;
  • fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
  • fixed dynamic raw rule behaviour;
  • fixed rule activation if "time" option is used and no other active rules are present;
  • nat action "netmap" now requires to-addresses to be specified;
6.38 Stable 2016-Dec-30 (9 years ago)
  • added "creation-time" to address list entries;
  • added sctp/dccp/udp-lite support for "src-port", "dst-port", "port" and "to-ports" firewall options;
  • do not defragment packets which are marked with "notrack" in raw firewall;
  • fixed "time" option by recognizing weekday properly (introduced in v6.37.2);
  • fixed dynamic raw rule behaviour;
  • fixed rule activation if "time" option is used and no other active rules are present;
  • increased max size of connection tracking table to 1048576;
  • new faster "connection-limit" option implementation;
  • significantly improved large firewall rule set import performance;
6.37.3 Stable 2016-Nov-28 (9 years ago)
  • fixed filter rule "limit" parameter by making it visible again;
  • fixed interface slave state recognition (broken in 6.37.2);
  • fixed timeout option on address lists with domain name;
6.37.2 Stable 2016-Nov-08 (9 years ago)
  • do not allow to increase/decrease ttl and hop-limit by 0;
  • fixed "connection-state" value disappearance in rules that were created before v6.22;
  • fixed compact export (introduced in 6.37rc14);
  • improved "time" option (ranges like 22h-10h now are acceptable);
6.37.1 Stable 2016-Sep-30 (9 years ago)
  • fixed dynamic dummy firewall rules appearance in raw tables;
6.37 Stable 2016-Sep-23 (9 years ago)
  • added additional matchers for firewall raw rules;
  • fixed time based rules on time/timezone changes (again);
6.36.1 Stable 2016-Aug-05 (9 years ago)
  • fixed time based rules on time/timezone changes;
6.36 Stable 2016-Jul-20 (9 years ago)
  • added "/interface list" menu which allows to create list of interfaces which can be used as in/out-interface-list matcher in firewall and use as a filter in traffic-flow;
  • added pre-connection tracking filter - "raw" table, that allows protecting connection-tracking from unnecessary traffic;
  • allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
  • added udplite, dccp, sctp connection tracking helpers;
  • do not show disabled=no in export;
  • fixed spelling in built-in firewall commentary;
6.35.4 Stable 2016-Jun-09 (9 years ago)
  • do not show disabled=no in export;
6.35.2 Stable 2016-May-02 (9 years ago)
  • fixed policy routing configurations (introduced in 6.35rc38);
6.35 Stable 2016-Apr-14 (9 years ago)
  • added experimental "action=route" in mangle prerouting - that forces packets to specific gateway by ignoring routing decisions (CLI only);
6.34 Stable 2016-Jan-29 (10 years ago)
  • added inversion support for "limit" option;
  • added bit rate matching for "limit" option;
  • improved performance for "limit" option;
  • do not allow to add new rule before built-in (reverted);
  • SIP helper update for newer Cisco phones;
6.32.3 Long-term 2015-Oct-19 (10 years ago)
  • fixed connection-rate matcher;
6.32.1 Stable 2015-Sep-07 (10 years ago)
  • do not lose firewall mangle rules on start-up;
6.32 Stable 2015-Aug-31 (10 years ago)
  • fixed limit and dst-limit options.
6.30 Stable 2015-Jul-08 (10 years ago)
  • sip helper improved, large packets no longer dropped;
  • added ipsec-policy matcher to check whether packet
6.29 Stable 2015-May-27 (10 years ago)
  • fixed sector writes rising starting since 6.28;
6.19 Stable 2014-Aug-26 (11 years ago)
  • packet defragmenting will only happen with connection tracking enabled;
  • optimized option matching order with-in a rule;
  • rules that require CONNTRACK to work will now have Invalid flag
  • rules that require use-ip-firewall to work will now have invalid flag
  • rules that have interface with "Slave" flag specified as in-/out-interface
  • rules that have interface without "Slave" flag specified as in-/out-bridge-port
  • rules with Invalid flags will now be auto-commented to explain why;
5.13 Stable 2012-Feb-14 (13 years ago)
  • to-address can be specified as ip address with mask in addition to