Enterprise Networking Mikrotik Routers (RouterBoard & RouterOS), User and owner discussion group

jusbella
post Oct 22 2025, 06:50 PM
Senior Member, 3,030 posts, Joined: Dec 2011

RouterOS 7.20.2 [stable] released

What's new in 7.20.2 (2025-Oct-21 10:28):

* bridge - fixed incorrectly blocked ports by STP (introduced in v7.20);
* console - fixed incorrect ids in /file/print relative mode (introduced in v7.20);
* console - improved stability when printing ids for a non-existent directory (introduced in v7.20);
* dhcpv6-client - improved system stability when DHCPv6 client uses "rapid-commit=no", "accept-prefix-without-address=no" and receives only prefix from the server;
* dhcpv6-server - do not force set "address-pool" on static bindings with unset pool option after system reboot;
* evpn - added basic logging support;
* evpn - fixed MAC mobility;
* firewall - reduce maximum connection tracking entry count;
* iot - fixed an issue preventing LoRa downlink packets from being broadcasted;
* ip - removed duplicate CLI parameters for socksify;
* log - cleaned up older config by removing leading slashes from "disk-file-name" values;
* mpls - fixed LDP label binding if nexthop is link-local address;
* poe-out - fixed RB5009 PoE-in indication on cold-boot with no other power source;
* routing-filter - change "^$" regexp to bgp-path-len=0 on upgrade from v6 to v7;
* routing-filter - use bgp-out-med for set bgp-med on upgrade from v6 to v7;
* snmp - fixed SNMP SET operation (introduced in v7.20);
* snmp - set maximum message size to 8 KB;
* system - fixed ".auto.rsc" file execution (introduced in v7.20);
* system - fixed package list fetch from local upgrade server;
* system - fixed Windows executable compatibility with Microsoft AppLocker;
* winbox - added IP/Socksify menu;
* winbox - added support for 200Gbps/400Gbps Rate fields;
* winbox - fixed Ethernet Tx Stats (introduced in v7.20);
kwss
post Oct 30 2025, 01:06 PM
Senior Member, 1,207 posts, Joined: Aug 2018

The latest beta supports Post-Quantum Cryptography for IPsec now:
*) ipsec - support Post-Quantum Pre-shared Key (PPK) with QKD integration (CLI only) (additional fixes);

Just in time after this year's DEFCON warning.
Anyone interested in quantum computing progress in breaking cryptography can watch it here.

tng55
post Oct 30 2025, 01:30 PM
Senior Member, 1,426 posts, Joined: Sep 2021

Can MikroTik track the full HTTP and HTTPS website URL history for multiple PCs?
For a few PCs I can do it per IP, but can it track each PC's full HTTP and HTTPS URL history?
Is it possible?

If we find a website, we want to block it too.

This post has been edited by tng55: Oct 30 2025, 01:31 PM
kwss
post Oct 30 2025, 01:48 PM
Senior Member, 1,207 posts, Joined: Aug 2018

QUOTE(tng55 @ Oct 30 2025, 01:30 PM)
Can MikroTik track the full HTTP and HTTPS website URL history for multiple PCs?
For a few PCs I can do it per IP, but can it track each PC's full HTTP and HTTPS URL history?
Is it possible?

If we find a website, we want to block it too.
*
You can use the packet matcher, but it's very leaky.

My suggestion is to just use NextDNS as the DoH resolver in MikroTik.
In the forward chain, add a rule that blocks dst ports 53 and 853.

You then proceed to add your blocking rules inside NextDNS.
Then you review the log regularly to identify anyone trying to bypass it, like using a VPN or whatnot.

You still cannot prevent people who bypass it by not doing a domain lookup when they connect to their VPN.
tng55
post Oct 30 2025, 01:52 PM
Senior Member, 1,426 posts, Joined: Sep 2021

QUOTE(kwss @ Oct 30 2025, 01:48 PM)
You can use the packet matcher, but it's very leaky.

My suggestion is to just use NextDNS as the DoH resolver in MikroTik.
In the forward chain, add a rule that blocks dst ports 53 and 853.

You then proceed to add your blocking rules inside NextDNS.
Then you review the log regularly to identify anyone trying to bypass it, like using a VPN or whatnot.

You still cannot prevent people who bypass it by not doing a domain lookup when they connect to their VPN.
*
No worry, the PCs don't have a VPN, I'm aware of that.

My office staff always use Google Chrome Incognito,
that's why I want to check the history of what he uses.

NextDNS needs to be purchased, it's not free, hmmmm.

"Packet matcher but it's very leaky":
why is it very leaky?

This post has been edited by tng55: Oct 30 2025, 01:57 PM
kwss
post Oct 30 2025, 01:58 PM
Senior Member, 1,207 posts, Joined: Aug 2018

QUOTE(tng55 @ Oct 30 2025, 01:52 PM)
No worry, the PCs don't have a VPN, I'm aware of that.

My office staff always use Google Chrome Incognito,
that's why I want to check the history of what he uses.

NextDNS needs to be purchased, it's not free, hmmmm.
*
Then NextDNS is the easiest and most robust when combined with MikroTik forward chain rules.
They have an option to prevent usage of Apple Private Relay and other DNS too, so it's very easy to configure. Basically you don't need to know very in-depth how things work.

Free for 300k queries. If that's not enough, then RM8 per month. Just pay.
tng55
post Oct 30 2025, 02:33 PM
Senior Member, 1,426 posts, Joined: Sep 2021

QUOTE(kwss @ Oct 30 2025, 01:58 PM)
Then NextDNS is the easiest and most robust when combined with MikroTik forward chain rules.
They have an option to prevent usage of Apple Private Relay and other DNS too, so it's very easy to configure. Basically you don't need to know very in-depth how things work.

Free for 300k queries. If that's not enough, then RM8 per month. Just pay.
*
I'm not sure whether 300k queries is enough, because the office has multiple PCs.

"Packet matcher but it's very leaky":
why is it very leaky, what issue makes it leaky?
kwss
post Oct 30 2025, 03:01 PM
Senior Member, 1,207 posts, Joined: Aug 2018

QUOTE(tng55 @ Oct 30 2025, 02:33 PM)
I'm not sure whether 300k queries is enough, because the office has multiple PCs.

"Packet matcher but it's very leaky":
why is it very leaky, what issue makes it leaky?
*
Try first, decide later. Maybe your staff didn't actually do anything, then you don't pay.
You can continue using it even if you exceed 300k and don't pay. NextDNS just won't do any filtering.
Unless your staff only do bad shit at the end of the month when you have already exceeded 300k.

RM8 is very expensive for your business? You can claim it as a company expense.
One burger special at those roadside stalls, how much already?
Mixed rice, how much?
Per month bro. Not per day.

Packet matching is stateless and only recognizes header, options and payload using regex.
If there is fragmentation, it won't work.
If it is QUIC or HTTP/3, it won't work because the SNI is "encrypted".
If any of the keywords appear in any packet because your filter is too generic, then it will have a lot of false positives.
The packet matcher is a data plane operation, meaning it must punt to the control plane for logging, which is very CPU intensive.
It will definitely fill up your router log.
You won't gain any insight with the way the router log is displayed.
You need solid knowledge and lots of testing to even make it work properly.

Finally, I am not gonna offer any support for the packet matcher in your use case. Telling you upfront first.
It is normally used at the edge for the ACL use case, not the URL filtering use case.
kwss
post Oct 30 2025, 03:35 PM
Senior Member, 1,207 posts, Joined: Aug 2018

tng55, if you are really stingy then run a Pi-hole container inside your MikroTik router.
Then proceed to add the forward chain rule to block dst ports 53 and 853.
You will need to recreate all the rulesets that NextDNS already has.

I am not providing free tech support for this setup either. You are on your own.
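The setup kwss describes in the two posts above (NextDNS as the router's DoH resolver, or a Pi-hole container in its place, plus forward chain rules that drop outbound port 53 and 853), written out as an added RouterOS 7 configuration example; it is not from this thread or from MikroTik. The NextDNS config ID, the router's LAN address and the Pi-hole container address are placeholders, and the NextDNS anycast addresses used for DoH bootstrap should be checked against your own NextDNS setup page.

```routeros
# Added example, not from the thread. Placeholders: abc123 = your NextDNS
# config ID, 192.168.88.1 = router LAN address, 172.17.0.2 = Pi-hole container.

# 1) The router resolves through NextDNS over DoH and answers the LAN itself.
/ip dns
set use-doh-server="https://dns.nextdns.io/abc123" verify-doh-cert=yes \
    allow-remote-requests=yes
# verify-doh-cert=yes needs the CA that signed dns.nextdns.io's certificate
# imported under /certificate first. Do not "fix" a failing DoH connection by
# setting it to no: that lets anyone on the WAN path impersonate the resolver.

# DoH bootstrap: the DoH hostname must resolve before DoH works, so pin it.
# NextDNS anycast addresses as shown on their setup page; verify before use.
/ip dns static
add name=dns.nextdns.io address=45.90.28.0 comment="DoH bootstrap"
add name=dns.nextdns.io address=45.90.30.0 comment="DoH bootstrap"

# Pi-hole variant: no DoH, point the router at the container instead and keep
# the same firewall rules below.
# /ip dns set use-doh-server="" servers=172.17.0.2 allow-remote-requests=yes

# 2) Hand out the router as the only DNS server via DHCP.
/ip dhcp-server network
set [find] dns-server=192.168.88.1

# 3) Forward chain: LAN hosts may not speak plain DNS (53) or DoT (853) to the
#    internet, so hard-coding 8.8.8.8 or a DoT resolver on a PC does not bypass
#    the NextDNS / Pi-hole policy. place-before=0 puts the drops at the top so
#    a generic "accept LAN to WAN" rule further down cannot shadow them.
/ip firewall filter
add place-before=0 chain=forward protocol=tcp dst-port=53,853 action=drop \
    comment="dns-bypass: plain DNS and DoT"
add place-before=0 chain=forward protocol=udp dst-port=53 action=drop \
    comment="dns-bypass: plain DNS"
# Dual-stack clients will otherwise just use an IPv6 resolver, so mirror it.
/ipv6 firewall filter
add place-before=0 chain=forward protocol=tcp dst-port=53,853 action=drop \
    comment="dns-bypass: plain DNS and DoT"
add place-before=0 chain=forward protocol=udp dst-port=53 action=drop \
    comment="dns-bypass: plain DNS"

# 4) Verify: LAN lookups land in the router cache, and the drop counters show
#    which hosts are still trying to go around it.
/ip dns cache print
/ip firewall filter print stats where comment~"dns-bypass"
```

DoH from a browser to some other provider goes out on port 443 and is not caught by these rules; that is what the NextDNS "bypass methods" blocking and the regular log review kwss mentions are for.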
tng55
post Oct 30 2025, 09:43 PM
Senior Member, 1,426 posts, Joined: Sep 2021

QUOTE(kwss @ Oct 30 2025, 03:01 PM)
Try first, decide later. Maybe your staff didn't actually do anything, then you don't pay.
You can continue using it even if you exceed 300k and don't pay. NextDNS just won't do any filtering.
Unless your staff only do bad shit at the end of the month when you have already exceeded 300k.

RM8 is very expensive for your business? You can claim it as a company expense.
One burger special at those roadside stalls, how much already?
Mixed rice, how much?
Per month bro. Not per day.

Packet matching is stateless and only recognizes header, options and payload using regex.
If there is fragmentation, it won't work.
If it is QUIC or HTTP/3, it won't work because the SNI is "encrypted".
If any of the keywords appear in any packet because your filter is too generic, then it will have a lot of false positives.
The packet matcher is a data plane operation, meaning it must punt to the control plane for logging, which is very CPU intensive.
It will definitely fill up your router log.
You won't gain any insight with the way the router log is displayed.
You need solid knowledge and lots of testing to even make it work properly.

Finally, I am not gonna offer any support for the packet matcher in your use case. Telling you upfront first.
It is normally used at the edge for the ACL use case, not the URL filtering use case.
*
QUOTE(kwss @ Oct 30 2025, 03:35 PM)
tng55, if you are really stingy then run a Pi-hole container inside your MikroTik router.
Then proceed to add the forward chain rule to block dst ports 53 and 853.
You will need to recreate all the rulesets that NextDNS already has.

I am not providing free tech support for this setup either. You are on your own.
*
How can it exceed 300k? Is the 300K the URL history? I never tried it before.

Many big companies can also trace HTTP and HTTPS fully. Let's say a big company with 100 computers, but they trace HTTP and HTTPS easily, hmmm, I'm not sure what they use.

I am not stingy, but I saw NextDNS Business is RM790 for 1 year, not lifetime.
Every year RM790, wow, expensive, can't claim.

kwss
post Oct 30 2025, 10:20 PM
Senior Member, 1,207 posts, Joined: Aug 2018

QUOTE(tng55 @ Oct 30 2025, 09:43 PM)
How can it exceed 300k? Is the 300K the URL history? I never tried it before.

Many big companies can also trace HTTP and HTTPS fully. Let's say a big company with 100 computers, but they trace HTTP and HTTPS easily, hmmm, I'm not sure what they use.

I am not stingy, but I saw NextDNS Business is RM790 for 1 year, not lifetime.
Every year RM790, wow, expensive, can't claim.
*
300k is the queries, not history. You can set the log duration separately.
How many computers do you have? Use the free one first and then Personal.

There are many types:
1. DLP, which logs at the endpoint
2. SIEM, which logs flows at the network, and can also mirror traffic if you install a tap
3. MITM proxy, where you install a root CA on every computer and decrypt all traffic

You can pick one, or a combination of them. But damn, how big is your business?
If you are the boss and you have to ask this in a forum, no need to consider them.
Those solutions require a full tech team to run.
For SIEM, SOAR, EDR, you need a fully staffed Security Operations Center.

EDIT:
You didn't tell me what you are looking for specifically. You suspect he steals your data? Uploads to the cloud? Or is just sneaking around?
Very different scenarios, you know.

This post has been edited by kwss: Oct 30 2025, 10:21 PM
tng55
post Oct 31 2025, 01:17 AM
Senior Member, 1,426 posts, Joined: Sep 2021

QUOTE(kwss @ Oct 30 2025, 10:20 PM)
300k is the queries, not history. You can set the log duration separately.
How many computers do you have? Use the free one first and then Personal.

There are many types:
1. DLP, which logs at the endpoint
2. SIEM, which logs flows at the network, and can also mirror traffic if you install a tap
3. MITM proxy, where you install a root CA on every computer and decrypt all traffic

You can pick one, or a combination of them. But damn, how big is your business?
If you are the boss and you have to ask this in a forum, no need to consider them.
Those solutions require a full tech team to run.
For SIEM, SOAR, EDR, you need a fully staffed Security Operations Center.

EDIT:
You didn't tell me what you are looking for specifically. You suspect he steals your data? Uploads to the cloud? Or is just sneaking around?
Very different scenarios, you know.
*
Not stealing data and not uploading to the cloud.
My office has 5 PCs.
I saw staff using Google Chrome Incognito; he surfs too much, so I can't trace the websites visited, HTTP or HTTPS.
That's why I want to trace his browser internet usage.
Once I find it, we will block things like Facebook and WhatsApp etc., and Google search and personal-use websites.

That only, very important.
That's why I'm asking whether MikroTik can trace website history; then I will set the block.

This post has been edited by tng55: Oct 31 2025, 01:17 AM
kwss
post Oct 31 2025, 01:32 AM
Senior Member, 1,207 posts, Joined: Aug 2018

QUOTE(tng55 @ Oct 31 2025, 01:17 AM)
Not stealing data and not uploading to the cloud.
My office has 5 PCs.
I saw staff using Google Chrome Incognito; he surfs too much, so I can't trace the websites visited, HTTP or HTTPS.
That's why I want to trace his browser internet usage.
Once I find it, we will block things like Facebook and WhatsApp etc., and Google search and personal-use websites.

That only, very important.
That's why I'm asking whether MikroTik can trace website history; then I will set the block.
*
Look, the stuff you want is simple.
So make it simple.

Just get started in NextDNS and use it as your DNS server now.
You don't need MikroTik.
You don't need blocking.
Just see which websites get logged.
See how many requests you have used a month from now.

What router are you using in your office?
tng55
post Oct 31 2025, 02:31 AM
Senior Member, 1,426 posts, Joined: Sep 2021

QUOTE(kwss @ Oct 31 2025, 01:32 AM)
Look, the stuff you want is simple.
So make it simple.

Just get started in NextDNS and use it as your DNS server now.
You don't need MikroTik.
You don't need blocking.
Just see which websites get logged.
See how many requests you have used a month from now.

What router are you using in your office?
*
My office has an ASUS router AC68U lol, I don't have a MikroTik yet.

Are you sure NextDNS's 300k is enough for 5 PCs?
Can I view the usage history and then set some sites to block?

kwss
post Oct 31 2025, 05:42 AM
Senior Member, 1,207 posts, Joined: Aug 2018

QUOTE(tng55 @ Oct 31 2025, 02:31 AM)
My office has an ASUS router AC68U lol, I don't have a MikroTik yet.

Are you sure NextDNS's 300k is enough for 5 PCs?
Can I view the usage history and then set some sites to block?
*
I already said: go register an account, put it into your Asus and monitor.
Don't waste my time by asking the same thing again with zero progress.
ahlong
post Oct 31 2025, 07:21 AM
Junior Member, 610 posts, Joined: Apr 2005

QUOTE(tng55 @ Oct 31 2025, 02:31 AM)
My office has an ASUS router AC68U lol, I don't have a MikroTik yet.

Are you sure NextDNS's 300k is enough for 5 PCs?
Can I view the usage history and then set some sites to block?
*
Bro, I'm using NextDNS as secondary DNS. Primary is recursive.

Got 15+ devices connected and surprisingly, in 2025 I only hit the limit in Feb and July, as far as I remember.
Just follow kwss's steps. Don't worry about reaching the limit. If the limit is reached, you can still use it, just with no blocking etc.

Have fun!

This post has been edited by ahlong: Oct 31 2025, 07:21 AM
tng55
post Oct 31 2025, 01:15 PM
Senior Member, 1,426 posts, Joined: Sep 2021

QUOTE(kwss @ Oct 31 2025, 05:42 AM)
I already said: go register an account, put it into your Asus and monitor.
Don't waste my time by asking the same thing again with zero progress.
*
Ohhh, I will register on the free site https://nextdns.io/, is that correct?
kwss
post Oct 31 2025, 03:01 PM
Senior Member, 1,207 posts, Joined: Aug 2018

QUOTE(tng55 @ Oct 31 2025, 01:15 PM)
Ohhh, I will register on the free site https://nextdns.io/, is that correct?
*
Okay, so you go to your Asus and configure DoT.
You should see the logs start showing.
You can also start blocking already.
jusbella
post Nov 6 2025, 08:21 PM
Senior Member, 3,030 posts, Joined: Dec 2011

What's new in 7.20.4 (2025-Nov-05 14:07):

*) bgp - improved instance upgrade from versions prior to v7.20;
*) console - fixed file id conversion operations;
*) pppoe-server - fixed client disconnects when multiple servers are active (introduced in v7.20);
*) rip - fixed RIP configuration conversion on upgrade from v6 to v7;
*) route - fixed gateway print when gateway is equal to BGP peers address;
*) routing-filter - check AFI when setting pref-src;
*) routing-filter - fixed default route destination matcher behavior for different AFIs;
*) webfig - fixed button handling in skin designer;
*) winbox - show "Bus" parameter for "USB Power Reset" on Chateau LTE6/LTE18 ax devices;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such a button;

This post has been edited by jusbella: Nov 6 2025, 08:21 PM

 
