SwOS has Broadcast Storm Control: http://wiki.mikrotik.com/images/9/9c/Sw ... arding.png. You can limit how many broadcast frames per second will be forwarded by each port (e.g. 1k f/s, 2k f/s etc.).
What if I use RB250 (SwOS) with RouterOS? Can SwOS do this?
Switching happens in hardware; you can't do everything that a hardware switch does in software as well. That's why there are switches! Nobody would make switches if all of the same could be done with software.
Hi, kirshteins. Good. But please include this feature into RouterOS itself, if possible. Thanks
Did you ever find a solution to this problem?
Woow... Normis. You answer like an auto-answer.
I mean that I want RouterOS (maybe only routerboards) to detect a layer 2 network loop. Now RouterOS doesn't alert or take action when a loop occurs. It just tries to process all packets and CPU increases to 100%.
You need to choose a HUB that has such feature, Router can't do anything if packets are sent to it. It can just drop them if you like. If you know of some standard that implements functionality you need, let us know.
First I created a mangle rule that counts only broadcast packets on each interface. Then I made a script that checks the counted packets of this mangle rule every second. If broadcast packets increase suddenly, the script will disable the physical interface. It's like broadcast storm control.
Did you ever find a solution to this problem?
Can you please share that mangle rule and script here..
thnx
::::MANGLE RULE::::
#Need to add mangle rule on all interfaces
/ip firewall mangle
add action=passthrough chain=input comment=Protectionether1 disabled=no \
dst-address-type=broadcast in-interface=ether1
add action=passthrough chain=input comment=Protectionether2 disabled=no \
dst-address-type=broadcast in-interface=ether2
add action=passthrough chain=input comment=Protectionether3 disabled=no \
dst-address-type=broadcast in-interface=ether3
add action=passthrough chain=input comment=Protectionether4 disabled=no \
dst-address-type=broadcast in-interface=ether4
::::Detect&Disable_Interface_Script::::
#Run every 1 minute. Start at 00:00:00
/ip firewall mangle;
:foreach EachMangle in=[find where comment~"Protectionether"] do={
    # Sample the rule's packet counter twice, one second apart
    :local PacketStatus1 [get $EachMangle packets];
    :delay 1s;
    :local PacketStatus2 [get $EachMangle packets];
    # Broadcast packets counted on this interface during that second
    :local PacketThreshold ($PacketStatus2 - $PacketStatus1);
    :if ($PacketThreshold >= 4000) do={
        :local InterfaceName [get $EachMangle in-interface];
        /interface ethernet;
        # Keep the old comment so the recovery script can restore it
        :local OldComments [get [find where name=$InterfaceName] comment];
        /interface ethernet set [find where name=$InterfaceName] disabled=yes comment="LOOPGUARDED:: $OldComments";
        :log error "Loop detected (maybe broadcast storm) on interface, Disabled $InterfaceName"
    }
}
::::Recovery_Interface_Script::::
#Run every 5 minutes. Start at 00:00:10
/interface ethernet;
:foreach EachEthernet in=[find where comment~"LOOPGUARDED"] do={
    :local InterfaceName1 [get $EachEthernet name];
    # Strip the 14-character "LOOPGUARDED:: " prefix to get the original comment back
    :local OldComments1 [:pick [get $EachEthernet comment] 14 100];
    /interface ethernet set $EachEthernet disabled=no comment=$OldComments1;
    :log warning "Recovering Loopguarded interface $InterfaceName1"
}
Hello, thank you for the idea (and script). I tried to use it on RouterOS 6.5, but it seems "dst-address-type=broadcast" is not working, nothing to count...
Can you please share that mangle rule and script here..
/interface print detail
/ip firewall mangle print detail
3 S name="ether4-slave-local" default-name="ether4" type="ether" mtu=1500 l2mtu=1588 max-l2mtu=4064 mac-address=D4:CA:6D:CD:FF:67 fast-path=yes
0 ;;; Protect_ether4
chain=input action=passthrough dst-address-type=broadcast in-interface=ether4-slave-local
ether2... 17.23 11030 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.23 11031 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.23 11032 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.23 11033 <- 192.168.3.125:63777 224.0.0.252:5355 ip:udp 50
ether2... 17.23 11034 <- fe80::b560:10a1:b419:877a:63777 ff02::1:3:5355 ipv6:udp 70
ether2... 17.23 11035 <- fe80::b560:10a1:b419:877a:57710 ff02::1:3:5355 ipv6:udp 70
ether2... 17.23 11036 <- 192.168.3.125:57710 224.0.0.252:5355 ip:udp 50
ether2... 17.231 11037 <- fe80::b560:10a1:b419:877a:57087 ff02::1:3:5355 ipv6:udp 70
ether2... 17.231 11038 <- 192.168.3.70:138 (netbios-dgm) 192.168.3.255:138 (netbios-dgm) ip:udp 221
ether2... 17.231 11039 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.231 11040 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.231 11041 <- fe80::b560:10a1:b419:877a:58907 ff02::1:3:5355 ipv6:udp 70
ether2... 17.231 11042 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.231 11043 <- 192.168.3.70:138 (netbios-dgm) 192.168.3.255:138 (netbios-dgm) ip:udp 221
ether2... 17.231 11044 <- fe80::b183:f8f:c8e9:65fd:62829 ff02::1:3:5355 ipv6:udp 70
ether2... 17.231 11045 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.231 11046 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.231 11047 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.231 11048 <- 192.168.3.125:137 (netbios-ns) 192.168.3.255:137 (netbios-ns) ip:udp 78
ether2... 17.231 11049 <- 192.168.3.125:63777 224.0.0.252:5355 ip:udp 50
/ip firewall mangle add chain=input action=passthrough comment=loopstorm disabled=no in-interface=ether2-master-local
/ip firewall mangle add chain=input action=passthrough comment=loopstorm disabled=no in-interface=ether6-slave-local
/ip firewall mangle> :foreach A in=[find comment="loopstorm"] do={:local B1 [get $A packets]; :delay 1s;
:local B2 [get $A packets]; :global TH ($B2 - $B1);
:put [get $A in-interface]; :put $B1; :put $B2; :put $TH;}
/tool sniffer quick interface=etherX-slave-local
Because slave interfaces use hardware for switching, the CPU does not see any packets from them; all packets go to the CPU from the master interface.
Why is ether6 empty?
And the sniffer catches nothing, only on ether2-master-local:
/tool sniffer quick interface=etherX-slave-local
Please tell me, what am I doing wrong?
/tool sniffer quick interface=eth24
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE
eth24 6.204 155 <- D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00 802.2 60
eth24 6.21 156 <- D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00 802.2 60
eth24 6.21 157 <- D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00 802.2 60
eth24 6.21 158 <- D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00 802.2 60
eth24 6.21 159 <- D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00 802.2 60
eth24 6.216 160 <- D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00 802.2 60
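An added example, not part of the thread: the same one-second threshold check that the detect script applies to mangle counters, run offline over saved `/tool sniffer quick` output in the column layout shown above. The function names and sample rows are constructed for illustration, and the parser assumes rows that carry SRC-MAC and DST-MAC columns.

```python
import re
from collections import Counter

MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def is_group_address(mac):
    """True for broadcast and multicast destinations (I/G bit of the first octet set)."""
    return int(mac[:2], 16) & 1 == 1


def parse_row(line):
    """Return (interface, time_s, dst_mac) for a received frame, or None for anything else."""
    f = line.split()
    if len(f) < 6 or f[3] != "<-":            # header row, transmitted frames, short rows
        return None
    if not (MAC.match(f[4]) and MAC.match(f[5])):
        return None
    try:
        return f[0], float(f[1]), f[5].upper()
    except ValueError:
        return None


def storm_ports(lines, threshold=4000):
    """Map interface -> peak group-addressed frames in any one-second bucket, if >= threshold."""
    buckets = Counter()
    for line in lines:
        row = parse_row(line)
        if row and is_group_address(row[2]):
            buckets[(row[0], int(row[1]))] += 1
    peaks = {}
    for (iface, _second), count in buckets.items():
        peaks[iface] = max(peaks.get(iface, 0), count)
    return {iface: n for iface, n in peaks.items() if n >= threshold}


def constructed_capture(storm_frames=4000):
    """Constructed sample rows (not real capture data) in the sniffer's column order."""
    rows = ["INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE"]
    # Quiet port: three STP BPDUs within one second
    rows += [f"eth1 6.{i} {i} <- 02:00:00:00:00:01 01:80:C2:00:00:00 802.2 60" for i in range(3)]
    # Unicast frames are never counted toward the threshold
    rows += [f"eth24 6.5 {i} <- 02:00:00:00:00:02 02:00:00:00:00:03 ip:udp 78" for i in range(100)]
    # Looped port: broadcast frames all inside second 6
    rows += [f"eth24 6.{i % 1000:03d} {i} <- 02:00:00:00:00:02 FF:FF:FF:FF:FF:FF 802.2 60"
             for i in range(storm_frames)]
    return rows
```

As noted in the thread, hardware-switched slave ports do not deliver frames to the CPU, so the capture fed to this check has to come from an interface the sniffer can actually see, such as the master port.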