otgooneo (Trainer, Topic Author)

Loopguard

Fri Apr 20, 2012 9:32 am

Please add a feature that detects a loop and takes action. Is there anyone with me?
 
normis (MikroTik Support), Fri Apr 20, 2012 9:33 am

what kind of loop do you mean? where?
 
otgooneo (Trainer, Topic Author), Fri Apr 20, 2012 9:37 am

Woow... Normis. You answer like an auto-answer. :D
I mean that I want RouterOS (maybe only RouterBOARDs) to detect a layer 2 network loop. Now RouterOS doesn't alert or take action when a loop occurs. It just tries to process all packets and CPU rises to 100%.
 
normis (MikroTik Support), Fri Apr 20, 2012 9:39 am

Already exists. Enable RSTP in all bridges of your network.
 
otgooneo (Trainer, Topic Author), Fri Apr 20, 2012 9:45 am

Great. What if I do not use any bridge configuration?
 
normis (MikroTik Support), Fri Apr 20, 2012 9:47 am

How can you get a L2 loop then, if you don't use bridge?
 
otgooneo (Trainer, Topic Author), Fri Apr 20, 2012 10:02 am

Hi Normis. I tried to describe what I mean in the attached picture. Maybe I wrote it wrong here. It is a physical loop.
 
normis (MikroTik Support), Fri Apr 20, 2012 10:05 am

You need to choose a HUB that has such a feature; a router can't do anything if packets are sent to it. It can just drop them if you like. If you know of some standard that implements the functionality you need, let us know.
 
savage (Forum Guru), Fri Apr 20, 2012 10:09 am

Yeppers - get proper switches...
 
normis (MikroTik Support), Fri Apr 20, 2012 10:11 am

Off-topic: savage, change your avatar please. The current one only works in your local network; we see the message "Connection refused". This has been so forever already. http://home.savage.za.org/lib/images/TN_psd0013.png doesn't work outside your network, it seems.
 
savage (Forum Guru), Fri Apr 20, 2012 10:22 am

whoops. ta Normis.
 
otgooneo (Trainer, Topic Author), Fri Apr 20, 2012 10:30 am

What if I use an RB250 (SwOS) with RouterOS? Can SwOS do this?
 
kirshteins (MikroTik Support), Fri Apr 20, 2012 10:40 am

> What if I use an RB250 (SwOS) with RouterOS? Can SwOS do this?

SwOS has Broadcast Storm Control: http://wiki.mikrotik.com/images/9/9c/Sw ... arding.png. You can limit how many broadcast frames per second will be forwarded by each port (e.g. 1k f/s, 2k f/s, etc.).
 
otgooneo (Trainer, Topic Author), Sat Apr 21, 2012 11:54 am

Hi kirshteins. Good. But please include this feature in RouterOS itself, if possible. Thanks.
 
ginovilla (Member Candidate), Sun Apr 22, 2012 4:01 am

It would be a very useful feature applied to the wireless and Ethernet interfaces; it would help protect a MikroTik network against customers causing loops by mistakes in their internal network...
 
normis (MikroTik Support), Mon Apr 23, 2012 8:14 am

> Hi kirshteins. Good. But please include this feature in RouterOS itself, if possible. Thanks.

Switching happens in hardware; you can't do everything that a hardware switch does in software as well. That's why there are switches! Nobody would make switches if all of the same could be done in software.
 
otgooneo (Trainer, Topic Author), Mon Apr 23, 2012 9:30 am

Thanks normis, understood. :-)
 
plankanater (Member Candidate), Tue Nov 20, 2012 4:59 am

> Woow... Normis. You answer like an auto-answer. :D
> I mean that I want RouterOS (maybe only RouterBOARDs) to detect a layer 2 network loop. Now RouterOS doesn't alert or take action when a loop occurs. It just tries to process all packets and CPU rises to 100%.

Did you ever find a solution to this problem?
 
ludvik (Frequent Visitor), Tue Nov 20, 2012 12:59 pm

> You need to choose a HUB that has such a feature; a router can't do anything if packets are sent to it. It can just drop them if you like. If you know of some standard that implements the functionality you need, let us know.

This "HUB" is maybe the user's low-cost switch. There is no real chance to change every device for home users.

This feature is named "loopback-detection" and every better switch has it. It is a protection against troublesome users. And every RouterBOARD has a switch chip. In the outlined situation it is necessary to insert an additional switch that will ensure that protection.
 
otgooneo (Trainer, Topic Author), Thu Nov 22, 2012 4:03 am


> Did you ever find a solution to this problem?

First I created a mangle rule that counts only broadcast packets on each interface. Then I made a script that checks the counted packets of this mangle rule every second. If broadcast packets increase suddenly, the script disables the physical interface. It's like broadcast storm control :-).
 
msaeedk36 (just joined), Fri Apr 12, 2013 9:18 am

Can you please share that mangle rule and script here.
Thanks
 
otgooneo (Trainer, Topic Author), Wed Apr 17, 2013 10:08 am

> Can you please share that mangle rule and script here.
> Thanks
::::MANGLE RULE::::

# One counting rule per physical interface. action=passthrough only counts,
# it never drops anything. chain=input sees IP broadcasts addressed to the
# router itself, which is where a storm on a routed port shows up first.
/ip firewall mangle
add action=passthrough chain=input comment=Protectionether1 disabled=no \
    dst-address-type=broadcast in-interface=ether1
add action=passthrough chain=input comment=Protectionether2 disabled=no \
    dst-address-type=broadcast in-interface=ether2
add action=passthrough chain=input comment=Protectionether3 disabled=no \
    dst-address-type=broadcast in-interface=ether3
add action=passthrough chain=input comment=Protectionether4 disabled=no \
    dst-address-type=broadcast in-interface=ether4

::::Detect&Disable_Interface_Script::::

# Run every 1 minute from /system scheduler. Start at 00:00:00
# Samples each counting rule twice, 1 s apart. If one interface received
# 4000 or more broadcasts in that second, the interface is disabled and its
# comment is tagged so the recovery script can find it later.
:local Threshold 4000
:foreach EachMangle in=[/ip firewall mangle find where comment~"Protectionether"] do={
    :local PacketStatus1 [/ip firewall mangle get $EachMangle packets]
    :delay 1s
    :local PacketStatus2 [/ip firewall mangle get $EachMangle packets]
    :local PacketRate ($PacketStatus2 - $PacketStatus1)
    :if ($PacketRate >= $Threshold) do={
        :local InterfaceName [/ip firewall mangle get $EachMangle in-interface]
        :local EthId [/interface ethernet find where name=$InterfaceName]
        :local OldComments [/interface ethernet get $EthId comment]
        /interface ethernet set $EthId disabled=yes comment="LOOPGUARDED:: $OldComments"
        :log error "Loop detected (maybe broadcast storm) on interface, Disabled $InterfaceName ($PacketRate broadcasts/s)"
    }
}

::::Recovery_Interface_Script::::

# Run every 5 minutes from /system scheduler. Start at 00:00:10
# Re-enables every interface tagged by the detect script and restores its
# original comment. The tag "LOOPGUARDED:: " is 14 characters long.
:foreach EachEthernet in=[/interface ethernet find where comment~"^LOOPGUARDED::"] do={
    :local InterfaceName1 [/interface ethernet get $EachEthernet name]
    :local FullComment [/interface ethernet get $EachEthernet comment]
    :local OldComments1 [:pick $FullComment 14 [:len $FullComment]]
    /interface ethernet set $EachEthernet disabled=no comment=$OldComments1
    :log warning "Recovering Loopguarded interface $InterfaceName1"
}
 
otgooneo (Trainer, Topic Author), Wed Apr 17, 2013 10:12 am

I also want to say: it's not loopguard. It's just simple broadcast storm protection. As Normis said, loopguard can be done on the switch chip or with the Spanning Tree Protocol of the bridge.
 
SPaul (just joined), Sun May 11, 2014 2:24 pm

> Can you please share that mangle rule and script here.
> Thanks
>
> (otgooneo's mangle rule, detect script and recovery script, quoted in full from the post above)
Hello, thank you for the idea (and script). I tried to use it on RouterOS 6.5, but it seems "dst-address-type=broadcast" is not working; nothing is counted...
Can you help me with some advice?
Thank you.
 
otgooneo (Trainer, Topic Author), Mon May 12, 2014 9:19 pm

I never tried it on a 6.x version, but it should work. Could you please run the commands below and post your config.
/interface print detail
/ip firewall mangle print detail
 
SPaul (just joined), Tue May 13, 2014 7:49 am

For the test I use ether4.
3   S name="ether4-slave-local" default-name="ether4" type="ether" mtu=1500 l2mtu=1588 max-l2mtu=4064 mac-address=D4:CA:6D:CD:FF:67 fast-path=yes
0   ;;; Protect_ether4
     chain=input action=passthrough dst-address-type=broadcast in-interface=ether4-slave-local
What I do:
For SSH and web access I connect to ether2.
Make a loop on another switch and connect it to ether4 (quickly, 1-3 sec).
Nothing...
But when I use /tool sniffer quick:
ether2...    17.23  11030 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...    17.23  11031 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...    17.23  11032 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...    17.23  11033 <-                                             192.168.3.125:63777                 224.0.0.252:5355                    ip:udp       50
ether2...    17.23  11034 <-                                             fe80::b560:10a1:b419:877a:63777     ff02::1:3:5355                      ipv6:udp     70
ether2...    17.23  11035 <-                                             fe80::b560:10a1:b419:877a:57710     ff02::1:3:5355                      ipv6:udp     70
ether2...    17.23  11036 <-                                             192.168.3.125:57710                 224.0.0.252:5355                    ip:udp       50
ether2...   17.231  11037 <-                                             fe80::b560:10a1:b419:877a:57087     ff02::1:3:5355                      ipv6:udp     70
ether2...   17.231  11038 <-                                             192.168.3.70:138 (netbios-dgm)      192.168.3.255:138 (netbios-dgm)     ip:udp      221
ether2...   17.231  11039 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11040 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11041 <-                                             fe80::b560:10a1:b419:877a:58907     ff02::1:3:5355                      ipv6:udp     70
ether2...   17.231  11042 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11043 <-                                             192.168.3.70:138 (netbios-dgm)      192.168.3.255:138 (netbios-dgm)     ip:udp      221
ether2...   17.231  11044 <-                                             fe80::b183:f8f:c8e9:65fd:62829      ff02::1:3:5355                      ipv6:udp     70
ether2...   17.231  11045 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11046 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11047 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11048 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11049 <-                                             192.168.3.125:63777                 224.0.0.252:5355                    ip:udp       50
(yes, it almost "kills" the router and the network)
Does it mean another type of packets?
It seems I do (and understand) something wrong...
 
SPaul (just joined), Thu May 15, 2014 3:26 pm

Update with a new test:
Simple marker without filtering:
/ip firewall mangle add chain=input action=passthrough comment=loopstorm disabled=no in-interface=ether2-master-local
/ip firewall mangle add chain=input action=passthrough comment=loopstorm disabled=no in-interface=ether6-slave-local
Simple script:
# Sample each "loopstorm" counter twice, 1 s apart, and print the per-second difference
:foreach A in=[/ip firewall mangle find where comment="loopstorm"] do={
    :local B1 [/ip firewall mangle get $A packets]
    :delay 1s
    :local B2 [/ip firewall mangle get $A packets]
    :local TH ($B2 - $B1)
    :put [/ip firewall mangle get $A in-interface]; :put $B1; :put $B2; :put $TH
}
shows:
ether6-slave-local
0
0
0
ether2-master-local
8508
8514
6
Why is ether6 empty?

And the sniffer:
/tool sniffer quick interface=etherX-slave-local
catches nothing; only on ether2-master-local.
Please tell me what I am doing wrong.
 
Chupaka (Forum Guru), Thu May 15, 2014 3:35 pm

> Why is ether6 empty?
>
> And the sniffer:
> /tool sniffer quick interface=etherX-slave-local
> catches nothing; only on ether2-master-local.
> Please tell me what I am doing wrong.

Because slave interfaces use hardware for switching, the CPU does not see any packets from them; all packets reach the CPU through the master interface.
 
otgooneo (Trainer, Topic Author), Fri May 16, 2014 4:59 am

Yes. If you use the (hardware) switching feature, the firewall rules don't work. Try to use bridging instead of switching. When you use a bridge, don't forget to set use-ip-firewall=yes, or you can implement those mangle rules in the filter of the bridge itself.
 
SPaul (just joined), Fri May 16, 2014 7:35 am

Thank you. I'll try it now.
I will write about the results.
 
NetworkPro (Forum Guru), Fri May 16, 2014 7:23 pm

Actually a CRS crashed and had to be unplugged and plugged back in when I made an L2 loop :)

I had similar problems on a bunch of other RouterBOARDs throughout the years :)
 
SPaul (just joined), Thu May 29, 2014 2:58 pm

Not working :(

/interface bridge add name=BR1
/interface bridge port add bridge=BR1 interface=ether24-slave-local
/interface bridge settings set use-ip-firewall=yes
/ip address add address=192.168.11.1/24 interface=ether24-slave-local

Mikrotik-24 <--> switch <--> PC_192.168.11.3
Making a loop on the switch.
All pings on the PC froze, the MikroTik froze...
/tool sniffer quick interface=BR1 still doesn't catch anything...

Can you give me more hints?
 
SPaul (just joined), Mon Jun 09, 2014 3:12 pm

Hello again...
This is why I can't catch the "loopstorm":
/tool sniffer quick interface=eth24
INTERFACE     TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS   DST-ADDRESS    PROTOCOL   SIZE
eth24        6.204    155 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                     802.2        60
eth24         6.21    156 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60
eth24         6.21    157 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60
eth24         6.21    158 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60
eth24         6.21    159 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60
eth24        6.216    160 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60
01:80:C2:00:00:00 - MAC of the looped switch, hundreds of packets per second.
How do I mark this?
Maybe there is another way to check high-load activity?
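The capture above shows frames addressed to 01:80:C2:00:00:00 with no IP header, which is why an /ip firewall mangle rule with dst-address-type=broadcast never counts them (and, as Chupaka and otgooneo said earlier in the thread, nothing from a switch-chip slave port reaches the IP firewall at all). A bridge filter rule matches on the Ethernet header instead. What follows is an added example, not code posted by anyone in this thread: two bridge filter rules that count every group-addressed frame (any destination MAC with the I/G bit set, so BPDUs to 01:80:C2:00:00:00, FF:FF:FF:FF:FF:FF broadcasts and IP multicast all match) entering bridge BR1 through ether24, plus a script in the style of otgooneo's that samples those counters for one second and disables the port above a rate. BR1 and ether24 come from the configuration posted above; the rule comment, the script name storm-guard and the 2000 frames/s threshold are assumptions chosen for illustration and should be tuned to the real background rate on the port. The port has to be a CPU-handled bridge port (master-port=none on RouterOS 6) for the counters to move; use-ip-firewall is not needed for this, because bridge filter acts on the bridged frames before and independently of the IP firewall.

```routeros
# Added example (not from the thread). Count group-addressed frames entering
# bridge BR1 on ether24. The mask 01:00:00:00:00:00/01:00:00:00:00:00 keeps only
# the I/G bit of the destination MAC, so 01:80:C2:00:00:00 (BPDU), FF:FF:FF:FF:FF:FF
# and 01:00:5E:xx:xx:xx all match. action=passthrough counts and never drops.
# Frames for the bridge itself traverse chain=input, frames switched to other
# ports traverse chain=forward, so one rule is needed in each chain.
/interface bridge filter
add chain=input in-interface=ether24 action=passthrough \
    dst-mac-address=01:00:00:00:00:00/01:00:00:00:00:00 comment=StormCount-ether24
add chain=forward in-interface=ether24 action=passthrough \
    dst-mac-address=01:00:00:00:00:00/01:00:00:00:00:00 comment=StormCount-ether24

# Script body. Store it under /system script as "storm-guard" (name assumed) and
# run it every minute from the scheduler with the command at the end.
# Threshold is frames per second; 2000 is an assumed value for illustration.
:local Threshold 2000
:local Port "ether24"
:local Rules [/interface bridge filter find where comment="StormCount-$Port"]
:local Before 0
:foreach R in=$Rules do={
    :set Before ($Before + [/interface bridge filter get $R packets])
}
:delay 1s
:local After 0
:foreach R in=$Rules do={
    :set After ($After + [/interface bridge filter get $R packets])
}
:local Rate ($After - $Before)
:if ($Rate >= $Threshold) do={
    /interface ethernet set [find where name=$Port] disabled=yes
    :log error "storm-guard: $Rate group-addressed frames/s on $Port, port disabled"
} else={
    :log debug "storm-guard: $Port ok, $Rate frames/s"
}

# Scheduler entry; on-event names the stored script
/system scheduler add name=storm-guard interval=1m on-event=storm-guard
```

Disabling the Ethernet interface stops the storm at the port, which is the only place a router can stop it; the port can be brought back by hand or by a recovery script such as otgooneo's above. The counters also move during legitimate bursts of multicast or ARP, so look at `/interface bridge filter print stats` for a while before picking a threshold.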
 
ahmadzai (just joined), Wed Sep 02, 2015 8:39 am

How can I control broadcast on my MikroTik router? Please explain it step by step.
 
sam1275 (Member Candidate), Mon Jan 16, 2017 3:00 pm

This is already implied in 6.37.3
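The post above does not name the feature; RouterOS 6.37 introduced a per-interface loop-protect option, which is presumably what is meant. As an added example, not code from anyone in the thread, the configuration below turns it on for the Ethernet ports: each port periodically sends a loop-protect frame and, if the router receives one of its own frames back, the port is disabled for loop-protect-disable-time and then re-enabled. The interval and disable-time values are assumptions; verify the parameter names with /interface ethernet print detail on the version you run, since they do not exist on releases older than 6.37.

```routeros
# Added example (not from the thread): built-in loop protection, available on
# Ethernet interfaces (among others) from RouterOS 6.37 on.
# loop-protect=on                 send probe frames; disable the port if one returns
# loop-protect-send-interval=5s   probe interval (value assumed)
# loop-protect-disable-time=5m    how long the port stays down after a loop (value assumed)
/interface ethernet set [find where name~"^ether"] loop-protect=on \
    loop-protect-send-interval=5s loop-protect-disable-time=5m

# Show the protected ports; loop-protect-status reflects the current state
/interface ethernet print detail where loop-protect=on
```

Unlike the mangle and bridge filter counters earlier in the thread, this works on the port regardless of whether frames carry IP, and it reacts to the loop itself rather than to a traffic rate, so it does not need a threshold tuned to the normal broadcast level.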
