Bug? Simple queue causes reboot failure

Willi · Sat Feb 17, 2024 9:20 pm

Hi, I think I might have hit a bug in ROS 7.13. I have an installation with 3 hap ax2 devices (2 APs and 1 router). When I add a simple queue to the configuration to limit the bandwidth of the guest network and then reboot the router, the router does not restart. If I restore a previous configuration in which the queue does not appear, the router reboots without any problem. After applying the queue, the queue also functions perfectly. The problem thus occurs after a software reboot or hard reboot. The only way to get the router functional again is to reset it and restore a backup.

The config of my router (without the simple queue implemented) looks like:

# 2024-02-17 20:12:01 by RouterOS 7.13
# software id = 7Z28-IETK
#
# model = C52iG-5HaxD2HaxD
# serial number = HEP099KCHF8
/interface bridge
add comment=WAN name=br_WAN_ISP port-cost-mode=short
add comment=WAN name=br_WAN_LTE port-cost-mode=short
add comment="Guest network" ingress-filtering=no name=br_guest \
    port-cost-mode=short vlan-filtering=yes
add comment="LAN network" ingress-filtering=no name=br_lan port-cost-mode=\
    short vlan-filtering=yes
add comment=OOB name=br_local port-cost-mode=short
/interface wireguard
add comment=back-to-home-vpn listen-port=43955 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=ether1 name=ether1_vl_GUEST vlan-id=70
add interface=ether1 name=ether1_vl_LAN vlan-id=60
add interface=ether1 name=ether1_vl_WAN_LTE vlan-id=50
add interface=ether3 name=ether3_vl_GUEST vlan-id=70
add interface=ether3 name=ether3_vl_LAN vlan-id=60
add interface=ether4 name=ether4_vl_GUEST vlan-id=70
add interface=ether4 name=ether4_vl_LAN vlan-id=60
add interface=ether5 name=ether5_vl_local vlan-id=70
add interface=br_guest name="vl_GUEST on br_GUEST" vlan-id=70
add interface=br_lan name="vl_LAN on br_LAN" vlan-id=60
/interface list
add name=LEASES
add name=UNTRUSTED
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=ch_2.4Ghz width=20mhz
add band=5ghz-ax disabled=no name=ch_5Ghz width=20/40/80mhz
/interface wifi datapath
add bridge=br_lan disabled=no name="br_LAN - VLAN 60" vlan-id=60
add bridge=br_guest disabled=no name="br_GUEST - VLAN 70" vlan-id=70
/interface wifi security
add authentication-types=wpa2-psk connect-priority=0 disabled=no ft=yes \
    ft-over-ds=yes name=seccfg_Cussangy
add authentication-types=wpa2-psk connect-priority=0 disabled=no name=\
    seccfg_Cussangy_guest
/interface wifi
set [ find default-name=wifi2 ] configuration.country=France .mode=ap .ssid=\
    Cussangy datapath.bridge=br_lan disabled=no name=Router_Cussangy_2.4Ghz \
    security=seccfg_Cussangy security.connect-priority=0
set [ find default-name=wifi1 ] configuration.country=France .mode=ap .ssid=\
    Cussangy datapath.bridge=br_lan disabled=no name=Router_Cussangy_5Ghz \
    security=seccfg_Cussangy security.connect-priority=0
add configuration.mode=ap .ssid=Cussangy_guest datapath.bridge=br_guest \
    disabled=no mac-address=7A:9A:18:01:AE:31 master-interface=\
    Router_Cussangy_2.4Ghz name=Router_Cussangy_guest_2.4Ghz security=\
    seccfg_Cussangy_guest security.connect-priority=0
add configuration.mode=ap .ssid=Cussangy_guest datapath.bridge=br_guest \
    disabled=no mac-address=7A:9A:18:01:AE:2F master-interface=\
    Router_Cussangy_5Ghz name=Router_Cussangy_guest_5Ghz security=\
    seccfg_Cussangy_guest security.connect-priority=0
/interface wifi configuration
add datapath="br_LAN - VLAN 60" disabled=no mode=ap name=cfg_Cussangy_2.4Ghz \
    security=seccfg_Cussangy security.connect-priority=0 ssid=Cussangy
add channel=ch_5Ghz country=France datapath="br_LAN - VLAN 60" disabled=no \
    mode=ap name=cfg_Cussangy_5Ghz security=seccfg_Cussangy \
    security.connect-priority=0 ssid=Cussangy
add channel=ch_2.4Ghz country=France datapath="br_GUEST - VLAN 70" disabled=\
    no mode=ap name=cfg_Cussangy_guest_2.4Ghz security=seccfg_Cussangy_guest \
    security.connect-priority=0 ssid=Cussangy_guest
add channel=ch_5Ghz country=France datapath="br_GUEST - VLAN 70" disabled=no \
    mode=ap name=cfg_Cussangy_guest_5Ghz security=seccfg_Cussangy_guest \
    security.connect-priority=0 ssid=Cussangy_guest
add comment=test country=France disabled=no mode=ap name=cfg24Cussangy \
    security=seccfg_Cussangy security.connect-priority=0 ssid=Cussangy
add comment=test country=France datapath="br_LAN - VLAN 60" disabled=no mode=\
    ap name=cfg5Cussangy security=seccfg_Cussangy security.connect-priority=0 \
    ssid=Cussangy
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    profile1 proposal-check=strict
/ip ipsec peer
add address=bpnet.duckdns.org exchange-mode=ike2 name=bpnet profile=profile1
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-128-gcm lifetime=1h name=proposal1 \
    pfs-group=modp2048
/ip pool
add name=dhcp_local ranges=192.168.77.10-192.168.77.250
add name=dhcp_lan ranges=192.168.60.10-192.168.60.250
add name=dhcp_guest ranges=192.168.70.10-192.168.70.250
/ip dhcp-server
add address-pool=dhcp_local interface=br_local lease-time=1h name=dhcp_local
add address-pool=dhcp_lan interface=br_lan lease-time=1d name=dhcp_lan
add address-pool=dhcp_guest interface=br_guest name=dhcp_guest
/user group
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
    !write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=XXXX
/interface bridge port
add bridge=br_WAN_ISP disabled=yes interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=br_WAN_LTE interface=ether1_vl_WAN_LTE internal-path-cost=10 \
    path-cost=10
add bridge=br_lan interface=ether3_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_lan interface=ether4_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_local interface=ether5_vl_local internal-path-cost=10 \
    path-cost=10
add bridge=br_guest interface=ether3_vl_GUEST internal-path-cost=10 \
    path-cost=10
add bridge=br_guest interface=ether4_vl_GUEST internal-path-cost=10 \
    path-cost=10
add bridge=br_local disabled=yes interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=br_lan disabled=yes interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=br_lan disabled=yes interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=br_guest interface=ether1_vl_GUEST internal-path-cost=10 \
    path-cost=10
add bridge=br_lan interface=ether1_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_local interface=ether5 internal-path-cost=10 path-cost=10
add bridge=br_lan interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add disabled=yes interface=br_guest list=LEASES
add interface=br_WAN_LTE list=UNTRUSTED
add interface=br_WAN_ISP list=UNTRUSTED
add disabled=yes interface=br_guest list=UNTRUSTED
add interface=br_WAN_ISP list=WAN
add interface=br_WAN_LTE list=WAN
/interface wifi access-list
add action=accept comment="Accept rule" disabled=yes signal-range=-90..-10 \
    time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject comment="Reject rule" disabled=yes signal-range=-120..-90 \
    time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/interface wifi cap
set caps-man-names=2.4-Cussangy discovery-interfaces=all enabled=yes
/interface wifi capsman
set enabled=yes interfaces=all package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment=APCussangyBureau5Ghz disabled=no \
    master-configuration=cfg_Cussangy_5Ghz name-format=AP_Bureau_5Ghz \
    radio-mac=48:A9:8A:92:7B:F5 slave-configurations=cfg_Cussangy_guest_5Ghz
add action=create-dynamic-enabled comment=APCussangyBureau2.4Ghz disabled=no \
    master-configuration=cfg_Cussangy_2.4Ghz name-format=AP_Bureau_2.4Ghz \
    radio-mac=48:A9:8A:92:7B:F6 slave-configurations=\
    cfg_Cussangy_guest_2.4Ghz
add action=create-dynamic-enabled comment=APCussangyBoven5Ghz disabled=no \
    master-configuration=cfg_Cussangy_5Ghz name-format=AP_Boven_5Ghz \
    radio-mac=48:A9:8A:B8:F2:29 slave-configurations=cfg_Cussangy_guest_5Ghz
add action=create-dynamic-enabled comment=APCussangyBoven2.4Ghz disabled=no \
    master-configuration=cfg_Cussangy_2.4Ghz name-format=AP_Boven_2.4Ghz \
    radio-mac=48:A9:8A:B8:F2:2A slave-configurations=\
    cfg_Cussangy_guest_2.4Ghz
/interface wireguard peers
add allowed-address=192.168.216.3/32,fc00:0:0:216::3/128 client-address=\
    192.168.216.3/32,fc00:0:0:216::3/128 client-dns=192.168.216.1 \
    client-endpoint=XX.vpn.mynetname.net client-keepalive=30s \
    comment="RouterCussangy | samsung SM-S901B" interface=back-to-home-vpn \
    persistent-keepalive=30s private-key=\
    "XX" public-key=\
    "XX"
add allowed-address=192.168.216.5/32,fc00:0:0:216::5/128 client-address=\
    192.168.216.5/32,fc00:0:0:216::5/128 client-dns=192.168.216.1 \
    client-endpoint=XX.vpn.mynetname.net client-keepalive=30s \
    comment="BjornPC | samsung SM-S901B" interface=back-to-home-vpn \
    persistent-keepalive=30s private-key=\
    "XX=" public-key=\
    "XX"
add allowed-address=192.168.216.4/32,fc00:0:0:216::4/128 client-address=\
    192.168.216.4/32,fc00:0:0:216::4/128 client-dns=192.168.216.1 \
    client-endpoint=XX.vpn.mynetname.net client-keepalive=30s \
    comment="BjornPC | samsung SM-S901B" interface=back-to-home-vpn \
    persistent-keepalive=30s private-key=\
    "XX=" public-key=\
    "XX="
/ip address
add address=192.168.77.254/24 interface=br_local network=192.168.77.0
add address=192.168.60.254/24 interface=br_lan network=192.168.60.0
add address=192.168.70.254/24 interface=br_guest network=192.168.70.0
add address=192.168.80.1/24 interface=*16 network=192.168.80.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=br_WAN_ISP use-peer-dns=no
add interface=br_WAN_LTE
/ip dhcp-server lease
add address=192.168.60.250 client-id=1:48:a9:8a:92:7b:f0 mac-address=\
    48:A9:8A:92:7B:F0 server=dhcp_lan
add address=192.168.60.251 client-id=1:48:a9:8a:b8:f2:24 mac-address=\
    48:A9:8A:B8:F2:24 server=dhcp_lan
add address=192.168.60.35 client-id=1:ec:62:60:b5:72:78 mac-address=\
    EC:62:60:B5:72:78 server=dhcp_lan
add address=192.168.60.37 mac-address=7C:87:CE:BA:50:71 server=dhcp_lan
add address=192.168.60.38 mac-address=7C:87:CE:B4:B2:A7 server=dhcp_lan
/ip dhcp-server network
add address=192.168.60.0/24 comment=net_lan dns-server=192.168.60.254 domain=\
    lan.cussangy.local gateway=192.168.60.254 netmask=24
add address=192.168.70.0/24 comment=net_guest dns-server=192.168.70.254 \
    domain=guest.cussangy.local gateway=192.168.70.254 netmask=24
add address=192.168.77.0/24 comment=net_oob dns-server=192.168.77.1 gateway=\
    192.168.77.1
/ip dns
set allow-remote-requests=yes servers=193.190.198.14,1.1.1.1
/ip firewall address-list
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=10.0.0.0/8 list=RFC1918
add address=bpnet.duckdns.org list="VPN sources"
/ip firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=passthrough chain=forward comment=\
    "special dummy rule to show fasttrack counters"
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept OOB Access" in-interface=\
    br_local
add action=accept chain=input comment="General - Established Input"
add action=accept chain=input comment="Allow Wireguard VPN" disabled=yes \
    src-address=192.168.80.0/24
add action=accept chain=input comment="Allow Wireguard VPN" disabled=yes \
    dst-port=13231 protocol=udp
add action=accept chain=input comment="VPN - Accept incoming IKE" disabled=\
    yes dst-port=500,4500 in-interface=br_WAN_LTE log-prefix=IKE protocol=udp \
    src-address-list="VPN sources"
add action=accept chain=input disabled=yes in-interface=br_WAN_LTE protocol=\
    ipsec-esp src-address-list="VPN sources"
add action=accept chain=forward comment=\
    "OPENVPN forward to Raspberry Pi static adress" disabled=yes dst-address=\
    192.168.60.33 dst-port=1194 protocol=udp
add action=accept chain=input comment="HomeAssistant Integration" \
    dst-address=192.168.60.254 dst-port=8728 in-interface=br_lan protocol=tcp
add action=accept chain=input comment="FW - Accept ICMP to FW" in-interface=\
    !br_WAN_ISP protocol=icmp src-address-list=RFC1918
add action=accept chain=input comment="FW - Accept ICMP to FW" in-interface=\
    !br_WAN_LTE protocol=icmp src-address-list=RFC1918
add action=accept chain=input comment="FW - DNS to FW" dst-port=53 \
    in-interface=!br_WAN_ISP protocol=udp
add action=accept chain=input comment="FW - DNS to FW" dst-port=53 \
    in-interface=!br_WAN_LTE protocol=udp
add action=accept chain=input comment="FW - Accept incoming from LAN" \
    dst-address=192.168.60.254 in-interface=br_lan src-address=\
    192.168.60.0/24
add action=accept chain=input comment=\
    "FW - accept incoming Veemarkt over ISP" disabled=yes dst-address=\
    192.168.60.254 in-interface=br_WAN_ISP src-address=192.168.205.0/24
add action=accept chain=input comment=\
    "FW - Accept incoming Veemarkt over LTE" disabled=yes dst-address=\
    192.168.60.254 in-interface=br_WAN_LTE src-address=192.168.205.0/24
add action=accept chain=input comment=\
    "FW - Accept incoming from PBNET over ISP" disabled=yes dst-address=\
    192.168.60.254 in-interface=br_WAN_ISP src-address=192.168.1.0/24
add action=accept chain=input comment=\
    "FW - Accept incoming from PBNET over LTE" disabled=yes dst-address=\
    192.168.60.254 in-interface=br_WAN_LTE src-address=192.168.1.0/24
add action=drop chain=input comment="FW - Drop Input UDP - silent" dst-port=\
    123,137,138 protocol=udp
add action=drop chain=input comment="FW - Drop Incoming WAN over ISP" \
    in-interface=br_WAN_ISP
add action=drop chain=input comment="FW - Drop incoming WAN over LTE" \
    in-interface=br_WAN_LTE
add action=drop chain=input comment="FW - Drop all IN"
add action=drop chain=input comment="General - Broadcast silent drop" \
    dst-address=255.255.255.255
add action=drop chain=input comment="General - Drop Invalid Input"
add action=accept chain=forward comment="Allow Wireguard to LAN" disabled=yes \
    in-interface=*16 out-interface="vl_LAN on br_LAN"
add action=accept chain=forward comment="VPN: accept incoming IPSEC" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="VPN: accept outgoing IPSEC" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment="LAN - Allow Internet over ISP" \
    dst-address-list=!RFC1918 in-interface=br_lan out-interface=br_WAN_ISP \
    src-address=192.168.60.0/24
add action=accept chain=forward comment="LAN - Allow Internet over LTE" \
    dst-address-list=!RFC1918 in-interface=br_lan out-interface=br_WAN_LTE \
    src-address=192.168.60.0/24
add action=accept chain=forward comment="GUEST - Allow Internet over ISP" \
    dst-address-list=!RFC1918 in-interface=br_guest out-interface=br_WAN_ISP \
    src-address=192.168.70.0/24
add action=accept chain=forward comment="GUEST - Allow Internet over LTE" \
    dst-address-list=!RFC1918 in-interface=all-wireless out-interface=\
    br_guest src-address=192.168.70.0/24
add action=accept chain=forward comment=Statefull connection-state=\
    established
add action=accept chain=output comment="Outgoing DNS over ISP" dst-port=53 \
    out-interface=br_WAN_ISP protocol=udp
add action=accept chain=output comment="Outgoing DNS over LTE" dst-port=53 \
    out-interface=br_WAN_LTE protocol=udp
add action=accept chain=forward comment="VPN IN from PBNET" disabled=yes \
    dst-address=192.168.60.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="VPN IN from Veemarkt" disabled=yes \
    dst-address=192.168.60.0/24 src-address=192.168.205.0/24
add action=accept chain=forward comment="VPN - LAN out to PBNET" disabled=yes \
    dst-address=192.168.1.0/24 src-address=192.168.60.0/24
add action=accept chain=forward comment="VPN - LAN out to Veemarkt" disabled=\
    yes dst-address=192.168.205.0/24 src-address=192.168.60.0/24
add action=accept chain=forward comment=\
    "General - Accept established forward"
add action=drop chain=forward comment="General - Drop invalid forward"
add action=accept chain=forward comment="LAN - ping not ISP" in-interface=\
    br_lan out-interface=!br_WAN_ISP protocol=icmp src-address=\
    192.168.60.0/24
add action=accept chain=forward comment="LAN - ping not LTE" in-interface=\
    br_lan out-interface=!br_WAN_LTE protocol=icmp src-address=\
    192.168.60.0/24
add action=accept chain=forward comment="LAN - Allow internet over ISP" \
    disabled=yes dst-address-list=!RFC1918 in-interface=br_lan out-interface=\
    br_WAN_ISP src-address=192.168.60.0/24
add action=accept chain=forward comment="LAN - Allow internet over LTE" \
    disabled=yes dst-address-list=!RFC1918 in-interface=br_lan out-interface=\
    br_WAN_LTE src-address=192.168.60.0/24
add action=accept chain=forward comment="GUEST - Allow internet over ISP" \
    disabled=yes dst-address-list=!RFC1918 in-interface=br_guest \
    out-interface=br_WAN_ISP src-address=192.168.70.0/24
add action=accept chain=forward comment="GUEST - Allow internet over LTE" \
    disabled=yes dst-address-list=!RFC1918 in-interface=br_guest \
    out-interface=br_WAN_LTE src-address=192.168.70.0/24
add action=drop chain=forward comment="DROP ALL - Silent Drop" dst-port=\
    123,137,138 protocol=udp
add action=drop chain=forward comment="DROP ALL"
/ip firewall mangle
add action=clear-df chain=postrouting disabled=yes out-interface=br_WAN_ISP \
    passthrough=yes
add action=clear-df chain=postrouting disabled=yes out-interface=br_WAN_LTE \
    passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment="IPsec No-NAT" ipsec-policy=out,ipsec
add action=src-nat chain=srcnat comment="NAT OpenVPN server" disabled=yes \
    dst-address=192.168.60.33 dst-port=1194 protocol=udp to-addresses=\
    192.168.60.254
add action=dst-nat chain=dstnat comment="NAT OpenVPN server" disabled=yes \
    dst-port=1194 protocol=udp to-addresses=192.168.60.33 to-ports=1104
add action=masquerade chain=srcnat disabled=yes log=yes out-interface=\
    br_WAN_ISP
add action=masquerade chain=srcnat out-interface=br_WAN_LTE
add action=masquerade chain=srcnat comment="Masquerade out LAN to WAN" \
    disabled=yes out-interface-list=WAN src-address=192.168.60.0/24
add action=masquerade chain=srcnat comment="Masquerade out guest to WAN" \
    out-interface-list=WAN src-address=192.168.70.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=cert01-vpn-cussangy \
    generate-policy=port-strict match-by=certificate peer=bpnet \
    remote-certificate=cert02-vpn-bpnet.crt_0
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 peer=bpnet proposal=proposal1 src-address=\
    192.168.60.0/24 tunnel=yes
/ip route
add comment="Route to PBNET over ISP" disabled=yes distance=1 dst-address=\
    192.168.1.0/24 gateway=br_WAN_ISP pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Route to PBNET over LTE" disabled=no distance=2 dst-address=\
    192.168.1.0/24 gateway=br_WAN_LTE pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Route to Veemarkt over ISP" disabled=yes distance=1 dst-address=\
    192.168.205.0/24 gateway=br_WAN_ISP pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="Route to Veemarkt over LTE" disabled=no distance=2 dst-address=\
    192.168.205.0/24 gateway=br_WAN_LTE pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="To WAN over br_WAN_ISP" disabled=yes distance=1 dst-address=\
    0.0.0.0/0 gateway=br_WAN_ISP pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="To WAN over br_WAN_LTE" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=br_WAN_LTE pref-src="" routing-table=main \
    suppress-hw-offload=no
add comment="Recursive routing: check route over WAN_ISP" disabled=yes \
    distance=1 dst-address=8.8.8.8/32 gateway=br_WAN_ISP pref-src="" \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment="Recursive routing: check route over WAN_LTE" disabled=yes \
    distance=1 dst-address=1.1.1.1/32 gateway=br_WAN_LTE pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Recursive routing over WAN_ISP" disabled=yes \
    distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Recursive routing over WAN_LTE" disabled=yes \
    distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=RouterCussangy
/system logging
add topics=wireless,debug
/system note
set show-at-login=no
/system scheduler
add comment="schedule duckdns cussangylte" interval=1d name=cussangylte \
    on-event="DuckDNS CussangyLTE" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-11-17 start-time=00:00:00
add comment="schedule duckdns cussangyisp" interval=1d name=cussangyisp \
    on-event="DuckDNS CussangyISP" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-11-17 start-time=00:00:00
/system script
add dont-require-permissions=no name="DUCKDNS Update CussangyLTE" owner=admin \
    policy=read,write,policy,test,password,sniff,sensitive,romon source="# Get\
    \_the actual public IP from the br_WAN_LTE interface\
    \n:global actualIP value=[/ip address get [find where interface=br_WAN_LTE\
    ] value-name=address];\
    \n\
    \n# Remove the subnet from the result, so only the IP is left\
    \n:global actualIP value=[:pick \$actualIP -1 [:find \$actualIP \"/\" -1] \
    ];\
    \n\
    \n# If there is no ipstore.txt file yet, create it\
    \n:if ([:len [/file find where name=ipstore.txt]] < 1 ) do={\
    \n   /file print file=ipstore.txt where name=ipstore.txt;\
    \n   /delay delay-time=2;\
    \n   /file set ipstore.txt contents=\"0.0.0.0\";\
    \n};\
    \n\
    \n# Get the previousIP from the ipstore.txt file\
    \n:global previousIP value=[/file get [find where name=ipstore.txt ] value\
    -name=contents];\
    \n\
    \n# Compare previousIP with actualIP\
    \n# If not the same, update duckdns.org with the new actualIP\
    \n# Update ipstore.txt with the new actualIP\
    \n:if (\$previousIP != \$actualIP) do={\
    \n   :log info message=(\"DuckDNS: try to Update DuckDNS with actual IP \"\
    .\$actualIP.\" -  Previous IP is \".\$previousIP);\
    \n   \
    \n   /tool fetch mode=https keep-result=yes dst-path=duckdns-result.txt ad\
    dress=[:resolve www.duckdns.org] port=443 host=www.duckdns.org src-path=(\
    \"/update\?domains=cussangylte&token=5ffed588-8f82-4c38-9db5-6e058a20c5c0&\
    ip=\".\$actualIP);\
    \n   \
    \n   /delay delay-time=5;\
    \n \
    \n   :global lastChange value=[/file get [find where name=duckdns-result.t\
    xt ] value-name=contents];\
    \n   :global previousIP value=\$actualIP;\
    \n   /file set ipstore.txt contents=\$actualIP;\
    \n \
    \n   :if (\$lastChange = \"OK\") do={:log warning message=(\"DuckDNS: upda\
    te successfull with IP \".\$actualIP);};\
    \n   :if (\$lastChange = \"KO\") do={:log error message=(\"DuckDNS: failed\
    \_to update DuckDNS with new IP \".\$actualIP);};\
    \n} else={\
    \n   :log info message=(\"DuckDNS: no update required. Actual IP: \".\$act\
    ualIP);\
    \n}"
add dont-require-permissions=no name="DUCKDNS Update CussangyISP" owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="# Get the actual public IP from the bridge_PUB interface\
    \n:global actualIP value=[/ip address get [find where interface=br_WAN_ISP\
    ] value-name=address];\
    \n\
    \n# Remove the subnet from the result, so only the IP is left\
    \n:global actualIP value=[:pick \$actualIP -1 [:find \$actualIP \"/\" -1] \
    ];\
    \n\
    \n# If there is no ipstoreISP.txt file yet, create it\
    \n:if ([:len [/file find where name=ipstoreISP.txt]] < 1 ) do={\
    \n   /file print file=ipstoreISP.txt where name=ipstoreISP.txt;\
    \n   /delay delay-time=2;\
    \n   /file set ipstoreISP.txt contents=\"0.0.0.0\";\
    \n};\
    \n\
    \n# Get the previousIP from the ipstore.txt file\
    \n:global previousIP value=[/file get [find where name=ipstoreISP.txt ] va\
    lue-name=contents];\
    \n\
    \n# Compare previousIP with actualIP\
    \n# If not the same, update duckdns.org with the new actualIP\
    \n# Update ipstoreISP.txt with the new actualIP\
    \n:if (\$previousIP != \$actualIP) do={\
    \n   :log info message=(\"DuckDNS: try to Update DuckDNS with actual IP \"\
    .\$actualIP.\" -  Previous IP is \".\$previousIP);\
    \n   \
    \n   /tool fetch mode=https keep-result=yes dst-path=duckdns-result.txt ad\
    dress=[:resolve www.duckdns.org] port=443 host=www.duckdns.org src-path=(\
    \"/update\?domains=cussangyisp&token=5ffed588-8f82-4c38-9db5-6e058a20c5c0&\
    ip=\".\$actualIP);\
    \n   \
    \n   /delay delay-time=5;\
    \n \
    \n   :global lastChange value=[/file get [find where name=duckdns-result.t\
    xt ] value-name=contents];\
    \n   :global previousIP value=\$actualIP;\
    \n   /file set ipstoreISP.txt contents=\$actualIP;\
    \n \
    \n   :if (\$lastChange = \"OK\") do={:log warning message=(\"DuckDNS: upda\
    te successfull with IP \".\$actualIP);};\
    \n   :if (\$lastChange = \"KO\") do={:log error message=(\"DuckDNS: failed\
    \_to update DuckDNS with new IP \".\$actualIP);};\
    \n} else={\
    \n   :log info message=(\"DuckDNS: no update required. Actual IP: \".\$act\
    ualIP);\

erlinden · Sat Feb 17, 2024 10:59 pm

As you seem to understand the concept of VLAN...why do you use mutliple bridges?
I would like to advise you this topic, which gives really great suggestions on VLAN:
viewtopic.php?t=143620

Will continue reading your config for reasons having this problem.

Can you add the way you add the queue to this router?

Willi · Sun Feb 18, 2024 8:31 am

As you seem to understand the concept of VLAN...why do you use mutliple bridges?
I would like to advise you this topic, which gives really great suggestions on VLAN:
viewtopic.php?t=143620

Will continue reading your config for reasons having this problem.

Can you add the way you add the queue to this router?

Hi Erlinden, thanks for your help. The way I add the queue can be seen in the screenshot below:

Willi · Sun Feb 18, 2024 8:35 am

I just realized that if I disable the rule, the router reboots just fine. If I enable the queue rule, the router bricks at reboot.

bonedaddy4538 · Mon Feb 19, 2024 9:41 pm

Adding my two cents. Recently got a hex router RB750gr3 and from a factory reset I only enable a simple queue and the router crashes. I think theres a bug on 7.13. I am on 7.13.5 currently and the router basically bricks when enabling simple queue for me. I have to factory reset to get going again. I also disable fasttrack right before the queue application.

Willi · Wed Feb 21, 2024 8:19 am

@MikrotikSupport Could you please have a look at this?

Wed Feb 21, 2024 9:12 am

Willi - Please do the following:

1) Upgrade your router to v7.14rc or later (if one is available when you decide to do this);
2) Generate supout file before you add queue;
3) Add queue;
4) Generate another supout file;
5) Execute reboot command, make sure that the problem is still there, generate third supout file;
6) Send all of these files to support@mikrotik.com.

infabo · Wed Feb 21, 2024 9:16 am

Might be difficult to get "third supout file"

Willi · Wed Feb 21, 2024 9:41 am

Willi - Please do the following:

1) Upgrade your router to v7.14rc or later (if one is available when you decide to do this);
2) Generate supout file before you add queue;
3) Add queue;
4) Generate another supout file;
5) Execute reboot command, make sure that the problem is still there, generate third supout file;
6) Send all of these files to support@mikrotik.com.

Thank you for your support already. I generated the supout files as requested and mailed them to the indicated address.

Willi · Sat Mar 02, 2024 3:58 pm

Willi - Please do the following:

1) Upgrade your router to v7.14rc or later (if one is available when you decide to do this);
2) Generate supout file before you add queue;
3) Add queue;
4) Generate another supout file;
5) Execute reboot command, make sure that the problem is still there, generate third supout file;
6) Send all of these files to support@mikrotik.com.
Thank you for your support already. I generated the supout files as requested and mailed them to the indicated address.

@MikrotikSupport any feedback on this issue?

Bug? Simple queue causes reboot failure

Bug? Simple queue causes reboot failure

Re: Bug? Simple queue causes reboot failure

Re: Bug? Simple queue causes reboot failure

Re: Bug? Simple queue causes reboot failure

Re: Bug? Simple queue causes reboot failure

Re: Bug? Simple queue causes reboot failure

Re: Bug? Simple queue causes reboot failure

Re: Bug? Simple queue causes reboot failure

Re: Bug? Simple queue causes reboot failure

Re: Bug? Simple queue causes reboot failure

Who is online