133c & v3.17/3.16/3.14 Firewall NAT Failure

mstead · December 4, 2008, 4:23am

Hi,

Is anyone else having issues with the 133c and v3.16. I am being driven crazy with random failures all over my network. The same thing every time - customer calls saying there is no internet access and when I log into the box the NAT rule has zero hits - even though everything else works either side of it. A reboot will SOMETIMES bring it back but more often it takes several tries.

Further testing with filter rules shows that none of the firewall is working. Conntrack is on so that is not the issue.

Seems to me like there is some kind of race condition in the code for mipsle that is only failing randomly during startup.

Anyone else with this? It does not seem to affect the 411.

Malcolm

mstead · December 6, 2008, 2:49am

This is still present in v3.17. RB133c users BEWARE!!

Malcolm

Equis · December 6, 2008, 6:50am

I think I ran into this problem with v4 also today…

zerocool86 · December 6, 2008, 11:47am

me too!

i’ve seen on x86 and 133c, not yet on 433a. From 3.14 to 3.17 it’s the same, 3.13 it’s ok for me.

dwa · December 6, 2008, 12:41pm

The same problem on RB112 and RB133C (FW is upgaded to last v2.18.).

Tanker · December 6, 2008, 1:48pm

/sys route upgrade

y

reboot

T

mstead · December 6, 2008, 8:22pm

This seems to be only a problem with mipsle boards.

I have a ticket open with support but was suprised I had not heard anyone else report the problem. I am baselining at 3.10 until its fixed.

If anyone has 3.16 on an RB133c it is vital they dont try to downgrade to an older version via wireless. The result loses the wireless package. To downgrade install v3.17 first and then go back from there - I have done this with several boards now.

Malcolm

Equis · December 6, 2008, 8:41pm

Mine was a 133c also.

Equis · December 6, 2008, 8:42pm

Is 3.13 OK?

That’s what I am at now for most of our clients.

mstead · December 6, 2008, 8:51pm

I am told by a reliable source that 3.11 is ok. Someone mentions 3.13 being ok earlier in the thread but I don’t know them personally so would not want to rely on the information myself.

I might try 3.13 out on my test rig - basically a script that reboots the 133c board if the firewall works and halts when it fails - with each test result sent to kiwi syslog. If its still rebooting after an hour or so then I’m happy the firmware is ok. This is what I used to verify 3.10 is ok:

:local bytes;

:if ([/interface wireless get [find name=“wlan1”] running] = yes) do={

/ping 208.67.222.222 count=1

:delay 1s;

:set bytes [/ip firewall nat get [find out-interface=“wlan1”] bytes];

:if ($bytes < 1) do={
:log error “FAIL”;
};

:if ($bytes > 0) do={
:log error “PASS”;
/system reboot
};

};

Tanker · December 7, 2008, 3:39pm

Upgrade the firmware

T

mstead · December 7, 2008, 5:15pm

Already upgraded to 2.18. That makes no difference.

Malcolm

ArcticKnyght · December 7, 2008, 11:26pm

routeros 3.x just isnt stable on rb133c, use 2.9 instead.

Equis · December 7, 2008, 11:35pm

For me, 3.13 “seems OK”

I must admit, we did have fewer support calls with 2.9

It seems with v3 we are telling our customers to power cycle often, we almost never had to do this before.

I’m sure MT will sort it out, they always do

Equis · December 9, 2008, 10:05pm

I had this again today on the beta.

I had to downgrade to make it work to 3.13

I could not make the out file, router was disconnected when I tried.

I did not not traffic was being counted on the masq rule if that helps.

mstead · December 9, 2008, 11:34pm

The good news is that Mikrotik have now confirmed the problem in an email to me and can create the same in their lab. So now we just need to wait for 3.18…

Until then its 3.10 for me:-)

Malcolm

Equis · December 9, 2008, 11:41pm

Thanks for that

I use 3.11 and 3.13 to be stable

bradg · December 10, 2008, 6:23am

We’ve run into this as well - the unit is associated, can be accessed from either wireless or ethernet, but absolutely no traffic passes through the NAT rule. All thus far have been RB133C units - we’ve not logged any calls from clients with RB411’s.

My counterpart swears that rebooting the unit from the CLI works every time (warm boot), but power cycling it doesn’t (cold boot). I also noticed on one unit that disabling the NAT rule and re-enabling it brought functionality back, so it would lend some credibility to the software race idea.

It’s not happened often enough to crank off too many customers, but we’ve not been able to reproduce it on the bench either. But we did start getting calls about it after an upgrade of all clients from 3.9 to 3.15.

So, now that it’s a confirmed issue, when can we expect 3.18? I’d rather not wait a month for a new release and have customers cranked off at us over a known and presumably fixable software bug.

Brad

mstead · December 12, 2008, 2:59am

This is how I am getting round the problem at the moment. These commands will keep rebooting the box until the firewall starts to work!!

/ip firewall filter add chain=input action=accept dst-address=127.0.0.1 comment=“firewall-test-rule” place-before=0

/system script add name=“check-firewall-script” policy=reboot,read,test source=“:local bytes;\r\n/ping 127.0.0.1 count=1\r\n:delay 1s;\r\n:set bytes [/ip firewall filter get [find dst-address="127.0.0.1"] bytes];\r\n:if (bytes < 1) do={\r\n/system reboot\r\n};”

/system scheduler add name=“check-firewall-scheduler” on-event=“check-firewall-script” start-date=“jan/01/1970” start-time=00:01:00 interval=0s

Ozelo · December 12, 2008, 1:47pm

When booting, sometimes RB133c seems to run out of memory with ROS 3.17 and NAT stop working. Ive also seen the wireless interface vanish too.