After Upgrade Stupid Routting problem, or Not?

FOV · January 23, 2006, 9:21pm

Hi guys, after a lot of work, I could be able to put on line my MTK over version 2.9.5 Lvl 5 Router board 532

After that, i upgrade to 2.9.11

Now, the situation is with the same config:

I can pingo from MTK to the outside world, but from any machine connected to the MTK i could not see the Internet world.

here is the config:

Othe curious situation is CPU: 100% EVER

Any ideas or sudgestios? PLS, I know that this could be a IDOT sittuation, but for me, neewbie albosulte, is a hudge problem.

Thansk in advance

################ IP ADDRESS ##############################################

[fvazquez@Nodo pilar] ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.0.1/24 192.168.0.0 192.168.0.255 Mirador
1 200.81.235.131/28 200.81.235.128 200.81.235.143 Publica_Main
2 10.1.1.1/24 10.1.1.0 10.1.1.255 wlan1

################ IP ROUTE ##############################################

[fvazquez@Nodo pilar] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREFSRC G GATEWAY DIS INTERFACE

0 ADC 10.1.1.0/24 10.1.1.1 wlan1
1 ADC 192.168.0.0/24 192.168.0.1 Mirador
2 ADC 200.81.235.128/28 200.81.235.131 Publica_Main
3 A S 0.0.0.0/0 r 200.81.235.129 Publica_Main

################ Firewall Rules ##############################################

[fvazquez@Nodo pilar] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; sta regla es para jugar
chain=forward action=log log-prefix=""

1 X chain=input action=log log-prefix=""

2 X chain=output action=log log-prefix=""

3 ;;; Accept established connections
chain=input connection-state=established dst-limit=0,5,dst-address/1m40s
action=accept

4 ;;; Accept related connections
chain=input connection-state=related dst-limit=0,5,dst-address/1m40s
action=accept

5 ;;; Drop invalid connections
chain=input connection-state=invalid dst-limit=0,5,dst-address/1m40s
action=drop

6 ;;; !!! Check for well-known viruses !!!
chain=input dst-limit=0,5,dst-address/1m40s action=jump
jump-target=virus

7 ;;; UDP
chain=input protocol=udp dst-limit=0,5,dst-address/1m40s action=accept

8 ;;; Allow limited pings
chain=input protocol=icmp limit=50/5s,2 action=accept

9 chain=input protocol=icmp icmp-options=0:0 action=accept

10 ;;; Drop excess pings
chain=input protocol=icmp dst-limit=0,5,dst-address/1m40s action=drop

11 ;;; SSH for Management purposes
chain=input protocol=tcp dst-port=22 dst-limit=0,5,dst-address/1m40s
action=accept

12 ;;; Telnet for demo purposes
chain=input protocol=tcp dst-port=23 dst-limit=0,5,dst-address/1m40s
action=accept

13 X ;;; http for demo purposes
chain=input protocol=tcp dst-port=80 dst-limit=0,5,dst-address/1m40s
action=accept

14 ;;; Winbox for Management purposes - Por MAC
chain=input protocol=tcp dst-port=20561 dst-limit=0,5,dst-address/1m40s
action=accept

15 ;;; Winbox for Management purposes - Por IP
chain=input protocol=tcp dst-port=8291 dst-limit=0,5,dst-address/1m40s
action=accept

16 ;;; PPTP for VPN purposes
chain=input protocol=tcp dst-port=1723 dst-limit=0,5,dst-address/1m40s
action=accept

17 ;;; VPN IPSEC purposes
chain=input protocol=ipsec-esp action=accept

18 ;;; From Mirador Network
chain=input src-address=192.168.0.0/24 dst-limit=0,5,dst-address/1m40s
action=accept

19 ;;; Log and drop everything else
chain=input dst-limit=0,5,dst-address/1m40s action=log log-prefix=""

20 ;;; Log and drop everything else
chain=input dst-limit=0,5,dst-address/1m40s action=drop

21 ;;; Established Connections
chain=forward connection-state=established
dst-limit=0,5,dst-address/1m40s action=accept

22 ;;; Related connections
chain=forward connection-state=related dst-limit=0,5,dst-address/1m40s
action=accept

23 ;;; Drop invalid connections
chain=forward connection-state=invalid dst-limit=0,5,dst-address/1m40s
action=drop

24 ;;; !!! Check for well-known viruses !!!
chain=forward dst-limit=0,5,dst-address/1m40s action=jump
jump-target=virus

25 ;;; UDP
chain=forward protocol=udp dst-limit=0,5,dst-address/1m40s action=accept

26 ;;; Allow limited Pings
chain=forward protocol=icmp limit=50/5s,2 action=accept

27 ;;; Drop excess pings
chain=forward protocol=icmp dst-limit=0,5,dst-address/1m40s action=drop

28 chain=output dst-limit=0,5,dst-address/1m40s action=log log-prefix=""

29 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=135-139 action=drop

30 ;;; Drop Messenger Worm
chain=virus protocol=udp dst-port=135-139 action=drop

31 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=445 action=drop

32 ;;; Drop Blaster Worm
chain=virus protocol=udp dst-port=445 action=drop

33 ;;; ________
chain=virus protocol=tcp dst-port=593 action=drop

34 ;;; ________
chain=virus protocol=tcp dst-port=1024-1030 action=drop

35 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=1080 action=drop

36 ;;; ________
chain=virus protocol=tcp dst-port=1214 action=drop

37 ;;; ndm requester
chain=virus protocol=tcp dst-port=1363 action=drop

38 ;;; ndm server
chain=virus protocol=tcp dst-port=1364 action=drop

39 ;;; screen cast
chain=virus protocol=tcp dst-port=1368 action=drop

40 ;;; hromgrafx
chain=virus protocol=tcp dst-port=1373 action=drop

41 ;;; cichlid
chain=virus protocol=tcp dst-port=1377 action=drop

42 ;;; Worm
chain=virus protocol=tcp dst-port=1433-1434 action=drop

43 ;;; Bagle Virus
chain=virus protocol=tcp dst-port=2745 action=drop

44 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=2283 action=drop

45 ;;; Drop Beagle
chain=virus protocol=tcp dst-port=2535 action=drop

46 ;;; Drop Beagle.C-K
chain=virus protocol=tcp dst-port=2745 action=drop

47 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=3127-3128 action=drop

48 ;;; Drop Backdoor OptixPro
chain=virus protocol=tcp dst-port=3410 action=drop

49 ;;; Worm
chain=virus protocol=tcp dst-port=4444 action=drop

50 ;;; Worm
chain=virus protocol=udp dst-port=4444 action=drop

51 ;;; Drop Sasser
chain=virus protocol=tcp dst-port=5554 action=drop

52 ;;; Drop Beagle.B
chain=virus protocol=tcp dst-port=8866 action=drop

53 ;;; Drop Dabber.A-B
chain=virus protocol=tcp dst-port=9898 action=drop

54 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=10000 action=drop

55 ;;; Drop MyDoom.B
chain=virus protocol=tcp dst-port=10080 action=drop

56 ;;; Drop NetBus
chain=virus protocol=tcp dst-port=12345 action=drop

57 ;;; Drop Kuang2
chain=virus protocol=tcp dst-port=17300 action=drop

58 ;;; Drop SubSeven
chain=virus protocol=tcp dst-port=27374 action=drop

59 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus protocol=tcp dst-port=65506 action=drop

################ Firewall NAT ##############################################

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Nat para VPN
chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.1.0/24
action=accept

1 ;;; Masquerade para Salida de PC's
chain=srcnat src-address=192.168.0.0/24 action=masquerade

2 ;;; Redireccionamiento de Proxy
chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

################ Firewall Mangle ############################################

[fvazquez@Nodo pilar] ip firewall mangle> pri
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1360

################ Queue #####################################################

[fvazquez@Nodo pilar] queue simple> pri
Flags: X - disabled, I - invalid, D - dynamic
0 name="queue1" target-addresses=0.0.0.0/0 dst-address=0.0.0.0/0
interface=all parent=none direction=both priority=8
queue=default/default limit-at=0/0 max-limit=0/0 total-queue=default

################ Transparent Proxy #########################################

[fvazquez@Nodo pilar] ip proxy> print
enabled: yes
ports: 8080
parent-proxy: 0.0.0.0:1
maximal-client-connecions: 1000
maximal-server-connectons: 1000
cache-administrator: "webmaster"
max-object-size: 4000KiB
max-disk-cache-size: none
max-ram-cache-size: 8000KiB
disk-database: yes

################ System Resources ##########################################

[fvazquez@Nodo pilar] system resource> monito
cpu-used: 100
free-memory: 13040

################ Ping FROM Mikrotik to Outside World #######################
[fvazquez@Nodo pilar] > ping http://www.abentus.com
200.62.54.104 64 byte ping: ttl=55 time=275 ms
200.62.54.104 64 byte ping: ttl=55 time=253 ms
200.62.54.104 64 byte ping: ttl=55 time=268 ms
200.62.54.104 64 byte ping: ttl=55 time=248 ms
200.62.54.104 64 byte ping: ttl=55 time=257 ms
200.62.54.104 64 byte ping: ttl=55 time=258 ms
200.62.54.104 64 byte ping: ttl=55 time=278 ms
200.62.54.104 64 byte ping: ttl=55 time=248 ms
200.62.54.104 64 byte ping: ttl=55 time=247 ms
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 247/259.1/278 ms

############## Ping From a PC connected on Mirador Network #################

C:\Documents and Settings\Fernando>ping http://www.abentus.com

Haciendo ping a http://www.abentus.com [200.62.54.104] con 32 bytes de datos:

Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.

Estadísticas de ping para 200.62.54.104:
Paquetes: enviados = 4, recibidos = 0, perdidos = 4
(100% perdidos),

C:\Documents and Settings\Fernando>

############### IPCONFIG /all taken from Mikrotik DHCP-Server #####################

C:\Documents and Settings\Fernando>ipconfig /all

Configuración IP de Windows

Nombre del host . . . . . . . . . : fvazquez
Sufijo DNS principal . . . . . . :
Tipo de nodo . . . . . . . . . . : desconocido
Enrutamiento habilitado. . . . . .: No
Proxy WINS habilitado. . . . . : No

Adaptador Ethernet Conexión de área local :

Sufijo de conexión específica DNS :
Descripción. . . . . . . . . . . : Adaptador Fast Ethernet VIA PCI 10/1
00Mb
Dirección física. . . . . . . . . : 00-0A-E6-D1-15-22
DHCP habilitado. . . . . . . . . : No
Autoconfiguración habilitada. . . : Sí
Dirección IP. . . . . . . . . . . : 192.168.0.10
Máscara de subred . . . . . . . . : 255.255.255.0
Puerta de enlace predeterminada : 192.168.0.1
Servidor DHCP . . . . . . . . . . : 192.168.0.1
Servidores DNS . . . . . . . . . .: 192.168.0.1
200.51.211.7
209.99.224.25
Concesión obtenida . . . . . . . : Lunes, 23 de Enero de 2006 15:27:01
Concesión expira . . . . . . . . .: Martes, 24 de Enero de 2006 15:27:01

C:\Documents and Settings\Fernando>

FOV · January 24, 2006, 6:32pm

Any body can explain to me why is not routing?

Thanks

Hellbound · January 24, 2006, 8:02pm

I think have the same problem like yours, when I disable the hotspot it wil be fine… and it mak mikrotik routeros totaly useless without the hotspot.

any idea is highly appreciated

FOV · January 25, 2006, 12:58pm

Any Help?

GJS · January 25, 2006, 4:55pm

If your CPU is running at 100% continuously, I would suspect a corrupt software installation. I have had this several times. To reload the same software version you have to upload the packages to the router with ftp (binary mode) and use the downgrade command: /system package downgrade.

'Hope that helps.

FOV · January 25, 2006, 7:35pm

Ok, thx for your time, I’ll try this, now,

Fernando

FOV · February 6, 2006, 4:46pm

Guys, no way

I reinstall the soft, and the problem persist

I reset all soft config, and start again, reducing the CPU load, with no policies.

Now, the system is not routing.

Any ideas?

FOV · February 6, 2006, 6:49pm

Upgraded to 2.9.12, WITHOUT any modification, the system is UP now

All rules has been activated, NAT, QUEUES and DHCP’s are enabled.

New web-proxy is working fine

Could be excelent if any guy of support team give some idea of what happends.

THX SUPPORT TEAM, may be the problem was not bigger enoght in order to some of yuo involves on the solution.

Now, the VPN is DOWN I’ll try to resolve this remanent issue.

THX AGAIN, for all your effot.