CCR-1009 crashes when OVPN Client and Firewall enabled

theradioguy · March 9, 2022, 5:27am

I have been experiencing some very problematic behavior with ROS 7.1.3. Whenever I create an OVPN client, add any firewall rules and then try to send a TCP packet over the VPN tunnel, the router crashes and kernel panics. The behavior only seems to occur on the CCR1009 and I have confirmed this is a problem on 2 seperate routers. Other routers (RB2011, HeX) do not exhibit this behavior.

In order to replicate, I take the default configuration, add a dhcp client (to get internet):
/ip dhcp-client add interface=ether2

Add the ovpn client
/interface ovpn-client add certificate=cert_export_client.crt_0 cipher=aes128 connect-to=w.x.y.z mac-address=02:50:2C:A8:2C:C6 name=ovpn-out1 profile=default-encryption protocol=udp user=username password=password

and add a single firewall rule
/ip firewall filter add action=accept chain=input

And then try to telnet to the VPN server (over the VPN):
/system telnet 10.2.1.130 port=179

At this point the router kernel panics, and reboots. I can ping across the tunnel no problem, the issue seems to be limited to TCP packets

If I remove all firewall rules, I am able to telnet to the server without issue. if the firewall rule is disabled (but still present) the same kernel panic happens.

I think this is a fairly serious bug and I have not yet managed to find a workaround (other then removing all firewall rules, which is not possible due to security concerns)

theradioguy · March 12, 2022, 4:06am

As an update to this, the issue seems to occur when connection tracking is enabled (set to on, or auto) in the firewall settings. Unfortunately I need connection tracking enabled on this router to do NAT.

The issue occurs regardless if TCP or UDP protocol is used and regardless of what encryption settings are used on the tunnel

theradioguy · March 12, 2022, 5:28am

A workaround seems to be to add a ‘notrack’ rule to the ‘raw’ firewall table for the ovpn interface:

/ip firewall raw
add action=notrack chain=prerouting in-interface=ovpn-out1
add action=notrack chain=output out-interface=ovpn-out1

Going to run this router overnight and see if it crashes at all

Larsa · March 12, 2022, 8:26am

Report this as a bug to Mikrotik and supply a supout.rif file:
How to report issues in v7 beta
Creating Support Output file

theradioguy · March 12, 2022, 4:24pm

Thanks for the suggestion I have emailed them and will be sending a supout file shortly.

theradioguy · March 12, 2022, 7:02pm

Just to keep posting updates as I find them, Fixing the TCP issue has uncovered a new issue. Any packets that enter through an OVPN interface (all packets, ICMP, TCP, UDP) and try to egress through a bridge interface also cause a kernel panic. Disabling connection tracking has no effect and I have been unable to come up with a workaround.

Hopefully Mikrotik will be able to fix these critical bugs with OVPN on the CCR routers.

oberdansoares · March 14, 2022, 9:00pm

I had the same problem with the update of my CCR1009 to version 7.1.3 “stable” where this failure occurs when I change the ovpn protocol from tcp to udp the routeros crashes and it is necessary to recover via netinstall.

theradioguy · March 22, 2022, 7:47pm

In my case I was able to recover by disconnecting the WAN interface so the tunnel was never able to establish, might be something to try if you need to recover again.

I have received some beta firmware from Mikrotik which solves the firewall issue, and another piece of beta firmware which is supposed to resolve the bridge issue, but I have not tested the second one yet. Hope to do so this weekend.

oberdansoares · March 22, 2022, 9:07pm

I believe it wouldn’t solve, with access via serial it presents a Kernel Panic message and restarts, I’m a little afraid to perform a new update, yesterday the “stable” version 7.1.4 came out, today they released "7.15