CCR1009 & Ubiquiti issues! Need your help experts!!

Hi Mikrotik Experts,
I've had an issue that has been driving me crazy for almost 4 months now! I'll write down the details of my network plus the configuration I'm using now. I really appreciate your help!

A CCR1009-8G-1S-1S+ connected to 2 internet lines (20MB & 30MB), 3 Ubiquiti UniFi APs and 1 normal TP-Link access point; they cover a decent area of the building without interference. We have almost 70 devices connected all the time.

Here's the configuration I'm using:

/interface ethernet
set 0 name=WAN1
set 1 name=WAN2

/interface bridge
add mtu=1500 name=Local-Bridge

/interface bridge port
add bridge=Local-Bridge interface=ether3
add bridge=Local-Bridge interface=ether4
add bridge=Local-Bridge interface=ether5
add bridge=Local-Bridge interface=ether8
add bridge=Local-Bridge interface=ether6
add bridge=Local-Bridge interface=ether7
add bridge=Local-Bridge interface=ether8

/ip address
add address=172.16.0.1/16 broadcast=172.16.255.255 comment="Port 3 To 8" disabled=no interface=Local-Bridge network=172.16.0.0
add address=192.168.1.10/24 broadcast=192.168.1.255 comment="" disabled=no interface=WAN1 network=192.168.1.0
add address=192.168.2.10/24 broadcast=192.168.2.255 comment="" disabled=no interface=WAN2 network=192.168.2.0

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=208.67.222.123,208.67.220.123

/ip pool
add name=dhcp_pool1 ranges=172.16.0.50-172.16.0.254

/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=yes interface=Local-Bridge lease-time=1h name="My DHCP Server"

/ip dhcp-server network
add address=172.16.0.0/16 comment="" dns-server=172.16.0.1 gateway=172.16.0.1
 
/interface vlan
add comment=Maxis interface=WAN1 l2mtu=1584 name=Maxis-VLAN-621 vlan-id=621
add comment=Unifi interface=WAN2 l2mtu=1584 name=Unifi-VLAN-500 vlan-id=500
 
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=Maxis dial-on-demand=no disabled=no interface=Maxis-VLAN-621 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out1 password=2023061 \
profile=default service-name="" use-peer-dns=no user=202306@sme.maxis.com.my
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=Unifi dial-on-demand=no disabled=no interface=Unifi-VLAN-500 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out2 password=5s7smuzM2QNhG \
profile=default service-name="" use-peer-dns=no user=unit19@unifibiz
 

/ip firewall mangle
 
add action=accept chain=prerouting disabled=no in-interface=pppoe-out1
add action=accept chain=prerouting disabled=no in-interface=pppoe-out2
 
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local hotspot=auth new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address=172.16.0.0/16
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local hotspot=auth new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address=172.16.0.0/16

add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes src-address=172.16.0.0/16
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes src-address=172.16.0.0/16
 
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1 src-address=172.16.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2 src-address=172.16.0.0/16
 
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 scope=30 target-scope=10

Once I implemented the configuration, everything was working great: load balancing, hotspot and everything. After a few days people started to have issues, like the internet coming and going every 10 minutes during some parts of the day!

I had programmed the RouterBOARD to shut down every night, and I had a timer cut the electricity to the modems at the same time; they then started again in the morning through the timer.
Some people told me it's not good to shut down the system every day, since this equipment has been made to work 24 hours! So I took the timer off, reset the RouterBOARD, and they were working 24/7 just fine.

The same issue happened again. People don't have stable internet.

Please help!!

Do you have anything unusual in the logs? Like port flapping or PPPoE disconnects? Are you running the latest RouterOS and RouterBOOT versions?

You will have to reproduce the problem yourself and use troubleshooting tools like ping and traceroute to detect which device is the culprit. It may be the CCR, the WAN connections, the APs or even the client device.

Thank you so much for your fast reply. So basically only a few out of the 70 connected users have been disconnected for a few minutes, then they connect again, but sometimes it happens many times a day.

So I just restart both the access points and the server, and then it will be OK for some time. But I am not sure where the problem is in the first place: is it the access points or the RouterBOARD?

For instance, just now 4 users out of the 70 were disconnected, and I see that everything on the server is just fine except for the attached log pic. Then I only restarted the Ubiquiti APs, and it worked just fine!

What RouterOS and RouterBOOT versions are you running?

Judging by the last few lines in your image, it could be a DHCP issue. Is it possible that you have another DHCP server in your network? Perhaps one of the access points has one and is giving wrong addresses to some clients before the CCR does.

The DHCP Server log lines are normal behavior, based on what we see on our v6.x MikroTik equipment.

First, and foremost, you have two URGENT security problems.

  1. Your router is open to the world for remote login attempts. Hence, all those “login failure for user…” messages in the log. You need to modify your INPUT firewall rules to restrict login access to only trusted IP addresses. It’s very important that you use Safe Mode when making this change, so that you don’t inadvertently lock yourself out of the unit.

  2. The configuration file you posted has your PPPoE settings in plain-text, including the passwords. You need to contact your provider(s) and get those passwords changed ASAP.

I’m inferring from your original post that the Ubiquiti and TP-Link access points are accepting connections from regular computers – laptops & such? Are the logs on the access points showing any wireless disconnections around the time that the connected device loses Internet access? Does the MikroTik show any of the routes as disabled when connected devices are losing Internet access?

Your configuration shows “add bridge=Local-Bridge interface=ether8” twice. While I would expect that the MikroTik should ignore/reject the duplicated entry, that’s probably worth cleaning up.

On our network, we have had problems with DNS caching with a max-udp-packet-size of only 512. We changed our /ip dns settings to max-udp-packet-size of 4096 and have had better performance after that. Prior to the change, we would intermittently have some pages not load (seemed to be concentrated around sites that have DNSSEC implemented).
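The following is an added example, not part of DLNoah's reply or of the poster's configuration, showing one way to carry out point 1 above (restricting management access to trusted addresses) on RouterOS v6. It reuses the names from the posted config (Local-Bridge, pppoe-out1, pppoe-out2, 172.16.0.0/16); the remote admin address 203.0.113.10 is a placeholder that must be replaced, and the port list assumes the default service ports. Enter Safe Mode first (Ctrl-X in the terminal, or the Safe Mode button in WinBox) so that the rules are rolled back if the session is lost.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 and the interface names
# and LAN prefix from the posted config; 203.0.113.10 is a placeholder admin address.

# Addresses that may reach the router's management services
/ip firewall address-list
add list=mgmt-allowed address=172.16.0.0/16 comment="LAN behind Local-Bridge"
add list=mgmt-allowed address=203.0.113.10 comment="remote admin IP (placeholder, replace)"

# INPUT chain: traffic addressed to the router itself. Order matters; the final drop must stay last.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to the router's own traffic"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="keep ping/traceroute and check-gateway working"
add chain=input action=accept in-interface=Local-Bridge comment="DNS, DHCP and hotspot login for the LAN"
add chain=input action=accept protocol=tcp dst-port=22,443,8291 src-address-list=mgmt-allowed comment="SSH, HTTPS, WinBox only from trusted addresses"
add chain=input action=add-src-to-address-list address-list=mgmt-probe address-list-timeout=1d protocol=tcp dst-port=21,22,23,80,443,8291,8728 comment="record who is knocking on management ports"
add chain=input action=drop comment="drop everything else arriving at the router (keep last)"

# Reduce the attack surface of the services themselves as well
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www address=172.16.0.0/16
set ssh address=172.16.0.0/16,203.0.113.10/32
set winbox address=172.16.0.0/16,203.0.113.10/32

# Checks after applying (then confirm Safe Mode before leaving it)
/ip firewall filter print chain=input
/ip firewall address-list print where list=mgmt-probe
/log print where message~"login failure"
```

Two caveats that follow from the posted config. First, `/ip dns set allow-remote-requests=yes` means the CCR answers DNS queries on every interface, so without the final input drop it is also an open resolver reachable from both PPPoE links. Second, the remote access mentioned later in the thread goes over plain HTTP (http://121.121.10.5/), which sends the admin password in clear text across the internet; the example leaves `www` reachable from the LAN only (the hotspot login page needs it) and expects remote administration over SSH or WinBox from the listed admin address. The `mgmt-probe` list is only a record of scanning sources; nothing in the example acts on it automatically.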

Judging by the last few lines in your image, it could be a DHCP issue. Is it possible that you have another DHCP server in your network? Perhaps one of the access points has one and is giving wrong addresses to some clients before the CCR does.

Thanks for replying. But actually no, that's not the problem. It happened before via DHCP on the TP-Link AP, but I've disabled it.

Thank you so much DLNoah for your deep observation of the log!

  1. Your router is open to the world for remote login attempts. Hence, all those “login failure for user…” messages in the log. You need to modify your INPUT firewall rules to restrict login access to only trusted IP addresses. It’s very important that you use Safe Mode when making this change, so that you don’t inadvertently lock yourself out of the unit.

I want to know more details on how to do that, because I notice that issue all the time. I am accessing the network via a computer connected directly to the CCR on port 3, and sometimes I access it remotely via http://121.121.10.5/

Your configuration shows “add bridge=Local-Bridge interface=ether8” twice. While I would expect that the MikroTik should ignore/reject the duplicated entry, that’s probably worth cleaning up.

Noted! Anyhow, I wasn't using this port.

I’m inferring from your original post that the Ubiquiti and TP-Link access points are accepting connections from regular computers – laptops & such? Are the logs on the access points showing any wireless disconnections around the time that the connected device loses Internet access? Does the MikroTik show any of the routes as disabled when connected devices are losing Internet access?

Every user in the network has access with two devices only, so most of them use a mobile and a laptop/desktop only.
I also always notice that the number of devices connected to the APs is higher than the number of active users who are using the network, as you can see in the attached pics.

One more thing: I don't understand why there are so many users in the active sessions whose bandwidth is 0/0 for a long time. Do you think it is something related to the keepalive timeout, as I posted in the original post?

The wiki has a number of articles, such as Firewall Filter Rules, that can help for securing your router.

As referenced by emils, we really can’t tell just from your configuration what’s going on. You’re going to need to replicate the problem and gather troubleshooting information:

  1. What exact error messages or other symptoms are showing up for the client when the Internet is “down”?
  2. When the Internet drops, can the client ping the router? Can the client ping an Internet location by IP (such as 8.8.8.8, Google’s DNS)? If you can’t ping, are you getting “Request timed out”, or a specific error?
  3. When the Internet drops, how much total traffic is going out your WAN connections (are you overloaded)? Are your PPPoE sessions disconnecting? Is one or more ports on your router going down during the disconnects?
  4. Is the connection more reliable if you have the clients get their DNS from a public DNS (such as 8.8.8.8, 8.8.4.4) instead of the router’s DNS cache?
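The following is an added example, not from emils' or DLNoah's replies, that turns the questions asked in both posts (PPPoE disconnects, port flapping, route changes, DHCP/hotspot events, and the login failures) into something the router records by itself, so the evidence is there the next time a user reports an outage. It uses the interface names from the posted config; the probe host 8.8.8.8, the one-minute check interval and the disk log sizes are assumptions, and the syntax is RouterOS v6.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 and the names
# pppoe-out1 / pppoe-out2 from the posted config; 8.8.8.8 is an assumed probe host.

# 1. Keep the relevant topics in the in-memory log
/system logging
add topics=pppoe,!debug action=memory comment="PPPoE session up/down"
add topics=interface action=memory comment="ethernet link up/down (port flapping)"
add topics=route action=memory comment="default route changes from check-gateway"
add topics=dhcp,!debug action=memory
add topics=hotspot,info action=memory

# 2. Also write the link events to disk, so a reboot or overnight power cut does not erase them
/system logging action
set disk disk-file-count=10 disk-lines-per-file=2000
/system logging
add topics=pppoe,!debug action=disk
add topics=interface action=disk

# 3. Once a minute, write an explicit warning if either PPPoE client is not running,
#    which gives a timestamped outage window to line up with user complaints and AP logs
/system script
add name=wan-check source=":foreach i in={\"pppoe-out1\";\"pppoe-out2\"} do={ :if (![/interface get \$i running]) do={ :log warning (\$i . \" is down\") } }"
/system scheduler
add name=wan-check interval=1m on-event="/system script run wan-check"

# 4. Probe reachability beyond the router; on failure, record how many default routes were active
/tool netwatch
add host=8.8.8.8 interval=30s timeout=2s \
    down-script=":log warning (\"8.8.8.8 unreachable; active default routes: \" . [:len [/ip route find where dst-address=0.0.0.0/0 and active=yes]])" \
    up-script=":log info \"8.8.8.8 reachable again\""

# 5. Commands to run while a user is reporting an outage
/log print where message~"pppoe|login failure|link down"
/ip route print where dst-address=0.0.0.0/0
/interface pppoe-client monitor pppoe-out1 once
/interface pppoe-client monitor pppoe-out2 once
/ip hotspot active print
/ip hotspot host print
```

Note that netwatch in v6 sends its ping through the main routing table, so with two default routes and check-gateway=ping it only fires when both links (or the main routes) are gone; the per-link state comes from the scheduler script in step 3 and from the pppoe topic. If the log shows the PPPoE sessions and routes steady while a user is down, the problem is on the LAN side (AP, switch or hotspot host entry), which matches the later observation in this thread that rebooting the APs restores service.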

Thank you so much for all of this info! It helped me a lot.

I tried to resolve as much as I could, and by continuing to monitor, everything is quite stable!

I can't understand why DHCP keeps giving this error, as shown in the attached pic.

It seems that something is misconfigured on the hotspot interface.
Do you require login by mac? Are you using internal database or radius for mac authentication?

Please export your hotspot settings with
/ip hotspot export hide-sensitive

It seems that something is misconfigured on the hotspot interface.
Do you require login by mac? Are you using internal database or radius for mac authentication?

Please export your hotspot settings with
/ip hotspot export hide-sensitive

Yes, login by MAC is enabled for a few devices and users.

Here's the hotspot print; I didn't copy all the users.


/ip hotspot profile
add dns-name=Wifi.sols hotspot-address=172.16.0.1 html-directory=solstech \
    login-by=mac,cookie,http-chap mac-auth-password=password name=hsprof1
/ip hotspot
add disabled=no interface=Local-Bridge name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] shared-users=50
add insert-queue-before=first mac-cookie-timeout=1d name="Guest 512K/512K" \
    rate-limit=512K/512K shared-users=50
add insert-queue-before=first mac-cookie-timeout=1d name="Stuff 512K/1M" \
    rate-limit=512K/1M shared-users=2
add insert-queue-before=first mac-cookie-timeout=1d name="Managers 752K/2M" \
    rate-limit=752K/2M shared-users=2
add insert-queue-before=first name="Directors 2M/5M" rate-limit=2M/5M \
    shared-users=4
/ip hotspot user
add disabled=yes name=adam profile="Directors 2M/5M"
add name=jon profile="Managers 752K/2M"
add name=sara profile="Stuff 512K/1M"
add name=ahmed profile="Stuff 512K/1M"
add disabled=yes name=cdoo profile="Guest 512K/512K"
add comment="hieoNew iPhone" name=54:9F:13:8A:CD:65
add comment="jii iMac" name=C8:E0:EB:15:1C:2D
add comment="sara PC" name=C4:6E:1F:00:A6:F3
add name=hwp profile="Stuff 512K/1M"
add name=omar
add name=omar2

Also, what is the best keepalive timeout value?

Hey guys, I really appreciate your wonderful support so far :)

I am counting on your replies to make the system stable and secure.

Appreciate it

Hi Everyone,

It would be helpful if you could help me troubleshoot the problem.

I faced the same issue here.
The same scenario: I am using a CCR and Ubiquiti. At some point the end user is not able to access the internet. We are not even able to ping the user's IP address until we remove them from the hosts list or reboot the Ubiquiti device.

I couldn’t find the root cause.

You said that the UBNT device needs to be rebooted…

Are you using a Ubiquiti switch for the APs also? In some recent testing I found the UniFi switch didn't like me having a hotspot bridge connected to it with RSTP enabled; it would administratively block the port until I toggled it physically. So it would show connected but not pass any traffic.

With that said, my suggestion would be to try disabling RSTP on the hotspot bridge if you only have 1 port connected back to the rest of the network.
