I have a newer CCR2004 (latest revision) and am seeing some strange freezing issues that are presenting and I ultimately noticed in zoom conference sessions as I work from home and manifesting as lost packets/timeouts.

Quick background -

• Newest CCR revision
• Homelab/residential implementation, occurs with only me using the network, while CPU is nearly always below 5%
• CCR is on 7.20.3 rOS and Firmware - occurred also on 7.20.2
• I have 4G symmetrical fiber connection, with mikrotik rj+s10 module in sfp+ 1 as WAN
• I have a 10g trunk going to a CRS305 switch, which serves a nas at 10g, desktop machine at 10g, and a brocade icx 6450 gigabit switch with 10g connection
• No other ports used on CCR2004.
• I have rebuilt the configuration already from scratch, using netinstall to reinstall both ccr and crs, which much less set up on it (no wireguard, minimal firewall rules, etc) - issue still occurs
• I have removed CRS and Brocade switch to isolate to the CCR, still occurs.
• I have used an old netgear nighthawk r7000 router, problem goes away completely.
• Upon rebuild, I tried creating a zoom specific traffic prioritization simple queue, still occurs.
• I also created an interface level cake queue to be able to utilize fasttrack firewall rule, still occurs. Bufferbloat score on waveform test is A+.
• Occurs with no firewall rules running.
• No useful info in log.
• Have tried different SFP+ modules, occurs on all three including Mikrotik branded one.
• Tried clamping the MSS right before posting this (you will see a mangle rule below for this) to see if I had an MTU issue, but doesn’t seem like that’s it either.

How this presents -

• When in zoom, I’m getting periodic freezes in audio/video.

• When this happens, I can see if I’m running a pingplotter from another machine to zoom that I’m getting packet loss at the same time with a lost ping packet. (I know pingplotter can be misleading, however using old router I see absolutely zero packet loss doing the same test from the same endpoint)

• If I ping zoom from the CCR, I also see timeouts at the same time that this happens

• If I look at the queue traffic, as well as WAN/LAN interfaces, I also see it present there with gaps in the traffic graph, where it occurs across ALL interfaces (see attached screenshot for the blank line almost in middle) - note that this blank line in the graphs does not show as tx/rx drops or errors in either interface.

  

  Screenshot 2025-12-01 1327471482×1086 43.3 KB

image1806×418 129 KB

Config Export - (not sure why some text got bigger, sorry!)

2025-12-01 14:29:18 by RouterOS 7.20.3

software id = 11HY-RQZL

model = CCR2004-1G-12S+2XS

serial number = XXXXXXXXX

/interface bridge
add name=LAN_BRIDGE
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment=WAN name=sfp-sfpplus1-WAN
set [ find default-name=sfp-sfpplus10 ] comment="TRUNK TO CRS" name=sfp-sfpplus10-TRUNK
/interface list
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.0.20-192.168.0.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN_BRIDGE lease-time=8h name=dhcp1
/port
set 0 name=serial0
/queue type
add cake-bandwidth=4.0Gbps cake-diffserv=diffserv4 cake-nat=yes cake-overhead=18 cake-rtt-scheme=internet kind=cake name=Cake-Up
add cake-bandwidth=4.0Gbps cake-diffserv=diffserv4 cake-overhead=18 cake-rtt-scheme=internet kind=cake name=Cake-Dn
/queue interface
set sfp-sfpplus1-WAN queue=Cake-Up
set sfp-sfpplus2 queue=Cake-Dn
set sfp-sfpplus3 queue=Cake-Dn
set sfp-sfpplus4 queue=Cake-Dn
set sfp-sfpplus5 queue=Cake-Dn
set sfp-sfpplus6 queue=Cake-Dn
set sfp-sfpplus7 queue=Cake-Dn
set sfp-sfpplus8 queue=Cake-Dn
set sfp-sfpplus9 queue=Cake-Dn
set sfp-sfpplus10-TRUNK queue=Cake-Dn
set sfp-sfpplus11 queue=Cake-Dn
set sfp-sfpplus12 queue=Cake-Dn
set sfp28-1 queue=Cake-Dn
set sfp28-2 queue=Cake-Dn
/queue simple

CAKE type with bandwidth setting detected, configure traffic limits within queue itself

add disabled=yes max-limit=4G/4G name=Parent_Queue queue=Cake-Up/Cake-Dn target=192.168.0.0/24

CAKE type with bandwidth setting detected, configure traffic limits within queue itself

add disabled=yes max-limit=500M/500M name=Zoom-Queue packet-marks=Zoom-Packets parent=Parent_Queue priority=1/1 queue=Cake-Up/Cake-Dn target=192.168.0.0/24

CAKE type with bandwidth setting detected, configure traffic limits within queue itself

add disabled=yes max-limit=3500M/3500M name=Other-Queue packet-marks=no-mark parent=Parent_Queue queue=Cake-Up/Cake-Dn target=192.168.0.0/24
/interface bridge port
add bridge=LAN_BRIDGE interface=sfp-sfpplus2
add bridge=LAN_BRIDGE interface=sfp-sfpplus3
add bridge=LAN_BRIDGE interface=sfp-sfpplus4
add bridge=LAN_BRIDGE interface=sfp-sfpplus5
add bridge=LAN_BRIDGE interface=sfp-sfpplus6
add bridge=LAN_BRIDGE interface=sfp-sfpplus7
add bridge=LAN_BRIDGE interface=sfp-sfpplus8
add bridge=LAN_BRIDGE interface=sfp-sfpplus9
add bridge=LAN_BRIDGE interface=sfp-sfpplus10-TRUNK
add bridge=LAN_BRIDGE interface=sfp-sfpplus11
add bridge=LAN_BRIDGE interface=sfp-sfpplus12
add bridge=LAN_BRIDGE interface=sfp28-1
add bridge=LAN_BRIDGE interface=sfp28-2
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=LAN_BRIDGE list=LAN
/ip address
add address=192.168.0.1/24 interface=LAN_BRIDGE network=192.168.0.0
/ip dhcp-client
add default-route-tables=main interface=sfp-sfpplus1-WAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.0.35 mac-address=DC:0E:A1:69:43:02
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=192.168.0.35
/ip firewall address-list
add address=192.168.0.0/24 list=ALLOWED_HOSTS
add address=3.7.35.0/25 list=Zoom
add address=3.235.82.0/23 list=Zoom
add address=3.235.96.0/23 list=Zoom
add address=4.34.125.128/25 list=Zoom
add address=4.35.64.128/25 list=Zoom
add address=8.5.128.0/23 list=Zoom
add address=15.220.80.0/24 list=Zoom
add address=15.220.81.0/25 list=Zoom
add address=18.254.23.128/25 list=Zoom
add address=18.254.61.0/25 list=Zoom
add address=20.203.158.80/28 list=Zoom
add address=20.203.190.192/26 list=Zoom
add address=50.239.202.0/23 list=Zoom
add address=50.239.204.0/24 list=Zoom
add address=52.61.100.128/25 list=Zoom
add address=64.125.62.0/24 list=Zoom
add address=64.211.144.0/24 list=Zoom
add address=64.224.32.0/19 list=Zoom
add address=65.39.152.0/24 list=Zoom
add address=69.174.57.0/24 list=Zoom
add address=69.174.108.0/22 list=Zoom
add address=101.36.167.0/24 list=Zoom
add address=101.36.170.0/23 list=Zoom
add address=103.122.166.0/23 list=Zoom
add address=111.33.115.0/25 list=Zoom
add address=111.33.181.0/25 list=Zoom
add address=115.110.154.192/26 list=Zoom
add address=115.114.56.192/26 list=Zoom
add address=115.114.115.0/26 list=Zoom
add address=115.114.131.0/26 list=Zoom
add address=120.29.148.0/24 list=Zoom
add address=121.244.146.0/27 list=Zoom
add address=134.224.0.0/16 list=Zoom
add address=137.66.128.0/17 list=Zoom
add address=144.195.0.0/16 list=Zoom
add address=147.124.96.0/19 list=Zoom
add address=149.137.0.0/17 list=Zoom
add address=156.45.0.0/17 list=Zoom
add address=159.124.0.0/16 list=Zoom
add address=160.1.56.128/25 list=Zoom
add address=161.199.136.0/22 list=Zoom
add address=162.12.232.0/22 list=Zoom
add address=162.255.36.0/22 list=Zoom
add address=165.254.88.0/23 list=Zoom
add address=166.108.64.0/18 list=Zoom
add address=168.140.0.0/17 list=Zoom
add address=170.114.0.0/16 list=Zoom
add address=173.231.80.0/20 list=Zoom
add address=192.204.12.0/22 list=Zoom
add address=198.251.128.0/17 list=Zoom
add address=202.177.207.128/27 list=Zoom
add address=203.200.219.128/27 list=Zoom
add address=204.80.104.0/21 list=Zoom
add address=204.141.28.0/22 list=Zoom
add address=206.247.0.0/16 list=Zoom
add address=207.226.132.0/24 list=Zoom
add address=209.9.211.0/24 list=Zoom
add address=209.9.215.0/24 list=Zoom
add address=213.19.144.0/24 list=Zoom
add address=213.19.153.0/24 list=Zoom
add address=213.244.140.0/24 list=Zoom
add address=221.122.63.0/24 list=Zoom
add address=221.122.64.0/24 list=Zoom
add address=221.122.88.64/27 list=Zoom
add address=221.122.88.128/25 list=Zoom
add address=221.122.89.128/25 list=Zoom
add address=221.123.139.192/27 list=Zoom
add address=192.168.0.0/24 list=LanBridge
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack established connections" hw-offload=yes
add action=accept chain=input src-address-list=ALLOWED_HOSTS
add action=drop chain=input connection-state=!established
/ip firewall mangle
add action=add-dst-to-address-list address-list=Zoom address-list-timeout=4d chain=prerouting comment="Zoom TCP Add new server to zoom address list" disabled=yes dst-port=
3478,3479,5090,5091,8801-8810 protocol=tcp
add action=add-dst-to-address-list address-list=Zoom address-list-timeout=4d chain=prerouting comment="Zoom UDP Add new server to zoom address list" disabled=yes dst-port=
3478,3479,5090,5091,8801-8810 protocol=udp
add action=mark-connection chain=prerouting comment="Zoom Mark connections to zoom servers - TCP" disabled=yes dst-address-list=Zoom dst-port=3478,3479,5090,5091,8801-8810
new-connection-mark=Zoom-Connection protocol=tcp
add action=mark-connection chain=prerouting comment="Zoom Mark connections to zoom servers - UDP" disabled=yes dst-address-list=Zoom dst-port=3478,3479,5090,5091,8801-8810
new-connection-mark=Zoom-Connection protocol=udp
add action=mark-connection chain=prerouting comment="Zoom Mark connections to zoom servers - HTTPS" disabled=yes dst-address-list=Zoom dst-port=80,443 new-connection-mark=
Zoom-Connection protocol=tcp
add action=mark-packet chain=prerouting comment="Zoom - Mark Zoom Packets" connection-mark=Zoom-Connection disabled=yes new-packet-mark=Zoom-Packets passthrough=no
add action=change-ttl chain=postrouting comment="TTL set" disabled=yes new-ttl=set:64 out-interface=sfp-sfpplus1-WAN
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=sfp-sfpplus1-WAN protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1-WAN
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
/system clock
set time-zone-name=America/Denver
/system identity
set name=CCR
/system ntp client
set enabled=yes
/system ntp client servers
add address=us.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN

One other item to point out - these packet losses/timeouts can be observed no matter what I am pinging. I see them also pinging 8.8.8.8, and I have zoom freezing when those timeouts are seen in the ping utility as well, so it’s not a zoom issue I don’t think, that’s just what got me to notice this issue overall.

I believe this to be a hardware issue. I replaced the CCR2004 with an RB4011 I have on hand and configured the same, and since it has an SFP+ port I was able to swap the same two cables (Cat6 WAN cable, and SFP+ DAC trunk to my CRS and Brocade switches), keeping the exact same cabling in place to rule them out as a cause.

RB4011 did over 2k pings without a lost one, where the CCR would have lost 20-40 of those and service interrupted. Today during work, no zoom issues all day. I will update when I replace with a new CCR just to close it out in case someone else runs into this.

Well, I got a different CCR2004, and it does absolutely the same thing with barebones config and stock firmware.

I am beginning to believe this is a hardware issue with ALL CCR2004s, at least revision 4s.

Both my RB4011, old Netgear r7000 running tomato, and my ISP router they provided do not have this issue. How frustrating!

I’ve recorded a video of this issue so that I can send to Mikrotik, posting in case this may help others troubleshoot the same issue -

https://www.youtube.com/watch?v=qm2jXH2GFlc