Hi all,
I’m new to MikroTik and have spent the past few months getting to know the basics, but I’m stuck.
I have packet drops between my MikroTik router and the ISP; they say the problem is on our side…
I used traffic-monitor and mtr to narrow the problem down, and it seems to happen only with high bandwidth consumption or many people in the office (12 maximum).
The router also bootloops, but netinstall recovers it. Not sure if the update to 6.46 caused this. (Packet drops are not new.)
# software id = TSG9-S8B9
#
# model = CRS125-24G-1S
# serial number = xxx
# Layer-2 setup: a single bridge (bridge1); ports are attached to it in "/interface bridge port".
/interface bridge
add name=bridge1
# Renames ether1 -> ether1-WAN and ether2 -> ether2-LAN and sets speed=100Mbps on every copper port.
# Only ether1-WAN also has auto-negotiation=no, i.e. it is the one port visibly forced to a fixed speed.
# NOTE(review): if the ISP hand-off port still auto-negotiates, a forced port on this side can end up
# in a duplex mismatch, which typically shows as loss under load -- confirm the ISP port settings.
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no name=ether1-WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-LAN speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
set [ find default-name=ether14 ] speed=100Mbps
set [ find default-name=ether15 ] speed=100Mbps
set [ find default-name=ether16 ] speed=100Mbps
set [ find default-name=ether17 ] speed=100Mbps
set [ find default-name=ether18 ] speed=100Mbps
set [ find default-name=ether19 ] speed=100Mbps
set [ find default-name=ether20 ] speed=100Mbps
set [ find default-name=ether21 ] speed=100Mbps
set [ find default-name=ether22 ] speed=100Mbps
set [ find default-name=ether23 ] speed=100Mbps
set [ find default-name=ether24 ] speed=100Mbps
# sfp1 is given an advertise list covering every rate from 10M-half up to 1000M-full.
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# Declares two interface lists, WAN and LAN; members are assigned in "/interface list member".
# NOTE(review): no rule in the "/ip firewall" sections of this export references either list.
/interface list
add name=WAN
add name=LAN
# Sets supplicant-identity on the default wireless security profile; no wireless interface is
# configured anywhere else in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pool for LAN clients: 192.168.111.2 - 192.168.111.254.
/ip pool
add name=dhcp_pool0 ranges=192.168.111.2-192.168.111.254
# DHCP server dhcp1 hands out dhcp_pool0 on bridge1 with a lease time of 1w3d10m.
# NOTE(review): ether1-WAN is a port of bridge1 (see "/interface bridge port"), so this server
# listens on the ISP-facing segment as well -- confirm that is not intended.
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=1w3d10m name=dhcp1
# Logging action "eyzadmin": an in-memory buffer of 500 lines, used by "/system logging" below.
/system logging action
add memory-lines=500 name=eyzadmin target=memory
# Attaches ether2-LAN, ether3..ether24, sfp1 and also ether1-WAN to bridge1.
/interface bridge port
add bridge=bridge1 interface=ether2-LAN
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=sfp1
# NOTE(review): the ISP uplink joins the same bridge as every LAN port, so the ISP segment and the
# office LAN share one layer-2 broadcast domain. Frames switched inside the bridge presumably never
# reach the "/ip firewall" rules (no use-ip-firewall setting is visible in this export). The usual
# layout keeps the WAN port out of the bridge so that WAN traffic is routed and filtered -- confirm
# whether this membership is intentional.
add bridge=bridge1 interface=ether1-WAN
add bridge=bridge1 interface=ether24
# icmp-rate-limit is exported as 100, so it differs from the RouterOS default.
# NOTE(review): this throttles ICMP generated by the router itself, which presumably includes the
# TTL-exceeded replies mtr relies on for hop 1 -- keep it in mind when reading first-hop loss.
/ip settings
set icmp-rate-limit=100
# Populates the interface lists: ether1-WAN -> WAN, every other port (including sfp1) -> LAN.
# NOTE(review): every member is also a port of bridge1; for bridged ports the firewall presumably
# sees bridge1 as the in-interface, so list-based matching may not work as expected while the WAN
# port stays in the bridge -- confirm before relying on these lists in rules.
/interface list member
add interface=ether1-WAN list=WAN
add interface=ether2-LAN list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp1 list=LAN
# Layer-3 addressing: a static /29 (redacted) on ether1-WAN and 192.168.111.1/24 on ether2-LAN.
# NOTE(review): both interfaces are ports of bridge1 per "/interface bridge port". Addresses bound
# to bridge member ports instead of the bridge itself are a known source of erratic behaviour on
# RouterOS; the LAN address normally sits on bridge1 -- confirm and move it if so.
/ip address
add address=xxx/29 interface=ether1-WAN network=xxx
add address=192.168.111.1/24 interface=ether2-LAN network=192.168.111.0
# A DHCP client also runs on ether1-WAN, next to the static address above and the static default
# route in "/ip route". NOTE(review): confirm with the ISP which of the two is intended; a lease
# could add a second address and default route on the same port.
/ip dhcp-client
add interface=ether1-WAN
# Options handed to LAN clients: gateway 192.168.111.1 and three resolvers (two redacted, 8.8.8.8).
/ip dhcp-server network
add address=192.168.111.0/24 dns-server=xxx,xxx,8.8.8.8 gateway=192.168.111.1
# Resolvers used by the router itself. allow-remote-requests is not in the export, so the router
# is presumably not answering DNS queries for others -- verify.
/ip dns
set servers=xxx,8.8.4.4
# Filter rules, evaluated top-down per chain. The input chain ends in a drop-all; the forward
# chain contains accept/fasttrack rules only and no drop rule.
/ip firewall filter
# Fasttracks established/related forwarded traffic.
# NOTE(review): fasttracked packets skip mangle and queues in RouterOS, so the SIP/RTP marks set in
# "/ip firewall mangle" are presumably not applied to most packets of a connection -- confirm.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Accept EST / REL" connection-state=established,related
add action=accept chain=input comment="Accept EST / REL" connection-state=established,related
# Accepts everything addressed to the router whose source address is in 192.168.111.0/24.
# NOTE(review): the match is on source address only (no in-interface or in-interface-list), and
# ether1-WAN shares bridge1 with the LAN, so a LAN source address does not by itself show that the
# packet entered on a LAN port. Tie this rule to the LAN interface once WAN is out of the bridge.
add action=accept chain=input comment="Accept Input" src-address=192.168.111.0/24
# Same match and action as the forward "Accept EST / REL" rule above, so it is never reached.
add action=accept chain=forward comment="Accept Forward" connection-state=established,related
# Accepts ICMP to the router from one redacted source address.
add action=accept chain=input comment="Accept IMCP from Router" protocol=icmp src-address=xxx
# Default-deny for everything else addressed to the router itself.
add action=drop chain=input comment="Drop all INPUT"
# NOTE(review): nothing here drops connection-state=invalid, and no forward rule drops new
# connections arriving from the WAN side, so LAN hosts are shielded by NAT alone. A forward-chain
# drop for new WAN-originated connections that were not dst-nat'ed is the usual complement.
# Marks VoIP traffic towards a redacted /24: TCP/5060 connections become "sip-connection" (packets
# marked SIP), and new UDP connections with either port in 10000-20000 become "rtp-connection"
# (packets marked RTP).
# NOTE(review): no "/queue" section appears in this export, so nothing visibly consumes the SIP or
# RTP packet marks.
# NOTE(review): the SIP mark matches protocol=tcp while the dst-nat rule in "/ip firewall nat"
# matches udp/5060 -- confirm which transport the phones actually use.
/ip firewall mangle
add action=mark-connection chain=forward dst-address=xxx/24 dst-port=5060 new-connection-mark=sip-connection passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=sip-connection new-packet-mark=SIP passthrough=yes
add action=mark-connection chain=forward connection-state=new dst-address=xxx/24 log-prefix=RTP-Con new-connection-mark=rtp-connection passthrough=yes port=10000-20000 protocol=udp
# log=yes on a packet-mark rule writes a log entry for every matching RTP packet. During calls that
# is presumably a steady per-packet cost on the router CPU and floods the log; drop log=yes once
# debugging is finished.
add action=mark-packet chain=forward connection-mark=rtp-connection log=yes log-prefix=RTP-Packet new-packet-mark=RTP passthrough=yes
# Source NAT: masquerades every connection that passes srcnat.
# NOTE(review): no out-interface (or out-interface-list) restricts the rule to traffic leaving via
# the WAN port, so it is not scoped to Internet-bound traffic.
/ip firewall nat
add action=masquerade chain=srcnat
# Matches any UDP packet to port 5060, regardless of ingress interface or destination address, and
# sets to-ports=5060 without a to-addresses value.
# NOTE(review): as written the rule does not point at an internal host -- confirm what it is meant
# to forward, and scope it with in-interface and dst-address if a port forward is really needed.
add action=dst-nat chain=dstnat dst-port=5060 protocol=udp to-ports=5060
# Static default route via a redacted gateway.
/ip route
add distance=1 gateway=xxx
# Management services: telnet, ftp, api and api-ssl are switched off; www-ssl (WebFig over HTTPS)
# is switched on.
# NOTE(review): www, ssh and winbox do not appear, so they are presumably still at their defaults,
# and no service carries an address= restriction; reachability is limited only by the input chain
# in "/ip firewall filter". No certificate= is shown for www-ssl -- confirm one is assigned.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
# SMB: guests are not allowed and the service is bound to ether2-LAN. enabled= is not exported,
# so SMB is presumably not running -- verify.
/ip smb
set allow-guests=no interfaces=ether2-LAN
# SSH server options.
# NOTE(review): allow-none-crypto=yes lets a client negotiate the "none" cipher, i.e. an SSH
# session without encryption; set allow-none-crypto=no and consider strong-crypto=yes.
# forwarding-enabled=remote permits SSH remote port forwarding through the router; set it to no
# unless it is actually used.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# TFTP access rule for 192.168.1.1, an address outside the 192.168.111.0/24 LAN used elsewhere in
# this export. NOTE(review): looks like a leftover -- confirm or remove.
/ip tftp
add ip-addresses=192.168.1.1
# Traffic Flow export target: NetFlow version 5 to 192.168.111.172, port 1234. No
# "/ip traffic-flow set enabled=yes" line is exported, so the feature itself is presumably off.
/ip traffic-flow target
add dst-address=192.168.111.172 port=1234 version=5
# UPnP: only show-dummy-rule is changed; no UPnP interfaces or enabled= flag are exported.
/ip upnp
set show-dummy-rule=no
# Front-panel LCD shows the statistics slideshow by default.
/lcd
set default-screen=stat-slideshow
# Time zone and router identity.
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=interneyz
# Sends the warning, error and critical topics to the "eyzadmin" action, which
# "/system logging action" defines as a 500-line memory buffer.
# NOTE(review): a memory target does not survive a reboot, so the entries that could explain the
# boot loops are lost each time. Adding a disk or remote (syslog) target would preserve them.
/system logging
add action=eyzadmin topics=warning
add action=eyzadmin topics=error
add action=eyzadmin topics=critical
# NTP client resolving two public pool servers by name.
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org
# Update channel pinned to long-term.
/system package update
set channel=long-term
# Scheduled jobs: BACKUP every 2 weeks at 02:00, Notification every 5 minutes from startup
# (disabled=yes in this export), and an inline "Router Startup" job that waits 60 seconds after
# boot and writes a warning to the log.
# NOTE(review): all three run with the full policy set (ftp, reboot, read, write, policy, test,
# password, sniff, sensitive). The inline startup job only calls :delay and :log, so it needs far
# less; trimming the policies per job limits what a tampered script could do.
/system scheduler
add interval=2w name=BACKUP on-event=BACKUP policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jul/27/2018 start-time=02:00:00
add disabled=yes interval=5m name=Notification on-event=Notification policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
add name="Router Startup" on-event="{\r\
\n:delay 60\r\
\n\r\r\
\n:log warning \"STARTUP one minute ago\"\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
/system script
# Script BACKUP: when the newest "/system history" id differs from the last one it processed, it
# saves a binary backup and a hide-sensitive .rsc export named <identity>-<yyyymmdd>-<hhmmss>,
# e-mails both files to every entry of cfgEmailAddresses, logs an info line and stores the id.
# NOTE(review): "/system backup save" is called without password=. Depending on the RouterOS
# version the resulting .backup may be unencrypted, and a binary backup holds the device
# credentials -- set a backup password and check the "/tool e-mail" transport settings (not part of
# this export) before mailing it.
# NOTE(review): cfgEmailAddresses is {""} here (presumably redacted). The script never deletes the
# files it creates, so they accumulate in router storage.
# NOTE(review): the month loop runs to=[:len monthas], presumably one index past the last array
# element, and the date slicing assumes the "mmm/dd/yyyy" clock format.
# NOTE(review): the script carries the full policy set; check which of ftp, reboot, password and
# sniff it actually needs.
add dont-require-permissions=no name=BACKUP owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{\r\r\
\n# setup mailinfo...\r\r\
\n:global cfgRouterID [/system identity get name]\r\r\
\n:global cfgEmailAddresses {\"\"}\r\r\
\n:global cfgLastProcessedHistoryID\r\r\
\n\r\r\
\n# get cfg history \r\r\
\n:global cfgHistory [:toarray [/system history find]]\r\r\
\n:global cfgLatestHistoryID [:pick \$cfgHistory 0]\r\r\
\n\r\r\
\n# do filename\r\r\
\n:local date [/system clock get date]\r\r\
\n:local monthas [:toarray \"jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,dec\"]\r\r\
\n:local monthad [:toarray \"01,02,03,04,05,06,07,08,09,10,11,12\"]\r\r\
\n\r\r\
\n:local monthc [:pick \$date 0 3]\r\r\
\n:local day [:pick \$date 4 6]\r\r\
\n:local year [:pick \$date 7 11]\r\r\
\n:local month\r\r\
\n\r\r\
\n:for mindex from=0 to=[:len \$monthas] do={\r\r\
\n :if ([:pick \$monthas \$mindex] = \$monthc) do={:set month ([:pick \$monthad \$mindex]) }\r\r\
\n}\r\r\
\n\r\r\
\n:local timestr [/system clock get time]\r\r\
\n:local time ([:pick \$timestr 0 2] . [:pick \$timestr 3 5] . [:pick \$timestr 6 8])\r\r\
\n\r\r\
\n:global backupfilename\r\r\
\n:set backupfilename ([/system identity get name]. \"-\" . \$year . \$month . \$day . \"-\" . \$time)\r\r\
\n\r\r\
\n\r\r\
\n# if cfg has changed process \r\r\
\n:if (\$cfgLastProcessedHistoryID != \$cfgLatestHistoryID) do={\r\r\
\n [/ system backup save name=\$backupfilename]\r\r\
\n :delay 1\r\r\
\n :delay 9 \r\r\
\n [/export hide-sensitive file=(\$backupfilename.\"_AutoExportCFG\".\".rsc\")]\r\r\
\n :delay 1\r\r\
\n :delay 9\r\r\
\n :foreach mail in=\$cfgEmailAddresses do={ [/tool e-mail send to=\$mail subject=\"\$cfgRouterID CFG Export - \$[/system clock get date]\" body=\"CFG attached\" file=(\$backupfilename.\"_AutoExportCFG\".\".rsc\")] }\r\r\
\n :foreach mail in=\$cfgEmailAddresses do={ [/tool e-mail send to=\$mail subject=\"\$cfgRouterID BACKUP - \$[/system clock get date]\" body=\"BACKUP attached\" file=(\$backupfilename.\".backup\")] }\r\r\
\n :log info \"CONF DIFF - Daily Check: -> CFG Export and BACKUP processed and mailed out\"\r\r\
\n :set cfgLastProcessedHistoryID \$cfgLatestHistoryID\r\r\
\n}\r\r\
\n}\r\r\
\n\r\r\
\n"
# Script Notification: reads the ids of all entries in the "eyzadmin" log buffer, walks them from
# newest to oldest until it reaches the id stored in latestmsgpushed, and e-mails the collected
# text in chunks (a chunk is sent once the text exceeds 900 characters, then the remainder).
# NOTE(review): the push loops iterate over pushAddresses, which this script never declares or
# assigns (only emailAddresses is set) -- confirm it is provided elsewhere, otherwise the push
# mails have no recipients.
# NOTE(review): "(addtopics = true)" has no dollar sign in front of addtopics, and the first
# ":if (msgcount > 0) do {" has no "=" after do, unlike every other :if in the script. Both look
# like typos -- verify that the script parses and behaves as intended.
# NOTE(review): the script carries the full policy set although it visibly only reads the log and
# sends mail; its scheduler entry is disabled=yes in this export.
add dont-require-permissions=no name=Notification owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{\r\r\
\n# setup mailinfo\r\r\
\n:global emailAddresses {\"\"}\r\r\
\n\r\r\
\n\r\r\
\n:global routerID \"interneyz\"\r\r\
\n\r\r\
\n# operational parameters\r\r\
\n:global addtopics true\r\r\
\n:global excludetopics4push {\"ipsec;error\";\"ovpn;debug;error\"}\r\r\
\n\r\r\
\n# get msgs and msgcount\r\r\
\n:global msgs [:toarray [/log find buffer=\"eyzadmin\"]]\r\r\
\n\r\r\
\n:global msgcount [:len \$msgs]\r\r\
\n\r\r\
\n# setup vars\r\r\
\n:global latestmsgpushed\r\r\
\n:global latestmsgprocessed\r\r\
\n:global latestmsgid\r\r\
\n:global oldestmsgid\r\r\
\n:global mailtextarray\r\r\
\n:global pushtextarray\r\r\
\n\r\r\
\n:global mailtext\r\r\
\n:global pushtext\r\r\
\n\r\r\
\n# clear vars\r\r\
\n:set latestmsgid\r\r\
\n:set oldestmsgid\r\r\
\n:set pushtext\r\r\
\n:set mailtext\r\r\
\n:set mailtextarray\r\r\
\n:set pushtextarray\r\r\
\n\r\r\
\n\r\r\
\n# start msg processing\r\r\
\n:if (\$msgcount > 0) do {\r\r\
\n :local message\r\r\
\n :local time\r\r\
\n :local msgnum\r\r\
\n :local msgid\r\r\
\n\r\r\
\n :local topics \"\"\r\r\
\n :local msgtopics \"\"\r\r\
\n \r\r\
\n :global latestmsgid [:pick \$msgs (\$msgcount-1)]\r\r\
\n :global oldestmsgid [:pick \$msgs 0]\r\r\
\n :set latestmsgprocessed \$latestmsgid\r\r\
\n\r\r\
\n :local msgnum (\$msgcount-1)\r\r\
\n :local doloop true\r\r\
\n \r\r\
\n :while ((\$msgnum >= 0) and (\$doloop = true)) do={\r\r\
\n :set msgid [:pick \$msgs [:tonum \$msgnum]]\r\r\
\n :if (\$msgid != \$latestmsgpushed) do={\r\r\
\n :set message [/log get \$msgid message]\r\r\
\n :set time [/log get \$msgid time]\r\r\
\n :set topics ([:tostr [/log get \$msgid topics]])\r\r\
\n\r\r\
\n :if (addtopics = true) do={\r\r\
\n :set msgtopics (\" \".\$topics)\r\r\
\n }\r\r\
\n \r\r\
\n :set mailtextarray ((\$time.\$msgtopics.\":\\r\\n\".\$message.\"\\r\\n-\\r\\n\"), \$mailtextarray)\r\r\
\n \r\r\
\n :if ([:len [:find \$excludetopics4push \$topics]] = 0) do={\r\r\
\n :set pushtextarray ((\$time.\$msgtopics.\":\\r\\n\".\$message.\"\\r\\n-\\r\\n\"), \$pushtextarray)\r\r\
\n }\r\r\
\n :set msgnum (\$msgnum - 1)\r\r\
\n } else={ :set doloop false }\r\r\
\n }\r\r\
\n \r\r\
\n :if ([:len \$mailtextarray] != 0) do={\r\r\
\n :set mailtext\r\r\
\n :foreach mailtextelement in=\$mailtextarray do={\r\r\
\n :set mailtext (\$mailtextelement.\$mailtext)\r\r\
\n #check text len, if 900 then stop processing to not reach push msg limit\r\r\
\n :if ([:len \$mailtext] > 900) do={\r\r\
\n :foreach mail in=\$emailAddresses do={ /tool e-mail send to=\$mail subject=(\$routerID) body=(\$mailtext . \"####\") }\r\r\
\n :set mailtext\r\r\
\n :delay 2\r\r\
\n }\r\r\
\n }\r\r\
\n :if ([:len \$mailtext] != 0) do={\r\r\
\n :foreach mail in=\$emailAddresses do={ /tool e-mail send to=\$mail subject=(\$routerID) body=(\$mailtext . \"####\") }\r\r\
\n }\r\r\
\n }\r\r\
\n\r\r\
\n :if ([:len \$pushtextarray] != 0) do={\r\r\
\n :set pushtext\r\r\
\n :foreach pushtextelement in=\$pushtextarray do={\r\r\
\n :set pushtext (\$pushtextelement.\$pushtext)\r\r\
\n #check text len, if 900 then stop processing to not reach push msg limit\r\r\
\n :if ([:len \$pushtext] > 900) do={\r\r\
\n :foreach mail in=\$pushAddresses do={ /tool e-mail send to=\$mail subject=(\$routerID) body=(\$pushtext . \"####\") }\r\r\
\n :set pushtext\r\r\
\n :delay 2\r\r\
\n }\r\r\
\n }\r\r\
\n :if ([:len \$pushtext] != 0) do={\r\r\
\n :foreach mail in=\$pushAddresses do={ /tool e-mail send to=\$mail subject=(\$routerID) body=(\$pushtext . \"####\") }\r\r\
\n }\r\r\
\n }\r\r\
\n\r\r\
\n :set latestmsgpushed \$latestmsgprocessed\r\r\
\n\r\r\
\n}\r\r\
\n}\r\r\
\n\r\r\
\n"
# Bandwidth-test server is switched off (enabled=no).
# NOTE(review): authenticate=no would let unauthenticated clients run tests against the router if
# the server were ever enabled; set authenticate=yes so a later enable is not left open.
/tool bandwidth-server
set authenticate=no enabled=no
# Traffic monitor tmon1 watches ether1-WAN with threshold=0; no on-event script is attached here.
/tool traffic-monitor
add interface=ether1-WAN name=tmon1 threshold=0
############################################## Packets usually drop all along the route
:~$ mtr --report --report-cycles 100 1.1.1.1
HOST: Loss% Snt Last Avg Best Wrst StDev
1.|-- _gateway 0.0% 1000 0.2 0.6 0.2 4.9 0.9
2.|-- xxx 0.2% 1000 2.3 3.7 0.8 34.7 2.9
3.|-- bei-b2-link.telia.net 0.7% 1000 5.8 4.3 0.8 32.2 3.3
4.|-- bei-b2-link.telia.net 0.1% 1000 6.6 4.0 1.4 47.0 2.9
5.|-- cloudflare-ic-323372-bei- 0.3% 1000 10.9 7.1 1.2 41.6 4.4
6.|-- one.one.one.one 0.1% 1000 7.7 3.0 1.0 49.4 2.5