Loopguard

Can you please share that mangle rule and script here?
Thanks.



::::MANGLE RULE::::

# Need to add a mangle rule on all interfaces
/ip firewall mangle
add action=passthrough chain=input comment=Protectionether1 disabled=no \
    dst-address-type=broadcast in-interface=ether1
add action=passthrough chain=input comment=Protectionether2 disabled=no \
    dst-address-type=broadcast in-interface=ether2
add action=passthrough chain=input comment=Protectionether3 disabled=no \
    dst-address-type=broadcast in-interface=ether3
add action=passthrough chain=input comment=Protectionether4 disabled=no \
    dst-address-type=broadcast in-interface=ether4

::::Detect&Disable_Interface_Script::::

# Run every 1 minute. Start at 00:00:00
# For each "Protection*" mangle rule, sample the packet counter twice one second
# apart; if the rate reaches the threshold, disable the matching ethernet port and
# tag its comment so the recovery script can find it. Commands are fully
# qualified so the menu path does not change in the middle of the loop.
:foreach EachMangle in=[/ip firewall mangle find where comment~"Protectionether"] do={
    :local PacketStatus1 [/ip firewall mangle get $EachMangle packets];
    :delay 1s;
    :local PacketStatus2 [/ip firewall mangle get $EachMangle packets];
    :local PacketThreshold ($PacketStatus2 - $PacketStatus1);
    :if ($PacketThreshold >= 4000) do={
        :local InterfaceName [/ip firewall mangle get $EachMangle in-interface];
        :local EthId [/interface ethernet find where name=$InterfaceName];
        :local OldComments [/interface ethernet get $EthId comment];
        /interface ethernet set $EthId disabled=yes comment="LOOPGUARDED:: $OldComments";
        :log error "Loop detected (maybe broadcast storm) on interface, Disabled $InterfaceName";
    }
}

::::Recovery_Interface_Script::::

# Run every 5 minutes. Start at 00:00:10
# Re-enable every port the detect script disabled and restore its original
# comment by stripping the "LOOPGUARDED:: " prefix (14 characters).
:local Prefix "LOOPGUARDED:: ";
:foreach EachEthernet in=[/interface ethernet find where comment~"LOOPGUARDED"] do={
    :local InterfaceName1 [/interface ethernet get $EachEthernet name];
    :local FullComment [/interface ethernet get $EachEthernet comment];
    :local OldComments1 [:pick $FullComment [:len $Prefix] [:len $FullComment]];
    /interface ethernet set $EachEthernet disabled=no comment=$OldComments1;
    :log warning "Recovering Loopguarded interface $InterfaceName1";
}

I also want to say: it's not loopguard, it's just simple broadcast storm protection. As Normis said, loopguard can be done on the switching chip or with the Spanning Tree Protocol of the bridge.
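The post above says the mangle rule has to exist on every interface and that the two scripts run on a one-minute and a five-minute schedule, but it does not show how to generate the rules or the scheduler entries. Here is an added example (my own, not the original poster's code) that creates one counter rule per enabled ethernet interface and adds the two scheduler entries. It assumes the detect and recovery scripts were saved under /system script as `loopguard-detect` and `loopguard-recover` (names chosen here), and it only produces comments the detect script's `comment~"Protectionether"` match will pick up for ports whose names start with "ether".

```routeros
# Added example, not from the original post. Creates the per-port mangle counter
# the detect script looks for (comment "Protection<port>") on every enabled
# ethernet interface, skipping ports that already have one.
:foreach e in=[/interface ethernet find where disabled=no] do={
    :local ifname [/interface ethernet get $e name]
    :local tag ("Protection" . $ifname)
    :if ([:len [/ip firewall mangle find where comment=$tag]] = 0) do={
        /ip firewall mangle add chain=input action=passthrough dst-address-type=broadcast in-interface=$ifname comment=$tag
        :log info "Added broadcast counter rule for $ifname"
    }
}

# Scheduler entries matching the "Run every ..." comments in the scripts above.
# Assumes the two scripts were saved as /system script entries with these names.
/system scheduler add name=loopguard-detect interval=1m start-time=00:00:00 on-event=loopguard-detect
/system scheduler add name=loopguard-recover interval=5m start-time=00:00:10 on-event=loopguard-recover
```

Run it once from the terminal after saving the two scripts. Keep in mind the point made later in the thread: a rule bound to a hardware-switched slave port counts nothing, because those frames never reach the CPU, so on a switch-chip setup the rule has to sit on the master port or the detection has to move to a software bridge.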

Hello, thank you for the idea (and script). I tried to use it on RouterOS 6.5, but it seems "dst-address-type=broadcast" is not working, nothing gets counted…
Can you help me with some advice?
Thank you.

I never tried it on a 6.x version, but it should work. Could you please run the commands below and post your config?

/interface print detail
/ip firewall mangle print detail

For the test, use ether4.

3   S name="ether4-slave-local" default-name="ether4" type="ether" mtu=1500 l2mtu=1588 max-l2mtu=4064 mac-address=D4:CA:6D:CD:FF:67 fast-path=yes



0   ;;; Protect_ether4
     chain=input action=passthrough dst-address-type=broadcast in-interface=ether4-slave-local

What I do:
For SSH and the web interface, connect to ether2.
Make a loop on another switch and connect it to ether4 (fast, 1-3 sec).
Nothing…
But when I use /tool sniffer quick:

ether2...    17.23  11030 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...    17.23  11031 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...    17.23  11032 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...    17.23  11033 <-                                             192.168.3.125:63777                 224.0.0.252:5355                    ip:udp       50
ether2...    17.23  11034 <-                                             fe80::b560:10a1:b419:877a:63777     ff02::1:3:5355                      ipv6:udp     70
ether2...    17.23  11035 <-                                             fe80::b560:10a1:b419:877a:57710     ff02::1:3:5355                      ipv6:udp     70
ether2...    17.23  11036 <-                                             192.168.3.125:57710                 224.0.0.252:5355                    ip:udp       50
ether2...   17.231  11037 <-                                             fe80::b560:10a1:b419:877a:57087     ff02::1:3:5355                      ipv6:udp     70
ether2...   17.231  11038 <-                                             192.168.3.70:138 (netbios-dgm)      192.168.3.255:138 (netbios-dgm)     ip:udp      221
ether2...   17.231  11039 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11040 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11041 <-                                             fe80::b560:10a1:b419:877a:58907     ff02::1:3:5355                      ipv6:udp     70
ether2...   17.231  11042 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11043 <-                                             192.168.3.70:138 (netbios-dgm)      192.168.3.255:138 (netbios-dgm)     ip:udp      221
ether2...   17.231  11044 <-                                             fe80::b183:f8f:c8e9:65fd:62829      ff02::1:3:5355                      ipv6:udp     70
ether2...   17.231  11045 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11046 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11047 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11048 <-                                             192.168.3.125:137 (netbios-ns)      192.168.3.255:137 (netbios-ns)      ip:udp       78
ether2...   17.231  11049 <-                                             192.168.3.125:63777                 224.0.0.252:5355                    ip:udp       50

(yes, it almost "kills" the router and the network)
Does it mean another type of packets?
It seems I do (and understand) something wrong…

Update with new test:
simple marker without filtering

/ip firewall mangle add chain=input action=passthrough comment=loopstorm disabled=no in-interface=ether2-master-local
/ip firewall mangle add chain=input action=passthrough comment=loopstorm disabled=no in-interface=ether6-slave-local

simple script

/ip firewall mangle
:foreach A in=[find comment="loopstorm"] do={:local B1 [get $A packets]; :delay 1s;
:local B2 [get $A packets]; :global TH ($B2 - $B1);
:put [get $A in-interface]; :put $B1; :put $B2; :put $TH;}

shows:
ether6-slave-local
0
0
0
ether2-master-local
8508
8514
6
Why is ether6 empty?

And sniffer:

/tool sniffer quick interface=etherX-slave-local

Nothing caught, only on ether2-master-local.
Please tell me what I am doing wrong.

Because slave interfaces use the hardware for switching, the CPU does not see any packets from them; all packets go to the CPU from the master interface.

Yes. If you use the switching (hardware) feature, the firewall rules don't work. Try to use bridging instead of switching. When you use a bridge, don't forget to set use-ip-firewall=yes, or you can implement those mangle rules in the filter of the bridge itself.

Thank you. I'll try it now.
I will write about the results.

Actually, the CRS crashed and had to be unplugged and plugged back in when I made an L2 loop :)

I had similar problems on a bunch of other RouterBOARDs throughout the years :)

Not working :(

/interface bridge add name=BR1
/interface bridge port add bridge=BR1 interface=ether24-slave-local
/interface bridge settings set use-ip-firewall=yes
/ip address add address=192.168.11.1/24 interface=ether24-slave-local

Mikrotik-24 <–> switch <–> PC_192.168.11.3
Making a loop on the switch.
All pings on the PC froze, the Mikrotik froze…
/tool sniffer quick interface=BR1 still doesn't catch anything…

Can you give me more hints?

Hello again…
That is why I can't catch the "loopstorm":

 /tool sniffer quick interface=eth24
INTERFACE     TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS   DST-ADDRESS    PROTOCOL   SIZE
eth24        6.204    155 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                     802.2        60
eth24         6.21    156 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60
eth24         6.21    157 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60
eth24         6.21    158 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60
eth24         6.21    159 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60
eth24        6.216    160 <-  D4:CA:6D:CD:FF:7B 01:80:C2:00:00:00                                                      802.2        60

01:80:C2:00:00:00 is the destination MAC of the frames from the looped switch, hundreds of packets per second.
How do I mark this?
Maybe there is another way to check high-load activity?
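The replies above explain why the IP mangle counters stayed at zero on this setup: hardware-switched slave ports never hand frames to the CPU, and a storm of frames to 01:80:C2:00:00:00 (the STP BPDU destination) is not IP traffic at all, so `dst-address-type=broadcast` can never match it. Below is an added example (my own, not the original poster's script) that moves the counting to `/interface bridge filter`, which sees Layer 2 frames on a software bridge. It assumes a bridge named BR1 with the watched ethernet ports as bridge ports, RouterOS 6.x, and that bridge filter rules expose a `packets` counter to `get` the way mangle rules do; the comment prefixes and the 4000 frames/s threshold are choices made here.

```routeros
# Added example, not part of the original post. Assumes bridge BR1 with the
# ports to watch added as bridge ports (software bridging, so frames reach the CPU).

# 1. One counting pair per bridge port: L2 broadcast frames, and STP BPDUs
#    (destination 01:80:C2:00:00:00, the MAC from the sniffer output above).
:foreach p in=[/interface bridge port find where bridge=BR1] do={
    :local ifname [/interface bridge port get $p interface]
    :local tagBcast ("StormBcast-" . $ifname)
    :local tagBpdu ("StormBpdu-" . $ifname)
    :if ([:len [/interface bridge filter find where comment=$tagBcast]] = 0) do={
        /interface bridge filter add chain=forward action=passthrough in-interface=$ifname packet-type=broadcast comment=$tagBcast
    }
    :if ([:len [/interface bridge filter find where comment=$tagBpdu]] = 0) do={
        /interface bridge filter add chain=forward action=passthrough in-interface=$ifname dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF comment=$tagBpdu
    }
}

# 2. Detector: save as a /system script and run it from the scheduler every
#    minute. A one-second counter delta at or above $threshold frames/s on
#    either rule disables the ethernet port, tagged with the same
#    "LOOPGUARDED:: " prefix so the recovery script from the post re-enables it.
:local threshold 4000
:foreach r in=[/interface bridge filter find where comment~"^Storm"] do={
    :local before [/interface bridge filter get $r packets]
    :delay 1s
    :local after [/interface bridge filter get $r packets]
    :local pps ($after - $before)
    :if ($pps >= $threshold) do={
        :local ifname [/interface bridge filter get $r in-interface]
        :local eth [/interface ethernet find where name=$ifname]
        :if ([:len $eth] = 1) do={
            :local old [/interface ethernet get $eth comment]
            /interface ethernet set $eth disabled=yes comment="LOOPGUARDED:: $old"
            :log error "Storm on $ifname: $pps frames/s, port disabled"
        }
    }
}
```

Two caveats. If BR1 runs with protocol-mode=rstp, the bridge consumes BPDUs itself, so the BPDU rule on chain=forward will not count them; in that case RSTP is expected to block the looped port on its own, which is the real loopguard this thread keeps pointing at. And on RouterOS versions where bridge ports are hardware-offloaded to the switch chip, frames again bypass the CPU, so these counters only reflect software-bridged traffic. Calibrate the threshold by watching `/interface bridge filter print stats` during normal operation before enabling the disable action.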

How can I control broadcast on my MikroTik router? Please explain it step by step.

This is already implemented in 6.37.3.