Network behind CRS112 unavailable after main power failure

Hi,

I have weird problem in home network, after my main power goes down (UPS shut down) and when main returns, I can not see everything behind CRS112. My main router is RB4011: from rb4011.eth9 goes cable to CRS112.eth2 and I can’t see any problems within router config. One bridge LAN with eth6..eth10 , basic firewall with set to not replay to anything that comes from PPPOE only…
Here is my network:

If I plug cable from my computer to CRS112 then I can see, but I don’t have any network connection router or lan. If I connect CRS112 to any other switch than it’s the same.

If I power off CRS112 for about 30min then power it back on - everything starts to work just perfect (i can see everything behind CRS112 ok). But even if I do factory-reset (which I did) this don’t change anything - i have to leave CRS powered off for some time…

Here is config of CRS112:

[admin@CRS112] > export
# 1970-01-02 00:21:43 by RouterOS 7.10.2
#
# model = CRS112-8G-4S
/interface bridge
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=LAN interface=ether1
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=sfp9
add bridge=LAN interface=sfp10
add bridge=LAN interface=sfp11
add bridge=LAN interface=sfp12
/ip neighbor discovery-settings
set discover-interface-list=all
/ip address
add address=192.168.2.240/24 interface=LAN network=192.168.2.0
/ip dhcp-client
add comment=defconf interface=*D
/ip dns
set servers=192.168.2.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main suppress-hw-offload=no
/ip service
set winbox address=192.168.2.0/24
/system identity
set name=CRS112
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.2.1

(I skipped some parts that I do not want to share (dhcp entries, SSIDs, vpn,…) or not important like CAPsMAN)
Here is my main router RB4011 config:

[admin@ROUTER] > export
# 2023-09-24 18:35:01 by RouterOS 7.10.2
#
# model = RB4011iGS+
/interface bridge
add ingress-filtering=no name=LAN protocol-mode=stp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=DSL
set [ find default-name=ether2 ] name=FIBER
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5
set [ find default-name=ether6 ] name=eth6 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether7 ] name=eth7 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether8 ] name=eth8 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether9 ] name=eth9 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether10 ] name=eth10 poe-out=off
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no disabled=yes rx-flow-control=auto speed=1Gbps tx-flow-control=auto
/interface pppoe-client
add interface=DSL keepalive-timeout=30 name=pppoe-dsl service-name=****** user=******
add add-default-route=yes disabled=no interface=FIBER name=pppoe-netia user=*******
/interface vlan
add interface=LAN name=vlan101 vlan-id=101
/ip pool
add name=dhcp-lan ranges=192.168.2.8-192.168.2.63
add name=openvpn ranges=192.168.2.232/29
/ip dhcp-server
add address-pool=dhcp-lan interface=LAN lease-time=9h name=dhcp-lan
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add bridge=LAN change-tcp-mss=yes dns-server=192.168.2.180 local-address=192.168.2.1 name=OpenVPN remote-address=openvpn
add change-tcp-mss=yes dns-server=192.168.2.1,192.168.2.180 name=profile1 use-encryption=yes
set *FFFFFFFE dns-server=192.168.2.1,192.168.2.180
/queue simple
add disabled=yes max-limit=2M/10M name=Guests target=172.16.30.0/24
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
set 0 memory-lines=20000
/interface bridge port
add bridge=LAN ingress-filtering=no interface=eth6
add bridge=LAN ingress-filtering=no interface=eth7
add bridge=LAN ingress-filtering=no interface=eth8 trusted=yes
add bridge=LAN ingress-filtering=no interface=eth9 trusted=yes
add bridge=LAN interface=eth10 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=profile1 use-ipsec=required
/ip address
add address=192.168.2.1/24 comment=ROUTER interface=LAN network=192.168.2.0
add address=192.168.100.100/24 interface=FIBER network=192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-server
add address-pool=dhcp-lan interface=LAN lease-time=9h name=dhcp-lan
/ip dhcp-server lease
...
/ip dhcp-server network
add address=10.23.139.0/24 dns-server=8.8.8.8 gateway=10.23.139.1
add address=192.168.2.0/24 dns-server=192.168.2.180 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=192.168.2.180
/ip dns static
add address=192.168.2.180 name=pihole
/ip firewall address-list
add address=192.168.2.0/24 list=safe
add address=94.102.56.235 list=PermanentBlackList
add address=82.102.173.71 list=PermanentBlackList
add address=37.195.222.7 list=PermanentBlackList
add address=185.156.177.0/24 list=PermanentBlackList
add address=45.136.108.0/24 list=PermanentBlackList
add address=192.168.1.0/30 disabled=yes list=safe
add address=104.16.248.249 list=dns_doh_block
...
add address=81.29.143.0/24 list=PermanentBlackList
add address=185.156.72.0/24 comment=UA list=PermanentBlackList
add address=195.226.194.0/24 comment=RU list=PermanentBlackList
/ip firewall filter
add action=drop chain=forward comment="Midea ban" disabled=yes dst-address=18.193.57.254 protocol=tcp
add action=drop chain=forward comment="Midea ban" disabled=yes protocol=tcp src-address=18.193.57.254
add action=accept chain=input comment="accept established connection packets" connection-state=established
add action=accept chain=input comment="accept related connection packets" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
add action=accept chain=input comment="Allow access to router from known network (addresses): safe" src-address-list=safe
add action=add-src-to-address-list address-list=black_list_port_scan address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=black_list_port_scan address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list=black_list_port_scan address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list=black_list_port_scan address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=black_list_port_scan address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=black_list_port_scan address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=black_list_port_scan address-list-timeout=2w chain=input comment=\
    "detect port scan connections and add them to black_list_port_scan" log=yes log-prefix=port-scan-detected-blacklist protocol=tcp psd=21,2s,3,1
add action=drop chain=input comment="dropping port scanners" src-address-list=black_list_port_scan
add action=drop chain=input comment="detect and drop port scan connections" log=yes log-prefix=port-scan-detected protocol=tcp psd=21,2s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 log=yes log-prefix=DoS-TARPIT protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=\
    tcp
add action=jump chain=input comment="jump: services" jump-target=services
add action=jump chain=input comment="jump: ICMP" jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=log chain=input disabled=yes log-prefix=Filter:
add action=drop chain=input comment="Block(drop) everything that is not destined to open port, or connection is not init by router" connection-state=\
    !established,related disabled=yes in-interface=pppoe-dsl
add action=drop chain=input comment="Block(drop) everything that is not destined to open port, or connection is not init by router" connection-state=\
    !established,related in-interface=pppoe-netia
add action=drop chain=input comment="Drop anything else" log-prefix=in-drop-
add action=jump chain=forward comment="Go to chain for banning computers access" jump-target=internet_ban
add action=accept chain=ICMP comment="0:0 and limit for 5p/sec" icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Block all ICMP from PermBanList" icmp-options=8:0-255 protocol=icmp src-address-list=PermanentBlackList
add action=drop chain=ICMP comment="Drop PINGs" disabled=yes icmp-options=8:0-255 in-interface=pppoe-dsl limit=3,3:packet log-prefix=PING-DROP-DSL \
    protocol=icmp
add action=drop chain=ICMP comment="Drop PINGs" icmp-options=8:0-255 in-interface=pppoe-netia limit=3,3:packet log-prefix=PING-DROP-DSL protocol=icmp
add action=drop chain=ICMP comment="Drop PINGs from NETIA ROUTER" icmp-options=8:0-255 in-interface=FIBER limit=3,3:packet log-prefix=PING-DROP-DSL \
    protocol=icmp
add action=drop chain=ICMP comment="8:0 and limit for 5pac/s [Ping response] - DROP" icmp-options=8:0-255 limit=5,5:packet log=yes log-prefix=PING-REPL- \
    protocol=icmp src-address-list=!safe
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
add action=return chain=ICMP
add action=accept chain=services comment="accept localhost" dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment="allow MACwinbox " dst-port=20561 in-interface=LAN protocol=udp
add action=accept chain=services comment="Bandwidth server" disabled=yes dst-port=2000 protocol=tcp
add action=accept chain=services comment=" MT Discovery Protocol" dst-port=5678 in-interface=LAN protocol=udp
add action=accept chain=services comment="allow SNMP" dst-port=161 in-interface=LAN protocol=tcp
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add action=accept chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
add action=accept chain=services comment="Allow NTP" dst-port=123 in-interface=LAN protocol=udp
add action=accept chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=yes protocol=gre
add action=accept chain=services comment="allow OpenVPN" dst-port=29734 protocol=tcp
add action=accept chain=services comment="allow DNS request" dst-port=53 in-interface=LAN protocol=tcp
add action=accept chain=services comment="Allow DNS request" dst-port=53 in-interface=LAN protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add action=accept chain=services comment="allow DHCP" dst-port=67-68 in-interface=LAN protocol=udp
add action=accept chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add action=accept chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow BTest server connection" disabled=yes dst-port=2000 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
add action=accept chain=services comment="allow L2TP/IPSec" disabled=yes dst-port=500,1701,4500 protocol=udp
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=accept chain=services comment="Allow remote WinBox IP" disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=services comment="COMPUTER: XXX - xxx" disabled=yes dst-port=20001 protocol=tcp
add action=return chain=services comment="end: SERVICES"
add action=reject chain=internet_ban comment="BAN: PC_NAME internet" disabled=yes reject-with=icmp-net-prohibited src-mac-address=11:22:33:44:55:66
add action=reject chain=internet_ban comment="BAN: HP10 internet" disabled=yes reject-with=icmp-net-prohibited src-mac-address=8C:25:05:A2:FC:B2
add action=reject chain=internet_ban comment="BAN: N10D internet" disabled=yes reject-with=icmp-net-prohibited src-mac-address=6C:2B:59:37:7C:40
add action=return chain=internet_ban comment="END BAN LIST"
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN 2 NAT" out-interface=pppoe-netia
add action=masquerade chain=srcnat comment="OpenPortTemplate [HAIRPIN], dst-addr/port=LAN dev, need dst and src ports SAME." disabled=yes dst-address=192.168.2.2 dst-port=20001 out-interface=LAN protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="DSL Modem response MASQ" dst-address=192.168.100.1 out-interface=FIBER protocol=tcp
add action=dst-nat chain=dstnat dst-address=192.168.2.1 dst-port=10000 protocol=tcp to-addresses=192.168.100.1 to-ports=80 comment="DSL Modem forward to Web Panel"
/ip firewall raw
add action=drop chain=prerouting comment="Permanent Black List" in-interface=pppoe-netia log-prefix=PERM-BAN src-address-list=PermanentBlackList
add action=drop chain=prerouting comment="Temp black list port scan" in-interface=pppoe-netia log-prefix=TEMP-BAN src-address-list=black_list_port_scan
add action=drop chain=prerouting comment="DoH block" in-interface=pppoe-netia log-prefix=TEMP-BAN src-address-list=dns_doh_block
add action=drop chain=prerouting comment="Midea ban" disabled=yes dst-address=18.193.57.254
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=no
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add comment="VPN to clients route" disabled=no dst-address=10.9.8.7/24 gateway=192.168.2.256
/ip service
set telnet disabled=yes
set ftp address=192.168.2.0/24
set www address=192.168.2.0/24
set ssh address=192.168.2.0/24
set api address=192.168.2.0/24
set winbox address=192.168.2.0/24
set api-ssl disabled=yes
/ip smb
set allow-guests=no comment=ROUTER domain=SAPER_HOME interfaces=LAN
/ip upnp
set show-dummy-rule=no
/ip upnp interfaces
add interface=LAN type=internal
add interface=pppoe-dsl type=external
/ppp secret
...
/routing bfd configuration
add disabled=no
/snmp
set enabled=yes location=Home
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Warsaw
/system identity
set name=ROUTER
/system logging
set 0 topics=info,ddns
add topics=route,debug,!calc
add topics=pptp
add disabled=yes topics=pppoe
add topics=ovpn
add topics=caps,error
add disabled=yes topics=certificate,debug
add topics=manager
add topics=debug,store
add topics=info
add topics=caps
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=194.146.251.100
add address=194.146.251.101
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool graphing interface
add allow-address=192.168.2.0/24 interface=LAN
/tool graphing resource
add

One thing that I noticed: I see in bridge/ports that this port with CRS112 get role ‘root port’ , if I disconnect CRS then it move it to eth6 - this cause my computer lose connection for a short moment (I see this by winbox trying to reconnect to rb4011), and role ‘root port’ moves to eth6.

If somebody have some ideas - I’m open for suggestions. For now I bumped up ROS to v7.11.2 in CRS and done a factory-reset too, and after that 30min being powered off it works for now.

I’m not a pro, but a bit of networking I know, at least enough to tinker with Mikrotik/RouterOS…

When a ROS device develops such an inexplicable behaviour, sometimes netinstalling device helps. But beware, restoring previous configuration by using binary backups often taints device again … so after netinstall, configure device manually (you can use text export from previous installation as inspiration).

Which one
CRS and/or RB?

The 2nd is a bit of PITA to reflasah because I have there openvpn server and set-up anew clients will be annoying task to do (but maybe i’ll switch to WG)

maybe I’ll try netinstall on CRS first.

And config I often use only text, beside CRS have not much config anyway so I can click-it-up with mouse (ok, adding all eth to bri is a bit annoying thing to do…)

The way you described the problem and the work around, it seems that CRS is the one misbehaving …

I’m a CLI guy as well … so after netinstalling a device, I use winbox to open up a terminal and then proceed using CLI.