RB2011 crashes on UDP /w NAT masq - both 5.x and 6.x

I’m performing throughput testing with iperf on a PC and when testing upstream UDP the router crashes instantly.
When testing downstream UDP, there are no issues.

PC->RB(nat)->Internet
The packet rate I try doesn’t matter; even a few KB/s causes the same issue.

RB has NAT masquerade configured.
Running latest 6.10 sw and latest firmware.

I noticed the same thing on 5.x so that’s why I updated to 6.x.


Routerboard: rb2011uas-2hnd-in

RouterBoard model? RB2011…?
Try the latest 6.11
Remember to upgrade the BIOS [firmware]; the latest is 3.13 on 6.11 [or 3.10 or 3.12 on some models]

If that does not solve the problem, post on the forum the result of

/export > compact

on the terminal.

Remember to remove sensitive data, if any is present!!!

It’s a RB2011UiAS-2HnD-IN with firmware 3.12





# mar/21/2014 20:29:39 by RouterOS 6.10
# software id = GZAT-21EX
#
# NOTE(review): this export was posted publicly. Some values were masked with
# "x" (178.200.47.x, x.net, 2001:470:x::), but the ether10 MAC address, the
# IPsec sa-src-address 178.200.47.137 in the policies and the LCD PIN were
# left unmasked.
/interface bridge
add l2mtu=1598 name=bridge-local protocol-mode=none
add name=loopback protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=\
    ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=\
    ether5-slave-local
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
# ether10 is the WAN/uplink port: it takes the DHCP client, the masquerade
# rule and the final input drop further down.
set [ find default-name=ether10 ] mac-address=28:10:7B:66:1F:63 name=\
    ether10-gateway
set [ find default-name=sfp1 ] disabled=yes
/interface 6to4
add local-address=178.200.47.x name=sit1 remote-address=216.66.80.30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wpa2-aes \
    supplicant-identity=MikroTik
# "wep" profile is 40-bit WEP (static keys). No interface in this export
# references it; wlan1 below uses security-profile=wpa2-aes.
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    static-keys-required name=wep static-algo-0=40bit-wep \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
    frequency=2437 l2mtu=2290 mode=ap-bridge multicast-helper=full \
    security-profile=wpa2-aes ssid=x wireless-protocol=802.11
/ip firewall layer7-protocol
# the dots in this regexp are unescaped, so each one matches any character
# (the pattern is broader than the literal host/zone names suggest).
add name="x.net DNS" regexp=\
    "intr.x.net|[0-9]+.[0-9]+.1.10.in-addr.arpa"
add name=httpvideo regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-\
    9][\\x09-\\x0d -~]*(content-type: video)"
add name=youtube_1 regexp=.*videoplayback.*
add name=ebay-url regexp=.*ebay.com.*
add name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\
    \\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="from http://l7-filter.sourceforge.net/layer7-protocols/protocols/\
    skypetoskype.pat" name=skype regexp="^..\\x02............."
add name=facebook-url regexp=.*facebook.com.*
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
# the default proposal offers only 3DES (a legacy cipher); the policies below
# all use the site2site proposal, which offers AES-128 cbc/ctr.
set [ find default=yes ] enc-algorithms=3des
add enc-algorithms=aes-128-cbc,aes-128-ctr name=site2site
/ip pool
add name=default-dhcp ranges=10.4.0.11-10.4.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local lease-time=\
    1d name=default
/port
set 0 name=serial0
/interface l2tp-client
# three L2TP clients, all with add-default-route=no; the first two are
# protected by the IPsec peers/policies further down (udp/1701 to the same
# addresses), the third (x.x.net) has no matching policy in this export.
add add-default-route=no allow=chap,mschap1,mschap2 connect-to=93.136.120.68 \
    dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1450 max-mtu=\
    1450 mrru=1600 name=l2tp-outgw profile=default-encryption user=gw4
add add-default-route=no allow=chap,mschap1,mschap2 connect-to=88.207.107.231 \
    dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1450 max-mtu=\
    1450 mrru=1600 name=l2tp-outgw2 profile=default-encryption user=gw4
add add-default-route=no allow=chap,mschap1,mschap2 connect-to=\
    x.x.net dial-on-demand=no disabled=no keepalive-timeout=60 \
    max-mru=1420 max-mtu=1420 mrru=disabled name=l2tp-outnagato profile=\
    default-encryption user=gw4
/routing ospf instance
set [ find default=yes ] router-id=172.16.255.4
/interface bridge port
add bridge=bridge-local interface=ether1-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=10.4.0.1/24 comment="default configuration" interface=\
    bridge-local network=10.4.0.0
add address=172.16.255.4/32 interface=loopback network=172.16.255.4
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether10-gateway
/ip dhcp-server network
add address=10.4.0.0/24 comment="default configuration" dns-server=10.4.0.1 \
    domain=x.net. gateway=10.4.0.1 ntp-server=\
    10.4.0.1,161.53.160.4,161.53.160.5
/ip dns
# the router answers DNS for remote sources; the IPv4 input chain has no
# udp/53 rule, so on ether10-gateway such queries reach the final drop.
set allow-remote-requests=yes
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
# IPv4 filtering is input-chain only: there are no chain=forward rules in
# this export, so the dst-nat'd ports (3389, 5001 -> 10.4.0.11) are not
# filtered here. Rules without action= are accepts. There is no catch-all
# drop: the last rule drops only in-interface=ether10-gateway, so traffic
# from every other interface that matches nothing falls through to the
# chain's implicit accept (compare the IPv6 input chain, which ends with an
# unconditional drop).
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
# accepts anything from 10.0.0.0/12 regardless of in-interface
add chain=input src-address=10.0.0.0/12
add chain=input comment="default configuration" protocol=icmp
add chain=input protocol=ipsec-esp
add chain=input protocol=ipsec-ah
add chain=input protocol=ipv6 src-address=216.66.80.98
add chain=input protocol=gre
# L2TP/IPsec (1701, 4500, 500) accepted from any source
add chain=input dst-port=1701 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input dst-port=500 protocol=udp
# udp/5001 (iperf) addressed to the router itself is dropped; the dstnat rule
# below separately forwards udp/5001 arriving on ether10-gateway to 10.4.0.11.
add action=drop chain=input dst-port=5001 protocol=udp
# ssh brute-force staging: successive new tcp/22 connections escalate a source
# through ssh_stage1 -> stage2 -> stage3 (1m each) into ssh_blacklist (5d),
# which is then rejected with a TCP reset. Unlike its IPv6 twin, the stage2
# rule here has no connection-state=new.
add action=reject chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp reject-with=tcp-reset src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=5d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
# ssh, http, https and winbox are accepted from any interface, including
# ether10-gateway, because these rules precede the final drop. /ip service
# below restricts www to 10.0.0.0/12 but sets no address= on www-ssl, and has
# no entry for ssh or winbox.
add chain=input comment="accept ssh connections from anywhere" dst-port=22 \
    protocol=tcp
add chain=input comment="accept connections to http from anywhere" dst-port=\
    80 protocol=tcp
add chain=input comment="accept https connections from anywhere" dst-port=443 \
    protocol=tcp
add chain=input comment="accept winbox connections from anywhere" dst-port=\
    8291 protocol=tcp
add chain=input comment="accept SNMP/trap connections from anywhere" \
    disabled=yes dst-port=161,162 protocol=udp
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=sfp1
# only WAN-side (ether10-gateway) input is dropped by default
add action=drop chain=input comment="default configuration" in-interface=\
    ether10-gateway
/ip firewall nat
# the masquerade the crash report refers to: srcnat on ether10-gateway
# (to-addresses=0.0.0.0 is present on the rule as exported)
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether10-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="RDP to yamato" dst-port=3389 \
    in-interface=ether10-gateway protocol=tcp to-addresses=10.4.0.11
# TESTING!!! rules expose iperf tcp/udp 5001 from the WAN to 10.4.0.11 with
# no IPv4 forward filter in front of them. NOTE(review): together with the
# input drop for udp/5001 above, worth mentioning when sending this to
# support, since the report is about upstream UDP through the masquerade.
add action=dst-nat chain=dstnat comment="iperf to yamato / TESTING!!!" \
    dst-port=5001 in-interface=ether10-gateway protocol=tcp to-addresses=\
    10.4.0.11
add action=dst-nat chain=dstnat comment="iperf to yamato / TESTING!!!" \
    dst-port=5001 in-interface=ether10-gateway protocol=udp to-addresses=\
    10.4.0.11
# LAN udp/53 matching the "x.net DNS" layer7 regexp is redirected to
# 10.1.0.1 (layer7 matching applied in the dstnat chain)
add action=dst-nat chain=dstnat comment="hack for intr.x.net DNS" \
    dst-port=53 in-interface=bridge-local layer7-protocol="x.net DNS" \
    protocol=udp to-addresses=10.1.0.1
/ip ipsec peer
# all three peers have DPD disabled; peer gw is pinned to enc-algorithm=3des
add address=195.154.211.x/32 comment=nagato dpd-interval=disable-dpd
add address=93.136.120.68/32 comment=gw dpd-interval=disable-dpd \
    enc-algorithm=3des
add address=88.207.107.231/32 comment=gw2 dpd-interval=disable-dpd \
    exchange-mode=main-l2tp nat-traversal=yes
/ip ipsec policy
# transport policies protecting udp/1701 (L2TP) to each peer; note the
# unmasked sa-src-address/src-address 178.200.47.137 (masked as
# 178.200.47.x elsewhere in this export)
add comment=gwlink dst-address=195.154.211.x/32 dst-port=1701 \
    proposal=site2site protocol=udp sa-dst-address=195.154.211.101 \
    sa-src-address=178.200.47.137 src-address=178.200.47.137/32
add comment=gw dst-address=93.136.120.68/32 dst-port=1701 proposal=site2site \
    protocol=udp sa-dst-address=93.136.120.68 sa-src-address=178.200.47.137 \
    src-address=178.200.47.137/32
add comment=gw2 dst-address=88.207.107.231/32 dst-port=1701 proposal=\
    site2site protocol=udp sa-dst-address=88.207.107.231 sa-src-address=\
    178.200.47.137 src-address=178.200.47.137/32
/ip service
# telnet, api and api-ssl disabled; ftp and www limited to 10.0.0.0/12.
# www-ssl has no address= restriction while tcp/443 is accepted from any
# source in the input chain above.
set telnet disabled=yes
set ftp address=10.0.0.0/12
set www address=10.0.0.0/12
set www-ssl certificate=cert_1 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=no
/ipv6 address
add address=xxxxxxxxxxx advertise=no interface=sit1
add address=xxxxxxxxxxxxxxx advertise=no interface=bridge-local
/ipv6 firewall filter
# IPv6 input: the connection-state=invalid drop is disabled; the chain ends
# with an unconditional drop. The ssh staging mirrors the IPv4 rules (here
# stage2 also requires connection-state=new).
add action=drop chain=input connection-state=invalid disabled=yes
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input src-address=x::/64
add chain=input src-address=2001:470:x::/64
add chain=input src-address=2001:470:x::/64
# disabled accept-all-UDP rule
add chain=input disabled=yes protocol=udp
add chain=input protocol=icmpv6
add chain=input dst-port=80 protocol=tcp
add chain=input dst-port=1723 protocol=tcp
add chain=input dst-port=8291 protocol=tcp
add action=reject chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp reject-with=tcp-reset src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=5d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=input dst-port=22 protocol=tcp
add action=drop chain=input
# IPv6 forward: udp and icmpv6 are accepted in both directions with no
# source/interface restriction; tcp towards the LAN is limited to identd,
# 3389 and 5001 on ::11 before the final drop.
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add chain=forward connection-state=new src-address=2001:470:x::/64
add chain=forward connection-state=new src-address=2001:470:x::/64
add chain=forward connection-state=new src-address=2001:470:x::/64
add chain=forward protocol=udp
add chain=forward protocol=icmpv6
add chain=forward comment="allow identd" dst-port=113 protocol=tcp
add chain=forward comment="accept connections from outside to ip camera" \
    disabled=yes dst-address=2001:470:x::240:8cff:fea6:157b/128
add chain=forward comment="accept connections from outside to yamato" \
    dst-address=2001:470:x::11/128 dst-port=3389 protocol=tcp
add chain=forward comment="IPERF test" dst-address=2001:470:x::11/128 \
    dst-port=5001 protocol=tcp
add action=drop chain=forward
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=yes hop-limit=64 interface=bridge-local
/ipv6 route
add check-gateway=ping distance=1 dst-address=2000::/3 gateway=\
    2001:470:x:919::1
/lcd
set backlight-timeout=never default-screen=stats
/lcd pin
# NOTE(review): the PIN value is in cleartext in the export regardless of
# hide-pin-number; it should have been masked before posting.
set hide-pin-number=yes pin-number=0606
/lcd interface
set sfp1 interface=sfp1
set ether1-master-local interface=ether1-master-local
set ether2-slave-local interface=ether2-slave-local
set ether3-slave-local interface=ether3-slave-local
set ether4-slave-local interface=ether4-slave-local
set ether5-slave-local interface=ether5-slave-local
set ether6-master-local interface=ether6-master-local
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10-gateway interface=ether10-gateway
set wlan1 interface=wlan1
/routing ospf network
add area=backbone network=10.4.0.0/24
add area=backbone network=172.16.0.0/17
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=gw4
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set l2tp-outnagato disabled=yes display-time=5s
set l2tp-outgw disabled=yes display-time=5s
set l2tp-outgw2 disabled=yes display-time=5s
set bridge-local disabled=yes display-time=5s
set loopback disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ether1-master-local disabled=yes display-time=5s
set ether2-slave-local disabled=yes display-time=5s
set ether3-slave-local disabled=yes display-time=5s
set ether4-slave-local disabled=yes display-time=5s
set ether5-slave-local disabled=yes display-time=5s
set ether6-master-local disabled=yes display-time=5s
set ether7-slave-local disabled=yes display-time=5s
set ether8-slave-local disabled=yes display-time=5s
set ether9-slave-local disabled=yes display-time=5s
set ether10-gateway disabled=yes display-time=5s
set sit1 disabled=yes display-time=5s
/system ntp client
set enabled=yes primary-ntp=161.53.160.4 secondary-ntp=161.53.160.5
/system ntp server
# NTP server enabled with multicast; the IPv4 input chain above has no
# explicit udp/123 rule, so reachability follows the chain's fall-through
# (accepted on LAN-side interfaces, dropped on ether10-gateway).
set enabled=yes multicast=yes
/tool graphing interface
add
/tool graphing resource
add
/tool netwatch
# the schedulers these scripts enable/disable (update_ipsec_dst_gw_sched,
# update_ipsec_dst_gw2_sched) do not appear in this export (there is no
# /system scheduler section).
add comment=gw down-script=\
    "/system scheduler enable update_ipsec_dst_gw_sched" host=172.16.0.13 \
    interval=15s timeout=5s up-script=\
    "/system scheduler disable update_ipsec_dst_gw_sched"
add comment=gw2 down-script=\
    "/system scheduler enable update_ipsec_dst_gw2_sched" host=172.16.0.17 \
    interval=15s timeout=5s up-script=\
    "/system scheduler disable update_ipsec_dst_gw2_sched"
/tool sniffer
# sniffer filter left set on bridge-local and l2tp-outgw (icmp only)
set filter-interface=bridge-local,l2tp-outgw filter-ip-protocol=icmp

Anyone?
Issue still very present…

Steps to reproduce:

  1. have NAT masquerade
  2. initiate UDP upstream LAN->MT->internet (e.g. iperf -c ping.online.net -u -b 100K)
  3. observe crash

Please send it to support@mikrotik.com