RB5009 troubles with USB disk/SMB sharing

Since updating my RB5009 to ROS 7.11 (from 7.4) I have been experiencing random outages where the router will just crash: traffic stops flowing, and I have to hard power-cycle it to get back in. It does apparently keep logging some of the time, though, at least according to the logs.

I noticed this started showing up in the logs after the update:

RB5009 _err: cannot connect to invalid share SSD

Even though it was working fine from remote nodes.

So I removed the SSD drive that was plugged into the USB port and disabled SMB shares. This was not critical and I can live without it, but I have yet to find the root cause of the crashing. Today it was down most of the day, however it was logging from about 2pm today to now (4:40pm). So it’s like all the ports just stop working. The SFP uplink is connected to a CRS317 switch, and another POE CRS112 that powers the cameras and a CAP. No issues on the switches that I can see.

Just kind of odd, as this setup has been VERY solid for the past year and a half or so. Not sure if there may be a bug in 7.11 with disk sharing? or maybe the drive died. Will keep it unplugged with SMB sharing off for now and see how it does.

Update: Just as I was posting this it died again…

For reference here is the config: (as it was during the condition)

# 2023-08-24 16:11:59 by RouterOS 7.11
# software id = GJYP-PF1L
#
# model = RB5009UG+S+
# serial number = xxxxxxxxxx
# Layer-2 base: a single VLAN-aware bridge (vlan-filtering=yes). protocol-mode=none
# turns (R)STP off on it, so the bridge itself will not detect or break a switching loop.
# NOTE(review): loop protection is then left to the attached switches - worth confirming
# while chasing an "all ports stop passing traffic" symptom.
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
# Physical ports. ether1 is labelled EPB-GIG and is the only member of the WAN interface
# list later in this export; ether5 and the SFP+ port are labelled as trunks.
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full,2500M-full comment=EPB-GIG
set [ find default-name=ether5 ] comment=Trunk
set [ find default-name=sfp-sfpplus1 ] comment=Trunk
# WireGuard endpoint listening on UDP 13231. No private key appears in the export as posted.
/interface wireguard
add listen-port=13231 mtu=1420 name=MikroTik-WG
# One routed VLAN interface per segment, all on top of the bridge:
# 10 Users, 20 CCTV, 30 Guest, 40 IoT, 50 SRV, 99 MGMT.
/interface vlan
add comment=Users interface=bridge name=VLAN10 vlan-id=10
add comment=CCTV interface=bridge name=VLAN20 vlan-id=20
add comment=Guest interface=bridge name=VLAN30 vlan-id=30
add comment=IoT interface=bridge name=VLAN40 vlan-id=40
add comment=SRV interface=bridge name=VLAN50 vlan-id=50
add comment=MGMT interface=bridge name=VLAN99 vlan-id=99
# CAPsMAN security profiles: both use WPA2-PSK with AES-CCM. The passphrases are not
# part of the export as posted.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
add authentication-types=wpa2-psk encryption=aes-ccm name=Guest
# CAPsMAN radio configurations. Trusted-WLAN tags client traffic with VLAN 10 and sets
# datapath local-forwarding=no; Guest-WLAN tags with VLAN 30 and does not set
# local-forwarding explicitly.
# NOTE(review): tagging guests into VLAN 30 separates them at layer 2 only; what they can
# reach at layer 3 is decided by the forward chain in /ip firewall filter.
/caps-man configuration
add country="united states" datapath.bridge=bridge .local-forwarding=no .vlan-id=10 .vlan-mode=use-tag distance=indoors installation=indoor mode=ap name=Trusted-WLAN \
    security=security1 security.authentication-types=wpa2-psk .encryption=aes-ccm ssid=Mikrotik-2
add country="united states" datapath.bridge=bridge .vlan-id=30 .vlan-mode=use-tag distance=indoors installation=indoor name=Guest-WLAN security=Guest ssid=MT-Guest
# Disk entry usb1 - presumably the USB-attached SSD described in the post (confirm).
/disk
set usb1 type=hardware
# Interface lists. In this export only WAN and VLAN are referenced by firewall/NAT rules;
# LAN and MGMT are populated further down but no filter or NAT rule matches on them.
/interface list
add comment=DJ name=WAN
add comment=DJ name=LAN
add comment=DJ name=VLAN
add comment=DJ name=MGMT
# Default wireless security profile; only the supplicant identity is set here.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools, one per segment plus one for ether8 (192.168.120.0/24) and one for VPN.
/ip pool
add name=dhcp_pool1 ranges=192.168.120.2-192.168.120.254
add comment=MGMT name=VLAN99_POOL ranges=192.168.0.50-192.168.0.240
add comment=Users name=VLAN10_POOL ranges=192.168.1.15-192.168.1.220
add comment=CCTV name=VLAN20_POOL ranges=192.168.2.10-192.168.2.240
add comment=Guest name=VLAN30_POOL ranges=192.168.3.10-192.168.3.240
add name=vpn-pool ranges=192.168.5.10-192.168.5.25
add comment=SRV name=VLAN50_POOL ranges=192.168.50.60-192.168.50.240
add comment=IoT name=VLAN40_POOL ranges=192.168.4.10-192.168.4.240
# DHCP servers, all with a 10-minute lease. dhcp1 serves ether8, which is not a bridge
# port in this export. vpn-DHCP is disabled.
# NOTE(review): VLAN40_DHCP hands out 192.168.4.x leases, but /ip dhcp-server network
# below has no 192.168.4.0/24 entry, so those clients may get no gateway/DNS options -
# confirm whether that is intended.
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether8 lease-time=10m name=dhcp1
add address-pool=VLAN10_POOL interface=VLAN10 lease-time=10m name=VLAN10_DHCP
add address-pool=VLAN20_POOL interface=VLAN20 lease-time=10m name=VLAN20_DHCP
add address-pool=VLAN30_POOL interface=VLAN30 lease-time=10m name=VLAN30_DHCP
add address-pool=VLAN99_POOL interface=VLAN99 lease-time=10m name=VLAN99_DHCP
add address-pool=vpn-pool disabled=yes interface=bridge lease-time=10m name=vpn-DHCP
add address-pool=VLAN50_POOL interface=VLAN50 lease-time=10m name=VLAN50_DHCP
add address-pool=VLAN40_POOL interface=VLAN40 lease-time=10m name=VLAN40_DHCP
# Logging action 3 ships logs in BSD syslog format to 192.168.50.35 port 5140 (the host
# named Graylog in the static DNS table).
# NOTE(review): remote syslog crosses the SRV VLAN unencrypted and best-effort -
# presumably UDP, confirm; messages sent while forwarding is down will simply be lost.
/system logging action
set 3 bsd-syslog=yes remote=192.168.50.35 remote-port=5140 syslog-facility=syslog
/caps-man manager
set enabled=yes
# CAPsMAN manager is forbidden on the default (all) entry and then explicitly allowed on
# ether4, ether5, VLAN10 and VLAN30.
# NOTE(review): VLAN30 is the Guest segment and ether4 is the CCTV access port; if no CAP
# is expected to join from those, dropping them narrows who can talk to the manager.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=VLAN10
add disabled=no interface=VLAN30
# Provisioning: the active rule has no radio match criteria, so any CAP that joins is given
# Trusted-WLAN as master with Guest-WLAN as slave. The second rule is disabled.
# NOTE(review): the export shows no certificate requirement on the manager - confirm
# whether CAP authentication by certificate is wanted here.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Trusted-WLAN slave-configurations=Guest-WLAN
add action=create-dynamic-enabled disabled=yes master-configuration=Guest-WLAN
# Bridge ports. The SFP+ port and ether5-7 are trunks that accept tagged frames only;
# ether2/ether3 are untagged access ports in VLAN 10 and ether4 in VLAN 20 (CCTV).
# ether1 (WAN) and ether8 are not bridge members.
/interface bridge port
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge comment=Access frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=Access frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=Access frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
# Connection tracking is forced on (needed by the NAT and connection-state rules).
/ip firewall connection tracking
set enabled=yes
# Neighbor discovery runs on every interface that is not dynamic, which includes ether1.
# NOTE(review): discovery packets advertise the router's identity and software details;
# limiting this to an internal list keeps that off the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Bridge VLAN table. Every VLAN is tagged on the bridge (CPU port) and on all four trunks;
# VLAN 10 is untagged on ether2/ether3 and VLAN 20 on ether4. VLANs 30, 40, 50 and 99
# exist on trunks only.
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether5,ether6,ether7 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether5,ether6,ether7 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether5,ether6,ether7 untagged=ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether5,sfp-sfpplus1,ether6,ether7 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether7,ether6,ether5 vlan-ids=40
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether7,ether6,ether5 vlan-ids=50
# Internet detection is limited to members of the WAN list.
/interface detect-internet
set detect-interface-list=WAN
# List membership. WAN = ether1. LAN = the bridge plus the WireGuard interface.
# MGMT = VLAN99. VLAN = VLAN10, 20, 30, 40 and 50.
# NOTE(review): Users, CCTV, Guest, IoT and SRV all share the one VLAN list, so any rule
# that matches in-interface-list=VLAN treats guest and IoT clients the same as users.
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=VLAN99 list=MGMT
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN40 list=VLAN
add interface=MikroTik-WG list=LAN
add interface=VLAN50 list=VLAN
# WireGuard peers, each pinned to a single /32 inside 192.168.5.0/24. Public keys were
# masked by the poster; no preshared key appears in the export as posted.
/interface wireguard peers
add allowed-address=192.168.5.11/32 comment=Moto-G interface=MikroTik-WG public-key="xxxxx="
add allowed-address=192.168.5.12/32 comment=X13 interface=MikroTik-WG public-key="xxxxx="
add allowed-address=192.168.5.13/32 comment=UMPC interface=MikroTik-WG public-key="xxxxxs="
# Router addresses: .1 on each VLAN interface, on ether8 and on the WireGuard interface.
/ip address
add address=192.168.120.1/24 interface=ether8 network=192.168.120.0
add address=192.168.0.1/24 interface=VLAN99 network=192.168.0.0
add address=192.168.1.1/24 interface=VLAN10 network=192.168.1.0
add address=192.168.2.1/24 interface=VLAN20 network=192.168.2.0
add address=192.168.3.1/24 interface=VLAN30 network=192.168.3.0
add address=192.168.5.1/24 interface=MikroTik-WG network=192.168.5.0
add address=192.168.50.1/24 interface=VLAN50 network=192.168.50.0
add address=192.168.4.1/24 interface=VLAN40 network=192.168.4.0
# WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add comment=DJcfg interface=ether1
# Options handed to DHCP clients. MGMT, LAN and CCTV get the router plus 192.168.50.50 as
# resolvers; Guest gets only the public resolver 1.1.1.1; SRV gets only 192.168.50.50.
# NOTE(review): there is no entry for 192.168.4.0/24 (IoT) although a DHCP server is
# defined on VLAN40 - confirm whether those clients are meant to receive a gateway.
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,192.168.50.50 domain=example1.com gateway=192.168.0.1
add address=192.168.1.0/24 comment=LAN dns-server=192.168.1.1,192.168.50.50 domain=example1.com gateway=192.168.1.1 ntp-server=192.168.1.1
add address=192.168.2.0/24 comment=CCTV dns-server=192.168.2.1,192.168.50.50 domain=example1.com gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=1.1.1.1 gateway=192.168.3.1
add address=192.168.50.0/24 dns-server=192.168.50.50 domain=example1.lan gateway=192.168.50.1
add address=192.168.120.0/24 gateway=192.168.120.1
# The router acts as a DNS resolver for clients (allow-remote-requests=yes) and forwards
# to 192.168.50.50. With this setting the resolver answers on every interface the input
# chain lets through; this export drops port 53 arriving on ether1 in /ip firewall filter.
# NOTE(review): keep those WAN drops in place for as long as allow-remote-requests is on,
# otherwise the router becomes an open resolver.
/ip dns
set allow-remote-requests=yes servers=192.168.50.50
# Static records: internal names plus split-horizon entries that point the public
# hostnames at their internal addresses.
/ip dns static
add address=192.168.50.50 name=pihole
add address=192.168.0.10 name=M920.example1.com
add address=192.168.1.245 name=cctv
add address=192.168.0.1 name=router
add address=192.168.0.2 name=switch
add address=192.168.0.3 name=poe-switch
add address=192.168.1.248 name=sip
add address=192.168.50.20 name=www.example2.com
add address=192.168.50.22 name=mail.example2.com
add address=192.168.50.20 name=example2.com
add address=192.168.50.20 name=www.example1.com
add address=192.168.50.35 name=Graylog
add address=192.168.50.22 name=mail.example3.us
add address=192.168.50.22 name=mail.example1.com
add address=192.168.50.20 name=cloud.example1.com
add address=192.168.0.22 name=xoa.example1.com
add address=192.168.0.14 name=xen1.example1.com
add address=192.168.0.16 name=xen2.example1.com
add address=192.168.50.10 name=lxd1
add address=192.168.50.11 name=lxd2
add address=192.168.50.22 name=mailadmin.example1.com
add address=192.168.50.20 name=docs.example1.com
add address=192.168.50.136 name=test.example1.com
add address=192.168.50.127 name=lamp3
add address=192.168.50.32 name=meet.example1.com
add address=192.168.50.32 name=turn.example1.com
# Static blocklist named CobaltStrike, matched by the two forward-chain drop rules in
# /ip firewall filter. Entries are added by hand with no timeout, so they stay until
# removed. Most are single hosts; the last three are whole /24 networks, and one entry
# carries its own comment.
# NOTE(review): where these indicators came from and when is not recorded here. Address
# indicators age quickly as hosts are reassigned, so a list like this needs a documented
# source and periodic refresh (or per-entry timeouts) to stay meaningful.
/ip firewall address-list
add address=47.96.64.138 list=CobaltStrike
add address=114.132.229.76 list=CobaltStrike
add address=1.12.241.17 list=CobaltStrike
add address=45.63.90.109 list=CobaltStrike
add address=23.224.177.147 list=CobaltStrike
add address=106.55.51.55 list=CobaltStrike
add address=74.119.192.230 list=CobaltStrike
add address=23.224.177.148 list=CobaltStrike
add address=83.97.20.104 list=CobaltStrike
add address=198.2.253.142 list=CobaltStrike
add address=50.112.32.141 list=CobaltStrike
add address=111.229.90.183 list=CobaltStrike
add address=139.180.147.62 list=CobaltStrike
add address=185.215.113.53 list=CobaltStrike
add address=162.33.179.242 list=CobaltStrike
add address=43.252.209.252 list=CobaltStrike
add address=91.229.91.116 list=CobaltStrike
add address=162.33.178.10 list=CobaltStrike
add address=45.147.179.211 list=CobaltStrike
add address=179.60.150.24 list=CobaltStrike
add address=101.34.128.238 list=CobaltStrike
add address=149.248.2.93 list=CobaltStrike
add address=103.30.43.90 list=CobaltStrike
add address=106.52.27.83 list=CobaltStrike
add address=162.248.225.208 list=CobaltStrike
add address=69.46.15.155 list=CobaltStrike
add address=51.143.161.4 list=CobaltStrike
add address=106.52.197.95 list=CobaltStrike
add address=81.68.179.88 list=CobaltStrike
add address=34.125.71.18 list=CobaltStrike
add address=81.69.26.175 list=CobaltStrike
add address=139.180.217.181 list=CobaltStrike
add address=115.159.0.71 list=CobaltStrike
add address=111.229.93.8 list=CobaltStrike
add address=94.130.244.31 list=CobaltStrike
add address=120.78.197.8 list=CobaltStrike
add address=81.71.149.131 list=CobaltStrike
add address=23.254.243.69 list=CobaltStrike
add address=192.227.193.115 list=CobaltStrike
add address=188.166.213.201 list=CobaltStrike
add address=91.245.255.33 list=CobaltStrike
add address=185.140.250.61 list=CobaltStrike
add address=106.54.69.144 list=CobaltStrike
add address=1.117.180.42 list=CobaltStrike
add address=82.156.2.25 list=CobaltStrike
add address=47.100.62.21 list=CobaltStrike
add address=35.76.8.52 list=CobaltStrike
add address=185.244.150.52 list=CobaltStrike
add address=139.198.108.26 list=CobaltStrike
add address=138.197.39.59 list=CobaltStrike
add address=121.5.36.45 list=CobaltStrike
add address=106.12.85.54 list=CobaltStrike
add address=103.72.146.180 list=CobaltStrike
add address=1.117.93.65 list=CobaltStrike
add address=193.56.146.100 list=CobaltStrike
add address=52.175.122.61 list=CobaltStrike
add address=45.117.102.139 list=CobaltStrike
add address=173.82.201.37 list=CobaltStrike
add address=109.236.81.61 list=CobaltStrike
add address=81.70.229.78 list=CobaltStrike
add address=82.156.241.148 list=CobaltStrike
add address=47.106.135.101 list=CobaltStrike
add address=39.108.62.177 list=CobaltStrike
add address=35.229.143.172 list=CobaltStrike
add address=208.92.93.25 list=CobaltStrike
add address=185.70.184.83 list=CobaltStrike
add address=172.104.164.209 list=CobaltStrike
add address=81.70.144.120 list=CobaltStrike
add address=43.129.251.5 list=CobaltStrike
add address=43.128.10.184 list=CobaltStrike
add address=155.94.178.9 list=CobaltStrike
add address=47.113.192.46 list=CobaltStrike
add address=178.254.42.220 list=CobaltStrike
add address=156.255.2.197 list=CobaltStrike
add address=144.217.207.29 list=CobaltStrike
add address=140.82.33.69 list=CobaltStrike
add address=121.36.65.50 list=CobaltStrike
add address=110.40.129.108 list=CobaltStrike
add address=108.160.137.158 list=CobaltStrike
add address=103.228.111.60 list=CobaltStrike
add address=103.143.40.242 list=CobaltStrike
add address=45.112.206.18 list=CobaltStrike
add address=59.63.224.101 list=CobaltStrike
add address=8.140.150.177 list=CobaltStrike
add address=39.99.173.55 list=CobaltStrike
add address=185.153.199.164 list=CobaltStrike
add address=194.165.16.60 list=CobaltStrike
add address=87.120.8.67 list=CobaltStrike
add address=147.139.4.69 list=CobaltStrike
add address=39.99.147.117 list=CobaltStrike
add address=182.92.103.213 list=CobaltStrike
add address=142.93.152.156 list=CobaltStrike
add address=81.70.155.208 list=CobaltStrike
add address=47.110.90.89 list=CobaltStrike
add address=122.10.52.70 list=CobaltStrike
add address=129.226.15.142 list=CobaltStrike
add address=154.208.76.59 list=CobaltStrike
add address=206.166.251.75 list=CobaltStrike
add address=49.235.158.131 list=CobaltStrike
add address=45.146.165.142 list=CobaltStrike
add address=104.238.205.44 list=CobaltStrike
add address=100.24.56.227 list=CobaltStrike
add address=156.255.3.224 list=CobaltStrike
add address=178.162.199.36 list=CobaltStrike
add address=167.179.66.246 list=CobaltStrike
add address=201.127.21.60 comment="mail hacker" list=CobaltStrike
add address=141.98.10.0/24 list=CobaltStrike
add address=141.98.11.0/24 list=CobaltStrike
add address=45.12.253.0/24 list=CobaltStrike
# Filter rules are evaluated top to bottom and the first match decides.
# Shape of this rule set:
#   input   - explicit drops for WAN, a handful of accepts, then a logged drop-all.
#   forward - two blocklist drops and two accepts, with NO final drop.
# NOTE(review): because the forward chain has no closing drop, anything not on the
# blocklist is forwarded. Guest, IoT and CCTV clients can therefore reach Users, SRV and
# MGMT hosts, and nothing restricts what arrives from ether1 beyond what NAT happens to
# rewrite. A typical tightening is: accept established/related first, accept the
# inter-VLAN flows that are actually wanted, allow only dst-nat'ed connections from WAN
# (connection-nat-state), then drop the rest.
/ip firewall filter
# Invalid-state packets are dropped and logged on input only; forward has no such rule.
add action=drop chain=input comment="Drop ALL invalid" connection-state=invalid log=yes log-prefix=invalid_
# DNS to the router from ether1 is refused (UDP new connections, and all TCP). These two
# rules are what keep the resolver enabled in /ip dns from being reachable from the WAN.
add action=drop chain=input comment="drop dns" connection-state=new dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=ether1 protocol=tcp
# SSH/WinBox from ether1. The later rule matching in-interface-list=WAN on 22,8291,80
# covers the same ports, so the two overlap.
add action=drop chain=input comment="Drop SSH/WinBox WAN." dst-port=22,8291 in-interface=ether1 protocol=tcp
# Blocklist drops. Note the labels are the reverse of what the matchers do: the rule
# matching dst-address-list drops traffic going TO listed hosts (outbound), and the rule
# matching src-address-list drops traffic coming FROM them (inbound).
add action=drop chain=forward comment="CobaltStrike - Block Ingress" dst-address-list=CobaltStrike
add action=drop chain=forward comment="CobaltStrike Block - Engress" src-address-list=CobaltStrike
# All ICMP to the router from ether1 is dropped. Since this sits above the
# established/related accept, it also discards ICMP error messages addressed to the
# router itself (for example fragmentation-needed) - NOTE(review): confirm that is wanted.
add action=drop chain=input comment="drop icmp wan" in-interface=ether1 protocol=icmp
add action=drop chain=input comment="Drop SSH/WinBox coming from WAN" dst-port=22,8291,80 in-interface-list=WAN protocol=tcp
# The two VPN rules match on source address only, with no in-interface.
# NOTE(review): tying them to in-interface=MikroTik-WG would stop a packet that merely
# claims a 192.168.5.x source on some other port from matching.
add action=accept chain=input comment="Allow VPN traffic" src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow VPN to forward" src-address=192.168.5.0/24
# CAPsMAN control ports are accepted from any interface, ether1 included.
# NOTE(review): the manager's own interface settings limit where it listens, but adding
# an in-interface or in-interface-list match here keeps the firewall from relying on that.
add action=accept chain=input comment="Accept CAPsMAN" dst-port=5246-5247 protocol=udp
# WireGuard must be reachable from the internet, so this one is open by design.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
# Everything from the VLAN list (Users, CCTV, Guest, IoT, SRV) is accepted to the router.
# NOTE(review): that exposes every enabled router service to guest and IoT clients,
# except where /ip service restricts by address (www, ssh and winbox in this export).
# DNS and the SMB server enabled in /ip smb have no such restriction shown.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Reply traffic for existing connections. These work this far down only because none of
# the rules above drop the relevant replies; they are more commonly placed first.
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow MGMT Full Access" in-interface=VLAN99
# Closing drop for the input chain, logged with prefix drop_.
add action=drop chain=input comment=Drop log=yes log-prefix=drop_
# NAT. Destination NAT is applied before the filter chains, so a published port is
# rewritten and then judged by the forward chain, not by input. In this export the forward
# chain has no closing drop, so every dst-nat rule below is reachable from the internet
# without a matching filter accept.
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
# Disabled. If re-enabled as written it has no in-interface match and to-ports=0-65535.
add action=dst-nat chain=dstnat comment="p2p in" disabled=yes dst-port=52138 protocol=tcp to-addresses=192.168.1.10 to-ports=0-65535
# Hairpin rules: same-subnet clients reaching these hosts through the router are
# source-NATed, so the server sees the router's address rather than the client's.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.1.230 out-interface=VLAN10 protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.50.22 out-interface=VLAN50 protocol=tcp src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.1.231 out-interface=VLAN10 protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.50.20 out-interface=VLAN50 protocol=tcp src-address=192.168.50.0/24
# Published mail ports, all to 192.168.50.22. The label says submission is for a relay,
# but the rule has no source restriction, so port 587 is open to any sender.
add action=dst-nat chain=dstnat comment="email submission to Mail - From Sendgrid relay" dst-port=587 in-interface=ether1 protocol=tcp to-addresses=192.168.50.22 \
    to-ports=587
# POP3 (110) and IMAP (143) are the plaintext-by-default variants; 995 and 993 are also
# published. NOTE(review): unless the mail server enforces STARTTLS on 110/143, credentials
# can cross the internet in clear - consider publishing only the TLS ports.
add action=dst-nat chain=dstnat comment="pop3 to Mail" dst-port=110 in-interface=ether1 protocol=tcp to-addresses=192.168.50.22 to-ports=110
# Unlike its neighbours this rule has no in-interface match, so it applies to TCP/25
# arriving on ANY interface - including outbound SMTP from internal hosts, which is
# redirected to 192.168.50.22. NOTE(review): add in-interface=ether1 if only inbound mail
# is meant to be redirected.
add action=dst-nat chain=dstnat comment=smtp dst-port=25 protocol=tcp to-addresses=192.168.50.22
add action=dst-nat chain=dstnat comment="pop3s to Mail" dst-port=995 in-interface=ether1 protocol=tcp to-addresses=192.168.50.22 to-ports=995
add action=dst-nat chain=dstnat comment="IMAP to Mail" dst-port=143 in-interface=ether1 protocol=tcp to-addresses=192.168.50.22 to-ports=143
add action=dst-nat chain=dstnat comment="IMAPs to Mail" dst-port=993 in-interface=ether1 protocol=tcp to-addresses=192.168.50.22 to-ports=993
# Web to 192.168.50.20. WAN traffic to port 80 is rewritten here before filtering, so the
# input-chain drop that lists port 80 only takes effect if this rule is removed or disabled.
add action=dst-nat chain=dstnat comment="www to Nginx" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.50.20 to-ports=80
add action=dst-nat chain=dstnat comment="SSL to Nginx" dst-port=443 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.50.20 to-ports=443
add action=dst-nat chain=dstnat comment=XMPP dst-port=10000 in-interface=ether1 log=yes protocol=udp to-addresses=192.168.50.32 to-ports=10000
# Internet-facing SSH on 5777 lands on 192.168.0.15, an address inside the MGMT subnet.
# NOTE(review): a non-standard port does not limit who can connect. Restricting by source
# address, requiring key-only authentication on the target, or reaching this host over
# the WireGuard tunnel instead would keep the management network off the internet.
add action=dst-nat chain=dstnat comment="SSH 5777" dst-port=5777 in-interface=ether1 log=yes protocol=tcp src-port="" to-addresses=192.168.0.15 to-ports=22
# Static routes to container networks behind internal hosts. The lxdbr0 route is disabled;
# the Containers route sends 10.10.45.0/24 via 192.168.0.14 (xen1 in the static DNS
# table), a host on the MGMT subnet.
# NOTE(review): with no forward-chain restrictions in this export, every VLAN can reach
# 10.10.45.0/24 through the router - confirm that is intended.
/ip route
add comment=lxdbr0 disabled=yes distance=1 dst-address=10.163.84.0/24 gateway=192.168.2.10 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=Containers disabled=no distance=1 dst-address=10.10.45.0/24 gateway=192.168.0.14 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# Management services. telnet, ftp, api and api-ssl are disabled. www, ssh and winbox stay
# enabled but only answer clients in 192.168.0.0/24 (MGMT) and 192.168.1.0/24 (Users).
# The WireGuard range 192.168.5.0/24 is not in these lists, so VPN clients cannot use the
# services even though the firewall accepts their traffic.
# NOTE(review): www is the unencrypted web interface and www-ssl is not mentioned in the
# export; if WebFig is needed, serving it over TLS avoids sending the admin login in
# clear on the Users VLAN. Consider also whether the whole Users subnet needs access.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24,192.168.1.0/24
set ssh address=192.168.0.0/24,192.168.1.0/24
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.1.0/24
set api-ssl disabled=yes
# SMB server as it was during the fault: enabled, guest access off.
# NOTE(review): the only input-chain limit on who can reach it is the "Allow VLAN" accept,
# which covers Guest and IoT as well as Users; if the share comes back, an explicit
# allow for the client subnets that need it is safer.
/ip smb
set allow-guests=no comment=RouterSMB domain=WORKGROUP enabled=yes
# Two shares. share1 points at /disk1 and SSD at usb1-part1 - the two directory values are
# written in different forms, and SSD is the share named in the "invalid share" log line.
# NOTE(review): confirm both paths against the disk names this RouterOS version reports.
/ip smb shares
add directory=/disk1 name=share1
add comment="Should point to usb1-part1 as of vers 7.11" directory=usb1-part1 name=SSD
# Two accounts, both with write access; passwords are not part of the export as posted.
# NOTE(review): an account named "test" with write access is worth removing if unused.
/ip smb users
add name=user1 read-only=no
add name=test read-only=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=RB5009
# Logging rules 0-3 all send to the remote action, tagged _info, _err, _warn and _critical.
# NOTE(review): presumably these are the four default rules; if so, nothing is kept in the
# router's own memory or disk log, and after a hang the only evidence is whatever reached
# the remote collector. Keeping a local disk or memory copy as well helps when the
# forwarding path itself is what failed.
/system logging
set 0 action=remote prefix=_info
set 1 action=remote prefix=_err
set 2 action=remote prefix=_warn
set 3 action=remote prefix=_critical
/system note
set show-at-login=no
# RoMON (layer-2 router management overlay) is enabled. The export shows no secret and no
# per-port settings.
# NOTE(review): confirm a RoMON secret is set and that RoMON is forbidden on ether1 and
# any other port facing untrusted devices; otherwise disable it if unused.
/tool romon
set enabled=yes

Is it possible to roll back to 7.4? I tried the downgrade button in the packages menu, but it just stays the same 7.11 version.

Thanks!

Ok disk and SMB share ruled out, still crashing without them.


Will research on getting the 7.4 package back on it, in the meantime I backed up the config and copied it to a fresh RB5009UPr+s with 7.8 on it and will swap it out on the next crash.

Ok the new router (RB5009UPr+s ) is in place running 7.8, and I rolled the primary/main router back to 7.10.2 for now. If the new router is stable, I will revert back to my first unit to see if it is still sketchy. Don’t think anything in my config should cause crashes like that. Leaving the SSD disconnected for a day or so. Not sure, maybe the 5009 just died; I didn’t think we worked it too hard. It serves up 5 cloud instances with light traffic, maybe 20 users max at times. The uplink is a 10G Gtek SFP module connected to the 317, so nothing fancy here. WAN uplink is 1Gbit to the CPE. The CPU is normally around 2% and 836MB of memory.

Thanks