SSH connection issues with "fasttrack" switched off.

Chateau C12 LTE, ROS v7.1beta1, LTE modem firmware EG12EAPAR01A06M4G.

I have switched off default fasttrack for FORWARD chain in order to use QoS and prioritizing traffic.

In default setup, I can connect to my SSH servers. If I switch off fasttrack, I will get an error after timeout:

packet_write_wait: Connection to x.x.x.x port 22: Broken pipe

I see nothing in firewall logs. If I terminate connection manually, I see dropped INVALID connection.

SSH connection with -v parameter is always stuck at:

debug1: Sending environment.

…followed by above by mentioned session error.

Is it misconfiguration or a bug. please?

Its your firewall rules blocking it.
The reason it works with fastrack enabled is that FastTracked packets bypass the firewall.

forward accepts ESTABLISHED, RELATED as in default config.

new connections from LAN accepted as in default.

there is no reason for firewall to block it. I have on all DROP rules logging and there is nothing in logs???

what happens if you disable all firewall rules?
does it work?

with default Mikrotik firewall rules everything works.

Once, I switch off FORWARD fasttrack…SSH doesn’t work anymore.

post and

 /export hide-sensitive

here

SSH issue are not problem at Mikrotik router but ISP problem.

I have switched ISP - from laggy, lossy LTE to cable Internet.

Without changing anything in configuration (except WAN interface), SSH works again.

LTE Internet latency over 100ms with at least 10% packet loss
Cable Internet 10-20ms (local vs worldwide)

My guess is my SSH server simply dropped connection due crap connection and timeout. Fasttrack bypassed firewall and most likely connection timeout was already on the limit…with fasttrack off…connection timed out.

I have this problem as well. SSH negotiates everything it needs with the server, but times out when opening the final channel.

It only works when activating fasttrack for the connection in the firewall.

I haven’t done extensive testing yet, but I can share a few observations:

• Somehow this only affects linux clients
• Ubuntu PC (ethernet) and Ubuntu Notebook (wifi): ssh client does not work
• Windows VM running on Linux (virtualbox on ubuntu, bridge interface): Putty does NOT work
• Windows PC: SSH works from Putty and WSL
• connecting to an ssh server over VPN works
• This started to happen suddenly after upgrading to 7.1beta2 (from stock 7.0beta6), but I still have it with 7.0beta8 (had to downgrade because of routing issues)
• Fasttrack solves the problem
• My internet connection is flawless (thanks to the fantastic Chateau)

This is the end of the output of ssh -vvv:

debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768

There is a serverfault thread with exactly the same issue, just not mkrotik related. I tried about everything suggested there. The only fix/workaround in my case is fasttrack.

I’ve the same issue - with LMT Mikrotik LTE18 router. Despite “fasttrack” turned on - SSH doesn’t work.

Average latency on LTE connection is 13-25ms. Before that I was using Huawei LTE modem and everything worked fine. So that should be Mikrotik RouterOS related issue.

I’m running standard RouterOS v7.0 that came on the router. Didn’t tried upgrade to beta or development.

can you clarify how you are attempting the connection, from where to where? does it not work always, or sometimes? does something else not work too?

I recently got 7.0beta6 from mikrotik support and downgraded my Chateau, but SSH was still not working without fasttrack. This is getting strange now.
I upgraded back to 7.1beta2 and now SSH was not even working with fasttrack. 7.1beta1 is working (with fasttrack) again.

Additionally, with the fasttrack workaround ssh connections have lots of TCP retransmissions, which make the connection lag. Folder listings and longer output in general hangs after a few lines until i press a key to make ssh notice the lost packets. This looks like a typical MTU issue, but it’s not. I tried with many MTU sizes, even very small ones like 900.

Everything works fine over a VPN connection established from the PC (tried ssl-vpn to the office and a commercial vpn provider).

I will try to do some tests with ssh debugging and wireshark later and report back.

Connection is done from PCs inside of the network to outside servers.

If I do connection to any SSH host - it just ends with Broken pipe.

What’s strange that if I do

git push

or

ansible-playbook

application - that mostly works.

As per @normis request I’m posting config from my router:

# sep/30/2020 09:38:53 by RouterOS 7.0
# software id = 0JTV-JCJG
#
# model = RBD53G-5HacD2HnD&EG18-EA
# serial number = CB280CC4670B
/interface bridge
add admin-mac=48:8F:5A:9A:21:12 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=latvia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=Tikls wireless-protocol=802.11 wps-mode=\
    push-button-5s
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=latvia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge skip-dfs-channels=10min-cac ssid=\
    "Tikls 5G" wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.lmt.lv ipv6-interface=bridge name=\
    "LMT Internet" use-network-apn=no
add apn=static1.lmt.lv ip-type=ipv4 name=LMT-static1.lmt.lv use-network-apn=\
    no
add apn=static2.lmt.lv ip-type=ipv4 name=LMT-static2.lmt.lv use-network-apn=\
    no
add apn=internet1.lmt.lv ip-type=ipv4 name=LMT-internet1.lmt.lv \
    use-network-apn=no
add apn=static61.lmt.lv ipv6-interface=bridge name=LMT-static61.lmt.lv \
    use-network-apn=no
add apn=static62.lmt.lv ipv6-interface=bridge name=LMT-static62.lmt.lv \
    use-network-apn=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=LMT-static1.lmt.lv name=lte1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=4A:8F:5A:9A:21:18 master-interface=wlan2 name=\
    wlan5 security-profile=profile ssid="Tikls Viesi"
add disabled=no mac-address=4A:8F:5A:9A:21:17 master-interface=wlan1 name=\
    wlan6 security-profile=profile ssid="Tikls Viesi"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.8.10-192.168.8.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12h name=\
    defconf
/ip vrf
add list=all name=main
/interface bridge filter
add action=drop chain=forward in-interface=wlan5
add action=drop chain=forward out-interface=wlan5
add action=drop chain=forward in-interface=wlan6
add action=drop chain=forward out-interface=wlan6
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan5
add bridge=bridge interface=wlan6
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether1 network=\
    192.168.8.0
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.8.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept LMT provisioning" \
    dst-port=8081 protocol=tcp src-address=212.93.97.83
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.8.0/24
set ssh address=192.168.8.0/24
set www-ssl address=192.168.8.0/24 certificate=router.lan \
    disabled=no
set api disabled=yes
set winbox address=192.168.8.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name="LMT LTE18"
/system package update
set channel=development
/system routerboard settings
set cpu-frequency=716MHz
/system routerboard reset-button
set enabled=yes hold-time=5s..10s on-event=reset-configuration
/system script
add dont-require-permissions=yes name=reset-configuration owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/system reset-configuration"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tr069-client
set acs-url=https://acs.lmt.lv:8049 check-certificate=no \
    connection-request-port=8081 connection-request-username=fEj7xzTVrCGb \
    enabled=yes periodic-inform-interval=12h username=LMT

Today router suddenly stoped working at all. After reboot - just power lights on and nothing else happens.

UPDATE:
Actually there is happening something. Rooter reboots itself every ~30 seconds, but after that stays in the same “power on” mode.

UPDATE 2:
Turned out the router was dead, so I returned yesterday to LMT and got another one in exchange. And in this new one situation is the same - no SSH is passing through.

Hello zxpower,

please contact LMT support so they could update your router with the new test RotuerOS version that could potentially fix this problem.
If that doesn’t help then please provide some information how we could reproduce this problem locally. We could try to reproduce this problem locally if you could tell where we need to try to make the SSH connection. You can send that information to the support@mikrotik.com and refer to this Forum topic.

Hi,
I can confirm and have the same issue with ssh to a server in the Internet.
V7.1beta2

chris

Here some some information:

I am running: RouterOS v7.1beta2.

The issue I have is that ssh to a server on the internet. It aborts with “broken pipe”
As you can see in the ssh -v debug Info, it stops in the last phase

OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/ch/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to ********.com port 22.
debug1: Connection established.
debug1: identity file /Users/ch/.ssh/id_rsa type 0
debug1: identity file /Users/ch/.ssh/id_rsa-cert type -1
debug1: identity file /Users/ch/.ssh/id_dsa type -1
debug1: identity file /Users/ch/.ssh/id_dsa-cert type -1
debug1: identity file /Users/ch/.ssh/id_ecdsa type -1
debug1: identity file /Users/ch/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/ch/.ssh/id_ed25519 type -1
debug1: identity file /Users/ch/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/ch/.ssh/id_xmss type -1
debug1: identity file /Users/ch/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ***.com:22 as 'ch'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:wxLJ.....
debug1: Host '*****.com' is known and matches the ED25519 host key.
debug1: Found key in /Users/ch/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/ch/.ssh/id_rsa RSA SHA256:f1XWK....
debug1: Will attempt key: /Users/ch/.ssh/id_dsa
debug1: Will attempt key: /Users/ch/.ssh/id_ecdsa
debug1: Will attempt key: /Users/ch/.ssh/id_ed25519
debug1: Will attempt key: /Users/ch/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512....
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/ch/.ssh/id_rsa RSA SHA256:f1XWKDZEy......
debug1: Server accepts key: /Users/ch/.ssh/id_rsa RSA SHA256:f1XWKDZEy......
debug1: Authentication succeeded (publickey).
Authenticated to *****.com ([*.*.*.11]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/ch/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/ch/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
client_loop: send disconnect: Broken pipe

Everything else, web, email, … is working fine. with the Huawei router everything was fine. So no issue at provder or SSH server.

We have confirmed from few customers that the RouterOS v7.0.1 test that was provided for the LMT fixes the SSH issue as well.
This fix will be included also in the RotuerOS v7.1beta3.

same issue here.. LTAP mini, LTE WAN, all opther protocols work, SSH fails..

same point as others who have posted. .. post neogitaion but before terminal environment establishes.

what is the work around? to downgrade to beta 1?
how can I get the new Test version to try?

-Christopher

I had identical issue with LTE18 router with default configuration by LMT technician.

In my case the ssh sessions started working when SSH client is started with -o IPQoS=0 option. I’ve disabled the IPQoS in /etc/ssh_config for now.