haj3s29a
newbie
Topic Author
Posts: 30
Joined: Sun Jul 05, 2020 5:02 pm

SSH connection issues with "fasttrack" switched off.

Sun Aug 02, 2020 8:47 pm

Chateau C12 LTE, ROS v7.1beta1, LTE modem firmware EG12EAPAR01A06M4G.

I have switched off default fasttrack for FORWARD chain in order to use QoS and prioritizing traffic.

In default setup, I can connect to my SSH servers. If I switch off fasttrack, I will get an error after timeout:
packet_write_wait: Connection to x.x.x.x port 22: Broken pipe

I see nothing in firewall logs. If I terminate connection manually, I see dropped INVALID connection.

SSH connection with -v parameter is always stuck at:
debug1: Sending environment.

...followed by the above-mentioned session error.

Is it a misconfiguration or a bug, please?
 
marklodge
Member Candidate
Posts: 250
Joined: Sun Jun 21, 2009 6:15 pm

Re: SSH connection issues with "fasttrack" switched off.

Sun Aug 02, 2020 10:35 pm

> Chateau C12 LTE, ROS v7.1beta1, LTE modem firmware EG12EAPAR01A06M4G.
>
> I have switched off default fasttrack for FORWARD chain in order to use QoS and prioritizing traffic.
>
> In default setup, I can connect to my SSH servers. If I switch off fasttrack, I will get an error after timeout:
> packet_write_wait: Connection to x.x.x.x port 22: Broken pipe
>
> I see nothing in firewall logs. If I terminate connection manually, I see dropped INVALID connection.
>
> SSH connection with -v parameter is always stuck at:
> debug1: Sending environment.
>
> ...followed by the above-mentioned session error.
>
> Is it a misconfiguration or a bug, please?

It's your firewall rules blocking it.
The reason it works with fasttrack enabled is that FastTracked packets bypass the firewall.
 
haj3s29a
newbie
Topic Author
Posts: 30
Joined: Sun Jul 05, 2020 5:02 pm

Re: SSH connection issues with "fasttrack" switched off.

Sun Aug 02, 2020 10:43 pm

Forward accepts ESTABLISHED, RELATED as in the default config.

New connections from LAN are accepted as in the default.

There is no reason for the firewall to block it. I have logging on all DROP rules and there is nothing in the logs???
 
marklodge
Member Candidate
Posts: 250
Joined: Sun Jun 21, 2009 6:15 pm

Re: SSH connection issues with "fasttrack" switched off.

Wed Aug 05, 2020 1:34 am

What happens if you disable all firewall rules?
Does it work?
 
haj3s29a
newbie
Topic Author
Posts: 30
Joined: Sun Jul 05, 2020 5:02 pm

Re: SSH connection issues with "fasttrack" switched off.

Sat Aug 08, 2020 7:01 pm

With default MikroTik firewall rules everything works.

Once I switch off FORWARD fasttrack... SSH doesn't work anymore.
 
marklodge
Member Candidate
Posts: 250
Joined: Sun Jun 21, 2009 6:15 pm

Re: SSH connection issues with "fasttrack" switched off.

Thu Aug 13, 2020 11:18 pm

Post an
 /export hide-sensitive
here.
 
haj3s29a
newbie
Topic Author
Posts: 30
Joined: Sun Jul 05, 2020 5:02 pm

Re: SSH connection issues with "fasttrack" switched off.  [SOLVED]

Fri Aug 14, 2020 6:56 pm

The SSH issue is not a problem with the MikroTik router but an ISP problem.

I have switched ISP - from laggy, lossy LTE to cable Internet.

Without changing anything in configuration (except WAN interface), SSH works again.

LTE Internet latency over 100ms with at least 10% packet loss
Cable Internet 10-20ms (local vs worldwide)

My guess is my SSH server simply dropped the connection due to the crap connection and timeout. Fasttrack bypassed the firewall and most likely the connection timeout was already on the limit... with fasttrack off... the connection timed out.
 
sknx
just joined
Posts: 4
Joined: Tue Jun 02, 2020 11:39 pm

Re: SSH connection issues with "fasttrack" switched off.

Fri Sep 18, 2020 1:01 pm

I have this problem as well. SSH negotiates everything it needs with the server, but times out when opening the final channel.

It only works when activating fasttrack for the connection in the firewall.

I haven't done extensive testing yet, but I can share a few observations:
- Somehow this only affects linux clients
- Ubuntu PC (ethernet) and Ubuntu Notebook (wifi): ssh client does not work
- Windows VM running on Linux (virtualbox on ubuntu, bridge interface): Putty does NOT work
- Windows PC: SSH works from Putty and WSL
- connecting to an ssh server over VPN works
- This started to happen suddenly after upgrading to 7.1beta2 (from stock 7.0beta6), but I still have it with 7.0beta8 (had to downgrade because of routing issues)
- Fasttrack solves the problem
- My internet connection is flawless (thanks to the fantastic Chateau)

This is the end of the output of ssh -vvv:
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
There is a serverfault thread with exactly the same issue, just not MikroTik related. I tried about everything suggested there. The only fix/workaround in my case is fasttrack.
 
zxpower
just joined
Posts: 5
Joined: Thu Sep 24, 2020 11:38 am

Re: SSH connection issues with "fasttrack" switched off.

Thu Sep 24, 2020 11:41 am

I have the same issue - with the LMT MikroTik LTE18 router. Despite "fasttrack" turned on - SSH doesn't work.

Average latency on the LTE connection is 13-25ms. Before that I was using a Huawei LTE modem and everything worked fine. So that should be a MikroTik RouterOS related issue.

I'm running standard RouterOS v7.0 that came on the router. Didn't try upgrading to beta or development.
Last edited by zxpower on Fri Sep 25, 2020 4:33 pm, edited 2 times in total.
 
normis
MikroTik Support
Posts: 26294
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: SSH connection issues with "fasttrack" switched off.

Tue Sep 29, 2020 11:54 am

Can you clarify how you are attempting the connection, from where to where? Does it not work always, or sometimes? Does something else not work too?
 
sknx
just joined
Posts: 4
Joined: Tue Jun 02, 2020 11:39 pm

Re: SSH connection issues with "fasttrack" switched off.

Tue Sep 29, 2020 12:26 pm

I recently got 7.0beta6 from MikroTik support and downgraded my Chateau, but SSH was still not working without fasttrack. This is getting strange now.
I upgraded back to 7.1beta2 and now SSH was not even working with fasttrack. 7.1beta1 is working (with fasttrack) again.

Additionally, with the fasttrack workaround ssh connections have lots of TCP retransmissions, which make the connection lag. Folder listings and longer output in general hang after a few lines until I press a key to make ssh notice the lost packets. This looks like a typical MTU issue, but it's not. I tried with many MTU sizes, even very small ones like 900.

Everything works fine over a VPN connection established from the PC (tried ssl-vpn to the office and a commercial vpn provider).

I will try to do some tests with ssh debugging and wireshark later and report back.
 
zxpower
just joined
Posts: 5
Joined: Thu Sep 24, 2020 11:38 am

Re: SSH connection issues with "fasttrack" switched off.

Tue Sep 29, 2020 8:09 pm

Connection is done from PCs inside of the network to outside servers.

If I do connection to any SSH host - it just ends with Broken pipe.

What's strange is that if I do `git push` or `ansible-playbook` application - that mostly works.
 
zxpower
just joined
Posts: 5
Joined: Thu Sep 24, 2020 11:38 am

Re: SSH connection issues with "fasttrack" switched off.

Wed Sep 30, 2020 9:45 am

As per @normis request I'm posting config from my router:
# sep/30/2020 09:38:53 by RouterOS 7.0
# software id = 0JTV-JCJG
#
# model = RBD53G-5HacD2HnD&EG18-EA
# serial number = CB280CC4670B
/interface bridge
add admin-mac=48:8F:5A:9A:21:12 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=latvia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=Tikls wireless-protocol=802.11 wps-mode=\
    push-button-5s
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=latvia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge skip-dfs-channels=10min-cac ssid=\
    "Tikls 5G" wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.lmt.lv ipv6-interface=bridge name=\
    "LMT Internet" use-network-apn=no
add apn=static1.lmt.lv ip-type=ipv4 name=LMT-static1.lmt.lv use-network-apn=\
    no
add apn=static2.lmt.lv ip-type=ipv4 name=LMT-static2.lmt.lv use-network-apn=\
    no
add apn=internet1.lmt.lv ip-type=ipv4 name=LMT-internet1.lmt.lv \
    use-network-apn=no
add apn=static61.lmt.lv ipv6-interface=bridge name=LMT-static61.lmt.lv \
    use-network-apn=no
add apn=static62.lmt.lv ipv6-interface=bridge name=LMT-static62.lmt.lv \
    use-network-apn=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=LMT-static1.lmt.lv name=lte1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=4A:8F:5A:9A:21:18 master-interface=wlan2 name=\
    wlan5 security-profile=profile ssid="Tikls Viesi"
add disabled=no mac-address=4A:8F:5A:9A:21:17 master-interface=wlan1 name=\
    wlan6 security-profile=profile ssid="Tikls Viesi"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.8.10-192.168.8.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12h name=\
    defconf
/ip vrf
add list=all name=main
/interface bridge filter
add action=drop chain=forward in-interface=wlan5
add action=drop chain=forward out-interface=wlan5
add action=drop chain=forward in-interface=wlan6
add action=drop chain=forward out-interface=wlan6
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan5
add bridge=bridge interface=wlan6
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether1 network=\
    192.168.8.0
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.8.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept LMT provisioning" \
    dst-port=8081 protocol=tcp src-address=212.93.97.83
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.8.0/24
set ssh address=192.168.8.0/24
set www-ssl address=192.168.8.0/24 certificate=router.lan \
    disabled=no
set api disabled=yes
set winbox address=192.168.8.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name="LMT LTE18"
/system package update
set channel=development
/system routerboard settings
set cpu-frequency=716MHz
/system routerboard reset-button
set enabled=yes hold-time=5s..10s on-event=reset-configuration
/system script
add dont-require-permissions=yes name=reset-configuration owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/system reset-configuration"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tr069-client
set acs-url=https://acs.lmt.lv:8049 check-certificate=no \
    connection-request-port=8081 connection-request-username=fEj7xzTVrCGb \
    enabled=yes periodic-inform-interval=12h username=LMT
 
zxpower
just joined
Posts: 5
Joined: Thu Sep 24, 2020 11:38 am

Re: SSH connection issues with "fasttrack" switched off.

Tue Oct 06, 2020 3:51 pm

Today the router suddenly stopped working at all. After reboot - just power lights on and nothing else happens.

UPDATE:
Actually something is happening. The router reboots itself every ~30 seconds, but after that stays in the same "power on" mode.

UPDATE 2:
Turned out the router was dead, so I returned it yesterday to LMT and got another one in exchange. And with this new one the situation is the same - no SSH is passing through.
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: SSH connection issues with "fasttrack" switched off.

Wed Oct 07, 2020 10:23 am

Hello zxpower,

Please contact LMT support so they could update your router with the new test RouterOS version that could potentially fix this problem.
If that doesn't help then please provide some information on how we could reproduce this problem locally. We could try to reproduce this problem locally if you could tell us where we need to try to make the SSH connection. You can send that information to support@mikrotik.com and refer to this Forum topic.

> Today the router suddenly stopped working at all. After reboot - just power lights on and nothing else happens.
>
> UPDATE:
> Actually something is happening. The router reboots itself every ~30 seconds, but after that stays in the same "power on" mode.
>
> UPDATE 2:
> Turned out the router was dead, so I returned it yesterday to LMT and got another one in exchange. And with this new one the situation is the same - no SSH is passing through.
 
cnbnjn
just joined
Posts: 2
Joined: Thu Oct 08, 2020 3:00 pm

Re: SSH connection issues with "fasttrack" switched off.

Thu Oct 08, 2020 3:05 pm

Hi,
I can confirm and have the same issue with ssh to a server in the Internet.
V7.1beta2

chris
 
cnbnjn
just joined
Posts: 2
Joined: Thu Oct 08, 2020 3:00 pm

Re: SSH connection issues with "fasttrack" switched off.

Thu Oct 08, 2020 4:28 pm

Here is some information:

I am running: RouterOS v7.1beta2.

The issue I have is with ssh to a server on the internet. It aborts with "broken pipe".
As you can see in the ssh -v debug info, it stops in the last phase:
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/ch/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to ********.com port 22.
debug1: Connection established.
debug1: identity file /Users/ch/.ssh/id_rsa type 0
debug1: identity file /Users/ch/.ssh/id_rsa-cert type -1
debug1: identity file /Users/ch/.ssh/id_dsa type -1
debug1: identity file /Users/ch/.ssh/id_dsa-cert type -1
debug1: identity file /Users/ch/.ssh/id_ecdsa type -1
debug1: identity file /Users/ch/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/ch/.ssh/id_ed25519 type -1
debug1: identity file /Users/ch/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/ch/.ssh/id_xmss type -1
debug1: identity file /Users/ch/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ***.com:22 as 'ch'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:wxLJ.....
debug1: Host '*****.com' is known and matches the ED25519 host key.
debug1: Found key in /Users/ch/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/ch/.ssh/id_rsa RSA SHA256:f1XWK....
debug1: Will attempt key: /Users/ch/.ssh/id_dsa
debug1: Will attempt key: /Users/ch/.ssh/id_ecdsa
debug1: Will attempt key: /Users/ch/.ssh/id_ed25519
debug1: Will attempt key: /Users/ch/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512....
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/ch/.ssh/id_rsa RSA SHA256:f1XWKDZEy......
debug1: Server accepts key: /Users/ch/.ssh/id_rsa RSA SHA256:f1XWKDZEy......
debug1: Authentication succeeded (publickey).
Authenticated to *****.com ([*.*.*.11]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/ch/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/ch/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
client_loop: send disconnect: Broken pipe
Everything else, web, email, ... is working fine. With the Huawei router everything was fine. So no issue at the provider or SSH server.
Last edited by cnbnjn on Tue Oct 13, 2020 11:26 am, edited 1 time in total.
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: SSH connection issues with "fasttrack" switched off.

Fri Oct 09, 2020 11:01 am

We have confirmed from a few customers that the RouterOS v7.0.1 test that was provided for LMT fixes the SSH issue as well.
This fix will also be included in RouterOS v7.1beta3.
 
cadillackid
newbie
Posts: 30
Joined: Wed Oct 17, 2007 5:20 pm

Re: SSH connection issues with "fasttrack" switched off.

Mon Oct 12, 2020 10:07 pm

Same issue here.. LTAP mini, LTE WAN, all other protocols work, SSH fails..

Same point as others who have posted... post negotiation but before the terminal environment establishes.

What is the workaround? To downgrade to beta 1?
How can I get the new test version to try?

-Christopher
 
reinisv
just joined
Posts: 5
Joined: Fri Oct 23, 2020 10:20 am

Re: SSH connection issues with "fasttrack" switched off.

Fri Oct 23, 2020 10:24 am

I had an identical issue with an LTE18 router with default configuration by an LMT technician.

In my case the ssh sessions started working when SSH client is started with -o IPQoS=0 option. I've disabled the IPQoS in /etc/ssh_config for now.
 
infabo
Long time Member
Posts: 587
Joined: Thu Nov 12, 2020 12:07 pm

Re: SSH connection issues with "fasttrack" switched off.

Fri Nov 13, 2020 3:52 pm

v7.1beta2 here on a Chateau LTE12. Can't connect with "ssh" to any ssh-server. scp some file to a remote server works.
 
infabo
Long time Member
Posts: 587
Joined: Thu Nov 12, 2020 12:07 pm

Re: SSH connection issues with "fasttrack" switched off.

Fri Nov 13, 2020 3:55 pm

> This fix will also be included in RouterOS v7.1beta3.

Workaround or when to expect beta3 to be available?
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: SSH connection issues with "fasttrack" switched off.

Fri Nov 13, 2020 4:05 pm

> when to expect beta3 to be available?

When they squash the bug which prevents 7.1beta3 from booting on CCR (presumably 1xxx, TILE-based) devices.
 
infabo
Long time Member
Posts: 587
Joined: Thu Nov 12, 2020 12:07 pm

Re: SSH connection issues with "fasttrack" switched off.

Mon Nov 16, 2020 12:12 pm

> > when to expect beta3 to be available?
>
> When they squash the bug which prevents 7.1beta3 from booting on CCR (presumably 1xxx, TILE-based) devices.

From reading the forum it looks like they are hunting this bug for quite some weeks now. Must be a sneaky one...
 
infabo
Long time Member
Posts: 587
Joined: Thu Nov 12, 2020 12:07 pm

Re: SSH connection issues with "fasttrack" switched off.

Mon Nov 16, 2020 1:02 pm

> I had an identical issue with an LTE18 router with default configuration by an LMT technician.
>
> In my case the ssh sessions started working when SSH client is started with -o IPQoS=0 option. I've disabled the IPQoS in /etc/ssh_config for now.

Thanks for this valuable workaround! A downgrade to even 7.0beta7 did not resolve the issue for me - but adjusting IPQoS did the trick!

~/.ssh/config
IPQoS reliability
 
upholder
Trainer
Posts: 1
Joined: Wed Nov 03, 2010 6:38 pm

Re: SSH connection issues with "fasttrack" switched off.

Wed Nov 18, 2020 4:09 pm

As this is a problem with QoS and the TOS bit, to fix the SSH problem you can simply change the TOS bit with mangle rules. This works reliably with my SSH sessions.
/ip firewall mangle
add action=change-dscp chain=prerouting dst-port=22 new-dscp=1 passthrough=yes \
    protocol=tcp
 
fincreg
just joined
Posts: 1
Joined: Sun Jun 30, 2019 10:55 am

Re: SSH connection issues with "fasttrack" switched off.

Sun Nov 29, 2020 9:10 pm

> As this is a problem with QoS and the TOS bit, to fix the SSH problem you can simply change the TOS bit with mangle rules. This works reliably with my SSH sessions.
> /ip firewall mangle
> add action=change-dscp chain=prerouting dst-port=22 new-dscp=1 passthrough=yes \
>     protocol=tcp

Thank you. Tried both solutions "-oIPQoS=reliability" & mangle rule (separately), both resolved the ssh issue from WSL.
What is interesting, ssh from Windows PowerShell was not affected by this issue.
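
Both workarounds in the posts above change the DSCP/TOS marking on the SSH packets, so a quick way to check whether a path handles a given marking is to probe it directly. The following is an added example, not code from any poster or from MikroTik: it maps OpenSSH's IPQoS keywords to the TOS byte (af21 and cs1 are the OpenSSH defaults since 7.8) and switches the marking mid-connection against an SSH server you run; `probe_marking`, `survey` and the loopback stand-in server are names made up here.

```python
import socket
import threading

# OpenSSH IPQoS keywords -> IP TOS byte. For DSCP names the 6-bit code point
# occupies the upper six bits of the byte (the low two bits are ECN).
IPQOS_TOS = {
    "cs0": 0 << 2,          # unmarked / best effort
    "af21": 18 << 2,        # OpenSSH >= 7.8 default, interactive sessions
    "cs1": 8 << 2,          # OpenSSH >= 7.8 default, non-interactive (scp, git)
    "lowdelay": 0x10,       # legacy TOS flags
    "throughput": 0x08,
    "reliability": 0x04,    # same byte as DSCP 1 (new-dscp=1 in the mangle rule)
}


def probe_marking(host, port, tos, timeout=5.0):
    """Return True if the server still answers after we switch to TOS byte `tos`."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # IPv4: IP_TOS applies
    s.settimeout(timeout)
    try:
        s.connect((host, port))                  # handshake with default marking
        if not s.recv(256).startswith(b"SSH-"):  # server identification string
            return False
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        s.sendall(b"SSH-2.0-dscp_probe\r\n")     # first packet with the new marking
        return len(s.recv(256)) > 0              # reply (KEXINIT on a real sshd)
    except OSError:                              # timeout, reset, refused
        return False
    finally:
        s.close()


def survey(host, port=22, names=("cs0", "af21", "cs1", "reliability"), timeout=5.0):
    """Probe each named marking in turn; returns {keyword: reachable}."""
    return {n: probe_marking(host, port, IPQOS_TOS[n], timeout) for n in names}


def start_fake_sshd():
    """Constructed loopback stand-in: sends a banner, answers the client's ident."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.sendall(b"SSH-2.0-fake_sshd\r\n")
                    if conn.recv(256):
                        conn.sendall(b"\x00" * 16)  # stands in for KEXINIT
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv


if __name__ == "__main__":
    demo = start_fake_sshd()
    # On loopback every marking passes; point survey() at your own server
    # behind the router to compare markings on the real path.
    print(survey("127.0.0.1", demo.getsockname()[1], timeout=2.0))
```

A marking that fails while cs0 succeeds points at something on the path treating that value differently. The probe only controls the client-to-server marking; the server chooses its own for replies.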
 
infabo
Long time Member
Posts: 587
Joined: Thu Nov 12, 2020 12:07 pm

Re: SSH connection issues with "fasttrack" switched off.

Fri Dec 04, 2020 10:30 am

With v7.1beta3 it works now without `IPQoS reliability` setting.
 
felixka
Frequent Visitor
Posts: 58
Joined: Mon Oct 19, 2020 4:12 am
Location: Canada

Re: SSH connection issues with "fasttrack" switched off.

Sat Oct 16, 2021 9:14 am

I'm seeing this issue again on 7.1rc4. SSH works using the -oIPQoS=reliability workaround but not without it.
 
felixka
Frequent Visitor
Posts: 58
Joined: Mon Oct 19, 2020 4:12 am
Location: Canada

Re: SSH connection issues with "fasttrack" switched off.

Sat Oct 16, 2021 8:56 pm

Somehow the workarounds do not work for IPsec encapsulated SSH traffic.
 
felixka
Frequent Visitor
Posts: 58
Joined: Mon Oct 19, 2020 4:12 am
Location: Canada

Re: SSH connection issues with "fasttrack" switched off.

Tue Nov 02, 2021 1:58 am

So I figured out it had something to do with my PPPoE internet link being VLAN tagged in my router. Moved the VLAN tagging out to an external switch and put the PPPoE link directly on the ether1 interface untagged and the problem went away.
 
stanelie
newbie
Posts: 30
Joined: Sun Jun 03, 2012 9:32 pm

Re: SSH connection issues with "fasttrack" switched off.

Sat Feb 19, 2022 7:31 pm

@felixka,

Did you ever figure this out? I have the exact same symptoms: I connect using a PPPoE session over a VLAN, and I am unable to do a port mapping for my ssh servers. If I use another external switch to take care of the VLAN (input tagged vlan to my fibre media converter to the ISP, output untagged vlan to the MikroTik router) and I patch the PPPoE connection to the physical port connected to that switch, my port mappings work!

This smells like a bug with MikroTik, or I have no idea what I am doing and my use of VLAN tagging is wrong, even though every other mapping I have works flawlessly (web ports, other weird servers on my LAN...)
 
felixka
Frequent Visitor
Posts: 58
Joined: Mon Oct 19, 2020 4:12 am
Location: Canada

Re: SSH connection issues with "fasttrack" switched off.

Sat Feb 19, 2022 9:30 pm

Yes, this is a bug and Mikrotik is fixing it in one of the coming releases.
It is also discussed here: viewtopic.php?t=177984
 
stanelie
newbie
Posts: 30
Joined: Sun Jun 03, 2012 9:32 pm

Re: SSH connection issues with "fasttrack" switched off.

Sat Feb 19, 2022 9:43 pm

Thanks!

I will wait for the fix then.

P.S. I am also on Bell Canada Fibe.
