I have a fairly simple setup with a CRS125 for home use. I am having an issue with just my TV. Intermittently the internet does not work. When I look at the interface the TV is on, it appears to be passing traffic in both directions. For some strange reason is I torch the port, than internet starts working. If I turn the torch off, than the internet stops. I have tried everything, and I am at a loss. Any help would be appreciated. Let me know if you need additional info.

CRSs are mainly made for switching, they can also be used as routers, but I suggest to take a RB750 and let it do routing stuff, while CRS does only switching.

So, are you saying in general the CRS series is a little buggy when it comes to being a router? If I were to use an rb3011 for routing would it be less likely to exhibit some of these anomalies I have been encountering?

Please list your configuration (/export hide-sensitive compact) so it's clear what config you've got.

FYI: based on your description, sounds like a config issue.

Here is my config. Any help would be greatly appreciated. I have been pulling my hair our with this one device!

Here is my config. Any help would be greatly appreciated. I have been pulling my hair our with this one device!

Code: Select all

# dec/26/2018 18:12:51 by RouterOS 6.42.10
# software id = RUX4-KZDK
#
# model = CRS125-24G-1S
# serial number = 63220561215C
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether8 ] advertise=100M-half,100M-full
set [ find default-name=ether24 ] disabled=yes
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=yes local-forwarding=no name=\
    datapath1
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=Main
/caps-man configuration
add channel.band=2ghz-b/g/n country="united states3" datapath=datapath1 mode=\
    ap name=JVL_2GEXT rx-chains=0,1,2 security=Main ssid=JVL_2GEXT tx-chains=\
    0,1,2
add channel.band=5ghz-a/n/ac country="united states3" datapath=datapath1 \
    datapath.client-to-client-forwarding=no mode=ap name=JVL_5GEXT rx-chains=\
    0,1,2 security=Main ssid=JVL_5GEXT tx-chains=0,1,2
/caps-man interface
add channel.extension-channel=Ce configuration=JVL_2GEXT disabled=no l2mtu=\
    1600 mac-address=CC:2D:E0:02:C5:86 master-interface=none name=AP1-1 \
    radio-mac=CC:2D:E0:02:C5:86
add channel.extension-channel=eeeC configuration=JVL_5GEXT disabled=no l2mtu=\
    1600 mac-address=CC:2D:E0:02:C5:87 master-interface=none name=AP1-2 \
    radio-mac=CC:2D:E0:02:C5:87
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=26 name=1400MTU value="'5c0'"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.200-192.168.0.254
add name=vpn_pool ranges=192.168.1.2-192.168.1.10
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 name=openvpn-test \
    use-encryption=yes
/interface l2tp-client
add connect-to=turk.torguardvpnaccess.com disabled=no name="TorGuard L2TP" \
    profile=default use-ipsec=yes user=**************************
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-enabled master-configuration=JVL_2GEXT name-format=identity
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 disabled=yes interface=ether24
add bridge=bridge1 interface=sfp1
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set default-profile=openvpn-test use-ipsec=yes
/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge1 list=LAN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
/ip dhcp-server lease
add address=192.168.0.80 comment="Vera1 - Home Automation Controller" \
    mac-address=D4:21:22:C0:2A:8A server=dhcp1
add address=192.168.0.25 client-id=1:0:c:29:6f:8f:2b comment=\
    "Trinity - Webserver" mac-address=00:0C:29:6F:8F:2B server=dhcp1
add address=192.168.0.150 comment="Website Gateway - Owncloud" mac-address=\
    00:0C:29:B2:0B:44 server=dhcp1
add address=192.168.0.60 client-id=1:0:c:29:c0:cc:b5 comment=\
    "APOC - HMail Server" mac-address=00:0C:29:C0:CC:B5 server=dhcp1
add address=192.168.0.20 comment=OnlyOffice mac-address=00:0C:29:F6:10:39 \
    server=dhcp1
add address=192.168.0.75 comment="Media - Plex, Subsonic" mac-address=\
    00:0C:29:A3:7C:C5 server=dhcp1
add address=192.168.0.15 client-id=1:0:e0:81:b7:7:12 comment=Zion \
    mac-address=00:E0:81:B7:07:12 server=dhcp1
add address=192.168.0.110 client-id=1:0:c:29:b:16:90 comment=\
    "SVN - Visual SVN Server" mac-address=00:0C:29:0B:16:90 server=dhcp1
add address=192.168.0.35 comment=Wordpress mac-address=00:0C:29:17:9F:34 \
    server=dhcp1
add address=192.168.0.135 comment=Download mac-address=00:0C:29:59:CA:C2 \
    server=dhcp1
add address=192.168.0.200 mac-address=3C:EF:8C:68:BF:36 server=dhcp1
add address=192.168.0.235 mac-address=C4:34:6B:41:4C:39 server=dhcp1
add address=192.168.0.190 client-id=1:ac:9b:a:ae:48:5 mac-address=\
    AC:9B:0A:AE:48:05 server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.10,8.8.8.8,8.8.4.4 domain=\
    core.joshandmonique.com gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.0.10,8.8.8.8,8.8.4.4
/ip firewall address-list
add address=XXX.XXX.XXX.XXX list=NMSLabs
add address=192.168.0.0/24 list="Internal Network"
add address=192.168.0.130-192.168.0.135 list="Route TorGuard"
/ip firewall filter
add action=drop chain=forward comment=\
    "OUTSIDE - drop invalid connection states" connection-state=invalid \
    in-interface=ether1-WAN log=yes log-prefix="INVALID -->"
add action=fasttrack-connection chain=forward comment=\
    "OUTSIDE -  accept valid connection states" connection-mark=!ipsec \
    connection-state=established,related log-prefix=VALID
add action=accept chain=forward comment=\
    "OUTSIDE -  accept valid connection states" connection-state=\
    established,related in-interface=ether1-WAN log-prefix=VALID
add action=accept chain=forward dst-port=80,443,85,8085 in-interface=\
    ether1-WAN protocol=tcp
add action=accept chain=forward dst-port=3389 in-interface=ether1-WAN \
    protocol=tcp src-address-list=NMSLabs
add action=accept chain=forward dst-port=22 in-interface=ether1-WAN protocol=\
    tcp src-address-list=NMSLabs
add action=accept chain=forward dst-port=143,2500 in-interface=ether1-WAN \
    protocol=tcp
add action=accept chain=forward dst-port=31099 in-interface=ether1-WAN \
    protocol=tcp
add action=accept chain=forward dst-port=32400 protocol=tcp
add action=accept chain=forward dst-port=554,8888 in-interface=ether1-WAN \
    protocol=tcp
add action=drop chain=forward comment=\
    "OUTSIDE - drop traffic that does not have a rule" in-interface=\
    ether1-WAN log=yes log-prefix="DROPED ----->"
add action=drop chain=input comment="TO_ROUTER - Drop Invalid connections" \
    connection-state=invalid in-interface=ether1-WAN log=yes log-prefix=\
    "DROP INVALID (INPUT) -->"
add action=accept chain=input comment=\
    "TO_ROUTER - Accept Related/Established connections" connection-state=\
    established,related in-interface=ether1-WAN
add action=accept chain=input disabled=yes dst-port=22 in-interface=\
    ether1-WAN protocol=tcp src-address-list=NMSLabs
add action=accept chain=input dst-port=8080 in-interface=ether1-WAN protocol=\
    tcp src-address-list=NMSLabs
add action=accept chain=input src-address-list="Internal Network"
add action=drop chain=input comment="INPUT - Drop all other traffic" \
    in-interface=ether1-WAN log=yes log-prefix="DROP (INPUT) --->"
/ip firewall mangle
add action=mark-connection chain=input ipsec-policy=in,ipsec log-prefix=\
    "MARK CONNECTION ---->" new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=output ipsec-policy=out,ipsec log-prefix=\
    "MARK CONNECTION ---->" new-connection-mark=ipsec passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=TORGUARD \
    passthrough=yes src-address-list="Route TorGuard"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="TorGuard L2TP"
add action=masquerade chain=srcnat disabled=yes src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address-type=local dst-port=3389 \
    protocol=tcp to-addresses=192.168.0.15 to-ports=3389
add action=dst-nat chain=dstnat dst-address-type=local dst-port=143 protocol=\
    tcp to-addresses=192.168.0.60 to-ports=143
add action=masquerade chain=srcnat comment="Email Rules" dst-address=\
    192.168.0.60 out-interface=bridge1 protocol=tcp src-port=143,2500
add action=dst-nat chain=dstnat dst-address-type=local dst-port=2500 \
    protocol=tcp to-addresses=192.168.0.60 to-ports=2500
add action=dst-nat chain=dstnat dst-address-type=local dst-port=22 protocol=\
    tcp to-addresses=192.168.0.35 to-ports=22
add action=masquerade chain=srcnat comment=\
    "Website Rules - Owncloud, Plex, Subsonic, Webmail" dst-address=\
    192.168.0.150 out-interface=bridge1 protocol=tcp src-port=80,443
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=\
    tcp to-addresses=192.168.0.150 to-ports=80
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=\
    tcp to-addresses=192.168.0.150 to-ports=443
add action=dst-nat chain=dstnat comment="SageTV - Placeshifter" \
    dst-address-type=local dst-port=31099 protocol=tcp to-addresses=\
    192.168.0.15 to-ports=31099
add action=dst-nat chain=dstnat comment=Plex dst-address-type=local dst-port=\
    32400 protocol=tcp to-addresses=192.168.0.15 to-ports=32400
add action=dst-nat chain=dstnat comment=Wishingwell dst-address-type=local \
    dst-port=8085 protocol=tcp to-addresses=192.168.0.25 to-ports=8085
add action=dst-nat chain=dstnat comment=Signoutloud dst-address-type=local \
    dst-port=85 protocol=tcp to-addresses=192.168.0.25 to-ports=85
add action=dst-nat chain=dstnat comment=Camera disabled=yes dst-address-type=\
    local dst-port=554 protocol=tcp to-addresses=192.168.0.200 to-ports=554
add action=dst-nat chain=dstnat comment=Camera disabled=yes dst-address-type=\
    local dst-port=8888 protocol=tcp to-addresses=192.168.0.200 to-ports=80
/ip ipsec peer
add address=0.0.0.0/0 generate-policy=port-override passive=yes
/ip route
add distance=1 gateway="TorGuard L2TP" routing-mark=TORGUARD
add distance=2 routing-mark=TORGUARD type=blackhole
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24 port=8080
set api address=192.168.0.0/24
set winbox address=192.168.0.0/24
set api-ssl address=192.168.0.0/24
/system clock
set time-zone-name=America/New_York
/system logging
add disabled=yes prefix="L2TPDBG===>" topics=l2tp
add disabled=yes prefix="IPSECDBG===>" topics=ipsec
add prefix="OpenVPN ---->" topics=ovpn
/system package update
set channel=long-term
/system routerboard settings
set silent-boot=no

I think it's because you have both wpa and wpa2 configured.
With both configured, for example, sometimes iPhones disconnects and don't reconnect.
Try to remove wpa and tkip.

I will make that change. But the issue is for wired connection not wifi.

Is your tv going over the torguard vpn connection? Current setup is relying in mangling for route selection, BUT once it's fasttracked mangling can't be applied and connection will die...

Some other remarks:
* "local-forwarding=no" intentional? all traffic needs to go through capsman
* "/interface detect-internet" is often causing issues, unless needed disable

I will make that change. But the issue is for wired connection not wifi.

Except for firewall rules I don't see nothing strange or that can block your TV.
You can:
1. Try to disable firewall and see if the problem happens again
2. Try to disable "Bridge fast path" in /bridge settings, I had some problems with it enabled.

Is your tv going over the torguard vpn connection? Current setup is relying in mangling for route selection, BUT once it's fasttracked mangling can't be applied and connection will die...

Some other remarks:
* "local-forwarding=no" intentional? all traffic needs to go through capsman
* "/interface detect-internet" is often causing issues, unless needed disable

You nailed it!!! "/interface detect-internet" was the issue. Thank you so much. I have been looking into this issue for months. Not sure why this was causing such sporadic issues. Most of my devices were able to get to the internet without issue. I removed the the detect internet. Added the dhcp client to ether-1 manually, Added default route to ether-1 and bingo, the TV was working fine. My wifi internet even increased in speed by 30-40 mbps????

Next I will see if I can get the local forwarding working on the wifi. I am thinking I could not get it to work properly because of the internet issues I was having.

Thank you again!!!!