This is the first problem I've run into where searching and testing have not been able to solve it. So time to create a forum account...
The scenario: having configured a CRS125-24G-1S [running versions 6.45.3 (firmware) 6.45.3 (packages)] following https://wiki.mikrotik.com/wiki/Manual:C ... ith_Trunks and https://wiki.mikrotik.com/wiki/Manual:C ... s_examples I noticed very poor performance to devices attached to access ports (in this case 1-6). As a step in debugging I put a sniffer inline between the port and the device I was trying to access and got the following dumps (examples, timestamps might not line up exactly).
Code:
15:02:59.766778 IP 10.250.15.100 > 10.250.2.151: ICMP echo request, id 58486, seq 1868, length 64
15:02:59.767019 IP 10.250.2.151 > 10.250.15.100: ICMP echo reply, id 58486, seq 1868, length 64
15:03:00.783420 IP 10.250.15.100 > 10.250.2.151: ICMP echo request, id 58486, seq 1869, length 64
15:03:00.783667 IP 10.250.2.151 > 10.250.15.100: ICMP echo reply, id 58486, seq 1869, length 64
15:03:01.618009 IP 10.250.2.151.443 > 10.250.15.100.40260: Flags [.], seq 138:1598, ack 1136, win 4074, length 1460
15:03:01.618601 IP 10.250.15.100.40260 > 10.250.2.151.443: Flags [.], ack 1598, win 501, length 0
15:03:01.618900 IP 10.250.2.151.443 > 10.250.15.100.40260: Flags [.], seq 3058:4518, ack 1136, win 4074, length 1460
15:03:01.619099 IP 10.250.2.151.443 > 10.250.15.100.40260: Flags [P.], seq 4518:4650, ack 1136, win 4074, length 132
15:03:01.619143 IP 10.250.2.151.443 > 10.250.15.100.40260: Flags [F.], seq 4650, ack 1136, win 4074, length 0
15:03:01.619473 IP 10.250.15.100.40260 > 10.250.2.151.443: Flags [.], ack 1598, win 501, options [nop,nop,sack 1 {4650:4651}], length 0
15:03:01.619781 IP 10.250.2.151.443 > 10.250.15.100.40260: Flags [.], seq 1598:3058, ack 1136, win 4074, length 1460
15:03:01.619843 IP 10.250.2.151.443 > 10.250.15.100.40260: Flags [.], seq 3058:4518, ack 1136, win 4074, length 1460
15:03:01.619898 IP 10.250.2.151.443 > 10.250.15.100.40260: Flags [P.], seq 4518:4650, ack 1136, win 4074, length 132
15:03:01.620217 IP 10.250.15.100.40260 > 10.250.2.151.443: Flags [.], ack 3058, win 494, options [nop,nop,sack 1 {4650:4651}], length 0
15:03:01.620417 IP 10.250.15.100.40260 > 10.250.2.151.443: Flags [.], ack 4651, win 495, length 0
15:03:01.620551 IP 10.250.15.100.40260 > 10.250.2.151.443: Flags [F.], seq 1136, ack 4651, win 501, length 0
15:03:01.620757 IP 10.250.2.151.443 > 10.250.15.100.40260: Flags [.], ack 1137, win 4074, length 0
15:03:01.639097 IP 10.250.15.100.40280 > 10.250.2.151.443: Flags [S], seq 2242431770, win 64240, options [mss 1460,sackOK,TS val 805512331 ecr 0,nop,wscale 7], length 0
15:03:01.639323 IP 10.250.15.100.40282 > 10.250.2.151.443: Flags [S], seq 2511092398, win 64240, options [mss 1460,sackOK,TS val 805512332 ecr 0,nop,wscale 7], length 0
15:03:01.639357 IP 10.250.2.151.443 > 10.250.15.100.40280: Flags [S.], seq 298937959, ack 2242431771, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
15:03:01.639523 IP 10.250.15.100.40284 > 10.250.2.151.443: Flags [S], seq 3369204088, win 64240, options [mss 1460,sackOK,TS val 805512332 ecr 0,nop,wscale 7], length 0
15:03:01.639542 IP 10.250.2.151.443 > 10.250.15.100.40282: Flags [S.], seq 302644790, ack 2511092399, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
15:03:01.639677 IP 10.250.15.100.40280 > 10.250.2.151.443: Flags [.], ack 1, win 502, length 0
15:03:01.639757 IP 10.250.2.151.443 > 10.250.15.100.40284: Flags [S.], seq 293523206, ack 3369204089, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
15:03:01.639814 IP 10.250.15.100.40282 > 10.250.2.151.443: Flags [.], ack 1, win 502, length 0
15:03:01.640104 IP 10.250.15.100.40284 > 10.250.2.151.443: Flags [.], ack 1, win 502, length 0
15:03:01.783401 IP 10.250.15.100 > 10.250.2.151: ICMP echo request, id 58486, seq 1870, length 64
15:03:01.783643 IP 10.250.2.151 > 10.250.15.100: ICMP echo reply, id 58486, seq 1870, length 64
15:03:02.806749 IP 10.250.15.100 > 10.250.2.151: ICMP echo request, id 58486, seq 1871, length 64
15:03:02.806987 IP 10.250.2.151 > 10.250.15.100: ICMP echo reply, id 58486, seq 1871, length 64
Code:
15:02:06.306721 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 575: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 0:517, ack 1, win 502, length 517
15:02:06.320055 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 575: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40148 > 10.250.2.151.443: Flags [P.], seq 0:517, ack 1, win 502, length 517
15:02:06.510098 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 575: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 0:517, ack 1, win 502, length 517
15:02:06.523914 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 575: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40148 > 10.250.2.151.443: Flags [P.], seq 0:517, ack 1, win 502, length 517
15:02:06.916732 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 575: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 0:517, ack 1, win 502, length 517
15:02:06.940033 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 575: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40148 > 10.250.2.151.443: Flags [P.], seq 0:517, ack 1, win 502, length 517
15:02:07.753921 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [.], ack 138, win 501, length 0
15:02:07.754119 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 109: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 517:568, ack 138, win 501, length 51
15:02:07.754365 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 509: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 568:1019, ack 138, win 501, length 451
15:02:07.766791 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 509: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 568:1019, ack 138, win 501, length 451
15:02:07.781233 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40148 > 10.250.2.151.443: Flags [.], ack 138, win 501, length 0
15:02:07.781488 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 109: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40148 > 10.250.2.151.443: Flags [P.], seq 517:568, ack 138, win 501, length 51
15:02:07.781707 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 549: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40148 > 10.250.2.151.443: Flags [P.], seq 568:1059, ack 138, win 501, length 491
15:02:07.793356 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 549: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40148 > 10.250.2.151.443: Flags [P.], seq 568:1059, ack 138, win 501, length 491
15:02:09.338971 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40132 > 10.250.2.151.443: Flags [.], ack 4619, win 501, length 0
15:02:09.422452 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [.], ack 1598, win 501, length 0
15:02:09.422464 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [.], ack 3058, win 495, length 0
15:02:09.423180 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [.], ack 5978, win 501, length 0
15:02:09.423363 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [.], ack 10358, win 479, length 0
15:02:09.437161 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40148 > 10.250.2.151.443: Flags [.], ack 1598, win 501, length 0
15:02:14.229096 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [.], ack 11818, win 501, length 0
15:02:14.229151 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [.], ack 13278, win 501, length 0
15:02:23.849161 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [.], ack 16198, win 495, length 0
This is on a port which is supposed to be configured with no tagged traffic (equivalent to a vlan 2 PVID). Something of possible note here: I have never seen ICMP traffic in the tagged traffic.
The configuration of the CRS follows:
Code:
/interface bridge
add admin-mac=4C:5E:0C:90:0A:41 auto-mac=no comment=defconf name=bridge protocol-mode=none
add name=system1
/interface vlan
add interface=bridge name=vlan2 vlan-id=2
add interface=bridge name=vlan3 vlan-id=3
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan15 vlan-id=15
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan4001 vlan-id=4001
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6
/interface ethernet switch trunk
add member-ports=ether23,ether24 name=3938trunk
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp1
/interface ethernet switch egress-vlan-tag
add tagged-ports=3938trunk,switch1-cpu vlan-id=2
add tagged-ports=3938trunk,switch1-cpu vlan-id=3
add tagged-ports=3938trunk,switch1-cpu vlan-id=10
add tagged-ports=3938trunk,switch1-cpu vlan-id=15
add tagged-ports=3938trunk,switch1-cpu vlan-id=20
add tagged-ports=3938trunk,switch1-cpu vlan-id=4001
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=2 ports=ether1,ether2,ether3,ether4,ether5,ether6
add customer-vid=0 new-customer-vid=4001 ports=ether22
add customer-vid=0 new-customer-vid=10 ports=ether20,ether19
/interface ethernet switch vlan
add ports=3938trunk,ether1,ether2,ether3,ether4,ether5,ether6,ether22,switch1-cpu vlan-id=2
add ports=3938trunk,switch1-cpu vlan-id=3
add ports=3938trunk,ether19,ether20,switch1-cpu vlan-id=10
add ports=3938trunk,switch1-cpu vlan-id=15
add ports=3938trunk,switch1-cpu vlan-id=20
add comment="Cell Fallback" ports=3938trunk,ether22,switch1-cpu vlan-id=4001
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.250.2.5 interface=vlan2 network=10.250.2.0
add address=10.250.3.12/24 interface=vlan3 network=10.250.3.0
add address=10.250.15.5 comment="ip for dhcp server" interface=vlan15 network=10.250.15.5
add address=10.250.10.5 comment="ip for dhcp server" interface=vlan10 network=10.250.10.5
add address=10.250.20.5 comment="ip for dhcp" interface=vlan20 network=10.250.20.5
add address=10.250.10.2 interface=vlan10 network=10.250.10.2
add address=10.250.10.3/24 interface=vlan10 network=10.250.10.0
add address=10.250.2.3/24 interface=vlan2 network=10.250.2.0
add address=10.250.15.2 comment="dns ip" interface=vlan15 network=10.250.15.2
add address=10.250.20.3/24 interface=vlan20 network=10.250.20.0
[admin@LinksCRS] >
I'm unsure if this is a MikroTik bug or if it's an outdated wiki page or if I've made an error here. Help narrowing down those possibilities would be appreciated.
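One way to quantify what the two captures show, as an added example that is not part of the original post: it counts frames that carry an 802.1Q tag per VLAN ID and lists TCP payload segments that appear more than once (retransmissions or duplicated frames), with the gap between copies. The sample lines are copied from the captures above; the function names are hypothetical, and the parser assumes tcpdump text output where tagged frames were printed with link-layer headers.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the two captures in the post (tcpdump text output).
SAMPLE = """\
15:03:01.618009 IP 10.250.2.151.443 > 10.250.15.100.40260: Flags [.], seq 138:1598, ack 1136, win 4074, length 1460
15:02:06.306721 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 575: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 0:517, ack 1, win 502, length 517
15:02:06.510098 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 575: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 0:517, ack 1, win 502, length 517
15:02:06.916732 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 575: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 0:517, ack 1, win 502, length 517
15:02:07.754365 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 509: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 568:1019, ack 138, win 501, length 451
15:02:07.766791 4c:5e:0c:90:0a:41 > 0c:c4:7a:ad:b8:d2, ethertype 802.1Q (0x8100), length 509: vlan 2, p 0, ethertype IPv4, 10.250.15.100.40146 > 10.250.2.151.443: Flags [P.], seq 568:1019, ack 138, win 501, length 451
"""

TS = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) ")
VLAN = re.compile(r"ethertype 802\.1Q \(0x8100\).*?vlan (\d+),")
FLOW = re.compile(r"(\d+(?:\.\d+){4}) > (\d+(?:\.\d+){4}): Flags")
SEQ = re.compile(r"seq (\d+):(\d+),")

def parse_line(line):
    """Timestamp, VLAN ID (None if untagged), TCP flow and seq range of one line."""
    ts = TS.match(line)
    if not ts:
        return None
    vlan, flow, seq = VLAN.search(line), FLOW.search(line), SEQ.search(line)
    return {
        "t": int(ts[1]) * 3600 + int(ts[2]) * 60 + float(ts[3]),
        "vlan": int(vlan[1]) if vlan else None,
        "flow": flow.groups() if flow else None,
        "seq": (int(seq[1]), int(seq[2])) if seq else None,
    }

def analyse(capture):
    """Count tagged frames per VLAN and find payload segments seen more than once."""
    tagged, seen = Counter(), defaultdict(list)
    for rec in filter(None, map(parse_line, capture.splitlines())):
        if rec["vlan"] is not None:
            tagged[rec["vlan"]] += 1
        if rec["flow"] and rec["seq"]:
            seen[(rec["flow"], rec["seq"])].append(rec["t"])
    # Gap in seconds between successive copies of the same segment.
    repeats = {k: [round(b - a, 3) for a, b in zip(v, v[1:])]
               for k, v in seen.items() if len(v) > 1}
    return tagged, repeats

if __name__ == "__main__":
    tagged, repeats = analyse(SAMPLE)
    print("tagged frames per VLAN:", dict(tagged))
    for (flow, seq), gaps in repeats.items():
        print(flow, seq, "seen again after (s):", gaps)
```

In the sample, the first segment reappears after about 0.2 s and then 0.4 s, the doubling pattern of a sender's retransmission timer backing off.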