 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Problems with CRS125-24G-1S-2HnD

Sun Oct 24, 2021 11:00 pm

Hello Forum,

I was trying to look for a solution to my problem, but I was not able to find any similar problem.
This is my first post here and, to be honest, I have only basic knowledge about MikroTik config. I currently have a CRS125-24G-1S-2HnD and I am facing a weird problem which appears for reasons that are not logical to me.
Sometimes the problem appears a few times per day, sometimes once every few days, but I do not remember it ever staying away for more than 1 week.
Basically, internet via cable and WiFi works fine until the problem appears. When it appears, the whole internet slows down on all connections, cable and WiFi. My connection's base statistics are around 150/15 Mbps; when the problem appears it drops to around 1,5-4/15 Mbps, as I checked at speedtest.net. The weird part is that the download speed always drops while the upload looks good; pings are usually also correct.

As I mentioned above, I'm not too good at troubleshooting MikroTiks, so please give me some instructions on how to set up logs which will be helpful and how to store them; then I will be able to provide all necessary configuration and statistics data.

Also, if I added this post in the incorrect place, please move it to the appropriate place.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problems with CRS125-24G-1S-2HnD

Mon Oct 25, 2021 6:05 am

The diagnostic of an intermittent fault is usually more art than science :D

Assuming you have a small Office-Environment, my best bet would be "Heavy Traffic"
Somewhere a User or a Computer is hogging your Network-Bandwidth
For example:
-> Windows-Update (Quite active at the moment with Win11-Rollout)
-> Dropbox, OneDrive, etc (are always a PAIN without QoS)
-> YouTube, Netflix, etc (usually a Problem during lunch-Breaks)

Mikrotik has a lot of diagnostic and Logging tools....
The Mikrotik's Wiki explains a lot of them!

But I recommend using Winbox for the first diagnostic.
You will have to observe 3 basic parameters when the problem occurs
- if Download usage of the internet-Interface nears 150
- if Upload usage of the internet-Interface nears 10
- If CPU usage Router/Switch >80%

I uploaded a Screenshot from Winbox to help you get oriented (https://ibb.co/TmWxzfw)
The Yellow-Rectangle is the actual (in real time) CPU-Usage of the Router/Switch.
The Red-Rectangle is the actual (in real time) upload usage of all interfaces.
The Green-Rectangle is the actual (in real time) download usage of all interfaces.

In my example "ether1" is the WAN interface and both Upload and download are saturated (150/10).
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Mon Oct 25, 2021 10:48 am

Conny,

Thank you for your input. In answer:
1. This is a home network, but I have a few TVs, 4 computers, 3 phones, an iPad, a NAS, and a network printer
2. Traffic managed by users - this is not a problem
3. Traffic regarding Windows 11 - no, I do not proceed with that, as I'm admin of all computers
4. YouTube, I believe, is not a problem with the standard ISP speed of 150/15

I normally configure and manage my MikroTik with Winbox.

CPU is always around 10-15%; RAM: this device has 128, and free is always around 101-102M

But I will check upload and download the next time the problem occurs, as you mentioned and showed in the attached screenshot.
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Mon Oct 25, 2021 11:47 pm

Conny,

My MikroTik had a similar issue some minutes ago. The interfaces looked like in the link, with performance also attached.
https://ibb.co/CV8SCdB
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problems with CRS125-24G-1S-2HnD

Tue Oct 26, 2021 12:27 am

Good Evening,

Do you see anything out of the ordinary in the LOG-File?

Is it possible to Post the config of the Mikrotik device?
/export hide-sensitive file=anynameyouwish
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Tue Oct 26, 2021 1:09 am

Conny, this is my current config:

was config log here

Regarding the log... I do not know exactly which one to choose and how to set it to save to disk, because in the current config after a restart I do not have anything in the log. The current config looks like this: https://ibb.co/BPfSwSr
Last edited by sprinciu on Tue Oct 26, 2021 9:23 am, edited 1 time in total.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problems with CRS125-24G-1S-2HnD

Tue Oct 26, 2021 1:21 am

You have a lot of Public-Addresses...

I have a copy of your config, you can remove the Export !
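
An added example, not part of the original posts: a Python scrubber to run over a RouterOS export before pasting it publicly, masking the kinds of values flagged in this thread (public addresses, the serial number and its `sn.mynetname.net` name). The function names, the sample export and the `# serial number = ...` header format are assumptions of this example.

```python
import ipaddress
import re

# Ranges left untouched: private (RFC 1918), loopback, link-local, unspecified.
KEEP = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?(?![\d.])")
# Assumed export header format: "# serial number = <serial>".
SERIAL_LINE = re.compile(r"^(#\s*serial number\s*=\s*)\S+", re.I | re.M)
CLOUD_NAME = re.compile(r"\b[0-9A-Za-z]+(\.sn\.mynetname\.net)\b")

# Constructed sample; 203.0.113.0/24 is a documentation range standing in for
# an ISP-assigned block.
SAMPLE_EXPORT = """\
# serial number = ABCDEF012345
/ip pool
add name=dhcp_pool1 ranges=203.0.113.10-203.0.113.20
/ip dhcp-server network
add address=203.0.113.0/24 gateway=203.0.113.1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!10.1.1.1 dst-port=80 protocol=tcp to-addresses=10.1.1.10 to-ports=80
"""

def _mask_ip(match):
    try:
        addr = ipaddress.ip_address(match.group(1))
    except ValueError:          # e.g. an octet above 255: not an address
        return match.group(0)
    if any(addr in net for net in KEEP):
        return match.group(0)
    return "PUBLIC-IP" + (match.group(2) or "")  # keep the prefix length

def scrub_export(text):
    """Mask the serial number, its cloud DDNS name and every non-private IPv4."""
    text = SERIAL_LINE.sub(r"\1REDACTED", text)
    text = CLOUD_NAME.sub(r"REDACTED\1", text)
    return IPV4.sub(_mask_ip, text)

def leftovers(text):
    """Addresses that would still be published; an empty list means none remain."""
    return [m.group(1) for m in IPV4.finditer(text) if _mask_ip(m) != m.group(0)]

if __name__ == "__main__":
    print(scrub_export(SAMPLE_EXPORT))
```

Running `leftovers()` on the scrubbed text is a quick last check before posting; LAN addresses such as 10.1.1.10 are kept so the configuration stays readable for whoever is helping.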
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Tue Oct 26, 2021 7:20 pm

As far as I know and have checked, my ISP addresses are assigned via the DHCP client on the MikroTik. And from the ISP I have only one usable public IP for my usage.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problems with CRS125-24G-1S-2HnD

Tue Oct 26, 2021 8:22 pm

Good Evening,

0. Bad News first ...
I didn't find anything in the Config, that would explain your Problems.


1. Sensitive Information (Export)
I just wanted to take the time and explain my Warning =)
The Export-File contained a WAN IP-Pool, WAN IP in the Firewall and the Mikrotik Serial-Number**.

**The Mikrotik serial-number is used with the "/IP Cloud" feature (DDNS)
XXXXXXXXXXXX.sn.mynetname.net

---------------------------------------------------------------------------
2. old config ?
I found this in your Export and I don't think it does anything..
If that is the case, maybe delete them !
/ip dhcp-server network
add address=31.11.XXX.XXX/21 gateway=31.11.XXX.XXX

/ip pool
add name=dhcp_pool1 ranges=31.11.XXX.XXX-31.11.XXX.XXX
---------------------------------------------------------------------------
3. Firewall Problem 1
I think a lot of your Firewall rules don't work properly....

Firewall rule # 33
Blocks everything from WAN (Input)
add action=drop chain=input comment="drop all from WAN" in-interface=ether1
Yet Firewall Rules #37 thru #46 are Input-Rules
or do you have Problems with port scanners and brute-force attacks from inside your network? =)

---------------------------------------------------------------------------
4. NAT
I am not 100% sure what this does ...
Do you ?

add action=dst-nat chain=dstnat comment="local via public IP to local on 80" dst-address=!10.1.1.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=10.1.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="local via public IP to local on 1280" dst-address=!10.1.1.1 dst-address-type=local dst-port=1280 protocol=tcp to-addresses=10.1.1.10 to-ports=1280
add action=dst-nat chain=dstnat comment="local via public IP to local on 8081" dst-address=!10.1.1.1 dst-address-type=local dst-port=8081 protocol=tcp to-addresses=10.1.1.10 to-ports=8081
add action=dst-nat chain=dstnat comment="local via public IP to local on 1443" dst-address=!10.1.1.1 dst-address-type=local dst-port=1443 protocol=tcp to-addresses=10.1.1.10 to-ports=1443
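
The ordering problem raised under "3. Firewall Problem 1", as an added example that is not part of the original post: a small Python check that reads an `/ip firewall filter` export and reports rules that can never match because an earlier terminating rule in the same chain already matches everything they do. Only the "drop all from WAN" rule comes from the thread; the other sample rules and the function names are constructed for illustration.

```python
import shlex

# Keys that say what a rule does or how it is labelled, not what it matches.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
                "address-list", "address-list-timeout"}
# Actions after which the packet is not passed to later rules in the chain.
TERMINATING = {"accept", "drop", "reject", "tarpit"}

# Constructed sample; only the "drop all from WAN" rule is quoted from the thread.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="drop all from WAN" in-interface=ether1
add action=add-src-to-address-list address-list=port_scanners chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=drop chain=input src-address-list=port_scanners
add action=drop chain=forward connection-state=invalid in-interface=ether1
"""

def parse_rules(export_text, section="/ip firewall filter"):
    """Return the rules of one export section, numbered from 0 in export order."""
    rules, active = [], False
    # RouterOS wraps long export lines with a trailing backslash; rejoin them.
    for line in export_text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("/"):
            active = line == section
        elif active and line.startswith("add "):
            f = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            rules.append({
                "n": len(rules), "chain": f.get("chain"),
                "action": f.get("action", "accept"),  # accept is the default action
                "disabled": f.get("disabled") == "yes",
                "match": {k: v for k, v in f.items() if k not in NON_MATCHERS},
            })
    return rules

def find_shadowed(rules):
    """Return (rule, shadowing_rule) pairs for rules that can never match."""
    # Shadowed: an earlier enabled terminating rule in the same chain has a
    # subset of this rule's matchers. Conservative: only identical matchers compare.
    live = [r for r in rules if not r["disabled"]]
    findings = []
    for i, later in enumerate(live):
        for earlier in live[:i]:
            if (earlier["chain"] == later["chain"]
                    and earlier["action"] in TERMINATING
                    and earlier["match"].items() <= later["match"].items()):
                findings.append((later["n"], earlier["n"]))
                break
    return findings

if __name__ == "__main__":
    for rule, by in find_shadowed(parse_rules(SAMPLE_EXPORT)):
        print(f"rule #{rule} can never match: shadowed by rule #{by}")
```

Rule #3 in the sample is not reported because LAN-side packets can still reach it, but the address list it reads is only ever filled by the unreachable rule #2.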
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Tue Oct 26, 2021 9:06 pm

Hi Conny again.

0. :)
1. I didn't know that the SN can somehow be used with DDNS
2. I think it is some old config - I will delete it to see what happens
3. Yes, I have a lot of FW rules; #2 is for blocking my daughter's computer, and #3-14 are also some old config from before I tried to do anything about the problem.
#33 works somehow, because even now, 6h after the last reboot, it has 12.6MiB and 186 930 packets - so I believe these are blocked connections somehow?
#37 #46 may be somehow wrongly configured - I was trying to cover my network as much as possible; maybe I did something wrong. It was also weird to me that my blacklisted address list does not have too many addresses
4. NAT: yes, I know what this is and what it is for, and I know it works :) Basically this is a special config for a special shared drive


So to summarize, maybe the problem exists because, as we both know, there are a lot of scanners in the public network, and as my rules at points #37 and #46 are not properly configured, maybe eth1 is overloaded by this kind of action?

And one more thing: I think one rule is missing from the config export, the default one "special dummy rule to show fasttrack counters", Chain: forward, Action: passthrough
Maybe this caused some problems?
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problems with CRS125-24G-1S-2HnD

Tue Oct 26, 2021 9:36 pm

If you want, I can make you a suggestion for a new Firewall

-> Simple and Clear
-> Protection against Brute-Force and Port-Scanner
-> Easily expandable

Would you like that ?



P. S: Maja and Wiola are beautiful names by the way!
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Tue Oct 26, 2021 11:57 pm

If you can suggest something it will be great. I have an open mind for anything that can help with these problems with my connection. I would like to keep all blocked addresses being added to blacklists :)

What do you think about the mentioned default rule "special dummy rule to show fasttrack counters"? Can it cause some problem? Is there any other way to delete it than "zero reset"?

P.S. Thank U :)
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problems with CRS125-24G-1S-2HnD

Wed Oct 27, 2021 1:27 am

Here is a basic Firewall for your Router
This is how it looks in Winbox : https://ibb.co/HzB6XC9

The Firewall is focused for ease of use and Diagnostic.
Yet, I don't think you will see a Performance difference.

Input (Internet--> Router)
Filter-Rules 0 thru 7 are the Filters for Internet--> Router
The Firewall will automatically block all Traffic to the Router, if
someone tries to Scan or start unwanted communication with you.
So a Scanner shouldn't even be able to see that you have ICMP and PPTP opened.
The IP of the Scanner will stay blocked until the Router restarts.

If you need to add new "accept" rules, please insert them before "Accept: Established & Related (Internet --> Router)"

Forward (Internet --> Network)
Filter-Rules 9 thru 17 are the Filters for Internet--> Network
The Firewall will show you how much Traffic each Opened Protocol generates and Block unwanted Clients.
But don't forget to create a Firewall-Rule, if you want the Blacklist to work



Firewall-Script :
/ip firewall filter
add action=passthrough chain=input comment="Traffic-Counter (Internet --> Router) " in-interface-list=WAN
add action=drop chain=input comment="Drop: Invalid (Internet --> Router) " connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="Drop: Blacklisted (Internet --> Router) " in-interface-list=WAN src-address-list=IP-Blacklist
add action=accept chain=input comment="Accept: ICMP (Internet --> Router) " connection-state=established,related,new in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="Accept: PPTP (Internet --> Router) " connection-state=established,related,new dst-port=1723 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Accept: Established & Related (Internet --> Router) " connection-state=established,related in-interface-list=WAN
add action=add-src-to-address-list address-list=IP-Blacklist address-list-timeout=none-dynamic chain=input comment="Identify and Blacklist (Internet --> Router) " in-interface-list=WAN src-address-list=!IP-Whitelist
add action=drop chain=input comment="Drop: Everything else (Internet --> Router) " in-interface-list=WAN
add action=passthrough chain=output comment="Traffic-Counter (Router --> Internet) " out-interface-list=WAN
add action=passthrough chain=forward comment="Traffic-Counter (Internet --> Network) " in-interface-list=WAN out-interface-list=LAN
add action=drop chain=forward comment="Drop: Invalid (Internet --> Network) " connection-state=invalid in-interface-list=WAN out-interface-list=LAN
add action=drop chain=forward comment="Drop: !DSTNATed (Internet --> Network) " connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop: DMZ-Blacklist (Internet --> Network) " dst-port=22,80,1280,1443,8081 in-interface-list=WAN out-interface-list=LAN protocol=tcp src-address-list=DMZ-Blacklist
add action=accept chain=forward comment="Accept: SSH (Internet --> Network) " connection-state=established,related,new dst-port=22 in-interface-list=WAN out-interface-list=LAN protocol=tcp src-address-list=!DMZ-Blacklist
add action=accept chain=forward comment="Accept: Web-Service (Internet --> Network) " connection-state=established,related,new dst-port=80 in-interface-list=WAN out-interface-list=LAN protocol=tcp src-address-list=!DMZ-Blacklist
add action=accept chain=forward comment="Accept: \?\?\?-Service (Internet --> Network) " connection-state=established,related,new dst-port=1280 in-interface-list=WAN out-interface-list=LAN protocol=tcp src-address-list=!DMZ-Blacklist
add action=accept chain=forward comment="Accept: \?\?\?-Service (Internet --> Network) " connection-state=established,related,new dst-port=1443 in-interface-list=WAN out-interface-list=LAN protocol=tcp src-address-list=!DMZ-Blacklist
add action=accept chain=forward comment="Accept: \?\?\?-Service (Internet --> Network) " connection-state=established,related,new dst-port=8081 in-interface-list=WAN out-interface-list=LAN protocol=tcp src-address-list=!DMZ-Blacklist
add action=passthrough chain=forward comment="Traffic-Counter (Network --> Internet) " in-interface-list=LAN out-interface-list=WAN
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problems with CRS125-24G-1S-2HnD

Wed Oct 27, 2021 1:29 am

What do you think about the mentioned default rule "special dummy rule to show fasttrack counters"? Can it cause some problem? Is there any other way to delete it than "zero reset"?
You have Fasttrack enabled at the moment.
That is why the dummy rule is showing.
If you use my Firewall it will disappear after a Reboot.
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Wed Oct 27, 2021 6:33 pm

Conny,

I will try to follow your firewall rules.

In the meantime I have deleted these 2 settings:
/ip dhcp-server network
add address=31.11.XXX.XXX/21 gateway=31.11.XXX.XXX

/ip pool
add name=dhcp_pool1 ranges=31.11.XXX.XXX-31.11.XXX.XXX

and..... after a reboot, done because the problem appeared again, the internet doesn't come back. I was waiting longer than usual, up to 5 min (normally around 15 sec), also performed a reboot a few times, and also rebooted the ISP modem, and nothing worked; after re-adding the mentioned settings, the internet came back immediately.

Any idea?
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problems with CRS125-24G-1S-2HnD

Wed Oct 27, 2021 9:31 pm

Didn't quite understand the last part ...

As soon as you deleted these Rules, you didn't have internet access anymore ?
/ip dhcp-server network
add address=31.11.XXX.XXX/21 gateway=31.11.XXX.XXX

/ip pool
add name=dhcp_pool1 ranges=31.11.XXX.XXX-31.11.XXX.XXX
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Wed Oct 27, 2021 11:48 pm

26.10 around 11.50pm I deleted the mentioned settings and I did not reboot the device
27.10 around 9am, so after 9 h, I had a similar internet issue as before - massive slowdown.

Normally in this situation I just click reboot in Winbox, wait 15 sec and everything works again.
But when I rebooted, the internet did not appear again. I was waiting even 5 min without effect. I made another reboot - still nothing. I rebooted another MikroTik and the ISP device - still nothing. I re-added the deleted part - the internet came back immediately.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problems with CRS125-24G-1S-2HnD

Wed Oct 27, 2021 11:50 pm

:lol:
That's weird !
That doesn't make any sense !
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Sat Oct 30, 2021 9:04 pm

Because this config was basically made from the default configuration with changes to adjust it for my purpose, and because of this periodic WAN speed problem, I decided to reset the device and configure it again. I have not yet decided which way I will go - reset to zero or reset to default.
My point here is that maybe the WAN speed is some deep problem, because at some stage there was some configuration which is not supported by the newer OS, and that's why I have these WAN problems... As you don't see any problems in the config file, and as you mentioned it is weird that I lost the WAN connection after deleting these two hypothetically unneeded records about DHCP and pool, I think it is a good way to move on somehow from the point where I'm currently stuck...

You already provided me a firewall config; I believe I should be able to just paste it into the terminal and all the configuration will be added automatically - am I right?

I'm also not sure that I will be able to correctly define the whole structure of bridge and ethernet ports, but there is always the option to reset to default settings.

Also, I think that from the config which I shared with you I will be able to cut out the part about NAT and static IP/DHCP leases and also paste it into the terminal to add it automatically - I hope I'm right about that too
 
sprinciu
just joined
Topic Author
Posts: 12
Joined: Tue Oct 12, 2021 7:57 pm

Re: Problems with CRS125-24G-1S-2HnD

Mon Nov 08, 2021 6:06 pm

:lol:
That's weird !
That doesn't make any sense !
As I mentioned before, I decided to reset my device to default. I also got in contact with one of my colleagues, who suggested I use Netinstall to refresh the firmware on the device, which I also did.
At this moment the device is after Netinstall, reset to the default configuration, and adjusted to my network configuration. I also decided to use other FW rules.
It looked like it should solve the problems.... Unfortunately, today the problem occurred again....

Do you have any suggestions regarding how to set up log collection from the device to be able to find where the problem is?
