Hi

first time user of mikrotik, I was super excited when they announce the router since I was schedule for a 40g internet installed with a 100g LAN.
CCR2216-1G-12XS-2XQ firmware version 7.2.3 and downgraded to 7.1.5 still same issues
unfortunately the router keeps rebooting, and without even pushing it, im a home user and my highest speed in any pc is 10g.

the router reboots with a 2% load cpu and a traffic of 20MB/s

WHAT TO DO??????

thank you very much for any pointers, I have never had such a failure in a unit like this.
very disappointing

Are there any hints in the log? Kernel panic? Watchdog reboot? Out of memory condition?

Did you submit autosupout.rif to support?

I am experiencing reboots on 7.2.3 on smaller devices and they are gone in 7.3rc2.. not sure why.

Are there any hints in the log? Kernel panic? Watchdog reboot? Out of memory condition?

Did you submit autosupout.rif to support?

I am experiencing reboots on 7.2.3 on smaller devices and they are gone in 7.3rc2.. not sure why.

I just tried with the 7.2.3 fw as well
same result it did reboot at the 12 minute mark

this is my firt experience with mikrotik, I will submit a ticket with the autosuport.rif
no idea how to vie log before the crash or what causes it


log says the following error
router rebooted without proper shutdown, probably power outage

Did you upgrade both RouterOS and firmware?
Could it be power related? Have you tried with a different power cable?

You try to change PSU used or both are powered?

I am experiencing reboots on 7.2.3 on smaller devices and they are gone in 7.3rc2.. not sure why.

Because newer versions usually contains improvements and fixes.
For mercer2, please try latest 7.3 and see if issue is still there.

You try to change PSU used or both are powered?

both psu are powered in different power strips

with 2 x eaton 9px3000rt online ups
and 2 x eaton epdu g3 managed pdu's

I am experiencing reboots on 7.2.3 on smaller devices and they are gone in 7.3rc2.. not sure why.

Because newer versions usually contains improvements and fixes.
For mercer2, please try latest 7.3 and see if issue is still there.

I have tried:

7.1.5
7.2.3
7.3rc2

only thing left to try is a 7.4beta2
should I try that beta?

Because newer versions usually contains improvements and fixes.
For mercer2, please try latest 7.3 and see if issue is still there.

I have tried:

7.1.5
7.2.3
7.3rc2

only thing left to try is a 7.4beta2
should I try that beta?

Ok I tried the beta same results?


anything else I can proactively try, while waiting for support to answer my request from yesterday?

do not alter or change the order:
1a) export backup on .rsc file and save on another support
1b) make also unencrypted .backup and save on another support
1c) export certificates, if any, dude database, if any, user-manager database, if any, ssh host key, if any, any other file, if any, on another support
2) install last 7.3 "stable"
3) upgrade RouterBOOT on System / RouterBOARD to 7.3
4) With NetInstall 7.3 netinstall the RouterBOARD again with 7.3 "stable" (yes, again, but is all clean inside, on this way)
5) Import MANUALLY section-by-section the .rsc back to RouterBOARD, do not use "import" or similar.
Using section-by-section if you have some import error, you read it on terminal clearly, and you can fix that.

do not alter or change the order:
1a) export backup on .rsc file and save on another support
1b) make also unencrypted .backup and save on another support
1c) export certificates, if any, dude database, if any, user-manager database, if any, ssh host key, if any, any other file, if any, on another support
2) install last 7.3 "stable"
3) upgrade RouterBOOT on System / RouterBOARD to 7.3
4) With NetInstall 7.3 netinstall the RouterBOARD again with 7.3 "stable" (yes, again, but is all clean inside, on this way)
5) Import MANUALLY section-by-section the .rsc back to RouterBOARD, do not use "import" or similar.
Using section-by-section if you have some import error, you read it on terminal clearly, and you can fix that.

Thank you rextended I will try it tonight when family is sleeping

ok was able to do the netinstall firware
did section by section.no errors

same results. reboots once i do a bit of traffic and cpu reaches 10% or more

also the booting gets more frequent as time goes by. until a do a firmware install

Can you export and post your config so others can see what is configured on the device?

here
did the export file=backup on cli terminal

# jun/09/2022 10:31:30 by RouterOS 7.1.5
# software id = 7FVH-2MA8
#
# model = CCR2216-1G-12XS-2XQ
# serial number = HCB086xxxxxxxxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=qsfp28-1-1 ] auto-negotiation=no speed=40Gbps
set [ find default-name=qsfp28-1-4 ] speed=40Gbps
set [ find default-name=qsfp28-2-1 ] fec-mode=fec91 rx-flow-control=auto \
tx-flow-control=auto
/interface vlan
add interface=bridge1 name=Audio vlan-id=10
add interface=bridge1 name=CCTV vlan-id=8
add interface=bridge1 name=Power vlan-id=2
add interface=bridge1 name=Servers vlan-id=3
add interface=bridge1 name=VOIP vlan-id=7
add interface=bridge1 name=ioT vlan-id=4
add interface=bridge1 name=vlan1 vlan-id=1
/interface list
add name=WAN
add name=LAN
add name=Guest
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool3 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool4 ranges=192.168.7.2-192.168.7.254
add name=dhcp_pool5 ranges=192.168.8.2-192.168.8.254
add name=dhcp_pool6 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 interface=Power name=dhcp2
add address-pool=dhcp_pool2 interface=Servers name=dhcp3
add address-pool=dhcp_pool3 interface=ioT name=dhcp4
add address-pool=dhcp_pool4 interface=VOIP name=dhcp5
add address-pool=dhcp_pool5 interface=CCTV name=dhcp6
add address-pool=dhcp_pool6 interface=Audio name=dhcp7
/port
set 0 name=serial0
/system logging action
set 3 remote=192.168.1.217
add name=syslogserver remote=192.168.1.254 remote-port=1468 src-address=\
192.168.1.1 target=remote
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=qsfp28-2-1
add bridge=bridge1 interface=qsfp28-2-2
add bridge=bridge1 interface=qsfp28-2-3
add bridge=bridge1 interface=qsfp28-2-4
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
add bridge=bridge1 interface=sfp28-3
add bridge=bridge1 interface=sfp28-4
add bridge=bridge1 interface=sfp28-5
add bridge=bridge1 interface=sfp28-6
add bridge=bridge1 interface=sfp28-7
add bridge=bridge1 interface=sfp28-8
add bridge=bridge1 interface=sfp28-9
add bridge=bridge1 interface=sfp28-10
add bridge=bridge1 interface=sfp28-11
add bridge=bridge1 interface=sfp28-12
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all internet-interface-list=all wan-interface-list=\
dynamic
/interface list member
add interface=qsfp28-1-1 list=WAN
add interface=bridge1 list=LAN
add interface=ether1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=xxxxmy wan static IP addresssxxxxx/29 interface=qsfp28-1-1 network=xxxxmy wan static IP addresssxxxxx
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.2.1/24 interface=Power network=192.168.2.0
add address=192.168.3.1/24 interface=Servers network=192.168.3.0
add address=192.168.4.1/24 interface=ioT network=192.168.4.0
add address=192.168.7.1/24 interface=VOIP network=192.168.7.0
add address=192.168.8.1/24 interface=CCTV network=192.168.8.0
add address=192.168.10.1/24 interface=Audio network=192.168.10.0
/ip dhcp-server lease
add address=192.168.1.124 mac-address=00:0D:5D:18:2B:7C
add address=192.168.1.6 mac-address=5C:F9:DD:FE:0A:02
add address=192.168.1.14 mac-address=D0:B5:C2:E4:1F:2F
add address=192.168.1.23 mac-address=34:AF:B3:31:87:57
add address=192.168.1.45 mac-address=E0:DA:DC:07:12:80
add address=192.168.1.46 mac-address=00:90:27:ED:D6:FC
add address=192.168.1.49 mac-address=00:0C:29:FF:9A:4F
add address=192.168.1.50 mac-address=A4:BB:6D:40:64:03
add address=192.168.1.54 mac-address=00:15:26:05:76:B5
add address=192.168.1.58 mac-address=D0:B5:C2:E3:07:DA
add address=192.168.1.89 mac-address=00:08:9B:DB:87:7D
add address=192.168.1.93 mac-address=7C:1E:B3:01:E4:F2
add address=192.168.1.111 mac-address=D0:B5:C2:E3:08:A4
add address=192.168.1.132 mac-address=CC:D2:81:6A:DF:F9
add address=192.168.1.142 mac-address=D0:B5:C2:E3:03:08
add address=192.168.1.157 mac-address=14:2F:FD:14:AE:A7
add address=192.168.1.174 mac-address=D0:B5:C2:E4:23:05
add address=192.168.1.175 mac-address=DC:56:E7:4D:5F:2E
add address=192.168.1.178 mac-address=3C:61:05:E4:E3:63
add address=192.168.1.182 mac-address=D0:B5:C2:E3:0A:0A
add address=192.168.1.197 mac-address=20:91:48:29:57:6C
add address=192.168.1.213 mac-address=E8:DB:84:D6:3B:B2
add address=192.168.1.215 mac-address=00:15:26:05:59:80
add address=192.168.1.216 mac-address=30:E2:83:E1:2B:FD
add address=192.168.1.218 mac-address=00:08:9B:E5:D1:60
add address=192.168.1.226 mac-address=20:91:48:29:60:80
add address=192.168.1.227 mac-address=E8:DB:84:D6:44:AE
add address=192.168.1.230 mac-address=00:50:58:70:04:F0
add address=192.168.1.231 mac-address=00:08:7B:1A:41:17
add address=192.168.1.232 mac-address=7C:1E:B3:F0:ED:72
add address=192.168.1.233 mac-address=7C:1E:B3:02:69:23
add address=192.168.1.240 mac-address=40:CB:C0:BC:EF:7F
add address=192.168.1.241 mac-address=00:08:E1:05:B6:1D
add address=192.168.1.244 mac-address=3C:61:05:E3:A9:8C
add address=192.168.2.4 mac-address=00:20:85:E7:80:3B
add address=192.168.2.5 mac-address=00:20:85:E0:48:EF
add address=192.168.2.9 mac-address=00:20:85:E9:DA:BB
add address=192.168.2.10 mac-address=00:20:85:E9:DA:CD
add address=192.168.3.2 client-id=1:24:5e:be:37:70:2e mac-address=\
24:5E:BE:37:70:2E server=dhcp3
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1
add address=192.168.4.0/24 gateway=192.168.4.1
add address=192.168.7.0/24 gateway=192.168.7.1
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.200.0/24 gateway=192.168.200.0 netmask=24
/ip dns
set servers=1.1.1.1
/ip firewall filter
add action=reject chain=input dst-address=xxxxmy wan static IP addresssxxxxx dst-port=80 \
protocol=tcp reject-with=icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=CCTV dst-address=xxxxmy wan static IP addresssxxxxx \
dst-port=81 protocol=tcp to-addresses=192.168.1.50 to-ports=81
add action=dst-nat chain=dstnat comment=RTI dst-address=xxxxmy wan static IP addresssxxxxx \
dst-port=4110 protocol=tcp to-addresses=192.168.1.215 to-ports=4110
add action=dst-nat chain=dstnat comment="cloud key 2" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=8843 protocol=tcp to-addresses=192.168.1.15 \
to-ports=8843
add action=dst-nat chain=dstnat comment="crestron processor 3" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=41800 protocol=tcp to-addresses=192.168.1.200 \
to-ports=41800
add action=dst-nat chain=dstnat comment=RTRR dst-address=xxxxmy wan static IP addresssxxxxx \
dst-port=8899 protocol=tcp to-addresses=192.168.3.2 to-ports=8899
add action=dst-nat chain=dstnat comment=plex dst-address=xxxxmy wan static IP addresssxxxxx \
dst-port=32400 protocol=tcp to-addresses=192.168.1.49 to-ports=32400
add action=dst-nat chain=dstnat comment="crestron processor 4" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=41622 protocol=tcp to-addresses=192.168.1.200 \
to-ports=41622
add action=dst-nat chain=dstnat comment="crestron processor 2" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=41794-41799 protocol=tcp to-addresses=\
192.168.1.201 to-ports=41794-41799
add action=dst-nat chain=dstnat comment="crestron processor 1" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=8081 protocol=tcp to-addresses=192.168.1.200 \
to-ports=8081
add action=dst-nat chain=dstnat comment="cloud key 4" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=1001 protocol=tcp to-addresses=192.168.1.15 \
to-ports=1001
add action=dst-nat chain=dstnat comment="cloud key qnap" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=8080 protocol=tcp to-addresses=192.168.1.15 \
to-ports=8080
add action=dst-nat chain=dstnat comment="cloud key 3" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=3478 protocol=tcp to-addresses=192.168.1.15 \
to-ports=3478
/ip firewall service-port
set ftp disabled=yes
/ip route
add comment="Just Add Power" disabled=no distance=1 dst-address=10.0.0.0/8 \
gateway=192.168.1.100 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
xxxxmy wan static IP addresssxxxxx routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Chicago
/system logging
set 3 action=remote
add action=remote topics=critical,debug,error,system,info
/system package update
set channel=long-term
/tool graphing interface
add
/tool graphing resource
add
/tool traffic-monitor
add interface=qsfp28-1-1 name=tmon1 threshold=1000000000

I see that your 192.168.1.x pool includes 192.168.1.1 which is already assigned to the router itself. It would not cause reboots, but should be fixed.

The CCR devices do not come with a default firewall and so you must add one. I only see one firewall rule so you should work on that

https://help.mikrotik.com/docs/display/ ... t+Firewall

If somehow your router is already compromised, you might want to clean up and secure your config then netinstall the device with the clean/secure config (while not connected to the internet).

consider retiring ether1 from bridge, i think is a best practice not mix this cpu management interface with hardware-accelerated ones in a bridge

try action=drop instead reject on firewall rule

try disabling traffic-monitor

Try disabling detect-internet

ok fixed the firewall,
fixed the dhcp ip pool
change to drop
disabled internet

had a mikrotik consultant help me fixed it, and no reboots in 24 hours so far.

thank you all very much

is possible to have an export for compare the two configurations, before and after?

is possible to have an export for compare the two configurations, before and after?

sure here it is

Grazie mille per il vostro aiuto

# jun/11/2022 02:40:13 by RouterOS 7.1.5
# software id = 7FVH-2MA8
#
# model = CCR2216-1G-12XS-2XQ
# serial number = xxxxxxxxxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=qsfp28-1-1 ] auto-negotiation=no speed=40Gbps
set [ find default-name=qsfp28-1-4 ] speed=40Gbps
set [ find default-name=qsfp28-2-1 ] fec-mode=fec91 rx-flow-control=auto \
tx-flow-control=auto
/interface vlan
add interface=bridge1 name=Audio vlan-id=10
add interface=bridge1 name=CCTV vlan-id=8
add interface=bridge1 name="Main Network" vlan-id=1
add interface=bridge1 name=Power vlan-id=2
add interface=bridge1 name=Servers vlan-id=3
add interface=bridge1 name=VOIP vlan-id=7
add interface=bridge1 name=ioT vlan-id=4
/interface list
add name=WAN
add name=LAN
add name=Guest
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool3 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool4 ranges=192.168.7.2-192.168.7.254
add name=dhcp_pool5 ranges=192.168.8.2-192.168.8.254
add name=dhcp_pool6 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 interface=Power name=dhcp2
add address-pool=dhcp_pool2 interface=Servers name=dhcp3
add address-pool=dhcp_pool3 interface=ioT name=dhcp4
add address-pool=dhcp_pool4 interface=VOIP name=dhcp5
add address-pool=dhcp_pool5 interface=CCTV name=dhcp6
add address-pool=dhcp_pool6 interface=Audio name=dhcp7
/port
set 0 name=serial0
/queue simple
add disabled=yes max-limit=4G/4G name=queue1 target=192.168.1.106/32
/system logging action
set 3 remote=192.168.1.217
add name=syslogserver remote=192.168.1.254 remote-port=1468 src-address=\
192.168.1.1 target=remote
/interface bridge port
add bridge=bridge1 interface=qsfp28-2-1
add bridge=bridge1 interface=qsfp28-2-2
add bridge=bridge1 interface=qsfp28-2-3
add bridge=bridge1 interface=qsfp28-2-4
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
add bridge=bridge1 interface=sfp28-3
add bridge=bridge1 interface=sfp28-4
add bridge=bridge1 interface=sfp28-5
add bridge=bridge1 interface=sfp28-6
add bridge=bridge1 interface=sfp28-7
add bridge=bridge1 interface=sfp28-8
add bridge=bridge1 interface=sfp28-9
add bridge=bridge1 interface=sfp28-10
add bridge=bridge1 interface=sfp28-11
add bridge=bridge1 interface=sfp28-12
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=qsfp28-1-1 list=WAN
add interface=bridge1 list=LAN
add interface=ether1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=xxxxmy wan static IP addresssxxxxx/29 interface=qsfp28-1-1 network=2xxxxxxxxxxxx
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.2.1/24 interface=Power network=192.168.2.0
add address=192.168.3.1/24 interface=Servers network=192.168.3.0
add address=192.168.4.1/24 interface=ioT network=192.168.4.0
add address=192.168.7.1/24 interface=VOIP network=192.168.7.0
add address=192.168.8.1/24 interface=CCTV network=192.168.8.0
add address=192.168.10.1/24 interface=Audio network=192.168.10.0
/ip dhcp-server lease
add address=192.168.1.124 mac-address=00:0D:5D:18:2B:7C
add address=192.168.1.6 mac-address=5C:F9:DD:FE:0A:02
add address=192.168.1.14 mac-address=D0:B5:C2:E4:1F:2F
add address=192.168.1.23 mac-address=34:AF:B3:31:87:57
add address=192.168.1.45 mac-address=E0:DA:DC:07:12:80
add address=192.168.1.46 mac-address=00:90:27:ED:D6:FC
add address=192.168.1.49 mac-address=00:0C:29:FF:9A:4F
add address=192.168.1.50 mac-address=A4:BB:6D:40:64:03
add address=192.168.1.54 mac-address=00:15:26:05:76:B5
add address=192.168.1.58 mac-address=D0:B5:C2:E3:07:DA
add address=192.168.1.89 mac-address=00:08:9B:DB:87:7D
add address=192.168.1.93 mac-address=7C:1E:B3:01:E4:F2
add address=192.168.1.111 mac-address=D0:B5:C2:E3:08:A4
add address=192.168.1.132 mac-address=CC:D2:81:6A:DF:F9
add address=192.168.1.142 mac-address=D0:B5:C2:E3:03:08
add address=192.168.1.157 mac-address=14:2F:FD:14:AE:A7
add address=192.168.1.174 mac-address=D0:B5:C2:E4:23:05
add address=192.168.1.175 mac-address=DC:56:E7:4D:5F:2E
add address=192.168.1.178 mac-address=3C:61:05:E4:E3:63
add address=192.168.1.182 mac-address=D0:B5:C2:E3:0A:0A
add address=192.168.1.197 mac-address=20:91:48:29:57:6C
add address=192.168.1.213 mac-address=E8:DB:84:D6:3B:B2
add address=192.168.1.215 mac-address=00:15:26:05:59:80
add address=192.168.1.216 mac-address=30:E2:83:E1:2B:FD
add address=192.168.1.218 mac-address=00:08:9B:E5:D1:60
add address=192.168.1.226 mac-address=20:91:48:29:60:80
add address=192.168.1.227 mac-address=E8:DB:84:D6:44:AE
add address=192.168.1.230 mac-address=00:50:58:70:04:F0
add address=192.168.1.231 mac-address=00:08:7B:1A:41:17
add address=192.168.1.232 mac-address=7C:1E:B3:F0:ED:72
add address=192.168.1.233 mac-address=7C:1E:B3:02:69:23
add address=192.168.1.240 mac-address=40:CB:C0:BC:EF:7F
add address=192.168.1.241 mac-address=00:08:E1:05:B6:1D
add address=192.168.1.244 mac-address=3C:61:05:E3:A9:8C
add address=192.168.2.4 mac-address=00:20:85:E7:80:3B
add address=192.168.2.5 mac-address=00:20:85:E0:48:EF
add address=192.168.2.9 mac-address=00:20:85:E9:DA:BB
add address=192.168.2.10 mac-address=00:20:85:E9:DA:CD
add address=192.168.3.2 client-id=1:24:5e:be:37:70:2e mac-address=\
24:5E:BE:37:70:2E server=dhcp3
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1
add address=192.168.4.0/24 gateway=192.168.4.1
add address=192.168.7.0/24 gateway=192.168.7.1
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.200.0/24 gateway=192.168.200.0 netmask=24
/ip dns
set servers=1.1.1.1
/ip firewall address-list
add address=192.168.1.0/24 list=allow-ip
/ip firewall filter
add action=drop chain=input dst-address=xxxxmy wan static IP addresssxxxxx dst-port=80 protocol=\
tcp
add action=tarpit chain=input dst-port=30553 protocol=tcp
add action=add-src-to-address-list address-list=allow-ip \
address-list-timeout=1h chain=input packet-size=1083 protocol=icmp
add action=accept chain=input src-address-list=allow-ip
add action=accept chain=input comment="CCTV Blue Irisi" dst-port=81 protocol=\
tcp
add action=accept chain=input comment=RTI dst-port=4110 protocol=tcp
add action=accept chain=input comment="Bria VOIP" dst-port=5060 protocol=tcp
add action=accept chain=input comment=Plex dst-port=32400 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input dst-port=53,8728,8729,21,22,23,80,443,8291 \
protocol=tcp
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid,new,untracked
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=CCTV dst-address=xxxxmy wan static IP addresssxxxxx \
dst-port=81 protocol=tcp to-addresses=192.168.1.50 to-ports=81
add action=dst-nat chain=dstnat comment="Bria VOIP" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=5060 log=yes protocol=tcp to-addresses=\
192.168.1.46 to-ports=5060
add action=dst-nat chain=dstnat comment=RTI dst-address=xxxxmy wan static IP addresssxxxxx \
dst-port=4110 protocol=tcp to-addresses=192.168.1.215 to-ports=4110
add action=dst-nat chain=dstnat comment="cloud key 2" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=8843 protocol=tcp to-addresses=192.168.1.15 \
to-ports=8843
add action=dst-nat chain=dstnat comment="crestron processor 3" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=41800 protocol=tcp to-addresses=192.168.1.200 \
to-ports=41800
add action=dst-nat chain=dstnat comment=RTRR dst-address=xxxxmy wan static IP addresssxxxxx \
dst-port=8899 protocol=tcp to-addresses=192.168.3.2 to-ports=8899
add action=dst-nat chain=dstnat comment=plex dst-address=xxxxmy wan static IP addresssxxxxx \
dst-port=32400 log=yes protocol=tcp to-addresses=192.168.1.49 to-ports=\
32400
add action=dst-nat chain=dstnat comment="crestron processor 4" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=41622 protocol=tcp to-addresses=192.168.1.200 \
to-ports=41622
add action=dst-nat chain=dstnat comment="crestron processor 2" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=41794-41799 protocol=tcp to-addresses=\
192.168.1.201 to-ports=41794-41799
add action=dst-nat chain=dstnat comment="crestron processor 1" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=8081 protocol=tcp to-addresses=192.168.1.200 \
to-ports=8081
add action=dst-nat chain=dstnat comment="cloud key 4" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=1001 protocol=tcp to-addresses=192.168.1.15 \
to-ports=1001
add action=dst-nat chain=dstnat comment="cloud key qnap" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=8080 protocol=tcp to-addresses=192.168.1.15 \
to-ports=8080
add action=dst-nat chain=dstnat comment="cloud key 3" dst-address=\
xxxxmy wan static IP addresssxxxxx dst-port=3478 protocol=tcp to-addresses=192.168.1.15 \
to-ports=3478
/ip firewall service-port
set ftp disabled=yes
/ip route
add comment="Just Add Power" disabled=no distance=1 dst-address=10.0.0.0/8 \
gateway=192.168.1.100 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
xxxxmy wan static IP addresssxxxxx routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Chicago
/system logging
set 3 action=remote
add action=remote topics=critical,debug,error,system,info
/system package update
set channel=long-term
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool graphing interface
add
/tool graphing resource
add
/tool traffic-monitor
add interface=qsfp28-1-1 name=tmon1 threshold=1000000000

This thread is old but I wish to share our experience in case it helps someone else. When we switched to Mikrotik 5 years ago, our CCR1036 routers would randomly reboot, no supout created, logs indicated watchdog reboot. CPUs were a bit warm but nothing out of spec. Downclocking solved the problem on every one of them. CPUs ran a normal temperature that better matched what our CCR1072's and CCR1009's ran. Was never sure if temp was the issue, but that was the fix and 5 years solid operation so far.

Imagine my surprise when one of our new to us this year CCR2216's began doing the very same thing: random reboots, health stats good, no autosupouts created, watchdog fingered in the logs. The other six 2216's had no problem. What was different about this one is we had a bunch of SRJ-10's inserted closely together for cabling reasons. Those run pretty warm; I can't hold one just pulled in my hand. When we spread the SRJ-10's out so no two were juxtaposed; the reboots stopped. That was the fix. It wasn't a config thing or ROS version in our case. Since then we've found a page on the support wiki where Mikrotik strongly recommends spreading SRJ-10's out on CCR2216 ports to distribute the heat more evenly. They even included pictures to make sure dummies like me get it.

Wish I could solve the backorder problem this easily (sigh). A 2216 with L2 and L3 HW offload is a wild and beautiful thing.

Sorry, here's the link: https://wiki.mikrotik.com/wiki/S%2BRJ10 ... l_guidance