 
theradioguy
just joined
Topic Author
Posts: 13
Joined: Wed Dec 22, 2021 4:59 am

CCR-1009 crashes when OVPN Client and Firewall enabled

Wed Mar 09, 2022 7:27 am

I have been experiencing some very problematic behavior with ROS 7.1.3. Whenever I create an OVPN client, add any firewall rules and then try to send a TCP packet over the VPN tunnel, the router crashes and kernel panics. The behavior only seems to occur on the CCR1009 and I have confirmed this is a problem on 2 separate routers. Other routers (RB2011, HeX) do not exhibit this behavior.

In order to replicate, I take the default configuration, add a dhcp client (to get internet):
/ip dhcp-client add interface=ether2

Add the ovpn client
/interface ovpn-client add certificate=cert_export_client.crt_0 cipher=aes128 connect-to=w.x.y.z mac-address=02:50:2C:A8:2C:C6 name=ovpn-out1 profile=default-encryption protocol=udp user=username password=password

and add a single firewall rule
/ip firewall filter add action=accept chain=input

And then try to telnet to the VPN server (over the VPN):
/system telnet 10.2.1.130 port=179

At this point the router kernel panics, and reboots. I can ping across the tunnel no problem, the issue seems to be limited to TCP packets.

If I remove all firewall rules, I am able to telnet to the server without issue. If the firewall rule is disabled (but still present) the same kernel panic happens.

I think this is a fairly serious bug and I have not yet managed to find a workaround (other than removing all firewall rules, which is not possible due to security concerns).
 
theradioguy
just joined
Topic Author
Posts: 13
Joined: Wed Dec 22, 2021 4:59 am

Re: CCR-1009 crashes when OVPN Client and Firewall enabled

Sat Mar 12, 2022 6:06 am

As an update to this, the issue seems to occur when connection tracking is enabled (set to on, or auto) in the firewall settings. Unfortunately I need connection tracking enabled on this router to do NAT.

The issue occurs regardless if TCP or UDP protocol is used and regardless of what encryption settings are used on the tunnel.
 
theradioguy
just joined
Topic Author
Posts: 13
Joined: Wed Dec 22, 2021 4:59 am

Re: CCR-1009 crashes when OVPN Client and Firewall enabled

Sat Mar 12, 2022 7:28 am

A workaround seems to be to add a 'notrack' rule to the 'raw' firewall table for the ovpn interface:

/ip firewall raw
add action=notrack chain=prerouting in-interface=ovpn-out1
add action=notrack chain=output out-interface=ovpn-out1

Going to run this router overnight and see if it crashes at all.
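
A way to check an exported configuration for the workaround above, as an added example that is not part of the original post: the Python below parses `/export` text and reports any ovpn-client interface that lacks an enabled notrack rule in the raw prerouting or output chain. The export sample, its addresses and the ovpn-out2 interface are constructed, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample of `/export` output (not from the router in this thread).
SAMPLE_EXPORT = """\
/interface ovpn-client
add cipher=aes128 connect-to=192.0.2.10 protocol=udp \\
    name=ovpn-out1 user=username
add connect-to=192.0.2.20 name=ovpn-out2 user=username
/ip firewall raw
add action=notrack chain=prerouting in-interface=ovpn-out1
add action=notrack chain=output out-interface=ovpn-out1
add action=notrack chain=prerouting in-interface=ovpn-out2 disabled=yes
/ip firewall filter
add action=accept chain=input
"""

# Raw chain -> interface matcher the workaround uses for that chain.
NEEDED = {"prerouting": "in-interface", "output": "out-interface"}


def parse_export(text):
    """Return {menu path: [params of each `add` line]} from export text."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-wrapped lines
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            tokens = shlex.split(line[4:])
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def missing_notrack(menus):
    """Map each ovpn-client name to raw chains with no enabled notrack rule."""
    gaps = {}
    for client in menus.get("/interface ovpn-client", []):
        name = client.get("name")
        covered = {
            r["chain"] for r in menus.get("/ip firewall raw", [])
            if r.get("action") == "notrack" and r.get("disabled") != "yes"
            and r.get("chain") in NEEDED and r.get(NEEDED[r["chain"]]) == name
        }
        if set(NEEDED) - covered:
            gaps[name] = sorted(set(NEEDED) - covered)
    return gaps


if __name__ == "__main__":
    print(missing_notrack(parse_export(SAMPLE_EXPORT)))
```

Traffic matched by notrack skips connection tracking, so connection-state matchers and NAT no longer apply to it.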
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: CCR-1009 crashes when OVPN Client and Firewall enabled

Sat Mar 12, 2022 10:26 am

Report this as a bug to Mikrotik and supply a supout.rif file:
How to report issues in v7 beta
Creating Support Output file
 
theradioguy
just joined
Topic Author
Posts: 13
Joined: Wed Dec 22, 2021 4:59 am

Re: CCR-1009 crashes when OVPN Client and Firewall enabled

Sat Mar 12, 2022 6:24 pm

Thanks for the suggestion. I have emailed them and will be sending a supout file shortly.
 
theradioguy
just joined
Topic Author
Posts: 13
Joined: Wed Dec 22, 2021 4:59 am

Re: CCR-1009 crashes when OVPN Client and Firewall enabled

Sat Mar 12, 2022 9:02 pm

Just to keep posting updates as I find them: fixing the TCP issue has uncovered a new issue. Any packets that enter through an OVPN interface (all packets, ICMP, TCP, UDP) and try to egress through a bridge interface also cause a kernel panic. Disabling connection tracking has no effect and I have been unable to come up with a workaround.

Hopefully Mikrotik will be able to fix these critical bugs with OVPN on the CCR routers.
 
oberdansoares
just joined
Posts: 4
Joined: Mon Feb 15, 2021 1:04 pm

Re: CCR-1009 crashes when OVPN Client and Firewall enabled

Mon Mar 14, 2022 11:00 pm

I had the same problem with the update of my CCR1009 to version 7.1.3 "stable", where this failure occurs: when I change the ovpn protocol from tcp to udp, the routeros crashes and it is necessary to recover via netinstall.
 
theradioguy
just joined
Topic Author
Posts: 13
Joined: Wed Dec 22, 2021 4:59 am

Re: CCR-1009 crashes when OVPN Client and Firewall enabled

Tue Mar 22, 2022 9:47 pm

In my case I was able to recover by disconnecting the WAN interface so the tunnel was never able to establish, might be something to try if you need to recover again.

I have received some beta firmware from Mikrotik which solves the firewall issue, and another piece of beta firmware which is supposed to resolve the bridge issue, but I have not tested the second one yet. Hope to do so this weekend.
 
oberdansoares
just joined
Posts: 4
Joined: Mon Feb 15, 2021 1:04 pm

Re: CCR-1009 crashes when OVPN Client and Firewall enabled

Tue Mar 22, 2022 11:07 pm

I believe it wouldn't solve it. With access via serial it presents a Kernel Panic message and restarts. I'm a little afraid to perform a new update; yesterday the "stable" version 7.1.4 came out, today they released "7.15
