boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Tue Oct 15, 2024 11:31 am

Hey everyone,

Some time ago, I bought the CRS125-24G-1S-RM as a second-hand device. I am happy with it so far. It is running with an SFP fibre module from Deutsche Telekom and I have no issues with internet in general.

However, when I have video calls, I get lag spikes. To test where they come from, I ran ping from my machine and from the router. See https://gist.github.com/boxcee/4cdb1aaa ... 2c9d1e7761. From my perspective, it looks like they are okay(ish) from the router, but lag spikes are clearly visible from my machine.

What can I do about this?

EDIT: I started with the QoS setup, because I read it might be related. Unfortunately, I didn't understand which setup was best, and the guide for my device is also a bit older. This section here: https://help.mikrotik.com/docs/pages/vi ... rvice(QoS).

EDIT2: The connection tested is on LAN. Direct connection to the CRS.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Wed Oct 16, 2024 10:17 am

From router to 8.8.8.8:
sent=232 received=219 packet-loss=5% min-rtt=6ms690us avg-rtt=10ms141us max-rtt=38ms349us
From my machine to 8.8.8.8 (through router):
435 packets transmitted, 422 packets received, 3.0% packet loss
round-trip min/avg/max/stddev = 6.493/919.693/2961.925/997.422 ms
From my machine to router:
694 packets transmitted, 681 packets received, 1.9% packet loss
round-trip min/avg/max/stddev = 0.348/664.882/2925.632/928.375 ms
Looks like it bottlenecks in irregular intervals. Is this a CPU issue?
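
Added example, not part of the original post: a Python script that parses the three ping summaries quoted above (RouterOS and BSD/macOS ping formats) and reports which segment carries the spikes. The 100 ms spike threshold and all function and label names are assumptions chosen for illustration.

```python
"""Localize latency spikes from ping summaries (added example)."""
import re
from dataclasses import dataclass

# Summaries copied from the post above; the dictionary keys are labels chosen here.
SUMMARIES = {
    "router_wan": "sent=232 received=219 packet-loss=5% "
                  "min-rtt=6ms690us avg-rtt=10ms141us max-rtt=38ms349us",
    "host_wan": "435 packets transmitted, 422 packets received, 3.0% packet loss\n"
                "round-trip min/avg/max/stddev = 6.493/919.693/2961.925/997.422 ms",
    "host_lan": "694 packets transmitted, 681 packets received, 1.9% packet loss\n"
                "round-trip min/avg/max/stddev = 0.348/664.882/2925.632/928.375 ms",
}

_UNIT_MS = {"s": 1000.0, "ms": 1.0, "us": 0.001}


@dataclass(frozen=True)
class PingStats:
    sent: int
    received: int
    min_ms: float
    avg_ms: float
    max_ms: float

    @property
    def loss_pct(self) -> float:
        """Loss recomputed from the counters, not from the rounded percentage."""
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 0.0


def routeros_duration_ms(text: str) -> float:
    """Convert a RouterOS duration such as '6ms690us' or '1s200ms' to milliseconds."""
    if not re.fullmatch(r"(?:\d+(?:ms|us|s))+", text):
        raise ValueError(f"not a RouterOS duration: {text!r}")
    return sum(int(n) * _UNIT_MS[u] for n, u in re.findall(r"(\d+)(ms|us|s)", text))


def parse_summary(text: str) -> PingStats:
    """Parse either a RouterOS ping summary line or a BSD/macOS/Linux ping footer."""
    if "min-rtt=" in text:
        kv = dict(re.findall(r"([\w-]+)=(\S+)", text))
        rtts = [routeros_duration_ms(kv[k]) for k in ("min-rtt", "avg-rtt", "max-rtt")]
        return PingStats(int(kv["sent"]), int(kv["received"]), *rtts)
    counts = re.search(r"(\d+) packets transmitted, (\d+) (?:packets )?received", text)
    rtt = re.search(r"(?:round-trip|rtt) min/avg/max/\w+ = ([\d.]+)/([\d.]+)/([\d.]+)/", text)
    if not counts or not rtt:
        # A run with 100% loss prints no RTT line and ends up here as well.
        raise ValueError("unrecognised ping summary")
    return PingStats(int(counts[1]), int(counts[2]), *(float(rtt[i]) for i in (1, 2, 3)))


def localize(router_wan: PingStats, host_lan: PingStats, host_wan: PingStats,
             spike_ms: float = 100.0) -> str:
    """Name the segment whose worst-case RTT crosses spike_ms (assumed threshold).

    router_wan: router -> internet, host_lan: host -> router,
    host_wan: host -> internet through the router.
    """
    if host_wan.max_ms < spike_ms:
        return "none"
    lan = host_lan.max_ms >= spike_ms
    wan = router_wan.max_ms >= spike_ms
    if lan and wan:
        return "both"
    if lan:
        return "lan"   # host NIC/cabling, switching path, or the router answering ICMP
    if wan:
        return "wan"   # uplink or provider side
    return "inconclusive"


def analyse(summaries: dict) -> dict:
    """Parse all three summaries and attach the verdict."""
    stats = {name: parse_summary(text) for name, text in summaries.items()}
    verdict = localize(stats["router_wan"], stats["host_lan"], stats["host_wan"])
    return {"stats": stats, "verdict": verdict}


if __name__ == "__main__":
    result = analyse(SUMMARIES)
    for name, s in result["stats"].items():
        print(f"{name:11s} loss={s.loss_pct:4.1f}%  avg={s.avg_ms:8.3f} ms  max={s.max_ms:9.3f} ms")
    print("spikes originate in segment:", result["verdict"])
```

With the posted numbers the host-to-router hop alone already shows multi-second maxima while the router-to-internet path stays below 40 ms, so the verdict points at the LAN side rather than the uplink.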
 
erlinden
Forum Guru
Posts: 2756
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Wed Oct 16, 2024 10:49 am

Can you check CPU usage? (think it is on /system health)
You are currently using a switch as a router; though it can be configured as one, it is not designed to do so.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Wed Oct 16, 2024 12:47 pm

Can you check CPU usage? (think it is on /system health)
This is /system resource print:
uptime: 20h12m58s
version: 7.16.1 (stable)
build-time: 2024-10-10 14:03:32
free-memory: 74.0MiB
total-memory: 128.0MiB
cpu: MIPS 74Kc V4.12
cpu-count: 1
cpu-frequency: 600MHz
cpu-load: 16%
free-hdd-space: 111.3MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 11560
write-sect-total: 336058
bad-blocks: 0%
architecture-name: mipsbe
board-name: CRS125-24G-1S
platform: MikroTik
Here is the graph view:
Bildschirmfoto 2024-10-16 um 11.46.12.png
You are currently using a switch as a router; though it can be configured as one, it is not designed to do so.
Can you elaborate a bit on this? CRS is Cloud Router Switch, isn't it?
 
erlinden
Forum Guru
Posts: 2756
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Wed Oct 16, 2024 1:02 pm

Can you elaborate a bit on this? CRS is Cloud Router Switch, isn't it?
Can you elaborate on the Cloud part of the name? 8)

If you have a look at test results:
https://mikrotik.com/product/crs125_24g ... estresults

You would see that when used as router (it is a switch) you would be able to get around 245Mbps at max.

My assumption, especially on the graph you shared, is limited CPU power.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Wed Oct 16, 2024 3:06 pm

You would see that when used as router (it is a switch) you would be able to get around 245Mbps at max.
Wouldn't 245Mbps be enough for home use? And how would this be related to the lag spikes?

What devices should I be looking at?
 
infabo
Forum Guru
Posts: 1508
Joined: Thu Nov 12, 2020 12:07 pm

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Wed Oct 16, 2024 3:11 pm

I would be more worried about the packet loss than the spikes.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Wed Oct 16, 2024 3:30 pm

I ordered an RB4011iGS+RM now. Will update once it's here.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Thu Oct 17, 2024 10:04 am

For the record, my config.
# 2024-10-17 08:53:04 by RouterOS 7.16.1
# software id = REDACTED
#
# model = CRS125-24G-1S
# serial number = 6244054AD9DA
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] auto-negotiation=no speed=1G-baseT-full
/interface wireguard
add listen-port=13232 mtu=1420 name=REDACTED
add listen-port=21841 mtu=1420 name=REDACTED
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=sfp1 name=sfp1-v7 vlan-id=7
/interface bonding
add mode=802.3ad name=nas slaves=ether23,ether24
add name=switch slaves=ether21,ether22
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=\
    sfp1-v7 name=telekom use-peer-dns=yes user=REDACTED
/interface ethernet switch qos-group
add name=group1 priority=1
/interface list
add name=WAN
add name=LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
    name=family-sec
/interface wifi configuration
add channel.reselect-interval=5m..10m disabled=no mode=ap name=family \
    security=family-sec security.connect-priority=0 .ft=yes .ft-over-ds=yes \
    ssid=REDACTED
/ip pool
add name=pool_ipv4 ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=pool_ipv4 interface=bridge name=dhcp_ipv4
/ipv6 pool
add name=local-ipv6 prefix=fd27:a5c9:3073::/48 prefix-length=64
add name=wireguard-ipv6 prefix=fdc5:fe4d:2037::/48 prefix-length=64
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=nas
add bridge=bridge interface=switch
/interface list member
add interface=bridge list=LAN
add interface=sfp1 list=WAN
add interface=sfp1-v7 list=WAN
add interface=wireguard1 list=LAN
add interface=REDACTED list=LAN
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=family \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=family \
    supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=192.168.87.10/32,fdc5:fe4d:2037::10/64 client-address=\
    192.168.87.10/32,fdc5:fe4d:2037::10/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=pixel \
    preshared-key=REDACTED private-key=REDACTED public-key=\
    "NgDH4twpj5SBFq/ljF9WXRVRplqXKQ/ty/CpySH8aE4="
add allowed-address=192.168.87.11/32,fdc5:fe4d:2037::11/64 client-address=\
    192.168.87.11/32,fdc5:fe4d:2037::11/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=tuxedo \
    preshared-key=REDACTED private-key=REDACTED public-key=\
    "GYvw4WCigXf+TK3TJuhNAxah6pbuvjZwFUW0yPUi7ko="
add allowed-address=192.168.87.12/32,fdc5:fe4d:2037::12/64 client-address=\
    192.168.87.12/32,fdc5:fe4d:2037::12/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=travelrouter \
    preshared-key=REDACTED private-key=REDACTED public-key=\
    "QnvegVgvyGZKxss2hRs9146Pgqpm7aYnkUWLSZd5OTk="
add allowed-address=192.168.87.13/32,fdc5:fe4d:2037::13/64 client-address=\
    192.168.87.13/32,fdc5:fe4d:2037::13/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=iphone \
    preshared-key=REDACTED public-key=\
    "wd+L4MSrFOMopIe54J3SCiXHnUeOIYCNs2HJxVNG0H8="
add allowed-address=10.102.6.0/24 endpoint-address=REDACTED \
    endpoint-port=51026 interface=REDACTED name=REDACTED public-key=\
    "fhJZDlnX4q2WVktddXUuDmNYrgBGslbcezHpTgWx/x0="
add allowed-address=192.168.86.10/32,::1/64 client-address=\
    192.168.86.10/32,::1/64 client-dns=192.168.86.1 client-endpoint=REDACTED endpoint-address="" interface=REDACTED name=REDACTED preshared-key=REDACTED \
    public-key="t+fUxKQmQHNFUxYIFr9qzCMaRU5I5bvBSWDVdvf1Cko="
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.87.1/24 interface=wireguard1 network=192.168.87.0
add address=10.102.6.2/24 interface=REDACTED network=10.102.6.0
add address=192.168.86.1/24 interface=REDACTED network=192.168.86.0
/ip arp
add address=192.168.88.6 interface=bridge mac-address=REDACTED
add address=192.168.88.2 interface=bridge mac-address=REDACTED
add address=192.168.88.4 interface=bridge mac-address=REDACTED
add address=192.168.88.5 interface=bridge mac-address=REDACTED
/ip dhcp-client
# Interface not active
add interface=ether1
add disabled=yes interface=sfp1-v7
/ip dhcp-server lease
add address=192.168.88.254 mac-address=REDACTED server=dhcp_ipv4
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=\
    24
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 name=router.lan type=A
add address=192.168.88.2 name=REDACTED type=A
add address=192.168.88.3 name=REDACTED type=A
add address=192.168.88.6 name=REDACTED type=A
add address=192.168.88.7 name=REDACTED type=A
add address=192.168.88.9 name=REDACTED type=A
add address=192.168.88.10 name=REDACTED type=A
add address=192.168.88.12 name=REDACTED type=A
add address=192.168.88.13 name=nginx.lan type=A
add cname=nginx.lan. name=REDACTED type=CNAME
add cname=nginx.lan. name=REDACTED type=CNAME
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.88.7 comment=REDACTED list=REDACTED
add address=192.168.88.12 comment=REDACTED list=REDACTED
add address=192.168.88.13 comment=nginx list=REDACTED
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow REDACTED (Wireguard)" dst-port=\
    21841 protocol=udp
add action=accept chain=input comment="allow REDACTED (Wireguard)" dst-port=\
    13232 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment=\
    "drop REDACTED (Wireguard) from accessing router" in-interface=REDACTED
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="drop REDACTED forward to non-REDACTED" \
    dst-address-list=!REDACTED in-interface=REDACTED
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=telekom
add action=masquerade chain=srcnat comment=REDACTED log=yes out-interface=REDACTED
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" disabled=yes dst-address=\
    192.168.88.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" disabled=yes \
    in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
    yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip traffic-flow
set cache-entries=16k interfaces=*53
/ipv6 address
add from-pool=pool-ipv6 interface=bridge
add address=::1 from-pool=pool-ipv6 interface=telekom
add address=::1 from-pool=local-ipv6 interface=bridge
add address=::1 from-pool=wireguard-ipv6 interface=wireguard1
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=pool-ipv6 request=\
    prefix
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/lcd
set default-screen=stat-slideshow
/lcd interface
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
set ether13 disabled=yes
set ether14 disabled=yes
set ether15 disabled=yes
set ether16 disabled=yes
set ether17 disabled=yes
set ether18 disabled=yes
set ether19 disabled=yes
set ether20 disabled=yes
set ether21 disabled=yes
set ether22 disabled=yes
set ether23 disabled=yes
set ether24 disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=10m name=dyndns on-event="/system script run dyndns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-09-05 start-time=07:24:43
/system script
add comment=dyndns dont-require-permissions=no name=strato owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global ddnsuser \"REDACTED\"\
    \n:global ddnspass \"REDACTED\"\
    \n:global theinterface \"telekom\"\
    \n:global ddnshost1 \"REDACTED\"\
    \n\
    \n:global ipddns\
    \n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
    alue-name=address]\
    \n:global ip6fresh [/ipv6 address get [find where interface=\$theinterface\
    \_from-pool=\"pool-ipv6\"] value-name=address]   \
    \n\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n\
    \n    :log info (\"DynDNS: No ip address on \$theinterface .\")\
    \n\
    \n} else={\
    \n\
    \n    :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n\
    \n        :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
    \n\
    \n            :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n\
    \n        } \
    \n    }\
    \n\
    \n    \
    \n    :for i from=( [:len \$ip6fresh] - 1) to=0 do= {\
    \n    \
    \n        :if ( [:pick \$ip6fresh \$i] = \"/\") do={\
    \n    \
    \n            :set ip6fresh [:pick \$ip6fresh 0 \$i];   \
    \n\
    \n        }\
    \n\
    \n    }\
    \n\
    \n\
    \n    :log info (\"DynDNS: IP6-Fresh = \$ip6fresh\")\
    \n\
    \n    :if (\$ipddns != \$ipfresh) do={\
    \n\
    \n        :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n        :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n        :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
    \n\
    \n        :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfres\
    h\"\
    \n        /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddn\
    suser password=\$ddnspass mode=https dst-path=(\"/DynDNS.\".\$ddnshost1)\
    \n\
    \n        :delay 1\
    \n\
    \n        :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\
    \n        /file remove \$str1\
    \n        :global ipddns \$ipfresh\
    \n        :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n\
    \n    } else={\
    \n\
    \n        :log info \"DynDNS: dont need changes\";\
    \n\
    \n    }\
    \n}"
/tool graphing resource
add allow-address=192.168.0.0/16
 
Steveocee
Forum Guru
Posts: 1199
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Thu Oct 17, 2024 2:34 pm

For the record, my config.
# 2024-10-17 08:53:04 by RouterOS 7.16.1
# software id = REDACTED
#
# model = CRS125-24G-1S
# serial number = 6244054AD9DA
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] auto-negotiation=no speed=1G-baseT-full
/interface wireguard
add listen-port=13232 mtu=1420 name=REDACTED
add listen-port=21841 mtu=1420 name=REDACTED
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=sfp1 name=sfp1-v7 vlan-id=7
/interface bonding
add mode=802.3ad name=nas slaves=ether23,ether24
add name=switch slaves=ether21,ether22
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=\
    sfp1-v7 name=telekom use-peer-dns=yes user=REDACTED
/interface ethernet switch qos-group
add name=group1 priority=1
/interface list
add name=WAN
add name=LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
    name=family-sec
/interface wifi configuration
add channel.reselect-interval=5m..10m disabled=no mode=ap name=family \
    security=family-sec security.connect-priority=0 .ft=yes .ft-over-ds=yes \
    ssid=REDACTED
/ip pool
add name=pool_ipv4 ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=pool_ipv4 interface=bridge name=dhcp_ipv4
/ipv6 pool
add name=local-ipv6 prefix=fd27:a5c9:3073::/48 prefix-length=64
add name=wireguard-ipv6 prefix=fdc5:fe4d:2037::/48 prefix-length=64
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=nas
add bridge=bridge interface=switch
/interface list member
add interface=bridge list=LAN
add interface=sfp1 list=WAN
add interface=sfp1-v7 list=WAN
add interface=wireguard1 list=LAN
add interface=REDACTED list=LAN
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=family \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=family \
    supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=192.168.87.10/32,fdc5:fe4d:2037::10/64 client-address=\
    192.168.87.10/32,fdc5:fe4d:2037::10/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=pixel \
    preshared-key=REDACTED private-key=REDACTED public-key=\
    "NgDH4twpj5SBFq/ljF9WXRVRplqXKQ/ty/CpySH8aE4="
add allowed-address=192.168.87.11/32,fdc5:fe4d:2037::11/64 client-address=\
    192.168.87.11/32,fdc5:fe4d:2037::11/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=tuxedo \
    preshared-key=REDACTED private-key=REDACTED public-key=\
    "GYvw4WCigXf+TK3TJuhNAxah6pbuvjZwFUW0yPUi7ko="
add allowed-address=192.168.87.12/32,fdc5:fe4d:2037::12/64 client-address=\
    192.168.87.12/32,fdc5:fe4d:2037::12/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=travelrouter \
    preshared-key=REDACTED private-key=REDACTED public-key=\
    "QnvegVgvyGZKxss2hRs9146Pgqpm7aYnkUWLSZd5OTk="
add allowed-address=192.168.87.13/32,fdc5:fe4d:2037::13/64 client-address=\
    192.168.87.13/32,fdc5:fe4d:2037::13/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=iphone \
    preshared-key=REDACTED public-key=\
    "wd+L4MSrFOMopIe54J3SCiXHnUeOIYCNs2HJxVNG0H8="
add allowed-address=10.102.6.0/24 endpoint-address=REDACTED \
    endpoint-port=51026 interface=REDACTED name=REDACTED public-key=\
    "fhJZDlnX4q2WVktddXUuDmNYrgBGslbcezHpTgWx/x0="
add allowed-address=192.168.86.10/32,::1/64 client-address=\
    192.168.86.10/32,::1/64 client-dns=192.168.86.1 client-endpoint=REDACTED endpoint-address="" interface=REDACTED name=REDACTED preshared-key=REDACTED \
    public-key="t+fUxKQmQHNFUxYIFr9qzCMaRU5I5bvBSWDVdvf1Cko="
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.87.1/24 interface=wireguard1 network=192.168.87.0
add address=10.102.6.2/24 interface=REDACTED network=10.102.6.0
add address=192.168.86.1/24 interface=REDACTED network=192.168.86.0
/ip arp
add address=192.168.88.6 interface=bridge mac-address=REDACTED
add address=192.168.88.2 interface=bridge mac-address=REDACTED
add address=192.168.88.4 interface=bridge mac-address=REDACTED
add address=192.168.88.5 interface=bridge mac-address=REDACTED
/ip dhcp-client
# Interface not active
add interface=ether1
add disabled=yes interface=sfp1-v7
/ip dhcp-server lease
add address=192.168.88.254 mac-address=REDACTED server=dhcp_ipv4
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=\
    24
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 name=router.lan type=A
add address=192.168.88.2 name=REDACTED type=A
add address=192.168.88.3 name=REDACTED type=A
add address=192.168.88.6 name=REDACTED type=A
add address=192.168.88.7 name=REDACTED type=A
add address=192.168.88.9 name=REDACTED type=A
add address=192.168.88.10 name=REDACTED type=A
add address=192.168.88.12 name=REDACTED type=A
add address=192.168.88.13 name=nginx.lan type=A
add cname=nginx.lan. name=REDACTED type=CNAME
add cname=nginx.lan. name=REDACTED type=CNAME
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.88.7 comment=REDACTED list=REDACTED
add address=192.168.88.12 comment=REDACTED list=REDACTED
add address=192.168.88.13 comment=nginx list=REDACTED
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow REDACTED (Wireguard)" dst-port=\
    21841 protocol=udp
add action=accept chain=input comment="allow REDACTED (Wireguard)" dst-port=\
    13232 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment=\
    "drop REDACTED (Wireguard) from accessing router" in-interface=REDACTED
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="drop REDACTED forward to non-REDACTED" \
    dst-address-list=!REDACTED in-interface=REDACTED
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=telekom
add action=masquerade chain=srcnat comment=REDACTED log=yes out-interface=REDACTED
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" disabled=yes dst-address=\
    192.168.88.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" disabled=yes \
    in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
    yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip traffic-flow
set cache-entries=16k interfaces=*53
/ipv6 address
add from-pool=pool-ipv6 interface=bridge
add address=::1 from-pool=pool-ipv6 interface=telekom
add address=::1 from-pool=local-ipv6 interface=bridge
add address=::1 from-pool=wireguard-ipv6 interface=wireguard1
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=pool-ipv6 request=\
    prefix
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/lcd
set default-screen=stat-slideshow
/lcd interface
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
set ether13 disabled=yes
set ether14 disabled=yes
set ether15 disabled=yes
set ether16 disabled=yes
set ether17 disabled=yes
set ether18 disabled=yes
set ether19 disabled=yes
set ether20 disabled=yes
set ether21 disabled=yes
set ether22 disabled=yes
set ether23 disabled=yes
set ether24 disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=10m name=dyndns on-event="/system script run dyndns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-09-05 start-time=07:24:43
/system script
add comment=dyndns dont-require-permissions=no name=strato owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global ddnsuser \"REDACTED\"\
    \n:global ddnspass \"REDACTED\"\
    \n:global theinterface \"telekom\"\
    \n:global ddnshost1 \"REDACTED\"\
    \n\
    \n:global ipddns\
    \n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
    alue-name=address]\
    \n:global ip6fresh [/ipv6 address get [find where interface=\$theinterface\
    \_from-pool=\"pool-ipv6\"] value-name=address]   \
    \n\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n\
    \n    :log info (\"DynDNS: No ip address on \$theinterface .\")\
    \n\
    \n} else={\
    \n\
    \n    :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n\
    \n        :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
    \n\
    \n            :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n\
    \n        } \
    \n    }\
    \n\
    \n    \
    \n    :for i from=( [:len \$ip6fresh] - 1) to=0 do= {\
    \n    \
    \n        :if ( [:pick \$ip6fresh \$i] = \"/\") do={\
    \n    \
    \n            :set ip6fresh [:pick \$ip6fresh 0 \$i];   \
    \n\
    \n        }\
    \n\
    \n    }\
    \n\
    \n\
    \n    :log info (\"DynDNS: IP6-Fresh = \$ip6fresh\")\
    \n\
    \n    :if (\$ipddns != \$ipfresh) do={\
    \n\
    \n        :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n        :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n        :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
    \n\
    \n        :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfres\
    h\"\
    \n        /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddn\
    suser password=\$ddnspass mode=https dst-path=(\"/DynDNS.\".\$ddnshost1)\
    \n\
    \n        :delay 1\
    \n\
    \n        :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\
    \n        /file remove \$str1\
    \n        :global ipddns \$ipfresh\
    \n        :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n\
    \n    } else={\
    \n\
    \n        :log info \"DynDNS: dont need changes\";\
    \n\
    \n    }\
    \n}"
/tool graphing resource
add allow-address=192.168.0.0/16

CRS125 is great as a switch but that's as far as it goes. It used to even get latency spikes running the LCD screen! Keep it as a switch and route through your 4011 and you'll be fine.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging  [SOLVED]

Tue Oct 29, 2024 6:24 am

Follow up.

Works fine now with the RB4011. CPU usage is almost always below 5% and packet loss is gone.

Thanks for bearing with me.