
Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Tue Oct 15, 2024 11:31 am
by boxcee
Hey everyone,

Some time ago, I bought the CRS125-24G-1S-RM as a second-hand device. I am happy with it so far. It is running with an SFP fibre module from Deutsche Telekom and I have no issues with internet in general.

However, when I have video calls, I get lag spikes. To test where they come from, I ran ping from my machine and from the router. See https://gist.github.com/boxcee/4cdb1aaa ... 2c9d1e7761. From my perspective, it looks like they are okay(ish) from the router, but lag spikes are clearly visible from my machine.

What can I do about this?

EDIT: I started with the QoS setup, because I read it might be related. Unfortunately, I didn't understand which setup was best, and the guide for my device is also a bit older. This section here: https://help.mikrotik.com/docs/pages/vi ... rvice(QoS).

EDIT2: The connection tested is on LAN. Direct connection to the CRS.

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Wed Oct 16, 2024 10:17 am
by boxcee
From router to 8.8.8.8:
sent=232 received=219 packet-loss=5% min-rtt=6ms690us avg-rtt=10ms141us max-rtt=38ms349us
From my machine to 8.8.8.8 (through router):
435 packets transmitted, 422 packets received, 3.0% packet loss
round-trip min/avg/max/stddev = 6.493/919.693/2961.925/997.422 ms
From my machine to router:
694 packets transmitted, 681 packets received, 1.9% packet loss
round-trip min/avg/max/stddev = 0.348/664.882/2925.632/928.375 ms
Looks like it bottlenecks in irregular intervals. Is this a CPU issue?
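Added example (not code from the thread or from MikroTik): a small parser that normalises the two ping summary formats shown above (RouterOS `/ping` with its `6ms690us` style RTTs, and the BSD/macOS `round-trip min/avg/max/stddev` summary), recomputes loss from the counters, and then flags the two symptoms under discussion separately: packet loss, and latency spikes (average RTT many times the minimum, i.e. the path is fast when idle and stalls intermittently). The sample figures are the ones posted above; the thresholds in `assess()` and the `locate()` heuristic are this example's own assumptions.

```python
import re

# Summary lines as posted in the thread: RouterOS /ping from the CRS, and
# BSD-style ping output from the workstation (macOS/BSD format).
ROUTER_TO_INTERNET = (
    "sent=232 received=219 packet-loss=5% min-rtt=6ms690us avg-rtt=10ms141us max-rtt=38ms349us"
)
MACHINE_TO_INTERNET = (
    "435 packets transmitted, 422 packets received, 3.0% packet loss\n"
    "round-trip min/avg/max/stddev = 6.493/919.693/2961.925/997.422 ms"
)
MACHINE_TO_ROUTER = (
    "694 packets transmitted, 681 packets received, 1.9% packet loss\n"
    "round-trip min/avg/max/stddev = 0.348/664.882/2925.632/928.375 ms"
)

ROS_SUMMARY = re.compile(
    r"sent=(\d+) received=(\d+) packet-loss=\d+% "
    r"min-rtt=(\S+) avg-rtt=(\S+) max-rtt=(\S+)"
)
BSD_COUNTS = re.compile(r"(\d+) packets transmitted, (\d+) packets received")
BSD_RTT = re.compile(r"round-trip min/avg/max/stddev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")
ROS_RTT = re.compile(r"(?:(\d+)ms)?(?:(\d+)us)?")


def ros_rtt_ms(value):
    """Convert a RouterOS RTT such as '6ms690us', '12ms' or '690us' to milliseconds."""
    m = ROS_RTT.fullmatch(value)
    if not value or m is None:
        raise ValueError(f"unparseable RouterOS RTT: {value!r}")
    return int(m.group(1) or 0) + int(m.group(2) or 0) / 1000.0


def parse_ping_summary(text):
    """Normalise either summary format to sent/received/loss_pct/min/avg/max (ms).

    Loss is recomputed from the counters: RouterOS prints it rounded down
    (232 sent / 219 received is 5.6 %, displayed as 5 %).
    """
    m = ROS_SUMMARY.search(text)
    if m:
        sent, received = int(m.group(1)), int(m.group(2))
        mn, avg, mx = (ros_rtt_ms(v) for v in m.group(3, 4, 5))
        stddev = None  # the RouterOS summary does not report it
    else:
        c, r = BSD_COUNTS.search(text), BSD_RTT.search(text)
        if not (c and r):
            raise ValueError("unrecognised ping summary")
        sent, received = int(c.group(1)), int(c.group(2))
        mn, avg, mx, stddev = (float(v) for v in r.groups())
    return {
        "sent": sent, "received": received,
        "loss_pct": (sent - received) * 100.0 / sent if sent else 0.0,
        "min_ms": mn, "avg_ms": avg, "max_ms": mx, "stddev_ms": stddev,
    }


def assess(stats, loss_warn_pct=1.0, spike_ratio=5.0):
    """Flag the two symptoms discussed in the thread (thresholds are assumptions).

    'packet-loss'    : more than loss_warn_pct of the probes never came back.
    'latency-spikes' : average RTT is spike_ratio times the minimum, so the link
                       is fast when idle but intermittently stalls (queueing or
                       a saturated CPU) rather than being uniformly slow.
    """
    findings = []
    if stats["loss_pct"] > loss_warn_pct:
        findings.append("packet-loss")
    if stats["min_ms"] > 0 and stats["avg_ms"] / stats["min_ms"] > spike_ratio:
        findings.append("latency-spikes")
    return findings


def locate(router_to_internet, machine_to_router):
    """Crude localisation from two vantage points: if the first hop (host -> router)
    already spikes, the problem is on the LAN or the router itself, not upstream."""
    if "latency-spikes" in assess(machine_to_router):
        return "lan-or-router"
    if "latency-spikes" in assess(router_to_internet):
        return "upstream"
    return "none"


if __name__ == "__main__":
    for label, text in [("router->8.8.8.8", ROUTER_TO_INTERNET),
                        ("machine->8.8.8.8", MACHINE_TO_INTERNET),
                        ("machine->router", MACHINE_TO_ROUTER)]:
        s = parse_ping_summary(text)
        print(f"{label:18} loss={s['loss_pct']:.1f}% min/avg/max="
              f"{s['min_ms']:.3f}/{s['avg_ms']:.3f}/{s['max_ms']:.3f} ms -> {assess(s)}")
    print("suspect:", locate(parse_ping_summary(ROUTER_TO_INTERNET),
                             parse_ping_summary(MACHINE_TO_ROUTER)))
```

Run against the three summaries above, the router-to-internet hop reports loss only, while both paths through the workstation report loss and spikes, and the host-to-router hop spiking on its own is what points at the LAN side or the router itself rather than the upstream link.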

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Wed Oct 16, 2024 10:49 am
by erlinden
Can you check CPU usage? (think it is on /system health)
You are currently using a switch as a router; though it can be configured as one, it is not designed to do so.

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Wed Oct 16, 2024 12:47 pm
by boxcee
Can you check CPU usage? (think it is on /system health)
This is /system resource print:
uptime: 20h12m58s
version: 7.16.1 (stable)
build-time: 2024-10-10 14:03:32
free-memory: 74.0MiB
total-memory: 128.0MiB
cpu: MIPS 74Kc V4.12
cpu-count: 1
cpu-frequency: 600MHz
cpu-load: 16%
free-hdd-space: 111.3MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 11560
write-sect-total: 336058
bad-blocks: 0%
architecture-name: mipsbe
board-name: CRS125-24G-1S
platform: MikroTik
Here is the graph view: [screenshot attachment: Bildschirmfoto 2024-10-16 um 11.46.12.png]
You are currently using a switch as a router; though it can be configured as one, it is not designed to do so.
Can you elaborate a bit on this? CRS is Cloud Router Switch, isn't it?

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Wed Oct 16, 2024 1:02 pm
by erlinden
Can you elaborate a bit on this? CRS is Cloud Router Switch, isn't it?
Can you elaborate on the Cloud part of the name? 8)

If you have a look at test results:
https://mikrotik.com/product/crs125_24g ... estresults

You would see that when used as router (it is a switch) you would be able to get around 245Mbps at max.

My assumption, especially on the graph you shared, is limited CPU power.

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Wed Oct 16, 2024 3:06 pm
by boxcee
You would see that when used as router (it is a switch) you would be able to get around 245Mbps at max.
Wouldn't 245Mbps be enough for home use? And how would this be related to the lag spikes?

What devices should I be looking at?

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Wed Oct 16, 2024 3:11 pm
by infabo
I would be more worried about the packet loss instead of spikes.

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Wed Oct 16, 2024 3:30 pm
by boxcee
I ordered a RB4011iGS+RM now. Will update once it's here.

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Thu Oct 17, 2024 10:04 am
by boxcee
For the record, my config.
# 2024-10-17 08:53:04 by RouterOS 7.16.1
# software id = REDACTED
#
# model = CRS125-24G-1S
# serial number = 6244054AD9DA
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] auto-negotiation=no speed=1G-baseT-full
/interface wireguard
add listen-port=13232 mtu=1420 name=REDACTED
add listen-port=21841 mtu=1420 name=REDACTED
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=sfp1 name=sfp1-v7 vlan-id=7
/interface bonding
add mode=802.3ad name=nas slaves=ether23,ether24
add name=switch slaves=ether21,ether22
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=\
    sfp1-v7 name=telekom use-peer-dns=yes user=REDACTED
/interface ethernet switch qos-group
add name=group1 priority=1
/interface list
add name=WAN
add name=LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
    name=family-sec
/interface wifi configuration
add channel.reselect-interval=5m..10m disabled=no mode=ap name=family \
    security=family-sec security.connect-priority=0 .ft=yes .ft-over-ds=yes \
    ssid=REDACTED
/ip pool
add name=pool_ipv4 ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=pool_ipv4 interface=bridge name=dhcp_ipv4
/ipv6 pool
add name=local-ipv6 prefix=fd27:a5c9:3073::/48 prefix-length=64
add name=wireguard-ipv6 prefix=fdc5:fe4d:2037::/48 prefix-length=64
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=nas
add bridge=bridge interface=switch
/interface list member
add interface=bridge list=LAN
add interface=sfp1 list=WAN
add interface=sfp1-v7 list=WAN
add interface=wireguard1 list=LAN
add interface=REDACTED list=LAN
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=family \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=family \
    supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=192.168.87.10/32,fdc5:fe4d:2037::10/64 client-address=\
    192.168.87.10/32,fdc5:fe4d:2037::10/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=pixel \
    preshared-key=REDACTED private-key=REDACTED public-key=\
    "NgDH4twpj5SBFq/ljF9WXRVRplqXKQ/ty/CpySH8aE4="
add allowed-address=192.168.87.11/32,fdc5:fe4d:2037::11/64 client-address=\
    192.168.87.11/32,fdc5:fe4d:2037::11/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=tuxedo \
    preshared-key=REDACTED private-key=REDACTED public-key=\
    "GYvw4WCigXf+TK3TJuhNAxah6pbuvjZwFUW0yPUi7ko="
add allowed-address=192.168.87.12/32,fdc5:fe4d:2037::12/64 client-address=\
    192.168.87.12/32,fdc5:fe4d:2037::12/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=travelrouter \
    preshared-key=REDACTED private-key=REDACTED public-key=\
    "QnvegVgvyGZKxss2hRs9146Pgqpm7aYnkUWLSZd5OTk="
add allowed-address=192.168.87.13/32,fdc5:fe4d:2037::13/64 client-address=\
    192.168.87.13/32,fdc5:fe4d:2037::13/64 client-dns=\
    192.168.87.1,fdc5:fe4d:2037::1 client-endpoint=REDACTED interface=wireguard1 name=iphone \
    preshared-key=REDACTED public-key=\
    "wd+L4MSrFOMopIe54J3SCiXHnUeOIYCNs2HJxVNG0H8="
add allowed-address=10.102.6.0/24 endpoint-address=REDACTED \
    endpoint-port=51026 interface=REDACTED name=REDACTED public-key=\
    "fhJZDlnX4q2WVktddXUuDmNYrgBGslbcezHpTgWx/x0="
add allowed-address=192.168.86.10/32,::1/64 client-address=\
    192.168.86.10/32,::1/64 client-dns=192.168.86.1 client-endpoint=REDACTED endpoint-address="" interface=REDACTED name=REDACTED preshared-key=REDACTED \
    public-key="t+fUxKQmQHNFUxYIFr9qzCMaRU5I5bvBSWDVdvf1Cko="
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.87.1/24 interface=wireguard1 network=192.168.87.0
add address=10.102.6.2/24 interface=REDACTED network=10.102.6.0
add address=192.168.86.1/24 interface=REDACTED network=192.168.86.0
/ip arp
add address=192.168.88.6 interface=bridge mac-address=REDACTED
add address=192.168.88.2 interface=bridge mac-address=REDACTED
add address=192.168.88.4 interface=bridge mac-address=REDACTED
add address=192.168.88.5 interface=bridge mac-address=REDACTED
/ip dhcp-client
# Interface not active
add interface=ether1
add disabled=yes interface=sfp1-v7
/ip dhcp-server lease
add address=192.168.88.254 mac-address=REDACTED server=dhcp_ipv4
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=\
    24
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 name=router.lan type=A
add address=192.168.88.2 name=REDACTED type=A
add address=192.168.88.3 name=REDACTED type=A
add address=192.168.88.6 name=REDACTED type=A
add address=192.168.88.7 name=REDACTED type=A
add address=192.168.88.9 name=REDACTED type=A
add address=192.168.88.10 name=REDACTED type=A
add address=192.168.88.12 name=REDACTED type=A
add address=192.168.88.13 name=nginx.lan type=A
add cname=nginx.lan. name=REDACTED type=CNAME
add cname=nginx.lan. name=REDACTED type=CNAME
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.88.7 comment=REDACTED list=REDACTED
add address=192.168.88.12 comment=REDACTED list=REDACTED
add address=192.168.88.13 comment=nginx list=REDACTED
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow REDACTED (Wireguard)" dst-port=\
    21841 protocol=udp
add action=accept chain=input comment="allow REDACTED (Wireguard)" dst-port=\
    13232 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment=\
    "drop REDACTED (Wireguard) from accessing router" in-interface=REDACTED
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="drop REDACTED forward to non-REDACTED" \
    dst-address-list=!REDACTED in-interface=REDACTED
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=telekom
add action=masquerade chain=srcnat comment=REDACTED log=yes out-interface=REDACTED
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" disabled=yes dst-address=\
    192.168.88.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" disabled=yes \
    in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
    yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip traffic-flow
set cache-entries=16k interfaces=*53
/ipv6 address
add from-pool=pool-ipv6 interface=bridge
add address=::1 from-pool=pool-ipv6 interface=telekom
add address=::1 from-pool=local-ipv6 interface=bridge
add address=::1 from-pool=wireguard-ipv6 interface=wireguard1
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=pool-ipv6 request=\
    prefix
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/lcd
set default-screen=stat-slideshow
/lcd interface
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
set ether13 disabled=yes
set ether14 disabled=yes
set ether15 disabled=yes
set ether16 disabled=yes
set ether17 disabled=yes
set ether18 disabled=yes
set ether19 disabled=yes
set ether20 disabled=yes
set ether21 disabled=yes
set ether22 disabled=yes
set ether23 disabled=yes
set ether24 disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=10m name=dyndns on-event="/system script run dyndns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-09-05 start-time=07:24:43
/system script
add comment=dyndns dont-require-permissions=no name=strato owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global ddnsuser \"REDACTED\"\
    \n:global ddnspass \"REDACTED\"\
    \n:global theinterface \"telekom\"\
    \n:global ddnshost1 \"REDACTED\"\
    \n\
    \n:global ipddns\
    \n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
    alue-name=address]\
    \n:global ip6fresh [/ipv6 address get [find where interface=\$theinterface\
    \_from-pool=\"pool-ipv6\"] value-name=address]   \
    \n\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n\
    \n    :log info (\"DynDNS: No ip address on \$theinterface .\")\
    \n\
    \n} else={\
    \n\
    \n    :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n\
    \n        :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
    \n\
    \n            :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n\
    \n        } \
    \n    }\
    \n\
    \n    \
    \n    :for i from=( [:len \$ip6fresh] - 1) to=0 do= {\
    \n    \
    \n        :if ( [:pick \$ip6fresh \$i] = \"/\") do={\
    \n    \
    \n            :set ip6fresh [:pick \$ip6fresh 0 \$i];   \
    \n\
    \n        }\
    \n\
    \n    }\
    \n\
    \n\
    \n    :log info (\"DynDNS: IP6-Fresh = \$ip6fresh\")\
    \n\
    \n    :if (\$ipddns != \$ipfresh) do={\
    \n\
    \n        :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n        :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n        :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
    \n\
    \n        :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfres\
    h\"\
    \n        /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddn\
    suser password=\$ddnspass mode=https dst-path=(\"/DynDNS.\".\$ddnshost1)\
    \n\
    \n        :delay 1\
    \n\
    \n        :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\
    \n        /file remove \$str1\
    \n        :global ipddns \$ipfresh\
    \n        :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n\
    \n    } else={\
    \n\
    \n        :log info \"DynDNS: dont need changes\";\
    \n\
    \n    }\
    \n}"
/tool graphing resource
add allow-address=192.168.0.0/16
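Added example (not code from the thread or from MikroTik): a minimal parser for the RouterOS export format posted above (backslash continuation lines, quoted values, `\n`/`\"`/`\_` escapes) with two checks a reviewer of such a config would want: whether every `/system scheduler` entry refers to a `/system script` name that exists in the export (the export above schedules `/system script run dyndns`, while the only script is named `strato` and merely carries the comment `dyndns`), and which ports the input chain accepts before its final drop. The sample is a constructed excerpt of the config above, not the full export; the parser does not interpret `[ find ... ]` selectors.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the export above (three input rules, the
# scheduler entry and the script entry); not the complete configuration.
SAMPLE_EXPORT = r'''# 2024-10-17 08:53:04 by RouterOS 7.16.1
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/system scheduler
add interval=10m name=dyndns on-event="/system script run dyndns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-09-05 start-time=07:24:43
/system script
add comment=dyndns dont-require-permissions=no name=strato owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global ddnsuser \"REDACTED\"\
    \n:log info \"DynDNS: dont need changes\""
'''

# Escape sequences the exporter uses inside quoted values ('\_' is a space).
ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\", "_": " "}
SCRIPT_RUN = re.compile(r"/system script run (\S+)")


def join_continuations(text):
    """Glue lines ending in a backslash to the (indented) line that follows.
    Simplification: a value that itself ends in an escaped backslash is not handled."""
    out, cur = [], ""
    for raw in text.splitlines():
        if cur:
            raw = raw.lstrip()
        if raw.endswith("\\"):
            cur += raw[:-1]
            continue
        out.append(cur + raw)
        cur = ""
    if cur:
        out.append(cur)
    return out


def tokenize(line):
    """Split a command into whitespace-separated tokens, honouring "quoted" values."""
    tokens, buf, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and i + 1 < len(line):
            buf.append(ESCAPES.get(line[i + 1], line[i + 1]))
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_export(text):
    """Return {section path: [entry dict, ...]} in file order."""
    sections, section = defaultdict(list), None
    for line in join_continuations(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()
            continue
        tokens = tokenize(line)
        entry = {"verb": tokens[0], "args": []}
        for tok in tokens[1:]:
            key, eq, value = tok.partition("=")
            if eq:
                entry[key] = value
            else:
                entry["args"].append(tok)  # positional pieces such as '[' 'find' ']'
        sections[section].append(entry)
    return dict(sections)


def scheduler_script_refs(sections):
    """(scheduler name, script it runs, whether that script exists) per scheduler entry."""
    scripts = {e.get("name") for e in sections.get("/system script", [])}
    refs = []
    for e in sections.get("/system scheduler", []):
        m = SCRIPT_RUN.search(e.get("on-event", ""))
        if m:
            refs.append((e.get("name"), m.group(1), m.group(1) in scripts))
    return refs


def input_chain_accepts(sections):
    """Ports the router accepts on itself (input-chain accepts with a dst-port)
    and whether the chain ends in an explicit drop."""
    rules = [e for e in sections.get("/ip firewall filter", []) if e.get("chain") == "input"]
    accepts = [(e.get("protocol"), e["dst-port"]) for e in rules
               if e.get("action") == "accept" and "dst-port" in e]
    return accepts, bool(rules) and rules[-1].get("action") == "drop"


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for sched, script, ok in scheduler_script_refs(cfg):
        print(f"scheduler {sched!r} runs script {script!r}: {'ok' if ok else 'NOT FOUND'}")
    print("input chain accepts:", input_chain_accepts(cfg))
```

Feeding it the complete export is a matter of replacing `SAMPLE_EXPORT` with the file's contents; the same two checks then report the `dyndns`/`strato` name mismatch and list the three WireGuard UDP ports that are accepted ahead of the "drop all not coming from LAN" rule.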

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging

Posted: Thu Oct 17, 2024 2:34 pm
by Steveocee
(quotes boxcee's config export from the previous post)
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" disabled=yes dst-address=\
    192.168.88.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" disabled=yes \
    in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
    yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip traffic-flow
set cache-entries=16k interfaces=*53
/ipv6 address
add from-pool=pool-ipv6 interface=bridge
add address=::1 from-pool=pool-ipv6 interface=telekom
add address=::1 from-pool=local-ipv6 interface=bridge
add address=::1 from-pool=wireguard-ipv6 interface=wireguard1
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=pool-ipv6 request=\
    prefix
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/lcd
set default-screen=stat-slideshow
/lcd interface
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
set ether13 disabled=yes
set ether14 disabled=yes
set ether15 disabled=yes
set ether16 disabled=yes
set ether17 disabled=yes
set ether18 disabled=yes
set ether19 disabled=yes
set ether20 disabled=yes
set ether21 disabled=yes
set ether22 disabled=yes
set ether23 disabled=yes
set ether24 disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=10m name=dyndns on-event="/system script run dyndns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-09-05 start-time=07:24:43
/system script
add comment=dyndns dont-require-permissions=no name=strato owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global ddnsuser \"REDACTED\"\
    \n:global ddnspass \"REDACTED\"\
    \n:global theinterface \"telekom\"\
    \n:global ddnshost1 \"REDACTED\"\
    \n\
    \n:global ipddns\
    \n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
    alue-name=address]\
    \n:global ip6fresh [/ipv6 address get [find where interface=\$theinterface\
    \_from-pool=\"pool-ipv6\"] value-name=address]   \
    \n\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n\
    \n    :log info (\"DynDNS: No ip address on \$theinterface .\")\
    \n\
    \n} else={\
    \n\
    \n    :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n\
    \n        :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
    \n\
    \n            :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n\
    \n        } \
    \n    }\
    \n\
    \n    \
    \n    :for i from=( [:len \$ip6fresh] - 1) to=0 do= {\
    \n    \
    \n        :if ( [:pick \$ip6fresh \$i] = \"/\") do={\
    \n    \
    \n            :set ip6fresh [:pick \$ip6fresh 0 \$i];   \
    \n\
    \n        }\
    \n\
    \n    }\
    \n\
    \n\
    \n    :log info (\"DynDNS: IP6-Fresh = \$ip6fresh\")\
    \n\
    \n    :if (\$ipddns != \$ipfresh) do={\
    \n\
    \n        :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n        :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n        :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
    \n\
    \n        :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfres\
    h\"\
    \n        /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddn\
    suser password=\$ddnspass mode=https dst-path=(\"/DynDNS.\".\$ddnshost1)\
    \n\
    \n        :delay 1\
    \n\
    \n        :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\
    \n        /file remove \$str1\
    \n        :global ipddns \$ipfresh\
    \n        :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n\
    \n    } else={\
    \n\
    \n        :log info \"DynDNS: dont need changes\";\
    \n\
    \n    }\
    \n}"
/tool graphing resource
add allow-address=192.168.0.0/16
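As an added example (not part of the thread and not the poster's own code), the Python script below parses a RouterOS export fragment of the kind posted above, unwraps the backslash continuation lines, and runs three checks worth doing before pressing a switch-class box into service as the edge router: which input-chain services an off-LAN sender can reach before the catch-all "drop all not coming from LAN" rule, which rules carry log=yes (every match writes a log line, a per-connection cost on a small CPU), and whether fasttrack-connection sits before the generic established/related accept in the forward chain, since otherwise it never matches and all forwarded traffic takes the CPU path. The embedded export is a constructed excerpt modelled on the posted config; the comment vpn-nat and the interface wg0 are assumptions standing in for the redacted names.

```python
"""Lint a RouterOS /export fragment: what the input chain accepts from outside
the LAN, which rules log every match, and whether fasttrack is ordered so it
can actually fire. Added example, not part of the forum thread."""
import shlex
from dataclasses import dataclass, field

# Constructed excerpt modelled on the export posted above. The comment
# "vpn-nat" and the interface "wg0" are assumptions standing in for the
# redacted names; the other rules mirror the posted ones.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=telekom
add action=masquerade chain=srcnat comment=vpn-nat log=yes out-interface=wg0
'''


@dataclass
class Rule:
    section: str          # e.g. "/ip firewall filter"
    verb: str             # "add" or "set"
    props: dict = field(default_factory=dict)


def unwrap(text):
    """Join export continuation lines: a trailing backslash means the next
    line, minus its indentation, continues the current logical line."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            logical.append(buf)
        buf = ""
    return logical


def parse_export(text):
    """Turn the export into Rule objects; shlex handles the quoted comments."""
    section, rules = None, []
    for line in unwrap(text):
        if line.startswith("/"):
            section = line.strip()
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        props = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key] = value
        rules.append(Rule(section, tokens[0], props))
    return rules


def exposed_input_services(rules):
    """Walk the input chain in order and list (protocol, dst-port) of every
    accept with no interface match that sits before the !LAN catch-all drop.
    Rules matching on connection-state are skipped: they admit replies, not
    new services."""
    exposed = []
    for r in rules:
        p = r.props
        if r.section != "/ip firewall filter" or p.get("chain") != "input":
            continue
        if p.get("disabled") == "yes":
            continue
        if p.get("action") == "drop" and p.get("in-interface-list") == "!LAN":
            break  # nothing after this rule sees off-LAN traffic
        if (p.get("action") == "accept"
                and not any(k.startswith("in-interface") for k in p)
                and "connection-state" not in p):
            exposed.append((p.get("protocol", "any"), p.get("dst-port", "any")))
    return exposed


def logging_rules(rules):
    """Comments of rules with log=yes; each match costs a log write."""
    return [r.props.get("comment", "<no comment>")
            for r in rules if r.props.get("log") == "yes"]


def fasttrack_precedes_accept(rules):
    """True if fasttrack-connection comes before the generic established/
    related accept in the forward chain (or no such accept exists)."""
    fwd = [r for r in rules
           if r.section == "/ip firewall filter"
           and r.props.get("chain") == "forward"]
    actions = [r.props.get("action") for r in fwd]
    if "fasttrack-connection" not in actions:
        return False
    ft = actions.index("fasttrack-connection")
    est = next((i for i, r in enumerate(fwd)
                if r.props.get("action") == "accept"
                and "established" in r.props.get("connection-state", "")), None)
    return est is None or ft < est


def report(rules):
    return {
        "exposed_input": exposed_input_services(rules),
        "logging_rules": logging_rules(rules),
        "fasttrack_ok": fasttrack_precedes_accept(rules),
    }


if __name__ == "__main__":
    for key, value in report(parse_export(SAMPLE_EXPORT)).items():
        print(f"{key}: {value}")
```

Run it as-is for the embedded excerpt, or feed a full export into parse_export. It only reads the filter and NAT sections; it does not inspect the dyndns script, whose /tool fetch call runs with mode=https but without check-certificate=yes, and RouterOS defaults to not checking the server certificate, so the Strato credentials go to any host that can answer for dyndns.strato.com.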

CRS125 is great as a switch but that's as far as it goes. It used to even get latency spikes running the LCD screen! Keep it as a switch and route through your 4011 and you'll be fine.

Re: Ping spikes with CRS125-24G-1S-RM on LAN, not sure where to start debugging  [SOLVED]

Posted: Tue Oct 29, 2024 6:24 am
by boxcee
Follow up.

Works fine now with the RB4011. CPU usage is almost always below 5% and packet loss is gone.

Thanks for bearing with me.