harryoooooooooo
just joined
Topic Author
Posts: 2
Joined: Wed Apr 03, 2024 11:43 am

SSH "message authentication code incorrect" when transferring big files

Wed Apr 03, 2024 1:10 pm

Hi there, I'm here to ask whether this is a general issue on this model (and the ETA of the fix) and whether a workaround exists.

So my device model is hAP ax3. My setup is simple - Port 1 is connected to the outer network and ports 2-5 connect to the local devices. Ports 2-5 are bridged and NAT/DHCP server are enabled.

When using hAP as an SSH ProxyJump host, transferring big files always fails with the below error in several minutes (the packet length varies):
$ truncate -s 10G test_file
$ scp -o ProxyJump=192.168.87.1 test_file 192.168.87.11:/dev/null

...

Bad packet length 2946315134.
ssh_dispatch_run_fatal: Connection to 192.168.87.1 port 22: message authentication code incorrect
client_loop: send disconnect: Broken pipe
lost connection

It ONLY happens when the hAP's ssh is involved in the transfer:
  • An outer network device transfers data to an inner network device, using hAP as the ProxyJump host -> FAIL
  • An outer network device transfers data to an inner network device, hAP simply port forwards -> SUCCESS
  • Two inner network devices transfer data and use hAP as the ProxyJump host -> FAIL
  • Two inner network devices transfer data directly -> SUCCESS

When the issue happens, other existing SSH connections on hAP won't be affected. But if SSH ControlMaster is set up (so they actually use the same connection), all SSH connections would be broken.

So far I've tried:
  • Update the RouterOS - I just bought the device and it was 7.13.2. Updated to 7.14.2 and the issue persists.
  • Setup MSS clamping or set MSS=1000 in /ip/firewall/mangle
  • Decrease the MTU for all ethernet interfaces
  • Explicitly specify the SSH MAC - hAP ax3 supports only 4 MACs and I tried each of them
  • Shorten the SSH ServerAliveInterval option to 1

None of the above works. Here is my RouterOS configuration:
/ip/dhcp-client/print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE  USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS
0 ether1     yes           yes                bound   XXX.XX.XXX.XXX/XX

/ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK         INTERFACE
0   192.168.87.1/24    192.168.87.0    bridge1
1 D XXX.XX.XXX.XXX/XX  XXX.XX.XXX.XXX  ether1

/ip/dhcp-server/print
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME
# NAME   INTERFACE  ADDRESS-POOL  LEASE-TIME
0 dhcp1  bridge1    dhcp_pool0    30m

/interface/bridge/port/print
Flags: I - INACTIVE
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#   INTERFACE  BRIDGE   HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
0   ether2     bridge1  yes     1  0x80             10                  10  none
1 I ether3     bridge1  yes     1  0x80             10                  10  none
2 I ether4     bridge1  yes     1  0x80             10                  10  none
3   ether5     bridge1  yes     1  0x80             10                  10  none
4   wifi1      bridge1          1  0x80             10                  10  none
5 I wifi2      bridge1          1  0x80             10                  10  none

/ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
 0    chain=srcnat action=masquerade out-interface=ether1
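
Added example (not part of the original post, and not MikroTik or OpenSSH code): a small Python model of the SSH binary packet layout from RFC 4253 section 6, showing how a receiver whose byte stream was altered or shifted in transit ends up at the two errors quoted above, "Bad packet length" and "message authentication code incorrect". The toy keystream cipher, keys, payloads and function names are constructed for illustration; it models the general failure mode only and does not identify what RouterOS does wrong.

```python
import hashlib, hmac, struct
BLOCK, TAG, PACKET_MAX_SIZE = 16, 32, 256 * 1024  # toy sizes; 256 KiB is OpenSSH's packet cap

class ToyStream:
    """SHA-256 counter keystream, a stand-in for a real SSH cipher (assumption)."""
    def __init__(self, key):
        self.key, self.pos = key, 0
    def crypt(self, data):
        out = bytearray()
        for b in data:
            blk, off = divmod(self.pos, 32)
            out.append(b ^ hashlib.sha256(self.key + struct.pack(">Q", blk)).digest()[off])
            self.pos += 1
        return bytes(out)

def mac(key, seq, plain):
    # MAC covers the sequence number plus the unencrypted packet
    return hmac.new(key, struct.pack(">I", seq) + plain, hashlib.sha256).digest()

def seal(cipher, mac_key, seq, payload):
    """RFC 4253 section 6 layout: length | padlen | payload | padding, then MAC."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    pad += BLOCK if pad < 4 else 0
    plain = struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)
    return cipher.crypt(plain) + mac(mac_key, seq, plain)

def receive(cipher, mac_key, wire):
    """Return (payloads, error); stop at the first error, as a client would."""
    seq, off, out = 0, 0, []
    while off < len(wire):
        head = cipher.crypt(wire[off:off + 4])  # length is decrypted before any MAC check
        (length,) = struct.unpack(">I", head)
        if not 5 <= length <= PACKET_MAX_SIZE:
            return out, f"Bad packet length {length}."
        end = off + 4 + length
        body = cipher.crypt(wire[off + 4:end])
        if not hmac.compare_digest(wire[end:end + TAG], mac(mac_key, seq, head + body)):
            return out, "message authentication code incorrect"
        out.append(body[1:len(body) - body[0]])
        seq, off = seq + 1, end + TAG
    return out, None

def demo(key=b"constructed-enc-key", mac_key=b"constructed-mac-key"):
    tx = ToyStream(key)
    pkts = [seal(tx, mac_key, i, b"chunk-%d" % i) for i in range(3)]
    clean = b"".join(pkts)
    flipped = bytearray(clean)
    flipped[len(pkts[0])] ^= 0x80          # top bit of packet 1's encrypted length field
    dropped = clean[:10] + clean[11:]      # one byte lost inside packet 0's body
    return [receive(ToyStream(key), mac_key, bytes(w)) for w in (clean, flipped, dropped)]
```

Calling demo() returns one (payloads, error) pair per stream: the intact stream decodes fully, the flipped bit produces an out-of-range length, and the dropped byte produces a MAC failure.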
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: SSH "message authentication code incorrect" when transferring big files

Wed Apr 03, 2024 7:03 pm

I would not recommend using RouterOS SSH for anything more than device admin; it is proprietary and has had numerous bugs over the years, and functionality of the SSH protocol beyond terminal access is likely rarely tested. Plus you will be putting extra load on your router and limiting throughput to whatever the device CPU can manage; there is no hardware crypto acceleration.
 
harryoooooooooo
just joined
Topic Author
Posts: 2
Joined: Wed Apr 03, 2024 11:43 am

Re: SSH "message authentication code incorrect" when transferring big files

Sun Apr 07, 2024 10:50 am

Hi MikroTik, any official response?
