For a few years I have had a MikroTik router acting as a PPPoE server for a couple of clients. Everything was fine until last week: clients started complaining that they get disconnected after a few hours, and rebooting the router fixes it for the next few hours. Today I re-imaged the device with Netinstall from version 6.43.2 to 6.44.6 (the latest at the time of writing) because I found that the old version is vulnerable.
Could someone review my config and advise me what is wrong and how to fix it? This is a serious problem for me.
The clients are TP-Link routers running DD-WRT.
I will upload pictures of the logs soon. The export follows (placeholders such as My_IP, My_network, GW_IP and a.b.c.d were substituted by me):
# jan/02/1970 03:15:31 by RouterOS 6.44.6
# software id = MV38-X1JV
#
# model = RouterBOARD 750G r3
# serial number = 8AFF089D47AF
# NOTE(review): the software-id and serial number identify this exact unit
# (and its license). They are not needed for a config review - redact them
# before posting an export publicly.
/interface ethernet
# Physical port roles. Per the post only ether1 (WAN, cable modem) and ether5
# (Trunk, to the downstream switch) carry traffic; ether2-4 are renamed but
# otherwise unused. The names are referenced by the VLAN and switch sections.
set [ find default-name=ether3 ] name=CCTV
set [ find default-name=ether4 ] name=CCTV2
set [ find default-name=ether2 ] name=PPoE
set [ find default-name=ether5 ] name=Trunk
set [ find default-name=ether1 ] name=WAN
/interface vlan
# 802.1Q sub-interfaces on the trunk towards the switch: VLAN 1 carries the
# CCTV LAN (192.168.0.0/24), VLAN 88 carries the PPPoE access network.
# NOTE(review): VLAN 1 is usually the untagged/native VLAN on a downstream
# switch. For the _CCTV sub-interface to see CCTV traffic the switch must send
# VLAN 1 *tagged* on the trunk - confirm that, or move CCTV to a non-default
# VLAN id to avoid native-VLAN ambiguity.
add comment="VLAN 1 - CCTV" interface=Trunk name=_CCTV vlan-id=1
add comment="VLAN 88 - PPoE" interface=Trunk name=_PPoE vlan-id=88
/interface wireless security-profiles
# Default security profile at its export default (supplicant identity only).
# No wireless interface is configured anywhere in this export, so this has no
# effect.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Default hotspot profile; no hotspot server is defined in this export, so this
# has no effect on traffic either.
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# PPoE-pool: 90 client addresses handed to PPPoE sessions by every PPP
# profile; it is also referenced by the dhcp1 server on the same VLAN.
# NOTE(review): one pool shared between a DHCP server and the PPP profiles can
# hand the same address to two hosts - give each consumer its own range (or
# drop dhcp1). 90 addresses is also the hard ceiling on concurrent sessions.
add name=PPoE-pool ranges=192.168.88.10-192.168.88.99
# CCTV-pool: dynamic range for the CCTV LAN. The fixed hosts (.3/.4 via static
# lease, .11/.13/.250/.251 addressed on the devices) all sit outside it.
add name=CCTV-pool ranges=192.168.0.20-192.168.0.200
/ip dhcp-server
# dhcp1 carries no disabled=no, while dhcp2 below does; since the export omits
# default values this suggests dhcp1 is disabled.
# NOTE(review): even if enabled it could not serve - _PPoE has no enabled IP
# address (192.168.88.1/24 on _PPoE is disabled=yes). It also draws from the
# same PPoE-pool as the PPP profiles, and a DHCP server on the PPPoE access
# VLAN would hand unauthenticated hosts an address on the PPPoE gateway subnet.
# Remove it unless there is a reason to keep it.
add address-pool=PPoE-pool interface=_PPoE lease-time=1d name=dhcp1
# dhcp2 serves the CCTV LAN on VLAN 1 with one-day leases.
add address-pool=CCTV-pool disabled=no interface=_CCTV lease-time=1d name=\
dhcp2
/ppp profile
# Service tiers for PPPoE subscribers. Every profile uses 192.168.88.1 as the
# router-side address and PPoE-pool for the client address; rate-limit is
# rx/tx from the router's point of view, i.e. client upload/download.
# Parameters not shown here (only-one, use-encryption, interface-list, ...)
# are at their defaults.
add local-address=192.168.88.1 name=5Mbps rate-limit=1M/5M remote-address=\
PPoE-pool
add local-address=192.168.88.1 name=30Mbps rate-limit=5.1M/35M \
remote-address=PPoE-pool
add local-address=192.168.88.1 name=15Mbps rate-limit=2M/15M remote-address=\
PPoE-pool
add local-address=192.168.88.1 name=10Mbps rate-limit=2M/10M remote-address=\
PPoE-pool
add local-address=192.168.88.1 name=20Mbps rate-limit=5M/20M remote-address=\
PPoE-pool
# session-timeout=0s means no forced session timeout (the same as unset).
add local-address=192.168.88.1 name=Unlimited rate-limit=150M/150M \
remote-address=PPoE-pool session-timeout=0s
add local-address=192.168.88.1 name=60Mbps rate-limit=10M/60M remote-address=\
PPoE-pool
/ip settings
# Strict reverse-path filtering on every interface: a packet is dropped unless
# the route back to its source leaves through the interface it arrived on.
# This is what stops a WAN packet with a spoofed 192.168.0.x / 192.168.88.x
# source from matching the "known network" input accepts in the firewall,
# which do not check in-interface. Keep it unless a second WAN is ever added.
set rp-filter=strict
/interface ethernet switch vlan
# Switch-chip VLAN table: VLAN 1 spans CCTV, CCTV2, Trunk and the CPU port;
# VLAN 88 spans PPoE, Trunk and the CPU port.
# NOTE(review): no /interface ethernet switch port vlan-mode / vlan-header
# settings appear in this export, so the ports are presumably at their
# defaults and this table may not actually be enforced - which would explain
# why ether2-4 "do not work as untagged ports". Check the MikroTik switch-chip
# docs for the RB750Gr3 before relying on this for VLAN separation.
add independent-learning=no ports=CCTV,CCTV2,Trunk,switch1-cpu switch=switch1 \
vlan-id=1
add independent-learning=no ports=PPoE,Trunk,switch1-cpu switch=switch1 \
vlan-id=88
/interface pppoe-server server
# PPPoE concentrator on VLAN 88. Sessions fall into the 5Mbps profile unless
# their /ppp secret names another one. keepalive-timeout and max-mtu/max-mru
# are not shown, so they are at their defaults.
# NOTE(review): nothing in this export explains a drop every few hours by
# itself. Before changing config, read the termination reason in
# /log print where topics~"pppoe" and compare the active session count
# (/interface pppoe-server print) against the 90-address PPoE-pool.
add default-profile=5Mbps disabled=no interface=_PPoE service-name=\
PPoE_server
/ip accounting
# Per-flow byte/packet counters (read with /ip accounting snapshot). Nothing
# in this export consumes them; harmless, but it is work done on every
# forwarded packet.
set enabled=yes
/ip address
# Router-side addresses. The PPPoE gateway address on _PPoE can stay disabled:
# PPP sessions get 192.168.88.1 as local-address from their profile, so the
# VLAN interface itself needs no IP (it also means dhcp1 on _PPoE cannot
# serve). WAN is a /30 point-to-point towards the modem's upstream; My_IP and
# My_network are placeholders substituted by the poster.
add address=192.168.0.1/24 comment="CCTV Gateway" interface=_CCTV network=\
192.168.0.0
add address=192.168.88.1/24 comment="PPoE Gateway" disabled=yes interface=\
_PPoE network=192.168.88.0
add address=My_IP/30 comment="WAN Gateway" interface=WAN network=\
My_network
/ip dhcp-server lease
# Static DHCP reservations on the CCTV LAN for the hosts at .3 and .4
# (.3 is also a WAN port-forward target, so it must keep this address).
add address=192.168.0.3 mac-address=4C:11:BF:C2:D2:52 server=dhcp2
add address=192.168.0.4 mac-address=4C:11:BF:C2:D2:84 server=dhcp2
/ip dhcp-server network
# Options handed out with leases: the router is gateway and DNS for both LANs.
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
# Only used by dhcp1 on _PPoE, which appears to be disabled; PPPoE clients get
# their addressing from PPP negotiation, not from this entry.
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# Router acts as a caching resolver for LAN and PPPoE clients, forwarding to
# 8.8.8.8 over plain UDP/53. allow-remote-requests=yes would also answer the
# WAN, but the input chain drops WAN traffic that is not explicitly allowed.
# NOTE(review): this resolver also resolves the DNS name in the slawek_new
# address-list, so an unauthenticated (spoofed) answer for that name would
# decide who may reach winbox from the WAN.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
# Convenience names served only by this resolver.
add address=192.168.88.1 name=router
add address=8.8.8.8 name=google
/ip firewall address-list
# "bogons": ranges that should never be routed over the public side. The
# forward chain drops traffic *to* these ranges. The list includes 10/8 and
# 172.16/12 (the inline comments warn to check they are not in use) but not
# 192.168/16, so inter-VLAN traffic is not affected by it.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=bogons
# "slawek_new": a DNS name that the router resolves itself (and re-resolves as
# the record's TTL expires), used to allow winbox (8291) from the WAN.
# NOTE(review): WAN management access then hinges on unauthenticated DNS
# answers obtained from 8.8.8.8. Prefer a fixed address or a VPN front door,
# and consider redacting the hostname when posting the config.
add address=qrba92lhcg1xh7sb.eu list=slawek_new
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid
add action=accept chain=input comment="Allow Established connections" \
connection-state=established,related
# ICMP to the router is disabled: ping/traceroute to the box fails from every
# side, including the LANs. Consider re-enabling it, at least from the LANs.
add action=accept chain=input comment="Allow ICMP" disabled=yes protocol=icmp
# winbox (8291): allowed from the CCTV LAN, from one fixed WAN address and from
# whatever the slawek_new DNS name currently resolves to; dropped from
# everywhere else, including PPPoE clients (192.168.88.0/24).
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.0.0/24
add action=accept chain=input dst-port=8291 in-interface=WAN protocol=tcp \
src-address=a.b.c.d
add action=accept chain=input dst-port=8291 in-interface=WAN protocol=tcp \
src-address-list=slawek_new
add action=drop chain=input dst-port=8291 protocol=tcp
# Every other router service (DNS etc.) is open to the two internal subnets.
# These rules match on source address only, so rp-filter=strict in
# /ip settings is the only anti-spoofing control. Adding in-interface=_CCTV to
# the first rule costs nothing; the PPPoE one cannot name an interface because
# <pppoe-*> interfaces are dynamic (an interface-list on the PPP profile would
# be needed for that).
add action=accept chain=input comment=\
"Allow access to router from known network" src-address=192.168.0.0/24
add action=accept chain=input comment=\
"Allow access to router from known network" src-address=192.168.88.0/24
add action=drop chain=input comment="Drop anything else"
# ---- forward chain: traffic through the router ----
# New WAN connections that were dst-nat'ed to the five camera web UIs are only
# accepted from a.b.c.d. The empty src-address-list="" on the first rule looks
# like an export artefact; confirm it imports cleanly or remove it.
add action=accept chain=forward connection-state=new dst-address=192.168.0.3 \
dst-port=80 protocol=tcp src-address=a.b.c.d src-address-list=""
add action=accept chain=forward connection-state=new dst-address=\
192.168.0.250 dst-port=80 protocol=tcp src-address=a.b.c.d
add action=accept chain=forward connection-state=new dst-address=\
192.168.0.251 dst-port=80 protocol=tcp src-address=a.b.c.d
add action=accept chain=forward connection-state=new dst-address=192.168.0.11 \
dst-port=80 protocol=tcp src-address=a.b.c.d
add action=accept chain=forward connection-state=new dst-address=192.168.0.13 \
dst-port=80 protocol=tcp src-address=a.b.c.d
add action=accept chain=forward comment=\
"allow already established connections" connection-state=\
established,related
# Redundant: every established/related packet is already accepted by the rule
# directly above.
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
established,related in-interface=WAN
# Drops outbound traffic towards the bogon ranges (dst match only).
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
# Disabled; if enabled it would change nothing, because new WAN-originated
# connections not matched by the camera accepts above are already dropped by
# the final rule.
add action=drop chain=forward disabled=yes in-interface=WAN
# Any new connection out to the WAN is allowed, from CCTV and PPPoE alike.
add action=accept chain=forward out-interface=WAN
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid protocol=tcp
# Final drop: this is what keeps PPPoE clients out of the CCTV LAN (and the
# reverse) - no rule above accepts new connections between the two VLANs.
add action=drop chain=forward
/ip firewall nat
# Source NAT for everything leaving via WAN (to-addresses=0.0.0.0 appears to be
# how the export renders "unset" for masquerade; it has no effect).
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=WAN to-addresses=0.0.0.0
# Port forwards: WAN tcp/8031-8035 -> plain-HTTP web UIs of five CCTV hosts.
# The dst-nat itself is unconditional; the forward chain is what limits who
# gets through (src-address=a.b.c.d only).
# NOTE(review): this is cleartext HTTP across the internet - camera logins
# cross the WAN unencrypted unless the devices redirect to HTTPS. A VPN into
# the CCTV LAN would remove the exposure entirely.
add action=dst-nat chain=dstnat dst-port=8031 in-interface=WAN protocol=tcp \
to-addresses=192.168.0.3 to-ports=80
add action=dst-nat chain=dstnat dst-port=8032 in-interface=WAN protocol=tcp \
to-addresses=192.168.0.11 to-ports=80
add action=dst-nat chain=dstnat dst-port=8033 in-interface=WAN protocol=tcp \
to-addresses=192.168.0.250 to-ports=80
add action=dst-nat chain=dstnat dst-port=8034 in-interface=WAN protocol=tcp \
to-addresses=192.168.0.251 to-ports=80
add action=dst-nat chain=dstnat dst-port=8035 in-interface=WAN protocol=tcp \
to-addresses=192.168.0.13 to-ports=80
/ip route
# Single default route via the modem-side gateway (GW_IP is a placeholder).
add distance=1 gateway=GW_IP
/ip service
# Management surface: telnet, ftp, www, ssh, api and api-ssl are off. winbox
# (8291) is not listed, so it stays on and is the only management service,
# gated by the firewall input rules; www-ssl is not listed either, so it is at
# its (normally disabled) default.
# NOTE(review): add a second layer where a fixed list is possible, e.g.
#   set winbox address=192.168.0.0/24,a.b.c.d
# The DNS-based slawek_new entry cannot be expressed here, which is one more
# reason to reach the box over a VPN rather than an internet-exposed winbox.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# "[snipped]" is the poster's placeholder for the other subscribers, not
# RouterOS syntax - remove it before importing.
[snipped]
# NOTE(review): this password is now public in cleartext; change it (and any
# others from the snipped part that were shared anywhere) immediately. PPP
# secrets are exported in the clear, so every export of this box is sensitive.
# Since the box ran what the post describes as a vulnerable 6.43.2 with winbox
# reachable from the WAN, rotate the admin password as well.
add name=nm50 password=ro2cho profile=Unlimited service=pppoe
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Router
/system note
# Login banner shown on connection; informational only, not an access control.
set note=">>>> Authorized administrator only. Access to this device is monitor\
ed <<<<"
/system ntp client
# Time is obtained from NTP after boot; the jan/02/1970 timestamp in the export
# header shows the clock had not yet synced when the export was taken. Plain
# NTP is unauthenticated - acceptable here, but log timestamps depend on it,
# so check sync status when reading the PPPoE logs.
set enabled=yes primary-ntp=212.244.36.227 secondary-ntp=212.244.36.228
Port 1 (WAN) is connected to the cable modem and port 5 (Trunk) is connected to the switch. The other MikroTik ports are not used because they do not work properly as untagged ports.
The 192.168.0.0/24 (CCTV) LAN works properly.