I have just installed one Mikrotik router to a customer. It is the first time I work with it, so I did some tests here at our office with the CCR1009-8g-1s-1s+ router with any problem.

But today two hours later to install the router on customer premises, they have phoned me because some PCs are having connectivity problems. They receive the DHCP configuration but they cannot access to internet (for example).

Making some pings to the router the situation is very strange, sometimes there is not answer, others we have a big latency with packet loss, and others after a very long ping time we have a normal ping without any packet loss (but with long ping time).

It is like we are having performance problems, perhaps I missed something at the configuration (I copy it bellow).

Please, I need any idea to fix the situation. Thanks in advance.

[admin@MikroTik] > export

# jul/10/2015 11:26:12 by RouterOS 6.30.2

# software id = 2SIC-ZGP8

#

/interface ethernet

set [ find default-name=ether1 ] name=ether1-gateway

set [ find default-name=ether2 ] name=ether2-master-local

set [ find default-name=ether3 ] master-port=ether2-master-local name=\

ether3-slave-local

set [ find default-name=ether4 ] master-port=ether2-master-local name=\

ether4-slave-local

/interface vlan

add interface=ether1-gateway l2mtu=1574 name=vlan3 vlan-id=3

add interface=ether1-gateway l2mtu=1574 name=vlan6 vlan-id=6

/interface pppoe-client

add add-default-route=yes allow=pap,chap default-route-distance=1 disabled=no \

interface=vlan6 max-mru=1492 max-mtu=1492 name=pppoe-out1 password=\

adslppp use-peer-dns=yes user=adslppp@telefonicanetpa

/ip pool

add name=dhcp ranges=10.10.2.1-10.10.3.254

add name=vpn ranges=192.168.3.10-192.168.3.20

/ip dhcp-server

add address-pool=dhcp disabled=no interface=ether2-master-local name=dhcp1

/ppp profile

set *FFFFFFFE dns-server=192.168.3.250 local-address=192.168.3.250 \

remote-address=vpn

/interface pptp-server server

set authentication=mschap2 enabled=yes

/ip address

add address=10.10.1.1/20 interface=ether2-master-local network=10.10.0.0

add address=192.168.100.10/24 interface=ether1-gateway network=192.168.100.0

/ip dhcp-client

add add-default-route=no dhcp-options=hostname,clientid disabled=no \

interface=vlan3 use-peer-ntp=no

/ip dhcp-server network

add address=10.10.0.0/20 dns-server=10.10.1.1 gateway=10.10.1.1 netmask=20

/ip dns

set allow-remote-requests=yes

/ip dns static

add address=10.10.1.1 name=router

/ip firewall filter

add chain=input comment="default configuration" protocol=icmp

add chain=input comment="default configuration" connection-state=established

add chain=input comment="default configuration" connection-state=related

add chain=input disabled=yes dst-port=23,80 in-interface=pppoe-out1 protocol=\

tcp

# pppoe-out1 not ready

add chain=input dst-port=8291 in-interface=pppoe-out1 protocol=tcp

# pppoe-out1 not ready

add chain=input dst-port=1723 in-interface=pppoe-out1 protocol=tcp

# pppoe-out1 not ready

add action=drop chain=input comment="default configuration" in-interface=\

pppoe-out1

add chain=forward comment="default configuration" connection-state=\

established

add chain=forward comment="default configuration" connection-state=related

add action=drop chain=forward comment="default configuration" \

connection-state=invalid

/ip firewall mangle

add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3

# pppoe-out1 not ready

add action=set-priority chain=postrouting new-priority=1 out-interface=\

pppoe-out1

/ip firewall nat

# pppoe-out1 not ready

add action=masquerade chain=srcnat comment="default configuration" \

out-interface=pppoe-out1

add action=masquerade chain=srcnat comment="default configuration" \

out-interface=ether1-gateway

add action=masquerade chain=srcnat comment="default configuration" \

out-interface=vlan3

add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\

pppoe-out1 protocol=tcp to-addresses=192.168.1.125

add action=dst-nat chain=dstnat disabled=yes dst-port=21 in-interface=\

pppoe-out1 protocol=tcp to-addresses=192.168.1.125

add chain=dstnat dst-address=10.10.1.5 dst-port=554-557 protocol=tcp \

src-address=192.168.100.10

add chain=dstnat dst-address=10.10.1.2 dst-port=3389 protocol=tcp \

src-address=192.168.100.10

add chain=dstnat dst-address=10.10.1.2 dst-port=9191 protocol=tcp \

src-address=192.168.100.10

add chain=dstnat dst-address=10.10.1.9 dst-port=10000-10006 protocol=tcp \

src-address=192.168.100.10

add chain=dstnat dst-address=10.10.1.2 dst-port=1433 protocol=tcp \

src-address=192.168.100.10

add chain=dstnat dst-address=10.10.1.4 dst-port=1000 protocol=tcp \

src-address=192.168.100.10

/ip route

add distance=255 gateway=255.255.255.255

/ip upnp

set enabled=yes

/ip upnp interfaces

add interface=ether2-master-local type=internal

add interface=pppoe-out1 type=external

/routing rip interface

add interface=vlan3 passive=yes receive=v2

/routing rip network

add network=10.0.0.0/8

/system clock

set time-zone-name=Europe/Madrid

/system ntp client

set enabled=yes primary-ntp=163.117.202.33 secondary-ntp=89.248.104.162

/system resource irq rps

set sfp-sfpplus1 disabled=yes

set sfp1 disabled=yes

set ether5 disabled=yes

set ether6 disabled=yes

set ether7 disabled=yes

set ether8 disabled=yes

/system routerboard settings

set cpu-frequency=1000MHz memory-frequency=1066DDR

/tool romon port

add

But today two hours later to install the router on customer premises, they have phoned me because some PCs are having connectivity problems. They receive the DHCP configuration but they cannot access to internet (for example).

I have similar issues.

LK

We have the same problem!

We have (possibly) narrowed it down to the dst-nat firewall rule with port 80.
when the rule is ON (active) the router starts having problems in a hour or two. The solution is to disable the rule or change the to-ports number other than port 80. The problems are slow response from the router, very long pings, some websites do not work (we suspect the DNS server and cache)

What can be the problem? DNS maybe?

What settings do you have for www service?

http://192.168.1.1/webfig/#IP:Services

my 1009 has this lines very different

/system resource irq rps
set sfp-sfpplus1 disabled=no
set sfp1 disabled=no
set ether5 disabled=no
set ether6 disabled=no
set ether7 disabled=no
set ether8 disabled=no

we have theese settings for IP services, there is no conflict for port 80.

• # NAME PORT ADDRESS CERTIFICATE
  0 telnet 23
  1 ftp 21
  2 www 8090
  3 ssh 22
  4 X www-ssl 443 none
  5 api 8728
  6 winbox 8291
  7 api-ssl 8729 none