This box has been running in one company's network for around 5 years now. Little background about the topology: The RB2011 represents the core router of the building's network. There are 3 apartments with residents and the company. RB2011 is connected to ISP on port 1 (wireless connection, about (15/3 Mbps Down/Up). Port 2 is for the company network giving out addresses in 192.168.1.0/24 range. Ports 3-5 are for the 3 apartments, each with corresponding addresses (192.168.3-5.0/24). Port 2 is connected to company's gigabit L2 switch, ports for apartmens are connected to residents' small wireless routers (cheap TPlinks). Company's network is a small one, let's say 5 people, each one with laptop and phone, 1 network printer, 1 NAS and 1 server. This setup has been working for quite some time now.
Update Note: I added bridges for ports 3-5, each bridge with 1 port and IP addr/DHCP server. If interface ether2 (company connection) is removed from bridge and assigned address and DHCP running, internet for the company stops working after a while.
Now to the problem: Recently, users (mostly residents) have started complaining about poor internet connection. I went to see what's happening and saw quite strange behavior. I connected my laptop to one of the resident's port and tried ping to google DNS. First around 30 pings seemed fine, websites where loading, everithing OK. After a while, ping started to timeout and websites wouldn't load anymore. I then tried pinging google directly from MikroTik, no timeouts there. After connection to different port, the same thing happened. Few pings OK, then nothing. This has repeated for the entire troubleshooting session. After a while I figured it may be the mikrotik dying, so I brought my 2011 to replace it. However, the exact same issue appeared. Few seconds after connectiong device it's OK, then the connection dies. The connection from MikroTik to internet seems to be fine however.
Here is the configuration:
Code: Select all
# oct/03/2016 12:43:42 by RouterOS 6.37
# software id = VG6N-D9X3
#
/interface wireless
set [ find default-name=wlan1 ] country="czech republic" distance=indoors \
mode=ap-bridge wireless-protocol=802.11
/interface bridge
add name=bridge_01
add name=bridge_03
add name=bridge_04
add name=bridge_05
/interface ethernet
set [ find default-name=ether1 ] comment=Gateway name=ether1-gateway
set [ find default-name=sfp1 ] disabled=yes name=sfp1-gateway speed=100Mbps
/interface virtual-ethernet
add arp=enabled disabled=no mac-address=02:6C:B1:A9:26:CE mtu=1500 name=\
"Loopback 1"
/ip neighbor discovery
set ether1-gateway comment=Gateway
set wlan1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=supersecretpassword\
wpa2-pre-shared-key=supersecretpassword
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha1 enc-algorithms=\
aes-256-ctr lifetime=8h pfs-group=none
/ip pool
add name=Pool1 ranges=192.168.1.10-192.168.1.99
add name=Pool3 ranges=192.168.3.10-192.168.3.99
add name=Pool4 ranges=192.168.4.10-192.168.4.99
add name=Pool5 ranges=192.168.5.10-192.168.5.99
add name=Pool99 ranges=192.168.99.2-192.168.99.10
/ip dhcp-server
add add-arp=yes address-pool=Pool1 disabled=no interface=bridge_01 \
lease-time=3d name=DHCP_01
add add-arp=yes address-pool=Pool3 disabled=no interface=bridge_03 \
lease-time=3d name=DHCP_03
add add-arp=yes address-pool=Pool4 disabled=no interface=bridge_04 \
lease-time=3d name=DHCP_04
add add-arp=yes address-pool=Pool5 disabled=no interface=bridge_05 \
lease-time=3d name=DHCP_05
add add-arp=yes address-pool=Pool99 disabled=no interface=ether10 lease-time=\
30m name=DHCP_99
/queue simple
add disabled=yes limit-at=512k/2M max-limit=5M/15M name=Bridge05 \
packet-marks=bridge05 priority=5/5 target=bridge_05
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge_01 interface=ether2
add bridge=bridge_01 interface=wlan1
add bridge=bridge_01 interface=ether6
add bridge=bridge_05 interface=ether5
add bridge=bridge_03 interface=ether3
add bridge=bridge_04 interface=ether4
/ip settings
set allow-fast-path=no
/ip address
add address=10.0.96.31/24 interface=ether1-gateway network=10.0.96.0
add address=192.168.3.1/24 interface=bridge_03 network=192.168.3.0
add address=192.168.4.1/24 interface=bridge_04 network=192.168.4.0
add address=192.168.5.1/24 interface=bridge_05 network=192.168.5.0
add address=192.168.1.1/24 comment=Company interface=bridge_01 network=\
192.168.1.0
add address=192.168.99.1/24 comment=Management interface=ether10 network=\
192.168.99.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.1.100 comment="UniFi LR 1" mac-address=04:18:D6:2A:35:60 \
server=DHCP_01
/ip dhcp-server network
add address=192.168.1.0/24 comment=Company dns-server=192.168.1.1 \
gateway=192.168.1.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.99.0/24 comment=Management dns-server=192.168.99.1 \
domain=mgmt.company gateway=192.168.99.1 netmask=24 ntp-server=\
192.168.99.1
/ip dns
set allow-remote-requests=yes servers=x.x.x.x,x.x.x.x
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=192.168.2.0/24 list=Najemnici
add address=192.168.3.0/24 list=Najemnici
add address=192.168.4.0/24 list=Najemnici
add address=192.168.5.0/24 list=Najemnici
/ip firewall filter
add action=accept chain=input comment="Reply to PING" protocol=icmp
add action=accept chain=input comment="Allow Established Traffic over WAN" \
connection-state=established in-interface=ether1-gateway
add action=accept chain=input comment="Allow Related Traffic over WAN" \
connection-state=related in-interface=ether1-gateway
add action=accept chain=forward comment="Allow Established Traffic over WAN" \
connection-state=established in-interface=ether1-gateway
add action=accept chain=forward comment="Allow Related Traffic over WAN" \
connection-state=related in-interface=ether1-gateway
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input in-interface=ether1-gateway protocol=tcp \
src-port=25
add action=accept chain=forward in-interface=ether1-gateway
add action=accept chain=forward in-interface=ether1-gateway
add action=accept chain=input dst-port=3389 in-interface=ether1-gateway \
protocol=tcp
add action=accept chain=input dst-port=5000 in-interface=ether1-gateway \
protocol=tcp
add action=accept chain=input dst-port=5005 in-interface=ether1-gateway \
protocol=tcp
add action=accept chain=input dst-port=5001 in-interface=ether1-gateway \
protocol=tcp
add action=drop chain=input comment="Drop input except DSTNAT" \
connection-nat-state=!dstnat in-interface=ether1-gateway
add action=drop chain=forward comment="Drop input except DSTNAT" \
connection-nat-state=!dstnat in-interface=ether1-gateway
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Mark Revitalstav Connection" in-interface=bridge_01 new-connection-mark=\
revitalstav passthrough=yes
add action=mark-packet chain=prerouting comment="Mark Revitalstav Packets" \
connection-mark=revitalstav new-packet-mark=revitalstav passthrough=no
add action=mark-connection chain=prerouting comment=\
"Mark Bridge05 Connection" in-interface=bridge_05 new-connection-mark=\
bridge05 passthrough=yes
add action=mark-packet chain=prerouting comment="Mark Bridge05 Packets" \
connection-mark=bridge05 new-packet-mark=bridge05 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment=CloudStation dst-port=6690 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.200 \
to-ports=6690
add action=dst-nat chain=dstnat comment=WebDAV dst-port=5005 in-interface=\
ether1-gateway protocol=tcp to-addresses=192.168.1.200 to-ports=5005
add action=dst-nat chain=dstnat comment="DSM HTTP" dst-port=5000 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.200 \
to-ports=5000
add action=dst-nat chain=dstnat comment="Windows RD" dst-port=6000 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.40 \
to-ports=3389
add action=dst-nat chain=dstnat comment="DSM HTTPS" dst-port=5001 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.200 \
to-ports=5001
add action=dst-nat chain=dstnat comment="UniFi Controller" dst-port=8443 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.40
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=1 gateway=10.0.96.100
/ip service
set telnet disabled=yes
set www disabled=yes
set api address=0.0.0.0/0
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Prague
/system identity
set name=Revitalstav
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set "Loopback 1" disabled=yes display-time=5s
set bridge_01 disabled=yes display-time=5s
set bridge_05 disabled=yes display-time=5s
set bridge_03 disabled=yes display-time=5s
set bridge_04 disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set sfp1-gateway disabled=yes display-time=5s
set ether1-gateway disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6 disabled=yes display-time=5s
set ether7 disabled=yes display-time=5s
set ether8 disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s
/system logging
add topics=firewall
/system note
set note=Company
/system ntp client
set enabled=yes primary-ntp=195.113.144.201 secondary-ntp=195.113.144.238
/system ntp server
set broadcast=yes broadcast-addresses=\
192.168.1.255,192.168.2.255,192.168.3.255,192.168.4.255,192.168.5.255 \
enabled=yes multicast=yes
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=wlan1
add interface=bridge_01
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=wlan1
add interface=bridge_01
/tool romon port
add
/tool sniffer
set memory-limit=1000KiB only-headers=yes
The problem remains after rebooting the device, ROS upgrade to 6.37 and downgrade to 6.34.4. This is obviously quite frustrating situation, as the people keep complaining about not being able to use the internet. I might be ovelooking something essential, though I've configured quite a few before and I'm using RB2011 in almost all of my networks. That is why I'm posting this, hoping someone might suggest what the problem is. The other problem being I had to leave already, so I only have remote access. Thaks in advance.
