Hardware Offload off and no Internet connection the first min/sec...
Posted: Tue Aug 27, 2019 10:39 pm
I have the following problem with a CRS326-24G switch running in bridge mode:
bridge1
Settings, Use IP Firewall: yes
ether 1: Linux Router/Server (DHCP, Gateway, DNS)
ether 2: LigoWave AP1
ether 3: LigoWave AP2
ether 3: Connect Client PC directly with LAN cable.
DHCP is disabled on MikroTik because the Linux router runs as a DHCP server.
When I disable hardware offload on ether2 and ether3, the firewall rules work. The problem is, if a client establishes a WLAN connection, it can't establish an Internet connection for the first minute (it's maybe two minutes), although the WLAN connection exists. If I activate hardware offload on ether2 and ether3, the internet connection works from the beginning.
Where is the problem?
Is it the firewall rule?
As soon as the internet connection is established (i.e. after a few minutes), the firewall works as it should. So that's not the problem?
Code:
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Block Bittorrent
chain=forward action=add-src-to-address-list layer7-protocol=layer7-bittorrent src-address=192.168.0.0/24
src-address-list=!allow-ips address-list=Bittorrent_clients address-list-timeout=none-dynamic log=no log-prefix=""
1 chain=forward action=add-src-to-address-list layer7-protocol=layer7-bittorrent src-address=192.168.1.0/24
src-address-list=!allow-ips address-list=Bittorrent_clients address-list-timeout=none-dynamic log=no log-prefix=""
2 chain=forward action=drop protocol=tcp src-address-list=Bittorrent_clients
dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 log=no log-prefix=""
3 chain=forward action=drop protocol=udp src-address-list=Bittorrent_clients
dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 log=no log-prefix=""
4 ;;; Block Apple
chain=forward action=drop protocol=tcp dst-address=17.0.0.0/8 src-address-list=LIGOWAVE dst-port=80,443,5223 log=no
log-prefix=""
5 ;;; Block WindowsUpdate
chain=forward action=drop layer7-protocol=layer7-windowsupdate protocol=tcp src-address-list=LIGOWAVE
dst-port=80,443 log=no log-prefix=""
6 ;;; Block Google Play
chain=forward action=drop layer7-protocol=layer7-googleplay protocol=tcp src-address-list=LIGOWAVE dst-port=80,443
log=no log-prefix=""