4.14 -> 5.6 Upgrade Issues

Hello,

I have had a 450g for about two months and recently upgraded it to 5.6 from 4.14 (what it came with) and subsequently 5.7.
After the upgrade, I am getting some strange behaviour. It drops outgoing connections (preserving incoming connections) for a second or so, before allowing them again.

I am thinking it keeps removing the outgoing route and then adding it back in, but I am very uneducated when it comes to Mikrotik products. I have checked the logs and everything claims to be working fine.

Two interesting things: -EDIT-

  1. One person plays games [Team Fortress 2]. They will see other people move, even during the connectivity issues, while they themselves cannot. (sending vs receiving?)
  2. Pinging will be completely fine and then respond from the gateway interface that the destination is unreachable. This is followed by a gap of roughly 1000 ms (+/-), after which normal operation resumes.
[admin@HoboTik] > ip dhcp-client print
Flags: X - disabled, I - invalid 
 #   INTERFACE                         USE ADD STATUS        ADDRESS           
 0   ;;; default configuration
     ether1-gateway                        yes bound         [WAN]/20  

[admin@HoboTik] > ip dhcp-relay print
Flags: X - disabled, I - invalid 
 #   NAME               INTERFACE               DHCP-SERVER     LOCAL-ADDRESS  

[admin@HoboTik] > ip dhcp-server print
Flags: X - disabled, I - invalid 
 #   NAME     INTERFACE     RELAY           ADDRESS-POOL     LEASE-TIME ADD-ARP
 0   dhcp1    bridge                        dhcp_pool1       3d    
    
[admin@HoboTik] > ip dhcp-server lease print
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 #   ADDRESS                  MAC-ADDRESS       HOS... SERVER    RAT... STATUS 
 0   10.10.0.110              00:0A:CD:1B:71:F7 sma... dhcp1            bound  
 1 D 10.10.0.149              0C:EE:E6:B1:8F:2B hob... dhcp1            bound  
 2   10.10.0.105              00:1F:BC:02:66:4A Sma... dhcp1            bound  
 3   10.10.0.111              00:02:B3:A9:E4:07 Sma... dhcp1            bound  
 4 D 10.10.0.104              00:21:5D:5A:37:40 Jam... dhcp1            bound  
 5 D 10.10.0.103              00:26:22:62:96:ED hob... dhcp1            bound    

[admin@HoboTik] > ip dhcp-server option print
 # NAME                                CODE VALUE        
                         
[admin@HoboTik] > ip dhcp-server config print
  store-leases-disk: 5m    

[admin@HoboTik] > ip dhcp-server network print
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN   
 0 ;;; default configuration
   10.10.0.0/23       10.10.0.1       10.10.0.1

EDIT: Disabling and re-enabling DHCP fixed the CPU pegging issue, but it is still dropping outbound connections.

Thank you!!

There have been several posts regarding DHCP and 100% cpu. I hope that gets fixed soon!

I fixed the 100% CPU DHCP issue; it was due to a misconfiguration: I have two /24 networks, my local and VPN networks. The DHCP server was attempting to hand out IP addresses on both, but the VPN server handles the other /24, which created the CPU pegging issue.

However, my issue of outbound connections dropping still persists. It seems to me that it is dropping a route, although the routing table never changes, nothing shows up in the log, and no interfaces go down.

Here is my full config

# --- Interfaces / LAN side ---
# Single software bridge joining the LAN ports (ether2-5, see /interface bridge port).
# protocol-mode=none: spanning tree is off, so the STP parameters set on the
# ports have no effect. auto-mac=yes: the bridge takes its MAC from a member
# port; admin-mac is not used while this is set.
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=1520 max-message-age=20s mtu=1500 \
    name=bridge priority=0x8000 protocol-mode=none transmit-hold-count=6

# ether1-gateway is the WAN uplink: it carries the DHCP client and every
# in-interface=ether1-gateway match in the firewall. ether2-5 are LAN ports.
# master-port=none on all of them: no hardware switch grouping, so the LAN
# ports are joined only by the software bridge above.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1526 \
    mac-address=00:0C:42:BD:5E:9F mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1520 mac-address=00:0C:42:BD:5E:A0 \
    master-port=none mtu=1500 name=ether2-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1520 mac-address=00:0C:42:BD:5E:A1 \
    master-port=none mtu=1500 name=ether3-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1520 mac-address=00:0C:42:BD:5E:A2 \
    master-port=none mtu=1500 name=ether4-local speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1520 mac-address=00:0C:42:BD:5E:A3 \
    master-port=none mtu=1500 name=ether5-local speed=100Mbps

# Switch chip left unconfigured (switch-all-ports=no, no mirroring).
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1 \
    switch-all-ports=no

# Two pools with identical ranges; only dhcp_pool1 is referenced (by dhcp1
# below). The static leases (.105, .110, .111 in /ip dhcp-server lease) fall
# inside this range.
/ip pool
add name=default-dhcp ranges=10.10.0.100-10.10.0.199
add name=dhcp_pool1 ranges=10.10.0.100-10.10.0.199

# LAN DHCP server on the bridge, 3-day leases.
# NOTE(review): authoritative=after-2sec-delay appears to make the server NAK
# requests it does not recognise only after a 2 s grace period — confirm
# against the RouterOS documentation for this version.
# The network object handed out by this server is /24 while the bridge address
# is /23; see /ip dhcp-server network.
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=bridge lease-time=3d name=dhcp1

# Serial console port parameters.
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
    stop-bits=1

# PPP profiles. Nothing else in this export appears to reference them (no PPP
# server or /ppp secret section is shown). The VPN the post mentions is the
# OpenVPN server on 10.10.0.111, reached through DST-NAT (see /ip firewall nat).
/ppp profile
set default change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
set default-encryption change-tcp-mss=yes name=default-encryption only-one=\
    default use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default

# Queue types. The per-interface queues (see /queue interface) all use
# ethernet-default: a plain 50-packet FIFO, i.e. no shaping or prioritisation.
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
    sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
    red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
    5
set multi-queue-ethernet-default kind=mq-pfifo mq-pfifo-limit=50 name=\
    multi-queue-ethernet-default
set default-small kind=pfifo name=default-small pfifo-limit=10

# --- Dynamic routing (unused), SNMP, logging, boot settings ---
# BGP instance with AS 65530 and router-id 0.0.0.0. No /routing bgp peer
# section appears in this export, so the instance has nothing to talk to.
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""

# OSPF instance referencing filter chains ospf-in / ospf-out that are not
# shown here. No /routing ospf interface or network section appears in this
# export, so OSPF is presumably idle as well.
/routing ospf instance
set default disabled=no distribute-default=never in-filter=ospf-in \
    metric-bgp=auto metric-connected=20 metric-default=1 metric-other-ospf=\
    auto metric-rip=20 metric-static=20 name=default out-filter=ospf-out \
    redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
    redistribute-rip=no redistribute-static=no router-id=0.0.0.0

/routing ospf area
set backbone area-id=0.0.0.0 disabled=no instance=default name=backbone type=\
    default

# SNMP is off.
/snmp
set contact="" enabled=no engine-id="" location="" trap-target=0.0.0.0 \
    trap-version=1

# Logging targets. The memory target keeps only the last 100 lines and the
# disk target 2 files x 100 lines — a very small window for catching an
# intermittent one-second event (the post says "nothing shows up in the log").
# The remote action points at 0.0.0.0, i.e. no syslog collector is configured.
# Troubleshooting suggestion: raise memory-lines, or set remote= to a LAN
# syslog host, and add a /system logging rule for the route and dhcp topics
# while reproducing the outbound drops.
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
    disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 \
    src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto target=\
    remote

# RouterBOARD boot settings. The identical `set` appears twice; the second is
# a harmless repeat (probably an artifact of how the export was produced).
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
    boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
    enter-setup-on=any-key force-backup-booter=no silent-boot=no
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
    boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
    enter-setup-on=any-key force-backup-booter=no silent-boot=no

# --- Bridge ports and L3 addressing ---
# ether2-5 joined to the bridge. edge / path-cost / priority are STP
# parameters and have no effect while the bridge runs protocol-mode=none.
/interface bridge port
add bridge=bridge disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether2-local path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether3-local path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether4-local path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether5-local path-cost=10 point-to-point=auto priority=0x80

# use-ip-firewall=yes: frames bridged between LAN ports are also run through
# /ip firewall, so LAN-to-LAN traffic traverses the forward chain. Since the
# forward chain below accepts everything, the only effect is extra per-packet
# CPU work; set to no unless LAN-to-LAN filtering is actually wanted.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no

# IP accounting off.
/ip accounting
set account-local-traffic=no enabled=no threshold=256

/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0

# LAN is 10.10.0.0/23 (hosts 10.10.0.1-10.10.1.254). Several later entries use
# 10.10.0.0/24 instead (/ip dhcp-server network, the two /24 forward filter
# rules): a host in 10.10.1.x would fall outside those matches. Pick one prefix
# and use it consistently.
/ip address
add address=10.10.0.1/23 disabled=no interface=bridge network=10.10.0.0

# WAN addressing from the ISP via DHCP. add-default-route=yes with
# default-route-distance=1 installs a default route at the SAME distance as
# the two enabled static default routes in /ip route, so three default routes
# compete for the main table. See the note at /ip route — this is the first
# thing to check for the intermittent outbound drops.
/ip dhcp-client
add add-default-route=yes comment="default configuration" \
    default-route-distance=1 disabled=no interface=ether1-gateway

# Lease database flushed to disk every 5 minutes.
/ip dhcp-server config
set store-leases-disk=5m

# Static leases. 10.10.0.111 is the host behind every enabled port forward
# (SSH, ZNC, Terraria, Mumble, OpenVPN); 10.10.0.105 is the SRCDS target
# (those forwards are currently disabled).
/ip dhcp-server lease
add address=10.10.0.110 client-id=1:0:a:cd:1b:71:f7 disabled=no mac-address=\
    00:0A:CD:1B:71:F7 server=dhcp1
add address=10.10.0.105 client-id=1:0:1f:bc:2:66:4a disabled=no mac-address=\
    00:1F:BC:02:66:4A server=dhcp1
add address=10.10.0.111 disabled=no mac-address=00:02:B3:A9:E4:07 server=\
    dhcp1

# DHCP network: address=10.10.0.0/24 but netmask=23, so clients receive a /23
# mask (matching the bridge) while the network object itself is /24. The post
# mentions a second /24 handled by the VPN server, which probably explains the
# /24 here; aligning it with /ip address (10.10.0.0/23) would still remove the
# mismatch.
/ip dhcp-server network
add address=10.10.0.0/24 comment="default configuration" dns-server=10.10.0.1 \
    gateway=10.10.0.1 netmask=23

# DNS: the router forwards to Google DNS and, with allow-remote-requests=yes,
# answers queries from ANY source that reaches tcp/udp 53 on it. The input
# chain below accepts every new connection arriving on ether1-gateway ("Allow
# New Conns"), so this is an open resolver on the Internet — usable by third
# parties for DNS amplification and a needless CPU load on the 450G. Either
# drop dst-port=53 from in-interface=ether1-gateway in the input chain ahead
# of the accepts, or remove the "Allow New Conns" rule so "Drop all" applies.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4
# Connection tracking is enabled; the new/established/related/invalid matches
# in the filter rely on it.
# NOTE(review): udp-timeout=10s looks like the idle timeout for a UDP entry
# that has not yet seen a reply (udp-stream-timeout=3m applies afterwards) —
# confirm; it matters for the UDP game traffic mentioned in the post.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
# --- Packet filter ---
# Rules are evaluated top to bottom, first match wins: drops for invalid /
# blacklisted / scanner sources come first, then accepts, then the final WAN
# "Drop all". Several rules below do not do what their comments suggest; see
# the inline notes.
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Conns" connection-state=\
    invalid disabled=no
# SSH brute-force staging (stage1 -> stage2 -> stage3 -> blacklist), chain=input.
# These never fire: tcp/22 arriving on ether1-gateway is DST-NATed to
# 10.10.0.111 (see /ip firewall nat) before the routing decision, so it
# traverses the forward chain, not input; and /ip service ssh on the router
# itself is disabled. The lists therefore stay empty and the "drop ssh brute
# downstream" forward rule has nothing to match. To protect the forwarded SSH
# host, replicate the staging rules in chain=forward with
# dst-address=10.10.0.111 dst-port=22 protocol=tcp — or, better, stop exposing
# SSH and reach it through the OpenVPN tunnel.
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# Port-scan detection: psd and TCP-flag signatures add the source to the
# "port scanners" list for 2 weeks; the two drop rules after them block listed
# sources in input and forward. Fine as written, but note the detection runs
# only on chain=input, i.e. for scans aimed at the router itself, not at the
# DST-NATed hosts behind it.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
    no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"
# Bogon filtering, forward chain only, for 0.0.0.0/8 and 127.0.0.0/8.
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
    src-address=0.0.0.0/8
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
    dst-address=0.0.0.0/8
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
    src-address=127.0.0.0/8
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
    dst-address=127.0.0.0/8
# Management exposed: WinBox (tcp/8291) is accepted from the WAN with no
# source restriction, and /ip service winbox has no address= limit either.
# Restrict to a trusted src-address-list, or administer only from the LAN /
# through the OpenVPN tunnel.
add action=accept chain=input comment="Allow WinBox" disabled=no dst-port=\
    8291 in-interface=ether1-gateway protocol=tcp
# Matches on SOURCE port 53, which any remote sender can choose; it is not a
# valid way to admit DNS replies — those are connection-state=established and
# are already covered by "Allow Established Conns" two rules down. Remove.
add action=accept chain=input comment="Allow DNS" disabled=no in-interface=\
    ether1-gateway protocol=udp src-port=53
# ICMP accepted from every interface, no rate limit.
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Allow Established Conns" \
    connection-state=established disabled=no in-interface=ether1-gateway
# Accepts EVERY new connection from the WAN to the router itself. This makes
# the final "Drop all" unreachable for new flows: the only WAN->router traffic
# actually dropped is connection-state=invalid and sources already on the
# ssh_blacklist / "port scanners" lists. It also makes the WinBox and DNS
# accepts above redundant and exposes the DNS resolver
# (allow-remote-requests=yes) plus any service enabled later. Remove this
# rule; the established/related accepts already handle return traffic, then
# add explicit accepts only for the ports that must be reachable.
add action=accept chain=input comment="Allow New Conns" connection-state=new \
    disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=ether1-gateway
# Forward chain: the two /24 rules are narrower than the /23 LAN (10.10.1.x is
# not matched) but that is moot because the third rule accepts everything.
# Net effect: no default-deny in forward — whatever DST-NAT or UPnP (enabled
# below) maps is reachable from the Internet immediately.
add action=accept chain=forward disabled=no in-interface=bridge \
    out-interface=ether1-gateway src-address=10.10.0.0/24
add action=accept chain=forward disabled=no dst-address=10.10.0.0/24 \
    in-interface=ether1-gateway out-interface=bridge
add action=accept chain=forward disabled=no
# Router-originated traffic is never filtered.
add action=accept chain=output disabled=no
# Only reached by WAN->router traffic that no accept above matched — with
# "Allow New Conns" in place that is effectively nothing.
add action=drop chain=input comment="Drop all" disabled=no in-interface=\
    ether1-gateway

# --- NAT, ALG helpers, discovery, proxy, routes ---
# Port forwards. Every enabled forward lands on 10.10.0.111. SSH on tcp/22 is
# exposed directly to the Internet and, as noted in the filter, the
# brute-force staging rules do not cover it. The two OpenVPN rules lack
# in-interface=ether1-gateway, so they also rewrite LAN-originated traffic
# aimed at the router's own port 30000 (hairpin) — harmless, but inconsistent
# with the other forwards. The two disabled action=log rules are handy for the
# outbound-drop investigation: enable them briefly and watch /log while a drop
# happens.
/ip firewall nat
add action=dst-nat chain=dstnat comment=SSH disabled=no dst-port=22 \
    in-interface=ether1-gateway protocol=tcp to-addresses=10.10.0.111 \
    to-ports=22
add action=dst-nat chain=dstnat comment=ZNC disabled=no dst-port=45000 \
    in-interface=ether1-gateway protocol=tcp to-addresses=10.10.0.111 \
    to-ports=45000
add action=dst-nat chain=dstnat comment=Terraria disabled=no dst-port=7777 \
    in-interface=ether1-gateway protocol=tcp to-addresses=10.10.0.111 \
    to-ports=7777
add action=dst-nat chain=dstnat comment=Terraria disabled=no dst-port=7777 \
    in-interface=ether1-gateway protocol=udp to-addresses=10.10.0.111 \
    to-ports=7777
add action=dst-nat chain=dstnat comment="Mumble UDP" disabled=no dst-port=\
    64738 in-interface=ether1-gateway protocol=udp to-addresses=10.10.0.111 \
    to-ports=64738
add action=dst-nat chain=dstnat comment="Mumble TCP" disabled=no dst-port=\
    64738 in-interface=ether1-gateway protocol=tcp to-addresses=10.10.0.111 \
    to-ports=64738
add action=dst-nat chain=dstnat comment="OpenVPN TCP" disabled=no dst-port=\
    30000 protocol=tcp to-addresses=10.10.0.111
add action=dst-nat chain=dstnat comment="OpenVPN UDP" disabled=no dst-port=\
    30000 protocol=udp to-addresses=10.10.0.111
# Standard WAN source NAT for the LAN.
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=ether1-gateway
add action=log chain=dstnat disabled=yes log-prefix=""
add action=log chain=srcnat disabled=yes log-prefix=""
add action=dst-nat chain=dstnat comment=SRCDS disabled=yes dst-port=27015 \
    in-interface=ether1-gateway protocol=tcp to-addresses=10.10.0.105 \
    to-ports=27015
add action=dst-nat chain=dstnat comment=SRCDS disabled=yes dst-port=27015 \
    in-interface=ether1-gateway protocol=udp to-addresses=10.10.0.105 \
    to-ports=27015

# NAT ALG helpers (FTP, TFTP, IRC, H.323, SIP, PPTP) all disabled — good:
# fewer protocol parsers inspecting untrusted traffic.
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes

# HotSpot FTP helper enabled, but no /ip hotspot section appears in this export.
/ip hotspot service-port
set ftp disabled=no ports=21

# Neighbor discovery is enabled on ether1-gateway as well, which advertises the
# router's identity, RouterOS version and MAC to whoever shares the WAN
# segment. Disable it on the WAN interface.
/ip neighbor discovery
set ether1-gateway disabled=no
set ether2-local disabled=no
set ether3-local disabled=no
set ether4-local disabled=no
set ether5-local disabled=no
set bridge disabled=no

# Web proxy disabled.
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
    0.0.0.0

# Default routes — the prime suspect for the intermittent outbound drops.
# Two ENABLED static defaults use the interface ether1-gateway as the gateway
# rather than a next-hop IP; on an Ethernet WAN that makes the router resolve
# each Internet destination with ARP on the WAN segment, which only works
# while the upstream answers for it (proxy-ARP) — otherwise the router itself
# reports the destination unreachable, matching the ping symptom in the post.
# Both have distance=1, the same as the route the DHCP client installs
# (add-default-route=yes, default-route-distance=1), so up to three default
# routes compete and which one is active at a given moment decides whether
# outbound traffic works. The first route additionally forces
# pref-src=10.10.0.1 (the LAN address) on router-originated traffic. The third,
# disabled entry (gateway=76.178.144.1) is the shape a correct static default
# would have. Suggest disabling both enabled static routes and letting the
# DHCP client's route stand alone; compare /ip route print during a drop.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether1-gateway \
    pref-src=10.10.0.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether1-gateway \
    pref-src=0.0.0.0 scope=30 target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=76.178.144.1 scope=\
    30 target-scope=10

# --- Management services and misc ---
# telnet / ftp / ssh / api / www-ssl disabled; www limited to the LAN /23.
# WinBox (8291) is enabled with NO address= restriction and the filter accepts
# it from the WAN. Add address=10.10.0.0/23 here, as on www, so the service
# itself refuses non-LAN sources even if the filter is misordered.
/ip service
set telnet disabled=yes port=23
set ftp disabled=yes port=21
set www address=10.10.0.0/23 disabled=no port=80
set ssh disabled=yes port=22
set www-ssl certificate=none disabled=yes port=443
set api disabled=yes port=8728
set winbox disabled=no port=8291

# SOCKS proxy disabled.
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=80

# SSH service is disabled above; TCP forwarding is off regardless.
/ip ssh
set forwarding-enabled=no

# NetFlow export off.
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all

# UPnP is ON with ether1-gateway as the external interface: any LAN host (or
# malware on one) can open inbound WAN port mappings without touching this
# config, and with the forward chain accepting everything those mappings are
# reachable immediately. allow-disable-external-interface=yes additionally
# lets a UPnP client disable the WAN interface; set it to no, and disable UPnP
# entirely if no application truly needs it.
/ip upnp
set allow-disable-external-interface=yes enabled=yes show-dummy-rule=yes

/ip upnp interfaces
add disabled=no interface=bridge type=internal
add disabled=no interface=ether1-gateway type=external

# MPLS: label range set and an mpls interface entry for all interfaces, but
# LDP is disabled, so none of this is in use.
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes

/mpls interface
add disabled=no interface=all mpls-mtu=1508

/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
    lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no

# PPP AAA: local accounting, no RADIUS.
/ppp aaa
set accounting=yes interim-update=0s use-radius=no

# Per-interface queues: plain 50-packet FIFO everywhere (see /queue type).
/queue interface
set ether1-gateway queue=ethernet-default
set ether2-local queue=ethernet-default
set ether3-local queue=ethernet-default
set ether4-local queue=ethernet-default
set ether5-local queue=ethernet-default

# Incoming RADIUS (disconnect/CoA) requests not accepted.
/radius incoming
set accept=no port=3799

# BFD enabled on all interfaces: 0.2 s x 5 = 1 s failure detection. With no
# OSPF/BGP neighbour configured in this export it presumably has no effect.
/routing bfd interface
set all disabled=no interface=all interval=0.2sec min-rx=0.2sec multiplier=5

# MME routing at defaults, no gateway role.
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50

# RIP: nothing redistributed, no interfaces shown — idle.
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s