750GL home setup need help

Hello, I just bought a 750GL and managed to get my connection working on it.
I have a FTTH connection 25mbit down and 100mbit up, it receives a dynamic IP over pppoe.

First problem is that I can’t get port forwarding working. I tried stuff like this

add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=1000 protocol=tcp to-addresses=192.168.88.100 to-ports=22
(want to get ssh working on 192.168.88.100)
But it doesn’t work.

Second problem is with DHCP: how do I get one server working on all interfaces (except WAN)?

Currently I have it like this.

And third problem is that I just tried upgrading to 5.6 and internet speed dropped from 93-94mbit down to ~75. Tested on ndt.arnes.si - it’s very accurate.
Weird thing is that CPU usage on 5.2 went to 85-90% and it delivered 94mbit; now CPU usage is 60-70% and I get 75mbit.

Help please! :slight_smile:

Are the SSH forwarding rule counters increasing?

Please post some additional configuration like: /ip address export, /interface ethernet export, /ip dhcp-server export

It looks like the other ports are slaves of another port - why do you need 4 DHCPs with the same address pool? Create a bridge or a switch group and use one DHCP server.

BTW, reset to default and ether2-ether5 will already be configured as LAN; connect your ISP to ether1 and enjoy.

I have fixed the DHCP issue: I just have a DHCP server on the master interface now and it works. Not sure why it didn’t before.

macgaiver:
these settings are default and they are correct according to this:
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
(first and second picture)

Are the SSH forwarding rule counters increasing?

Please post some additional configuration like: /ip address export, /interface ethernet export, /ip dhcp-server export

Yes, the forwarding rule counter increases by 1 packet every time I try to connect to ssh, but the connection times out.

[admin@MikroTik] > /ip address export
# jan/02/1970 21:35:29 by RouterOS 5.6
# software id = R5CQ-CUX9
#
/ip address
add address=192.168.88.1/24 disabled=no interface=ether2-local-master network=192.168.88.0
[admin@MikroTik] > /interface ethernet export
# jan/02/1970 21:35:57 by RouterOS 5.6
# software id = R5CQ-CUX9
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:AA:86:05 master-port=none mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:AA:86:06 master-port=none mtu=1500 name=ether2-local-master speed=\
    100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:AA:86:07 master-port=ether2-local-master mtu=1500 name=\
    ether3-local-slave speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:AA:86:08 master-port=ether2-local-master mtu=1500 name=\
    ether4-local-slave speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:AA:86:09 master-port=ether2-local-master mtu=1500 name=\
    ether5-local-slave speed=100Mbps
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set ether1-gateway vlan-mode=disabled
set ether2-local-master vlan-mode=disabled
set ether3-local-slave vlan-mode=disabled
set ether4-local-slave vlan-mode=disabled
set ether5-local-slave vlan-mode=disabled
set switch1_cpu vlan-mode=disabled
[admin@MikroTik] > /ip dhcp-server export
# jan/02/1970 21:36:30 by RouterOS 5.6
# software id = R5CQ-CUX9
#
/ip dhcp-server
add address-pool=DHCP-Pool authoritative=after-2sec-delay bootp-support=static disabled=no interface=ether2-local-master lease-time=3d name=server
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1

To troubleshoot port forwarding please add the output of “/ip firewall export”. It’s better to wrap that in [code] tags rather than [quote] tags for spacing.

Ok, thanks.

[admin@MikroTik] > /ip firewall export
# jan/02/1970 21:56:35 by RouterOS 5.6
# software id = R5CQ-CUX9
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=ether1-gateway
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-ether1
add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=1000 protocol=tcp to-addresses=192.168.88.100 to-ports=22
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

That should work fine. The NAT rule is reasonable, there are no firewall filters in the way.

Time to check the host. What is 192.168.88.100? Is it configured with a host firewall? Is that firewall configured to accept this traffic? Does that host use 192.168.88.1 as a default gateway to the Internet? Can that host otherwise access the Internet?

Host is just a Linux PC (Ubuntu 11.04, default configuration, no firewall); I can ssh to it via its local address, 192.168.88.100.

It uses Mikrotik as gateway.

From 192.168.88.100:

traceroute to www.arnes.si (193.2.1.87), 30 hops max, 60 byte packets
 1  router (192.168.88.1)  0.295 ms  0.367 ms  0.689 ms
 2  postojna1.amis.net (212.18.32.171)  2.125 ms  2.204 ms  2.298 ms
 3  six.amis.net (193.2.141.40)  3.083 ms  3.076 ms  3.135 ms
 4  six.arnes.si (193.2.141.33)  3.842 ms  3.835 ms  4.014 ms
 5  lljtpl1-v472.arnes.si (88.200.2.169)  4.679 ms  4.671 ms  4.717 ms
 6  * * *
 7  * * *
 route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.88.0    *               255.255.255.0   U     1      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         router          0.0.0.0         UG    0      0        0 eth0

That also looks fine. Maybe double-check the firewall, I guess, via “iptables -L -n” - but if you say it’s not running a host firewall we can rule that out.

How are you testing the SSH port forward? Are you initiating the SSH connection from outside the router (traffic would enter the router via the ether1-gateway interface), or inside the router (traffic would enter the router via one of the other four ports)?

Oh, it’s working :slight_smile:.

I was trying to connect to the local computer, but using the external IP address (assigned by pppoe).
It works if I connect to that IP from a computer that is not in my network (from the internet).

http://wiki.mikrotik.com/wiki/Hairpin_NAT

That explains why, and how to work around it - just in case you’re interested.
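The hairpin case described above, as an added example that is not from the thread or the MikroTik wiki page; it reuses the addresses, port numbers and interface names from the exports posted earlier and assumes nothing else:

```routeros
/ip firewall nat
# The dst-nat rule from the thread: WAN-side TCP/1000 -> 192.168.88.100:22.
# dst-address-type=local matches every address the router owns, including the
# dynamic pppoe address, so a LAN client connecting to the public IP also hits it.
add chain=dstnat action=dst-nat dst-address-type=local protocol=tcp dst-port=1000 \
    to-addresses=192.168.88.100 to-ports=22

# Hairpin fix (added here): when the client is on the LAN, the forwarded SYN reaches
# 192.168.88.100 with the client's LAN source address, so the host answers the client
# directly on the switch, bypassing the router. The client expected a reply from the
# public IP, sees one from 192.168.88.100 instead, and drops it, which is the timeout
# seen in the thread. Masquerading LAN->LAN forwarded traffic makes the host reply to
# the router, which then translates both directions. srcnat runs after dstnat, so
# dst-address is already the translated 192.168.88.100 here.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.100 protocol=tcp dst-port=22

# The existing outbound masquerade stays unchanged.
add chain=srcnat action=masquerade out-interface=pppoe-ether1
```

Check with /ip firewall nat print stats: after a LAN-side test against the public IP, the counters on both the dstnat rule and the new srcnat rule should increase.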

I understand. :slight_smile:

Last question, can anything be done about this, or is the router simply too slow?

This is while running iperf
iperf -c iperf-test.arnes.si -u -p 5555 -b 100m -t 60
------------------------------------------------------------
Client connecting to iperf-test.arnes.si, UDP port 5555
Sending 1470 byte datagrams
UDP buffer size:  124 KByte (default)
------------------------------------------------------------
[  3] local 192.168.88.100 port 33945 connected with 193.2.254.246 port 5555
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-60.0 sec   651 MBytes  91.1 Mbits/sec
[  3] Sent 464643 datagrams
[  3] WARNING: did not receive ack of last datagram after 10 tries.

The router is rated for 480mbps with big packets, but 100mbit pppoe seems to max it out (or 50-60mbit of torrent traffic).

iperf-test.arnes.si resolves to a public IP to me. Are you testing across a WAN circuit? If so, 91Mbps is pretty damn close to the 100Mbps limit your provider is giving you.

What kind of firewall rules/NAT do you have? The router is spending 42% of its time in the firewall, yet your export from earlier is only showing a few NAT rules.

Yes, I am testing WAN. The speed is fine, but the router is at the edge of capacity (download speed drops if I am doing iperf at the same time).
I have no firewall rules at all and also no queues. Two port forwarding rules are all I have.

I have also removed a bridge that was doing nothing, bridging is not in “Profile” anymore.
Firewall 40%+
Queuing 25%
Ethernet 25%

Then I got nothing, I’m afraid.

Ok, thank you, you were very helpful :slight_smile:.