Downloading large files over HTTP/S fails

Hello,

I have a problem in my network that I don’t know how to solve. It happens when I want to download large files (2GB+) over HTTP. In Firefox it says that the download has failed. I can restart the file transfer from there and it happens again after about 2 gigabytes.

Because I thought it was a router problem, I swapped my hEX S (which I wanted to replace anyway) for an RB5009. I mostly copied the config: I use the SFP+ port as a trunk to my CSS324 with about 5 VLANs, and the ether1 interface is used as the WAN port. I get a static IP address from my ISP. Other than that, I have a few WireGuard tunnels and a separate VRF for some BGP experiments.

The problem still persists, only now it happens a bit later (after 3 gigabytes). I would really appreciate your help, I have been struggling with this for quite some time now. Thank you in advance!

My configuration (redacted):

# Physical ports: ether1 is the Internet uplink, sfp-sfpplus1 is the tagged trunk
# carrying every VLAN defined below.
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1 - TRUNK"
# Three WireGuard interfaces. No peers section appears in this export
# (presumably redacted), so allowed-address scoping cannot be reviewed here.
# NOTE(review): the input chain in this export has no accept rule for UDP
# 16005/17005/13231 on the WAN port, so handshakes initiated by a remote peer
# would hit the final WAN drop; the tunnels presumably come up only when this
# router initiates. Confirm that is intended.
/interface wireguard
add listen-port=16005 mtu=1420 name=S5Net-HQZRS
add listen-port=17005 mtu=1420 name=S5Net-zahod
add listen-port=13231 mtu=1420 name=random-wg
# One VLAN interface per segment on the trunk. "40 - DMZ" and "254 - Gostujoce"
# are disabled.
/interface vlan
add interface="sfp-sfpplus1 - TRUNK" name="10 - Domaci" vlan-id=10
add interface="sfp-sfpplus1 - TRUNK" name="20 - Strezniki" vlan-id=20
add interface="sfp-sfpplus1 - TRUNK" name="30 - Upravljanje" vlan-id=30
add disabled=yes interface="sfp-sfpplus1 - TRUNK" name="40 - DMZ" vlan-id=40
add interface="sfp-sfpplus1 - TRUNK" name="50 - Gosti" vlan-id=50
add interface="sfp-sfpplus1 - TRUNK" name="100 - javni 107" vlan-id=100
add interface="sfp-sfpplus1 - TRUNK" name="150 - S5NET" vlan-id=150
# NOTE(review): the name says 254 but vlan-id is 1. Verify the tag before this
# interface is ever enabled, so it does not land on an unintended VLAN.
add disabled=yes interface="sfp-sfpplus1 - TRUNK" name="254 - Gostujoce" vlan-id=1
# DHCP address pools, one per segment.
/ip pool
add name=domaci_pool ranges=10.11.10.10-10.11.10.254
add name=upravljanje_pool ranges=10.11.30.100-10.11.30.254
add name=lab_pool ranges=10.11.20.2-10.11.20.50
add name=gosti_pool ranges=10.11.50.2-10.11.50.254
# NOTE(review): dhcp_pool4 is not referenced by any DHCP server in this export;
# it looks like a leftover. Confirm and remove it if unused.
add name=dhcp_pool4 ranges=10.150.48.10-10.150.48.14
add name=dhcp_pool5 ranges=10.150.56.10-10.150.56.14
# DHCP servers. Only DOMACI_DHCP and "S5NET DHCP" are enabled; the management,
# server/lab and guest servers are disabled, so hosts on those VLANs need
# static addressing as the config stands.
/ip dhcp-server
add address-pool=domaci_pool interface="10 - Domaci" lease-time=23h59m59s name=DOMACI_DHCP
add address-pool=upravljanje_pool disabled=yes interface="30 - Upravljanje" lease-time=23h59m59s name=UPRAVLJANJE_DHCP
add address-pool=lab_pool disabled=yes interface="20 - Strezniki" lease-time=10m name=LAB_DHCP
add address-pool=gosti_pool disabled=yes interface="50 - Gosti" lease-time=10m name=GOSTI_DHCP
add address-pool=dhcp_pool5 interface="150 - S5NET" name="S5NET DHCP"
# Connection-tracking timeout for UDP entries is set to 10 seconds. Only the
# UDP timeout is touched here; no TCP timeout appears in this export, so the
# TCP values are presumably at their defaults.
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery runs on every interface that is not in the built-in
# "dynamic" list.
# NOTE(review): that appears to include "ether1 - WAN", so the router would
# announce its identity, model and software version towards the ISP segment.
# The input chain only filters what arrives, not what the router sends.
# Consider pointing discover-interface-list at an interface list that holds
# only the internal/management interfaces.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# IPv6 is switched off globally. No IPv6 firewall is shown in this export, so
# one would have to be added before IPv6 is ever re-enabled.
/ipv6 settings
set disable-ipv6=yes
# Interface addresses. The WAN address is redacted (static /18 from the ISP).
/ip address
add address=@@.@@@.@@@.@@/18 interface="ether1 - WAN" network=@@.@@@.@@@.@@
add address=10.11.10.1/24 interface="10 - Domaci" network=10.11.10.0
add address=10.11.20.1/24 interface="20 - Strezniki" network=10.11.20.0
add address=10.11.30.1/24 interface="30 - Upravljanje" network=10.11.30.0
# The DMZ gateway address is disabled together with the DMZ VLAN, yet the
# "Server 80" dst-nat rule in this export still points at 10.11.40.100.
add address=10.11.40.1/24 disabled=yes interface="40 - DMZ" network=10.11.40.0
add address=10.11.50.1/24 interface="50 - Gosti" network=10.11.50.0
# Point-to-point style addressing on the two S5Net WireGuard tunnels
# (local address with the remote end given as network=).
add address=10.150.12.5 interface=S5Net-HQZRS network=10.150.12.1
add address=10.150.56.1/28 interface="150 - S5NET" network=10.150.56.0
add address=10.150.14.5 interface=S5Net-zahod network=10.150.14.1
add address=10.11.100.1/24 interface=random-wg network=10.11.100.0
# 100.64.0.0/10 is the RFC 6598 shared address space.
add address=100.64.0.1/25 interface="100 - javni 107" network=100.64.0.0
# DHCP network options: only the gateway is handed out explicitly. No
# dns-server is set, so what clients receive as resolver depends on the
# router's DNS settings (TODO confirm what clients actually get).
/ip dhcp-server network
add address=10.11.10.0/24 gateway=10.11.10.1
add address=10.11.20.0/24 gateway=10.11.20.1
add address=10.11.30.0/24 gateway=10.11.30.1
add address=10.11.50.0/24 gateway=10.11.50.1
add address=10.150.56.0/28 gateway=10.150.56.1
# Upstream resolvers used by the router itself. allow-remote-requests is not
# shown in this export; if it is enabled, the WAN drop in the input chain is
# what keeps the router from acting as an open resolver.
/ip dns
set servers=193.2.1.66,193.2.1.72
# Address lists used by the firewall.
/ip firewall address-list
# "Javni IP" holds the (redacted) public address; the dst-nat rules match on it.
add address=@@.@@@.@@@.@@ list="Javni IP"
# NOTE(review): the Bogons list is defined but no filter rule in this export
# references it, so as shown it has no effect. Either add a WAN-side drop that
# uses it or remove the list. If it is put to use, review the entries first:
# it contains 172.16.0.0/12 and 224.0.0.0/4 (see the inline warnings), and it
# must never be applied to traffic from the internal 10.x networks.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=Bogons
# Static block list, dropped on the WAN port by the first input and forward
# rules. Two hand-maintained entries; no timeout or automatic feed is visible.
add address=141.98.10.156 list=block
add address=103.99.1.230 list=block
# Packet filter. Rules are evaluated top to bottom within each chain, so the
# order below is significant. input = traffic addressed to the router itself,
# forward = traffic routed through it.
#
# NOTE(review): both chains end with a drop that matches only
# in-interface="ether1 - WAN". Everything arriving on a VLAN or a WireGuard
# tunnel falls through to the implicit accept. As shown (the export is
# redacted), that means:
#   - every internal segment, including "50 - Gosti", can reach the router's
#     own services (input chain);
#   - all internal segments and tunnels can reach each other (forward chain).
# Consider a final "drop everything else" in both chains, preceded by explicit
# accepts (management VLAN -> router, the permitted inter-VLAN flows).
/ip firewall filter
# Drop block-listed sources arriving on WAN, towards the router and through it.
add action=drop chain=input comment="Blocklista IP-jev" in-interface="ether1 - WAN" src-address-list=block
add action=drop chain=forward in-interface="ether1 - WAN" src-address-list=block
# Forward: allow replies and related flows of already tracked connections.
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
# Forward: drop packets connection tracking classifies as invalid.
# NOTE(review): for the stalled-download symptom, temporarily adding log=yes
# with a log-prefix to this rule would show whether packets of the affected
# transfer end up here. This is a diagnostic step, not a confirmed cause.
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Forward: new connections from WAN are allowed only if a dst-nat rule matched.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 - WAN"
# Input: all ICMP is accepted on every interface, WAN included, with no rate
# limit or type restriction.
add action=accept chain=input protocol=icmp
# Input: replies and related flows of connections the router already tracks.
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# Input: everything else arriving on WAN is dropped (this also covers invalid
# packets on WAN; there is no separate drop-invalid rule in this chain).
add action=drop chain=input in-interface="ether1 - WAN"
# NAT. srcnat rules rewrite the source address, dstnat rules publish internal
# services on the public address held in the "Javni IP" list.
/ip firewall nat
# Outbound masquerade for everything leaving through the WAN port.
add action=masquerade chain=srcnat comment=NAT out-interface="ether1 - WAN"
# Hairpin ("loopback") NAT so internal clients can use the public address.
# NOTE(review): these two rules match on subnets only, so they masquerade ALL
# traffic from 10.11.0.0/16 to 10.11.40.0/24 and 10.11.10.0/24, not just
# hairpinned connections. Hosts in those subnets then see the router as the
# source of ordinary inter-VLAN traffic, which hides the real client address
# from their logs and access controls. Narrowing the match to the published
# ports would limit that.
add action=masquerade chain=srcnat comment="Loopback za NAT" dst-address=10.11.40.0/24 src-address=10.11.0.0/16
add action=masquerade chain=srcnat comment="Loopback domaci VLAN" dst-address=10.11.10.0/24 src-address=10.11.0.0/16
# NOTE(review): the target 10.11.40.100 lies in the DMZ subnet, whose VLAN and
# gateway address are both disabled in this export. This rule looks stale;
# remove or disable it unless the DMZ is brought back. Port 80 is also
# unencrypted HTTP.
add action=dst-nat chain=dstnat comment="Server 80" dst-address-list="Javni IP" dst-port=80 protocol=tcp to-addresses=10.11.40.100 to-ports=80
# NOTE(review): this publishes TCP 30013 on a host inside the home VLAN
# ("10 - Domaci") to any source on the Internet. If the service is needed,
# consider restricting it with src-address-list or moving the host to an
# isolated segment.
add action=dst-nat chain=dstnat comment="Server 30013" dst-address-list="Javni IP" dst-port=30013 protocol=tcp to-addresses=10.11.10.45 to-ports=30013
# Connection-tracking helpers: the FTP helper is off, the IRC helper is
# explicitly switched on.
# NOTE(review): helpers inspect application payloads and let "related"
# connections through the firewall. If IRC DCC is not in use, disable this one
# as well.
/ip firewall service-port
set ftp disabled=yes
set irc disabled=no
# Default IPsec profile: dead-peer detection every 2 minutes, 5 failures.
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Static routes: default route via the (redacted) ISP gateway, plus two /24s
# reached through next hops in the random-wg subnet (10.11.100.0/24).
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=@@.@@@.@@@.@ routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.11.255.0/24 gateway=10.11.100.2 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.11.254.0/24 gateway=10.11.100.3 routing-table=main suppress-hw-offload=no
# Router management services: only telnet and ftp are disabled here.
# NOTE(review): the other services (ssh, www, winbox, api, api-ssl) are not
# listed, so they are presumably at their defaults, and no address= restriction
# is visible. Because the input chain filters only the WAN port, they would be
# reachable from every internal VLAN and tunnel. Disable the ones not in use
# and limit the rest with address= to the management subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
# BFD is enabled on all interfaces with 200 ms timers and a multiplier of 5.
# NOTE(review): interfaces=all includes the WAN port and the guest VLAN;
# consider limiting BFD to the interfaces that actually carry BGP sessions.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
# BGP ROUTING
# (the BGP/VRF configuration itself does not appear in this export and was
# presumably removed by the poster, so it cannot be reviewed here)
# The router syncs its clock from two upstream servers, given by hostname and
# therefore dependent on DNS, and also serves NTP itself. As shown, the WAN
# drop in the input chain keeps the NTP server from being reachable from the
# Internet; internal segments can query it.
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=ntp1.arnes.si
add address=ntp2.arnes.si