Greetings to the Mikrotik community,
Guys, here's the deal: we have a hotel which has been built from scratch with a MikroTik router, switches and Groove APs. Recently I have been monitoring the router and I observed that the CPU usage is abnormally peaking and the internet speed on the APs is slow.
In a nutshell, I’d like you guys to give me some suggestions in terms of the configuration and stuff like that.
I suspect that the firewall is not configured in order, so please examine that thoroughly.
MikroTik RouterOS 6.45.2 (c) 1999-2019 http://www.mikrotik.com/
[user1@Main-GW] > /export file=config
[user1@Main-GW] > /export
# jul/24/2019 11:21:53 by RouterOS 6.45.2
# software id = R00D-0NW4
#
# model = CRS125-24G-1S
# serial number = 43C7027B1AF8
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=channel1 tx-power=19
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2422 name=channel3 reselect-interval=8h
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=channel5
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=channel6
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2442 name=channel7
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=channel9
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=channel11
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=channel13
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=channel01
/caps-man configuration
add channel=channel1 distance=indoors guard-interval=long hide-ssid=no hw-protection-mode=rts-cts hw-retries=5 mode=ap multicast-helper=full name=cfg3 rx-chains=0,1,2 ssid="Anatolia Hotel 1" \
tx-chains=0,1,2
/interface bridge
add arp=proxy-arp fast-forward=no name=Bridge-Office
add arp=proxy-arp disabled=yes fast-forward=no name=Bridge-Wifi
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
set [ find default-name=ether3 ] disabled=yes speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] disabled=yes speed=100Mbps
set [ find default-name=ether7 ] comment=To-Wifi speed=100Mbps
set [ find default-name=ether8 ] comment="uplink to css" speed=100Mbps
set [ find default-name=ether9 ] comment="uplink 1,2,3,4,5 floor" speed=100Mbps
set [ find default-name=ether10 ] comment="uplink 6thfloor-restoran" speed=100Mbps
set [ find default-name=ether11 ] comment="To-BaseBox-BackOffice direcly conneced" speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
set [ find default-name=ether14 ] speed=100Mbps
set [ find default-name=ether15 ] speed=100Mbps
set [ find default-name=ether16 ] speed=100Mbps
set [ find default-name=ether17 ] comment="kassa server \?\?\?\?\?\?\?" speed=100Mbps
set [ find default-name=ether18 ] speed=100Mbps
set [ find default-name=ether19 ] speed=100Mbps
set [ find default-name=ether20 ] speed=100Mbps
set [ find default-name=ether21 ] speed=100Mbps
set [ find default-name=ether22 ] speed=100Mbps
set [ find default-name=ether23 ] comment=reception-1 speed=100Mbps
set [ find default-name=ether24 ] disabled=yes speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/caps-man datapath
add bridge=Bridge-Office client-to-client-forwarding=yes local-forwarding=yes name=datapath2
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=security1 passphrase=welcometoanatolia
/caps-man configuration
add datapath=datapath2 distance=indoors guard-interval=long hide-ssid=no hw-protection-mode=rts-cts hw-retries=4 mode=ap multicast-helper=disabled name=cfg1 rx-chains=0,1 security=security1 \
ssid="Anatolia Hotel" tx-chains=0,1
add distance=indoors guard-interval=any hide-ssid=no hw-protection-mode=rts-cts hw-retries=4 mode=ap multicast-helper=disabled name=cfg2 rx-chains=0,1 security=security1 ssid="Anatolia Hotel" \
tx-chains=0,1
/caps-man interface
add channel=channel1 comment="ch 1" configuration=cfg1 configuration.guard-interval=any datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:2F:38:A3 master-interface=none name=\
1st_floor-groove1-1 radio-mac=D4:CA:6D:2F:38:A3 radio-name=D4CA6D2F38A3
add channel=channel6 comment="ch 6" configuration=cfg1 configuration.guard-interval=any datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:2D:75:8F master-interface=none name=\
1st_floor-groove2-1 radio-mac=D4:CA:6D:2D:75:8F radio-name=D4CA6D2D758F
add channel=channel11 comment="ch 11" configuration=cfg1 configuration.guard-interval=any datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:25:CF:2B master-interface=none name=\
2nd_floor-groove1-1 radio-mac=D4:CA:6D:25:CF:2B radio-name=D4CA6D25CF2B
add channel=channel01 comment="ch 1" configuration=cfg1 configuration.guard-interval=any datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:25:CF:41 master-interface=none name=\
2nd_floor-groove2-1 radio-mac=D4:CA:6D:25:CF:41 radio-name=D4CA6D25CF41
add channel=channel11 configuration=cfg1 disabled=no l2mtu=1600 mac-address=E4:8D:8C:F6:D7:69 master-interface=none name=3rd-floor-2.2-1 radio-mac=E4:8D:8C:F6:D7:69 radio-name=E48D8CF6D769
add channel=channel6 comment="ch 6" configuration=cfg1 configuration.guard-interval=any datapath=datapath2 disabled=no l2mtu=1600 mac-address=E4:8D:8C:F6:D8:B9 master-interface=none name=\
3rd_floor-groove1-1 radio-mac=E4:8D:8C:F6:D8:B9 radio-name=E48D8CF6D8B9
add channel=channel01 comment=ch-1 configuration=cfg1 configuration.guard-interval=any datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:25:CF:49 master-interface=none name=\
4th_floor-groove1-1 radio-mac=D4:CA:6D:25:CF:49 radio-name=D4CA6D25CF49
add channel=channel6 comment="ch 6" configuration=cfg1 configuration.guard-interval=any datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:2F:38:B5 master-interface=none name=\
4thfloor-groove-2-1 radio-mac=D4:CA:6D:2F:38:B5 radio-name=D4CA6D2F38B5
add channel=channel11 comment="ch 11" configuration=cfg1 datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:2B:6E:A0 master-interface=none name=5th_floor-groove1-1 radio-mac=\
D4:CA:6D:2B:6E:A0 radio-name=D4CA6D2B6EA0
add channel=channel01 comment="ch 1" configuration=cfg1 configuration.distance=indoors configuration.guard-interval=any datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:2D:75:83 \
master-interface=none name=5thfloor-groove-2-2 radio-mac=D4:CA:6D:2D:75:83 radio-name=D4CA6D2D7583
add channel=channel1 comment="cfg3den 1e" configuration=cfg1 datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:9E:15:62 master-interface=none name=BaseBox-Backoffice-1 radio-mac=\
D4:CA:6D:9E:15:62 radio-name=D4CA6D9E1562 security=security1
add channel=channel6 comment="ch 6" configuration=cfg2 datapath=datapath2 disabled=no l2mtu=1600 mac-address=D4:CA:6D:83:BB:EB master-interface=none name=BaseBox-O.S-1 radio-mac=\
D4:CA:6D:83:BB:EB radio-name=D4CA6D83BBEB security=security1
add channel=channel1 comment=confrance configuration=cfg3 datapath=datapath2 datapath.client-to-client-forwarding=no disabled=no l2mtu=1600 mac-address=6C:3B:6B:26:9F:BB master-interface=none \
name=confrance-1 radio-mac=6C:3B:6B:26:9F:BB radio-name=6C3B6B269FBB security=security1
/interface list
add name=Bridges
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool2 ranges=192.168.1.101-192.168.1.250
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=pool2 interface=Bridge-Wifi name=Dhcp-Wifi
/ip pool
add name=dhcp next-pool=pool2 ranges=192.168.1.40-192.168.1.99
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=Bridge-Office lease-time=8h name=Dhcp-Office
/ppp profile
set *0 local-address=192.168.1.1 remote-address=dhcp
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue type
set 5 pcq-limit=1024KiB pcq-total-limit=51200KiB
set 6 pcq-limit=1024KiB pcq-total-limit=51200KiB
/queue tree
add bucket-size=0 max-limit=20M name=Download parent=global queue=default
add bucket-size=0 max-limit=20M name=Upload parent=global queue=default
add bucket-size=0 disabled=yes name=D-Wifi packet-mark=D-P-W parent=Download priority=7 queue=pcq-download-default
add bucket-size=0 name=D-O packet-mark=D-P-O parent=Download queue=pcq-download-default
add bucket-size=0 disabled=yes name=U-Wifi packet-mark=U-P-W parent=Upload priority=7 queue=pcq-upload-default
add bucket-size=0 name=U-O packet-mark=U-P-O parent=Upload queue=pcq-upload-default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/caps-man access-list
add action=accept disabled=yes interface=any signal-range=-88..120 ssid-regexp=""
add action=reject disabled=yes interface=any signal-range=-120..-89 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-enabled master-configuration=cfg1 name-format=prefix-identity
add action=create-enabled hw-supported-modes=gn master-configuration=cfg2 name-format=prefix-identity
add action=create-enabled master-configuration=cfg3 name-format=prefix-identity
/interface bridge port
add bridge=Bridge-Office interface=ether7
add bridge=Bridge-Office interface=ether11
add bridge=Bridge-Office interface=ether8
add bridge=Bridge-Office interface=ether9
add bridge=Bridge-Office comment=reception interface=ether23
add bridge=Bridge-Office interface=ether24
add bridge=Bridge-Office interface=ether10
add bridge=Bridge-Office interface=ether12
add bridge=Bridge-Office interface=ether17
add bridge=Bridge-Office interface=ether20
add bridge=Bridge-Office interface=ether21
add bridge=Bridge-Office interface=ether15
add bridge=Bridge-Office interface=ether16
add bridge=Bridge-Office interface=ether14
add bridge=Bridge-Office disabled=yes interface=ether1
add bridge=Bridge-Office interface=sfp1
add bridge=Bridge-Office interface=ether2
add bridge=Bridge-Office interface=ether3
add bridge=Bridge-Office interface=ether4
add bridge=Bridge-Office interface=ether5
add bridge=Bridge-Office interface=ether6
add bridge=Bridge-Office interface=ether13
add bridge=Bridge-Office interface=ether18
add bridge=Bridge-Office interface=ether19
add bridge=Bridge-Office interface=ether22
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=3h tcp-fin-wait-timeout=1m tcp-last-ack-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=Bridges
/ip settings
set allow-fast-path=no tcp-syncookies=yes
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=Bridge-Office list=Bridges
add interface=Bridge-Wifi list=Bridges
add interface=Bridge-Office list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=80.100.15.254/30 interface=ether1 network=80.100.15.252
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip arp
add address=192.168.1.100 interface=Bridge-Office mac-address=00:A0:A4:10:59:61
add address=192.168.1.132 interface=Bridge-Office mac-address=00:A0:A4:15:D9:38
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.194 client-id=1:d4:ca:6d:2f:38:a2 mac-address=D4:CA:6D:2F:38:A2 server=Dhcp-Office
add address=192.168.1.216 client-id=1:d4:ca:6d:2b:6e:9f mac-address=D4:CA:6D:2B:6E:9F server=Dhcp-Office
add address=192.168.1.221 client-id=1:d4:ca:6d:25:cf:48 mac-address=D4:CA:6D:25:CF:48 server=Dhcp-Office
add address=192.168.1.203 client-id=1:d4:ca:6d:9e:15:61 mac-address=D4:CA:6D:9E:15:61 server=Dhcp-Office
add address=192.168.1.214 client-id=1:e4:8d:8c:f6:d8:b8 mac-address=E4:8D:8C:F6:D8:B8 server=Dhcp-Office
add address=192.168.1.211 client-id=1:d4:ca:6d:25:cf:2a mac-address=D4:CA:6D:25:CF:2A server=Dhcp-Office
add address=192.168.1.210 client-id=1:d4:ca:6d:25:cf:40 mac-address=D4:CA:6D:25:CF:40 server=Dhcp-Office
add address=192.168.1.209 client-id=1:d4:ca:6d:25:cf:20 mac-address=D4:CA:6D:25:CF:20 server=Dhcp-Office
add address=192.168.1.206 client-id=1:d4:ca:6d:9e:15:62 mac-address=D4:CA:6D:9E:15:62 server=Dhcp-Office
add address=192.168.1.42 client-id=1:d4:ca:6d:2d:75:8e mac-address=D4:CA:6D:2D:75:8E server=Dhcp-Office
add address=192.168.1.132 client-id=1:0:a0:a4:15:d9:38 comment=ws1 mac-address=00:A0:A4:15:D9:38 server=Dhcp-Office
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=3h cache-size=4096KiB max-concurrent-queries=300 max-concurrent-tcp-sessions=100 servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list=MGT-O
add address=192.168.2.0/24 disabled=yes list=MGT-O
add address=192.168.2.20-192.168.2.254 disabled=yes list=MGT-Wifi-pool
add address=192.168.1.40-192.168.1.250 list=MGT-Office-pool
add address=8.8.8.8 list=dns
add address=8.8.4.4 list=dns
/ip firewall filter
add action=drop chain=input disabled=yes src-mac-address=24:0A:64:8D:5A:51
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input dst-port=1723 in-interface=ether1 protocol=tcp
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall mangle
add action=accept chain=prerouting
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip route
add check-gateway=ping distance=1 gateway=85.132.13.253 pref-src=85.132.13.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=user1 password=123456Seven service=pptp
add name=vpn
/system clock
set time-zone-name=Asia/Baku
/system identity
set name=Main-GW
/system ntp client
set enabled=yes primary-ntp=78.111.50.50
/system routerboard settings
set force-backup-booter=yes
/system scheduler
add name=DynDNSUpdate on-event="# Define User Variables\r\
\n:global ddnsuser \"DYNDNSUSER\"\r\
\n:global ddnspass \"DYNDNSPASS\"\r\
\n:global ddnshost \"DYNDNSHOST\"\r\
\n\r\
\n# Define Global Variables\r\
\n:global ddnsip\r\
\n:global ddnslastip\r\
\n:if ([ :typeof \$ddnslastip ] = nil ) do={ :global ddnslastip \"0\" }\r\
\n\r\
\n:global ddnsinterface\r\
\n:global ddnssystem (\"mt-\" . [/system package get system version] )\r\
\n\r\
\n# Define Local Variables\r\
\n:local int\r\
\n\r\
\n# Loop thru interfaces and look for ones containing\r\
\n# default gateways without routing-marks\r\
\n:foreach int in=[/ip route find dst-address=0.0.0.0/0 active=yes ] do={ /system reset-configuration no-defaults=yes skip-backup=yes }\r\
\n :if ([:typeof [/ip route get \$int routing-mark ]] != str ) do={\r\
\n :global ddnsinterface [/ip route get \$int interface]\r\
\n }\r\
\n}\r\
\n\r\
\n# Grab the current IP address on that interface.\r\
\n:global ddnsip [ /ip address get [/ip address find interface=\$ddnsinterface ] address ]\r\
\n\r\
\n# Did we get an IP address to compare\?\r\
\n:if ([ :typeof \$ddnsip ] = nil ) do={\r\
\n :log info (\"DynDNS: No ip address present on \" . \$ddnsinterface . \", please check.\")\r\
\n} else={\r\
\n :if (\$ddnsip != \$ddnslastip) do={\r\
\n :log info \"DynDNS: Sending UPDATE!\"\r\
\n :local str \"/nic/update\?hostname=\$ddnshost&myip=\$ddnsip&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\
\n /tool fetch address=members.dyndns.org src-path=\$str mode=http user=\$ddnsuser \\\r\
\n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\r\
\n :delay 1\r\
\n :local str [/file find name=\"DynDNS.\$ddnshost\"];\r\
\n /file remove \$str\r\
\n :global ddnslastip \$ddnsip\r\
\n }\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/24/2019 start-time=08:12:17
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
/tool graphing resource
add
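Added example, not part of this post or of any MikroTik tool: a small Python audit that parses the export format shown above (menu paths, add/set key=value tokens, lines wrapped with a trailing backslash) and flags what in this config most plausibly explains the CPU load and the exposure: the forward accept rule placed before the fasttrack-connection rule (accept terminates the chain, so nothing is ever fasttracked), use-ip-firewall=yes on the bridge, the SNMP community open to 0.0.0.0/0, allow-none-crypto=yes on SSH, and the /system reset-configuration command that has ended up inside the DynDNSUpdate scheduler script. SAMPLE_EXPORT is a constructed, abridged excerpt of the export; parse_export, audit and FLAGS are hypothetical names of mine.

```python
"""Audit a RouterOS '/export' dump for the CPU-load and exposure issues visible in the posted config."""
import re

TOKEN = re.compile(r'([\w.-]+)=("(?:\\.|[^"\\])*"|\S+)')   # key=value or key="quoted value"
# Constructed, abridged excerpt in the shape of the export above (settings copied from it).
SAMPLE_EXPORT = r'''/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=fasttrack-connection chain=forward connection-state=established,related
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system scheduler
add name=DynDNSUpdate on-event="# Define User Variables\r\
\n:foreach int in=[/ip route find active=yes ] do={ /system reset-configuration no-defaults=yes }\r\
\n}" policy=reboot,read,write start-time=08:12:17
'''

def parse_export(text):
    """Return {menu path: [(verb, {key: value}), ...]}; a trailing backslash continues the line."""
    cfg, section, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):                  # export wraps long lines with a trailing '\'
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # menu path such as /ip firewall filter
            section = line
            continue
        cfg.setdefault(section, []).append((line.split(None, 1)[0], {k: v.strip('"') for k, v in TOKEN.findall(line)}))
    return cfg

FLAGS = {  # (menu path, key, risky value) -> finding
    ("/interface bridge settings", "use-ip-firewall", "yes"): "use-ip-firewall=yes: bridged LAN frames also traverse the IP firewall (CPU)",
    ("/snmp community", "addresses", "0.0.0.0/0"): "SNMP community reachable from any source address",
    ("/ip ssh", "allow-none-crypto", "yes"): "allow-none-crypto=yes permits unencrypted SSH sessions",
}

def audit(cfg):
    """Return findings: single-setting flags, a shadowed fasttrack rule, and destructive scheduler scripts."""
    findings = [msg for (sec, key, bad), msg in FLAGS.items() if any(kv.get(key) == bad for _, kv in cfg.get(sec, []))]
    fwd = [kv for _, kv in cfg.get("/ip firewall filter", []) if kv.get("chain") == "forward"]
    for i, kv in enumerate(fwd):   # accept terminates the chain, so a later identical fasttrack rule never fires
        if kv.get("action") == "fasttrack-connection" and any(
                r.get("action") == "accept" and r.get("connection-state") == kv.get("connection-state") for r in fwd[:i]):
            findings.append("fasttrack-connection rule is shadowed by an earlier matching accept, so nothing is fasttracked (CPU)")
    for _, kv in cfg.get("/system scheduler", []):
        if "reset-configuration" in kv.get("on-event", ""):
            findings.append(f"scheduler {kv.get('name')} contains /system reset-configuration")
    return findings
```

Point it at the full export (the file written by /export file=config) to get the same findings over the whole config; moving the fasttrack-connection rule above the forward accept is the usual first step for the CPU symptom.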
