Hi there. I have a MikroTik hAP ac (model: RouterBOARD 962UiGS-5HacT2HnT), and some time ago I found that ICMP ping times from Ethernet workstations spike, both in the local network and to the internet (it probably causes more than just ICMP delays, but testing with ICMP is pretty easy). I tried to diagnose this problem and came to the conclusion that the problem is in the wireless. Here is what I did.
I have small gigabit ethernet network with 1 linux 1gbit server, 1 windows 1gbit workstation, 1 macbook with 5ghz wifi. All of them are connected to hap ac mikrotik.
I started ping 192.168.1.1 (the MikroTik bridge; I will post my settings below) from my Linux server, and at the same time started ping 192.168.1.1 from my MacBook on 5 GHz Wi-Fi.
When there is a delay in icmp it looks like this on linux server (ethernet 1gbit):
64 bytes from 192.168.1.1: icmp_seq=42 ttl=64 time=0.189 ms
64 bytes from 192.168.1.1: icmp_seq=43 ttl=64 time=0.200 ms
64 bytes from 192.168.1.1: icmp_seq=44 ttl=64 time=43.1 ms
64 bytes from 192.168.1.1: icmp_seq=45 ttl=64 time=0.187 ms
64 bytes from 192.168.1.1: icmp_seq=46 ttl=64 time=0.211 ms
and like this on macbook (5ghz wireless):
64 bytes from 192.168.1.1: icmp_seq=47 ttl=64 time=1.158 ms
64 bytes from 192.168.1.1: icmp_seq=48 ttl=64 time=1.052 ms
64 bytes from 192.168.1.1: icmp_seq=49 ttl=64 time=120.935 ms
64 bytes from 192.168.1.1: icmp_seq=50 ttl=64 time=0.996 ms
64 bytes from 192.168.1.1: icmp_seq=51 ttl=64 time=1.026 ms
In /tool profile on the MikroTik at that moment I see the following:
[admin@MikroTik] > /tool profile
NAME CPU USAGE
wireless 13%
ethernet 0%
console 0%
ssh 0.5%
firewall 0%
networking 0%
management 0%
bridging 0%
unclassified 0%
total 13.5%
The problem goes away completely when I fully disable the 5 GHz wlan2 and connect the MacBook to wlan1 (2.4 GHz).
I don’t understand how wireless CPU load can affect connectivity between the 1 Gbit Linux server ↔ MikroTik, or wired connectivity to the outside world.
I tried changing many parameters in the 5 GHz wlan2 settings (pretty much all of them), but in vain. It seems like a bug in the RouterBOARD software that handles the 5 GHz wireless.
Routerboard print:
[admin@MikroTik] > /system routerboard print
routerboard: yes
board-name: hAP ac
model: RouterBOARD 962UiGS-5HacT2HnT
serial-number: 6F1206EE0399
firmware-type: qca9550L
factory-firmware: 3.31
current-firmware: 6.46.4
upgrade-firmware: 6.46.4
So, my configuration (export hide-sensitive):
# Interface layer: LAN bridge, Ethernet ports, the wireless security profile
# and both radios. A plain RouterOS export prints only non-default values.
/interface bridge
# arp=proxy-arp makes the bridge answer ARP on behalf of other hosts.
# NOTE(review): presumably here for the PPP client that is handed
# 192.168.1.201 inside the LAN subnet (see /ppp secret) - confirm it is still
# needed, since proxy-ARP widens what the router will answer for on the LAN.
add arp=proxy-arp fast-forward=no name=bridge1-lan
/interface ethernet
# ether4 is renamed ether4-ext; the DHCP client and masquerade rule later in
# this export treat it as the upstream (WAN) port. ether5 and sfp1 are disabled.
# NOTE(review): auto-negotiation is not shown as changed, so the speed= values
# are presumably not in force - confirm against the live link rate.
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] name=ether4-ext speed=100Mbps
set [ find default-name=ether5 ] disabled=yes poe-out=off speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface wireless security-profiles
# The default profile is left untouched apart from its identity; neither radio
# below references it.
set [ find default=yes ] supplicant-identity=MikroTik
# SESSION: WPA2-PSK only, no EAP, group key rotated hourly. The pre-shared key
# is absent because the export was taken with hide-sensitive.
# management-protection=allowed means management frame protection is used only
# with peers that support it; it is not enforced for every client.
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed mode=dynamic-keys name=SESSION supplicant-identity=""
/interface wireless
# Both radios run as access points (ap-bridge) with profile SESSION and have
# WPS disabled. wlan1 is the 2.4 GHz radio (SSID SESSION-2), wlan2 the 5 GHz
# 802.11ac-only radio (SSID SESSION) that the post identifies as the trigger.
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=0 band=2ghz-b/g/n country=russia disabled=no distance=indoors frequency=2447 \
frequency-mode=manual-txpower mode=ap-bridge multicast-helper=full security-profile=SESSION ssid=SESSION-2 wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=0 band=5ghz-onlyac channel-width=20/40/80mhz-Ceee country=russia disabled=no distance=\
indoors frequency=5260 frequency-mode=manual-txpower installation=indoor mode=ap-bridge multicast-helper=full security-profile=SESSION ssid=SESSION wireless-protocol=802.11 \
wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
# Nstreme polling is switched off on both radios.
set wlan1 enable-polling=no
set wlan2 enable-polling=no
# LAN addressing and router-hosted services: DHCP, SNMP community, bridge
# membership, neighbour discovery, PPTP server parameters, cloud DDNS and DNS.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# Dynamic DHCP range for the LAN.
add name=dhcp ranges=192.168.1.128-192.168.1.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1-lan lease-time=3d name=dhcp1
/snmp community
# The default community accepts queries from any source address.
# NOTE(review): no "/snmp set enabled=yes" appears in this export, so the SNMP
# agent is presumably off. If it is ever enabled, restrict addresses= to the
# management subnet and rename the community first: the input chain in this
# export has no rule covering udp/161.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
# ether1-3 and both radios share one L2 domain; ether4-ext stays outside it.
add bridge=bridge1-lan interface=ether1
add bridge=bridge1-lan interface=ether2
add bridge=bridge1-lan interface=ether3
add bridge=bridge1-lan interface=wlan2
add bridge=bridge1-lan interface=wlan1
/ip neighbor discovery-settings
# Neighbour discovery is not run on any interface, so the router does not
# announce itself to adjacent devices.
set discover-interface-list=none
/interface pptp-server server
# Only MTU/MRU are changed here.
# NOTE(review): enabled=yes is not shown, so the PPTP server is presumably
# off, yet the input chain still accepts tcp/1723 and GRE from any source and
# a PPP secret exists - confirm whether this VPN is actually in use.
set default-profile=default max-mru=1400 max-mtu=1400
/ip address
add address=192.168.1.1/24 interface=bridge1-lan network=192.168.1.0
/ip cloud
# Registers the router's public address under a MikroTik cloud DDNS name,
# which makes the WAN address resolvable by anyone who knows that name.
set ddns-enabled=yes
/ip dhcp-client
# WAN address comes from the upstream DHCP server; the DNS servers it offers
# are ignored in favour of the ones set under /ip dns.
add disabled=no interface=ether4-ext use-peer-dns=no
/ip dhcp-server config
set store-leases-disk=59m
/ip dhcp-server lease
# Static lease. hide-sensitive does not strip MAC addresses or client IDs, so
# this hardware identifier is part of what was posted.
add address=192.168.1.239 client-id=1:80:4a:14:ed:19:42 mac-address=80:4A:14:ED:19:42 server=dhcp1
/ip dhcp-server network
# PXE boot options: clients are told to fetch pxelinux.0 from 192.168.1.10.
# Any host on this L2 segment can answer DHCP, so that boot server is a
# trust anchor for every machine that network-boots here.
add address=192.168.1.0/24 boot-file-name=pxelinux.0 gateway=192.168.1.1 netmask=24 next-server=192.168.1.10
/ip dns
# allow-remote-requests=yes turns the router into a resolver for whoever can
# reach port 53. Exposure to the WAN is held back only by the two "drop dns"
# reject rules in the input chain, which match on source address.
set allow-remote-requests=yes servers=77.88.8.8,8.8.8.8
/ip dns static
add address=192.168.1.1 name=mikrotik.local
add address=192.168.1.9 name=win.local
add address=192.168.1.253 name=iPhone.local
# Packet filter and NAT. Rules are evaluated top to bottom per chain, so the
# order below is significant.
# NOTE(review): neither chain ends in a catch-all drop. The input chain is a
# deny-list of six ports plus ICMP for non-LAN sources; anything else aimed at
# the router falls through and is accepted. A default-drop input chain
# (accept established/related, accept the LAN, drop the rest) would not depend
# on remembering every service port.
# NOTE(review): the "non-LAN" tests use src-address=!192.168.1.0/24 rather than
# in-interface=ether4-ext; matching on the ingress interface does not rely on
# the claimed source address.
/ip firewall filter
# FastTrack established/related TCP and UDP in the forward chain; the third
# rule accepts the established/related packets that are not fast-tracked.
add action=fasttrack-connection chain=forward connection-state=established,related protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related protocol=udp
add action=accept chain=forward comment="FastTrack Connection" connection-state=established,related
# PPTP control channel (tcp/1723) and GRE are accepted from any source.
# PPTP relies on MS-CHAPv2/MPPE, which is considered broken; if a VPN is
# needed, prefer IPsec/IKEv2 or L2TP/IPsec and limit the source addresses.
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input disabled=yes protocol=icmp src-address=192.168.1.0/24
# Let the two configured upstream NTP servers reach udp/123 ahead of the
# "drop ntp" reject further down.
add action=accept chain=input dst-address-list="" dst-port=123 protocol=udp src-address=192.36.143.130
add action=accept chain=input dst-address-list="" dst-port=123 protocol=udp src-address=91.206.16.3
# Disabled IGMP/multicast-stream rules, kept for reference.
add action=accept chain=input comment="allow igmp" disabled=yes in-interface=ether4-ext protocol=igmp
add action=accept chain=input comment="allow igmp" disabled=yes dst-port=1234 in-interface=ether4-ext protocol=udp
add action=accept chain=input comment="allow igmp" disabled=yes dst-port=5050 in-interface=ether4-ext protocol=udp
add action=accept chain=forward comment="allow igmp" disabled=yes dst-port=1234 protocol=udp
add action=accept chain=forward comment="allow igmp" disabled=yes dst-port=5050 protocol=udp
# From here on: traffic to the router itself from non-LAN sources. ICMP is
# dropped silently; DNS, SSH, HTTP, WinBox and NTP are rejected with an ICMP
# port-unreachable, which still tells a scanner that a host is present.
add action=drop chain=input comment="drop icmp" protocol=icmp src-address=!192.168.1.0/24
add action=reject chain=input comment="drop dns tcp" dst-port=53 protocol=tcp reject-with=icmp-port-unreachable src-address=!192.168.1.0/24
add action=reject chain=input comment="drop dns udp" dst-port=53 protocol=udp reject-with=icmp-port-unreachable src-address=!192.168.1.0/24
add action=reject chain=input comment="drop ssh" dst-port=22 protocol=tcp reject-with=icmp-port-unreachable src-address=!192.168.1.0/24
add action=reject chain=input comment="drop http" dst-port=80 protocol=tcp reject-with=icmp-port-unreachable src-address=!192.168.1.0/24
add action=reject chain=input comment="drop winbox" dst-port=8291 protocol=tcp reject-with=icmp-port-unreachable src-address=!192.168.1.0/24
add action=reject chain=input comment="drop ntp" dst-port=123 protocol=udp reject-with=icmp-port-unreachable src-address=!192.168.1.0/24
/ip firewall nat
# Source NAT for LAN traffic leaving through the WAN port.
add action=masquerade chain=srcnat out-interface=ether4-ext src-address=192.168.1.0/24
# Publishes tcp/15141 on the WAN side to 192.168.1.10 with no source
# restriction. That host is also the PXE boot server and the sniffer
# streaming target in this export, so a compromise of the exposed service
# lands on a machine the rest of the LAN trusts.
add action=netmap chain=dstnat comment=needed dst-port=15141 in-interface=ether4-ext protocol=tcp to-addresses=192.168.1.10 to-ports=15141
add action=dst-nat chain=dstnat comment=ntp disabled=yes dst-port=123 protocol=udp to-addresses=192.168.1.1
# Management services, SSH options, PPP account, system settings and tools.
/ip service
# telnet, ftp, api and api-ssl are off; www, ssh and winbox answer only to
# 192.168.1.0/24. www is plain HTTP, so credentials entered in WebFig cross
# the LAN and Wi-Fi unencrypted.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes lets a client negotiate the "none" cipher, i.e. an
# SSH session without encryption. forwarding-enabled=remote permits SSH port
# forwarding through the router. Both are changes from the defaults; unless
# something depends on them, allow-none-crypto=no and forwarding-enabled=no
# (plus strong-crypto=yes) are the safer values.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp interfaces
# UPnP interface entries exist but are disabled.
add disabled=yes interface=ether4-ext type=external
add disabled=yes interface=bridge1-lan type=internal
/ppp secret
# VPN account "userone"; the password is omitted by hide-sensitive. The
# remote address lies inside the LAN subnet, so a connected client becomes a
# LAN peer and matches every src-address=192.168.1.0/24 allowance above.
add local-address=192.168.1.1 name=userone profile=default-encryption remote-address=192.168.1.201
/routing igmp-proxy
set query-interval=1m
/routing igmp-proxy interface
# Both IGMP proxy interfaces are disabled.
add alternative-subnets=0.0.0.0/0 disabled=yes interface=ether4-ext upstream=yes
add disabled=yes interface=bridge1-lan
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system leds
set 0 disabled=yes
set 1 disabled=yes interface=wlan2
set 2 disabled=yes interface=ether1
/system ntp client
# Same two servers that the input chain accepts udp/123 from.
set enabled=yes primary-ntp=192.36.143.130 secondary-ntp=91.206.16.3
/system ntp server
# The router also serves time; non-LAN queries are rejected by the "drop ntp"
# input rule.
set enabled=yes
/system routerboard settings
set silent-boot=yes
/system upgrade upgrade-package-source
add
/tool bandwidth-server
# Disabled. authenticate=no means that, if it were enabled, tests could be
# started without credentials.
set authenticate=no enabled=no
/tool graphing interface
# Graph pages are viewable from the LAN subnet only.
add allow-address=192.168.1.0/24
/tool graphing queue
add allow-address=192.168.1.0/24
/tool graphing resource
add allow-address=192.168.1.0/24
/tool sniffer
# Capture filter (UDP, excluding WinBox and DNS ports) with streaming of the
# captured packets to 192.168.1.10 switched on. Streamed captures cross the
# LAN unencrypted. NOTE(review): whether the sniffer is currently running is
# not visible in an export - confirm, and turn streaming off when the
# troubleshooting session is over.
set file-limit=3000KiB file-name=test1.pcap filter-ip-address=!192.168.1.8/32,192.168.1.218/32 filter-ip-protocol=udp filter-operator-between-entries=and filter-port=!winbox,dns \
filter-stream=yes streaming-enabled=yes streaming-server=192.168.1.10