hAP ax3: something is eating my upload bandwidth

Hi, I have an LTE bridged modem with a public IP connected to a hAP ax3. I saw that something is using my upload bandwidth. How can I block it? When I turn off the public IP everything goes back to normal. For now I have disabled ether1 and am using the backup DSL.
Torch:
winbox64_PMArCcRSKX.png
My mikrotik config:

# 2023-09-08 20:26:56 by RouterOS 7.11.2
# software id = DCEF-ADAK
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add admin-mac=48:A9:8A:B0:A6:39 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 is the LTE uplink (it is the WAN list member and the "Main LTE" route
# below); the poster disabled it while investigating the upload traffic.
set [ find default-name=ether1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 channel
add disabled=no frequency=2412,2432,2472 name=ch-2ghz width=20mhz
add disabled=no frequency=5180,5260,5500 name=ch-5ghz width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk name=common-auth wps=disable
/interface wifiwave2 configuration
add country=Poland disabled=no name=common-conf security=common-auth ssid=KRS
/interface wifiwave2
# Both radios override the shared profile: security.authentication-types is
# set per interface to wpa2-psk only, so the wpa3-psk option from common-auth
# is not in effect here.
set [ find default-name=wifi1 ] channel=ch-5ghz channel.frequency=\
    5180,5260,5500 configuration=common-conf configuration.country=Poland \
    .mode=ap .ssid=KRS disabled=no mtu=1500 security=common-auth \
    security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] channel=ch-2ghz channel.frequency=\
    2412,2432,2472 configuration=common-conf configuration.country=Poland \
    .mode=ap .ssid=KRS disabled=no mtu=1500 security=common-auth \
    security.authentication-types=wpa2-psk
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=karnas
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
# ether5 is taken out of the bridge; it serves as the DSL-side WAN port below.
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
# detect-internet probes every interface, the WAN-facing ones included.
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Second WAN member (DSL backup). Both uplinks are therefore covered by every
# rule that matches on the WAN interface list.
add interface=ether5 list=WAN
/interface wireguard peers
# One /32 tunnel address per peer; the values shown are the peers' public keys.
add allowed-address=10.10.0.2/32 comment=lenovo interface=wireguard1 \
    public-key="DUBJuNQN2fuo4Y2nNVKi4WrEto30s2Dez/SOHRi4cEk="
add allowed-address=10.10.0.3/32 comment=pocof2pro interface=wireguard1 \
    public-key="7XcN0zT532Il2yHIlVYuytJkak4a6mX7acTZhboXRSI="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.0.1/24 interface=wireguard1 network=10.10.0.0
/ip dhcp-client
# Neither uplink installs a default route from DHCP; the static default
# routes under /ip route do that instead.
add add-default-route=no interface=ether1
add add-default-route=no interface=ether5
/ip dhcp-server lease
add address=192.168.88.102 client-id=1:5a:d4:cd:53:70:49 mac-address=\
    5A:D4:CD:53:70:49 server=karnas
add address=192.168.88.151 mac-address=F4:CF:A2:21:6D:4D server=karnas
add address=192.168.88.150 mac-address=D8:F1:5B:FA:37:11 server=karnas
add address=192.168.88.101 client-id=1:cc:15:31:60:39:9d mac-address=\
    CC:15:31:60:39:9D server=karnas
add address=192.168.88.160 mac-address=2C:F4:32:6C:75:6C server=karnas
add address=192.168.88.152 client-id=1:80:64:6f:8b:5f:72 mac-address=\
    80:64:6F:8B:5F:72 server=karnas
add address=192.168.88.154 client-id=1:80:64:6f:89:cb:63 mac-address=\
    80:64:6F:89:CB:63 server=karnas
add address=192.168.88.153 client-id=1:80:64:6f:89:ef:22 mac-address=\
    80:64:6F:89:EF:22 server=karnas
# .100 is the gaming/streaming host that the Moonlight and COD forwards target.
add address=192.168.88.100 client-id=1:4:7c:16:53:3:59 mac-address=\
    04:7C:16:53:03:59 server=karnas
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# source that gets through the input chain. Both input-chain drop rules in
# the filter below are disabled, so queries arriving on the public IP are
# answered as well, i.e. the router is an open resolver. Amplified DNS
# replies are a plausible explanation for the unexplained upload usage that
# stops when the public IP is removed. Restrict TCP/UDP 53 to the LAN, or
# re-enable the final input-chain drop, to close this.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
# XXX.XXX.XXX.XXX is the redacted public IP on the LTE side.
add address=XXX.XXX.XXX.XXX list=WAN
# allowed_to_router is wider than the bridge subnet: the 192.168.8.x and
# 192.168.1.x ranges presumably sit on the modem side of the two uplinks.
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.8.1-192.168.8.254 list=allowed_to_router
# not_in_internet: reserved/bogon ranges, referenced only by a disabled
# forward rule further down.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# 192.168.1.20 is presumably the address ether5 gets from the DSL modem
# (the DSL default route goes via 192.168.1.1); it is listed as a second
# "WAN" address so the dst-nat rules match on it too.
add address=192.168.1.20 list=WAN
add address=192.168.1.1-192.168.1.254 list=allowed_to_router
add address=192.168.77.1-192.168.77.254 disabled=yes list=allowed_to_router
/ip firewall filter
# Input chain: the only catch-all drops are the two rules marked "Disabled",
# so the chain falls through to the implicit accept. Every service that is
# not switched off under /ip service (DNS, SSH on 8822, and whatever keeps
# its default) is therefore reachable from the WAN side while ether1/ether5
# are up.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Disabled: this is the defconf rule that would block WAN access to the
# router itself.
add action=drop chain=input comment="Disabled - drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttracked connections skip the rest of the forward chain once established,
# so the hand-written forward rules below only see new or non-fasttracked
# traffic.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Hand-written rules follow; they largely repeat the defconf rules above
# (established/related and ICMP are accepted a second time).
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
# Disabled and without matchers: enabling it would drop everything that
# reaches this point of the input chain, including the PPTP/WireGuard
# accepts placed after it.
add action=drop chain=input comment=Disabled disabled=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
# All matchers on one rule are ANDed: psd, connection-limit, dst-limit, limit
# and the (always-on) time window must all match for the jump to happen, so
# this fires far less often than a plain protocol=icmp jump would. Worth
# confirming that is the intent.
add action=jump chain=forward comment="jump to ICMP filters" \
    connection-limit=100,32 dst-limit=1,5,dst-address/1m40s jump-target=icmp \
    limit=1,5:packet protocol=icmp psd=21,3s,3,1 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
# Disabled: bogon-source drop on the LTE uplink, with logging.
add action=drop chain=forward comment=\
    "Disabled - Drop incoming from internet which is not public IP" disabled=\
    yes in-interface=ether1 log=yes log-prefix=!public src-address-list=\
    not_in_internet
# icmp chain: accept a fixed set of ICMP types, drop everything else.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
# The comment is copied from the rule above; 11:0 is time-exceeded
# (needed for traceroute), not echo request.
add action=accept chain=icmp comment="allow echo request" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
# TCP 1723 plus GRE is PPTP, accepted here from any source, although no PPTP
# server is enabled anywhere in this export. PPTP is obsolete; drop these two
# rules unless the service is really in use.
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
# WireGuard listener (see /interface wireguard). Being open to any source is
# normal for WireGuard; unauthenticated packets are silently discarded.
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
/ip firewall nat
# Three overlapping masquerade rules: ether1 and ether5 are both WAN list
# members, so the first rule already covers the two that follow.
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade DSL" ipsec-policy=\
    out,none out-interface=ether5
add action=masquerade chain=srcnat comment="masquerade LTE" ipsec-policy=\
    out,none out-interface=ether1
# Port forwards to the Pi at 192.168.88.10 (80/443, 8822->22, 2015/2016).
# 8822 is also the router's own SSH port under /ip service; dst-nat runs
# before the input chain, so 8822 on the public IP reaches the Pi's port 22,
# not the router.
add action=dst-nat chain=dstnat comment="Pi Server" dst-address=\
    XXX.XXX.XXX.XXX dst-port=80,443 protocol=tcp to-addresses=192.168.88.10
add action=dst-nat chain=dstnat comment="Pi Server" dst-address=192.168.1.20 \
    dst-port=80,443 protocol=tcp to-addresses=192.168.88.10
add action=dst-nat chain=dstnat comment="SSH Raspberry Pi" dst-address=\
    XXX.XXX.XXX.XXX dst-port=8822 protocol=tcp to-addresses=192.168.88.10 \
    to-ports=22
# Hairpin NAT for LAN clients that reach the Pi through a public address;
# TCP only.
add action=masquerade chain=srcnat comment="NAT Loopback" dst-address=\
    192.168.88.10 out-interface=bridge protocol=tcp src-address=\
    192.168.88.0/24
add action=dst-nat chain=dstnat comment="Supla App Pi Docker" dst-address=\
    XXX.XXX.XXX.XXX dst-port=2015,2016 protocol=tcp to-addresses=\
    192.168.88.10
add action=dst-nat chain=dstnat comment="Supla App Pi Docker" dst-address=\
    192.168.1.20 dst-port=2015,2016 protocol=tcp to-addresses=192.168.88.10
# Forwards to the gaming host 192.168.88.100. None of them restrict the
# source; the reply below suggests a src-address-list on such rules.
add action=dst-nat chain=dstnat comment="Moonlight Internet Stream" \
    dst-address=XXX.XXX.XXX.XXX dst-port=47984,47989,48010 protocol=tcp \
    to-addresses=192.168.88.100
add action=dst-nat chain=dstnat comment="Moonlight Internet Stream" \
    dst-address=XXX.XXX.XXX.XXX dst-port=47998,47999,48000,48002,48010 \
    protocol=udp to-addresses=192.168.88.100
add action=dst-nat chain=dstnat comment="COD Warzone" dst-address-list=WAN \
    dst-port=3074,27014-27050 protocol=tcp to-addresses=192.168.88.100
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=\
    3074,3478,4379-4380,27000-27031,27036 protocol=udp to-addresses=\
    192.168.88.100
/ip route
# Failover: two recursive default routes via 8.8.8.8 (LTE, distance 1) and
# 8.8.4.4 (DSL, distance 2), each with check-gateway=ping. The two /32 routes
# pin those addresses to their physical next hops (178.182.0.1 on LTE,
# 192.168.1.1 on DSL) so the ping check really tests the intended uplink.
add check-gateway=ping comment="Default Route - Main LTE" disabled=no \
    distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Default Route - Backup DSL" disabled=no \
    distance=2 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=178.182.0.1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
/ip service
# telnet, ftp, api and api-ssl are off and SSH is moved to 8822. Services not
# listed here (www, www-ssl, winbox) keep their defaults, and none of the
# entries is bound with address=, so who can reach them is decided entirely
# by the input chain above.
set telnet disabled=yes
set ftp disabled=yes
set ssh port=8822
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# The IPv6 filter is the untouched defconf set: unlike the IPv4 input chain,
# it still ends with "drop everything else not coming from LAN".
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/tool mac-server
# MAC-level access (mac-telnet, mac-winbox) limited to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I restored the router to the default config. Now everything is OK. I made too many bad changes in the firewall. I now have to think about how to give access from the outside to some services, so that my notebook and smartphone can connect to my IP.

Like a VPN connection :smiley:

Running COD servers on your equipment is not a smart move.
There is a reason why people play on sites like Steam!

As far as external access goes: if you must let people reach your servers, at least use a source address list on the dst-nat rules. Any user will have either a fixed static WAN IP (which can go directly onto a firewall address list) or a dynamic WAN IP, in which case they can use one of the freely available DynDNS names/URLs, which the router will resolve to an IP.

Other than that, the best way for you as an admin, and for users, to access your servers is through a VPN. WireGuard comes to mind as a nice, relatively easy VPN for access to the router and the LAN behind it.

Maybe someone can help. Now I have the default firewall settings and have dst-nated WAN to the Raspberry Pi server. I have access only from outside my network; when I connect to the WLAN I can't open my websites. Hairpin NAT didn't help. I already use WireGuard to access my LAN devices.

# 2023-09-08 21:56:08 by RouterOS 7.11.2
# software id = DCEF-ADAK
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/ip firewall filter
# Unmodified defconf IPv4 filter. The input chain ends with "drop all not
# coming from LAN", so router services are only reachable from the bridge
# (and via WireGuard, if that interface is on the LAN list).
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Forwarded traffic from the WAN is only allowed when a dst-nat rule matched it
# first; this is what keeps the port forwards below the only entry points.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# in-interface-list=WAN stops these forwards from matching LAN clients that
# address the public IP (their packets arrive on the bridge), so the hairpin
# masquerade rule at the end never sees a dst-natted connection. The
# follow-up post fixes this by matching dst-address=<public IP> instead.
add action=dst-nat chain=dstnat comment="Raspberry Pi" dst-port=80,443 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.10
add action=dst-nat chain=dstnat comment=Supla dst-port=2015,2016 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.10
# Hairpin NAT: rewrite the source of LAN->Pi connections that went through
# dst-nat so the Pi answers via the router. Only effective once the dst-nat
# rules above actually match LAN-originated packets; TCP only.
add action=masquerade chain=srcnat dst-address=192.168.88.10 \
    out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24

Never mind, I had to remove in-interface-list=WAN from the dst-nat rule and put my public IP in dst-address. After that, hairpin NAT works.

https://forum.mikrotik.com/viewtopic.php?t=179343

Nice Topic. Thanks :slightly_smiling_face: