Good day, I have two CCR 1016-12G routers with an OVPN tunnel between them. Ping to the external IP is perfect; however, inside the tunnel the ping varies from 10 to 4000 ms.
If anyone has had the same problem and knows how to fix it, please let me know.
It's not a routing problem; I checked.
Config of the router with the OVPN server:
# mar/14/2017 14:33:31 by RouterOS 6.38.3
# software id = AXN7-BP3K
#
/interface ovpn-client
add connect-to=93.171.140.88 disabled=yes mac-address=02:2B:A8:58:58:1F name=ovpn-out3 port=2005 user=Moscow-msk1c-mtk.tdrwt.ru
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1590
set [ find default-name=ether2 ] l2mtu=1590
set [ find default-name=ether3 ] l2mtu=1590
set [ find default-name=ether4 ] l2mtu=1590
set [ find default-name=ether5 ] l2mtu=1590
set [ find default-name=ether6 ] l2mtu=1590
set [ find default-name=ether7 ] l2mtu=1590
set [ find default-name=ether8 ] l2mtu=1590
set [ find default-name=ether9 ] l2mtu=1590
set [ find default-name=ether10 ] l2mtu=1590
set [ find default-name=ether11 ] l2mtu=1590
set [ find default-name=ether12 ] comment="lan 10.7.0.0/24 dlink dgs-1024d" l2mtu=1590
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=Moscow-msk1c-mtk.tdrwt.ru
# The default IPsec proposal is narrowed to 3DES only. 3DES is a legacy cipher with a
# 64-bit block; an AES-based enc-algorithms value is the usual choice where IPsec is used.
# NOTE(review): no /ip ipsec peer section appears in the export as posted, so this
# proposal may not be in use at all — confirm before treating it as an exposure.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=DHCP_Pool_10.7 ranges=10.7.0.101-10.7.0.240
add name=msk-office ranges=10.7.250.1-10.7.250.100
/ip dhcp-server
add add-arp=yes address-pool=DHCP_Pool_10.7 disabled=no interface=ether12 lease-time=3d name=DHCP_10.7
/ppp profile
add local-address=10.7.250.1 name=msk-office remote-address=msk-office use-encryption=yes
# Outbound OpenVPN client interfaces of this router (these are NOT the tunnel to the
# second CCR; that one terminates on the ovpn-server of this router, port 2005).
#   ovpn-out1: active, connects to 62.182.29.58:2004 with client certificate cert_2, AES-256.
#   ovpn-out2: disabled, would connect to 93.171.140.88:2004.
# No auth= or password= values are shown on either entry.
# NOTE(review): a compact export omits values left at their defaults, and the poster
# masked other passwords, so the effective auth/password settings cannot be read from here.
# NOTE(review): ovpn-out2 references a certificate named ca_4; the name suggests a CA
# certificate rather than a client certificate — verify before re-enabling.
# The \XX sequences inside comment= are raw single-byte text (presumably Windows-1251).
/interface ovpn-client
add certificate=cert_2 cipher=aes256 comment="\C2\EF\ED 29-58.kartel.komi.me" connect-to=62.182.29.58 mac-address=02:7D:0A:7A:2C:C3 name=ovpn-out1 port=2004 \
profile=default-encryption user=Moscow-msk1c-mtk.tdrwt.ru
add certificate=ca_4 cipher=aes256 comment="ovpn \F1\EA\EB\E0\E4" connect-to=93.171.140.88 disabled=yes mac-address=02:5B:C5:8F:B4:76 name=ovpn-out2 port=2004 \
profile=default-encryption user=Moscow-msk1c-mtk.tdrwt.ru
/queue interface
set ether2 queue=wireless-default
set ovpn-out1 queue=default
/routing ospf instance
set [ find default=yes ] router-id=10.7.0.1
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
# OpenVPN server for the site-to-site tunnel: port 2005, AES-256 with SHA1 as the HMAC,
# server certificate cert_3. require-client-certificate=yes means a connecting peer must
# present a certificate in addition to the /ppp secret user name and password.
# RouterOS 6.x carries OVPN over TCP only.
# NOTE(review): a TCP-carried tunnel stalls all inner traffic while the outer connection
# retransmits, so loss on the WAN path can produce large latency swings inside the
# tunnel even when plain ping to the public address looks fine — worth ruling out for
# the 10-4000 ms spread described in the post.
/interface ovpn-server server
set auth=sha1 certificate=cert_3 cipher=aes256 default-profile=msk-office enabled=yes port=2005 require-client-certificate=yes
# The PPTP server is switched on. PPTP's MS-CHAP/MPPE protection is considered broken;
# if no PPTP users remain on this router, disabling the server removes that exposure.
# No authentication= value is shown here, so the permitted methods are presumably the
# defaults — verify.
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.15.1/24 comment=wan disabled=yes interface=ether12 network=192.168.15.0
add address=10.7.0.1/24 interface=ether12 network=10.7.0.0
add address=87.229.250.178/30 interface=ether1 network=87.229.250.176
add address=192.168.15.50/24 disabled=yes interface=ether12 network=192.168.15.0
add address=10.7.2.1/24 disabled=yes interface=ether2 network=10.7.2.0
add address=93.171.140.88/24 disabled=yes interface=ether1 network=93.171.140.0
add address=10.7.0.1/24 disabled=yes interface=ovpn-out2 network=10.7.0.0
/ip dhcp-server lease
add address=10.7.0.254 address-lists=main_mobile_work client-id=1:c:8b:fd:4c:62:1a mac-address=0C:8B:FD:4C:62:1A server=DHCP_10.7
add address=10.7.0.8 address-lists=main_device client-id=1:20:aa:4b:59:8e:58 mac-address=20:AA:4B:59:8E:58 server=DHCP_10.7
add address=10.7.0.9 address-lists=main_device client-id=1:20:aa:4b:59:8f:80 mac-address=20:AA:4B:59:8F:80 server=DHCP_10.7
add address=10.7.0.252 address-lists=main_workstation client-id=1:74:d0:2b:c5:78:7e mac-address=74:D0:2B:C5:78:7E server=DHCP_10.7
add address=10.7.0.112 address-lists=main_device always-broadcast=yes client-id=1:f0:92:1c:63:62:4 mac-address=F0:92:1C:63:62:04 server=DHCP_10.7
add address=10.7.0.253 address-lists=main_workstation always-broadcast=yes client-id=1:74:d0:2b:c5:84:cd mac-address=74:D0:2B:C5:84:CD server=DHCP_10.7
add address=10.7.0.114 address-lists=main_device mac-address=2C:44:FD:07:DF:81 server=DHCP_10.7
add address=10.7.0.248 address-lists=main_workstation always-broadcast=yes client-id=1:74:d0:2b:c5:84:c0 mac-address=74:D0:2B:C5:84:C0 server=DHCP_10.7
add address=10.7.0.249 address-lists=main_workstation client-id=1:bc:5f:f4:af:47:83 mac-address=BC:5F:F4:AF:47:83 server=DHCP_10.7
add address=10.7.0.247 address-lists=main_workstation client-id=1:bc:5f:f4:af:47:45 mac-address=BC:5F:F4:AF:47:45 server=DHCP_10.7
add address=10.7.0.246 address-lists=main_workstation client-id=1:bc:5f:f4:af:a6:75 mac-address=BC:5F:F4:AF:A6:75 server=DHCP_10.7
add address=10.7.0.245 address-lists=main_workstation client-id=1:bc:5f:f4:af:47:a2 mac-address=BC:5F:F4:AF:47:A2 server=DHCP_10.7
add address=10.7.0.250 address-lists=main_mobile_work always-broadcast=yes client-id=1:9c:4e:36:87:ec:d8 mac-address=9C:4E:36:87:EC:D8 server=DHCP_10.7
add address=10.7.0.244 address-lists=main_workstation always-broadcast=yes client-id=1:bc:5f:f4:af:a6:32 mac-address=BC:5F:F4:AF:A6:32 server=DHCP_10.7
add address=10.7.0.251 address-lists=main_workstation client-id=1:bc:5f:f4:af:46:ea mac-address=BC:5F:F4:AF:46:EA server=DHCP_10.7
add address=10.7.0.243 address-lists=main_workstation client-id=1:9c:b6:54:a1:bc:b mac-address=9C:B6:54:A1:BC:0B server=DHCP_10.7
add address=10.7.0.115 address-lists=main_device mac-address=74:46:A0:52:69:84 server=DHCP_10.7
add address=10.7.0.113 address-lists=main_device always-broadcast=yes mac-address=1C:3E:84:96:0A:AF server=DHCP_10.7
add address=10.7.0.149 address-lists=main_device client-id=1:0:15:65:66:1a:c4 mac-address=00:15:65:66:1A:C4 server=DHCP_10.7
add address=10.7.0.150 always-broadcast=yes mac-address=90:48:9A:CD:30:87 server=DHCP_10.7
add address=10.7.0.148 address-lists=main_device client-id=1:0:15:65:8d:26:b0 mac-address=00:15:65:8D:26:B0 server=DHCP_10.7
add address=10.7.0.117 address-lists=main_device always-broadcast=yes client-id=1:bc:85:56:82:bf:43 mac-address=BC:85:56:82:BF:43 server=DHCP_10.7
add address=10.7.0.116 address-lists=main_device always-broadcast=yes client-id=1:80:56:f2:9c:56:bc lease-time=7h mac-address=80:56:F2:9C:56:BC server=\
DHCP_10.7
add address=10.7.0.242 address-lists=main_workstation client-id=1:bc:ae:c5:da:35:1b mac-address=BC:AE:C5:DA:35:1B server=DHCP_10.7
add address=10.7.0.236 address-lists=main_workstation client-id=1:90:2b:34:5a:ae:4b mac-address=90:2B:34:5A:AE:4B server=DHCP_10.7
add address=10.7.0.235 address-lists=main_workstation client-id=1:60:a4:4c:b5:74:8 mac-address=60:A4:4C:B5:74:08 server=DHCP_10.7
add address=10.7.0.237 address-lists=main_workstation client-id=1:e8:40:f2:d1:99:d5 mac-address=E8:40:F2:D1:99:D5 server=DHCP_10.7
add address=10.7.0.238 address-lists=main_workstation always-broadcast=yes client-id=1:6c:19:8f:62:be:44 mac-address=6C:19:8F:62:BE:44 server=DHCP_10.7
add address=10.7.0.240 address-lists=main_workstation always-broadcast=yes client-id=1:0:23:24:7d:b4:cb mac-address=00:23:24:7D:B4:CB server=DHCP_10.7
add address=10.7.0.241 address-lists=main_workstation client-id=1:bc:5f:f4:af:a6:6e mac-address=BC:5F:F4:AF:A6:6E server=DHCP_10.7
add address=10.7.0.239 address-lists=main_workstation always-broadcast=yes client-id=1:5c:ac:4c:73:75:38 mac-address=5C:AC:4C:73:75:38 server=DHCP_10.7
add address=10.7.0.165 always-broadcast=yes client-id=1:a0:d3:c1:ed:dd:68 mac-address=A0:D3:C1:ED:DD:68 server=DHCP_10.7
add address=10.7.0.131 client-id=1:4c:34:88:d6:4a:2 mac-address=4C:34:88:D6:4A:02 server=DHCP_10.7
add address=10.7.0.5 client-id=1:f4:b5:49:0:ac:47 comment=ATC mac-address=F4:B5:49:00:AC:47 server=DHCP_10.7
/ip dhcp-server network
add address=10.7.0.0/24 dns-server=10.8.0.10,10.7.0.1 domain=lan.dekalitr.ru gateway=10.7.0.1 ntp-server=10.7.0.1,10.1.1.1
# allow-remote-requests=yes makes the router answer DNS queries from other hosts (the
# DHCP network section hands out 10.7.0.1 as a resolver, so LAN clients rely on this).
# Who can reach the resolver is decided only by the input chain: the filter drops
# ether1 traffic from sources outside the "main" list, while the LAN and every tunnel
# interface are not filtered at all.
/ip dns
set allow-remote-requests=yes servers=77.88.8.88,77.88.8.2,77.88.8.1,77.88.8.8
# "main" is the allowlist used by the input-chain drop rule on ether1
# (src-address-list=!main): a packet arriving on the WAN port is accepted only when its
# source address is in this list.
# Points a reviewer would check:
#  - The list mixes private subnets with public addresses. Private source addresses
#    arriving on the WAN port are normally spoofed or misrouted, yet they pass this rule.
#  - Public entries such as 8.8.8.8 and 91.226.136.136 look like servers the router
#    itself talks to. NOTE(review): presumably they are listed so that replies get
#    through, because the filter has no connection-state rule — confirm. A single
#    "accept connection-state=established,related" rule in the input chain would do that
#    job without trusting unsolicited packets that merely carry those source addresses.
#  - The resolvers configured under /ip dns (77.88.8.x) are not in this list, and the
#    secondary NTP server configured under /system ntp client (88.147.254.229) differs
#    from the entry here (88.147.254.232), so their replies arriving on ether1 would hit
#    the drop rule.
/ip firewall address-list
add address=10.7.0.0/24 list=main
add address=10.8.0.0/24 list=main
add address=10.1.1.0/24 list=main
add address=10.1.250.0/24 list=main
add address=192.168.14.0/24 list=main
add address=192.168.15.0/24 list=main
add address=192.168.2.0/24 list=main
add address=192.168.12.0/24 list=main
add address=78.36.105.213 list=main
add address=89.208.117.206 list=main
add address=62.182.25.250 list=main
add address=8.8.8.8 list=main
add address=91.226.136.136 list=main
add address=88.147.254.232 list=main
add address=10.8.250.0/24 list=main
add address=10.7.250.0/24 list=main
add address=10.7.2.0/24 list=main
add address=62.182.29.58 list=main
add address=192.168.100.0/24 list=main
add address=93.171.140.88 list=main
add address=87.229.250.178 list=main
add address=93.171.140.1 list=main
# Filter rules are evaluated top to bottom and the first match decides; a packet that
# matches nothing is accepted.
#  1) TCP/1723 (PPTP control channel) is accepted from any source on any interface: the
#     rule sits above the drop and has no in-interface or src-address-list match. The
#     PPTP data channel (GRE) is not covered by it and still falls through to rule 2.
#  2) Anything else arriving on ether1 from a source outside the "main" list is dropped.
#  3) The accept for TCP/2005 (OVPN server port) comes after the drop, so it only ever
#     sees sources already in "main" — which would be accepted by default anyway. If
#     OVPN peers are expected from addresses outside "main", this rule has to sit above
#     the drop; otherwise it is redundant.
# There is no connection-state rule and no forward-chain rule: traffic routed through
# the router (LAN <-> tunnels <-> WAN) is not filtered at all.
/ip firewall filter
add action=accept chain=input dst-port=1723 protocol=tcp
add action=drop chain=input in-interface=ether1 src-address-list=!main
add action=accept chain=input dst-port=2005 in-interface=ether1 protocol=tcp
# Source NAT for everything leaving through the WAN port.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set sip disabled=yes sip-direct-media=no
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=87.229.250.177
add distance=1 dst-address=192.168.100.0/24 gateway=ovpn-out1
/ip smb
set allow-guests=no comment=msk2c-mtk.tdrwt.ru domain=workgroup interfaces=ether12
# Account used by the remote router's OVPN client (service=ovpn only). routes= installs
# a route to 10.8.0.0/24 when this peer connects.
# The password was masked by the poster. When sharing an export, "/export hide-sensitive"
# (RouterOS 6.x) leaves such values out; user names, public addresses and MAC addresses
# still remain in the text and need manual review.
/ppp secret
add name=msk2c-mtk.tdrwt.ru password=********** profile=default-encryption routes=10.8.0.0/24 service=ovpn
# OSPF runs on 10.1.250.0/24 and on the user LAN 10.7.0.0/24 (the 192.168.15.0/24 entry
# is disabled).
# NOTE(review): no /routing ospf interface section appears in the export as posted, so
# per-interface settings, including authentication, are presumably at their defaults —
# verify. Without authentication, a host on the LAN that speaks OSPF can form an
# adjacency and inject routes; making the LAN interface passive or enabling OSPF
# authentication is the usual mitigation.
/routing ospf network
add area=backbone network=10.1.250.0/24
add area=backbone network=10.7.0.0/24
add area=backbone disabled=yes network=192.168.15.0/24
# The SNMP agent is enabled.
# NOTE(review): no /snmp community section appears in the export as posted, so the
# community name and the addresses allowed to query are presumably defaults — verify,
# and restrict the community to the monitoring host. Reachability is otherwise limited
# only by the input chain (WAN sources must be in the "main" list; LAN and tunnels are
# unfiltered).
/snmp
set enabled=yes location=Moscow-msk1c-mtk.tdrwt.ru
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=SR-07-01mtk
/system logging
add topics=pptp,!raw
/system ntp client
set enabled=yes primary-ntp=91.226.136.136 secondary-ntp=88.147.254.229
/system ntp server
set enabled=yes
# Runs the "autobackup" script every 6 hours.
# The policy list granted to the job is broad (includes reboot, policy, sniff and
# sensitive); a job that only saves a backup and uploads it can be trimmed to the
# permissions the script actually uses.
/system scheduler
add interval=6h name=autobackup on-event=autobackup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jul/25/2016 start-time=\
16:57:35
# Script "autobackup": builds a file name from the router identity and date, saves a
# binary backup and a compact text export, uploads both to 10.4.0.14 with /tool fetch,
# then deletes the local copies.
# Security-relevant points:
#  - The FTP user name and password are held in :global variables inside the script
#    source, so anyone who can read the script (or this export) obtains them.
#    NOTE(review): globals are expected to stay in the script environment after the
#    run — confirm; :local would limit their lifetime.
#  - The upload uses mode=ftp on port 21: credentials and the backup/export contents
#    cross the network unencrypted. NOTE(review): 10.4.0.14 is presumably reached over
#    a tunnel — verify which path carries it.
#  - The text export contains the full configuration; treat the FTP target directory
#    as sensitive storage.
#  - As posted, both fetch commands pass password="$" — a bare dollar sign with no
#    variable name. NOTE(review): the name (ftpuserpassword is defined above) was
#    presumably lost when the poster masked the password; as written the defined
#    variable is never used.
#  - The policy list is broader than saving and uploading a backup requires.
/system script
add name=autobackup owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="log info \"Starting Automatic Backup Script\" \r\
\n:global thisdate [/system clock get date] \r\
\n:global datetimestring ([:pick \$thisdate 0 3] .\"-\" . [:pick \$thisdate 4 6] .\"-\" . [:pick \$thisdate 7 11]) \r\
\n:global backupfilename ([/system identity get name].\"_\".\$datetimestring.\"_1w\") \r\
\n:global ftpusername \"ftpbackup\" \r\
\n:global ftpuserpassword \"********\" \r\
\n:global ftphostname \"10.4.0.14\" \r\
\n/system backup save name=\"\$backupfilename\" \r\
\n:delay 5s \r\
\n/export compact file=\"\$backupfilename\" \r\
\n:log info \"Please wait\85!!!\" \r\
\n:delay 5s \r\
\n/tool fetch address=\"\$ftphostname\" src-path=\"\$backupfilename.backup\" user=\"\$ftpusername\" password=\"\$\" port=21 upload=yes mode=f\
tp dst-path=\"/mtk/msk-mkt-korov10/\$backupfilename.backup\" \r\
\n:log info \"Sending Backup Mikrotik to FTP Server\85\85\85\85.\" \r\
\n:delay 1s \r\
\n/tool fetch address=\"\$ftphostname\" src-path=\"\$backupfilename.rsc\" user=\"\$ftpusername\" password=\"\$\" port=21 upload=yes mode=ftp\
\_dst-path=\"/mtk/msk-mkt-korov10/\$backupfilename.rsc\" \r\
\n:delay 1s \r\
\n/file remove \"\$backupfilename.backup\" \r\
\n/file remove \"\$backupfilename.rsc\" \r\
\n:log info \"Finished Backup Script\85!!!!\""
# Script "backup_no_e-mail": saves a binary backup and a full text export locally and
# logs progress; it uploads nothing. No scheduler entry in this export runs it.
#  - dont-encrypt=yes writes the backup file unencrypted to router storage.
#  - The two cleanup lines are commented out and refer to \$backupfile, a variable the
#    script never defines (the file name is held in \$backupfilename). The files
#    therefore stay on the router, although the final log line reports "Backup File
#    Removed".
#  - The policy list additionally includes romon.
add name=backup_no_e-mail owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Mikrotik Backup Script for Mikrotik 6.x \
Series, well tested with 6.3x.x\r\
\n:log warning \"Mikrotik Router Backup no mail JOB Started\"\r\
\n:local company \"Dekalitr\"\r\
\n:local sub1 ([/system identity get name])\r\
\n:local sub2 ([/system clock get date])\r\
\n\r\
\n:local datetimestring ([:pick \$sub2 0 3] .\"-\" . [:pick \$sub2 4 6] .\"-\" . [:pick \$sub2 7 11])\r\
\n:local backupfilename (\$sub1.\"_\".\$datetimestring.\"_full_backup\")\r\
\n:local mikrotikexport (\$sub1.\"_\".\$datetimestring.\"_config_backup\")\r\
\n\r\
\n:log warning \"\$company : Creating new up to date backup files . . . \"\r\
\n\r\
\n# Start creating Backup files backup and export both\r\
\n/system backup save dont-encrypt=yes name=\$backupfilename\r\
\n/export file=\$mikrotikexport\r\
\n\r\
\n:log warning \"\$company : Backup no mail JOB process pausing for 10s so it can complete creating backup. Usually for Slow systems ...\"\r\
\n:delay 10s\r\
\n\r\
\n# REMOVE Old backup files to save space.\r\
\n#/file remove \$backupfile\r\
\n#/file remove \$mikrotikexport\r\
\n\r\
\n# Print Log for done\r\
\n:log warning \"\$company : Backup no mail JOB: Process Finished & Backup File Removed. All Done\"\r\
\n# Script END"
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool user-manager database
set db-path=web-proxy1
Config of the router with the OVPN client:
# mar/14/2017 14:47:55 by RouterOS 6.38.3
# software id = FEAN-6ANK
#
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1590
set [ find default-name=ether2 ] l2mtu=1590
set [ find default-name=ether3 ] l2mtu=1590
set [ find default-name=ether4 ] l2mtu=1590
set [ find default-name=ether5 ] l2mtu=1590
set [ find default-name=ether6 ] comment="lan 10.8.0.0/24 dlink dgs-1024d" l2mtu=1590
set [ find default-name=ether7 ] l2mtu=1590
set [ find default-name=ether8 ] l2mtu=1590
set [ find default-name=ether9 ] l2mtu=1590
set [ find default-name=ether10 ] l2mtu=1590
set [ find default-name=ether11 ] l2mtu=1590
set [ find default-name=ether12 ] l2mtu=1590
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=msk2-mtk.tdrwt.ru
# The default IPsec proposal is narrowed to 3DES only. 3DES is a legacy cipher with a
# 64-bit block; an AES-based enc-algorithms value is the usual choice where IPsec is used.
# NOTE(review): no /ip ipsec peer section appears in the export as posted, so this
# proposal may not be in use at all — confirm before treating it as an exposure.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=DHCP_Pool_10.8 ranges=10.8.0.150-10.8.0.254
/ip dhcp-server
add add-arp=yes address-pool=DHCP_Pool_10.8 disabled=no interface=ether6 lease-time=3d name=DHCP_10.8
# Outbound OpenVPN client interfaces of this router:
#   ovpn-out1: active, to 62.182.29.58:2004 (a third endpoint, not the tunnel under test).
#   ovpn-out2: disabled, to 87.229.250.178:2005.
#   ovpn-out3: active, to 87.229.250.178:2005, user msk2c-mtk.tdrwt.ru — this is the
#              tunnel to the other CCR (same address and port as its ovpn-server).
# All three present client certificate cert_2 and request AES-256.
# No auth= or password= values are shown.
# NOTE(review): a compact export omits values left at their defaults, and the poster
# masked other passwords, so the effective auth/password settings cannot be read from here.
# The \XX sequences inside comment= are raw single-byte text (presumably Windows-1251).
/interface ovpn-client
add certificate=cert_2 cipher=aes256 comment="\C2\EF\ED 29-58.kartel.komi.me" connect-to=62.182.29.58 mac-address=02:0C:61:89:4C:C1 name=ovpn-out1 port=2004 profile=\
default-encryption user=Moscow-msk2c-mtk.tdrwt.ru
add certificate=cert_2 cipher=aes256 comment="\C2\CF\CD \E2 \EE\F4\E8\F1 87.229.250.178" connect-to=87.229.250.178 disabled=yes mac-address=02:31:BB:3D:AF:EB name=\
ovpn-out2 port=2005 profile=default-encryption user=msk2c-mtk.tdrwt.ru
add certificate=cert_2 cipher=aes256 connect-to=87.229.250.178 mac-address=02:13:BA:09:35:3C name=ovpn-out3 port=2005 profile=default-encryption user=msk2c-mtk.tdrwt.ru
/queue interface
set ovpn-out1 queue=default
set ovpn-out2 queue=default
/routing ospf instance
set [ find default=yes ] router-id=10.8.0.1
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add disabled=yes interface=ether1
add
# OpenVPN server settings on the client-side router. No enabled=yes is shown.
# NOTE(review): the server is presumably disabled (a compact export omits defaults) —
# verify. If it is ever enabled, note that the cipher list still offers blowfish128 (a
# 64-bit-block cipher) and that require-client-certificate is not set, unlike on the
# other router.
/interface ovpn-server server
set auth=sha1 certificate=cert_1 cipher=blowfish128,aes256 default-profile=profile1 max-mtu=1400 port=2005
# The PPTP server is enabled and accepts pap, chap, mschap1 and mschap2. PAP sends the
# password in clear text, and MPPE encryption can only be negotiated after an MS-CHAP
# login, so a PAP or CHAP session runs unencrypted. PPTP's MS-CHAP/MPPE protection is
# itself considered broken. The input chain accepts TCP/1723 from any source, so this
# service is exposed on every interface; disable it or restrict it if it is not needed.
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
add address=10.8.0.1/24 interface=ether6 network=10.8.0.0
add address=10.8.254.1/24 disabled=yes interface=ovpn-out2 network=10.8.254.0
add address=87.229.250.178/30 disabled=yes interface=ether1 network=87.229.250.176
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.8.0.254 address-lists=main_workstation client-id=1:bc:5f:f4:af:47:a3 comment="\EA\EE\EC\EF rvt-cert1.kripton.local \C1\E0\E7\EE\E5\E2\E0 \C5\D4" \
mac-address=BC:5F:F4:AF:47:A3 server=DHCP_10.8
add address=10.8.0.4 address-lists=main_servers client-id=1:20:aa:4b:59:8a:78 comment="PG SPA8000" mac-address=20:AA:4B:59:8A:78 server=DHCP_10.8
add address=10.8.0.10 address-lists=main_servers always-broadcast=yes client-id=1:52:41:53:20:92:2b:34:da:eb:51:0:0:0:0:0:0 comment="\F1\E5\F0\E2\E5\F0 sr-08-10w" \
mac-address=92:2B:34:DA:EB:51 server=DHCP_10.8
add address=10.8.0.250 address-lists=main_workstation always-broadcast=yes client-id=1:bc:5f:f4:af:47:a5 comment=\
"\EA\EE\EC\EF ws-08-176w.kripton.local \CF\EE\E4\EB\E8\EF\E0\EB\E8\ED\E0 \CE\C2" mac-address=BC:5F:F4:AF:47:A5 server=DHCP_10.8
add address=10.8.0.110 address-lists=main_devices always-broadcast=yes client-id=1:0:c0:ee:b1:d8:7c comment="\EE\EF\E5\F0\E0\F2\EE\F0\F1\EA\E0\FF Kyocera" mac-address=\
00:C0:EE:B1:D8:7C server=DHCP_10.8
add address=10.8.0.248 address-lists=main_workstation always-broadcast=yes client-id=1:0:e0:53:f:61:fb comment="\EA\EE\EC\EF \ED\E0 \F1\EA\EB\E0\E4\E5" mac-address=\
00:E0:53:0F:61:FB server=DHCP_10.8
add address=10.8.0.111 address-lists=main_devices always-broadcast=yes client-id=1:f0:92:1c:63:62:6 comment="\EE\EF\E5\F0\E0\F2\EE\F0\F1\EA\E0\FF HP LaserJet 600 M603" \
mac-address=F0:92:1C:63:62:06 server=DHCP_10.8
add address=10.8.0.112 address-lists=main_devices always-broadcast=yes client-id=1:a0:48:1c:68:6:1c comment="\F1\EA\EB\E0\E4 HP LaserJet 600 M603" mac-address=\
A0:48:1C:68:06:1C server=DHCP_10.8
add address=10.8.0.114 address-lists=main_devices client-id=1:f0:92:1c:63:62:2 comment="\EE\EF\E5\F0\E0\F2\EE\F0\F1\EA\E0\FF HP LaserJet 600 M603" mac-address=\
F0:92:1C:63:62:02 server=DHCP_10.8
add address=10.8.0.81 always-broadcast=yes client-id=1:44:39:c4:89:91:e9 comment="TSD 2" mac-address=44:39:C4:89:91:E9 server=DHCP_10.8
add address=10.8.0.80 always-broadcast=yes client-id=1:44:39:c4:89:91:b3 comment="TSD 1" mac-address=44:39:C4:89:91:B3 server=DHCP_10.8
add address=10.8.0.79 comment="\F2\E5\F0\EC\EE\EF\F0\E8\ED\F2\E5\F0 \E2 \EE\EF\E5\F0\E0\F2\EE\F0\F1\EA\EE\E9 PS-31EC4B" mac-address=00:1B:82:31:EC:4B server=DHCP_10.8
add address=10.8.0.181 client-id=1:0:15:65:8d:26:f4 comment="\F2\E5\EB\E5\F4\EE\ED \D1\F3\F5\E0\F0\E5\E2 ex.124" mac-address=00:15:65:8D:26:F4 server=DHCP_10.8
add address=10.8.0.176 client-id=1:44:8a:5b:e4:63:42 comment="\EA\EE\EC\EF ws-08-176w.lan.dekalitr.ru" mac-address=44:8A:5B:E4:63:42 server=DHCP_10.8
add address=10.8.0.91 address-lists=main comment="Eth1 SR-08-212033 Bridge" mac-address=0C:C4:7A:74:72:42 server=DHCP_10.8
add address=10.8.0.90 address-lists=main comment="iKVM SR-08-212033" mac-address=0C:C4:7A:74:6F:1D server=DHCP_10.8
add address=10.8.0.92 address-lists=main comment="Eth2 SR-08-212033" mac-address=0C:C4:7A:74:72:43 server=DHCP_10.8
add address=10.8.0.154 client-id=1:c0:18:85:b7:c4:5b comment="\E7\E0\E2 \F1\EA\EB\E0\E4\E0 \ED\EE\F3\F2" mac-address=C0:18:85:B7:C4:5B server=DHCP_10.8
add address=10.8.0.151 client-id=1:0:15:65:83:2d:d8 comment="\F2\E5\EB\E5\F4\EE\ED \F2\F0\F3\E1\EA\E0 \F1\EA\EB\E0\E4 ex125" mac-address=00:15:65:83:2D:D8 server=\
DHCP_10.8
add address=10.8.0.153 always-broadcast=yes client-id=1:e0:ca:94:53:8b:8c comment=Vitalic mac-address=E0:CA:94:53:8B:8C server=DHCP_10.8
add address=10.8.0.152 always-broadcast=yes comment=Volodina mac-address=D0:5B:A8:5D:74:C9 server=DHCP_10.8
add address=10.8.0.163 always-broadcast=yes client-id=1:4c:34:88:d6:4a:2 mac-address=4C:34:88:D6:4A:02 server=DHCP_10.8
add address=10.8.0.160 client-id=1:ec:9b:f3:b8:9a:b mac-address=EC:9B:F3:B8:9A:0B server=DHCP_10.8
add address=10.8.0.164 client-id=1:90:2b:34:da:eb:33 mac-address=90:2B:34:DA:EB:33 server=DHCP_10.8
add address=10.8.0.12 client-id=1:c8:d3:a3:ad:2a:1b mac-address=C8:D3:A3:AD:2A:1B server=DHCP_10.8
add address=10.8.0.247 client-id=1:10:be:f5:a7:4d:2 mac-address=10:BE:F5:A7:4D:02 server=DHCP_10.8
/ip dhcp-server network
add address=10.8.0.0/24 dns-server=10.8.0.10,10.8.0.1 domain=lan.dekalitr.ru gateway=10.8.0.1 ntp-server=10.8.0.1,10.1.1.1
# allow-remote-requests=yes makes the router answer DNS queries from other hosts (the
# DHCP network section hands out 10.8.0.1 as a resolver, so LAN clients rely on this).
# Who can reach the resolver is decided only by the input chain: the filter drops
# ether1 traffic from sources outside the "main" list, while the LAN and every tunnel
# interface are not filtered at all.
/ip dns
set allow-remote-requests=yes servers=77.88.8.88,77.88.8.2,77.88.8.1,77.88.8.8
# "main" is the allowlist used by the input-chain drop rule on ether1
# (src-address-list=!main): a packet arriving on the WAN port is accepted only when its
# source address is in this list. "utm" and "centr-utm" are referenced only by forward
# rules that are currently disabled.
# Points a reviewer would check:
#  - The list mixes many private subnets with public addresses. Private source
#    addresses arriving on the WAN port are normally spoofed or misrouted, yet they pass.
#  - Of the resolvers configured under /ip dns only 77.88.8.2 is listed, and the
#    secondary NTP server configured under /system ntp client (88.147.254.229) differs
#    from the entry here (88.147.254.232); replies from the unlisted servers arriving
#    on ether1 would hit the drop rule.
#    NOTE(review): the server addresses are presumably listed to let replies through,
#    because the filter has no connection-state rule — confirm. A single
#    "accept connection-state=established,related" rule in the input chain would do
#    that without trusting unsolicited packets carrying those source addresses.
/ip firewall address-list
add address=78.36.105.213 list=main
add address=62.182.29.58 list=main
add address=87.229.250.178 list=main
add address=10.8.0.0/24 list=main
add address=10.1.1.0/24 list=main
add address=192.168.14.0/24 list=main
add address=192.168.15.0/24 list=main
add address=10.1.250.0/24 list=main
add address=10.8.250.0/24 list=main
add address=10.8.251.0/24 list=main
add address=10.5.0.0/24 list=main
add address=10.3.0.0/24 list=main
add address=10.6.0.0/24 list=main
add address=10.10.0.0/24 list=main
add address=10.2.0.0/24 list=main
add address=77.88.8.2 list=main
add address=91.226.136.136 list=main
add address=88.147.254.232 list=main
add address=10.7.0.0/24 list=main
add address=10.12.0.0/24 list=main
add address=10.7.250.0/24 list=main
add address=172.16.2.0/24 list=main
add address=192.168.100.0/24 list=main
add address=10.8.0.91 list=utm
add address=10.1.1.0/24 list=centr-utm
add address=10.8.0.90 list=utm
add address=10.8.0.92 list=utm
add address=10.11.0.0/24 list=main
add address=10.13.0.0/24 list=main
add address=10.1.2.0/24 list=main
add address=10.14.0.0/24 list=main
add address=93.171.140.88 list=main
add address=87.229.250.177 list=main
# Filter rules are evaluated top to bottom and the first match decides; a packet that
# matches nothing is accepted. Only the first two rules are active:
#  1) TCP/1723 (PPTP control channel) is accepted from any source on any interface.
#  2) Anything else arriving on ether1 from a source outside the "main" list is dropped.
# The remaining rules are disabled:
#  - the ICMP accept and the TCP/2005 accept both sit below the drop, so even when
#    enabled they would only see WAN sources already in "main";
#  - the forward pair that limited access to the "utm" hosts from ovpn-out1 to sources
#    in "centr-utm". With it disabled, nothing in this export restricts forwarded
#    traffic towards those hosts. One of them (10.8.0.90) is labelled iKVM in the DHCP
#    leases, i.e. an out-of-band management interface.
# There is no connection-state rule and no active forward-chain rule: traffic routed
# through the router is not filtered at all.
/ip firewall filter
add action=accept chain=input dst-port=1723 protocol=tcp
add action=drop chain=input in-interface=ether1 src-address-list=!main
add action=accept chain=input comment=icmp disabled=yes protocol=icmp
add action=accept chain=forward disabled=yes dst-address-list=utm in-interface=ovpn-out1 src-address-list=centr-utm
add action=drop chain=forward disabled=yes dst-address-list=utm in-interface=ovpn-out1
add action=accept chain=input disabled=yes dst-port=2005 in-interface=ether1 protocol=tcp
# Source NAT for everything leaving through the WAN port. The SIP port-forward and the
# port-80 redirect to the web proxy (8080) are both disabled.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment=sip disabled=yes dst-port=5060 in-interface=ether1 protocol=udp to-addresses=10.8.0.5 to-ports=5060
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp to-ports=8080
/ip firewall service-port
set sip disabled=yes sip-direct-media=no
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# The web proxy is enabled, although the dstnat redirect that would send port-80
# traffic to it is disabled.
# NOTE(review): no /ip proxy access rules appear in the export as posted, so the proxy
# presumably serves any client that can reach its port — verify. Reachability is
# limited only by the input chain (WAN sources must be in the "main" list; LAN and
# tunnel interfaces are unfiltered). Disable the proxy if nothing uses it.
/ip proxy
set cache-administrator=sukharevsu@tdrwt.ru cache-path=web-proxy1 enabled=yes max-cache-size=none
/ip route
add distance=1 dst-address=10.7.0.0/24 gateway=ovpn-out3 scope=5 target-scope=5
# profile1 is used by the PPTP account below and is the ovpn-server default profile.
# NOTE(review): remote-address=*3 looks like a dangling internal ID, i.e. a reference
# to an address pool that no longer exists — verify and point it at a real pool.
# NOTE(review): use-encryption=yes presumably requests encryption without enforcing it
# ("required" is the enforcing value) — confirm against the RouterOS manual.
/ppp profile
add local-address=10.8.250.1 name=profile1 remote-address=*3 use-encryption=yes
# Moscow-msk1c-mtk.tdrwt.ru: OVPN-only account; its password was masked by the poster.
# msk-IGN: PPTP account with no password= shown.
# NOTE(review): either the poster removed the password or the secret has an empty
# one — verify, because the PPTP server on this router is enabled, accepts PAP/CHAP,
# and TCP/1723 is accepted from any source by the input chain.
/ppp secret
add name=Moscow-msk1c-mtk.tdrwt.ru password=********* profile=default-encryption service=ovpn
add name=msk-IGN profile=profile1 service=pptp
# OSPF runs on 10.1.250.0/24 and on the user LAN 10.8.0.0/24 (the 192.168.14.0/24 entry
# is disabled).
# NOTE(review): no /routing ospf interface section appears in the export as posted, so
# per-interface settings, including authentication, are presumably at their defaults —
# verify. Without authentication, a host on the LAN that speaks OSPF can form an
# adjacency and inject routes; making the LAN interface passive or enabling OSPF
# authentication is the usual mitigation.
/routing ospf network
add area=backbone network=10.1.250.0/24
add area=backbone network=10.8.0.0/24
add area=backbone disabled=yes network=192.168.14.0/24
# The SNMP agent is enabled.
# NOTE(review): no /snmp community section appears in the export as posted, so the
# community name and the addresses allowed to query are presumably defaults — verify,
# and restrict the community to the monitoring host. Reachability is otherwise limited
# only by the input chain (WAN sources must be in the "main" list; LAN and tunnels are
# unfiltered).
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system health
set fan-mode=manual use-fan=auxiliary
/system identity
set name=SR-08-01mtk
/system logging
add topics=ovpn,!raw
add topics=pptp
/system ntp client
set enabled=yes primary-ntp=91.226.136.136 secondary-ntp=88.147.254.229
/system ntp server
set enabled=yes
# Runs the "autobackup" script every 6 hours.
# The policy list granted to the job is broad (includes reboot, policy, sniff and
# sensitive); a job that only saves a backup and uploads it can be trimmed to the
# permissions the script actually uses.
/system scheduler
add interval=6h name=autobackup on-event=autobackup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jul/25/2016 start-time=20:53:51
# Script "autobackup": builds a file name from the router identity and date, saves a
# binary backup and a compact text export, uploads both to 10.4.0.14 with /tool fetch,
# then deletes the local copies.
# Security-relevant points:
#  - The FTP user name and password are held in :global variables inside the script
#    source, so anyone who can read the script (or this export) obtains them.
#    NOTE(review): globals are expected to stay in the script environment after the
#    run — confirm; :local would limit their lifetime.
#  - The upload uses mode=ftp on port 21: credentials and the backup/export contents
#    cross the network unencrypted. NOTE(review): 10.4.0.14 is presumably reached over
#    a tunnel — verify which path carries it.
#  - The text export contains the full configuration; treat the FTP target directory
#    as sensitive storage.
#  - As posted, both fetch commands pass password="$" — a bare dollar sign with no
#    variable name. NOTE(review): the name (ftpuserpassword is defined above) was
#    presumably lost when the poster masked the password; as written the defined
#    variable is never used.
#  - The policy list is broader than saving and uploading a backup requires.
/system script
add name=autobackup owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="log info \"Starting Automatic Backup Script\" \r\
\n:global thisdate [/system clock get date] \r\
\n:global datetimestring ([:pick \$thisdate 0 3] .\"-\" . [:pick \$thisdate 4 6] .\"-\" . [:pick \$thisdate 7 11]) \r\
\n:global backupfilename ([/system identity get name].\"_\".\$datetimestring.\"_1w\") \r\
\n:global ftpusername \"ftpbackup\" \r\
\n:global ftpuserpassword \"*********\" \r\
\n:global ftphostname \"10.4.0.14\" \r\
\n/system backup save name=\"\$backupfilename\" \r\
\n:delay 5s \r\
\n/export compact file=\"\$backupfilename\" \r\
\n:log info \"Please wait\85!!!\" \r\
\n:delay 5s \r\
\n/tool fetch address=\"\$ftphostname\" src-path=\"\$backupfilename.backup\" user=\"\$ftpusername\" password=\"\$\" port=21 upload=yes mode=ftp dst-path\
=\"/mtk/msk-mkt-korov35/\$backupfilename.backup\" \r\
\n:log info \"Sending Backup Mikrotik to FTP Server\85\85\85\85.\" \r\
\n:delay 1s \r\
\n/tool fetch address=\"\$ftphostname\" src-path=\"\$backupfilename.rsc\" user=\"\$ftpusername\" password=\"\$\" port=21 upload=yes mode=ftp dst-path=\
\"/mtk/msk-mkt-korov35/\$backupfilename.rsc\" \r\
\n:delay 1s \r\
\n/file remove \"\$backupfilename.backup\" \r\
\n/file remove \"\$backupfilename.rsc\" \r\
\n:log info \"Finished Backup Script\85!!!!\""
# Script "backup_no_e-mail": saves a binary backup and a full text export locally and
# logs progress; it uploads nothing. No scheduler entry in this export runs it.
#  - dont-encrypt=yes writes the backup file unencrypted to router storage.
#  - The two cleanup lines are commented out and refer to \$backupfile, a variable the
#    script never defines (the file name is held in \$backupfilename). The files
#    therefore stay on the router, although the final log line reports "Backup File
#    Removed".
#  - The policy list additionally includes romon.
add name=backup_no_e-mail owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Mikrotik Backup Script for Mikrotik 6.x Series, wel\
l tested with 6.3x.x\r\
\n:log warning \"Mikrotik Router Backup no mail JOB Started\"\r\
\n:local company \"Dekalitr\"\r\
\n:local sub1 ([/system identity get name])\r\
\n:local sub2 ([/system clock get date])\r\
\n\r\
\n:local datetimestring ([:pick \$sub2 0 3] .\"-\" . [:pick \$sub2 4 6] .\"-\" . [:pick \$sub2 7 11])\r\
\n:local backupfilename (\$sub1.\"_\".\$datetimestring.\"_full_backup\")\r\
\n:local mikrotikexport (\$sub1.\"_\".\$datetimestring.\"_config_backup\")\r\
\n\r\
\n:log warning \"\$company : Creating new up to date backup files . . . \"\r\
\n\r\
\n# Start creating Backup files backup and export both\r\
\n/system backup save dont-encrypt=yes name=\$backupfilename\r\
\n/export file=\$mikrotikexport\r\
\n\r\
\n:log warning \"\$company : Backup no mail JOB process pausing for 10s so it can complete creating backup. Usually for Slow systems ...\"\r\
\n:delay 10s\r\
\n\r\
\n# REMOVE Old backup files to save space.\r\
\n#/file remove \$backupfile\r\
\n#/file remove \$mikrotikexport\r\
\n\r\
\n# Print Log for done\r\
\n:log warning \"\$company : Backup no mail JOB: Process Finished & Backup File Removed. All Done\"\r\
\n# Script END"
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool user-manager database
set db-path=web-proxy1