How to see what is transmitting high Tx

Hi All,

I’m new to Mikrotik and identified a slow and laggy network reported by multiple users. I was able to identify that most of my bandwidth was being “hogged” on the WAN port. What’s odd is that this bandwidth usage seems to be coming directly from the router and not from any of the tens of servers set up behind it, because theoretically I would assume (as I understand it) that the values on the bridges that all the servers sit behind would match the WAN output.

How can I identify what may be causing this? Has anyone experienced something like this?

Maybe I’m just thinking and reviewing the information incorrectly. Screenshot below for reference.

Any feedback is helpful. Ty.

https://imgur.com/a/wMaoNCm

Oh, btw the device is a: Mikrotik Routerboard RB1100AHx4 Dude Edition 1100Dx4

Hi, please share the output of a “/export hide-sensitive” (if ROS 6.x) or “/export” (if ROS 7.x) command so we can have a better understanding of what could be happening.

My guess: missing/wrong firewall rules and dns open to public or proxy enabled and open to public.

Hi martinclaro, thank you for your feedback; I suspect your guess is correct.

Here is an output of what you requested:
I removed the dstnat’s and some IPSEC info from the output fyi.

I suspect the issue is somewhere here (new to Mikrotik =D):


# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries arriving on
# any interface. Because the filter chain below contains no drop rule, that includes the
# WAN side, which is what lets the router be used as an open resolver for amplification.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
# Input chain: only accept rules exist, so traffic that matches none of them still
# reaches the router (a RouterOS chain accepts by default when no rule matches).
add action=accept chain=input comment=\
    "accept established, related, untracked - inbound" connection-state=\
    established,related,untracked
# Forward chain: same pattern, nothing is dropped for LAN <-> WAN traffic either.
add action=accept chain=forward comment=\
    "accept established, related, untracked - outbound" connection-state=\
    established,related,untracked
add action=accept chain=input comment=ICMP protocol=icmp
# No rule in either chain drops connection-state=invalid or new connections from WAN.
/ip firewall mangle
# MSS clamp is disabled=yes, so this rule currently has no effect.
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu \
    passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# NOTE(review): 192.168.1.0/24 does not appear in any address or pool elsewhere in the
# posted export - confirm this srcnat exemption (hair-pin NAT) is still needed.
add action=accept chain=srcnat dst-address=192.168.1.0/24
# Masquerade on the active WAN; the WAN2 rule is disabled like the ether6 port itself.
add action=masquerade chain=srcnat out-interface=ether1-DivTech-WAN1
add action=masquerade chain=srcnat disabled=yes out-interface=\
    ether6-DivTech-WAN2



# aug/17/2023 11:57:48 by RouterOS 6.49.8
# software id = MA6T-AYVZ
#
# model = RB1100Dx4
# serial number = HD608BZSQVK
# Three L2 bridges, one per tenant/site; each gets its own LAN port and subnet below.
/interface bridge
add name="bridge - ais"
add name="bridge - divtech"
add name="bridge - divts"
/interface ethernet
set [ find default-name=ether1 ] name=ether1-DivTech-WAN1
set [ find default-name=ether2 ] name=ether2-DivTech-LAN1
# ether6 (WAN2) is administratively disabled; its addresses/dhcp-client below are inert.
set [ find default-name=ether6 ] disabled=yes name=ether6-DivTech-WAN2
set [ find default-name=ether7 ] name=ether7-AIS-LAN1
set [ find default-name=ether8 ] name=ether8-DivTS-LAN1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
# WAN/LAN interface lists are populated further down but no firewall rule in this export
# references them (in-interface-list / out-interface-list), so they currently do nothing.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): 3des + md5 + modp1024 are legacy/weak IKE choices; the peer is ike2, so
# aes-256 / sha256 / modp2048 or stronger would be the expected baseline - confirm the
# remote side supports it before changing.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=Paneffort
/ip ipsec peer
add address=RemovedForForumPosting/32 exchange-mode=ike2 name=Paneffort profile=\
    Paneffort
# Phase-2 proposal also uses 3des for encryption (sha256 for auth).
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=3des lifetime=8h name=Paneffort
/ip pool
add name=dhcp_pool0-divtech ranges=192.168.80.2-192.168.80.254
add name=dhcp_pool0-ais ranges=192.168.81.2-192.168.81.254
# NOTE(review): dhcp_pool0-nware has no /ip dhcp-server entry in this export - presumably
# unused or served elsewhere; verify.
add name=dhcp_pool0-nware ranges=192.168.82.2-192.168.82.254
# Pool handed to L2TP clients via the ppp profile below.
add name=l2tp-divtech ranges=192.168.77.2-192.168.77.254
add name=dhcp_pool0-divts ranges=192.168.83.2-192.168.83.254
/ip dhcp-server
add address-pool=dhcp_pool0-divtech disabled=no interface="bridge - divtech" \
    name=dhcp1-divtech
add address-pool=dhcp_pool0-ais disabled=no interface="bridge - ais" name=\
    dhcp2-ais
add address-pool=dhcp_pool0-divts disabled=no interface="bridge - divts" name=\
    dhcp4-divts
# L2TP clients get 8.8.8.8 directly as DNS, so they do not depend on the router resolver.
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.80.1 name=divtech-dltx \
    remote-address=l2tp-divtech
/dude
set enabled=yes
/interface bridge port
add bridge="bridge - divtech" interface=ether2-DivTech-LAN1
add bridge="bridge - ais" interface=ether7-AIS-LAN1
add bridge="bridge - divts" interface=ether8-DivTS-LAN1
# L2TP server listens on all interfaces (no input filter narrows it); IPsec is required.
/interface l2tp-server server
set enabled=yes max-sessions=3 use-ipsec=required
/interface list member
add interface=ether1-DivTech-WAN1 list=WAN
add interface=ether2-DivTech-LAN1 list=LAN
add interface=ether6-DivTech-WAN2 list=WAN
add interface=ether7-AIS-LAN1 list=LAN
add interface=ether8-DivTS-LAN1 list=LAN
/ip address
add address=192.168.80.1/24 interface="bridge - divtech" network=192.168.80.0
add address=RemovedForForumPosting/29 interface=ether1-DivTech-WAN1 network=\
    RemovedForForumPosting
# NOTE(review): ether6-DivTech-WAN2 carries two static /29 entries (and a dhcp-client
# below) while the port is disabled - looks like leftover config; verify intent.
add address=RemovedForForumPosting/29 interface=ether6-DivTech-WAN2 network=\
    RemovedForForumPosting
add address=192.168.81.1/24 interface="bridge - ais" network=192.168.81.0
add address=RemovedForForumPosting/29 interface=ether6-DivTech-WAN2 network=\
    RemovedForForumPosting
add address=192.168.83.1/24 interface="bridge - divts" network=192.168.83.0
# NOTE(review): dhcp-client on WAN1 alongside a static /29 on the same port - confirm
# which one the upstream actually expects.
/ip dhcp-client
add disabled=no interface=ether1-DivTech-WAN1
add disabled=no interface=ether6-DivTech-WAN2
# LAN clients are pointed at in-subnet DNS hosts first, with 8.8.8.8 as fallback; the
# router itself (192.168.8x.1) is not advertised as a DNS server to any subnet here.
/ip dhcp-server network
add address=192.168.80.0/24 dns-server=192.168.80.30,8.8.8.8 domain=DIVTECH \
    gateway=192.168.80.1 netmask=24
add address=192.168.81.0/24 dns-server=192.168.81.30,8.8.8.8 domain=AISSAP \
    gateway=192.168.81.1 netmask=24
add address=192.168.82.0/24 dns-server=192.168.82.2,8.8.8.8 domain=dt.nware \
    gateway=192.168.82.1 netmask=24
add address=192.168.83.0/24 dns-server=192.168.83.2,8.8.8.8 domain=divts \
    gateway=192.168.83.1 netmask=24
# NOTE(review): allow-remote-requests=yes plus a filter chain with no drop rule means the
# resolver answers queries from WAN as well as LAN - this is the open-resolver condition
# behind the unexplained WAN Tx.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
# Only accept rules in both chains; a RouterOS chain accepts by default when nothing
# matches, so these rules never actually restrict anything.
add action=accept chain=input comment=\
    "accept established, related, untracked - inbound" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "accept established, related, untracked - outbound" connection-state=\
    established,related,untracked
add action=accept chain=input comment=ICMP protocol=icmp
/ip firewall mangle
# Disabled, so no MSS clamping is applied at present.
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu \
    passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# NOTE(review): 192.168.1.0/24 is not defined anywhere else in this export - confirm the
# srcnat exemption is still required.
add action=accept chain=srcnat dst-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1-DivTech-WAN1
add action=masquerade chain=srcnat disabled=yes out-interface=\
    ether6-DivTech-WAN2
/ip route
add check-gateway=ping distance=1 gateway=RemovedForForumPosting
# telnet/ftp/ssh/api/api-ssl are off. www and winbox are not listed, so presumably they
# are at their defaults (enabled); with no input drop rule they are reachable from WAN -
# TODO confirm and restrict via firewall or the service's address= field.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

Indeed. Your DNS server accepts remote requests (doesn’t matter where client is located) and your firewall is a piece of …, it doesn’t block any traffic whatsoever … neither from internet towards LAN nor towards router itself. So it’s easily used as part of (D)DoS amplification attack.

I guess that RB1100 doesn’t come with default config … so here’s the default firewall config for SoHo devices (and it’s a good starting point for others as well):

# Stock SoHo "defconf" firewall. Everything below keys off the WAN/LAN interface lists,
# so membership is the only part that normally needs editing per device.
/interface list add name=WAN comment="defconf"
/interface list add name=LAN comment="defconf"
# NOTE(review): assumes a single interface named "bridge"; a device with several bridges
# needs one LAN member entry per bridge (and the WAN entry renamed to match its WAN port).
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
# ipsec-policy=out,none keeps IPsec-policy traffic from being masqueraded.
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
       # --- input chain: traffic addressed to the router itself ---
       filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
       filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
       filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
       filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
       # Final input rule: anything not from a LAN-list interface is dropped. This is the
       # rule that closes DNS, WinBox, WebFig, etc. to the WAN side while LAN keeps access.
       filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
       # --- forward chain: traffic routed through the router ---
       filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
       filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
       # NOTE(review): fasttracked flows bypass later mangle/queue processing - confirm this
       # is acceptable if the MSS-clamp mangle rule is ever re-enabled.
       filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
       filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
       filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
       # New inbound connections from WAN are only allowed when a dstnat rule created them.
       filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}

Adjust the interface list membership to what you need (SoHo default uses ether1 as WAN interface, the rest of ports are members of bridge and used as LAN), the rest of firewall will probably fit your needs just fine. The only exception being hair-pin NAT you have, you might need to alter it a bit.

Thank you mkx. The “allow remote requests” option for the DNS fixed the issue. I will review the firewall specific rules you mentioned as well.

Thank you!

Disabling remote requests will also block requests from your LAN clients (so if the DHCP server settings instruct them to use your RB1100 as DNS server, they will suffer) - this then means that the DNS server on the RB will only serve its own needs (e.g. resolving upgrade.mikrotik.com or some such). Configuring the firewall (especially chain=input) will block connections from WAN but still allow LAN clients to use the service. The same applies to other services (e.g. WebFig or SSH or WinBox). So definitely do something about the firewall.