Hi all
I have some issues with a local wifi bridge and with identifying the root cause of ping spikes and, basically, connection losses.
Ping from a local client connected to the AP:
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=219ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=129ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=90ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=19ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=24ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=3ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=23ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=159ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=53ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=26ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=3ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=22ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=21ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=3ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=4ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=23ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=194ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=116ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=10ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=22ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=11ms TTL=64
Is there anything in my configuration that seems completely wrong and could cause those spikes?
Thanks in advance!
WAN:
10.0.2.1
MAIN (RB4011):
[admin@MikroTik] > /export
2023-11-03 15:24:06 by RouterOS 7.11.2
software id = LA4I-67U9
model = RB4011iGS+5HacQ2HnD
serial number = XXXXXXXX
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=CH1
add band=2ghz-b/g/n frequency=2417 name=CH2
add band=2ghz-b/g/n frequency=2422 name=CH3
add band=2ghz-b/g/n frequency=2427 name=CH4
add band=2ghz-b/g/n frequency=2432 name=CH5
add band=2ghz-b/g/n frequency=2437 name=CH6
add band=2ghz-b/g/n frequency=2442 name=CH7
add band=2ghz-b/g/n frequency=2447 name=CH8
add band=2ghz-b/g/n frequency=2452 name=CH9
add band=2ghz-b/g/n frequency=2457 name=CH10
add band=2ghz-b/g/n frequency=2462 name=CH11
add band=2ghz-b/g/n frequency=2467 name=CH12
add band=2ghz-b/g/n frequency=2472 name=CH13
add band=5ghz-onlyac frequency=5180 name=CH36
add band=5ghz-onlyac frequency=5200 name=CH40
add band=5ghz-onlyac frequency=5220 name=CH44
add band=5ghz-onlyac frequency=5240 name=CH48
add band=5ghz-a/n/ac frequency=5260 name=CH52
add band=5ghz-a/n/ac frequency=5280 name=CH56
add band=5ghz-a/n/ac frequency=5300 name=CH60
add band=5ghz-a/n/ac frequency=5320 name=CH64
add band=5ghz-a/n/ac frequency=5500 name=CH100
add band=5ghz-a/n/ac frequency=5520 name=CH104
add band=5ghz-a/n/ac frequency=5540 name=CH108
add band=5ghz-a/n/ac frequency=5560 name=CH112
add band=5ghz-a/n/ac frequency=5580 name=CH116
add band=5ghz-a/n/ac frequency=5600 name=CH120
add band=5ghz-a/n/ac frequency=5620 name=CH124
add band=5ghz-a/n/ac frequency=5640 name=CH128
add band=5ghz-a/n/ac frequency=5660 name=CH132
add band=5ghz-a/n/ac frequency=5680 name=CH136
add band=5ghz-a/n/ac frequency=5700 name=CH140
add band=5ghz-a/n/ac frequency=5745 name=CH149
add band=5ghz-a/n/ac frequency=5765 name=CH153
add band=5ghz-a/n/ac frequency=5785 name=CH157
add band=5ghz-a/n/ac frequency=5805 name=CH161
/interface bridge
add name=bridge-lan
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-n/ac channel-width=20/40mhz-XX
country=germany disabled=no installation=indoor mode=ap-bridge
nv2-security=enabled ssid=darknet_5G wireless-protocol=nv2-nstreme-802.11
set [ find default-name=wlan2 ] band=2ghz-g/n country=germany disabled=no
installation=indoor mode=ap-bridge ssid=darknet
/interface wireless nstreme
set wlan1 enable-nstreme=yes
set wlan2 enable-nstreme=yes
/interface list
add comment="public network" name=public
add comment="local network" name=local
add comment="guest network" name=guest
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.1.2-10.0.1.100
add name=vpn ranges=10.0.1.102-10.0.1.110
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge-lan lease-script=":local DHCPtag\r
\n:set DHCPtag "#DHCP"\r
\n\r
\n:if ( [ :len $leaseActIP ] <= 0 ) do={ :error "empty lease address" }\r
\n\r
\n:if ( $leaseBound = 1 ) do=\\r
\n{\r
\n :local ttl\r
\n :local domain\r
\n :local hostname\r
\n :local fqdn\r
\n :local leaseId\r
\n :local comment\r
\n\r
\n /ip dhcp-server\r
\n :set ttl [ get [ find name=$leaseServerName ] lease-time ]\r
\n network \r
\n :set domain [ get [ find $leaseActIP in address ] domain ]\r
\n\r
\n .. lease\r
\n :set leaseId [ find address=$leaseActIP ]\r
\n\r
\n # Check for multiple active leases for the same IP address. It's weird
_and it shouldn't be, but just in case.\r
\n\r
\n :if ( [ :len $leaseId ] != 1) do={\r
\n :log info "DHCP2DNS: not registering domain name for address $le
aseActIP because of multiple active leases for $leaseActIP"\r
\n :error "multiple active leases for $leaseActIP"\r
\n } \r
\n\r
\n :set hostname [ get $leaseId host-name ]\r
\n :set comment [ get $leaseId comment ]\r
\n /\r
\n\r
\n :if ( [ :len $hostname ] <= 0 ) do={ :set hostname $comment }\r
\n\r
\n :if ( [ :len $hostname ] <= 0 ) do={\r
\n :log error "DHCP2DNS: not registering domain name for address $l
easeActIP because of empty lease host-name or comment"\r
\n :error "empty lease host-name or comment"\r
\n }\r
\n :if ( [ :len $domain ] <= 0 ) do={\r
\n :log error "DHCP2DNS: not registering domain name for address $l
easeActIP because of empty network domain name"\r
\n :error "empty network domain name"\r
\n }\r
\n\r
\n :set fqdn "$hostname.$domain"\r
\n\r
\n /ip dns static\r
\n :if ( [ :len [ find name=$fqdn and address=$leaseActIP and disabled=
no ] ] = 0 ) do={\r
\n :log info "DHCP2DNS: registering static domain name $fqdn for ad
dress $leaseActIP with ttl $ttl"\r
\n add address=$leaseActIP name=$fqdn ttl=$ttl comment=$DHCPtag d
isabled=no\r
\n } else={\r
\n :log error "DHCP2DNS: not registering domain name $fqdn for addr
ess $leaseActIP because of existing active static DNS entry with this name
or address"\r
\n }\r
\n /\r
\n} else={\r
\n /ip dns static\r
\n :local dnsDhcpId\r
\n :set dnsDhcpId [ find address=$leaseActIP and comment=$DHCPtag ]\r
\n :if ( [ :len $dnsDhcpId ] > 0 ) do={\r
\n :log info "DHCP2DNS: removing static domain name(s) for address
$leaseActIP"\r
\n remove $dnsDhcpId\r
\n }\r
\n /\r
\n}" lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *FFFFFFFE bridge=bridge-lan dns-server=10.0.1.1 local-address=10.0.1.101
remote-address=vpn wins-server=8.8.8.8
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=
suggest-same-version
/caps-man provisioning
add action=create-enabled hw-supported-modes=ac master-configuration=*2
/interface bridge port
add bridge=bridge-lan ingress-filtering=no interface=ether2
add bridge=bridge-lan ingress-filtering=no interface=ether3
add bridge=bridge-lan ingress-filtering=no interface=ether4
add bridge=bridge-lan ingress-filtering=no interface=ether5
add bridge=bridge-lan ingress-filtering=no interface=ether6
add bridge=bridge-lan ingress-filtering=no interface=ether7
add bridge=bridge-lan ingress-filtering=no interface=ether8
add bridge=bridge-lan ingress-filtering=no interface=ether9
add bridge=bridge-lan ingress-filtering=no interface=ether10
add bridge=bridge-lan interface=wlan1
add bridge=bridge-lan interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 enabled=yes use-ipsec=
yes
/interface list member
add interface=ether1 list=public
add interface=bridge-lan list=local
/interface ovpn-server server
set auth=sha1,md5
/interface wireless cap
set caps-man-addresses=127.0.0.1 certificate=request interfaces=wlan1
/ip address
add address=10.0.1.1/24 interface=bridge-lan network=10.0.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.1.16 client-id=1:e8:a7:2f:59:19:8 mac-address=
E8:A7:2F:59:19:08 server=dhcp1
add address=10.0.1.29 client-id=1:0:60:2f:67:bb:c5 mac-address=
00:60:2F:67:BB:C5 server=dhcp1
add address=10.0.1.12 client-id=1:66:4d:18:2f:13:3a mac-address=
66:4D:18:2F:13:3A server=dhcp1
add address=10.0.1.51 client-id=1:2c:59:e5:9d:c9:c7 mac-address=
2C:59:E5:9D:C9:C7 server=dhcp1
add address=10.0.1.48 client-id=
ff:20:67:ad:6f:0:1:0:1:2a:d7:42:2d:f2:1d:20:67:ad:6f mac-address=
F2:1D:20:67:AD:6F server=dhcp1
add address=10.0.1.45 client-id=1:62:cc:ae:d0:6:da mac-address=
62:CC:AE:D0:06:DA server=dhcp1
add address=10.0.1.34 client-id=
ff:f8:15:51:68:0:1:0:1:2a:cb:fc:ef:a6:12:f8:15:51:68 mac-address=
A6:12:F8:15:51:68 server=dhcp1
add address=10.0.1.46 client-id=
ff:89:48:ac:5b:0:1:0:1:2a:d5:f5:bb:9a:b6:89:48:ac:5b mac-address=
9A:B6:89:48:AC:5B server=dhcp1
add address=10.0.1.30 client-id=1:7e:44:57:5f:1e:df mac-address=
7E:44:57:5F:1E:DF server=dhcp1
add address=10.0.1.71 client-id=
ff:4:cf:2d:1e:0:1:0:1:2a:e3:21:58:1e:b7:4:cf:2d:1e mac-address=
1E:B7:04:CF:2D:1E server=dhcp1
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.1.48,10.0.1.1 domain=local gateway=
10.0.1.1
/ip dns
set allow-remote-requests=yes servers=10.0.2.1,1.1.1.1
/ip dns static
add address=10.0.1.49 comment=#DHCP name=fritz.box.local ttl=1h
add address=10.0.1.61 comment=#DHCP name=MG.local ttl=1h
add address=10.0.1.5 comment=#DHCP name=MikroTik.local ttl=1h
add address=10.0.1.59 comment=#DHCP name=Hue-Bridge.local ttl=1h
add address=10.0.1.57 comment=#DHCP name=DEMBVTGX72NN.local ttl=1h
add address=10.0.1.70 comment=#DHCP name=LAPTOP-BEGU3GHQ.local ttl=1h
add address=10.0.1.27 comment=#DHCP name=HF-LPT230.local ttl=1h
add address=10.0.1.41 comment=#DHCP name=ecb5fa129592.local ttl=1h
add address=10.0.1.38 comment=#DHCP name=x3d.local ttl=1h
add address=10.0.1.72 comment=#DHCP name=softliQ-SC-ae-b9-5b.local ttl=1h
add address=10.0.1.25 comment=#DHCP name=amazon-e2d52f943.local ttl=1h
add address=10.0.1.23 comment=#DHCP name=amazon-e98b0ebc8.local ttl=1h
add address=10.0.1.32 comment=#DHCP name=amazon-cde1a007d.local ttl=1h
/ip firewall address-list
add address=10.0.1.0/24 list=local
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=
not_in_internet
/ip firewall filter
add action=fasttrack-connection chain=forward comment=
"Enable FastTrack for all zones" connection-state=established,related
hw-offload=yes
add action=jump chain=input comment="PUBLIC --> ROUTER" in-interface-list=
public jump-target=PUBLIC-TO-ROUTER
add action=accept chain=PUBLIC-TO-ROUTER dst-port=1701 ipsec-policy=in,ipsec
protocol=udp
add action=accept chain=PUBLIC-TO-ROUTER protocol=ipsec-esp
add action=accept chain=PUBLIC-TO-ROUTER comment=PPTP dst-port=1723 protocol=
tcp
add action=accept chain=PUBLIC-TO-ROUTER protocol=gre
add action=return chain=PUBLIC-TO-ROUTER
add action=jump chain=output comment="PUBLIC <-- ROUTER" jump-target=
ROUTER-TO-PUBLIC out-interface-list=public
add action=return chain=ROUTER-TO-PUBLIC
add action=jump chain=input comment="LOCAL --> ROUTER" in-interface-list=local
jump-target=LOCAL-TO-ROUTER
add action=accept chain=LOCAL-TO-ROUTER
add action=jump chain=output comment="LOCAL <-- ROUTER" jump-target=
ROUTER-TO-LOCAL out-interface-list=local
add action=accept chain=ROUTER-TO-LOCAL
add action=jump chain=forward comment="PUBLIC --> LOCAL" in-interface-list=
public jump-target=PUBLIC-TO-LOCAL out-interface-list=local
add action=accept chain=PUBLIC-TO-LOCAL connection-state=
established,related,untracked
add action=drop chain=PUBLIC-TO-LOCAL connection-state=invalid
add action=drop chain=PUBLIC-TO-LOCAL connection-nat-state=!dstnat
connection-state=new
add action=accept chain=PUBLIC-TO-LOCAL
add action=jump chain=forward comment="PUBLIC <-- LOCAL" in-interface-list=
local jump-target=LOCAL-TO-PUBLIC out-interface-list=public
add action=accept chain=LOCAL-TO-PUBLIC
add action=jump chain=input comment="GUEST --> ROUTER" in-interface-list=guest
jump-target=GUEST-TO-ROUTER
add action=drop chain=GUEST-TO-ROUTER protocol=icmp
add action=return chain=GUEST-TO-ROUTER
add action=jump chain=output comment="GUEST <-- ROUTER" jump-target=
ROUTER-TO-GUEST out-interface-list=guest
add action=return chain=ROUTER-TO-GUEST
add action=jump chain=forward comment="PUBLIC --> GUEST" in-interface-list=
public jump-target=PUBLIC-TO-GUEST out-interface-list=guest
add action=return chain=PUBLIC-TO-GUEST
add action=jump chain=forward comment="PUBLIC <-- GUEST" in-interface-list=
guest jump-target=GUEST-TO-PUBLIC out-interface-list=public
add action=return chain=GUEST-TO-PUBLIC
add action=jump chain=forward comment="LOCAL --> GUEST" in-interface-list=
local jump-target=LOCAL-TO-GUEST out-interface-list=guest
add action=drop chain=LOCAL-TO-GUEST
add action=jump chain=forward comment="LOCAL <-- GUEST" in-interface-list=
guest jump-target=GUEST-TO-LOCAL out-interface-list=local
add action=drop chain=GUEST-TO-LOCAL
add action=accept chain=input comment="[Default policy] INPUT"
connection-state=established,related,untracked
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input dst-port=5246,5247 protocol=udp src-address=
127.0.0.1
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="[Default policy] FORWARD"
connection-state=established,related,untracked
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new
in-interface-list=public
add action=reject chain=forward comment="Forbid connections between networks"
disabled=yes reject-with=icmp-net-prohibited
add action=accept chain=forward
add action=accept chain=output comment=“[Default policy] OUTPUT”
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=10.0.2.2 dst-port=3074 protocol=udp
src-port=3074 to-addresses=10.0.1.16 to-ports=3074
add action=dst-nat chain=dstnat dst-address=10.0.1.33 dst-port=41448 protocol=
tcp src-port=41448 to-addresses=10.0.1.33 to-ports=41448
/ppp secret
add name=phone profile=default-encryption service=l2tp
add name=marcel profile=default-encryption service=l2tp
/system clock
set time-zone-name=Europe/Berlin
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,
wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add disabled=yes topics=caps
add disabled=yes topics=l2tp
add disabled=yes topics=ipsec
add disabled=yes topics=ppp
add topics=firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org
add address=pool.ntp.org
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool sniffer
set filter-port=ms-wbt-server
AP (HAP AC2):
[admin@MikroTik] > /export
2023-11-03 15:21:48 by RouterOS 7.11.2
software id = L5TW-BBV7
model = RBD52G-5HacD2HnD
serial number = XXXXXXXXX
/interface bridge
add name=bridge-lan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=germany disabled=no
frequency=2447 installation=indoor mode=ap-bridge ssid=darknet-g
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-XX
country=germany disabled=no installation=indoor mode=station-bridge
nv2-security=enabled ssid=darknet_5G wireless-protocol=nv2-nstreme-802.11
/interface wireless nstreme
set wlan2 enable-nstreme=yes
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=oldnet
supplicant-identity=""
/ip pool
add name=dhcp_pool0 ranges=10.0.2.2-10.0.2.254
/interface bridge port
add bridge=bridge-lan ingress-filtering=no interface=wlan1
add bridge=bridge-lan ingress-filtering=no interface=wlan2
add bridge=bridge-lan ingress-filtering=no interface=all
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add interface=bridge-lan
/ip dhcp-server network
add address=10.0.2.0/24 gateway=10.0.2.1
/ip dns
set servers=8.8.8.8
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
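Before changing the config it helps to put numbers on the ping output at the top of the post. The helper below is an added example, not code from the post or from MikroTik: it parses Windows ping replies in the German and English locales, counts timeouts as losses, and reports median, maximum, jitter and the number of replies above a spike threshold; the embedded sample is the post's own 27 replies.

```python
import re
import statistics
# The 27 replies from the original post (German-locale Windows ping), embedded as input.
SAMPLE = """\
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=219ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=129ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=90ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=19ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=24ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=3ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=23ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=159ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=53ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=26ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=3ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=22ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=21ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=3ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=4ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=23ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=194ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=116ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=10ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=22ms TTL=64
Antwort von 10.0.1.1: Bytes=32 Zeit=11ms TTL=64
"""
# Matches German ("Zeit=12ms", "Zeit<1ms") and English ("time=12ms") reply lines.
RTT_RE = re.compile(r"(?:Zeit|time)[=<](\d+)\s*ms")
# Replies that never arrived count as losses, not as latency samples.
TIMEOUT_RE = re.compile(r"Zeitüberschreitung der Anforderung|Request timed out")

def parse_ping(text):
    rtts, losses = [], 0
    for line in text.splitlines():
        if m := RTT_RE.search(line):
            rtts.append(int(m.group(1)))
        elif TIMEOUT_RE.search(line):
            losses += 1
    return rtts, losses

def summarize(rtts, losses=0, spike_ms=100):
    # Jitter here is the mean absolute difference between consecutive replies.
    diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {
        "samples": len(rtts), "losses": losses,
        "median_ms": statistics.median(rtts), "max_ms": max(rtts),
        "jitter_ms": sum(diffs) / len(diffs) if diffs else 0.0,
        "spikes": sum(1 for r in rtts if r > spike_ms),  # replies above the threshold
    }
```

Run it over longer captures taken on the wired side of the RB4011 and on the wireless side of the hAP ac2 bridge; if the spike count and jitter only appear on the wireless side, the station-bridge link is the place to look.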