Mikrotik RB2011UiAS + UniFi AP configuration problem

Hello, I’m a happy owner of a Mikrotik RB2011UiAS router.
Here is my network configuration:

WAN
port 6 = ether6WAN1 8Mb/s with ip… 83.18.101.0/29 static;
port 8 = ether8WAN3 40Mb/s 10.1.0.1/24 static;
port 9 = ether9WAN4 40Mb/s 10.2.0.1/24 static;

LAN
port 3 = ether3LAN3 192.168.1.1/24 DHCP Server on;
port 2 = ether2LAN2 192.168.2.1/24 DHCP Server on;

192.168.1.0/24 is a fast, local, cable network connected to WAN3 as its internet connection;
192.168.2.0/24 is… WiFi; port 2 is connected directly to a UniFi access point. The router's onboard WiFi is disabled… it has to be disabled because the router is very far from the area where WiFi has to be supported. The internet connections for this network are WAN3 and WAN4 in PCC mode. Maybe it isn’t the best solution… idk.

The problem is: WiFi works very slowly and sometimes drops the internet connection.

The router configuration

/ip address

 0   address=192.168.2.1/24 network=192.168.2.0 interface=ether2LAN2 actual-interface=ether2LAN2 

 1   address=10.1.0.2/24 network=10.1.0.0 interface=ether8WAN3 actual-interface=ether8WAN3 

 2   address=10.2.0.2/24 network=10.2.0.0 interface=ether9WAN4 actual-interface=ether9WAN4 

 3   address=83.18.101.2/29 network=83.18.101.0 interface=ether6WAN1 actual-interface=ether6WAN1 

 4   address=192.168.1.1/24 network=192.168.1.0 interface=ether3LAN3 actual-interface=ether3LAN3

/ip firewall mangle

 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting 

 3    chain=input action=mark-connection new-connection-mark=ether8WAN3_conn passthrough=yes 
      in-interface=ether8WAN3 log=no log-prefix="" 

 4    chain=input action=mark-connection new-connection-mark=ether9WAN4_conn passthrough=yes 
      in-interface=ether9WAN4 log=no log-prefix="" 

 5    chain=input action=mark-connection new-connection-mark=ether6WAN1_conn passthrough=yes 
      in-interface=ether6WAN1 log=no log-prefix="" 

 6    chain=output action=mark-routing new-routing-mark=to_ether8WAN3 passthrough=yes 
      connection-mark=ether8WAN3_conn log=no log-prefix="" 

 7    chain=outputre action=mark-routing new-routing-mark=to_ether9WAN4 passthrough=yes 
      connection-mark=ether9WAN4_conn log=no log-prefix="" 

 8    chain=output action=mark-routing new-routing-mark=to_ether6WAN1 passthrough=yes 
      connection-mark=ether6WAN1_conn log=no log-prefix="" 

 9    chain=prerouting action=accept dst-address=10.1.0.0/24 in-interface=ether2LAN2 log=no 
      log-prefix="" 

10    chain=prerouting action=accept dst-address=10.2.0.0/24 in-interface=ether2LAN2 log=no 
      log-prefix="" 

11    chain=prerouting action=accept dst-address=83.18.101.0/29 in-interface=ether3LAN3 log=no 
      log-prefix="" 

12    chain=prerouting action=mark-connection new-connection-mark=ether8WAN3_conn passthrough=yes 
      dst-address-type=!local in-interface=ether2LAN2 
      per-connection-classifier=both-addresses-and-ports:2/0 log=no log-prefix="" 

13    chain=prerouting action=mark-connection new-connection-mark=ether9WAN4_conn passthrough=yes 
      dst-address-type=!local in-interface=ether2LAN2 
      per-connection-classifier=both-addresses-and-ports:2/1 log=no log-prefix="" 

14    chain=prerouting action=mark-connection new-connection-mark=ether6WAN1_conn passthrough=yes 
      dst-address-type=!local in-interface=ether3LAN3 log=no log-prefix="" 

15    chain=prerouting action=mark-routing new-routing-mark=to_ether8WAN3 passthrough=yes 
      in-interface=ether2LAN2 connection-mark=ether8WAN3_conn log=no log-prefix="" 

16    chain=prerouting action=mark-routing new-routing-mark=to_ether9WAN4 passthrough=yes 
      in-interface=ether2LAN2 connection-mark=ether9WAN4_conn log=no log-prefix="" 

17    chain=prerouting action=mark-routing new-routing-mark=to_ether6WAN1 passthrough=yes 
      in-interface=ether3LAN3 connection-mark=ether6WAN1_conn log=no log-prefix=""

/ip firewall nat

 0    chain=srcnat action=masquerade out-interface=ether8WAN3 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether9WAN4 log=no log-prefix="" 

 2    chain=srcnat action=masquerade out-interface=ether6WAN1 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.1.90 to-ports=3389 protocol=tcp 
      dst-address=83.18.101.2 dst-port=13389 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=192.168.1.90 to-ports=1195 protocol=udp 
      dst-address=83.18.101.2 dst-port=1195 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=192.168.1.90 to-ports=3080 protocol=tcp 
      dst-address=83.18.101.2 dst-port=3080 log=no log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=192.168.1.90 to-ports=3080 protocol=udp 
      dst-address=83.18.101.2 dst-port=3080 log=no log-prefix="" 

 7    chain=dstnat action=dst-nat to-addresses=192.168.1.90 to-ports=3081 protocol=tcp 
      dst-address=83.18.101.2 dst-port=3081 log=no log-prefix="" 

 8    chain=dstnat action=dst-nat to-addresses=192.168.1.90 to-ports=2222 protocol=tcp 
      dst-address=83.18.101.2 dst-port=2222 log=no log-prefix="" 

 9    chain=dstnat action=dst-nat to-addresses=192.168.1.90 to-ports=8443 protocol=tcp 
      dst-address=83.18.101.2 dst-port=18443 log=no log-prefix="" 

10    chain=dstnat action=dst-nat to-addresses=192.168.1.16 to-ports=8086 protocol=tcp 
      dst-address=83.18.101.2 dst-port=8086 log=no log-prefix="" 

11    chain=dstnat action=dst-nat to-addresses=192.168.1.91 to-ports=443 protocol=tcp 
      dst-address=83.18.101.2 dst-port=1443 log=no log-prefix=""

/ip route

 0 A S  dst-address=0.0.0.0/0 gateway=10.1.0.1 gateway-status=10.1.0.1 reachable via  ether8WAN3 
        check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_ether8WAN3 

 1 A S  dst-address=0.0.0.0/0 gateway=10.2.0.1 gateway-status=10.2.0.1 reachable via  ether9WAN4 
        check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_ether9WAN4 

 2 A S  dst-address=0.0.0.0/0 gateway=83.18.101.1 gateway-status=83.18.101.1 reachable via  ether6WAN>
        check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_ether6WAN1 

 3 A S  dst-address=0.0.0.0/0 gateway=10.1.0.1 gateway-status=10.1.0.1 reachable via  ether8WAN3 
        check-gateway=ping distance=1 scope=30 target-scope=10 

 4   S  dst-address=0.0.0.0/0 gateway=83.18.101.1 gateway-status=83.18.101.1 reachable via  ether6WAN>
        check-gateway=ping distance=1 scope=30 target-scope=10 

 5   S  dst-address=0.0.0.0/0 gateway=10.2.0.1 gateway-status=10.2.0.1 reachable via  ether9WAN4 
        check-gateway=ping distance=3 scope=30 target-scope=10 

 6 ADC  dst-address=10.1.0.0/24 pref-src=10.1.0.2 gateway=ether8WAN3 
        gateway-status=ether8WAN3 reachable distance=0 scope=10 

 7 ADC  dst-address=10.2.0.0/24 pref-src=10.2.0.2 gateway=ether9WAN4 
        gateway-status=ether9WAN4 reachable distance=0 scope=10 

 8 ADC  dst-address=83.18.101.0/29 pref-src=83.18.101.2 gateway=ether6WAN1 
        gateway-status=ether6WAN1 reachable distance=0 scope=10 

 9 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=ether3LAN3 
        gateway-status=ether3LAN3 reachable distance=0 scope=10 

10 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 gateway=ether2LAN2 
        gateway-status=ether2LAN2 reachable distance=0 scope=10

/ip firewall filter

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3 XI  ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1LAN1 log=no log-prefix="" 

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no 
      log-prefix="" 

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 6 XI  ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 7 XI  ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat 
      in-interface=ether1LAN1 log=no log-prefix=""

I would be grateful for any solution and…
Sorry for bad English :)

Without having reviewed everything, I did notice that you have three ISPs and three Masquerade rules all on the same Routerboard. This has never worked for me. Masquerade often NATs using the wrong public IP in this setup. I’ve resolved this by adding a routerboard for each ISP/Required-Masquerade.

If there is another way, I’m open to hearing about it, but I’ve spent many mind-numbing hours on this issue myself.

Also, since this isn’t purely a Mikrotik question, I’d recommend researching the UniFi firmware level. There are some known bad ones, and known good ones out there.

You need to either disable the Fasttrack filter rule, or create a system where the marked routes are not Fasttracked.

Fasttrack bypasses filters and mangles after the first few packets and then will get routed out the default route table causing havoc with connection tracking, etc.

If you still want some traffic fasttracked for CPU savings, try putting an extra condition on the Fasttrack to only do connections with no connection mark, and in the main routing table.
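
Added example, not written by any poster in this thread: the two options from the last reply expressed as RouterOS commands against the filter rule printed in the original post. It covers only the "no connection mark" condition, using the `connection-mark=no-mark` matcher; a separate routing-table condition is not shown, and the rule is located by its action on the assumption that the configuration holds a single fasttrack rule, as the printout shows.

```routeros
# Added example, not from the thread.
# Rule as printed in the original post (/ip firewall filter, rule 4). It
# fasttracks every established/related forwarded connection, including the
# connections that mangle rules 12-14 mark for ether8WAN3, ether9WAN4 and
# ether6WAN1:
#   chain=forward action=fasttrack-connection connection-state=established,related

/ip firewall filter

# Locate the rule by its action rather than by its print number,
# which changes whenever rules are added or moved.
print where action=fasttrack-connection

# Option 1: stop fasttracking altogether (uncomment to use instead of option 2).
# disable [find action=fasttrack-connection]

# Option 2: keep fasttrack, but only for connections that carry no
# connection mark, so PCC-marked connections stay on the normal path
# where the mark-routing rules (15-17) still see every packet.
set [find action=fasttrack-connection] connection-mark=no-mark

# Confirm the extra matcher is on the rule.
print where action=fasttrack-connection

# Check: with WiFi clients transferring data, the packet counters on the
# mark-routing rules should keep increasing instead of stalling after the
# first packets of each connection.
/ip firewall mangle print stats
```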