Mikrotik Router High TX Rate

Hello,

I’ve been having issues with my internet running really slowly. Whenever my connection slows to a crawl (about 0.2–1 Mbps, when it is supposed to get 6 Mbps download), I look at the interface list in the router configuration and see the TX rate on the gateway and pppoe-out interfaces running at about 7–8 Mbps — in other words the router itself is sending upstream at roughly the full line rate. Whenever I disable and re-enable the gateway interface, the internet speed goes back to normal. Sometimes this happens several times a week and other times it won’t happen for a couple of weeks.

I have updated the RouterOS version to 6.34, but the problem still persists. I have just upgraded it to 6.34.2, so I’ll see if that helps any. I have also unplugged the modem from the router and connected it directly into my computer when the internet is going slow and the speeds are at the normal speed after I do that. I don’t see any computers on my network that are using an excessive amount of bandwidth when I have this slow network issue. Is there any way I can see if any service is using lots of bandwidth on the router itself or any kind of log that shows detailed network usage stats?

Thanks,
Jacob

Do you have firewall rules in place that reference the proper WAN interface (pppoe-out1, NOT the ether1 port the PPPoE session runs over)? A rule matching in-interface=ether1-gateway never sees traffic that arrives inside the PPPoE session.

Do you have Allow Remote Requests enabled in IP > DNS Settings? (That makes the router answer DNS queries arriving on any interface, including the WAN, unless the firewall blocks them.)

If your firewall rules are not actually applied to the PPPoE interface, the router’s resolver is reachable from the internet as an open resolver, and it could be being used in a DNS amplification attack: attackers send small queries with a spoofed source address and your router sends the much larger answers to the victim. That would look exactly like what you describe — high TX on pppoe-out with no LAN host responsible for it.

Thanks for your response. I haven’t set up any firewall rules since I set up the router; it looks like it just has the default ones. “Allow Remote Requests” is enabled under the DNS Settings. I have been meaning to lock down my router with firewall rules, but haven’t got to it yet.

This does sound like a DDoS attack that could be happening. What would I enter to add a firewall rule that blocks these potential DDoS attacks? Wouldn’t I also be able to limit the number of incoming connections, or would a firewall rule be better for this?

You should by all means implement firewall filter rules to protect your router from the internet. Rate-limiting connections would only slow the abuse down; the fix is to stop answering DNS (and everything else unsolicited) on the WAN interface at all.

The default configuration already includes a firewall ruleset that protects you, but if you’re using PPPoE you must make sure the PPPoE interface (pppoe-out1) is the one the firewall rules refer to, not the ether port it is bound to — otherwise the default drop rule never matches your internet traffic.

type this on a New Terminal:

/export hide-sensitive

and post it here so we can check it. Note that hide-sensitive only strips passwords and keys; review the output for your PPPoE username, public IP and MAC addresses before posting it publicly.

The default device configuration script, which contains the default firewall rules, can be seen by issuing:

/system default-configuration print

Sorry for the late response. I entered the /export hide-sensitive command and got this:

# may/23/2016 11:26:57 by RouterOS 6.34.2

# software id = AB1E-A2M3

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=
ether5-slave-local
# NOTE(review): the internet session runs inside the PPPoE client below, so the
# "WAN interface" for firewall and NAT purposes is pppoe-out1, not ether1-gateway.
/interface pppoe-client
# NOTE(review): /export hide-sensitive strips the password but not the PPPoE
# username; redact user= before posting an export publicly.
add add-default-route=yes disabled=no interface=ether1-gateway max-mru=1480
max-mtu=1480 name=pppoe-out1 use-peer-dns=yes user=renshawwc@frontier.com
/interface pptp-server
add name=pptp-vpn-server user=""
/ip neighbor discovery
set pppoe-out1 discover=no
set pptp-vpn-server discover=no
/ip ipsec proposal
# NOTE(review): the default IPsec proposal is limited to 3DES, which is
# deprecated; prefer AES if this proposal is ever used.
set [ find default=yes ] enc-algorithms=3des
/ip pool
# NOTE(review): both pools include 192.168.1.50, so a DHCP client and a VPN
# client can be handed the same address.
add name=default-dhcp ranges=192.168.1.50-192.168.1.253
add name=VPN-pool ranges=192.168.1.45-192.168.1.50
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local
lease-time=3d name=default
/ppp profile
add local-address=192.168.1.1 name=VPN-Profile remote-address=VPN-pool
/system logging action
# Only 100 log lines are kept in memory / per disk file; raise these (or send
# logs to a remote syslog) before relying on the router log to investigate traffic.
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/user group
# Read-only SSH group (note it also denies the "sniff" policy despite its name).
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!te
st,!winbox,!password,!web,!sniff,!sensitive,!api"
/interface pptp-server server
# NOTE(review): PPTP server enabled. PPTP (MS-CHAPv2) is widely regarded as
# broken; consider another VPN type. Also, the input chain below accepts only
# icmp/established/related before dropping on the WAN interfaces, so TCP/1723
# and GRE from the internet are dropped and this server is not reachable from
# outside while those drops are in place.
set default-profile=VPN-Profile enabled=yes max-mru=1460 max-mtu=1460
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
# Per-host accounting stats exposed over HTTP to a single LAN host only.
set accessible-via-web=yes address=192.168.1.72/32
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=
ether2-master-local network=192.168.1.0
/ip dhcp-client
# NOTE(review): if the modem ever hands out a lease, this adds a default route
# via ether1 at distance 0 next to the PPPoE default route (whose distance is
# not shown here); check /ip route print for two default routes.
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no
interface=ether1-gateway
/ip dhcp-server lease
# Static leases. The camera entries omit server= (presumably applying to any
# DHCP server). IP cameras are common botnet targets and there are no
# forward-chain rules in this config limiting what they can send out;
# consider isolating them from the rest of the LAN.
add address=192.168.1.10 client-id=1:0:80:77:70:BC:9B mac-address=
00:80:77:70:BC:9B server=default
add address=192.168.1.2 client-id=1:0:80:87:94:90:9e mac-address=
00:80:87:94:90:9E server=default
add address=192.168.1.72 always-broadcast=yes mac-address=68:05:CA:1C:00:3D
server=default
add address=192.168.1.4 comment="Swann Camera" mac-address=44:19:B7:02:43:C1
add address=192.168.1.5 comment="Swann Camera" mac-address=44:19:B7:02:43:B5
add address=192.168.1.7 comment="Swann Camera" mac-address=24:A4:3C:44:EB:F2
add address=192.168.1.6 comment="Swann Camera" mac-address=44:19:B7:08:64:1F
add address=192.168.1.8 comment="Hikvision Camera" mac-address=
44:19:B6:44:22:AE
add address=192.168.1.70 mac-address=00:25:31:06:33:63 server=default
/ip dhcp-server network
# LAN clients are handed OpenDNS directly, so they do not depend on the
# router's own resolver (allow-remote-requests below) unless a host is
# manually pointed at 192.168.1.1.
add address=192.168.1.0/24 comment="default configuration" dns-server=
208.67.222.222,208.67.220.220 gateway=192.168.1.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# arriving on ANY interface. With the default input drop bound to
# ether1-gateway instead of pppoe-out1 (see /ip firewall filter), the resolver
# was reachable from the internet — an open resolver usable for DNS
# amplification, which matches the high TX on pppoe-out1 reported above.
# Either set this to no, or keep the input drop on pppoe-out1 in place.
set allow-remote-requests=yes servers=74.40.74.40,74.40.74.41
/ip dns static
# Stale entry: 192.168.88.1 is the factory LAN address; this router's LAN
# address is 192.168.1.1/24 (see /ip address).
add address=192.168.88.1 name=router
/ip firewall filter
# Input chain only; there are no forward-chain rules in this config, so
# nothing restricts what LAN hosts (or dst-nat'd hosts) may do.
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
# Default drop rule, but bound to the Ethernet port: internet traffic arrives
# inside the PPPoE session (in-interface=pppoe-out1), so this never matches it.
add action=drop chain=input comment="default configuration" in-interface=
ether1-gateway
# Rule added by the poster: drops all new input from the internet. Correctly
# placed after the icmp/established/related accepts. Confirm it is matching
# with: /ip firewall filter print stats
add action=drop chain=input in-interface=pppoe-out1
/ip firewall nat
# Masquerade bound to ether1-gateway never matches traffic leaving via
# pppoe-out1; the src-address rule below is what actually masquerades the
# PPPoE session.
add action=masquerade chain=srcnat comment="default configuration"
out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat src-address=192.168.1.0/24 to-addresses=
0.0.0.0
# NOTE(review): both dst-nat rules are bound to ether1-gateway, so they do not
# apply to traffic arriving over PPPoE — these port forwards are effectively
# inactive. If re-pointed at pppoe-out1, TCP/401 would expose the router's own
# SSH (and would also need an input accept), and TCP/22 exposes the SSH of
# 192.168.1.70 to the internet with no forward-chain restriction.
add action=dst-nat chain=dstnat dst-port=401 in-interface=ether1-gateway
protocol=tcp to-addresses=192.168.1.1 to-ports=22
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1-gateway
protocol=tcp to-addresses=192.168.1.70 to-ports=22
/ip proxy
# No enabled=yes appears in this export, so the web proxy is presumably off;
# if it is ever enabled it must stay unreachable from the WAN (open proxy).
set cache-path=web-proxy1 parent-proxy=0.0.0.0
/ip service
# telnet/ftp/api disabled. Services not listed keep their defaults — presumably
# ssh, www and winbox remain enabled with no address= restriction; verify with
# /ip service print and consider restricting each to 192.168.1.0/24.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
/ip traffic-flow
# NetFlow export enabled, but no target appears in this export, so nothing
# receives it. Pointing it at a collector would give the per-flow usage stats
# asked for in the thread; /tool torch gives the same view live.
set cache-entries=4k enabled=yes
/ppp secret
# VPN accounts; passwords are stripped by hide-sensitive.
add name=ppp1 profile=VPN-Profile
add local-address=192.168.1.45 name=Jacob profile=VPN-Profile remote-address=
192.168.1.46
/snmp
# SNMP enabled with no community configured here, so defaults apply
# (presumably the read-only "public" community — verify with
# /snmp community print). Reachable from the LAN only while the WAN input
# drops above are in place.
set enabled=yes trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=EST
/tool mac-server
# MAC-telnet and MAC-winbox are offered only on the LAN switch ports, not on
# ether1-gateway or pppoe-out1.
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local

I also added a firewall rule to drop chain=input for the pppoe-out1 interface, but I'm not sure if that is set up correctly. It didn't seem to fix the issue with the DDoS attacks, so there must be something else that needs to be set.

I disabled Allow Remote Requests in DNS settings and it works, thanks. Can you explain how it works, please?

felix: if you do that, the router itself will no longer answer DNS queries on any interface, LAN included, so your LAN clients need to get DNS from somewhere else; if you provide DNS from a different server inside your LAN, that’s the best approach. (In Jacob’s export above the DHCP server already hands clients OpenDNS directly, so only hosts manually pointed at 192.168.1.1 would notice.) Why it worked: with Allow Remote Requests on and no input drop on pppoe-out1, anyone on the internet could query your router’s resolver; attackers sent small queries with a forged source address and your router answered with large responses to the victim — that was the outbound TX you were seeing.

Otherwise, the default firewall config protects you as long as the input drop rule is bound to the PPPoE client interface (pppoe-out1), so the resolver is only reachable from the LAN.

hastrow: dropping everything in the input chain on pppoe-out1 (after the established/related accepts) should be enough, and your export already has that rule. Confirm it is actually matching with `/ip firewall filter print stats` (the drop counter on the pppoe-out1 rule should climb) and watch `/tool torch interface=pppoe-out1` for the UDP/53 traffic. Also note that your dst-nat and the default masquerade rules still refer to ether1-gateway, so they do not apply to the PPPoE session either.