Hi All,
Hoping for some help here as I'm losing my mind. I've gone through and checked every setting I can think of, and googled everything I can think of, with no luck.
I'm running a Routerboard 3011 on RouterOS 6.44.3 which runs the home internet on an Australian NBN ISP (FTTH) called Aussie Broadband. They use IPoE w/DHCP for connection/authentication/etc.
I'm having an issue where I'm seeing daily, or sometimes every other day, internet outages with the ISP. They are informing me that, looking at the logs, my Mikrotik is tearing the session down every 30 minutes and re-establishing a new session. They are telling me this isn't normal behaviour, and it's been happening for as long as they can tell. I tried plugging a PC directly into the NBN NTD, left it running overnight and checked in the next day; they told me the session was stable for the solid 12 hours it was operational. Incidentally the ISP runs a 30 min DHCP lease, however they've told me there is no relation to the 30 min session drops I'm getting. When the internet drops out, I still have an active DHCP lease (usually it's got 25-28 min left on the lease). Additionally, the only way I can restore internet access is by rebooting the Mikrotik.
The Mikrotik doesn't connect directly to the NTD; I have a separate switch closer to the NTD, and the Mikrotik ↔ NTD traffic resides in an isolated VLAN trunked between both devices.
Here is a sanitised copy of the config, thanks in advance:
# apr/19/2020 09:19:53 by RouterOS 6.44.3
# software id = ULLN-Q8G0
#
# model = RouterBOARD 3011UiAS
# serial number = xxxxx
# Two bridges: "bridge" (defconf) and "bridge1" ("created from master port",
# protocol-mode=none). bridge1 is the interface the WAN-style firewall/NAT
# rules later in this export key on (in-interface=bridge1 / out-interface=bridge1).
/interface bridge
add admin-mac=64:D1:54:81:50:87 auto-mac=no comment=defconf name=bridge
add admin-mac=64:D1:54:81:50:8C auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
# All copper ports are pinned to 100Mbps; ether1 keeps the defconf "gateway" name.
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1500 name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-master-local \
speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
set [ find default-name=ether6 ] name=ether6-master-local speed=100Mbps
set [ find default-name=ether7 ] name=ether7-slave-local speed=100Mbps
set [ find default-name=ether8 ] name=ether8-slave-local speed=100Mbps
set [ find default-name=ether9 ] name=ether9-slave-local speed=100Mbps
set [ find default-name=ether10 ] name=ether10-slave-local speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# NBN transit VLAN 21 and external Wi-Fi VLAN 110 are both tagged on
# ether5-slave-local (mtu 1496). NOTE(review): the switch VLAN table further
# down places VLAN 21/110 on ether1-gateway instead, and neither DHCP client in
# this export sits on NBNTransit (they are on ether1-gateway and bridge1) —
# worth confirming which interface really carries the ISP session.
/interface vlan
add interface=ether5-slave-local loop-protect=off mtu=1496 name=NBNTransit \
vlan-id=21
add interface=ether5-slave-local loop-protect=off mtu=1496 name=WIFI_External \
vlan-id=110
/interface ethernet switch port
set 0 default-vlan-id=110 vlan-mode=fallback
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=skypenack regexp="[\\\\|\\xd5]"
# IPsec phase-1 profile: AES-256 / SHA-512, but dh-group=modp1024 (1024-bit
# MODP) is below current recommendations — modp2048 or stronger is preferable
# if the remote peer (180.150.13.138, see /ip ipsec peer) supports it.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
profile1
/ip ipsec peer
add address=180.150.13.138/32 local-address=x.x.x.12 name=peer1 profile=\
profile1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=mikrotik
# Pool ranges were blanked during sanitising.
/ip pool
add name=default-dhcp range=
add name=vpn-pool ranges=
/ppp profile
set *0 dns-server=x.x.x.5,x.x.x.13 local-address=x.x.x.11
# Default SNMP community answers from any address (0.0.0.0/0) but has
# read-access=no; the trap community used in /snmp further down is separate.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 read-access=no
# Logging action 3 sends to a remote syslog host (sanitised address).
/system logging action
set 3 remote=x.x.x.16
/tool traffic-generator port
add interface=ether1-gateway name=443
# ether2-5 and sfp1 belong to "bridge"; ether6-10 belong to "bridge1".
# ether5-slave-local, the parent of the NBNTransit/WIFI_External VLANs,
# is itself a member of "bridge".
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master-local
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether3-slave-local
add bridge=bridge interface=ether4-slave-local
add bridge=bridge interface=ether5-slave-local
add bridge=bridge1 interface=ether7-slave-local
add bridge=bridge1 interface=ether8-slave-local
add bridge=bridge1 interface=ether9-slave-local
add bridge=bridge1 interface=ether10-slave-local
add bridge=bridge1 interface=ether6-master-local
/ip neighbor discovery-settings
set discover-interface-list=discover
# detect-internet is active on every interface (list=all). NOTE(review):
# whether it interacts with the ISP session cannot be determined from this
# export; temporarily setting it to none is a cheap test while chasing the
# periodic drops.
/interface detect-internet
set detect-interface-list=all
# Switch-chip VLAN table: VLAN 21 and 110 are listed on ether1-gateway only,
# not on ether5-slave-local where the VLAN interfaces above are defined.
/interface ethernet switch vlan
add independent-learning=yes ports=ether1-gateway switch=switch1 vlan-id=21
add independent-learning=yes ports=ether1-gateway switch=switch1 vlan-id=110
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=sfp1 list=discover
add interface=bridge1 list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=sfp1 list=mactel
add interface=bridge list=mac-winbox
add interface=sfp1 list=mac-winbox
# OpenVPN server: AES-256, client certificate required. auth=sha1 is the
# HMAC; NOTE(review): RouterOS 6's OVPN server offers only md5/sha1/null,
# so this is the strongest choice available on this version.
/interface ovpn-server server
set auth=sha1 certificate=vpn-server.crt_0 cipher=aes256 enabled=yes \
require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
# Public addresses on bridge1: x.x.x.12 active (/32), x.x.x.10 disabled.
/ip address
add address=x.x.21.4/24 interface=ether2-master-local network=\
x.x.21.0
add address=192.168.1.1/24 interface=ether10-slave-local network=x.x.1.0
add address=x.x.x.10 disabled=yes interface=bridge1 network=\
255.255.255.254
add address=x.x.x.12 interface=bridge1 network=255.255.255.255
add address=x.x.110.1/24 interface=WIFI_External network=x.x.110.0
/ip cloud
set ddns-enabled=yes
# Two DHCP clients are enabled at once: the defconf one on ether1-gateway and
# a second on bridge1, both sending hostname+clientid. NOTE(review): the
# /ip route section was redacted, so confirm which client actually holds the
# ISP lease and whether the other one is also reaching the ISP's DHCP server.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1-gateway
add dhcp-options=hostname,clientid disabled=no interface=bridge1
/ip dhcp-relay
add dhcp-server=x.x.x.5 interface=ether10-slave-local local-address=\
192.168.1.1 name=relay1
add dhcp-server=x.x.x.5 disabled=no interface=WIFI_External \
local-address=x.x.110.1 name=WIFI_External_DHCP_Relay
/ip dhcp-server network
add address=x.x.1.0/32 dns-server=x.x.x.4 domain=xxx.local gateway=\
192.168.1.1 netmask=24
# allow-remote-requests=yes makes the router a resolver. The input chain below
# drops unsolicited traffic arriving on bridge1, but there is no equivalent drop
# for ether1-gateway, which also runs a DHCP client.
/ip dns
set allow-remote-requests=yes servers=x.x.x.4,x.x.x.13
# NOTE(review): the export looks cut here — "router" is a DNS static entry, but
# the entries that follow carry list=, i.e. they are /ip firewall address-list
# items whose section header was lost in the paste. The lists the firewall
# references (InsideNetworks, ShadowFoundation, CN, Plex_Server, MXGuardDog)
# are not in the visible export.
/ip dns static
add address=192.168.88.1 name=router
add address=x.x.x.211 comment="Plex IP Address for QoS Matching" list=\
Plex_Internal
add address=x.x.x.13 comment="Crashplan Internal IP's for QoS Matching" \
list=Crashplan_Internal
add address=103.8.239.0/24 comment="Crashplan Australia IP Range" list=\
Crashplan_External
# Filter rules are evaluated top-down; the accepts listed first win before the
# catch-all bridge1 drops at the end. Several early accepts carry no
# in-interface or source restriction.
/ip firewall filter
add action=accept chain=forward comment="Inbound Plex" dst-address=\
x.x.x.11 dst-port=32400 log=yes protocol=tcp
add action=accept chain=forward comment="Mikrotik OpenVPN Traffic" \
dst-address=x.x.x.11 log=yes log-prefix=OVPN
# Accepts TCP/32400 in forward from any interface/source — marked temporary.
add action=accept chain=forward comment="Tempoary Plex Rule TCP/32400 Allow" \
dst-port=32400 protocol=tcp
add action=accept chain=forward comment=\
"Alow VPN Traffic between Site 1 & Site 2" dst-address=x.x.0.0/16 \
src-address=x.x.11.0/24
add action=drop chain=input comment="Drop Shadow Server Foundation IP's" \
src-address-list=ShadowFoundation
add action=drop chain=input comment="Drop all China traffic" \
src-address-list=CN
add action=accept chain=output src-address=x.x.x.12
# IKE/ESP/AH for the IPsec peer, limited to the x.x.x.12 address.
add action=accept chain=input dst-address=x.x.x.12 protocol=ipsec-esp
add action=accept chain=input dst-address=x.x.x.12 protocol=ipsec-ah
add action=accept chain=input dst-address=x.x.x.12 dst-port=500 \
in-interface=bridge1 protocol=udp
add action=accept chain=forward disabled=yes dst-address=x.x.x.16
add action=accept chain=forward comment="Mikrotik OpenVPN" dst-address=\
10.254.254.2 dst-port=443 protocol=udp
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# VPN listeners: SSTP (443/tcp), L2TP (1701/udp, use-ipsec=yes above) and PPTP
# (1723/tcp). PPTP's authentication/encryption is considered broken; if the PPTP
# server is enabled (not shown in this export) and not needed, drop this accept.
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
# Inbound published services from bridge1: no dst-address match, so these rely
# on the dstnat rules having already rewritten the destination.
add action=accept chain=forward comment="Inbound Exchange OWA" dst-port=443 \
in-interface=bridge1 protocol=tcp
add action=accept chain=forward comment="Inbound Plex" dst-address=\
x.x.x.x.27 dst-address-list=Plex_Server dst-port=32400 in-interface=\
bridge1 log-prefix=PLEXFW protocol=tcp src-address-list=""
add action=accept chain=forward comment="Inbound Exchange SMTP" dst-port=25 \
in-interface=bridge1 protocol=tcp src-address-list=MXGuardDog
add action=accept chain=forward comment="Inbound SSH" dst-port=22 \
in-interface=bridge1 protocol=tcp
# FTP control port accepted in forward from any interface/source; the matching
# dst-nat to x.x.150.65 in the nat section is disabled.
add action=accept chain=forward dst-port=21 protocol=tcp
# Winbox (TCP/8291) accepted on input from any interface/source, ahead of the
# bridge1 drop rules. The only remaining limit is /ip service winbox being bound
# to x.x.150.0/24 — consider restricting this rule to a source list or reaching
# Winbox via one of the VPNs instead.
add action=accept chain=input comment="Allow Winbox access remotely" \
dst-port=8291 protocol=tcp
add action=accept chain=forward dst-address=x.x.252.0/23 src-address=\
x.x.11.0/24
add action=drop chain=forward comment=\
"VLAN 110 WIFI External - Drop all internal traffic" dst-address-list=\
InsideNetworks src-address=x.x.110.0/24
# Duplicate of the "defconf: fasttrack" rule at the end of the chain.
add action=fasttrack-connection chain=forward comment="default configuration" \
connection-state=established,related
# Duplicates of the ICMP and established/related accepts above.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=bridge1
# Drops everything from bridge1 that is not established/related, so the
# "drop all from WAN not DSTNATed" rule right after it can no longer match;
# any dst-nat'd service must be accepted explicitly above (as 443/32400/25/22 are).
add action=drop chain=forward connection-state=!established,related \
in-interface=bridge1
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=bridge1
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Already covered by the bare "drop input in-interface=bridge1" rule above.
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=bridge1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
/ip firewall mangle
# Clamp MSS of forwarded SYNs to 1448, which fits the 1496-byte VLAN MTU.
add action=change-mss chain=forward new-mss=1448 protocol=tcp tcp-flags=syn \
tcp-mss=!0-1448
# NOTE(review): this rule matches packet-mark=CrashPlan and sets the same mark;
# no earlier rule in this export assigns that mark, so as exported it appears
# to have no effect.
add action=mark-packet chain=prerouting comment=\
"Mark Backup Traffic as \"CrashPlan\"" dst-address-list=\
Crashplan_External new-packet-mark=CrashPlan packet-mark=CrashPlan \
passthrough=yes protocol=tcp
# NAT: inbound publishing is dst-nat on bridge1 to x.x.x.11 / x.x.x.12;
# outbound is a mix of per-host src-nat and masquerade rules.
/ip firewall nat
add action=accept chain=srcnat comment=\
"NAT rule for VPN - Site 1 <-> Site 2" dst-address=10.253.11.0/24 \
src-address=x.x.0.0/16
add action=dst-nat chain=dstnat comment="Plex Inbound" dst-address=\
x.x.x.11 dst-port=32400 in-interface=bridge1 log=yes protocol=tcp \
to-addresses=x.x.150.56
add action=src-nat chain=srcnat comment="Plex Outbound SRC-NAT" protocol=tcp \
src-address=x.x.150.56 to-addresses=x.x.x.11
# Unlike the other dstnat entries this one has no in-interface=bridge1 match.
add action=dst-nat chain=dstnat comment="OpenVPN Inound -> PfSense" \
dst-address=x.x.x.11 dst-port=443 protocol=udp to-addresses=\
10.254.254.2 to-ports=443
add action=dst-nat chain=dstnat comment="OpenVPN Inound -> PfSense" \
dst-address=x.x.x.11 dst-port=1943 in-interface=bridge1 protocol=udp \
to-addresses=x.x.254.2
add action=accept chain=srcnat disabled=yes dst-address=x.x.11.0/24 \
src-address=x.x.252.0/23
# Outbound SMTP from two internal hosts is pinned to x.x.x.12 so the
# sending address matches the published MX address.
add action=src-nat chain=srcnat comment=\
"ExchangeSMTP Outbound to AussieBB IP: x.x.x.12 " dst-port=25 \
out-interface=bridge1 protocol=tcp src-address=x.x.120.6 \
to-addresses=x.x.x.12
add action=src-nat chain=srcnat comment=\
"Exchange 2016 SMTP Outbound to AussieBB IP: x.x.x.12 " \
dst-port=25 out-interface=bridge1 protocol=tcp src-address=x.x.x.7 \
to-addresses=x.x.x.12
add action=src-nat chain=srcnat comment="Plex Outbound on x.x.x.x.173 \
\_ AussieBB: x.x.x.10\r\
\n" disabled=yes log=yes log-prefix="PLEX OUT" out-interface=bridge1 \
protocol=tcp src-address=x.x.x.215 to-addresses=x.x.x.11
add action=dst-nat chain=dstnat comment="Plex Inbound \
.173 - AussieBB:x.x.x.10\r\
\n" disabled=yes dst-address=x.x.x.11 dst-port=32400 in-interface=\
bridge1 log-prefix="PLEX IN" protocol=tcp to-addresses=x.x.150.56
add action=masquerade chain=srcnat comment="default configuration" \
dst-address=0.0.0.0/0 out-interface=bridge1 src-address-list=\
InsideNetworks
add action=dst-nat chain=dstnat comment="Exchange 2016 OWA Inbound" \
dst-address=x.x.x.11 dst-port=443 in-interface=bridge1 protocol=tcp \
to-addresses=x.x.x.7 to-ports=443
add action=dst-nat chain=dstnat comment="Exchange OWA inbound" dst-address=\
x.x.x.12 dst-port=443 in-interface=bridge1 log-prefix=Exchange port=\
"" protocol=tcp to-addresses=x.x.x.7
add action=dst-nat chain=dstnat disabled=yes dst-address=x.x.x.11 \
dst-port=443 in-interface=bridge1 protocol=tcp to-addresses=x.7
add action=dst-nat chain=dstnat disabled=yes dst-port=21 protocol=tcp \
to-addresses=x.x.150.65 to-ports=21
# Inbound SMTP is limited to the MXGuardDog source list.
add action=dst-nat chain=dstnat comment="SMTP Inbound to Exchange" \
dst-address=x.x.x.12 dst-port=25 in-interface=bridge1 protocol=tcp \
src-address-list=MXGuardDog to-addresses=x.x.x.7
# Disabled; the only NAT rule that treats ether1-gateway as the WAN side.
add action=dst-nat chain=dstnat comment="SMTP to Exchange" disabled=yes \
dst-port=25 in-interface=ether1-gateway log=yes protocol=tcp \
to-addresses=x.x.120.6
add action=dst-nat chain=dstnat comment="SSH Inbound to Gateway VM" \
dst-address=x.x.x.11 dst-port=22 in-interface=bridge1 protocol=tcp \
to-addresses=x.x.120.10
add action=accept chain=srcnat disabled=yes dst-address=x.x.x.11 \
dst-port=32400 log=yes protocol=tcp
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=bridge1
# Unconditional masquerade: with no matchers it also source-NATs traffic
# between internal segments, hiding original source addresses from downstream
# logs. Scope it to the VPN interface/out-interface if that is the intent.
add action=masquerade chain=srcnat comment="masq. vpn traffic"
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add notrack-chain=output peer=peer1
# Site-to-site tunnel policies: the default policy and the x.x.252.0/23 policy
# are disabled; the active one covers x.x.0.0/16 <-> 10.253.11.0/24 to the
# peer at 180.150.13.138 using the "mikrotik" proposal.
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=10.253.11.0/24 proposal=mikrotik sa-dst-address=\
180.150.13.138 sa-src-address=x.x.x.12 src-address=x.x.252.0/23 \
tunnel=yes
add dst-address=10.253.11.0/24 proposal=mikrotik sa-dst-address=\
180.150.13.138 sa-src-address=x.x.x.12 src-address=x.x.0.0/16 \
tunnel=yes
# Routes were redacted from the export.
/ip route
xxxx
# Management services are bound to x.x.150.0/24. telnet, ftp, www and api are
# still enabled; telnet and ftp are cleartext and worth disabling if unused.
/ip service
set telnet address=x.x.150.0/24
set ftp address=x.x.150.0/24
set www address=x.x.150.0/24
set ssh address=x.x.150.0/24
set api address=x.x.150.0/24
set winbox address=x.x.150.0/24
set api-ssl address=x.x.150.0/24
/ip traffic-flow
set cache-entries=128k enabled=yes
# UPnP is enabled with allow-disable-external-interface=yes, which lets any
# LAN host ask the router to bring down its external interface. Only an
# internal UPnP interface is declared (ether2-master-local); no external one.
# Worth ruling out as a factor while chasing the periodic drops.
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=ether2-master-local type=internal
/lcd
set time-interval=hour
/lcd interface
add interface=bridge1
/lcd interface pages
set 0 interfaces="ether1-gateway,ether2-master-local,ether3-slave-local,ether4\
-slave-local,ether5-slave-local,sfp1,bridge1,ether7-slave-local,ether8-sla\
ve-local,ether9-slave-local,ether10-slave-local"
/ppp secret
add name=xxxx service=ovpn
add local-address=x.x.21.4 name=xxxx remote-address=x.x.21.100 \
service=ovpn
# SNMP enabled with traps (v2) on ether2-master-local; community sanitised.
/snmp
set enabled=yes trap-community=xxxxx trap-interfaces=\
ether2-master-local trap-version=2
/system clock
set time-zone-name=Australia/Melbourne
/system identity
set name=xxx
# Logging: rule 2 goes to the remote action; the firewall and info topic rules
# are disabled. Enabling them (and a dhcp topic rule) around the time of a drop
# would give the ISP-side "session torn down" event a router-side timestamp.
/system logging
set 2 action=remote
add action=remote disabled=yes topics=packet
add disabled=yes topics=info
add disabled=yes topics=firewall
/system ntp client
set enabled=yes primary-ntp=192.189.54.33 secondary-ntp=13.55.50.68 \
server-dns-names=""
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
# Packet sniffer pre-configured for UDP/https on bridge1 (1000KiB buffer).
/tool sniffer
set filter-interface=bridge1 filter-ip-protocol=udp \
filter-operator-between-entries=and filter-port=https memory-limit=\
1000KiB