Hi, I’ve been struggling to get my setup working, with intermittently high ping-packet loss between some subnets and devices on a bridge.
My setup uses an RB2011UiAS and a CapAc. It looks roughly like:
DSL router 192.168.2.1 / 24
RB2011: ETH1 192.168.2.5/24
Bridge on a number of interfaces for servers: 10.42.42.1/24
WIFI private network: 10.42.43.1/24
WIFI guest network: 10.42.44.1/24 (vlan1)
Test network: 10.42.45.1/24
I have a server at 10.42.42.5.
I have a DNS server at 10.42.42.12
From a computer wired to the 10.42.42.0/24 bridge I can reliably ping both servers.
From a computer wired to the 10.42.45.1 interface (or through WIFI), pinging the servers is unreliable. I will get a good connection to one server or the other, while the remaining one is bursty: 2-3 ping responses, then timeouts for 10 or so, then a few more responses.
The only thing that appears to make a difference is running torch on any interface. When torch is running I have no packet loss, and when it’s stopped it’s back to being bursty.
I have seen other forum posts about issues with fasttrack connections, but I have none. Disabling ‘fast forward’ on the bridge also has no effect. Removing my queues has no effect.
What other things should I look at? What is torch enabling or disabling when it’s running?
Thanks
Config attached below:
# nov/28/2020 22:01:15 by RouterOS 6.47.6
# software id = NG9Q-TLC8
#
# model = RB2011UiAS
# serial number = C68E0BAB798C
# NOTE(review): the export header above still carries the software id and the
# device serial number, while the Wi-Fi passphrases below are masked.
#
# CAPsMAN channels: only names are set here, so band/frequency selection is
# left to whatever the defaults are.
/caps-man channel
add name=ABCDEFG_wifi_guest
add name=ABCDEFG_wifi_private
# CAPsMAN datapaths. Both use local-forwarding=yes. The guest datapath tags
# traffic with VLAN 1 as a service tag, matching ether5_vlan1 below.
# NOTE(review): client-to-client-forwarding is enabled only on the private
# datapath; the guest datapath leaves it unset (default) - confirm that default
# is "no" if guest clients are meant to be isolated from each other.
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=ABCDEFG
add local-forwarding=yes name=ABCDEFG_VLAN1 vlan-id=1 vlan-mode=use-service-tag
# Bridge for the wired server segment (10.42.42.0/24); its ports are added
# under "/interface bridge port" further down.
/interface bridge
add name=Core
/interface ethernet
set [ find default-name=ether1 ] comment="Internet Router"
set [ find default-name=ether5 ] comment="WIFI Router"
set [ find default-name=sfp1 ] disabled=yes
# Guest Wi-Fi arrives on ether5 as service-tagged VLAN 1; untagged traffic on
# ether5 is the private Wi-Fi network.
/interface vlan
add interface=ether5 name=ether5_vlan1 use-service-tag=yes vlan-id=1
# NOTE(review): no mode= is given, so the bond runs in the RouterOS default
# bonding mode (balance-rr, to my knowledge - verify). The device attached to
# ether2/ether3 has to be configured for a matching mode; a mismatch can show
# up as intermittent loss for traffic crossing the bond.
/interface bonding
add name=BOND_ETH2_ETH3 slaves=ether2,ether3
# Both SSIDs use WPA2-PSK with AES-CCM, each with its own passphrase.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=ABCDEFG_private passphrase=XXXXXXXXXXXXXXXX
add authentication-types=wpa2-psk encryption=aes-ccm name=ABCDEFG_guest passphrase=XXXXXXXXXXXXXXX
# Ties channel + datapath + security together per SSID.
/caps-man configuration
add channel=ABCDEFG_wifi_private country="new zealand" datapath=ABCDEFG name=ABCDEFG_private security=ABCDEFG_private ssid=ABCDEFG
add channel=ABCDEFG_wifi_guest country="new zealand" datapath=ABCDEFG_VLAN1 name=ABCDEFG_guest security=ABCDEFG_guest ssid=ABCDEFG_guest
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pools use the upper half of each /24 (.128-.254); the static leases
# further down sit below that range.
/ip pool
add name=core ranges=10.42.42.128-10.42.42.254
add name=wifi ranges=10.42.43.128-10.42.43.254
add name=wifi_guest ranges=10.42.44.128-10.42.44.254
# One DHCP server per segment. No DHCP server is defined for ether8
# (10.42.45.0/24), so hosts on that test network need static addressing.
/ip dhcp-server
add address-pool=core disabled=no interface=Core name=Core
add address-pool=wifi disabled=no interface=ether5 name=Wifi_Ether5
add address-pool=wifi_guest disabled=no interface=ether5_vlan1 name=Wifi_Guest_Ether5_Vlan1
# Rate limits: one host on the private Wi-Fi by address, and guest traffic by
# the VLan1Packets packet mark set in "/ip firewall mangle".
/queue simple
add max-limit=256k/3M name=TVRestriction target=10.42.43.100/32
add max-limit=512k/1M name=VLan1Restriction packet-marks=VLan1Packets target=""
/caps-man manager
set enabled=yes
# CAPsMAN is forbidden on the default (all-interfaces) entry and allowed on
# ether5 only, so CAPs can only join from the Wi-Fi uplink.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether5
# NOTE(review): this provisioning rule has no matcher visible (no radio-mac,
# identity or hw-supported-modes filter), so it presumably applies to any CAP
# radio that connects on ether5 - confirm that is intended.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=ABCDEFG_private slave-configurations=ABCDEFG_guest
# Members of the Core bridge. ether1, ether5 and ether8 are routed interfaces
# and are not bridge ports.
/interface bridge port
add bridge=Core interface=ether6
add bridge=Core interface=ether9
add bridge=Core interface=ether10
add bridge=Core interface=BOND_ETH2_ETH3
# NOTE(review): "!dynamic" leaves neighbor discovery active on every static
# interface, which includes ether1 (the DSL-router side) and the guest VLAN.
# Restricting it to an interface list of trusted LAN ports would reduce what
# the router announces about itself.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# NOTE(review): detect-internet is enabled on all interfaces with every role
# list set to "all". This feature is not needed by anything else in this export
# and is worth disabling (detect-interface-list=none) while troubleshooting -
# verify against the RouterOS documentation for this version.
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
# Router addresses, one /24 per segment.
# NOTE(review): ether1 carries two addresses in the same subnet (192.168.2.5
# and 192.168.2.6). Only 192.168.2.5 is referenced elsewhere (the src-nat
# rule); confirm the second address is actually needed.
/ip address
add address=192.168.2.5/24 interface=ether1 network=192.168.2.0
add address=10.42.42.1/24 interface=Core network=10.42.42.0
add address=10.42.43.1/24 interface=ether5 network=10.42.43.0
add address=10.42.44.1/24 interface=ether5_vlan1 network=10.42.44.0
add address=192.168.2.6/24 interface=ether1 network=192.168.2.0
add address=10.42.45.1/24 interface=ether8 network=10.42.45.0
# Static leases. The entries for 10.42.42.10 and 10.42.42.11 have no server=
# set, unlike the others.
# NOTE(review): presumably those two then apply to any DHCP server - confirm,
# and pin them to server=Core if that is the intent.
/ip dhcp-server lease
add address=10.42.43.2 mac-address=C4:AD:34:E7:1C:EE server=Wifi_Ether5
add address=10.42.42.5 mac-address=3C:EC:EF:2A:FA:E7 server=Core
add address=10.42.43.100 mac-address=D4:6A:6A:E6:9C:39 server=Wifi_Ether5
add address=10.42.42.10 mac-address=3C:EC:EF:28:B1:E0
add address=10.42.42.11 mac-address=3C:EC:EF:28:B1:E1
add address=10.42.42.12 mac-address=B8:27:EB:3C:2B:D3 server=Core
# Every DHCP network, including the guest one, hands out 10.42.42.12 as the
# resolver. That is why the forward chain must let guest clients reach that
# host on the Core segment.
/ip dhcp-server network
add address=10.42.42.0/24 dns-server=10.42.42.12 gateway=10.42.42.1
add address=10.42.43.0/24 dns-server=10.42.42.12 gateway=10.42.43.1
add address=10.42.44.0/24 dns-server=10.42.42.12 gateway=10.42.44.1
# The router itself resolves through 10.42.42.12. allow-remote-requests does
# not appear in the export, so it is presumably at its default.
/ip dns
set servers=10.42.42.12
# Filter rules are evaluated top to bottom per chain; order matters.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# Management/any access to the router is allowed from the Core segment.
add action=accept chain=input comment="Allow connections to the router from 10.42.42.0" src-address=10.42.42.0/24
# NOTE(review): the comment text says 10.42.42.0 but this rule matches the test
# network 10.42.45.0/24 - the label looks copy-pasted. Both accept rules match
# on source address only (no in-interface), so they trust the address rather
# than the port the packet arrived on.
add action=accept chain=input comment="Allow connections to the router from 10.42.42.0" src-address=10.42.45.0/24
add action=accept chain=input comment="Allow responses to things the router has initiated" connection-state=established,related
# Default deny for the router: the Wi-Fi, guest and ether1 sides get no new
# connections to the router through this chain (this also drops their pings
# to the gateway addresses).
add action=drop chain=input comment="Drop everything else"
# --- forward chain: traffic routed between segments ---
add action=accept chain=forward comment="Allow forwarding of established and related connections" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
# NOTE(review): this lets guest clients open new connections to 10.42.42.12 on
# any protocol and port, not just DNS. Adding protocol/dst-port matchers for
# UDP and TCP 53 would limit guests to name resolution on that host.
add action=accept chain=forward comment="Allow forwarding from vlan1 to the DNS server" connection-state=new dst-address=10.42.42.12 in-interface=ether5_vlan1
# Guest isolation: anything else from the guest VLAN that is not leaving via
# ether1 is dropped before the per-subnet accepts below are reached.
add action=drop chain=forward comment="Dont forward from vlan1 to anything other than ether1" in-interface=ether5_vlan1 out-interface=!ether1
# The next four rules accept new connections by source subnet with no
# destination or interface restriction, so the Core, private Wi-Fi and test
# networks can reach each other freely as well as the Internet. For
# 10.42.44.0/24 only traffic leaving via ether1 gets this far.
# NOTE(review): matching on src-address alone means a host on one segment that
# spoofs another segment's source address is still accepted; pairing each rule
# with its in-interface would tie the address to the port.
add action=accept chain=forward comment="Allow forwarding from this network" connection-state=new src-address=10.42.42.0/24
add action=accept chain=forward comment="Allow forwarding from this network" connection-state=new src-address=10.42.43.0/24
add action=accept chain=forward comment="Allow forwarding from this network" connection-state=new src-address=10.42.44.0/24
add action=accept chain=forward comment="Allow forwarding from this network" connection-state=new src-address=10.42.45.0/24
# Default deny for routed traffic, including new connections arriving from the
# ether1 side.
add action=drop chain=forward comment="Drop everything else"
# Marks guest traffic so the VLan1Restriction simple queue can rate-limit it.
/ip firewall mangle
# Connection mark is applied in the forward chain to everything entering from
# the guest VLAN. There is no connection-state or connection-mark matcher, so
# the rule matches every forwarded guest packet, not only the first of a flow.
add action=mark-connection chain=forward in-interface=ether5_vlan1 new-connection-mark=VLan1Connections passthrough=no
# Packet mark is applied in prerouting from the connection mark.
# NOTE(review): prerouting is processed before forward, so the first packet of
# a connection is presumably not yet connection-marked when it passes this rule
# and goes unmarked - confirm against the RouterOS packet-flow diagram.
add action=mark-packet chain=prerouting connection-mark=VLan1Connections new-packet-mark=VLan1Packets passthrough=no
# All traffic leaving via ether1 is source-NATed to 192.168.2.5, so the DSL
# router sees a single address for every internal segment.
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.2.5
# Default route via the DSL router on the ether1 segment (no dst-address is
# given, so this is presumably 0.0.0.0/0).
/ip route
add distance=1 gateway=192.168.2.1
# Clock is fixed to UTC; log timestamps will be in UTC, not local time.
/system clock
set time-zone-autodetect=no time-zone-name=UTC
/system identity
set name=BBBBBBBB
# NTP servers are given by name, so time sync depends on the router resolving
# them through 10.42.42.12 (the only DNS server configured).
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org