lubeda
December 30, 2024, 5:39pm
1
Hi,
My MikroTik hAP ax² is behind a Fritzbox Cable and generally works fine. I can download files and watch videos with no problems at normal speed. But when I try to download a file from download.mikrotik.com (behind the hAP ax²) it slows down and the download stops, even if it is a tiny file. Behind the Fritzbox it works fine.
In the screenshot you can see the behaviour. The download speed starts well but quickly slows down until it reaches zero and the download fails.
I think the firewall rules are fine because other files, even bigger ones, work, and I have more or less the default/factory firewall rules.
I am on RouterOS 7.16.2
Any hints to help me?
Thanx
LuBeDa
anav
December 30, 2024, 6:07pm
2
The answer is the same as always: you can think what you like and give an opinion, but we need the facts… (evidence, aka FULL CONFIG).
Thus:
/export file=anynameyouwish (minus router serial number, any public WAN IP info, keys etc.)
lubeda
December 30, 2024, 9:00pm
3
Here is the cleaned config:
# 2024-12-30 21:46:08 by RouterOS 7.16.2
# model = C52iG-5HaxD2HaxD
/interface bridge
add admin-mac=D4:01:C3:XX:XX:XX auto-mac=no comment=defconf name=bridge-LAN
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Germany .mode=ap .ssid=Luke \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Germany .mode=ap .ssid=Luke \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
add configuration.mode=ap .ssid=Leia mac-address=D6:01:C3:XX:XX:XX \
master-interface=wifi1 name=wifi3
add configuration.mode=ap .ssid=Leia mac-address=D6:01:C3:XX:XX:XX \
master-interface=wifi2 name=wifi4
/interface wireguard
add comment=wireguard-VPN listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment="GUest VLAN" interface=bridge-LAN name=VLAN107 vlan-id=107
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.178.17-192.168.178.254
add name=dhcp_pool1 ranges=192.168.176.2-192.168.176.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=1d name=defconf
add address-pool=dhcp_pool1 interface=VLAN107 lease-time=1h name=dhcp1
/queue simple
add comment="XBOX-oben auf 20Mbit/s" max-limit=20480k/20480k name=\
queue_xbox_ff target=192.168.178.83/32
add comment="Leo-PC auf 20Mbit/s" max-limit=20480k/20480k name=queue1 target=\
192.168.178.59/32
/disk settings
set auto-media-interface=bridge-LAN
/interface bridge filter
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward in-interface=wifi3
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward out-interface=wifi3
# wifi4 not ready
# in/out-bridge-port matcher not possible when interface (wifi4) is not slave
add action=drop chain=forward in-interface=wifi4
# wifi4 not ready
# in/out-bridge-port matcher not possible when interface (wifi4) is not slave
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
add bridge=bridge-LAN comment=defconf interface=ether3
add bridge=bridge-LAN comment=defconf interface=ether4
add bridge=bridge-LAN comment=defconf interface=ether5
add bridge=bridge-LAN comment=defconf interface=wifi1
add bridge=bridge-LAN comment=defconf interface=wifi2
add bridge=bridge-LAN interface=wifi3
add bridge=bridge-LAN interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=all lldp-mac-phy-config=yes lldp-vlan-info=yes
/interface bridge vlan
add bridge=bridge-LAN comment="GuestVLAN auf Uplink" tagged=ether2 vlan-ids=\
107
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.177.2/32 client-address=192.168.177.2/32 \
client-dns=192.168.178.1 client-endpoint=sell-e.de client-listen-port=\
13231 comment=Dienstdings13 interface=wireguard1 name=Dienstdings13 \
private-key="XX" public-key=\
"XX"
/ip address
add address=192.168.178.1/24 comment=defconf interface=bridge-LAN network=\
192.168.178.0
add address=192.168.177.1/24 comment=Wireguard interface=wireguard1 network=\
192.168.177.0
add address=192.168.176.1/24 comment=Guest_VLAN interface=VLAN107 network=\
192.168.176.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.178.47 client-id=homeassistant comment=\
"Reservation Homeassistant" server=defconf
/ip dhcp-server network
add address=192.168.176.0/24 gateway=192.168.176.1
add address=192.168.178.0/24 comment=defconf dns-server=192.168.178.1 \
gateway=192.168.178.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=30720KiB servers=\
8.8.8.8,1.1.1.1,9.9.9.9
/ip dns adlist
add ssl-verify=no url=\
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
add ssl-verify=no url="https://raw.githubusercontent.com/StevenBlack/hosts/mas\
ter/alternates/porn-only/hosts"
/ip dns static
add address=192.168.178.196 comment=Wildcard match-subdomain=yes name=\
home.xxxx.xx type=A
/ip firewall address-list
add address=192.168.178.1-192.168.178.14 comment=\
"Switche Router und NAS-Hardware" list=IPs_Infrastruktur
add address=192.168.178.33-192.168.178.126 comment="Alle IoTs" list=IPs_IoT
add address=192.168.177.2 comment="Wireguard Dienstding13" list=Trusted-VPN
add address=192.168.177.0/24 comment="Wireguard alle" list=All-VPN
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="Wireguard UDP accept" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="Wireguard VPN traffic" src-address=\
192.168.177.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"defconf: accept ICMP from LAN (bridge)" in-interface=bridge-LAN \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="LAN => FW | erlauben" in-interface=\
bridge-LAN
add action=drop chain=input comment="drop ping over WAN" in-interface=ether1 \
protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=no
add action=accept chain=forward comment="LAN-> WAN | alles erlauben" \
in-interface=bridge-LAN out-interface=ether1
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Forwarding http to nginx" disabled=\
yes dst-port=80 in-interface=ether1 protocol=tcp to-addresses=\
192.168.178.2 to-ports=80
add action=dst-nat chain=dstnat comment="Forwarding https to nginx" \
dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.178.2 \
to-ports=443
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate="Self signed for API" disabled=no
set api-ssl certificate="Self signed for API"
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/snmp
set contact=LuBeDa enabled=yes location=Office
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system identity
set name=MIC_RT_GF
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=192.168.180.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
lubeda
December 31, 2024, 12:32pm
4
In a trace I found a lot of retransmits and duplicate ACKs. So it's clear that there is a problem, but I can't find the reason why.
sindy
December 31, 2024, 12:51pm
5
I cannot spot anything wrong, or even anything too unusual (the order of firewall rules in the IPv4 firewall filter is not optimal, but neither is it wrong), in the configuration; the sniffing is a good idea, but you should do it on the MikroTik itself without filtering by interface, only by the remote address. The goal is to see whether there is some issue on the MikroTik itself and the packet doesn't make it from WAN to LAN, or whether the interworking between the MikroTik and the Fritzbox is not OK. Could it be that you have set the MTU of the Fritzbox LAN higher than the one of the MikroTik's WAN (which is the default 1500)?
When sniffing without filtering on interface, the TCP dissector of Wireshark gets confused so don’t jump to conclusions, just check whether there are packets whose dst-mac-address is the one of ether1 that have no “twins” whose src-mac-address is the one of bridge-LAN. Of course, if the Fritzbox supports sniffing, it would be ideal to have sniffs from the same attempt from both devices.
Maybe it's coincidence, maybe not, but in the morning I had trouble connecting to the MikroTik forum. Nginx errors, so your problems could have been a sign of trouble. Even now the post "submit" is a little slow paced.
EDIT: I see even HTTP 500 now.
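One way to do the "twin" check sindy describes mechanically, as an added example that is not part of this thread: it assumes the MikroTik sniff was exported with tshark to CSV (fields listed in the comment), and the MAC addresses, the remote IP and the sample rows are constructed placeholders, not values from this router.

```python
"""Correlate WAN-ingress frames with their LAN-egress twins in a sniff taken on
the router itself (no interface filter).  A frame that reaches ether1 but never
leaves via bridge-LAN was lost inside the router; one larger than the WAN MTU
hints at the MTU mismatch sindy asks about.  All addresses are constructed."""
import csv
import io

ETHER1_MAC = "d4:01:c3:00:00:01"   # assumed MAC of ether1 (WAN), constructed
BRIDGE_MAC = "d4:01:c3:00:00:02"   # assumed MAC of bridge-LAN, constructed
WAN_MTU = 1500                     # RouterOS default WAN MTU, as stated above

# Constructed export:  tshark -r sniff.pcap -T fields -E separator=, -E header=y
#   -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst
#   -e tcp.srcport -e tcp.seq_raw -e frame.len
# 203.0.113.10 stands in for the remote server; 192.168.180.20 for the WAN IP.
SAMPLE_CSV = """\
frame.number,eth.src,eth.dst,ip.src,ip.dst,tcp.srcport,tcp.seq_raw,frame.len
1,aa:bb:cc:00:00:10,d4:01:c3:00:00:01,203.0.113.10,192.168.180.20,443,1000,1514
2,d4:01:c3:00:00:02,bb:bb:bb:00:00:59,203.0.113.10,192.168.178.59,443,1000,1514
3,aa:bb:cc:00:00:10,d4:01:c3:00:00:01,203.0.113.10,192.168.180.20,443,2460,1514
4,aa:bb:cc:00:00:10,d4:01:c3:00:00:01,203.0.113.10,192.168.180.20,443,3920,1592
"""


def find_orphans(csv_text, wan_mac=ETHER1_MAC, lan_mac=BRIDGE_MAC):
    """Return (orphans, oversized): WAN-ingress rows with no LAN-egress twin,
    and the subset of those whose IP packet is larger than the WAN MTU."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    def key(row):
        # NAT rewrites ip.dst, so correlate only on fields NAT leaves intact.
        return (row["ip.src"], row["tcp.srcport"], row["tcp.seq_raw"])

    egress = {key(r) for r in rows if r["eth.src"].lower() == lan_mac}
    ingress = [r for r in rows if r["eth.dst"].lower() == wan_mac]
    orphans = [r for r in ingress if key(r) not in egress]
    # frame.len includes the 14-byte Ethernet header; compare the IP size.
    oversized = [r for r in orphans if int(r["frame.len"]) - 14 > WAN_MTU]
    return orphans, oversized


def report(csv_text):
    """Frame numbers to look at in Wireshark, grouped by finding."""
    orphans, oversized = find_orphans(csv_text)
    return {"orphan_frames": [r["frame.number"] for r in orphans],
            "oversized_frames": [r["frame.number"] for r in oversized]}


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

Frames that are orphans but not oversized point at something between ether1 and the bridge (firewall, fasttrack, queue); oversized orphans point at the Fritzbox sending frames the WAN MTU cannot carry.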
lubeda
December 31, 2024, 3:02pm
7
I will investigate further, although I found a solution (hopefully it will keep working). I changed the uplink port on the Fritzbox to LAN3 and everything worked fine; when changing back to LAN4 the error was there again. Setting LAN4 on the Fritzbox to Guest Mode, it worked too.
I am not sure what is going on; I will take a look next year.
Thanx for the support.