Questions about 2 Mikrotiks connected by PTP link

Hello,

I have had a single PC-based Mikrotik running for a few years now. I have lately added another, and have some issues with it.

Here is a diagram of my setup:

Internet—PC-Mk----1stwirelessPTPlink------2nd-Mk----2ndwirelessPTPlink------otherPCs

All IPs once they get past the PC-Mk are private ones.

All the links work and pass data/internet. However, I am having some performance issues with the PCs behind the 2ndwirelessPTPlink. They timeout and drop packets a lot when there is even a small amount of data moving on it.

The wireless links are fine, with no issues. I can ping from my workstation (connected to PC-Mk) all the IPs along the way with times always under 5 or 6 ms.

Can someone help me with the firewall rules for the 2nd MK? I think there is something I don’t have set quite right.

Thank you!

If you want specific help with firewall rules you’re going to have to post some details. What do you want the firewall to do? Firewalls refer to interfaces and IP addresses. What are your IP addresses and interfaces? And so on. Specific answers require specific questions.

http://catb.org/~esr/faqs/smart-questions.html#beprecise
http://catb.org/~esr/faqs/smart-questions.html#explicit

Start by posting the output of the following commands: “/ip address print detail”, “/ip route print detail”, “/interface print”, and “/ip firewall export”, each wrapped in tags. Also post an accurate, well-labeled network diagram, and any further details you think are relevant.

This is the output from the 2nd Mikrotik:

ip address print detail:

0 address=192.168.168.9/24 network=192.168.168.0 broadcast=192.168.168.255
interface=ether2-loc1-tower actual-interface=ether2-loc1-tower

1 address=172.16.16.1/24 network=172.16.16.0 broadcast=172.16.16.255
interface=ether3-loc2-tower actual-interface=ether3-loc2-tower

ip route print detail:

0 address=192.168.168.9/24 network=192.168.168.0 broadcast=192.168.168.255
interface=ether2-loc1-tower actual-interface=ether2-loc1-tower

1 address=172.16.16.1/24 network=172.16.16.0 broadcast=172.16.16.255
interface=ether3-loc2-tower actual-interface=ether3-loc2-tower

interface print:

NAME TYPE MTU L2MTU

0 ether1-gateway ether 1500 1524
1 R ether2-loc1-tower ether 1500 1524
2 R ether3-loc2-tower ether 1524 1524
3 ether4-local-slave ether 1500 1524
4 ether5-local-slave ether 1500 1524

ip firewall export:

jan/08/1970 05:06:24 by RouterOS 4.13

software id = GQNF-NCMJ

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Allow ICMP (pings)" disabled=no
protocol=icmp
add action=drop chain=forward comment="Drop invalid connections"
connection-state=invalid disabled=no
add action=accept chain=forward comment="Allow Established connections"
connection-state=established disabled=no
add action=accept chain=forward comment="Allow related connections"
connection-state=related disabled=no
add action=accept chain=input comment="Allow related connections"
connection-state=related disabled=no
add action=accept chain=input comment="Allow established connectiions"
connection-state=established disabled=no
add action=drop chain=input comment="Drop invalid connections"
connection-state=invalid disabled=no
add action=accept chain=input comment="default configuration"
connection-state=established disabled=yes in-interface=ether3-loc2-tower
add action=accept chain=input comment="default configuration"
connection-state=related disabled=yes in-interface=ether3-loc2-tower
add action=drop chain=input comment="default configuration" disabled=yes
in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes
out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="" disabled=no
out-interface=ether2-loc1-tower
add action=masquerade chain=srcnat comment="" disabled=yes
out-interface=ether2-loc1-tower src-address=172.16.16.0/24
src-address-list=172.16.16.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

More to come later....
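The export above is easier to review once the wrapped lines are re-joined. The following is an added example, not code from this thread or from MikroTik: it parses the export format into per-section rule lists and, for each filter chain, reports how many rules are actually enabled and whether the chain ends in an unconditional drop (a RouterOS chain accepts whatever no rule matched). SAMPLE_EXPORT is a constructed subset of the posted export.

```python
import shlex

# Constructed sample: a subset of the "/ip firewall export" posted in this
# thread, with the line wrapping kept exactly as it appears in the post.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="Allow ICMP (pings)" disabled=no
protocol=icmp
add action=drop chain=forward comment="Drop invalid connections"
connection-state=invalid disabled=no
add action=accept chain=forward comment="Allow Established connections"
connection-state=established disabled=no
add action=drop chain=input comment="default configuration" disabled=yes
in-interface=ether1-gateway
"""
NON_MATCHERS = {"action", "chain", "comment", "disabled"}

def logical_lines(text):
    """Re-join wrapped lines: a line not starting with '/', 'add' or 'set'
    continues the previous one; a trailing 'key=' takes the next line's value."""
    out = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(("/", "add ", "set ")) or not out:
            out.append(line)
        else:
            out[-1] += line if out[-1].endswith("=") else " " + line
    return out

def parse_export(text):
    """Return {section: [rule, ...]}; each rule maps key -> value in order."""
    rules, section = {}, None
    for line in logical_lines(text):
        if line.startswith("/"):
            section = line
            rules.setdefault(section, [])
        else:  # "add k=v ..." / "set k=v ..."; shlex keeps quoted comments whole
            _verb, _, rest = line.partition(" ")
            rules[section].append(dict(t.split("=", 1) for t in shlex.split(rest)))
    return rules

def chain_summary(rules, section="/ip firewall filter"):
    """Per chain: enabled rule count and whether the last enabled rule drops all."""
    chains = {}
    for r in rules.get(section, []):
        if r.get("disabled") != "yes":
            chains.setdefault(r["chain"], []).append(r)
    return {c: {"enabled": len(rs),
                "default_deny": rs[-1]["action"] == "drop"
                and not (set(rs[-1]) - NON_MATCHERS)}
            for c, rs in chains.items()}
```

Running `chain_summary(parse_export(SAMPLE_EXPORT))` on the sample shows the input chain with a single enabled rule and no closing drop, because the "default configuration" drop on ether1-gateway is disabled.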

Just noticed this in my config:

2 R ether3-loc2-tower ether 1524 1524

Shouldn’t that MTU be 1500 instead of 1524? Will that cause problems like I am having?

Thanks!

I changed that number from 1524 to 1500.

I have a person on the end of the 2nd-wireless-PTP with an attached desktop. They are still seeing sporadic timeouts and pings over 200 or 300 ms when pinging my gateway router.

I, however, can ping them with no problems at all.

As I said, all wirelessPTP links are running fine with no issues.

Can someone please help me with this? I can supply any other needed information.

I don’t see anything wrong with that firewall configuration.

MTU issues wouldn’t cause spikes in ICMP echo reply latency, or drops of those packets. The default on all usual operating systems is somewhere between 64 and 32 bytes - well below the lowest possible MTU on the path.

Have you looked at router utilization at that point? Is the interface near its limit? The link? Do you have any queuing going on that could delay/drop packets? Keep in mind that there are default queues associated with interfaces. Even though you say you have ruled out layer 1 issues I would look at those again as well.

From the configuration you’ve shown there are no issues on layer 3 or above.