I have two offices, a main and an offsite small office. The main office has a 1100x2 running well but the offsite offices edgerouter is dying and I’m going to replace it. So I thought use the opportunity to can upgrade the main office mikrotik and move the 1100x2 to the small office.
The main reason I’m thinking of upgrading is we have a 1gb fiber connection but only get about 400mbps download speeds even with fast track enabled. It’s probably because of all my firewall rules etc. would a router with more power help?
Well, the CCR1009 line is where you might start looking. However, I’m interested to see your configuration and what makes it so complex as to require so much more CPU.
Thanks, here is my router config.
I have two internet providers that give us both fail over redundancy plus I have a vlan setup for guests that uses WAN 2 for internet access keeping them off our main internet connection.
I have a VPN between two sites
I use the mikrotik vpn to remote in myself
and I’ve failover setp in routes.
# dec/16/2019 09:46:34 by RouterOS 6.45.7
# software id = 5BUL-L32B
#
# model = 1100AHx2
# serial number = 123456789456
/interface bridge
add fast-forward=no name=LAN-Bridge
add fast-forward=no name=Wan2_Vlan_bridge
/interface ethernet
set [ find default-name=ether1 ] name="1 WAN1"
set [ find default-name=ether2 ] comment="Backup WAN connection" name="2 WAN2"
set [ find default-name=ether3 ] name="3 Sip Phone 1"
set [ find default-name=ether4 ] name="4 AP Office 1"
set [ find default-name=ether5 ] name="5 AP Office 2"
set [ find default-name=ether6 ] name="6 Sip Phone 2"
set [ find default-name=ether7 ] name="7 Sip Phone 3"
set [ find default-name=ether8 ] name="8 AP Office 2"
set [ find default-name=ether9 ] name="9 Switch 1 #1"
set [ find default-name=ether10 ] mac-address=E1:8A:8B:1C:1D:4E name="10 Switch 1 #2"
/interface vlan
add comment="WAN1 ISP Vlan 10" interface="1 WAN1" name=vlan-ftth vlan-id=10
add comment="Vlan200" interface=LAN-Bridge name=vlan200 vlan-id=200
add comment="Vlan300" interface=LAN-Bridge name=vlan300 vlan-id=300
add comment="SipVlan400" interface=LAN-Bridge name=vlan400 vlan-id=400
/interface bonding
add mode=802.3ad name="LAN Link" slaves="10 Switch 1 #2,9 Switch 1 #1" transmit-hash-policy=layer-2-and-3
/interface pppoe-client
add add-default-route=yes comment="Fiber Pppoe login details" dial-on-demand=yes disabled=no interface=vlan-ftth name=WAN1-pppoe password=FTTH use-peer-dns=yes user=passwordFTTH
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=81.82.83.84/32 local-address=85.86.87.88 name=peer2
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128 nat-traversal=no
add dh-group=modp1024 dpd-interval=1m enc-algorithm=aes-128 name=site2 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,aes-128-ctr,3des
add enc-algorithms=aes-256-cbc,aes-128-cbc,aes-128-ctr name=site2
/ip pool
add name=vlan200-pool ranges=20.20.20.10-20.20.20.254
add name=1-pool ranges=192.168.100.60-192.168.100.254
add name=vpn ranges=192.168.30.245-192.168.30.250
add name=2-pool ranges=192.168.1.15-192.168.1.254
add name=VoIP ranges=192.168.4.10-192.168.4.30
/ip dhcp-server
add address-pool=vlan200-pool disabled=no interface=vlan200 name=vlan200-dhcp
add address-pool=VoIP disabled=no interface=vlan400 name=vlan400-dhcp
/ppp profile
set *FFFFFFFE dns-server=192.168.0.10,192.168.0.11 local-address=192.168.30.1 remote-address=vpn
/interface bridge port
add bridge=LAN-Bridge interface="LAN Link"
add bridge=LAN-Bridge interface="8 AP Office 2"
add bridge=LAN-Bridge interface="7 Sip Phone 3"
add bridge=LAN-Bridge interface="6 Sip Phone 2"
add bridge=LAN-Bridge interface="5 AP Office 2"
add bridge=LAN-Bridge interface="44 AP Office 1"
add bridge=LAN-Bridge interface="3 Sip Phone 1"
add bridge=Wan2_Vlan_bridge interface="2 WAN2"
add bridge=Wan2_Vlan_bridge interface=vlan300
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set enabled=yes ipsec-secret=secret-password use-ipsec=yes
/interface list member
add interface=WAN1-pppoe list=WAN
add interface="LAN Link" list=LAN
add interface=Wan2_Vlan_bridge list=LAN
add interface="2 WAN2" list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.0.1/24 interface=LAN-Bridge network=192.168.0.0
add address=192.168.15.50/24 interface="2 WAN2" network=192.168.15.0
add address=20.20.20.1/24 interface=vlan200 network=20.20.20.0
add address=192.168.4.1/27 interface=vlan400 network=192.168.4.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-relay
add dhcp-server=192.168.0.10,192.168.0.11 disabled=no interface=LAN-Bridge name="Windows server"
/ip dhcp-server network
add address=20.20.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=20.20.20.1
add address=192.168.0.0/24 dns-server=192.168.0.10,192.168.0.11 gateway=192.168.0.1
add address=192.168.3.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.4.1
add address=192.168.15.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.15.1
add address=192.168.100.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.100.50
/ip dns
set servers=192.168.0.10,192.168.0.11
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=allowed_to_router
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" disabled=yes dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface=WAN1-pppoe protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 in-interface=WAN1-pppoe protocol=udp
add action=accept chain=input comment="Accept all connections from local network" in-interface=LAN-Bridge
add action=drop chain=input log=yes
add action=drop chain=input comment="drop all traffic brute force attack sources" log=yes src-address-list=sshblacklist
add action=add-src-to-address-list address-list=sshblacklist address-list-timeout=1h chain=input comment="add new failed sshdarkgreylist to sshblacklist" connection-state=new dst-port=22 protocol=tcp \
src-address-list=sshdarkgreylist
add action=add-src-to-address-list address-list=sshdarkgreylist address-list-timeout=1m chain=input comment="add new failed sshgreylist to sshdarkgreylist" connection-state=new dst-port=22 protocol=tcp \
src-address-list=sshgreylist
add action=add-src-to-address-list address-list=sshgreylist address-list-timeout=1m chain=input comment="add new failed sshlightgreylist to sshgreylist" connection-state=new dst-port=22 protocol=tcp \
src-address-list=sshlightgreylist
add action=add-src-to-address-list address-list=sshlightgreylist address-list-timeout=1m chain=input comment="new connections to sshlightgreylist" connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN1-pppoe src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=Wan2_Vlan_bridge src-address-list=NotPublic
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted " connection-nat-state=!dstnat connection-state=new in-interface=WAN1-pppoe
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN1-pppoe src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN-Bridge
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=LAN-Bridge src-address=!192.168.0.0/24
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=Wan2_Vlan_bridge
add action=add-src-to-address-list address-list=udpflood address-list-timeout=30s chain=input connection-limit=30,32 protocol=udp tcp-flags=""
add action=drop chain=input src-address-list=udpflood
add action=add-src-to-address-list address-list=outUDPflood address-list-timeout=30s chain=output connection-limit=30,32 limit=1,5:packet protocol=udp
add action=drop chain=output src-address-list=outUDPflood
add action=reject chain=input comment=SECURITY content=user.dat reject-with=icmp-network-unreachable
add action=drop chain=input content=user.dat
/ip firewall mangle
add action=mark-connection chain=forward dst-port=5060 new-connection-mark=voip-conn passthrough=yes protocol=udp
add action=mark-connection chain=forward connection-type=sip new-connection-mark=voip-conn passthrough=yes
add action=mark-packet chain=forward connection-mark=voip-conn new-packet-mark=voip-packet passthrough=no
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.11.0/24
add action=accept chain=srcnat dst-address=192.168.11.0/24 log=yes log-prefix=company-vpn src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=WAN1-pppoe
add action=masquerade chain=srcnat out-interface=Wan2_Vlan_bridge
add action=dst-nat chain=dstnat dst-port=5091 in-interface=WAN1-pppoe log=yes log-prefix=PBX protocol=tcp src-address=81.82.83.84 to-addresses=192.168.0.7 to-ports=5091
add action=dst-nat chain=dstnat dst-port=5091 in-interface=Wan2_Vlan_bridge log=yes log-prefix=PBX protocol=tcp src-address=81.82.83.84 to-addresses=192.168.0.7 to-ports=5091
add action=dst-nat chain=dstnat comment="PBX" dst-port=5090 in-interface=WAN1-pppoe log=yes log-prefix=PBX-Controller protocol=tcp src-address=85.86.87.88 src-address-type="" \
to-addresses=192.168.0.7 to-ports=443
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1-pppoe log=yes log-prefix=PBX protocol=udp src-address=81.82.83.84 to-addresses=192.168.0.7 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface=Wan2_Vlan_bridge log=yes log-prefix=PBX protocol=udp src-address=81.82.83.84 to-addresses=192.168.0.7 to-ports=5060
add action=dst-nat chain=dstnat dst-port=8000-9000 in-interface=WAN1-pppoe protocol=udp src-address=81.82.83.84 to-addresses=192.168.0.7 to-ports=8000-9000
add action=dst-nat chain=dstnat dst-port=8000-9000 in-interface=Wan2_Vlan_bridge protocol=udp src-address=81.82.83.84 to-addresses=192.168.0.7 to-ports=8000-9000
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1-pppoe log=yes log-prefix=PBX protocol=tcp src-address=81.82.83.84 to-addresses=192.168.0.7 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface=Wan2_Vlan_bridge log=yes log-prefix=PBX protocol=tcp src-address=81.82.83.84 to-addresses=192.168.0.7 to-ports=5060
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.11.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=192.168.11.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set udplite disabled=yes
set dccp disabled=yes
/ip ipsec identity
add peer=peer2 secret=secretpassword
/ip ipsec policy
add dst-address=192.168.11.0/24 sa-dst-address=81.82.83.84 sa-src-address=85.86.87.88 src-address=192.168.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.1.1.1
add distance=2 gateway=10.2.2.2
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.15.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=85.86.87.88 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=8.8.8.8 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=8.8.4.4 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=208.67.222.222 scope=10
add distance=1 dst-address=208.67.220.220/32 gateway=85.86.87.88 scope=10
add distance=1 dst-address=208.67.222.222/32 gateway=192.168.15.1 scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.89.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ppp secret
add name=vpn password=secretpassword
/system clock
set time-zone-name=timezone
/system identity
set name=router
/system logging
add prefix=ipsec topics=ipsec
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Setting up firewall rules is a personal thing, so I won’t tell you how to manage your packets. There are some things to understand about how to use hardware. I mean, do we make it easy on our routers or do we buy faster hardware? That’s a personal decision.
What does concern me is you don’t have a catchall drop for the input and forward chains in logical (logical to me) order. It bothers me when I can not quickly deduce that someone is stopping packets they don’t care about. Beyond that, you have two interesting input drops, one of them logs and the user does a lookup with content=user.dat. So, some extra CPU cycles are being used there. Nothing wrong with that, but its not free.
Yes, of course you would benefit from faster hardware. I can not say with certainty the exact model. Buy from a vendor with a good return policy so you can experiment.
Thanks I appreciate the advise. A few years ago I got a idea that our network might be compromised, wiped the router and added a lot of rules a result! I’ll tidy up and make those edits now.