Hi guys!
For some time now I recognize quite a loss in performance on my network.
What happens:
- after reboot, 5-15mins everything seems good, lag-free and fast then …
- winbox access from wan often stays at connecting to … comes up at 5th attempt or so
- same with connecting my email service to provider which often results in a timeout, works after 5th attempt
- established connections seem to work perfect (speedtest when I’m able to make it), 2nd winbox after the 1st is open etc
- teamviewer to computers on local network often times out if not established
- rdp often times out
- unifi controller (if anyone knows it) half of the connected devices are in heartbeat missed or disconnected state, sites are on wan
- many dropped packets from known ip addresses due to invalid state (tcp ack/fin) on port 8080, these are from unifi devices
- connections (around 300 items) show many tcp close wait to x.x.x.162:8080 from customer sites
CPU Load is around 7% on rb951g, nothing special.
Some time ago I had similar problems. The reason was a malware on a server on the local net which did port spoofing to other public IPs (TCP Syn flood?).
Connections on that router were around 2k items and the problems were a lot worse (harder to access local services over dstnat).
Do I have a resource problem that a rb951g can’t handle or is it a tcp syn flood alike problem? Should I test the same configuration with e.g. rb4011?
Tested with RB951G and hAP AC2, nearly same configuration, same behavior. Both ROS6.44
- Mikrotik std config with fixed public ip subnet /29 on eth1 (we use 6 public IPs to host some services to us). All 6 public IPs are configured on eth1
- One bridge for the local subnet 192.168.100.0/24
- src-nat rules to let specific local hosts masq with the right public IP
- dst-nat rules to our services: webserver and two unifi controllers.
ADDRESS:
/ip address
add address=x.x.x.162/29 comment="wanip-1" interface=\
ether1 network=x.x.x.160
add address=192.168.100.254/24 interface=br-local network=192.168.100.0
add address=x.x.x.163/29 comment="wanip-2" interface=ether1 \
network=x.x.x.160
add address=x.x.x.166/29 comment="wanip-5" interface=ether1 network=\
x.x.x.160
add address=x.x.x.164/29 comment="wanip-3" interface=ether1 \
network=x.x.x.160
add address=x.x.x.165/29 interface=ether1 network=x.x.x.160
FILTER:
/ip firewall filter
add action=drop chain=input connection-state=invalid log-prefix=INVALID
add action=accept chain=input comment="established, related, untracked" \
connection-state=established,related,untracked
add action=accept chain=input comment=icmp protocol=icmp
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp \
src-address-list=CountryIPBlocks
add action=drop chain=input connection-state="" in-interface=ether1 \
log-prefix=DROP
add action=accept chain=forward comment="ipsec in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="ipsec out" connection-state="" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward comment="established, related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether1
NAT:
/ip firewall nat
add action=src-nat chain=srcnat comment="src-nat webserver to wanip-2" \
out-interface=ether1 src-address=192.168.100.222 to-addresses=\
x.x.x.166
add action=src-nat chain=srcnat comment="src-nat unifilts to wanip-3" \
out-interface=ether1 src-address=192.168.100.210 to-addresses=\
x.x.x.164
add action=src-nat chain=srcnat comment="src-nat webserver to wanip-5" \
out-interface=ether1 src-address=192.168.100.230 to-addresses=\
x.x.x.166
add action=src-nat chain=srcnat comment="src-nat local net to wanip-1" \
out-interface=ether1 src-address=192.168.100.0/24 to-addresses=\
x.x.x.162
add action=dst-nat chain=dstnat comment="unifi tcp" dst-address=x.x.x.162 \
dst-port=8080,9080,8443,8880,8843,6789 protocol=tcp to-addresses=\
192.168.100.211
add action=dst-nat chain=dstnat comment="unifilts tcp" dst-address=\
x.x.x.164 dst-port=8080,9080,8443,8880,8843,6789 protocol=tcp \
to-addresses=192.168.100.210
add action=dst-nat chain=dstnat comment="unifi udp" dst-address=x.x.x.162 \
dst-port=3478 protocol=udp to-addresses=192.168.100.211
add action=dst-nat chain=dstnat comment="unifilts udp" dst-address=\
x.x.x.164 dst-port=3478 protocol=udp to-addresses=192.168.100.210
add action=dst-nat chain=dstnat comment=webserver-unifi dst-address=\
x.x.x.162 dst-port=80 protocol=tcp to-addresses=192.168.100.211
add action=dst-nat chain=dstnat comment=webserver-unifi dst-address=\
x.x.x.162 dst-port=443 protocol=tcp to-addresses=192.168.100.211 \
to-ports=8443
add action=dst-nat chain=dstnat comment="webserver-unifilts 80" dst-address=\
x.x.x.164 dst-port=80 protocol=tcp to-addresses=192.168.100.210 \
to-ports=443
add action=dst-nat chain=dstnat comment="webserver-unifilts 443" dst-address=\
x.x.x.164 dst-port=443 protocol=tcp to-addresses=192.168.100.210 \
to-ports=8443
add action=dst-nat chain=dstnat comment="webserver-erp wanip-5" dst-address=\
x.x.x.166 dst-port=80,443,21 protocol=tcp to-addresses=\
192.168.100.222
add action=dst-nat chain=dstnat comment="HTTP webserver-ubuntu" dst-address=\
x.x.x.163 dst-port=80 protocol=tcp to-addresses=192.168.100.230 \
to-ports=80
Everything else is in standard config!
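As an added example (not from the post and not a MikroTik tool), a small Python script that parses an excerpt of the NAT export above and, using RouterOS first-match semantics on the srcnat chain, lists internal hosts whose inbound public IP (dst-nat) differs from the public IP their own outbound traffic is src-natted to; on the quoted rules this flags 192.168.100.230 (reached on x.x.x.163, leaves as x.x.x.166). It assumes the export's usual backslash line continuation and keeps the masked x.x.x.N addresses as they appear in the post.

```python
import ipaddress
import re
# Excerpt of the /ip firewall nat export from the post (public IPs masked as there).
NAT_EXPORT = r"""
add action=src-nat chain=srcnat comment="src-nat webserver to wanip-2" \
out-interface=ether1 src-address=192.168.100.222 to-addresses=\
x.x.x.166
add action=src-nat chain=srcnat comment="src-nat webserver to wanip-5" \
out-interface=ether1 src-address=192.168.100.230 to-addresses=\
x.x.x.166
add action=src-nat chain=srcnat comment="src-nat local net to wanip-1" \
out-interface=ether1 src-address=192.168.100.0/24 to-addresses=\
x.x.x.162
add action=dst-nat chain=dstnat comment="unifi tcp" dst-address=x.x.x.162 \
dst-port=8080,9080,8443,8880,8843,6789 protocol=tcp to-addresses=\
192.168.100.211
add action=dst-nat chain=dstnat comment="HTTP webserver-ubuntu" dst-address=\
x.x.x.163 dst-port=80 protocol=tcp to-addresses=192.168.100.230 \
to-ports=80
"""
# key=value or key="quoted value" tokens of one export line
KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_export(text):
    """Glue backslash-continued lines, then map each 'add ...' line to a dict."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return rules

def outbound_public_ip(host, rules):
    """Public IP the host leaves with: first matching srcnat rule wins."""
    for r in rules:
        if r.get("chain") != "srcnat":
            continue
        if ipaddress.ip_address(host) in ipaddress.ip_network(r["src-address"], strict=False):
            return r["to-addresses"]
    return None

def nat_asymmetries(rules):
    """Hosts whose dst-nat public IP differs from their src-nat public IP."""
    found = {}
    for r in rules:
        if r.get("chain") == "dstnat":
            host, inbound = r["to-addresses"], r["dst-address"]
            outbound = outbound_public_ip(host, rules)
            if outbound != inbound:
                found[host] = (inbound, outbound)
    return found
```

Such an asymmetry is not wrong by itself (conntrack handles the replies), but it is worth knowing about when inbound connections to a host behave differently from connections that host opens itself.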