I use an RB2011UiAS-2HnD-IN and i replaced my ISP-modem yesterday.
Now the RB2011 is very unstable, i use this configuration for over a half year now.
I replaced the RB2011 with an RB951 just to make sure that the internet connection was working fine.
With that RB951 i get a full 200/20Mbit down and upload, the RB951 has an default config.
I erased the RB2011 and placed the same default config on the RB2011, and with that config the connection is unstable.
Not as unstable as with my original config but i do not get the 200/20Mbit throughput.
Does anyone sees anything strange or wrong in my running-config?
The router “crashes” when you put load on the connection.
When i start an download or an speedtest the test shows me a download of 10Mbit and it falls immediately back to 0.8Mbit and it times out.
Edit: The logfiles shows nothing strange.
MikroTik RouterOS 6.30.2 (c) 1999-2015 http://www.mikrotik.com/
[admin@RB_XXXX] > export
# jul/29/2015 08:10:38 by RouterOS 6.30.2
# software id = XXXXXX
#
/interface bridge
add arp=proxy-arp mtu=1500 name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp comment=\
"LAN - ports 3 - 5 are switched of eth2"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] arp=proxy-arp comment=\
"LAN - ports 6 - 10 are switched of eth6"
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
/ip neighbor discovery
set ether2 comment="LAN - ports 3 - 5 are switched of eth2"
set ether6 comment="LAN - ports 6 - 10 are switched of eth6"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=WPA2 \
supplicant-identity="" wpa-pre-shared-key=WPAKEY \
wpa2-pre-shared-key=WPAKEY
/interface wireless
set [ find default-name=wlan1 ] arp=proxy-arp band=2ghz-b/g/n country=\
netherlands disabled=no frequency=2437 l2mtu=1600 mode=ap-bridge \
security-profile=WPA2 wireless-protocol=802.11
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.1.21-192.168.1.100
add name=VPN-pool-1 ranges=192.168.1.125-192.168.1.130
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=1d name=dhcp1
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=192.168.1.1 name=Client-VPN \
remote-address=VPN-pool-1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=sfp1
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether1 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.8 comment="Raspberry Pi" mac-address=B8:27:EB:4A:3A:3D \
server=dhcp1
add address=192.168.1.6 client-id=1:8:eb:74:23:7f:83 comment="Humax 5200" \
mac-address=08:EB:74:23:7F:83 server=dhcp1
add address=192.168.1.3 client-id=1:0:8:9b:8d:23:ab comment="Qnap 219P NAS" \
mac-address=00:08:9B:8D:23:AB server=dhcp1
add address=192.168.1.4 client-id=1:0:26:55:73:bb:ef comment="HP 8500" \
mac-address=00:26:55:73:BB:EF server=dhcp1
add address=192.168.1.5 client-id=1:0:ce:40:0:38:3c comment="Mede8er " \
mac-address=00:CE:40:00:38:3C server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=Domain.local \
gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add chain=input comment=\
"Allow access to the WAN from the LAN using an adresslist" \
src-address-list=LAN
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add chain=forward comment="Allow connections from the LAN" connection-state=\
new in-interface=bridge1
add chain=forward comment="Allow connections from the VPN to the LAN and WAN" \
connection-state=new in-interface=all-ppp
add chain=forward comment="Allow established connections" connection-state=\
established
add chain=forward comment="Allow related connections" connection-state=\
related
add chain=input comment="Allow established connection to the WAN" \
connection-state=established
add chain=input comment="Allow related connections to the WAN" \
connection-state=related
add chain=forward comment="Allow traffic from WAN to Internal IPs" \
dst-address=192.168.1.1 in-interface=ether1
add chain=forward dst-address=192.168.1.3 in-interface=ether1
add chain=forward dst-address=192.168.1.8 in-interface=ether1
add chain=forward dst-address=192.168.1.100 in-interface=ether1
add action=drop chain=input comment="Drop all other traffic to the WAN" \
disabled=yes
add action=drop chain=forward comment=\
"Drop all other conections trough the router"
add action=drop chain=input comment="Block DNS-requests incoming from WAN" \
dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
/ip firewall nat
add chain=srcnat comment="IPSec NAT rule (LRS)" dst-address=192.168.4.0/24 \
src-address=192.168.1.0/24
add chain=srcnat comment="IPSec NAT rule (MGE)" dst-address=192.168.2.0/24 \
src-address=192.168.1.0/24
add chain=srcnat comment="IPSec NAT rule (ZWD)" dst-address=192.168.3.0/24 \
src-address=192.168.1.0/24
add chain=srcnat comment="IPSec NAT rule (MajoSign)" dst-address=\
192.168.10.0/24 src-address=192.168.1.0/24
add chain=srcnat comment="IPSec NAT rule (DenHelder)" dst-address=\
192.168.5.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="Portforwarding to QNAP Frontend" \
dst-port=1234 in-interface=ether1 protocol=tcp to-addresses=192.168.1.3 \
to-ports=8080
add action=dst-nat chain=dstnat comment="Portforwarding to QNAP Rsync" \
dst-port=873 in-interface=ether1 protocol=tcp to-addresses=192.168.1.3 \
to-ports=873
add action=dst-nat chain=dstnat comment="Portforwarding to QNAP torrent" \
dst-port=59150-59155 in-interface=ether1 protocol=tcp to-addresses=\
192.168.1.3 to-ports=59150-59155
add action=dst-nat chain=dstnat comment="Portforwarding to RB Frontend" \
dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.1.1 \
to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding RDP to 1.100" \
dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=192.168.1.100 \
to-ports=3389
add action=dst-nat chain=dstnat comment="Portforwarding to Qnap webserver" \
dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.3 \
to-ports=5678
add action=dst-nat chain=dstnat comment="Portforwarding to QNAP FTP" \
dst-port=20 in-interface=ether1 protocol=tcp to-addresses=192.168.1.3 \
to-ports=20
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.3 to-ports=21
add action=dst-nat chain=dstnat comment="Raspberry pi" dst-port=5678 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.8 to-ports=80
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip ipsec peer
add address=94.213.xxx.xxx/32 comment=LRS enc-algorithm=aes-128 secret=SECRET
add enc-algorithm=aes-128 exchange-mode=main-l2tp secret=SECRET
add address=24.132.xxx.xxx/32 comment=ZWD enc-algorithm=aes-128 secret=SECRET
add address=94.213.xxx.xxx/32 comment=MGE enc-algorithm=aes-128 secret=SECRET
add address=94.211.xxx.xxx/32 comment="Den Helder" enc-algorithm=aes-128 \
secret=SECRET
add address=77.161.xxx.xxx/32 comment=Majosign enc-algorithm=aes-128 \
nat-traversal=no secret=SECRET
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add comment=LRS dst-address=192.168.4.0/24 sa-dst-address=94.213.xxx.xxx \
sa-src-address=217.123.xxx.xxx src-address=192.168.1.0/24 tunnel=yes
add comment=ZWD dst-address=192.168.3.0/24 sa-dst-address=24.132.xxx.xxx \
sa-src-address=217.123.xxx.xxx src-address=192.168.1.0/24 tunnel=yes
add comment=MGE dst-address=192.168.2.0/24 sa-dst-address=94.213.xxx.xxx \
sa-src-address=217.123.xxx.xxx src-address=192.168.1.0/24 tunnel=yes
add comment=MajoSign dst-address=192.168.10.0/24 sa-dst-address=\
77.161.xxx.xxx sa-src-address=217.123.xxx.xxx src-address=192.168.1.0/24 \
tunnel=yes
add comment="Den Helder" dst-address=192.168.5.0/24 sa-dst-address=\
94.211.xxx.xxx sa-src-address=217.123.xxx.xxx src-address=192.168.1.0/24 \
tunnel=yes
/ip proxy
set cache-path=web-proxy1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=5m default-screen=stat-slideshow
/ppp secret
add comment="pass: SECRET" local-address=192.168.1.1 name=User password=\
SECRET profile=Client-VPN
add comment="pass: USER2" local-address=192.168.1.1 name=User \
password=SECRET profile=Client-VPN
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=RB_xxx
/system logging
add topics=error
/system ntp client
set enabled=yes primary-ntp=131.211.8.244 secondary-ntp=193.67.79.202
/system scheduler
add interval=30m name="Update No-ip DDNS" on-event=no-ip_ddns_update policy=\
read,write,test start-date=jul/03/2014 start-time=20:00:00
/system script
add name=no-ip_ddns_update owner=admin policy=ftp,read,write,test source="# No\
-IP automatic Dynamic DNS update\r\
\n#\r\
\n#--------------- Change Values in this section to match your setup -----\
-------------\r\
\n\r\
\n# No-IP User account info\r\
\n:local noipuser \"xxxx\"\r\
\n:local noippass \"xxxx\"\r\
\n\r\
\n# Set the hostname or label of network to be updated.\r\
\n# Hostnames with spaces are unsupported. Replace the value in the quotat\
ions below with your host names.\r\
\n# To specify multiple hosts, separate them with commas.\r\
\n:local noiphost \"xxxx\"\r\
\n\r\
\n# Change to the name of interface that gets the dynamic IP address\r\
\n:local inetinterface \"ether1\"\r\
\n\r\
\n#-----------------------------------------------------------------------\
-------------\r\
\n# No more changes need\r\
\n\r\
\n:local previousIP\r\
\n\r\
\nif ( [:len [/file find name=(\"no-ip_ddns_previousip.txt\")]] > 0 ) do={\
\r\
\n:set previousIP [/file get (\"no-ip_ddns_previousip.txt\") contents]\r\
\n}\r\
\n\r\
\n\r\
\n:if ([/interface get \$inetinterface value-name=running]) do={\r\
\n# Get the current IP on the interface\r\
\n:local currentIP [/ip address get [find interface=\"\$inetinterface\" di\
sabled=no] address]\r\
\n\r\
\n# Strip the net mask off the IP address\r\
\n:for i from=( [:len \$currentIP] - 1) to=0 do={\r\
\n:if ( [:pick \$currentIP \$i] = \"/\") do={\r\
\n:set currentIP [:pick \$currentIP 0 \$i]\r\
\n}\r\
\n}\r\
\n\r\
\n:if (\$currentIP != \$previousIP) do={\r\
\n:log info \"No-IP: Current IP (\$currentIP) is not equal to previous IP \
(\$previousIP), update needed\"\r\
\n\r\
\n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Requi\
red since \? is a special character in commands.\r\
\n:local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$currentIP\"\
\r\
\n:local noiphostarray\r\
\n:set noiphostarray [:toarray \$noiphost]\r\
\n:foreach host in=\$noiphostarray do={\r\
\n:log info \"No-IP: Sending update for \$host\"\r\
\n/tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuser password=\
\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host . \".txt\")\
\r\
\n:log info \"No-IP: Host \$host updated on No-IP with IP \$currentIP\"\r\
\n/file print file=(\"no-ip_ddns_previousip.txt\")\r\
\n:delay 3\r\
\n/file set contents=\"\$currentIP\" (\"no-ip_ddns_previousip.txt\")\r\
\n}\r\
\n} else={\r\
\n:log info \"No-IP: Previous IP \$previousIP is equal to current IP, no u\
pdate needed\"\r\
\n}\r\
\n} else={\r\
\n:log info \"No-IP: \$inetinterface is not currently running, so therefor\
e will not update.\"\r\
\n}"
/tool bandwidth-server
set allocate-udp-ports-from=1000 authenticate=no
/tool graphing interface
add allow-address=192.168.1.0/24 interface=ether1
add allow-address=192.168.3.0/24 interface=ether1
add allow-address=192.168.1.0/24 interface=bridge1
/tool romon port
add
[admin@RB_xxx] >
Yesterday i did an reset of the configuration and let the router install the default configuration with the default Firewall rules in it.
Then the router has the right troughput 200/20Mbit, BUT when I disable one of the firewall rules, for example an Drop-rule on the firewall, the connection gets worse (a download of 0.8Mbit, and even time outs).
Then i disabled every rule in the firewall and the NAT table shows only the masquerade-rule. The connection stay really bad. 0.8Mbit down and time outs.
When i enable all the rules, the router has the right troughput.
