ROS Routerboard NAT stability issue, or performance issue?

I'm using a Routerboard RB2011UAS-2HnD with the latest ROS, 5.24.
When I click through hyperlinks, for example from http://www.baidu.com, I get random connection timeouts on a link, but if I come back after some time, I may be able to get into the link quickly.
It's not a website problem: I tried on my tablet through a 3G connection, and every link on that site worked perfectly.
Why does the Routerboard get choked on web browsing? My ROS is 5.24, the latest, and the CPU load is about 20% on that hyperlink click.
And it's not a browser issue: I tried on a different laptop using the same wired connection to the ROS router, using Chrome, and got the same result, not failing on the same link, but failing on other links. And it's not limited to that site; I tried other sites, local search engine sites like http://www.soso.com.

So I believe it's a Routerboard or ROS issue.

Thanks,

leon

Admin, please help to move this post to General topics; I guess it's not caused by ROS 5.24.

Now, I watched the firewall connections. When I clicked the hyperlink, there was no response; I saw a lot of connections being created in the firewall connections window, and finally I got a connection timeout error from Chrome: "Connection Timed out".
Please see the attached picture of the firewall connections: a burst of connection creation after clicking the hyperlink, and finally the connections get closed.

I see you are using a PPTP link; are you sure it's not an MTU issue?

Actually, the PPTP connection only takes part of the outbound requests, those to some sites banned by the Chinese great firewall. Most of the connections, including the "timed out" links, are to local Chinese sites and go through the normal PPPoE connection.

I feel it could be ROS NAT function instability, because the timed-out links randomly have this behavior, and all links worked well on my phone or tablet using a dedicated 3G connection.

PPPoE is a PPP-type connection too, so MTU issues can occur, and that is how MTU issues look in the connection table. Please verify again whether it's an MTU issue or not.

I checked my former router. My Linksys E2000 used the same MTU of 1480 for PPPoE, and it worked perfectly. :confused:

Do you have change MSS enabled?

please post full output of this command:
/export compact
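As an added example (not from Normis or the original poster), this is what checking and enabling MSS clamping looks like on RouterOS 5.x, which is the "change MSS" setting asked about above. The interface names pppoe-out1 and pptp-Linost and the DNS server address 180.168.255.18 are taken from the export posted later in this thread; the rule comments and the 1480-byte MTU figure (the value Leon quotes for his PPPoE link) are assumptions for illustration.

```routeros
# Added example, not part of the original thread. Interface names and the
# 180.168.255.18 address come from Leon's export; the comments and the
# 1480-byte MTU are assumed for illustration.

# 1. Check what MTU/MRU the PPP links actually negotiated, and whether the
#    PPP profile used by the PPPoE client already rewrites TCP MSS.
/interface pppoe-client print detail
/interface pptp-client print detail
/ppp profile print detail where name=default

# 2a. Simplest fix: let the PPP profile clamp MSS for every session that
#     uses it (the pppoe-client uses profile=default unless told otherwise).
/ppp profile set default change-tcp-mss=yes

# 2b. Explicit alternative: rewrite the MSS option in TCP SYNs that leave
#     via each PPP interface. clamp-to-pmtu derives the new MSS from the
#     interface MTU (MTU minus 40 bytes of IP+TCP header), so the rules
#     keep working if the link renegotiates a different MTU.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=pppoe-out1 action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS clamp, PPPoE uplink"
add chain=forward protocol=tcp tcp-flags=syn out-interface=pptp-Linost action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS clamp, PPTP tunnel"

# 3. Verify the MTU itself from the router. size= is the whole IP packet,
#    so with an MTU of 1480 a 1480-byte DF ping must be answered and a
#    1481-byte one must not (it cannot leave the link unfragmented).
/ping 180.168.255.18 size=1480 do-not-fragment count=3
/ping 180.168.255.18 size=1481 do-not-fragment count=3

# 4. Confirm the clamp is taking effect: the rule counters should climb as
#    new TCP sessions are opened from the LAN.
/ip firewall mangle print stats
```

Use either 2a or 2b; with both in place the mangle rules are redundant but harmless. If the 1480-byte DF ping already fails, the link MTU is lower than the 1480 Leon mentions and the ping sizes should be stepped down until the largest size that still gets a reply is found.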

Hi, Normis,
Please see the export below; I've replaced user credentials with x:
Thanks,

Leon

MikroTik RouterOS 5.24 (c) 1999-2013 http://www.mikrotik.com/

[admin@leonMT] > /export compact
# mar/03/2013 11:17:53 by RouterOS 5.24
# software id = 4IKN-QV1F

/interface bridge
add admin-mac=D4:CA:6D:85:76:99 auto-mac=no l2mtu=2290 name=bridge-local
protocol-mode=rstp
add name=bridgeIPTV
/interface wireless
set 0 band=2ghz-onlyn channel-width=20/40mhz-ht-above country="united states"
disabled=no distance=indoors frequency=2442 ht-rxchains=0,1 ht-txchains=0,1
l2mtu=2290 mode=ap-bridge ssid=Leon_MT tx-power-mode=all-rates-fixed
wireless-protocol=802.11
/interface ethernet
set 0 disabled=yes name=sfp1-gateway
set 1 name=ether1-gateway speed=1Gbps
set 6 name=ether6-master-local
set 7 master-port=ether6-master-local name=ether7-slave-local
set 8 master-port=ether6-master-local name=ether8-slave-local
set 9 master-port=ether6-master-local name=ether9-slave-local
set 10 name=ether10-slave-local
/interface pppoe-client
add add-default-route=yes interface=ether1-gateway name=pppoe-out1 password=
x service-name=CTwan use-peer-dns=yes user=x
/interface l2tp-client
add connect-to=72.52.94.226 name=l2tp-Linost password=x user=x
/interface pptp-client
add connect-to=67.215.241.74 disabled=no name=pptp-Linost password=x user=
x
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=x
wpa2-pre-shared-key=x
/ip dhcp-server
add interface=sfp1-gateway name=dhcp1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.250
add name=pptp-pool ranges=192.168.87.251-192.168.87.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/ppp profile
add local-address=192.168.87.1 name=pptp-profile1 only-one=yes remote-address=
pptp-pool use-encryption=yes
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether5
add bridge=bridgeIPTV interface=ether6-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local disabled=yes interface=ether1-gateway
add bridge=bridge-local disabled=yes interface=sfp1-gateway
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=pptp-Linost
/interface ethernet switch port
set 6 vlan-mode=check
set 7 vlan-mode=check
set 8 vlan-mode=check
set 9 vlan-mode=check
set 12 vlan-mode=check
/interface ethernet switch vlan
add ports=ether6-master-local switch=switch2 vlan-id=85
add ports=ether6-master-local switch=switch2 vlan-id=51
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=pptp-profile1
enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=wlan1
add address=192.168.88.1/24 comment="default configuration" interface=ether2
add address=192.168.88.1/24 comment="default configuration" interface=ether3
add address=192.168.88.1/24 comment="default configuration" interface=ether4
add address=192.168.88.1/24 comment="default configuration" interface=ether5
add address=192.168.88.1/24
add address=192.168.88.1/24 interface=ether10-slave-local
/ip dhcp-client
add comment="default configuration" interface=sfp1-gateway
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.2 client-id=1:10:bf:48:b7:b4:e6 mac-address=
10:BF:48:B7:B4:E6 server=default
add address=192.168.88.3 client-id=1:0:8:9b:8c:57:b7 mac-address=
00:08:9B:8C:57:B7 server=default
add address=192.168.88.11 client-id=1:0:1f:d0:5e:dd:18 mac-address=
00:1F:D0:5E:DD:18 server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=
192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=116.228.111.118,180.168.255.18
/ip dns static
add address=192.168.88.1 name=router
add address=184.107.18.92 name=www.botanwang.com
add address=69.171.234.18 name=www.facebook.com
add address=74.125.129.191 name=www.blogger.com
add address=199.59.148.82 name=twitter.com
add address=74.125.129.191 name=www.blogspot.com
add address=199.59.148.10 name=twitter.com
add address=199.59.150.39 name=twitter.com
add address=198.171.79.36 name=whois.net
add address=206.190.36.45 name=www.yahoo.com
add address=74.125.129.141 name=www.appspot.com
add address=190.93.242.99 name=www.bannedbook.org
add address=170.149.168.130 name=www.nytimes.com
add address=72.52.81.84 name=www.epochtimes.com
add address=31.222.74.36 name=www.badoo.com
add address=23.60.125.15 name=www.apple.com
add address=208.80.154.225 name=www.wikipedia.org
add address=174.133.217.98 name=www.kanzhongguo.com
add address=76.74.254.120 name=www.wordpress.com
add address=74.125.224.180 name=www.google.com
add address=38.99.106.19 name=www.wenxuecity.com
add address=50.23.146.178 name=www.iask.ca
add address=199.59.150.39 name=www.twitter.com
add address=69.171.224.42 name=www.facebook.com
add address=206.190.36.45 name=yahoo.com
add address=74.125.129.141 name=appspot.com
add address=141.101.112.100 name=bannedbook.org
add address=170.149.168.130 name=nytimes.com
add address=72.52.81.84 name=epochtimes.com
add address=31.222.74.33 name=badoo.com
add address=74.125.129.191 name=blogspot.com
add address=74.125.129.191 name=blogger.com
add address=17.172.224.47 name=apple.com
add address=208.80.152.201 name=wikipedia.org
add address=174.133.217.98 name=kanzhongguo.com
add address=66.155.11.243 name=wordpress.com
add address=74.125.224.167 name=google.com
add address=38.99.106.19 name=wenxuecity.com
add address=50.23.146.178 name=iask.ca
add address=173.252.110.27 name=facebook.com
add address=74.125.224.161 name=www.youtube.com
add address=74.125.224.160 name=www.youtube.com
add address=72.233.104.124 name=wordpress.com
add address=74.125.224.164 name=plus.google.com
add address=74.125.224.165 name=gmail.google.com
add address=74.125.224.182 name=mail.google.com
add address=74.125.224.162 name=drive.google.com
add address=172.245.61.120 name=www.letscorp.net
add address=172.145.60.120 name=www.letscorp.net
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" src-address=
192.168.87.0/24
add action=masquerade chain=srcnat comment="default configuration" src-address=
192.168.88.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=yes
out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=yes out-interface="(unknown)"
add action=masquerade chain=srcnat disabled=yes out-interface="(unknown)"
to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=yes out-interface="(unknown)"
add action=masquerade chain=srcnat disabled=yes out-interface="(unknown)"
add action=masquerade chain=srcnat disabled=yes out-interface="(unknown)"
add action=masquerade chain=srcnat disabled=yes out-interface="(unknown)"
to-addresses=0.0.0.0
/ip neighbor discovery
set sfp1-gateway disabled=no
set ether1-gateway disabled=yes
set wlan1 disabled=yes
/ip route
add distance=1 dst-address=8.7.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=8.8.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=24.143.192.0/20 gateway=pptp-Linost
add distance=1 dst-address=31.222.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=38.99.106.0/24 gateway=pptp-Linost
add distance=1 dst-address=50.18.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=50.23.146.176/28 gateway=pptp-Linost
add distance=1 dst-address=59.24.3.128/26 gateway=pptp-Linost
add distance=1 dst-address=60.199.175.0/24 gateway=pptp-Linost
add distance=1 dst-address=66.102.0.0/20 gateway=pptp-Linost
add distance=1 dst-address=66.155.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=66.220.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=69.65.0.0/18 gateway=pptp-Linost
add distance=1 dst-address=69.171.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=72.14.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=72.52.81.0/24 gateway=pptp-Linost
add distance=1 dst-address=72.233.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=74.125.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=74.200.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=75.101.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=76.74.254.0/24 gateway=pptp-Linost
add distance=1 dst-address=108.162.195.0/24 gateway=pptp-Linost
add distance=1 dst-address=128.242.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=131.103.192.0/18 gateway=pptp-Linost
add distance=1 dst-address=168.143.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=170.149.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=173.194.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=173.245.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=173.252.64.0/18 gateway=pptp-Linost
add distance=1 dst-address=174.133.217.0/24 gateway=pptp-Linost
add distance=1 dst-address=174.142.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=184.107.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=184.154.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=184.169.128.0/17 gateway=pptp-Linost
add distance=1 dst-address=198.171.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=199.59.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=203.98.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=208.67.216.0/21 gateway=pptp-Linost
add distance=1 dst-address=208.80.152.0/22 gateway=pptp-Linost
add distance=1 dst-address=208.87.32.0/21 gateway=pptp-Linost
add distance=1 dst-address=208.117.0.0/16 gateway=pptp-Linost
add distance=1 dst-address=209.85.229.0/24 gateway=pptp-Linost
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=sfp1-gateway type=external
/ppp secret
add caller-id=posix77 name=l2tp/pptp password=x service=l2tp
add name=leon password=x profile=pptp-profile1
/system clock
set time-zone-name=Asia/Shanghai
/system identity
set name=leonMT
/system logging
add topics=firewall
/system ntp client
set enabled=yes mode=unicast primary-ntp=202.120.2.101 secondary-ntp=
133.100.11.8
/system scheduler
add interval=30m name=OrayDDNS on-event=":execute OrayDDNS" policy=
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
start-date=jan/12/1970 start-time=16:46:39
add interval=30m name=3322dns on-event=":execute 3322dns" policy=
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
start-date=jan/01/1970 start-time=12:41:00
/system script
add name=3322dns-bk policy=
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
source=":local ddnsname x.3322.org\r
\n:local ddnsuser x\r
\n:local ddnspsd x\r
\n:local ddnsinterface [/ip route get [/ip route find dst-address=0.0.0.0/0
active=yes comment="def"] interface]\r
\n:local ddnsip [ /ip address get [/ip address find interface=$ddnsinterfac
e] address]\r
\n:local ddnsip [:pick $ddnsip 0 [:find $ddnsip "/"]]\r
\n:if ($ddnsip =[:resolve $ddnsname]) do={\r
\n:log info "ddns:No change"\r
\n} else={\r
\n:local urlstr ("http://members.3322.org/dyndns/update?system=dyndns&host
name=" . $ddnsname . "&myip=" . $ddnsip)\r
\n/tool fetch url=$urlstr mode=http user=$ddnsuser password=$ddnspsd dst-
path=$ddnsname\r
\n:delay 3\r
\n:local result [/file get $ddnsname contents]\r
\n:log info ($ddnsname . " " . $result)\r
\n/file remove $ddnsname}"
add name=OrayDDNS policy=
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
source="local ipaddr \r
\nlocal server "http://ddns.oray.com"\r
\nlocal domain "x"\r
\nlocal par "/ph/update?&hostname=$domain&myip=$ipaddr"\r
\nlocal users "x"\r
\nlocal paswd "x"\r
\n:set ipaddr [/ip address get [/ip address find interface=pppoe-out1] addre
ss]\r
\n:set ipaddr [:pick $ipaddr 0 ([len $ipaddr] -3)]\r
\n/tool fetch url=($server . $par) mode=http user=$users password=$paswd
"
add name=3322dns policy=
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
source="global ednsuser "x" \r
\nglobal ednspass "x" \r
\nglobal ednshost "x.3322.org" \r
\nglobal ednsinterface "pppoe-out1" \r
\nglobal members "http://members.3322.org/dyndns/update\?system=dyndns"
\r
\nglobal status \r
\nglobal status [/interface get [/interface find name=$ednsinterface] runn
ing] \r
\n\r
\nif ($status!=false) do={ \r
\n:global ednslastip [:resolve $ednshost] \r
\n:if ([ :typeof $ednslastip ] = nil ) do={ :global ednslastip "0" } \r
\n:global ednsiph [ /ip address get [/ip address find interface=$ednsinterf
ace ] address ] \r
\n:global ednsip [:pick $ednsiph 0 [:find $ednsiph "/"]] \r
\n:global ednsstr "&hostname=$ednshost&myip=$ednsip" \r
\n:if ($ednslastip != $ednsip) do={ \r
\n/tool fetch url="$members$ednsstr" mode=http user=$ednsuser password=
$ednspass dst-path=$ednshost \r
\n:delay 4 \r
\n:global result [/file get $ednshost contents] \r
\n:log info ($ednshost . " " .$result) \r
\n/file remove $ednshost ; \r
\n} \r
\n}"
add name=wol2 policy=test source=
"/tool wol interface=ether2 mac=10:bf:48:b7:b4:e6"
add name=wol11 policy=test source=
"/tool wol interface=ether2 mac=00:1f:d0:5e:dd:18"
/tool e-mail
set address=123.58.178.203 password=x user=x
/tool graphing interface
add
/tool mac-server
add disabled=no interface=ether9-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
[admin@leonMT] >

Any findings?

No offense, but your configuration seems messy in my eyes:

  • You have assigned IP 192.168.88.1 to multiple interfaces. wlan1, ether2, ether3, ether4 and ether5 are part of bridge-local, so you should assign it to just one interface (bridge-local in this case) and not to each port.
  • You have assigned this IP to ether10-slave-local too, which is a completely different interface! And there is one more assignment of this IP with no interface specified; what's that?
  • Do you really need to use a bridge for ports ether2-5? You can join them using switch2 (ether2 could be the master port); it will be much faster.
  • You have set 1Gbps manually for ether1-gateway? I think it is not a good idea if you didn't set the speed manually on the other end too. If the other end is set to auto-negotiation, you should use auto-negotiation too.
  • I think it is not a good idea to set DNS records manually; they change. It would be better to use DNS over pptp-Linost if it is manipulated by the great firewall.
  • You have some masquerades with a messy out-interface="(unknown)"; delete them all.
  • I'm not sure if you are really using ether1-gateway as a gateway or it is only the interface that carries pppoe-out1. In the latter case you should remove it from dhcp-client and masquerade.
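As an added example (not Leon's or Zervan's own configuration), here is how the address, switch and NAT parts of the export look when reworked along the lines of the points above. Interface and bridge names are taken from the export; everything else, including the comments and the choice to masquerade per uplink interface instead of per LAN subnet, is a suggestion for illustration.

```routeros
# Added example, not Leon's or Zervan's own config: the address, switch and
# NAT parts of the export reworked along the lines of the advice above.
# Interface and bridge names come from the export; the rest is a suggestion.

# 1. One LAN address on the bridge first, then drop the copies on the member
#    ports. The entry that exports with no interface carries the I (invalid)
#    flag in /ip address print, so it can be found that way.
/ip address
add address=192.168.88.1/24 interface=bridge-local comment="LAN"
remove [find address="192.168.88.1/24" interface=wlan1]
remove [find address="192.168.88.1/24" interface=ether2]
remove [find address="192.168.88.1/24" interface=ether3]
remove [find address="192.168.88.1/24" interface=ether4]
remove [find address="192.168.88.1/24" interface=ether5]
remove [find address="192.168.88.1/24" interface=ether10-slave-local]
remove [find invalid]

# 2. Let the gigabit switch chip forward between ether2-5 at wire speed:
#    the slaves leave the bridge, ether2 becomes their master, and only the
#    master stays bridged with wlan1.
/interface bridge port
remove [find interface=ether3]
remove [find interface=ether4]
remove [find interface=ether5]
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2

# 3. Masquerade by uplink interface so LAN-to-LAN traffic (192.168.88.0/24
#    to the 192.168.87.x PPTP clients) is never translated, then remove the
#    old per-subnet rules and the disabled leftovers, which include every
#    out-interface="(unknown)" rule.
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="PPPoE uplink"
add chain=srcnat out-interface=pptp-Linost action=masquerade comment="PPTP tunnel"
remove [find src-address=192.168.88.0/24]
remove [find src-address=192.168.87.0/24]
remove [find disabled=yes]

# 4. ether1-gateway only carries the PPPoE session: no DHCP client on it,
#    and let it auto-negotiate like the far end does.
/ip dhcp-client remove [find interface=ether1-gateway]
/interface ethernet set ether1-gateway auto-negotiation=yes
```

Run this over a session that survives the reshuffle (the serial console, or a MAC-telnet/WinBox session to bridge-local rather than to one of the ports being moved), and run /export compact again afterwards to confirm nothing else still references the removed entries.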

Hi Zervan, thank you for your suggestions. Yes, ether1-gateway is the gateway interface. There are some messy items, but they are disabled. I will try your suggestions.