RouterOS NAT and DNS issue.

RouterOS General
1

Hi

Im tearing my hair out with a ROS issue. Whereby approximatly every 10 minutes NAT connections are broken. Unfortunatly after this occurs, any machines on the internal LAN’ ability to DNS lookup, ping, browse web, nslookup, create new NAT connections tend to be broken. Not totally broken, as I can see the entries being added to the DNS cache on the RB, but no ability to ping. Occasionally this is fixable by a dns flush on the RB followed by a nslookup on a local machine to the outside world. But this may not be the case for all the machiens on the lan. IE, at anyone point at the two computers infront of me, id be lucky if both can ping google at the same time. The every 10 minute closing of NAT connections is problematic due the number of programs and computers on the network requiring a persistant NAT connection making port forwards and the like infeasable.


Anyone have any suggestions on how I can get this Router working consistently and stable?

Heres the current config and a few outputs.

[admin@BlueRoute] > ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          203.16.215.174     1       
 1 X S  0.0.0.0/0          10.10.1.254     Internode          1       
 2 ADC  10.10.1.0/24       10.10.1.254     BlueRoute          0       
                                           BlueNET           
 3 ADC  203.16.215.174/32  121.45.68.14    Internode          0       


[admin@BlueRoute] > ip firewall nat print  
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=Internode


[admin@BlueRoute] > ip firewall mangle print all
Flags: X - disabled, I - invalid, D - dynamic 
 0 D chain=forward action=change-mss new-mss=1440 tcp-flags=syn protocol=tcp 
     in-interface=Internode tcp-mss=1441-65535 

 1 D chain=forward action=change-mss new-mss=1452 tcp-flags=syn protocol=tcp 
     out-interface=Internode tcp-mss=1453-65535




# apr/04/2010 12:38:08 by RouterOS 5.0beta1
# software id = FEFF-6IY9
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment=LAN disabled=no full-duplex=\
    yes l2mtu=1526 mac-address=00:0C:42:3F:89:2C mtu=1500 name=BlueNET speed=\
    100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    WAN disabled=no full-duplex=yes l2mtu=1522 mac-address=00:0C:42:3F:89:2D \
    master-port=none mtu=1500 name=ADSL speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=yes full-duplex=yes mac-address=00:0C:42:3F:89:2E \
    master-port=none mtu=1500 name=ether3 speed=100Mbps

/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1

/ip pool
add name=BluePool ranges=10.10.1.16-10.10.1.253

/ip dhcp-server
add address-pool=BluePool authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=BlueNET lease-time=3d name=BlueDHCP
add address-pool=BluePool authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=BlueRoute lease-time=3d name=BlueDHCP2

/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
    stop-bits=1

/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
    use-compression=default use-encryption=default use-mpls=default \
    use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
    only-one=default use-compression=default use-encryption=yes use-mpls=\
    default use-vj-compression=default

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap comment=\
    "Internode ADSL2+ Connection" dial-on-demand=no disabled=no interface=\
    ADSL max-mru=1480 max-mtu=1480 mrru=disabled name=Internode password=\
    <blanked> profile=default service-name="" use-peer-dns=yes user=\
    <blanked>@<blanked>

/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
    sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
    red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
    5
set default-small kind=pfifo name=default-small pfifo-limit=10


/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
    boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
    enter-setup-on=any-key force-backup-booter=no
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
    boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
    enter-setup-on=any-key force-backup-booter=no

/interface bridge port
add comment="" disabled=no edge=auto external-fdb=auto horizon=none \
    interface=BlueNET path-cost=10 point-to-point=auto priority=0x80
add comment="" disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ADSL path-cost=10 point-to-point=auto priority=0x80
add comment="" disabled=no edge=auto external-fdb=auto horizon=none \
    interface=BlueRoute path-cost=10 point-to-point=auto priority=0x80

/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no

/ip address
add address=192.168.88.1/24 broadcast=192.168.88.255 comment=\
    "default configuration" disabled=yes interface=BlueNET network=\
    192.168.88.0
add address=10.10.1.254/24 broadcast=10.10.1.255 comment="" disabled=no \
    interface=BlueNET network=10.10.1.0
add address=10.10.1.254/24 broadcast=10.10.1.255 comment="" disabled=no \
    interface=BlueRoute network=10.10.1.0

/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=0 disabled=no \
    interface=ADSL use-peer-dns=yes use-peer-ntp=yes
add add-default-route=yes comment="" default-route-distance=0 disabled=yes \
    interface=BlueNET use-peer-dns=yes use-peer-ntp=yes

/ip dhcp-server config
set store-leases-disk=5m

/ip dhcp-server lease
add address=10.10.1.98 client-id=1:0:1e:8c:cb:bc:e7 comment="" disabled=no \
    mac-address=00:1E:8C:CB:BC:E7 server=BlueDHCP
add address=10.10.1.97 client-id=1:0:15:f2:94:de:58 comment="" disabled=no \
    mac-address=00:15:F2:94:DE:58 server=BlueDHCP

/ip dhcp-server network
add address=10.10.1.0/24 comment="" dns-server=10.10.1.254 gateway=\
    10.10.1.254

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=192.231.203.132,192.231.203.3

/ip firewall connection tracking
set enabled=no generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=accept chain=input comment="Accept established connections" \
    connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" \
    connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=input comment=UDP disabled=no protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no \
    limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=\
    icmp
add action=accept chain=input comment="From our LAN" disabled=no src-address=\
    10.10.1.0/24
add action=log chain=input comment="Log everything else" disabled=no \
    log-prefix="DROP INPUT"

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    Internode

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip route
add comment="" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    Internode pref-src=10.10.1.254 scope=30 target-scope=10

/ip service
set telnet address=10.10.1.0/24 disabled=no port=23
set ftp address=10.10.1.0/24 disabled=no port=21
set www address=10.10.1.0/24 disabled=no port=80
set ssh address=10.10.1.0/24 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=10.10.1.0/24 disabled=no port=8291

/ip ssh
set forwarding-enabled=yes

/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=yes

/ip upnp interfaces
add disabled=no interface=BlueNET type=internal
add disabled=no interface=ADSL type=internal
add disabled=no interface=ether3 type=internal
add disabled=no interface=Internode type=external
add disabled=no interface=BlueRoute type=internal
add disabled=no interface=wlan2 type=internal

/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes

/mpls interface
add comment="" disabled=no interface=all mpls-mtu=1508

/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
    lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no

/queue interface
set BlueNET queue=ethernet-default
set ADSL queue=ethernet-default
set ether3 queue=ethernet-default
set Internode queue=default
set BlueRoute queue=wireless-default
set wlan2 queue=wireless-default

/routing bfd interface
set all comment="" disabled=no interface=all interval=0.2sec min-rx=0.2sec \
    multiplier=5

/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50

/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s

/store
add comment="" disabled=no disk=micro-sd name=MicroSD
add comment="" disabled=no disk=system name=web-proxy1 type=web-proxy

/system identity
set name=BlueRoute

/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical

A few lines have been stripped from the config export as they were unlikely to matter to this issue.

2

to make this router work stable - don’t use early beta versions of RouterOS :smiley:

download and install latest stable version (v4.6)

3

thanks for the responce Chupaka, however even using 4.5 and 4.6, im still loosing NAT connections every 10 minutes which is making the RB close to unusable.

4

Would you please explain this. Why two dhcp-server interfaces and the same ip pool?

What interface is BlueRoute? Is this a bridge? I don’t see it on “/interface ethernet” or the pppoe-client, and there is no bridge name in any of the “/ip bridge port” entries.

5

BlueRoute within the DHCP servers is a wireless AP

6

Next question:

Same ip subnets? That will be a difficult route! Might want to either assign separate subnets or bridge those two interfaces and assign the ip/subnet and dhcp server to the bridge.

ADD: If you bridge them, may I suggest the bridge name “BlueBridge”.

7

Wow, didn’t even consider that routing nightmare as I hadn’t been thinking about the wireless side of the network.

Adding in that bridge (As BlueBridge :slight_smile: ) seems to have solved the issue. Ill let things run overnight in this configuration to make totally sure.