SPIKES & SLOW LAN PINGS

rgrocery · March 16, 2020, 8:33pm

Hello,
I have a network with two subnets
Location 1. Mikrotik RB951G-2hnd as my main router with no AP & one subnet (192.168.3.1)
&
2 Mikrotik RB951G-2hnd acting as slave access points connected via ethernet back to the main router for wifi coverage

Location 2. Mikrotik RB951G-2hnd main router with AP on its own subnet (192.168.0.1)

These two routers are linked via a LT2P ipsec.

Problems
The problem I currently have are ping spikes over a lan network and some packet losses.
This network just a few months ago was 0-1ms pinging from devices on the same subnet.
I also have some increased ping times between the two location routers but at this point
I believe it is happening due to an issue at the location 1 router.

Changes:

We recently added 4 new Amcrest IP security cameras.
I thought these devices were the culprit
but disconnecting the cameras physically only lessened the CPU usage
on the router and lowered the ping times just a little.

Besides this I can’t really see what is causing these high pings and packet losses.

Any help would be great.
See location 1 and 2 export configs

MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.46.4 (c) 1999-2020       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level
[josh@Warehouse Main1] > export compact
# mar/16/2020 16:22:17 by RouterOS 6.46.4
# software id = BEUB-UCGA
#
# model = 951G-2HnD
# serial number = 4F4404AEF76D
/interface bridge
add arp=proxy-arp fast-forward=no mtu=1500 name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country="united states" frequency=auto frequency-mode=manual-txpower mode=station-bridge rx-chains=0 ssid="Use me Sommers Wifi" \
    tx-chains=0 wireless-protocol=nv2-nstreme-802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=RGWifi23 wpa2-pre-shared-key=RGWifi23
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.3.100-192.168.3.200
add name=VPN ranges=192.168.3.25-192.168.3.75
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes local-address=VPN name=roadwarrior remote-address=VPN use-encryption=yes
/queue simple
add disabled=yes max-limit=9M/90M name="All Bandwidth" target=192.168.3.0/24
add disabled=yes limit-at=1M/1M max-limit=8M/80M name=Voip parent="All Bandwidth" priority=2/2 target=192.168.3.2/32
add disabled=yes max-limit=8M/80M name="The Rest Of the network" parent="All Bandwidth" priority=3/3 target=bridge1
/queue interface
set ether1 queue=ethernet-default
set wlan1 queue=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=5000
set 1 disk-file-name=log
/user group
add name=sniffer policy=ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
/interface bridge settings
set use-ip-firewall=yes
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret="xxxxxxxxxxxxx" max-mru=1460 max-mtu=1420 use-ipsec=required
/interface pptp-server server
set default-profile=roadwarrior
/interface sstp-server server
set authentication=mschap2 enabled=yes
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=192.168.3.187/32
/ip address
add address=192.168.3.1/24 interface=bridge1 network=192.168.3.0
add address=xx.xx.xx.253/29 interface=ether1 network=xx.xx.xx248
add address=192.168.11.1/24 comment="hotspot network" interface=bridge1 network=192.168.11.0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=192.168.3.81 client-id=1:0:b:82:63:3e:58 comment="Grand Central Analog Wireless Phone Adapter Ext 106" mac-address=00:0B:82:63:3E:58 server=dhcp1
add address=192.168.3.200 client-id=1:0:17:61:10:f2:e7 comment="Warehouse Employee Time Clock" mac-address=00:17:61:10:F2:E7 server=dhcp1
add address=192.168.3.175 client-id=1:48:5d:60:69:f9:12 comment="W Freezer Temp" mac-address=48:5D:60:69:F9:12 server=dhcp1
add address=192.168.3.113 client-id=1:0:15:65:73:ae:19 comment="Yealink Cordless NF 1" mac-address=00:15:65:73:AE:19 server=dhcp1
add address=192.168.3.80 client-id=1:0:b:82:63:48:db comment="Grand Central Analog Wireless Phone Adapter Ext 108" mac-address=00:0B:82:63:48:DB server=dhcp1
add address=192.168.3.196 client-id=1:28:92:4a:b6:9b:dd comment="Warehouse 1st Floor Printer 8600" mac-address=28:92:4A:B6:9B:DD server=dhcp1
add address=192.168.3.121 client-id=1:d8:cb:8a:54:24:8b comment=EPLUM mac-address=D8:CB:8A:54:24:8B server=dhcp1
add address=192.168.3.136 always-broadcast=yes client-id=1:3c:d9:2b:6c:60:f7 comment="NF2 Pricing" mac-address=3C:D9:2B:6C:60:F7 server=dhcp1
add address=192.168.3.100 client-id=1:9c:ad:ef:20:5e:ac comment="OBI Fax Device" mac-address=9C:AD:EF:20:5E:AC server=dhcp1
add address=192.168.3.172 client-id=1:ec:b1:d7:c7:84:47 comment="Warehouse Basement Printer HP 8610" mac-address=EC:B1:D7:C7:84:47 server=dhcp1
add address=192.168.3.138 client-id=1:0:21:70:5c:a2:38 mac-address=00:21:70:5C:A2:38 server=dhcp1
add address=192.168.3.108 client-id=1:78:61:7c:e9:39:3f comment=IT-Tablet mac-address=78:61:7C:E9:39:3F server=dhcp1
add address=192.168.3.167 client-id=1:0:b:82:63:12:da comment="Warehouse LunchRoom 112" mac-address=00:0B:82:63:12:DA server=dhcp1
add address=192.168.3.6 client-id=1:0:15:5d:3:c6:1 comment="Leviticus VTC DB" mac-address=00:15:5D:03:C6:01 server=dhcp1
add address=192.168.3.103 client-id=1:0:15:5d:3:c6:3 comment=SL-Server mac-address=00:15:5D:03:C6:03 server=dhcp1
add address=192.168.3.5 client-id=1:0:15:5d:3:c6:4 comment=NumbersQB mac-address=00:15:5D:03:C6:04 server=dhcp1
add address=192.168.3.139 mac-address=00:50:C2:E3:ED:54 server=dhcp1
add address=192.168.3.4 client-id=1:0:15:5d:3:c6:2 mac-address=00:15:5D:03:C6:02 server=dhcp1
add address=192.168.3.180 comment="Verizon Network Extender Basement" mac-address=20:DB:AB:1F:DC:44 server=dhcp1
add address=192.168.3.194 client-id=1:10:bf:48:4f:15:36 comment="2nd Floor VTC" mac-address=10:BF:48:4F:15:36 server=dhcp1
add address=192.168.3.137 comment="Server Room Main Switch Netgear" mac-address=A0:04:60:01:2C:37 server=dhcp1
add address=192.168.3.154 client-id=1:0:15:5d:3:a5:2 comment=Kaspersky mac-address=00:15:5D:03:A5:02 server=dhcp1
add address=192.168.3.174 client-id=1:d0:17:c2:ae:ff:10 mac-address=D0:17:C2:AE:FF:10 server=dhcp1
add address=192.168.3.150 client-id=1:d8:cb:8a:3b:5e:61 mac-address=D8:CB:8A:3B:5E:61 server=dhcp1
add address=192.168.3.101 client-id=1:d4:ca:6d:da:7a:85 comment="2nd Floor wifi" mac-address=D4:CA:6D:DA:7A:85 server=dhcp1
add address=192.168.3.105 client-id=1:4c:5e:c:b9:6c:9d comment="Basement WIFI" mac-address=4C:5E:0C:B9:6C:9D server=dhcp1
add address=192.168.3.2 client-id=1:c0:25:e9:f:23:33 comment="3CX 2 NIc Card" mac-address=C0:25:E9:0F:23:33 server=dhcp1
add address=192.168.3.3 client-id=1:18:66:da:9f:23:49 mac-address=18:66:DA:9F:23:49 server=dhcp1
add address=192.168.3.178 client-id=1:9c:8e:cd:22:b:7b comment="C W1 Basement Door" mac-address=9C:8E:CD:22:0B:7B server=dhcp1
add address=192.168.3.134 client-id=1:9c:8e:cd:21:b8:68 comment="C W1 2nd Floor Food Side" mac-address=9C:8E:CD:21:B8:68 server=dhcp1
add address=192.168.3.135 client-id=1:9c:8e:cd:21:b7:bd comment="C W1 2nd Floor Dock Door" mac-address=9C:8E:CD:21:B7:BD server=dhcp1
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.3.133 list="Block IP CAM"
add address=192.168.3.134 list="Block IP CAM"
add address=192.168.3.135 list="Block IP CAM"
add address=192.168.3.178 list="Block IP CAM"
/ip firewall filter
add action=drop chain=forward comment="IP cam 133" disabled=yes dst-address=0.0.0.0/0 log=yes src-address=192.168.3.133
add action=drop chain=forward comment="IP cam 133" disabled=yes dst-address=192.168.3.133 src-address=192.168.3.0/24
add action=drop chain=forward comment="IP cam 134" disabled=yes dst-address=0.0.0.0/0 src-address=192.168.3.134 src-mac-address=9C:8E:CD:21:B8:68
add action=drop chain=forward comment="IP cam .135" disabled=yes dst-address=0.0.0.0/0 src-address=192.168.3.135 src-mac-address=9C:8E:CD:21:B7:BD
add action=drop chain=forward comment="IP cam .178" disabled=yes dst-address=0.0.0.0/0 src-address=192.168.3.178 src-mac-address=9C:8E:CD:22:0B:7B
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input protocol=icmp
add action=drop chain=forward src-address-list="Block IP CAM"
add action=accept chain=input comment="Allow all things ipsec from anywhere" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="established, related" connection-state=established,related
add action=accept chain=forward comment="established, related" connection-state=established,related
add action=accept chain=input comment="established, related" connection-state=new
add action=accept chain=forward comment="established, related" connection-state=new
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=443 protocol=tcp
add action=drop chain=input connection-state="" in-interface=ether1
add action=drop chain=forward connection-nat-state=!dstnat connection-state="" in-interface=ether1
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1 protocol=udp to-addresses=192.168.3.2 to-ports=5060
add action=accept chain=dstnat dst-port=5000 in-interface=ether1 protocol=tcp
add action=dst-nat chain=dstnat dst-port=9000-9500 in-interface=ether1 protocol=udp to-addresses=192.168.3.2 to-ports=9000-9049
add action=dst-nat chain=dstnat dst-port=5090 in-interface=ether1 protocol=tcp to-addresses=192.168.3.2 to-ports=5090
add action=dst-nat chain=dstnat dst-port=5090 in-interface=ether1 protocol=udp to-addresses=192.168.3.2 to-ports=5090
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=192.168.3.103 to-ports=3389
/ip firewall service-port
set sip disabled=yes
/ip hotspot user
add name=admin password=admin
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=xx.xx.xx.xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.3.0/24,192.168.0.0/24,10.0.9.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.3.0/24,192.168.0.0/24,65.189.40.65/32
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/ppp secret
add comment="for remote users" name=roadwarrior password=xxxxxxxxxxxxx profile=roadwarrior service=l2tp
add comment="for store" local-address=10.0.5.1 name=store password=xxxxxxxxxxx profile=default-encryption remote-address=10.0.5.2 routes="192.168.0.0/24 10.0.5.2" service=l2tp
/system clock
set time-zone-name=America/New_York
/system identity
set name="Warehouse Main1"
/system logging
add topics=info
/system ntp client
set enabled=yes primary-ntp=13.65.245.138 secondary-ntp=199.102.46.73
/system scheduler
add name="Reboot schedule" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/25/2018 start-time=13:28:12
/system script
add dont-require-permissions=no name="fasttrack Ipsec " owner=josh policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall mangle add action=mark-connection c\
    hain=forward comment=\"mark ipsec connections\" ipsec-policy=out,ipsec new-connection-mark=ipsec\r\
    \n/ip firewall mangle add action=mark-connection chain=forward comment=\"mark ipsec connections\" ipsec-policy=in,ipsec new-connection-mark=ipsec"
add dont-require-permissions=no name=FastTrack owner=josh policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall filter add chain=forward action=fasttrack-co\
    nnection connection-state=established,related connection-mark=!ipsec\r\
    \n/ip firewall filter add chain=forward action=accept connection-state=established,related"
/tool romon
set enabled=yes
[josh@Warehouse Main1] >

rgrocery · March 16, 2020, 8:34pm

One thing I did find odd when exporting the config was that my ethernet ports are all set to 100mbps!!
Not sure what that is about!

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps

rgrocery · March 16, 2020, 8:45pm

Oddly within Winbox the ports that are live are set to gigabit.

mkx · March 16, 2020, 9:09pm

Ethernet port speed settings are not of concern as long as ports are set to auto-negotiation=yes and the advertise= is set appropriately.

Other than that, you’re really stretching your RB951G devices: you’re disabling switching in hardware (by setting hw=no), forcing all traffic through firewall (by setting use-ip-firewall=yes). And keep in mind that RB951G does IPsec encryption in software.

What does /tool profile show? What is CPU load?

rgrocery · March 17, 2020, 1:58pm

Hey Mkx,
thanks for the reply!
IP Firewall, I just recently turned this on to see if it alleviated anything.
It looked like it did but I don’t have a ton of knowledge concerning it.
CPU Load ranges from: 40 to 70% with IP Firewall Off
CPU Load ranges from: 20 to 60% with IP Firewall On
These fluctuate wildly but never hit 100% or even 90% on either setting but I do believe I see spikes in ping when these higher percentages are seen

See picture for
Profile tool

I have figured out that encrypting is related to my vpn,
however I would think this would drop when I kill the cameras manually when unplugging and or use a firewall rule to block them.

Note: the 4 camera’s NVR is at location 2, so camera traffic when allowed is going over the vpn which
i would expect some load from encryption but I would also expect this would drop
when I kill the cameras and or use a firewall rule to block them, however this has not been the case.
The loads persist and the pings are still spiking from 0ms to as high as 300ms(usually around 150 ms are the spikes) at each subnet(router).

Concerning HW: how do I set this?
I thought I read that this model of router didn’t have it.

Thank you a lot for the help. Not sure whats up with these routers.
Is 70% utilization too high for these?

rgrocery · March 17, 2020, 2:06pm

I forgot one other problem.

Our ISP speeds are 250 down and 20 up
Upload seems fine but our download seems capped at
100, which is why the interface set speeds in the export config bothered me.

This issue occured after we had someone configure our vpn with ipsec and did not adjust the fast forward rule. After I adjusted this rule years ago our speeds were back up. However it doesnt look like anything has changed with that rule.

mkx · March 17, 2020, 6:01pm

There are many things that I personally think are wrong. Perhaps you should hire an expert to get things straight?

rgrocery · March 17, 2020, 7:03pm

Do you recommend anyone?
This network was originally set up by a company and left us with the ipsec and fast forward issue. After that I felt less confident with them.