A brief overview of my setup:
I have an RB2011 UiAS with 2 WANs connected, one for primary use and another for failover.
I also force some connections through the second ISP with the mangle table.
One of these forced connections to WAN-2 is SSH to a server, which freezes for short periods of time when I type text every few seconds.
In Wireshark on my local PC I see lots of TCP retransmissions.
ICMP echoes are flowing well in both directions.
Now:
- If I disconnect the WAN-1 and all traffic goes through WAN-2, this SSH connection works perfectly.
- If I make WAN-2 primary and WAN-1 the failover and force this SSH session through WAN-1, these freezes now repeat on WAN-1.
This makes me think that there’s a problem with RouterOS or my setup.
Now the fun part!
If I start the packet sniffer in RouterOS to investigate the problem a little, suddenly everything works well: no freezes, no retransmissions.
If I stop the sniffer again, it's all slow again. I tried this a number of times and there's no mistake: starting a sniffer (no matter what interface to capture or what filter to apply) always cures my SSH problem.
Please help / share your thoughts on why this might happen.
Details follow.
ether9 is our WAN-1 (ISP called Avtovo) and ether10 is WAN-2 (ISP called Domru).
I use recursive routes (dynamic on-link routes, tunnels and some neighbour networks not shown):
1 A S ;;; Domru #1
dst-address=0.0.0.0/0 gateway=10.208.176.1 gateway-status=10.208.176.1 reachable via ether10 distance=1 scope=30
target-scope=10 routing-mark=ISP_Domru
2 A S ;;; Avtovo #1
dst-address=0.0.0.0/0 gateway=xx.xx.94.193 gateway-status=xx.xx.94.193 reachable via ether9 distance=1 scope=30
target-scope=10 routing-mark=ISP_Avtovo
3 A S ;;; Avtovo #2 (ya.ru)
dst-address=0.0.0.0/0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via xx.xx.94.193 ether9 check-gateway=ping
distance=1 scope=30 target-scope=10
4 S ;;; Domru #2 (youtube.com)
dst-address=0.0.0.0/0 gateway=173.194.221.91 gateway-status=173.194.221.91 recursive via 10.208.176.1 ether10
check-gateway=ping distance=2 scope=30 target-scope=10
6 A S ;;; Domru #3
dst-address=173.194.221.91/32 gateway=10.208.176.1 gateway-status=10.208.176.1 reachable via ether10 distance=1 scope=10
target-scope=10
13 A S ;;; Avtovo #3
dst-address=213.180.204.3/32 gateway=xx.xx.94.193 gateway-status=xx.xx.94.193 reachable via ether9 distance=1 scope=10
target-scope=10
Mangle rules used:
6 ;;; Additional marks for Domru
chain=prerouting action=mark-connection new-connection-mark=ISP_Domru_conn passthrough=yes connection-state=new
dst-address-list=redirect_domru connection-mark=no-mark in-interface-list=lans log=no log-prefix=""
7 ;;; Multi-routing
chain=input action=mark-connection new-connection-mark=ISP_Avtovo_conn passthrough=yes in-interface=ether9 log=no log-prefix=""
8 chain=input action=mark-connection new-connection-mark=ISP_Domru_conn passthrough=yes in-interface=ether10 log=no log-prefix=""
9 chain=output action=mark-routing new-routing-mark=ISP_Avtovo passthrough=yes connection-mark=ISP_Avtovo_conn log=no log-prefix=""
10 chain=output action=mark-routing new-routing-mark=ISP_Domru passthrough=yes connection-mark=ISP_Domru_conn log=no log-prefix=""
11 chain=prerouting action=mark-connection new-connection-mark=ISP_Avtovo_conn passthrough=yes connection-mark=no-mark
in-interface=ether9 log=no log-prefix=""
12 chain=prerouting action=mark-connection new-connection-mark=ISP_Domru_conn passthrough=yes connection-mark=no-mark
in-interface=ether10 log=no log-prefix=""
13 chain=prerouting action=mark-routing new-routing-mark=ISP_Avtovo passthrough=yes connection-mark=ISP_Avtovo_conn
in-interface-list=!wans-real log=no log-prefix=""
14 chain=prerouting action=mark-routing new-routing-mark=ISP_Domru passthrough=yes connection-mark=ISP_Domru_conn
in-interface-list=!wans-real log=no log-prefix=""