Urgent - please help with my network outage

Hello all,

I have Mikrotik running with 4 nics. I don’t know how to export my configuration (yet). It was running fine until earlier today. Do not know what happened/changed.

I have 2 DHCP servers running on 2 of the NICs. They both hand out/assign IPs with no problem. DNS servers are also registered with the requesting machine.

Here is my problem: I can ping/tracert from any DHCPed machine through the Mikrotik and out to any IP/web site and get a success. I cannot, however, load ANY web page through either NIC.

They appear to be configured correctly, but I am a bit of a newbie at this. As I said, it was running fine earlier.

What do I need to check? Or what info can I provide to help out?

Could this be some kind of DOS or DNS attack?

Again, this is an urgent problem. I would greatly appreciate any help,

Jakkwb

post a traceroute from your clients,
post your src-nat/dst-nat settings so people know exactly what's running there.

post a traceroute from your clients:

from one of my office machines that can ping/tracert, but cannot get web pages:

tracert yahoo.com 216.109.112.135
first hop 172.16.1.1 (office-gateway NIC on Mikrotik)
x.y.z.1 Cisco gateway router (nothing changed on this machine at all - has always worked perfectly)
out to yahoo - get there fine.

post your src-nat/dst-nat settings so people know exactly what's running there.

The only NAT rule I have is this one:

ip firewall nat add chain=srcnat action=masquerade out-interface=Public

Which I got from the Mikrotik web site, and an earlier post from me. This worked fine until today. I originally could not get DHCPed machines to have any access at all past the Mikrotik, and was told I needed this masquerade rule. When I put it in, it started working.

I can supply any other needed info.

Thank you for the post,

Jakkwb

check whether you enabled transparent proxy in hotspot profiles

Yes, that actually is enabled under the default profile, but I am not using wireless or hotspots on this router.

Advice?

in winbox

open new terminal
type in “export file=routerconfig”
press enter
open “files” in winbox
drag and drop the “routerconfig.src” onto your pc desktop or location of your choice
open this file with app like notepad2 (or notepad)
copy the text (changing your real IPs) and paste it in the forum

Maybe we can then see what's wrong

ok, here it is:

# nov/14/2007 20:54:45 by RouterOS 2.9.43
# software id = DQ5H-6XT

/ interface ethernet
set Public-gateway name="Public-gateway" mtu=1500
mac-address=00:10:4B:C5:25:68 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps
comment="" disabled=no
set "PTP to Black Rock" name="PTP to Black Rock" mtu=1500
mac-address=00:60:97:C9:B5:79 arp=enabled disable-running-check=yes
auto-negotiation=no full-duplex=no cable-settings=default speed=10Mbps
comment="" disabled=no
set "PTP to Hoxie" name="PTP to Hoxie" mtu=1500 mac-address=00:B0:D0:16:A5:BF
arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no
set Office-network name="Office-network" mtu=1500
mac-address=00:A0:C9:89:46:A6 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps
comment="" disabled=no
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2
keepalive-timeout=30 default-profile=default-encryption
/ ip pool
add name="Office-pool" ranges=172.16.1.2-172.16.1.254
add name="Wireless-pool" ranges=192.168.2.10-192.168.2.254
/ ip service
set telnet port=23 address=192.168.1.0/24 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=yes
set www port=80 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=68.95.120.3 secondary-dns=68.95.120.4
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip dns static
add name="gate.westweb1.net" address=68.95.120.3 ttl=1d
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m
inactive-flow-timeout=15s
/ ip address
add address=68.95.120.4/26 network=68.95.120.0 broadcast=68.95.120.63
interface=Public-gateway comment="added by setup" disabled=no
add address=68.95.120.129/26 network=68.95.120.128 broadcast=68.95.120.191
interface="PTP to Black Rock" comment="" disabled=no
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255
interface="PTP to Hoxie" comment="" disabled=no
add address=172.16.1.1/24 network=172.16.1.0 broadcast=172.16.1.255
interface=Office-network comment="" disabled=no
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000
maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying"
disabled=no
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip neighbor discovery
set Public-gateway discover=yes
set "PTP to Black Rock" discover=yes
set "PTP to Hoxie" discover=yes
set Office-network discover=yes
/ ip route
add dst-address=0.0.0.0/0 gateway=68.95.120.1 distance=1 scope=255
target-scope=10 comment="added by setup" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=Public-gateway icmp-options=0:0-255
action=masquerade comment="" disabled=no
/ ip firewall filter
add chain=forward connection-state=established action=accept comment="allow
established connections" disabled=yes
add chain=forward connection-state=related action=accept comment="allow
related connections" disabled=yes
add chain=forward connection-state=invalid action=drop comment="drop invalid
connections" disabled=yes
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="drop
blaster worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="drop
messenger worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="drop blaster
worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="drop blaster
worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="don't know"
disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="don't
know" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="drop mydoom"
disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="don't know"
disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="worm"
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="drop bagle
virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="drop dumaru.Y"
disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="drop Beagle"
disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop
MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor
OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop
Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop
Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop
MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop
SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot,
Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus
chain" disabled=yes
add chain=forward protocol=icmp action=accept comment="allow ping"
disabled=yes
add chain=forward protocol=udp action=accept comment="allow udp" disabled=yes
add chain=forward action=drop comment="drop everything else" disabled=yes
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2s comment="port
scanners to list" disabled=yes
add chain=input protocol=tcp dst-port=22 src-address-list=black_list
action=drop comment="drop ssh brute forcers" disabled=yes
add chain=input protocol=tcp dst-port=22 connection-state=new
src-address-list=ssh_stage3 action=add-src-to-address-list
address-list=black_list address-list-timeout=1d comment="" disabled=yes
add chain=input protocol=tcp dst-port=22 connection-state=new
src-address-list=ssh_stage2 action=add-src-to-address-list
address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=yes
add chain=input protocol=tcp dst-port=22 connection-state=new
src-address-list=ssh_stage1 action=add-src-to-address-list
address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=yes
add chain=input protocol=tcp dst-port=22 connection-state=new
action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m comment="" disabled=yes
add chain=sanity-check protocol=tcp psd=50,3s,3,1
action=add-src-to-address-list address-list=blocked-addr
address-list-timeout=1d comment="Block port scans (causes high cpu
load)" disabled=yes
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=blocked-addr
address-list-timeout=1d comment="Block TCP Null scan" disabled=yes
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=blocked-addr
address-list-timeout=1d comment="Block TCP Xmas scan" disabled=yes
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump
jump-target=drop comment="" disabled=yes
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop
comment="Drop TCP RST" disabled=yes
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump
jump-target=drop comment="Drop TCP SYN+FIN" disabled=yes
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s
tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m
tcp-syncookie=no
/ ip dhcp-server
add name="Office-DHCP" interface=Office-network lease-time=3d
address-pool=Office-pool bootp-support=static add-arp=yes
authoritative=after-2sec-delay disabled=no
add name="Wireless-network" interface="PTP to Hoxie" lease-time=3d
address-pool=Wireless-pool bootp-support=static add-arp=yes
authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
dns-server=68.95.120.3,68.95.120.4 domain="westweb1.net"
dhcp-option=(unknown) comment=""
add address=192.168.2.0/24 gateway=192.168.2.1
dns-server=68.95.120.3,68.95.120.4 domain="westweb1.net" comment=""
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name=""
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d
split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 transparent-proxy=no
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=3128 hostname="proxy"
transparent-proxy=no parent-proxy=0.0.0.0:0
cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system
max-cache-size=none max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying"
disabled=no
/ ip web-proxy cache
add url=":cgi-bin \?" action=deny comment="don't cache dynamic http pages"
disabled=no
/ system logging
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0
check-interval=1d user=""
/ system clock manual
set time-zone=+00:00 dst-delta=+00:00 dst-start="jan/01/1970 00:00:00"
dst-end="jan/01/1970 00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes
no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
set name="MikroTik"
/ system note
set show-at-login=yes note=""
/ system lcd
set enabled=no type=24x4 port=parallel contrast=0
/ system lcd page
set time display-time=5s disabled=yes
set resources display-time=5s disabled=yes
set uptime display-time=5s disabled=yes
set packets display-time=5s disabled=yes
set bits display-time=5s disabled=yes
set version display-time=5s disabled=yes
set Public-gateway display-time=5s disabled=yes
set "PTP to Black Rock" display-time=5s disabled=yes
set "PTP to Hoxie" display-time=5s disabled=yes
set Office-network display-time=5s disabled=yes
/ system health
set state-after-reboot=enabled
/ system routerboard bios
set
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1
flow-control=hardware
set serial1 name="serial1" baud-rate=9600 data-bits=8 parity=none stop-bits=1
flow-control=hardware
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default
use-encryption=default only-one=default change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default
use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5
sfq-allot=1514
add name="default-small" kind=pfifo pfifo-limit=10
/ queue interface
set Public-gateway queue=ethernet-default
set "PTP to Black Rock" queue=ethernet-default
set "PTP to Hoxie" queue=ethernet-default
set Office-network queue=ethernet-default
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10
streaming-enabled=no streaming-server=0.0.0.0 filter-stream=yes
filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535
filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ user
add name="admin" group=full address=68.95.120.0/26 comment="system default
user" disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f
tp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password
,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo
x,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius
add service=ppp,login called-id="" domain="westweb1.net" address=68.95.120.3
secret="hello" authentication-port=1645 accounting-port=1646 timeout=600ms
accounting-backup=no realm="" comment="" disabled=no
/ radius incoming
set accept=yes port=1645
/ driver
/ snmp
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no
redistribute-static=no redistribute-rip=no redistribute-bgp=no
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20
metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate
authentication=none disabled=no
/ routing bgp instance
set default name="default" as=65530 router-id=0.0.0.0
redistribute-connected=no redistribute-static=no redistribute-rip=no
redistribute-ospf=no redistribute-other-bgp=no out-filter=""
client-to-client-reflection=yes ignore-as-path-len=no comment=""
disabled=no
/ routing rip
set distribute-default=never redistribute-static=no redistribute-connected=no
redistribute-ospf=no redistribute-bgp=no metric-default=1 metric-static=1
metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s
timeout-timer=3m garbage-timer=2m
/ routing rip interface
add interface=all receive=v2 send=v2 authentication=none authentication-key=""
key-chain="" in-filter="" out-filter="" disabled=no


Thanks a million,

Jakkwb

jakkwb -
First thing I would do is disable your filtering rules - all of them. Dimitry’s firewalling rule set is very good and comprehensive - but if you don’t know what you are doing you can ‘shoot yourself in the foot’ - so disable all that for the moment. Then if everything works - go through the rules, understand what they are and enable sections at a time making sure everything works.

One thing you didn’t actually specify - do the pages not load or do they say the site cannot be found? There is a big difference… The reason I ask is one of your rules below drops all UDP traffic - DNS is udp based…

Thanks for the tips, Thom.

I actually found the rule that said to drop all UDP last night after my last post. After I disabled it, one of the interfaces started working (Office-network). The other, PTP-H, still does not bring up web pages. It tries - sits for several minutes as the progress bar slowly moves, but never loads. I can still ping and tracert the same web page through that interface. IE says “opening (web page)” at the bottom of the screen.

I now have all filters disabled. I am getting the same results.

Thank you again,

Jakkwb

jakkwb -
Ok - office Internet is working…

PTP-H - this looks like a wireless hotspot interface - is it?
Are you getting a correct IP when you are connected to this interface - looks like between 192.168.2.10 - 192.168.2.xx
When you ping or traceroute - do you use the IP address or the domain name 216.218.186.2 vice http://www.he.net ? It makes a difference so be precise.

Thom, hi again. After I disabled all the other filters, I waited a bit then rebooted the router.

I do not have a hotspot, this PTP is a wireless PTP to a Motorola Canopy tower.

I can ping from a remote Canopy connected PC using IP or domain name successfully. I can also ping (ip or name) from Mikrotik out to web pages.

Yes, the above PC has the proper IP and subnet assigned to it.

Web pages still do not come through on this interface. What is interesting, after the reboot above, it worked for a few minutes, then slowed to a crawl/non-working again.

I need to do some reading on the filters.

Thanks for all your help.

please, someone help me with this…

How can I test the NIC cards in Mikrotik?

Please help me. The web performance on the PTP-H is dismal. Something is wrong with my setup, but I do not know what it is.

Anyone?

can you post (from a terminal window) /ip route print and /ip route rule print

There are no route rules.

Here are the routes:

Terminal vt102 detected, using multiline input mode
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC G GATEWAY DIS

0 A S ;;; added by setup
0.0.0.0/0 r 68.95.120.1 1
1 ADC 68.95.120.0/26 192.168.2.1 0
2 ADC 68.95.120.128/26 68.95.120.129 0
3 ADC 169.254.1.0/24 169.254.1.1 0
4 ADC 192.168.2.0/24 192.168.2.1 0

Thank you.

As you can tell, I have been messing with it all day long. I changed the IP information for the Office-network. Also changed that NIC card (it seemed a bit flakey)

Anyway, there are a few pages now and then that come through (via a remote PC connected to a Motorola Canopy radio on the PTP-H interface). I can still ping and tracert anywhere from that same PC. Just web data is very slow, mostly not working at all.

The office network is running fine, now.

If you’ll notice on the DC routes, Mikrotik software automatically assigns the wrong preferred source and interface for 1 & 3 (why does it do that?). It does not show the interfaces on the post above, but they are wrong. It will not let me change them. This has been going on for days; I posted previously about it, but no fix. That may be my whole problem, perhaps.

One more thing, do I need just one NAT/Masquerade rule for both sets of private IPs, or do I need a rule for each of them?

Thank you again.

winbox - IP / then route / once in the route window go to the rule tab. Hit the ‘+’ to add a rule. src-addr 0.0.0.0/0 dst-addr 0.0.0.0/0 action lookup Table main


Thom

add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="don't know" disabled=no

If I’m not mistaken this rule would drop web traffic because the traffic coming back to your computer from the web server would probably be destined to port 1024 or just higher (random to a certain extent).

You can’t drop that range of ports like you are - I think that was your problem IMO

Scott
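
The check Scott describes above, as an added example (not part of the original thread and not MikroTik code): a reply from a web server arrives with its destination port set to the client's source port, so an enabled drop rule on a high dst-port with no connection-state match can hit it unless an "accept established" rule runs first. The sample rules are constructed from the export posted earlier, with the jump into the virus chain enabled. The parser assumes wrapped continuation lines never start with "add " or "/", and the walk treats every jump as unconditional.

```python
import shlex

FIRST_CLIENT_PORT = 1024  # assumption: client source ports are picked from 1024 upward
PLAIN = {"chain", "connection-state", "action", "comment", "disabled"}

# Constructed sample modelled on the "/ ip firewall filter" section posted in
# the thread; here the jump into the "virus" chain is enabled.
SAMPLE = """\
/ ip firewall filter
add chain=forward connection-state=established action=accept comment="allow
established connections" disabled=yes
add chain=virus protocol=tcp dst-port=445 action=drop comment="drop blaster
worm" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="don't
know" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus
chain" disabled=no
"""


def parse_filter_rules(export_text):
    """Return the filter rules as dicts, re-joining lines the export wrapped."""
    raw, in_filter = [], False
    for line in export_text.splitlines():
        line = line.strip().rstrip("\\").rstrip()
        if line.startswith("/"):
            in_filter = line.replace(" ", "") == "/ipfirewallfilter"
        elif in_filter and line.startswith("add "):
            raw.append(line)
        elif in_filter and line and raw:
            raw[-1] += " " + line
    return [dict(t.split("=", 1) for t in shlex.split(r)[1:] if "=" in t) for r in raw]


def high_port(spec):
    """True if a dst-port spec such as "135-139" or "80,3127-3128" reaches 1024+."""
    return any(int(p.rpartition("-")[2]) >= FIRST_CLIENT_PORT for p in spec.split(","))


def audit(export_text, start="forward"):
    """List enabled drop rules that replies to client connections can hit."""
    rules, findings = parse_filter_rules(export_text), []

    def walk(chain, shielded, path):
        for r in rules:
            if r.get("chain") != chain or r.get("disabled") == "yes":
                continue
            action = r.get("action")
            if (action == "accept" and r.get("connection-state") == "established"
                    and set(r) <= PLAIN):
                shielded = True  # replies are accepted before any later rule
            elif action == "jump" and r.get("jump-target") not in path:
                target = r.get("jump-target")
                shielded = walk(target, shielded, path + (target,))
            elif (action == "drop" and not shielded and "connection-state" not in r
                  and high_port(r.get("dst-port", "0"))):
                findings.append((chain, r["dst-port"], r.get("comment", "")))
        return shielded

    walk(start, False, (start,))
    return findings


if __name__ == "__main__":
    for chain, ports, comment in audit(SAMPLE):
        print(f"chain={chain} dst-port={ports} ({comment}) can drop reply traffic")
```

Rules in a custom chain are only reported when an enabled jump from the start chain reaches them, so a chain whose jump rule is disabled produces no findings.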

Scott,

quote: add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="don't know" disabled=no

I did find that earlier and disabled it (see my above posts). That fixed my Office-network web pages loading. There is still something wrong with my PTP-H - I still cannot get web pages through that interface for some reason.

Thom,

I put that route rule in and rebooted. It worked a few minutes, then went back to its slowness/never loading a page.

What do you think about Mikrotik assigning the wrong interface/pref source to 2 of the DAC routes?

Thanks so much.

Let me know if I need to provide any other info.

For all of you ‘watching’ this thread jakkwb emailed me offline. We have his routing and src-nat issue fixed. The ‘real’ issue was he was getting some interference from another WISP eating up his backhaul channel so his wireless subscribers (not wireless via MT) could not actually get to the Internet…

I’ll let jakkwb tell the rest if he is so inclined…