WAN interface passes more data than the LAN interface

Dear all,
Strange issue: even though I have blocked unnecessary ports, the WAN interface still passes more data than the LAN interface.
My filter rules:

/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment="Router Access Remotely" dst-port=\
    8295,8296 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=\
    25,53,87,512-515,543,544,7547,8080 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=\
    53,80,87,161,162,1900,4520-4524,8080 protocol=udp
add action=drop chain=input comment="Block Ping" in-interface-list=\
    WAN-Interface-List protocol=icmp
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "Port Scanners to Address List " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-FIN/SYN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-RST/SYN scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping Port Scanners" \
    src-address-list="Port Scanners"

[screenshot: wanlan.PNG]
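To make the posted "Port Scanners" rules easier to read, here is an added example (not part of the original post or of RouterOS itself) that evaluates their tcp-flags matchers against a handful of constructed TCP flag sets. It assumes the usual RouterOS tcp-flags semantics (a plainly listed flag must be set, a "!" flag must be clear, unlisted flags are ignored) and that add-src-to-address-list lets the packet continue down the chain, so every matching rule fires rather than only the first; the sample flag sets are constructed, not captured traffic.

```python
"""Added example (not from the thread): evaluate the tcp-flags matchers of the
posted "Port Scanners" rules against constructed TCP flag sets, so a reader can
see which flag combinations each rule catches and that normal handshake traffic
is not touched. Assumed RouterOS tcp-flags semantics: a flag listed plainly must
be set, a flag prefixed with "!" must be clear, unlisted flags are ignored.
Because add-src-to-address-list lets the packet continue down the chain, every
matching rule fires, not just the first one (also an assumption of this model)."""

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# Signatures copied from the posted input-chain rules: (rule comment, tcp-flags value)
SIGNATURES = [
    ("TCP Flag-NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("TCP Flag-FIN/SYN scan",          "fin,syn"),
    ("TCP Flag-RST/SYN scan",          "syn,rst"),
    ("TCP Flag-FIN/PSH/URG scan",      "fin,psh,urg,!syn,!rst,!ack"),
    ("TCP Flag-ALL/ALL scan",          "fin,syn,rst,psh,ack,urg"),
    ("TCP Flag-NMAP NULL scan",        "!fin,!syn,!rst,!psh,!ack,!urg"),
]


def parse_matcher(spec):
    """Split 'fin,!syn,...' into (must_be_set, must_be_clear) frozensets."""
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        token = token.strip()
        if token.startswith("!"):
            must_clear.add(token[1:])
        else:
            must_set.add(token)
    unknown = (must_set | must_clear) - set(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s) in {spec!r}: {sorted(unknown)}")
    return frozenset(must_set), frozenset(must_clear)


def matches(packet_flags, spec):
    """True if a packet carrying exactly `packet_flags` satisfies the matcher."""
    must_set, must_clear = parse_matcher(spec)
    flags = frozenset(packet_flags)
    return must_set <= flags and not (must_clear & flags)


def matching_rules(packet_flags):
    """Comments of all posted rules the flag set would hit, in rule order."""
    return [comment for comment, spec in SIGNATURES if matches(packet_flags, spec)]


# Constructed sample flag sets (no real captures involved)
SAMPLES = {
    "handshake SYN":        {"syn"},
    "SYN/ACK reply":        {"syn", "ack"},
    "data segment PSH/ACK": {"psh", "ack"},
    "NULL scan (no flags)": set(),
    "FIN scan":             {"fin"},
    "Xmas scan":            {"fin", "psh", "urg"},
    "all six flags":        set(TCP_FLAGS),
    "SYN+FIN":              {"syn", "fin"},
}


def classify_samples():
    """Map each constructed sample to the list of posted rules it would hit."""
    return {name: matching_rules(flags) for name, flags in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in classify_samples().items():
        print(f"{name:22s} -> {', '.join(hits) or 'no rule matched'}")
```

Running it shows that the three ordinary flag sets hit nothing, while a packet with all six flags set hits the FIN/SYN, RST/SYN and ALL/ALL rules together, so under these semantics the ALL/ALL rule catches nothing the two earlier rules do not already catch.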

Start by simply blocking ALL incoming traffic, then see what happens.

Your firewall does take care of that, albeit in a way I do not like, but just for others eventually reading this in future: my first step would be to check that DNS requests from WAN are blocked in firewall, as sending very short DNS requests that generate very large answers is a popular way to use ill-secured devices to flood victims with garbage UDP packets while hiding the IP of the actual attacker. But as said, your firewall does take care of that, so it’s not the issue here.

So my next step would be to assume that the extra traffic is nevertheless generated by the router itself. To confirm or exclude that, I would put an action=passthrough rule into chain output in table mangle and watch its byte counters; if they increase by about 1 MByte every second, it confirms that it is indeed the router's own IP traffic (otherwise it may be some other kind of traffic, like e.g. ARP responses).

If it is IP traffic, I would change the action of that rule to sniff-tzsp, set its sniff-target-port to 37008 and the sniff-target to an IP address of a PC connected to the device so that I could run Wireshark on that PC and only get the packets sent by the router itself. If that is not possible and you have enough free RAM on the device, you can also use the following trick:
/interface ipip add name=ipip-sniff !keepalive remote-address=127.0.0.15
/ip route add dst-address=10.11.12.13 gateway=ipip-sniff

Then, set the filter-interface of /tool sniffer to ipip-sniff and let it write to a local file of about 10 MB of size, set the sniff-target in the mangle rule to 10.11.12.13, and run tool sniffer for about 10 seconds. Then download the local file from the router and open it using Wireshark.

Your firewall rules are over the top complex and simplifying them will enable troubleshooting to some extent.
However, far more worrisome…
If 8295,8296 are something to do with accessing winbox and your router is public facing, you are asking to be hacked.

Also, without seeing the FULL mess you have created, it's not really feasible to get to the bottom of the issue.
For example, do you have port forwarding on the go as well??

Hmmm … the way I read OP’s screenshot is that WAN Rx is considerably larger than LAN Tx … which means that the router is dropping some of the traffic coming to the router from the internet. Which means that the firewall is doing its thing.

:smiley: indeed, right you are… I guess it is time for me to take a training in screenshot reading :smiley:

Belgian chocolate makes one smarter, apparently. Screenshots are hard on my eyes so I try to avoid them.

There's nothing wrong with the firewall.
I have found what caused the drop in data between WAN and LAN.
I had 100 Simple Queues; when I disabled them, it sorted out everything.
All data on WAN and LAN is now the same.

What do I need to do in Queues so that they pass equal data between LAN & WAN?
I don’t know what’s wrong with Queues.
[screenshot: queues same.PNG]

Well, the very goal of queues is to enforce bandwidth limits. So there are two possibilities - either the queues were actually doing their job and the remote sources were sending more traffic than the queue configuration permitted, so the drops were a correct behavior, or the router doesn’t have enough resources to handle 30 Mbit/s using queues, so it drops packets due to overload. With the queues enabled and 30 Mbit/s WAN Rx, what is the CPU load? And what is the model of the device?

Not all transport and application protocols are equipped with means to inform the sender about bandwidth limitations along the network path, so the senders may not be able to adjust their output bandwidth to the available one based on the feedback.
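The two points above, that a queue doing its job makes WAN Rx exceed LAN Tx, and that a sender without rate feedback never closes that gap, can be seen in a small simulation. This is an added example, not code from the thread or from RouterOS: a fluid model of a rate-limited queue between WAN ingress and LAN egress, with a constant-rate sender beside a crude loss-reactive one; the rates, buffer size and ramp rule are constructed numbers, and the CPU-overload possibility is not modelled.

```python
"""Added example (not from the thread): a small fluid-model simulation of a
rate-limiting queue sitting between WAN ingress and LAN egress. It shows why a
WAN Rx counter can legitimately exceed the LAN Tx counter when a queue is doing
its job, and why a sender that gets no rate feedback keeps the gap open while a
sender that backs off on loss (loosely TCP-like) closes most of it. The CPU
overload case is not modelled. All rates and sizes are constructed numbers."""

from dataclasses import dataclass


@dataclass
class RateLimitedQueue:
    """Simple-Queue-like limiter: a max rate in bytes/s plus a bounded backlog."""
    rate_bps: int          # bytes per second the queue forwards at most
    buffer_bytes: int      # backlog the queue may hold between intervals
    backlog: int = 0
    wan_rx: int = 0        # bytes that arrived on the WAN side
    lan_tx: int = 0        # bytes forwarded towards the LAN
    dropped: int = 0       # bytes discarded because the backlog was full

    def tick(self, offered_bytes: int, dt: float = 1.0) -> int:
        """Offer `offered_bytes` during one interval of `dt` seconds.

        Everything queued plus everything offered competes for rate*dt bytes of
        output; whatever does not fit in the buffer afterwards is dropped.
        Returns the bytes forwarded in this interval."""
        self.wan_rx += offered_bytes
        available = self.backlog + offered_bytes
        sent = min(available, int(self.rate_bps * dt))
        leftover = available - sent
        if leftover > self.buffer_bytes:
            self.dropped += leftover - self.buffer_bytes
            leftover = self.buffer_bytes
        self.backlog = leftover
        self.lan_tx += sent
        return sent


def simulate(sender_backs_off: bool, seconds: int = 10,
             rate_bps: int = 2_000_000, offered_bps: int = 3_000_000) -> dict:
    """Run the queue for `seconds` one-second intervals and return the counters.

    With sender_backs_off=False the sender keeps pushing offered_bps every second
    (the no-feedback case). With True it halves its rate after any interval with
    loss and otherwise ramps up by a tenth of its initial rate, a crude stand-in
    for a congestion-controlled sender."""
    q = RateLimitedQueue(rate_bps=rate_bps, buffer_bytes=rate_bps // 4)
    offered = offered_bps
    for _ in range(seconds):
        drops_before = q.dropped
        q.tick(offered)
        if sender_backs_off:
            if q.dropped > drops_before:
                offered //= 2
            else:
                offered = min(offered + offered_bps // 10, offered_bps)
    return {"wan_rx": q.wan_rx, "lan_tx": q.lan_tx,
            "dropped": q.dropped, "lan_over_wan": q.lan_tx / q.wan_rx}


if __name__ == "__main__":
    for label, backs_off in (("no feedback (UDP-like)", False),
                             ("backs off on loss (TCP-like)", True)):
        r = simulate(backs_off)
        print(f"{label:30s} WAN Rx {r['wan_rx']:>10,d}  LAN Tx {r['lan_tx']:>10,d}  "
              f"dropped {r['dropped']:>9,d}  LAN/WAN {r['lan_over_wan']:.2f}")
```

The first row is exactly the counter picture from the screenshot: a source pushing 3 MB/s into a 2 MB/s queue leaves WAN Rx half again as large as LAN Tx with nothing broken, while the reactive sender settles close to the limit and the two counters nearly agree. Comparing the per-queue max-limit values with the WAN Rx rate the queues were seeing is the practical check.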

RB5009, and the CPU load is 6, 7 or 8; it's below 10.

OK, so it seems the queues do their job - what is the configuration?

I have two Mikrotik routers for 2 separate sites
router A is RB-5009 = PPPoE server
router B is RB-750Gr3 = Hotspot Server

All users' speed is controlled with Simple Queues.

That’s the simple configuration on both routers.

That’s still just a high-level description that says nothing about the actual bandwidth settings of the queues, so it does not help in finding out whether it’s a configuration issue or a RouterOS bug that makes the 5009 drop part of the download traffic rather than forward it to the LAN side.

@mian,

I have found what caused the drop in data between WAN and LAN.
I had 100 Simple Queues; when I disabled them, it sorted out everything.
All data on WAN and LAN is now the same.

What do I need to do in Queues so that they pass equal data between LAN & WAN?
I don’t know what’s wrong with Queues.

Aside from firewalls,

there are strategies for better utilizing bandwidth management, namely bandwidth multiplexing, because there are periods of peak and low access, to build the quality of service or SLA.

The bandwidth queue (as any other QoS flags) is performed/shaped at the out interface, which also dictates the timing of the ACK flags going to the sender. If this timing is not equal to the output bandwidth (or at least burstable), then the replies will build up at the WAN interface.

If you don’t count the spare bandwidth in the spare time, you will get those results. So try to multiply your LAN queue.

Suppose you have a 30 Mbps for 100 clients value; then try to make it equal to a 200 clients value (or triple). That way you will reduce your interface queue.

The bigger your upstream bandwidth, the bigger the multiply value. And don’t forget to watch the user experience.

Good luck :+1: