This site was running a hAP ac2, however the users - heavy gamers - were reporting 20-30 second drops in connectivity.
Whenever I tried to connect to the hAP via winbox using the public IP address it would also trigger a lock up of the router.
I can connect via SSH without issue, and I can generate a /system/sup-output file, but I can't scp this file off the device on to my computer - it hangs at 0%.
My config is extremely basic (included below), so I took the drastic action of getting a hEX S, updating it to 7.2, then moving the config over.
It exhibits the same problem.
Where do I start when I can't get a supout.rif off the device?
# apr/09/2022 13:15:48 by RouterOS 7.2
# software id = YEPP-2C2D
#
# model = RBD52G-5HacD2HnD
# serial number = A6490AD14FEE
/interface ethernet
# ether3-ether5 are administratively disabled. Only ether1 (WAN list) and ether2 (LAN list) are
# referenced by the rest of this export.
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface wireless
# NOTE(review): neither radio carries disabled=no in this export, so both are presumably still
# disabled - confirm. The only security-profile line further down sets supplicant-identity and shows
# no authentication settings, which suggests the default profile is unauthenticated - verify that
# before either radio is ever enabled.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-AA6BEF wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-AA6BF0 wireless-protocol=802.11
/interface list
# Three lists are declared. The firewall and discovery settings key off WAN and LAN.
# No member is added to the VPN list anywhere in the visible export.
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=vpn name=VPN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# Only supplicant-identity is set on the default profile; no authentication-types or keys are shown.
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# Default phase-1 profile: modp2048 / AES-256 / SHA-256, NAT traversal off.
# NOTE(review): no IPsec peers, identities or policies appear in this export, so IPsec is
# presumably unused - confirm.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 nat-traversal=no
/ip ipsec proposal
# pfs-group=none means phase-2 rekeys do not run a fresh Diffie-Hellman exchange (no PFS).
# Set a group here if IPsec is ever put into service.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm pfs-group=none
/ip pool
add name=dhcp ranges=192.168.18.2-192.168.18.254
/ip dhcp-server
# DHCP is served on ether2 only, from the pool above, with one-week leases.
add address-pool=dhcp interface=ether2 lease-time=1w name=defconf
/queue type
# Three CAKE queue types: cake-default (no bandwidth limit set), cake-up (36.0Mbps) and
# cake-down (90.0Mbps). All use PTM framing compensation and cake-nat=yes.
add cake-atm=ptm cake-diffserv=besteffort cake-nat=yes cake-overhead=22 cake-overhead-scheme=bridged-ptm,via-ethernet cake-rtt=50ms kind=cake name=cake-default
add cake-atm=ptm cake-bandwidth=36.0Mbps cake-diffserv=besteffort cake-nat=yes cake-overhead=22 cake-overhead-scheme=bridged-ptm,via-ethernet cake-rtt=50ms \
kind=cake name=cake-up
add cake-atm=ptm cake-bandwidth=90.0Mbps cake-diffserv=besteffort cake-nat=yes cake-overhead=22 cake-overhead-scheme=bridged-ptm,via-ethernet cake-rtt=50ms \
kind=cake name=cake-down
/queue simple
# A single simple queue on ether1 (the WAN port) applies the CAKE types above.
add bucket-size=0.001/0.001 name=cake queue=cake-down/cake-up target=ether1 total-queue=cake-default
/routing table
# NOTE(review): a FIB routing table with an empty name is unusual and looks like an export or
# upgrade artifact - confirm it is intended.
add fib name=""
/ip neighbor discovery-settings
# Neighbor discovery runs on the LAN list only, so the router does not announce itself on ether1 (WAN).
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
# ether1 is the only WAN member and ether2 the only LAN member; every "in-interface-list" match in
# the firewall resolves to one of these two ports.
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
/interface ovpn-server server
# NOTE(review): no enabled=yes is shown, so the OpenVPN server is presumably off - confirm.
# md5 and sha1 are weak HMAC choices; if the server is ever enabled, restrict auth= to a stronger digest.
set auth=sha1,md5
/ip address
# LAN gateway address on ether2. The modem-access address on ether1 is present but disabled.
add address=192.168.18.1/24 interface=ether2 network=192.168.18.0
add address=192.168.1.100/24 comment="modem: access to modem" disabled=yes interface=ether1 network=192.168.1.0
/ip dhcp-client
# WAN address comes from DHCP on ether1; DNS servers offered by the upstream are ignored.
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.18.2 client-id=1:64:eb:8c:59:75:3 mac-address=64:EB:8C:59:75:03 server=defconf
/ip dhcp-server network
# Clients are handed the router itself (192.168.18.1) as both gateway and DNS server.
add address=192.168.18.0/24 comment=defconf dns-server=192.168.18.1 gateway=192.168.18.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a DNS resolver for other hosts. Who can reach it is
# decided solely by the input chain of /ip firewall filter, so keep port 53 closed on the WAN side.
# verify-doh-cert=yes is set but no use-doh-server appears, so upstream queries presumably go to
# 1.1.1.1 as plain DNS - confirm.
# NOTE(review): the cache size, concurrency limits and timeouts are all non-default values.
# Whether the device has memory headroom for them cannot be judged from this export.
set allow-remote-requests=yes cache-size=20480KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=200 query-server-timeout=1s query-total-timeout=5s \
servers=1.1.1.1 verify-doh-cert=yes
/ip firewall address-list
# allowed-dns is referenced by the DNS dst-nat rule in /ip firewall nat: destinations on this list
# are exempt from the redirect to the router. Addresses were redacted by the poster; three of the
# four entries are disabled.
add address=x.x.x.a disabled=yes list=allowed-dns
add address=x.x.x.b disabled=yes list=allowed-dns
add address=x.x.x.c disabled=yes list=allowed-dns
add address=x.x.x.d list=allowed-dns
/ip firewall filter
# Rules are evaluated top to bottom and the first match decides, so the order below is significant.
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): this accepts every protocol and port from the single (redacted) source x.x.x.e
# arriving on WAN, and logs matches with the prefix "blurrybird". It exposes all router services
# (management, DNS, SNMP) to that source; adding protocol= and dst-port= for the one management
# service actually used would narrow the exposure. Source-IP filtering alone is not authentication.
add action=accept chain=input comment="wan: accept from blurrybird" in-interface-list=WAN log=yes log-prefix=blurrybird src-address=x.x.x.e
# Final input rule: anything not accepted above and not arriving on the LAN list is dropped.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN are forwarded only if a dst-nat rule matched them. With /ip upnp enabled
# later in this export, LAN hosts can request such port mappings themselves.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving via the WAN list, except traffic matched by an IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Redirects LAN DNS queries (UDP/53 only) to the router unless the destination is on allowed-dns.
# NOTE(review): TCP/53 and encrypted DNS are not matched by this rule, and no IPv6 equivalent
# appears in this export, so the redirect steers DNS rather than enforcing it.
add action=dst-nat chain=dstnat comment="dns: dst-nat all dns to router" dst-address-list=!allowed-dns dst-port=53 in-interface-list=LAN protocol=udp \
to-addresses=192.168.18.1
# NOTE(review): no /ip service section appears in this export, so the management services are
# presumably at their defaults - verify which ones are enabled, disable the unused ones and
# restrict the rest with address=.
/ip ssh
# forwarding-enabled=both lets any account that can log in over SSH open local and remote port
# forwards through the router. Set it to no unless SSH tunnelling is actually required.
set forwarding-enabled=both
/ip upnp
# UPnP lets any host on the internal interface request inbound port mappings without
# authentication. Consider disabling it, or periodically review the dynamic dst-nat entries it creates.
set enabled=yes
/ip upnp interfaces
add interface=ether2 type=internal
add interface=ether1 type=external
/ipv6 address
# ether2 gets a global address from the delegated pool "dhcp6" plus a fixed ULA address.
add eui-64=yes from-pool=dhcp6 interface=ether2
add address=fd3e:9134:9285::1 comment="ULA: fd3e:9134:9285::/48" interface=ether2
/ipv6 dhcp-client
# Requests both an address and a delegated prefix on ether1; upstream-supplied DNS is ignored.
add add-default-route=yes interface=ether1 pool-name=dhcp6 request=address,prefix use-peer-dns=no
/ipv6 firewall address-list
# bad_ipv6: ranges that should not appear as a source or destination of forwarded traffic.
# Used by the two forward-chain drop rules below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Evaluated top to bottom. Unlike the IPv4 input chain, there is no per-source WAN accept rule here.
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
# NOTE(review): port= matches when either the source or the destination port is in the range, so
# this rule is wider than a dst-port= match on the traceroute range. Consider dst-port= if only
# inbound traceroute probes are meant to be accepted.
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# DHCPv6 replies to the client port are accepted from link-local sources only.
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# --- forward chain: LAN hosts hold global addresses, so this chain is their only inbound filter ---
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
# Final forward rule: new traffic is passed only when it enters from the LAN list.
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
# Router advertisements on ether2 every 5-10 s. DNS is not advertised in the RA, and
# other-configuration=yes tells clients to fetch extra settings via DHCPv6.
set [ find default=yes ] advertise-dns=no interface=ether2 other-configuration=yes ra-interval=5s-10s
/snmp
# NOTE(review): SNMP is enabled and no /snmp community section appears in this export, so the
# community settings are presumably the defaults - verify. Per the IPv4 input chain, the agent is
# reachable from the LAN and from the one WAN source that chain accepts. Restrict the community's
# allowed addresses, or disable SNMP if nothing polls it.
set enabled=yes
/system clock
set time-zone-name=Australia/Melbourne
/system identity
set name=Something
/system logging
# A logging rule for the dhcp topic exists but is disabled.
add disabled=yes topics=dhcp
/system ntp client
# Accurate time keeps log timestamps usable when correlating the reported connectivity drops.
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/system routerboard settings
# auto-upgrade=yes lets the RouterBOOT firmware follow RouterOS package upgrades.
# cpu-frequency is pinned to 716MHz.
set auto-upgrade=yes cpu-frequency=716MHz
/tool mac-server
# Layer-2 management (MAC telnet and MAC WinBox) is limited to the LAN list, so it is not offered on ether1 (WAN).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN