theselby
just joined
Topic Author
Posts: 1
Joined: Fri Mar 24, 2017 3:57 pm

Router works. However websites don't open at first attempt

Sat Oct 20, 2018 9:30 pm

Hello guys,

I have had a MikroTik router for a few years.
Since NAT was not working as I wanted it to, I thought to reset and reconfigure it from scratch.
So, I've exported the settings, reset the router and manually imported the commands one by one from my file (except a few that were not relevant anymore to my scenario).

The router works, BUT I have a problem.
All websites that I browse load very slowly (12 seconds, for example, for a 1-second site), but on the second refresh they load as they are supposed to load (in that 1 second or whatever).

I'll add the exported settings here; maybe some of you can track down what my issue is:
# oct/20/2018 21:20:00 by RouterOS 6.43.4
# software id = VB0L-2IA0
#
# model = CCR1009-8G-1S-1S+
# serial number = 675305824784
/interface bridge
add fast-forward=no mtu=1500 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=lan1
set [ find default-name=ether2 ] name=lan2
set [ find default-name=ether3 ] name=lan3
set [ find default-name=ether4 ] name=lan4
set [ find default-name=sfp-sfpplus1 ] name=sfp+
set [ find default-name=sfp1 ] loop-protect=off name=sfp-fx
/interface ethernet switch
set 0 name=sw-lan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp_pool1 ranges=10.11.12.201-10.11.12.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
    interface=bridge1 lease-time=15h15m name=dhcp1
/interface bridge port
add bridge=bridge1 interface=lan1
add bridge=bridge1 interface=lan2
add bridge=bridge1 interface=lan3
add bridge=bridge1 interface=lan4
add bridge=bridge1 disabled=yes interface=ether5
add bridge=bridge1 disabled=yes interface=ether6
add bridge=bridge1 disabled=yes interface=ether7
add bridge=bridge1 disabled=yes interface=ether8
/ip firewall connection tracking
set enabled=yes
/interface ethernet switch vlan
add independent-learning=no ports=lan1,lan2,lan3,lan4 switch=sw-lan vlan-id=1
/ip accounting
set enabled=yes
/ip accounting web-access
set accessible-via-web=yes
/ip address
add address=10.11.12.1/24 comment="default LAN" interface=lan1 network=\
    10.11.12.0
add address=X.X.X.163 comment="IF fx-net" interface=sfp-fx network=\
    X.X.X.160
add address=X.X.X.190 interface=sfp-fx network=X.X.X.160
add address=X.X.X.164 interface=sfp-fx network=X.X.X.160
add address=X.X.X.165 interface=sfp-fx network=X.X.X.160
add address=X.X.X.166 interface=sfp-fx network=X.X.X.160
add address=X.X.X.167 interface=sfp-fx network=X.X.X.160
add address=X.X.X.168 interface=sfp-fx network=X.X.X.160
add address=X.X.X.169 interface=sfp-fx network=X.X.X.160
add address=X.X.X.170 interface=sfp-fx network=X.X.X.160
add address=X.X.X.171 interface=sfp-fx network=X.X.X.160
add address=X.X.X.172 interface=sfp-fx network=X.X.X.160
add address=X.X.X.173 interface=sfp-fx network=X.X.X.160
add address=X.X.X.174 interface=sfp-fx network=X.X.X.160
add address=X.X.X.175 interface=sfp-fx network=X.X.X.160
add address=X.X.X.176 interface=sfp-fx network=X.X.X.160
add address=X.X.X.177 interface=sfp-fx network=X.X.X.160
add address=X.X.X.178 interface=sfp-fx network=X.X.X.160
add address=X.X.X.179 interface=sfp-fx network=X.X.X.160
add address=X.X.X.180 interface=sfp-fx network=X.X.X.160
add address=X.X.X.181 interface=sfp-fx network=X.X.X.160
add address=X.X.X.182 interface=sfp-fx network=X.X.X.160
add address=X.X.X.183 interface=sfp-fx network=X.X.X.160
add address=X.X.X.184 interface=sfp-fx network=X.X.X.160
add address=X.X.X.185 interface=sfp-fx network=X.X.X.160
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.11.12.153 always-broadcast=yes client-id=1:20:cf:30:7f:5a:33 \
    mac-address=20:CF:30:7F:5A:33 server=dhcp1
add address=10.11.12.10 client-id=1:0:11:32:19:77:24 mac-address=\
    00:11:32:19:77:24 server=dhcp1
add address=10.11.12.108 always-broadcast=yes client-id=1:0:27:13:53:e1:af \
    mac-address=00:27:13:53:E1:AF server=dhcp1
add address=10.11.12.152 client-id=1:50:e5:49:5b:7f:c4 mac-address=\
    50:E5:49:5B:7F:C4 server=dhcp1
add address=10.11.12.151 client-id=1:5c:f9:dd:60:9:6f mac-address=\
    5C:F9:DD:60:09:6F server=dhcp1
add address=10.11.12.106 client-id=1:0:27:13:53:ff:96 mac-address=\
    00:27:13:53:FF:96 server=dhcp1
add address=10.11.12.105 always-broadcast=yes client-id=1:0:27:13:53:df:73 \
    mac-address=00:27:13:53:DF:73 server=dhcp1
add address=10.11.12.101 client-id=1:70:f3:95:3:98:68 mac-address=\
    70:F3:95:03:98:68 server=dhcp1
add address=10.11.12.103 client-id=1:0:27:13:54:3:f1 mac-address=\
    00:27:13:54:03:F1 server=dhcp1
add address=10.11.12.11 client-id=1:0:11:32:19:77:23 mac-address=\
    00:11:32:19:77:23 server=dhcp1
add address=10.11.12.107 client-id=1:0:27:13:53:d7:3d mac-address=\
    00:27:13:53:D7:3D server=dhcp1
add address=10.11.12.102 always-broadcast=yes client-id=1:cc:52:af:3d:a3:66 \
    mac-address=CC:52:AF:3D:A3:66 server=dhcp1
add address=10.11.12.104 client-id=1:0:27:13:54:3:54 mac-address=\
    00:27:13:54:03:54 server=dhcp1
add address=10.11.12.154 always-broadcast=yes client-id=1:50:e5:49:5b:74:bc \
    mac-address=50:E5:49:5B:74:BC server=dhcp1
add address=10.11.12.130 client-id=1:90:f6:52:71:cf:99 comment=wireless \
    mac-address=90:F6:52:71:CF:99 server=dhcp1
add address=10.11.12.155 always-broadcast=yes client-id=1:78:ac:c0:b7:e8:19 \
    mac-address=78:AC:C0:B7:E8:19 server=dhcp1
add address=10.11.12.254 client-id=wifi-ex-edimax-1 mac-address=\
    80:1F:02:EB:B5:9C server=dhcp1
add address=10.11.12.253 client-id=1:8c:f5:a3:ee:eb:c7 mac-address=\
    8C:F5:A3:EE:EB:C7 server=dhcp1
add address=10.11.12.252 client-id=nas-reina mac-address=00:11:32:8D:CC:FA \
    server=dhcp1
add address=10.11.12.190 client-id=1:0:25:64:a8:93:c8 mac-address=\
    00:25:64:A8:93:C8 server=dhcp1
add address=10.11.12.51 client-id=1:0:18:ae:39:73:95 mac-address=\
    00:18:AE:39:73:95 server=dhcp1
/ip dhcp-server network
add address=10.11.12.0/24 dns-server=89.45.200.1,8.8.8.8 gateway=10.11.12.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=8.8.8.8,89.45.200.1
/ip dns static
add address=10.11.12.10 name=nas.chatlive.ro ttl=10s
add address=10.11.12.10 name=chat.chatlive.ro ttl=10s
add address=10.11.12.101 name=c1.chatlive.ro ttl=10s
add address=10.11.12.102 name=c2.chatlive.ro ttl=10s
add address=10.11.12.103 name=c3.chatlive.ro ttl=10s
add address=10.11.12.104 name=c4.chatlive.ro ttl=10s
add address=10.11.12.105 name=c5.chatlive.ro ttl=10s
add address=10.11.12.106 name=c6.chatlive.ro ttl=10s
add address=10.11.12.107 name=c7.chatlive.ro ttl=10s
add address=10.11.12.108 name=c8.chatlive.ro ttl=10s
add address=10.11.12.190 name=sebi.chatlive.ro ttl=10s
add address=10.11.12.151 name=andreea.chatlive.ro ttl=10s
add address=8.8.8.8 name=apps.skype.com
/ip firewall address-list
add address=10.11.12.0/24 list=allow-ip
add address=X.X.X.160 list=allow-ip
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=drop chain=input comment="Blochez acces extern in tot ce inseamna I\
    P-uri de conectare (telnet, ssh, etc)" disabled=yes dst-port=\
    21,22,23,8291 in-interface=sfp-fx protocol=tcp
add action=passthrough chain=input
add chain=input comment="Accept established and related packets" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=sfp-fx \
    src-address-list=NotPublic
add chain=forward comment="Accept established and related packets" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=sfp-fx
add action=drop chain=forward comment="Drop all packets from public internet w\
    hich should not exist in public network" in-interface=sfp-fx \
    src-address-list=NotPublic
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=sfp-fx
/ip firewall nat
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.10 \
    to-addresses=X.X.X.166
add action=dst-nat chain=dstnat dst-address=X.X.X.166 in-interface=sfp-fx \
    to-addresses=10.11.12.10
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.51 \
    to-addresses=X.X.X.167
add action=dst-nat chain=dstnat dst-address=X.X.X.167 in-interface=sfp-fx \
    to-addresses=10.11.12.51
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.52 \
    to-addresses=X.X.X.168
add action=dst-nat chain=dstnat dst-address=X.X.X.168 in-interface=sfp-fx \
    to-addresses=10.11.12.52
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.190 \
    to-addresses=X.X.X.163
add action=dst-nat chain=dstnat dst-address=X.X.X.163 in-interface=sfp-fx \
    to-addresses=10.11.12.190
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.101 \
    to-addresses=X.X.X.171
add action=dst-nat chain=dstnat dst-address=X.X.X.171 in-interface=sfp-fx \
    to-addresses=10.11.12.101
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.102 \
    to-addresses=X.X.X.172
add action=dst-nat chain=dstnat dst-address=X.X.X.172 in-interface=sfp-fx \
    to-addresses=10.11.12.102
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.103 \
    to-addresses=X.X.X.173
add action=dst-nat chain=dstnat dst-address=X.X.X.173 in-interface=sfp-fx \
    to-addresses=10.11.12.103
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.104 \
    to-addresses=X.X.X.174
add action=dst-nat chain=dstnat dst-address=X.X.X.174 in-interface=sfp-fx \
    to-addresses=10.11.12.104
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.105 \
    to-addresses=X.X.X.175
add action=dst-nat chain=dstnat dst-address=X.X.X.175 in-interface=sfp-fx \
    to-addresses=10.11.12.105
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.106 \
    to-addresses=X.X.X.176
add action=dst-nat chain=dstnat dst-address=X.X.X.176 in-interface=sfp-fx \
    to-addresses=10.11.12.106
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.107 \
    to-addresses=X.X.X.177
add action=dst-nat chain=dstnat dst-address=X.X.X.177 in-interface=sfp-fx \
    to-addresses=10.11.12.107
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.108 \
    to-addresses=X.X.X.178
add action=dst-nat chain=dstnat dst-address=X.X.X.178 in-interface=sfp-fx \
    to-addresses=10.11.12.108
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=10.11.12.109 \
    to-addresses=X.X.X.179
add action=dst-nat chain=dstnat dst-address=X.X.X.179 in-interface=sfp-fx \
    to-addresses=10.11.12.109
add action=src-nat chain=srcnat out-interface=sfp-fx src-address=\
    10.11.12.0/24 to-addresses=X.X.X.164
/ip proxy
set anonymous=yes cache-administrator=sebi@chatlive.ro max-cache-size=none \
    parent-proxy=0.0.0.0 src-address=0.0.0.0
/ip proxy access
add action=deny dst-host=facebook.com redirect-to=chatlive.ro
add action=deny dst-host=www.facebook.com redirect-to=chatlive.ro
add action=deny dst-host=badoo.com redirect-to=chatlive.ro
add action=deny dst-host=ejobs.ro redirect-to=chatlive.ro
add action=deny dst-host=e-jobs.ro redirect-to=chatlive.ro
add action=deny dst-host=bestjobs.ro redirect-to=chatlive.ro
add action=deny dst-host=www.bestjobs.ro redirect-to=chatlive.ro
add action=deny dst-host=www.ejobs.ro redirect-to=chatlive.ro
add action=deny dst-host=*ejobs.ro redirect-to=chatlive.ro
add action=deny dst-host=*jobs.ro redirect-to=chatlive.ro
add action=deny dst-host=playninja.us
add action=deny dst-host=www.playninja.us
add action=deny dst-host=two.com redirect-to=chatlive.ro
add action=deny dst-host=www.two.com redirect-to=chatlive.ro
add action=deny dst-host=sentimente.ro redirect-to=chatlive.ro
/ip route
add check-gateway=arp comment="gateway principal FX" distance=1 gateway=\
    sfp-fx pref-src=X.X.X.165 scope=20
/ip socks
set port=4145
/ip traffic-flow
set enabled=yes
/system clock
set time-zone-name=Europe/Bucharest
/system note
set note="I just reconfigured RouterOS today."
/system routerboard settings
set silent-boot=no
/tool e-mail
set address=smtp.gmail.com from=sebi@onofrei.org password=4619debal416rRr! \
    port=465 start-tls=tls-only user=sebi@onofrei.org
/tool graphing interface
add interface=sfp-fx
 
bramwittendorp
Member Candidate
Posts: 101
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: Router works. However websites don't open at first attempt

Mon Oct 22, 2018 7:05 pm

Hi,

In your DHCP-settings I noticed you're using two public DNS-caching servers, but you have enabled DNS-requests to your router as well, so it might be better to put your router's LAN-IP in the DHCP-server network setup in order to use it as a DNS-caching server. This way DNS can reply quicker; what you see could be caused by slow DNS-replies. Your PC would have cached the DNS-records on the second refresh, making it quicker.
/ip dhcp-server network
add address=10.11.12.0/24 dns-server=89.45.200.1,8.8.8.8 gateway=10.11.12.1
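
The change suggested in the reply above, written out as RouterOS commands. This is an added example, not part of either post; it assumes the router LAN address 10.11.12.1 and the WAN interface sfp-fx from the posted export, and it adds input-chain rules so the resolver enabled by allow-remote-requests=yes answers only LAN clients.

```routeros
# Added example. 10.11.12.1 (router LAN address) and sfp-fx (WAN interface)
# are taken from the posted export; the rule comments are illustrative.

# Before (from the export): clients query the public resolvers directly.
#   /ip dhcp-server network
#   add address=10.11.12.0/24 dns-server=89.45.200.1,8.8.8.8 gateway=10.11.12.1

# After: hand out the router itself as the resolver so answers come from its cache.
/ip dhcp-server network
set [ find address=10.11.12.0/24 ] dns-server=10.11.12.1

# The router keeps forwarding cache misses to the upstream servers already set:
#   /ip dns set allow-remote-requests=yes servers=8.8.8.8,89.45.200.1

# allow-remote-requests=yes makes the resolver answer on every interface, and the
# posted input chain has no enabled rule for port 53 on sfp-fx. Drop DNS queries
# arriving from the WAN so only LAN clients can use the cache.
/ip firewall filter
add action=drop chain=input in-interface=sfp-fx protocol=udp dst-port=53 \
    comment="Drop DNS queries from WAN (udp)"
add action=drop chain=input in-interface=sfp-fx protocol=tcp dst-port=53 \
    comment="Drop DNS queries from WAN (tcp)"

# Check: entries appear here once clients resolve through the router.
/ip dns cache print
```

Clients pick up the new DNS server when they renew their DHCP lease.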
