kevintkv (Topic Author)

After applied filter rule internet connect not stable

Sat May 29, 2021 1:31 pm

I am new to MikroTik. After I applied the filter rules, the internet connection is not stable. I got the filter from here: http://tksja.com/essential-firewall-rules/.

# may/29/2021 18:27:22 by RouterOS 6.47.4
# software id = RI21-KVP2
#
# model = CCR1009-7G-1C-1S+
# serial number = CD640C2B57E2
/interface ethernet
set [ find default-name=ether1 ] name=ether1-UNIFI1
set [ find default-name=ether2 ] name=ether2-UNIFI2
set [ find default-name=ether3 ] name=ether3-UNIFI3
set [ find default-name=ether4 ] name=ether4-UNIFI4
set [ find default-name=ether5 ] name=ether5-UNIFI5
set [ find default-name=ether6 ] name=ether6-UNIFI6
set [ find default-name=ether7 ] name=ether7-GUEST
/interface vlan
add interface=ether1-UNIFI1 name=vlan500-Unifi1 vlan-id=500
add interface=ether2-UNIFI2 name=vlan500-Unifi2 vlan-id=500
add interface=ether3-UNIFI3 name=vlan500-Unifi3 vlan-id=500
add interface=ether4-UNIFI4 name=vlan500-Unifi4 vlan-id=500
add interface=ether5-UNIFI5 name=vlan500-Unifi5 vlan-id=500
add interface=ether6-UNIFI6 name=vlan500-Unifi6 vlan-id=500
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500-Unifi1 max-mtu=1480 \
name=unifi1 use-peer-dns=yes user=star2021@unifibiz
add add-default-route=yes disabled=no interface=vlan500-Unifi2 max-mtu=1480 \
name=unifi2 use-peer-dns=yes user=star2022@unifibiz
add add-default-route=yes disabled=no interface=vlan500-Unifi3 max-mtu=1480 \
name=unifi3 use-peer-dns=yes user=star2023@unifibiz
add add-default-route=yes disabled=no interface=vlan500-Unifi4 max-mtu=1480 \
name=unifi4 use-peer-dns=yes user=star2024@unifibiz
add add-default-route=yes disabled=no interface=vlan500-Unifi5 max-mtu=1480 \
name=unifi5 use-peer-dns=yes user=star2025@unifibiz
add add-default-route=yes disabled=no interface=vlan500-Unifi6 max-mtu=1480 \
name=unifi6 use-peer-dns=yes user=star2026@unifibiz
/interface list
add name=LB-List
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=GUEST ranges=172.16.3.1-172.16.31.254
/ip dhcp-server
add address-pool=GUEST disabled=no interface=sfp-sfpplus1 lease-time=1d name=\
dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=sfp-sfpplus1 list=LB-List
/ip address
add address=172.16.1.1/19 interface=sfp-sfpplus1 network=172.16.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server lease
add address=172.16.31.41 client-id=1:84:d8:1b:3f:7a:dd mac-address=\
84:D8:1B:3F:7A:DD server=dhcp1
add address=172.16.31.235 mac-address=5A:6F:0C:EC:B1:08 server=dhcp1
add address=172.16.25.138 client-id=1:50:76:af:73:4f:b5 mac-address=\
50:76:AF:73:4F:B5 server=dhcp1
add address=172.16.22.56 client-id=1:f8:59:71:8d:f5:90 mac-address=\
F8:59:71:8D:F5:90 server=dhcp1
/ip dhcp-server network
add address=172.16.0.0/19 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.1.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-UNIFI1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1-UNIFI1
/ip firewall mangle
add action=accept chain=prerouting in-interface=unifi1
add action=accept chain=prerouting in-interface=unifi2
add action=accept chain=prerouting in-interface=unifi3
add action=accept chain=prerouting in-interface=unifi4
add action=accept chain=prerouting in-interface=unifi5
add action=accept chain=prerouting in-interface=unifi6
add action=mark-connection chain=prerouting dst-address-type="" \
in-interface-list=LB-List new-connection-mark=wan1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:6/0
add action=mark-connection chain=prerouting dst-address-type="" \
in-interface-list=LB-List new-connection-mark=wan2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:6/1
add action=mark-connection chain=prerouting dst-address-type="" \
in-interface-list=LB-List new-connection-mark=wan3_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:6/2
add action=mark-connection chain=prerouting dst-address-type="" \
in-interface-list=LB-List new-connection-mark=wan4_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:6/3
add action=mark-connection chain=prerouting dst-address-type="" \
in-interface-list=LB-List new-connection-mark=wan5_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:6/4
add action=mark-connection chain=prerouting dst-address-type="" \
in-interface-list=LB-List new-connection-mark=wan6_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:6/5
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
in-interface-list=LB-List new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
in-interface-list=LB-List new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan3_conn \
in-interface-list=LB-List new-routing-mark=to_wan3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan4_conn \
in-interface-list=LB-List new-routing-mark=to_wan4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan5_conn \
in-interface-list=LB-List new-routing-mark=to_wan5 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan6_conn \
in-interface-list=LB-List new-routing-mark=to_wan6 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add check-gateway=ping distance=1 gateway=unifi1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=unifi2 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=unifi3 routing-mark=to_wan3
add check-gateway=ping distance=1 gateway=unifi4 routing-mark=to_wan4
add check-gateway=ping distance=1 gateway=unifi5 routing-mark=to_wan5
add check-gateway=ping distance=1 gateway=unifi6 routing-mark=to_wan6
/ip service
set ftp disabled=yes
set www port=58080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Kuala_Lumpur

anav

Re: After applied filter rule internet connect not stable

Mon May 31, 2021 4:05 pm

The first thing to do is to stick to the default firewall rules to start.
(how did I guess you used some 'other resource' to make this mess LOL.)

(1) Get rid of all those firewall address lists
(2) Remove all firewall rules and replace them in the order prescribed below. Order is always important in firewall rules.

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

(3) I am assuming you get your WAN through SFP1?
In any case the source nat rule for the router is not complete.
there should be an in-interface=sfp1 I THINK??? EDIT, no apparently your setup actually works, but above my head why........

(4) Detect internet rule is safer if set to NONE.

(5) Also unsure of this IP pool format/numbering (besides not having a clue who is getting these IPs and how??)
....... 172.16.3.1 TO 172.16.31.254
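The rule set above matches on interface lists named WAN and LAN, which the posted export never defines (it only has LB-List), and point (3) asks what the NAT rule should be bound to. The following is an added example, not code from the thread, showing the lists and rules together as they would be applied to this export. Assumptions, mine: the six pppoe-client interfaces unifi1..unifi6 are the only uplinks and sfp-sfpplus1 (172.16.1.1/19, the DHCP server port) is the only inside port. One observation from reading the export: Internet packets reach the firewall on the pppoe-client interface (unifi1), not on the physical port, so the original drop rules written with in-interface=ether1-UNIFI1 match nothing; the list-based rules fix that.

```routeros
# Added example (not from the thread): anav's default rule set applied to the
# OP's export. Assumes unifi1..unifi6 are the only uplinks and sfp-sfpplus1 is
# the only inside port.

# 1. The default rules match on interface lists WAN and LAN; the export only
#    defines LB-List, so create them first.
/interface list
add name=WAN comment="PPPoE uplinks"
add name=LAN comment="inside network 172.16.0.0/19"
/interface list member
add interface=unifi1 list=WAN
add interface=unifi2 list=WAN
add interface=unifi3 list=WAN
add interface=unifi4 list=WAN
add interface=unifi5 list=WAN
add interface=unifi6 list=WAN
add interface=sfp-sfpplus1 list=LAN

# 2. Replace the filter rules in exactly this order. WAN traffic arrives on the
#    pppoe interfaces, so in-interface-list=WAN matches it where the old
#    in-interface=ether1-UNIFI1 rules did not.
/ip firewall filter
remove [find]
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# 3. Point (3): masquerade only what leaves through an uplink, not every
#    packet the router forwards.
/ip firewall nat
remove [find]
add chain=srcnat action=masquerade out-interface-list=WAN comment="NAT toward the uplinks"

# 4. Point (4): stop the router from guessing which interface is the Internet.
/interface detect-internet
set detect-interface-list=none
```

Apply this from a terminal session with Safe Mode (Ctrl+X) engaged rather than rule by rule in Winbox: once the pppoe interfaces are in WAN, the last input rule drops management traffic (www on 58080, winbox) arriving from the Internet, which is the intended effect, so make sure the session you are working from comes in through sfp-sfpplus1.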

rextended

Re: After applied filter rule internet connect not stable

Mon May 31, 2021 10:39 pm

@anav, do not lose time on this...

kevintkv (Topic Author)

Re: After applied filter rule internet connect not stable

Wed Jun 02, 2021 3:46 pm

@anav, thanks for the input.

Only the firewall filter was taken from the "other resource" to try.

Actually it is for my company router. It seems it didn't work well: after I applied it, the speed was slow and latency was high. I'm using GPON after my MikroTik router. Can I have more input from you?

anav

Re: After applied filter rule internet connect not stable

Wed Jun 02, 2021 5:41 pm

Yes, if one is using mangling one needs to turn fasttrack off I believe..........
This could be the culprit
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"

From other posts......
Why do you look at fasttrack as global feature for all the traffic - it is not.
Fasttrack-connection is essentially exactly the same as mark-connection/packet.
With one you mark specific connections for queues.
With other you mark specific traffic for fast bypass.
i use fasttrack for all client communication to internal servers, and use queues for client Internet connections at the same time.

Routing marks are not applied to packets when FastTrack is being used so the policy based routing can not work in such configuration.
Queues (except Queue Trees parented to interfaces), firewall filter, and mangle rules will not be applied for FastTracked traffic.

So not sure what to do, whether to disable fasttrack or move some rules around.................. tis why I hate mangling because it makes such a mess of things.........
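The quoted documentation settles the question for this export: the OP's PCC mangle rules set connection marks and routing marks, and a fasttracked packet skips mangle, so anything the fasttrack rule catches stops being policy-routed. The usual way to keep both is to restrict fasttrack to connections that carry no connection mark. The block below is an added example, not from the thread, that does this and also tightens the PCC rules in the export with connection-mark=no-mark and dst-address-type=!local, following the pattern in MikroTik's PCC documentation. Assumptions, mine: interface lists LAN (sfp-sfpplus1) and WAN (unifi1..unifi6) exist; the OP's LB-List can stand in for LAN. The per-mark routes already in the export (gateway=unifiN routing-mark=to_wanN check-gateway=ping) and the dynamic default routes from add-default-route=yes stay as they are.

```routeros
# Added example (not from the thread): PCC load balancing that coexists with
# fasttrack. Assumes lists LAN (sfp-sfpplus1) and WAN (unifi1..unifi6) exist.

/ip firewall mangle
remove [find]
# Connections that arrive on an uplink keep that uplink for their replies
# (matters for dst-nat'ed services). Replaces the bare accept rules in the export.
add chain=prerouting action=mark-connection in-interface=unifi1 connection-mark=no-mark new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=unifi2 connection-mark=no-mark new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=unifi3 connection-mark=no-mark new-connection-mark=wan3_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=unifi4 connection-mark=no-mark new-connection-mark=wan4_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=unifi5 connection-mark=no-mark new-connection-mark=wan5_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=unifi6 connection-mark=no-mark new-connection-mark=wan6_conn passthrough=yes
# Classify only new, still unmarked LAN connections that leave the router.
# dst-address-type=!local keeps LAN-to-router traffic (DHCP, DNS, Winbox) off
# the balancer; connection-mark=no-mark classifies each connection once.
add chain=prerouting action=mark-connection in-interface-list=LAN dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:6/0 new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface-list=LAN dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:6/1 new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface-list=LAN dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:6/2 new-connection-mark=wan3_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface-list=LAN dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:6/3 new-connection-mark=wan4_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface-list=LAN dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:6/4 new-connection-mark=wan5_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface-list=LAN dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:6/5 new-connection-mark=wan6_conn passthrough=yes
# Routing marks: prerouting for forwarded traffic, output for the router's own
# replies on marked connections (the export only marked prerouting).
add chain=prerouting action=mark-routing in-interface-list=LAN connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=yes
add chain=prerouting action=mark-routing in-interface-list=LAN connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=yes
add chain=prerouting action=mark-routing in-interface-list=LAN connection-mark=wan3_conn new-routing-mark=to_wan3 passthrough=yes
add chain=prerouting action=mark-routing in-interface-list=LAN connection-mark=wan4_conn new-routing-mark=to_wan4 passthrough=yes
add chain=prerouting action=mark-routing in-interface-list=LAN connection-mark=wan5_conn new-routing-mark=to_wan5 passthrough=yes
add chain=prerouting action=mark-routing in-interface-list=LAN connection-mark=wan6_conn new-routing-mark=to_wan6 passthrough=yes
add chain=output action=mark-routing connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=yes
add chain=output action=mark-routing connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=yes
add chain=output action=mark-routing connection-mark=wan3_conn new-routing-mark=to_wan3 passthrough=yes
add chain=output action=mark-routing connection-mark=wan4_conn new-routing-mark=to_wan4 passthrough=yes
add chain=output action=mark-routing connection-mark=wan5_conn new-routing-mark=to_wan5 passthrough=yes
add chain=output action=mark-routing connection-mark=wan6_conn new-routing-mark=to_wan6 passthrough=yes

# Fasttracked packets skip mangle, so fasttrack must never touch a connection
# that carries a mark. Edit the existing defconf fasttrack rule in place so its
# position in the chain (before "accept established,related") is unchanged.
/ip firewall filter
set [find chain=forward action=fasttrack-connection] connection-mark=no-mark comment="defconf: fasttrack (unmarked connections only)"
```

With every Internet-bound flow marked, fasttrack effectively stays idle in this layout; that is the trade-off the quoted documentation describes. The rule is kept, rather than deleted, so that any flow you later exempt from balancing (a second inside interface, an address list of exclusions) still gets the fast path. Check the result with /ip firewall connection print where connection-mark and the fasttrack flag (F) should never appear on the same entry.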

kevintkv (Topic Author)

Re: After applied filter rule internet connect not stable

Mon Jun 07, 2021 10:51 am

@anav,

Thanks for the input. After I applied the firewall rules you mentioned, the connection is better.

Question 1
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"

how to get this IP address 127.0.0.1?

Question 2

Any reason my PPPoE client L2 MTU didn't show up?

Thanks a lot

Kevin

mkx

Re: After applied filter rule internet connect not stable

Mon Jun 07, 2021 11:28 am

Question 1
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"

how to get this IP address 127.0.0.1?
It's there, implicitly set. But it's hidden from you, you can't see it anywhere. However it's not really usable for many things, e.g. you can't ping router via this address even from router itself.

Question 2

Any reason my PPPoE client L2 MTU didn't show up?

Because PPPoE doesn't have its own physical properties (L2 MTU is a property of a physical or "physical" interface), it's piggy-backed over another physical interface. And the actual MTU of the underlying interface less the PPPoE overhead could be the actual MTU of the PPPoE interface. However there's more to it, there might be some other bottleneck between the PPPoE client and the PPPoE server (some kind of RAS) which reduces the actual MTU of the PPPoE connection.
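The last sentence above is the practical point: the number that matters is the largest packet that actually crosses the provider's path, not what the interface negotiated. The script below is an added example, not from the thread, that measures it for one uplink by binary search with the DF bit set and compares it with what the export configured (max-mtu=1480). Assumptions, mine: RouterOS v6 scripting, where /ping used as a command returns the number of replies received and size= is the total IP packet size (minimum 28, headers included); the probe target 8.8.8.8 (already used as a DNS server in the export) and the interface name unifi1 are arbitrary.

```routeros
# Added example (not from the thread): find the largest IP packet that crosses
# one PPPoE uplink unfragmented. Assumes v6 semantics: /ping returns the reply
# count and size= is the whole IP packet size. Target and interface are arbitrary.
:local target 8.8.8.8
:local iface "unifi1"

# lo must pass (576 is the classic minimum every path handles);
# hi is one byte above the interface MTU, which can never be sent with DF set.
:local lo 576
:local hi ([/interface get $iface mtu] + 1)

# Sanity check first: if even the small probe fails, the uplink is down or
# ICMP is filtered, and the search would just converge on garbage.
:if ([/ping $target interface=$iface size=$lo do-not-fragment count=2 interval=200ms] = 0) do={
  :error ("no reply from $target over $iface even at $lo bytes")
}

# Invariant: size lo passes, size hi fails. Halve the gap until they meet.
:while (($hi - $lo) > 1) do={
  :local mid (($lo + $hi) / 2)
  :if ([/ping $target interface=$iface size=$mid do-not-fragment count=2 interval=200ms] > 0) do={
    :set lo $mid
  } else={
    :set hi $mid
  }
}

:put ("path MTU via $iface toward $target: $lo bytes")
:put ("configured max-mtu: " . [/interface pppoe-client get $iface max-mtu] . ", negotiated mtu: " . [/interface get $iface mtu])
```

Paste it into /system script or a terminal session. The textbook value for PPPoE on a 1500-byte link is 1492, so the export's 1480 is already conservative; if the probe reports less than the negotiated MTU, something between the client and the PPPoE server is clamping the path, exactly the case described above, and max-mtu on the pppoe-client should be lowered to the measured value. A result equal to the negotiated MTU means the PPPoE path is not the bottleneck and the instability has another cause.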
