misucatinas
newbie
Topic Author
Posts: 32
Joined: Thu Mar 01, 2018 9:11 am

Dual WAN, very slow port forward on second wan.

Mon Dec 20, 2021 3:31 pm

Hi,
I configured 2 WANs to work and I set mangle to use port forwarding from any WAN.
But when I connect to the server by remote desktop from a distance to the second WAN IP address, it works slowly and is not stable.
I attach the configuration.
Please help.
Thank you!
# dec/20/2021 15:20:49 by RouterOS 6.49.2
# software id = P360-M1XL
#
# model = 951G-2HnD
# serial number = 
/interface bridge
add admin-mac=64:D1:54:A0:FD:BA auto-mac=no comment=defconf name=bridge
/interface wireless
/interface ethernet
set [ find default-name=ether1 ] comment="WAN ORANGE" name=ether1-ORANGE \
    speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] name=ether4-VODAFONE speed=100Mbps
set [ find default-name=ether5 ] name=ether5-switch speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=wan
/interface wireless security-profiles
/ip pool
add name=dhcp ranges=192.168.10.100-192.168.10.170
add name=vpn ranges=192.168.89.2-192.168.89.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *0 dns-server=8.8.8.8 only-one=no
set *FFFFFFFE dns-server=192.168.10.1,8.8.8.8 local-address=192.168.89.1 \
    remote-address=vpn
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether5-switch
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4-VODAFONE list=discover
add interface=ether5-switch list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1-ORANGE list=wan
add interface=ether4-VODAFONE list=wan
/interface ovpn-server server
set certificate=server cipher=aes128,aes256 default-profile=\
    default-encryption enabled=yes require-client-certificate=yes
/interface sstp-server server
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=82.208.181.78/25 interface=ether4-VODAFONE network=82.208.181.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no comment=defconf disabled=no interface=ether1-ORANGE
add add-default-route=no interface=ether4-VODAFONE
/ip dhcp-server lease
add address=192.168.10.116 client-id=1:a4:5d:36:ca:75:64 comment="Anca SAGA" \
    mac-address=A4:5D:36:CA:75:64 server=defconf
add address=192.168.10.158 client-id=1:50:3e:aa:e9:6f:6 mac-address=\
    50:3E:AA:E9:6F:06 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=95.77.94.77,78.96.7.7,8.8.8.8
/ip dns static
add address=192.168.10.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment=ovpn dst-port=1194 protocol=tcp
add action=accept chain=input comment="allow l2tp" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1-ORANGE
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-ORANGE
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1-ORANGE \
    new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=input in-interface=ether4-VODAFONE \
    new-connection-mark=WAN2_connection passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_connection \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_connection \
    new-routing-mark=to_WAN2 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether1-ORANGE \
    new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether4-VODAFONE \
    new-connection-mark=WAN2_connection passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
    in-interface=bridge new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
    in-interface=bridge new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=wan src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment=BFK dst-port=7788 in-interface=\
    all-ethernet protocol=tcp src-address=82.79.218.26 to-addresses=\
    192.168.10.10 to-ports=3389
add action=dst-nat chain=dstnat comment=Bucuresti dst-port=7788 in-interface=\
    all-ethernet protocol=tcp src-address=89.238.233.22 to-addresses=\
    192.168.10.10 to-ports=3389
add action=dst-nat chain=dstnat comment=Tinoli dst-port=7788 \
    in-interface-list=wan protocol=tcp src-address=90.84.229.149 \
    to-addresses=192.168.10.10 to-ports=3389
/ip route
add check-gateway=ping comment=orange distance=1 gateway=192.168.100.1 \
    routing-mark=to_WAN1
add check-gateway=ping comment=vodafone distance=2 gateway=82.208.181.1 \
    routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=109.166.202.230 target-scope=30
add check-gateway=ping distance=2 gateway=8.8.8.8 target-scope=30
add distance=2 dst-address=8.8.8.8/32 gateway=82.208.181.1
add distance=1 dst-address=109.166.202.230/32 gateway=192.168.100.1
add distance=1 dst-address=192.168.0.0/24 gateway=172.16.1.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=\
    192.168.10.0/24
set api-ssl disabled=yes
/ppp secret
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=MikroTik-zzzz
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Dual WAN, very slow port forward on second wan.

Mon Dec 20, 2021 11:13 pm

I wasn't able to find the root issue, why only the Vodafone-WAN is slower.

Did you monitor CPU usage on your device?
Maybe you are reaching the performance limits of your router?

Extra! Extra!
While looking at your config, I saw a possible misconfiguration.

Firewall:
You don't have any firewall rule to limit access to your router via the Vodafone-WAN.

You are only limiting the Orange-WAN:
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-ORANGE

Neighbor Discovery Protocol:

You have it active on your Vodafone-WAN.
I recommend you disable:
add interface=ether4-VODAFONE list=discover
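
The two points in the reply above, written out against the posted export. This is an added example, not part of the original post; the interface names and the "wan" and "discover" lists come from the export, the new rule comments are made up here.

```routeros
# Added example (not from the thread).
/ip firewall filter
# Before: both drop rules match only ether1-ORANGE, so new connections
# arriving on ether4-VODAFONE reach no drop rule and are accepted.
#   add action=drop chain=input comment="defconf: drop all from WAN" \
#       in-interface=ether1-ORANGE
#   add action=drop chain=forward connection-nat-state=!dstnat \
#       connection-state=new in-interface=ether1-ORANGE
remove [find action=drop in-interface=ether1-ORANGE]
# After: match the "wan" list, which already holds both uplinks.
add action=drop chain=input comment="drop all from WAN" \
    in-interface-list=wan
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new \
    in-interface-list=wan
# Stop neighbor discovery on the Vodafone uplink.
/interface list member
remove [find list=discover interface=ether4-VODAFONE]
```

The new rules are appended, so within each chain they still sit below the accept rules for the VPN ports and for established,related traffic.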
 
misucatinas
newbie
Topic Author
Posts: 32
Joined: Thu Mar 01, 2018 9:11 am

Re: Dual WAN, very slow port forward on second wan.

Tue Dec 21, 2021 1:13 pm

Thank you for the reply.
Yes, I modified the firewall and it is the same.
CPU is fine.
 
mkx
Forum Guru
Posts: 11624
Joined: Thu Mar 03, 2016 10:23 pm

Re: Dual WAN, very slow port forward on second wan.  [SOLVED]

Tue Dec 21, 2021 5:22 pm

Disable the fast-track firewall rule. Fast-track is not compatible with certain features, mangle is one of them (mangle doesn't work for fast-tracked packets).
Beware that this will severely limit overall performance ... RB951G is a humble old and small device.
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN, very slow port forward on second wan.

Tue Dec 21, 2021 5:48 pm

Wait, perish the thought, Old does not necessarily mean slow ;-)))
 
misucatinas
newbie
Topic Author
Posts: 32
Joined: Thu Mar 01, 2018 9:11 am

Re: Dual WAN, very slow port forward on second wan.

Tue Dec 21, 2021 6:06 pm

> Disable the fast-track firewall rule.

Hi,
I disabled the fast-track firewall rule and it works! You rock!!!
Thank you very much!
Can you explain to us why fast-track affects speed?
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN, very slow port forward on second wan.

Tue Dec 21, 2021 6:08 pm

Let's make Mkx work for the money!!
Or conversely, how to work around mangle such that fast track is still working for all other traffic, best of both worlds.......
 
mkx
Forum Guru
Posts: 11624
Joined: Thu Mar 03, 2016 10:23 pm

Re: Dual WAN, very slow port forward on second wan.

Tue Dec 21, 2021 8:09 pm

When a connection is marked for fast tracking, most packets bypass all processing (vastly reducing CPU load and consequently increasing router capacity), including mangling. But for dual-WAN, mangling is required. The (now) non-mangled packets take the default path, which in the case of the alternate WAN is the wrong way. However, some packets of a fast-tracked connection still take the slow track; the reason is updating the status of the connection tracking machinery. And these packets are properly mangled and leave the router through the correct WAN interface. For a TCP connection that means a huge number of retransmissions; the few making it through the correct WAN interface keep the connection alive, but at extremely low end-to-end throughput.

For @anav only: it is possible to keep some fast tracking enabled in such cases ... but the fast track rule has to be crafted so that it only acts on packets which don't have to be mangled. Alternatively one can place a "normal" accept rule accepting packets which have to be mangled and place it above the fast track rule. The latter option means slightly higher processing load for packets that are eligible for fast tracking, but that processing overhead only happens for the fraction of fast-tracked packets taking the slow track.

Same principle (fast track incompatibility) applies to queues as well ...
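
One way to craft the fast-track rule as described above, using the mark names from the posted export. This is an added example, not configuration from the thread; restricting the prerouting marks to new connections is an assumption made here so that LAN-initiated connections stay unmarked.

```routeros
# Added example (not from the thread).
/ip firewall mangle
# Assumption: mark only the first packet of a connection arriving from a
# WAN. The posted prerouting rules have no state match, so they also mark
# the replies of LAN-initiated connections and nothing stays unmarked.
set [find chain=prerouting action=mark-connection] connection-state=new

/ip firewall filter
# Posted rule: fasttracks every established/related forward connection,
# including those that need mark-routing to leave through the right WAN.
#   add action=fasttrack-connection chain=forward \
#       connection-state=established,related
# Corrected in place (keeps the rule's position): fasttrack only
# connections that carry no connection mark.
set [find chain=forward action=fasttrack-connection] \
    connection-mark=no-mark
# Marked connections (WAN1_connection, WAN2_connection) now fall through
# to the existing "accept established,related" rule and keep passing the
# mangle rules on every packet.

# Check: entries for the forwarded port should carry the mark and must
# not show the F (fasttrack) flag.
/ip firewall connection print where connection-mark=WAN2_connection
```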
 
mkx
Forum Guru
Posts: 11624
Joined: Thu Mar 03, 2016 10:23 pm

Re: Dual WAN, very slow port forward on second wan.

Tue Dec 21, 2021 8:13 pm

> Wait, perish the thought, Old does not necessarily mean slow ;-)))

You're trying to say you're not slow (learner)? I happen to know you're old ... or in politically correct parlance, you're a senior citizen. :-P
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual WAN, very slow port forward on second wan.

Tue Dec 21, 2021 8:30 pm

@mkx: Don't confuse physical and mental age. I mean, take one look: Image :D
 
mkx
Forum Guru
Posts: 11624
Joined: Thu Mar 03, 2016 10:23 pm

Re: Dual WAN, very slow port forward on second wan.

Tue Dec 21, 2021 9:26 pm

@Sob: yeah, @anav on the avatar is a real nice looking youngster ... too bad he's different mentally ;-)
 
anav
Forum Guru
Posts: 19357
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN, very slow port forward on second wan.

Wed Dec 22, 2021 12:53 am

I hear reading my posts will age even the most vigorous MT admins.
