I'm in a similar situation described in this topic viewtopic.php?t=61826
Some time ago we've bought RB2011UiAS-RM to replace an old and faulty linux proxy server in my workplace. The router accepts two WAN symetric connections on 100Mb ports, and combines them using load-balancing+failover method.
We have also a managed cisco switch (24 100Mb ports, 4 1Gb ports). Ports 1 and 13* are reserved for WAN1, ports 2 and 14* for WAN2 and port 1G for LAN, all other ports use vlans to distribute these three networks on our servers (small servers, just for office use). The router is connected to three cisco switch ports, 13 for WAN1, 14 for WAN2 and 1G for LAN. Other gigabyte ports on a router are used for company local network.
* - underneath
Most of the time the internet works just fine, but from time to time I can't get on some websites. A browser shows an error page saying connection has been reset and it's not secure. I've tried this on firefox and chrome but both browsers respond with the same error. The problem persisted on stackoverflow until RouterOS update from 6.3x to 6.41.2, now it occurs just randomly on some less visited websites for a few minutes.
Wireshark shows lots of RST packets send from external IP addreses to me, but I'm sure it's the router itself. TTL of each TCP Reset is short (50-60) and MAC address is always pointing at our router.
It happened a moment ago, I disabled WAN2 interface and bam! It works. .. unless it didn't solve the problem and I have to wait some time for another situation to happen.
Code: Select all
/interface bridge
add admin-mac=MAC:MAC:MAC auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=LAN
set [ find default-name=ether8 ] name=WAN-myIsp1
set [ find default-name=ether9 ] disabled=yes name=WAN-myIsp2
set [ find default-name=ether6 ] name=ether6-master
/interface list
add name=WAN-List
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=10.1.5.10-10.1.6.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=bridge name=defconf
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=LAN
add bridge=bridge comment=defconf disabled=yes hw=no interface=ether6-master
add bridge=bridge comment=defconf disabled=yes hw=no interface=sfp1
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface list member
add interface=WAN-myIsp1 list=WAN-List
add interface=WAN-myIsp2 list=WAN-List
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.1.174/28 comment="WAN MyISP1" interface=WAN-myIsp1 network=192.168.1.160
add address=192.168.2.78/28 comment="WAN MyISP2" interface=WAN-myIsp2 network=192.168.2.64
add address=10.1.0.1/21 comment=LAN interface=bridge network=10.1.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=WAN-myIsp1
/ip dhcp-server network
add address=10.1.0.0/21 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=10.1.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=drop chain=input comment="Blokada dost\EApu do WINBOX z zewn\B9trz" in-interface-list=WAN-List port=8291 protocol=tcp
add action=drop chain=input in-interface-list=WAN-List port=8291 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related,new
add action=drop chain=input comment="defconf: drop all from WAN" in-interface-list=WAN-List
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related,new
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN-List
/ip firewall mangle
add action=accept chain=prerouting connection-limit=0,32 dst-address=192.168.1.0/24 in-interface=bridge
add action=accept chain=prerouting connection-limit=0,32 dst-address=192.168.2.0/24 in-interface=bridge
add action=mark-connection chain=prerouting connection-limit=0,32 connection-mark=no-mark in-interface=WAN-myIsp1 new-connection-mark=WAN-myIsp1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-limit=0,32 connection-mark=no-mark in-interface=WAN-myIsp2 new-connection-mark=WAN-myIsp2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-limit=0,32 connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=WAN-myIsp1_conn passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-limit=0,32 connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=WAN-myIsp2_conn passthrough=yes per-connection-classifier=\
both-addresses:2/1
add action=mark-routing chain=prerouting connection-limit=0,32 connection-mark=WAN-myIsp1_conn in-interface=bridge new-routing-mark=to_WAN-myIsp1 passthrough=yes
add action=mark-routing chain=prerouting connection-limit=0,32 connection-mark=WAN-myIsp2_conn in-interface=bridge new-routing-mark=to_WAN-myIsp2 passthrough=yes
add action=mark-routing chain=output connection-limit=0,32 connection-mark=WAN-myIsp1_conn new-routing-mark=to_WAN-myIsp1 passthrough=yes
add action=mark-routing chain=output connection-limit=0,32 connection-mark=WAN-myIsp2_conn new-routing-mark=to_WAN-myIsp2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes src-address=10.1.0.0/21
add action=masquerade chain=srcnat out-interface=WAN-myIsp1
add action=masquerade chain=srcnat out-interface=WAN-myIsp2
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.161 routing-mark=to_WAN-myIsp1
add check-gateway=ping distance=1 gateway=192.168.2.65 routing-mark=to_WAN-myIsp2
add check-gateway=ping distance=1 gateway=192.168.1.161
add check-gateway=ping distance=2 gateway=192.168.2.65
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=59184
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add topics=interface,route,ipsec
/system ntp client
set enabled=yes primary-ntp=95.158.95.123 secondary-ntp=91.232.160.1
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-interface=LAN filter-ip-address=10.1.4.10/32