I have a MikroTik hAP ac2 as router of a small network. In general it has been working fine with the exception that sometimes (often in specific scenarios) we got connection reset issues.
The issue has been going for months and I have tried many things without success. I want to try again, this time with your help.
The network has a single router (Mikrotik) which is a PPPoE client (with my ISP) and it is used mainly as DNS, DHCP, VPN (L2TP) server and firewall.
Usual problems which I have identified as connection reset:
1) When connecting to the VPN (from outside that network), sometimes the connections drops immediately. After retrying, the connection succeed.
2) From inside the network, while using a system and requesting some service from a remote server (e.g. downloading a file) in which it takes about 1 minute or more to prepare the data before receiving it, the browser fails with "connection reset" error. However, requesting the same service from a computer outside the network to the same server, finish without any issue.
3) When connecting through SSH to a remote server outside the network (or from outside to inside the network), the terminal freezes or gets disconnected often. Specially if a command is executed which expects at least 1 or 2 screens of data ( for example listing a directory with many files ). However, most of the times, if I keep pressing some key (like space), even though it get stuck for few seconds, the output is returned completely and it doesn't disconnect. It also happens more often when its waiting for a password, and after entering it, it gets disconnected. If I leave the terminal open (without entering any command) it can last for hours without getting disconnected, so I don't think its related to "keep alive" or a "time out" issue. In the same way, if the commands entered return few lines (an no much delay), it has no problems.
In general we don't have any issues in the local network or browsing sites, its mainly the above issues.
This is my firewall configuration:
Code: Select all
0 D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough 1 ;;; defconf: accept established,related,untracked chain=input action=accept connection-state=established,related,untracked 2 ;;; Enable Mikrotik SSH chain=input action=accept protocol=tcp dst-port=22 log=yes log-prefix="" 3 ;;; allow IPsec NAT chain=input action=accept protocol=udp dst-port=4500 4 ;;; allow IKE chain=input action=accept protocol=udp dst-port=500 5 ;;; allow l2tp chain=input action=accept protocol=udp dst-port=1701 6 ;;; PPTP chain=input action=accept protocol=tcp dst-port=1723 7 ;;; allow sstp chain=input action=accept protocol=tcp dst-port=443 log=no log-prefix="" 8 ;;; defconf: drop all not coming from LAN chain=input action=drop in-interface-list=!LAN log=no log-prefix="NOTLAN" 9 ;;; Block WIN Input LAN chain=input action=drop src-address-list=win_servers dst-address-list=local_network log=yes log-prefix="WIN-IN-" 10 ;;; Block SSH from outside chain=input action=drop protocol=tcp in-interface=pppoe-out dst-port=22 log=no log-prefix="NOSSH" 11 ;;; defconf: accept ICMP - PING chain=input action=accept protocol=icmp log=no log-prefix="" 12 ;;; defconf: drop invalid chain=input action=drop connection-state=invalid log=no log-prefix="INVALID" 13 ;;; defconf: fasttrack chain=forward action=fasttrack-connection connection-state=established,related 14 ;;; defconf: accept in ipsec policy chain=forward action=accept ipsec-policy=in,ipsec 15 ;;; defconf: accept out ipsec policy chain=forward action=accept ipsec-policy=out,ipsec 16 ;;; Block Windows Server to LAN chain=forward action=drop src-address-list=win_servers dst-address-list=local_network log=yes log-prefix="WIN-" 17 ;;; defconf: drop all from WAN not DSTNATed chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="FWD-NODST" 18 ;;; Drop incoming packets that are not NATted chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-WAN log=no log-prefix="!NAT" 19 ;;; defconf: drop invalid chain=forward action=drop connection-state=invalid log=no log-prefix="FWD-INVALID"
Code: Select all
0 R name="pppoe-out" max-mtu=auto max-mru=auto mrru=disabled interface=ether1-WAN user="********@**********" password="*******" profile=default keepalive-timeout=100 service-name="ISP" ac-name="" add-default-route=yes default-route-distance=1 dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2
How can I debug this issue, and how can I solve it?