ofirule

http request to device in a static route takes a long time

Tue Sep 24, 2019 12:47 pm

I have the following two boards:

1) connected to my ISP via WAN, and has Ethernet and WiFi for LAN
[admin@MikroTik] > system resource print 
             uptime: 1w1d16h50m31s
            version: 6.45.6 (stable)
         build-time: Sep/10/2019 09:06:31
   factory-software: 6.43.10
        free-memory: 964.1MiB
       total-memory: 1024.0MiB
                cpu: ARMv7
          cpu-count: 4
      cpu-frequency: 1400MHz
           cpu-load: 0%
     free-hdd-space: 424.8MiB
    total-hdd-space: 512.3MiB
  architecture-name: arm
         board-name: RB4011iGS+5HacQ2HnD
           platform: MikroTik
I removed some unnecessary and sensitive conf manually
[admin@MikroTik] > export hide-sensitive 
# sep/24/2019 12:21:47 by RouterOS 6.45.6
# software id = S8W1-4UHM
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B3A30A963E1A
# Router1 (RB4011): ISP uplink on ether1 (interface list WAN), local LAN on the bridge.
# Lines starting with NOTE(review) are reviewer remarks, not part of the original export.
/interface bridge
add admin-mac=74:4D:28:5D:46:44 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-n/ac channel-width=20/40/80mhz-eCee disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=NoTraffic_5_1 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=NoTraffic_2_4 wireless-protocol=802.11
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik
/interface wireless
# Guest SSID as a virtual AP on wlan2. It is not a bridge port (see /interface bridge port below),
# gets its own 10.10.10.0/24 subnet and is additionally dropped by the bridge filter.
add disabled=no mac-address=76:4D:28:0A:42:96 master-interface=wlan2 name=wlan4 security-profile=profile ssid=NoTraffic-Guest
/ip pool
add name=dhcp ranges=192.168.191.50-192.168.191.200
add name=ovpn-pool ranges=192.168.8.10-192.168.8.100
add name=dhcp_pool3 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool3 disabled=no interface=wlan4 name=dhcp1
/ppp profile
add local-address=192.168.8.1 name=ovpn_office remote-address=ovpn-pool use-encryption=required
/queue simple
add limit-at=2M/10M max-limit=2M/10M name=guestqueue target=10.10.10.0/24
/interface bridge filter
# NOTE(review): "*F" marks a rule whose interface no longer exists (see the "no interface" notes
# the export adds); these two rules presumably match nothing and could be removed.
# no interface
add action=drop chain=forward in-interface=*F
# no interface
add action=drop chain=forward out-interface=*F
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward in-interface=wlan4
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# NOTE(review): the LAN address is bound to ether2, which is itself a port of "bridge" above.
# Binding it to the bridge instead covers every bridged port and both wlans.
add address=192.168.191.1/24 comment=defconf interface=ether2 network=192.168.191.0
add address=10.10.10.1/24 interface=wlan4 network=10.10.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
# Fixed lease for router2's WAN side; the static route further down points at this address.
add address=192.168.191.74 client-id=1:74:4d:28:37:a6:29 mac-address=74:4D:28:37:A6:29 server=defconf
/ip dhcp-server network
# Guest clients are handed public resolvers directly instead of this router's DNS.
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1
add address=192.168.191.0/24 comment=defconf gateway=192.168.191.1 netmask=24
/ip dns
# Answers queries from clients. The input chain below drops everything not arriving from LAN,
# so this is only reachable from the LAN side as long as that drop rule stays enabled.
set allow-remote-requests=yes
/ip dns static
add address=192.168.191.74 name=1:74:4d:28:37:a6:29.lan
/ip firewall filter
# Default-configuration firewall. The forward rules rely on connection tracking, i.e. on this
# router seeing both directions of a flow; a flow whose replies bypass this router never becomes
# established and its later packets are classified invalid (see "drop invalid").
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.10.10.0/24
/ip route
# Router2's LAN is reached through router2's WAN-side address (the fixed lease above).
# Router2 also holds an address in 192.168.191.0/24, so its replies to LAN clients can be delivered
# directly and never transit this router (asymmetric path).
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.191.74
/ip ssh
# NOTE(review): allow-none-crypto=yes lets an SSH client negotiate the "none" cipher, i.e. an
# unencrypted session; forwarding-enabled=remote permits remote port forwarding through this
# router. Confirm both are intended.
set allow-none-crypto=yes forwarding-enabled=remote
/system scheduler
# NOTE(review): dhcp_lease_dns runs hourly with a very broad policy set (password, sensitive,
# reboot, ...). The script source is not part of this export — confirm it needs more than read,write.
add interval=1h name=dhcp_dns on-event=dhcp_lease_dns policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2019 start-time=00:00:00

2) connected to router 1 via its WAN port, and has Ethernet for LAN

[admin@MikroTikRouter1] > system resource print 
                   uptime: 4w1d22h25m38s
                  version: 6.44.3 (stable)
               build-time: Apr/23/2019 12:37:03
         factory-software: 6.15
              free-memory: 42.2MiB
             total-memory: 64.0MiB
                      cpu: MIPS 74Kc V4.12
                cpu-count: 1
            cpu-frequency: 600MHz
                 cpu-load: 6%
           free-hdd-space: 110.0MiB
          total-hdd-space: 128.0MiB
  write-sect-since-reboot: 47443
         write-sect-total: 113867
               bad-blocks: 0%
        architecture-name: mipsbe
               board-name: RB2011iL
                 platform: MikroTik
I removed some unnecessary and sensitive conf manually
[admin@MikroTikRouter1] > export hide-sensitive 
# sep/24/2019 12:30:17 by RouterOS 6.44.3
# software id = TMKF-L4A4
#
# model = 2011iL
# serial number = 7DCF0A685F1D
# Router2 (RB2011): ether1 (interface list WAN) is plugged into router1's LAN, local LAN on the bridge.
# Lines starting with NOTE(review) are reviewer remarks, not part of the original export.
/interface bridge
add admin-mac=74:4D:28:37:A6:2A auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# NOTE(review): the LAN address is bound to ether2, which is itself a port of "bridge" above;
# binding it to the bridge instead covers every bridged port.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
# WAN address is obtained from router1's DHCP server (router1 pins it with a static lease, per the thread).
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# NOTE(review): answers remote queries; with the WAN-side input drop disabled below this is also
# reachable from the ether1 side.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): disabled, so every service listening on this router is reachable from ether1
# (router1's LAN). A narrower option is an accept rule limited to src-address=192.168.191.0/24
# placed ahead of this drop, with the drop left enabled.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): disabled so that new connections arriving on ether1 can be forwarded into
# 192.168.88.0/24 (router1 routes that subnet here). Restricting by source subnet would be tighter.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# Masquerades everything leaving ether1, including traffic toward router1's LAN; the thread
# questions whether this router needs src-nat at all given router1's static route.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Asia/Jerusalem
/system identity
set name=MikroTikRouter1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
router1 has a static IP lease for router2 and a static route to router2's addresses
router2's firewall rules were updated to support it


Now the problem is that HTTP requests to devices connected to router2, or even reaching router2's UI via its non-DHCP-assigned address, take a long time (6-12 seconds) when connected to router1.

Examples:

1) getting to router2 via 192.168.191.74:
$ LC_TIME=en_US date ; wget http://192.168.191.74
Tue Sep 24 12:35:04 IDT 2019
--2019-09-24 12:35:04--  http://192.168.191.74/
Connecting to 192.168.191.74:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7070 (6.9K) [text/html]
Saving to: ‘index.html.5’

index.html.5                                       100%[================================================================================================================>]   6.90K  --.-KB/s    in 0.001s  

2019-09-24 12:35:04 (10.6 MB/s) - ‘index.html.5’ saved [7070/7070]

2) getting to router2 via 192.168.88.1 (took about 8 seconds):
$ LC_TIME=en_US date ; wget http://192.168.88.1 
Tue Sep 24 12:38:19 IDT 2019
--2019-09-24 12:38:19--  http://192.168.88.1/
Connecting to 192.168.88.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7068 (6.9K) [text/html]
Saving to: ‘index.html.6’

index.html.6                                       100%[================================================================================================================>]   6.90K  --.-KB/s    in 0.04s   

2019-09-24 12:38:27 (174 KB/s) - ‘index.html.6’ saved [7068/7068]

Last edited by ofirule on Tue Sep 24, 2019 2:58 pm, edited 1 time in total.
 
mkx

Re: http request to device in a static route takes a long time

Tue Sep 24, 2019 2:06 pm

There are two things I'd think about:
  • IP address (and setup) for LAN on router 1 is set on ether2 ... it should be on bridge
  • I don't think router2 should be doing src-nat?
In addition to that, there's nothing on router2 that would allow connecting to webfig via the WAN interface (which is, if I understand it right, router1's LAN subnet). So I'd say that the redacted part of the configuration does matter and would help to understand the problem.
 
ofirule

Re: http request to device in a static route takes a long time

Tue Sep 24, 2019 3:41 pm

Router1 config (config removed only from: "/ip route", "/ip dns static" and "/ip dhcp-server lease")
[admin@MikroTik] > export hide-sensitive 
# sep/24/2019 15:09:45 by RouterOS 6.45.6
# software id = S8W1-4UHM
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B3A30A963E1A
# Router1 (RB4011), second export: ISP uplink on ether1 (interface list WAN), LAN on the bridge.
# Lines starting with NOTE(review) are reviewer remarks, not part of the original export.
/interface bridge
add admin-mac=74:4D:28:5D:46:44 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-n/ac channel-width=20/40/80mhz-eCee disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=NoTraffic_5_1 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=NoTraffic_2_4 wireless-protocol=802.11
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik
/interface wireless
# Guest SSID as a virtual AP on wlan2; not a bridge port, own 10.10.10.0/24 subnet, dropped by the bridge filter.
add disabled=no mac-address=76:4D:28:0A:42:96 master-interface=wlan2 name=wlan4 security-profile=profile ssid=NoTraffic-Guest
/ip pool
add name=dhcp ranges=192.168.191.50-192.168.191.200
add name=ovpn-pool ranges=192.168.8.10-192.168.8.100
add name=dhcp_pool3 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool3 disabled=no interface=wlan4 name=dhcp1
/ppp profile
add local-address=192.168.8.1 name=ovpn_office remote-address=ovpn-pool use-encryption=required
/queue simple
add limit-at=2M/10M max-limit=2M/10M name=guestqueue target=10.10.10.0/24
/interface bridge filter
# NOTE(review): "*F" marks a rule whose interface no longer exists; these two rules presumably
# match nothing and could be removed.
# no interface
add action=drop chain=forward in-interface=*F
# no interface
add action=drop chain=forward out-interface=*F
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward in-interface=wlan4
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# LAN address now sits on the bridge (moved from ether2), so it covers every bridged port and wlan.
add address=192.168.191.1/24 comment=defconf interface=bridge network=192.168.191.0
add address=10.10.10.1/24 interface=wlan4 network=10.10.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
# Fixed lease for router2's WAN side; the static route further down points at this address.
add address=192.168.191.74 client-id=1:74:4d:28:37:a6:29 mac-address=74:4D:28:37:A6:29 server=defconf
/ip dhcp-server network
# Guest clients are handed public resolvers directly instead of this router's DNS.
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1
add address=192.168.191.0/24 comment=defconf gateway=192.168.191.1 netmask=24
/ip dns
# Reachable only from the LAN side as long as the "drop all not coming from LAN" input rule stays enabled.
set allow-remote-requests=yes
/ip dns static
# Entry maintained by the dhcp_lease_dns script below (label is the lease's client-id, not its host-name).
add address=192.168.191.74 name=1:74:4d:28:37:a6:29.lan
/ip firewall filter
# Default-configuration firewall. The forward rules rely on connection tracking, i.e. on this
# router seeing both directions of a flow; a flow whose replies bypass this router never becomes
# established and its later packets are classified invalid (see "drop invalid").
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.10.10.0/24
/ip route
# Router2's LAN is reached through router2's WAN-side address (the fixed lease above). Router2
# also holds an address in 192.168.191.0/24, so its replies to LAN clients can bypass this router.
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.191.74
/ip ssh
# NOTE(review): allow-none-crypto=yes lets an SSH client negotiate the "none" cipher, i.e. an
# unencrypted session; forwarding-enabled=remote permits remote port forwarding. Confirm both are intended.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
# PPP account; its password is omitted by "export hide-sensitive".
add name=office
/system clock
set time-zone-name=Asia/Jerusalem
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system scheduler
# Runs dhcp_lease_dns (defined below) every hour.
add interval=1h name=dhcp_dns on-event=dhcp_lease_dns policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2019 start-time=00:00:00
/system script
# dhcp_lease_dns: for every DHCP lease that has a host-name, removes any existing DNS static entry
# named <client-id>.lan and re-adds it pointing at the lease address.
# NOTE(review): the script only reads /ip dhcp-server lease and writes /ip dns static, yet it is
# granted ftp,reboot,password,sensitive,... — a policy of read,write likely suffices; it also uses
# client-id rather than host-name as the DNS label, which yields names such as 1:74:...:29.lan.
add dont-require-permissions=no name=dhcp_lease_dns owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# DNS record for DHCP lease\
    \n# Prepare variables in use\
    \n:local topdomain;\
    \n:local hostname;\
    \n:local hostip;\
    \n\
    \n# Configure your domain\
    \n:set topdomain \"lan\";\
    \n\
    \n/ip dhcp-server lease;\
    \n:foreach i in=[find] do={\
    \n  /ip dhcp-server lease;\
    \n  :if ([:len [get \$i host-name]] > 0) do={\
    \n    :set hostname ([get \$i client-id] . \".\" . \$topdomain);\
    \n    :set hostip [get \$i address];\
    \n    /ip dns static;\
    \n# Remove if DNS entry already exist\
    \n    :foreach di in [find] do={\
    \n      :if ([get \$di name] = \$hostname) do={\
    \n        :put (\"Removing: \" . \$hostname . \" : \" . \$hostip);\
    \n        remove \$di;\
    \n      }\
    \n    }\
    \n# Add DNS entry\
    \n    :put (\"Adding: \" . \$hostname . \" : \" . \$hostip);\
    \n    /ip dns static add name=\$hostname address=\$hostip;\
    \n  }\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
router2 config:
[admin@MikroTikRouter1] > export hide-sensitive 
# sep/24/2019 15:27:30 by RouterOS 6.44.3
# software id = TMKF-L4A4
#
# model = 2011iL
# serial number = 7DCF0A685F1D
# Router2 (RB2011), second export: ether1 (interface list WAN) is plugged into router1's LAN, LAN on the bridge.
# Lines starting with NOTE(review) are reviewer remarks, not part of the original export.
/interface bridge
add admin-mac=74:4D:28:37:A6:2A auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# LAN address now sits on the bridge (moved from ether2), so it covers every bridged port.
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
# WAN address is obtained from router1's DHCP server (router1 pins it with a static lease, per the thread).
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# NOTE(review): answers remote queries; with the WAN-side input drop disabled below this is also
# reachable from the ether1 side.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): disabled, so every service listening on this router is reachable from ether1
# (router1's LAN). A narrower option is an accept rule limited to src-address=192.168.191.0/24
# placed ahead of this drop, with the drop left enabled.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): disabled so that new connections arriving on ether1 can be forwarded into
# 192.168.88.0/24 (router1 routes that subnet here). Restricting by source subnet would be tighter.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# Masquerades everything leaving ether1, including traffic toward router1's LAN; the thread
# questions whether this router needs src-nat at all given router1's static route.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Asia/Jerusalem
/system identity
set name=MikroTikRouter1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Fixed both routers' IP address interface from ether2 to bridge, but there was no major change.
Also removed src-nat, but it had no effect (the way I see it, that's an architectural decision and not a fix, not sure).
Getting to router2's UI works from WAN since I disabled the firewall rule which drops input from WAN (it's just very slow).

Example1:
$ LC_TIME=en_US date ; wget http://192.168.191.74
Tue Sep 24 15:25:51 IDT 2019
--2019-09-24 15:25:51--  http://192.168.191.74/
Connecting to 192.168.191.74:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7070 (6.9K) [text/html]
Saving to: ‘index.html.6’

index.html.6                                       100%[================================================================================================================>]   6.90K  --.-KB/s    in 0.001s  

2019-09-24 15:25:51 (7.56 MB/s) - ‘index.html.6’ saved [7070/7070]
Example 2, takes about 9 seconds using the static route:
$ LC_TIME=en_US date ; wget http://192.168.88.1 
Tue Sep 24 15:25:31 IDT 2019
--2019-09-24 15:25:31--  http://192.168.88.1/
Connecting to 192.168.88.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7068 (6.9K) [text/html]
Saving to: ‘index.html.4’

index.html.4                                       100%[================================================================================================================>]   6.90K  --.-KB/s    in 0.1s    

2019-09-24 15:25:40 (71.6 KB/s) - ‘index.html.4’ saved [7068/7068]
Example3, ping examples:
$ ping 192.168.191.74
PING 192.168.191.74 (192.168.191.74) 56(84) bytes of data.
64 bytes from 192.168.191.74: icmp_seq=1 ttl=64 time=95.4 ms
64 bytes from 192.168.191.74: icmp_seq=2 ttl=64 time=22.9 ms
64 bytes from 192.168.191.74: icmp_seq=3 ttl=64 time=39.9 ms
64 bytes from 192.168.191.74: icmp_seq=4 ttl=64 time=81.2 ms
64 bytes from 192.168.191.74: icmp_seq=5 ttl=64 time=472 ms
^C
--- 192.168.191.74 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 22.973/142.394/472.256/167.029 ms
$ ping 192.168.88.1
PING 192.168.88.1 (192.168.88.1) 56(84) bytes of data.
64 bytes from 192.168.88.1: icmp_seq=1 ttl=64 time=542 ms
64 bytes from 192.168.88.1: icmp_seq=2 ttl=64 time=9.14 ms
64 bytes from 192.168.88.1: icmp_seq=3 ttl=64 time=1.09 ms
64 bytes from 192.168.88.1: icmp_seq=4 ttl=64 time=10.4 ms
64 bytes from 192.168.88.1: icmp_seq=5 ttl=64 time=2.25 ms
64 bytes from 192.168.88.1: icmp_seq=6 ttl=64 time=18.0 ms
64 bytes from 192.168.88.1: icmp_seq=7 ttl=64 time=2.27 ms
64 bytes from 192.168.88.1: icmp_seq=8 ttl=64 time=92.7 ms
 
mkx

Re: http request to device in a static route takes a long time  [SOLVED]

Tue Sep 24, 2019 6:50 pm

Thinking of it: you have a routing triangle, and the connection-tracking firewall on router1 doesn't like it. Let's say you're running wget from a PC with IP address 192.168.191.100. Here's what happens:
  1. client starts new connection towards 192.168.88.1. It notices it's not a directly accessible remote address and sends packet to its default gateway (router1)
  2. router1 sees it's remote address, hence it goes through firewall rules in chain=forward. Notices new connection (a TCP SYN packet)
  3. router1 sees it has a static route with gateway router2 and sends packet there
  4. router2 receives packet, sees it's targeting one of its own addresses, processes firewall rules, allows connection, http server replies with TCP SYN ACK packet which is second leg of initial TCP connection handshake
  5. router2 consults how to deliver return packet. Its destination address is 192.168.191.100 which is directly reachable by router2. So router2 delivers return packet directly to client
  6. client sends the last part of TCP connection handshake - TCP ACK packet. It uses default gateway (router1) due to very same reason as in point #1
  7. router1 again processes firewall rules. Seeing it's part of a connection which is not new but still not established, and yet it apparently doesn't follow a proper TCP connection handshake, it marks the connection invalid. The reason for it is that router1 did not see the first reply and thus did not update the connection state accordingly.

Connections initiated from the 192.168.88.0/24 subnet towards 192.168.191.0/24 would experience the same problem; this time router1 would not see the initial SYN packets and would thus drop the initial replies (SYN ACK) ...

The cure? You might explicitly accept packets travelling between both subnets with a pair of rules placed above the "drop invalid" rule. If you need to filter connections between these two subnets, then you can run the firewall on router2.

If you want to configure the whole lot on router1, then you should either use dedicated physical ethernet cable between both routers or use VLAN (if the rest of network allows that) and then configure router2 as switch/AP, but move L3 setup (IP address, DHCP server, ...) to appropriate interface on router1.
 
ofirule

Re: http request to device in a static route takes a long time

Wed Sep 25, 2019 5:47 pm

I chose to update the firewall rules on router1.
I just needed to accept forwarding from router1's net to router2's net.

This is the new firewall config:
/ip firewall filter
# Router1 filter after the fix. Order matters: a packet takes the first matching rule in its chain.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Placed above "drop invalid": router2 answers LAN clients directly, so this router never sees the
# SYN-ACK and classifies the client's ACK (and the rest of the flow) as invalid. Such flows never
# reach established state here, so the fasttrack rule above presumably never applies to them.
# NOTE(review): despite its comment, this rule matches every connection-state, not only invalid;
# adding connection-state=invalid would keep the exception to the asymmetric case — confirm by test.
# Only 192.168.191.0/24 -> 192.168.88.0/24 is covered; the reverse direction appears to be delivered
# by router2 directly (it holds an address in 192.168.191.0/24) and so never transits this router.
add action=accept chain=forward comment="Allow invalid on local statically routed subnets" dst-address=192.168.88.0/24 src-address=192.168.191.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
