1) connected to my ISP via WAN , and has Ethernet and WIFI for LAN
Code: Select all
[admin@MikroTik] > system resource print
uptime: 1w1d16h50m31s
version: 6.45.6 (stable)
build-time: Sep/10/2019 09:06:31
factory-software: 6.43.10
free-memory: 964.1MiB
total-memory: 1024.0MiB
cpu: ARMv7
cpu-count: 4
cpu-frequency: 1400MHz
cpu-load: 0%
free-hdd-space: 424.8MiB
total-hdd-space: 512.3MiB
architecture-name: arm
board-name: RB4011iGS+5HacQ2HnD
platform: MikroTik
Code: Select all
[admin@MikroTik] > export hide-sensitive
# sep/24/2019 12:21:47 by RouterOS 6.45.6
# software id = S8W1-4UHM
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B3A30A963E1A
/interface bridge
add admin-mac=74:4D:28:5D:46:44 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-n/ac channel-width=20/40/80mhz-eCee disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=NoTraffic_5_1 \
wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=NoTraffic_2_4 wireless-protocol=802.11
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=76:4D:28:0A:42:96 master-interface=wlan2 name=wlan4 security-profile=profile ssid=NoTraffic-Guest
/ip pool
add name=dhcp ranges=192.168.191.50-192.168.191.200
add name=ovpn-pool ranges=192.168.8.10-192.168.8.100
add name=dhcp_pool3 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool3 disabled=no interface=wlan4 name=dhcp1
/ppp profile
add local-address=192.168.8.1 name=ovpn_office remote-address=ovpn-pool use-encryption=required
/queue simple
add limit-at=2M/10M max-limit=2M/10M name=guestqueue target=10.10.10.0/24
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*F
# no interface
add action=drop chain=forward out-interface=*F
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward in-interface=wlan4
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.191.1/24 comment=defconf interface=ether2 network=192.168.191.0
add address=10.10.10.1/24 interface=wlan4 network=10.10.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.191.74 client-id=1:74:4d:28:37:a6:29 mac-address=74:4D:28:37:A6:29 server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1
add address=192.168.191.0/24 comment=defconf gateway=192.168.191.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.191.74 name=1:74:4d:28:37:a6:29.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.10.10.0/24
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.191.74
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system scheduler
add interval=1h name=dhcp_dns on-event=dhcp_lease_dns policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2019 start-time=00:00:00
2) connected to router 1 as WAN and as Ethernet ad LAN
Code: Select all
[admin@MikroTikRouter1] > system resource print
uptime: 4w1d22h25m38s
version: 6.44.3 (stable)
build-time: Apr/23/2019 12:37:03
factory-software: 6.15
free-memory: 42.2MiB
total-memory: 64.0MiB
cpu: MIPS 74Kc V4.12
cpu-count: 1
cpu-frequency: 600MHz
cpu-load: 6%
free-hdd-space: 110.0MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 47443
write-sect-total: 113867
bad-blocks: 0%
architecture-name: mipsbe
board-name: RB2011iL
platform: MikroTik
Code: Select all
[admin@MikroTikRouter1] > export hide-sensitive
# sep/24/2019 12:30:17 by RouterOS 6.44.3
# software id = TMKF-L4A4
#
# model = 2011iL
# serial number = 7DCF0A685F1D
/interface bridge
add admin-mac=74:4D:28:37:A6:2A auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Asia/Jerusalem
/system identity
set name=MikroTikRouter1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
route2 firewall rules were updated to support it
Now the problem is that http request to devices connected to router2 or even getting router2 ui via it's none dhcp given address takes a long time 6-12 seconds, (when connected to router1)
Examples:
1) getting to router2 via 192.168.191.74:
Code: Select all
$ LC_TIME=en_US date ; wget http://192.168.191.74
Tue Sep 24 12:35:04 IDT 2019
--2019-09-24 12:35:04-- http://192.168.191.74/
Connecting to 192.168.191.74:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7070 (6.9K) [text/html]
Saving to: ‘index.html.5’
index.html.5 100%[================================================================================================================>] 6.90K --.-KB/s in 0.001s
2019-09-24 12:35:04 (10.6 MB/s) - ‘index.html.5’ saved [7070/7070]
Code: Select all
$ LC_TIME=en_US date ; wget http://192.168.88.1
Tue Sep 24 12:38:19 IDT 2019
--2019-09-24 12:38:19-- http://192.168.88.1/
Connecting to 192.168.88.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7068 (6.9K) [text/html]
Saving to: ‘index.html.6’
index.html.6 100%[================================================================================================================>] 6.90K --.-KB/s in 0.04s
2019-09-24 12:38:27 (174 KB/s) - ‘index.html.6’ saved [7068/7068]