Packet loss between two bridges
Posted: Thu Nov 07, 2019 9:56 pm
I bought a MikroTik router recently, so I'm a new user; however, I don't think my issue is a beginner one.
I have a strange packet loss. It is not random: usually every 6th packet is lost. Sometimes the reply comes back with a delay (900ms, 1600ms), but usually it is lost completely. After a reboot, pings work for some time without issues.
1. I'm pinging 10.0.0.10 from 192.168.3.100
2. 10.0.0.10 drops no pings when pinged from 10.0.0.0/16 or from device.
Any ideas are welcome.
I have a strange packet loss. It is not random: usually every 6th packet is lost. Sometimes the reply comes back with a delay (900ms, 1600ms), but usually it is lost completely. After a reboot, pings work for some time without issues.
1. I'm pinging 10.0.0.10 from 192.168.3.100
2. 10.0.0.10 drops no pings when pinged from 10.0.0.0/16 or from device.
Any ideas are welcome.
# nov/07/2019 22:48:26 by RouterOS 6.45.7
# software id = 04PU-E3UT
#
# model = RB760iGS
# serial number = *snip*
# Exported RouterOS configuration: two bridges ("inside" on 10.0.0.222/24 and
# "wifi" on 192.168.3.222/24), a DHCP client on ether1, and IPsec policies for
# traffic sourced from 10.0.0.0/24. The bridges sit in different subnets, so
# traffic between them is routed and passes the forward chain further down.
/interface bridge
# Both bridges use protocol-mode=none (no STP/RSTP on the bridge) and
# fast-forward=no.
add admin-mac=74:4D:28:F0:95:A6 auto-mac=no comment=defconf fast-forward=no name=inside protocol-mode=none
add fast-forward=no mtu=1500 name=wifi protocol-mode=none
/interface ethernet
# ether1 (the WAN member below) runs with an explicitly configured MAC address.
set [ find default-name=ether1 ] mac-address=00:16:C7:FA:0F:F4
/interface list
# Three interface lists drive the firewall: WAN (ether1), LAN (inside), WIFI (wifi).
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WIFI
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
# Single IKEv2 peer; its address and name were redacted by the poster.
add address=*snip*/32 exchange-mode=ike2 name=*snip*
/ip ipsec profile
# IKE parameters: DH group modp2048, AES-256; proposal-check=exact.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 proposal-check=exact
/ip ipsec proposal
# ESP parameters: SHA-256 / AES-256-CBC. pfs-group=none means no additional
# Diffie-Hellman exchange is requested for the data SAs (no PFS at this level).
# NOTE(review): confirm this is a deliberate match for the peer's settings.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip pool
add name="inside pool" ranges=10.0.0.100-10.0.0.200
add name="wifi pool" ranges=192.168.3.100-192.168.3.200
/ip dhcp-server
# One DHCP server per bridge, each handing out its own pool.
add address-pool="inside pool" disabled=no interface=inside name=defconf
add address-pool="wifi pool" disabled=no interface=wifi name="wifi server"
/interface bridge port
# inside = ether2, ether3, sfp1; wifi = ether4, ether5.
# hw=no is set on ether4, ether5 and sfp1, which turns off hardware offloading
# for those ports; ether2 and ether3 keep the default.
add bridge=inside comment=defconf interface=ether2
add bridge=inside comment=defconf interface=ether3
add bridge=wifi comment=defconf hw=no interface=ether4
add bridge=wifi comment=defconf hw=no interface=ether5
add bridge=inside comment=defconf hw=no interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list, so it is not announced on
# ether1 (WAN) or the wifi bridge.
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=inside list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wifi list=WIFI
/ip address
add address=10.0.0.222/24 comment=defconf interface=inside network=10.0.0.0
add address=192.168.3.222/24 interface=wifi network=192.168.3.0
/ip dhcp-client
# WAN address comes from DHCP on ether1; use-peer-dns=no ignores the DNS
# servers offered by the upstream DHCP server.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
# Wifi clients are given 109.195.80.1 and 109.195.81.1 as resolvers instead of
# the router; the inside network entry sets no dns-server of its own.
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.222 netmask=24
add address=192.168.3.0/24 dns-server=109.195.80.1,109.195.81.1 gateway=192.168.3.222
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from clients.
# The input chain below accepts port 53 only from the LAN list and drops
# everything else, which is what keeps the resolver closed to WAN and WIFI.
# The upstream server 10.0.10.1 is the destination of the last IPsec policy.
set allow-remote-requests=yes servers=10.0.10.1
/ip dns static
add address=10.0.0.222 comment=defconf name=router.lan
/ip firewall address-list
# "local" is 10.0.0.0/16, which is wider than the 10.0.0.0/24 configured on the
# inside bridge; it also covers 10.0.10.1. Every rule that references "local"
# therefore applies to the whole /16.
# NOTE(review): confirm the /16 is intended rather than /24.
add address=10.0.0.0/16 list=local
add address=10.0.0.10 list=printer.home
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP to the router is accepted from every interface, WAN included.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# TCP/80 to 10.0.0.222 (presumably the web management interface over plain
# HTTP) is matched by source address list only; there is no in-interface
# matcher.
# NOTE(review): adding in-interface-list=LAN would tie this rule to the LAN
# side as well as to the source range.
add action=accept chain=input comment="local device access" dst-address=10.0.0.222 dst-port=80 protocol=tcp src-address-list=local
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
# Final input rule: drop and log everything not accepted above.
add action=drop chain=input comment="default input rule" log=yes
# --- forward chain: traffic routed through the router ---
# The two ipsec-policy accepts precede the fasttrack rule, so traffic matching
# an IPsec policy is accepted before it can be fasttracked.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# NOTE(review): per MikroTik documentation FastTrack handles TCP and UDP only,
# so the ICMP test traffic described in the post is presumably not fasttracked
# - confirm against the documentation for this RouterOS version.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# WIFI -> printer (10.0.0.10) is the only WIFI -> "local" flow allowed. This
# rule has no connection-state matcher and sits above "drop invalid", so
# invalid-state packets from WIFI to the printer are accepted here as well.
add action=accept chain=forward comment="allow access to printer" dst-address-list=printer.home in-interface-list=WIFI
# All other WIFI traffic towards 10.0.0.0/16 is dropped.
add action=drop chain=forward comment="disallow access from wifi" dst-address-list=local in-interface-list=WIFI
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# There is no final drop rule in the forward chain: anything not matched above
# (for example inside -> wifi, or either bridge -> WAN) is forwarded.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# First srcnat rule accepts (i.e. leaves untranslated) everything sourced from
# 10.0.0.0/24, so those packets keep the source address the IPsec policies
# match on and never reach the masquerade rule. log=yes logs each hit.
add action=accept chain=srcnat dst-address=0.0.0.0/0 log=yes src-address=10.0.0.0/24
# Remaining traffic leaving via WAN outside an IPsec policy is masqueraded.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# Peer authentication uses a certificate (digital-signature), name redacted.
add auth-method=digital-signature certificate=*snip* peer=*snip*
/ip ipsec policy
# Item 0 is disabled (presumably the default policy template - confirm).
set 0 disabled=yes
# Policies are listed in order. The two action=none entries exempt
# inside -> inside and inside -> wifi traffic and are placed ahead of the
# catch-all policy, which tunnels everything else sourced from 10.0.0.0/24.
add action=none dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=none dst-address=192.168.3.0/24 src-address=10.0.0.0/24
add dst-address=0.0.0.0/0 peer=*snip* sa-dst-address=*snip* sa-src-address=0.0.0.0 src-address=10.0.0.0/24 tunnel=yes
# Tunnel for the DNS upstream 10.0.10.1. The source 10.208.125.234 is not
# assigned to any interface in this export.
# NOTE(review): confirm where that address comes from.
add dst-address=10.0.10.1/32 peer=*snip* sa-dst-address=*snip* sa-src-address=0.0.0.0 src-address=10.208.125.234/32 tunnel=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=*snip*
/tool mac-server
# MAC-layer management access (MAC server and MAC Winbox) is limited to the
# LAN interface list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN