rcmarco
just joined
Topic Author
Posts: 2
Joined: Tue Jun 02, 2020 4:46 pm

Connection times out or just takes too long +++ goes thru if I resubmit

Thu Jun 18, 2020 6:02 pm

Hi, I'm running a DUAL WAN with MikroTik hap2.
Thru trial and error I made it work with load balancing with PCC, and some exemptions.

The problem is that when browsing the internet most pages take a long time to load, especially if they are HTTPS.
The strange thing is that if I access a webpage, and reload it, it works right away, which gives me the impression that something in my firewall rules is causing a delay, or a dead end, which is then picked up by another rule and only then it works.

Here are my firewall rules if anyone can take a look:

/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.8.2/24 interface=ISP1 network=192.168.8.0
add address=192.168.1.2/24 interface=ISP2 network=192.168.1.0
/ip firewall address-list
add address=192.168.88.21 list=WAN-01
add address=192.168.88.28 list=WAN-01
add address=192.168.88.26 list=WAN-01
add address=192.168.88.31 list=WAN-02
/ip settings
set allow-fast-path=no
/ip firewall filter
add action=accept chain=input comment="Accept all connections from local network" in-interface=bridge1
add action=accept chain=forward in-interface=bridge1 out-interface=ISP2
add action=accept chain=forward in-interface=bridge1 out-interface=ISP1
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ISP1
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ISP2
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=bridge1 src-address=!192.168.88.0/24
add action=drop chain=input comment="DROP ALL ELSE" log-prefix="INPUT DROP ALL"
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=bridge1
add action=accept chain=prerouting dst-address=192.168.8.0/24 in-interface=bridge1
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP2 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=ISP1_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1 new-connection-mark=ISP2_conn src-address-list=WAN-02
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1 new-connection-mark=ISP1_conn src-address-list=WAN-01
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=bridge1 new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=bridge1 new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
add action=masquerade chain=srcnat out-interface=ISP2 src-address-list=WAN-02
add action=masquerade chain=srcnat out-interface=ISP1 src-address-list=WAN-01
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=192.168.88.26 to-ports=1194
/ip firewall service-port
set sip disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.8.1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=192.168.8.1
add check-gateway=ping distance=1 gateway=192.168.1.1
