I come from a Ubiquiti ER-4, but I needed a router capable of multi-gig routing, so I bought the CCR2004-1G-12S+2XS.
I have a fairly simple home installation, with:
- my router connected to a switch via a trunk port (sfp-sfpplus12), and this same switch connected to another switch via another trunk port.
- a 'main' vlan with all my trusted devices and full access to everything
- an 'iot' vlan where I put all my trash devices. In this vlan they can reach each other but are unable to reach the main vlan unless the connection was already established.
It used to work pretty well with my ER-4, but when I tried to adapt this set of rules to my CCR2004 I struggled:
- traffic within each vlan seems OK
- when I try to reach the 'iot' vlan from my 'main' vlan, the connection takes a long time to establish, around 6-8 seconds, and then it runs fine with no packet loss, I think. I can see this behavior with iperf: once the connection is established, I get full wire speed.
Can you please take a look at my config and see if something is misconfigured? I have been banging my head for days now, I am starting to lose sleep and am thinking of bringing back my ER-4 :(
[andrep@RT-POLARIS] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #    ADDRESS              NETWORK          INTERFACE
 0    ;;; defconf
      192.168.88.1/24      192.168.88.0     ether1
 1    192.168.10.1/24      192.168.10.0     vlan10_home
 2    192.168.11.1/24      192.168.11.0     vlan11_iot
 3    192.168.12.1/24      192.168.12.0     vlan12_guest
 4    192.168.13.1/24      192.168.13.0     vlan13_iot-offline
 5 D  xxx.xxx.xx3.183/24   xxx.xxx.xx3.0    sfp-sfpplus1
*******************************************************************
[andrep@RT-POLARIS] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                TYPE   ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS
 0     ether1              ether        1500   1600       9586  08:55:31:A5:9C:27
 1  R  sfp-sfpplus1        ether        1500   1592       9578  B4:FB:E4:CB:06:B2
 2     sfp-sfpplus2        ether        1500   1592       9578  08:55:31:A5:9C:29
 3     sfp-sfpplus3        ether        1500   1592       9578  08:55:31:A5:9C:2A
 4     sfp-sfpplus4        ether        1500   1592       9578  08:55:31:A5:9C:2B
 5     sfp-sfpplus5        ether        1500   1592       9578  08:55:31:A5:9C:2C
 6     sfp-sfpplus6        ether        1500   1592       9578  08:55:31:A5:9C:2D
 7     sfp-sfpplus7        ether        1500   1592       9578  08:55:31:A5:9C:2E
 8     sfp-sfpplus8        ether        1500   1592       9578  08:55:31:A5:9C:2F
 9     sfp-sfpplus9        ether        1500   1592       9578  08:55:31:A5:9C:30
10     sfp-sfpplus10       ether        1500   1592       9578  08:55:31:A5:9C:31
11     sfp-sfpplus11       ether        1500   1592       9578  08:55:31:A5:9C:32
12  R  sfp-sfpplus12       ether        1500   1592       9578  08:55:31:A5:9C:33
13     sfp28-1             ether        1500   1592       9578  08:55:31:A5:9C:34
14     sfp28-2             ether        1500   1592       9578  08:55:31:A5:9C:35
15  R  vlan10_home         vlan         1500   1588             08:55:31:A5:9C:33
16  R  vlan11_iot          vlan         1500   1588             08:55:31:A5:9C:33
17  R  vlan12_guest        vlan         1500   1588             08:55:31:A5:9C:33
18  R  vlan13_iot-offline  vlan         1500   1588             08:55:31:A5:9C:33
*******************************************************************
[andrep@RT-POLARIS] > /interface vlan print
Flags: X - disabled, R - running
 #    NAME                MTU   ARP      VLAN-ID  INTERFACE
 0 R  vlan10_home         1500  enabled       10  sfp-sfpplus12
 1 R  vlan11_iot          1500  enabled       11  sfp-sfpplus12
 2 R  vlan12_guest        1500  enabled       12  sfp-sfpplus12
 3 R  vlan13_iot-offline  1500  enabled       13  sfp-sfpplus12
*******************************************************************
[andrep@RT-POLARIS] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC         GATEWAY          DISTANCE
 0 ADS  0.0.0.0/0                           185.66.103.254          1
 1 ADC  185.66.103.0/24    xxx.xxx...3.183  sfp-sfpplus1            0
 2 ADC  192.168.10.0/24    192.168.10.1     vlan10_home             0
 3 ADC  192.168.11.0/24    192.168.11.1     vlan11_iot              0
 4 ADC  192.168.12.0/24    192.168.12.1     vlan12_guest            0
 5 ADC  192.168.13.0/24    192.168.13.1     vlan13_iot-offline      0
 6  DC  192.168.88.0/24    192.168.88.1     ether1                255
 7 A S  239.255.255.0/24                    vlan11_iot              1
*******************************************************************
[andrep@RT-POLARIS] > /ip firewall filter export
# mar/28/2021 09:23:45 by RouterOS 6.48.1
# software id = TPHC-LDWX
#
# model = CCR2004-1G-12S+2XS
# serial number =
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid state" connection-state=invalid
add action=accept chain=input comment="accept KNET ICMP probes " limit=50/1m,1:packet log=yes log-prefix="[knet icmp probes]" protocol=icmp src-address-list=KNET_ICMP-PROBES
add action=drop chain=input comment="block everything else from WAN" in-interface-list=wan_ipv4
add action=jump chain=input comment="input IOT rules" in-interface=vlan11_iot jump-target=input_IOT
add action=jump chain=input comment="input GUEST rules" in-interface=vlan12_guest jump-target=input_RESTRICTED
add action=jump chain=input comment="input IOT OFFLINE rules" in-interface=vlan13_iot-offline jump-target=input_RESTRICTED
add action=accept chain=input_RESTRICTED comment="Accept DHCP (udp)" dst-port=67 protocol=udp src-port=68
add action=drop chain=input_RESTRICTED comment="drop everything else"
add action=accept chain=input_RESTRICTED comment="Accept DHCP (tcp)" dst-port=67 port="" protocol=tcp src-port=68
add action=accept chain=input_IOT comment="Accept DNS (tcp)" port=53 protocol=tcp
add action=accept chain=input_IOT comment="Accept DNS (udp)" port=53 protocol=udp
add action=accept chain=input_IOT comment="Accept DHCP (tcp)" dst-port=67 port="" protocol=tcp src-port=68
add action=accept chain=input_IOT comment="Accept DHCP (udp)" dst-port=67 protocol=udp src-port=68
add action=drop chain=input_IOT comment="drop everything else"
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid state" connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT form WAN" connection-nat-state=!dstnat connection-state=new in-interface-list=wan_ipv4
add action=jump chain=forward comment="forward IOT rules" in-interface=vlan11_iot jump-target=forward_IOT
add action=jump chain=forward comment="forward GUEST rules" in-interface=vlan12_guest jump-target=forward_GUEST
add action=jump chain=forward comment="forward IOT OFFLINE rules" in-interface=vlan13_iot-offline jump-target=forward_FULL-ISOLATION
add action=accept chain=forward_IOT comment="accept all within IOT" out-interface=vlan11_iot
add action=accept chain=forward_IOT comment="accept WAN outbound traffic (tcp)" out-interface-list=wan_ipv4 port="" protocol=tcp
add action=accept chain=forward_IOT comment="accept WAN outbound traffic (udp)" out-interface-list=wan_ipv4 port="" protocol=udp
add action=accept chain=forward_IOT comment="accept multicast" disabled=yes dst-address-type=multicast out-interface=vlan10_home
add action=reject chain=forward_IOT comment="drop everything else" reject-with=icmp-network-unreachable
add action=accept chain=forward_GUEST comment="accept DNS (tcp)" dst-address-list=GUEST_DNS port=53 protocol=udp
add action=accept chain=forward_GUEST comment="accept DNS (udp)" dst-address-list=GUEST_DNS port=53 protocol=tcp
add action=accept chain=forward_GUEST comment="accept omada captive portal" dst-address=192.168.10.21 port=8088 protocol=tcp
add action=accept chain=forward_GUEST comment="accept HTTP HTTPS (tcp)" out-interface-list=wan_ipv4 port=80,8080,443,8443 protocol=tcp
add action=accept chain=forward_GUEST comment="accept HTTP HTTPS (udp)" out-interface-list=wan_ipv4 port=80,8080,443,8443 protocol=udp
add action=drop chain=forward_GUEST comment="drop everything else"
add action=drop chain=forward_FULL-ISOLATION comment="drop everything else"
*******************************************************************
[andrep@RT-POLARIS] > /ip firewall nat export
# mar/28/2021 09:37:07 by RouterOS 6.48.1
# software id = TPHC-LDWX
#
# model = CCR2004-1G-12S+2XS
# serial number =
/ip firewall nat
add action=masquerade chain=srcnat comment="masquarade for WAN" out-interface-list=wan_ipv4
add action=dst-nat chain=dstnat comment="DNS interception for IOT (udp)" dst-address=!192.168.11.1 in-interface=vlan11_iot port=53 protocol=udp to-addresses=192.168.11.1
add action=dst-nat chain=dstnat comment="DNS interception for IOT (tcp)" dst-address=!192.168.11.1 in-interface=vlan11_iot port=53 protocol=tcp to-addresses=192.168.11.1
add action=dst-nat chain=dstnat comment="DNS interception for GUEST (udp)" dst-address-list=!GUEST_DNS in-interface=vlan12_guest port=53 protocol=udp to-addresses=1.0.0.3
add action=dst-nat chain=dstnat comment="DNS interception for GUEST (tcp)" dst-address-list=!GUEST_DNS in-interface=vlan12_guest port=53 protocol=tcp to-addresses=1.1.1.3
add action=dst-nat chain=dstnat comment="SSH to pireserver" in-interface-list=wan_ipv4 port=2287 protocol=tcp to-addresses=192.168.10.10 to-ports=22
add action=dst-nat chain=dstnat comment="PLEX to pireserver" in-interface-list=wan_ipv4 port=23004 protocol=tcp to-addresses=192.168.11.10 to-ports=32400
add action=dst-nat chain=dstnat comment="OPENVPN (udp)" in-interface-list=wan_ipv4 port=123 protocol=udp to-addresses=192.168.10.10 to-ports=1194
add action=dst-nat chain=dstnat comment="OPENVPN (tcp)" in-interface-list=wan_ipv4 port=443 protocol=tcp to-addresses=192.168.10.10 to-ports=1194
add action=dst-nat chain=dstnat comment="HASSIO (tcp)" in-interface-list=wan_ipv4 port=8123 protocol=tcp to-addresses=192.168.10.21 to-ports=8123
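The filter export above is easier to reason about once you trace a packet through it rule by rule, because RouterOS evaluates each chain top to bottom and stops at the first terminal action (accept, drop, reject), while a jump into a user chain that falls through returns to the parent chain. The following Python model does exactly that for the posted rules. It is an added example written for this page, not code from the original post or from MikroTik: it encodes only the subset of the posted /ip firewall filter rules that decides inter-VLAN forwarding and the input_RESTRICTED chain, leaves out address lists, the connection-nat-state match and the fasttrack bypass of later packets, and the four sample packets (an iperf connection on 5201, its reply, an SSH attempt, a DHCP request) are constructed. It does not claim to explain the 6-8 second delay; it only shows which rule each packet actually terminates on.

```python
"""First-match model of the RouterOS filter rules posted above (added
example, not part of the original post; packets below are constructed)."""
from dataclasses import dataclass, field

TERMINAL = {"accept", "drop", "reject"}
BUILTIN = {"input", "forward"}     # built-in chains end with an implicit accept


@dataclass
class Packet:
    chain: str                     # built-in chain the packet enters
    in_iface: str
    out_iface: str = ""            # empty for the input chain
    proto: str = ""
    src_port: int = 0
    dst_port: int = 0
    state: str = "new"             # new | established | related | invalid
    in_wan: bool = False           # in-interface-list=wan_ipv4
    out_wan: bool = False          # out-interface-list=wan_ipv4


@dataclass
class Rule:
    chain: str
    action: str                    # accept | drop | reject | jump | fasttrack-connection
    comment: str
    match: dict = field(default_factory=dict)
    target: str = ""               # jump-target for action=jump

    def matches(self, p: Packet) -> bool:
        for attr, want in self.match.items():
            have = getattr(p, attr)
            if isinstance(want, frozenset):
                if have not in want:
                    return False
            elif have != want:
                return False
        return True


ER = frozenset({"established", "related"})

# Same order as the posted export; order is what first-match semantics act on.
# The WAN drop rule omits the posted connection-nat-state=!dstnat exception.
RULES = [
    Rule("input", "accept", "accept established,related", {"state": ER}),
    Rule("input", "drop", "drop invalid state", {"state": "invalid"}),
    Rule("input", "drop", "block everything else from WAN", {"in_wan": True}),
    Rule("input", "jump", "input GUEST rules", {"in_iface": "vlan12_guest"}, "input_RESTRICTED"),
    Rule("input_RESTRICTED", "accept", "Accept DHCP (udp)", {"proto": "udp", "dst_port": 67, "src_port": 68}),
    Rule("input_RESTRICTED", "drop", "drop everything else"),
    Rule("input_RESTRICTED", "accept", "Accept DHCP (tcp)", {"proto": "tcp", "dst_port": 67, "src_port": 68}),
    Rule("forward", "fasttrack-connection", "fast-track for established,related", {"state": ER}),
    Rule("forward", "accept", "accept established,related", {"state": ER}),
    Rule("forward", "drop", "drop invalid state", {"state": "invalid"}),
    Rule("forward", "drop", "drop access to clients behind NAT from WAN", {"state": "new", "in_wan": True}),
    Rule("forward", "jump", "forward IOT rules", {"in_iface": "vlan11_iot"}, "forward_IOT"),
    Rule("forward_IOT", "accept", "accept all within IOT", {"out_iface": "vlan11_iot"}),
    Rule("forward_IOT", "accept", "accept WAN outbound traffic (tcp)", {"out_wan": True, "proto": "tcp"}),
    Rule("forward_IOT", "accept", "accept WAN outbound traffic (udp)", {"out_wan": True, "proto": "udp"}),
    Rule("forward_IOT", "reject", "drop everything else"),
]


def walk(p: Packet, chain: str, trace: list):
    """Terminal action reached in `chain`, or None when a user chain falls
    through (RouterOS then resumes the parent chain after the jump)."""
    for r in (r for r in RULES if r.chain == chain):
        if not r.matches(p):
            continue
        trace.append(f"{chain}: {r.comment}")
        if r.action == "jump":
            result = walk(p, r.target, trace)
            if result is not None:
                return result
        elif r.action in TERMINAL:
            return r.action
        # fasttrack-connection is non-terminal: evaluation continues
    if chain in BUILTIN:
        trace.append(f"{chain}: implicit accept at end of built-in chain")
        return "accept"
    return None


def verdict(p: Packet):
    """Final action for a packet plus the rules it touched, in order."""
    trace = []
    return walk(p, p.chain, trace), trace


def unreachable_rules(chain: str):
    """Rules placed after an unconditional terminal rule can never match."""
    dead, blocked = [], False
    for r in (r for r in RULES if r.chain == chain):
        if blocked:
            dead.append(r.comment)
        elif r.action in TERMINAL and not r.match:
            blocked = True
    return dead


# Constructed samples: Packet(chain, in, out, proto, sport, dport, state)
HOME_TO_IOT_NEW = Packet("forward", "vlan10_home", "vlan11_iot", "tcp", 40000, 5201)
IOT_TO_HOME_REPLY = Packet("forward", "vlan11_iot", "vlan10_home", "tcp", 5201, 40000, "established")
IOT_TO_HOME_NEW = Packet("forward", "vlan11_iot", "vlan10_home", "tcp", 40000, 22)
GUEST_DHCP_TCP = Packet("input", "vlan12_guest", "", "tcp", 68, 67)

if __name__ == "__main__":
    for name, pkt in [("home->iot new", HOME_TO_IOT_NEW), ("iot->home reply", IOT_TO_HOME_REPLY),
                      ("iot->home new", IOT_TO_HOME_NEW), ("guest DHCP/tcp", GUEST_DHCP_TCP)]:
        action, trace = verdict(pkt)
        print(f"{name:16s} -> {action:7s} via {trace}")
    print("unreachable in input_RESTRICTED:", unreachable_rules("input_RESTRICTED"))
```

Two things the trace makes visible. A new connection from vlan10_home to vlan11_iot is not sent through any user chain (the only jumps key on in-interface vlan11_iot, vlan12_guest and vlan13_iot-offline), so it reaches the implicit accept at the end of the forward chain, and its reply is picked up by the established/related rules before the forward_IOT jump is ever consulted. In input_RESTRICTED, the "Accept DHCP (tcp)" rule sits after the unconditional drop and is therefore dead; since DHCP runs over UDP that has no practical effect, but it is the kind of ordering slip worth checking whenever a chain ends in a catch-all.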