I inherited this network setup when a friend passed away. I realise that it is NOT the ideal setup, but it is what it is, and as we do upgrades we are trying to rectify bad setups; however, it is a LIVE (production) network with approx. 50 clients.
It starts at the “OFFICE” (all references are to the diagram) with a 600/60 fiber router from the provider; this unit is in bridge mode, fiber to eth1. A gigabit cable is connected from this to the TestAC WAN port, which gets the external IP.
TestAC – Currently RBD52G-5HacD2HnD – Router with static routes for network, DHCP Server on 192.168.40.0/24 – Firewall with NAT
TAGFiber – 960PGS – DHCP Server 10.99.66.0/24 – PPP Server for 10.99.26.0/24 Clients – Firewall with NAT – Client limiting with Packet Marks and Mangle Rules
TAG4 – SA5? Bridged Sector TAGFiber for 10.99.26.0/24 Clients
LHG60Master – RBLHGG-60ad Master unit (AP) Bridge
LHG60Slave – RBLHGG-60ad Slave unit (SLAVE) Bridge
TAGMASTER – PB-960PGS – DHCP Server 10.99.2.0/24 – PPP Server for 10.99.25.0/24 Clients – Firewall with NAT – Client limiting with Packet Marks and Mangle Rules (15-20 Clients)
PBColin – PB-960PGS – Bridged to TAGMASTER 10.99.2.0/24 – PPP Server for 10.99.29.0/24 Clients – Firewall with NAT – Client limiting with Packet Marks and Mangle Rules (5-10 Clients)
TAGEE_Link – SXT5AC? – Bridge to TAGMASTER 10.99.2.0/24 to EE_AC Mountain 2
TAG1 – RB922UAGS-5HPacD-NM & am-5ac21-60 – Bridged Sector TAGMASTER to Clients 10.99.29.0/24
TAG2 – RB922UAGS-5HPacD-NM & am-5ac21-60 – Bridged Sector TAGMASTER to Clients 10.99.25.0/24
EE_AC – SXT5AC? – Bridge EEPB to TAGMASTER 10.99.2.0/24 Mountain 1
EEPB – PB-960PGS – Bridged to TAGMASTER 10.99.2.0/24 – PPP Server for 10.99.28.0/24 Clients – Firewall with NAT – Client limiting with Packet Marks and Mangle Rules (15-20 Clients)
TAG3 – SA5? - Bridged Sector EEPB to 10.99.28.0/24 Clients
All units in the Office, including the TAG4 sector and all 10.99.26.0/24 clients, are functioning normally. At all points up to the sector we have gigabit speeds, and all clients have 20/4 packages functioning fine. BTEST is near gigabit to all units, and plugging a laptop in at the furthest point and running a speedtest.net test gives 660/58.
The LHG60 link is not aligned perfectly (about 0.4 deg off) but link speeds of 2.3Gbps are stable over 1.9km. BTEST at Mountain 1 (the other end, LHG60_Slave) 250-320Mbps; laptop with speedtest.net 280/56Mbps. (Happy to provide further info on these units, as we would probably not have bought these based on OUR real-world results.)
TAG1 Clients 10.99.29.5 report random (we have done extensive monitoring and it does appear random) speed test of 4-12Mbps on speedtest.net and TV buffering.
TAG2 Clients 10.99.25.5 report occasional speed test of 14-17Mbps on speedtest.net and occasional TV buffering.
EEPB: actual speedtest.net across the AC link 128/49Mbps; BTEST to TestAC 180/180 (Mountain 2).
TAG3 clients here experience daily problems (weirdly, during monitoring it is worse between 4pm and 7pm; possible sunset reflection etc. on the sectors and AC link?) 1.9-20/3Mbps.
When the problem is not there all clients are fine with speedtest.net of 20/4Mbps as per their package.
When the problem is occurring for the clients we can look at all equipment and NO high CPU etc and BTEST results to all units in every combination achieve normal (expected) results.
NOTHING is maxed out at any point?
Upgrade & Questions:
We have purchased a CCR-1009-7G-1C-1S+PC to replace the first link in the chain, TestAC 10.99.40.1.
I am fairly sure at this point (most customers have various IPTV solutions) that it's not necessarily a speed or resource issue but the number of packets at times, coupled with BAD config with potential routing issues and broadcast flooding. The various units that are handling the mangle rules, packet marking and client limiting have got 20-50 firewall rules and 50 mangle rules each.
I am a qualified network engineer with years of small-network experience, single-subnet type stuff. I only came to MikroTik and The Dude with inheriting this network 3 yrs ago (love MikroTik, love RouterOS and love scripting).
I have watched a lot of YouTube videos, read a hell of a lot and built physical test networks and GNS3 virtual simulations in attempts to improve the network and track down these issues. As we only plan to add approx. 25 more clients to the network MAX, and not all of the clients are here all year round (holiday homes), our plan was to simplify the network with most equipment as bridges back to the new CCR at the office (head end, I think, is the correct term).
The CCR would run DHCP for 10.99.2.0/24 with various bits to help with exchanging into a live network (middle of the night work)
NEW DHCP Server 10.99.99.0/24 for Management Equipment VLAN99 (would replace the existing 10.99.2.0/24 address that equipment currently has)
New DHCP Server 10.99.26.0/24 for Clients VLAN24 (TAG4)
New DHCP Server 10.99.25.0/24 for Clients VLAN25 (TAG2)
New DHCP Server 10.99.29.0/24 for Clients VLAN29 (TAG1)
New DHCP Server 10.99.28.0/24 for Clients VLAN28 (TAG3)
NEW Firewall Filter rules (possibly in lists) to replace all Firewall rules on current equipment
New Mangle and limiting rules to replace the ones on the other equipment reflecting the various NEW VLAN setup
Q1: Firstly is VLAN the way to go?
Q2: Move everything to be handled by the NEW CCR ?
Q3: If Q1 is yes then this is where I'm falling down, in physical and GNS testing to do VLANs on different versions of RouterOS (not possible to have the latest version on all equipment; 6.32.5 is the lowest on all sectors).
I can get the VLAN on the CCR with a DHCP server; the next piece of equipment gets either a 10.99.2.0/24 address, unless I specify the VLAN ID, in which case it gets the appropriate VLAN IP address. With a bridged unit that's fine, but my next piece of equipment is a router, TAGFiber 10.99.66.0/24, effectively WAN/LAN. In these situations I can't get the VLANs to pass WAN to LAN, so the next piece of equipment ends up with a 10.99.66.0/24 address from the old config despite specifying VLAN IDs?
Wow, I know that was a lot of reading, but I've tried to be as concise as possible (there are various other parts on this network, like a 5GHz backup for the 60GHz that auto fails over etc., but all of these other parts function normally and we are more than capable of supporting and managing the network).
We are only a very small 2-person outfit with a very limited budget, but would really appreciate any helpful advice on how we should proceed and possible assistance.
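As an added example (not the poster's configuration, and not taken from any of the units described above), here is what the planned CCR head-end from the "Upgrade & Questions" section looks like as RouterOS bridge-VLAN-filtering config: one bridge, a tagged trunk port, one /interface vlan and DHCP server per subnet, and a filter chain that keeps the client VLANs away from each other and from the management VLAN. The VLAN IDs and subnets are the ones listed in the post; the interface names (ether1 as WAN, ether2 as the trunk towards the sectors), the pool ranges and the list names are assumptions. Bridge VLAN filtering needs RouterOS 6.41 or newer, so this applies to the CCR, not to a 6.32.5 sector.

```routeros
# Added example (assumed names): CCR head-end with bridge VLAN filtering.
# ether1 = WAN (assumed), ether2 = 802.1Q trunk towards the sectors (assumed).
# VLAN IDs / subnets as given in the post: 99 mgmt, 24 TAG4, 25 TAG2, 28 TAG3, 29 TAG1.

/interface bridge
add name=bridge1 vlan-filtering=no comment="enable vlan-filtering as the last step"

/interface bridge port
# pvid=99: any UNTAGGED frame arriving from old-config gear lands in the
# management VLAN, never in a client VLAN
add bridge=bridge1 interface=ether2 pvid=99

/interface bridge vlan
# bridge1 itself is tagged so the CCR's CPU sees each VLAN (needed for L3 below)
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=99
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=24
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=25
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=28
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=29

/interface vlan
add interface=bridge1 name=vlan99-mgmt vlan-id=99
add interface=bridge1 name=vlan24-tag4 vlan-id=24
add interface=bridge1 name=vlan25-tag2 vlan-id=25
add interface=bridge1 name=vlan28-tag3 vlan-id=28
add interface=bridge1 name=vlan29-tag1 vlan-id=29

# interface lists keep the firewall short: rules match MGMT/CLIENTS, not 5 VLANs each
/interface list
add name=MGMT
add name=CLIENTS
add name=WAN
/interface list member
add interface=vlan99-mgmt list=MGMT
add interface=vlan24-tag4 list=CLIENTS
add interface=vlan25-tag2 list=CLIENTS
add interface=vlan28-tag3 list=CLIENTS
add interface=vlan29-tag1 list=CLIENTS
add interface=ether1 list=WAN

/ip address
add address=10.99.99.1/24 interface=vlan99-mgmt
add address=10.99.26.1/24 interface=vlan24-tag4
add address=10.99.25.1/24 interface=vlan25-tag2
add address=10.99.28.1/24 interface=vlan28-tag3
add address=10.99.29.1/24 interface=vlan29-tag1

/ip pool
add name=pool-mgmt ranges=10.99.99.10-10.99.99.250
add name=pool-tag4 ranges=10.99.26.10-10.99.26.250
add name=pool-tag2 ranges=10.99.25.10-10.99.25.250
add name=pool-tag3 ranges=10.99.28.10-10.99.28.250
add name=pool-tag1 ranges=10.99.29.10-10.99.29.250

/ip dhcp-server
add name=dhcp-mgmt interface=vlan99-mgmt address-pool=pool-mgmt disabled=no
add name=dhcp-tag4 interface=vlan24-tag4 address-pool=pool-tag4 disabled=no
add name=dhcp-tag2 interface=vlan25-tag2 address-pool=pool-tag2 disabled=no
add name=dhcp-tag3 interface=vlan28-tag3 address-pool=pool-tag3 disabled=no
add name=dhcp-tag1 interface=vlan29-tag1 address-pool=pool-tag1 disabled=no
/ip dhcp-server network
add address=10.99.99.0/24 gateway=10.99.99.1
add address=10.99.26.0/24 gateway=10.99.26.1
add address=10.99.25.0/24 gateway=10.99.25.1
add address=10.99.28.0/24 gateway=10.99.28.1
add address=10.99.29.0/24 gateway=10.99.29.1

/ip firewall filter
# input: the CCR is managed only from the management VLAN; clients get DHCP/DNS and nothing else
add chain=input connection-state=established,related action=accept
add chain=input in-interface-list=MGMT action=accept comment="management from VLAN99 only"
add chain=input in-interface-list=CLIENTS protocol=udp dst-port=67 action=accept comment="DHCP"
add chain=input in-interface-list=CLIENTS protocol=udp dst-port=53 action=accept comment="DNS (if CCR resolves)"
add chain=input in-interface-list=CLIENTS action=drop
add chain=input in-interface-list=WAN action=drop
# forward: client VLANs may reach the WAN, never each other and never the management VLAN
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=CLIENTS out-interface-list=MGMT action=drop comment="no client -> management"
add chain=forward in-interface-list=CLIENTS out-interface-list=CLIENTS action=drop comment="no inter-VLAN client traffic"
add chain=forward in-interface-list=CLIENTS out-interface-list=WAN action=accept
add chain=forward in-interface-list=MGMT action=accept
add chain=forward action=drop

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# last step, applied while connected via the management VLAN (or Winbox MAC
# session); enabling filtering earlier cuts off the session doing the config
/interface bridge set bridge1 vlan-filtering=yes
```

Two notes on how this relates to Q3. First, 802.1Q tags are a layer-2 thing: a hop that is configured as a router with NAT (TAGFiber in its current WAN/LAN role) terminates the segment, so the tags cannot "pass WAN to LAN"; for VLANs to reach the sectors, the units between the CCR and the sectors have to carry the trunk as a bridge port (or the VLANs have to be tunnelled), which is in line with the stated plan of making most equipment bridges back to the CCR. Second, on a sector still at 6.32.5 there is no bridge VLAN filtering; the pre-6.41 method is one /interface vlan per VLAN on the ethernet port, each bridged with the corresponding wireless interface in its own bridge, so a client VLAN and the management VLAN never share a bridge on that unit.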