LaKing
just joined
Topic Author
Posts: 21
Joined: Fri Oct 05, 2018 5:56 am

Capsman network, enabling Hotspot configuration results in 0,02Mbps download bandwidth for clients

Tue Jan 28, 2020 1:00 am

Komrades!

I have a problem when enabling my hotspot configuration: The Download bandwidth drops from 95Mbps to 0,02 Mbps as soon as the hotspot is enabled on wifi.instant-fogas.com
Everything works, authentication, radius, etc, everything seems to be set up fine, but that bandwidth drop renders the wifi useless.
If the hotspot is disabled, then bandwidth rates go back to normal instantly, then download is 95Mbps as it is on other capsman networks.

We have a Cloud Core router and about 30 CAPs.
At the moment I can not reproduce the problem on my development router + cap.

Any suggestion on how to troubleshoot the problem is welcome.
# jan/27/2020 19:34:50 by RouterOS 6.46.1
# software id = ZTRG-65M4
#
# model = CCR1009-7G-1C
# serial number = 84A1078A5D6B

## I manually added some comments, and moved the relevant configurations to the top.
## we have these three CAPSMAN networks, we try to get the new wifi.instant-fogas.com to use a hotspot

/caps-man configuration
add country=hungary datapath.bridge=mazel_bridge name=MazelTov ssid=MazelTov
add country=hungary datapath.bridge=capsman_bridge name=Instant-Fogas ssid=INSTANT-FOGAS
add comment=wifi.instant-fogas.com country=hungary datapath.bridge=wifi_instant-fogas_com hide-ssid=no name=wifi.instant-fogas.com ssid=wifi.instant-fogas.com
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=capsman_bridge
add disabled=no interface=mazel_bridge
add disabled=no interface=wifi_instant-fogas_com
/caps-man provisioning
add action=create-dynamic-enabled comment="MazelTov: IF Identity starts with underscore, we use this config" identity-regexp=^_ master-configuration=MazelTov
add action=create-dynamic-enabled comment=Instant-Fogas master-configuration=wifi.instant-fogas.com slave-configurations=Instant-Fogas

/ip hotspot profile
add dns-name=hotspot.instant-fogas.com hotspot-address=172.17.0.1 login-by=http-pap name=wifi.instant-fogas.com use-radius=yes
/ip hotspot
add address-pool=wifi.instant-fogas.com_pool disabled=no interface=wifi_instant-fogas_com name=wifi.instant-fogas.com profile=wifi.instant-fogas.com
/ip hotspot user profile
set [ find default=yes ] address-pool=wifi.instant-fogas.com_pool shared-users=100 transparent-proxy=yes
/ip hotspot user
add name=LaKing
add name=x password=******
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add disabled=yes dst-host=*facebook*
add disabled=yes dst-host=*fbcdn*
add disabled=yes dst-host=*fb*
add disabled=yes dst-host=*akamai*
add disabled=yes dst-host=*.google.*
add disabled=yes dst-host=*.googleapis.com
add disabled=yes dst-host=*.gstatic.com
add disabled=yes dst-host=*.googleusercontent.com
add disabled=yes dst-host=*instant-fogas.com
add disabled=yes dst-host=*d250.hu
add disabled=yes dst-host=facebook.com
/ip hotspot walled-garden ip
add action=accept comment=bp.d250.hu disabled=yes dst-address=89.133.151.125 !dst-address-list !dst-port !protocol !src-address !src-address-list
add action=accept comment=fx.d250.hu disabled=yes dst-address=89.133.151.124 !dst-address-list !dst-port !protocol !src-address !src-address-list

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="ICMP allow PING" icmp-options=8:0-255 protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=default out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin nat to reach catlan services via f1.d250.hu with port forwarding" dst-address=!10.0.0.1 src-address=10.0.0.0/16
add action=masquerade chain=srcnat comment="Hairpin nat to reach catlan services via f1.d250.hu with port forwarding" dst-address=!10.10.30.1 src-address=10.10.30.0/24
add action=dst-nat chain=dstnat comment="HTTP fx port 80" dst-port=80 in-interface=combo1 protocol=tcp to-addresses=192.168.117.247 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS port 443" dst-port=443 in-interface=combo1 protocol=tcp to-addresses=10.0.0.5 to-ports=443
add action=dst-nat chain=dstnat comment="MazelTov CAM port 34567 to 192.168.0.200" dst-port=34567 in-interface=combo1 protocol=tcp to-addresses=192.168.0.200 to-ports=34567
add action=masquerade chain=srcnat comment="CAPSMAN MASQ" out-interface=capsman_bridge
add action=dst-nat chain=dstnat comment="CAM recorder 1.4" dst-port=34504 protocol=tcp to-addresses=192.168.1.4 to-ports=34504
add action=dst-nat chain=dstnat comment="CAM recorder 1.9" dst-port=34509 protocol=tcp to-addresses=192.168.1.9 to-ports=34509
add action=dst-nat chain=dstnat comment="CAM recorder 1.5" dst-port=34505 protocol=tcp to-addresses=192.168.1.5 to-ports=34505
add action=dst-nat chain=dstnat comment="CAM recorder 1.6" dst-port=34506 protocol=tcp to-addresses=192.168.1.6 to-ports=34506
add action=dst-nat chain=dstnat comment="CAM recorder 1.7" dst-port=34507 protocol=tcp to-addresses=192.168.1.7 to-ports=34507
add action=masquerade chain=srcnat comment="MAZEL MASQ" out-interface=mazel_bridge
add action=dst-nat chain=dstnat comment="FX win7fx" dst-address=89.133.151.113 dst-port=1050 protocol=tcp to-addresses=10.0.0.50 to-ports=5900
add action=dst-nat chain=dstnat comment="FX Qlcplus VNC Serverterem" dst-address=89.133.151.113 dst-port=2001 protocol=tcp to-addresses=192.168.117.200 to-ports=5901
add action=dst-nat chain=dstnat comment="FX VNC qlcplus VAD" dst-address=89.133.151.113 dst-port=2002 protocol=tcp to-addresses=10.0.0.200 to-ports=5901
add action=dst-nat chain=dstnat comment=Ellatohaz dst-address=89.133.151.113 dst-port=3901 protocol=tcp to-addresses=10.10.0.14 to-ports=5901
add action=dst-nat chain=dstnat comment="FX Belepesszamlalo" dst-address=89.133.151.113 dst-port=1051 protocol=tcp to-addresses=10.0.0.51 to-ports=5900
add action=dst-nat chain=dstnat comment="Stream Cam" dst-address=89.133.151.113 dst-port=181 protocol=tcp to-addresses=10.0.0.181 to-ports=22
add action=dst-nat chain=dstnat comment="FTP FX" dst-address=89.133.151.113 dst-port=20-21 protocol=tcp to-addresses=10.0.0.5 to-ports=20-21
add action=dst-nat chain=dstnat comment="VNC Ankert" dst-address=89.133.151.113 dst-port=3902 protocol=tcp to-addresses=10.10.30.14 to-ports=5901
add action=dst-nat chain=dstnat comment="@kozpont XTouch" dst-address=89.133.151.113 dst-port=3200 protocol=tcp to-addresses=10.10.32.15 to-ports=5901
add action=dst-nat chain=dstnat comment=@larm.fx.d250.hu dst-address=89.133.151.113 dst-port=1710 protocol=tcp to-addresses=192.168.117.10 to-ports=5901
add action=dst-nat chain=dstnat comment="iMini VNC" dst-address=89.133.151.113 dst-port=1837 protocol=tcp to-addresses=192.168.118.37 to-ports=5900
add action=dst-nat chain=dstnat comment=@komplex.fx.d250.hu dst-address=89.133.151.113 dst-port=2612 protocol=tcp to-addresses=10.10.26.12 to-ports=5901
add action=masquerade chain=srcnat comment="masquerade hotspot network" out-interface=wifi_instant-fogas_com src-address=172.17.0.0/16
/ip route
add distance=1 gateway=89.133.151.126

## So we have bridges for every area of functionality
/interface bridge
add comment="Instant-Fogas local AudioLAN" name=audiolan_bridge
add comment="Bela camerarendszer" name=belacam_bridge
add comment="Instant fogas capsman" fast-forward=no name=capsman_bridge
add arp=proxy-arp comment="Instant fogas internal cat6/7 cable lan" name=catlan_bridge
add comment="Dante Primary" name=danteprimary_bridge
add name=dantesecondary_bridge
add comment="Direct connection to fx.d250.hu" name=fx_connector_bridge
add comment="SITE-TO_SITE Layer2 VPN" name=hangmaffia_vpn_ankert_bridge
add admin-mac=64:D1:54:DF:E2:CF auto-mac=no comment="SITE-TO-SITE Layer2 VPN" name=hangmaffia_vpn_ellatohaz_bridge
add comment="SITE-TO_SITE Layer2 VPN" name=hangmaffia_vpn_komplex_bridge
add comment="SITE-TO_SITE Layer2 VPN" name=hangmaffia_vpn_kozpont_bridge
add comment="MazelTov LAN and CAPSMAN" fast-forward=no name=mazel_bridge
add comment=wifi.instant-fogas.com name=wifi_instant-fogas_com

## not sure why there are 100Mbps values here, I checked and all negotiations are actually at 1Gbps
/interface ethernet
set [ find default-name=combo1 ] comment=WAN
set [ find default-name=ether1 ] comment="AUDIOLAN " speed=100Mbps
set [ find default-name=ether2 ] comment="DANTE primary" speed=100Mbps
set [ find default-name=ether3 ] comment="Instant fogas CATLAN" speed=100Mbps
set [ find default-name=ether4 ] comment=BELACAM speed=100Mbps
set [ find default-name=ether5 ] comment="CAPSMAN on Instant-Fogas" speed=100Mbps
set [ find default-name=ether6 ] comment=MAZELTOV speed=100Mbps
set [ find default-name=ether7 ] comment="Direct Connection to fx.d250.hu" speed=100Mbps
## we only have one set of vlans for fx ...not really relevant for wifi
/interface vlan
add interface=fx_connector_bridge name=vlan-@ankert vlan-id=30
add interface=fx_connector_bridge name=vlan-@ellatohaz vlan-id=111
add interface=fx_connector_bridge name=vlan-@komplex vlan-id=26
add interface=fx_connector_bridge name=vlan-@kozpont vlan-id=32
add interface=fx_connector_bridge name=vlan-audiolan vlan-id=11
add interface=fx_connector_bridge name=vlan-belacam vlan-id=14
add interface=fx_connector_bridge name=vlan-capsman vlan-id=15
add interface=fx_connector_bridge name=vlan-catlan vlan-id=13
add interface=fx_connector_bridge name=vlan-dantepri vlan-id=12
add interface=fx_connector_bridge name=vlan-dantesec vlan-id=19
add interface=fx_connector_bridge name=vlan-mazeltov vlan-id=16
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=audiolan_pool ranges=192.168.117.10-192.168.117.250
add name=danteprimary_pool ranges=192.168.118.10-192.168.118.250
add name=mazeltov_pool ranges=192.168.10.1-192.168.15.250
add name=capsman_pool ranges=172.16.1.1-172.16.255.254
add name=belacam_pool ranges=192.168.1.250-192.168.1.254
add name=pool@ellatohaz ranges=10.10.0.10-10.10.0.100
add name=catlan_pool ranges=10.0.1.10-10.0.2.250
add name=dantesecondary_pool ranges=192.168.119.10-192.168.119.250
add name=pool@ankert ranges=10.10.30.10-10.10.30.100
add name=pool@kozpont ranges=10.10.32.10-10.10.32.100
add name=pool@komplex ranges=10.10.26.10-10.10.26.100
add name=wifi.instant-fogas.com_pool ranges=172.17.0.10-172.17.255.254
add name=hs-pool-1323 ranges=172.17.0.2-172.17.255.254
/ip dhcp-server
add address-pool=mazeltov_pool disabled=no interface=mazel_bridge name=mazeltov
add address-pool=capsman_pool disabled=no interface=capsman_bridge name=instant-fogas-capsman
add address-pool=pool@ellatohaz disabled=no interface=hangmaffia_vpn_ellatohaz_bridge lease-time=23h name=@ellatohaz
add address-pool=catlan_pool disabled=no interface=catlan_bridge lease-time=23h name=catlan
add address-pool=belacam_pool disabled=no interface=belacam_bridge lease-time=23h name=belacam
add address-pool=audiolan_pool disabled=no interface=audiolan_bridge lease-time=23h name=audiolan
add address-pool=danteprimary_pool disabled=no interface=danteprimary_bridge lease-time=23h name=danteprimary
add address-pool=dantesecondary_pool disabled=no interface=dantesecondary_bridge lease-time=23h name=dantesecondary
add address-pool=pool@ankert disabled=no interface=hangmaffia_vpn_ankert_bridge lease-time=23h name=@ankert
add address-pool=pool@kozpont disabled=no interface=hangmaffia_vpn_kozpont_bridge lease-time=23h name=@kozpont
add address-pool=pool@komplex disabled=no interface=hangmaffia_vpn_komplex_bridge name=@komplex
add address-pool=wifi.instant-fogas.com_pool disabled=no interface=wifi_instant-fogas_com name=wifi.instant-fogas.com
/ppp profile
add bridge=hangmaffia_vpn_ellatohaz_bridge comment=SITE-TO-SITE-Layer2-VPN name=hangmaffia_vpn_ellatohaz
add bridge=catlan_bridge comment="SIMPLE VPN for CATLAN clients" local-address=10.0.3.1 name=catlan_vpn
add bridge=hangmaffia_vpn_ankert_bridge comment="SITE-TO-SITE Layer2 VPN" name=hangmaffia_vpn_ankert
add bridge=hangmaffia_vpn_kozpont_bridge comment="SITE-TO-SITE Layer2 VPN" name=hangmaffia_vpn_kozpont
add bridge=hangmaffia_vpn_komplex_bridge comment="SITE-TO-SITE Layer2 VPN" name=hangmaffia_vpn_komplex
/interface bridge nat
add action=accept chain=srcnat
/interface bridge port
add bridge=capsman_bridge comment="Fogas wifi port" interface=ether5
add bridge=mazel_bridge comment=Mazel interface=ether6
add bridge=fx_connector_bridge comment="Dedicated port for fx.d250.hu" interface=ether7 trusted=yes
add bridge=catlan_bridge comment="LAN Bridge binding" interface=ether3
add bridge=hangmaffia_vpn_ellatohaz_bridge interface=vlan-@ellatohaz
add bridge=catlan_bridge interface=vlan-catlan
add bridge=capsman_bridge interface=vlan-capsman
add bridge=mazel_bridge interface=vlan-mazeltov
add bridge=audiolan_bridge interface=vlan-audiolan
add bridge=danteprimary_bridge interface=vlan-dantepri
add bridge=belacam_bridge interface=vlan-belacam
add bridge=belacam_bridge comment=Belacam interface=ether4
add bridge=danteprimary_bridge comment="Dante Primary LAN" interface=ether2
add bridge=audiolan_bridge comment=AudioLan interface=ether1
add bridge=dantesecondary_bridge interface=vlan-dantesec
add bridge=hangmaffia_vpn_ankert_bridge interface=vlan-@ankert
add bridge=hangmaffia_vpn_kozpont_bridge interface=vlan-@kozpont
add bridge=hangmaffia_vpn_komplex_bridge interface=vlan-@komplex
/interface l2tp-server server
set default-profile=hangmaffia_vpn enabled=yes ipsec-secret=****** mrru=1600 use-ipsec=required
/interface list member
add interface=ether1 list=LAN
add interface=combo1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=VPN
/ip address
add address=192.168.117.1/24 comment="LAN AUDIOLAN" interface=ether1 network=192.168.117.0
add address=89.133.151.117/28 comment="WAN / f5.d250.hu" interface=combo1 network=89.133.151.112
add address=192.168.118.1/24 comment=Dante interface=danteprimary_bridge network=192.168.118.0
add address=89.133.151.118/28 comment="WAN / f6.d250.hu" interface=combo1 network=89.133.151.112
add address=89.133.151.119/28 comment="WAN / f7.d250.hu" interface=combo1 network=89.133.151.112
add address=89.133.151.120/28 comment="WAN / f8.d250.hu" interface=combo1 network=89.133.151.112
add address=89.133.151.121/28 comment="WAN / f9.d250.hu" interface=combo1 network=89.133.151.112
add address=89.133.151.122/28 comment="WAN / fa.d250.hu" interface=combo1 network=89.133.151.112
add address=89.133.151.123/28 comment="WAN / fb.d250.hu" interface=combo1 network=89.133.151.112
add address=192.168.1.1/24 comment="LAN BELACAM" interface=belacam_bridge network=192.168.1.0
add address=172.16.0.1/16 comment="CAPSMAN = 172.16.0.1 - 172.16.255.254" interface=capsman_bridge network=172.16.0.0
add address=192.168.0.1/20 comment="LAN MAZELTOV " interface=mazel_bridge network=192.168.0.0
add address=89.133.151.116/28 comment="WAN / f4-cam.d250.hu" interface=combo1 network=89.133.151.112
add address=10.10.0.1/24 comment=@ellatohaz interface=hangmaffia_vpn_ellatohaz_bridge network=10.10.0.0
add address=10.0.0.1/16 comment=CATLAN interface=catlan_bridge network=10.0.0.0
add address=89.133.151.113/28 comment="WAN / f1 primary" interface=combo1 network=89.133.151.112
add address=192.168.119.1/24 interface=dantesecondary_bridge network=192.168.119.0
add address=10.10.30.1/24 comment=@ankert interface=hangmaffia_vpn_ankert_bridge network=10.10.30.0
add address=10.10.32.1/24 comment=@kozpont interface=hangmaffia_vpn_kozpont_bridge network=10.10.32.0
add address=10.10.26.1/24 comment=@komplex interface=hangmaffia_vpn_komplex_bridge network=10.10.26.0
add address=172.17.0.1/16 comment=wifi.instant-fogas.com interface=wifi_instant-fogas_com network=172.17.0.0
/ip dhcp-server lease
## a long list of static leases ....
add address=192.168.10.19 client-id=1:50:60:28:4:a6:44 comment="Xirrus MazelTov" mac-address=50:60:28:04:A6:44 server=mazeltov
## [...]
/ip dhcp-server network
add address=10.0.0.0/16 comment=CATLAN gateway=10.0.0.1
add address=10.10.0.0/24 comment=HANGMAFFIA_VPN_ELLATOHAZ gateway=10.10.0.1
add address=10.10.26.0/24 comment=hangmaffia_vpn_komplex gateway=10.10.26.1
add address=10.10.30.0/24 comment=hangmaffia_vpn_ankert gateway=10.10.30.1
add address=10.10.32.0/24 comment=hangmaffia_vpn_kozpont gateway=10.10.32.1
add address=172.16.0.0/16 comment="INSTANT-FOGAS CAPSMAN ;; 172.16.0.1 - 172.16.255.254" gateway=172.16.0.1 netmask=16
add address=172.17.0.0/16 comment=wifi.instant-fogas.com gateway=172.17.0.1
add address=192.168.0.0/20 comment="MAZELTOV ;; 192.168.0.1 - 192.168.15.254" gateway=192.168.0.1
add address=192.168.1.0/24 comment="BELACAM ;; 192.168.1.1 - 192.168.1.254" gateway=192.168.1.1 netmask=24
add address=192.168.117.0/24 comment="AUDIOLAN ;; 192.168.117.1 - 192.168.117.254" gateway=192.168.117.1 netmask=24
add address=192.168.118.0/24 comment="DANTE PRIMARY" gateway=192.168.118.1
add address=192.168.119.0/24 comment="DANTE SECONDARY" gateway=192.168.118.1
## given by the provider
/ip dns
set servers=195.184.180.4,195.184.181.4
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add comment="Ell\E1t\F3h\E1z - router: 10.10.0.2" name=@ellatohaz password=****** profile=hangmaffia_vpn_ellatohaz service=l2tp
add comment="Fruitsys tablet" name=gray-surface password=****** profile=catlan_vpn remote-address=10.0.3.10
add comment="Fruitsys tablet" name=black-surface password=****** profile=catlan_vpn remote-address=10.0.3.11
add comment="ankert (10.10.30.x)" name=@ankert password=****** profile=hangmaffia_vpn_ankert
add comment="kozpont (10.10.32.x)" name=@kozpont password=****** profile=hangmaffia_vpn_kozpont
add comment="komplex (10.10.26.x)" name=@komplex password=****** profile=hangmaffia_vpn_komplex
/radius
add accounting-port=1819 address=89.133.151.125 authentication-port=1818 comment="bp.d250.hu - wifi.instant-fogas.com" secret=****** service=hotspot
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=Instant-Fogas
 
LaKing
just joined
Topic Author
Posts: 21
Joined: Fri Oct 05, 2018 5:56 am

Re: Capsman network, enabling Hotspot configuration results in 0,02Mbps download bandwidth for clients

Wed Jan 29, 2020 3:16 pm

After consulting with the official MikroTik support, we found out that the fasttrack firewall rule limits all our networks by about 50%.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
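One way to keep fasttrack for the other bridges while taking the hotspot network out of it, written here as an added example rather than the change support gave the author: fasttracked packets skip the remaining firewall, queue and hotspot processing, so a captive-portal network whose flows get fasttracked is neither shaped nor enforced the way its hotspot rules expect. The interface name wifi_instant-fogas_com and the "defconf: fasttrack" comment are taken from the export above; the rule comments are my own.

```routeros
# Added example, not from the original thread.
# Accept established/related hotspot traffic BEFORE the generic fasttrack rule,
# so the fasttrack rule never matches it and the hotspot keeps full control
# (authentication state, walled garden, NAT and any queues) over those flows.
/ip firewall filter
add action=accept chain=forward comment="hotspot: keep out of fasttrack (in)" \
    connection-state=established,related in-interface=wifi_instant-fogas_com \
    place-before=[find comment="defconf: fasttrack"]
add action=accept chain=forward comment="hotspot: keep out of fasttrack (out)" \
    connection-state=established,related out-interface=wifi_instant-fogas_com \
    place-before=[find comment="defconf: fasttrack"]

# Verify the order and watch the counters: the two hotspot rules should grow
# while clients download, and the fasttrack rule should only grow for the
# other bridges.
/ip firewall filter print stats where chain=forward
```

If the hotspot network later gets simple queues or per-user rate limits from RADIUS, this exclusion is what makes them take effect, since fasttracked connections bypass queues as well.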
