s19
just joined
Topic Author
Posts: 1
Joined: Wed May 17, 2023 7:33 am

Massive delays and packet loss in LAN traffic on RB5009UG+S+IN

Wed May 17, 2023 8:31 am

Greetings,

I recently received my long-awaited RB5009UG+S+IN router. Before this I have used a Mikrotik hEX connected to a switch, which has worked beautifully for my home network and server use. However, I needed the hEX and switch for another project and decided to get an RB5009UG+S+IN as a one-stop shop solution.

The change has not gone without issues.

I successfully moved my custom configuration from the hEX to the RB and everything seemed to work (port forwarding to my server, hairpin NAT for my home network), but communication within my LAN network was very unstable and erratic. This was not limited to any single protocol. When pinging another device within the network, 50-75% of the requests would be responded to instantly and the rest would time out. SSH connections would be interrupted within seconds of opening them, accessing folders on network drives would either succeed instantly or time out, and HTTP and HTTPS connections to the server on my network were very erratic (some resources loading instantly, some taking dozens of seconds to minutes to load). Any successfully established remote desktop connections within the network would fail within seconds. Curiously enough, the problem was not as bad with connections to the web server from outside the network (WAN), but still very noticeable. Also, when moving files from and to the network drives, as long as the transfer got started, it would run at a very stable 1Gbps speed regardless of the file size (tested up to 10Gb).

Connections from LAN to the router itself and to internet worked flawlessly, even remote desktop connections.

I tried disabling IPv6 and the hairpin NAT rules, with no effect. I reset the configuration to the device default using Winbox, and the same problem persisted.

Now I accidentally clicked "remove configuration" thinking this would allow me to reapply my own config for further testing, but of course the device became completely inaccessible. I will probably have to perform some hard reset if I want to keep experimenting. For now I have moved back to my hEX+switch setup and everything is running smoothly.

The RB was updated to the latest 7.9 software. Google searches did not yield any useful results. Device CPU load was negligible during the connection lags/interruptions.

Is there something I have missed, some setup step I skipped? Considering the problem persisted even on default configuration, do you think I have a faulty unit or is there something more I can do?

My custom config:
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=local ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.200 client-id=1:3c:7c:3f:1d:eb:87 mac-address=\
    xxx server=defconf
add address=192.168.1.12 client-id=1:cc:32:e5:f:ab:57 mac-address=\
    xxx server=defconf
add address=192.168.1.11 client-id=1:98:da:c4:d:3:cf mac-address=\
    xxx server=defconf
add address=192.168.1.100 client-id=1:1c:98:ec:1e:26:fe mac-address=\
    xxx server=defconf
add address=192.168.1.101 mac-address=xxx server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Server HTTP" dst-address=\
    !192.168.1.1 dst-address-type=local dst-port=80 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.1.100 to-ports=8000
add action=dst-nat chain=dstnat comment="Server HTTPS" dst-address=\
    !192.168.1.1 dst-address-type=local dst-port=443 in-interface-list=all \
    protocol=tcp to-addresses=192.168.1.100 to-ports=4430
add action=dst-nat chain=dstnat comment="Server WireGuard" dst-address=\
    !192.168.1.1 dst-port=51820 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.100 to-ports=51820
/ip service
set www port=8080
set www-ssl port=4430
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=xxx
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
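As an added illustration (not from the original post or from MikroTik), a small Python parser for the RouterOS export format shown above: it joins the backslash-continued lines, splits each add/set command into key=value pairs, and lists the dst-nat rules that are not limited to the WAN interface list. The sample input is the /ip firewall nat section copied verbatim from the post, xxx placeholders and all.

```python
import re

# Constructed sample: the /ip firewall nat section exactly as it appears in the post.
SAMPLE_EXPORT = r'''/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Server HTTP" dst-address=\
    !192.168.1.1 dst-address-type=local dst-port=80 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.1.100 to-ports=8000
add action=dst-nat chain=dstnat comment="Server HTTPS" dst-address=\
    !192.168.1.1 dst-address-type=local dst-port=443 in-interface-list=all \
    protocol=tcp to-addresses=192.168.1.100 to-ports=4430
add action=dst-nat chain=dstnat comment="Server WireGuard" dst-address=\
    !192.168.1.1 dst-port=51820 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.1.100 to-ports=51820
'''

# key=value tokens; a value is either a double-quoted string (may contain spaces) or a bare word
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return a list of (section, verb, {key: value}) for every add/set line in an export."""
    # A trailing backslash continues the command on the next, indented line: glue them back.
    joined = re.sub(r"\\\n\s*", "", text)
    section, rules = None, []
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):          # e.g. "/ip firewall nat" starts a new menu section
            section = line
            continue
        verb, _, rest = line.partition(" ")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        rules.append((section, verb, kv))
    return rules


def unrestricted_dstnat(rules):
    """Comments of dst-nat rules not limited to in-interface-list=WAN.

    A dst-nat rule matched on 'all' (or with no interface list) also rewrites matching
    traffic that arrives from the bridge side, so it is worth reviewing explicitly."""
    return [kv.get("comment", "<no comment>")
            for section, _verb, kv in rules
            if section == "/ip firewall nat"
            and kv.get("action") == "dst-nat"
            and kv.get("in-interface-list") != "WAN"]
```

Running `unrestricted_dstnat(parse_export(SAMPLE_EXPORT))` on the posted section reports the "Server HTTPS" rule, the only one of the three port forwards that uses in-interface-list=all.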
