mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Local connection to nated gameserver very slow / high ping

Mon Mar 24, 2025 10:19 pm

Hi,
First of all, I'm very new to MikroTik and I'm very happy that I got the internet working :D (btw, my English is not perfect, sorry)

My setup is a Fritzbox as modem with a MikroTik router behind it. The connection to the internet is made by the MikroTik router via PPPoE.
All my clients are connected to the MikroTik router and all of them have working internet and DNS (as far as I can see).
One of my clients is a game server running in Docker on Unraid. All of this worked perfectly with my old router (Fritzbox).
My problem is that I get very high pings when I'm connected to the game servers. My friends, who connect from outside my home network, do not have this problem, so I guess it is something stupid in my config (this hairpin stuff is really new to me; I have not needed it before). As a result, I sometimes need to wait around 5 minutes until the game registers that I have made some inputs :D
Also, the port forwarding is a bit different from what I thought. Here is my config (this is a WIP and all tips are welcome):
# 2025-03-24 21:03:08 by RouterOS 7.18.2
# software id = KEEF-Y536
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = #############
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] loop-protect=off
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Germany .mode=ap .ssid=\
    Dingsbums .station-roaming=yes disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=""
set [ find default-name=wifi2 ] configuration.country=Germany .mode=ap .ssid=\
    Dingsbums disabled=no security.authentication-types=wpa2-psk,wpa3-psk \
    .encryption=""
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=ether1 \
    name=telekom use-peer-dns=yes user=\
    ********************
/interface list
add name=WAN
add name=LAN
/interface wifi security
add authentication-types=wpa-psk,wpa2-psk disabled=no encryption=\
    tkip,ccmp,gcmp,ccmp-256,gcmp-256 name=wpa_profiile
/ip pool
add name=dhcp_pool0 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=7h30m name=dhcp1
/ipv6 pool
add name=telekom.ipv6 prefix=::/56 prefix-length=64
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5 
add bridge=bridge1 disabled=yes interface=wifi1
add bridge=bridge1 interface=wifi2
add bridge=bridge1 interface=wifi1
/ip neighbor discovery-settings
# ipv6 *accept router advertisements* configuration has changed, please restart device to apply settings
set discover-interface-list=!dynamic
/ip settings
# ipv6 *accept router advertisements* configuration has changed, please restart device to apply settings
set accept-redirects=yes
/ipv6 settings
# ipv6 *accept router advertisements* configuration has changed, please restart device to apply settings
set accept-router-advertisements=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=telekom list=WAN
/interface ovpn-server server
add mac-address=FE:BA:63:7F:C2:23 name=ovpn-server1
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.2.141 address-lists="192.168.2.153,192.168.2.139,192.168.2\
    .143,192.168.2.154,192.168.2.142,192.168.2.110" comment=Unraid \
    mac-address=B0:41:6F:0E:98:51 server=dhcp1
add address=192.168.2.124 comment=docker-master mac-address=38:F7:CD:C1:DB:2D \
    server=dhcp1
add address=192.168.2.42 comment=gitlabrunner mac-address=52:54:00:5B:1B:68 \
    server=dhcp1
add address=192.168.2.40 comment=Harbor mac-address=52:54:00:79:24:FB server=\
    dhcp1
add address=192.168.2.123 comment=nas mac-address=00:13:3B:2F:25:80 server=\
    dhcp1
add address=192.168.2.100 comment="Netgear Switch" mac-address=\
    B0:39:56:70:33:41 server=dhcp1
add address=192.168.2.51 comment=rpi8-gb mac-address=E4:5F:01:6E:FD:27 \
    server=dhcp1
add address=192.168.2.50 comment="\C2\A0rpi-400-4gb" mac-address=\
    E4:5F:01:27:28:B2 server=dhcp1
add address=192.168.2.43 comment=zaproxy mac-address=52:54:00:93:36:C1 \
    server=dhcp1
add address=192.168.2.35 client-id=1:fa:b5:a:57:29:80 mac-address=\
    FA:B5:0A:57:29:80 server=dhcp1
add address=192.168.2.33 client-id=1:24:58:7c:ab:fb:ec mac-address=\
    24:58:7C:AB:FB:EC server=dhcp1
add address=192.168.2.34 mac-address=AC:15:A2:DD:78:93 server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.43 comment=tower regexp=*.home.lan type=A
/ip firewall address-list
add address=*********** list=WAN-IP
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=input connection-state=new dst-address-list=WAN-IP \
    dst-port=53 protocol=udp
add action=drop chain=input dst-address-list=WAN-IP dst-port=53 protocol=tcp
add action=accept chain=input connection-state=new
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment=steam disabled=yes dst-address-list=\
    WAN-IP dst-port=3478 protocol=udp
add action=accept chain=input connection-state=related disabled=yes
add action=accept chain=input disabled=yes
add action=accept chain=output connection-nat-state=srcnat,dstnat \
    connection-state=established,related,new
add action=accept chain=forward dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=udp
add action=accept chain=input dst-address-list=WAN-IP dst-port=4379-4380 \
    protocol=udp
add action=accept chain=input dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp
add action=accept chain=input dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=udp
add action=accept chain=input dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=tcp
add action=accept chain=input dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=udp
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    established,related,new dst-address-list=WAN-IP log=yes log-prefix=\
    dropforward
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat \
    in-interface-list=WAN log-prefix="forward dstnat"
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="Allow Port forwarding" \
    connection-state=established,related,new,untracked
add action=accept chain=forward comment="Internet Traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=drop chain=input log-prefix="input block"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.2.0/24 src-address=192.168.2.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=80 protocol=tcp to-addresses=192.168.2.43 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=443 protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=25565-25620 protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat connection-limit=100,32 disabled=yes \
    dst-port=25565-25620 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=27000-27050 protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=27000-27050 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=3478 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=4379-4380 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27030 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27030 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=3478 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=4379-4380 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat comment="zaproxy https" dst-address-list=\
    WAN-IP dst-port=443 log-prefix=ssl protocol=tcp to-addresses=192.168.2.43
add action=masquerade chain=srcnat comment=Masquerade out-interface=telekom \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="zaproxy http" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.2.43
add action=dst-nat chain=dstnat dst-port=25000 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.2.141 to-ports=25000
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet address=192.168.2.0/24
set ftp address=192.168.2.0/24
set www address=192.168.2.0/24
set ssh address=192.168.2.0/24
set api address=192.168.2.0/24
set winbox address=192.168.2.0/24
set api-ssl address=192.168.2.0/24
/ip traffic-flow
set enabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=telekom type=external
/ipv6 address
# duplicate address detected
add from-pool=telekom.ipv6-2 interface=bridge1
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=telekom.ipv6-2 request=\
    prefix
/ipv6 dhcp-server
add address-pool=telekom.ipv6-2 interface=bridge1 name=server1 prefix-pool=\
    telekom.ipv6-2
/ipv6 firewall filter
add action=accept chain=input protocol=icmpv6
add action=accept chain=forward dst-port=546 protocol=udp src-address=\
    fe80::/10
/ipv6 nd
set [ find default=yes ] interface=bridge1
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set mode=broadcast
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=192.168.2.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Any idea how I can fix these local issues?
Last edited by mikrotiknewbie222 on Wed Mar 26, 2025 11:13 pm, edited 1 time in total.
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Tue Mar 25, 2025 2:12 am

While waiting for approval here, I did a full backup and then restored the default config, made my changes to fit my network, and added my wifi and IPv6, but it's still the same: very, very high pings on the game server, just from the local connection. Connections from outside work as expected.
Can't believe that a MK router is having this kind of trouble in performance vs a Fritzbox...
But I'm sure it's just a config issue....

Here is my current config after the reset. Firewall rules and co. were in there too this time :D so I left them in and just added my port NAT:
# 2025-03-25 01:06:48 by RouterOS 7.18.2
# software id = KEEF-Y536
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ##########
/interface bridge
add admin-mac=F4:1E:57:2A:33:61 auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=ether1 \
    name=telekom user=***************
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=telekom list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.2.141 client-id=1:b0:41:6f:e:98:51 mac-address=\
    B0:41:6F:0E:98:51 server=defconf
add address=192.168.2.43 client-id=1:52:54:0:93:36:c1 mac-address=\
    52:54:00:93:36:C1 server=defconf
add address=192.168.2.42 client-id=1:52:54:0:5b:1b:68 mac-address=\
    52:54:00:5B:1B:68 server=defconf
add address=192.168.2.40 client-id=1:52:54:0:79:24:fb mac-address=\
    52:54:00:79:24:FB server=defconf
add address=192.168.2.50 client-id=1:e4:5f:1:27:28:b2 mac-address=\
    E4:5F:01:27:28:B2 server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=*************** comment=WAN-IP list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=!telekom src-address=\
    192.168.2.0/24
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.2.43 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat connection-limit=100,32 dst-address-list=\
    WAN-IP dst-port=25565-25620 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=3478 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=4379-4380 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27030 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27030 \
    protocol=udp to-addresses=192.168.2.141
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=telekom type=external
/ipv6 address
add address=::1 from-pool=telekom.ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=telekom.ipv6 request=\
    prefix
/ipv6 dhcp-server
add address-pool=telekom.ipv6 interface=bridge name=server1 prefix-pool=\
    telekom.ipv6
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by mikrotiknewbie222 on Wed Mar 26, 2025 11:13 pm, edited 2 times in total.
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Tue Mar 25, 2025 10:49 pm

Nobody has an idea or a tip on how I can fix or analyse this issue? No tips or suggestions at all about the rules? I'm surprised :D
Or is more information needed here? If so, which information?
 
lurker888
Member Candidate
Posts: 256
Joined: Thu Mar 02, 2023 12:33 am

Re: Local connection to nated gameserver very slow / high ping

Tue Mar 25, 2025 11:10 pm

Well... your setup seems ok based on a cursory reading.

How high do your pings get? Compared to your friends?

Make sure that you are addressing your server via the router's *external* address even from the inside.

You can always enable logging for your hairpin nat rule to check if all the address translations work out correctly.

(This does not really relate to your problem of high pings, but it's generally a good idea to do things like running a private game server over some sort of VPN for security reasons.)
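
What the translations should look like when the hairpin rule's log is checked, as an added example that is not part of any post: a small Python model of a LAN client reaching the forwarded server through the router's WAN address, with and without the srcnat masquerade. It assumes the standard RouterOS chain order (dstnat before routing, srcnat after); 203.0.113.10 and 192.168.2.60 are constructed stand-ins for the masked WAN IP and a LAN client, and the function names are this example's own.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins: the thread masks the real WAN IP, and .60 is an
# arbitrary LAN client. Server and router addresses are the ones in the export.
WAN_IP = ip_address("203.0.113.10")
LAN = ip_network("192.168.2.0/24")
ROUTER_LAN_IP = ip_address("192.168.2.1")
SERVER = ip_address("192.168.2.141")
CLIENT = ip_address("192.168.2.60")


def dstnat(src, dst):
    """dstnat chain: a packet addressed to WAN-IP is redirected to the server."""
    return (src, SERVER) if dst == WAN_IP else (src, dst)


def srcnat(src, dst, hairpin_rule):
    """srcnat chain: runs after dstnat and routing, so dst is already translated."""
    if hairpin_rule and src in LAN and dst in LAN:
        return (ROUTER_LAN_IP, dst)  # masquerade to the bridge address
    return (src, dst)


def hairpin_trace(client, target, hairpin_rule):
    """Follow one request and its reply; report what the client finally sees."""
    orig = (client, target)
    after_dstnat = dstnat(*orig)
    after_srcnat = srcnat(*after_dstnat, hairpin_rule)

    # The server answers whatever source address it saw on the request.
    reply = (after_srcnat[1], after_srcnat[0])

    if reply[1] == ROUTER_LAN_IP:
        # Reply goes back to the router, whose connection tracking reverses
        # both translations before delivering it to the client.
        seen_by_client = (orig[1], orig[0])
    else:
        # Client and server share the bridge, so the reply is switched
        # directly and never passes the router's NAT again.
        seen_by_client = reply

    return {
        "after_dstnat": after_dstnat,
        "after_srcnat": after_srcnat,
        "seen_by_client": seen_by_client,
        # The client only accepts a reply from the address it contacted.
        "client_accepts": seen_by_client == (target, client),
    }


if __name__ == "__main__":
    for enabled in (True, False):
        result = hairpin_trace(CLIENT, WAN_IP, enabled)
        print("hairpin rule enabled:", enabled)
        for key, value in result.items():
            print("  ", key, "=", value)
```

With the rule enabled, a log entry on the srcnat rule should show the client as source and 192.168.2.141 as destination, because the destination has already been rewritten when srcnat runs.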
 
itimo01
Member Candidate
Posts: 238
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 12:00 am

mikrotiknewbie222 wrote: "Can't believe that a MK router is having this kind of trouble in performance vs a fritzbox"
Actually, fritz box devices are terrible modems.

But why do you have the same NAT rule multiple times?
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 12:04 am

Hi lurker,
I got pings between 800 ms and 350000 ms. Disabling fasttrack made it a bit better; I had much higher pings with fasttrack... My friends are in a normal range between 10 and 20 ms, with peaks around 30 ms.

The connection to the server is made through Steam networking, so it's always from outside: I connect to a Steam server and from there it goes to my game server. It is not reachable from within my LAN because there is no connection to Steam directly.

With my old Fritzbox this works like a charm; that's the point I don't get right now.

Hi itimo,
which rules are duplicates?

Oh, I see, yeah, there are duplicates in there, but all with count 0... This was a test I tried without WAN-IP, but that did not help, so I forgot to disable the 4 rules.
disabled rules now.png
 
itimo01
Member Candidate
Posts: 238
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 12:14 am

Your export has this one multiple times:
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp to-addresses=192.168.2.141

If that's not the case, check your export again and post a new config.

Also, on your screenshot your NAT rules have 0 B transferred. You sure they're working?
nvm, I didn't read that far while playing a game ^^

EDIT: also, that "hairpin nat" rule is never gonna work, as you never actually access the server with the 2.141 IP if you're using your WAN address.
You must use your WAN IP as dst-address.

Check this:
viewtopic.php?t=172380
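
A check for the repeated and overlapping dst-nat rules pointed out above, as an added example that is not part of any post: this Python script reads the `/ip firewall nat` section of a RouterOS export and reports enabled rules that an earlier enabled rule already covers, since NAT applies the first matching rule to a new connection. The sample export is constructed in the shape of the configs posted in this thread, and the function names are this example's own.

```python
import re
import shlex

# Constructed sample: a shortened NAT section in the same shape as the exports
# in this thread (WAN-IP address list, 192.168.2.141 as the forwarded host).
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.2.0/24 src-address=192.168.2.0/24
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=3478 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27030 \
    protocol=udp to-addresses=192.168.2.141
/ip upnp
set enabled=yes
'''

# Properties that do not decide whether a packet matches the rule.
NON_MATCHERS = {"comment", "disabled", "log", "log-prefix", "action",
                "to-addresses", "to-ports", "dst-port", "_index"}


def parse_nat_rules(export_text):
    """Return the 'add' rules of /ip firewall nat as dicts, in export order."""
    # Exports wrap long lines with a trailing backslash, sometimes mid-value.
    text = re.sub(r"\\\n\s*", "", export_text)
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if section == "/ip firewall nat" and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            rule = dict(t.split("=", 1) for t in tokens if "=" in t)
            rule["_index"] = len(rules)
            rules.append(rule)
    return rules


def port_ranges(spec):
    """Turn '80', '500,4500' or '27000-27050' into a list of (low, high)."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def covers(outer, inner):
    """True if every range in inner lies inside some range in outer."""
    return all(any(lo <= a and b <= hi for lo, hi in outer) for a, b in inner)


def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}


def find_shadowed(rules):
    """List (kind, earlier_index, later_index) for rules that never match.

    Conservative: rules are compared only when every matcher other than
    dst-port is identical, so a rule narrowed by e.g. connection-limit is
    not treated as covering one without it.
    """
    findings = []
    active = [r for r in rules if r.get("disabled") != "yes"]
    for pos, later in enumerate(active):
        later_ports = port_ranges(later.get("dst-port", "0-65535"))
        for earlier in active[:pos]:
            if matchers(earlier) != matchers(later):
                continue
            earlier_ports = port_ranges(earlier.get("dst-port", "0-65535"))
            if not covers(earlier_ports, later_ports):
                continue
            identical = all(earlier.get(k) == later.get(k) for k in
                            ("action", "to-addresses", "to-ports", "dst-port"))
            kind = "duplicate" if identical else "shadowed"
            findings.append((kind, earlier["_index"], later["_index"]))
            break
    return findings


if __name__ == "__main__":
    for kind, first, second in find_shadowed(parse_nat_rules(SAMPLE_EXPORT)):
        print(f"NAT rule {second} is {kind} by rule {first}")
```

Indices count the `add` lines of the NAT section from 0, disabled rules included, so they line up with the order shown in the export.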
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 12:24 am

Hi,

Here is the current config:
# 2025-03-25 23:17:20 by RouterOS 7.18.2
# software id = KEEF-Y536
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = #############
/interface bridge
add admin-mac=F4:1E:57:2A:33:61 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    1G-baseT-half,1G-baseT-full,2.5G-baseT rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether5 ] advertise=1G-baseT-half,1G-baseT-full
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=ether1 \
    max-mru=1500 max-mtu=1500 name=telekom user=\
    **************
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=telekom list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.2.141 client-id=1:b0:41:6f:e:98:51 mac-address=\
    B0:41:6F:0E:98:51 server=defconf
add address=192.168.2.43 client-id=1:52:54:0:93:36:c1 mac-address=\
    52:54:00:93:36:C1 server=defconf
add address=192.168.2.42 client-id=1:52:54:0:5b:1b:68 mac-address=\
    52:54:00:5B:1B:68 server=defconf
add address=192.168.2.40 client-id=1:52:54:0:79:24:fb mac-address=\
    52:54:00:79:24:FB server=defconf
add address=192.168.2.50 client-id=1:e4:5f:1:27:28:b2 mac-address=\
    E4:5F:01:27:28:B2 server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=************ comment=WAN-IP list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=!telekom src-address=\
    192.168.2.0/24
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
    dst-address=192.168.2.0/24 log=yes log-prefix=hairpin src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.2.43 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat connection-limit=100,32 dst-address-list=\
    WAN-IP dst-port=25565-25620 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=3478 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=4379-4380 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=25565-25620 protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=25565-25620 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=27000-27030 protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=27000-27030 protocol=udp to-addresses=192.168.2.141
/ip service
set telnet address=192.168.2.0/24
set www disabled=yes
set ssh address=192.168.2.0/24
set api address=192.168.2.0/24
set winbox address=192.168.2.0/24
set api-ssl address=192.168.2.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=telekom type=external
/ipv6 address
add address=::1 from-pool=telekom.ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=telekom.ipv6 request=\
    prefix
/ipv6 dhcp-server
add address-pool=telekom.ipv6 interface=bridge name=server1 prefix-pool=\
    telekom.ipv6
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system scheduler
add interval=1d name=backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-03-25 start-time=01:13:44
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="" host=192.168.2.141 http-codes="" test-script=\
    "" type=simple up-script=""
/tool sniffer
set filter-ip-address=192.168.2.141/32
Also on your screenshot your NAT rules have 0B Transferred. You sure they're working?
Yes, they work, because these rules are hit one time only and the other entry works fine
counter.png
EDIT: also that "hairpin nat" rule is never gonna work. As you never actually access the server with the 2.141 IP if you're using your WAN-Address
You must use your wan IP as dst-address.
The hairpin is needed if you want access to a webserver from within the network; it's needed with MikroTik. Without the rule I have no access to my internal websites. Not sure if this is a best practice, but that's the only solution I found to get it working
Last edited by mikrotiknewbie222 on Wed Mar 26, 2025 11:12 pm, edited 1 time in total.
 
itimo01
Member Candidate
Posts: 238
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 12:36 am

The hairpin is needed if you want access to a webserver from within the network; it's needed with MikroTik. Without the rule I have no access to my internal websites. Not sure if this is a best practice, but that's the only solution I found to get it working
The Hairpin rule is still wrong.

Hairpin NAT is for natting the ROUTER IP to a service. Not a whole subnet to each other.

So if ANYTHING from subnet 2.0/24 to subnet 2.0/24

So if client 2.20 tries to access 2.30:25565 it will be natted to 2.141
Not even sure if this works as both are on the same broadcast domain on a bridge

Check the forum post I linked

EDIT:
Do you try to access the server with your WAN IP?

If not: then why the hairpin rule?
Just access the server with its own IP-Address?

If yes: then your hairpin rule is even more wrong :D
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 12:52 am

So if client 2.20 tries to access 2.30:25565 it will be natted to 2.141
OK, got the point about using the same port on different machines in the LAN, so I used the solution from your post because it should work better internally; my internal web services are still working, yeah :D

Here is my current config:
# 2025-03-25 23:46:23 by RouterOS 7.18.2
# software id = KEEF-Y536
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ##############
/interface bridge
add admin-mac=F4:1E:57:2A:33:61 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    1G-baseT-half,1G-baseT-full,2.5G-baseT rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether5 ] advertise=1G-baseT-half,1G-baseT-full
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=ether1 \
    max-mru=1500 max-mtu=1500 name=telekom user=\
    ###################
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=telekom list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.2.141 client-id=1:b0:41:6f:e:98:51 mac-address=\
    B0:41:6F:0E:98:51 server=defconf
add address=192.168.2.43 client-id=1:52:54:0:93:36:c1 mac-address=\
    52:54:00:93:36:C1 server=defconf
add address=192.168.2.42 client-id=1:52:54:0:5b:1b:68 mac-address=\
    52:54:00:5B:1B:68 server=defconf
add address=192.168.2.40 client-id=1:52:54:0:79:24:fb mac-address=\
    52:54:00:79:24:FB server=defconf
add address=192.168.2.50 client-id=1:e4:5f:1:27:28:b2 mac-address=\
    E4:5F:01:27:28:B2 server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=################ comment=WAN-IP list=WAN-IP
add address=192.168.2.0/24 comment="Lan Subnet" list=LAN-subnet
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=!telekom src-address=\
    192.168.2.0/24
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connections for hairpin NAT" dst-address-list=WAN-IP \
    new-connection-mark="Hairpin NAT" src-address-list=LAN-subnet
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
    dst-address=192.168.2.0/24 log=yes log-prefix=hairpin src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.2.43 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat connection-limit=100,32 dst-address-list=\
    WAN-IP dst-port=25565-25620 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=3478 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=4379-4380 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=25565-25620 protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=25565-25620 protocol=udp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=27000-27030 protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN-IP \
    dst-port=27000-27030 protocol=udp to-addresses=192.168.2.141
/ip service
set telnet address=192.168.2.0/24
set www disabled=yes
set ssh address=192.168.2.0/24
set api address=192.168.2.0/24
set winbox address=192.168.2.0/24
set api-ssl address=192.168.2.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=telekom type=external
/ipv6 address
add address=::1 from-pool=telekom.ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=telekom.ipv6 request=\
    prefix
/ipv6 dhcp-server
add address-pool=telekom.ipv6 interface=bridge name=server1 prefix-pool=\
    telekom.ipv6
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system scheduler
add interval=1d name=backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-03-25 start-time=01:13:44
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="" host=192.168.2.141 http-codes="" test-script=\
    "" type=simple up-script=""
/tool sniffer
set filter-ip-address=192.168.2.141/32
Do you try to access the server with your WAN IP?
That's the point: the connection is made via the Steam network and they use the WAN-IP, so my traffic to this server is going from my machine .2.254 via WAN-IP to the Steam network and from there back to WAN-IP:gameport, and is NATed there to my internal .2.141:gameport

If yes: then your hairpin rule is even more wrong :D
As I said, the hairpin is not needed for it; it's just for accessing my internal services from within the LAN itself, where DNS responds with my WAN-IP


EDIT:
Hmm, after changing the hairpin it looks like my port forwardings are not working anymore from outside the LAN
Last edited by mikrotiknewbie222 on Wed Mar 26, 2025 11:12 pm, edited 1 time in total.
 
itimo01
Member Candidate
Posts: 238
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 1:19 am

That's the point: the connection is made via the Steam network and they use the WAN-IP, so my traffic to this server is going from my machine .2.254 via WAN-IP to the Steam network and from there back to WAN-IP:gameport, and is NATed there to my internal .2.141:gameport
hmm kinda forgot the part about Steam Networking.

To explain the high ping:
It's because of a configuration issue.

Steam Networking first tries to connect to the Server-IP:Port.
If that doesn't work, it will use a proxy, which obviously will route traffic to one of Steam's servers and then back to you.

Since your hairpin nat didn't make any sense, it used the proxy just for you.

Hairpin rule looks good now.
Hmm, after changing the hairpin it looks like my port forwardings are not working anymore from outside the LAN
How are you testing this?

It might also be good to clean up that mess of NAT rules.
Also, why do you have a connection-limit enabled on the 25565-25620/udp rule?
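
Added example (not part of the original thread, and not code from either poster): a small Python model of the NAT path discussed above, showing why a LAN client that connects to WAN-IP:gameport only gets a usable reply when the connection-mark masquerade rule is active, while an outside client works either way. The WAN and outside addresses are documentation-range placeholders because the thread masks the real WAN-IP; the client source port, the class and function names, and masquerade keeping the source port are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# LAN addresses come from the exports in this thread. WAN_IP and OUTSIDE are
# constructed placeholders (the thread masks the real WAN address).
WAN_IP = ip_address("203.0.113.10")
OUTSIDE = ip_address("198.51.100.7")
ROUTER_LAN = ip_address("192.168.2.1")
LAN_SUBNET = ip_network("192.168.2.0/24")
GAMESERVER = ip_address("192.168.2.141")
LAN_CLIENT = ip_address("192.168.2.254")

# (protocol, first port, last port, to-address), as in the cleaned-up dstnat rules.
DSTNAT = [
    ("tcp", 80, 80, ip_address("192.168.2.43")),
    ("tcp", 443, 443, ip_address("192.168.2.43")),
    ("tcp", 25565, 25620, GAMESERVER), ("udp", 25565, 25620, GAMESERVER),
    ("tcp", 27000, 27050, GAMESERVER), ("udp", 27000, 27050, GAMESERVER),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: object
    sport: int
    dst: object
    dport: int


class Router:
    """Toy model of mangle mark -> dstnat -> srcnat plus connection tracking."""

    def __init__(self, hairpin_masquerade):
        self.hairpin_masquerade = hairpin_masquerade
        self.conntrack = {}  # reply as it reaches the router -> reply after un-NAT

    def forward(self, pkt):
        # mangle/prerouting: src-address-list=LAN-subnet, dst-address-list=WAN-IP
        marked = pkt.src in LAN_SUBNET and pkt.dst == WAN_IP
        out = pkt
        if pkt.dst == WAN_IP:
            for proto, lo, hi, target in DSTNAT:  # dstnat chain
                if pkt.proto == proto and lo <= pkt.dport <= hi:
                    out = replace(out, dst=target)
                    break
            else:
                return None  # no port forward matches this packet
        if marked and self.hairpin_masquerade:  # srcnat: masquerade marked connections
            out = replace(out, src=ROUTER_LAN)
        expected_reply = Packet(out.proto, out.dst, out.dport, out.src, out.sport)
        restored_reply = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.conntrack[expected_reply] = restored_reply
        return out

    def deliver_reply(self, reply):
        # A reply addressed to another host in the same subnet is bridged at
        # layer 2 and never passes through NAT again.
        if reply.dst in LAN_SUBNET and reply.dst != ROUTER_LAN:
            return reply
        # Anything else reaches the router, which reverses the translation.
        return self.conntrack.get(reply)


def round_trip(client_ip, proto, dport, hairpin_masquerade):
    """Return (packet seen by server, reply seen by client, client accepts it)."""
    router = Router(hairpin_masquerade)
    request = Packet(proto, client_ip, 50000, WAN_IP, dport)
    seen = router.forward(request)
    if seen is None:
        return None, None, False
    reply = Packet(proto, seen.dst, seen.dport, seen.src, seen.sport)
    delivered = router.deliver_reply(reply)
    accepted = (delivered is not None
                and delivered.src == request.dst and delivered.sport == request.dport
                and delivered.dst == request.src and delivered.dport == request.sport)
    return seen, delivered, accepted


if __name__ == "__main__":
    cases = [("LAN client, no hairpin masquerade", LAN_CLIENT, False),
             ("LAN client, hairpin masquerade", LAN_CLIENT, True),
             ("outside client", OUTSIDE, True)]
    for label, client, hairpin in cases:
        seen, delivered, ok = round_trip(client, "udp", 25587, hairpin)
        print(f"{label}: server sees src={seen.src}, "
              f"client sees reply from {delivered.src}, accepted={ok}")
```
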
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 1:35 am

To explain the high ping:
It's because of a configuration issue.

Steam Networking first tries to connect to the Server-IP:Port.
If that doesn't work, it will use a proxy, which obviously will route traffic to one of Steam's servers and then back to you.

Since your hairpin nat didn't make any sense, it used the proxy just for you.
That's the reason why I'm asking the pros here :D I don't see a config issue, but I'm not a MikroTik pro

But yes, that makes sense, because now I have these log entries, and I get this message because the connection via the configured ports is not possible
Game Port: 25587
Steam Port: 25590
Steam Query Port: 25588
Query Port: 25589
Steam Networking initialized.
WARNING: Query port change detected.
       - The dedicated server window will not find this server.
       - Players will be able to join via the server browser.
       - Players won't find this server in the 'Join via IP' and 'Join LAN' windows.
I see the gameserver in-game in the server browser, but the ping is now around 500-800 in my 30 sec test.
How are you testing this?
I used https://portchecker.co/ to check if the ports are open, and they aren't. I also tried some other port checkers, but they all respond closed, and they should be open. The rule has not been hit since the counter reset, so something is really strange and I don't see where.
Also, why do you have a connection-limit enabled on the 25565-25620/udp rule?
I have no idea; I saw the same and thought that was my issue. So I disabled it and tried in-game, but nothing changed... I guess it was a misclick in WinBox that enabled this limit

I cleaned it up now; here is the new config again:
# 2025-03-26 00:34:27 by RouterOS 7.18.2
# software id = KEEF-Y536
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = #################
/interface bridge
add admin-mac=F4:1E:57:2A:33:61 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    1G-baseT-half,1G-baseT-full,2.5G-baseT rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether5 ] advertise=1G-baseT-half,1G-baseT-full
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Germany .mode=ap .ssid=Dingsbums disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=ether1 \
    max-mru=1500 max-mtu=1500 name=telekom user=\
    ###############################
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=telekom list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.2.141 client-id=1:b0:41:6f:e:98:51 mac-address=\
    B0:41:6F:0E:98:51 server=defconf
add address=192.168.2.43 client-id=1:52:54:0:93:36:c1 mac-address=\
    52:54:00:93:36:C1 server=defconf
add address=192.168.2.42 client-id=1:52:54:0:5b:1b:68 mac-address=\
    52:54:00:5B:1B:68 server=defconf
add address=192.168.2.40 client-id=1:52:54:0:79:24:fb mac-address=\
    52:54:00:79:24:FB server=defconf
add address=192.168.2.50 client-id=1:e4:5f:1:27:28:b2 mac-address=\
    E4:5F:01:27:28:B2 server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=############### comment=WAN-IP list=WAN-IP
add address=192.168.2.0/24 comment="Lan Subnet" list=LAN-subnet
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=!telekom src-address=\
    192.168.2.0/24
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connections for hairpin NAT" dst-address-list=WAN-IP \
    new-connection-mark="Hairpin NAT" src-address-list=LAN-subnet
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.2.43 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=25565-25620 \
    protocol=udp to-addresses=192.168.2.141 to-ports=25565-25620
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=tcp to-addresses=192.168.2.141
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=27000-27050 \
    protocol=udp to-addresses=192.168.2.141
/ip service
set telnet address=192.168.2.0/24
set www disabled=yes
set ssh address=192.168.2.0/24
set api address=192.168.2.0/24
set winbox address=192.168.2.0/24
set api-ssl address=192.168.2.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=telekom type=external
/ipv6 address
add address=::1 from-pool=telekom.ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=telekom.ipv6 request=\
    prefix
/ipv6 dhcp-server
add address-pool=telekom.ipv6 interface=bridge name=server1 prefix-pool=\
    telekom.ipv6
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] hop-limit=64 interface=bridge
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system scheduler
add interval=1d name=backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-03-25 start-time=01:13:44
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="" host=192.168.2.141 http-codes="" test-script=\
    "" type=simple up-script=""
/tool sniffer
set filter-ip-address=192.168.2.141/32
Thank you so much for your time! I really appreciate it.
Last edited by mikrotiknewbie222 on Wed Mar 26, 2025 11:12 pm, edited 1 time in total.
 
itimo01
Member Candidate
Posts: 238
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 1:40 am

Are you sure you have a static ipv4?
German Telekom usually only offers those on their business contracts.
Otherwise check that your WAN-IP Address List is the same as your actual Public IPv4. (for example: https://wieistmeineip.de - German Service)

Since you have rebooted the router, your PPPoE connection has restarted, which might mean you get a new IPv4 with a new IPv6 prefix.

If you have a dynamic IP you probably need a script to update the Address List but for testing you can manually update the Address List entry.
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 2:02 am

No, it's a dynamic IP which is updated on every reconnect. It resolves the public DNS name from IP -> Cloud and writes the IP into a list.
The list reflects my current IP.

Port 443 shows open, and if I enter the IP into the browser I land on my default host, so I'm sure that the WAN-IP is the right one.

Hmm, IPv6... just a stupid question: are all the port forwards needed for IPv6 too? Because the IP -> Cloud shows the IPv6 from the router and not from the server itself. Not sure if Steam uses IPv4 or IPv6 to connect to the server.
 
itimo01
Member Candidate
Posts: 238
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 2:17 am

> Not sure if Steam uses IPv4 or IPv6 to connect to the server.
According to some people it's IPv4 only, as some games don't even support IPv6.
https://steamcommunity.com/discussions/ ... 810531813/

For me it also usually just runs on IPv4.

If your game server is Source/GoldSrc engine based, it should show the IP it uses in the startup log.
Keep in mind you will have to restart the server when your IPv4 changes.

This is because the game server advertises itself to the server list.
> Port 443 shows open, and if I enter the IP into the browser I land on my default host, so I'm sure that the WAN-IP is the right one.
Well, that seems like the hairpin NAT is working. Is it the same on, for example, your phone's data?
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 2:38 am

> For me it also usually just runs on IPv4.
Ah great, so IPv6 doesn't matter...

The gameserver is in Docker and is bound to 0.0.0.0 / 192.168.2.141 on the defined ports.
I know that I have to restart every time, but it is not working before a reconnect and not after a PPPoE reconnect.
The server itself is working perfectly fine from outside the LAN (I guess from outside they are using the same Steam proxy as me and their ping is normal). It's also working from inside the LAN, just with a very high ping for me only.

And that all port checkers are showing the port as closed is a bit confusing, because it should be open I guess... I think the Steam API is trying to connect to the provided WAN IP and that's not working because the port is closed, but I see traffic on the rules (just made a new range just for this one Avorion gameserver).
But it's not much traffic... 19 packets in the half hour since I changed it, and there is no traffic if I connect to the hosted server, so it's using a different port and not the ports that are configured, which is very crazy.

EDIT:
> Is it the same on, for example, your phone's data?
If it's in WLAN, yes.
 
itimo01
Member Candidate
Posts: 238
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 3:05 am

> If it's in WLAN, yes.
So on LTE/4G/5G it doesn't work?
> (I guess from outside they are using the same Steam proxy as me and their ping is normal
Probably not. I have only bad experiences with the Steam proxies.
You should see the client IP in the router's connection list.
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 3:11 am

> So on LTE/4G/5G it doesn't work?
What should I test from 5G? Connection to my webserver? That's working, but that's working all the time, and that's also working without the hairpin and before we changed the hairpin config.
The port tester also responds "closed" if I run the test from the phone, but that is expected because they are using the server IP from the port tester, not from my WAN or phone.
> You should see the client IP in the router's connection list.
I'm sure I would, but without knowing which port the server is using it could be any of these connections :D
So I guess if I get the port forwarding stuff working it should be fine again, I guess... if I remember right, the forwarded ports within the Fritzbox show as open in the port testers.
 
itimo01
Member Candidate
Posts: 238
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 3:19 am

I feel like this is going in circles right now.
> What should I test from 5G? Connection to my webserver?
Yes. Then you have a connection from outside.
> because they are using the server IP from the port tester, not from my WAN or phone
?
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 3:27 am

I think we mean the same or something is misunderstood, sorry...

In the meantime I enabled logging on the NAT rules and there is traffic on the configured Steam query port...
But still:
Server connected to Steam successfully
Server is VAC Secure!
Game Server Steam ID: 90263359915329559
Game Port: 25710
Steam Port: 25707
Steam Query Port: 25708
Query Port: 25709
Steam Networking initialized.
WARNING: Query port change detected.
       - The dedicated server window will not find this server.
       - Players will be able to join via the server browser.
       - Players won't find this server in the 'Join via IP' and 'Join LAN' windows.
If you're running multiple servers, you may want to look at binding the server to an ip with the --ip option.
But I can connect, just with a high ping, so yes, I guess there is a loop or something like this from my local client to server connection... Is it possible to disable this damn hairpin stuff and just internally overwrite the DNS answer that is provided to my LAN clients? Just for testing if it's working without this hairpin stuff.
[Attachment: gameudp.png]
Edit: I forgot the picture :D
The traffic is just on this one port, not on other ports like the game port and co... very confusing.
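The startup log in the post above lists a Steam query port, and one way to check whether that UDP port answers from a given vantage point (a LAN client through the hairpin, or a phone on mobile data) is a Steam server query (A2S_INFO). This is an added example, not code from the thread; that this game server answers A2S_INFO on its Steam query port is an assumption, and the sample reply is constructed.

```python
import socket
import struct

A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"

# Constructed sample reply (not captured from the server in this thread).
SAMPLE_REPLY = (b"\xff\xff\xff\xffI\x11" b"Test Server\x00" b"galaxy\x00"
                b"avorion\x00" b"Avorion\x00"
                + struct.pack("<HBB", 0, 3, 10) + b"\x00dl\x00\x01")

def _cstr(buf, pos):
    """Read a NUL-terminated string; return (text, offset after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8", "replace"), end + 1

def parse_reply(pkt):
    """Return ('challenge', token) or ('info', dict) for a single-packet reply."""
    if len(pkt) < 6 or pkt[:4] != b"\xff\xff\xff\xff":
        raise ValueError("not a single-packet A2S reply")
    if pkt[4:5] == b"A":                      # server wants the token echoed
        if len(pkt) < 9:
            raise ValueError("truncated challenge")
        return "challenge", pkt[5:9]
    if pkt[4:5] != b"I":
        raise ValueError("unexpected reply type %r" % pkt[4:5])
    pos, fields = 6, {}                       # byte 5 is the protocol version
    for key in ("name", "map", "folder", "game"):
        fields[key], pos = _cstr(pkt, pos)
    _appid, fields["players"], fields["max_players"] = struct.unpack_from("<HBB", pkt, pos)
    return "info", fields

def query(host, port, timeout=2.0):
    """Ask host:port for A2S_INFO over UDP; None means nothing usable came back."""
    payload = A2S_INFO
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(2):                    # second round carries the challenge
            try:
                sock.sendto(payload, (host, port))
                kind, value = parse_reply(sock.recvfrom(4096)[0])
            except (OSError, ValueError, struct.error):
                return None                   # timeout, ICMP error or junk reply
            if kind == "info":
                return value
            payload = A2S_INFO + value
    return None

if __name__ == "__main__":
    print(parse_reply(SAMPLE_REPLY))
    # query("192.168.2.141", 25708)  # LAN address and Steam query port from the thread
```

Running `query()` once against the internal address and once against the current WAN IP from the same LAN client separates a server that does not answer at all from one that only fails through the hairpin path.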
 
itimo01
Member Candidate
Posts: 238
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 3:41 am

Since I don't know what game server you are running, try keeping the query ports on default for now.
Not every game likes it when they get changed.

Other than that, some games allow a direct connection via IP. Does that work from outside?
 
mikrotiknewbie222
just joined
Topic Author
Posts: 13
Joined: Mon Mar 24, 2025 10:00 pm

Re: Local connection to nated gameserver very slow / high ping

Wed Mar 26, 2025 4:36 am

https://github.com/pelican-eggs/games-s ... in/avorion
This is the gameserver template.

And yes, the game has a connect via IP, but if I enter the WAN-IP:25710 it says not reachable. The same if I use some of the other ports.
But it's the same if I enter the internal IP, though I'm not sure how they test. If they try to reach it from external, then the internal IP would never work.

I rewrote the DNS stuff for webservices and co to try without hairpin (because it's just needed for webservices, I thought), but yeah, without it I don't see the server in the server list.

So I guess it's something around this hairpin stuff that is not working as expected.

Also confusing: I don't see in the firewall any connection to my WAN-IP on the expected ports, but I'm still ingame, so I checked my computer's IP and also nothing on the expected ports.
Total connections to the router show around 110-120, CPU usage is around 1-2 percent, and over 600 MB RAM is free, so I guess it's no hardware limit.

Are the connections that are handled via hairpin not visible in the connection list?

Uh, it seems it's really MK / config related... here is someone with the same issue but also without a solution -.- https://www.reddit.com/r/mikrotik/comme ... f_my_ping/

One stupid question: would it make sense to put my computer on another ethernet port, give this port a second subnet (it doesn't matter what IP my PC has) and also configure this so that I can communicate with the subnet where the server is? It's just an idea, because I read that with a second subnet hairpin is not needed (so in my case it would be needed because there is communication between services in the server subnet), but my PC would not need the hairpin stuff at this point. Or should it work in the same subnet as before with the Fritzbox, and we just haven't found the issue here?


So in the morning I put my PC on a dedicated port; there is only my PC on it, for easier investigation. I torched the port and I saw the right ports there. The only thing I saw is that packets are increasing at the same time that I get really high pings ingame.
[Attachment: packets.png]
I also did the same on the ether port where the server is connected and it looks the same: packets increasing, but I guess this is within a good limit right now.
[Attachment: packet-mtr.png]
I also ran an mtr to Google at the same time, but there's no loss or increase at the time when I get very high pings ingame (I found this one viewtopic.php?t=214760&sid=d1a546e517ec ... ce976f3e51 but I guess this is not my case; just to make sure, I checked my routes, but they seem OK to me
[Attachment: routes.png]
)
But CPU and RAM of the router were absolutely bored and the packet amount is, from my view, not in a critical state... I hosted the same savegame on a server outside my LAN and I have no issues with ping. So at this point I'm very sure it is something around this hairpin, but I'm a newbie in MikroTik, so I'm not sure at all what is going on here or how to fix it. Hopefully you pros here can help me out.

And one more stupid question: is it possible that this is caused by the PPPoE connection? Because of a different MTU size than my LAN? And if I get rid of this PPPoE connection and install an external modem instead (DrayTek, for example), would that 100% resolve my issues?