theflyingdutchman
just joined
Topic Author
Posts: 14
Joined: Thu Jul 14, 2022 11:17 pm

Slow Port Forwarding

Tue Aug 02, 2022 2:03 am

I'm testing out port forwarding to an ESXi host (yes, I know — don't do this in production) in a double-NAT environment: a hEX S behind a Fios router. I inserted a firewall rule to allow port forwarding (thanks @anav) and created a NAT rule to forward port 443 to my ESXi host. It works... but it is extremely slow — about 10 seconds to load the ESXi web page. Here is my config:
# aug/01/2022 18:48:55 by RouterOS 7.3.1
# software id = 88SS-MGZU
#
# model = RB760iGS
# serial number = serial
# NOTE(review): "serial", "macaddr", "addr", "comment" and "something.my.domain" below look like
# values redacted by the poster before publishing, not literal config.
/interface bridge
# Single bridge with VLAN filtering enabled: the bridge itself is a tagged member of every VLAN
# (see /interface bridge vlan), and the L3 VLAN interfaces hang off it.
add admin-mac=macaddr auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=GuestVLAN vlan-id=30
add interface=bridge name=HomeVLAN vlan-id=10
add interface=bridge name=MgmtVLAN vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# MANAGE is a separate list used by the input chain to grant full router access (see firewall filter).
add name=MANAGE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=HomePool ranges=192.168.10.10-192.168.10.254
add name=MgmtPool ranges=192.168.20.10-192.168.20.254
add name=GuestPool ranges=192.168.30.10-192.168.30.254
/ip dhcp-server
add address-pool=HomePool interface=HomeVLAN name=HomeDHCP
add address-pool=GuestPool interface=GuestVLAN name=GuestDHCP
add address-pool=MgmtPool interface=MgmtVLAN name=MgmtDHCP
/port
set 0 name=serial0
/interface bridge port
# All bridge ports accept only VLAN-tagged frames, so every downstream device on ether1-3/sfp1 must
# be VLAN-aware; there is no untagged/pvid access port on the bridge. ether4 is deliberately NOT a
# bridge port: it is a plain routed interface (192.168.99.1/24) used for out-of-band management.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge comment="Make ether1 LAN, not WAN" frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is switched off on every interface.
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,sfp1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether2,ether3,sfp1 vlan-ids=20
add bridge=bridge tagged=bridge,ether1,ether2,ether3,sfp1 vlan-ids=30
/interface list member
# ether5 is the only WAN interface; its address comes from the upstream (Fios) router via DHCP below.
add interface=ether5 list=WAN
# LAN = ether4 plus all three VLANs, including GuestVLAN. Anything keyed on the LAN list
# (DNS input rules, forward-to-WAN, mac-server, mac-winbox) therefore applies to guests as well.
add interface=ether4 list=LAN
add interface=HomeVLAN list=LAN
add interface=MgmtVLAN list=LAN
add interface=GuestVLAN list=LAN
# MANAGE = MgmtVLAN + ether4. Note that the port-forwarded ESXi host (192.168.20.4) lives on MgmtVLAN,
# so the one host reachable from the Internet is also on the network the input chain fully trusts.
add interface=MgmtVLAN list=MANAGE
add interface=ether4 list=MANAGE
/ip address
add address=192.168.10.1/24 interface=HomeVLAN network=192.168.10.0
add address=192.168.20.1/24 interface=MgmtVLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GuestVLAN network=192.168.30.0
add address=192.168.99.1/24 interface=ether4 network=192.168.99.0
/ip dhcp-client
add interface=ether5
/ip dhcp-server lease
add address=192.168.20.2 comment=comment mac-address=addr server=MgmtDHCP
add address=192.168.20.3 comment=comment mac-address=addr server=MgmtDHCP
# Static lease for the ESXi host that /ip firewall nat forwards TCP/443 to.
add address=192.168.20.4 comment=comment mac-address=addr server=MgmtDHCP
add address=192.168.10.5 comment=comment mac-address=addr server=HomeDHCP
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 domain=my.domain gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1 domain=my.domain gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.30.1 domain=my.domain gateway=192.168.30.1 netmask=24
/ip dns
# allow-remote-requests=yes turns the router into a resolver for clients. On its own this would also
# answer queries arriving on the WAN; here that exposure is closed by the input chain, which only
# accepts port 53 from in-interface-list=LAN and drops everything else.
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.20.1 name=something.my.domain
add address=192.168.20.4 name=something.my.domain
add address=192.168.10.5 name=something.my.domain
/ip firewall filter
# --- input chain (traffic to the router itself) ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything from MANAGE (MgmtVLAN, ether4) reaches the router unfiltered. Because 192.168.20.4 is
# forwarded from the Internet, a compromise of that host would have unrestricted access to the router's
# services from here; narrowing this rule (e.g. to the management ports actually used) or moving the
# exposed host off MgmtVLAN would contain that.
add action=accept chain=input comment="Allow all management traffic" in-interface-list=MANAGE
add action=accept chain=input comment="Allow UDP DNS" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow TCP DNS" dst-port=53 in-interface-list=LAN protocol=tcp
# Default-deny for input: Home/Guest VLANs only get ICMP, DNS and reply traffic.
add action=drop chain=input comment="drop all else"
# --- forward chain (traffic through the router) ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Once a connection is fasttracked its remaining packets bypass the rest of the filter chain; only the
# first (new) packet of each connection is evaluated against the rules below this point.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet access on LAN" in-interface-list=LAN out-interface-list=WAN
# Accepts every new connection that was dst-natted, with no in-interface or port match. Today only the
# single TCP/443 rule in /ip firewall nat creates dstnat state, so this is equivalent to allowing that
# forward; any dst-nat rule added later will be permitted here automatically.
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
# Default-deny for forward: inter-VLAN traffic (Home <-> Mgmt <-> Guest) is dropped by this rule.
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Exposes the ESXi management UI (TCP/443 on 192.168.20.4) to anything reaching the WAN interface; there is
# no source restriction. If this must stay, limiting it with src-address / src-address-list to the
# expected clients reduces the exposed surface. The poster acknowledges this is a test setup.
add action=dst-nat chain=dstnat comment="port forward to esxi" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.20.4 to-ports=443
/ip route
# Blackhole the RFC1918 ranges so traffic for unknown private destinations is not sent out the default
# route. Connected routes (/24s above, and the ether5 DHCP address) are more specific and still win.
# NOTE(review): in this double-NAT setup the upstream Fios side is presumably also RFC1918; the
# connected /24 on ether5 covers that, but confirm the WAN address actually assigned.
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=192.168.0.0/16
/ip service
# Only www-ssl is left enabled, restricted to the Mgmt VLAN and the ether4 OOB subnet, TLS 1.2 only.
# Note that 192.168.20.0/24 includes the Internet-exposed ESXi host.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.20.0/24,192.168.99.0/24 disabled=yes
set ssh disabled=yes
set www-ssl address=192.168.20.0/24,192.168.99.0/24 certificate=https-cert disabled=no tls-version=only-1.2
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
# Default RouterOS bogon list; no IPv6 addresses are configured in this export, so these rules are
# dormant until IPv6 is enabled on an interface.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Stock defconf IPv6 filter: input and forward both end in "drop everything not from LAN".
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
# MAC-server and MAC-WinBox are layer-2 services that are not subject to the IP firewall filter and,
# as far as I can tell, are not switched off by "set winbox disabled=yes" above — confirm. They are
# allowed on the whole LAN list, which includes GuestVLAN; restricting them to MANAGE would match the
# intent of the input chain.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Even if my rules are in the wrong order, I can't imagine it would cause my port forwarding speeds to be THAT slow. Any ideas?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Slow Port Forwarding  [SOLVED]

Tue Aug 02, 2022 8:26 am

If you are talking about the management page of the ESXi itself, not of one of the virtual machines running on it, it has always been slow when I tried it, but I admit I never had them directly on the LAN. I would make a command line window as wide as your screen allows and run `/tool sniffer quick ip-address=ip.of.the.test.client` while connecting to the ESXi via the dst-nat rule. This should show you whether the ESXi is slow to respond or the client (browser) is slow to acknowledge received packets, whether the Mikrotik delays/drops the packets, and whether every packet sent by the ESXi has an issue or only some of them. If the root cause is related to networking, it is most likely an MTU issue (the ESXi may be trying to use jumbo frames first). If you don't know the IP of the test client, use 192.168.20.4 in the `/tool sniffer ...` command first; it will show you the client address.
