aaronk6

Certain TCP connections are extremely slow, except while running a packet capture on the router

Tue Mar 14, 2023 7:52 pm

Hi,

I noticed that with my new MikroTik RouterBoard hEX, some websites are extremely slow to load (as in a simple website taking 30 seconds). Screenshot below.

I can reproduce this with curl by requesting a single resource that the site is using:

curl https://gewerbeauskunft.bremen.de/navigaweb/res/themes/System_09.12.06/js/jquery-1.11.3.min.js > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 95957    0 95957    0     0   2019      0 --:--:--  0:00:47 --:--:--  1842

So this 90 KB file took 47 seconds to download from a client in the router’s LAN. I can reproduce it on multiple clients (tried macOS and Ubuntu). When I do the same on the router, it’s as fast as you would expect:

[admin@MikroTik] > /tool/fetch url="https://gewerbeauskunft.bremen.de/navigaweb/res/themes/System_09.12.06/js/jquery-1.11.3.min.js"
      status: finished
  downloaded: 93KiB
       total: 0KiB
    duration: 1s

My ISP requires a PPPoE tunnel to connect, so I suspected an issue with the MTU. However, MSS clamping is enabled and I tried lowering the MTU manually on the clients (even went down to 1450), but the issue still occurs. So it seems to be unrelated to the packet size.

Surprisingly (for me at least), it also works fine while running a packet capture on the router like this:

[admin@MikroTik] /tool/sniffer> set filter-dst-ip-address="141.91.174.108"
[admin@MikroTik] /tool/sniffer> start

The curl command then finishes immediately:

curl https://gewerbeauskunft.bremen.de/navigaweb/res/themes/System_09.12.06/js/jquery-1.11.3.min.js > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 95957    0 95957    0     0   444k      0 --:--:-- --:--:-- --:--:--  457k

I can reproduce this on both RouterOS 7.7 and 7.8. Full config below. Any ideas?

/interface bridge add admin-mac=DC:2C:6E:57:EC:BE auto-mac=no comment=defconf name=bridge
/interface wireguard add listen-port=13232 mtu=1420 name=wg-roadwarrior
/interface wireguard add listen-port=13231 mtu=1420 name=wg-site2site
/interface vlan add interface=ether1 name=vlan7 vlan-id=7
/interface pppoe-client add add-default-route=yes disabled=no interface=vlan7 name=pppoe-out1 user=[removed]
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/ipv6 pool add name=ULA-pool6 prefix=fd13::/64 prefix-length=64
/port set 0 name=serial0
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add interface=pppoe-out1 list=WAN
# removed Wireguard peers
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip address add address=192.168.86.1/24 interface=wg-roadwarrior network=192.168.86.0
/ip address add address=192.168.85.2/30 interface=wg-site2site network=192.168.85.0
/ip dhcp-client add comment=defconf interface=ether1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 domain=example.com gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input dst-port=22 protocol=tcp src-address=0.0.0.0/0
/ip firewall filter add action=accept chain=input comment="Allow Wireguard Site-to-Site" dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow Wireguard for Road Warrior" dst-port=13232 protocol=udp src-address=0.0.0.0/0
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route add disabled=no distance=1 dst-address=10.0.2.0/24 gateway=wg-site2site pref-src="" routing-table=main suppress-hw-offload=no
/ip route add disabled=no dst-address=10.0.90.0/24 gateway=wg-site2site routing-table=main suppress-hw-offload=no
/ip ssh set forwarding-enabled=both
/ipv6 address add from-pool=telekom-ipv6 interface=bridge
/ipv6 address add address=fd13::1 comment="IPv6 ULA address" interface=bridge
/ipv6 dhcp-client add add-default-route=yes interface=pppoe-out1 pool-name=telekom-ipv6 prefix-hint=::/56 request=prefix
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd set [ find default=yes ] dns=fd13::1 hop-limit=64 mtu=1492
/system clock set time-zone-name=Europe/Berlin
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

Thanks!

Note that I also posted this at https://serverfault.com/questions/11263 ... -packet-ca since my post here wasn’t approved (yet). I’ll make sure to mark this as resolved once I get a reply there—or vice-versa.
aaronk6

Re: Certain TCP connections are extremely slow, except while running a packet capture on the router

Sat Mar 18, 2023 11:47 am

Using ChatGPT’s help (with the new GPT-4 model), I found out this is caused by Fasttrack. Disabling Fasttrack actually fixes the issue reliably. So it makes sense that doing a packet capture fixes it too, as it presumably also deactivates Fasttrack.

I don’t notice any slowdown without Fasttrack on my 290 mbit/s link, so leaving it disabled solves the issue for me.
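As an added example (these are not the poster's own commands), the RouterOS steps to disable the fasttrack rule without deleting it and to verify that no forwarded connection is still on the fast path before re-running the curl test. It assumes the rule comment "defconf: fasttrack" from the export above; the `fasttrack` property name in the connection-tracking filter is an assumption based on the F flag shown by `/ip firewall connection print`.

```routeros
# Added example, not from the original post.
# Disable (rather than remove) the defconf fasttrack rule so the
# before/after comparison can be repeated by enabling it again.
/ip firewall filter disable [find comment="defconf: fasttrack"]

# Confirm the rule is now flagged X (disabled) and that its packet
# counter stops increasing while the client repeats the curl download.
/ip firewall filter print stats where chain=forward

# Connections that were already fasttracked keep that state until they
# time out; list any that are still marked F. Start a fresh connection
# from the client (new curl run) rather than reusing a tracked one.
# Property name 'fasttrack' is an assumption; the F flag in the plain
# 'print' output is the documented indicator.
/ip firewall connection print where fasttrack=yes

# To restore the fast path for comparison:
/ip firewall filter enable [find comment="defconf: fasttrack"]
```

The slow download in the first post should not reappear while the rule is disabled, which isolates the fasttrack rule (not the PPPoE MTU) as the variable.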
