Community discussions

MikroTik App
 
Rohllik28
just joined
Topic Author
Posts: 5
Joined: Mon Mar 06, 2023 3:10 pm

Strange network behavior

Wed Mar 22, 2023 11:54 pm

My network looks something like this: 2 IPS, 1 main (xDSL), 1 failover (fiber - I know it's a bit strange to have fiber as a backup, but there are reasons) - both go through modems supplied by providers. Behind them is a Mikrotik RB4011iGS+ serving as the main router, with all the firewall rules, routes, failovers, mangle rules and so on. Behind it is CRS CAS125-24G-1S-RM serving as a switch and then patchpanels. Now to the problem...describing it is a bit of a nut to crack. Fiber goes to the MT connected via port 2 and works in every situation without any problems. xDSL is connected via port 1 and the situation with it is as follows:
Most of the time the network is available in the sense that you can go to websites without problems, the response and download is fast. But when I try to ping e.g. google it crashes into timeout, so does the ping to it's GW (= router from the provider) which is in front of MT and some people complain that it is impossible to make calls, it is practically impossible to connect to the office via VPN at all and bonus syptom that no speedtest can be run and I think that even the location determination does not work. But you can still go to those sites that can't be pinged without a problem.
I tried a couple of days pinging via PingInfoView (pinging tool) all hops on google and the result is that some days the network is stable with minimal timeouts (e.g. 0.1%) and other days it crashes like 50% into timeout on all hops except the main MT see screen.
Image
Another thing is that when I put my PC directly behind the xDSL router and ping from it everything works without problems. So it seems that the problems occur somewhere between MT and xDSL router.
Before DSL we were using coax, there were similar problems with that but to a greater extent and the internet on it was dropping out completely.
I monitor CPU and memory usage on MT and everything is ok there.
I don't see anything strange in the FW in the connections at the moment of the "ongoing outage".
As a test I turned off all FW rules during the outage and no change.
I am bidding the export settings below.
Any ideas on how to proceed?

Config:
# mar/22/2023 13:04:34 by RouterOS 6.49.6
# software id = 0JHI-G70I
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add add-dhcp-option82=yes comment="==RootBridge==" dhcp-snooping=yes name=\
    RootBridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no comment=\
    "==WAN UPC Coax==" name=ether1_WAN_Coax
set [ find default-name=ether2 ] comment="==WAN UPC Fiber==" name=\
    ether2_WAN_Fiber
set [ find default-name=ether3 ] comment="==CRS 326 ==" \
    name=ether3_LAN_326
set [ find default-name=ether4 ] comment="==CRS 125 ==" name=\
    ether4_LAN_125
set [ find default-name=ether5 ] comment="==TPLINK ==" name=\
    ether5_LAN_TPL
set [ find default-name=ether6 ] comment="==Service Port for Admin==" name=\
    ether6_Service
set [ find default-name=ether7 ] name=ether7_backup_router
set [ find default-name=ether8 ] comment="==TP-LINK 48G==" name=ether8_TPL48G
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] name=ether10_TRUNK
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=RootBridge name=vlan1 vlan-id=112
add interface=ether10_TRUNK name=vlan10_devit vlan-id=10
add interface=RootBridge name=vlan20_supsal vlan-id=20
add interface=RootBridge name=vlan2000 vlan-id=2000
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add name=profile_1
/ip pool
add name=private_pool ranges=192.168.15.100-192.168.15.199
add name=public_pool ranges=172.20.26.100-172.20.26.254
add name=openvpn_pool ranges=10.20.0.10-10.20.0.100
add name=vlan10_pool_devit ranges=192.168.16.100-192.168.16.199
add name=vlan20_pool_supsal ranges=192.168.17.100-192.168.17.199
add name=dhcp_pool7 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool8 ranges=10.10.20.2-10.10.20.254
/ip dhcp-server
add add-arp=yes address-pool=private_pool authoritative=after-2sec-delay \
    disabled=no interface=RootBridge name=private_newtork
add address-pool=public_pool authoritative=after-2sec-delay disabled=no \
    interface=vlan2000 name=guest_network
add address-pool=vlan10_pool_devit disabled=no interface=vlan10_devit name=\
    vlan10_dhcp_devit
add address-pool=vlan20_pool_supsal disabled=no interface=vlan20_supsal name=\
    vlan20_dhcp_supsal
/ppp profile
add bridge=RootBridge dns-server=192.168.15.1,8.8.8.8 local-address=\
    192.168.15.1 name=L2TP remote-address=private_pool use-encryption=\
    required
add bridge=RootBridge name=L2TP-o2 use-encryption=required
add local-address=10.20.0.1 name=openvpn-profile use-compression=yes \
    use-encryption=yes
add bridge=RootBridge dns-server=192.168.15.1 interface-list=all \
    local-address=192.168.15.1 name=L2TP-withDNS remote-address=private_pool \
    use-encryption=required
set *FFFFFFFE bridge=RootBridge local-address=192.168.15.1 remote-address=\
    private_pool use-encryption=required
/snmp community
set [ find default=yes ] read-access=no
add addresses=XX.XXX.XXX.XXX/32 name=zabbix
/system logging action
add email-start-tls=yes email-to=trash@XXXX.com name=email target=\
    email
/interface bridge port
add bridge=RootBridge interface=ether3_LAN_326 trusted=yes
add bridge=RootBridge interface=ether4_LAN_125 trusted=yes
add bridge=RootBridge interface=ether5_LAN_TPL
add bridge=RootBridge interface=ether6_Service
add bridge=RootBridge disabled=yes interface=vlan2000 pvid=2000
add bridge=RootBridge interface=ether8_TPL48G trusted=yes
add bridge=RootBridge disabled=yes interface=vlan10_devit pvid=10
add bridge=RootBridge interface=vlan20_supsal pvid=20
add bridge=RootBridge interface=ether7_backup_router
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes \
    keepalive-timeout=disabled use-ipsec=yes
/interface ovpn-server server
set auth=sha1 certificate=XX_OPENVPN_SERVER cipher=aes256 default-profile=\
    openvpn-profile require-client-certificate=yes
/interface pptp-server server
set authentication=mschap2 enabled=yes
/ip address
add address=192.168.15.1/24 comment="==LAN Network Kancl==" interface=\
    RootBridge network=192.168.15.0
add address=172.20.26.1/24 comment="==VLAN 2000 pro public wifi==" interface=\
    vlan2000 network=172.20.26.0
add address=x.x.x.x/xx comment="==WAN UPC Fiber==" interface=\
    ether2_WAN_Fiber network=x.x.x.x
add address=x.x.x.x/xx comment="==Guest VLAN 2000 UPC Fiber==" \
    interface=ether2_WAN_Fiber network=x.x.x.x
add address=x.x.x.x/xx comment="==OpenVPN UPC Fiber==" interface=\
    ether2_WAN_Fiber network=x.x.x.x
add address=192.168.16.1/24 interface=vlan10_devit network=192.168.16.0
add address=192.168.17.1/24 interface=vlan20_supsal network=192.168.17.0
/ip dhcp-client
add disabled=no interface=ether1_WAN_Coax
add address=192.168.15.245 client-id=1:44:dxxxxxxxxxxx comment=\
/ip dhcp-server network
add address=172.20.26.0/24 dns-server=172.20.26.1 gateway=172.20.26.1
add address=192.168.1.0/24 dns-server=192.168.16.1 gateway=192.168.16.1
add address=192.168.15.0/24 dns-server=192.168.15.1 gateway=192.168.15.1 \
    netmask=24 ntp-server=192.168.15.1
add address=192.168.16.0/24 dns-server=192.168.16.1 gateway=192.168.16.1
add address=192.168.17.0/24 dns-server=192.168.17.1 gateway=192.168.17.1


/ip firewall filter
add action=accept chain=forward comment="Allow established a related" \
    connection-state=established,related in-interface=ether1_WAN_Coax
add action=accept chain=forward comment="Allow established a related" \
    connection-state=established,related in-interface=ether2_WAN_Fiber
add action=accept chain=input comment="Allow established a related" \
    connection-state=established,related in-interface=ether1_WAN_Coax
add action=accept chain=input comment="Allow established a related" \
    connection-state=established,related in-interface=ether2_WAN_Fiber
add action=drop chain=input comment="Drop invalid - coax" connection-state=\
    invalid in-interface=ether1_WAN_Coax
add action=drop chain=input comment="Drop invalid - fiber" connection-state=\
    invalid in-interface=ether2_WAN_Fiber
add action=drop chain=input comment="Drop blacklist" in-interface=\
    ether1_WAN_Coax src-address-list=blacklist
add action=drop chain=input comment="Drop blacklist" in-interface=\
    ether2_WAN_Fiber src-address-list=blacklist
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=\
    ether1_WAN_Coax protocol=tcp
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=\
    ether1_WAN_Coax protocol=udp
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=\
    ether2_WAN_Fiber protocol=tcp
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=\
    ether2_WAN_Fiber protocol=udp
add action=drop chain=forward comment="==Block Sites on backup connection==" \
    disabled=yes dst-address-list=blocked-sites out-interface=\
    ether2_WAN_Fiber src-address-list=!blocked-sites-allowed
add action=accept chain=input comment="Allow ping" in-interface=\
    ether1_WAN_Coax limit=10/1m,5:packet protocol=icmp
add action=accept chain=input comment="Allow ping" in-interface=\
    ether2_WAN_Fiber limit=10/1m,5:packet protocol=icmp
add action=accept chain=input comment="allow open-vpn" dst-port=1194 \
    in-interface=ether1_WAN_Coax protocol=tcp
add action=accept chain=input comment="allow open-vpn" dst-port=1194 \
    in-interface=ether1_WAN_Coax protocol=udp
add action=accept chain=input comment="allow open-vpn" dst-port=1194 \
    in-interface=ether2_WAN_Fiber protocol=tcp
add action=accept chain=input comment="allow open-vpn" dst-port=1194 \
    in-interface=ether2_WAN_Fiber protocol=udp
add action=accept chain=input comment="admin trusted" in-interface=\
    ether1_WAN_Coax src-address-list=admin-trusted
add action=accept chain=input comment="admin trusted" in-interface=\
    ether2_WAN_Fiber src-address-list=admin-trusted
add action=accept chain=input comment="Access from trusted IP's" \
    in-interface=ether1_WAN_Coax src-address-list=trusted
add action=accept chain=input comment="Access from trusted IP's" \
    in-interface=ether2_WAN_Fiber src-address-list=trusted
add action=accept chain=input comment=L2TP dst-port=1701 in-interface=\
    ether1_WAN_Coax protocol=udp
add action=accept chain=input comment=L2TP dst-port=1701 in-interface=\
    ether2_WAN_Fiber protocol=udp
add action=accept chain=input comment=L2TP dst-port=500 in-interface=\
    ether1_WAN_Coax protocol=udp
add action=accept chain=input comment=L2TP dst-port=500 in-interface=\
    ether2_WAN_Fiber protocol=udp
add action=accept chain=input comment=L2TP dst-port=4500 in-interface=\
    ether1_WAN_Coax protocol=udp
add action=accept chain=input comment=L2TP dst-port=4500 in-interface=\
    ether2_WAN_Fiber protocol=udp
add action=accept chain=input comment=L2TP in-interface=ether1_WAN_Coax \
    protocol=ipsec-ah
add action=accept chain=input comment=L2TP in-interface=ether2_WAN_Fiber \
    protocol=ipsec-ah
add action=accept chain=input comment=L2TP in-interface=ether1_WAN_Coax \
    protocol=ipsec-esp
add action=accept chain=input comment=L2TP in-interface=ether2_WAN_Fiber \
    protocol=ipsec-esp
add action=accept chain=input comment=PPTP dst-port=1723 in-interface=\
    ether1_WAN_Coax protocol=tcp
add action=accept chain=input comment=PPTP dst-port=1723 in-interface=\
    ether2_WAN_Fiber protocol=tcp
add action=accept chain=input comment="SNMP from Zabbix" dst-port=161 \
    in-interface=ether1_WAN_Coax protocol=udp src-address=XX.XXX.XXX.XXX
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d chain=input comment="log 22 ssh - 1d blacklist" \
    dst-port=22 in-interface=ether1_WAN_Coax protocol=tcp
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d chain=input comment="log 22 ssh - 1d blacklist" \
    dst-port=22 in-interface=ether2_WAN_Fiber protocol=tcp
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d chain=input comment="log 445 smb - 1d blacklist" \
    dst-port=445 in-interface=ether1_WAN_Coax protocol=tcp
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d chain=input comment="log 445 smb - 1d blacklist" \
    dst-port=445 in-interface=ether2_WAN_Fiber protocol=tcp
add action=drop chain=input comment=\
    "Block all access to the winbox - except to trusted list" dst-port=8291 \
    in-interface=ether1_WAN_Coax protocol=tcp src-address-list=!trusted
add action=drop chain=input comment=\
    "Block all access to the winbox - except to trusted list" dst-port=8291 \
    in-interface=ether2_WAN_Fiber protocol=tcp src-address-list=!trusted
add action=drop chain=input comment="Drop anything else!" in-interface=\
    ether1_WAN_Coax
add action=drop chain=input comment="Drop anything else!" in-interface=\
    ether2_WAN_Fiber
add action=accept chain=forward comment="Allow open-vpn users to LAN" \
    dst-address=192.168.15.0/24 src-address=10.20.0.0/24
add action=drop chain=forward comment="Isolate networks" dst-address=\
    192.168.15.0/24 log=yes src-address=172.20.26.0/24
add action=drop chain=forward comment="Deny Guest to housing services" \
    dst-address=xx.xxx.xxx.xxx/28 dst-port=!80,443 log=yes protocol=tcp \
    src-address=172.20.26.0/24
add action=drop chain=forward comment="Deny Guest to housing services" \
    dst-address=xx.xxx.xxx.xxx/27 dst-port=!80,443 log=yes protocol=tcp \
    src-address=172.20.26.0/24
add action=accept chain=forward comment="Access PublicWiFi to internet" \
    out-interface=ether1_WAN_Coax src-address=172.20.26.0/24
add action=accept chain=forward comment="Access PublicWiFi to internet" \
    out-interface=ether2_WAN_Fiber src-address=172.20.26.0/24
add action=drop chain=forward comment="Drop UPS kancelar a cloud" \
    src-address=192.168.15.199
add action=drop chain=forward comment=\
    in-interface=ether1_WAN_Coax
add action=accept chain=forward comment=DevIT-VLAN-Isolation out-interface=\
    ether1_WAN_Coax src-address=192.168.16.0/24
add action=drop chain=forward comment=DevIT-VLAN-Isolation src-address=\
    192.168.16.0/24
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1_WAN_Coax \
    new-connection-mark=wan_coax_connection passthrough=yes
add action=mark-connection chain=input in-interface=ether2_WAN_Fiber \
    new-connection-mark=wan_fiber_connection passthrough=yes
add action=mark-routing chain=output connection-mark=wan_coax_connection \
    new-routing-mark=to_wan_coax passthrough=no
add action=mark-routing chain=output connection-mark=wan_fiber_connection \
    new-routing-mark=to_wan_fiber passthrough=no
add action=mark-connection chain=forward in-interface=ether1_WAN_Coax \
    new-connection-mark=wan_coax_connection_forward passthrough=no
add action=mark-connection chain=forward in-interface=ether2_WAN_Fiber \
    new-connection-mark=wan_fiber_connection_forward passthrough=no
add action=mark-routing chain=prerouting connection-mark=\
    wan_coax_connection_forward in-interface=RootBridge new-routing-mark=\
    to_wan_coax passthrough=yes
add action=mark-routing chain=prerouting connection-mark=\
    wan_fiber_connection_forward in-interface=RootBridge new-routing-mark=\
    to_wan_fiber passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="==Loopback NAT==" dst-address=\
    192.168.15.0/24 src-address=192.168.15.0/24
add action=masquerade chain=srcnat comment=\
    "==NAT - maskarada UPC Fiber VLANa==" out-interface=ether2_WAN_Fiber \
    src-address=192.168.16.0/24
add action=src-nat chain=srcnat comment="==Reverse DNS Vyvoj Coax==" \
    disabled=yes out-interface=ether1_WAN_Coax src-address=192.168.15.13 \
    to-addresses=x.x.x.134
add action=src-nat chain=srcnat comment="==Reverse DNS Vyvoj Optika==" \
    out-interface=ether2_WAN_Fiber src-address=192.168.15.13 to-addresses=\
    x.x.x.x
add action=src-nat chain=srcnat comment="==Reverse DNS OpenVPN Fiber==" \
    out-interface=ether2_WAN_Fiber src-address=192.168.15.205 to-addresses=\
    x.x.x.x
add action=src-nat chain=srcnat comment=\
    "==Reverse DNS XXXXXXX x.x.x.x==" disabled=yes out-interface=\
    ether2_WAN_Fiber src-address=192.168.15.230 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment=\
    "==Reverse DNS DEV test merchant PL x.x.x.x==" out-interface=\
    ether2_WAN_Fiber src-address=192.168.15.81 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment=\
    "==Reverse DNS Guest network x.x.x.x==" out-interface=\
    ether2_WAN_Fiber src-address=172.20.26.0/24 to-addresses=x.x.x.x
add action=masquerade chain=srcnat comment="==NAT - maskarada UPC Coax==" \
    out-interface=ether1_WAN_Coax src-address=192.168.15.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada UPC Coax==" \
    out-interface=ether1_WAN_Coax src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada UPC Coax==" \
    out-interface=ether1_WAN_Coax src-address=192.168.17.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada UPC Fiber==" \
    out-interface=ether2_WAN_Fiber src-address=192.168.15.0/24
add action=masquerade chain=srcnat comment=\
    "==NAT - maskarada UPC Fiber Guest==" out-interface=ether2_WAN_Fiber \
    src-address=172.20.26.0/24
add action=masquerade chain=srcnat comment=\
    "==NAT - maskarada UPC Coax Guest==" out-interface=ether1_WAN_Coax \
    src-address=172.20.26.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada z OpenVPN==" \
    out-interface=ether1_WAN_Coax src-address=10.20.0.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada z OpenVPN==" \
    out-interface=ether2_WAN_Fiber src-address=10.20.0.0/24
add action=dst-nat chain=dstnat comment="OpenVPN Server WAN fiber" \
    dst-address=x.x.x.x dst-port=1194 in-interface=ether2_WAN_Fiber \
    protocol=udp to-addresses=192.168.15.205 to-ports=1194
add action=dst-nat chain=dstnat comment="OpenVPN Server WAN fiber" \
    dst-address=x.x.x.x dst-port=1194 in-interface=ether2_WAN_Fiber \
    protocol=tcp to-addresses=192.168.15.205 to-ports=1194
add action=dst-nat chain=dstnat comment="OpenVPN Server WAN fiber" \
    dst-address=78.x.x.x.x dst-port=443 in-interface=ether2_WAN_Fiber \
    protocol=tcp to-addresses=192.168.15.205 to-ports=443
add action=dst-nat chain=dstnat comment="OpenVPN Server Admin WAN fiber" \
    dst-address=78.x.x.x.x dst-port=943 in-interface=ether2_WAN_Fiber \
    protocol=tcp to-addresses=192.168.15.205 to-ports=943
add action=dst-nat chain=dstnat comment="HTTP dev.XXXX.cz from WAN coax" \
    dst-address=x.x.x.x dst-port=80 in-interface=ether1_WAN_Coax \
    protocol=tcp to-addresses=192.168.15.13 to-ports=80
add action=dst-nat chain=dstnat comment="HTTP dev.XXXX.cz from LAN" \
    dst-address= dst-port=80 protocol=tcp to-x.x.x.xaddresses=\
    192.168.15.13 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "HTTPS dev.XXXX.cz from WAN coax" dst-address=x.x.x.x \
    dst-port=443 in-interface=ether1_WAN_Coax protocol=tcp to-addresses=\
    192.168.15.13 to-ports=443
add action=dst-nat chain=dstnat comment="HTTPS dev.XXXX.cz from LAN" \
    dst-address=x.x.x.134 dst-port=443 protocol=tcp to-addresses=\
    192.168.15.13 to-ports=443
add action=dst-nat chain=dstnat comment="HTTPS Centurion Share from WAN coax" \
    disabled=yes dst-address=x.x.x.134 dst-port=443 in-interface=\
    ether1_WAN_Coax protocol=tcp to-addresses=192.168.15.200 to-ports=5001
add action=dst-nat chain=dstnat comment="HTTPS Centurion Share from LAN" \
    disabled=yes dst-address=x.x.x.134 dst-port=443 protocol=tcp \
    to-addresses=192.168.15.200 to-ports=5001
add action=dst-nat chain=dstnat comment=\
    "HTTPS Centurion Share from WAN fiber" dst-address=x.x.x.210 \
    dst-port=443 in-interface=ether2_WAN_Fiber protocol=tcp to-addresses=\
    192.168.15.200 to-ports=5001
add action=dst-nat chain=dstnat comment="HTTPS Centurion Share from LAN" \
    dst-address=x.x.x.x dst-port=443 protocol=tcp to-addresses=\
    192.168.15.200 to-ports=5001
add action=dst-nat chain=dstnat comment="HTTPS XXXXXXX from WAN fiber" \
    disabled=yes dst-address=x.x.x.x dst-port=443 protocol=tcp \
    to-addresses=192.168.15.210 to-ports=443
add action=dst-nat chain=dstnat comment="HTTP Vyvoj Coax" disabled=yes \
    dst-address=x.x.x.x dst-port=80 in-interface=ether1_WAN_Coax \
    protocol=tcp src-address-list=trusted to-addresses=192.168.15.13 \
    to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS XXXXXXX from WAN fiber" \
    disabled=yes dst-address=x.x.x.213 dst-port=80 in-interface=\
    ether2_WAN_Fiber protocol=tcp to-addresses=192.168.15.210 to-ports=80
add action=dst-nat chain=dstnat comment="HTTP Vyvoj Fiber" disabled=yes \
    dst-address=x.x.x.210 dst-port=80 in-interface=ether2_WAN_Fiber \
    protocol=tcp src-address-list=trusted to-addresses=192.168.15.13 \
    to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS 8443 to vyvoj02 " \
    disabled=yes dst-address=x.x.x.134 dst-port=8445 in-interface=\
    ether1_WAN_Coax protocol=tcp to-addresses=192.168.15.7 to-ports=443
add action=dst-nat chain=dstnat comment="HTTPS Centurion" disabled=yes \
    dst-address=x.x.x.211 dst-port=80,443 in-interface=ether2_WAN_Fiber \
    protocol=tcp to-addresses=192.168.15.200 to-ports=5000
add action=dst-nat chain=dstnat comment=\
    "RDP na vyvoj z trusted address listu" dst-port=3389 in-interface=\
    ether1_WAN_Coax protocol=tcp src-address-list=trusted to-addresses=\
    192.168.15.13 to-ports=3389
add action=dst-nat chain=dstnat comment=\
    "RDP na vyvoj z trusted address listu" dst-port=3389 in-interface=\
    ether2_WAN_Fiber protocol=tcp src-address-list=trusted to-addresses=\
    192.168.15.13 to-ports=3389
add action=dst-nat chain=dstnat comment="Zabbix HV - " dst-port=10053 \
    in-interface=ether1_WAN_Coax protocol=tcp src-address=XX.XXX.XXX.XXX \
    to-addresses=192.168.15.15 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix VM-XXDB01" dst-port=\
    10052 in-interface=ether1_WAN_Coax protocol=tcp src-address=\
    XX.XXX.XXX.XXX to-addresses=192.168.15.14 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix VXXxx" dst-port=10050 \
    in-interface=ether1_WAN_Coax protocol=tcp src-address=XX.XXX.XXX.XXX \
    to-addresses=192.168.15.15 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix Centurion" dst-port=10051 \
    in-interface=ether1_WAN_Coax protocol=udp src-address=XX.XXX.XXX.XXX \
    to-addresses=192.168.15.200 to-ports=161
add action=dst-nat chain=dstnat comment="Zabbix Centurion" dst-port=10051 \
    in-interface=ether2_WAN_Fiber protocol=udp src-address=XX.XXX.XXX.XXX \
    to-addresses=192.168.15.200 to-ports=161
add action=src-nat chain=srcnat out-interface=ether2_WAN_Fiber src-address=\
    192.168.15.167 to-addresses=10.0.10.122
/ip route
add check-gateway=ping comment="==Gateway UPC Coax==" distance=1 gateway=\
    x.x.x.129 routing-mark=to_wan_coax
add check-gateway=ping comment="==Gateway UPC Fiber==" distance=1 gateway=\
    x.x.x.209 routing-mark=to_wan_fiber
add check-gateway=ping comment="==Gateway UPC Fiber==" distance=2 gateway=\
    x.x.x.209
/ip route rule
add action=drop comment="==deny guest to housing 1==" disabled=yes \
    dst-address=xx.xxx.xxx.xxx/28 src-address=172.20.26.0/24
add action=drop comment="==deny guest to housing 2==" disabled=yes \
    dst-address=xx.xxx.xxx.xxx/27 src-address=172.20.26.0/24
add comment="==Guest network output only by fiber==" disabled=yes \
    src-address=172.20.26.0/24 table=to_wan_fiber
add comment="==XXXXXXX network output only by fiber==" src-address=\
    172.10.10.0/24 table=to_wan_fiber
add comment="==XXx output to housing1 by fiber==" dst-address=\
    xx.xxx.xxx.xxx/28 src-address=192.168.15.50/32 table=to_wan_fiber
add comment="==XXx output to housing2 by fiber==" dst-address=\
    xx.xxx.xxx.xxx/27 src-address=192.168.15.50/32 table=to_wan_fiber
add comment="== output to housing1 by fiber==" dst-address=\
    xx.xxx.xxx.xxx/28 src-address=192.168.15.62/32 table=to_wan_fiber
add comment="== output to housing2 by fiber==" dst-address=xx.xxx.xxx.xxx/27 \
    src-address=192.168.15.62/32 table=to_wan_fiber
add comment="== output to housing1 by fiber==" disabled=yes dst-address=\
    xx.xxx.xxx.xxx/28 src-address=192.168.15.120/32 table=to_wan_fiber
add comment="== ntb output to housing2 by fiber==" disabled=yes \
    dst-address=xx.xxx.xxx.xxx/27 src-address=192.168.15.121/32 table=\
    to_wan_fiber
add comment="== ntb output to housing1 by fiber==" disabled=yes \
    dst-address=xx.xxx.xxx.xxx/28 src-address=192.168.15.121/32 table=\
    to_wan_fiber
add comment="== output to housing2 by fiber==" disabled=yes dst-address=\
    xx.xxx.xxx.xxx/27 src-address=192.168.15.120/32 table=to_wan_fiber
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/queue simple
add disabled=yes max-limit=10M/30M name=free_wifi target=*D
    trap-generators=""
/system leds
set 0 interface=RootBridge
/system logging
set 0 topics=info,!ovpn
set 1 topics=error,!ovpn
set 2 topics=warning,!ovpn
set 3 topics=critical,!ovpn
add action=email topics=critical
add action=email topics=ipsec,error
add action=disk topics=warning,error,critical
                                                   "
/system script
add dont-require-permissions=no name=RebootScript owner=admin policy=reboot \
    source="/system reboot\r\
    \n/system reboot\r\
    \n#"
/tool graphing interface
add allow-address=192.168.15.0/24 interface=ether1_WAN_Coax
add allow-address=192.168.15.0/24 interface=ether2_WAN_Fiber
/tool graphing resource
add allow-address=192.168.15.0/24
//edit:
I will add that we have xDSL via terminator and bonding (2x50).
And a new observation...when I ping the hops on google from the PC that is behind the Mikrotik it is ok. But when I start pinging from the other PC that is directly behind the DSL modem they both fall into timeout.

Who is online

Users browsing this forum: apitsos, maxslug, smirgo and 64 guests