abi
just joined
Topic Author
Posts: 8
Joined: Mon Nov 04, 2019 4:08 pm

Packet loss between two bridges

Thu Nov 07, 2019 9:56 pm

I've bought a MikroTik recently, so I'm a new user; however, I think my issue is not so beginner.
I have a strange packet loss. It is not random; usually every 6th packet is lost. Sometimes it comes back with a delay (900ms, 1600ms), but usually it's lost completely. After a reboot, pings work for some time without issues.

1. I'm pinging 10.0.0.10 from 192.168.3.100
2. 10.0.0.10 drops no pings when pinged from 10.0.0.0/16 or from device.

Any ideas are welcome.

# nov/07/2019 22:48:26 by RouterOS 6.45.7
# software id = 04PU-E3UT
#
# model = RB760iGS
# serial number = *snip*
/interface bridge
add admin-mac=74:4D:28:F0:95:A6 auto-mac=no comment=defconf fast-forward=no name=inside protocol-mode=none
add fast-forward=no mtu=1500 name=wifi protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:16:C7:FA:0F:F4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WIFI
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add address=*snip*/32 exchange-mode=ike2 name=*snip*
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 proposal-check=exact
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip pool
add name="inside pool" ranges=10.0.0.100-10.0.0.200
add name="wifi pool" ranges=192.168.3.100-192.168.3.200
/ip dhcp-server
add address-pool="inside pool" disabled=no interface=inside name=defconf
add address-pool="wifi pool" disabled=no interface=wifi name="wifi server"
/interface bridge port
add bridge=inside comment=defconf interface=ether2
add bridge=inside comment=defconf interface=ether3
add bridge=wifi comment=defconf hw=no interface=ether4
add bridge=wifi comment=defconf hw=no interface=ether5
add bridge=inside comment=defconf hw=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=inside list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wifi list=WIFI
/ip address
add address=10.0.0.222/24 comment=defconf interface=inside network=10.0.0.0
add address=192.168.3.222/24 interface=wifi network=192.168.3.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.222 netmask=24
add address=192.168.3.0/24 dns-server=109.195.80.1,109.195.81.1 gateway=192.168.3.222
/ip dns
set allow-remote-requests=yes servers=10.0.10.1
/ip dns static
add address=10.0.0.222 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.0.0/16 list=local
add address=10.0.0.10 list=printer.home
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="local device access" dst-address=10.0.0.222 dst-port=80 protocol=tcp src-address-list=local
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="default input rule" log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow access to printer" dst-address-list=printer.home in-interface-list=WIFI
add action=drop chain=forward comment="disallow access from wifi" dst-address-list=local in-interface-list=WIFI
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=0.0.0.0/0 log=yes src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=*snip* peer=*snip*
/ip ipsec policy
set 0 disabled=yes
add action=none dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=none dst-address=192.168.3.0/24 src-address=10.0.0.0/24
add dst-address=0.0.0.0/0 peer=*snip* sa-dst-address=*snip* sa-src-address=0.0.0.0 src-address=10.0.0.0/24 tunnel=yes
add dst-address=10.0.10.1/32 peer=*snip* sa-dst-address=*snip* sa-src-address=0.0.0.0 src-address=10.208.125.234/32 tunnel=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=*snip*
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sindy
Forum Guru
Posts: 4196
Joined: Mon Dec 04, 2017 9:19 pm

Re: Packet loss between two bridges

Sun Nov 10, 2019 11:22 pm

You haven't stated whether, at the 192.168.3.0/24 subnet / "wifi" bridge side, the pinged devices are connected using a wire or wirelessly, and how they respond to pings from 192.168.3.222 (the Tik itself).

The problem may be in the routing on the Tik itself, in the bridging on the Tik itself, in the wireless AP connected to the Tik, in the cable between the Tik and the wireless AP... So the right thing to do is to split the path into small portions and investigate them as separately as possible. Running /interface ethernet print stats interval=1s while pinging and watching for the various error counters (rx-fcs-error and maybe others) may help you identify cable issues, and running tool sniffer quick ip-address=x.x.x.x ip-protocol=icmp will show you whether the ICMP echo requests and responses are being forwarded (routed) from one interface to another.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
abi
just joined
Topic Author
Posts: 8
Joined: Mon Nov 04, 2019 4:08 pm

Re: Packet loss between two bridges

Mon Nov 11, 2019 8:28 pm

Thank you for your reply. I've almost lost any hope that my topic was noticed.
I did everything that you suggested and I think the problem is in the printer device itself (10.0.0.10). It is reliably dropping some packets when pinged from outside of its network. Yes, I know it's very confusing, but it happens with my old router as well. As minor packet loss is not affecting its printing capabilities, I leave it as is.
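
Added example, not part of any post in this thread: a Python check that tells the pattern reported in the first post (every 6th ping lost or answered late) apart from random loss by looking at the spacing of the affected sequence numbers. It assumes Linux iputils ping output with sequence numbers starting at 1; the function names, the 500 ms lateness threshold and the sample data are constructed for illustration.

```python
import re
from collections import Counter

# Matches Linux iputils reply lines, e.g.
# "64 bytes from 10.0.0.10: icmp_seq=7 ttl=63 time=1.2 ms" (format is an assumption).
REPLY_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")


def affected_sequences(ping_output, sent, late_ms=500.0):
    """Return (lost, late) sequence numbers for probes 1..sent."""
    times = {int(s): float(t) for s, t in REPLY_RE.findall(ping_output)}
    lost = [s for s in range(1, sent + 1) if s not in times]
    late = sorted(s for s, t in times.items() if t >= late_ms)
    return lost, late


def dominant_period(seqs, min_share=0.8):
    """Spacing shared by at least min_share of consecutive affected probes, else None."""
    seqs = sorted(seqs)
    if len(seqs) < 3:
        return None  # too few events to call it a pattern
    gaps = Counter(b - a for a, b in zip(seqs, seqs[1:]))
    gap, count = gaps.most_common(1)[0]
    return gap if count >= min_share * (len(seqs) - 1) else None


def summarize(ping_output, sent, late_ms=500.0):
    """Lost and late probes plus the period of their spacing, if there is one."""
    lost, late = affected_sequences(ping_output, sent, late_ms)
    return {"lost": lost, "late": late, "period": dominant_period(lost + late)}


def make_output(sent, missing=(), delayed=None):
    """Build constructed ping output for testing (not a real capture)."""
    delayed = delayed or {}
    return "\n".join(
        f"64 bytes from 10.0.0.10: icmp_seq={s} ttl=63 time={delayed.get(s, 1.2)} ms"
        for s in range(1, sent + 1) if s not in missing
    )


# Constructed sample: every 6th probe affected, one of them answered 900 ms late.
SAMPLE = make_output(30, missing={6, 12, 24, 30}, delayed={18: 900})

if __name__ == "__main__":
    print(summarize(SAMPLE, 30))
```

A period of None together with a non-empty lost list means the loss has no regular spacing; running the same check from each side of the router keeps the comparison between path segments consistent.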
