AndyBern
just joined
Topic Author
Posts: 18
Joined: Wed Dec 19, 2018 10:53 pm

Intermittent internet

Sun Jul 19, 2020 7:31 am

I've got a weird problem. My internet is intermittent. I can ping websites consistently, but on a browser they are hit or miss unreachable. If I try wikipedia for example, I might get it and I might not. Usually refreshing the browser repeatedly eventually works. Video streaming services are the most likely to fail.

I've had this problem on and off for a few weeks. Sometimes the router works fine and I think the problem is solved, then it acts up.

I bypassed the router (RB2011UiAS-2HnD) and hooked my laptop directly to my GPON and I was able to get the internet consistently, so it seems to be the router. I've restored an older working backup configuration and downgraded the firmware, but the problem still persists. Could this be a hardware problem?
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Intermittent internet

Sun Jul 19, 2020 10:14 am

What does log on RB say?
 
erlinden
Forum Guru
Posts: 1962
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Intermittent internet

Sun Jul 19, 2020 10:15 am

Do you have these problems while connected through wire or wireless?
What version of RouterOS are you running?
Can you please share your config (/export hide-sensitive file=router)?
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Intermittent internet

Sun Jul 19, 2020 10:34 am

Symptoms are typical for MTU issues... Maybe you need to add mangle with MSS clamp? Or just allow ICMP?

Anyway, you can confirm it by trying to ping with large packets:
ping 1.1.1.1 size=1500 do-not-fragment
 
AndyBern
just joined
Topic Author
Posts: 18
Joined: Wed Dec 19, 2018 10:53 pm

Re: Intermittent internet

Sun Jul 19, 2020 6:15 pm

We have an AirBnB and I had to temporarily go to my old Linksys WRT54GL DD-WRT router to give our guests the internet that was promised until I can figure this out. I'll get the above info when I have time (hopefully this afternoon). It sounds similar to an MTU issue, but if so, why would it work some of the time?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Intermittent internet

Sun Jul 19, 2020 9:17 pm

"It sounds similar to an MTU issue, but if so, why would it work some of the time?"
There may be an actual MTU issue, or a path MTU discovery issue (blocked ICMP), somewhere in the middle of the path between the client and the server, and the path may differ for each session, even for two sessions towards the same server.

Is there a PPPoE setup on your WAN?
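
Added example, not part of any post in this thread: a small Python model of the behaviour discussed above, where a path with a smaller-MTU hop and filtered ICMP stalls full-size TCP segments while small pings still pass, and an MSS clamp avoids the stall. The hop MTUs, path names and function names are constructed for illustration.

```python
# Added illustration (not from the thread): PMTUD black hole vs. MSS clamp.
# All paths and MTU values below are constructed for the example.
IP_HDR, TCP_HDR, ICMP_HDR = 20, 20, 8

# Hypothetical per-session paths: hop MTUs between router and server.
PATH_CLEAN = [1500, 1500, 1500]
PATH_NARROW = [1500, 1472, 1500]   # one hop with a smaller MTU

def forward(ip_len, hop_mtus, icmp_blocked):
    """Send one DF packet of ip_len bytes (IP header included) along a path.

    Returns ("delivered", None), ("frag-needed", mtu) when the ICMP error
    reaches the sender, or ("silent-drop", None) when that ICMP is filtered.
    """
    for mtu in hop_mtus:
        if ip_len > mtu:
            return ("silent-drop", None) if icmp_blocked else ("frag-needed", mtu)
    return ("delivered", None)

def tcp_transfer(mss, hop_mtus, icmp_blocked, max_rounds=8):
    """Push full-size DF segments; return the MSS that got through, or
    None when the session stalls (sender keeps retransmitting the same size)."""
    for _ in range(max_rounds):
        status, hop_mtu = forward(mss + IP_HDR + TCP_HDR, hop_mtus, icmp_blocked)
        if status == "delivered":
            return mss
        if status == "silent-drop":
            return None
        mss = hop_mtu - IP_HDR - TCP_HDR   # PMTUD: shrink to the reported MTU
    return None

def clamp_mss(advertised_mss, egress_mtu):
    """MSS a router-side clamp would leave in the SYN for a given egress MTU."""
    return min(advertised_mss, egress_mtu - IP_HDR - TCP_HDR)

def largest_df_packet(probe, lo=IP_HDR + ICMP_HDR, hi=1500):
    """Binary-search the largest IP packet size for which probe(size) is True.
    RouterOS `ping size=` counts the whole IP packet; Linux `ping -s` counts
    only the ICMP payload, i.e. this result minus 28 bytes."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def demo():
    blocked = True   # ICMP "fragmentation needed" filtered somewhere on the path
    pmtu = largest_df_packet(lambda n: forward(n, PATH_NARROW, blocked)[0] == "delivered")
    return {
        "small_ping": forward(84, PATH_NARROW, blocked)[0],
        "clean_path": tcp_transfer(1460, PATH_CLEAN, blocked),
        "narrow_blackhole": tcp_transfer(1460, PATH_NARROW, blocked),
        "narrow_pmtud_ok": tcp_transfer(1460, PATH_NARROW, icmp_blocked=False),
        "path_mtu": pmtu,
        "narrow_clamped": tcp_transfer(clamp_mss(1460, pmtu), PATH_NARROW, blocked),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

In this model a session that happens to take the clean path works, one that takes the narrow path with ICMP filtered stalls, and the same session succeeds once the MSS is clamped to the measured path MTU minus 40 bytes.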
 
AndyBern
just joined
Topic Author
Posts: 18
Joined: Wed Dec 19, 2018 10:53 pm

Re: Intermittent internet

Mon Jul 20, 2020 10:52 pm

I still haven't had a chance to switch back to the MK, but I'm pretty sure it's an MTU issue. I used to have a static IP from my ISP. Then some trunk was cut in Colorado and everyone with a static IP in town only saw half of the internet. So I went to a dynamic IP and that's when the problems started. My ISP uses CGNAT. I don't really know much about it, but I'm thinking that's adding to the packet size. I can't ping google.com with a size any larger than 1472.

When I go back to the MK, I'm gonna drop the MTU on my WAN port. I'll also try to get a static IP again. That might wait until our AirBnB guests leave.

# jul/18/2020 20:56:38 by RouterOS 6.47.1
# software id = R9RF-MAEY
#
# model = 2011UiAS-2HnD r2
# serial number = 91DF099E8A71
/interface bridge
add comment="Hospitality House network" name=bridgeGuest
add admin-mac=##:##:##:##:##:## auto-mac=no comment=DTJNet name=bridgeMain
add name=bridgePhone
add name=bridgeSecurity
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="DTJ Desktop"
set [ find default-name=ether3 ] comment=Printer/Scanner
set [ find default-name=ether4 ] comment="*VLAN TEST*"
set [ find default-name=ether5 ] comment="*VLAN TEST*"
set [ find default-name=ether6 ] comment="Media Switch"
set [ find default-name=ether9 ] comment="Hospitality House trunk"
set [ find default-name=ether10 ] comment="VoIP (Phone)"
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country="united states" disabled=no distance=indoors \
    frequency=2437 frequency-mode=manual-txpower mode=ap-bridge ssid=DTJNet \
    station-roaming=enabled wireless-protocol=802.11
/interface ethernet switch port
set 4 default-vlan-id=12 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******** \
    wpa2-pre-shared-key=********
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik wpa-pre-shared-key=newJoy123 \
    wpa2-pre-shared-key=newJoy123
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=secure-proposal \
    pfs-group=modp4096
/ip pool
add name=dhcp ranges=192.168.0.101-192.168.0.150
add name=poolHH ranges=192.168.1.101-192.168.1.150
add name=poolOpenVPN ranges=192.168.10.10-192.168.10.99
add name=poolPhones ranges=192.168.6.100-192.168.6.110
add name=poolHome ranges=192.168.10.100-192.168.10.199
add name=poolMedia ranges=192.168.13.100-192.168.13.199
add name=poolGuest ranges=192.168.15.100-192.168.15.199
add name=poolSecurity ranges=192.168.12.100-192.168.12.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridgeMain lease-time=12h name=\
    dhcpDTJ
add address-pool=poolHH disabled=no interface=bridgeGuest lease-time=12h \
    name=dhcpHH
add address-pool=poolPhones disabled=no interface=bridgePhone lease-time=12h \
    name=dhcpPhone
add address-pool=poolHome disabled=no lease-time=12h name=dhcpHome
add address-pool=poolMedia disabled=no lease-time=12h name=dhcpMedia
add address-pool=poolGuest disabled=no lease-time=12h name=dhcpGuest
add address-pool=poolSecurity disabled=no lease-time=12h name=dhcpSecurity
/ipv6 pool
add name=IPv6Blacklist prefix=ff12::8384/128 prefix-length=128
/ppp profile
add local-address=192.168.10.33 name=OpenVPN remote-address=poolOpenVPN \
    use-encryption=required
add dns-server=192.168.10.250 local-address=192.168.10.250 name=vpn-profile \
    remote-address=poolOpenVPN use-encryption=yes
/queue simple
add comment="Bandwidth limit Dropbox" max-limit=5M/10M name=Dropbox \
    packet-marks=dropbox target=192.168.0.0/24
add comment="Bandwidth limit the guest network" dst=ether1 max-limit=5M/25M \
    name=Guest target=192.168.1.0/24
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (bridgeGuest) is not slave
add action=drop chain=forward in-interface=*E
# in/out-bridge-port matcher not possible when interface (bridgeGuest) is not slave
add action=drop chain=forward out-interface=*E
/interface bridge port
add bridge=bridgeMain comment=defconf interface=ether2
add bridge=bridgeMain comment=defconf interface=ether3
add bridge=bridgeMain comment=defconf interface=ether4
add bridge=bridgeMain comment=defconf interface=ether5
add bridge=bridgeMain comment=defconf interface=ether6
add bridge=bridgeMain comment=defconf interface=ether7
add bridge=bridgeMain comment=defconf interface=ether8
add bridge=bridgeGuest comment="Hospitality House Router" hw=no interface=\
    ether9
add bridge=bridgePhone comment="VoiP Adapter" interface=ether10
add bridge=bridgeMain comment=defconf interface=sfp1
add bridge=bridgeMain comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set rp-filter=strict
/interface detect-internet
set detect-interface-list=all
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,ether5 switch=switch1 \
    vlan-id=12
/interface list member
add comment="DTJNet bridge interface" interface=bridgeMain list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Hospitality House bridge interface" interface=bridgeGuest list=\
    LAN
add comment="IP Phone bridge interface" interface=bridgePhone list=LAN
add comment="Security bridge interface" interface=bridgeSecurity list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
    default-profile=vpn-profile enabled=yes keepalive-timeout=disabled \
    require-client-certificate=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=192.168.0.1/24 comment=defconf interface=bridgeMain network=\
    192.168.0.0
add address=192.168.1.2/24 interface=bridgeGuest network=192.168.1.0
add address=192.168.6.1/24 interface=bridgePhone network=192.168.6.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.110 mac-address=00:16:E3:FE:C7:82 server=dhcpDTJ
add address=192.168.0.107 client-id=1:b4:f1:da:ed:ea:3b mac-address=\
    B4:F1:DA:ED:EA:3B server=dhcpDTJ
add address=192.168.0.113 mac-address=3C:59:1E:E5:EC:B7 server=dhcpDTJ
add address=192.168.0.90 mac-address=00:24:D7:B9:28:F8 server=dhcpDTJ
/ip dhcp-server network
add address=192.168.0.0/24 comment=DTJNet gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 comment="Hospitality House" gateway=192.168.1.2
add address=192.168.6.0/24 comment=VoIP gateway=192.168.6.1
add address=192.168.10.0/24 comment=vlanHome gateway=192.168.10.1 netmask=24
add address=192.168.11.0/24 comment=vlanPrinter gateway=192.168.11.1 netmask=\
    24
add address=192.168.12.0/24 comment=vlanSecurity gateway=192.168.12.1 \
    netmask=24
add address=192.168.13.0/24 comment=vlanMedia gateway=192.168.13.1 netmask=24
add address=192.168.14.0/24 comment=vlanVoIP gateway=192.168.14.1 netmask=24
add address=192.168.15.0/24 comment=vlanGuest gateway=192.168.15.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,64.6.64.6
/ip dns static
add address=192.168.0.1 name=router.lan type=A
/ip firewall address-list
add address=192.168.0.0/24 list=DTJnet
add address=192.168.1.0/24 list=HHnet
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=192.168.6.0/24 list=PhoneNet
add address=192.168.0.13 list=Camera
add address=192.168.0.14 list=Camera
add address=192.168.0.1 list=Routers
add address=192.168.1.3 list=Routers
add address=192.168.0.100 list=AdminPC
add address=192.168.0.90 list=AdminPC
add address=192.168.0.107 list=AdminPC
add address=162.125.0.0/16 list=Dropbox
/ip firewall filter
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Bogon forward" in-interface=\
    ether1 log=yes log-prefix="Bogon forward" src-address-list=Bogon
add action=drop chain=forward comment="Drop all traffic from closesecure addre\
    sses until scheduled script can delete the secure address list" \
    src-address-list=closesecure
add action=add-src-to-address-list address-list=secure address-list-timeout=\
    5m chain=forward comment=\
    "Refresh source address list timer for data coming from that source." \
    src-address-list=secure
add action=jump chain=forward comment=\
    ">> Incoming camera access: Jump to SECURE-IN" dst-address-list=Camera \
    jump-target=SECURE-IN
add action=jump chain=forward comment=\
    ">> Outgoing camera: Jump to SECURE-OUT" jump-target=SECURE-OUT \
    src-address-list=Camera
add action=jump chain=forward comment=">> Guest-to-main: Jump to OTHER2MAIN" \
    in-interface=bridgeGuest jump-target=OTHER2MAIN out-interface=bridgeMain
add action=accept chain=forward comment=\
    "Allow connections from main network to Hosp House" in-interface=\
    bridgeMain out-interface=bridgeGuest
add action=accept chain=forward comment="Allow responses from Phone network to\
    \_main network for established connections" connection-state=\
    established,related in-interface=bridgePhone out-interface=bridgeMain
add action=drop chain=forward comment=\
    "Drop new connections from Phone to main network" connection-state=\
    invalid,new in-interface=bridgePhone out-interface=bridgeMain
add action=accept chain=forward comment=\
    "Allow connections from main network to Phone network" in-interface=\
    bridgeMain out-interface=bridgePhone
add action=add-src-to-address-list address-list=AbuseLog \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Add incoming Abuse IP to AbuseLog list." src-address-list=Abuse
add action=drop chain=forward comment=\
    "Drop all incoming from Abuse addresses" src-address-list=Abuse
add action=drop chain=forward comment="Drop all outgoing to Abuse addresses" \
    dst-address-list=Abuse
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Enable LAN to WAN for main network" \
    in-interface=bridgeMain out-interface=ether1
add action=accept chain=forward comment="Enable LAN to WAN for Hosp House" \
    in-interface=bridgeGuest out-interface=ether1
add action=accept chain=forward comment="Enable LAN to WAN for phone network" \
    in-interface=bridgePhone out-interface=ether1
add action=accept chain=forward comment="Enable LAN to WAN for Security" \
    in-interface=bridgeSecurity out-interface=ether1
add action=accept chain=forward comment=\
    "Accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other incoming traffic"
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment=\
    "Always allow access to routers and switches from desktop PC." \
    dst-address-list=Routers src-address-list=AdminPC
add action=add-src-to-address-list address-list=knockport1 \
    address-list-timeout=3s chain=input comment="Port knock 1" dst-port=##### \
    protocol=tcp
add action=add-src-to-address-list address-list=knockport2 \
    address-list-timeout=3s chain=input comment="Port knock 2" dst-port=##### \
    protocol=udp src-address-list=knockport1
add action=add-src-to-address-list address-list=secure address-list-timeout=\
    5m chain=input comment="Port knock 3 - Add address to secure list" \
    dst-port=##### log=yes log-prefix="Knocked port open" protocol=tcp \
    src-address-list=knockport2
add action=add-src-to-address-list address-list=closesecure \
    address-list-timeout=5m chain=input comment="Close open knocked port on re\
    quest. This blocks the source IP until a timer can remove the closesecure \
    and secure address lists." dst-port=##### protocol=tcp src-address-list=\
    secure
add action=drop chain=input comment=\
    "Drop access to routers and switches from other networks" \
    dst-address-list=Routers
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Accept ICMP only from main network" \
    protocol=icmp src-address-list=DTJnet
add action=drop chain=input comment=\
    "Drop all other traffic destined to router." in-interface-list=!LAN
add action=add-src-to-address-list address-list=secure address-list-timeout=\
    5m chain=SECURE-IN comment="SECURE-IN: Incoming packets from secure remote\
    \_address restart secure timer" src-address-list=secure
add action=accept chain=SECURE-IN comment=\
    "SECURE-IN: Allow security camera access if secured by port knocks" \
    dst-port=##### protocol=tcp src-address-list=secure
add action=log chain=SECURE-IN comment=\
    "SECURE-IN: Log incoming camera access" connection-state=\
    invalid,new,untracked dst-address-list=Camera log=yes log-prefix=\
    CAMERA-INBOUND
add action=drop chain=SECURE-IN comment=\
    "SECURE-IN: Drop all other incoming camera access" dst-address-list=\
    Camera
add action=log chain=SECURE-OUT comment=\
    "SECURE-OUT: Log outgoing camera access" connection-state=\
    invalid,new,untracked log=yes log-prefix=CAMERA-OUTBOUND \
    src-address-list=Camera
add action=add-dst-to-address-list address-list=_CameraOutbound \
    address-list-timeout=none-dynamic chain=SECURE-OUT comment="SECURE-OUT: Bu\
    ild camera outgoing address list (detect abuse activity from camera)" \
    dst-address-list=!secure src-address-list=Camera
add action=drop chain=SECURE-OUT comment=\
    "SECURE-OUT: Drop all outgoing camera traffic except knock secured" \
    dst-address-list=!secure src-address-list=Camera
add action=accept chain=OTHER2MAIN comment="Allow responses from other subnet \
    to main network for established connections only" dst-address-list=\
    AdminPC src-address-list=Routers
add action=drop chain=OTHER2MAIN comment=\
    "Drop all other access from other subnet to main network " \
    connection-state=""
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Dropbox outgoing" \
    dst-address-list=Dropbox new-connection-mark=dropbox_conn passthrough=yes
add action=mark-connection chain=prerouting comment="Dropbox incoming" \
    new-connection-mark=dropbox_conn passthrough=yes src-address-list=Dropbox
add action=mark-packet chain=prerouting comment="Dropbox packet mark" \
    connection-mark=dropbox_conn new-packet-mark=dropbox passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat comment="Remote DTJ Desktop access" dst-port=\
    22 protocol=tcp to-addresses=192.168.0.100 to-ports=22
add action=dst-nat chain=dstnat comment="Remote VNC connection" dst-port=5900 \
    protocol=tcp to-addresses=192.168.0.100 to-ports=5900
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1
/ip firewall raw
add action=drop chain=prerouting dst-port=22 in-interface=ether1 protocol=tcp \
    src-address-list=!secure
/ip ipsec policy
set 0 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set domain=DTJNet
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridgeMain type=internal
add interface=bridgeGuest type=internal
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface
set wlan1 disabled=yes
set sfp1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=wlan1
/ppp secret
add name=Andrew password="********"
add name=vpnuser password="********" profile=vpn-profile
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=DTJR1
/system note
set note="DTJ Software. Authorized administrators only. Access to this device \
    is monitored."
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=132.163.97.3 \
    server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard settings
set silent-boot=yes
/system scheduler
add interval=5s name=AutoPortKnockClose on-event=":if ([:len [/ip firewall add\
    ress-list find list=\"closesecure\"]] != 0) do={\r\
    \n :local i [/ip firewall address-list get value-name=address [find list=\
    \"closesecure\"]];\r\
    \n /ip firewall address-list remove [find list=\"secure\" address=\$i];\r\
    \n /ip firewall address-list remove [find list=\"closesecure\" address=\$i\
    ];\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add disabled=yes interval=1d name=Auto-Upgrade on-event="/system package updat\
    e\r\
    \ncheck-for-updates once\r\
    \n:delay 1s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install }" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/2017 start-time=03:00:20
/system watchdog
set ping-timeout=5m watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
add interface=ether10
add interface=bridgeMain
add interface=wlan1
add interface=bridgeGuest
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
 
AndyBern
just joined
Topic Author
Posts: 18
Joined: Wed Dec 19, 2018 10:53 pm

Re: Intermittent internet

Mon Jul 20, 2020 11:48 pm

I'm back to the MK with a WAN interface MTU of 1472 and everything's looking good. I also went back to my old static IP. Thanks vecernik87 for the pointer.
