Dustymeg
just joined
Topic Author
Posts: 6
Joined: Thu Apr 04, 2024 8:08 pm

Slow connections across vlans with hex

Thu Apr 04, 2024 8:21 pm

Hi,
Been using my hex for a long time with no issues.
Recently got into VLANs with it and it seems to be having issues with transfer speeds.
Getting anywhere between 200 and 300 Mbit/s with iperf when going between 2 vlans and 900 when staying inside the vlan.
I currently have 127 firewall rules. Some disabled.

When running the iperf I was seeing the CPU usage hitting 50%. So guessing the hex may just be underpowered for what I need.

Can anyone recommend a better model to upgrade to so I can get the gigabit speeds across vlans, or recommend any settings that I may be able to use to get the hex to get a better speed when crossing the vlan boundaries?

Hex is currently running RouterOS 7.14.2
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Slow connections across vlans with hex

Thu Apr 04, 2024 11:05 pm

If you want a noticeable performance improvement, the next tier of performance is the RB5009UG+S+IN, at least 3x the performance of smaller devices like the hEX.

Of course it is another tier of price, but the price-to-performance ratio is better.
 
anav
Forum Guru
Posts: 19450
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Slow connections across vlans with hex

Thu Apr 04, 2024 11:43 pm

Two options.
Budget: hAP AX3, just disable wifi if you don't need it. Will handle a 1 gig WAN connection
Better: RB5009, good for up to a 2.5 gig WAN connection
PRO: 2116, mouthwatering performance
 
Dustymeg
just joined
Topic Author
Posts: 6
Joined: Thu Apr 04, 2024 8:08 pm

Re: Slow connections across vlans with hex

Fri Apr 05, 2024 5:02 pm

Thanks for the advice.
Just ordered the RB5009UG+S+IN and the mounting ears for it.

Give that a go.
 
Dustymeg
just joined
Topic Author
Posts: 6
Joined: Thu Apr 04, 2024 8:08 pm

Re: Slow connections across vlans with hex

Thu Apr 11, 2024 9:34 am

Sorted out the RB5009. But getting an even slower cross-VLAN connection now. In the 15 Mbit/s range.
I did lift and shift the settings from the hex manually. But would have thought it would still have worked?

Including the config.
# 2024-04-11 07:24:33 by RouterOS 7.14.2
# software id = EBIH-DSRK
#
# model = RB5009UG+S+
# serial number = HFH09FYM095
/interface bridge
add admin-mac=78:9A:18:C7:1E:BF auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=
/interface vlan
add interface=ether3 name=CAM88 vlan-id=88
add interface=ether3 name=IoT687 vlan-id=687
add interface=ether3 name=VLAN82 vlan-id=82
add interface=ether3 name=VLAN3000 vlan-id=3000
add interface=ether3 name=WIFI20 vlan-id=20
add interface=ether3 name=WORK999 vlan-id=999
add interface=ether3 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=66 name=option66 value="'192.168.82.239'"
add code=60 name=pi-60 value="'PXEClient'"
add code=43 name=pi-43 value="'Raspberry Pi Boot'"
/ip dhcp-server option sets
add name=set1 options=option66
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=192.168.99.0/24-IPPool ranges=192.168.99.10-192.168.99.254
add name=dhcp ranges=192.168.41.10-192.168.41.254
add name=192.168.82.0/24-IPPool ranges=192.168.82.10-192.168.82.254
add name=192.168.41.0/24-IPPool ranges=192.168.41.2-192.168.41.254
add name=192.168.89.0/24-IPPool ranges=192.168.89.10-192.168.89.254
add name=192.168.40.0/24-IPPool ranges=192.168.40.2-192.168.40.254
add name=10.0.68.0/24-IPPool ranges=10.0.68.2-10.0.68.254
add name=192.168.42.0/24-IPPool ranges=192.168.42.10-192.168.42.254
add name=192.168.253.0/29-IPPool ranges=192.168.253.2-192.168.253.6
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=192.168.99.0/24-IPPool interface=WORK999 lease-time=10m name=192.168.99.0-DHCP
add address-pool=192.168.253.0/29-IPPool interface=VLAN3000 lease-time=10m name=192.168.254.0-DHCP
add address-pool=192.168.89.0/24-IPPool insert-queue-before=bottom interface=CAM88 lease-time=10m name=192.168.89.0-DHCP
add address-pool=192.168.42.0/24-IPPool insert-queue-before=bottom interface=WIFI20 lease-time=10m name=192.168.42.0-DHCP
add address-pool=192.168.41.0/24-IPPool interface=vlan10 lease-script="# When \"1\" all DNS entries with IP address of DHCP lease are removed\r\
    \n:local dnsRemoveAllByIp \"1\"\r\
    \n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
    \n:local dnsRemoveAllByName \"1\"\r\
    \n# When \"1\" addition and removal of DNS entries is always done also for non-FQDN hostname\r\
    \n:local dnsAlwaysNonfqdn \"1\"\r\
    \n# DNS domain to add after DHCP client hostname\r\
    \n:local dnsDomain \"lan\"\r\
    \n# DNS TTL to set for DNS entries\r\
    \n:local dnsTtl \"00:15:00\"\r\
    \n# Source of DHCP client hostname, can be \"lease-hostname\" or any other lease attribute, like \"host-name\" or \"comment\"\r\
    \n:local leaseClientHostnameSource \"lease-hostname\"\r\
    \n\r\
    \n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientHostnameSource\"\r\
    \n:local leaseClientHostname\r\
    \n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
    \n  :set leaseClientHostname \$\"lease-hostname\"\r\
    \n} else={\r\
    \n  :set leaseClientHostname ([:pick \\\r\
    \n    [/ip dhcp-server lease print as-value where server=\"\$leaseServerName\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
    \n    0]->\"\$leaseClientHostnameSource\")\r\
    \n}\r\
    \n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
    \n:if ([:len [\$dnsDomain]] > 0) do={\r\
    \n  :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain,\$leaseClientHostname\"\r\
    \n  } else={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain\"\r\
    \n  }\r\
    \n}\r\
    \n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" and address=\"\$leaseActIP\"]\r\
    \n}\r\
    \n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
    \n  :if (\$dnsRemoveAllByName = \"1\") do={\r\
    \n    /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" and name=\"\$h\"]\r\
    \n  }\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
    \n  :if (\$leaseBound = \"1\") do={\r\
    \n    :delay 1\r\
    \n    /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
    \n  }\r\
    \n}" lease-time=10m name=192.168.41.0-DHCP
add address-pool=10.0.68.0/24-IPPool interface=IoT687 lease-time=10m name=10.0.68.0-DHCP
add address-pool=192.168.82.0/24-IPPool insert-queue-before=bottom interface=VLAN82 lease-time=10m name=192.168.82.0-DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WORK999 list=LAN
add interface=VLAN3000 list=LAN
add interface=CAM88 list=LAN
add interface=WIFI20 list=LAN
add interface=vlan10 list=LAN
add interface=VLAN82 list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=WORK999 network=192.168.99.0
add address=192.168.253.1/29 interface=VLAN3000 network=192.168.253.0
add address=192.168.89.1/24 interface=CAM88 network=192.168.89.0
add address=192.168.42.1/24 interface=WIFI20 network=192.168.42.0
add address=192.168.41.1/24 interface=vlan10 network=192.168.41.0
add address=10.0.68.1/24 interface=IoT687 network=10.0.68.0
add address=192.168.82.1/24 interface=VLAN82 network=192.168.82.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.89.253 client-id=1:e0:ca:3c:4e:65:38 mac-address=E0:CA:3C:4E:65:38 server=192.168.89.0-DHCP
add address=192.168.89.254 client-id=1:8:a1:89:53:f3:cd mac-address=08:A1:89:53:F3:CD server=192.168.89.0-DHCP
add address=192.168.42.230 mac-address=88:DC:96:87:25:C5 server=192.168.42.0-DHCP
add address=192.168.42.228 mac-address=88:DC:96:87:25:C9 server=192.168.42.0-DHCP
add address=192.168.42.227 mac-address=88:DC:97:07:68:92 server=192.168.42.0-DHCP
add address=192.168.42.11 comment=ezMaster mac-address=00:0C:29:FF:9F:C1 server=192.168.42.0-DHCP
add address=192.168.41.11 client-id=1:ec:d:e4:f:f6:44 comment="Ben fire Stick" mac-address=EC:0D:E4:0F:F6:44 server=192.168.41.0-DHCP
add address=192.168.41.61 client-id=ff:c5:5a:4d:5e:0:2:0:0:ab:11:ba:d0:eb:15:93:1d:54:e5 mac-address=00:26:B6:60:D1:52 server=192.168.41.0-DHCP
add address=192.168.41.24 client-id=1:c4:54:44:98:b0:45 comment="Main Desk Voice" mac-address=C4:54:44:98:B0:45 server=192.168.41.0-DHCP
add address=192.168.41.19 client-id=1:f0:2f:74:1c:63:9f mac-address=F0:2F:74:1C:63:9F server=192.168.41.0-DHCP
add address=192.168.41.184 comment="Zyxel GS1900-10HP PoE Switch" mac-address=D8:EC:E5:BE:74:F5 server=192.168.41.0-DHCP
add address=192.168.41.21 client-id=1:b8:27:eb:dd:5d:4 mac-address=B8:27:EB:DD:5D:04 server=192.168.41.0-DHCP
add address=192.168.41.183 comment="Server Switch" mac-address=B8:EC:A3:A8:20:01 server=192.168.41.0-DHCP
add address=192.168.41.13 mac-address=1C:6F:65:37:4C:83 server=192.168.41.0-DHCP
add address=192.168.41.9 client-id=1:84:a6:c8:e0:51:b9 mac-address=84:A6:C8:E0:51:B9 server=192.168.41.0-DHCP
add address=192.168.41.25 client-id=1:0:4:4b:fb:96:db comment="Nvidia Shield Main Bedroom wifi" mac-address=00:04:4B:FB:96:DB server=192.168.41.0-DHCP
add address=192.168.41.18 client-id=1:0:4:4b:fd:1d:7b comment="Nvidia Shield Main Bedroom Lan" mac-address=00:04:4B:FD:1D:7B server=192.168.41.0-DHCP
add address=192.168.41.29 client-id=1:fc:d7:49:8e:a5:bc comment="Ben Fire 10" mac-address=FC:D7:49:8E:A5:BC server=192.168.41.0-DHCP
add address=192.168.41.62 client-id=ff:7b:31:fe:60:0:2:0:0:ab:11:ba:d0:eb:15:93:1d:54:e5 mac-address=00:26:9E:7D:00:77 server=192.168.41.0-DHCP
add address=192.168.41.23 client-id=1:4c:9e:ff:6e:7a:77 comment="Main Switch" mac-address=4C:9E:FF:6E:7A:77 server=192.168.41.0-DHCP
add address=192.168.41.42 client-id=1:e4:5f:1:20:f6:9b dhcp-option=option66,pi-43,pi-60 mac-address=E4:5F:01:20:F6:9B server=192.168.41.0-DHCP
add address=192.168.41.36 mac-address=00:0C:29:EA:11:D8 server=192.168.41.0-DHCP
add address=192.168.41.53 client-id=48:B0:2D:7A:0B:05 comment="Nvidia Shield Living Room wifi" mac-address=48:B0:2D:7A:0B:05 server=192.168.41.0-DHCP
add address=192.168.41.30 client-id=1:b8:27:eb:45:63:55 mac-address=B8:27:EB:45:63:55 server=192.168.41.0-DHCP
add address=192.168.82.229 client-id=ff:66:7b:93:2a:0:2:0:0:ab:11:c7:62:4a:58:b:f9:3f:26 mac-address=48:4D:7E:E0:04:8F server=192.168.82.0-DHCP
add address=192.168.82.231 client-id=ff:66:7b:93:2a:0:2:0:0:ab:11:1a:c3:92:fd:e0:70:10:de mac-address=48:4D:7E:D9:01:C8 server=192.168.82.0-DHCP
add address=192.168.82.239 client-id=1:98:90:96:e0:3e:4c comment=Baldrick mac-address=98:90:96:E0:3E:4C server=192.168.82.0-DHCP
add address=192.168.82.238 client-id=1:e4:54:e8:d0:18:cd mac-address=E4:54:E8:D0:18:CD server=192.168.82.0-DHCP
/ip dhcp-server network
add address=10.0.68.0/24 comment=IoT dns-server=10.0.68.1 gateway=10.0.68.1 netmask=24
add address=192.168.41.0/24 comment=Main dns-server=1.1.1.1 gateway=192.168.41.1 netmask=24
add address=192.168.42.0/24 comment="Network Equipment" dns-server=192.168.42.1 gateway=192.168.42.1 netmask=24
add address=192.168.82.0/24 comment=Servers dns-server=192.168.82.1 gateway=192.168.82.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=Cameras dns-server=192.168.89.1 gateway=192.168.89.1 netmask=24
add address=192.168.99.0/24 comment=Work dns-server=192.168.99.1 gateway=192.168.99.1 netmask=24
add address=192.168.253.0/29 comment=Hive dns-server=192.168.253.1 gateway=192.168.253.1 netmask=29
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.41.24 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=DESKTOP-7S7LN24.lan ttl=15m
add address=192.168.41.24 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=DESKTOP-7S7LN24 ttl=15m
add address=192.168.41.21 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=ExcerciseLibreElec.lan ttl=15m
add address=192.168.41.21 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=ExcerciseLibreElec ttl=15m
add address=192.168.41.3 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OCTO-CADLITE.lan ttl=15m
add address=192.168.41.3 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OCTO-CADLITE ttl=15m
add address=192.168.41.23 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=GS1920.lan ttl=15m
add address=192.168.41.23 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=GS1920 ttl=15m
add address=192.168.41.8 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=myHivehub.lan ttl=15m
add address=192.168.41.8 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=myHivehub ttl=15m
add address=192.168.41.19 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Main.lan ttl=15m
add address=192.168.41.19 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Main ttl=15m
add address=192.168.41.29 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=.lan ttl=15m
add address=192.168.41.14 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OnePlus5T.lan ttl=15m
add address=192.168.41.14 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OnePlus5T ttl=15m
/ip firewall address-list
add address=80.41.251.68 list="External IP"
add address=192.168.89.254 list="Security Cameras"
add address=192.168.89.253 list="Security Cameras"
add address=192.168.41.11 list="Bens Devices"
add address=192.168.41.29 list="Bens Devices"
add address=192.168.41.25 list="Shield TVs"
add address=192.168.41.18 list="Shield TVs"
add address=192.168.41.53 list="Shield TVs"
add address=192.168.82.229 list="Traefik Box"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=\
    WAN
add action=passthrough chain=forward comment="special dummy rule to show fasttrack counters"
add action=accept chain=forward comment="Time Servers" protocol=udp src-port=123
add action=accept chain=forward comment=ICMP dst-address=192.168.0.0/16 protocol=icmp src-address=192.168.0.0/16
add action=accept chain=forward comment="NETBIOS Name Service" dst-address=192.178.0.0/16 dst-port=137 protocol=udp src-port=137
# inactive time
add action=drop chain=forward comment="Bens Weekday Bedtime" src-address-list="Bens Devices" time=21h30m-7h,sun,mon,tue,wed,thu
# inactive time
add action=drop chain=forward comment="Bens Weekend Bedtime" src-address-list="Bens Devices" time=21h30m-7h,fri,sat
add action=accept chain=forward comment="Inbound External HTTP Connectivity to Traefik" in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp src-port=80
add action=accept chain=forward comment="Inbound External HTTPS Connectivity to Traefik" in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp src-port=443
add action=accept chain=forward comment="Outbound External HTTP Connectivity to Traefik" dst-port=80 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="Outbound External HTTPS Connectivity to Traefik" dst-port=443 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="Inbound HTTP Connectivity to Traefik" dst-address-list="Traefik Box" dst-port=80 in-interface=!pppoe-out1 out-interface=\
    VLAN82 protocol=tcp
add action=accept chain=forward comment="Inbound HTTPS Connectivity to Traefik" dst-address-list="Traefik Box" dst-port=443 in-interface=!pppoe-out1 out-interface=\
    VLAN82 protocol=tcp
add action=accept chain=forward comment="Inbound XMPP" dst-address-list="Traefik Box" in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp src-port=5222
add action=accept chain=forward comment="Plex port internal" dst-address=192.168.82.238 dst-port=32400 in-interface=vlan10 protocol=tcp
add action=accept chain=forward comment="Plex port internal" dst-address=192.168.82.238 in-interface=vlan10 protocol=udp
add action=accept chain=forward comment="Plex port internal" dst-address=192.168.82.238 in-interface=vlan10 protocol=tcp
add action=accept chain=forward comment="Plex port external" dst-address=192.168.82.238 dst-port=32400 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward comment="Main to cameras" dst-address-list="Security Cameras" out-interface=CAM88 src-address=192.168.41.19
add action=accept chain=forward comment="Internetwork Connectivity" in-interface=VLAN82 out-interface=VLAN82
add action=accept chain=forward comment="Doorbell to HA" dst-address=192.168.82.231 dst-port=8123 in-interface=vlan10 out-interface=VLAN82 protocol=tcp \
    src-address=192.168.41.30
add action=accept chain=forward comment="HA to Shield TVs" dst-address-list="Shield TVs" in-interface=vlan10 out-interface=VLAN82 protocol=tcp src-address=\
    192.168.82.231
add action=accept chain=forward comment="HA to Shield TVS" dst-address-list="Shield TVs" in-interface=vlan10 out-interface=VLAN82 protocol=udp src-address=\
    192.168.82.231
add action=accept chain=forward comment="Shield TVs to HA" dst-address=192.168.82.231 in-interface=VLAN82 out-interface=vlan10 protocol=tcp src-address-list=\
    "Shield TVs"
add action=accept chain=forward comment="Shield TVs to HA" dst-address=192.168.82.231 in-interface=VLAN82 out-interface=vlan10 protocol=udp src-address-list=\
    "Shield TVs"
add action=accept chain=forward comment="Main to IoT" in-interface=vlan10 out-interface=IoT687 protocol=tcp src-address=192.168.41.19
add action=accept chain=forward comment="HA to IoT" in-interface=VLAN82 out-interface=IoT687 protocol=tcp src-address-list="Traefik Box"
add action=accept chain=forward comment="Main to Baldrick" dst-address=192.168.82.239 dst-port=80 in-interface=vlan10 out-interface=VLAN82 protocol=tcp \
    src-address=192.168.41.19
add action=accept chain=forward comment=Tailscale dst-port=41641 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment=Tailscale in-interface=pppoe-out1 out-interface=VLAN82 protocol=udp src-port=3478
add action=accept chain=forward comment=Tailscale dst-port=41641 in-interface=vlan10 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment=Tailscale dst-port=41641 in-interface=VLAN82 out-interface=vlan10 protocol=tcp
add action=accept chain=forward comment="PIHole to Baldrick" dst-address=192.168.82.239 in-interface=vlan10 out-interface=VLAN82 protocol=tcp src-address=\
    192.168.41.42
add action=accept chain=forward comment="PIHole to Baldrick" dst-address=192.168.82.239 in-interface=vlan10 out-interface=VLAN82 protocol=udp src-address=\
    192.168.41.42
add action=accept chain=forward comment="MQTT to HA" dst-address=192.168.82.231 dst-port=1883 in-interface=IoT687 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="HA to MQTT" in-interface=VLAN82 out-interface=IoT687 protocol=tcp src-address=192.168.82.231 src-port=1883
add action=accept chain=forward dst-port=22 out-interface=VLAN82 protocol=tcp src-address=192.168.41.19
add action=drop chain=forward comment="Drop all other traffic to 192.168.82.0/24 network" log=yes log-prefix=Server-Drop out-interface=VLAN82
add action=accept chain=forward comment="Frigate to Cameras" dst-address-list="Security Cameras" dst-port=554 in-interface=VLAN82 out-interface=CAM88 protocol=tcp \
    src-address=192.168.82.238
add action=drop chain=forward comment="Drop all other traffic to 192.168.89.0/24 network" log=yes log-prefix=Server-Drop out-interface=CAM88
add action=drop chain=forward comment="Drop outbound traffic from 192.168.89.0/24 network" in-interface=CAM88 log=yes log-prefix=Server-Drop out-interface=\
    pppoe-out1
add action=drop chain=forward comment="Drop all internal traffic to work network" in-interface=!pppoe-out1 log=yes log-prefix=Server-Drop out-interface=WORK999
add action=drop chain=forward comment="Drop all work traffic to internal vlans" in-interface=WORK999 log=yes log-prefix=Server-Drop out-interface=!pppoe-out1
add action=drop chain=forward comment="Drop all traffic to the IoT network" log=yes log-prefix=Server-Drop out-interface=IoT687
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=Server-Drop
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=dstnat connection-state=new in-interface-list=!WAN log-prefix=\
    nodstnat
/ip firewall nat
add action=dst-nat chain=dstnat comment="Echre port 80" dst-address-list="External IP" dst-port=80 protocol=tcp to-addresses=192.168.82.229 to-ports=80
add action=dst-nat chain=dstnat comment="Echre port 443" dst-address-list="External IP" dst-port=443 protocol=tcp to-addresses=192.168.82.229 to-ports=443
add action=dst-nat chain=dstnat comment="Echre port 32400" dst-address-list="External IP" dst-port=32400 protocol=tcp to-addresses=192.168.82.238 to-ports=32400
add action=masquerade chain=srcnat comment="Internet access for 192.168.82.0 network" src-address=192.168.82.0/24
add action=masquerade chain=srcnat comment="Internet access for 192.168.99.0 network" src-address=192.168.99.0/24
add action=masquerade chain=srcnat comment="Internet access for 192.168.41.0 network" src-address=192.168.41.0/24
add action=masquerade chain=srcnat comment="Internet access for 192.168.253.0 network" src-address=192.168.253.0/29
add action=accept chain=dstnat dst-address=192.168.82.236 dst-address-list="External IP" dst-port=9001 protocol=tcp src-port=9001
add action=masquerade chain=srcnat comment="Internet access for 192.168.42.0 network" disabled=yes src-address=192.168.42.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set www-ssl certificate=ServerCA disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11654
Joined: Thu Mar 03, 2016 10:23 pm

Re: Slow connections across vlans with hex

Thu Apr 11, 2024 2:50 pm

This is wrong:
/interface vlan
add interface=ether3 name=CAM88 vlan-id=88
add interface=ether3 name=IoT687 vlan-id=687
add interface=ether3 name=VLAN82 vlan-id=82
add interface=ether3 name=VLAN3000 vlan-id=3000
add interface=ether3 name=WIFI20 vlan-id=20
add interface=ether3 name=WORK999 vlan-id=999
add interface=ether3 name=vlan10 vlan-id=10

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10 trusted=yes

You should never use a bridge port as the anchor for any other configuration. As soon as an interface (ether3) is made a bridge port, you forget about it ... and use the bridge interface as the anchor for the rest of the configuration.


Two tutorials which I suggest you read and understand:

Different bridge personalities
VLANs in ROS
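As an added example (not from this thread and not the OP's export), this is the pattern mkx describes laid out as a RouterOS config: the VLAN interfaces and their addresses are anchored on the bridge, ether3 is nothing more than a bridge port, and the bridge VLAN table plus vlan-filtering are what actually enforce which port carries which VLAN. The interface names vlan10/VLAN82 and the two subnets are taken from the export above; ether4 as an untagged access port for VLAN 10 is an assumption for illustration.

```routeros
# Added example, not from the thread: VLANs anchored on the bridge, not on a member port.
# Assumptions: ether3 is the trunk to the switch, ether4 is an access port in VLAN 10.

# 1. The L3 VLAN interfaces hang off the bridge, never off ether3.
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=VLAN82 vlan-id=82

# 2. ether3 joins the bridge as a plain port and is not referenced anywhere else.
#    A trunk admits only tagged frames, so a stray untagged frame cannot land in the PVID VLAN;
#    an access port admits only untagged frames and is placed in its VLAN by pvid.
/interface bridge port
add bridge=bridge interface=ether3 frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged

# 3. The bridge VLAN table defines membership. "tagged=bridge" is what lets the
#    router's own vlan10/VLAN82 interfaces receive and send traffic for that VLAN.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=82
add bridge=bridge tagged=bridge,ether3 untagged=ether4 vlan-ids=10

# 4. None of the above is enforced until filtering is enabled. Do this last, with the
#    management VLAN already in the table, so the port you are connected through stays reachable.
/interface bridge
set bridge vlan-filtering=yes

# 5. Addresses go on the VLAN interfaces, so traffic between VLANs is routed through the
#    forward chain instead of being bridged around the firewall.
/ip address
add address=192.168.41.1/24 interface=vlan10
add address=192.168.82.1/24 interface=VLAN82
```

With vlan-filtering left at no, the bridge forwards every tagged frame to every port regardless of the VLAN table, so the segmentation only exists on paper; step 4 is the line that turns the table into an enforced boundary.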
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Slow connections across vlans with hex

Thu Apr 11, 2024 4:44 pm

Post again after applying the new knowledge MKX referenced, and we will have another look!
 
Dustymeg
just joined
Topic Author
Posts: 6
Joined: Thu Apr 04, 2024 8:08 pm

Re: Slow connections across vlans with hex

Thu Apr 11, 2024 11:20 pm

Thanks for the links. I had believed I understood the network part, but not the use of the bridge. It had been working so never looked into it more.

Have now moved all the vlans to use the bridge interface.
Still getting a dog-slow connection across VLANs.
 
anav
Forum Guru
Posts: 19450
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Slow connections across vlans with hex

Fri Apr 12, 2024 12:03 am

Post your latest.
 
Dustymeg
just joined
Topic Author
Posts: 6
Joined: Thu Apr 04, 2024 8:08 pm

Re: Slow connections across vlans with hex

Fri Apr 12, 2024 12:54 am

# 2024-04-11 22:51:46 by RouterOS 7.14.2
# software id = EBIH-DSRK
#
# model = RB5009UG+S+
# serial number = HFH09BYM065
/interface bridge
add admin-mac=78:9A:18:E9:1E:BF auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=
/interface vlan
add interface=bridge name=CAM88 vlan-id=88
add interface=bridge name=IoT687 vlan-id=687
add interface=bridge name=VLAN82 vlan-id=82
add interface=bridge name=VLAN3000 vlan-id=3000
add interface=bridge name=WIFI20 vlan-id=20
add interface=bridge name=WORK999 vlan-id=999
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=66 name=option66 value="'192.168.82.239'"
add code=60 name=pi-60 value="'PXEClient'"
add code=43 name=pi-43 value="'Raspberry Pi Boot'"
/ip dhcp-server option sets
add name=set1 options=option66
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=192.168.99.0/24-IPPool ranges=192.168.99.10-192.168.99.254
add name=dhcp ranges=192.168.41.10-192.168.41.254
add name=192.168.82.0/24-IPPool ranges=192.168.82.10-192.168.82.254
add name=192.168.41.0/24-IPPool ranges=192.168.41.2-192.168.41.254
add name=192.168.89.0/24-IPPool ranges=192.168.89.10-192.168.89.254
add name=192.168.40.0/24-IPPool ranges=192.168.40.2-192.168.40.254
add name=10.0.68.0/24-IPPool ranges=10.0.68.2-10.0.68.254
add name=192.168.42.0/24-IPPool ranges=192.168.42.10-192.168.42.254
add name=192.168.253.0/29-IPPool ranges=192.168.253.2-192.168.253.6
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=192.168.99.0/24-IPPool interface=WORK999 lease-time=10m name=192.168.99.0-DHCP
add address-pool=192.168.253.0/29-IPPool interface=VLAN3000 lease-time=10m name=192.168.254.0-DHCP
add address-pool=192.168.89.0/24-IPPool insert-queue-before=bottom interface=CAM88 lease-time=10m name=192.168.89.0-DHCP
add address-pool=192.168.42.0/24-IPPool insert-queue-before=bottom interface=WIFI20 lease-time=10m name=192.168.42.0-DHCP
add address-pool=192.168.41.0/24-IPPool interface=vlan10 lease-script="# When \"1\" all DNS entries with IP address of DHCP lease are removed\r\
    \n:local dnsRemoveAllByIp \"1\"\r\
    \n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
    \n:local dnsRemoveAllByName \"1\"\r\
    \n# When \"1\" addition and removal of DNS entries is always done also for non-FQDN hostname\r\
    \n:local dnsAlwaysNonfqdn \"1\"\r\
    \n# DNS domain to add after DHCP client hostname\r\
    \n:local dnsDomain \"lan\"\r\
    \n# DNS TTL to set for DNS entries\r\
    \n:local dnsTtl \"00:15:00\"\r\
    \n# Source of DHCP client hostname, can be \"lease-hostname\" or any other lease attribute, like \"host-name\" or \"comment\"\r\
    \n:local leaseClientHostnameSource \"lease-hostname\"\r\
    \n\r\
    \n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientHostnameSource\"\r\
    \n:local leaseClientHostname\r\
    \n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
    \n  :set leaseClientHostname \$\"lease-hostname\"\r\
    \n} else={\r\
    \n  :set leaseClientHostname ([:pick \\\r\
    \n    [/ip dhcp-server lease print as-value where server=\"\$leaseServerName\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
    \n    0]->\"\$leaseClientHostnameSource\")\r\
    \n}\r\
    \n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
    \n:if ([:len [\$dnsDomain]] > 0) do={\r\
    \n  :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain,\$leaseClientHostname\"\r\
    \n  } else={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain\"\r\
    \n  }\r\
    \n}\r\
    \n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" and address=\"\$leaseActIP\"]\r\
    \n}\r\
    \n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
    \n  :if (\$dnsRemoveAllByName = \"1\") do={\r\
    \n    /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" and name=\"\$h\"]\r\
    \n  }\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
    \n  :if (\$leaseBound = \"1\") do={\r\
    \n    :delay 1\r\
    \n    /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
    \n  }\r\
    \n}" lease-time=10m name=192.168.41.0-DHCP
add address-pool=10.0.68.0/24-IPPool interface=IoT687 lease-time=10m name=10.0.68.0-DHCP
add address-pool=192.168.82.0/24-IPPool insert-queue-before=bottom interface=VLAN82 lease-time=10m name=192.168.82.0-DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WORK999 list=LAN
add interface=VLAN3000 list=LAN
add interface=CAM88 list=LAN
add interface=WIFI20 list=LAN
add interface=vlan10 list=LAN
add interface=VLAN82 list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=WORK999 network=192.168.99.0
add address=192.168.253.1/29 interface=VLAN3000 network=192.168.253.0
add address=192.168.89.1/24 interface=CAM88 network=192.168.89.0
add address=192.168.42.1/24 interface=WIFI20 network=192.168.42.0
add address=192.168.41.1/24 interface=vlan10 network=192.168.41.0
add address=10.0.68.1/24 interface=IoT687 network=10.0.68.0
add address=192.168.82.1/24 interface=VLAN82 network=192.168.82.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.89.253 client-id=1:e0:ca:3c:4e:65:38 mac-address=E0:CA:3C:4E:65:38 server=192.168.89.0-DHCP
add address=192.168.89.254 client-id=1:8:a1:89:53:f3:cd mac-address=08:A1:89:53:F3:CD server=192.168.89.0-DHCP
add address=192.168.42.230 mac-address=88:DC:96:87:25:C5 server=192.168.42.0-DHCP
add address=192.168.42.228 mac-address=88:DC:96:87:25:C9 server=192.168.42.0-DHCP
add address=192.168.42.227 mac-address=88:DC:97:07:68:92 server=192.168.42.0-DHCP
add address=192.168.42.11 comment=ezMaster mac-address=00:0C:29:FF:9F:C1 server=192.168.42.0-DHCP
add address=192.168.41.11 client-id=1:ec:d:e4:f:f6:44 comment="Alice fire Stick" mac-address=EC:0D:E4:0F:F6:44 server=192.168.41.0-DHCP
add address=192.168.41.61 client-id=ff:c5:5a:4d:5e:0:2:0:0:ab:11:ba:d0:eb:15:93:1d:54:e5 mac-address=00:26:B6:60:D1:52 server=192.168.41.0-DHCP
add address=192.168.41.24 client-id=1:c4:54:44:98:b0:45 comment="Main Desk Voice" mac-address=C4:54:44:98:B0:45 server=192.168.41.0-DHCP
add address=192.168.41.19 client-id=1:f0:2f:74:1c:63:9f mac-address=F0:2F:74:1C:63:9F server=192.168.41.0-DHCP
add address=192.168.41.184 comment="Zyxel GS1900-10HP PoE Switch" mac-address=D8:EC:E5:BE:74:F5 server=192.168.41.0-DHCP
add address=192.168.41.21 client-id=1:b8:27:eb:dd:5d:4 mac-address=B8:27:EB:DD:5D:04 server=192.168.41.0-DHCP
add address=192.168.41.183 comment="Server Switch" mac-address=B8:EC:A3:A8:20:01 server=192.168.41.0-DHCP
add address=192.168.41.13 mac-address=1C:6F:65:37:4C:83 server=192.168.41.0-DHCP
add address=192.168.41.9 client-id=1:84:a6:c8:e0:51:b9 mac-address=84:A6:C8:E0:51:B9 server=192.168.41.0-DHCP
add address=192.168.41.25 client-id=1:0:4:4b:fb:96:db comment="Nvidia Shield Main Bedroom wifi" mac-address=00:04:4B:FB:96:DB server=192.168.41.0-DHCP
add address=192.168.41.18 client-id=1:0:4:4b:fd:1d:7b comment="Nvidia Shield Main Bedroom Lan" mac-address=00:04:4B:FD:1D:7B server=192.168.41.0-DHCP
add address=192.168.41.29 client-id=1:fc:d7:49:8e:a5:bc comment="Alice Fire 10" mac-address=FC:D7:49:8E:A5:BC server=192.168.41.0-DHCP
add address=192.168.41.62 client-id=ff:7b:31:fe:60:0:2:0:0:ab:11:ba:d0:eb:15:93:1d:54:e5 mac-address=00:26:9E:7D:00:77 server=192.168.41.0-DHCP
add address=192.168.41.23 client-id=1:4c:9e:ff:6e:7a:77 comment="Main Switch" mac-address=4C:9E:FF:6E:7A:77 server=192.168.41.0-DHCP
add address=192.168.41.42 client-id=1:e4:5f:1:20:f6:9b dhcp-option=option66,pi-43,pi-60 mac-address=E4:5F:01:20:F6:9B server=192.168.41.0-DHCP
add address=192.168.41.36 mac-address=00:0C:29:EA:11:D8 server=192.168.41.0-DHCP
add address=192.168.41.53 client-id=48:B0:2D:7A:0B:05 comment="Nvidia Shield Living Room wifi" mac-address=48:B0:2D:7A:0B:05 server=192.168.41.0-DHCP
add address=192.168.41.30 client-id=1:b8:27:eb:45:63:55 mac-address=B8:27:EB:45:63:55 server=192.168.41.0-DHCP
add address=192.168.82.229 client-id=ff:66:7b:93:2a:0:2:0:0:ab:11:c7:62:4a:58:b:f9:3f:26 mac-address=48:4D:7E:E0:04:8F server=192.168.82.0-DHCP
add address=192.168.82.231 client-id=ff:66:7b:93:2a:0:2:0:0:ab:11:1a:c3:92:fd:e0:70:10:de mac-address=48:4D:7E:D9:01:C8 server=192.168.82.0-DHCP
add address=192.168.82.239 client-id=1:98:90:96:e0:3e:4c comment=Baldrick mac-address=98:90:96:E0:3E:4C server=192.168.82.0-DHCP
add address=192.168.82.238 client-id=1:e4:54:e8:d0:18:cd mac-address=E4:54:E8:D0:18:CD server=192.168.82.0-DHCP
/ip dhcp-server network
add address=10.0.68.0/24 comment=IoT dns-server=10.0.68.1 gateway=10.0.68.1 netmask=24
add address=192.168.41.0/24 comment=Main dns-server=1.1.1.1 gateway=192.168.41.1 netmask=24
add address=192.168.42.0/24 comment="Network Equipment" dns-server=192.168.42.1 gateway=192.168.42.1 netmask=24
add address=192.168.82.0/24 comment=Servers dns-server=192.168.82.1 gateway=192.168.82.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=Cameras dns-server=192.168.89.1 gateway=192.168.89.1 netmask=24
add address=192.168.99.0/24 comment=Work dns-server=192.168.99.1 gateway=192.168.99.1 netmask=24
add address=192.168.253.0/29 comment=Hive dns-server=192.168.253.1 gateway=192.168.253.1 netmask=29
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.41.24 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=DESKTOP-7S7LN24.lan ttl=15m
add address=192.168.41.24 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=DESKTOP-7S7LN24 ttl=15m
add address=192.168.41.21 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=ExcerciseLibreElec.lan ttl=15m
add address=192.168.41.21 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=ExcerciseLibreElec ttl=15m
add address=192.168.41.3 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OCTO-CADLITE.lan ttl=15m
add address=192.168.41.3 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OCTO-CADLITE ttl=15m
add address=192.168.41.8 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=myHivehub.lan ttl=15m
add address=192.168.41.8 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=myHivehub ttl=15m
add address=192.168.41.14 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OnePlus5T.lan ttl=15m
add address=192.168.41.14 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OnePlus5T ttl=15m
add address=192.168.82.231 name=dockerhost.lan
add address=192.168.41.9 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=PCS-Laptop.lan ttl=15m
add address=192.168.41.9 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=PCS-Laptop ttl=15m
add address=192.168.41.4 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Pixel-7.lan ttl=15m
add address=192.168.41.4 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Pixel-7 ttl=15m
add address=192.168.41.5 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=HUAWEI_P20-b8d72a4cdc9bd9.lan ttl=15m
add address=192.168.41.5 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=HUAWEI_P20-b8d72a4cdc9bd9 ttl=15m
add address=192.168.41.10 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Tracey-s-Galaxy-S20-5G.lan ttl=15m
add address=192.168.41.10 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Tracey-s-Galaxy-S20-5G ttl=15m
add address=192.168.41.29 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=.lan ttl=15m
add address=192.168.41.19 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Main.lan ttl=15m
add address=192.168.41.19 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Main ttl=15m
/ip firewall address-list
add address=92.9.186.92 list="External IP"
add address=192.168.89.254 list="Security Cameras"
add address=192.168.89.253 list="Security Cameras"
add address=192.168.41.11 list="Bens Devices"
add address=192.168.41.29 list="Bens Devices"
add address=192.168.41.25 list="Shield TVs"
add address=192.168.41.18 list="Shield TVs"
add address=192.168.41.53 list="Shield TVs"
add address=192.168.82.229 list="Traefik Box"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=\
    WAN
add action=passthrough chain=forward comment="special dummy rule to show fasttrack counters"
add action=accept chain=forward comment="Time Servers" protocol=udp src-port=123
add action=accept chain=forward comment=ICMP dst-address=192.168.0.0/16 protocol=icmp src-address=192.168.0.0/16
add action=accept chain=forward comment="NETBIOS Name Service" dst-address=192.178.0.0/16 dst-port=137 protocol=udp src-port=137
add action=drop chain=forward comment="Bens Weekday Bedtime" disabled=yes src-address-list="Bens Devices" time=21h30m-7h,sun,mon,tue,wed,thu
add action=drop chain=forward comment="Bens Weekend Bedtime" disabled=yes src-address-list="Bens Devices" time=21h30m-7h,fri,sat
add action=accept chain=forward comment="Inbound External HTTP Connectivity to Traefik" in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp src-port=80
add action=accept chain=forward comment="Inbound External HTTPS Connectivity to Traefik" in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp src-port=443
add action=accept chain=forward comment="Outbound External HTTP Connectivity to Traefik" dst-port=80 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="Outbound External HTTPS Connectivity to Traefik" dst-port=443 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="Inbound HTTP Connectivity to Traefik" dst-port=80 in-interface=!pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="Inbound HTTPS Connectivity to Traefik" dst-port=443 in-interface=!pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="Inbound XMPP" dst-address=192.168.82.229 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp src-port=5222
add action=accept chain=forward comment="Plex port internal" dst-address=192.168.82.238 dst-port=32400 in-interface=vlan10 protocol=tcp
add action=accept chain=forward comment="Plex port internal" dst-address=192.168.82.238 in-interface=vlan10 protocol=udp
add action=accept chain=forward comment="Plex port internal" dst-address=192.168.82.238 in-interface=vlan10 protocol=tcp
add action=accept chain=forward comment="Plex port external" dst-address=192.168.82.238 dst-port=32400 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward comment="Main to cameras" dst-address-list="Security Cameras" out-interface=CAM88 src-address=192.168.41.19
add action=accept chain=forward comment="Internetwork Connectivity" in-interface=VLAN82 out-interface=VLAN82
add action=accept chain=forward comment="Doorbell to HA" dst-address=192.168.82.231 dst-port=8123 in-interface=vlan10 out-interface=VLAN82 protocol=tcp \
    src-address=192.168.41.30
add action=accept chain=forward comment="HA to Shield TVs" dst-address-list="Shield TVs" in-interface=vlan10 out-interface=VLAN82 protocol=tcp src-address=\
    192.168.82.231
add action=accept chain=forward comment="HA to Shield TVS" dst-address-list="Shield TVs" in-interface=vlan10 out-interface=VLAN82 protocol=udp src-address=\
    192.168.82.231
add action=accept chain=forward comment="Shield TVs to HA" dst-address=192.168.82.231 in-interface=VLAN82 out-interface=vlan10 protocol=tcp src-address-list=\
    "Shield TVs"
add action=accept chain=forward comment="Shield TVs to HA" dst-address=192.168.82.231 in-interface=VLAN82 out-interface=vlan10 protocol=udp src-address-list=\
    "Shield TVs"
add action=accept chain=forward comment="Main to IoT" in-interface=vlan10 out-interface=IoT687 protocol=tcp src-address=192.168.41.19
add action=accept chain=forward comment="HA to IoT" in-interface=VLAN82 out-interface=IoT687 protocol=tcp src-address-list="Traefik Box"
add action=accept chain=forward comment="Main to Baldrick" dst-address=192.168.82.239 dst-port=80 in-interface=vlan10 out-interface=VLAN82 protocol=tcp \
    src-address=192.168.41.19
add action=accept chain=forward comment=Tailscale dst-port=41641 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment=Tailscale in-interface=pppoe-out1 out-interface=VLAN82 protocol=udp src-port=3478
add action=accept chain=forward comment=Tailscale dst-port=41641 in-interface=vlan10 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment=Tailscale dst-port=41641 in-interface=VLAN82 out-interface=vlan10 protocol=tcp
add action=accept chain=forward comment="PIHole to Baldrick" dst-address=192.168.82.239 in-interface=vlan10 out-interface=VLAN82 protocol=tcp src-address=\
    192.168.41.42
add action=accept chain=forward comment="PIHole to Baldrick" dst-address=192.168.82.239 in-interface=vlan10 out-interface=VLAN82 protocol=udp src-address=\
    192.168.41.42
add action=accept chain=forward comment="MQTT to HA" dst-address=192.168.82.231 dst-port=1883 in-interface=IoT687 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="HA to MQTT" in-interface=VLAN82 out-interface=IoT687 protocol=tcp src-address=192.168.82.231 src-port=1883
add action=accept chain=forward dst-port=22 out-interface=VLAN82 protocol=tcp src-address=192.168.41.19
add action=drop chain=forward comment="Drop all other traffic to 192.168.82.0/24 network" log=yes log-prefix=Server-Drop out-interface=VLAN82
add action=accept chain=forward comment="Frigate to Cameras" dst-address-list="Security Cameras" dst-port=554 in-interface=VLAN82 out-interface=CAM88 protocol=tcp \
    src-address=192.168.82.238
add action=drop chain=forward comment="Drop all other traffic to 192.168.89.0/24 network" log=yes log-prefix=Server-Drop out-interface=CAM88
add action=drop chain=forward comment="Drop outbound traffic from 192.168.89.0/24 network" in-interface=CAM88 log=yes log-prefix=Server-Drop out-interface=\
    pppoe-out1
add action=drop chain=forward comment="Drop all internal traffic to work network" in-interface=!pppoe-out1 log=yes log-prefix=Server-Drop out-interface=WORK999
add action=drop chain=forward comment="Drop all work traffic to internal vlans" in-interface=WORK999 log=yes log-prefix=Server-Drop out-interface=!pppoe-out1
add action=drop chain=forward comment="Drop all traffic to the IoT network" log=yes log-prefix=Server-Drop out-interface=IoT687
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=Server-Drop
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=dstnat connection-state=new in-interface-list=!WAN log-prefix=\
    nodstnat
/ip firewall nat
add action=dst-nat chain=dstnat comment="Echre port 80" dst-address-list="External IP" dst-port=80 protocol=tcp to-addresses=192.168.82.229 to-ports=80
add action=dst-nat chain=dstnat comment="Echre port 443" dst-address-list="External IP" dst-port=443 protocol=tcp to-addresses=192.168.82.229 to-ports=443
add action=dst-nat chain=dstnat comment="Echre port 32400" dst-address-list="External IP" dst-port=32400 protocol=tcp to-addresses=192.168.82.238 to-ports=32400
add action=masquerade chain=srcnat comment="Internet access for 192.168.82.0 network" src-address=192.168.82.0/24
add action=masquerade chain=srcnat comment="Internet access for 192.168.99.0 network" src-address=192.168.99.0/24
add action=masquerade chain=srcnat comment="Internet access for 192.168.41.0 network" src-address=192.168.41.0/24
add action=masquerade chain=srcnat comment="Internet access for 192.168.253.0 network" src-address=192.168.253.0/29
add action=accept chain=dstnat dst-address=192.168.82.236 dst-address-list="External IP" dst-port=9001 protocol=tcp src-port=9001
add action=masquerade chain=srcnat comment="Internet access for 192.168.42.0 network" disabled=yes src-address=192.168.42.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set www-ssl certificate=ServerCA disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19450
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Slow connections across vlans with hex  [SOLVED]

Fri Apr 12, 2024 4:08 am

1. vlan-filtering on bridge not turned on.
add admin-mac=xx.xx.xx.xx name=bridge vlan-filtering=yes

Then it goes downhill............
2. How can you have 7 VLANs but 10 pools, 8 DHCP servers, 8 IP addresses, 8 DHCP server networks?
Some pools seem to overlap (192.168.41.......).

3. Firewall rules are a fricken mess, from chain order to very inefficient.

4. MISSING /interface bridge vlan altogether.

5. If not using IPv6, it should be disabled and all associated rules removed.
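To make points 1, 2 and 4 repeatable on the next export, here is an added Python audit script (not from the thread and not MikroTik code) that parses a RouterOS export and flags a bridge without vlan-filtering, any /interface vlan that has no /interface bridge vlan entry (or one where the bridge itself is not a tagged member), and IP pools whose ranges overlap. The two excerpts SAMPLE_BROKEN and SAMPLE_FIXED are constructed in the style of the export above, not the poster's actual config; the ether2 port name in the fixed excerpt is likewise an assumption.

```python
"""Audit a RouterOS export for the bridge-VLAN and pool problems named in the thread."""
import ipaddress
import re

# key=value pairs; quoted values may contain escaped quotes (e.g. inside a lease-script)
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return {section: [entry, ...]}; RouterOS wraps long lines with a trailing backslash."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation: glue the next line on
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # section header such as "/interface bridge vlan"
            section = line
            sections.setdefault(section, [])
        elif section is not None:        # "add ..." / "set ..." command inside a section
            verb, _, rest = line.partition(" ")
            entry = {"_verb": verb}
            for key, val in KV_RE.findall(rest):
                entry[key] = val.strip('"')
            sections[section].append(entry)
    return sections


def _expand_vlan_ids(spec):
    """'10,20-22' -> {10, 20, 21, 22}"""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit(sections):
    """Return a list of human-readable findings (empty list = nothing flagged)."""
    findings = []
    bridges = sections.get("/interface bridge", [])
    bridge_names = {b.get("name") for b in bridges}
    for b in bridges:
        if b.get("vlan-filtering", "no") != "yes":
            findings.append(f"bridge {b.get('name')}: vlan-filtering is not enabled")
    # Every /interface vlan on the bridge needs a /interface bridge vlan row that lists
    # the bridge itself as tagged; otherwise the router has no L3 presence in that VLAN.
    wanted = {int(v["vlan-id"]) for v in sections.get("/interface vlan", [])
              if v.get("interface") in bridge_names}
    covered = {}
    for row in sections.get("/interface bridge vlan", []):
        tagged = set(row.get("tagged", "").split(","))
        for vid in _expand_vlan_ids(row.get("vlan-ids", "")):
            covered[vid] = row.get("bridge") in tagged
    for vid in sorted(wanted):
        if vid not in covered:
            findings.append(f"VLAN {vid}: no /interface bridge vlan entry")
        elif not covered[vid]:
            findings.append(f"VLAN {vid}: bridge itself is not a tagged member")
    # Overlapping pools: any two ranges that share at least one address.
    ranges = []
    for pool in sections.get("/ip pool", []):
        for r in pool.get("ranges", "").split(","):
            lo, _, hi = r.partition("-")
            ranges.append((pool["name"], int(ipaddress.IPv4Address(lo)),
                           int(ipaddress.IPv4Address(hi or lo))))
    for i, (name_a, lo_a, hi_a) in enumerate(ranges):
        for name_b, lo_b, hi_b in ranges[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"pool {name_a} overlaps pool {name_b}")
    return findings


# Constructed excerpts in the style of the export above (not the poster's config).
SAMPLE_BROKEN = """\
/interface bridge
add admin-mac=00:11:22:33:44:55 auto-mac=no name=bridge
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=VLAN82 vlan-id=82
/ip pool
add name=dhcp ranges=192.168.41.10-192.168.41.254
add name=192.168.41.0/24-IPPool ranges=192.168.41.2-192.168.41.254
"""
# Same excerpt with vlan-filtering on, a bridge vlan table (ether2 assumed) and the duplicate pool gone.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("name=bridge\n", "name=bridge vlan-filtering=yes\n").replace(
    "/ip pool\nadd name=dhcp ranges=192.168.41.10-192.168.41.254",
    "/interface bridge vlan\nadd bridge=bridge tagged=bridge,ether2 vlan-ids=10,82\n/ip pool")

if __name__ == "__main__":
    print(audit(parse_export(SAMPLE_BROKEN)), audit(parse_export(SAMPLE_FIXED)))
```

Feed it the text of a real `/export` and the broken sample reports four findings while the fixed one reports none.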
 
Dustymeg
just joined
Topic Author
Posts: 6
Joined: Thu Apr 04, 2024 8:08 pm

Re: Slow connections across vlans with hex

Fri Apr 12, 2024 5:05 pm

The vlan filtering and missing vlans on the bridge interface got it, thanks.

Will have another read through the firewall documentation and work on tidying up those rules and making them more efficient,
as well as the other points you have made.

Thank you
 
anav
Forum Guru
Posts: 19450
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Slow connections across vlans with hex

Fri Apr 12, 2024 8:27 pm

The only block rules you need in the firewall are
invalid traffic (both input and forward chain)
and
the last rule in each chain (drop everything else).

All other firewall rules should be about allowing traffic (default rules + admin traffic desired).
