Hi All,
Hoping for some help here as im loosing my mind. Ive gone through and checked every setting i can think of, googled everything I can think of, with no luck.
See Also
MX Guarddog review: Filter spam for your domain-based emails for free!Anti-Spam Filtering Service - Email Security by MX GuarddogMX Guarddog Free Spam Filtering – Add New DomainIm running a Routerboard 3011 on RouterOS6.44.3 which runs the home internet on an Australian NBN ISP (FTTH) called Aussie Boardband. They use IPoE w/DHCP for connection/authentication/etc.
Im having an issue where im seeing daily or sometimes every other day, internet outages with the ISP. They are informing me, that looking at the logs, my MIkrotik is tearing the session down every 30 minutes, and reestablishing a new session. They are telling me this isnt normal behaviour, and its been happening for as long as they can tell. I tried plugging a PC directly into the NBN NTD, and left it running overnight and checked in the next day, they told the session was stable for a solid 12 hours it was operational. Incidently the ISP runs a 30min DHCP lease, however they've told me there is no relation to the 30min session drops im getting. When the internet drops outs, i still have an active DHCP lease (usually its got 25-28 min on the lease). Additionally the only way i can restore internet access is by rebooting the Mikrotik.
The Mikrotik doesnt connect directly to the NTD, I have a seperate switch closer to the NTD, and the Mikrotik <-> NTD traffic resides in an isolated VLAN trunked between both devices.
Here is a sanatised copy of the config, thanks in advance:
Code: Select all
# apr/19/2020 09:19:53 by RouterOS 6.44.3# software id = ULLN-Q8G0## model = RouterBOARD 3011UiAS# serial number = xxxxx/interface bridgeadd admin-mac=64:D1:54:81:50:87 auto-mac=no comment=defconf name=bridgeadd admin-mac=64:D1:54:81:50:8C auto-mac=no comment=\ "created from master port" name=bridge1 protocol-mode=none/interface ethernetset [ find default-name=ether1 ] l2mtu=1500 name=ether1-gateway speed=100Mbpsset [ find default-name=ether2 ] arp=proxy-arp name=ether2-master-local \ speed=100Mbpsset [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbpsset [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbpsset [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbpsset [ find default-name=ether6 ] name=ether6-master-local speed=100Mbpsset [ find default-name=ether7 ] name=ether7-slave-local speed=100Mbpsset [ find default-name=ether8 ] name=ether8-slave-local speed=100Mbpsset [ find default-name=ether9 ] name=ether9-slave-local speed=100Mbpsset [ find default-name=ether10 ] name=ether10-slave-local speed=100Mbpsset [ find default-name=sfp1 ] advertise=\ 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full/interface vlanadd interface=ether5-slave-local loop-protect=off mtu=1496 name=NBNTransit \ vlan-id=21add interface=ether5-slave-local loop-protect=off mtu=1496 name=WIFI_External \ vlan-id=110/interface ethernet switch portset 0 default-vlan-id=110 vlan-mode=fallback/interface listadd exclude=dynamic name=discoveradd name=macteladd name=mac-winbox/interface wireless security-profilesset [ find default=yes ] supplicant-identity=MikroTik/ip firewall layer7-protocoladd name=skypenack regexp="[\\\\|\\xd5]"/ip ipsec profileadd dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha512 name=\ profile1/ip ipsec peeradd address=180.150.13.138/32 local-address=x.x.x.12 name=peer1 profile=\ profile1/ip ipsec proposalset [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbcadd auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=mikrotik/ip pooladd name=default-dhcp range=add name=vpn-pool ranges=/ppp profileset *0 dns-server=x.x.x.5,x.x.x.13 local-address=x.x.x.11/snmp communityset [ find default=yes ] addresses=0.0.0.0/0 read-access=no/system logging actionset 3 remote=x.x.x.16/tool traffic-generator portadd interface=ether1-gateway name=443/interface bridge portadd bridge=bridge comment=defconf interface=ether2-master-localadd bridge=bridge comment=defconf hw=no interface=sfp1add bridge=bridge interface=ether3-slave-localadd bridge=bridge interface=ether4-slave-localadd bridge=bridge interface=ether5-slave-localadd bridge=bridge1 interface=ether7-slave-localadd bridge=bridge1 interface=ether8-slave-localadd bridge=bridge1 interface=ether9-slave-localadd bridge=bridge1 interface=ether10-slave-localadd bridge=bridge1 interface=ether6-master-local/ip neighbor discovery-settingsset discover-interface-list=discover/interface detect-internetset detect-interface-list=all/interface ethernet switch vlanadd independent-learning=yes ports=ether1-gateway switch=switch1 vlan-id=21add independent-learning=yes ports=ether1-gateway switch=switch1 vlan-id=110/interface l2tp-server serverset use-ipsec=yes/interface list memberadd interface=ether2-master-local list=discoveradd interface=ether3-slave-local list=discoveradd interface=ether4-slave-local list=discoveradd interface=ether5-slave-local list=discoveradd interface=sfp1 list=discoveradd interface=bridge1 list=discoveradd interface=ether7-slave-local list=discoveradd interface=ether8-slave-local list=discoveradd interface=ether9-slave-local list=discoveradd interface=ether10-slave-local list=discoveradd interface=bridge list=discoveradd interface=bridge list=macteladd interface=sfp1 list=macteladd interface=bridge list=mac-winboxadd interface=sfp1 list=mac-winbox/interface ovpn-server serverset auth=sha1 certificate=vpn-server.crt_0 cipher=aes256 enabled=yes \ require-client-certificate=yes/interface sstp-server serverset default-profile=default-encryption/ip addressadd address=x.x.21.4/24 interface=ether2-master-local network=\ x.x.21.0add address=192.168.1.1/24 interface=ether10-slave-local network=x.x.1.0add address=x.x.x.10 disabled=yes interface=bridge1 network=\ 255.255.255.254add address=x.x.x.12 interface=bridge1 network=255.255.255.255add address=x.x.110.1/24 interface=WIFI_External network=x.x.110.0/ip cloudset ddns-enabled=yes/ip dhcp-clientadd comment=defconf dhcp-options=hostname,clientid disabled=no interface=\ ether1-gatewayadd dhcp-options=hostname,clientid disabled=no interface=bridge1/ip dhcp-relayadd dhcp-server=x.x.x.5 interface=ether10-slave-local local-address=\ 192.168.1.1 name=relay1add dhcp-server=x.x.x.5 disabled=no interface=WIFI_External \ local-address=x.x.110.1 name=WIFI_External_DHCP_Relay/ip dhcp-server networkadd address=x.x.1.0/32 dns-server=x.x.x.4 domain=xxx.local gateway=\ 192.168.1.1 netmask=24/ip dnsset allow-remote-requests=yes servers=x.x.x.4,x.x.x.13/ip dns staticadd address=192.168.88.1 name=routeradd address=x.x.x.211 comment="Plex IP Address for QoS Matching" list=\ Plex_Internaladd address=x.x.x.13 comment="Crashplan Internal IP's for QoS Matching" \ list=Crashplan_Internaladd address=103.8.239.0/24 comment="Crashplan Australia IP Range" list=\ Crashplan_External/ip firewall filteradd action=accept chain=forward comment="Inbound Plex" dst-address=\ x.x.x.11 dst-port=32400 log=yes protocol=tcpadd action=accept chain=forward comment="Mikrotik OpenVPN Traffic" \ dst-address=x.x.x.11 log=yes log-prefix=OVPNadd action=accept chain=forward comment="Tempoary Plex Rule TCP/32400 Allow" \ dst-port=32400 protocol=tcpadd action=accept chain=forward comment=\ "Alow VPN Traffic between Site 1 & Site 2" dst-address=x.x.0.0/16 \ src-address=x.x.11.0/24add action=drop chain=input comment="Drop Shadow Server Foundation IP's" \ src-address-list=ShadowFoundationadd action=drop chain=input comment="Drop all China traffic" \ src-address-list=CNadd action=accept chain=output src-address=x.x.x.12add action=accept chain=input dst-address=x.x.x.12 protocol=ipsec-espadd action=accept chain=input dst-address=x.x.x.12 protocol=ipsec-ahadd action=accept chain=input dst-address=x.x.x.12 dst-port=500 \ in-interface=bridge1 protocol=udpadd action=accept chain=forward disabled=yes dst-address=x.x.x.16add action=accept chain=forward comment="Mikrotik OpenVPN" dst-address=\ 10.254.254.2 dst-port=443 protocol=udpadd action=accept chain=forward comment="defconf: accept established,related" \ connection-state=established,relatedadd action=accept chain=input comment="defconf: accept ICMP" protocol=icmpadd action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcpadd action=accept chain=input comment="defconf: accept established,related" \ connection-state=established,relatedadd action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udpadd action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcpadd action=accept chain=forward comment="Inbound Exchange OWA" dst-port=443 \ in-interface=bridge1 protocol=tcpadd action=accept chain=forward comment="Inbound Plex" dst-address=\ x.x.x.x.27 dst-address-list=Plex_Server dst-port=32400 in-interface=\ bridge1 log-prefix=PLEXFW protocol=tcp src-address-list=""add action=accept chain=forward comment="Inbound Exchange SMTP" dst-port=25 \ in-interface=bridge1 protocol=tcp src-address-list=MXGuardDogadd action=accept chain=forward comment="Inbound SSH" dst-port=22 \ in-interface=bridge1 protocol=tcpadd action=accept chain=forward dst-port=21 protocol=tcpadd action=accept chain=input comment="Allow Winbox access remotely" \ dst-port=8291 protocol=tcpadd action=accept chain=forward dst-address=x.x.252.0/23 src-address=\ x.x.11.0/24add action=drop chain=forward comment=\ "VLAN 110 WIFI External - Drop all internal traffic" dst-address-list=\ InsideNetworks src-address=x.x.110.0/24add action=fasttrack-connection chain=forward comment="default configuration" \ connection-state=established,relatedadd action=accept chain=input protocol=icmpadd action=accept chain=input connection-state=establishedadd action=accept chain=input connection-state=relatedadd action=drop chain=input in-interface=bridge1add action=drop chain=forward connection-state=!established,related \ in-interface=bridge1add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface=bridge1add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalidadd action=drop chain=input comment="defconf: drop all from WAN" \ in-interface=bridge1add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related/ip firewall mangleadd action=change-mss chain=forward new-mss=1448 protocol=tcp tcp-flags=syn \ tcp-mss=!0-1448add action=mark-packet chain=prerouting comment=\ "Mark Backup Traffic as \"CrashPlan\"" dst-address-list=\ Crashplan_External new-packet-mark=CrashPlan packet-mark=CrashPlan \ passthrough=yes protocol=tcp/ip firewall natadd action=accept chain=srcnat comment=\ "NAT rule for VPN - Site 1 <-> Site 2" dst-address=10.253.11.0/24 \ src-address=x.x.0.0/16add action=dst-nat chain=dstnat comment="Plex Inbound" dst-address=\ x.x.x.11 dst-port=32400 in-interface=bridge1 log=yes protocol=tcp \ to-addresses=x.x.150.56add action=src-nat chain=srcnat comment="Plex Outbound SRC-NAT" protocol=tcp \ src-address=x.x.150.56 to-addresses=x.x.x.11add action=dst-nat chain=dstnat comment="OpenVPN Inound -> PfSense" \ dst-address=x.x.x.11 dst-port=443 protocol=udp to-addresses=\ 10.254.254.2 to-ports=443add action=dst-nat chain=dstnat comment="OpenVPN Inound -> PfSense" \ dst-address=x.x.x.11 dst-port=1943 in-interface=bridge1 protocol=udp \ to-addresses=x.x.254.2add action=accept chain=srcnat disabled=yes dst-address=x.x.11.0/24 \ src-address=x.x.252.0/23add action=src-nat chain=srcnat comment=\ "ExchangeSMTP Outbound to AussieBB IP: x.x.x.12 " dst-port=25 \ out-interface=bridge1 protocol=tcp src-address=x.x.120.6 \ to-addresses=x.x.x.12add action=src-nat chain=srcnat comment=\ "Exchange 2016 SMTP Outbound to AussieBB IP: x.x.x.12 " \ dst-port=25 out-interface=bridge1 protocol=tcp src-address=x.x.x.7 \ to-addresses=x.x.x.12add action=src-nat chain=srcnat comment="Plex Outbound on x.x.x.x.173 \ \_ AussieBB: x.x.x.10\r\ \n" disabled=yes log=yes log-prefix="PLEX OUT" out-interface=bridge1 \ protocol=tcp src-address=x.x.x.215 to-addresses=x.x.x.11add action=dst-nat chain=dstnat comment="Plex Inbound \ .173 - AussieBB:x.x.x.10\r\ \n" disabled=yes dst-address=x.x.x.11 dst-port=32400 in-interface=\ bridge1 log-prefix="PLEX IN" protocol=tcp to-addresses=x.x.150.56add action=masquerade chain=srcnat comment="default configuration" \ dst-address=0.0.0.0/0 out-interface=bridge1 src-address-list=\ InsideNetworksadd action=dst-nat chain=dstnat comment="Exchange 2016 OWA Inbound" \ dst-address=x.x.x.11 dst-port=443 in-interface=bridge1 protocol=tcp \ to-addresses=x.x.x.7 to-ports=443add action=dst-nat chain=dstnat comment="Exchange OWA inbound" dst-address=\ x.x.x.12 dst-port=443 in-interface=bridge1 log-prefix=Exchange port=\ "" protocol=tcp to-addresses=x.x.x.7add action=dst-nat chain=dstnat disabled=yes dst-address=x.x.x.11 \ dst-port=443 in-interface=bridge1 protocol=tcp to-addresses=x.7add action=dst-nat chain=dstnat disabled=yes dst-port=21 protocol=tcp \ to-addresses=x.x.150.65 to-ports=21add action=dst-nat chain=dstnat comment="SMTP Inbound to Exchange" \ dst-address=x.x.x.12 dst-port=25 in-interface=bridge1 protocol=tcp \ src-address-list=MXGuardDog to-addresses=x.x.x.7add action=dst-nat chain=dstnat comment="SMTP to Exchange" disabled=yes \ dst-port=25 in-interface=ether1-gateway log=yes protocol=tcp \ to-addresses=x.x.120.6add action=dst-nat chain=dstnat comment="SSH Inbound to Gateway VM" \ dst-address=x.x.x.11 dst-port=22 in-interface=bridge1 protocol=tcp \ to-addresses=x.x.120.10add action=accept chain=srcnat disabled=yes dst-address=x.x.x.11 \ dst-port=32400 log=yes protocol=tcpadd action=masquerade chain=srcnat comment="defconf: masquerade" \ out-interface=bridge1add action=masquerade chain=srcnat comment="masq. vpn traffic"/ip firewall service-portset sip disabled=yes/ip ipsec identityadd notrack-chain=output peer=peer1/ip ipsec policyset 0 disabled=yesadd disabled=yes dst-address=10.253.11.0/24 proposal=mikrotik sa-dst-address=\ 180.150.13.138 sa-src-address=x.x.x.12 src-address=x.x.252.0/23 \ tunnel=yesadd dst-address=10.253.11.0/24 proposal=mikrotik sa-dst-address=\ 180.150.13.138 sa-src-address=x.x.x.12 src-address=x.x.0.0/16 \ tunnel=yes/ip routexxxx/ip serviceset telnet address=x.x.150.0/24set ftp address=x.x.150.0/24set www address=x.x.150.0/24set ssh address=x.x.150.0/24set api address=x.x.150.0/24set winbox address=x.x.150.0/24set api-ssl address=x.x.150.0/24/ip traffic-flowset cache-entries=128k enabled=yes/ip upnpset allow-disable-external-interface=yes enabled=yes/ip upnp interfacesadd interface=ether2-master-local type=internal/lcdset time-interval=hour/lcd interfaceadd interface=bridge1/lcd interface pagesset 0 interfaces="ether1-gateway,ether2-master-local,ether3-slave-local,ether4\ -slave-local,ether5-slave-local,sfp1,bridge1,ether7-slave-local,ether8-sla\ ve-local,ether9-slave-local,ether10-slave-local"/ppp secretadd name=xxxx service=ovpnadd local-address=x.x.21.4 name=xxxx remote-address=x.x.21.100 \ service=ovpn/snmpset enabled=yes trap-community=xxxxx trap-interfaces=\ ether2-master-local trap-version=2/system clockset time-zone-name=Australia/Melbourne/system identityset name=xxx/system loggingset 2 action=remoteadd action=remote disabled=yes topics=packetadd disabled=yes topics=infoadd disabled=yes topics=firewall/system ntp clientset enabled=yes primary-ntp=192.189.54.33 secondary-ntp=13.55.50.68 \ server-dns-names=""/tool graphing interfaceadd/tool mac-serverset allowed-interface-list=mactel/tool mac-server mac-winboxset allowed-interface-list=mac-winbox/tool snifferset filter-interface=bridge1 filter-ip-protocol=udp \ filter-operator-between-entries=and filter-port=https memory-limit=\ 1000KiB