AntHTML, 2019-01-28 12:42:29

Mikrotik breaks heavy/hanging SMB connections, what's wrong?

I'm trying to implement L3 routing in one organization: in practice it just means splitting one large flat network into 5 smaller ones.
I installed a 2011uai-rs and set up filtering rules; packets flow fine and everything seems normal, but today I ran into one big problem.
The situation: the network has servers 192.168.1.10/24 and 192.168.1.87/24 that host several programs (1c77, clipper, business info) which are accessed via SMB (shortcuts are simply shared out, or dbf files are read directly).
Everything works fine on the flat network, but after moving clients to the 192.168.4.x/26 and 192.168.3.x/29 segments, the WinXP computers lose contact with these applications: network errors such as External exception C0000006, read errors and outright crashes. Meanwhile the same programs on Win7/8 seem to work without failures.
It seems to me that the MikroTik somehow breaks long-lived/heavy connections or packets, and XP cannot recover them on the fly. Can you tell me where I could have gone wrong or left something out in the firewall, such that only long-lived/heavy packets are cut off?
Light traffic such as RDP, Internet and opening files goes through without problems.

export compact

# Review notes (added): this is an 'export compact' dump, which omits properties
# left at their defaults. In particular, 'add chain=...' lines with no action=
# are accept rules, and the only drop rules in the filter (the last three) are
# disabled=yes.
/interface bridge
add name=bridge1-pro
add name=bridge2-file
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1-adm ranges=192.168.4.40-192.168.4.60
add name=pool2-guest ranges=192.168.8.20-192.168.8.60
/ip dhcp-server
add address-pool=pool1-adm authoritative=after-2sec-delay disabled=no interface=ether9-adm lease-time=\
1d name=dhcp-adm
# NOTE(review): pool2-guest hands out 192.168.8.x, but this server is bound to
# ether2-file, which is listed below as a port of bridge2-file (192.168.3.0/29).
# The 192.168.8.0/26 address sits on ether1-guest. Looks like the wrong
# interface -- confirm against the running config.
add address-pool=pool2-guest authoritative=after-2sec-delay disabled=no interface=ether2-file \
lease-time=1d name=dhcp-guest
/port
set 1 baud-rate=9600 data-bits=8 flow-control=none name=usb2 parity=none stop-bits=1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb2
/interface bridge port
add bridge=bridge2-file interface=ether3-file
add bridge=bridge2-file interface=ether4-file
add bridge=bridge1-pro comment="proizvodstvo network" interface=ether6-pro
add bridge=bridge1-pro interface=ether7-pro
add bridge=bridge1-pro interface=ether8-pro
add bridge=bridge2-file comment="fileserver and sysadmnin network" interface=ether2-file
/ip address
# ether10-wan is the old flat 192.168.1.0/24 segment, i.e. where the
# 192.168.1.10 / 192.168.1.87 file servers from the question live.
add address=192.168.1.3/24 interface=ether10-wan network=192.168.1.0
add address=192.168.2.1/29 interface=ether5-db network=192.168.2.0
add address=192.168.3.1/29 interface=bridge2-file network=192.168.3.0
add address=192.168.4.1/26 interface=ether9-adm network=192.168.4.0
add address=192.168.5.1/26 interface=bridge1-pro network=192.168.5.0
add address=192.168.8.1/26 interface=ether1-guest network=192.168.8.0
/ip dhcp-server network
add address=192.168.4.0/26 dns-server=192.168.4.1,82.209.200.16,82.209.200.17,8.8.8.8,1.1.1.1 gateway=\
192.168.4.1 netmask=26
add address=192.168.8.0/26 dns-server=192.168.8.1,82.209.200.16,82.209.200.17,8.8.8.8,1.1.1.1 gateway=\
192.168.8.1 netmask=26
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything that can
# reach its input chain; the udp/53 input rules below limit that by
# src-address, but only once the input drop rule is enabled.
set allow-remote-requests=yes query-server-timeout=4s servers=\
82.209.200.16,82.209.200.17,8.8.8.8,1.1.1.1
/ip firewall filter
# Review notes: every rule in this section is an accept, and the catch-all
# drops at the end are disabled=yes. RouterOS built-in chains accept packets
# that no rule matched, so as exported this filter blocks nothing and is
# unlikely to be what tears down the SMB sessions described in the question.
# The notes below describe what will happen once the drops are enabled.
add action=accept chain=forward comment="ICMP PING" protocol=icmp
add action=accept chain=forward comment="TO DB" dst-address=192.168.2.0/29 dst-port=80,443,3389 \
in-interface=bridge2-file out-interface=ether5-db protocol=tcp src-address=192.168.3.0/29
# Reverse direction is matched on src-port= rather than on
# connection-state=established,related (the pattern the "FORWARD INTERNET"
# rules further down use). Source ports are chosen by the sender, so this
# admits any new TCP connection from 192.168.2.0/29 that uses one of those
# source ports. The same pattern repeats for the other segment pairs below.
add action=accept chain=forward dst-address=192.168.3.0/29 in-interface=ether5-db out-interface=\
bridge2-file protocol=tcp src-address=192.168.2.0/29 src-port=80,443,3389
add action=accept chain=forward dst-address=192.168.2.0/29 dst-port=3389 in-interface=ether9-adm \
out-interface=ether5-db protocol=tcp src-address=192.168.4.0/26
add action=accept chain=forward dst-address=192.168.4.0/26 in-interface=ether5-db out-interface=\
ether9-adm protocol=tcp src-address=192.168.2.0/29 src-port=3389
add action=accept chain=forward dst-address=192.168.2.0/29 dst-port=3389 in-interface=bridge1-pro \
out-interface=ether5-db protocol=tcp src-address=192.168.5.0/26
add action=accept chain=forward dst-address=192.168.5.0/26 in-interface=ether5-db out-interface=\
bridge1-pro protocol=tcp src-address=192.168.2.0/29 src-port=3389
# NOTE(review): this rule (and the 192.168.5.0/26 -> 192.168.3.0/29 rule and
# the IPMI rules below) requires BOTH src-port and dst-port to be in the list.
# A client normally connects from an ephemeral source port, so once the drops
# are enabled a regular SMB session from 192.168.2.0/29 to 192.168.3.0/29
# would not match here -- presumably not what was intended; confirm.
add action=accept chain=forward comment="NETWORK FILE" dst-address=192.168.3.0/29 dst-port=139,445 \
in-interface=ether5-db out-interface=bridge2-file protocol=tcp src-address=192.168.2.0/29 \
src-port=139,445
# src-port="" / port="" below are empty; presumably leftovers from editing
# with no effect on matching -- confirm.
add action=accept chain=forward dst-address=192.168.3.0/29 dst-port=80,139,445,3389,8080 in-interface=\
ether9-adm out-interface=bridge2-file protocol=tcp src-address=192.168.4.0/26 src-port=""
add action=accept chain=forward dst-address=192.168.4.0/26 dst-port="" in-interface=bridge2-file \
out-interface=ether9-adm protocol=tcp src-address=192.168.3.0/29 src-port=80,139,445,3389,8080
add action=accept chain=forward dst-address=192.168.3.0/29 dst-port=139,445,3389 in-interface=\
bridge1-pro out-interface=bridge2-file port="" protocol=tcp src-address=192.168.5.0/26 src-port=\
139,445,3389
add action=accept chain=forward comment=IPMI dst-address=192.168.4.0/26 dst-port=\
80,443,623,5900,5901,5120,5123 in-interface=bridge2-file out-interface=ether9-adm protocol=tcp \
src-address=192.168.3.0/29 src-port=80,443,623,5900,5901,5120,5123
add action=accept chain=forward dst-address=192.168.4.0/26 dst-port=623 in-interface=bridge2-file \
out-interface=ether9-adm protocol=udp src-address=192.168.3.0/29 src-port=623
add action=accept chain=forward dst-address=192.168.3.0/29 dst-port=80,443,623,5900,5901,5120,5123 \
in-interface=ether9-adm out-interface=bridge2-file protocol=tcp src-address=192.168.4.0/26 \
src-port=80,443,623,5900,5901,5120,5123
add action=accept chain=forward dst-address=192.168.3.0/29 dst-port=623 in-interface=ether9-adm \
out-interface=bridge2-file protocol=udp src-address=192.168.4.0/26 src-port=623
# ether10-wan carries 192.168.1.0/24, so these "internet" rules are also what
# permits client -> file-server SMB traffic from each segment.
add action=accept chain=forward comment="FORWARD INTERNET" connection-state=established,new \
in-interface=ether1-guest out-interface=ether10-wan src-address=192.168.8.0/26
add chain=forward connection-state=established,new in-interface=ether5-db out-interface=ether10-wan \
src-address=192.168.2.0/29
add chain=forward connection-state=established,new in-interface=bridge2-file out-interface=ether10-wan \
src-address=192.168.3.0/29
# NOTE(review): only the ether9-adm <-> ether10-wan pair (here and in the
# return rule below) also accepts connection-state=invalid and untracked; the
# other segments accept established,related for the return path. Dropping
# invalid packets is the usual practice; this asymmetry looks unintentional --
# confirm.
add action=accept chain=forward connection-state=invalid,established,related,new,untracked \
in-interface=ether9-adm out-interface=ether10-wan src-address=192.168.4.0/26
add action=accept chain=forward connection-state=established,new in-interface=bridge1-pro \
out-interface=ether10-wan src-address=192.168.5.0/26
add action=accept chain=forward connection-state=established,related in-interface=ether10-wan \
out-interface=ether1-guest
add chain=forward connection-state=established,related in-interface=ether10-wan out-interface=\
ether5-db
add chain=forward connection-state=established,related in-interface=ether10-wan out-interface=\
bridge2-file
add action=accept chain=forward connection-state=invalid,established,related,new,untracked \
in-interface=ether10-wan out-interface=ether9-adm
add chain=forward connection-state=established,related in-interface=ether10-wan out-interface=\
bridge1-pro
add action=accept chain=input comment="INPUT INTERNET" protocol=icmp
# Management (80 = web, 8291 = winbox, 22 = ssh) is allowed from every LAN
# segment; the input drop that would enforce this is disabled below.
add action=accept chain=input connection-state=new dst-port=80,8291,22 in-interface=ether1-guest \
protocol=tcp src-address=192.168.8.0/26
add chain=input connection-state=new dst-port=80,8291,22 in-interface=ether5-db protocol=tcp \
src-address=192.168.2.0/29
add chain=input connection-state=new dst-port=80,8291,22 in-interface=bridge2-file protocol=tcp \
src-address=192.168.3.0/29
add chain=input connection-state=new dst-port=80,8291,22 in-interface=ether9-adm protocol=tcp \
src-address=192.168.4.0/26
add chain=input connection-state=new dst-port=80,8291,22 in-interface=bridge1-pro protocol=tcp \
src-address=192.168.5.0/26
# Together with the mangle mark on dst-port=9999 and the dstnat redirect
# 9999 -> 80 further down, this opens the router's web interface to any host on
# ether10-wan that connects to TCP/9999. Treat it as deliberate management
# exposure and document it, or remove it.
add chain=input connection-mark=allow_in connection-state=new dst-port=80 in-interface=ether10-wan \
protocol=tcp
add chain=input connection-state=new dst-port=53,123 protocol=udp src-address=192.168.8.0/26
add chain=input connection-state=new dst-port=53,123 protocol=udp src-address=192.168.2.0/29
add chain=input connection-state=new dst-port=53,123 protocol=udp src-address=192.168.3.0/29
add chain=input connection-state=new dst-port=53,123 protocol=udp src-address=192.168.4.0/26
add chain=input connection-state=new dst-port=53,123 protocol=udp src-address=192.168.5.0/26
add chain=input connection-state=established,related
add chain=output connection-state=!invalid
add action=accept chain=forward comment="WEB CLI TO ACCESS POINT" dst-address=192.168.4.0/26 \
in-interface=bridge2-file out-interface=ether9-adm protocol=tcp src-address=192.168.3.0/29 \
src-port=80,445,8080
add action=accept chain=forward dst-address=192.168.3.0/29 dst-port=80,445,8080 in-interface=\
ether9-adm out-interface=bridge2-file protocol=tcp src-address=192.168.4.0/26 src-port=""
# All three catch-all drops are disabled, so none of the accept rules above
# currently have any effect.
add action=drop chain=input comment=DROP disabled=yes
add action=drop chain=output disabled=yes
add action=drop chain=forward disabled=yes
/ip firewall mangle
# No in-interface= restriction: any interface's TCP/9999 gets the allow_in mark.
add action=mark-connection chain=prerouting connection-state=new dst-port=9999 new-connection-mark=\
allow_in protocol=tcp
/ip firewall nat
# All five client segments are masqueraded towards ether10-wan, so the file
# servers on 192.168.1.0/24 see every client as 192.168.1.3 and every SMB
# session from the new segments passes through NAT. Whether that is what
# upsets the WinXP clients is not shown here, but it is one of the few things
# that differs between the old flat network and this setup for those sessions;
# plain routing to 192.168.1.0/24 (NAT only for real Internet traffic) would
# remove that variable.
add action=masquerade chain=srcnat out-interface=ether10-wan src-address=192.168.8.0/26
add action=masquerade chain=srcnat out-interface=ether10-wan src-address=192.168.2.0/29
add action=masquerade chain=srcnat out-interface=ether10-wan src-address=192.168.3.0/29
add action=masquerade chain=srcnat out-interface=ether10-wan src-address=192.168.4.0/26
add action=masquerade chain=srcnat out-interface=ether10-wan src-address=192.168.5.0/26
# No in-interface= here either, so the 9999 -> 80 redirect applies on every
# interface, including ether10-wan.
add action=redirect chain=dstnat dst-port=9999 protocol=tcp to-ports=80
/ip route
# Default gateway sits on the same ether10-wan segment as the file servers.
add comment="default route" distance=1 gateway=192.168.1.97


1 answer(s)
Kirill Maslov, 2019-02-08
@bziker

Maybe I'm overlooking what has already been thought through and done, BUT if some of the machines work and some don't, and the ones that don't all seem to share the same OS, then I'm 90% sure it isn't the network equipment configuration (but just in case, compare the MTU on the problematic machines and on the network nodes).
Have you tried these tweaks? I haven't got any other ideas yet
https://support.microsoft.com/en-us/help/2704157/v...
