Низкая скорость при пробросе портов

Тема в разделе "Общий форум", создана пользователем AlexLee, 18 янв 2021.

  1. AlexLee

    AlexLee Новый участник

    Коллеги, добрый день. Внезапно выявил крайне низкую скорость загрузки на сервера за проброшенными портами. Скорость загрузки не превышает 10-15 мегабит. Только через правило проброса портов. Внутри сети - проблем нет. Speedtest - прокачивает полную скорость канала. Проверено на RDP и Web серверах. Скорость одинаковая, железки и порты разные.
    Fasttrack присутствует, правила "accept established,related" стоят первыми. Загрузки на процессоре нет. Загрузки канала - нет. Отключение всех правил firewall никакого эффекта не дало. Железка - 4011, ROS - 6.48. ISP - 1 Гигабит туда-сюда. Куда копать?
    Спасибо.

    Код:
    # RouterOS export from the poster's RB4011 (ROS 6.48 per the post). Public
    # addresses, secrets and passphrases are masked as xxx.xxx.xxx.xxx. Sections
    # that appear empty were exported that way (export omits default values).
    /caps-man channel
    
    /interface bridge
    add admin-mac=B8:69:F4:92:26:12 auto-mac=no comment=defconf name=bridge
    /interface ethernet
    # ether10 is also a bridge port (see /interface bridge port); proxy-arp on it
    # makes the router answer ARP for any address it can route — confirm this is
    # intended rather than a leftover.
    set [ find default-name=ether10 ] arp=proxy-arp
    # WAN uplink advertises 1000M-half in addition to 1000M-full. If the peer ever
    # negotiates half duplex the result is collisions and low throughput — worth
    # checking the negotiated mode when chasing the speed issue (assumption, not
    # confirmed from this export).
    set [ find default-name=sfp-sfpplus1 ] advertise=1000M-half,1000M-full
    /interface pptp-server
    
    /interface ipip
     name=ipip-tunnel1 remote-address=xxx.xxx.xxx.xxx
     name=ipip-tunnel2 remote-address=xxx.xxx.xxx.xxx
     name=ipip-tunnel3 remote-address=xxx.xxx.xxx.xxx
    /caps-man datapath
    add bridge=bridge local-forwarding=yes name=datapath1
    /caps-man security
    # WPA2-PSK / AES-CCM for CAPsMAN-managed Wi-Fi; passphrase masked.
    add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
        name=security1 passphrase=xxx.xxx.xxx.xxx
    /caps-man configuration
    
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    /ip dhcp-server option
    add code=66 name="tftp 66" value="'xxx.xxx.xxx.xxx'"
    add code=150 name="tftp 150" value="'xxx.xxx.xxx.xxx'"
    /ip ipsec profile
    # Both profiles use 3DES / MD5 / modp1024 (DH group 2) — legacy parameters that
    # are no longer considered strong. They must match the remote peers, so any
    # upgrade (e.g. AES + SHA2 + a larger DH group) has to be coordinated with the
    # other ends. NAT traversal is explicitly disabled.
    add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile1 \
        nat-traversal=no
    add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile2 \
        nat-traversal=no
    /ip ipsec peer
    # profile2 is defined above but every peer uses profile1.
    add address=xxx.xxx.xxx.xxx/32 name=peer1 profile=profile1
    add address=xxx.xxx.xxx.xxx/32 name=peer3 profile=profile1
    add address=xxx.xxx.xxx.xxx/32 name=peer2 profile=profile1
    /ip ipsec proposal
    # Phase-2 proposal is likewise 3DES / MD5; same coordination caveat as above.
    set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
    /ip pool
    add name=dhcp_pool1 ranges=192.168.0.20-192.168.0.120
    add name=vpn_pool1 ranges=192.168.5.10-192.168.5.20
    /ip dhcp-server
    add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
        interface=bridge lease-time=12h name=dhcp1
    /ppp profile
    
    /routing ospf instance
    set [ find default=yes ] router-id=192.168.0.1
    /user group
    
    /caps-man manager
    
    /caps-man provisioning
    
    /interface bridge port
    add bridge=bridge comment=defconf interface=ether2
    add bridge=bridge comment=defconf interface=ether3
    add bridge=bridge comment=defconf interface=ether4
    add bridge=bridge comment=defconf interface=ether5
    add bridge=bridge comment=defconf interface=ether6
    add bridge=bridge comment=defconf interface=ether7
    add bridge=bridge comment=defconf interface=ether8
    add bridge=bridge comment=defconf interface=ether9
    add bridge=bridge comment=defconf interface=ether10
    # ether1 is a bridge member here but also has a DHCP client below
    # (/ip dhcp-client) — a DHCP client on a bridge port is unusual; verify it is
    # intended and not a leftover from the default WAN-on-ether1 layout.
    add bridge=bridge interface=ether1
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=sfp-sfpplus1 list=WAN
    /interface pptp-server server
    # PPTP server is enabled and reachable from the Internet (input chain accepts
    # tcp/1723 below). PPTP's MS-CHAPv2/MPPE is widely regarded as weak; prefer
    # an IPsec-based or other modern VPN for remote access if feasible.
    set enabled=yes
    /ip address
    add address=192.168.0.1/24 comment=defconf interface=bridge network=\
        192.168.0.0
    add address=xxx.xxx.xxx.xxx/30 interface=sfp-sfpplus1 network=xxx.xxx.xxx.xxx
    add address=10.10.1.22/30 interface=ipip-tunnel1 network=10.10.1.20
    add address=10.10.2.2/30 interface=ipip-tunnel3 network=10.10.2.0
    add address=10.10.3.2/30 interface=ipip-tunnel2 network=10.10.3.0
    add address=192.168.5.1/24 interface=pptp-in1 network=192.168.5.0
    /ip dhcp-client
    add comment=defconf interface=ether1
    /ip dhcp-server lease
    
    /ip dhcp-server network
    add address=192.168.0.0/24 caps-manager=192.168.0.1 dhcp-option=\
        "tftp 66,tftp 150" dns-server=xxx.xxx.xxx.xxx,192.168.0.1 gateway=192.168.0.1 \
        next-server=xxx.xxx.xxx.xxx ntp-server=xxx.xxx.xxx.xxx wins-server=xxx.xxx.xxx.xxx
    /ip dns
    # Router acts as a DNS resolver. Because the input chain below drops
    # everything not arriving from the LAN list (and has no udp/53 accept before
    # that drop), the resolver is not exposed to the WAN — keep it that way.
    set allow-remote-requests=yes servers=xxx.xxx.xxx.xxx
    /ip dns static
    add address=192.168.88.1 disabled=yes name=router.lan
    
    /ip firewall address-list
    # Exported as empty: the lists rdp_stage1..3 / rdp_blacklist are created
    # dynamically by the filter rules below; LOC, VitroCAD and "DNS Free" are
    # referenced but have no static entries here.
    
    /ip firewall filter
    # Rules are evaluated top-down per chain; order is significant.
    add action=accept chain=input comment=\
        "defconf: accept established,related,untracked" connection-state=\
        established,related,untracked
    # Fasttrack comes first in forward: matching packets bypass the remaining
    # forward rules, so anything below only sees new/untracked traffic.
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
        connection-state=established,related
    add action=accept chain=forward comment=\
        "defconf: accept established,related, untracked" connection-state=\
        established,related,untracked
    add action=accept chain=forward comment="defconf: accept in ipsec policy" \
        ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" \
        ipsec-policy=out,ipsec
    add action=drop chain=input comment="defconf: drop invalid" connection-state=\
        invalid
    add action=drop chain=forward comment="defconf: drop invalid" \
        connection-state=invalid
    # Staged rate-limit for RDP/PPTP (tcp 3389,1723): a source makes it to
    # rdp_blacklist after four new connections within the stage timeouts and is
    # then dropped for 1w3d. Note the forward chain sees the post-dst-nat port
    # (3389), not the public 3333 used in the NAT rule.
    add action=drop chain=forward dst-port=3389,1723 protocol=tcp \
        src-address-list=rdp_blacklist
    add action=add-src-to-address-list address-list=rdp_blacklist \
        address-list-timeout=1w3d chain=forward connection-state=new dst-port=\
        3389,1723 protocol=tcp src-address-list=rdp_stage3
    add action=add-src-to-address-list address-list=rdp_stage3 \
        address-list-timeout=30m chain=forward connection-state=new dst-port=\
        3389,1723 protocol=tcp src-address-list=rdp_stage2
    add action=add-src-to-address-list address-list=rdp_stage2 \
        address-list-timeout=15m chain=forward connection-state=new dst-port=\
        3389,1723 protocol=tcp src-address-list=rdp_stage1
    # src-address-list=!LOC: no LOC entries exist in this export, so the negated
    # match is true for every source unless LOC is filled elsewhere — verify.
    add action=add-src-to-address-list address-list=rdp_stage1 \
        address-list-timeout=5m chain=forward connection-state=new dst-port=\
        3389,1723 protocol=tcp src-address=!192.168.0.0/16 src-address-list=\
        !LOC
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    # WinBox (tcp/8291) and PPTP (tcp/1723) are accepted on input with no
    # in-interface / src-address restriction, and they sit above the
    # "drop all not coming from LAN" rule — i.e. both are reachable from the WAN.
    # Restricting WinBox to in-interface-list=LAN and/or a src-address-list of
    # trusted management addresses would close the management exposure.
    add action=accept chain=input comment="accept WinBox" dst-port=8291 protocol=\
        tcp
    add action=accept chain=input comment="accept VPN" dst-port=1723 protocol=tcp
    # OSPF accepted from any interface; consider in-interface-list=LAN or the
    # tunnel interfaces only, since OSPF areas below cover only internal nets.
    add action=accept chain=input comment="accept OSPF" protocol=ospf
    add action=accept chain=input comment="accept Btest" disabled=yes dst-port=\
        2000 protocol=tcp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
        in-interface-list=!LAN
    add action=drop chain=forward comment=\
        "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
        connection-state=new in-interface-list=WAN
    /ip firewall nat
    # 1:1 forward of all protocols/ports from one specific source to an internal
    # host (no protocol or port match). Narrow it if the peer only needs a few
    # services.
    add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx src-address=\
        xxx.xxx.xxx.xxx to-addresses=xxx.xxx.xxx.xxx
    add action=masquerade chain=srcnat comment="defconf: masquerade" \
        ipsec-policy=out,none out-interface-list=WAN
    # Published services. Everything below is reachable from the Internet on the
    # listed ports; the forward chain above only adds the RDP/PPTP staging.
    add action=dst-nat chain=dstnat comment="MailServer HTTP" dst-port=80 \
        in-interface-list=WAN protocol=tcp to-addresses=xxx.xxx.xxx.xxx
    # to-ports=8080 equals dst-port here and can be omitted (port unchanged).
    add action=dst-nat chain=dstnat comment="HTTP" dst-port=8080 \
        in-interface-list=WAN protocol=tcp to-addresses=xxx.xxx.xxx.xxx to-ports=\
        8080
    add action=dst-nat chain=dstnat comment="MailServer HTTPS" dst-port=443,444 \
        in-interface-list=WAN protocol=tcp to-addresses=xxx.xxx.xxx.xxx
    # Plain-text mail protocols (25/110/143) and LDAP (389) are exposed alongside
    # their TLS variants; confirm each is still required.
    add action=dst-nat chain=dstnat comment="MailServer Mail Exchange Ports" \
        dst-port=25,110,143,465,995,993,1000,389 in-interface-list=WAN protocol=\
        tcp to-addresses=xxx.xxx.xxx.xxx
    # RDP published on 3333 -> 3389, limited to the VitroCAD address list
    # (no static entries in this export — presumably maintained elsewhere).
    add action=dst-nat chain=dstnat comment="MailServer RDP" dst-port=3333 \
        in-interface-list=WAN log-prefix=RDP_SBor protocol=tcp src-address-list=\
        VitroCAD to-addresses=xxx.xxx.xxx.xxx to-ports=3389
    
    
    # Sources on the "DNS Free" list have their udp/53 queries rewritten to
    # 8.8.8.8; no in-interface restriction on this rule.
    add action=dst-nat chain=dstnat comment="DNS for Free" dst-port=53 protocol=\
        udp src-address-list="DNS Free" to-addresses=8.8.8.8 to-ports=53
    # Forces LAN clients to the router's own resolver.
    add action=redirect chain=dstnat comment="DNS Loopback" dst-port=53 \
        in-interface=bridge protocol=udp
    /ip firewall service-port
    set sip disabled=yes
    /ip ipsec identity
    # Pre-shared keys, masked.
    add peer=peer1 secret=xxx.xxx.xxx.xxx
    add peer=peer2 secret=xxx.xxx.xxx.xxx
    add peer=peer3 secret=xxx.xxx.xxx.xxx
    /ip ipsec policy
    add dst-address=xxx.xxx.xxx.xxx/32 peer=peer1 src-address=xxx.xxx.xxx.xxx/32
    add dst-address=xxx.xxx.xxx.xxx/32 peer=peer2 src-address=xxx.xxx.xxx.xxx/32
    add dst-address=xxx.xxx.xxx.xxx/32 peer=peer3 src-address=xxx.xxx.xxx.xxx/32
    /ip route
    add distance=1 gateway=xxx.xxx.xxx.xxx
    add disabled=yes distance=10 dst-address=192.168.1.0/24 gateway=10.10.1.21 \
        scope=20
    /ip service
    # telnet/ftp/api-ssl off; www and ssh limited to 192.168.0.0/16. The api and
    # winbox services are not listed, so they are at export defaults (cannot be
    # confirmed from here) — check they are disabled or address-restricted too.
    set telnet disabled=yes
    set ftp disabled=yes
    set www address=192.168.0.0/16 port=8080
    set ssh address=192.168.0.0/16
    set api-ssl disabled=yes
    /ip ssh
    # allow-none-crypto=yes permits SSH sessions with the "none" cipher, i.e. an
    # unencrypted session; set it to no. forwarding-enabled=remote allows remote
    # port forwarding over SSH — disable unless actually used.
    set allow-none-crypto=yes forwarding-enabled=remote
    /ppp secret
    
    /routing ospf interface
    add cost=5 interface=ipip-tunnel1 network-type=point-to-point
    /routing ospf network
    add area=backbone network=10.10.1.20/30
    add area=backbone network=192.168.0.0/24
    add area=backbone network=10.10.2.0/30
    add area=backbone network=10.10.3.0/30
    add area=backbone network=192.168.5.0/24
    /snmp
    # SNMP is enabled with v3 traps; the community configuration is not part of
    # this export (default values omitted), so check /snmp community is not left
    # at the default. The input chain has no udp/161 accept before the
    # "drop all not coming from LAN" rule, so polling is LAN-only as configured.
    set contact= enabled=yes location= trap-generators=\
        interfaces trap-interfaces=all trap-target=xxx.xxx.xxx.xxx trap-version=3
    /system clock
    set time-zone-name=Europe/Moscow
    /system identity
    set name="RB4011"
    /system logging
    add topics=e-mail
    add topics=script
    add disabled=yes topics=ospf
    /system ntp client
    # primary and secondary NTP are the same address — no redundancy.
    set enabled=yes primary-ntp=216.239.35.8 secondary-ntp=216.239.35.8
    /system ntp server
    set broadcast=yes enabled=yes manycast=no multicast=yes
    /system scheduler
    
    /system script
    
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN
     
  2. Илья Князев

    Илья Князев Администратор Команда форума

    В порядке оптимизации: в правиле dst-nat не надо указывать новый порт (to-ports), если вы его не меняете.
    Но это не ваш случай. Начните копать в направлении MTU. Убедитесь, что на бридже и на интерфейсе сервера одно и то же L3 MTU.
    После убедитесь, что у вас проходят пакеты полной длины.