Коллеги, добрый день. Внезапно выявил крайне низкую скорость загрузки на сервера за проброшенными портами. Скорость загрузки не превышает 10-15 мегабит. Только через правило проброса портов. Внутри сети - проблем нет. Speedtest - прокачивает полную скорость канала. Проверено на RDP и Web серверах. Скорость одинаковая, железки и порты разные. Fasttrack присутствует, правила "accept established,related" стоят первыми. Загрузки на процессоре нет. Загрузки канала - нет. Отключение всех правил firewall никакого эффекта не дало. Железка - 4011, ROS - 6.48. ISP - 1 Гигабит туда-сюда. Куда копать? Спасибо. Код:
# RouterOS /export from the RB4011 in the question (ROS 6.48). Public addresses and
# secrets were redacted by the poster to xxx.xxx.xxx.xxx. Line breaks restored to
# the usual export layout (`\` = line continuation); only comments were added.
/caps-man channel
/interface bridge
add admin-mac=B8:69:F4:92:26:12 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether10 answers ARP on behalf of other hosts (proxy-arp); it is also a bridge port below.
set [ find default-name=ether10 ] arp=proxy-arp
# NOTE(review): the WAN port (sfp-sfpplus1, see /interface list member) advertises
# only 1000M-half,1000M-full. If the link settled at half duplex, throughput would
# suffer regardless of firewall rules — worth confirming the negotiated mode.
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-half,1000M-full
/interface pptp-server
/interface ipip
# NOTE(review): the `add` keyword and local-address= of these three tunnels are
# missing — presumably lost while redacting, not a real config defect.
name=ipip-tunnel1 remote-address=xxx.xxx.xxx.xxx
name=ipip-tunnel2 remote-address=xxx.xxx.xxx.xxx
name=ipip-tunnel3 remote-address=xxx.xxx.xxx.xxx
/caps-man datapath
add bridge=bridge local-forwarding=yes name=datapath1
/caps-man security
# WPA2-PSK / AES-CCMP for CAPsMAN-managed APs; passphrase redacted.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security1 passphrase=xxx.xxx.xxx.xxx
/caps-man configuration
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# Options 66/150 (TFTP server) — presumably for IP phones or PXE clients; value redacted.
add code=66 name="tftp 66" value="'xxx.xxx.xxx.xxx'"
add code=150 name="tftp 150" value="'xxx.xxx.xxx.xxx'"
/ip ipsec profile
# NOTE(review): modp1024 / 3DES / MD5 are legacy IKE parameters; both profiles and
# the default proposal below use them. Whether they can be raised depends on what
# the three remote peers support — confirm before changing.
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile1 \
    nat-traversal=no
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile2 \
    nat-traversal=no
/ip ipsec peer
# All three peers use profile1; profile2 is defined but unreferenced in this export.
add address=xxx.xxx.xxx.xxx/32 name=peer1 profile=profile1
add address=xxx.xxx.xxx.xxx/32 name=peer3 profile=profile1
add address=xxx.xxx.xxx.xxx/32 name=peer2 profile=profile1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=192.168.0.20-192.168.0.120
add name=vpn_pool1 ranges=192.168.5.10-192.168.5.20
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
    interface=bridge lease-time=12h name=dhcp1
/ppp profile
/routing ospf instance
set [ find default=yes ] router-id=192.168.0.1
/user group
/caps-man manager
/caps-man provisioning
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
# NOTE(review): ether1 is a bridge port here, yet /ip dhcp-client below still runs
# on ether1 (defconf leftover). The WAN address is static on sfp-sfpplus1.
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp-sfpplus1 list=WAN
/interface pptp-server server
# PPTP server is on; tcp/1723 is accepted from any interface by the input rule
# "accept VPN" below. Clients get addresses from 192.168.5.0/24 (pptp-in1).
set enabled=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=xxx.xxx.xxx.xxx/30 interface=sfp-sfpplus1 network=xxx.xxx.xxx.xxx
add address=10.10.1.22/30 interface=ipip-tunnel1 network=10.10.1.20
add address=10.10.2.2/30 interface=ipip-tunnel3 network=10.10.2.0
add address=10.10.3.2/30 interface=ipip-tunnel2 network=10.10.3.0
add address=192.168.5.1/24 interface=pptp-in1 network=192.168.5.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
# Hands out TFTP options 66/150, next-server, WINS, NTP and two resolvers
# (an external one plus this router).
add address=192.168.0.0/24 caps-manager=192.168.0.1 dhcp-option=\
    "tftp 66,tftp 150" dns-server=xxx.xxx.xxx.xxx,192.168.0.1 gateway=192.168.0.1 \
    next-server=xxx.xxx.xxx.xxx ntp-server=xxx.xxx.xxx.xxx wins-server=xxx.xxx.xxx.xxx
/ip dns
# The router resolves for clients. Reachability of the resolver from WAN is
# governed by the input chain (final "drop all not coming from LAN").
set allow-remote-requests=yes servers=xxx.xxx.xxx.xxx
/ip dns static
add address=192.168.88.1 disabled=yes name=router.lan
/ip firewall address-list
# NOTE(review): no static entries here, but the filter/NAT rules below reference
# lists LOC, VitroCAD and "DNS Free" — confirm how those lists are populated.
/ip firewall filter
# Input chain, in order: accept established/related/untracked -> drop invalid ->
# accept ICMP -> accept WinBox 8291 -> accept 1723 -> accept OSPF -> drop !LAN.
# NOTE(review): "accept WinBox" and "accept OSPF" carry no in-interface-list or
# src-address restriction, so they match on WAN ahead of the final drop.
# Forward chain: fasttrack is second; packets of a fasttracked connection bypass
# the remaining filter rules, so the rdp_* rules below only see connection-state=new.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# RDP/PPTP brute-force throttling (forward chain, evaluated top-down): a NEW tcp
# connection to 3389/1723 from outside 192.168.0.0/16 and not in list LOC puts the
# source in rdp_stage1 (5m); another within that window -> rdp_stage2 (15m); the
# next -> rdp_stage3 (30m); the next -> rdp_blacklist (1w3d), enforced by this drop.
# The drop has no connection-state=new, but established traffic was accepted above.
add action=drop chain=forward dst-port=3389,1723 protocol=tcp \
    src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w3d chain=forward connection-state=new dst-port=\
    3389,1723 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=30m chain=forward connection-state=new dst-port=\
    3389,1723 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=15m chain=forward connection-state=new dst-port=\
    3389,1723 protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=\
    3389,1723 protocol=tcp src-address=!192.168.0.0/16 src-address-list=\
    !LOC
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="accept WinBox" dst-port=8291 protocol=\
    tcp
add action=accept chain=input comment="accept VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="accept OSPF" protocol=ospf
add action=accept chain=input comment="accept Btest" disabled=yes dst-port=\
    2000 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# New WAN connections that were not dst-nat'ed are dropped; dst-nat'ed ones fall
# through the chain and are forwarded (no explicit accept needed).
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Full 1:1 forward (no protocol/port limit) from one specific source to one host.
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx src-address=\
    xxx.xxx.xxx.xxx to-addresses=xxx.xxx.xxx.xxx
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="MailServer HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=xxx.xxx.xxx.xxx
# to-ports=8080 equals dst-port and is redundant, as the reply in the thread notes.
add action=dst-nat chain=dstnat comment="HTTP" dst-port=8080 \
    in-interface-list=WAN protocol=tcp to-addresses=xxx.xxx.xxx.xxx to-ports=\
    8080
add action=dst-nat chain=dstnat comment="MailServer HTTPS" dst-port=443,444 \
    in-interface-list=WAN protocol=tcp to-addresses=xxx.xxx.xxx.xxx
# NOTE(review): besides the mail ports this exposes 389 (LDAP, cleartext) and 1000
# to the Internet — confirm both are meant to be reachable from WAN.
add action=dst-nat chain=dstnat comment="MailServer Mail Exchange Ports" \
    dst-port=25,110,143,465,995,993,1000,389 in-interface-list=WAN protocol=\
    tcp to-addresses=xxx.xxx.xxx.xxx
# External 3333 -> internal 3389, only for sources in list VitroCAD.
# NOTE(review): log-prefix is set but log=yes is not, so presumably nothing is logged.
add action=dst-nat chain=dstnat comment="MailServer RDP" dst-port=3333 \
    in-interface-list=WAN log-prefix=RDP_SBor protocol=tcp src-address-list=\
    VitroCAD to-addresses=xxx.xxx.xxx.xxx to-ports=3389
# UDP/53 from list "DNS Free" goes to 8.8.8.8; this rule precedes the loopback
# redirect below, so those sources never reach the router's own resolver.
add action=dst-nat chain=dstnat comment="DNS for Free" dst-port=53 protocol=\
    udp src-address-list="DNS Free" to-addresses=8.8.8.8 to-ports=53
# All other UDP/53 arriving on the bridge is redirected to this router.
add action=redirect chain=dstnat comment="DNS Loopback" dst-port=53 \
    in-interface=bridge protocol=udp
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=peer1 secret=xxx.xxx.xxx.xxx
add peer=peer2 secret=xxx.xxx.xxx.xxx
add peer=peer3 secret=xxx.xxx.xxx.xxx
/ip ipsec policy
add dst-address=xxx.xxx.xxx.xxx/32 peer=peer1 src-address=xxx.xxx.xxx.xxx/32
add dst-address=xxx.xxx.xxx.xxx/32 peer=peer2 src-address=xxx.xxx.xxx.xxx/32
add dst-address=xxx.xxx.xxx.xxx/32 peer=peer3 src-address=xxx.xxx.xxx.xxx/32
/ip route
# Default route plus one disabled static route via ipip-tunnel1; OSPF carries the rest.
add distance=1 gateway=xxx.xxx.xxx.xxx
add disabled=yes distance=10 dst-address=192.168.1.0/24 gateway=10.10.1.21 \
    scope=20
/ip service
# telnet/ftp/api-ssl off; www (moved to 8080) and ssh limited to 192.168.0.0/16.
# NOTE(review): `api` is not in the export, so it keeps its default state; WinBox
# is not an /ip service entry here and is governed only by the input filter.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16 port=8080
set ssh address=192.168.0.0/16
set api-ssl disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes lets a client negotiate an SSH session with
# no encryption; forwarding-enabled=remote allows remote port forwarding through
# the router. Both widen what an SSH login can do — confirm they are needed.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
/routing ospf interface
# Only ipip-tunnel1 has an explicit OSPF interface entry (cost=5, p2p); the other
# tunnels use defaults. NOTE(review): no OSPF authentication appears in this export.
add cost=5 interface=ipip-tunnel1 network-type=point-to-point
/routing ospf network
add area=backbone network=10.10.1.20/30
add area=backbone network=192.168.0.0/24
add area=backbone network=10.10.2.0/30
add area=backbone network=10.10.3.0/30
add area=backbone network=192.168.5.0/24
/snmp
# SNMP enabled, interface traps to a single target, trap-version=3; contact/location empty.
set contact= enabled=yes location= trap-generators=\
    interfaces trap-interfaces=all trap-target=xxx.xxx.xxx.xxx trap-version=3
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name="RB4011"
/system logging
add topics=e-mail
add topics=script
add disabled=yes topics=ospf
/system ntp client
# NOTE(review): primary and secondary NTP point at the same address, so there is no fallback.
set enabled=yes primary-ntp=216.239.35.8 secondary-ntp=216.239.35.8
/system ntp server
# Serves NTP to the LAN by broadcast and multicast.
set broadcast=yes enabled=yes manycast=no multicast=yes
/system scheduler
/system script
/tool mac-server
# MAC-telnet and MAC-WinBox limited to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Из оптимизации не надо указывать в dst-nat новый порт, если вы его не меняете. Но это не ваш случай. Начните копать в направлении MTU. Убедитесь, что на бридже и на интерфейсе сервера одно и то же L3 MTU. После убедитесь, что у вас проходят пакеты полной длины.