Здравствуйте, меняем у клиентов оборудование с делинков, зукселей и прочей ерунды на микротики, конфигурация примерно одна и та же. Вопрос в том, что у одних клиентов нестабильно работает интернет, когда они просматривают архивы камер линия: они постоянно подвисают. Для них это критично, на предыдущем dir-615 всё прекрасно работает. При работе проц микротика не напрягается выше 30-40 процентов. Проблема, наверно, в том, что при работе нарастает за 2-3 сотни соединений, хотя в сети всего 3 компа смотрят интернет и сервак с рдп.
камеры вроде мегапиксельные 8 штук. хотя меня замеры интернета напрягают мы платим за 4 мегабита а у нас 60-70 входящих и под 90 исходящих навсякий случай скинул разделы firewall и nat но даже с девфолтными такая же ситуация

# RouterOS export of the firewall address-list, filter and nat sections as posted.
# Rules are evaluated top to bottom within a chain, so the order below matters.
# Only chain=input and the custom portKnocking chain appear in the filter section;
# no chain=forward rule is visible in this paste.

/ip firewall address-list
# Reserved/private ranges collected under the name BOGON.
# NOTE(review): no filter or nat rule in this paste references list=BOGON.
add address=0.0.0.0/8 list=BOGON
add address=10.0.0.0/8 list=BOGON
add address=100.64.0.0/10 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=172.16.0.0/12 list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=192.168.0.0/16 list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=224.0.0.0/4 list=BOGON

/ip firewall filter
# UDP/53 arriving on ether1: the first rule lists the source for 1h, the second drops
# listed sources. Because the listing rule runs first, the packet that gets a source
# listed is dropped by the next rule as well. TCP/53 is not covered by these two rules.
# NOTE(review): UDP source addresses can be forged, so entries in this list are not
# proof of who sent the query.
add action=add-src-to-address-list address-list="dns spoofing " address-list-timeout=1h chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp src-address-list="dns spoofing "

# Port knocking: ICMP addressed to 55.55.55.55 is sent to the portKnocking chain, where
# three packets of sizes 460, 549 and 626 (each within 5s of the previous one) put the
# source into AllowRDP for 30m.
# NOTE(review): 55.55.55.55 is presumably a stand-in for the real WAN address - confirm.
# NOTE(review): the packet sizes are the knock secret; once published they should be
# changed on the production routers.
add action=jump chain=input comment="port knocking check" dst-address=55.55.55.55 jump-target=portKnocking protocol=icmp
add action=add-src-to-address-list address-list=checkLevelOne address-list-timeout=5s chain=portKnocking comment=CheckLevelOne packet-size=460 protocol=icmp
add action=add-src-to-address-list address-list=checkLevelTwo address-list-timeout=5s chain=portKnocking comment=CheckLevelTwo packet-size=549 protocol=icmp \
    src-address-list=checkLevelOne
add action=add-src-to-address-list address-list=AllowRDP address-list-timeout=30m chain=portKnocking comment=AllowRDP packet-size=626 protocol=icmp src-address-list=\
    checkLevelTwo
add action=return chain=portKnocking

# "Perebor portov" = port probing. Any TCP packet from ether1 to 22, 3389 or 5060 lists
# the source for 30m and is logged with prefix "Attack"; listed sources are then dropped
# for all input traffic on ether1.
add action=add-src-to-address-list address-list=perebor_portov_drop address-list-timeout=30m chain=input comment=Perebor_portov_add_list dst-port=22,3389,5060 \
    in-interface=ether1 log=yes log-prefix=Attack protocol=tcp
add action=drop chain=input comment=Perebor_portov_list_drop in-interface=ether1 src-address-list=perebor_portov_drop

# Rate-limited ICMP accept on ether1.
# NOTE(review): "2acket" is reproduced as posted; it looks like the forum swallowed the
# ":p" of limit=50/5s,2:packet - confirm against the router's own export.
# NOTE(review): no later rule shown here drops ICMP that exceeds the limit.
add action=accept chain=input comment=Allow_limited_pings in-interface=ether1 limit=50/5s,2acket protocol=icmp

# Per-address TCP connection limit (more than 200 connections per /32) on ether1.
# NOTE(review): the listing rule uses add-dst-to-address-list, which records the
# DESTINATION address of the packet, while the drop rule matches src-address-list. On
# chain=input the destination is the router itself, so the offending source is never
# listed. If the intent is to block the source, action=add-src-to-address-list is the
# matching action - verify before changing.
add action=add-dst-to-address-list address-list=connection-limit address-list-timeout=1d chain=input comment=Connection_limit connection-limit=200,32 in-interface=ether1 \
    protocol=tcp
add action=drop chain=input comment=Adr_list_connection-limit_drop in-interface=ether1 src-address-list=connection-limit

# Port-scan detection block. Every rule here carries disabled=yes, so none of it is
# active. The psd rule and the "fin without other flags" rule each appear twice.
add action=drop chain=input comment=Port_scanner_drop disabled=yes src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=yes in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=yes in-interface=ether1 protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=yes in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=yes in-interface=ether1 protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=yes in-interface=ether1 protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=yes in-interface=ether1 protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=yes in-interface=ether1 protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=yes in-interface=ether1 protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=yes in-interface=ether1 protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg

# Staged throttle for new connections to 5323, 5324 and 33789 on ether1: each new
# connection promotes the source one stage (stage1 -> stage2 -> stage3 -> black_list),
# each stage lasting 1m; black_list entries last 5m and are dropped by the first rule.
# NOTE(review): these rules name port 33789, but the accept rule further down names
# 33788. 33789 is also the to-ports value of the dst-nat rule, and dst-nat'ed traffic is
# forwarded rather than delivered to chain=input - confirm which port the router
# service really listens on, otherwise one of the management ports is not throttled.
add action=drop chain=input comment=Drop_winbox_black_list dst-port=5323,5324,33789 in-interface=ether1 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=5m chain=input comment=Winbox_add_black_list connection-state=new dst-port=5323,5324,33789 \
    in-interface=ether1 protocol=tcp src-address-list=Winbox_Ssh_stage3
add action=add-src-to-address-list address-list=Winbox_Ssh_stage3 address-list-timeout=1m chain=input comment=Winbox_Ssh_stage3 connection-state=new dst-port=\
    5323,5324,33789 in-interface=ether1 protocol=tcp src-address-list=Winbox_Ssh_stage2
add action=add-src-to-address-list address-list=Winbox_Ssh_stage2 address-list-timeout=1m chain=input comment=Winbox_Ssh_stage2 connection-state=new dst-port=\
    5323,5324,33789 in-interface=ether1 protocol=tcp src-address-list=Winbox_Ssh_stage1
add action=add-src-to-address-list address-list=Winbox_Ssh_stage1 address-list-timeout=1m chain=input comment=Winbox_Ssh_stage1 connection-state=new dst-port=\
    5323,5324,33789 in-interface=ether1 protocol=tcp

# Accept rules.
# NOTE(review): the "Allow RDP" rule sits in chain=input and names ports 4565,4355,
# whereas the RDP dst-nat below uses dst-port=25895 -> 33789; what listens on 4565/4355
# on the router is not visible here.
# NOTE(review): Accept_Winbox_Ssh accepts the management ports from any source on
# ether1 that is not currently black-listed.
add action=accept chain=input comment="Allow RDP from PortKnockin authorized" dst-port=4565,4355 protocol=tcp src-address-list=AllowRDP
add action=accept chain=input comment=Accept_Winbox_Ssh dst-port=5323,5324,33788 in-interface=ether1 protocol=tcp

# The last two rules have no action=, which in RouterOS means the default action accept.
# NOTE(review): established/related traffic is accepted only after every rule above
# has been evaluated; the stock configuration places this accept first.
# NOTE(review): no closing "drop everything else from ether1" rule is visible in
# chain=input. If the paste is complete, packets that match none of the drop rules are
# accepted by default, so the accept rules above restrict nothing.
add chain=input comment=Established_Wan_Accept connection-state=established
add chain=input comment=Related_Wan_Accept connection-state=related

/ip firewall nat
# Source NAT for traffic leaving through ether1.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
# RDP port forward: TCP 25895 on ether1 -> 192.168.2.106:33789, only for sources that
# completed the knock (AllowRDP).
add action=dst-nat chain=dstnat comment=rdp dst-port=25895 in-interface=ether1 protocol=tcp src-address-list=AllowRDP to-addresses=192.168.2.106 to-ports=33789
# The service-port section header was posted without any entries.
/ip firewall service-port
В пробросе портов ничего, кроме рдп, нет. Через него смотрите? У меня оно тоже тупит дико. Судя по тому, что вы больше ничего не писали, нашли решение?