Есть железячка CRS112-8G-4S, на борту прошивка 6.38. Поставили в ЦОД взамен ZyWALL 110. Сразу после подключения обнаружилась следующая проблема: загрузка CPU 100%, примерно 50 на 50 её делят между собой network и firewall, и, самое главное, скорость наружу не превышает 10–12 мегабит, а скорость внутри локальной сети между портами — до 940 мегабит. Конфигурация довольно простая: два WAN, один является выходом в интернет и точкой подключения двух IPsec-туннелей из офисов, второй WAN — только для работы почтового сервера с IP из другой подсети.
Прошу помощи: куда копать? Второй день бьёмся.
# RouterOS export (the post says v6.38 on a CRS112-8G-4S). Lines starting with
# "# NOTE(review):" are reviewer comments; every configuration line is unchanged.
# NOTE(review): the CRS112 is a switch chip with a small management CPU; routing,
# NAT, connection tracking and IPsec between the WAN ports and the LAN all run in
# software on that CPU (to my knowledge there is no IPsec offload on this model),
# which is consistent with the "network + firewall" CPU split described in the post.
# The cp1251-escaped comment= strings below decode to Russian, e.g.
# "\F0\E0\E7\F0\E5\F8\E0\E5\EC" = "разрешаем" (allow),
# "\E7\E0\EF\F0\E5\F9\E0\E5\EC" = "запрещаем" (deny); they are left byte-identical.
/interface ethernet
# NOTE(review): both WAN ports have auto-negotiation forced off; if the upstream
# side still autonegotiates, a duplex mismatch would show up as poor WAN throughput
# with high error counters — worth checking in /interface ethernet monitor.
set [ find default-name=ether1 ] auto-negotiation=no name=ether1-wan1
set [ find default-name=ether2 ] auto-negotiation=no loop-protect-disable-time=30s name=ether2-wan2
# ether4..ether8 are switched behind ether3+master; traffic between these ports
# presumably stays in the switch chip, which matches the ~940 Mbit LAN figure.
set [ find default-name=ether3 ] comment=msk name=ether3+master speed=1Gbps
set [ find default-name=ether4 ] comment=msk-nas1 master-port=ether3+master speed=1Gbps
set [ find default-name=ether5 ] master-port=ether3+master speed=1Gbps
set [ find default-name=ether6 ] comment=hyper-v master-port=ether3+master speed=1Gbps
set [ find default-name=ether7 ] master-port=ether3+master name=ether7-rezerve speed=1Gbps
set [ find default-name=ether8 ] comment=hyper-v3 master-port=ether3+master speed=1Gbps
set [ find default-name=sfp9 ] disabled=yes
set [ find default-name=sfp10 ] disabled=yes
set [ find default-name=sfp11 ] disabled=yes
set [ find default-name=sfp12 ] disabled=yes name=sfp12
/ip ipsec policy group
# The bare "set" below is an export artifact and is harmless.
set
add name=group2
add name=group3
add name=group4
/ip ipsec proposal
# NOTE(review): this is the phase-2 proposal used by every policy below (none of
# them sets proposal=, so they all use "default"). enc-algorithms=null means ESP
# carries the inter-office traffic WITHOUT encryption — only MD5 integrity — and
# pfs-group=none disables forward secrecy. If the data crossing these tunnels is
# meant to be confidential, agree an encrypted proposal with the remote sites
# (e.g. aes-128-cbc/aes-256-cbc with sha1 or sha256, pfs-group=modp2048); both
# ends must match. Note that this will raise CPU cost on this box, so measure it.
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=null lifetime=1d pfs-group=none
/ip address
add address=185.31.ххх.ххх/24 interface=ether1-wan1 network=185.31.ххх.0
add address=62.173.ххх.ххх/24 interface=ether2-wan2 network=62.173.ххх.0
add address=192.168.50.1/24 interface=ether3+master network=192.168.ххх.0
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver for anyone
# who reaches the input chain. Today the WAN-side input drops (last two input rules
# below) and the "access" address list bound that, but if those drops are ever
# disabled this becomes an open resolver on two public addresses.
set allow-remote-requests=yes servers=77.88.8.88,77.88.8.2
/ip firewall address-list
add address=83.69.ххх.ххх list=access
add address=62.173.ххх.ххх list=access
add address=192.168.ххх.ххх list=access
add address=213.170.ххх.ххх list=access
add address=195.182.ххх.ххх list=access
# NOTE(review): the forward rule further down references "lan-col-50.0", but the
# only LAN lists defined here are lan-50.0, lsn-100.0 and lsn-0.0 (possibly a
# redaction artifact — see the note at that rule).
add address=192.168.ххх.0/24 list=lan-50.0
add address=192.168.ххх.0/24 list=lsn-100.0
add address=192.168.ххх.0/24 list=lsn-0.0
add address=192.168.ххх.ххх list=Xxx-50.2
add address=192.168.ххх.ххх list=Mooble-50.7
add address=192.168.50.8 list=Openvpn-50.8
add address=192.168.50.10 list=Jira-50.10
add address=192.168.50.5 list=Hyper-v-50.5
add address=178.209.ххх.ххх list=access
/ip firewall filter
# NOTE(review): rule order matters here. The established,related accepts (input and
# forward) sit below several other rules, so every packet of an existing connection
# is evaluated against those rules first; on a CPU-bound box, moving the
# established,related accepts to the top of each chain is the cheapest win.
# RouterOS 6.38 also has action=fasttrack-connection, but to my knowledge fasttracked
# packets bypass IPsec policy matching in 6.x, so site-to-site traffic would have to
# be excluded from such a rule — verify before enabling.
# NOTE(review): this rule is labelled IKE but also opens udp/1723. PPTP control is
# TCP/1723, so with protocol=udp that port entry never matches; if no PPTP server
# runs here, 1723 and the GRE accept below can be removed to shrink the input surface.
add action=accept chain=input comment="IPSEC Allow IKE" dst-port=500,1723,4500 in-interface=\
ether1-wan1 protocol=udp
add action=accept chain=input comment="IPSEC Allow GRE" in-interface=ether1-wan1 protocol=gre
add action=accept chain=input comment="IPSEC Allow IPSec-esp" in-interface=ether1-wan1 protocol=\
ipsec-esp
add action=accept chain=input comment="IPSEC Allow IPSec-ah" in-interface=ether1-wan1 protocol=\
ipsec-ah
add action=accept chain=input comment="\F0\E0\E7\F0\E5\F8\E0\E5\EC ping" protocol=icmp
# NOTE(review): hosts in the "access" list get unrestricted access to the router's
# input chain on both WANs (whatever services remain enabled — the /ip service block
# below only shows the disabled ones). Restricting the remaining services with
# /ip service address= to the same list adds a second layer.
add action=accept chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \E8\E7 access ip" in-interface=\
ether1-wan1 src-address-list=access
add action=accept chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \E8\E7 access ip" in-interface=\
ether2-wan2 src-address-list=access
add action=accept chain=input comment="\F0\E0\E7\F0\E5\F8\E0\E5\EC \F3\F1\F2\E0\ED\EE\E2\EB\E5\ED\ED\FB\
\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=established,related
add action=accept chain=forward comment="\F0\E0\E7\F0\E5\F8\E0\E5\EC \F3\F1\F2\E0\ED\EE\E2\EB\E5\ED\ED\
\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=established,related
# NOTE(review): src-address-list=lan-col-50.0 is not defined in the address-list
# section above; a rule on an empty list never matches, so this is dead unless the
# name was altered while redacting. It currently does not matter, because the
# forward chain has no terminal drop: anything not caught by the two invalid-state
# drops is forwarded. A closing rule such as
#   add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan1
# (and the same for ether2-wan2) would limit WAN->LAN to the published dst-nat ports.
add action=accept chain=forward comment="\F0\E0\E7\F0\E5\F8\E0\E5\EC \E4\EE\F1\F2\F3\EF \E8\E7 \EB\EE\
\EA\E0\EB\FC\ED\EE\E9 \F1\E5\F2\E8 \E2 \E8\ED\F2\E5\F0\ED\E5\F2" src-address-list=lan-col-50.0
# NOTE(review): this input accept matches on src-address only and is evaluated
# BEFORE the WAN input drops, so a packet arriving on a WAN port with a spoofed
# 192.168.x.0/24 source is accepted. Add in-interface=ether3+master to bind it to
# the LAN side.
add action=accept chain=input comment="\F0\E0\E7\F0\E5\F8\E0\E5\EC \E4\EE\F1\F2\F3\EF \E8\E7 \EB\EE\EA\
\E0\EB\FC\ED\EE\E9 \EA \F0\EE\F3\F2\E5\F0\F3" src-address=192.168.ххх.0/24
add action=accept chain=forward comment=ipsec_col_msk dst-address=192.168.ххх.0/24 src-address=\
192.168.ххх.0/24
add action=accept chain=forward comment=ipsec_msk_col dst-address=192.168.ххх.0/24 src-address=\
192.168.ххх.0/24
add action=accept chain=forward comment=ipsec_col_spb dst-address=192.168.ххх.0/24 src-address=\
192.168.ххх.0/24
add action=accept chain=forward comment=ipsec_spb_col dst-address=192.168.ххх.0/24 src-address=\
192.168.ххх.0/24
add action=drop chain=forward comment=\
"\E7\E0\EF\F0\E5\F9\E0\E5\EC \ED\E5 \F3\E4\E0\F7\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" \
connection-state=invalid in-interface=ether1-wan1
add action=drop chain=forward comment=\
"\E7\E0\EF\F0\E5\F9\E0\E5\EC \ED\E5 \F3\E4\E0\F7\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" \
connection-state=invalid in-interface=ether2-wan2
# Final input drops for both WANs ("все остальное запрещаем" = "deny everything
# else"); every input accept above relies on these being present and last.
add action=drop chain=input comment=\
"\E2\F1\E5 \EE\F1\F2\E0\EB\FC\ED\EE\E5 \E7\E0\EF\F0\E5\F9\E0\E5\EC" in-interface=ether1-wan1
add action=drop chain=input comment=\
"\E2\F1\E5 \EE\F1\F2\E0\EB\FC\ED\EE\E5 \E7\E0\EF\F0\E5\F9\E0\E5\EC" in-interface=ether2-wan2
/ip firewall mangle
add action=accept chain=prerouting comment="Out Xxx to Wan2 from Lan" disabled=yes dst-address=\
192.168.ххх.ххх
add action=accept chain=prerouting comment="Out Moodle to Wan2 from Lan" disabled=yes dst-address=\
192.168.ххх.ххх
# Policy routing: the two mail/web hosts are marked so their replies leave via WAN2
# (see the routing_to_wan2 route below).
add action=mark-routing chain=prerouting comment="Out Xxx to Wan2" new-routing-mark=routing_to_wan2 \
passthrough=no src-address=192.168.ххх.ххх
add action=mark-routing chain=prerouting comment="Out Moodle to Wan2" new-routing-mark=routing_to_wan2 \
passthrough=no src-address=192.168.ххх.ххх
/ip firewall nat
add action=netmap chain=srcnat comment=Xxx-OUT-Wan2 disabled=yes dst-address=0.0.0.0 out-interface=\
ether2-wan2 src-address=192.168.ххх.ххх to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=yes dst-address=0.0.0.0 log=yes out-interface=ether2-wan2 \
src-address=192.168.ххх.ххх
# Site-to-site traffic is exempted from source NAT here; these accepts must stay
# above the two masquerade rules at the end of the chain, otherwise the IPsec
# policies below would never see the original source addresses.
add action=accept chain=srcnat dst-address=192.168.ххх.0/24 src-address=192.168.ххх.0/24
add action=accept chain=srcnat dst-address=192.168.ххх.0/24 src-address=192.168.ххх.0/24
add action=accept chain=srcnat dst-address=192.168.ххх.0/24 src-address=192.168.ххх.0/24
add action=accept chain=srcnat dst-address=192.168.ххх.0/24 src-address=192.168.ххх.0/24
add action=dst-nat chain=dstnat comment=Wan2-Xxx-7025 disabled=yes dst-port=7025 in-interface=\
ether2-wan2 protocol=tcp to-addresses=192.168.ххх.ххх to-ports=7025
add action=netmap chain=dstnat comment="Wan2-Xxx-8443 (web)" disabled=yes dst-port=8443 \
in-interface=ether2-wan2 protocol=tcp to-addresses=192.168.ххх.ххх to-ports=8443
add action=dst-nat chain=dstnat comment=Wan2-Moodle-80 dst-port=80 in-interface=ether2-wan2 protocol=\
tcp to-addresses=192.168.ххх.ххх to-ports=80
add action=dst-nat chain=dstnat comment=TEST disabled=yes dst-address=62.173.ххх.ххх protocol=tcp \
src-address=192.168.ххх.0/24 to-addresses=192.168.ххх.ххх
add action=masquerade chain=srcnat comment=TEST disabled=yes dst-address=192.168.ххх.ххх protocol=tcp \
src-address=192.168.ххх.0/24 to-addresses=192.168.ххх.ххх
# NOTE(review): the published services below (Jira on 80, OpenVPN, the 1C web port,
# the mail ports, RDP) are reachable from any source except where src-address is
# set (only the RDP rule has one). Because the forward chain has no default drop,
# these dst-nat rules are the only thing deciding what is exposed — keep them tight.
add action=dst-nat chain=dstnat comment=Wan1-Jira-80 dst-port=80 in-interface=ether1-wan1 protocol=tcp \
to-addresses=192.168.50.10 to-ports=80
add action=dst-nat chain=dstnat comment=Wan1-OpenVpn-18897 dst-port=18897 in-interface=ether1-wan1 \
protocol=udp to-addresses=192.168.50.8 to-ports=18897
add action=dst-nat chain=dstnat comment=Wan1-Hyperv-1C-8080 dst-port=8080 in-interface=ether1-wan1 \
protocol=tcp to-addresses=192.168.50.5 to-ports=8080
# NOTE(review): some mail ports use action=netmap and others action=dst-nat for the
# same single-host, single-port mapping; netmap is meant for 1:1 network mapping.
# Behaviour is presumably the same here, but using dst-nat throughout is clearer.
add action=netmap chain=dstnat comment=Wan2-Xxx-995 dst-port=995 in-interface=ether2-wan2 protocol=\
tcp to-addresses=192.168.ххх.ххх to-ports=995
add action=dst-nat chain=dstnat comment=Wan2-Xxx-110 dst-port=110 in-interface=ether2-wan2 \
protocol=tcp to-addresses=192.168.ххх.ххх to-ports=110
add action=netmap chain=dstnat comment=Wan2-Xxx-143 dst-port=143 in-interface=ether2-wan2 protocol=\
tcp to-addresses=192.168.ххх.ххх to-ports=143
add action=netmap chain=dstnat comment=Wan2-Xxx-465 dst-port=465 in-interface=ether2-wan2 protocol=\
tcp to-addresses=192.168.ххх.ххх to-ports=465
add action=netmap chain=dstnat comment=Wan2-Xxx-993 dst-port=993 in-interface=ether2-wan2 protocol=\
tcp to-addresses=192.168.ххх.ххх to-ports=993
add action=dst-nat chain=dstnat comment=Wan2-Xxx-443 dst-port=443 in-interface=ether2-wan2 \
protocol=tcp to-addresses=192.168.ххх.ххх to-ports=443
add action=dst-nat chain=dstnat comment=Wan2-Xxx-25 dst-port=25 in-interface=ether2-wan2 protocol=\
tcp to-addresses=192.168.ххх.ххх to-ports=25
add action=dst-nat chain=dstnat comment=Wan1-RDP dst-port=3388 in-interface=ether1-wan1 \
protocol=tcp src-address=62.173.ххх.ххх to-addresses=192.168.50.3 to-ports=3388
# Catch-all source NAT for both WANs; the site-to-site accepts above exempt tunnel
# traffic from these.
add action=masquerade chain=srcnat out-interface=ether1-wan1
add action=masquerade chain=srcnat out-interface=ether2-wan2
/ip firewall service-port
# NOTE(review): the h323, sip and pptp connection-tracking helpers are not listed
# here and so stay at their defaults; if none of those protocols traverses this
# router, disabling them removes helper code from the packet path.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec peer
# NOTE(review): all four peers negotiate phase 1 with dh-group=modp768 (768-bit DH)
# and enc-algorithm=des, both long considered broken; the pre-shared keys are
# redacted here. Agree modp2048 and aes-256 (with a SHA-2 hash) with the remote
# offices — both ends must be changed together. dpd-interval=2s is also very
# aggressive; the extra IKE keepalive traffic is presumably small, but 10s or
# more is customary.
add address=213.170.ххх.ххх/32 comment=phase1_to_spb2 dh-group=modp768 disabled=yes dpd-interval=2s \
enc-algorithm=des lifetime=2d policy-template-group=group4 secret=ХХХХХХХХХХХХХХХ
add address=195.182.ххх.ххх/32 comment=phase1_to_spb1 dh-group=modp768 dpd-interval=2s enc-algorithm=\
des lifetime=2d policy-template-group=group3 secret=ХХХХХХХХХХХХХХХ
add address=83.69.ххх.ххх/32 comment=phase1_to_msk1 dh-group=modp768 dpd-interval=2s enc-algorithm=des \
lifetime=2d secret=ХХХХХХХХХХХХХХХ
add address=178.209.ххх.ххх/32 comment=phase1_to_msk2 dh-group=modp768 disabled=yes dpd-interval=2s \
enc-algorithm=des lifetime=2d policy-template-group=group2 secret=ХХХХХХХХХХХХХХХ
/ip ipsec policy
add group=group2 template=yes
add group=group3 template=yes
add group=group4 template=yes
# None of these policies sets proposal=, so all of them use the "default" proposal
# defined above (ESP null encryption, MD5 integrity). Only msk1 and spb1 are active.
add comment=poli_to_msk1 dst-address=192.168.ххх.0/24 sa-dst-address=83.69.ххх.ххх sa-src-address=\
185.31.ххх.ххх src-address=192.168.ххх.0/24 tunnel=yes
add comment=poli_to_msk2 disabled=yes dst-address=192.168.ххх.0/24 sa-dst-address=178.209.ххх.ххх \
sa-src-address=185.31.ххх.ххх src-address=192.168.ххх.0/24 tunnel=yes
add comment=poli_to_spb2 disabled=yes dst-address=192.168.ххх.0/24 sa-dst-address=213.170.ххх.ххх \
sa-src-address=185.31.ххх.ххх src-address=192.168.ххх.0/24 tunnel=yes
add comment=poli_to_spb1 dst-address=192.168.ххх.0/24 sa-dst-address=195.182.ххх.ххх sa-src-address=\
185.31.ххх.ххх src-address=192.168.ххх.0/24 tunnel=yes
/ip route
# Marked traffic (the two hosts in the mangle rules) leaves via WAN2; everything
# else uses the WAN1 default route.
add comment="Servers to Wan2" distance=1 gateway=62.173.ххх.ххх routing-mark=routing_to_wan2
add comment=Internet distance=1 gateway=185.31.ххх.ххх
add comment=Internet-for-Servise disabled=yes distance=2 gateway=62.173.ххх.ххх
/ip service
# NOTE(review): only the disabled services are exported; whatever remains enabled
# (winbox, www-ssl — not shown) is what the "access" list hosts reach from the WAN.
# Setting address= on those services to the LAN and the access list hosts bounds
# management exposure independently of the firewall.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/snmp
# NOTE(review): SNMP is enabled but the export shows no community settings, so
# presumably the default read-only community is in use. Restrict it with
# /snmp community addresses= to the monitoring host(s), and confirm the WAN input
# drops above keep udp/161 off the public addresses.
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system logging
add disabled=yes topics=dns
add disabled=yes topics=interface
add disabled=yes topics=manager
/tool sniffer
# NOTE(review): the packet sniffer is configured to capture everything on
# ether1-wan1 (filter-ip-address=0.0.0.0/0) into file "wan11". The export cannot
# show whether it is running, but a running sniffer copies every WAN packet to the
# CPU and is a plausible contributor to the CPU and WAN-throughput symptoms in the
# post — check with /tool sniffer print and stop it if it is active.
set file-name=wan11 filter-interface=ether1-wan1 filter-ip-address=0.0.0.0/0 memory-limit=1000KiB