Отваливается интернет

[krik_krak]

dhcp-клиент удалил, check-gateway отключил на обоих маршрутах

 Конфиг

# oct/30/2020 18:36:07 by RouterOS 6.47.4
# software id = yyyyyyyyy
#
# model = CCR1009-8G-1S
# serial number = xxxxxxxxxxx
/interface bridge
add comment=LAN-10 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp comment=LAN-192 name=eth1 \
speed=100Mbps
set [ find default-name=ether2 ] name=eth2 speed=100Mbps
set [ find default-name=ether3 ] comment=LAN-10 name=eth3 speed=100Mbps
set [ find default-name=ether4 ] arp=proxy-arp comment=LAN-10 name=eth4 \
speed=100Mbps
set [ find default-name=ether5 ] name=eth5 speed=100Mbps
set [ find default-name=ether6 ] name=eth6 speed=100Mbps
set [ find default-name=ether7 ] comment=WAN-RTK name=eth7 speed=100Mbps
set [ find default-name=ether8 ] comment=WAN-Avantel name=eth8 speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full
/interface pptp-server
add name=pptp-in1 user=""
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pptp_vpn_pool ranges=10.2.4.110-10.2.4.150
/ppp profile
add local-address=10.2.4.250 name=pptp-10 remote-address=pptp_vpn_pool \
use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=eth4
add bridge=bridge1 interface=eth3
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=eth7 list=WAN
add interface=eth8 list=WAN
add interface=bridge1 list=LAN
add interface=eth1 list=LAN
/interface ovpn-server server
set certificate=siroca.crt_0 cipher=blowfish128,aes128,aes192,aes256 enabled=\
yes mode=ethernet require-client-certificate=yes
/interface pptp-server server
set authentication=mschap2 default-profile=pptp-10 enabled=yes \
keepalive-timeout=disabled
/ip address
add address=192.168.100.1/24 comment=LAN-192 interface=eth1 network=\
192.168.100.0
add address=109.x.x.x/25 comment=WAN-2 interface=eth8 network=\
109.x.x.y
add address=10.1.4.250/24 comment=LAN10 interface=eth4 network=10.1.4.0
add address=212.x.x.x/29 comment=WAN-1 interface=eth7 network=\
212.x.x.y
/ip dns
set allow-remote-requests=yes servers=217.70.106.5,195.49.169.4,195.49.169.4
/ip dns static
add address=192.168.100.6 name=xxxxxxx.ru
/ip firewall address-list
add address=a.a.a.a list=RDP_allow
add address=b.b.b.b list=RDP_allow
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Allow Fasttrack" \
connection-state=established,related
add action=accept chain=input comment=\
"Only for test! Enable ALL Input traffic" disabled=yes
add action=accept chain=forward comment=\
"Only for test! Allow ALL Forward traffic" disabled=yes
add action=drop chain=output comment="Deny 8.8.4.4 for ISP Check" disabled=\
yes dst-address=8.8.4.4 out-interface=eth8 protocol=icmp
add action=drop chain=forward comment="Block invalid connection" \
connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow ping from outside" protocol=icmp
add action=accept chain=input comment="Allow winbox access from outside" \
dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow ALL access from LAN" \
in-interface-list=LAN
add action=accept chain=input comment=\
"Allow established & related Input traffic" connection-state=\
established,related
add action=accept chain=forward comment=\
"Allow established & related Forward traffic" connection-state=\
established,related
add action=accept chain=forward comment="Allow all traffic from LAN-10" \
connection-state="" src-address=10.1.4.0/24
add action=accept chain=forward comment="Allow all traffic to LAN-10" \
disabled=yes in-interface=eth1 out-interface=eth4
add action=accept chain=input comment="Allow GRE protocol for PPtP VPN" \
protocol=gre
add action=accept chain=input comment="Allow PPtP VPN" disabled=yes dst-port=\
1723 protocol=tcp
add action=accept chain=input comment="Allow PPtP VPN" dst-port=1723 \
in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
tcp
add action=accept chain=forward comment=\
"Allow portforward TCP Openvpn to srv-vpn" dst-address=10.1.4.5 dst-port=\
1194 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=\
"Allow portforward UDP Openvpn on srv-vpn" dst-address=10.1.4.5 dst-port=\
1194 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow portforward RDP on cld-it-01" \
dst-address=192.168.100.76 dst-port=3389 in-interface-list=WAN protocol=\
tcp src-address-list=RDP_allow
add action=accept chain=forward comment="Allow portforward RDP on cld-p-25" \
dst-address=192.168.100.54 dst-port=3389 in-interface-list=WAN protocol=\
tcp src-address-list=RDP_allow
add action=accept chain=forward comment="Allow portforward RDP on cld-adm-12" \
dst-address=192.168.100.82 dst-port=3389 in-interface-list=WAN protocol=\
tcp src-address-list=RDP_allow
add action=accept chain=forward comment="Allow portforward RDP on srv-ts1" \
dst-address=192.168.100.12 dst-port=3389 in-interface-list=WAN protocol=\
tcp src-address-list=RDP_allow
add action=accept chain=forward comment="Allow portforward RDP on cld-adm-01" \
dst-address=192.168.100.87 dst-port=3389 in-interface-list=WAN protocol=\
tcp src-address-list=RDP_allow
add action=accept chain=forward comment="Allow portforward RDP on srv-doc" \
dst-address=192.168.100.9 dst-port=3389 in-interface-list=WAN protocol=\
tcp src-address-list=RDP_allow
add action=accept chain=forward comment="Allow portforward SSH to srv-neh" \
dst-address=192.168.100.6 dst-port=22 in-interface-list=WAN protocol=tcp \
src-address-list=RDP_allow
add action=accept chain=forward comment="Allow portforward HTTP to srv-neh" \
dst-address=192.168.100.6 dst-port=80 in-interface-list=WAN protocol=tcp \
src-address-list=RDP_allow
add action=accept chain=forward comment=\
"Allow portforward RDP to nsk-srv-iis" dst-address=10.1.4.12 dst-port=\
3389 in-interface-list=WAN protocol=tcp src-address-list=RDP_allow
add action=accept chain=forward comment=\
"Allow portforward FTP to nsk-srv-iis" dst-address=10.1.4.12 dst-port=21 \
in-interface-list=WAN protocol=tcp src-address-list=RDP_allow
add action=accept chain=forward comment=\
"Allow portforward SFTP to nsk-srv-iis" dst-address=10.1.4.12 dst-port=22 \
in-interface-list=WAN protocol=tcp src-address-list=RDP_allow
add action=accept chain=forward comment=\
"Allow portforward 45841 to nsk-srv-iis for LC" dst-address=10.1.4.12 \
dst-port=45841 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=\
"Allow portforward 50001 to nsk-srv-iis for LC" dst-address=10.1.4.12 \
dst-port=50001 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=\
"Allow portforward 50007 to nsk-srv-iis for LC" dst-address=10.1.4.12 \
dst-port=50007 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Allow portforward RDP on PRDIE gate" \
dst-address=192.168.100.119 dst-port=3389 in-interface-list=WAN protocol=\
tcp
add action=drop chain=input comment="Block Input from outside" \
in-interface-list=WAN
add action=drop chain=forward comment="Block Forward from outside to LAN" \
in-interface-list=WAN out-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT RTK" out-interface=eth8
add action=masquerade chain=srcnat comment="NAT Avantel" out-interface=eth7
add action=dst-nat chain=dstnat comment="Portforward UDP openvpn to srv-vpn" \
dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=10.1.4.5 \
to-ports=1194
add action=dst-nat chain=dstnat comment="Portforward TCP openvpn to srv-vpn" \
dst-port=1194 in-interface-list=WAN protocol=tcp to-addresses=10.1.4.5 \
to-ports=1194
add action=dst-nat chain=dstnat comment="Pertforward RDP to cld-it-01" \
dst-port=50076 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.100.76 to-ports=3389
add action=dst-nat chain=dstnat comment="Portforward FTP to cld-it-01" \
dst-port=2121 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.76 to-ports=21
add action=dst-nat chain=dstnat comment="Portforward FTPS to cld-it-01" \
dst-port=21990 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.76 to-ports=990
add action=dst-nat chain=dstnat comment="Portforward RDP to cld--p-25" \
dst-port=50054 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.54 to-ports=3389
add action=dst-nat chain=dstnat comment="Portforward RDP to cld-adm-12" \
dst-port=50080 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.82 to-ports=3389
add action=dst-nat chain=dstnat comment="Portforward RDP to srv-ts1" \
dst-port=50012 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.12 to-ports=3389
add action=dst-nat chain=dstnat comment="Portforward RDP to srvhv06" \
dst-port=50026 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.26 to-ports=3389
add action=dst-nat chain=dstnat comment="Portforward RDP to cld-adm-01" \
dst-port=50087 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.87 to-ports=3389
add action=dst-nat chain=dstnat comment="Portforward RDP to srv-doc" \
dst-port=50009 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.9 to-ports=3389
add action=dst-nat chain=dstnat comment="Portforward SSH to srv-neh" \
dst-port=51006 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.6 to-ports=22
add action=dst-nat chain=dstnat comment="Portforward HTTP to srv-neh" \
dst-port=58006 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=192.168.100.6 to-ports=80
add action=dst-nat chain=dstnat comment="Portforward RDP to nsk-srv-iis" \
dst-port=54012 in-interface-list=WAN protocol=tcp src-address-list=\
RDP_allow to-addresses=10.1.4.12 to-ports=3389
add action=dst-nat chain=dstnat comment="Portforward FTP to nsk-srv-iis" \
dst-port=21 in-interface-list=WAN protocol=tcp src-address-list=RDP_allow \
to-addresses=10.1.4.12 to-ports=21
add action=dst-nat chain=dstnat comment="Portforward SFTP to nsk-srv-iis" \
dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=RDP_allow \
to-addresses=10.1.4.12 to-ports=22
add action=dst-nat chain=dstnat comment=\
"Portforward 45841 to nsk-srv-iis for LC" dst-port=45841 \
in-interface-list=WAN protocol=tcp to-addresses=10.1.4.12 to-ports=45841
add action=dst-nat chain=dstnat comment=\
"Portforward 50001 to nsk-srv-iis for LC" dst-port=50001 \
in-interface-list=WAN protocol=tcp to-addresses=10.1.4.12 to-ports=50001
add action=dst-nat chain=dstnat comment=\
"Portforward 50007 to nsk-srv-iis for LC" dst-port=50007 \
in-interface-list=WAN protocol=tcp to-addresses=10.1.4.12 to-ports=50007
add action=dst-nat chain=dstnat comment="Portforward RDP to PRIDE Gate" \
dst-port=5555 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.100.119 to-ports=3389
add action=dst-nat chain=dstnat comment=test disabled=yes dst-port=50099 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.100.10 to-ports=\
3389
/ip route
add comment=ISP1 distance=5 gateway=212.x.x.y
add comment=ISP2 distance=10 gateway=109.x.x.y
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote
/ppp secret
add disabled=yes local-address=192.168.100.1 name=user01 password=\
xxxxxxxxxx remote-address=192.168.100.246 service=pptp-10
add name=user02 password=xxxxxxxxx profile=pptp-10
/system clock
set time-zone-name=Asia/Novosibirsk
/system leds
set 0 interface=sfp1
/system ntp client
set enabled=yes primary-ntp=193.171.23.163 secondary-ntp=85.114.26.194
/system scheduler
add disabled=yes interval=1d name="every day reboot" on-event=\
"/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/27/2020 start-time=00:00:00
/tool netwatch
add disabled=yes down-script="/ip route set [find comment=\"ISP1\"] disabled=y\
es\r\
\n/ip route set [find comment=\"ISP2\"] disabled=no" host=8.8.4.4 \
up-script="/ip route set [find comment=\"ISP1\"] disabled=no\r\
\n/ip route set [find comment=\"ISP2\"] disabled=yes"

Теперь жду отвала

[xvo]

Можно, кстати, создать netwatch до адреса gateway который в лог выведет сообщение или пришлет куда-нибудь - именно с целью посмотреть, не будет ли за период пока ждете таких false-positive отвалов.

Или просто пинг оставить работать на какое-то продолжительное время, если есть возможность держать открытую сессию с роутером.

[krik_krak]

Возможность есть, стоит открытый пинг до 8.8.8.8, 212.x.x.y и 109.x.x.y
Но до изменений в конфигурации 8.8.8.8 и 212.x.x.y всегда отваливались одновременно.

Пока что отвалов нет, но и времени немного прошло

[krik_krak]

Уже почти сутки без обрывов!
Включил check-gateway ping назад, также проблем не наблюдается.

Похоже, проблема была именно в этом:

Во-первых, у вас dhcp-клиент зачем-то все равно создает дефолтный маршрут, хотя у вас такой же есть, созданный руками. Отключите его.

Хотя сам клиент был отключен.

xvo, огромное спасибо, что откликнулись!

[xvo]

Похоже, проблема была именно в этом:

Во-первых, у вас dhcp-клиент зачем-то все равно создает дефолтный маршрут, хотя у вас такой же есть, созданный руками. Отключите его.

Хотя сам клиент был отключен.

Если клиент был отключен, то он и маршрут не создавал, и причиной проблем быть не мог.
Так что это все-таки совпадение.

[krik_krak]

Отвалы стали значительно реже, 1-2 раза за сутки, но они есть:

Статистика Ping для 8.8.8.8:
Пакетов: отправлено = 47316, получено = 47144, потеряно = 172
(0% потерь)
Приблизительное время приема-передачи в мс:
Минимальное = 52мсек, Максимальное = 119 мсек, Среднее = 55 мсек

Заново отключил chek-gateway, посмотрим, что будет без него.
Провайдер со своей стороны запустил пинг со шлюза до микротика - потерь нет

Кроме удаления EoIP-туннеля и dhcp-клиента ничего больше не делал, а улучшения произошли радикальные.
Если это совпадение, то решительно непонятно, в чём причина, так как до этого проблема была несколько месяцев