Подскакивают пинги в Туннеле между Микротиками

Обсуждение оборудования и его настройки
Ответить
artemiy
Сообщения: 1
Зарегистрирован: 10 янв 2020, 13:48

Добрый день! обнаружилась интересная проблема, есть 3 точки
1 Центральный Облачный микротик
2 офис
3 склад

Офис и склад имеют по 2 интернета и схожие конфиги. Оба подключаются к облачному микротику за ним находятся терминалки.
Суть проблемы, при одинаковых настройках в офисе отличная скорость между терминалками и клиентами, пинг стабильный все нормально при передаче файлов, мультимедии и т.д. На складе при обычном remote app все тоже нормально, но как только начинаешь грузить любые файлы, проигрывание звука на терминалках вначале пинг проскакивает с 41 мс до 300, появляется потеря пакетов. Да нам нужно чтобы был звук с терминальных серверов. Причем не зависимо какой провайдер сейчас используется на складе.
если поднимать тунель между офисом и складом все норм, все передается, все проигрывается ничего не обрывается. Облачный микротик за бугром.

Код: Выделить всё

/interface bridge
add admin-mac=C4:AD:34:4A:A4:85 auto-mac=no comment=defconf name=Local
/interface ethernet
set [ find default-name=ether2 ] name=WAN2
/interface pppoe-client
add comment=ISP1 disabled=no interface=ether1 max-mtu=1480 name=WAN1 password=\
     use-peer-dns=yes user=
/interface gre
add allow-fast-path=no ipsec-secret=@rcadia4 local-address=194.190.9 mtu=\
    1400 name=gre-Office remote-address=89.175.1
add allow-fast-path=no ipsec-secret=99029235 keepalive=1s,1 local-address=\
    194.190.9 mtu=1400 name=gre-Sklad1 remote-address=136.243.4
add keepalive=1s,1 local-address=89.208.1 mtu=1400 name=gre-Sklad2 \
    remote-address=136.243.4
/interface ipip
add allow-fast-path=no local-address=89.208.1 mtu=1400 name=ipip-Office \
    remote-address=85.30.20
/interface vlan
add interface=Local name=vlan1 vlan-id=3
/caps-man datapath
add arp=enabled bridge=Local client-to-client-forwarding=yes name=local
add arp=enabled bridge=Local name=guest vlan-id=2 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=tsd passphrase=\
    99029239
add authentication-types=wpa2-psk encryption=aes-ccm name=guest passphrase=\
    LifeMebel

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN


/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des

/ip pool
add name=dhcp_pool1 ranges=192.168.2.60-192.168.2.150
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=Local name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan1 name=dhcp2



/interface bridge port
add bridge=Local comment=defconf interface=ether3
add bridge=Local comment=defconf interface=ether4
add bridge=Local comment=defconf interface=ether5
add bridge=Local comment=defconf interface=ether6
add bridge=Local comment=defconf interface=ether7
add bridge=Local comment=defconf interface=ether8
add bridge=Local comment=defconf interface=ether9
add bridge=Local comment=defconf interface=ether10
add bridge=Local comment=defconf interface=sfp1

/interface list member
add comment=defconf interface=Local list=LAN
add comment=defconf interface=WAN1 list=WAN
add comment=defconf interface=WAN2 list=WAN
add comment=defconf interface=gre-Sklad1 list=VPN
add comment=defconf interface=gre-Sklad2 list=VPN
add comment=defconf interface=gre-Office list=VPN
add comment=defconf interface=ipip-Office list=VPN

/ip address
add address=192.168.2.254/24 interface=Local network=192.168.2.0
add address=172.16.31.2/24 interface=gre-Sklad1 network=172.16.31.0
add address=172.16.29.2/24 interface=gre-Sklad2 network=172.16.29.0
add address=89.208.1/30 interface=WAN2 network=89.208.
add address=172.16.25.2/24 interface=gre-Office network=172.16.25.0
add address=172.16.26.2/24 interface=ipip-Office network=172.16.26.0
add address=192.168.3.1/24 disabled=yes interface=vlan1 network=192.168.3.0
add address=192.168.49.6/24 disabled=yes interface=Local network=192.168.49.0
add address=192.168.49.12/24 disabled=yes interface=Local network=192.168.49.0

/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.2.33 client-id=1:46:1e:a1:58:2c:51 mac-address=\
    46:1E:A1:58:2C:51 server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.1.1,192.168.1.2 domain=\
    lifeofc.local gateway=192.168.2.254 wins-server=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.2.1 gateway=192.168.3.1

/ip firewall filter
add action=accept chain=input comment="default configuration - ACCEPT wibox" \
    dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="default configuration - ACCEPT web" \
    dst-port=5000 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="default configuration - ACCEPT web" \
    dst-port=3389 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=add-src-to-address-list address-list=ddos-blacklist \
    address-list-timeout=1d chain=input comment=\
    "1.2. DDoS Protect - Connection Limit" connection-limit=100,32 \
    in-interface-list=WAN protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
    src-address-list=ddos-blacklist
add action=jump chain=forward comment="1.3. DDoS Protect - SYN Flood" \
    connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=WAN \
    jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet \
    protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=\
    syn
add action=drop chain=input comment="1.4. Protected - Ports Scanners" \
    src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input in-interface-list=WAN \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="1.5. Protected - WinBox Access" \
    src-address-list="Black List Winbox"
add action=add-src-to-address-list address-list="Black List Winbox" \
    address-list-timeout=none-dynamic chain=input connection-state=new \
    dst-port=8291 in-interface-list=WAN log=yes log-prefix="BLACK WINBOX" \
    protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    in-interface-list=WAN protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    in-interface-list=WAN protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="1.7. Access OpenVPN Tunnel Data" \
    in-interface-list=VPN
add action=accept chain=input comment="1.8. Access Normal Ping" \
    in-interface-list=WAN limit=50/5s,2:packet protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="1.9. Drop All Other" in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=con-WAN1 passthrough=yes \
    per-connection-classifier=src-address:2/0
add action=mark-routing chain=prerouting connection-mark=con-WAN1 \
    dst-address-type=!local new-routing-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=con-WAN2 passthrough=yes \
    per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=con-WAN2 \
    dst-address-type=!local new-routing-mark=WAN2 passthrough=yes
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
    con-WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=con-WAN1 new-routing-mark=\
    WAN1 passthrough=no
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=\
    con-WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=con-WAN2 new-routing-mark=\
    WAN2 passthrough=no
add action=change-mss chain=forward comment="\C5\F1\EB\E8 \EF\F0\EE\E2\E0\E9\E4\
    \E5\F0 \EF\E8\E4\F0 \E8 \F2\E5\F0\FF\FE\F2\F1\FF \EF\E0\EA\E5\F2\FB " \
    new-mss=clamp-to-pmtu out-interface-list=VPN passthrough=yes protocol=tcp \
    tcp-flags=syn
add action=change-mss chain=forward comment="\C5\F1\EB\E8 \EF\F0\EE\E2\E0\E9\E4\
    \E5\F0 \EF\E8\E4\F0 \E8 \F2\E5\F0\FF\FE\F2\F1\FF \EF\E0\EA\E5\F2\FB " \
    in-interface-list=VPN new-mss=clamp-to-pmtu passthrough=yes protocol=tcp \
    tcp-flags=syn
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes in-interface=WAN1 new-connection-mark=con-WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes in-interface=WAN2 new-connection-mark=con-WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=con-WAN1 disabled=yes \
    new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=con-WAN2 disabled=yes \
    new-routing-mark=WAN2 passthrough=yes
add action=mark-packet chain=forward dst-port=3389 new-packet-mark=rdp \
    passthrough=yes protocol=tcp
add action=mark-packet chain=forward disabled=yes dst-port=3389 \
    new-packet-mark=rdp passthrough=yes protocol=udp
add action=mark-packet chain=forward disabled=yes dst-port=5060,60000 \
    new-packet-mark=sip passthrough=yes protocol=udp

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN

/ip firewall raw
add action=drop chain=prerouting dst-port=137,138,139 in-interface-list=WAN \
    protocol=udp
add action=drop chain=prerouting dst-port=137,138,139 in-interface-list=WAN \
    protocol=udp

/ip route
add check-gateway=ping distance=1 gateway=192.168.100.1 routing-mark=WAN1
add check-gateway=ping distance=2 gateway=89.208.1 routing-mark=WAN1
add check-gateway=ping distance=1 gateway=89.208.1 routing-mark=WAN2
add check-gateway=ping distance=2 gateway=192.168.100.1 routing-mark=WAN2
add check-gateway=ping distance=1 gateway=WAN1
add check-gateway=ping distance=2 gateway=89.208.1
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=\
    gre-Office,ipip-Office
add check-gateway=ping disabled=yes distance=1 dst-address=192.168.49.0/24 \
    gateway=gre-Sklad1,gre-Sklad2 scope=20
/ip route rule
add action=lookup-only-in-table dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24 table=main
add action=lookup-only-in-table dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24 table=main
add action=lookup-only-in-table dst-address=192.168.2.0/24 src-address=\
    192.168.49.0/24 table=main
add action=lookup-only-in-table dst-address=192.168.49.0/24 src-address=\
    192.168.2.0/24 table=main
add action=lookup-only-in-table src-address=194.190./32 table=WAN1
add action=lookup-only-in-table src-address=89.208./32 table=WAN2

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=5000
set ssh disabled=yes
set winbox address=0.0.0.0/0

/routing ospf network
add area=backbone network=192.168.2.0/24
add area=backbone network=172.16.31.0/24
add area=backbone network=172.16.29.0/24
add area=backbone network=172.16.25.0/24
add area=backbone network=172.16.26.0/24
add area=backbone disabled=yes network=172.16.20.0/24


Ответить