[admin@MikroTik] > export compact
# 2023-09-27 16:38:07 by RouterOS 7.11
# software id = 87BS-6Q6G
#
# model = RB4011iGS+
# serial number = D1230BA332D6
/interface bridge
add admin-mac=CC:2D:E0:B6:5B:61 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=*************
set [ find default-name=ether2 ] auto-negotiation=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=*****
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.13-192.168.88.79
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *FFFFFFFE local-address=192.168.88.1 remote-address=dhcp
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip firewall connection tracking
set tcp-established-timeout=5m
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.254 mac-address=00:25:90:62:9C:4F server=defconf
add address=192.168.88.12 mac-address=00:25:90:66:39:FF server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=188.130.138.250 comment=hidecomment list=blacklist
add address=45.8.228.153 comment=hidecomment list=blacklist
add address=92.53.64.237 comment=hidecomment list=blacklist
add address=188.124.37.88 comment=hidecomment list=blacklist
add address=93.81.101.237 list=blacklist
add address=vk.com list=vk.com
add address=ok.ru list=ok.ru
/ip firewall filter
add action=add-src-to-address-list address-list=ssh_round1 address-list-timeout=2m chain=input connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_round2 address-list-timeout=2m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_round1
add action=add-src-to-address-list address-list=ssh_round3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_round2
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_round3
add action=add-src-to-address-list address-list=telnet_round1 address-list-timeout=2m chain=input connection-state=new dst-port=23 protocol=tcp
add action=add-src-to-address-list address-list=telnet_round2 address-list-timeout=2m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=ssh_round1
add action=add-src-to-address-list address-list=telnet_round3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=ssh_round2
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=2w chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=ssh_round3
add action=add-src-to-address-list address-list=winbox_round1 address-list-timeout=2m chain=input connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=telnet_round2 address-list-timeout=2m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_round1
add action=add-src-to-address-list address-list=telnet_round3 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_round2
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=2w chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_round3
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input connection-state=new dst-limit=1/1m,2,src-address/5m dst-port=8080,7001-7069,8001-8070,8090,50000-59999,20000-29999 per-connection-classifier=src-address:1/0 protocol=tcp
add action=reject chain=input connection-state=new dst-port=8080,7001-7069,8001-8070,8090,50000-59999,20000-29999 protocol=tcp reject-with=tcp-reset
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=******* dst-port=22 protocol=tcp to-addresses=192.168.88.100 to-ports=22
add action=dst-nat chain=dstnat dst-address=******* dst-port=7001-7069 protocol=tcp to-addresses=192.168.88.100 to-ports=7001-7069
add action=dst-nat chain=dstnat dst-address=******* dst-port=8001-8070 protocol=tcp to-addresses=192.168.88.100 to-ports=8001-8070
add action=dst-nat chain=dstnat comment="web zabbix" dst-address=******* dst-port=333 protocol=tcp to-addresses=192.168.88.12 to-ports=22
add action=dst-nat chain=dstnat comment="web zabbix old server new ip" dst-address=******* dst-port=8080 protocol=tcp to-addresses=192.168.88.100 to-ports=8080
add action=dst-nat chain=dstnat dst-address=******* dst-port=20000-29999 protocol=tcp to-addresses=192.168.88.33 to-ports=20000-20999
add action=dst-nat chain=dstnat dst-address=******* dst-port=7070 protocol=tcp to-addresses=192.168.88.100 to-ports=7063
add action=dst-nat chain=dstnat dst-address=******* dst-port=222 protocol=tcp to-addresses=192.168.88.33 to-ports=22
add action=dst-nat chain=dstnat dst-address=******* dst-port=8090 protocol=tcp to-addresses=192.168.88.33 to-ports=8080
add action=dst-nat chain=dstnat dst-address=******* dst-port=50000-59999 protocol=tcp to-addresses=192.168.88.100 to-ports=50000-59999
add action=dst-nat chain=dstnat dst-address=******* dst-port=2222 protocol=tcp to-addresses=192.168.88.254 to-ports=22
add action=dst-nat chain=dstnat dst-address=******* dst-port=8071 protocol=tcp to-addresses=192.168.88.254 to-ports=8080
add action=dst-nat chain=dstnat dst-address=******* dst-port=10904 protocol=tcp to-addresses=192.168.88.100 to-ports=10904
add action=dst-nat chain=dstnat dst-address=******* dst-port=10905 protocol=tcp to-addresses=192.168.88.33 to-ports=10905
add action=dst-nat chain=dstnat dst-address=******* dst-port=10906 protocol=tcp to-addresses=192.168.88.33 to-ports=10906
add action=dst-nat chain=dstnat dst-address=******* dst-port=8073 protocol=tcp to-addresses=192.168.88.12 to-ports=8080
add action=dst-nat chain=dstnat dst-address=******* dst-port=29744 protocol=tcp to-addresses=192.168.88.33 to-ports=29744
/ip firewall raw
add action=drop chain=prerouting comment=BlackList src-address-list=blacklist
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Moscow
/system note
set show-at-login=no
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
# 2023-09-27 16:38:07 by RouterOS 7.11
# software id = 87BS-6Q6G
#
# model = RB4011iGS+
# serial number = D1230BA332D6
/interface bridge
add admin-mac=CC:2D:E0:B6:5B:61 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=*************
set [ find default-name=ether2 ] auto-negotiation=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=*****
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.13-192.168.88.79
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *FFFFFFFE local-address=192.168.88.1 remote-address=dhcp
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip firewall connection tracking
set tcp-established-timeout=5m
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.254 mac-address=00:25:90:62:9C:4F server=defconf
add address=192.168.88.12 mac-address=00:25:90:66:39:FF server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=188.130.138.250 comment=hidecomment list=blacklist
add address=45.8.228.153 comment=hidecomment list=blacklist
add address=92.53.64.237 comment=hidecomment list=blacklist
add address=188.124.37.88 comment=hidecomment list=blacklist
add address=93.81.101.237 list=blacklist
add address=vk.com list=vk.com
add address=ok.ru list=ok.ru
/ip firewall filter
add action=add-src-to-address-list address-list=ssh_round1 address-list-timeout=2m chain=input connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_round2 address-list-timeout=2m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_round1
add action=add-src-to-address-list address-list=ssh_round3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_round2
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_round3
add action=add-src-to-address-list address-list=telnet_round1 address-list-timeout=2m chain=input connection-state=new dst-port=23 protocol=tcp
add action=add-src-to-address-list address-list=telnet_round2 address-list-timeout=2m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=ssh_round1
add action=add-src-to-address-list address-list=telnet_round3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=ssh_round2
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=2w chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=ssh_round3
add action=add-src-to-address-list address-list=winbox_round1 address-list-timeout=2m chain=input connection-state=new dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=telnet_round2 address-list-timeout=2m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_round1
add action=add-src-to-address-list address-list=telnet_round3 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_round2
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=2w chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_round3
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input connection-state=new dst-limit=1/1m,2,src-address/5m dst-port=8080,7001-7069,8001-8070,8090,50000-59999,20000-29999 per-connection-classifier=src-address:1/0 protocol=tcp
add action=reject chain=input connection-state=new dst-port=8080,7001-7069,8001-8070,8090,50000-59999,20000-29999 protocol=tcp reject-with=tcp-reset
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=******* dst-port=22 protocol=tcp to-addresses=192.168.88.100 to-ports=22
add action=dst-nat chain=dstnat dst-address=******* dst-port=7001-7069 protocol=tcp to-addresses=192.168.88.100 to-ports=7001-7069
add action=dst-nat chain=dstnat dst-address=******* dst-port=8001-8070 protocol=tcp to-addresses=192.168.88.100 to-ports=8001-8070
add action=dst-nat chain=dstnat comment="web zabbix" dst-address=******* dst-port=333 protocol=tcp to-addresses=192.168.88.12 to-ports=22
add action=dst-nat chain=dstnat comment="web zabbix old server new ip" dst-address=******* dst-port=8080 protocol=tcp to-addresses=192.168.88.100 to-ports=8080
add action=dst-nat chain=dstnat dst-address=******* dst-port=20000-29999 protocol=tcp to-addresses=192.168.88.33 to-ports=20000-20999
add action=dst-nat chain=dstnat dst-address=******* dst-port=7070 protocol=tcp to-addresses=192.168.88.100 to-ports=7063
add action=dst-nat chain=dstnat dst-address=******* dst-port=222 protocol=tcp to-addresses=192.168.88.33 to-ports=22
add action=dst-nat chain=dstnat dst-address=******* dst-port=8090 protocol=tcp to-addresses=192.168.88.33 to-ports=8080
add action=dst-nat chain=dstnat dst-address=******* dst-port=50000-59999 protocol=tcp to-addresses=192.168.88.100 to-ports=50000-59999
add action=dst-nat chain=dstnat dst-address=******* dst-port=2222 protocol=tcp to-addresses=192.168.88.254 to-ports=22
add action=dst-nat chain=dstnat dst-address=******* dst-port=8071 protocol=tcp to-addresses=192.168.88.254 to-ports=8080
add action=dst-nat chain=dstnat dst-address=******* dst-port=10904 protocol=tcp to-addresses=192.168.88.100 to-ports=10904
add action=dst-nat chain=dstnat dst-address=******* dst-port=10905 protocol=tcp to-addresses=192.168.88.33 to-ports=10905
add action=dst-nat chain=dstnat dst-address=******* dst-port=10906 protocol=tcp to-addresses=192.168.88.33 to-ports=10906
add action=dst-nat chain=dstnat dst-address=******* dst-port=8073 protocol=tcp to-addresses=192.168.88.12 to-ports=8080
add action=dst-nat chain=dstnat dst-address=******* dst-port=29744 protocol=tcp to-addresses=192.168.88.33 to-ports=29744
/ip firewall raw
add action=drop chain=prerouting comment=BlackList src-address-list=blacklist
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Moscow
/system note
set show-at-login=no
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
Проблема заключается в том, что когда много подключений с одного из адресов, падает скорость интернета. Проверял скорость интернета по проводу. Так же при пинге к примеру ya.ru в момент падения скорости интернета теряются пакеты и возрастает время ответа, либо пинг вообще не проходит.
Вроде как немного помогло решить проблемe изменение настройки TCP Established Timeout.
Есть ли способ разобраться в этой проблеме на микротике или все же оператор режет tcp соеденения ?