hAP AC2: Отключить трансляцию локального трафика через PPPoE WAN-интерфейс

ralexst

Добрый день!
Возникла непонятная ситуация при копировании файлов из шары.
Стоит hAP AC2 к нему подключен свитч D-Link, на свиче висит win-шара.
Если копирование происходит в пределах свича D-Link — всё прекрасно, 1 Гб/с выдаёт. Если копирую файлы на комп, подключенный к hAP, — скорость режется до 3–4 МБайт/с. Проверил нагрузку на hAP в момент копирования: видна явная зависимость — при копировании растёт трафик на PPPoE в сторону Ростелеком (причём сразу и TX, и RX). Отключаю PPPoE — копирование с шары на рабочий комп идёт с нормальной скоростью 1 Гб/с. Как от этого избавиться? Почему он как будто транслирует весь трафик через WAN-PPPoE? При включении PPPoE обратно скорость некоторое время не режется, через 3–5 мин опять начинаются тормоза и нагрузка на PPPoE возрастает.
 
# dec/18/2023 12:38:25 by RouterOS 7.7
# software id = W1JU-UC72
#
# model = RBD52G-5HacD2HnD
# serial number = E5780E464648
# Bridge carrying the wired LAN ports and the two main radios (membership is
# declared under /interface bridge port further down).
/interface bridge
add admin-mac=2C:C8:1B:F4:19:15 auto-mac=no comment=defconf name=bridge
# Main SSID on both bands. Both radios are bridge ports and use the default
# security profile (WPA2-PSK, see /interface wireless security-profiles).
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MyWiFi wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MyWiFi wireless-protocol=\
802.11
# Tunnel to the remote site. use-ipsec=yes wraps the L2TP session in IPsec so
# it is not carried in clear. The tunnel interface is later added to the LAN
# interface list, i.e. the remote side is trusted by the firewall.
/interface l2tp-client
add allow=mschap2 connect-to=********** disabled=no name=IHC-CHR \
use-ipsec=yes user=***********
# First PPPoE account (comment is cp1251-escaped Russian). No disabled=no is
# exported for it, so it is presumably left disabled (pppoe-client defaults to
# disabled=yes) — confirm with /interface pppoe-client print.
/interface pppoe-client
add add-default-route=yes comment="\C0\EA\EA\E0\F3\ED\F2 \CB\E0\E4" \
interface=ether1 name=Rostelekom-PPPoE-O use-peer-dns=yes user=***********
# Interface lists referenced by the firewall, discovery and mac-server rules.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# WPA2-PSK for both the default profile (main SSID) and the guest profile.
# Separate profiles let the guest passphrase be rotated without touching the
# main network.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest-profile \
supplicant-identity=MikroTik
# Guest virtual AP on the 2.4 GHz radio. It is NOT a bridge port (see
# /interface bridge port), so guest traffic is routed through the firewall
# rather than switched onto the LAN; WPS is disabled.
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:F4:19:19 \
master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
security-profile=guest-profile ssid=Syntegral-Guest wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
# Default hotspot profile; no hotspot server is defined in this export.
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# Address pools handed out by the two DHCP servers below.
/ip pool
add ranges=192.168.53.100-192.168.53.254 name=default-dhcp
add ranges=192.168.55.20-192.168.55.30 name=guest-pool
# One DHCP server per segment: main LAN on the bridge, guests on wlan3.
/ip dhcp-server
add name=defconf interface=bridge address-pool=default-dhcp
add name=guest-server interface=wlan3 address-pool=guest-pool
# PPP profile for the PPPoE clients: TCP MSS clamping for the PPPoE MTU,
# no bridge learning.
/ppp profile
add name=profile1 change-tcp-mss=yes bridge-learning=no
# Active PPPoE client (disabled=no) plus a spare account on the same port.
# Every PPPoE client here has add-default-route=yes, and the defconf DHCP
# client on ether1 installs a default route as well (its add-default-route
# defaults to yes); only one of them should be up at a time, otherwise the
# default route becomes ambiguous.
/interface pppoe-client
add add-default-route=yes comment=\
"\C0\EA\EA\E0\F3\ED\F2 \CC\E8\F5\E0\E9\EB\EE\E2\F1\EA" disabled=no \
interface=ether1 name=Rostelecom-PPPoE-R profile=profile1 use-peer-dns=\
yes user=rvazzpgxye
add add-default-route=yes comment=\
"\C0\EA\EA\E0\F3\ED\F2 \CC\E8\F5\E0\E9\EB\EE\E2\F1\EA" interface=ether1 \
name=Rostelecom-PPPoE-R2 profile=profile1 use-peer-dns=yes user=\
************
# Default SNMP community (v1/v2c). Its name is not changed in this export, so
# it is presumably still the factory one; the only protection is the source
# address restriction to 192.168.51.0/24, and the community string travels in
# clear. Renaming it or moving to SNMPv3 would be stronger.
/snmp community
set [ find default=yes ] addresses=192.168.51.0/24
# Wired ports 2-5 and both main radios are switched together; ether1 is the
# uplink and wlan3 (guest) is deliberately absent.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# Neighbor discovery only on LAN-list interfaces; note that the LAN list
# below includes the guest AP and the L2TP tunnel.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set wan-interface-list=WAN
# WAN list: physical uplink and all PPPoE clients (used by masquerade and the
# "drop from WAN" rules). LAN list: bridge, the L2TP tunnel and the guest AP.
# Because wlan3 is in LAN, the input chain's "!LAN" drop does not apply to
# guests: they can reach router services (DNS, winbox; ssh if its allowed
# address covers them) and, via the forward chain, the main LAN unless extra
# rules isolate them.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Rostelecom-PPPoE-R list=WAN
add interface=Rostelekom-PPPoE-O list=WAN
add interface=IHC-CHR list=LAN
add interface=wlan3 list=LAN
add interface=Rostelecom-PPPoE-R2 list=WAN
# CAP (CAPsMAN client) settings; the export does not show CAP mode enabled,
# so these are dormant.
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge interfaces=wlan1,wlan2
# Main LAN gateway address.
/ip address
add address=192.168.53.1/24 comment=defconf interface=bridge network=\
192.168.53.0
# Extra addresses on the same bridge (comments are cp1251-escaped: "for
# connecting to devices of network X") so the router can reach hosts still on
# 192.168.0/1/5.0/24. All of these subnets share one L2 segment with the main
# LAN, so there is no isolation between them. The 192.168.100.0/24 entry is
# disabled.
add address=192.168.0.2/24 comment="\C4\EB\FF \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\
\FF \EA \F3\F1\F2\F0\EE\E9\F1\F2\E2\E0\EC \E8\E7 \F1\E5\F2\EA\E8 192.168.0\
.0/24" interface=bridge network=192.168.0.0
add address=192.168.1.2/24 comment="\C4\EB\FF \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\
\FF \EA \F3\F1\F2\F0\EE\E9\F1\F2\E2\E0\EC \E8\E7 \F1\E5\F2\EA\E8 192.168.1\
.0/24" interface=bridge network=192.168.1.0
add address=192.168.5.1/24 comment="\C4\EB\FF \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\
\FF \EA \F3\F1\F2\F0\EE\E9\F1\F2\E2\E0\EC \E8\E7 \F1\E5\F2\EA\E8 192.168.5\
.0/24" interface=bridge network=192.168.5.0
add address=192.168.100.1/24 comment="\C4\EB\FF \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\
\FF \EA \F3\F1\F2\F0\EE\E9\F1\F2\E2\E0\EC \E8\E7 \F1\E5\F2\EA\E8 192.168.1\
00.0/24" disabled=yes interface=bridge network=192.168.100.0
# Guest gateway on the routed (non-bridged) guest AP.
add address=192.168.55.1/24 interface=wlan3 network=192.168.55.0
# defconf DHCP client on ether1, kept alongside the PPPoE clients on the same
# port; it would also install a default route if the upstream answered DHCP.
/ip dhcp-client
add comment=defconf interface=ether1
# Static leases on the main LAN, one per line, keyed by MAC and DHCP client-id.
/ip dhcp-server lease
add server=defconf address=192.168.53.113 mac-address=18:FD:74:21:C8:0A client-id=18:FD:74:21:C8:0A
add server=defconf address=192.168.53.133 mac-address=F4:B5:49:F8:AC:58 client-id=ff:49:f8:ac:58:0:1:0:1:2b:f4:ac:4d:f4:b5:49:f8:ac:58 comment="\F2\E5\F1\F2 \D8\C0 TA1600"
add server=defconf address=192.168.53.131 mac-address=F4:B5:49:F9:9C:1A client-id=ff:49:f9:9c:1a:0:1:0:1:14:8e:a0:9:f4:b5:49:f9:9c:1a
add server=defconf address=192.168.53.132 mac-address=F4:B5:49:F8:AA:FA client-id=ff:49:f8:aa:fa:0:1:0:1:14:8e:a0:8:f4:b5:49:f8:aa:fa
add server=defconf address=192.168.53.245 mac-address=F4:B5:49:FA:02:F2 client-id=ff:49:fa:2:f2:0:1:0:1:14:8e:a0:8:f4:b5:49:fa:2:f2
add server=defconf address=192.168.53.244 mac-address=F4:B5:49:FA:04:48 client-id=ff:49:fa:4:48:0:1:0:1:14:8e:a0:8:f4:b5:49:fa:4:48
add server=defconf address=192.168.53.243 mac-address=F4:B5:49:F9:9C:2F client-id=ff:49:f9:9c:2f:0:1:0:1:14:8e:a0:9:f4:b5:49:f9:9c:2f
add server=defconf address=192.168.53.242 mac-address=F4:B5:49:F9:98:3C client-id=ff:49:f9:98:3c:0:1:0:1:14:8e:a0:9:f4:b5:49:f9:98:3c
add server=defconf address=192.168.53.241 mac-address=F4:B5:49:F9:9B:BC client-id=ff:49:f9:9b:bc:0:1:0:1:14:8e:a0:9:f4:b5:49:f9:9b:bc
add server=defconf address=192.168.53.240 mac-address=F4:B5:49:F9:99:39 client-id=ff:49:f9:99:39:0:1:0:1:14:8e:a0:9:f4:b5:49:f9:99:39
# Per-subnet DHCP options: the router is both gateway and DNS for each segment.
/ip dhcp-server network
add gateway=192.168.53.1 dns-server=192.168.53.1 address=192.168.53.0/24 comment=defconf
add gateway=192.168.55.1 dns-server=192.168.55.1 address=192.168.55.0/24 comment="Guest-WiFi Network"
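# The router resolves DNS for LAN and guest clients (dns-server= in the DHCP
# networks above). allow-remote-requests=yes also makes it answer on WAN
# interfaces, so the input chain's "drop all not coming from LAN" rule is the
# only thing keeping it from being an open resolver — keep that rule in place
# even while troubleshooting.
/ip dns
set allow-remote-requests=yes
# router.lan must resolve to an address the router actually holds. The defconf
# entry pointed at 192.168.88.1, which is not configured anywhere in this
# export (the bridge has 192.168.53.1/24), so it is corrected here.
/ip dns static
add address=192.168.53.1 comment=defconf name=router.lan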
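# IPv4 filter. Rule order matters: the first matching rule in a chain wins and
# a chain with no match ends in accept.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Backup collector reaches the router on tcp/26010 from 192.168.51.1, which is
# only expected via the 192.168.51.0/24 route (gateway 10.5.5.1). Pinning
# in-interface= to the interface that carries that route would stop a spoofed
# packet from a WAN interface matching this accept; it is left unchanged
# because the ingress interface for 10.5.5.1 is not visible in this export.
add action=accept chain=input comment="mikrotik backup" dst-address=\
192.168.53.1 dst-port=26010 protocol=tcp src-address=192.168.51.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The guest AP (wlan3) is a member of the LAN list, so without these rules
# guests pass the "!LAN" drop below and reach every router service. Allow only
# DNS and DHCP from guests, then drop the rest before the chain's final accept.
add action=accept chain=input comment="guest: allow DNS/DHCP to router" \
dst-port=53,67 in-interface=wlan3 protocol=udp
add action=accept chain=input comment="guest: allow DNS over TCP" \
dst-port=53 in-interface=wlan3 protocol=tcp
add action=drop chain=input comment="guest: drop other access to router" \
in-interface=wlan3
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# fasttrack sits before the generic established/related accept so that
# established flows take the fast path.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Guest isolation: new connections from wlan3 may only leave through a WAN
# interface. This blocks guest -> 192.168.53.0/24 (and the other bridge
# subnets and the L2TP tunnel), which the implicit accept at the end of the
# chain would otherwise allow. LAN -> guest is still permitted.
add action=drop chain=forward comment="guest: isolate from LAN" \
connection-state=new in-interface=wlan3 out-interface-list=!WAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN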
# Source NAT: everything leaving through a WAN-list interface is masqueraded,
# except packets that match an outgoing IPsec policy (ipsec-policy=out,none),
# so the L2TP/IPsec tunnel payload is not translated.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Disabled: would masquerade main-LAN hosts towards 192.168.100.0/24 (the
# matching 192.168.100.1/24 bridge address is disabled as well).
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.100.0/24 \
src-address=192.168.53.0/24
# SIP connection-tracking helper turned off, so SIP payloads are not rewritten
# by the ALG.
/ip firewall service-port
set sip disabled=yes
# Static routes towards the remote site via 10.5.5.1. pref-src=10.5.5.3
# suggests 10.5.5.3 is this router's own tunnel address, but no /ip address
# for it appears in the export (presumably assigned by the L2TP server) —
# confirm with /ip address print. The default route is not set here; it comes
# from the active PPPoE client (add-default-route=yes).
/ip route
add disabled=no distance=1 dst-address=10.5.5.0/24 gateway=10.5.5.1 pref-src=\
10.5.5.3 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
10
# Single-host route (destination masked in the post; comment is cp1251).
add comment="\C4\EE\F1\F2\F0\E4" \
disabled=no distance=1 dst-address=*********/32 gateway=10.5.5.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=192.168.49.0/24 gateway=10.5.5.1 pref-src=\
10.5.5.3 routing-table=main suppress-hw-offload=no
# 192.168.51.0/24 is the management side: it is the SNMP allowed range and
# the source of the "mikrotik backup" input rule.
add disabled=no distance=1 dst-address=192.168.51.0/24 gateway=10.5.5.1 \
pref-src=10.5.5.3 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# Management services: telnet, ftp, plain-HTTP www, api and api-ssl are off;
# ssh is limited to an allowed address (masked) and winbox is moved to a
# non-default port. A changed port is not access control — the input chain's
# "drop all not coming from LAN" rule is what keeps winbox off the WAN — so an
# address= restriction on winbox (as on ssh) would add a second layer.
# www-ssl is not mentioned and keeps its default state.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=*****************
set api disabled=yes
set winbox port=****
set api-ssl disabled=yes
# Bogon / non-routable IPv6 prefixes; referenced by the IPv6 forward chain
# (src-address-list / dst-address-list=bad_ipv6).
/ipv6 firewall address-list
add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
add list=bad_ipv6 address=::1/128 comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
# IPv6 filter (unchanged defconf). No IPv6 addresses or DHCPv6 client appear
# in this export, so these rules are dormant until IPv6 is enabled; they are
# kept so that enabling it does not expose the router or LAN unfiltered.
# As with IPv4, the first matching rule in a chain wins.
/ipv6 firewall filter
# --- input ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Same caveat as the IPv4 chain: wlan3 (guest) is in the LAN list, so this
# drop does not apply to guest clients.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# --- forward ---
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# SNMP agent enabled (the default community, restricted above to
# 192.168.51.0/24); contact string masked in the post.
/snmp
set contact=*************** enabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=************
# MAC-telnet and MAC-winbox only from LAN-list interfaces. That list includes
# the guest AP and the L2TP tunnel (see /interface list member), so these
# L2 management services are reachable from guest clients too.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


ralexst

Отключение всех правил фаерволла на ситуацию не повлияло.


ralexst

Вопрос снят, дело не в Mikrotik, а в OpenVPN-соединениях, поднятых на шаре и на рабочем компе. Видимо, после поднятия соединения происходит переподключение протокола SMB через OpenVPN-интерфейсы, а OpenVPN-сервер находится снаружи, поэтому трафик и гонится туда и обратно при копировании локальных файлов.
Нашёл через Torch на Mikrotik. Оставлю тему так, может кому-нибудь пригодится.

П.С. теперь бы ещё научить SMB Windows 10 не переключаться на OpenVPN
П. П. С. зафаерволил виндовым фаерволом. Задача решена полностью.

