Problema RB450 TRAVANDO com Link Dedicado

[fwsolutions]

Olá amigos do Forum !

Estou com um problema estranho, eu usava uma rb450 normalmente para fazer o balanceamento PCC de 4 links que recebia no sistema Wimax da Embratel, minha versão do MK é a 4.5 e tudo funcionava perfeitamente, mas quando instalei um novo link de fibra otica da mesma empresa, quando ele está ativo na rede consigo navegar por uns 20 a 30 min e do nada trava a rb450, não consigo acessar nem pelo winbox e nem por outros meios, a principio pensei que era a fonte, troquei mas não deu resultado, enquanto estou com os links antigos wimax ela funciona normalmente, mas é só colocar o link dedicado na rede que já dá problema, gostaria de saber o que poderia ser ! vou postar as configurações da RB450 abaixo:


# ip address --------------------------
/ip address add address=192.168.0.1/24 interface=SAIDA
/ip address add address=201.73.207.227/28 interface=LINK1
/ip address add address=192.168.15.2/24 interface=LINK2
/ip address add address=172.0.0.2/24 interface=LINK3
/ip address add address=192.168.1.2/24 interface=LINK4

# interface pppoe-client ---------------

# ip dns --------------------------------
/ip dns set primary-dns=8.8.8.8
/ip dns set secondary-dns=8.8.4.4
/ip dns set allow-remote-requests=yes

# ip dns statico------------------------
/ip dns static add address=192.168.0.1 comment="" disabled=no name=192.168.0.1.camonnet.com.br ttl=1d

# ip firewall Filter------------------------
/ip firewall filter add action=drop chain=forward comment="BLOQUEIO DE DNS REVERSO" content=google-public-dns-a.google.com disabled=no
/ip firewall filter add action=accept chain=input disabled=no in-interface=!LINK1 src-address=192.168.0.1/24
/ip firewall filter add action=accept chain=input disabled=no in-interface=!LINK2 src-address=192.168.0.1/24
/ip firewall filter add action=accept chain=input disabled=no in-interface=!LINK3 src-address=192.168.0.1/24
/ip firewall filter add action=accept chain=input disabled=no in-interface=!LINK4 src-address=192.168.0.1/24

# ip firewall nat--------------------------
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=LINK1
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=LINK2
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=LINK3
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=LINK4

# ip firewall mangle------------------------
/ip firewall mangle add action=accept chain=prerouting comment="HTTPS FORA DO LOADBALACED" disabled=no protocol=tcp dst-port=443 in-interface=SAIDA
/ip firewall mangle add action=accept chain=prerouting comment="FORA DO LOADBALACED" disabled=no dst-address-list=loopback in-interface=SAIDA
/ip firewall mangle add action=change-ttl chain=forward comment="Filtro Tracert / Traceroute" disabled=no new-ttl=set:30 protocol=icmp
/ip firewall mangle add action=mark-connection chain=prerouting disabled=no in-interface=LINK1 new-connection-mark=LINK1_conn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting disabled=no in-interface=LINK2 new-connection-mark=LINK2_conn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting disabled=no in-interface=LINK3 new-connection-mark=LINK3_conn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting disabled=no in-interface=LINK4 new-connection-mark=LINK4_conn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=LINK1_conn disabled=no new-routing-mark=to_LINK1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=LINK2_conn disabled=no new-routing-mark=to_LINK2 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=LINK3_conn disabled=no new-routing-mark=to_LINK3 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=LINK4_conn disabled=no new-routing-mark=to_LINK4 passthrough=yes
/ip firewall mangle add action=accept chain=prerouting disabled=no dst-address=201.73.207.0/28 in-interface=SAIDA
/ip firewall mangle add action=accept chain=prerouting disabled=no dst-address=192.168.15.0/24 in-interface=SAIDA
/ip firewall mangle add action=accept chain=prerouting disabled=no dst-address=172.0.0.0/24 in-interface=SAIDA
/ip firewall mangle add action=accept chain=prerouting disabled=no dst-address=192.168.1.0/24 in-interface=SAIDA
/ip firewall mangle add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=SAIDA new-connection-mark=LINK1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0
/ip firewall mangle add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=SAIDA new-connection-mark=LINK2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1
/ip firewall mangle add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=SAIDA new-connection-mark=LINK3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2
/ip firewall mangle add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=SAIDA new-connection-mark=LINK4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/3
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=LINK1_conn disabled=no in-interface=SAIDA new-routing-mark=to_LINK1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=LINK2_conn disabled=no in-interface=SAIDA new-routing-mark=to_LINK2 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=LINK3_conn disabled=no in-interface=SAIDA new-routing-mark=to_LINK3 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=LINK4_conn disabled=no in-interface=SAIDA new-routing-mark=to_LINK4 passthrough=yes

# ip route----------------------------------
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=201.73.207.225 routing-mark=to_LINK1 comment="Link0"
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.15.1 routing-mark=to_LINK2 comment="Link1"
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.0.0.1 routing-mark=to_LINK3 comment="Link2"
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_LINK4 comment="Link3"
/ip route add check-gateway=ping comment="Link0" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=201.73.207.225 scope=30 target-scope=10
/ip route add check-gateway=ping comment="Link1" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.15.1 scope=30 target-scope=10
/ip route add check-gateway=ping comment="Link2" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=172.0.0.1 scope=30 target-scope=10
/ip route add check-gateway=ping comment="Link3" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10

# ip firewall address-list-----------------------------
/ip firewall address-list add address=200.155.80.0-200.155.255.255 comment=BRADESCO disabled=no list=loopback
/ip firewall address-list add address=200.220.186.0/24 comment=BRADESCO disabled=no list=loopback
/ip firewall address-list add address=200.220.178.0/24 comment=BRADESCO disabled=no list=loopback
/ip firewall address-list add address=64.38.29.0/24 comment=RapidShare disabled=no list=loopback
/ip firewall address-list add address=208.69.32.0/24 comment="" disabled=no list=loopback
/ip firewall address-list add address=208.67.217.0/24 comment="" disabled=no list=loopback
/ip firewall address-list add address=201.7.178.0/24 comment="" disabled=no list=loopback
/ip firewall address-list add address=201.7.176.0/24 comment="" disabled=no list=loopback
/ip firewall address-list add address=200.159.128.0/24 comment=BRADESCO disabled=no list=loopback
/ip firewall address-list add address=201.7.176.0/20 comment="Vídeos - Globo" disabled=no list=loopback
/ip firewall address-list add address=208.84.247.0/24 comment="Vídeos - terratv" disabled=no list=loopback
/ip firewall address-list add address=200.154.56.0/24 comment="Vídeos - terratv" disabled=no list=loopback
/ip firewall address-list add address=200.201.160.0/24 comment="Caixa Economica Federal" disabled=no list=loopback
/ip firewall address-list add address=200.201.166.0/24 comment="" disabled=no list=loopback
/ip firewall address-list add address=200.201.173.0/24 comment="" disabled=no list=loopback
/ip firewall address-list add address=200.201.174.0/24 comment="" disabled=no list=loopback
/ip firewall address-list add address=200.141.207.3 comment=Detran disabled=no list=loopback

aguardo respostas urgentemente

Desde já obrigado

[fwsolutions]

# /system script--------------------------------------
/system script add name=Link0Dow policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\ /ip firewall filter set [find comment=\"Link0\"] disable=yes;\r\ \n/ip firewall nat set [find comment=\"Link0\"] disable=yes;\r\ \n/ip firewall mangle set [find comment=\"Link0\"] disable=yes;\r\ \n/ip route set [find comment=\"Link0\"] disable=yes;"
/system script add name=Link1Dow policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\ /ip firewall filter set [find comment=\"Link1\"] disable=yes;\r\ \n/ip firewall nat set [find comment=\"Link1\"] disable=yes;\r\ \n/ip firewall mangle set [find comment=\"Link1\"] disable=yes;\r\ \n/ip route set [find comment=\"Link1\"] disable=yes;"
/system script add name=Link2Dow policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\ /ip firewall filter set [find comment=\"Link2\"] disable=yes;\r\ \n/ip firewall nat set [find comment=\"Link2\"] disable=yes;\r\ \n/ip firewall mangle set [find comment=\"Link2\"] disable=yes;\r\ \n/ip route set [find comment=\"Link2\"] disable=yes;"
/system script add name=Link3Dow policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\ /ip firewall filter set [find comment=\"Link3\"] disable=yes;\r\ \n/ip firewall nat set [find comment=\"Link3\"] disable=yes;\r\ \n/ip firewall mangle set [find comment=\"Link3\"] disable=yes;\r\ \n/ip route set [find comment=\"Link3\"] disable=yes;"
/system script add name=Link0Up policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\ /ip firewall filter set [find comment=\"Link0\"] disable=no;\r\ \n/ip firewall nat set [find comment=\"Link0\"] disable=no;\r\ \n/ip firewall mangle set [find comment=\"Link0\"] disable=no;\r\ \n/ip route set [find comment=\"Link0\"] disable=no;"
/system script add name=Link1Up policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\ /ip firewall filter set [find comment=\"Link1\"] disable=no;\r\ \n/ip firewall nat set [find comment=\"Link1\"] disable=no;\r\ \n/ip firewall mangle set [find comment=\"Link1\"] disable=no;\r\ \n/ip route set [find comment=\"Link1\"] disable=no;"
/system script add name=Link2Up policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\ /ip firewall filter set [find comment=\"Link2\"] disable=no;\r\ \n/ip firewall nat set [find comment=\"Link2\"] disable=no;\r\ \n/ip firewall mangle set [find comment=\"Link2\"] disable=no;\r\ \n/ip route set [find comment=\"Link2\"] disable=no;"
/system script add name=Link3Up policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\ /ip firewall filter set [find comment=\"Link3\"] disable=no;\r\ \n/ip firewall nat set [find comment=\"Link3\"] disable=no;\r\ \n/ip firewall mangle set [find comment=\"Link3\"] disable=no;\r\ \n/ip route set [find comment=\"Link3\"] disable=no;"

[granlabor]

Verificou SYSTEM RESOURCE com e sem o link de fibra?

Se você consguir determinar se a RB opera em 100% com a fibra, fica mais fácil encontrar o motivo.

Quais as bandas de cada link?

Não é muita instrução pra RB450 suportar?

[fwsolutions]

Olá amigo, não cheguei a verificar, mas o link dedicado é de 2mb full, e os outros de 2 mb também, o engraçado é que montei um servidor com BRAZILFW para fazer o balanceamento e ele já está ligado a 2 dias na rede e funcionando com o link dedicado 100%, sendo que a rb450 quando fiz o teste com os links wimax funcionava normal, ai quando eu colocava o link dedicado começava a ficar lento e logo em uns 15 minutos mais ou menos travava tudo, não conseguia nem acesso por winbox, só reiniciando para funcionar..


se alguem puder ajudar agradeço

[granlabor]

Olá amigo, não cheguei a verificar, mas o link dedicado é de 2mb full, e os outros de 2 mb também, o engraçado é que montei um servidor com BRAZILFW para fazer o balanceamento e ele já está ligado a 2 dias na rede e funcionando com o link dedicado 100%, sendo que a rb450 quando fiz o teste com os links wimax funcionava normal, ai quando eu colocava o link dedicado começava a ficar lento e logo em uns 15 minutos mais ou menos travava tudo, não conseguia nem acesso por winbox, só reiniciando para funcionar.. se alguem puder ajudar agradeço

Se houver muitas regras de firewall w roteamento, a RB450 suporta até 8 megas de tráfego TCP. Passou disso, começa a ficar crítico.

Pela tua descrição alguma coisa está corrompendo as informações da tua tabela ARP. Será que tem um loop aí na tua rede que conecta LAN e WAN juntas?

Configura a RB pra usar IP x MAC estático para os endereços da tua rede LAN. Depois vai na interface da RB onde a LAN está conectada e muda ARP = reply-only.
Com isso você terá que inserir manualmente cada novo computador que se conectar na tua rede, mas vai diminuir a chance de uma fonte externa propagar o ARP corrompido e prejudicar a RB.

Reveja tuas regras de firewall e reconfigure cuidadosamente a interface que recebe a fibra. Na fibra, desliga todas a regras, revise uma a uma e vai reativando por estágios pra ter certeza que não tem regra bugada.

Uma alternativa temporária, é jogar a porta da RB que recebe a fibra atrás do NAT do BrasilFW. Desta forma você vai ter certeza que suas regras na RB não estão bugadas.

ZéAlves

[fwsolutions]

Olá granlabor, quero agradecer pela resposta, vou estar testando essa solução na rb, porque por conta deste problema eu coloquei na rede o BFW para gerenciar o loadbalance, ai vou estar testando a solução na RB para verificar ok ! mas quero agradecer desde já e qualquer coisa eu posto aqui ! vlw

[rogeriodj]

Sua rb é a 450g, se não for é esse o seu problema, pois ela é muito fraquinha e não aguenta mesmo...

[granlabor]

Olá granlabor, quero agradecer pela resposta, vou estar testando essa solução na rb, porque por conta deste problema eu coloquei na rede o BFW para gerenciar o loadbalance, ai vou estar testando a solução na RB para verificar ok ! mas quero agradecer desde já e qualquer coisa eu posto aqui ! vlw

Obrigado pela gentileza de agradecer.

Boa sorte aí e depois posta como vc solucionou.

ZéAlves