Hello!
Since my HeX router is located outside the apartment and because I cannot change wires inside the apartment, I have some unusual set-up with two Mikrotik routers in a single network.
I need a single network because TVs should see the Media Server connected to the second router and as far as I understand it’s can be done only in one network segment.
Current network configuration:
The problem is that some sites (https://www.tumblr.com/, https://m.vk.com/ and many others) are not opening from devices that are connected to the HaP AC router but being loaded perfectly from devices connected to the HeX router. Ping to these hosts returns OK:
Pinging m.vk.com [87.240.129.76] with 32 bytes of data:
Reply from 87.240.129.76: bytes=32 time=38ms TTL=52
Reply from 87.240.129.76: bytes=32 time=38ms TTL=52
Reply from 87.240.129.76: bytes=32 time=38ms TTL=52
Reply from 87.240.129.76: bytes=32 time=38ms TTL=52
I’m sure that I have some issues in my configurations, but I can’t understand what should I change exactly. As I see there are not firewall rules that reject this traffic.
Please help me!
HeX config:
# apr/01/2018 13:11:11 by RouterOS 6.41
# software id = 5ZAW-5PBP
#
# model = RouterBOARD 750G r3
# serial number = 6F3807E66702
/interface bridge
add admin-mac=64:D1:54:14:B2:35 auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=60 \
name=pppoe-out1 password=xxxxxx service-name=MTS use-peer-dns=yes user=\
xxxxxxxxxx
/interface eoip
add keepalive=3m10s mac-address=02:BF:09:2B:8A:58 name=eoip-tunnel1 \
remote-address=xxxxxxxxxxx.sn.mynetname.net tunnel-id=1
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.99
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge1 name=defconf
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=eoip-tunnel1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=pppoe-out1 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge1 network=\
192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward in-interface=bridge1
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=pppoe-out1
/system clock
set time-zone-name=Europe/Saratov
/system identity
set name=GATEWAY
/system routerboard mode-button
set enabled=no on-event=""
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Hap AC config:
# apr/01/2018 13:18:14 by RouterOS 6.41
# software id = Q7PY-HEHT
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6F1207121469
/interface bridge
add admin-mac=64:D1:54:16:78:D7 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-1678DD wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
ap-bridge ssid=MikroTik-1678DC wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xxxxxxxxxxx \
wpa2-pre-shared-key=xxxxxxxxxxx
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.200
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf disabled=yes hw=no interface=sfp1
add bridge=bridge comment=defconf hw=no interface=wlan1
add bridge=bridge comment=defconf hw=no interface=wlan2
add bridge=bridge comment=test hw=no interface=ether3
add bridge=bridge comment=test hw=no interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge comment=test1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/ip address
add address=192.168.0.207/24 interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
bridge
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.50 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=accept chain=forward in-interface=bridge
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
out-interface=ether1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Saratov
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox