Android Connection Issues

Hello there. I’ve just replaced an rb2011 with an rb5009. My hardware is as follows:

  • Modem to rb5009 SFP+ port.
  • Ether1 to Ubiquiti 16 Port switch

Access points are also Ubiquiti hardware, and are connected to the Ubiquiti switch.

Everything works as expected, with the exception of two Android phones (a Pixel 4a and a pixel 7). Both will connect to the access points successfully, but will not initially have internet access through the wireless network.

All other devices work as expected. Any idea what I may be doing wrong?

# RouterOS export: RB5009 acting as a PPPoE router with one flat bridge LAN
# (192.168.0.0/23) and a WireGuard server (wg1) that is treated as part of LAN.
# Firewall rules below are order-dependent; read each chain top to bottom.
# 2026-04-17 06:24:44 by RouterOS 7.22.1
# software id = 4YR7-PF94
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 is the uplink to the switch (PoE disabled); the modem is on sfp-sfpplus1.
set [ find default-name=ether1 ] l2mtu=1514 poe-out=off
set [ find default-name=ether2 ] l2mtu=1514
set [ find default-name=ether3 ] l2mtu=1514
set [ find default-name=ether4 ] l2mtu=1514
set [ find default-name=ether5 ] l2mtu=1514
set [ find default-name=ether6 ] l2mtu=1514
set [ find default-name=ether7 ] l2mtu=1514
set [ find default-name=ether8 ] l2mtu=1514
set [ find default-name=sfp-sfpplus1 ] l2mtu=1514
/interface pppoe-client
# WAN: PPPoE over the SFP+ port; the default route and upstream DNS come from the ISP.
add add-default-route=yes disabled=no interface=sfp-sfpplus1 name=pppoe-out1 \
    service-name=xxxx use-peer-dns=yes user=xxxxxxxxxxxxxx
/interface wireguard
# WireGuard listens on UDP/13232; the matching input accept rule is in the filter section.
add listen-port=13232 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
# DHCP pool: only 192.168.0.10-254, i.e. a /24 worth of addresses, although the
# bridge address and DHCP network below are /23 (192.168.0.0-192.168.1.255).
add name=dhcp ranges=192.168.0.10-192.168.0.254
# wg_pool is not referenced by any dhcp-server in this export (defconf uses pool
# "dhcp"); WireGuard peers get their address from the peer entry, not from a pool.
add comment="Wireguard range" name=wg_pool ranges=192.168.100.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/disk settings
# NOTE(review): auto-smb-sharing/auto-media-sharing on the bridge publishes any
# attached disk to the whole LAN via SMB; keep only if that is intended.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
# wg1 is a LAN member, so WireGuard clients already pass the final
# "drop all not coming from LAN" input rule and get the same router access as wired clients.
add interface=wg1 list=LAN
/interface wireguard peers
# NOTE(review): allowed-address=0.0.0.0/0 means packets from this peer are
# accepted with any source address; for a single phone the peer's own address
# (192.168.100.2/32) is the usual value. client-* fields are only exported
# config for the phone and do not affect what the router accepts.
# A WireGuard public key is not secret, but it identifies the peer; consider
# redacting it in public posts along with the serial number.
add allowed-address=0.0.0.0/0 client-address=192.168.100.2/32 \
    client-allowed-address=0.0.0.0/0 interface=wg1 name="Matt - phone" \
    public-key="6IZvPq9zqx8YqyQ4obBTXeLPGpPGnArhAwODBmTiMlA="
/ip address
# Bridge LAN is /23 here, while the DHCP pool above only spans 192.168.0.x.
add address=192.168.0.1/23 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.100.1/24 interface=wg1 network=192.168.100.0
/ip dhcp-client
# Leftover default DHCP client on the WAN port; disabled because PPPoE is used instead.
add comment=defconf disabled=yes interface=sfp-sfpplus1 name=ether1
/ip dhcp-server lease
add address=192.168.0.17 client-id=1:18:e8:29:bb:1b:ff mac-address=\
    18:E8:29:BB:1B:FF server=defconf
add address=192.168.0.22 client-id=1:74:83:c2:48:fd:c7 mac-address=\
    74:83:C2:48:FD:C7 server=defconf
add address=192.168.0.16 client-id=1:b4:fb:e4:e2:c1:47 mac-address=\
    B4:FB:E4:E2:C1:47 server=defconf
add address=192.168.0.19 client-id=1:34:7e:5c:3a:5:30 mac-address=\
    34:7E:5C:3A:05:30 server=defconf
add address=192.168.0.18 client-id=1:48:a6:b8:27:25:c6 mac-address=\
    48:A6:B8:27:25:C6 server=defconf
add address=192.168.0.25 comment=NAS mac-address=24:5E:BE:62:3D:55 server=\
    defconf
add address=192.168.0.30 client-id=1:bc:24:11:e5:bb:fa mac-address=\
    BC:24:11:E5:BB:FA server=defconf
/ip dhcp-server network
# Clients are told netmask /23 and use the router for DNS and as gateway.
add address=192.168.0.0/23 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.1 netmask=23
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything the input
# chain lets through; the input chain below limits that to LAN (bridge + wg1).
set allow-remote-requests=yes query-server-timeout=4s
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Input chain. Rules are evaluated in order; the last rule drops non-LAN traffic.
# WireGuard handshake/data port, needed from WAN.
add action=accept chain=input comment="allow WireGuard" dst-port=13232 \
    protocol=udp
# NOTE(review): this rule matches on source address only (no in-interface),
# so it also accepts packets arriving on the WAN with a spoofed 192.168.100.x
# source; adding in-interface=wg1 restricts it to real tunnel traffic. With wg1
# already in the LAN list it is also redundant for genuine WireGuard clients.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything from LAN (bridge, wg1) that reaches this point is implicitly accepted,
# including management services; there is no separate admin-only accept rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: default config, plus fasttrack for established/related flows.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default IPv6 rule set; no /ipv6 address or DHCPv6 client appears in this
# export, so whether IPv6 is actually in use cannot be told from here.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Somewhere/Anywhere
/system identity
set name=router
/tool mac-server
# MAC-level management (mac-telnet, MAC WinBox) is limited to LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hi, you should edit the export and redact the serial number. Your export seems to be truncated: it stops after the IPv6 filter rules. Could you please post the rest?

Also, under /ip dns, do not set 192.168.0.1 and 192.168.100.1 in the servers property. The servers property is used to list static upstream DNS servers, not your own router's addresses.

Thank you. I've updated the DNS settings and made the config changes you asked for.

Thank you. I don't see anything unusual with your configuration. Are those two Android devices part of the list of static DHCP leases in the export above? If yes, you could check your LAN for other devices that might have the same IP addresses manually configured.

They are — there are no differences between these devices and any other devices connecting to the same network. However, on further investigation I can see that the Ubiquiti hardware sees 192.168.1.0/24 as the subnet from the host, rather than 192.168.0.0/23. I have tested this by setting up a spare rb4011 as a wireless access point: devices connecting to it are able to connect immediately and without issue. It's only affecting two devices, but I'm baffled as to why that is happening.

What I meant was to make sure that, for example, if you give the Pixel 7 the 192.168.0.19 IP address via DHCP (static lease), then absolutely no other device in the network also has that same address (it could be a device that does not use DHCP but has its address manually configured instead). In such IP-conflict cases, the phone might lose the ARP race.

On the router, go to the IP -> ARP table and check which MAC address is currently associated with the IP address you expect for the phone. Is the listed MAC address the one of the phone or something else?

Observations:

  1. Why does WireGuard have a DHCP pool? It is not required; please remove it.

  2. Why do the peer settings use 0.0.0.0/0? allowed-address should be used solely for identifying the peer, and in this case
    it should be something like this (I normally remove, or do not add, the client settings — they just confused me, even when looking at my own config! Remove any keys as good practice for display):
    /interface wireguard peers
    add allowed-address=192.168.100.2/32 interface=wg1 name="Matt - phone" \
    public-key="++++"

  3. Not sure why your bridge LAN address is /23, as the pool doesn't reflect it and looks more like the normal /24 subnet.

  4. I typically put all the admin rules after the default "keeper" input-chain rules — personal preference!
    So your two WireGuard-related rules would go after the accept-loopback rule, for example.
    Note that if you give WireGuard access to others, they will also have access to the router, which is typically not advised for non-admins; but of course they will need access to DNS if they use the router's WAN.
    In that vein, you currently allow all users on the LAN to reach the router, both for DNS (i.e. router services) and for configuring the router. For good security practice one should only allow admins to reach the router for config purposes, so construct a firewall address list of the (admin) LAN IPs and WireGuard IPs and use it on the input chain in an accept rule.
    Modify the other rules to allow the LAN interface list access to DNS (UDP and TCP), after adding WireGuard to the LAN interface list.
    Last rule: drop all else.

  5. If not using IPv6, then remove all the IPv6 firewall address lists and rules save for two:
    add chain=input action=drop
    add chain=forward action=drop
    and also disable the IPv6 services.

Thank you, I have resolved it with your help and the help of others in this thread.

I realised that I had assumed that IP pools had to cover all available IP ranges, rather than just the DHCP ranges. I removed all of those and ensured that 192.168.0.0/24 was the only entry. I corrected the subnet and made sure that the DNS settings were configured correctly. It's now working as expected.