Android Connection Issues

joepineapples · April 17, 2026, 12:21am

Hello there. I’ve just replaced an rb2011 with an rb5009. My hardware is as follows:

Modem to rb5009 SFP+ port.
Ether1 to Ubiquiti 16 Port switch

Access points are also Ubiquiti hardware, and are connected to the Ubiquiti switch.

Everything works as expected, with the exception of two Android phones (a Pixel 4a and a pixel 7). Both will connect to the access points successfully, but will not initially have internet access through the wireless network.

All other devices work as expected. Any idea what I may be doing wrong?

# 2026-04-17 06:24:44 by RouterOS 7.22.1
# software id = 4YR7-PF94
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1514 poe-out=off
set [ find default-name=ether2 ] l2mtu=1514
set [ find default-name=ether3 ] l2mtu=1514
set [ find default-name=ether4 ] l2mtu=1514
set [ find default-name=ether5 ] l2mtu=1514
set [ find default-name=ether6 ] l2mtu=1514
set [ find default-name=ether7 ] l2mtu=1514
set [ find default-name=ether8 ] l2mtu=1514
set [ find default-name=sfp-sfpplus1 ] l2mtu=1514
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus1 name=pppoe-out1 \
    service-name=xxxx use-peer-dns=yes user=xxxxxxxxxxxxxx
/interface wireguard
add listen-port=13232 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
add comment="Wireguard range" name=wg_pool ranges=192.168.100.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=wg1 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=192.168.100.2/32 \
    client-allowed-address=0.0.0.0/0 interface=wg1 name="Matt - phone" \
    public-key="6IZvPq9zqx8YqyQ4obBTXeLPGpPGnArhAwODBmTiMlA="
/ip address
add address=192.168.0.1/23 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.100.1/24 interface=wg1 network=192.168.100.0
/ip dhcp-client
add comment=defconf disabled=yes interface=sfp-sfpplus1 name=ether1
/ip dhcp-server lease
add address=192.168.0.17 client-id=1:18:e8:29:bb:1b:ff mac-address=\
    18:E8:29:BB:1B:FF server=defconf
add address=192.168.0.22 client-id=1:74:83:c2:48:fd:c7 mac-address=\
    74:83:C2:48:FD:C7 server=defconf
add address=192.168.0.16 client-id=1:b4:fb:e4:e2:c1:47 mac-address=\
    B4:FB:E4:E2:C1:47 server=defconf
add address=192.168.0.19 client-id=1:34:7e:5c:3a:5:30 mac-address=\
    34:7E:5C:3A:05:30 server=defconf
add address=192.168.0.18 client-id=1:48:a6:b8:27:25:c6 mac-address=\
    48:A6:B8:27:25:C6 server=defconf
add address=192.168.0.25 comment=NAS mac-address=24:5E:BE:62:3D:55 server=\
    defconf
add address=192.168.0.30 client-id=1:bc:24:11:e5:bb:fa mac-address=\
    BC:24:11:E5:BB:FA server=defconf
/ip dhcp-server network
add address=192.168.0.0/23 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.1 netmask=23
/ip dns
set allow-remote-requests=yes query-server-timeout=4s
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13232 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Somewhere/Anywhere
/system identity
set name=router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

CGGXANNX · April 17, 2026, 5:22am

Hi, you should edit the export and redact the serial number. You export seems to be truncated, it stops after the IPv6 filter rules. Could you please post the rest?

Also, under /ip dns, do not set 192.168.0.1 and 192.168.100.1 in the servers property. The servers property is used to list static upstream DNS server, not your own router's addresses.

joepineapples · April 18, 2026, 2:51am

Thank you. I’ve updated DNS settings and updated the config settings you asked for.