Bridge Troubles

This router has been a personal experiment and I'm using it to learn.

I have a couple of issues and can't seem to find anything that relates to troubleshooting this. I would appreciate pointers and explanations as to why things aren't working as I had intended.
Trying to figure out why the bridge is passing packets through the firewall.
DNS server also does not respond to requests.


# 2023-11-10 13:01:02 by RouterOS 7.12rc7
# software id = X23X-V6AT
#
# model = C52iG-5HaxD2HaxD
# serial number = HE708ZJWWS4
# NOTE(review): the export header carries the software id and serial number; strip them before sharing an export publicly.
/interface bridge
# The only bridge on the box; its member ports are declared under "/interface bridge port" further down.
add igmp-snooping=yes multicast-querier=yes name=Bridge
/interface ethernet
# ether1 gets mtu=1492 (a PPPoE-sized MTU) although it is a LAN bridge member below and the ISP uplink is ether5;
# presumably a leftover from when ether1 was the WAN port - confirm and reset to 1500 if so.
set [ find default-name=ether1 ] arp-timeout=1d l2mtu=1500 mtu=1492
/interface list
# Interface lists used by the firewall and by detect-internet. In this export the WAN list has no members;
# ISP holds ether5 and LAN holds the bridge (WLAN is included into LAN).
add comment=defconf name=WAN
add name=ISP
add comment=Wireless name=WLAN
add comment=defconf include=WLAN name=LAN
/interface wifiwave2 datapath
# Shared datapath: both radios are bridged into "Bridge" and placed in the WLAN list.
# (The comment value "defcon" looks like a typo for "defconf".)
add bridge=Bridge comment=defcon disabled=no interface-list=WLAN name=\
    datapath
/interface wifiwave2 security
# Profile-level authentication-types is empty; each radio overrides it below.
# No passphrase appears in this export (export withholds sensitive values unless show-sensitive is used) - confirm one is set.
add authentication-types="" disabled=no name=OPTUSVD325F7A0
/interface wifiwave2
# 2.4 GHz radio: WPA2-PSK only (no WPA3), CCMP/GCMP ciphers. arp-timeout=5s is unusually short for a client-facing interface.
set [ find default-name=wifi2 ] arp-timeout=5s channel.band=2ghz-ax .width=\
    20/40mhz-Ce configuration.antenna-gain=8 .country=Australia .mode=ap \
    .ssid=OPTUSVD325F7A0 datapath=datapath disabled=no mtu=1500 name=2GHz \
    security=OPTUSVD325F7A0 security.authentication-types=wpa2-psk \
    .encryption=ccmp,gcmp,ccmp-256,gcmp-256
# 5 GHz radio: WPA3-PSK allowed alongside WPA2-PSK (transition mode), separate SSID.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40/80mhz \
    configuration.country=Australia .mode=ap .ssid=OPTUSVD325F7A0_5GHz \
    datapath=datapath disabled=no mtu=1500 name=5GHz security=OPTUSVD325F7A0 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256
/ip ipsec mode-config
# ProtonVPN IKEv2 client pieces. The peer, proposal, identity and policy are all disabled=yes in this
# export, so none of this is active right now.
add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
# dh-group offers modp1024 as a fallback; 1024-bit DH is considered weak - drop it and keep modp2048/modp4096.
# DPD is disabled, so a dead tunnel will not be detected from this side.
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
# The peer is referenced by DNS name, so bringing the tunnel up depends on the router's own resolver working.
add address=nl-free-145.protonvpn.net disabled=yes exchange-mode=ike2 name=\
    "ProtonVPN nl-free-145" profile=ProtonVPN
/ip ipsec proposal
# Phase 2: AES-256-CBC / SHA256 with pfs-group=none (no perfect forward secrecy on the child SAs).
add auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc lifetime=\
    0s name=ProtonVPN pfs-group=none
/ip pool
# DHCP pool .10-.254; the static leases at .100, .147, .253 and .254 declared later fall inside this range.
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# DHCP is served on the bridge, i.e. on every LAN port and both radios.
add add-arp=yes address-pool=dhcp_pool1 interface=Bridge name=dhcp1 \
    server-address=192.168.88.1
/ipv6 dhcp-server option
add code=12 name=Ident value=0x000001
/ipv6 dhcp-server option sets
add name=defcon options=Ident
/ipv6 pool
# Named "6-4" here, but "/ipv6 address" later references from-pool=6to4 - the names do not match.
# IPv6 is globally disabled under /ipv6 settings, so this is inert for now.
add name=6-4 prefix=::/80 prefix-length=96
/ppp profile
# PPP profile not referenced anywhere else in this export.
add bridge-path-cost=5 dns-server=10.7.0.1 name="Proto VPN" use-compression=\
    no
/queue type
# PCQ for bulk HTTP downloads: one sub-queue per dst-address+src-port, 80 KiB each, 1 MiB total.
add kind=pcq name=pcq-large-download pcq-burst-time=8s pcq-classifier=\
    dst-address,src-port pcq-limit=80KiB pcq-total-limit=1024KiB
/queue tree
# Shaping tree keyed on the packet marks set in "/ip firewall mangle".
# ISP_In is the download side (50M max, 57M burst); ISP_Out the upload side (20M max, 27M burst).
# Fasttracked connections bypass mangle, so they never land in these queues.
add name=ISP parent=global queue=ethernet-default
add bucket-size=0.08 burst-limit=57M burst-time=30s limit-at=20k max-limit=\
    50M name=ISP_In packet-mark=catchall_in parent=ISP priority=5 queue=\
    ethernet-default
add name=HTTP_in packet-mark=HTTP_In parent=ISP_In priority=7 queue=\
    pcq-large-download
add name=HTTP_Streaming_in packet-mark=HTTP_Streaming_in parent=ISP_In \
    priority=6 queue=pcq-download-default
# The DSTNAT_IN / DSTNAT_out packet marks are referenced here, but no mangle rule in this export sets them.
add name=DSTNAT_in packet-mark=DSTNAT_IN parent=ISP_In priority=2 queue=\
    pcq-download-default
add name=QUIC_in packet-mark=Quic_in parent=ISP_In priority=4 queue=\
    pcq-download-default
add bucket-size=0.08 burst-limit=27M burst-time=30s limit-at=20k max-limit=\
    20M name=ISP_Out packet-mark=catchall_out parent=ISP priority=5 queue=\
    ethernet-default
add name=DSTNAT_out packet-mark=DSTNAT_out parent=ISP_Out
add name=HTTP_out packet-mark=HTTP_out parent=ISP_Out
add name=HTTP_Streaming_out packet-mark=HTTP_Streaming_out parent=ISP_Out
add name=Quic_out packet-mark=Quic_out parent=ISP_Out
# LServer marks come from the add-src-to-address-list / mark-packet rules in mangle (the port-forwarded host .253).
add name=LServer_In packet-mark=LServer_IN parent=ISP_In priority=3
add name=LServer_Out packet-mark=LServer_OUT parent=ISP_Out
/dude
# The Dude server is enabled on the router itself - extra service on a small CPE; disable if unused.
set enabled=yes
/interface bridge port
# LAN side: ether1-4 and both radios are bridge members.
# ether5 (the ISP uplink) is listed but disabled=yes, which is what keeps the uplink out of the LAN broadcast domain.
add bridge=Bridge interface=ether2
add bridge=Bridge interface=ether3
add bridge=Bridge interface=ether4
add bridge=Bridge comment=ISP disabled=yes interface=ether5
add bridge=Bridge interface=2GHz
add bridge=Bridge interface=5GHz
add bridge=Bridge interface=ether1
/ip firewall connection tracking
# udp-timeout=4s and icmp-timeout=4s are very short; a UDP reply (e.g. a slow DNS answer) arriving after
# the entry expired is no longer matched as established/related and falls through to the drop rules.
set enabled=yes icmp-timeout=4s udp-timeout=4s
/ip neighbor discovery-settings
# Neighbor discovery only towards LAN - good.
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is off globally; everything under /ipv6 in this export is inert until this changes.
set disable-ipv6=yes
/interface detect-internet
# Reassigns interface lists automatically; with hand-maintained ISP/LAN lists this can fight the config
# (a reply in the thread recommends detect-interface-list=none).
set detect-interface-list=all internet-interface-list=ISP lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
# Bridge -> LAN, ether5 -> ISP. Nothing is placed in WAN.
add interface=Bridge list=LAN
add interface=ether5 list=ISP
/ip address
add address=192.168.88.1/24 comment=defconf interface=Bridge network=\
    192.168.88.0
/ip dhcp-client
# use-peer-dns=no: the ISP's resolvers are not taken, and "/ip dns" later sets no servers= either,
# so no upstream resolver for the router itself is visible in this export.
add comment=ISP interface=ether5 use-peer-dns=no
/ip dhcp-server lease
# Static leases; .253 is the port-forward target "LServer" and .254 the game-server host used by the dst-nat rules.
add address=192.168.88.147 client-id=1:2c:26:17:e7:ec:4f comment=\
    "Occulus Rift 2" mac-address=2C:26:17:E7:EC:4F
add address=192.168.88.100 client-id=1:dc:e9:94:1b:42:37 comment=\
    "Brother MFC-L2713DW - Study" mac-address=DC:E9:94:1B:42:37
add address=192.168.88.253 mac-address=54:80:28:4B:3A:58
add address=192.168.88.254 client-id=1:d4:5d:64:55:1f:fa mac-address=\
    D4:5D:64:55:1F:FA
/ip dhcp-server network
# Clients are handed 1.1.1.1 / 8.8.4.4 directly, so LAN hosts never ask the router's DNS at all;
# the router is only advertised as gateway and NTP server.
add address=192.168.88.0/24 dns-server=1.1.1.1,8.8.4.4 gateway=192.168.88.1 \
    ntp-server=192.168.88.1
/ip dns
# No servers= and no use-doh-server= appear here (a later reply mentions a DoH FQDN, so that may have
# been added after this export), and allow-remote-requests is left at its default (no): the router
# has nowhere to forward queries and will not answer LAN clients. To serve the LAN: set an upstream
# (servers=<upstream IP>, or a DoH URL plus a static entry / IP-based upstream so its FQDN can be
# resolved) and allow-remote-requests=yes; the input-chain drop for !LAN keeps port 53 LAN-only.
set cache-max-ttl=3d verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=127.0.0.1 name=localhost
/ip firewall address-list
# FQDN entries are resolved by the router's own DNS client, so these lists stay empty while the resolver is broken.
add address=dns.google list="Google DNS"
add address=discord.com list=Discord
add address=6136c3852a51.duckdns.org list=DuckDNS
add address=cloudflare-dns.com list=Cloudflare
/ip firewall filter
# FastTrack is restricted to connection-mark=DNS (defconf fasttracks every established/related flow).
# The DNS mark is only set in mangle's output chain, i.e. on the router's own lookups, which never
# traverse forward - so in practice this rule fasttracks nothing. If the intent is to keep traffic
# in the queue tree, that is fine; otherwise drop the connection-mark condition.
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-mark=DNS connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
# ---- input chain (traffic to the router itself) ----
# Missing compared to defconf: there is no
#   add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
#   add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Without the first rule, replies to connections the router itself opens (its own DNS/DoH lookups,
# NTP, IPsec) arrive on ether5 (list ISP), match none of the accepts below and are dropped by
# "drop all not coming from LAN". That is consistent with the router being unable to resolve
# anything. Add both rules above the ICMP accept.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Only dst-nat'ed new connections are allowed in from ISP; this is what limits the exposed
# services to exactly the enabled dst-nat forwards.
add action=drop chain=forward comment=\
    "defconf: drop all from ISP not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=ISP
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    in-interface-list=!ISP
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
# Everything else to the router is dropped unless it came in via LAN - the only thing keeping the
# management services not disabled under /ip service off the internet.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Redundant: related connections are already accepted by the established,related rule at the top of forward.
add action=accept chain=forward connection-state=related in-interface-list=\
    ISP
/ip firewall mangle
# Router-originated DNS (udp/tcp 53) is connection-marked "DNS" in output and then fasttracked.
# Output chain only sees the router's own traffic, so LAN clients' queries (which go straight to the
# resolvers handed out by DHCP) are not covered by these rules.
add action=mark-connection chain=output comment=DNS dst-port=53 \
    new-connection-mark=DNS passthrough=yes protocol=udp
add action=mark-connection chain=output dst-port=53 new-connection-mark=DNS \
    passthrough=yes protocol=tcp
add action=fasttrack-connection chain=output connection-mark=DNS
# Every external source that has reached the dst-nat'ed host .253 is recorded in LServer-DSTNat for 4h
# (effectively a visitor list for the exposed tcp/2223 and tcp/81 forwards). log-prefix has no effect
# without log=yes.
add action=add-src-to-address-list address-list=LServer-DSTNat \
    address-list-timeout=4h chain=forward comment=LServer \
    connection-nat-state=dstnat connection-state=established,related \
    dst-address=192.168.88.253 fragment=no in-interface-list=ISP log-prefix=\
    LServer-DSTNat
add action=add-src-to-address-list address-list=LServer-DSTNat \
    address-list-timeout=5m chain=input connection-nat-state=dstnat \
    connection-state=new dst-address=192.168.88.253 in-interface-list=ISP
# passthrough=no: ICMP from outside gets mark "ICMP" and leaves mangle here, so it never receives the
# "ISP" catch-all connection mark below. No queue references the ICMP mark in this export.
add action=mark-connection chain=prerouting comment="Mark ICMP" \
    connection-state=established,related,new in-interface-list=!LAN \
    new-connection-mark=ICMP passthrough=no protocol=icmp
# Connections from previously-seen LServer visitors get their own mark and their own queue branch.
add action=mark-connection chain=forward comment=LServer connection-state=\
    related,new new-connection-mark=LServer passthrough=yes src-address-list=\
    LServer-DSTNat
add action=mark-packet chain=prerouting connection-mark=LServer \
    in-interface-list=ISP new-packet-mark=LServer_IN passthrough=no
add action=mark-packet chain=forward connection-mark=LServer new-packet-mark=\
    LServer_OUT out-interface-list=ISP passthrough=no
# HTTP/HTTPS (tcp 80,443) and QUIC (udp 80,443), classified by destination port only.
add action=mark-connection chain=forward comment="Mark HTTP" \
    connection-state=related,new dst-port=80,443 new-connection-mark=HTTP \
    passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=related,new \
    dst-port=80,443 new-connection-mark=QUIC passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=HTTP \
    in-interface-list=ISP new-packet-mark=HTTP_In passthrough=no
add action=mark-packet chain=forward connection-mark=HTTP new-packet-mark=\
    HTTP_out out-interface-list=ISP passthrough=no
add action=mark-packet chain=prerouting connection-mark=QUIC \
    in-interface-list=ISP new-packet-mark=Quic_in passthrough=no
add action=mark-packet chain=forward connection-mark=QUIC new-packet-mark=\
    Quic_out out-interface-list=ISP passthrough=no
# Port 1935 (RTMP) in either direction (port= matches src or dst) is treated as streaming.
add action=mark-connection chain=forward comment="Mark HTTP_Streaming" \
    connection-state=related,new new-connection-mark=HTTP_Streaming \
    passthrough=yes port=1935 protocol=tcp
add action=mark-connection chain=forward connection-state=related,new \
    new-connection-mark=HTTP_Streaming passthrough=yes port=1935 protocol=udp
add action=mark-packet chain=prerouting connection-mark=HTTP_Streaming \
    in-interface-list=ISP new-packet-mark=HTTP_Streaming_in passthrough=yes
add action=mark-packet chain=forward connection-mark=HTTP_Streaming \
    new-packet-mark=HTTP_Streaming_out out-interface-list=ISP passthrough=yes
# Catch-all: anything from !LAN still carrying no-mark becomes "ISP". "untracked" in the state list
# is presumably moot - an untracked packet has no connection entry to carry a mark.
add action=mark-connection chain=input comment=ISP connection-mark=no-mark \
    connection-state=established,related,new,untracked in-interface-list=!LAN \
    new-connection-mark=ISP passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=established,related,new,untracked in-interface-list=!LAN \
    new-connection-mark=ISP passthrough=yes
# catchall_in is applied only in the input chain (router-destined traffic); forwarded downloads that
# carry the ISP mark never get it - compare with catchall_out below, which is set in forward. Presumably
# unintended; confirm which traffic ISP_In is meant to shape.
add action=mark-packet chain=input connection-mark=ISP in-interface-list=ISP \
    new-packet-mark=catchall_in passthrough=yes
add action=mark-packet chain=forward connection-mark=ISP new-packet-mark=\
    catchall_out out-interface-list=ISP passthrough=yes
/ip firewall nat
# Outbound NAT on the ISP list; the WAN variant below is disabled (the WAN list has no members anyway).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=ISP
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
# Disabled src-nat rules translating between 192.168.88.0/24 and 192.168.89.0/24 - inert, presumably a leftover experiment.
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.89.0/24 \
    src-address=192.168.88.0/24 to-addresses=192.168.89.0/24
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.88.0/24 \
    src-address=192.168.89.0/24 to-addresses=192.168.88.0/24
# ---- port forwards currently ENABLED (internet-reachable services) ----
# tcp/2223 -> .253 (SSH) and tcp/81 -> .253, plus tcp+udp/25565 -> .254 (Minecraft). Everything else in
# this section is disabled=yes. Exposure is bounded by the forward-chain "drop all from ISP not DSTNATed"
# filter rule. log-prefix without log=yes logs nothing.
add action=dst-nat chain=dstnat comment="SSH - LServer" dst-port=2223 \
    in-interface-list=ISP log-prefix=LServer-DSTNat protocol=tcp \
    to-addresses=192.168.88.253 to-ports=2223
add action=dst-nat chain=dstnat dst-port=81 in-interface-list=ISP protocol=\
    tcp to-addresses=192.168.88.253 to-ports=81
# ---- disabled forwards to .254 (kept for reference) ----
add action=dst-nat chain=dstnat comment=Icecast disabled=yes dst-port=8000 \
    in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 to-ports=\
    8000
add action=dst-nat chain=dstnat comment=Neverwinter disabled=yes dst-port=\
    5121 in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 \
    to-ports=5121
add action=dst-nat chain=dstnat disabled=yes dst-port=6667 in-interface-list=\
    ISP protocol=udp to-addresses=192.168.88.254 to-ports=6667
add action=dst-nat chain=dstnat disabled=yes dst-port=28900 \
    in-interface-list=ISP protocol=udp to-addresses=192.168.88.254 to-ports=\
    28900
add action=dst-nat chain=dstnat disabled=yes dst-port=27900 \
    in-interface-list=ISP protocol=udp to-addresses=192.168.88.254 to-ports=\
    27900
add action=dst-nat chain=dstnat disabled=yes dst-port=6500 in-interface-list=\
    ISP protocol=udp to-addresses=192.168.88.254 to-ports=6500
add action=dst-nat chain=dstnat disabled=yes dst-port=5300 in-interface-list=\
    ISP protocol=udp to-addresses=192.168.88.254 to-ports=5300
add action=dst-nat chain=dstnat disabled=yes dst-port=512 in-interface-list=\
    ISP protocol=udp to-addresses=192.168.88.254 to-ports=512
add action=dst-nat chain=dstnat comment=Factorio disabled=yes dst-port=34197 \
    in-interface-list=ISP protocol=udp to-addresses=192.168.88.254 to-ports=\
    34197
add action=dst-nat chain=dstnat disabled=yes dst-port=34197 \
    in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 to-ports=\
    34197
add action=dst-nat chain=dstnat disabled=yes dst-port=61621 \
    in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 to-ports=\
    61621
add action=dst-nat chain=dstnat comment=SotS disabled=yes dst-port=3369 \
    in-interface-list=ISP protocol=udp to-addresses=192.168.88.254 to-ports=\
    3369
# Exact duplicate of the SotS rule above (both disabled).
add action=dst-nat chain=dstnat disabled=yes dst-port=3369 in-interface-list=\
    ISP protocol=udp to-addresses=192.168.88.254 to-ports=3369
# ENABLED: Minecraft tcp+udp/25565 -> .254
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 to-ports=\
    25565
add action=dst-nat chain=dstnat dst-port=25565 in-interface-list=ISP \
    protocol=udp to-addresses=192.168.88.254 to-ports=25565
add action=dst-nat chain=dstnat comment=Starbound disabled=yes dst-port=21025 \
    in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 to-ports=\
    21025
add action=dst-nat chain=dstnat comment=Steam disabled=yes dst-port=27015 \
    in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 to-ports=\
    27015
add action=dst-nat chain=dstnat disabled=yes dst-port=27036 \
    in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 to-ports=\
    27036
add action=dst-nat chain=dstnat disabled=yes dst-port=27031-27036 \
    in-interface-list=ISP protocol=udp to-addresses=192.168.88.254 to-ports=\
    27031-27036
add action=dst-nat chain=dstnat disabled=yes dst-port=27015 \
    in-interface-list=ISP protocol=udp to-addresses=192.168.88.254 to-ports=\
    27015
add action=dst-nat chain=dstnat comment="Skyrim: Together" disabled=yes \
    dst-port=10578 in-interface-list=ISP protocol=udp to-addresses=\
    192.168.88.254 to-ports=10578
add action=dst-nat chain=dstnat comment=Veloren disabled=yes dst-port=14004 \
    in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 to-ports=\
    14004
add action=dst-nat chain=dstnat disabled=yes dst-port=14004 \
    in-interface-list=ISP protocol=udp to-addresses=192.168.88.254 to-ports=\
    14004
add action=dst-nat chain=dstnat disabled=yes dst-port=14005 \
    in-interface-list=ISP protocol=tcp to-addresses=192.168.88.254 to-ports=\
    14005
/ip firewall service-port
# NAT helpers (ALGs) for FTP/TFTP/H.323/PPTP turned off - good hardening: fewer conntrack helpers parsing untrusted payloads.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip ipsec identity
# ProtonVPN EAP-MSCHAPv2 identity (disabled). The export contains the EAP username in clear; no password
# appears, but the username is still account-identifying - treat a pasted export as sensitive.
add auth-method=eap certificate=ca_ovpn-import1693628031 disabled=yes \
    eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=\
    ProtonVPN peer="ProtonVPN nl-free-145" policy-template-group=ProtonVPN \
    username=G7UwvJEhNKNOWvBt
/ip ipsec policy
add comment="Proton VPN" disabled=yes group=ProtonVPN proposal=ProtonVPN \
    template=yes
/ip service
# telnet/ftp/www/ssh off. winbox, www-ssl, api and api-ssl are not mentioned, i.e. at their defaults; they
# are kept off the internet only by the input-chain "drop all not coming from LAN" filter rule.
# Consider address= restrictions on the remaining services as a second layer.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip smb
# "*8" is a dangling reference to an interface that no longer exists (presumably the deleted default bridge).
set interfaces=*8
/ip upnp
# UPnP lets LAN hosts open inbound port mappings on their own. Its interface config below is wrong:
# external=ether1 is a LAN bridge member, not the ISP uplink (ether5), and internal=*8 is dangling.
# Either disable UPnP or set external=ether5 internal=Bridge.
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=*8 type=internal
/ipv6 address
# References pool "6to4" (the pool is actually named "6-4") on the dangling interface *8; inert while IPv6 is disabled.
add address=::/96 advertise=no from-pool=6to4 interface=*8
/ipv6 firewall address-list
# Stock defconf bogon list; inert while /ipv6 settings has disable-ipv6=yes.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Stock defconf IPv6 filter. Note that this input chain does include "accept established,related,untracked"
# and "drop invalid" - the IPv4 input chain in this export lacks both.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
# Both ND entries point at the dangling interface *8.
set [ find default=yes ] interface=*8 managed-address-configuration=yes \
    other-configuration=yes ra-lifetime=none
/ipv6 nd prefix
add interface=*8
/system clock
set time-zone-name=Australia/Brisbane
/system logging
# Extra debug logging targets, all disabled.
add disabled=yes topics=ovpn,debug
add disabled=yes topics=ipsec,info
add disabled=yes topics=dns,debug
add disabled=yes topics=debug,!packet
/system note
set show-at-login=no
/system ntp client
# The router syncs from AU/Oceania pools and serves NTP to the LAN (DHCP advertises 192.168.88.1 as
# ntp-server). The pool entries are FQDNs, so time sync also depends on the router's DNS working.
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=0.au.pool.ntp.org
add address=0.oceania.pool.ntp.org
add address=1.oceania.pool.ntp.org
add address=2.oceania.pool.ntp.org
/system watchdog
set ping-start-after-boot=4h watchdog-timer=no
/tool graphing
set store-every=hour
/tool mac-server
# MAC-telnet and MAC-winbox restricted to LAN - good.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Packets from where to where?

Since your posted setup heavily deviates from the defaults, I strongly suggest you disable detect-internet, i.e. /interface/detect-internet/set detect-interface-list=none.

As to DNS: you’re heavily mangling stuff, including DNS packets in the output chain. Using the output chain is unusual to begin with, so either you know what you’re trying to achieve (I’ve no idea what that is), or you don’t, in which case remove those rules and see if things get any better.

Thanks for the response mkx,

I’ve done as you suggested and disabled detect-internet.

This should all be LAN side.

I'll see if I can rephrase my issue, as I should have been clearer.

I'm unable to get the DNS server to resolve anything; I believe it's because I removed the bridge that the router had set up in the default config during my experiments. Now that I have a new bridge, the DNS server does not respond to any requests, nor can it resolve anything.

I'm not against rebuilding the router config. I'm just looking for why things are not working, for my own understanding.
Capture.PNG

I don’t use DoH, so I can’t give you a definitive answer here. But: your setup uses the FQDN of the DoH server … so before the DoH client on your router can resolve anything, it has to resolve the FQDN of the DoH server itself. Do you see the chicken-and-egg problem? There are a few ways out: one is to set a static DNS entry for the DoH server’s FQDN. Another is to use the DoH server’s IP address (I don’t know whether this actually works; the DoH server might need the correct SNI). Probably the most correct one is to configure the ROS DNS client with the IP address of a traditional DNS server; AFAIK DoH (once the client is up and running) takes precedence over traditional DNS in ROS, meaning traditional DNS would ideally only be used to resolve the DoH server’s FQDN.

But: this problem has nothing to do with the bridge on your device, so the thread title is misleading. If you can, edit the thread title to reflect the problem correctly; that way you may attract users with DoH experience to help you.