Can ping IP's/Websites, but no internet.

I absolutely desperately need to solve this issue, so I’m going to try this again now that I’ve narrowed down my problem a bit.

RBM11G + Quectel RM502Q-AE + Tmobile

This modem was working since December, but stopped working a few weeks ago. After it stopped working, I could still ping IP’s from PC, but not addresses. I could ping both in winbox. I’ve since tweaked my configuration and can now ping both from my PC, but I still have no internet. This isn’t isolated to my PC, but my asus router and all devices. Winbox even times out when searching for updates, so I assume the modem itself lacks the internet as well.

My configuration tweak was removing the DNS servers I had originally set, 8.8.8.8/8.8.4.4. Another tweak that was recommended was setting the DNS to 192.168.88.1 and turning “allow remote requests” on.

Configuration:

EDIT: Sorry, I wasn’t aware export didn’t do the full configuration. Here’s the full export verbose configuration.

# may/08/2022 19:34:15 by RouterOS 7.2.2
#
# model = RBM11G
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default loop-protect-disable-time=\
    5m loop-protect-send-interval=5s mac-address=48:8F:5A:C6:E8:42 mtu=1500 name=ether1 orig-mac-address=48:8F:5A:C6:E8:42 rx-flow-control=\
    off speed=1Gbps tx-flow-control=off
/interface ethernet switch
set 0 !cpu-flow-control l3-hw-offloading=no mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 !egress-rate !ingress-rate
set 1 !egress-rate !ingress-rate
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
add exclude="" include="" name=WAN
add exclude="" include="" name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=fast.t-mobile.com authentication=none default-route-distance=2 ip-type=auto name=default \
    use-network-apn=no use-peer-dns=yes
/interface lte
set [ find ] allow-roaming=no apn-profiles=default band="" disabled=no !modem-init mtu=1472 name=lte1 network-mode=3g,lte,5g nr-band=""
/queue interface
set lte1 queue=no-queue
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m \
    interim-update=0s management-protection=disabled mode=none mschapv2-username="" name=default radius-called-format=mac:ssid \
    radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=\
    XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none \
    static-sta-private-algo=none static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=flash/hotspot html-directory-override="" http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d \
    name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default \
    pfs-group=modp1024
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=yes disabled=no interface=ether1 lease-script="" lease-time=10m name=dhcp1 use-radius=no
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none stop-bits=1
set 1 baud-rate=auto data-bits=8 flow-control=none name=usb2 parity=none stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default \
    use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up=\
    "" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
    use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=\
    none write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
    syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy,!dude \
    skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy,!dude \
    skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!dude \
    skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=static lldp-med-net-policy-vlan=disabled protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=4096
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface list member
add disabled=no interface=lte1 list=WAN
add disabled=no interface=ether1 list=LAN
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 mac-address=\
    FE:F2:D3:CA:07:92 max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp require-client-certificate=no tls-version=any
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=\
    1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" caps-man-names="" certificate=none discovery-interfaces="" \
    enabled=no interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no \
    streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip address
add address=192.168.88.1/24 comment=defconf disabled=no interface=ether1 network=192.168.88.0
/ip cloud
set ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dhcp-server network
add address=192.168.88.0/24 caps-manager="" dhcp-option="" dns-server="" gateway=192.168.88.1 !next-server ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
    max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:65 out-interface=lte1 passthrough=yes
add action=change-ttl chain=prerouting in-interface=lte1 new-ttl=set:65 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1 !to-addresses !to-ports
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any vrf=main
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/flash/pub disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=64k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 \
    sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=\
    yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes \
    nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes \
    src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no dns="" hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=\
    unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/snmp
set contact="" enabled=no engine-id="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1
/system clock
set time-zone-autodetect=no time-zone-name=US/Central
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system identity
set name="MikroTik Modem"
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=unicast servers=""
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
/system resource irq rps
set ether1 disabled=no
/system resource usb settings
set authorization=no
/system routerboard settings
set auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=bootp disable-pci=no force-backup-booter=no protected-routerboot=\
    disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set address=0.0.0.0 from=<> port=25 tls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-interface="" filter-ip-address="" filter-ip-protocol="" \
    filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" filter-size="" \
    filter-stream=no memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

ip dns> print results:

                      servers: 
              dynamic-servers: 192.0.0.1,fd00:976a::9,fd00:976a::10
               use-doh-server: 
              verify-doh-cert: no
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 47KiB

Ping & NSlookup results:

C:\Users\#########>ping google.com

Pinging google.com [142.250.190.14] with 32 bytes of data:
Reply from 142.250.190.14: bytes=32 time=101ms TTL=64
Reply from 142.250.190.14: bytes=32 time=32ms TTL=64
Reply from 142.250.190.14: bytes=32 time=42ms TTL=64
Reply from 142.250.190.14: bytes=32 time=48ms TTL=64

Ping statistics for 142.250.190.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 101ms, Average = 55ms

C:\Users\#########>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=124ms TTL=64
Reply from 8.8.8.8: bytes=32 time=44ms TTL=64
Reply from 8.8.8.8: bytes=32 time=40ms TTL=64
Reply from 8.8.8.8: bytes=32 time=39ms TTL=64

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 39ms, Maximum = 124ms, Average = 61ms

C:\Users\#########>nslookup
Default Server:  UnKnown
Address:  192.168.88.1

> google.com
Server:  UnKnown
Address:  192.168.88.1

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4009:817::200e
          142.250.190.14

Is that the full config ?

Why the mangle rule for lte ?
I don’t have it on my SXT lte device so I’m curious ?

Can not be. Missing DHCP/Bridge/interface config +++

You are using the DNS of a device most likely a modem: 192.0.0.1,fd00:976a::9,fd00:976a::10…these IPv6 DNS servers seem indeed to be used by t-mobile.

If t-mobile is blocking DNS requests made to other DNS servers then you could experience what you describe.

See: https://www.reddit.com/r/tmobile/comments/6o8n5w/disable_tmo_dns_hijacking/

Why do some ask always for the full config while reading the given info, give a clue where to begin looking!

Ping works from Mikrotik device so DNS is working, but only partially since it doesn’t work from lan.
Hence the (logical) request to see the rest of the config.

Quick test could also be to manually set dns to 8.8.8.8 or 1.1.1.1 or whatever you like.
If that works, then that wrong dns was the problem.
If it doesn’t, something else is wrong.
And then the full config needs to be shown.

Ping in Winbox is using the DNS of the device you are using to run Winbox.

If you want to test from the router then use :resolve in terminal.

:put [:resolve "www.mikrotik.com"]

This would be hard to believe… winbox is nothing more than a kind of telnet session.
Whatever you do there, is ON that device.

Nope, not for DNS in Winbox. Address-list excluded, that resolves inside the router.

I still don’t believe that’s true.
Have had plenty of situations where ping worked from winbox but not from local cmd window.
So that does not make sense if your statement would be true.

What about webfig then ?
Or plain ssh ?

I need more info to be convinced of that statement.

Other argument
Winbox can work ONLY having MAC access.
How would DNS be possible then ??

dynamic-servers: 192.0.0.1,fd00:976a::9,fd00:976a::10

Where are you getting 192.0.0.1 from? That’s a special-purpose IANA address, not something you should be using on a private LAN, nor for use by T-Mobile.

I suspect you could solve your problem simply by configuring the DHCP client on the router to “use-peer-dns=yes”. That will allow the router’s DHCP server to offer 192.168.88.1 as the DNS to local clients as you’ve got it configured now, acting as a DNS cache for T-Mobile’s DNS.

I already answered that earlier. T-mobile can do in their network what they want. Outside their network that is different.

I am writing about Winbox ping in Tools and not of ping in Terminal. In Terminal it uses the DNS server defined in the router.

Not to my satisfaction.

FC00::/7 is a private IPv6 space, likely used by T-Mobile for CGNAT. I don’t see that the same explanation applies to 192.0.0.0/24; the equivalent in IPv4 land is 100.64.0.0/10.

My wild guess is it’s a typo for 192.168.0.1, the user’s LTE modem IP.

If your point is that T-Mobile’s DNS plays games with advertising and such, that still doesn’t address my point, since using a broken IPv4 DNS IP doesn’t solve that problem, either. The OP said they previously used Google’s DNS to get around that, but if T-Mobile is blocking common third-party DNS, the solution is DoH or similar.

If you look at the DNS printout you see that they are dynamic-servers. There is no user input possible there.

That is not my point. My point is that t-mobile can control what you can visit (resolved) or not, like the EU/Dutch government is doing in the Netherlands forcing ISP’s to filter their DNS.

T-mobile can enforce that you use their DNS. You can then switch your router in War-mode by using DoH or use a VPN to have your freedom back.

The answer to my initial question then is, “T-Mobile is misusing 192.0.0.1”. If so, that sucks.

Thanks for clarifying.

@holvoetn

Winbox uses the DNS of the Windows machine (simulated or not) where it is used.
No matter whether it is connected to the device by MAC or by IP.
Try it yourself: set a non-routerboard IP on Windows and remove the DNS IP from the routerboard.

To force RouterOS to resolve a DNS name using a specific server, just:

:put [:resolve www.mikrotik.com server=1.1.1.1]

@holvoetn

This is a hack for tethering when that is not allowed by the provider.
Usually, if the provider notices it, then it will no longer make the connection work, until you change IMEI or MAC…
Some providers directly block MikroTik IMEIs for this…

I updated the main post with the full configuration. Sorry about that, I wasn’t aware of export verbose.


Mangle is so that tmobile treats it as phone data (unlimited) instead of hotspot/tethering (a measly 40GB/month for their best package, after which it is capped at 600kbps). I have tried with and without the mangle rules, so those aren’t causing the problem. Again, this config (minus the recent changes to DNS) worked fine for months and a few times for several hours in the days following my internet loss.


I started out with 8.8.8.8/8.8.4.4 and it worked fine for months, and I recently tried the current configuration, having no DNS servers, and using the IPv4 servers that were in use by my phone to no avail. I had a couple periods for several hours the days following my internet outage where the internet worked with my old configuration, but nothing since. I could ping ip’s, but I couldn’t ping urls until after I removed my old dns servers.

I have no idea if this helps:


> :put [:resolve www.mikrotik.com server=1.1.1.1]
failure: dns server failure
> :put [:resolve www.mikrotik.com server=8.8.8.8]
failure: dns server failure
> :put [:resolve www.mikrotik.com]
159.148.147.196
> :put [:resolve www.mikrotik.com server=208.54.80.113]
failure: dns server failure
> :put [:resolve www.mikrotik.com server=fd00:976a::10]
159.148.147.196

The only tested server that works is the IPv6 dynamic server from tmobile, which I’m assuming the serverless option also used. The 208.54.80.113 server is an IPv4 server that ipleak says my phone is using.
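
The per-server `:resolve` test above can be repeated from a LAN host to see, resolver by resolver, whether a query is answered, answered with an error code, or dropped. This is an added example, not part of the original thread; the resolver addresses and query name are the ones posted above, and the function names are this example's own.

```python
import ipaddress
import secrets
import socket
import struct

# Resolver addresses and query name taken from the thread above.
RESOLVERS = ["192.168.88.1", "1.1.1.1", "8.8.8.8", "208.54.80.113", "fd00:976a::10"]
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """Encode a one-question recursive DNS query (qtype 1 = A, 28 = AAAA)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n


def parse_response(msg, txid):
    """Return (rcode_name, [addresses]); raise ValueError for a foreign or malformed reply."""
    if len(msg) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    addrs, off = [], 12
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        for _ in range(an):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("record data cut short")
            off += 10 + rdlen
            if (rtype, rdlen) in ((1, 4), (28, 16)):  # A or AAAA record
                addrs.append(str(ipaddress.ip_address(rdata)))
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed reply") from exc
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), addrs


def probe(server, name="www.mikrotik.com", timeout=3.0):
    """Send one A query to server over UDP port 53 and classify the outcome."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    txid = secrets.randbits(16)
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((server, 53))  # connected UDP socket ignores other senders
            s.send(build_query(name, txid))
            return parse_response(s.recv(4096), txid)
    except socket.timeout:
        return "TIMEOUT", []
    except (OSError, ValueError) as exc:
        return f"ERROR: {exc}", []


if __name__ == "__main__":
    for srv in RESOLVERS:
        status, addrs = probe(srv)
        print(f"{srv:<16} {status:<10} {', '.join(addrs)}")
```

Run it on a PC behind the router; the status column separates a query that was never answered (TIMEOUT) from one a resolver answered with an error code.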