Can't connect to internet from LAN

I’ve just purchased a CCR2116 which I want to replace my pfSense router with.

  • primary WAN (dhcp) is not connected yet (sfp1-xgspon)
  • backup WAN (dhcp) is connected to ether3
  • LAN is connected over a trunk on 2 aggregated ports (ether1 and ether2) to my UniFi switch network

What I’ve noticed:

  • DHCP client is working for WAN. Default route is being created.
  • Inter VLAN routing is working.
  • MACVLAN rules for mDNS are also working
  • The router can ping the internet and can resolve DNS
  • Clients on vlan10 can resolve DNS using the router as DNS server
  • Clients on vlan10 cannot access the internet (http/https), nor can they ping 1.1.1.1

I’ve tried, to no avail:

  • disabling all drop rules on the firewall
  • pointing towards the ether3 interface directly instead of using the WAN interface list
  • upgrading to 7.17beta2. Now running 7.16 again
  • I even asked ChatGPT what was wrong with the config…

Any idea what stupid small thing I’m missing?
Thx!

Config:

/interface bridge
add name=bridge priority=0 vlan-filtering=yes
add name=bridge-mdns protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-lag-trunk
set [ find default-name=ether2 ] name=ether2-lag-trunk
set [ find default-name=ether3 ] name=ether3-wan-backup
set [ find default-name=ether13 ] name=ether13-localmanagement
set [ find default-name=sfp-sfpplus1 ] name=sfp1-xgspon
set [ find default-name=sfp-sfpplus4 ] name=sfp4-server-trunk
/interface vlan
add interface=bridge name=vlan1-management vlan-id=1
add interface=bridge name=vlan5-iot vlan-id=5
add interface=bridge name=vlan6-cameras vlan-id=6
add interface=bridge name=vlan9-iotonline vlan-id=9
add interface=bridge name=vlan10-lan vlan-id=10
add interface=bridge name=vlan15-wifiguests vlan-id=15
/interface macvlan
add interface=vlan5-iot mac-address=6A:95:4C:51:4D:B0 mode=private name=macvlan5-iot
add interface=vlan6-cameras mac-address=8E:33:47:CE:8C:E3 mode=private name=macvlan6-cameras
add interface=vlan9-iotonline mac-address=6E:FB:2B:AE:07:E5 mode=private name=macvlan9-iotonline
add interface=vlan10-lan mac-address=4E:CD:E3:3E:B1:FF mode=private name=macvlan10-lan
/interface bonding
add mode=802.3ad name=lag-trunk slaves=ether1-lag-trunk,ether2-lag-trunk
/interface list
add name=LAN
add name=ManagementAllowed
add name=WAN
/ip dhcp-server option
add code=43 name="Unifi adopt" value=0x0104c0a805d2
/ip pool
add name=pool-lan-dhcp ranges=192.168.10.2-192.168.10.99
add name=pool-iot-dhcp ranges=192.168.8.2-192.168.8.99
add name=pool-cameras-dhcp ranges=192.168.6.2-192.168.6.99
add name=pool-wifiguests-dhcp ranges=192.168.15.2-192.168.15.99
add name=pool-iotonline-dhcp ranges=192.168.9.2-192.168.9.99
add name=pool-management-dhcp ranges=192.168.5.2-192.168.5.99
add name=pool-ipsec-dhcp ranges=192.168.20.2-192.168.20.99
/ip dhcp-server
add address-pool=pool-lan-dhcp interface=vlan10-lan lease-time=2h name=dhcp-vlan10-lan
add address-pool=pool-iot-dhcp interface=vlan5-iot lease-time=2h name=dhcp-vlan5-iot
add address-pool=pool-cameras-dhcp disabled=yes interface=vlan6-cameras lease-time=2h name=dhcp-vlan6-cameras
add address-pool=pool-wifiguests-dhcp interface=vlan15-wifiguests lease-time=2h name=dhcp-vlan15-wifiguests
add address-pool=pool-iotonline-dhcp interface=vlan9-iotonline lease-time=2h name=dhcp-vlan9-iotonline
add address-pool=pool-management-dhcp interface=vlan1-management lease-time=2h name=dhcp-vlan1-management
/port
set 0 name=serial0
/interface bridge filter
add action=accept chain=forward comment="1. Allow mDNS queries from vlan10-lan" dst-address=224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 in-interface=\
    macvlan10-lan ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns src-port=5353
add action=accept chain=forward comment="2. Allow mDNS replies to vlan10-lan" dst-address=224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 in-bridge=\
    bridge-mdns ip-protocol=udp mac-protocol=ip out-interface=macvlan10-lan src-port=5353
add action=drop chain=forward comment="3. Drop mDNS queries from other VLANs" disabled=yes dst-address=224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 \
    in-bridge=bridge-mdns ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns src-port=5353
add action=accept chain=forward comment="Allow mDNS only" disabled=yes dst-address=224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 in-bridge=bridge-mdns \
    ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns src-port=5353
add action=accept chain=forward comment="1. Allow SSDP queries from vlan10-lan" dst-address=239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 in-interface=\
    macvlan10-lan ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns
add action=accept chain=forward comment="2. Allow SSDP replies to vlan10-lan" dst-address=239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 in-bridge=\
    bridge-mdns ip-protocol=udp mac-protocol=ip out-interface=macvlan10-lan
add action=drop chain=forward comment="3. Drop SSDP queries from other VLANs" disabled=yes dst-address=239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 \
    in-bridge=bridge-mdns ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns
add action=accept chain=forward comment="Forward SSDP" disabled=yes dst-address=239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 in-bridge=bridge-mdns \
    ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns
add action=accept chain=forward comment="1. Allow Sonos queries from vlan10-lan" dst-address=239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1902 \
    in-interface=macvlan10-lan ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns
add action=accept chain=forward comment="2. Allow Sonos replies to vlan10-lan" dst-address=239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1902 in-bridge=\
    bridge-mdns ip-protocol=udp mac-protocol=ip out-interface=macvlan10-lan
add action=drop chain=forward comment="3. Drop Sonos queries from other VLANs" disabled=yes dst-address=239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1902 \
    in-bridge=bridge-mdns ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns
add action=accept chain=forward comment="Forward Sonos" disabled=yes dst-address=239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1902 in-bridge=bridge-mdns \
    ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns
add action=drop chain=forward comment="Drop all other L2 traffic" in-bridge=bridge-mdns out-bridge=bridge-mdns
/interface bridge nat
add action=src-nat chain=srcnat comment="mDNS - SNAT to Primary VLAN bridge" dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF to-src-mac-address=F4:1E:57:3D:AA:E5
add action=src-nat chain=srcnat comment="SSDP - SNAT to Primary VLAN bridge" dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF to-src-mac-address=F4:1E:57:3D:AA:E5
/interface bridge port
add bridge=bridge interface=sfp4-server-trunk
add bridge=bridge interface=lag-trunk
add bridge=bridge interface=ether12
add bridge=bridge interface=ether10 pvid=10
add bridge=bridge interface=ether9 pvid=9
add bridge=bridge interface=ether8 pvid=5
add bridge=bridge interface=ether6 pvid=6
add bridge=bridge interface=ether5 pvid=5
add bridge=bridge-mdns interface=macvlan5-iot
add bridge=bridge-mdns interface=macvlan6-cameras
add bridge=bridge-mdns interface=macvlan9-iotonline
add bridge=bridge-mdns interface=macvlan10-lan
/ip neighbor discovery-settings
set discover-interface-list=ManagementAllowed
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=lag-trunk,bridge,sfp4-server-trunk untagged=ether10 vlan-ids=10
add bridge=bridge tagged=bridge,lag-trunk,sfp4-server-trunk untagged=ether5 vlan-ids=5
add bridge=bridge tagged=bridge,lag-trunk,sfp4-server-trunk untagged=ether6 vlan-ids=6
add bridge=bridge tagged=bridge,lag-trunk,sfp4-server-trunk untagged=ether12 vlan-ids=1
add bridge=bridge tagged=bridge,lag-trunk,sfp4-server-trunk untagged=ether9 vlan-ids=9
add bridge=bridge tagged=bridge,lag-trunk,sfp4-server-trunk vlan-ids=15
/interface ethernet switch
set 0 l3-hw-offloading=yes name=switch
/interface list member
add interface=bridge list=LAN
add interface=vlan10-lan list=ManagementAllowed
add interface=vlan1-management list=ManagementAllowed
add interface=ether13-localmanagement list=ManagementAllowed
add interface=ether3-wan-backup list=WAN
add interface=sfp1-xgspon list=WAN
/interface ovpn-server servers
add mac-address=FE:CB:7E:18:7D:DE name=ovpn-server1
/ip address
add address=192.168.5.1/24 interface=vlan1-management network=192.168.5.0
add address=192.168.8.1/24 interface=vlan5-iot network=192.168.8.0
add address=192.168.9.1/24 interface=vlan9-iotonline network=192.168.9.0
add address=192.168.10.1/24 interface=vlan10-lan network=192.168.10.0
add address=192.168.15.1/24 interface=vlan15-wifiguests network=192.168.15.0
add address=192.168.6.1/24 interface=vlan6-cameras network=192.168.6.0
/ip cloud
set update-time=no
/ip dhcp-client
add default-route-distance=2 interface=ether3-wan-backup use-peer-dns=no use-peer-ntp=no
# Interface not active
add interface=sfp1-xgspon use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.5.0/24 dhcp-option="Unifi adopt" dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1
add address=192.168.8.0/24 dns-server=192.168.8.1 gateway=192.168.8.1
add address=192.168.9.0/24 dns-server=192.168.9.1 gateway=192.168.9.1
add address=192.168.10.0/24 dns-server=192.168.10.210 gateway=192.168.10.1
add address=192.168.15.0/24 dns-server=192.168.15.1 gateway=192.168.15.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=192.168.9.160 list=sonos
add address=192.168.9.161 list=sonos
add address=192.168.9.162 list=sonos
add address=192.168.9.163 list=sonos
add address=192.168.9.164 list=sonos
add address=192.168.9.165 list=sonos
add address=192.168.8.145 list=tuya
add address=192.168.8.146 list=tuya
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop blacklisted IPs" connection-state=new in-interface-list=WAN src-address-list=pwlgrzs-blacklist
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="Allow forwarded HTTPS port 443" connection-nat-state=dstnat dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Allow forwarded HTTP port 80" connection-nat-state=dstnat dst-port=80 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow Winbox" in-interface-list=ManagementAllowed port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface-list=ManagementAllowed port=22 protocol=tcp
add action=accept chain=input comment="allow mikrotik api" in-interface-list=ManagementAllowed port=8728 protocol=tcp
add action=accept chain=input comment="allow mikrotik api" in-interface-list=ManagementAllowed port=8729 protocol=tcp
add action=accept chain=input comment="allow ftp" in-interface-list=ManagementAllowed port=21 protocol=tcp
add action=accept chain=input comment="allow telnet" in-interface-list=ManagementAllowed port=23 protocol=tcp
add action=accept chain=input comment="allow web admin" in-interface-list=ManagementAllowed port=80 protocol=tcp
add action=accept chain=forward comment="Allow TCP for Sonos 3400" dst-address=192.168.10.0/24 dst-port=3400-3401 protocol=tcp src-address-list=sonos
add action=accept chain=forward comment="Allow TCP for Sonos 445" dst-address=192.168.10.0/24 dst-port=445 protocol=tcp src-address-list=sonos
add action=accept chain=forward comment="Allow TCP for Sonos 3500" dst-address=192.168.10.0/24 dst-port=3500 protocol=tcp src-address-list=sonos
add action=accept chain=forward comment="Allow UDP for Sonos 319" dst-address=192.168.10.0/24 dst-port=319-320 protocol=udp src-address-list=sonos
add action=accept chain=forward comment="Allow UDP for Sonos 6969" dst-address=192.168.10.0/24 dst-port=6969 protocol=udp src-address-list=sonos
add action=accept chain=forward comment="Allow UDP for Sonos 49152-65535" dst-address=192.168.10.0/24 dst-port=49152-65535 protocol=udp src-address-list=sonos
add action=accept chain=forward comment="Allow 192.168.5.180 to 192.168.10.210 on TCP port 3493 for UPS" dst-address=192.168.10.210 dst-port=3493 protocol=tcp src-address=192.168.5.180
add action=accept chain=forward comment="Allow 192.168.5.180 to 192.168.10.199 on all protocols and ports" dst-address=192.168.10.199 src-address=192.168.5.180
add action=accept chain=forward comment="Allow all traffic from vlan10-lan to other VLANs" src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow internet access for vlan10-lan" out-interface-list=WAN src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow internet access for vlan9-iotonline" out-interface-list=WAN src-address=192.168.9.0/24
add action=accept chain=forward comment="Allow access to NTP on the internet from vlan5-iot" dst-port=123 protocol=udp src-address=192.168.8.0/24
add action=drop chain=forward comment="Block traffic from other VLANs to vlan10-lan" dst-address=192.168.10.0/24
add action=drop chain=forward comment="Block traffic from vlan1-management to other VLANs" src-address=192.168.5.0/24
add action=drop chain=forward comment="Block internet access for all other VLANs" out-interface-list=WAN
add action=drop chain=forward comment="Deny Internet access from Tuya list" out-interface-list=WAN src-address-list=tuya
add action=drop chain=forward comment="Block TCP DNS from vlan5-iot" dst-port=53 protocol=tcp src-address=192.168.8.0/24
add action=drop chain=forward comment="Block UDP DNS from vlan5-iot" dst-port=53 protocol=udp src-address=192.168.8.0/24
add action=drop chain=forward comment="Deny DNS from Tuya list" dst-port=53 protocol=tcp src-address-list=tuya
add action=drop chain=forward comment="Deny DNS from Tuya list" dst-port=53 protocol=udp src-address-list=tuya
add action=accept chain=forward comment="Allow TCP DNS from vlan10-lan" dst-port=53 protocol=tcp src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow  UDP DNS from vlan10-lan" dst-port=53 protocol=udp src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow TCP DNS from vlan9-iotonline" dst-port=53 protocol=tcp src-address=192.168.9.0/24
add action=accept chain=forward comment="Allow UDP DNS from vlan9-iotonline" dst-port=53 protocol=udp src-address=192.168.9.0/24
add action=accept chain=forward comment="Allow TCP DNS from vlan15-wifiguests" dst-port=53 protocol=tcp src-address=192.168.15.0/24
add action=accept chain=forward comment="Allow UDP DNS from vlan15-wifiguests" dst-port=53 protocol=udp src-address=192.168.15.0/24
add action=drop chain=forward comment="Block traffic from vlan5-iot to other VLANs" src-address=192.168.8.0/24
add action=drop chain=forward comment="Block traffic from vlan6-cameras to other VLANs" src-address=192.168.6.0/24
add action=drop chain=forward comment="Block traffic from vlan9-iotonline to other VLANs" src-address=192.168.9.0/24
add action=drop chain=forward comment="Block traffic from vlan15-wifiguests to other VLANs" src-address=192.168.15.0/24
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet access" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Forward port 80" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.10.210
add action=dst-nat chain=dstnat comment="Forward port 443" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.10.210
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec mode-config
add address-pool=pool-ipsec-dhcp address-prefix-length=32 name=vpn-ipsec-ikev2
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet address=192.168.10.0/24,192.168.5.0/24
set ftp address=192.168.10.0/24,192.168.5.0/24
set www address=192.168.10.0/24,192.168.5.0/24
set ssh address=192.168.10.0/24,192.168.5.0/24
set www-ssl address=192.168.10.0/24,192.168.5.0/24
set api address=192.168.10.0/24,192.168.5.0/24
set winbox address=192.168.10.0/24,192.168.5.0/24
set api-ssl address=192.168.10.0/24,192.168.5.0/24
/ip smb shares
set [ find default=yes ] directory=pub
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Brussels
/system health settings
set fan-min-speed-percent=10%
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=europe.pool.ntp.org
/system package update
set channel=testing
/system routerboard reset-button
set enabled=yes
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add interval=1w name=dl-mt-blacklist on-event=pwlgrzs-blacklist-dl policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2000-01-01 start-time=00:05:00
add interval=1w name=ins-mt-blacklist on-event=pwlgrzs-blacklist-replace policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2000-01-01 start-time=00:10:00
/system script
add dont-require-permissions=no name=pwlgrzs-blacklist-dl owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/tool fetch url=\"https://raw.githubusercontent.com/pwlgrzs/Mikrotik-Blacklist/master/blacklist.rsc\" mode=https"
add dont-require-permissions=no name=pwlgrzs-blacklist-replace owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip firewall address-list remove [find where list=\"pwlgrzs-blacklist\"]; /import file-name=blacklist.rsc; /file remove blacklist.rsc"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=ManagementAllowed
/tool mac-server mac-winbox
set allowed-interface-list=ManagementAllowed

edit: Updated config - pulled config when device had WAN connection
edit2: Added attempt to update to 7.17beta2
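When a forward chain has this many accept and drop rules, the fastest way to reason about a flow is to replay first-match evaluation against it. The block below is an added example, not code from this thread: it encodes the chain=forward rules of the export above, in their original order, as data and walks a constructed packet through them. The packet model is deliberately simplified (no connection tracking, no bridge filter, no input chain), `fasttrack-connection` is assumed to be non-terminating, and the function and field names (`packet`, `walk`, `inp`, `out`) are my own. A new ICMP packet from a vlan10 host to 1.1.1.1 terminates at "Allow all traffic from vlan10-lan to other VLANs", which is the rule whose counter is climbing in the stats posted further down in the thread while "Allow internet access for vlan10-lan" stays at zero; a guest-VLAN DNS query to the internet is dropped by "Block internet access for all other VLANs" before the later "Allow UDP DNS from vlan15-wifiguests" rule is ever reached.

```python
"""Added example: first-match walk of the chain=forward rules in the posted export."""
import ipaddress

# /interface list member and /ip firewall address-list entries from the export.
IFACE_LISTS = {"WAN": {"ether3-wan-backup", "sfp1-xgspon"}, "LAN": {"bridge"}}
ADDR_LISTS = {"sonos": {f"192.168.9.{n}" for n in range(160, 166)},
              "tuya": {"192.168.8.145", "192.168.8.146"}}

def rule(comment, action, **match):
    return (comment, action, match)

# chain=forward rules, same order as the export. dport is a port or an inclusive
# (lo, hi) range; nat="!dstnat" is RouterOS's connection-nat-state=!dstnat.
FORWARD = [
    rule("fast-track for established,related", "fasttrack-connection", state={"established", "related"}),
    rule("accept established,related,untracked", "accept", state={"established", "related", "untracked"}),
    rule("Allow forwarded HTTPS port 443", "accept", nat="dstnat", dport=443, in_list="WAN", proto="tcp"),
    rule("Allow forwarded HTTP port 80", "accept", nat="dstnat", dport=80, in_list="WAN", proto="tcp"),
    rule("Allow TCP for Sonos 3400", "accept", dst="192.168.10.0/24", dport=(3400, 3401), proto="tcp", src_list="sonos"),
    rule("Allow TCP for Sonos 445", "accept", dst="192.168.10.0/24", dport=445, proto="tcp", src_list="sonos"),
    rule("Allow TCP for Sonos 3500", "accept", dst="192.168.10.0/24", dport=3500, proto="tcp", src_list="sonos"),
    rule("Allow UDP for Sonos 319", "accept", dst="192.168.10.0/24", dport=(319, 320), proto="udp", src_list="sonos"),
    rule("Allow UDP for Sonos 6969", "accept", dst="192.168.10.0/24", dport=6969, proto="udp", src_list="sonos"),
    rule("Allow UDP for Sonos 49152-65535", "accept", dst="192.168.10.0/24", dport=(49152, 65535), proto="udp", src_list="sonos"),
    rule("Allow 192.168.5.180 to 192.168.10.210 on TCP port 3493 for UPS", "accept", src="192.168.5.180", dst="192.168.10.210", dport=3493, proto="tcp"),
    rule("Allow 192.168.5.180 to 192.168.10.199 on all protocols and ports", "accept", src="192.168.5.180", dst="192.168.10.199"),
    rule("Allow all traffic from vlan10-lan to other VLANs", "accept", src="192.168.10.0/24"),
    rule("Allow internet access for vlan10-lan", "accept", src="192.168.10.0/24", out_list="WAN"),
    rule("Allow internet access for vlan9-iotonline", "accept", src="192.168.9.0/24", out_list="WAN"),
    rule("Allow access to NTP on the internet from vlan5-iot", "accept", src="192.168.8.0/24", dport=123, proto="udp"),
    rule("Block traffic from other VLANs to vlan10-lan", "drop", dst="192.168.10.0/24"),
    rule("Block traffic from vlan1-management to other VLANs", "drop", src="192.168.5.0/24"),
    rule("Block internet access for all other VLANs", "drop", out_list="WAN"),
    rule("Deny Internet access from Tuya list", "drop", out_list="WAN", src_list="tuya"),
    rule("Block TCP DNS from vlan5-iot", "drop", src="192.168.8.0/24", dport=53, proto="tcp"),
    rule("Block UDP DNS from vlan5-iot", "drop", src="192.168.8.0/24", dport=53, proto="udp"),
    rule("Deny DNS from Tuya list", "drop", src_list="tuya", dport=53, proto="tcp"),
    rule("Deny DNS from Tuya list", "drop", src_list="tuya", dport=53, proto="udp"),
    rule("Allow TCP DNS from vlan10-lan", "accept", src="192.168.10.0/24", dport=53, proto="tcp"),
    rule("Allow  UDP DNS from vlan10-lan", "accept", src="192.168.10.0/24", dport=53, proto="udp"),
    rule("Allow TCP DNS from vlan9-iotonline", "accept", src="192.168.9.0/24", dport=53, proto="tcp"),
    rule("Allow UDP DNS from vlan9-iotonline", "accept", src="192.168.9.0/24", dport=53, proto="udp"),
    rule("Allow TCP DNS from vlan15-wifiguests", "accept", src="192.168.15.0/24", dport=53, proto="tcp"),
    rule("Allow UDP DNS from vlan15-wifiguests", "accept", src="192.168.15.0/24", dport=53, proto="udp"),
    rule("Block traffic from vlan5-iot to other VLANs", "drop", src="192.168.8.0/24"),
    rule("Block traffic from vlan6-cameras to other VLANs", "drop", src="192.168.6.0/24"),
    rule("Block traffic from vlan9-iotonline to other VLANs", "drop", src="192.168.9.0/24"),
    rule("Block traffic from vlan15-wifiguests to other VLANs", "drop", src="192.168.15.0/24"),
    rule("drop access to clients behind NAT from WAN", "drop", state={"new"}, nat="!dstnat", in_list="WAN"),
]

def packet(src, dst, out, proto="icmp", dport=None, inp="vlan10-lan", state="new", nat="none"):
    """A forwarded packet as the filter sees it (constructed input, not a capture)."""
    return dict(src=src, dst=dst, out=out, inp=inp, proto=proto, dport=dport, state=state, nat=nat)

def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(m, p):
    """All matchers of one rule are ANDed, as in RouterOS."""
    checks = [
        "state" not in m or p["state"] in m["state"],
        "proto" not in m or p["proto"] == m["proto"],
        "src" not in m or _in_net(p["src"], m["src"]),
        "dst" not in m or _in_net(p["dst"], m["dst"]),
        "src_list" not in m or p["src"] in ADDR_LISTS[m["src_list"]],
        "in_list" not in m or p["inp"] in IFACE_LISTS[m["in_list"]],
        "out_list" not in m or p["out"] in IFACE_LISTS[m["out_list"]],
    ]
    if "nat" in m:  # "!dstnat" negates the comparison
        negate, want = m["nat"].startswith("!"), m["nat"].lstrip("!")
        checks.append((p["nat"] == want) != negate)
    if "dport" in m:
        lo, hi = m["dport"] if isinstance(m["dport"], tuple) else (m["dport"], m["dport"])
        checks.append(p["dport"] is not None and lo <= p["dport"] <= hi)
    return all(checks)

def walk(p, chain=FORWARD):
    """(index, comment, action) of the first terminating rule, or None when the packet
    falls off the end of the chain (RouterOS then accepts it). fasttrack-connection is
    assumed non-terminating, which is consistent with the posted counters showing the
    same 885 packets on it and on the accept rule directly after it."""
    for i, (comment, action, m) in enumerate(chain):
        if matches(m, p) and action != "fasttrack-connection":
            return i, comment, action
    return None

if __name__ == "__main__":
    cases = {
        "vlan10 -> 1.1.1.1 icmp out backup WAN": packet("192.168.10.50", "1.1.1.1", "ether3-wan-backup"),
        "guest -> 1.1.1.1 udp/53 out backup WAN": packet("192.168.15.20", "1.1.1.1", "ether3-wan-backup", "udp", 53, inp="vlan15-wifiguests"),
        "iot -> 1.1.1.1 udp/123 out backup WAN": packet("192.168.8.10", "1.1.1.1", "ether3-wan-backup", "udp", 123, inp="vlan5-iot"),
    }
    for name, p in cases.items():
        print(f"{name}: {walk(p)}")
```

Because the walk stops at the first terminating rule, any rule placed after a broader accept or drop for the same source is dead for that source; reading the `print stats` counters against the walk's result is the quickest check that the chain does what the comments claim.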

The lines that have a # sign prepended and that the board code parser marks red are not good:

/ip dhcp-client
# Interface not active
add interface=ether3-wan-backup use-peer-dns=no use-peer-ntp=no
# Interface not active
add interface=sfp1-xgspon use-peer-dns=no use-peer-ntp=no

The second one is expected as you haven’t yet connected anything to sfp1, but the first one should mean that something with ether3 is not right.

Post also the output of /ip route print and of /ip address print.

Yeah, I created the export when the router was not connected to the WAN port.
Below are a number of troubleshooting queries.

/ip route print detail

Flags: D - dynamic; X - disabled, I - inactive, A - active; 
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp 
   DAdH  dst-address=0.0.0.0/0 routing-table=main gateway=XXX.XXX.192.1 immediate-gw=XXX.XXX.192.1%ether3-wan-backup distance=2 scope=30 target-scope=10 
         vrf-interface=ether3-wan-backup 

   DAcH  dst-address=XXX.XXX.192.0/19 routing-table=main gateway=ether3-wan-backup immediate-gw=ether3-wan-backup distance=0 scope=10 target-scope=5 
         local-address=XXX.XXX.205.39%ether3-wan-backup 

   DAcH  dst-address=192.168.5.0/24 routing-table=main gateway=vlan1-management immediate-gw=vlan1-management distance=0 scope=10 target-scope=5 
         local-address=192.168.5.1%vlan1-management 

   DAcH  dst-address=192.168.6.0/24 routing-table=main gateway=vlan6-cameras immediate-gw=vlan6-cameras distance=0 scope=10 target-scope=5 
         local-address=192.168.6.1%vlan6-cameras 

   DAcH  dst-address=192.168.8.0/24 routing-table=main gateway=vlan5-iot immediate-gw=vlan5-iot distance=0 scope=10 target-scope=5 
         local-address=192.168.8.1%vlan5-iot 

   DAcH  dst-address=192.168.9.0/24 routing-table=main gateway=vlan9-iotonline immediate-gw=vlan9-iotonline distance=0 scope=10 target-scope=5 
         local-address=192.168.9.1%vlan9-iotonline 

   DAcH  dst-address=192.168.10.0/24 routing-table=main gateway=vlan10-lan immediate-gw=vlan10-lan distance=0 scope=10 target-scope=5 
         local-address=192.168.10.1%vlan10-lan 

   DAcH  dst-address=192.168.15.0/24 routing-table=main gateway=vlan15-wifiguests immediate-gw=vlan15-wifiguests distance=0 scope=10 target-scope=5 
         local-address=192.168.15.1%vlan15-wifiguests

/ip firewall nat print

Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Internet access
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" 

 1    ;;; Forward port 80
      chain=dstnat action=dst-nat to-addresses=192.168.10.210 protocol=tcp in-interface-list=WAN dst-port=80 log=no log-prefix="" 

 2    ;;; Forward port 443
      chain=dstnat action=dst-nat to-addresses=192.168.10.210 protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix=""

/ip firewall nat print stats

Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN   ACTION       BYTES  PACKETS
;;; Internet access
0 srcnat  masquerade  73 882    1 088
;;; Forward port 80
1 dstnat  dst-nat         75        1
;;; Forward port 443
2 dstnat  dst-nat          0        0

/ip firewall filter print

Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; fast-track for established,related
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

 2    ;;; accept established,related,untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

 3    ;;; accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 4    ;;; drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 5    ;;; drop blacklisted IPs
      chain=input action=drop connection-state=new src-address-list=pwlgrzs-blacklist in-interface-list=WAN log=no log-prefix="" 

 6    ;;; accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 7    ;;; Allow forwarded HTTPS port 443
      chain=forward action=accept connection-nat-state=dstnat protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix="" 

 8    ;;; Allow forwarded HTTP port 80
      chain=forward action=accept connection-nat-state=dstnat protocol=tcp in-interface-list=WAN dst-port=80 log=no log-prefix="" 

 9    ;;; drop all from WAN not DSTNATed
      chain=input action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

10    ;;; allow Winbox
      chain=input action=accept protocol=tcp in-interface-list=ManagementAllowed port=8291 log=no log-prefix="" 

11    ;;; allow SSH
      chain=input action=accept protocol=tcp in-interface-list=ManagementAllowed port=22 log=no log-prefix="" 

12    ;;; allow mikrotik api
      chain=input action=accept protocol=tcp in-interface-list=ManagementAllowed port=8728 log=no log-prefix="" 

13    ;;; allow mikrotik api
      chain=input action=accept protocol=tcp in-interface-list=ManagementAllowed port=8729 log=no log-prefix="" 

14    ;;; allow ftp
      chain=input action=accept protocol=tcp in-interface-list=ManagementAllowed port=21 log=no log-prefix="" 

15    ;;; allow telnet
      chain=input action=accept protocol=tcp in-interface-list=ManagementAllowed port=23 log=no log-prefix="" 

16    ;;; allow web admin
      chain=input action=accept protocol=tcp in-interface-list=ManagementAllowed port=80 log=no log-prefix="" 

17    ;;; Allow TCP for Sonos 3400
      chain=forward action=accept protocol=tcp dst-address=192.168.10.0/24 src-address-list=sonos dst-port=3400-3401 log=no log-prefix="" 

18    ;;; Allow TCP for Sonos 445
      chain=forward action=accept protocol=tcp dst-address=192.168.10.0/24 src-address-list=sonos dst-port=445 

19    ;;; Allow TCP for Sonos 3500
      chain=forward action=accept protocol=tcp dst-address=192.168.10.0/24 src-address-list=sonos dst-port=3500 

20    ;;; Allow UDP for Sonos 319
      chain=forward action=accept protocol=udp dst-address=192.168.10.0/24 src-address-list=sonos dst-port=319-320 log=no log-prefix="" 

21    ;;; Allow UDP for Sonos 6969
      chain=forward action=accept protocol=udp dst-address=192.168.10.0/24 src-address-list=sonos dst-port=6969 

22    ;;; Allow UDP for Sonos 49152-65535
      chain=forward action=accept protocol=udp dst-address=192.168.10.0/24 src-address-list=sonos dst-port=49152-65535 

23    ;;; Allow 192.168.5.180 to 192.168.10.210 on TCP port 3493 for UPS
      chain=forward action=accept protocol=tcp src-address=192.168.5.180 dst-address=192.168.10.210 dst-port=3493 

24    ;;; Allow 192.168.5.180 to 192.168.10.199 on all protocols and ports
      chain=forward action=accept src-address=192.168.5.180 dst-address=192.168.10.199 

25    ;;; Allow all traffic from vlan10-lan to other VLANs
      chain=forward action=accept src-address=192.168.10.0/24 log=no log-prefix="" 

26    ;;; Allow internet access for vlan10-lan
      chain=forward action=accept src-address=192.168.10.0/24 out-interface-list=WAN log=no log-prefix="" 

27    ;;; Allow internet access for vlan9-iotonline
      chain=forward action=accept src-address=192.168.9.0/24 out-interface-list=WAN log=no log-prefix="" 

28    ;;; Allow access to NTP on the internet from vlan5-iot
      chain=forward action=accept protocol=udp src-address=192.168.8.0/24 dst-port=123 log=no log-prefix="" 

29    ;;; Block traffic from other VLANs to vlan10-lan
      chain=forward action=drop dst-address=192.168.10.0/24 log=no log-prefix="" 

30    ;;; Block traffic from vlan1-management to other VLANs
      chain=forward action=drop src-address=192.168.5.0/24 log=no log-prefix="" 

31    ;;; Block internet access for all other VLANs
      chain=forward action=drop out-interface-list=WAN log=no log-prefix="" 

32    ;;; Deny Internet access from Tuya list
      chain=forward action=drop src-address-list=tuya out-interface-list=WAN log=no log-prefix="" 

33    ;;; Block TCP DNS from vlan5-iot
      chain=forward action=drop protocol=tcp src-address=192.168.8.0/24 dst-port=53 log=no log-prefix="" 

34    ;;; Block UDP DNS from vlan5-iot
      chain=forward action=drop protocol=udp src-address=192.168.8.0/24 dst-port=53 log=no log-prefix="" 

35    ;;; Deny DNS from Tuya list
      chain=forward action=drop protocol=tcp src-address-list=tuya dst-port=53 log=no log-prefix="" 

36    ;;; Deny DNS from Tuya list
      chain=forward action=drop protocol=udp src-address-list=tuya dst-port=53 log=no log-prefix="" 

37    ;;; Allow TCP DNS from vlan10-lan
      chain=forward action=accept protocol=tcp src-address=192.168.10.0/24 dst-port=53 log=no log-prefix="" 

38    ;;; Allow  UDP DNS from vlan10-lan
      chain=forward action=accept protocol=udp src-address=192.168.10.0/24 dst-port=53 log=no log-prefix="" 

39    ;;; Allow TCP DNS from vlan9-iotonline
      chain=forward action=accept protocol=tcp src-address=192.168.9.0/24 dst-port=53 log=no log-prefix="" 

40    ;;; Allow UDP DNS from vlan9-iotonline
      chain=forward action=accept protocol=udp src-address=192.168.9.0/24 dst-port=53 log=no log-prefix="" 

41    ;;; Allow TCP DNS from vlan15-wifiguests
      chain=forward action=accept protocol=tcp src-address=192.168.15.0/24 dst-port=53 log=no log-prefix="" 

42    ;;; Allow UDP DNS from vlan15-wifiguests
      chain=forward action=accept protocol=udp src-address=192.168.15.0/24 dst-port=53 log=no log-prefix="" 

43    ;;; Block traffic from vlan5-iot to other VLANs
      chain=forward action=drop src-address=192.168.8.0/24 log=no log-prefix="" 

44    ;;; Block traffic from vlan6-cameras to other VLANs
      chain=forward action=drop src-address=192.168.6.0/24 log=no log-prefix="" 

45    ;;; Block traffic from vlan9-iotonline to other VLANs
      chain=forward action=drop src-address=192.168.9.0/24 log=no log-prefix="" 

46    ;;; Block traffic from vlan15-wifiguests to other VLANs
      chain=forward action=drop src-address=192.168.15.0/24 log=no log-prefix="" 

47    ;;; drop access to clients behind NAT from WAN
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

/ip firewall filter print stats

Flags: D - DYNAMIC
Columns: CHAIN, ACTION, BYTES, PACKETS
 #   CHAIN    ACTION                  BYTES  PACKETS
;;; special dummy rule to show fasttrack counters
 0 D forward  passthrough            68 421      161
;;; fast-track for established,related
 1   forward  fasttrack-connection  155 809      885
;;; accept established,related,untracked
 2   forward  accept                155 809      885
;;; accept established,related,untracked
 3   input    accept                783 897    8 088
;;; drop invalid
 4   input    drop                   10 411       94
;;; drop blacklisted IPs
 5   input    drop                        0        0
;;; accept ICMP
 6   input    accept                 42 576       33
;;; Allow forwarded HTTPS port 443
 7   forward  accept                      0        0
;;; Allow forwarded HTTP port 80
 8   forward  accept                     75        1
;;; drop all from WAN not DSTNATed
 9   input    drop                    5 257       56
;;; allow Winbox
10   input    accept                     64        1
;;; allow SSH
11   input    accept                      0        0
;;; allow mikrotik api
12   input    accept                      0        0
;;; allow mikrotik api
13   input    accept                      0        0
;;; allow ftp
14   input    accept                      0        0
;;; allow telnet
15   input    accept                      0        0
;;; allow web admin
16   input    accept                      0        0
;;; Allow TCP for Sonos 3400
17   forward  accept                      0        0
;;; Allow TCP for Sonos 445
18   forward  accept                      0        0
;;; Allow TCP for Sonos 3500
19   forward  accept                      0        0
;;; Allow UDP for Sonos 319
20   forward  accept                      0        0
;;; Allow UDP for Sonos 6969
21   forward  accept                      0        0
;;; Allow UDP for Sonos 49152-65535
22   forward  accept                      0        0
;;; Allow 192.168.5.180 to 192.168.10.210 on TCP port 3493 for UPS
23   forward  accept                      0        0
;;; Allow 192.168.5.180 to 192.168.10.199 on all protocols and ports
24   forward  accept                      0        0
;;; Allow all traffic from vlan10-lan to other VLANs
25   forward  accept                 19 526      279
;;; Allow internet access for vlan10-lan
26   forward  accept                      0        0
;;; Allow internet access for vlan9-iotonline
27   forward  accept                    380        7
;;; Allow access to NTP on the internet from vlan5-iot
28   forward  accept                    380        5
;;; Block traffic from other VLANs to vlan10-lan
29   forward  drop                        0        0
;;; Block traffic from vlan1-management to other VLANs
30   forward  drop                       76        1
;;; Block internet access for all other VLANs
31   forward  drop                       40        1
;;; Deny Internet access from Tuya list
32   forward  drop                        0        0
;;; Block TCP DNS from vlan5-iot
33   forward  drop                        0        0
;;; Block UDP DNS from vlan5-iot
34   forward  drop                        0        0
;;; Deny DNS from Tuya list
35   forward  drop                        0        0
;;; Deny DNS from Tuya list
36   forward  drop                        0        0
;;; Allow TCP DNS from vlan10-lan
37   forward  accept                      0        0
;;; Allow  UDP DNS from vlan10-lan
38   forward  accept                      0        0
;;; Allow TCP DNS from vlan9-iotonline
39   forward  accept                      0        0
;;; Allow UDP DNS from vlan9-iotonline
40   forward  accept                      0        0
;;; Allow TCP DNS from vlan15-wifiguests
41   forward  accept                      0        0
;;; Allow UDP DNS from vlan15-wifiguests
42   forward  accept                      0        0
;;; Block traffic from vlan5-iot to other VLANs
43   forward  drop                        0        0
;;; Block traffic from vlan6-cameras to other VLANs
44   forward  drop                        0        0
;;; Block traffic from vlan9-iotonline to other VLANs
45   forward  drop                        0        0
;;; Block traffic from vlan15-wifiguests to other VLANs
46   forward  drop                        0        0
;;; drop access to clients behind NAT from WAN
47   forward  drop                        0        0

/interface list member print

Columns: LIST, INTERFACE
# LIST               INTERFACE              
0 LAN                bridge                 
1 ManagementAllowed  vlan10-lan             
2 ManagementAllowed  vlan1-management       
3 ManagementAllowed  ether13-localmanagement
4 WAN                ether3-wan-backup      
5 WAN                sfp1-xgspon

/ip address print

Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS           NETWORK       INTERFACE        
0   192.168.5.1/24    192.168.5.0   vlan1-management 
1   192.168.8.1/24    192.168.8.0   vlan5-iot        
2   192.168.9.1/24    192.168.9.0   vlan9-iotonline  
3   192.168.10.1/24   192.168.10.0  vlan10-lan       
4   192.168.15.1/24   192.168.15.0  vlan15-wifiguests
5   192.168.6.1/24    192.168.6.0   vlan6-cameras    
6 D XXX.XXX.205.39/19  XXX.XXX.192.0  ether3-wan-backup

/ip dhcp-client print detail

Flags: X - disabled, I - invalid, D - dynamic 
 0   interface=ether3-wan-backup add-default-route=yes default-route-distance=2 use-peer-dns=no use-peer-ntp=no dhcp-options=hostname,clientid status=bound address=XXX.XXX.205.39/19 
     gateway=XXX.XXX.192.1 dhcp-server=XXX.XXX.36.17 primary-dns=XXX.XXX.129.90 secondary-dns=XXX.XXX.129.94 primary-ntp=XXX.XXX.138.215 secondary-ntp=XXX.XXX.173.74 expires-after=54m39s 

 1 I ;;; Interface not active
     interface=sfp1-xgspon add-default-route=yes default-route-distance=1 use-peer-dns=no use-peer-ntp=no dhcp-options=hostname,clientid

I also notice that after connecting the WAN link to ether3, I’m first getting a 192.168.100.1/24 address assigned from my modem to ether3, which is then replaced by the public WAN ip address.
The Orange modem operates in bridge mode, but allows configuration on 192.168.100.1:80.
I am able to connect to 192.168.100.1, even if I disable the NAT masquerade rule. Which … I don’t get at all either to be honest.

No idea if part of the problem, but in your /ip route print detail there is:
vrf-interface=ether3-wan-backup
but there is no vrf in your configuration that I can see.

Shouldn’t that be (like the other routes) something like:
local-address=XXX.XXX.205.39%ether3-wan-backup

But if this is an issue, it should affect everything, not only VLAN10.

I too cannot understand how it can connect to 192.168.100.1, maybe the general 0.0.0.0/0 route catches it and then sends it to the modem and the modem gets it and resolves it as local to itself.

The route is auto created by the DHCP-client.
I don’t have any VRF configuration. And I don’t know how to remove it either from the route …?

To be clear:
Only the router has access to the internet (ping 1.1.1.1 and resolve google.com).
None of the clients on any vlan have internet access.

I also noticed, when trying to connect from the internet towards my HTTP/HTTPS server, the dstnat rule stats increase.
But I’m not getting a response, so no webpage is being displayed.

Sure, it is DAdH, maybe it is just the newish RoS that calls (why?) the interface “vrf-interface” :confused: .

A thing that is not advised is the use of VLAN1, if you would use (say) VLAN99 as management you would remove a possible source of issues (but that again might or might not be connected to the issue at hand).

Personally I would try adding a now unused ether interface to the bridge/LAN (without VLAN) and see if you can reach internet to it.
This should be enough to understand, loosely, whether the problem is related to some VLAN mis-configuration or to something in routing/NAT/firewall.

I’ve tried adding an ip address (192.168.44.1/24) directly to ether4 and setting up a DHCP server on it (192.168.44.2-192.168.44.99).
And I’ve added these 2 rules at the top:

 1    ;;; DEBUG: Allow all
      chain=input action=accept src-address=192.168.44.0/24 log=no log-prefix="" 

 2    ;;; DEBUG: Allow all
      chain=forward action=accept src-address=192.168.44.0/24 log=no log-prefix=""

But … same result.
I’ve got an IP, I can ping the router, I can resolve DNS through the router using the router as DNS server, but I cannot ping 1.1.1.1

Eureka!
Issue was I had HW offloading enabled on the WAN interface. Disabling that made traffic to 0.0.0.0 hit the firewall rules, which it did not do before because all traffic was being handled by the switch.
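As an added example (not from the thread or from MikroTik), assuming the offload in question is the RouterOS 7 L3 hardware offloading setting (`l3-hw-offloading`) on the switch port behind each WAN interface: this script walks the `WAN` interface list from the config above, turns the per-port offload off wherever it is on, and then prints the counters of the vlan10 internet rule so the change can be confirmed the same way the thread did, by watching the rule start counting.

```routeros
# Added example: make sure routed WAN traffic passes through the firewall
# instead of being forwarded by the switch chip (assumed cause: L3 HW offload).
:local listName "WAN"

:foreach m in=[/interface list member find list=$listName] do={
    :local ifname [/interface list member get $m interface]
    # Switch ports are keyed by the ethernet interface name
    :foreach p in=[/interface ethernet switch port find name=$ifname] do={
        :if ([/interface ethernet switch port get $p l3-hw-offloading]) do={
            :log warning ("L3 HW offloading was enabled on WAN port " . $ifname . \
                "; disabling so routed traffic hits the firewall")
            /interface ethernet switch port set $p l3-hw-offloading=no
        } else={
            :log info ("L3 HW offloading already off on " . $ifname)
        }
    }
}

# Verification: this rule showed 0 packets while offload was on; it should
# now increment when a vlan10 client reaches the internet.
/ip firewall filter print stats where comment="Allow internet access for vlan10-lan"
```

If the counters still stay at zero after a client on vlan10 tries to ping 1.1.1.1, the traffic is being handled somewhere other than the CPU firewall and the remaining offload settings (global switch L3HW, bridge port hw offload) are the next things to check.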