Clients not able to browse internet running a CCR2004-16G-2S

teknoguy · November 29, 2023, 11:09pm

Thanks for reading my post.

My setup currently is from my Motorola cable modem>--CCR2004-16G-2S->--Cisco 10 Port PoE Switch>---Cisco 140AP Access Point>-->Clients

At the present time my clients when connected to my Cisco Access Point can't browse the internet. Clients can browse the internet when plugged directly into each port of the CCR2004 or the Cisco 10 Port PoE switch. From each device I can ping every other device (including my Cisco Access Point) inside my 192.168.x.x network, and ping successfully to any other live website on the internet. My Cisco Access Point needs a Poe switch for its power. At this point I'm perplexed at what the issue is but I'm fairly certain is something simple or forgot setting up a CCR2004-16. Any suggestion or help would be greatly appreciated. My current config on the CCR2004.

model = CCR2004-16G-2S+

serial number = HF209D81VWP

/interface bridge
add name=bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp interface=bridge lease-time=15m name=dhcp
server-address=192.168.1.1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN wan-interface-list=
WAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=
192.168.1.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.11 comment="Cisco AP" lease-time=4w2d mac-address=
A4:88:73:3C:01:20 server=dhcp use-src-mac=yes
add address=192.168.1.16 mac-address=10:E7:C6:03:56:D0 server=dhcp
use-src-mac=yes
add address=192.168.1.13 client-id=1:6e:74:aa:ad:ac:79 mac-address=
6E:74:AA:AD:AC:79 server=dhcp
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d doh-max-server-connections=4
servers=45.90.28.223,45.90.30.223 use-doh-server=
https://dns.nextdns.io/XXXX/MXXXX verify-doh-cert=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan ttl=2d
add address=240.0.0.1 match-subdomain=yes name=youtube.com
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=
not_in_internet
add address=39.128.0.0/10 comment="China Mobile Communications" list=Adblock
add address=204.19.119.0/24 comment="Apple NS" list=Apple
add address=204.26.57.0/24 comment="Apple NS" list=Apple
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" log=yes
protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=68.117.12.1 routing-table=
main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh disabled=yes
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24
/system clock
set time-zone-name=America/Chicago
/system identity
set name=CCR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.1.255 enabled=yes
local-clock-stratum=4 multicast=yes
/system ntp client servers
add address=132.163.96.1
add address=132.163.97.1
/system routerboard settings
set boot-delay=4s enter-setup-on=delete-key
/system scheduler
add interval=10m name=FlushDNS on-event="/ip dns cache flush" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=2023-11-12 start-time=23:30:46

LdB · November 30, 2023, 1:28am

Your dhcp server doesn’t provide any DNS to clients
The router has a DNS which is why it works when plugged into it.

So a DHCP client is connected to the internet and they will be able to ping anywhere they just can’t resolve anything unless they manually set a DNS.

erlinden · November 30, 2023, 7:43am

Id on not agree with the above:

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24

Can a wireless client ping any public IP at all?
Does the DNS server resolve names correctly while connected wireless?

Can you please remove serial and place the config between code tags (using the </> button)?