Connection issues with new setup

Hi all!

I have a new setup, but still have some issues that I cannot figure out. I would also appreciate comments about the configuration, if there are any suggestions for improving it.

My Setup:

CHR (QUEMU on Proxmox) RouterOS 7.20.6
WAN-IF connected to DSL modem using PPPoE
LAN-IF connected to cAP ac

cAP ac RouterOS 7.20.6
Proxmox-LAN connected to CHR
Game-LAN connected to hAP ac^2

I use 4 VLANs (later I will set up the correct isolation, but for now I want all of them to access the internet and be able to communicate with each other).
Admin VLAN (With DHCP) - All Mikrotiks get an address in this VLAN
Home VLAN (With DHCP) - address reservation, DNS forced to use DNS server on CHR with adlists.
IOT VLAN (With DHCP) - address reservation
Guest VLAN (With DHCP) - only DHCP addresses for guests

cAP ac - have virtual AP for each VLAN except Admin. Managed from CAPsMAN on CHR.

With the setup I have following issues

ISSUES

  1. on CHR I cannot enable IP/Cloud DDNS; it is stuck in Updating. Upgrading RouterOS is possible, ping to 8.8.8.8 successful.
  2. on cAP ac I cannot access the admin interface on the Admin VLAN (from Home VLAN using Winbox). I can access it if connecting to the MAC address. And I can connect to the Admin IP of CHR and hAP ac^2.
  3. on cAP ac I cannot access the MikroTik upgrade (error: Address not available). Ping to 8.8.8.8 successful.

Things done:

cAP ac & CHR restarted. cAP ac - config backup, reset and deleted config, backup loaded.

CONFIGS

CHR

# 2025-12-10 13:43:01 by RouterOS 7.20.6
# system id = REMOVED
#
/caps-man channel
add band=2ghz-b/g/n comment=2412 control-channel-width=20mhz frequency=2412 \
    name=CH1 reselect-interval=3h15m save-selected=yes
add band=2ghz-b/g/n comment=2437 control-channel-width=20mhz frequency=2437 \
    name=CH6 reselect-interval=4h30m save-selected=yes
add band=2ghz-g/n comment=2462 control-channel-width=20mhz frequency=2462 \
    name=CH11 reselect-interval=2h45m save-selected=yes
/interface bridge
add comment="Common bridge" frame-types=admit-only-vlan-tagged name=\
    DATA-BRIDGE vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="Configuration interface" \
    disable-running-check=no name=CONFIG-IF
set [ find default-name=ether1 ] comment="ETH to MAIN AP" \
    disable-running-check=no name=LAN-IF
set [ find default-name=ether2 ] comment="ETH to Telekom Modem" \
    disable-running-check=no name=WAN-IF
/interface vlan
add comment="55 Admin VLAN" interface=DATA-BRIDGE name=ADMIN-55 vlan-id=55
add comment="99 Guest VLAN" interface=DATA-BRIDGE name=GUEST-99 vlan-id=99
add comment="77 Home VLAN" interface=DATA-BRIDGE name=HOME-77 vlan-id=77
add comment="88 IOT VLAN" interface=DATA-BRIDGE name=IOT-88 vlan-id=88
add comment="7 Telekom VLAN" interface=WAN-IF name=WAN-7 vlan-id=7
/caps-man datapath
add bridge=DATA-BRIDGE comment="Home Network data" name=HOME-DATA vlan-id=77 \
    vlan-mode=use-tag
add bridge=DATA-BRIDGE client-to-client-forwarding=yes comment=\
    "IOT Network Data" name=IOT-DATA vlan-id=88 vlan-mode=use-tag
add bridge=DATA-BRIDGE comment="Guest Network Data" name=GUEST-DATA vlan-id=\
    99 vlan-mode=use-tag
/interface pppoe-client
add add-default-route=yes comment="Telekom PPPoE" disabled=no interface=WAN-7 \
    max-mru=1492 max-mtu=1492 name=TELEKOM-PPPoE use-peer-dns=yes user=\
    REMOVED
/caps-man security
add authentication-types=wpa-psk,wpa2-psk comment=GUEST-NET encryption=\
    aes-ccm name=GUEST-SEC
add authentication-types=wpa-psk,wpa2-psk comment=HOME-NET encryption=aes-ccm \
    name=HOME-SEC
add authentication-types=wpa-psk,wpa2-psk comment=IOT-NET encryption=aes-ccm \
    name=IOT-SEC
/caps-man configuration
add country=germany datapath=GUEST-DATA installation=indoor mode=ap name=\
    GUEST-CONFIG security=GUEST-SEC ssid=GUEST-NET
add channel=CH6 country=germany datapath=HOME-DATA installation=indoor mode=\
    ap name=HOME-CONFIG security=HOME-SEC ssid=HOME-NET
add country=germany datapath=HOME-DATA installation=indoor mode=ap name=\
    HOME-CONFIG-5G security=HOME-SEC ssid=HOME-NET
add channel=CH11 country=germany datapath=IOT-DATA installation=indoor mode=\
    ap name=IOT-IN-CONFIG security=IOT-SEC ssid=IOT-NET
add channel=CH6 country=germany datapath=IOT-DATA installation=outdoor mode=\
    ap name=IOT-OUT-CONFIG security=IOT-SEC ssid=IOT-NET
/interface list
add comment="LAN List" name=LAN
add comment="WAN List" name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="Admin DHCP Pool" name=ADMIN-POOL ranges=\
    192.168.55.10-192.168.55.20
add comment="Home DHCP Pool" name=HOME-POOL ranges=\
    192.168.77.200-192.168.77.254
add comment="IOT DHCP Pool" name=IOT-POOL ranges=\
    192.168.88.200-192.168.88.254
add comment="Guest DHCP Pool" name=GUEST-POOL ranges=\
    192.168.99.2-192.168.99.20
/ip dhcp-server
add address-pool=ADMIN-POOL comment="Admin DHCP server" interface=ADMIN-55 \
    lease-time=1w name=ADMIN-DHCP
add address-pool=HOME-POOL comment="Homenet DHCP server" interface=HOME-77 \
    lease-time=1w name=HOME-DHCP
add address-pool=IOT-POOL comment="IOTnetwork DHCP server" interface=IOT-88 \
    lease-time=1w name=IOT-DHCP
add address-pool=GUEST-POOL comment="GuestNet GHCP server" interface=GUEST-99 \
    name=GUEST-DHCP
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] comment="Ignore other" forbid=yes
add comment="Admin Interface to connect" disabled=no interface=ADMIN-55
/caps-man provisioning
add action=create-dynamic-enabled comment="Main 2.4Ghz" master-configuration=\
    HOME-CONFIG name-format=prefix-identity name-prefix=2G radio-mac=\
    REMOVED slave-configurations=IOT-IN-CONFIG,GUEST-CONFIG
add action=create-dynamic-enabled comment="Main 5Ghz" master-configuration=\
    HOME-CONFIG-5G name-format=prefix-identity name-prefix=5G radio-mac=\
    REMOVED
add action=create-dynamic-enabled comment="Out 2.4Ghz" master-configuration=\
    IOT-OUT-CONFIG name-format=prefix-identity name-prefix=2G radio-mac=\
    REMOVED slave-configurations=HOME-CONFIG,GUEST-CONFIG
add action=create-dynamic-enabled comment="Game 2.4 Ghz" \
    master-configuration=IOT-IN-CONFIG name-format=prefix-identity \
    name-prefix=2G radio-mac=REMOVED slave-configurations=\
    HOME-CONFIG,GUEST-CONFIG
add action=create-dynamic-enabled comment="Game 5Ghz" master-configuration=\
    HOME-CONFIG-5G name-format=prefix-identity name-prefix=5G radio-mac=\
    REMOVED
/certificate settings
set builtin-trust-anchors=not-trusted
/dude
set enabled=yes
/interface bridge port
add bridge=DATA-BRIDGE frame-types=admit-only-vlan-tagged interface=LAN-IF
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=DATA-BRIDGE comment="VLANs on LAN ETH" tagged=DATA-BRIDGE,LAN-IF \
    vlan-ids=77,88,99
add bridge=DATA-BRIDGE comment="Admin VLAN" tagged=DATA-BRIDGE,LAN-IF \
    vlan-ids=55
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add interface=ADMIN-55 list=LAN
add interface=HOME-77 list=LAN
add interface=IOT-88 list=LAN
add comment="LAN interfaces" interface=GUEST-99 list=LAN
add comment="WAN interface" interface=TELEKOM-PPPoE list=WAN
add comment="ETH port for config" interface=CONFIG-IF list=LAN
add interface=DATA-BRIDGE list=LAN
/ip address
add address=192.168.55.55/24 comment="Static config IP" interface=CONFIG-IF \
    network=192.168.55.0
add address=192.168.55.1/24 comment="Admin IP" interface=ADMIN-55 network=\
    192.168.55.0
add address=192.168.77.1/24 comment="Homenet IP" interface=HOME-77 network=\
    192.168.77.0
add address=192.168.88.1/24 comment="IOTnet IP" interface=IOT-88 network=\
    192.168.88.0
add address=192.168.99.1/24 comment="Guestnet IP" interface=GUEST-99 network=\
    192.168.99.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=CONFIG-IF
/ip dhcp-server lease
REMOVED
/ip dhcp-server network
add address=192.168.55.0/24 comment="Admin Net" dns-server=\
    1.1.1.1,8.8.8.8,8.8.4.4 gateway=192.168.55.1 netmask=24
add address=192.168.77.0/24 comment="Home Net" dns-server=192.168.77.1 \
    gateway=192.168.77.1 netmask=24
add address=192.168.88.0/24 comment="IOT Net" dns-server=\
    1.1.1.1,8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=24
add address=192.168.99.0/24 comment="Guest Net" dns-server=\
    1.1.1.1,8.8.8.8,8.8.4.4 gateway=192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=6h cache-size=40960KiB \
    doh-max-concurrent-queries=200 doh-max-server-connections=20 \
    max-concurrent-queries=1000 max-concurrent-tcp-sessions=40 \
    mdns-repeat-ifaces=GUEST-99,HOME-77,IOT-88 servers=\
    8.8.8.8,8.8.4.4,1.1.1.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns adlist
add url=https://v.firebog.net/hosts/static/w3kbl.txt
add url=\
    https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt
add url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
add url=https://v.firebog.net/hosts/AdguardDNS.txt
add url=https://v.firebog.net/hosts/Easylist.txt
add url=https://v.firebog.net/hosts/Prigent-Crypto.txt
/ip firewall address-list
add address=192.168.55.0/24 comment="Admin network" list=Admin_IP
add address=192.168.77.0/24 comment="Home network" list=Home_IP
add address=192.168.88.0/24 comment="IOT network" list=IOT_IP
add address=192.168.99.0/24 comment="Guest network" list=Guest_IP
/ip firewall filter
add action=accept chain=input comment=\
    "Defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "Defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="Defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="DNS ADblocker" dst-address=\
    !192.168.77.1 dst-port=53 in-interface=HOME-77 protocol=udp src-address=\
    !192.168.77.1 to-addresses=192.168.77.1
add action=dst-nat chain=dstnat comment="DNS ADblocker" dst-address=\
    !192.168.77.1 dst-port=53 in-interface=HOME-77 protocol=tcp src-address=\
    !192.168.77.1 to-addresses=192.168.77.1
add action=masquerade chain=srcnat comment="DNS ADblocker" dst-address=\
    192.168.77.1 dst-port=53 protocol=udp src-address-list=Home_IP
add action=masquerade chain=srcnat comment="DNS ADblocker" dst-address=\
    192.168.77.1 dst-port=53 protocol=udp src-address-list=Home_IP
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Proxmox-MT
/system scheduler
add comment="Automatic weekly update" interval=1w name=Weekly-Update \
    on-event="/system/script/ run Auto-Update" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-12-06 start-time=03:33:33
/system script
add comment="Automatic weekly upgrade" dont-require-permissions=no name=\
    Auto-Update owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system package update\
    \ncheck-for-updates once\
    \n:delay 3s;\
    \n:if ( [get status] = \"New version is available\") do={ install }"

cAP ac

# 2025-12-10 11:33:58 by RouterOS 7.20.6
# software id = REMOVED
#
# model = RBcAPGi-5acD2nD
# serial number = REMOVED
/interface bridge
add frame-types=admit-only-vlan-tagged name=DATA-BRIDGE vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-Ce/gn(18dBm), SSID: HOME-NET, CAPsMAN forwarding
set [ find default-name=wlan1 ] name=wlan-2G ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: HOME-NET, CAPsMAN forwarding
set [ find default-name=wlan2 ] name=wlan-5G ssid=MikroTik
/interface ethernet
set [ find default-name=ether2 ] name=GAME-LAN
set [ find default-name=ether1 ] name=PROXMOX-LAN
/interface vlan
add interface=DATA-BRIDGE name=ADMIN-55 vlan-id=55
add interface=DATA-BRIDGE name=GUEST-99 vlan-id=99
add interface=DATA-BRIDGE name=HOME-77 vlan-id=77
add interface=DATA-BRIDGE name=IOT-88 vlan-id=88
/interface list
add comment="Admin interface" name=Admin
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/certificate settings
set builtin-trust-anchors=not-trusted
/interface bridge port
add bridge=DATA-BRIDGE frame-types=admit-only-vlan-tagged interface=\
    PROXMOX-LAN
add bridge=DATA-BRIDGE frame-types=admit-only-vlan-tagged interface=GAME-LAN
/ipv6 settings
set allow-fast-path=no disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=DATA-BRIDGE tagged=DATA-BRIDGE,PROXMOX-LAN,GAME-LAN vlan-ids=\
    77,88,99
add bridge=DATA-BRIDGE tagged=PROXMOX-LAN,DATA-BRIDGE,GAME-LAN vlan-ids=55
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all
/interface list member
add interface=ADMIN-55 list=Admin
/interface wireless cap
# 
set bridge=DATA-BRIDGE caps-man-addresses=192.168.55.1 certificate=request \
    discovery-interfaces=ADMIN-55 enabled=yes interfaces=wlan-2G,wlan-5G
/ip dhcp-client
add interface=ADMIN-55
/system identity
set name=HALL-MT
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1w name="Auto Upgrade" on-event=\
    "/system/script/ run Auto_Update  " policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-12-13 start-time=04:30:00
/system script
add dont-require-permissions=no name=Auto_Update owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system package update\
    \ncheck-for-updates once\
    \n:delay 3s;\
    \n:if ( [get status] = \"New version is available\") do={ install }"

Any comments and improvement suggestions welcome!

First thing, I would remove that (set interface-list to none); it may be completely unrelated, but it sometimes does strange things.

also this:
/system routerboard settings
set auto-upgrade=yes
should be disabled (IMHO).

Do names resolve correctly on the cAP ac? (i.e. can you ping - besides 8.8.8.8 - also google.com?)

Keep an eye on this page:
https://mikrotikstat.us/
there have been some (brief) interruptions in some services, maybe you were unlucky and mikrotik cloud was down when you tried it.

Hi jaclaz,

Thanks for your comments and especially about the address https://mikrotikstat.us/ - super resource.

I tried your suggested settings:
set detect internet interface to none & disabled auto-upgrade in Routerboard settings. Unfortunately, it did not help.

I tried different Pings and it left me puzzled.

[admin@HALL-MT] > ping 8.8.8.8
  SEQ HOST                                     SIZE TTL TIME       STATUS         
    0 8.8.8.8                                    56 119 13ms493us 
    1 8.8.8.8                                    56 119 12ms155us 
    2 8.8.8.8                                    56 119 12ms317us 
    3 8.8.8.8                                    56 119 12ms334us 
    4 8.8.8.8                                    56 119 12ms364us 
    5 8.8.8.8                                    56 119 12ms319us 
    sent=6 received=6 packet-loss=0% min-rtt=12ms155us avg-rtt=12ms497us 
   max-rtt=13ms493us 

[admin@HALL-MT] > ping www.google.com
  SEQ HOST                                     SIZE TTL TIME       STATUS         
    0 142.251.140.164                                              timeout        
    1 142.251.140.164                                              timeout        
    2 142.251.140.164                                              timeout        
    3 142.251.140.164                                              timeout        
    4 142.251.140.164                                              timeout        
    5 142.251.140.164                                              timeout        
    6 142.251.140.164                                              timeout        
    7 142.251.140.164                                              timeout        
    sent=8 received=0 packet-loss=100% 

[admin@HALL-MT] > ping www.mikrotik.com
  SEQ HOST                                     SIZE TTL TIME       STATUS         
    0 159.148.172.205                            56  53 39ms847us 
    1 159.148.172.205                            56  53 42ms56us  
    2 159.148.172.205                            56  53 42ms3us   
    3 159.148.172.205                            56  53 39ms879us 
    4 159.148.172.205                            56  53 39ms697us 
    5 159.148.172.205                            56  53 39ms744us 
    sent=6 received=6 packet-loss=0% min-rtt=39ms697us avg-rtt=40ms537us 
   max-rtt=42ms56us 

[admin@HALL-MT] > ping 142.251.140.164
  SEQ HOST                                     SIZE TTL TIME       STATUS         
    0 142.251.140.164                                              timeout        
    1 142.251.140.164                                              timeout        
    2 142.251.140.164                                              timeout        
    3 142.251.140.164                                              timeout        
    4 142.251.140.164                                              timeout        
    5 142.251.140.164                                              timeout        
    sent=6 received=0 packet-loss=100% 

[admin@HALL-MT] > ping google.com
  SEQ HOST                                     SIZE TTL TIME       STATUS         
    0 216.58.206.46                                                timeout        
    1 216.58.206.46                                                timeout        
    2 216.58.206.46                                                timeout        
    3 216.58.206.46                                                timeout        
    4 216.58.206.46                                                timeout        
    5 216.58.206.46                                                timeout        
    6 216.58.206.46                                                timeout        
    sent=7 received=0 packet-loss=100% 

[admin@HALL-MT] > ping upgrade.mikrotik.com
  SEQ HOST                                     SIZE TTL TIME       STATUS         
    0 159.148.147.251                                              timeout        
    1 159.148.147.251                                              timeout        
    2 159.148.147.251                                              timeout        
    3 159.148.147.251                                              timeout        
    4 159.148.147.251                                              timeout        
    sent=5 received=0 packet-loss=100% 

[admin@HALL-MT] > ping amazon.com
  SEQ HOST                                     SIZE TTL TIME       STATUS         
    0 98.87.170.71                                                 timeout        
    1 98.87.170.71                                                 timeout        
    2 98.87.170.71                                                 timeout        
    3 98.87.170.71                                                 timeout        
    4 98.87.170.71                                                 timeout        
    5 98.87.170.71                                                 timeout        
    sent=6 received=0 packet-loss=100% 

[admin@HALL-MT] > ping amazon.de 
  SEQ HOST                                     SIZE TTL TIME       STATUS         
    0 3.253.177.16                                                 timeout        
    1 3.253.177.16                                                 timeout        
    2 3.253.177.16                                                 timeout        
    3 3.253.177.16                                                 timeout        
    sent=4 received=0 packet-loss=100% 

DNS works ok, but some addresses are not reachable.

Sure the MTU is correct? Otherwise you should contact your ISP.
Can you share tracert www.google.com as well?

Hi,

I believe so. But it is strange that client/router/AP act differently.

Here is a ping from my PC connected to the cAP ac Home VLAN. Next the ping runs also from CHR and cAP ac.

>ping www.google.com

Pinging www.google.com [142.250.180.68] with 32 bytes of data:
Reply from 142.250.180.68: bytes=32 time=19ms TTL=116
Reply from 142.250.180.68: bytes=32 time=19ms TTL=116
Reply from 142.250.180.68: bytes=32 time=19ms TTL=116
Reply from 142.250.180.68: bytes=32 time=19ms TTL=116

Ping statistics for 142.250.180.68:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms

>tracert www.google.com

Tracing route to www.google.com [142.250.180.68]
over a maximum of 30 hops:

  1    <1 ms     1 ms    <1 ms  192.168.77.1
  2     5 ms     5 ms     6 ms  p3e9bf36b.dip0.t-ipconnect.de [62.155.243.107]
  3    12 ms    13 ms    31 ms  f-ed11-i.F.DE.NET.DTAG.DE [217.0.192.162]
  4    15 ms    14 ms    14 ms  62.157.250.46
  5    16 ms    15 ms    16 ms  192.178.109.243
  6    15 ms    13 ms    13 ms  192.178.109.216
  7    16 ms    15 ms    16 ms  209.85.252.214
  8    21 ms    20 ms    20 ms  192.178.75.104
  9    21 ms    20 ms    21 ms  108.170.232.43
 10    19 ms    18 ms    19 ms  192.178.106.177
 11    23 ms    46 ms    20 ms  142.251.239.183
 12   574 ms   195 ms    45 ms  ber07s03-in-f4.1e100.net [142.250.180.68]

Trace complete.

If I check upgrade.mikrotik.com

on client

>ping upgrade.mikrotik.com

Pinging global-balancer-e.mikrotik.com [159.148.147.251] with 32 bytes of data:
Reply from 159.148.147.251: bytes=32 time=36ms TTL=53
Reply from 159.148.147.251: bytes=32 time=58ms TTL=53
Reply from 159.148.147.251: bytes=32 time=243ms TTL=53
Reply from 159.148.147.251: bytes=32 time=35ms TTL=53

Ping statistics for 159.148.147.251:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 243ms, Average = 93ms

>tracert 

Tracing route to global-balancer-e.mikrotik.com [159.148.147.251]
over a maximum of 30 hops:

  1    40 ms    17 ms     2 ms  192.168.77.1
  2     7 ms     6 ms     6 ms  p3e9bf36b.dip0.t-ipconnect.de [62.155.243.107]
  3   464 ms    12 ms    11 ms  f-ed11-i.F.DE.NET.DTAG.DE [217.0.192.134]
  4   294 ms    26 ms    12 ms  ffm-b5-link.ip.twelve99.net [62.115.172.70]
  5    13 ms    12 ms   638 ms  ffm-bb2-link.ip.twelve99.net [62.115.136.218]
  6    32 ms    30 ms     *     sto-bb2-link.ip.twelve99.net [62.115.138.104]
  7   342 ms    36 ms    35 ms  riga-b5-link.ip.twelve99.net [62.115.142.191]
  8   328 ms    38 ms    36 ms  siatet-ic-332270.ip.twelve99-cust.net [213.248.84.33]
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12    35 ms    36 ms    35 ms  159.148.147.251

Trace complete.

On CHR

[admin@Proxmox-MT] > ping upgrade.mikrotik.com     
  SEQ HOST                                     SIZE TTL TIME       STATUS                                              
    0 159.148.147.251                            56  54 35ms205us 
    1 159.148.147.251                            56  54 35ms410us 
    sent=2 received=2 packet-loss=0% min-rtt=35ms205us avg-rtt=35ms307us max-rtt=35ms410us 

[admin@Proxmox-MT] > tool traceroute upgrade.mikrotik.com    
ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS                              
62.155.243.107                     0%    3   4.7ms   250.6     4.7   381.7     174                                     
217.0.192.134                      0%    3  10.2ms    36.9    10.1    90.5    37.9                                     
62.115.172.70                      0%    3  11.9ms    22.1    11.9    42.3    14.3                                     
62.115.136.218                     0%    3    12ms    12.4      12    12.7     0.3                                     
62.115.138.104                   33..    3 timeout    28.6    28.5    28.6     0.1                                     
62.115.142.191                     0%    3  34.5ms    34.7    34.5    34.9     0.2                                     
213.248.84.33                      0%    3  35.7ms    35.8    35.7    35.9     0.1                                     
                                 100%    3 timeout                                                                     
                                 100%    3 timeout                                                                     
                                 100%    3 timeout                                                                     
159.148.147.251                    0%    2  34.3ms    36.6    34.3    38.9     2.3     

and on cAP ac

[admin@HALL-MT] > ping upgrade.mikrotik.com           
  SEQ HOST                                     SIZE TTL TIME       STATUS      
    0 159.148.147.251                                              timeout     
    1 159.148.147.251                                              timeout     
    2 159.148.147.251                                              timeout     
    3 159.148.147.251                                              timeout     
    sent=4 received=0 packet-loss=100% 

Can you give an updated export from the cAP ac?

This is the actual export

# 2025-12-10 14:35:35 by RouterOS 7.20.6
# software id = REMOVED
#
# model = RBcAPGi-5acD2nD
# serial number = REMOVED
/interface bridge
add frame-types=admit-only-vlan-tagged name=DATA-BRIDGE vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-Ce/gn(18dBm), SSID: HOME-NET, CAPsMAN forwarding
set [ find default-name=wlan1 ] name=wlan-2G ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: HOME-NET, CAPsMAN forwarding
set [ find default-name=wlan2 ] name=wlan-5G ssid=MikroTik
/interface ethernet
set [ find default-name=ether2 ] name=GAME-LAN
set [ find default-name=ether1 ] name=PROXMOX-LAN
/interface vlan
add interface=DATA-BRIDGE name=ADMIN-55 vlan-id=55
add interface=DATA-BRIDGE name=GUEST-99 vlan-id=99
add interface=DATA-BRIDGE name=HOME-77 vlan-id=77
add interface=DATA-BRIDGE name=IOT-88 vlan-id=88
/interface list
add comment="Admin interface" name=Admin
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/certificate settings
set builtin-trust-anchors=not-trusted
/interface bridge port
add bridge=DATA-BRIDGE frame-types=admit-only-vlan-tagged interface=\
    PROXMOX-LAN
add bridge=DATA-BRIDGE frame-types=admit-only-vlan-tagged interface=GAME-LAN
/ipv6 settings
set allow-fast-path=no disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=DATA-BRIDGE tagged=DATA-BRIDGE,PROXMOX-LAN,GAME-LAN vlan-ids=\
    77,88,99
add bridge=DATA-BRIDGE tagged=PROXMOX-LAN,DATA-BRIDGE,GAME-LAN vlan-ids=55
/interface detect-internet
set lan-interface-list=all
/interface list member
add interface=ADMIN-55 list=Admin
/interface wireless cap
# 
set bridge=DATA-BRIDGE caps-man-addresses=192.168.55.1 certificate=request \
    discovery-interfaces=ADMIN-55 enabled=yes interfaces=wlan-2G,wlan-5G
/ip dhcp-client
add interface=ADMIN-55
/system identity
set name=HALL-MT
/system scheduler
add interval=1w name="Auto Upgrade" on-event=\
    "/system/script/ run Auto_Update  " policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-12-13 start-time=04:30:00
/system script
add dont-require-permissions=no name=Auto_Update owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system package update\
    \ncheck-for-updates once\
    \n:delay 3s;\
    \n:if ( [get status] = \"New version is available\") do={ install }"

Hmmm, it should AFAICR be set to:

/interface detect-internet
set detect-interface-list=none

(again, possibly unrelated to the issue you are experiencing, still ...)

Here is probably the root of your problem, on the CHR. If you run:

/ip route print

(or look at the IP -> Routes table in WinBox) you'll probably see that there are two connected routes with the destination dst-address=192.168.55.0/24 with two different gateways, one gateway=CONFIG-IF and one with gateway=ADMIN-55. They will have the same distance and you'll see a + sign in the flag column.

What you created was an ECMP group. Depending on the source and destination addresses of the packets, packets with destination in the 192.168.55.0/24 range will now sometimes be sent to the ether3 port (CONFIG-IF), sometimes to the VLAN interface.

That's the reason why, depending on the ping destination, sometimes you get responses and sometimes not. The response packets of the requests will have a 50% chance of being sent to ether3 and never reaching your cAP. ECMP by default (in the L3 mode) calculates the hash based on the source address and the destination address, then picks one of the two routes with the + sign depending on the hash value.

So when 192.168.55.10 pings 8.8.8.8 the calculated hash might cause the response to land on the route with gateway=ADMIN-55, and it works, but pinging 1.0.0.1 will produce a hash that sends the response to the route with gateway=CONFIG-IF and you get the timeout because the packets never get back to 192.168.55.10.

As a fix, you should modify the subnet assigned to CONFIG-IF, so that the connected route created no longer forms an ECMP group with the 192.168.55.0/24 route.

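To make the ECMP behaviour described in the post concrete, here is an added simulation (not code from the thread or from RouterOS) of a route table with two equal-distance connected routes for 192.168.55.0/24, one via CONFIG-IF and one via ADMIN-55, as on the CHR. It does a longest-prefix match, then picks among equal-distance candidates by a hash of source and destination address, exactly the selection the post explains. The hash function, the list of remote peer addresses and the 192.168.56.0/24 subnet used for the "fixed" table are constructed for this example; RouterOS's actual hash is not reproduced here, only the fact that it depends on (src, dst). The find_ecmp_groups check is the programmatic equivalent of looking for the + flag in /ip route print.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: str          # interface name for a connected route
    distance: int = 0     # connected routes have distance 0


def find_ecmp_groups(routes):
    """Return {prefix: [gateways]} for every prefix that has more than one
    route at the same best distance, i.e. what RouterOS marks with '+'."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.dst, []).append(r)
    groups = {}
    for dst, rs in by_prefix.items():
        best = min(r.distance for r in rs)
        gateways = [r.gateway for r in rs if r.distance == best]
        if len(gateways) > 1:
            groups[str(dst)] = gateways
    return groups


def ecmp_hash(src, dst):
    # Constructed stand-in for the L3 src/dst hash; only the dependence on
    # (src, dst) matters for the demonstration, not the exact function.
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big")


def select_route(routes, src, dst):
    """Longest-prefix match, then ECMP selection among equal-distance routes."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst_ip in r.dst]
    if not candidates:
        return None
    longest = max(r.dst.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.dst.prefixlen == longest]
    best = min(r.distance for r in candidates)
    candidates = sorted((r for r in candidates if r.distance == best),
                        key=lambda r: r.gateway)
    if len(candidates) == 1:
        return candidates[0]
    # Two or more routes with the '+' flag: the hash decides which one is used.
    return candidates[ecmp_hash(src, dst) % len(candidates)]


def reply_paths(routes, cap_addr, peers):
    """For each remote peer, which interface the CHR would use to forward the
    peer's reply back to the cAP (src=peer, dst=cAP address)."""
    return {peer: select_route(routes, peer, cap_addr).gateway for peer in peers}


N = ipaddress.IPv4Network
# Table as produced by the CHR config in the thread: CONFIG-IF and ADMIN-55
# both carry 192.168.55.0/24, so two connected routes form an ECMP group.
BROKEN_CHR_ROUTES = [
    Route(N("192.168.55.0/24"), "CONFIG-IF"),
    Route(N("192.168.55.0/24"), "ADMIN-55"),
    Route(N("192.168.77.0/24"), "HOME-77"),
    Route(N("0.0.0.0/0"), "TELEKOM-PPPoE", distance=1),
]
# Same table after moving CONFIG-IF to a different subnet (constructed value).
FIXED_CHR_ROUTES = [
    Route(N("192.168.56.0/24"), "CONFIG-IF"),
    Route(N("192.168.55.0/24"), "ADMIN-55"),
    Route(N("192.168.77.0/24"), "HOME-77"),
    Route(N("0.0.0.0/0"), "TELEKOM-PPPoE", distance=1),
]
# Constructed set of 256 remote addresses the cAP might ping.
SAMPLE_PEERS = [str(ipaddress.ip_address(0x08080800 + i)) for i in range(256)]
CAP_ADDR = "192.168.55.10"  # address the cAP got from ADMIN-DHCP

if __name__ == "__main__":
    print("ECMP groups (broken):", find_ecmp_groups(BROKEN_CHR_ROUTES))
    print("ECMP groups (fixed): ", find_ecmp_groups(FIXED_CHR_ROUTES))
    broken = reply_paths(BROKEN_CHR_ROUTES, CAP_ADDR, SAMPLE_PEERS)
    lost = sum(1 for gw in broken.values() if gw == "CONFIG-IF")
    print(f"broken table: {lost}/{len(SAMPLE_PEERS)} replies sent to CONFIG-IF")
    fixed = reply_paths(FIXED_CHR_ROUTES, CAP_ADDR, SAMPLE_PEERS)
    print("fixed table gateways used:", set(fixed.values()))
```

Run it as a script to see roughly half of the replies land on CONFIG-IF with the original table and all of them on ADMIN-55 once the duplicate prefix is gone; the same find_ecmp_groups check flags any other accidental overlap of connected subnets.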

Thanks CGGXANNX !

You are right! It solved the issues with 192.168.55.0/24 network.

I just removed the IP address from the config interface and all now works perfectly fine!

Only issue is still with DDNS on CHR. I want to get it working for WireGuard (Sad that BTH is not working on CHR)

Thanks also @jaclaz & @erlinden for your input!

I only have the free CHR license on my VMs so I cannot test that, but make sure that you've activated your CHR license so that it's recognized as a paid & perpetual license for IP->Cloud to work. Not the trial (60-day) license and not the free (that limits everything to 1 Mbps) license.


Aha! I still use the trial licence for setup and testing. Will check when it is properly set up.

Thanks!