Connection To Internet Not Working Correctly

Hello, we have a MikroTik router running RouterOS 7.15.2.
We have our internet connection running into Ether1 port 1.
The public internet is 135.135.5.48/32. The gateway is 135.135.5.49 and we have ETHER1 assigned 135.135.5.50.
I know the internet is working fine. I set the ethernet port on my laptop to 135.135.5.50 and subnet mask 255.255.252 and gateway 135.135.5.49 and it connects out to the internet with no issues. In the internet browser, when I type "what is my ip address" it shows 135.135.5.50. Speed test runs fast, no issues.
Now to the connection through MikroTik.
I connect my client to the network through DHCP on the router. The client can get to the internet, however it doesn’t work properly. The internet is really slow, and I can’t even run a speed test. I am unable to ping anything, including 8.8.8.8. When I go to "what is my ip address" in the browser it says 135.135.5.50, just like it did when I was connected directly to the internet router. Why would it work, however not fully?
I have checked all the settings and configurations, and I can’t figure it out.
Can you please help?

Diagnosis: Problem is an erroneous config.
Charge: free

Any idea where to check? I’ve made sure under IP address Ether1 is 135.135.5.50/30 and network 135.135.5.48.
On the route list DST is 0.0.0.0/0, gateway 135.135.5.49.

Post your current configuration, follow this:
http://forum.mikrotik.com/t/forum-rules/173010/1

# 2024-07-19 12:41:27 by RouterOS 7.15.2
# software id = LBIX-Y0FR
#
# model = RB960PGS
# serial number = HFD0995CQF2
/interface bridge
add admin-mac=78:9A:18:C0:33:9F auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface vlan
add interface=ether2 name="vlan 700" vlan-id=700
add interface=ether2 name="vlan 710" vlan-id=710
add interface=ether2 name="vlan 799" vlan-id=799
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=213.98.173.154/32 exchange-mode=ike2 local-address=10.52.100.1 \
    name=Reus
add address=213.97.36.126/32 exchange-mode=ike2 local-address=10.52.100.1 \
    name="Ramon Home"
add address=35.205.54.237/32 exchange-mode=ike2 local-address=10.52.100.1 \
    name="Google Cloud"
/ip ipsec profile
set [ find default=yes ] dh-group=\
    ecp256,ecp521,modp4096,modp2048,modp1536,modp1024 dpd-interval=1m \
    enc-algorithm=aes-256,aes-192,aes-128,3des lifetime=1h nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms="ae\
    s-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-\
    128-gcm,3des,des" lifetime=1h
add auth-algorithms=sha512,sha256,sha1 disabled=yes enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm name=\
    "Proposals Ramon Home"
/ip pool
add name="Green-Bay pool" ranges=10.52.100.20-10.52.100.254
add name="Guest Pool" ranges=172.16.1.20-172.16.1.254
/ip dhcp-server
add address-pool="Green-Bay pool" interface="vlan 710" lease-time=10m name=\
    "Green Bay"
add address-pool="Guest Pool" interface="vlan 799" lease-time=10m name=\
    "Wifi Dupon Guest"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes interface=ether1 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.52.100.1/24 comment=defconf interface="vlan 710" network=\
    10.52.100.0
add address=192.168.200.45/30 interface="vlan 700" network=192.168.200.44
add address=172.16.1.1/24 interface="vlan 799" network=172.16.1.0
add address=135.135.5.50/30 interface=ether1 network=135.135.5.48
add address=10.52.100.1/24 interface=bridge network=10.52.100.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server
add address-pool=*1 disabled=yes interface=bridge lease-time=10m name=defconf
/ip dhcp-server network
add address=10.52.100.0/24 dns-server=8.8.8.8 gateway=10.52.100.1 netmask=24
add address=172.16.1.0/24 dns-server=8.8.8.8 gateway=172.16.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.52.100.1 comment=defconf name=router.lan
/ip firewall address-list
add address=80.28.210.181 list="Public IP's"
add address=2.207.204.34 list="Public IP's"
add address=192.168.4.0/23 list="Private networks"
add address=192.168.230.0/24 list="Private networks"
add address=192.168.16.0/24 list="Private networks"
add address=10.132.0.0/24 list="Private networks"
add address=80.28.210.181 list="Private networks"
add address=2.207.204.34 list="Private networks"
add address=35.205.246.246 list="Public IP's"
add address=10.52.100.0/24 list="Private networks"
add address=98.103.58.154 list="Public IP's"
add address=104.155.54.147 list="Public IP's"
add address=208.216.242.130 list="Public IP's"
add address=213.98.173.154 list="Public IP's"
add address=213.97.36.126 list="Public IP's"
add address=135.135.5.49 list="Public IP's"
add address=135.135.5.50 list="Public IP's"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-mark="" connection-state=\
    established,related
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-address=10.52.100.0/24 src-address=\
    10.132.0.0/24
add action=accept chain=input dst-address=10.52.100.0/24 src-address=\
    135.135.5.48/30
add action=accept chain=output dst-address=10.132.0.0/24 src-address=\
    10.52.0.0/24
add action=accept chain=output dst-address=135.135.5.48/30 src-address=\
    10.52.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input disabled=yes dst-address=192.168.230.0/24 \
    src-address=10.132.0.0/24
add action=accept chain=output disabled=yes dst-address=10.132.0.0/24 \
    src-address=192.168.230.0/24
add action=drop chain=input dst-port=22 protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    "Private networks"
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    "Public IP's"
add action=drop chain=input dst-port=8291 protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input dst-port=88 protocol=tcp src-address-list=\
    "Private networks"
add action=accept chain=input dst-port=88 protocol=tcp src-address-list=\
    "Public IP's"
add action=drop chain=input dst-port=88 protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input dst-port=2202 protocol=tcp src-address-list=\
    "Private networks"
add action=accept chain=input dst-port=2202 protocol=tcp src-address-list=\
    "Public IP's"
add action=drop chain=input dst-port=2202 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=10.132.0.0/24 \
    ipsec-policy=in,ipsec new-connection-mark=no-mark passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.230.0/24 \
    ipsec-policy=in,ipsec new-connection-mark=no-mark passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.4.0/23 \
    ipsec-policy=in,ipsec new-connection-mark=no-mark passthrough=yes
add action=mark-connection chain=prerouting dst-address=135.135.5.48/30 \
    ipsec-policy=in,ipsec new-connection-mark=no-mark passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=10.132.0.0/24 src-address=\
    10.52.100.0/24
add action=accept chain=srcnat dst-address=192.168.4.0/23 src-address=\
    10.52.100.0/24
add action=accept chain=srcnat dst-address=192.168.230.0/24 src-address=\
    10.52.100.0/24
add action=accept chain=dstnat dst-address=10.52.100.0/24 src-address=\
    10.132.0.0/24
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    10.52.100.0/24
add action=masquerade chain=srcnat dst-address=!10.132.0.0/24 src-address=\
    10.52.100.0/24
add action=masquerade chain=srcnat dst-address=!192.168.4.0/23 src-address=\
    10.52.100.0/24
add action=masquerade chain=srcnat dst-address=!192.168.230.0/24 src-address=\
    10.52.100.0/24
add action=masquerade chain=srcnat disabled=yes
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    172.16.1.0/24
add action=accept chain=forward comment="Router fw IPsec in accept" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw IPsec out accept" \
    ipsec-policy=out,ipsec
/ip firewall service-port
set sip disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec identity
add generate-policy=port-override notrack-chain=prerouting peer=Reus
add notrack-chain=prerouting peer="Ramon Home"
add notrack-chain=prerouting peer="Google Cloud"
/ip ipsec policy
add dst-address=10.132.0.0/24 peer="Google Cloud" src-address=10.52.100.0/24 \
    tunnel=yes
add disabled=yes dst-address=192.168.4.0/23 peer=Reus src-address=\
    10.52.100.0/24 tunnel=yes
add disabled=yes dst-address=192.168.230.0/24 peer="Ramon Home" src-address=\
    10.52.100.0/24 tunnel=yes
add dst-address=10.132.0.0/24 peer="Google Cloud" src-address=10.52.0.0/19 \
    tunnel=yes
/ip route
add disabled=no dst-address=10.52.0.0/19 gateway=192.168.200.46
add disabled=no dst-address=10.4.0.0/18 gateway=192.168.200.46
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=135.135.5.49 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=88
set ssh port=2202
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/Chicago
/system identity
set name=GreenBay
/system logging
add prefix=ipsec topics=ipsec
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

From the MikroTik router 10.52.100.1 I can ping 8.8.8.8 just fine from terminal.
My computer is connected to IP address 10.52.10.252 through DHCP and the gateway is my MikroTik router 10.52.100.1.
From the connected computer I can get to websites partially and it's slow, and I also can’t ping 8.8.8.8 from the computer. Unable to run speed tests or do anything like I can when I'm connected directly to the internet router without MikroTik.

From the terminal on the MikroTik, can you ping 8.8.8.8 or something like www.mikrotik.com?
I can ping your public IP 135.x.x.x (if that's your real one), but looking at your config I tried SSH/Web but no luck.
(You should probably not allow any public IP to connect to your router…)

Your config makes little sense to me: three VLANs and one bridge with addresses, but only two pools?

What in the heck is the purpose of these rules?
add action=accept chain=input dst-address=10.52.100.0/24 src-address=\
    10.132.0.0/24
add action=accept chain=input dst-address=10.52.100.0/24 src-address=\
    135.135.5.48/30
add action=accept chain=output dst-address=10.132.0.0/24 src-address=\
    10.52.0.0/24
add action=accept chain=output dst-address=135.135.5.48/30 src-address=\
    10.52.0.0/24

Okay, I don't understand most of your firewall rules. Did you get this from YouTube or something?

Yeah, I can ping www.mikrotik.com from the router terminal. However, from the workstation I can’t ping it.
Yeah, firewall rules have been trial and error trying to get it to work: YouTube videos and forums. I will clean them up once I can find a solution. They may not make sense right now.

As always I may be wrong, but it seems to me like you need to clean them up in order to find a solution.

The symptoms you report are “strange” in the sense that usually a connection either works or it doesn’t; from what you report, it seems like instead of taking a straight path it goes through some strange labyrinth, and your current configuration is far from being “simple”.

No idea if it can be done and it is actually correct in some particular configuration (not enough experience with VLAN’s) but having the same IP address assigned to the bridge and to vlan 710 seems to me confusing:

/ip address
add address=10.52.100.1/24 comment=defconf interface="vlan 710" network=10.52.100.0
add address=10.52.100.1/24 interface=bridge network=10.52.100.0
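
A check for the two points raised in the replies above, the router accepting management connections from public addresses and the same 10.52.100.1/24 sitting on both the bridge and vlan 710, written here as an added Python example (not code from any poster or from MikroTik). The sample input is a constructed subset of the posted export; the function names are hypothetical, and treating 8291, 88 and 2202 as the management ports is taken from the export's firewall rules and /ip service settings.

```python
import ipaddress
import shlex

# Constructed sample: subset of the export posted in this thread, continuations joined.
EXPORT = """\
/ip address
add address=10.52.100.1/24 comment=defconf interface="vlan 710" network=10.52.100.0
add address=135.135.5.50/30 interface=ether1 network=135.135.5.48
add address=10.52.100.1/24 interface=bridge network=10.52.100.0
/ip firewall address-list
add address=213.98.173.154 list="Public IP's"
add address=10.52.100.0/24 list="Private networks"
add address=80.28.210.181 list="Private networks"
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list="Private networks"
add action=accept chain=input dst-port=2202 protocol=tcp src-address-list="Public IP's"
"""

def parse(export):
    """Yield (menu, {key: value}) for each 'add' line of a RouterOS export."""
    menu = None
    for line in export.splitlines():
        if line.startswith("/"):
            menu = line.strip()
        elif line.startswith("add "):
            yield menu, dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)

def overlapping_subnets(export):
    """Interface pairs whose enabled addresses fall in overlapping subnets."""
    nets = [(ipaddress.ip_interface(r["address"]).network, r["interface"])
            for m, r in parse(export) if m == "/ip address" and r.get("disabled") != "yes"]
    return [(a_if, b_if, str(a)) for i, (a, a_if) in enumerate(nets)
            for b, b_if in nets[i + 1:] if a.overlaps(b)]

def mgmt_open_to_public(export, mgmt_ports=("8291", "88", "2202")):
    """Enabled input accepts on management ports whose source list holds public addresses."""
    rows, lists, hits = list(parse(export)), {}, []
    for m, r in rows:
        if m == "/ip firewall address-list":
            lists.setdefault(r["list"], []).append(ipaddress.ip_network(r["address"], strict=False))
    for m, r in rows:
        if (m == "/ip firewall filter" and r.get("chain") == "input" and r.get("disabled") != "yes"
                and r.get("action") == "accept" and r.get("dst-port") in mgmt_ports):
            public = [str(n) for n in lists.get(r.get("src-address-list"), []) if not n.is_private]
            if public:
                hits.append((r["dst-port"], r["src-address-list"], public))
    return hits

if __name__ == "__main__":
    print(overlapping_subnets(EXPORT), mgmt_open_to_public(EXPORT), sep="\n")
```

On the sample, the second function also reports 80.28.210.181, a public address that sits in the "Private networks" list.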

Agree, your setup should be easy-peasy actually and this is very strange behaviour.
I would:

  1. Save your complete config to a file.
  2. Completely erase and start over and fix the basics! Then start building on top with the things like VLAN’s, IPSEC-tunnels, fancy mangle-rules, etc.