DHCP client - keep having link down

Hi all!

My ISP provides me with bridge mode. I have an RB5009 as the DHCP client, but this message appears at random:

dhcp-client on ether8-WAN lost IP address 89.XXX.XX.18 - lease stopped locally

My firewall rules

# model = RB5009UPr+S+
# Firewall excerpt posted by the thread author: trusted address list,
# connection-tracking timeout, filter rules, NAT and service-port helper.
/ip firewall address-list
# "rede suporte" is the list the input chain trusts (see the accept rule on
# src-address-list below). It mixes local subnets with two dynamic-DNS
# hostnames, so whatever address those names currently resolve to is trusted too.
add address=192.168.100.0/24 list="rede suporte"
add address=172.29.1.0/24 list="rede suporte"
add address=XXXXXX.synology.me list="rede suporte"
add address=XXXXXX.duckdns.org list="rede suporte"
add address=172.27.10.0/24 list="rede suporte"
/ip firewall connection tracking
# UDP connection-tracking entries time out after 10s.
set udp-timeout=10s
/ip firewall filter
# The only forward-chain rule: blocks new connections from 192.168.35.0/24 to
# 192.168.100.0/24.
# NOTE(review): nothing else is filtered in forward. There is no "drop invalid"
# and no drop of WAN-originated traffic that was not dst-nat'ed, both of which
# the default rule set quoted later in this thread contains.
add action=drop chain=forward connection-state=new dst-address=\
    192.168.100.0/24 src-address=192.168.35.0/24
# UDP 31231 is accepted from any source on any interface.
add action=accept chain=input comment="allow WireGuard" dst-port=31231 \
    protocol=udp
# Accepts anything whose source address is in 172.27.10.0/24.
# NOTE(review): the match is on source address only; adding an in-interface
# match for the WireGuard interface would tie it to the tunnel - confirm.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    172.27.10.0/24
# Return traffic for connections that are already tracked.
add action=accept chain=input connection-state=established,related
# Full input-chain access for every address currently in "rede suporte",
# including entries added dynamically by the port-1981 rule below.
add action=accept chain=input src-address-list="rede suporte"
# ICMP is accepted while within limit=50,5:packet; anything over the limit
# does not match here and reaches the final drop.
add action=accept chain=input limit=50,5:packet protocol=icmp
# Single-port knock: the source of any TCP packet to port 1981 is added to
# "rede suporte" for 5h.
# NOTE(review): the rule has no in-interface or source restriction, so it is
# reachable from ether8-WAN; any Internet host that happens to hit this port
# gets the same router access as the support networks for 5 hours. Reaching the
# router only through WireGuard, or restricting this rule to known sources,
# would remove that exposure - confirm intent.
add action=add-src-to-address-list address-list="rede suporte" \
    address-list-timeout=5h chain=input dst-port=1981 protocol=tcp
# Everything else addressed to the router itself is dropped.
add action=drop chain=input
/ip firewall nat
# Source NAT (masquerade) for traffic leaving through ether8-WAN.
add action=masquerade chain=srcnat out-interface=ether8-WAN
/ip firewall service-port
# Turns off the FTP service-port helper.
set ftp disabled=yes

Any clue?

Can you show us log lines immediately preceding the quoted message (a few tens of seconds of history should do it) … in general anything related to ether8-WAN port or DHCP.

Does your RB get a public IP address? Hope not…

I can’t see anything weird…
Sem Título.jpg

Yes, my ISP provides me with bridge mode, so on the WAN I get a public IP...

Why you say, hope not?!?!?

Your firewall rule set isn’t complete. What made you decide to change it?
Can you please provide a complete config? Remove serial and any other private info.



# 2024-12-13 16:19:13 by RouterOS 7.16.2
# model = RB5009UPr+S+
# serial number = XXXXXX
# Full configuration export posted by the thread author. The comments below
# describe only what the export shows; items marked NOTE(review) are points to
# confirm on the device.
/interface bridge
# VLAN-filtering bridge; the bridge interface itself admits only tagged frames.
add frame-types=admit-only-vlan-tagged name=bridge port-cost-mode=short \
    vlan-filtering=yes
/interface ethernet
# Port renames, comments and PoE-out settings. ether8 becomes ether8-WAN.
set [ find default-name=ether1 ] name=ether1-eap670
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] comment="EAP outdoor"
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] comment="Management port" poe-out=off
set [ find default-name=ether8 ] name=ether8-WAN poe-out=off
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-switch
/interface wireguard
# Listen port 31231 is the port opened by the "allow WireGuard" input rule.
add listen-port=31231 mtu=1420 name=wireguard1
/interface vlan
# Two VLAN interfaces on the bridge: 110 and 192.
add interface=bridge name=bridge.110 vlan-id=110
add interface=bridge name=bridge.192 vlan-id=192
/ip pool
add name=pool.192 ranges=192.168.35.2-192.168.35.254
add name=pool.110 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=pool.192 interface=bridge.192 lease-time=6h name=dhcp.192
add address-pool=pool.110 interface=bridge.110 lease-time=1d name=dhcp.110
/interface bridge port
# ether1-ether6 and the SFP+ port are bridge members with pvid=110.
# ether7 and ether8-WAN are not added to the bridge.
add bridge=bridge interface=ether1-eap670 internal-path-cost=10 path-cost=10 \
    pvid=110
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10 pvid=\
    110
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10 pvid=\
    110
add bridge=bridge interface=sfp-sfpplus1-switch internal-path-cost=10 \
    path-cost=10 pvid=110
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10 pvid=\
    110
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10 pvid=\
    110
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10 pvid=\
    110
/ip firewall connection tracking
# UDP connection-tracking entries time out after 10s.
set udp-timeout=10s
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery is enabled on all interfaces, which includes
# ether8-WAN. Limiting it to the internal interfaces would avoid announcing the
# router toward the ISP side - confirm.
set discover-interface-list=all
/ip settings
set tcp-syncookies=yes
/interface bridge vlan
# VLAN 192 is tagged on the bridge and on every bridge port; VLAN 110 is tagged
# only on the bridge interface itself.
add bridge=bridge tagged="bridge,ether1-eap670,ether2,ether3,ether4,ether5,eth\
    er6,sfp-sfpplus1-switch" vlan-ids=192
add bridge=bridge tagged=bridge vlan-ids=110
/ip address
add address=192.168.100.1/24 interface=bridge.110 network=192.168.100.0
add address=192.168.35.1/24 interface=bridge.192 network=192.168.35.0
add address=172.29.1.1/24 interface=ether7 network=172.29.1.0
add address=172.27.10.1/24 interface=wireguard1 network=172.27.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
# The WAN address comes from the ISP via DHCP on ether8-WAN; DNS servers
# offered by the ISP are not used (use-peer-dns=no).
add interface=ether8-WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.35.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.35.1
add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1
/ip dns
# Resolvers used by the router itself. allow-remote-requests does not appear in
# this export; presumably the router is not answering DNS for others - confirm
# with "/ip dns print".
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
# "rede suporte" is the list the input chain trusts. It mixes local subnets with
# two dynamic-DNS hostnames, so whatever address those names currently resolve
# to is trusted too.
add address=192.168.100.0/24 list="rede suporte"
add address=172.29.1.0/24 list="rede suporte"
add address=XXXXX.synology.me list="rede suporte"
add address=XXXXXX.duckdns.org list="rede suporte"
add address=172.27.10.0/24 list="rede suporte"
/ip firewall filter
# The only forward-chain rule: blocks new connections from 192.168.35.0/24
# (bridge.192) to 192.168.100.0/24 (bridge.110).
# NOTE(review): nothing else is filtered in forward. There is no "drop invalid"
# and no drop of WAN-originated traffic that was not dst-nat'ed, both of which
# the default rule set quoted later in this thread contains.
add action=drop chain=forward connection-state=new dst-address=\
    192.168.100.0/24 src-address=192.168.35.0/24
# UDP 31231 (the wireguard1 listen port) is accepted from any source on any
# interface.
add action=accept chain=input comment="allow WireGuard" dst-port=31231 \
    protocol=udp
# Accepts anything whose source address is in 172.27.10.0/24.
# NOTE(review): the match is on source address only; adding
# in-interface=wireguard1 would tie it to the tunnel - confirm.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    172.27.10.0/24
# Return traffic for connections that are already tracked.
add action=accept chain=input connection-state=established,related
# Full input-chain access for every address currently in "rede suporte",
# including entries added dynamically by the port-1981 rule below.
add action=accept chain=input src-address-list="rede suporte"
# ICMP is accepted while within limit=50,5:packet; anything over the limit
# does not match here and reaches the final drop.
add action=accept chain=input limit=50,5:packet protocol=icmp
# Single-port knock: the source of any TCP packet to port 1981 is added to
# "rede suporte" for 5h.
# NOTE(review): the rule has no in-interface or source restriction, so it is
# reachable from ether8-WAN; any Internet host that happens to hit this port
# gets the same router access as the support networks for 5 hours. Reaching the
# router only through WireGuard, or restricting this rule to known sources,
# would remove that exposure - confirm intent.
add action=add-src-to-address-list address-list="rede suporte" \
    address-list-timeout=5h chain=input dst-port=1981 protocol=tcp
# Everything else addressed to the router itself is dropped.
add action=drop chain=input
/ip firewall nat
# Source NAT (masquerade) for traffic leaving through ether8-WAN.
add action=masquerade chain=srcnat out-interface=ether8-WAN
/ip firewall service-port
# Turns off the FTP service-port helper.
set ftp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
# telnet, ftp, www, ssh, api and api-ssl are disabled.
# NOTE(review): winbox is not listed here, so it is presumably still enabled,
# and no address= restriction is shown for it; the input chain is then the only
# control on who can reach it - confirm with "/ip service print".
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=2.pt.pool.ntp.org
add address=0.pt.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool romon
# NOTE(review): RoMON is enabled. It runs at layer 2, so the /ip firewall input
# chain does not filter it, and this export shows neither per-port RoMON
# settings nor whether a secret is set - confirm it is not usable on ether8-WAN.
set enabled=yes

When I enable logging on the final drop rule of the firewall:


 16:59:11 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:11 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 64.176.193.175:41780->80.XXX.XX.80:53, len 71
 16:59:11 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:invalid src-mac 00:03:fa:00:00:01, proto TCP (ACK,FIN,PSH), 17.253.15.197:443->80.XXX.XX.80:53207, len 76
 16:59:11 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:11 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto TCP (SYN), 154.213.184.66:43148->80.XXX.XX.80:8332, len 52
 16:59:11 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 35.146.83.136:55765->80.XXX.XX.80:53, len 71
 16:59:11 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.186.109.48:51707->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 24.91.117.233:57330->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 157.240.27.54:443->80.XXX.XX.80:61900, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 35.146.83.136:55765->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 216.197.226.66:80->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 70.70.70.77:80->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:invalid src-mac 00:03:fa:00:00:01, proto TCP (ACK,FIN,PSH), 17.253.15.197:443->80.XXX.XX.80:53217, len 76
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:invalid src-mac 00:03:fa:00:00:01, proto TCP (ACK,FIN,PSH), 17.253.15.197:443->80.XXX.XX.80:53212, len 76
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 35.146.83.136:55765->80.XXX.XX.80:53, len 71
 16:59:12 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:13 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:13 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:invalid src-mac 00:03:fa:00:00:01, proto TCP (ACK,FIN,PSH), 17.253.144.10:443->80.XXX.XX.80:53224, len 76
 16:59:13 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.186.109.48:51707->80.XXX.XX.80:53, len 71
 16:59:13 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 64.176.193.175:41780->80.XXX.XX.80:53, len 71
 16:59:13 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 35.146.83.136:55765->80.XXX.XX.80:53, len 71
 16:59:13 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
 16:59:13 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:13 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
 16:59:14 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 70.70.70.77:80->80.XXX.XX.80:53, len 71
 16:59:14 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 24.91.117.233:57330->80.XXX.XX.80:53, len 71
 16:59:14 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:14 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.186.109.48:51707->80.XXX.XX.80:53, len 71
 16:59:14 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 216.197.226.66:80->80.XXX.XX.80:53, len 71
 16:59:14 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 35.146.83.136:55765->80.XXX.XX.80:53, len 71
 16:59:14 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:14 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:15 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 64.176.193.175:41780->80.XXX.XX.80:53, len 71
 16:59:15 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 157.240.212.60:443->80.XXX.XX.80:56918, len 61
 16:59:15 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
 16:59:15 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 47.184.97.238:80->80.XXX.XX.80:53, len 71
 16:59:15 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 64.176.193.175:41780->80.XXX.XX.80:53, len 71
 16:59:15 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 70.70.70.77:80->80.XXX.XX.80:53, len 71
 16:59:15 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 24.91.117.233:57330->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.186.109.48:51707->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 35.146.83.136:55765->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 64.176.193.175:41780->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 47.184.97.238:80->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 216.197.226.66:80->80.XXX.XX.80:53, len 71
 16:59:16 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 159.196.170.14:80->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 24.91.117.233:57330->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 70.70.70.77:80->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 35.146.83.136:55765->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.186.109.48:51707->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 70.70.70.77:80->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 159.196.170.14:80->80.XXX.XX.80:53, len 71
 16:59:17 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
 16:59:18 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 64.176.193.175:41780->80.XXX.XX.80:53, len 71
 16:59:18 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:18 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:18 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
 16:59:18 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:invalid src-mac 00:03:fa:00:00:01, proto TCP (ACK,FIN,PSH), 17.253.37.205:443->80.XXX.XX.80:53195, len 76
 16:59:18 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 24.91.117.233:57330->80.XXX.XX.80:53, len 71
 16:59:18 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 159.196.170.14:80->80.XXX.XX.80:53, len 71
 16:59:18 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 216.197.226.66:80->80.XXX.XX.80:53, len 71
 16:59:18 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.186.109.48:51707->80.XXX.XX.80:53, len 71
 16:59:19 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 157.240.27.54:443->80.XXX.XX.80:61900, len 71
 16:59:19 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 70.70.70.77:80->80.XXX.XX.80:53, len 71
 16:59:19 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 35.146.83.136:55765->80.XXX.XX.80:53, len 71
 16:59:19 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 51.36.222.178:80->80.XXX.XX.80:53, len 71
 16:59:19 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:19 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 81.97.11.107:80->80.XXX.XX.80:53, len 71
  16:59:19 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.186.109.48:51707->80.XXX.XX.80:53, len 71
 16:59:19 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 73.12.196.139:80->80.XXX.XX.80:53, len 71
 16:59:19 firewall,info input: in:ether8-WAN out:(unknown 0), connection-state:new src-mac 00:03:fa:00:00:01, proto UDP, 64.176.193.175:41780->80.XXX.XX.80:53, len 71

please… help
Capturar.JPG

One line above the message about losing the DHCP lease, the log mentions link down on ether8-WAN … so you’ll have to investigate why the link between your router and the ISP device drops. There are plenty of possible reasons for that …

I think my public IP was under a DDoS of DNS requests…

Since I enabled a raw-table rule that drops all packets to port 53 on the WAN port, I no longer see link-down events on the WAN port :slightly_smiling_face:

Generally I’d say that your current firewall is … inadequate. IMO default rules are much better than yours. So I guess you have very good reasons for ditching default and implementing … what you have now.

However, it does seem weird if DDoS attack would cause your router to drop ethernet link. Unless ISP device is also unhappy about the traffic passing it.

Can you please point me to where the default firewall rules are?



# Default filter rules as quoted in the thread. They match on interface lists
# named LAN and WAN rather than on individual interfaces.
# NOTE(review): the export posted earlier in this thread has no /interface list
# section, so LAN and WAN would have to be created and populated before these
# rules behave as intended. That configuration's WireGuard accept on udp/31231
# would also need to stay above "drop all not coming from LAN" - confirm before
# applying remotely.
/ip firewall filter
# Input chain: traffic addressed to the router itself.
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Anything arriving on an interface that is not in the LAN list is dropped.
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: traffic routed through the router.
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
# New connections entering from the WAN list are dropped unless a dst-nat rule
# matched them.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

Open terminal and execute

/system/default-configuration/print

(as user with admin privileges)