DNS suddenly stopped working only for one subnet

Hello there!
I’m not a pro in Mikrotik ROS. I completed the MTCNA course successfully but still feel I need more knowledge to manage some issues I’m facing in my network.
I’m currently managing a pretty huge network with local servers with DNS domains, IP telephony, 8 subnets with about 200-250 hosts in total, firewall restrictions, internet access restrictions, capsman with cAP AX & a couple of additional Mikrotik routers, SSTP VPN clients, etc.
The main router is a hAP ax3 with ROS 7.11 (before) and 7.16.1 (now, after I tried to fix my problem).

Unfortunately, before I started working here and managing this network, it was built on unmanaged switches. That’s why I’m currently using network segmentation by subnets, not VLANs.

Long story short, the problem started unexpectedly when, one by one, all Windows-based hosts couldn’t access my local server by domain name while they were still able to access the server by IP. The next day my whole main network fell; the 2 main issues were:

  1. main subnet hosts couldn’t access my LAN servers by domain name;
  2. main subnet hosts couldn’t access Internet

#1 and #2 were true only for the main 192.168.1.0/24 subnet. If I move a host from e.g. 192.168.1.45 to the 192.168.11.45 subnet, everything works like a charm.
Rebooting the router didn’t help.
Disabling all the firewall rules didn’t change the situation. Setting the DNS server from Dynamic (ISP) to static 192.168.1.1 + 8.8.8.8 + 1.1.1.1 didn’t help.
Upgrading ROS from 7.11 to 7.12 and to 7.16.1 had no effect.

So I moved all Windows-based hosts to another subnet (192.168.11.0/24) and currently it’s working. But that doesn’t solve the problem.

Other symptoms:

  • When I’m trying to access local servers (Proxmox), some of them are easily accessible, others are not. I checked with IP-Firewall-Connections and the result is protocol - 6(tcp); TCP state - syn received
  • it seems everything is working on IPv6 (at least ping and RDP for sure)
  • while searching for an answer there were times everything was working fine (usually when the number of hosts is low), but then suddenly, for no reason, the issue appears and I can’t track why and when it crashes.

# 2024-11-15 14:54:42 by RouterOS 7.16.1
/interface bridge
add arp=reply-only name=LAN port-cost-mode=short protocol-mode=none
/interface wifi channel
add band=2ghz-n disabled=no name=ch-2n width=20mhz
add band=5ghz-ac disabled=no name=channel-5ac width=20/40mhz
add band=2ghz-ax disabled=no name=channel_24 width=20mhz
add band=5ghz-ax disabled=no name=channel_5 skip-dfs-channels=all width=20/40mhz
/interface wifi datapath
add bridge=LAN disabled=yes name=data-main
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes \
    group-encryption=ccmp name=test
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes \
    group-encryption=ccmp name=CAP_Security
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40mhz \
    configuration.country=SOMECOUNTRY .manager=local .mode=ap .ssid=\
    "WIFI5G" disabled=no name=wifi5G security=test \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=""
set [ find default-name=wifi2 ] channel=ch-2ax channel.band=2ghz-ax .width=\
    20mhz configuration.country=SOMECOUNTRY .manager=local .mode=ap .ssid=\
    "WIFI" disabled=no name=wifi24 security=test \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp
/interface wifi configuration
add channel=ch-2ax channel.band=2ghz-ax .width=20mhz country=SOMECOUNTRY \
    datapath=data-main disabled=yes mode=ap name=cfg-2ax security=test ssid=\
    "WIFI"
add channel=ch-2n country=SOMECOUNTRY disabled=no mode=ap name=cfg-2n security=\
    CAP_Security ssid="WIFI"
add channel=channel-5ax channel.band=5ghz-ax .width=20/40mhz country=SOMECOUNTRY \
    disabled=yes mode=ap name=cfg-5ax security=test ssid="WIFI5G"
add channel=channel-5ac country=SOMECOUNTRY disabled=no mode=ap name=cfg-5ac \
    security=CAP_Security ssid="WIFI5G"
add channel=channel-5ax channel.band=5ghz-ax .skip-dfs-channels=all .width=\
    20/40mhz country=SOMECOUNTRY disabled=yes mode=ap name=cfg-5ax-K9 security=\
    CAP-sec ssid="WIFI5G"
add channel=channel-5ac channel.band=5ghz-ac .width=20/40mhz country=SOMECOUNTRY \
    disabled=yes mode=ap name=cfg-5ac-K9 security=CAP-sec ssid="WIFI5G"
add channel=channel_24 country=SOMECOUNTRY disabled=no mode=ap name=cfg24 \
    security=CAP_Security ssid="WIFI"
add channel=channel_5 country=SOMECOUNTRY disabled=no mode=ap name=cfg5 security=\
    CAP_Security ssid="WIFI5G"
/interface wifi
add configuration=cfg5 disabled=no name=cap-wifi1 radio-mac=QQQ
add channel.frequency=2412 configuration=cfg24 configuration.mode=ap \
    disabled=no name=cap-wifi2 radio-mac=QQQ
add configuration=cfg5 disabled=no name=cap-wifi3 radio-mac=QQQ
add configuration=cfg24 disabled=no name=cap-wifi4 radio-mac=\
    QQQ
add channel.frequency=2412 configuration=cfg-2n configuration.mode=ap \
    disabled=no name=cap-wifi5 radio-mac=QQQ
add configuration=cfg-5ac disabled=no name=cap-wifi6 radio-mac=\
    QQQ
add configuration=cfg5 disabled=no name=cap-wifi7 radio-mac=QQQ
add configuration=cfg24 disabled=no name=cap-wifi8 radio-mac=\
    QQQ
add channel.frequency=5240 configuration=cfg5 configuration.mode=ap disabled=\
    no name=cap-wifi9 radio-mac=QQQ
add channel.frequency=2412 configuration=cfg24 configuration.mode=ap \
    disabled=no name=cap-wifi10 radio-mac=QQQ
add channel.frequency=2412 configuration=cfg24 configuration.mode=ap \
    disabled=no name=cap-wifi11 radio-mac=QQQ
/ip dhcp-server
add interface=LAN lease-time=1h30m name=dhcp2 server-address=192.168.1.1
/ip pool
add name=servers_pool ranges=192.168.1.2-192.168.1.254
add name=NEW_LAN_pool ranges=192.168.11.2-192.168.11.254
add name=SSTP-pool ranges=192.168.10.2-192.168.10.20
add name=Bambu_pool ranges=192.168.17.2-192.168.17.13
add name=electricity_pool ranges=192.168.150.2-192.168.150.4
add name=machines_pool ranges=192.168.2.2-192.168.2.30
add name=ip_phones_pool ranges=192.168.3.2-192.168.3.115
add name=internet_pool ranges=192.168.200.2-192.168.200.10
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add bridge=LAN local-address=192.168.10.1 name=profile-sstp only-one=yes \
    remote-address=SSTP-pool use-encryption=yes
/queue simple
add max-limit=10M/10M name=queue1 target=192.168.200.0/24
/system logging action
add name=TrafficLog remote=192.168.1.13 target=remote
/user-manager user
add attributes=Framed-IP-Address:192.168.10.2 name=2222
add attributes=Framed-IP-Address:192.168.10.3 name=3333
add attributes=Framed-IP-Address:192.168.10.4 name=4444
add attributes=Framed-IP-Address:192.168.10.5 name=5555
add attributes=Framed-IP-Address:192.168.10.6 name=6666
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=LAN interface=ether2 internal-path-cost=10 path-cost=10
add bridge=LAN interface=ether3 internal-path-cost=10 path-cost=10
add bridge=LAN interface=ether4 internal-path-cost=10 path-cost=10
add bridge=LAN interface=wifi24 internal-path-cost=10 path-cost=10
add bridge=LAN interface=wifi5G internal-path-cost=10 path-cost=10
add bridge=LAN interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge settings
set use-ip-firewall=yes
/ip firewall connection tracking
set udp-timeout=10s
/interface sstp-server server
set authentication=mschap2 certificate=SSTP2 default-profile=profile-sstp \
    enabled=yes keepalive-timeout=90
/interface wifi access-list
add action=accept mac-address=B0:BE:83:1B:6A:72
add action=accept mac-address=F0:A6:54:3C:8D:9F
add action=accept mac-address=74:04:F1:C1:A2:91
add action=accept mac-address=F0:A6:54:3C:56:CD
add action=accept mac-address=4C:44:5B:25:DB:C7
add action=accept mac-address=4C:44:5B:27:2D:92
add action=accept mac-address=08:9D:F4:29:85:74
add action=accept mac-address=00:D4:9E:04:99:A3
add action=accept mac-address=00:D4:9E:04:99:A8
add action=accept mac-address=08:9D:F4:3F:5C:A4
add action=accept mac-address=08:9D:F4:3F:46:FB
add action=accept mac-address=F0:A6:54:DF:28:89
add action=accept mac-address=14:75:5B:0C:EF:8B
add action=accept mac-address=10:68:38:84:2F:88
add action=accept disabled=no mac-address=74:04:F1:C4:E0:EB
add action=accept mac-address=D0:39:57:04:5F:DD
add action=accept mac-address=74:04:F1:C3:45:88
add action=accept mac-address=F0:A6:54:3C:56:2B
add action=accept disabled=no mac-address=40:63:8F:DB:6E:75
add action=accept disabled=no mac-address=EC:63:D7:FC:8F:0A
add action=accept mac-address=9C:50:D1:AC:BF:99
add action=accept disabled=no mac-address=52:91:E3:99:9A:94
add action=accept mac-address=B4:8C:9D:F5:A2:37
add action=accept disabled=no mac-address=F0:A6:54:8F:9C:ED
add action=accept disabled=no mac-address=CC:B0:DA:A6:81:0D
add action=accept disabled=no mac-address=8C:17:59:F4:2F:68
add action=accept disabled=no mac-address=D0:39:57:09:97:6B
add action=accept disabled=no mac-address=CC:B0:DA:A6:81:0D
add action=accept disabled=no mac-address=DC:21:48:33:07:ED
add action=accept disabled=no mac-address=74:04:F1:C3:44:0C
add action=accept disabled=no mac-address=74:04:F1:DD:C1:4C
add action=accept disabled=no mac-address=CA:9A:C8:04:01:D6
add action=accept disabled=no mac-address=14:75:5B:0B:3F:F0
add action=accept disabled=no mac-address=DC:21:48:33:24:E4
add action=accept disabled=no mac-address=EC:63:D7:FC:AE:8B
add action=accept disabled=no mac-address=14:75:5B:0E:A9:AC
add action=accept disabled=no mac-address=4C:44:5B:27:32:BF
add action=accept disabled=no mac-address=DC:21:48:33:65:03
add action=accept disabled=no mac-address=B8:1E:A4:5D:8E:7B
add action=accept disabled=no mac-address=30:F6:EF:25:1D:7C
add action=accept disabled=no mac-address=B8:1E:A4:64:07:6D
add action=accept disabled=no mac-address=70:A6:CC:69:12:4D
add action=accept disabled=no mac-address=B4:8C:9D:F1:9A:00
add action=accept disabled=no mac-address=8C:17:59:F3:C8:D4
add action=accept disabled=no mac-address=E0:1F:FC:B5:3F:72
add action=accept disabled=no mac-address=14:D4:24:FD:F8:5B
add action=accept disabled=no mac-address=14:D4:24:FD:F8:40
add action=accept disabled=no mac-address=98:25:4A:BB:80:18
add action=accept disabled=no mac-address=C6:2A:EA:5C:6E:8D
add action=accept disabled=no mac-address=B8:1E:A4:75:7B:67
add action=accept disabled=no mac-address=B8:1E:A4:75:09:95
add action=accept disabled=no mac-address=84:FC:E6:7A:21:C4
/interface wifi capsman
set enabled=yes interfaces=LAN package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=cfg-2ax \
    supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=yes identity-regexp=\
    ".*Wa B.*" master-configuration=cfg-2n supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=yes master-configuration=cfg-5ax \
    supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=cfg-5ac \
    supported-bands=5ghz-ac
add action=create-enabled disabled=no master-configuration=cfg-2n \
    supported-bands=2ghz-n
add action=create-enabled disabled=no master-configuration=cfg24 \
    supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=cfg5 \
    supported-bands=5ghz-ax
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=192.168.0.1/24 disabled=yes interface=VPN network=192.168.0.0
add address=192.168.2.1/24 interface=LAN network=192.168.2.0
add address=192.168.3.1/24 interface=LAN network=192.168.3.0
add address=10.8.0.1/24 disabled=yes interface=LAN network=10.8.0.0
add address=192.168.150.1/24 interface=LAN network=192.168.150.0
add address=192.168.10.1/24 interface=LAN network=192.168.10.0
add address=192.168.17.1/24 interface=LAN network=192.168.17.0
add address=192.168.11.1/24 interface=LAN network=192.168.11.0
add address=192.168.200.1/24 interface=LAN network=192.168.200.0
/ip arp
add address=192.168.11.13 interface=LAN mac-address=00:E0:70:D6:E5:4F
add address=192.168.11.17 interface=LAN mac-address=EC:D6:8A:F3:D0:56
add address=192.168.11.9 interface=LAN mac-address=B0:BE:83:1B:6A:72
add address=192.168.11.3 interface=LAN mac-address=C8:7F:54:8C:94:50
add address=192.168.11.2 interface=LAN mac-address=C0:25:2F:CD:3E:CC
add address=192.168.11.4 interface=LAN mac-address=5C:62:5A:21:6F:1F
add address=192.168.11.5 interface=LAN mac-address=9C:50:D1:AC:BF:99
add address=192.168.11.6 interface=LAN mac-address=5C:62:5A:21:D1:41
add address=192.168.11.7 interface=LAN mac-address=00:24:01:A6:73:E7
add address=192.168.11.8 interface=LAN mac-address=5C:62:5A:D0:7C:65
add address=192.168.11.10 interface=LAN mac-address=E8:9C:25:10:F7:3E
add address=192.168.11.11 interface=LAN mac-address=B4:8C:9D:F1:9A:00
add address=192.168.11.12 interface=LAN mac-address=A8:A1:59:8B:FE:4D
add address=192.168.11.14 interface=LAN mac-address=A8:A1:59:A2:90:34
add address=192.168.11.15 interface=LAN mac-address=00:E0:70:D6:E5:8E
add address=192.168.11.16 interface=LAN mac-address=00:E0:70:D6:E5:AE
add address=192.168.11.18 interface=LAN mac-address=A8:A1:59:A2:8F:A3
add address=192.168.11.19 interface=LAN mac-address=04:BF:1B:3D:6D:15
add address=192.168.200.5 interface=LAN mac-address=4C:44:5B:25:DB:C7
add address=192.168.11.23 interface=LAN mac-address=00:D4:9E:04:99:A3
add address=192.168.11.67 interface=LAN mac-address=D0:39:57:09:97:6B
add address=192.168.11.53 interface=LAN mac-address=50:91:E3:99:9A:94
add address=192.168.11.63 interface=LAN mac-address=40:63:8F:DB:6E:75
add address=192.168.11.49 interface=LAN mac-address=10:68:38:84:2F:88
add address=192.168.11.27 interface=LAN mac-address=14:75:5B:0C:EF:8B
add address=192.168.1.60 interface=LAN mac-address=A8:A1:59:C1:65:75
add address=192.168.1.47 interface=LAN mac-address=D8:5E:D3:E5:64:74
add address=192.168.200.2 interface=LAN mac-address=EC:63:D7:FC:8F:0A
add address=192.168.11.21 interface=LAN mac-address=00:E0:70:D6:E3:59
add address=192.168.11.22 interface=LAN mac-address=08:9D:F4:29:85:74
add address=192.168.11.24 interface=LAN mac-address=00:D4:9E:04:99:A8
add address=192.168.11.25 interface=LAN mac-address=00:E0:70:D6:E3:FD
add address=192.168.11.26 interface=LAN mac-address=F0:A6:54:DF:28:89
add address=192.168.11.48 interface=LAN mac-address=08:9D:F4:3F:5C:A4
add address=192.168.11.50 interface=LAN mac-address=E8:65:38:95:60:E5
add address=192.168.11.51 interface=LAN mac-address=00:E0:70:D6:E3:73
add address=192.168.11.52 interface=LAN mac-address=F8:A2:6D:3F:05:F5
add address=192.168.11.28 interface=LAN mac-address=74:04:F1:C4:E0:EB
add address=192.168.11.29 interface=LAN mac-address=D0:39:57:04:5F:DD
add address=192.168.200.3 interface=LAN mac-address=F0:A6:54:3C:56:2B
add address=192.168.11.31 interface=LAN mac-address=50:EB:F6:7C:C1:AC
add address=192.168.11.32 interface=LAN mac-address=50:EB:F6:7C:C0:80
add address=192.168.11.33 interface=LAN mac-address=50:EB:F6:7C:C1:8C
add address=192.168.11.34 interface=LAN mac-address=50:EB:F6:7C:C1:27
add address=192.168.11.35 interface=LAN mac-address=50:EB:F6:7C:C1:C1
add address=192.168.11.36 interface=LAN mac-address=74:56:3C:6E:92:86
add address=192.168.11.37 interface=LAN mac-address=74:56:3C:F7:41:7C
add address=192.168.11.38 interface=LAN mac-address=7C:10:C9:BE:68:36
add address=192.168.11.39 interface=LAN mac-address=D8:5E:D3:AE:E6:49
add address=192.168.11.41 interface=LAN mac-address=D8:5E:D3:AE:E7:C0
add address=192.168.11.42 interface=LAN mac-address=74:56:3C:F7:40:E8
add address=192.168.11.43 interface=LAN mac-address=50:EB:F6:1C:E1:80
add address=192.168.11.44 interface=LAN mac-address=00:E0:70:D6:43:FB
add address=192.168.11.45 interface=LAN mac-address=F0:A6:54:3C:8D:57
add address=192.168.11.54 interface=LAN mac-address=4C:44:5B:27:2D:92
add address=192.168.11.55 interface=LAN mac-address=14:D4:24:FF:DF:3B
add address=192.168.200.4 interface=LAN mac-address=F0:A6:54:8F:9C:ED
add address=192.168.11.57 interface=LAN mac-address=08:9D:F4:3F:46:FB
add address=192.168.11.58 interface=LAN mac-address=E0:73:E7:3A:29:E4
add address=192.168.11.59 interface=LAN mac-address=B4:8C:9D:F5:A2:37
add address=192.168.1.61 interface=LAN mac-address=76:DC:2B:AA:25:09
add address=192.168.11.62 interface=LAN mac-address=A8:A1:59:A2:8E:DF
add address=192.168.2.5 interface=LAN mac-address=00:30:53:FC:CC:6E
add address=192.168.11.65 interface=LAN mac-address=A8:A1:59:A2:8F:C0
add address=192.168.1.66 interface=LAN mac-address=9C:A2:F4:E8:67:2B
add address=192.168.11.40 interface=LAN mac-address=D8:5E:D3:AE:E6:4E
add address=192.168.11.68 interface=LAN mac-address=C8:7F:54:8C:9A:A0
add address=192.168.11.69 interface=LAN mac-address=04:BF:1B:3D:6C:AD
add address=192.168.11.70 interface=LAN mac-address=C6:2A:EA:5C:6E:8D
add address=192.168.11.71 interface=LAN mac-address=4C:44:5B:27:91:83
add address=192.168.11.73 interface=LAN mac-address=DC:21:48:33:07:ED
add address=192.168.11.74 interface=LAN mac-address=A8:A1:59:A2:8E:FF
add address=192.168.11.75 interface=LAN mac-address=16:BB:B6:D8:70:D7
add address=192.168.11.76 interface=LAN mac-address=2A:FC:C0:64:2F:D0
add address=192.168.11.77 interface=LAN mac-address=74:56:3C:C2:25:43
add address=192.168.11.93 interface=LAN mac-address=A8:A1:59:A2:8F:9E
add address=192.168.2.4 interface=LAN mac-address=00:80:A3:F6:B5:AE
add address=192.168.11.81 interface=LAN mac-address=16:E7:8A:DC:C2:E4
add address=192.168.11.83 interface=LAN mac-address=F4:3B:D8:EC:DC:45
add address=192.168.11.84 interface=LAN mac-address=A8:A1:59:A2:8F:FA
add address=192.168.2.6 interface=LAN mac-address=00:E0:E4:66:56:67
add address=192.168.11.86 interface=LAN mac-address=A8:A1:59:A2:8F:B2
add address=192.168.11.88 interface=LAN mac-address=40:F8:DF:F1:6E:2F
add address=192.168.3.4 interface=LAN mac-address=C0:65:FD:E6:E9:C0
add address=192.168.11.90 interface=LAN mac-address=16:4F:3E:BA:F0:F8
add address=192.168.11.91 interface=LAN mac-address=74:04:F1:DD:C1:4C
add address=192.168.11.79 interface=LAN mac-address=DC:21:48:33:24:E4
add address=192.168.2.2 comment=Warehouse interface=LAN mac-address=\
    08:BF:B8:28:BF:BC
add address=192.168.1.92 interface=LAN mac-address=5E:17:88:66:0B:63
add address=192.168.2.3 interface=LAN mac-address=6C:3C:8C:4C:61:49
add address=192.168.11.72 interface=LAN mac-address=00:E0:70:D6:E4:CD
add address=192.168.3.2 comment=Phones interface=LAN mac-address=\
    74:56:3C:48:92:13
add address=192.168.3.3 interface=LAN mac-address=BC:24:11:9C:C5:51
add address=192.168.3.5 interface=LAN mac-address=C0:65:FD:E6:E9:BE
add address=192.168.3.6 interface=LAN mac-address=C0:65:FD:E6:F7:7B
add address=192.168.3.7 interface=LAN mac-address=C0:65:FD:E6:F7:7D
add address=192.168.3.8 interface=LAN mac-address=C0:65:FD:E6:F7:7E
add address=192.168.3.9 interface=LAN mac-address=C0:65:FD:E6:E9:A2
add address=192.168.3.10 interface=LAN mac-address=C0:65:FD:E6:EE:76
add address=192.168.3.11 interface=LAN mac-address=C0:65:FD:E6:EE:7C
add address=192.168.3.12 interface=LAN mac-address=C0:65:FD:E6:EE:85
add address=192.168.3.13 interface=LAN mac-address=C0:65:FD:E6:EE:73
add address=192.168.3.14 interface=LAN mac-address=C0:65:FD:E6:F7:76
add address=192.168.3.15 interface=LAN mac-address=C0:65:FD:E6:F7:73
add address=192.168.3.16 interface=LAN mac-address=C0:65:FD:E6:F7:75
add address=192.168.11.85 interface=LAN mac-address=5C:62:5A:25:16:65
add address=192.168.2.7 interface=LAN mac-address=00:E0:E4:5D:5E:21
add address=192.168.2.8 interface=LAN mac-address=00:E0:E4:65:F1:35
add address=192.168.2.9 interface=LAN mac-address=00:E0:E4:5D:7F:1B
add address=192.168.2.10 interface=LAN mac-address=00:E0:E4:5D:3C:6D
add address=192.168.2.11 interface=LAN mac-address=00:E0:E4:5D:C2:32
add address=192.168.2.12 interface=LAN mac-address=00:E0:E4:83:40:F4
add address=192.168.2.13 interface=LAN mac-address=00:E0:E4:7E:D8:AA
add address=192.168.2.14 interface=LAN mac-address=00:E0:E4:65:F3:9F
add address=192.168.2.15 interface=LAN mac-address=00:E0:E4:7F:D7:43
add address=192.168.2.16 interface=LAN mac-address=00:E0:E4:3F:D8:7E
add address=192.168.2.17 interface=LAN mac-address=00:E0:E4:89:D2:67
add address=192.168.3.17 interface=LAN mac-address=C0:65:FD:38:CF:C2
add address=192.168.3.18 interface=LAN mac-address=C0:65:FD:38:D0:99
add address=192.168.3.19 interface=LAN mac-address=C0:65:FD:38:D0:46
add address=192.168.11.254 interface=LAN mac-address=EC:63:D7:FC:AE:8B
add address=192.168.3.22 interface=LAN mac-address=C0:65:FD:E6:F7:6E
add address=192.168.3.20 interface=LAN mac-address=C0:65:FD:E6:F7:77
add address=192.168.3.27 interface=LAN mac-address=C0:65:FD:38:CF:34
add address=192.168.3.25 interface=LAN mac-address=C0:65:FD:E6:E9:9D
add address=192.168.3.26 interface=LAN mac-address=C0:65:FD:E6:E9:9E
add address=192.168.3.23 interface=LAN mac-address=C0:65:FD:E6:E9:79
add address=192.168.3.24 interface=LAN mac-address=C0:65:FD:E6:E9:43
add address=192.168.3.28 interface=LAN mac-address=C0:65:FD:E6:E9:3B
add address=192.168.3.29 interface=LAN mac-address=C0:65:FD:E6:E9:61
add address=192.168.11.87 interface=LAN mac-address=EC:D6:8A:F3:C8:C0
add address=192.168.2.18 interface=LAN mac-address=00:A0:CD:05:07:72
add address=192.168.2.19 interface=LAN mac-address=00:A0:CD:12:16:3D
add address=192.168.3.30 interface=LAN mac-address=C0:65:FD:C5:9C:70
add address=192.168.11.94 interface=LAN mac-address=4C:44:5B:27:32:BF
add address=192.168.3.31 interface=LAN mac-address=00:05:F9:60:57:CD
add address=192.168.11.95 interface=LAN mac-address=EC:D6:8A:F9:8B:41
add address=192.168.11.96 interface=LAN mac-address=EC:D6:8A:F9:A9:87
add address=192.168.2.21 interface=LAN mac-address=00:A0:CD:04:FC:1E
add address=192.168.2.22 interface=LAN mac-address=00:A0:CD:04:F9:4F
add address=192.168.2.23 interface=LAN mac-address=00:A0:CD:05:01:21
add address=192.168.2.24 interface=LAN mac-address=00:A0:CD:04:53:87
add address=192.168.2.25 interface=LAN mac-address=00:A0:CD:05:09:A4
add address=192.168.2.26 interface=LAN mac-address=00:A0:CD:05:32:96
add address=192.168.11.97 interface=LAN mac-address=EC:D6:8A:F9:A6:24
add address=192.168.11.98 interface=LAN mac-address=EC:D6:8A:F9:A9:8A
add address=192.168.11.99 interface=LAN mac-address=B8:1E:A4:5D:8E:7B
add address=192.168.11.141 interface=LAN mac-address=40:F8:DF:F1:7E:68
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.11.17 mac-address=EC:D6:8A:F3:D0:56 server=dhcp2
add address=192.168.11.2 mac-address=C0:25:2F:CD:3E:CC server=dhcp2
add address=192.168.11.13 mac-address=00:E0:70:D6:E5:4F server=dhcp2
add address=192.168.11.3 mac-address=C8:7F:54:8C:94:50 server=dhcp2
add address=192.168.11.4 mac-address=5C:62:5A:21:6F:1F server=dhcp2
add address=192.168.11.5 mac-address=9C:50:D1:AC:BF:99 server=dhcp2
add address=192.168.11.6 mac-address=5C:62:5A:21:D1:41 server=dhcp2
add address=192.168.11.7 mac-address=00:24:01:A6:73:E7 server=dhcp2
add address=192.168.11.8 mac-address=5C:62:5A:D0:7C:65 server=dhcp2
add address=192.168.11.9 mac-address=B0:BE:83:1B:6A:72 server=dhcp2
add address=192.168.11.10 mac-address=E8:9C:25:10:F7:3E server=dhcp2
add address=192.168.11.11 mac-address=B4:8C:9D:F1:9A:00 server=dhcp2
add address=192.168.11.12 mac-address=A8:A1:59:8B:FE:4D server=dhcp2
add address=192.168.11.14 mac-address=A8:A1:59:A2:90:34 server=dhcp2
add address=192.168.11.15 mac-address=00:E0:70:D6:E5:8E server=dhcp2
add address=192.168.11.16 mac-address=00:E0:70:D6:E5:AE server=dhcp2
add address=192.168.11.18 mac-address=A8:A1:59:A2:8F:A3 server=dhcp2
add address=192.168.11.19 mac-address=04:BF:1B:3D:6D:15 server=dhcp2
add address=192.168.200.5 mac-address=4C:44:5B:25:DB:C7 server=dhcp2
add address=192.168.11.21 mac-address=00:E0:70:D6:E3:59 server=dhcp2
add address=192.168.11.22 mac-address=08:9D:F4:29:85:74 server=dhcp2
add address=192.168.11.23 mac-address=00:D4:9E:04:99:A3 server=dhcp2
add address=192.168.11.24 mac-address=00:D4:9E:04:99:A8 server=dhcp2
add address=192.168.11.25 mac-address=00:E0:70:D6:E3:FD server=dhcp2
add address=192.168.11.26 mac-address=F0:A6:54:DF:28:89 server=dhcp2
add address=192.168.11.27 mac-address=14:75:5B:0C:EF:8B server=dhcp2
add address=192.168.11.28 mac-address=74:04:F1:C4:E0:EB server=dhcp2
add address=192.168.11.29 mac-address=D0:39:57:04:5F:DD server=dhcp2
add address=192.168.200.3 mac-address=F0:A6:54:3C:56:2B server=dhcp2
add address=192.168.11.31 mac-address=50:EB:F6:7C:C1:AC server=dhcp2
add address=192.168.11.32 mac-address=50:EB:F6:7C:C0:80 server=dhcp2
add address=192.168.11.33 mac-address=50:EB:F6:7C:C1:8C server=dhcp2
add address=192.168.11.34 mac-address=50:EB:F6:7C:C1:27 server=dhcp2
add address=192.168.11.35 mac-address=50:EB:F6:7C:C1:C1 server=dhcp2
add address=192.168.11.36 mac-address=74:56:3C:6E:92:86 server=dhcp2
add address=192.168.11.37 mac-address=74:56:3C:F7:41:7C server=dhcp2
add address=192.168.11.38 mac-address=7C:10:C9:BE:68:36 server=dhcp2
add address=192.168.11.39 mac-address=D8:5E:D3:AE:E6:49 server=dhcp2
add address=192.168.11.40 mac-address=D8:5E:D3:AE:E6:4E server=dhcp2
add address=192.168.11.41 mac-address=D8:5E:D3:AE:E7:C0 server=dhcp2
add address=192.168.11.42 mac-address=74:56:3C:F7:40:E8 server=dhcp2
add address=192.168.11.43 mac-address=50:EB:F6:1C:E1:80 server=dhcp2
add address=192.168.11.44 mac-address=00:E0:70:D6:43:FB server=dhcp2
add address=192.168.11.45 mac-address=F0:A6:54:3C:8D:57 server=dhcp2
add address=192.168.200.2 comment="LAPTOPS WITH INTERNET CONNECTION" \
    mac-address=EC:63:D7:FC:8F:0A server=dhcp2
add address=192.168.1.47 mac-address=D8:5E:D3:E5:64:74 server=dhcp2
add address=192.168.11.48 mac-address=08:9D:F4:3F:5C:A4 server=dhcp2
add address=192.168.11.49 mac-address=10:68:38:84:2F:88 server=dhcp2
add address=192.168.11.50 mac-address=E8:65:38:95:60:E5 server=dhcp2
add address=192.168.11.51 mac-address=00:E0:70:D6:E3:73 server=dhcp2
add address=192.168.11.52 mac-address=F8:A2:6D:3F:05:F5 server=dhcp2
add address=192.168.11.53 mac-address=52:91:E3:99:9A:94 server=dhcp2
add address=192.168.11.54 mac-address=4C:44:5B:27:2D:92 server=dhcp2
add address=192.168.11.55 mac-address=14:D4:24:FF:DF:3B server=dhcp2
add address=192.168.200.4 mac-address=F0:A6:54:8F:9C:ED server=dhcp2
add address=192.168.11.57 mac-address=08:9D:F4:3F:46:FB server=dhcp2
add address=192.168.11.58 mac-address=E0:73:E7:3A:29:E4 server=dhcp2
add address=192.168.11.59 mac-address=B4:8C:9D:F5:A2:37 server=dhcp2
add address=192.168.1.61 mac-address=76:DC:2B:AA:25:09 server=dhcp2
add address=192.168.11.62 mac-address=A8:A1:59:A2:8E:DF server=dhcp2
add address=192.168.1.60 mac-address=A8:A1:59:C1:65:75 server=dhcp2
add address=192.168.11.63 mac-address=40:63:8F:DB:6E:75 server=dhcp2
add address=192.168.2.5 mac-address=00:30:53:FC:CC:6E server=dhcp2
add address=192.168.11.65 mac-address=A8:A1:59:A2:8F:C0 server=dhcp2
add address=192.168.1.66 mac-address=9C:A2:F4:E8:67:2B server=dhcp2
add address=192.168.11.67 mac-address=D0:39:57:09:97:6B server=dhcp2
add address=192.168.11.68 mac-address=C8:7F:54:8C:9A:A0 server=dhcp2
add address=192.168.11.69 mac-address=04:BF:1B:3D:6C:AD server=dhcp2
add address=192.168.11.70 mac-address=C6:2A:EA:5C:6E:8D server=dhcp2
add address=192.168.11.71 mac-address=4C:44:5B:27:91:83 server=dhcp2
add address=192.168.11.73 mac-address=DC:21:48:33:07:ED server=dhcp2
add address=192.168.11.74 mac-address=A8:A1:59:A2:8E:FF server=dhcp2
add address=192.168.11.75 mac-address=16:BB:B6:D8:70:D7 server=dhcp2 \
    use-src-mac=yes
add address=192.168.11.76 mac-address=2A:FC:C0:64:2F:D0 server=dhcp2
add address=192.168.11.77 mac-address=74:56:3C:C2:25:43 server=dhcp2
add address=192.168.2.2 comment=Warehouse mac-address=08:BF:B8:28:BF:BC \
    server=dhcp2
add address=192.168.2.4 mac-address=00:80:A3:F6:B5:AE server=dhcp2
add address=192.168.11.80 mac-address=E8:9C:25:10:F9:A7 server=dhcp2
add address=192.168.11.81 mac-address=16:E7:8A:DC:C2:E4 server=dhcp2
add address=192.168.11.82 mac-address=E8:9C:25:10:F6:EF server=dhcp2
add address=192.168.11.83 mac-address=F4:3B:D8:EC:DC:45 server=dhcp2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
add address=192.168.17.0/24 dns-server=192.168.17.1 gateway=192.168.17.1
add address=192.168.150.0/24 dns-server=192.168.150.1 gateway=192.168.150.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip dns static
add address=192.168.1.61 name=git.loc type=A
add address=192.168.1.146 name=archive.loc type=A
add address=192.168.1.146 name=dev.archive.loc type=A
add address=192.168.1.61 name=jira.loc type=A
/ip firewall address-list
add address=192.168.11.XXX list=management
#HUGE LIST REMOVED HERE#
add address=192.168.11.30 disabled=yes list=21cab
/ip firewall filter
add action=accept chain=forward comment=Established/Related connection-state=\
    established,related,untracked
add action=accept chain=input comment=Established/Related connection-state=\
    established,related,untracked
add action=drop chain=forward comment=Invalid connection-state=invalid \
    in-interface=ether1
add action=accept chain=forward comment="All access" out-interface=ether1 \
    src-address-list=21cab
add action=accept chain=input comment=SSTP dst-port=443 protocol=tcp
add action=drop chain=input comment=Invalid connection-state=invalid \
    in-interface=ether1
add action=accept chain=input comment=ICMP in-interface=ether1 limit=\
    1,5:packet packet-size=0-128 protocol=icmp
add action=accept chain=input comment="WinBox Management" protocol=tcp \
    src-address-list=management src-port=25288
add action=add-src-to-address-list address-list="Port Scan" \
    address-list-timeout=1w1h chain=input comment="Port Scan" protocol=tcp \
    psd=21,3s,3,1
add action=accept chain=forward comment="Allow WhatsApp" dst-address-list=\
    WhatsApp src-address=192.168.11.87
add action=drop chain=input comment=Drop in-interface=ether1
add action=drop chain=input comment="Drop SSH" dst-port=22 protocol=tcp
add action=drop chain=forward comment=Drop connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop Facebook" dst-address-list=\
    Facebook src-address=192.168.11.0/24
add action=drop chain=forward comment="Drop TikTok" dst-address-list=TikTok \
    src-address=192.168.11.0/24
add action=accept chain=forward comment="Allow Youtube" dst-address-list=\
    Youtube src-address-list="YouTube Allowed"
add action=drop chain=forward comment="Drop Youtube" dst-address-list=Youtube \
    src-address=192.168.11.0/24
add action=drop chain=forward comment="Drop Instagram" dst-address-list=\
    Instagram src-address=192.168.11.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1 in-interface-list=static \
    src-address-list="Port Scan"
/ip firewall service-port
set ftp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8585
set ssh disabled=yes port=9242
set api disabled=yes
set winbox address="XXXXXXXX/32,XXXXXXXX/32,XXXXXXXX/32,XXXXXXXX/32,XXXXXXXX/32" port=XXXXXX
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ppp aaa
set use-radius=yes
/radius
add address=127.0.0.1 require-message-auth=no service=ppp
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/XXXXXXX
/system clock manual
set time-zone=+02:00
/system identity
set name=MikrotikRouterMain
/system logging
add topics=dhcp
add action=TrafficLog disabled=yes prefix=pre-tiktok topics=firewall
add disabled=yes topics=wireless
add action=TrafficLog disabled=yes prefix=pre-youtube topics=firewall
add action=TrafficLog disabled=yes prefix=pre-lilu topics=firewall
add disabled=yes topics=dns
add topics=firewall
add topics=bridge
add topics=caps
add topics=route
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=static
/tool sniffer
set filter-dst-ip-address=192.168.11.0/24 filter-interface=LAN \
    filter-src-ip-address=192.168.1.0/24 streaming-server=192.168.11.87
/user group
add name=reboot policy="reboot,winbox,!local,!telnet,!ssh,!ftp,!read,!write,!p\
    olicy,!test,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
/user-manager
set certificate=*0 enabled=yes require-message-auth=no
/user-manager router
add address=127.0.0.1 name=router1

Why do you set DNS servers to itself? 192.168.1.1

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
...
/ip dns
set allow-remote-requests=yes servers=192.168.1.1

Try changing to public DNS

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

Hey, Lokamaya
Thanks for your reply,
I’ve already tried to change DNS from dynamic (from my ISP) to 8.8.8.8 and 1.1.1.1 but this doesn’t help. I also tried all possible ways, including setting the DNS to 192.168.1.1, and probably forgot to switch back. Any other ideas?
Found something interesting:
I’ve set a rule in the firewall to access the 192.168.3.0/24 subnet only from 2 of my IPs (from the 192.168.11.0/24 subnet), and I can access all the IPs except one (my Proxmox server on 192.168.3.2). When I try to connect to it I can clearly see in the firewall that packets are going through, but the server page is not loading (TCP state - syn received). BUT I found a similar “syn received” issue on another forum, and the solution there was adding one more masquerade rule:

add action=masquerade chain=srcnat dst-address=xxx.xxx.xxx.xxx protocol=tcp

and this worked for me.

So the question: could it be that my problem is also somehow related to NAT rules?

Your firewall filter is a little bit off. I think you should work on it and sort it based on its chain: input first, then forward. Some of the forward-drop chain to ether1 can be simplified by using an address-list.

The address-list is missing from the configuration above. I cannot figure out what it is all about.

You only have 1 DHCP server with a static-only pool, but then there is more than one pool in it.

Hey,
The problem was solved. The reason was a “device” with static IP 192.168.1.1 added to the network, and it was changing the devices’ ARP tables. The router’s MAC was switching to that device’s MAC. The device was updating ARP tables more frequently than the router.
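
The cause reported in the last post (a second device claiming the gateway address 192.168.1.1 and overwriting the hosts' ARP entries) can be confirmed from a packet capture. The following is an added example, not code from the thread: it reads `tcpdump -e -n arp` text output taken on the affected segment and reports any IP address claimed by more than one MAC, or by a MAC other than the expected one. The MAC addresses and capture lines are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the text format printed by `tcpdump -e -n arp`.
# 02:00:00:00:00:01 stands in for the router, 02:00:00:00:00:fe for the
# extra device configured with the same static IP (placeholder MACs).
SAMPLE_CAPTURE = """\
10:00:00.000100 02:00:00:00:00:45 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.45, length 28
10:00:00.000300 02:00:00:00:00:01 > 02:00:00:00:00:45, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at 02:00:00:00:00:01, length 46
10:00:00.000900 02:00:00:00:00:fe > 02:00:00:00:00:45, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at 02:00:00:00:00:fe, length 46
10:00:05.000000 02:00:00:00:00:fe > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.1, length 46
10:00:10.000000 02:00:00:00:00:fe > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.1, length 46
10:00:12.000000 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.45 tell 192.168.1.1, length 46
10:00:15.000000 02:00:00:00:00:fe > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.1, length 46
10:00:15.500000 02:00:00:00:00:45 > 02:00:00:00:00:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.45 is-at 02:00:00:00:00:45, length 28
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IPV4 = r"\d+\.\d+\.\d+\.\d+"
HEADER = rf"^(?P<ts>\S+) (?P<src>{MAC}) > (?P<dst>{MAC}), ethertype ARP .*?: "
REPLY_RE = re.compile(HEADER + rf"Reply (?P<ip>{IPV4}) is-at (?P<mac>{MAC})", re.I)
REQUEST_RE = re.compile(
    HEADER + rf"Request who-has \S+ (?:\({MAC}\) )?tell (?P<ip>{IPV4})", re.I
)


def parse_claims(capture_text):
    """Yield (timestamp, ip, mac) for each frame that asserts an IP-to-MAC binding."""
    for line in capture_text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()
            continue
        m = REQUEST_RE.match(line)
        # Requests (including gratuitous ARP) also update neighbours' caches.
        # tcpdump does not print the ARP sender MAC for requests, so the
        # Ethernet source address is used as the claimed MAC.
        # Sender IP 0.0.0.0 is an address probe and asserts nothing.
        if m and m["ip"] != "0.0.0.0":
            yield m["ts"], m["ip"], m["src"].lower()


def find_conflicts(capture_text, expected=None):
    """Return one finding per IP claimed by several MACs or by an unexpected MAC.

    expected: optional {ip: mac} of known-good bindings, e.g. the gateway.
    """
    expected = {ip: mac.lower() for ip, mac in (expected or {}).items()}
    seen = defaultdict(list)  # ip -> claims in capture order
    for ts, ip, mac in parse_claims(capture_text):
        seen[ip].append((ts, mac))

    findings = []
    for ip, claims in seen.items():
        macs = sorted({mac for _, mac in claims})
        unexpected = [m for m in macs if ip in expected and m != expected[ip]]
        if len(macs) < 2 and not unexpected:
            continue
        # A flip is a change of claimed MAC between consecutive frames: each
        # one is a moment where hosts may rewrite their cache entry.
        flips = sum(1 for (_, a), (_, b) in zip(claims, claims[1:]) if a != b)
        counts = {m: sum(1 for _, c in claims if c == m) for m in macs}
        findings.append({
            "ip": ip,
            "macs": macs,
            "unexpected": unexpected,
            "flips": flips,
            "claims": counts,
            "first_seen": claims[0][0],
            "last_seen": claims[-1][0],
        })
    return findings


if __name__ == "__main__":
    gateway = {"192.168.1.1": "02:00:00:00:00:01"}  # placeholder router MAC
    for f in find_conflicts(SAMPLE_CAPTURE, gateway):
        print(f"{f['ip']}: claimed by {', '.join(f['macs'])}; "
              f"unexpected={f['unexpected']} flips={f['flips']} claims={f['claims']}")
```

On the constructed capture the unexpected MAC asserts 192.168.1.1 four times against the router's two, which matches the poster's observation that the device refreshed ARP tables more often than the router did.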