Fronius inverter can't access cloud services

Hi guys,

I’m relatively new to MikroTik routers. I finally managed to get my fibre internet working with a hEX S router with an SFP module and the latest stable firmware.

Everything works fine except that my inverter can’t connect to the services. There is a list of the ports and hosts needed, see list.jpg.

What I’ve done:

1. Created an address list using NAT rules:

   1 X chain=dstnat action=add-dst-to-address-list to-ports=0-65535 protocol=tcp src-address=192.168.178.130 address-list=fronius address-list-timeout=none-dynamic log=yes log-prefix=""

   2 X chain=dstnat action=add-dst-to-address-list to-ports=0-65535 protocol=udp src-address=192.168.178.130 address-list=fronius address-list-timeout=none-dynamic log=yes log-prefix=""

   → disabled them as I have all the IPs needed.

2. Added the missing addresses.

3. Created NAT entries:

   3 chain=dstnat action=dst-nat to-ports=0-65535 protocol=tcp src-address=192.168.178.130 dst-address-list=fronius log=yes log-prefix=""

   4 chain=dstnat action=dst-nat to-ports=0-65535 protocol=udp src-address=192.168.178.130 dst-address-list=fronius log=yes log-prefix=""

4. Added firewall rules:

   1 chain=forward action=passthrough protocol=tcp src-address=192.168.178.130 dst-address-list=fronius dst-port=1-65000 log=yes log-prefix=""

   2 chain=forward action=passthrough protocol=udp src-address=192.168.178.130 dst-address-list=fronius dst-port=1-65000 log=yes log-prefix=""

   3 chain=forward action=passthrough protocol=tcp dst-address=192.168.178.130 src-address-list=fronius port=1-65000 log=yes log-prefix=""

   4 chain=forward action=passthrough protocol=udp dst-address=192.168.178.130 src-address-list=fronius log=yes log-prefix=""

   I know all ports is bad, but I needed something to start with to get it working.

5. Recorded packets, as the inverter still can’t connect to the ports; see packets.jpg.

Has anyone any ideas what I’m missing?
packets.jpg
list.jpg

With the default configuration anything initiated from a LAN device has access to the internet - you don’t have to add anything, so what are you trying to achieve with these additional rules?

From the start, the inverter couldn’t access the cloud. That’s why I tried to give the IP of the inverter access to the ports. But that didn’t help. The router has default settings and this is the only thing that’s not working. Any help appreciated, I’ve been trying for days and I’m out of ideas.

I have to add, my fibre connection is through an IPv6 tunnel and PPPoE. Maybe that has something to do with this error.
IPv4 Routes:
As 0.0.0.0/0 192.0.0.1 2 (IPV4 Route to Provider)
DAc 192.0.0.0/29 ipipv6-tunnel1 0
DAc 192.168.178.0/24 bridge 0

IPv6 Routes:
DAv+ ::/0 pppoe-out-SFP 1
DAd+ ::/0 fe80::fe33:42ff:fe21:72e7%pppoe-out-SFP 1
DAc ::1/128 lo 0
DAd 2a03:b580:abc9:ad00::/56 1
DAc 2a03:b580:abc9:ad00::/64 bridge 0
DAc fe80::%sfp1/64 sfp1 0
DAc fe80::%bridge/64 bridge 0
DAc fe80::%pppoe-out-SFP/64 pppoe-out-SFP 0
DAc fe80::%ipipv6-tunnel1/64 ipipv6-tunnel1 0
fronius.jpg

Drop an /export with private data/serial number/license removed

Hope this helps.

# 2024-10-26 18:11:54 by RouterOS 7.16.1
# software id = *****
#
# model = RB760iGS
# serial number = ****
/interface bridge
add admin-mac=B8:69:F4:04:30:4F auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=sfp1 ] l2mtu=1500 loop-protect=off rx-flow-control=auto tx-flow-control=auto
/interface pppoe-client
add ac-name=DE-SNG4-BNG-01 add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=sfp1 name=\
    pppoe-out-SFP service-name=WEMACOM use-peer-dns=yes user=*****
/interface ipipv6
add clamp-tcp-mss=no !keepalive local-address=:: name=ipipv6-tunnel1 remote-address=2a03:b580:b000:1::1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=dhcp ranges=192.168.178.40-192.168.178.160
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1
/ip firewall connection tracking
set loose-tcp-tracking=no udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-mac-phy-config=yes lldp-max-frame-size=yes lldp-vlan-info=yes
/ip settings
set accept-redirects=yes accept-source-route=yes
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
add interface=ipipv6-tunnel1 list=WAN
add interface=pppoe-out-SFP list=WAN
/ip address
add address=192.168.178.1/24 comment=defconf interface=bridge network=192.168.178.0
add address=192.0.0.2/29 interface=ipipv6-tunnel1 network=192.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.178.119 comment="Weinzierl KNX/IP" mac-address=00:24:6D:03:2B:88 server=defconf
add address=192.168.178.100 comment="Tasmota 1" mac-address=48:55:19:17:E0:42 server=defconf
add address=192.168.178.120 comment="Tasmota 2" mac-address=48:55:19:17:90:69 server=defconf
add address=192.168.178.118 client-id=1:e4:65:b8:b3:23:4c comment="Tasmota 3" mac-address=E4:65:B8:B3:23:4C \
    server=defconf
add address=192.168.178.131 client-id=1:60:9:c3:ca:73:e9 comment="Fronius Symo" mac-address=60:09:C3:CA:73:E9 \
    server=defconf
add address=192.168.178.130 client-id=1:0:3:ac:45:c3:f8 comment="Fronius Gen24" mac-address=00:03:AC:45:C3:F8 \
    server=defconf
/ip dhcp-server network
add address=192.168.178.0/24 comment=defconf dns-server=192.168.178.1 gateway=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.178.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=13.74.108.193 list=fronius
add address=20.209.160.225 list=fronius
add address=89.58.43.2 list=fronius
add address=85.214.96.63 list=fronius
add address=217.91.44.17 list=fronius
add address=213.33.117.120 list=fronius
/ip firewall filter
add action=passthrough chain=forward disabled=yes dst-address-list=fronius dst-port=1-65000 log=yes protocol=\
    tcp src-address=192.168.178.130
add action=passthrough chain=forward disabled=yes dst-address-list=fronius dst-port=1-65000 log=yes protocol=\
    udp src-address=192.168.178.130
add action=passthrough chain=forward disabled=yes dst-address=192.168.178.130 log=yes port=1-65000 protocol=tcp \
    src-address-list=fronius
add action=passthrough chain=forward disabled=yes dst-address=192.168.178.130 log=yes protocol=udp \
    src-address-list=fronius
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp \
    tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=\
    ipipv6-tunnel1
add action=add-dst-to-address-list address-list=fronius address-list-timeout=none-dynamic chain=dstnat \
    disabled=yes log=yes protocol=tcp src-address=192.168.178.130 to-ports=0-65535
add action=add-dst-to-address-list address-list=fronius address-list-timeout=none-dynamic chain=dstnat \
    disabled=yes log=yes protocol=udp src-address=192.168.178.130 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-address-list=fronius log=yes protocol=tcp src-address=\
    192.168.178.130 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-address-list=fronius log=yes protocol=udp src-address=\
    192.168.178.130 to-ports=0-65535
/ip firewall service-port
set irc disabled=no
set sip disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=bridge type=internal
add interface=ipipv6-tunnel1 type=external
/ip route
add comment="IPV4 ROUTE to Provider" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.0.0.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set www-ssl disabled=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ipipv6-tunnel1 type=external
/ipv6 address
add from-pool=ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out-SFP pool-name=ipv6 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall mangle
add action=change-mss chain=forward comment="fix MTU, make HTTPS happy" new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=bridge
/ipv6 nd prefix
add interface=ipipv6-tunnel1 preferred-lifetime=11m valid-lifetime=15m
/ppp aaa
set enable-ipv6-accounting=yes use-circuit-id-in-nas-port-id=yes use-radius=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Berlin
/system clock manual
set dst-end="2024-10-14 00:00:00" dst-start="2024-10-14 00:00:00" time-zone=+21:12
/system identity
set name=Mikrotik_L46
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/tool graphing interface
add interface=ipipv6-tunnel1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-address=192.168.178.130/32 memory-limit=10000KiB streaming-enabled=yes

mikrotik_conf_export.txt (11.4 KB)

Can’t find an issue with your config.

I’ve heard people recommend turning off “detect internet”. That can apparently cause issues with routing.
Personally, I never even turn it on.

Other than that, you can run a packet sniffer on the sfp1 interface and check if the packets are passing through.

Also, your firewall rules that are disabled don’t seem to make sense ^^

EDIT: obviously I mean the ipipv6 interface, not sfp1

In their manual it says there are problems with failed TLS checking - could this be a reason?

I found a few forum entries about this problem, but no solution so far; that’s really frustrating.

TLS is between client and server, the MikroTik has nothing to do with that.
Is the date/time correct on all involved devices?
Does it work when you (temporarily) test with IPv4 only?
How is (one of the) domain names resolved?
What did Fronius support answer?

Remarks:

  • remove anything you have done adjusting the firewall rules
  • disable internet detect

The upnp and nat-pmp settings are unnecessary if the local device is originating the connections. In any case, for setups where you do not have a public IP on the client router only PCP works, and it requires support in the provider’s AFTR (DS-Lite) or CGNAT (IPv4 only) gateway.

With DS-Lite there should be no local NAT as it is all handled by the provider https://datatracker.ietf.org/doc/html/rfc6333#section-4.2. It may be worth setting clamp-tcp-mss=yes on the tunnel interface, TLS connections failing is often caused by MTU / fragment handling / PMTU discovery issues.

Is the date/time correct on all involved devices?
Yes, date/time is correct!

Does it work when you (temporarily) test with IPv4 only?
The provider offers only IPv6 with an IPv4 tunnel. Don’t know how to do that.

How is (one of the) domain names resolved?

http://provisioning.solarweb.com/
85.31.3.72
tcp 443

sera-gen24.fronius.com
213.33.117.120
udp 1194

fronius-se-iot.azure-devices.net
13.69.109.0
TCP 443,8883

fronius-se-iot-telemetry.azure-devices.net
52.236.189.128
TCP 443,8883

fronius-se-iot-ne.azure-devices.net
13.74.108.193
TCP 443,8883

froniusseiot.blob.core.windows.net
20.209.192.225
TCP 443

device-fileuploads.solarweb.com
213.33.117.83
TCP 443

0.time.fronius.com
-> not reachable
TCP/UDP 123

1.time.fronius.com
31.209.85.242
TCP/UDP 123

2.time.fronius.com
has IPv6
TCP/UDP 123

3.time.fronius.com
217.197.91.176
TCP/UDP 123

cure-se.fronius.com
85.31.3.144
TCP 443

fronius-se-iot-telemetry-ne.azure-devices.net
13.74.108.193
TCP 443,8883

froniusseiotneprod.blob.core.windows.net
response from 20.209.160.225 target not reachable

What did Fronius support answer?
They sent me that picture in the beginning. Still in contact with them.

Remarks: remove anything you have done adjusting the firewall rules; disable internet detect
Done! Still the same.

See the packets I’m getting are from:
fronius-se-iot.azure-devices.net
froniusseiot.blob.core.windows.net
fronius-se-iot-telemetry.azure-devices.net
http://provisioning.solarweb.com/
device-fileuploads.solarweb.com

→ deactivated the NAT setting; the TCP clamp on the tunnel has been activated all along.
It must have something to do with that DS-Lite, but I have no clue what it is.
in bridge.jpg
out bridge.jpg

“In Fall der Verwendung einer Firewall fuer ausgehende Verbindungen”. lol. “Im Fall” would be correct. But that’s just a side note. The point is: only outgoing connections are needed. According to that “list.jpg” there is no need for:

  • upnp
  • nat-pmp
  • any firewall “ingress” filtering

There must be another issue inside your network. ROS in a sane default configuration would not block outgoing traffic in any way. Sometimes ad-blocking DNS (pihole or nextdns, etc.) is responsible for that kind of connectivity issue, given that you need to allow traffic to a bunch of telemetry domains. Since you seem to use 8.8.8.8 according to your config, DNS is most probably not the issue here.

Now to your config:

/ip firewall connection tracking
set loose-tcp-tracking=no udp-timeout=10s

Why do you have loose-tcp-tracking disabled? Unless you have a reason for that: better use the default (yes).

/ip settings
set accept-redirects=yes accept-source-route=yes

A special reason for that?

/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all

Please disable detect-internet. It is a surprise box. It does a lot of “magic”.

/interface ipipv6
add clamp-tcp-mss=no !keepalive local-address=:: name=ipipv6-tunnel1 remote-address=2a03:b580:b000:1::1
/interface ethernet
set [ find default-name=sfp1 ] l2mtu=1500 loop-protect=off rx-flow-control=auto tx-flow-control=auto
/interface pppoe-client
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp \
    tcp-flags=syn
/ipv6 firewall mangle
add action=change-mss chain=forward comment="fix MTU, make HTTPS happy" new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn

Oh oh, I smell a lot of MTU tinkering. This may be the source of your connectivity issue.

Looking at the required outgoing connections for a “simple” inverter, do you really think they care about correct German? :smiley:
Could be competition to stock windows.

Edit: I also see a default oVPN Port :wink:

“cure-se.fronius.com”. “curse” - pun intended?

You could run Packet Sniffer on the interface to the inverter, see what it’s trying to do, and whether it’s getting replies.

OK guys,

I finally managed to get it working.

The good news is the inverter is sending data. The bad news is I still get errors when doing the service test on the inverter website.

I came across a similar topic, where the TCP clamp was addressed in firewall mangle for both directions. I only had it defined for outgoing traffic. Since that change it’s somehow working.
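As an added illustration, not code from the thread, MikroTik or Fronius, of the MTU remark earlier in the thread (clamp-tcp-mss on the tunnel, TLS failing on PMTU problems) and of the fix in this last post: the Python model below computes the usable TCP MSS on an IPv4-in-IPv6 (DS-Lite) tunnel running over PPPoE, then pushes a SYN and its SYN-ACK through a change-mss rule matched only on out-interface-list=WAN (as in the export) versus the same rule paired with one matched on in-interface-list=WAN. The 1500-byte link MTU, the 8-byte PPPoE overhead and the 1460-byte MSS both hosts advertise are assumptions; the LAN/WAN list names follow the export above, and "clamp-to-pmtu" is modelled simply as clamping to the tunnel-derived limit.

```python
# Added example (not from the forum thread, MikroTik or Fronius): a small model
# of TCP MSS clamping on a DS-Lite uplink, i.e. IPv4 carried inside an IPv6
# tunnel that itself rides on PPPoE over a 1500-byte Ethernet link.  It shows
# why a change-mss rule matched only on out-interface-list=WAN fixes one
# direction of every TCP handshake and leaves the other untouched.
# Link MTU, PPPoE overhead and the 1460-byte advertised MSS are assumptions.

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8    # PPPoE session header (6 bytes) + PPP protocol field (2 bytes)
IPV6_HEADER = 40      # outer header added by the ipipv6 tunnel
IPV4_HEADER = 20
TCP_HEADER = 20


def tunnel_ipv4_mtu(link_mtu=ETHERNET_MTU, pppoe=True):
    """Largest IPv4 packet that fits in one IPv6 tunnel packet on the uplink."""
    ipv6_mtu = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    return ipv6_mtu - IPV6_HEADER


def path_mss(link_mtu=ETHERNET_MTU, pppoe=True):
    """Largest TCP payload per segment that still fits inside the tunnel."""
    return tunnel_ipv4_mtu(link_mtu, pppoe) - IPV4_HEADER - TCP_HEADER


def fits_uplink(mss, link_mtu=ETHERNET_MTU, pppoe=True):
    """True if a full-size segment with this MSS leaves the uplink unfragmented."""
    wire = mss + TCP_HEADER + IPV4_HEADER + IPV6_HEADER + (PPPOE_OVERHEAD if pppoe else 0)
    return wire <= link_mtu


def change_mss_rule(in_list=None, out_list=None):
    """Model of a RouterOS mangle rule of the form
         chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
    matched on in-interface-list and/or out-interface-list.  The real
    clamp-to-pmtu is modelled here as clamping to the path_mss() limit."""
    def apply(pkt, mss_limit):
        if not pkt["syn"]:
            return pkt
        if in_list is not None and pkt["in_list"] != in_list:
            return pkt
        if out_list is not None and pkt["out_list"] != out_list:
            return pkt
        return {**pkt, "mss": min(pkt["mss"], mss_limit)}
    return apply


def handshake_mss(rules, advertised_mss=1460, link_mtu=ETHERNET_MTU):
    """Run the SYN (LAN->WAN) and the SYN-ACK (WAN->LAN) through the rules and
    report the MSS each side ends up announcing.  The MSS a host announces
    limits what its *peer* may send to it, so each value caps one direction."""
    limit = path_mss(link_mtu)
    syn = {"syn": True, "in_list": "LAN", "out_list": "WAN", "mss": advertised_mss}
    synack = {"syn": True, "in_list": "WAN", "out_list": "LAN", "mss": advertised_mss}
    for rule in rules:
        syn = rule(syn, limit)
        synack = rule(synack, limit)
    return {
        "inverter_announces": syn["mss"],    # caps segments the cloud sends inbound
        "cloud_announces": synack["mss"],    # caps segments the inverter sends outbound
    }


if __name__ == "__main__":
    only_out = [change_mss_rule(out_list="WAN")]
    both = [change_mss_rule(out_list="WAN"), change_mss_rule(in_list="WAN")]
    print("usable path MSS:", path_mss())
    print("out-interface-list=WAN only:", handshake_mss(only_out))
    print("both directions:            ", handshake_mss(both))
    for label, mss in handshake_mss(only_out).items():
        print(f"{label}={mss}: fits uplink? {fits_uplink(mss)}")
```

Run it with Python 3 (no dependencies). With the single out-interface rule the SYN is clamped to 1412 but the SYN-ACK keeps the cloud's 1460, so the inverter is still told it may send 1460-byte segments that no longer fit the tunnel once encapsulated; the second rule closes that gap, which matches the observed fix.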