Internet access OK from LAN but NO GO from the router itself

There is an existing topic with the same issue ("Internet access OK from LAN but not from the router itself"), but it has no solution.

# 2026-03-05 20:31:49 by RouterOS 7.21
# software id = 5WSQ-IVBW
#
# model = RB4011iGS+
# serial number = ***********
/interface bridge
# Single bridge carrying the untagged LAN (192.168.88.0/24) plus the tagged VLANs.
# arp=proxy-arp makes the router answer ARP for any address it can route -
# presumably here because the L2TP pool below lives inside the LAN /24; verify
# it is still needed, as it also masks mis-addressed hosts.
# vlan-filtering=yes with ingress-filtering=no: untagged frames are accepted on
# every port and land in the port's default pvid (1, nothing overrides it below).
add arp=proxy-arp ingress-filtering=no name=bridge port-cost-mode=short \
    vlan-filtering=yes
/interface ethernet
# ether10-HB is the ISP uplink (it is the only member of the WAN list further down).
set [ find default-name=ether10 ] name=ether10-HB poe-out=off
set [ find default-name=sfp-sfpplus1 ] name=sfp1
    
/interface vlan
# Router-side VLAN interfaces; each needs the bridge itself as a tagged member
# in /interface bridge vlan to carry traffic.
# mtu=1480 on the phone VLAN is deliberate or inherited - TODO confirm with the phone vendor.
add interface=bridge mtu=1480 name=vlan21-ipphone vlan-id=21
add interface=bridge name=vlan50-apmgmt vlan-id=50
# NOTE(review): no /interface bridge vlan entry in this export lists VLAN 88 and
# no port has pvid=88, so vlan88-default appears to have nothing to carry - confirm.
add interface=bridge name=vlan88-default vlan-id=88
add interface=bridge name=vlan99-wifiguest vlan-id=99
add interface=bridge name=vlan100-ipcam vlan-id=100
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
# LAN is later populated with `bridge` only - the tagged VLAN interfaces are NOT
# in it, which is what the input chain's final "drop all not from LAN" relies on.
add name=LAN
/interface wireless security-profiles
# Stock default profile; RB4011iGS+ (no 2HnD suffix) has no radio, so this is inert - verify.
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# A menu of DNS-resolver options (code 6). None of them is referenced anywhere in
# this export - there is no /ip dhcp-server network section at all, so either the
# export was trimmed or clients receive no gateway/DNS with their lease. TODO confirm.
add code=6 name=OpenDNS value="'208.67.222.222''208.67.220.220'"
add code=6 name=NortonConnectSafe value="'199.85.126.20''199.85.127.20'"
add code=6 name=SafeDNS value="'195.46.39.39''195.46.39.40'"
add code=6 name=Cloudflare value="'1.1.1.1''1.0.0.1'"
add code=6 name=FamilyShieldDNS value="'208.67.222.123''208.67.220.123'"
add code=6 name=DNSWatch value="'84.200.69.80''84.200.70.40'"
# Hands out the router as NTP server; only VLANs with an NTP input rule
# (vlan21, vlan100) and the untagged LAN can actually reach it.
add code=42 name="NTP Server" value="'192.168.88.1'"
add code=6 name=Quad9 value="'9.9.9.9''149.112.112.112'"
/ip pool
add name=dhcp ranges=192.168.88.5-192.168.88.148
add name=dhcp-pool99 ranges=192.168.99.2-192.168.99.22
add name=dhcp-pool100 ranges=192.168.100.2-192.168.100.10
# VPN pool carved out of the LAN /24 (hence proxy-arp on the bridge); no L2TP
# server configuration appears in this export.
add name=L2TP ranges=192.168.88.150-192.168.88.160
add name=dhcp-pool21 ranges=192.168.21.2-192.168.21.6
add name=dhcp-pool50 ranges=192.168.50.200-192.168.50.210
/ip dhcp-server
# One server per VLAN. Note the DHCP server listens on a raw socket, so it does
# not need the (disabled) "Allow DHCP" input rule to hand out leases.
# "authoritative=after-2sec-delay" is set on three servers only - probably
# unintentional; the untagged-LAN and camera servers use the default.
add address-pool=dhcp bootp-support=none interface=bridge lease-time=3d name="dhcp-vlan1 (defcon)"
add address-pool=dhcp-pool99 authoritative=after-2sec-delay interface=\
    vlan99-wifiguest lease-time=1d name=dhcp-vlan99
add address-pool=dhcp-pool100 interface=vlan100-ipcam lease-time=1w name=\
    dhcp-vlan100
add address-pool=dhcp-pool21 authoritative=after-2sec-delay bootp-support=\
    none interface=vlan21-ipphone lease-time=1d name=dhcp-vlan21
add address-pool=dhcp-pool50 authoritative=after-2sec-delay interface=\
    vlan50-apmgmt lease-time=3d name=dhcp-vlan50
/ip smb users
# Built-in SMB guest user disabled - keep it that way.
set [ find default=yes ] disabled=yes
/interface bridge port
# Bridge members: sfp1 and ether4-8 only. ether1/2/3/9 are NOT bridge ports
# (ether2 is nevertheless named as a tagged member below - see that section).
add bridge=bridge interface=sfp1 internal-path-cost=10 path-cost=10
add bridge=bridge comment="D-link TV cabinet" interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# loose-tcp-tracking=no: TCP packets for flows conntrack did not see from SYN are
# marked invalid and hit the logged "drop invalid" rules. Combined with the
# 30-minute established timeout (shorter than the default), idle long-lived
# sessions that resume after half an hour will show up there as drops.
set loose-tcp-tracking=no tcp-established-timeout=30m
/ip neighbor discovery-settings
# No MNDP/CDP/LLDP on any interface - good hardening, router is not advertised.
set discover-interface-list=none
/ip settings
set max-neighbor-entries=4096 rp-filter=loose
/interface bridge vlan
# VLAN 1 has no explicit members: ports get it untagged via their default pvid.
add bridge=bridge vlan-ids=1
# NOTE(review): ether2 is listed as tagged for 99/100/50 but is not a bridge port
# in this export, so those memberships have no effect - either add ether2 to the
# bridge or drop it from these entries. VLAN 88 (vlan88-default) has no entry at all.
add bridge=bridge tagged=ether2,sfp1,bridge vlan-ids=99
add bridge=bridge tagged=ether2,sfp1,bridge vlan-ids=100
add bridge=bridge tagged=bridge,ether2,sfp1 vlan-ids=50
add bridge=bridge tagged=bridge,sfp1 vlan-ids=21
/interface list member
add interface=ether10-HB list=WAN
# Only the bridge (untagged LAN) is "LAN". Tagged VLAN interfaces are not, so the
# firewall treats them as untrusted unless a rule names them explicitly.
add interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=vlan99-wifiguest network=192.168.99.0
add address=192.168.100.1/24 interface=vlan100-ipcam network=192.168.100.0
# Phone VLAN is a /29 (6 usable hosts); the matching address-list entry should be /29 as well.
add address=192.168.21.1/29 interface=vlan21-ipphone network=192.168.21.0
add address=192.168.50.1/24 interface=vlan50-apmgmt network=192.168.50.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# WAN address and default route come from the ISP; its DNS/NTP are deliberately ignored.
add interface=ether10-HB use-peer-dns=no use-peer-ntp=no
/ip dns
# The router is a resolver for whatever the input chain admits (untagged LAN and
# vlan21 UDP/53). It resolves ONLY via DoH to 1.1.1.1 - there is no `servers=`
# fallback and the ISP resolvers are discarded above, so any failure of the DoH
# session (e.g. verify-doh-cert=yes with no suitable CA under /certificate, which
# this export does not show) takes down name resolution for the router and all
# clients pointed at 192.168.88.1.
set allow-remote-requests=yes cache-max-ttl=30m doh-max-concurrent-queries=\
    100 doh-timeout=7s use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router type=A
# The DoH URL uses an IP literal, so these pinned records are not needed to
# bootstrap it - presumably left over from a https://cloudflare-dns.com/dns-query
# URL. Pinned public IPs go stale silently; remove them if nothing else uses them.
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
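/ip firewall address-list
# Per-VLAN source lists used by the input-chain NTP rules. Each entry mirrors the
# prefix actually configured on the corresponding interface.
add address=192.168.99.0/24 list=vlan99
add address=192.168.88.0/24 list=internal
add address=192.168.100.0/24 list=vlan100
# /29, to match the 192.168.21.1/29 configured on vlan21-ipphone. The previous
# /24 let the NTP rule accept 248 source addresses that do not exist on that VLAN.
add address=192.168.21.0/29 list=vlan21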
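/ip firewall filter
# Rules with chain=- are visual separators only (a chain nothing jumps to).
#
# ---- input: packets addressed TO the router -------------------------------
# NOTE(review): this chain never evaluates router-ORIGINATED traffic; only the
# replies come back through it, and those match the established/related rule,
# so the disabled ICMP rule cannot explain a failing `ping` run from the router.
# Both drop rules below log with distinctive prefixes - run
# `/log print where message~"dropped"` while the router's own ping runs to see
# whether anything at all is being dropped here.
add action=log chain=- comment=\
    ----------------------input--------------------------------
add action=accept chain=input comment="Allow DHCP from Mikrotik (LAN)" \
    disabled=yes dst-port=67 in-interface-list=LAN log=yes log-prefix=\
    "-- DHCP request --" protocol=udp
# Only UDP/53 is opened for the phone VLAN; a truncated answer retried over
# TCP/53 still ends in the final drop.
add action=accept chain=input comment=\
    "Allow IPPhone VLAN 21 access to DNS server UDP" dst-port=53 \
    in-interface=vlan21-ipphone log-prefix="-- DNS UDP --" protocol=udp
# Both NTP rules now also match the ingress interface, as the DNS rule above
# already does: an address-list match on its own is satisfied by a spoofed
# source address arriving from any other VLAN.
add action=accept chain=input comment=\
    "Allow IPPhoneVLAN 21 access to MKT NTP server" dst-port=123 \
    in-interface=vlan21-ipphone log-prefix="--NTP 21--" protocol=udp \
    src-address-list=vlan21
add action=accept chain=input comment=\
    "Allow IPCam VLAN 100 access to MKT NTP server" dst-port=123 \
    in-interface=vlan100-ipcam log-prefix="--NTP 100--" protocol=udp \
    src-address-list=vlan100
add action=accept chain=input comment="defconf: accept ICMP (internal)" \
    disabled=yes protocol=icmp src-address-list=internal
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="-- dropped invalid --"
# The LAN list holds only `bridge`, so the tagged VLAN interfaces are not "LAN":
# anything from them not accepted above is dropped here too. log=yes on a
# WAN-facing catch-all records every background scan; consider removing it
# once the current problem is diagnosed.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=\
    "--dropped access not from LAN--"
#
# ---- forward: traffic routed THROUGH the router ---------------------------
add action=log chain=- comment=\
    -----------------------forward-------------------------------
add action=log chain=- comment=\
    -----------------------VOIP-------------------------------
# Accepts every packet from the Yealink phone, to ANY destination (internet,
# other VLANs); connection-nat-state="" matches nothing in particular.
add action=accept chain=forward comment="Yealink Out" connection-nat-state="" \
    log=yes log-prefix="--Yealink out--" src-address=192.168.21.2
add action=log chain=- comment=\
    ------------------------------------------------------
add action=log chain=- comment=\
    ------------------------------------------------------
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
# A bare "------" line followed the fasttrack rule in the pasted export. It is
# not a command and would abort `/import`, so it is kept only as this comment.
# ------------------------------------------------------
add action=drop chain=forward comment=\
    "Disable Guest VLAN to anywhere but Internet" in-interface=\
    vlan99-wifiguest log=yes log-prefix=--GST-- out-interface=!ether10-HB
add action=accept chain=forward comment="Allow Guest VLAN to Internet" \
    in-interface=vlan99-wifiguest out-interface=ether10-HB
add action=accept chain=forward comment="LAN to WAN (for internet access)" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Re-enabled so the inbound SIP dst-nat is admitted by an explicit rule. With the
# current rule set this changes nothing observable (dst-nat'd packets already
# fell through to the implicit accept at the end of the chain), but it stops
# the port forward from working only by accident.
add action=accept chain=forward comment="port forwarding (nat_state=dsnat)" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "--WAN drop--"
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="--Drop invalid --"
# Blocks new internet-bound connections from everything not accepted above,
# i.e. vlan21 (other than the Yealink), vlan50 and vlan100.
add action=drop chain=forward comment="Drop all other HB" log=yes log-prefix=\
    "--Drop all other HB--" out-interface=ether10-HB
# NOTE(review): there is no terminal drop - the chain ends in RouterOS's implicit
# accept. Inter-VLAN traffic reaching this point (cameras on vlan100 or APs on
# vlan50 initiating connections into 192.168.88.0/24, or into each other) is
# therefore allowed. If that is not intended, add the LAN->VLAN accepts you need
# and finish the chain with `add action=drop chain=forward`.
add action=log chain=-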

/ip firewall nat
# Outbound NAT only on the ISP uplink.
add action=masquerade chain=srcnat comment="HB NAT out" \
    log-prefix=--HB-- out-interface=ether10-HB
# Inbound SIP: restricted to the provider's source IP, redirected to the phone
# on its non-default port 5090. Inbound delivery depends on the forward chain
# admitting dst-nat'd connections - see the `connection-nat-state=dstnat` rule there.
add action=dst-nat chain=dstnat comment=A&A_VoIP_SIP_UDP dst-port=5060 \
    in-interface=ether10-HB log=yes log-prefix="--A&A VoIP UDP in--" \
    protocol=udp src-address=81.187.30.118 to-addresses=192.168.21.2 \
    to-ports=5090
/ip firewall service-port
# Connection-tracking helpers (ALGs) off. Disabling the SIP helper is the right
# call with a static port forward - the ALG would otherwise rewrite SDP/Contact.
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
# NOTE(review): 3des is obsolete (64-bit block, Sweet32) and aes-128 is weaker
# than needed; no IPsec peer appears in this export, so nothing visibly depends
# on them. Drop 3des unless a known legacy client requires it.
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=aes-256,aes-128,3des
/ip kid-control
# Empty placeholder entry; inert.
add mon="" name=Dummy
/ip service
# Plaintext management (ftp/telnet/http) and the API are off; HTTPS is TLS 1.2
# only with a named certificate. ssh (22) and winbox (8291) are not listed, so
# they run with defaults: enabled, no `address=` restriction. They are reachable
# only from the untagged LAN because of the input chain, not because of this section.
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl certificate=wildcard disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
/ipv6 nd
# No IPv6 addressing appears elsewhere in this export; inert until one is added.
set [ find default=yes ] advertise-dns=yes
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes
/system ntp server
# Serves NTP (including multicast/manycast) on every interface; the input chain
# decides who can actually use it.
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
# Two fixed upstream IPs; a hostname-based pool would survive renumbering - TODO confirm ownership.
add address=212.23.8.6
add address=193.150.34.2
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
# MAC-telnet disabled everywhere.
set allowed-interface-list=none
/tool mac-server mac-winbox
# Layer-2 Winbox reachable from the untagged LAN only (LAN list = bridge);
# the tagged VLANs are excluded.
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Very simple config, very simple setup

LAN access to internet is no issue, but router itself is a no go

[admin@MikroTik] > ping bbc.co.uk
  SEQ HOST                                     SIZE TTL TIME       STATUS                                         
    0 151.101.64.81                                                timeout                                        
    1 151.101.64.81                                                timeout                                        
    2 151.101.64.81                                                timeout                                        
    3 151.101.64.81                                                timeout                                        
    sent=4 received=0 packet-loss=100% 

Simply have no idea what could be causing it

If somebody can help, it would be appreciated

Actual defconf:
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"

But I do not want to have it enabled, why would this rule make any difference to internet access?

The unit cannot reach the internet from its own bridge IP (i.e. it cannot check whether a software update is available).

sebus

Well, if you ping you are not really "accessing the internet", you are "pinging the internet", which is ICMP.

The actual defconf in the standard firewall has an explicit accept rule for ICMP. (When you change a rule you should also change its comment to something other than "defconf", otherwise the real defconf rules can no longer be told apart from modified ones.)

My suspicion is that it was put there for a reason, and if you change or disable that rule (or both, as you did), pinging won't work.

You could try also a traceroute to see what you get.

Post also the output of:
/ip address print
and of
/ip route print

I am not pinging the MikroTik unit from outside; I am pinging from the MikroTik itself (so, rule or not, I should get a reply).

In software update I get:

ERROR: no internet connection

The route is correct (a single default route to the ISP); otherwise nothing would work.

Same config worked fine before upgrade to 7.21