Internet suddenly stopped working for inner network

I have a problem where, on an RB1100x4 router, the internet was working fine up until today. No one touched the router, ports or its config, and I can tracert 8.8.8.8 from the router. The ISP says there is no issue on their end; however, the devices inside the network do not have access through PPPoE, but can ping themselves from inside the network.

Last month we've been under UDP flood attacks; however, as of now the traffic shown by the router is normal.

Please let me know if you can see something that might have gone wrong, because I'm out of any ideas.

Here is the config of the router:

# jul/05/2024 12:03:24 by RouterOS 7.6
# software id = U90Z-VB9H
# model = RB1100x4

/interface bridge
add admin-mac=DC:2C:6E:53:84:53 arp=proxy-arp auto-mac=no comment=defconf name=bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full loop-protect=on rx-flow-control=on tx-flow-control=on
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=****
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.1-192.168.0.99
add name=pptp ranges=192.168.0.199
add name=l2tppool ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set 0 use-ipv6=no
set FFFFFFFE dns-server=10.0.0.1 local-address=10.0.0.1 remote-address=l2tppool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=193.33.9.6,193.33.8.6
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=193.33.8.6 list=dns
add address=193.33.9.6 list=dns
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input src-address=104.219.212.211
add action=drop chain=input src-address=158.51.123.107
add action=accept chain=forward
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="inbound dns" in-interface=ether1 protocol=udp src-address-list=dns src-port=53
add action=accept chain=forward comment="inbound dns" in-interface=ether1 protocol=udp src-address-list=dns src-port=53
add action=accept chain=output comment="outbound dns" dst-address-list=dns dst-port=53 out-interface=ether1 protocol=udp
add action=accept chain=forward comment="outbound dns" dst-address-list=dns dst-port=53 out-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input src-address=103.102.230.133
add action=accept chain=input dst-address=192.168.0.49 protocol=udp
add action=drop chain=input src-address=122.155.166.153
add action=drop chain=input dst-port=1-49 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input dst-port=52-499 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input dst-port=501-1700 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input dst-port=1702-4499 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input disabled=yes dst-port=4499-63000 in-interface=pppoe-out1 protocol=udp src-port=""
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-out1 out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=* dst-port=22 protocol=tcp to-addresses=192.168.0.17 to-ports=22
add action=dst-nat chain=dstnat dst-port=2138 in-interface-list=all protocol=tcp to-addresses=192.168.0.17 to-ports=2138
/ip firewall service-port
set irc disabled=no
set rtsp disabled=no
/ip ipsec policy
add dst-port=1701 peer=*2 protocol=udp src-port=1701
/ip service
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=robert profile=default-encryption service=l2tp
add disabled=yes name=adam profile=default-encryption service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system scheduler
add interval=23h59m59s name=reboot policy=reboot start-date=jul/05/2024 start-time=00:00:05
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=pppoe-out1 name=traf1 trigger=always

Never mind, bought a TP-Link, configured it in 15 minutes instead of 24 working hours, configured VPN and now I have built-in DoS protection. Call me weak or stupid, but the company has internet now.

I think in the end that is most important.

In regards to doing wrong… your firewall config has some space for improvement. Being polite on this.
In addition, are you sure you want to have port 22 available publicly?
Who manages this router? This is due to the fact it is running 7.6.
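As an added illustration (not code from any poster here), a small Python lint pass over a RouterOS export that mechanically flags the things raised in this reply: default-config drop rules left at disabled=yes, an accept rule with no match condition, and a dst-nat rule forwarding TCP/22 to an internal host. The sample export is a constructed excerpt of the config posted above with the redacted public address left out.

```python
import shlex

# Constructed sample: a few lines excerpted from the export posted in this thread.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp to-addresses=192.168.0.17 to-ports=22
"""

def parse_export(text):
    """Yield (section, verb, {key: value}) for each add/set line of a RouterOS export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # section header such as "/ip firewall filter"
            section = line
            continue
        tokens = shlex.split(line)        # shlex keeps a quoted comment as one token
        kv = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        yield section, tokens[0], kv

def lint(text):
    """Return human-readable findings for the weaknesses discussed in the thread."""
    findings = []
    for section, verb, kv in parse_export(text):
        if verb != "add":
            continue
        action, chain = kv.get("action"), kv.get("chain")
        if section == "/ip firewall filter":
            # A default-config drop rule that is switched off no longer protects anything.
            if action == "drop" and kv.get("disabled") == "yes" and kv.get("comment", "").startswith("defconf"):
                findings.append(f"{chain}: disabled default drop rule '{kv['comment']}'")
            # An accept rule with no match condition passes everything that reaches it.
            if action == "accept" and not set(kv) - {"action", "chain", "comment"}:
                findings.append(f"{chain}: unconditional accept rule")
        elif section == "/ip firewall nat" and action == "dst-nat":
            # Forwarding SSH from the WAN side exposes the internal host to the internet.
            if kv.get("protocol") == "tcp" and "22" in (kv.get("dst-port"), kv.get("to-ports")):
                findings.append(f"dstnat: TCP/22 forwarded to {kv.get('to-addresses')}")
    return findings
```

Run `lint(open("export.rsc").read())` against a full `/export` to get the same checks over the whole config.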

Who manages this router?

Apparently no one, and OP was forced by the CEO to get it fixed. Because OP had no experience/expertise, he/she asked in the Mikrotik community forum on Jul 05, 2024 12:11 pm for help.
Even less than 3 hours later (Jul 05, 2024 3:02 pm) he/she already threw the RB1100x4 in the trash and replaced it with some TP-Link device.

I like the chronology.

Why even bother other people with your problem at all? Buy whatever device makes you/your company happy and don't ask for free help if you can't wait for it. You're neither stupid nor weak. But asking for help and then saying "never mind" is what - to be honest - makes me kind of angry. There may have been several people already examining your config who did not comment for whatever reasons. But you wasted their time.

Have a nice day!

@infabo
Well, since there is (obviously) no guarantee that someone on the forum will:

  1. reply
  2. be able to find easily or quickly the cause (that could also - in theory - be something in hardware)

it is perfectly logical, once the CEO gave the order to solve the problem, that the OP started a multi-path approach:

  a) procure as fast as possible a replacement device (possibly a simpler, more likely to work one)
  b) ask for help on the forum
  c) something else
  d) yet something else

then, choose the first one that solves the problem.

“Improvise, adapt, overcome”

As a matter of fact OP was very kind to let us know how the problem has been solved, lots of people in a similar situation would have simply never returned.

Then, once the company internet has been restored, there is a crossroad, one can choose to either:

  1. use the incident to start learning/studying RoS, using the retired RB1100 as a test device, so that when/if something similar happens on some other Mikrotik company device they will be ready
  2. leave things as they are and next time, get another TP-Link or similar

Which one to choose depends not only on the character of the person - only as an example, personally, I would have difficulties in accepting that a (stupid?) config error would be capable of bringing the internet down for the company - but also on the role the OP has in the company, if he/she is actually an IT related employee or someone working in an altogether different area that happens to have been chosen by the CEO because he/she is the most computer literate around or just the smartest one when it comes to problem solving.

You're absolutely right. The OP's approach is legitimate, at least concerning the company thingy.

From the OP’s post history, we can see that OP bought this RB sometime in 2022 and already had no idea about the configuration back then. That’s why it is still running on ROS 7.6 - to answer erlinden’s question - because anav recommended it back then. Sprinkled with completely absurd firewall rules and orphaned configs. It’s just a prime example to say: if you don’t want to learn ROS, then go to another manufacturer. It’s that simple. This is neither weak nor stupid. Especially in a professional environment, critical hardware must work. It doesn’t help if a complete layman tries to play network or ROS administrator.

I would be curious to know the non-polite, non-PC opinion erlinden has on those firewall rules …

Correct, we have no clue as to the background or context of any poster.
The only thing that can and should be, and is NOT, controlled is a new poster's first-post process.
It's educational, helpful and useful for ALL subsequent user posts, let alone efficient for those of us assisting others.

Like anything in standards or engineering, a process works and is the most efficient in terms of time/rework/cost etc.

aye, anav, you here. http://forum.mikrotik.com/t/pppoe-doesnt-work-on-rb1100ahx4/162400/4

Hi, I'm still here, surprised that the thread took an unexpected turn, so for whoever is still wondering what the situation was, I'll explain.

I've been working for this company for 4 years now; we had some old cellular-based internet before the older Mikrotik was installed. Back then the network was simpler as well, and easier to maintain - no VPNs and such.

Then the company started developing quickly, hence the need for a more "beefy" router. We decided to buy the RB1100x4. There was another sysadmin employed at the time, however he left about a month after the purchase, and I was left with the burden of maintaining it, even though I only had experience with consumer-grade routers from TP-Link and CISCO. With these I could do pretty much everything.

Stuff began to go downhill about a month ago, when we had issues with UDP floods and the internet was unstable for some time, and I managed to fight off the attack with the "fancy" firewall rules visible in the config. But hey, they might not be perfect, but they worked for another month without issues.

When the internet suddenly stopped working I had no idea what happened, therefore I created this thread. The CEO was in fact forcing me to solve the issue ASAP, and the simplest solution was buying a router that I can maintain, and with some warranty, that next week another yet unknown issue will come up that I won't be able to solve. I like the "improvise, adapt, overcome" reference - it was the exact same thing.

So yes, I'm not saying that we won't be using the Mikrotik in the future, but for now it's much cheaper and easier to buy a $150 consumer-grade router that will work than me trying to fix this one with my lack of professional knowledge.

Apart from this, the router I bought is definitely enough; the employees even reported back that the VPN is faster than ever, and everything is stable.

I hope that any DoS attacks will be prevented more by the out-of-the-box features of the router than by my sketchy firewall that also caused some problems along the way.

Thank you all for the time you have spent replying to this thread; maybe we will meet again in some time, when I'll be configuring the router.

That’s not any more likely than stopping yourself from asphyxiating when someone stuffs a firehose down your throat by begging time from your attacker to install a dental dam first. It’ll do about as much good.

The proper place for DDoS protection is upstream, where the fat pipes are, which can absorb the excess traffic. Doing it down at the last-mile link works only for the weakest of attacks.

The difference here is that I run public IP addresses everywhere else, with CISCO and TP-Link routers, and I never once had an issue with any kind of attacks. Mikrotiks are targeted, and I had first-hand experience of this, and now I'll just have to wait it out and see if anything happens to the TP-Link.

Targeted Mikrotiks are good if you know how to prevent and stop attacks; for now I'll take the fire hose without a dental dam, and trust whatever software is preinstalled there.