I have a hAP ac and I have almost everything up and running the way I’d like, except that Apple devices running iOS connect to Wi-Fi and get valid DHCP info but are unable to browse the internet, and apps that require data do not work. Any suggestions on what to check? I searched the forums, and almost everything there pertains to Apple devices not being able to get DHCP info, but as I mentioned, that is not my issue. My smart TVs, laptop and other devices work fine on the Wi-Fi.
/export hide-sensitive file=anynameyouwish
Do they get DNS server from DHCP?
Clients do indeed get DNS from DHCP
# NOTE(review): RouterOS export as pasted into the thread. The paste appears to
# have lost the leading "#" of the four header lines and the trailing "\" line
# continuations, so it will not import as-is; the text is kept verbatim as the
# record of the poster's configuration.
# NOTE(review): the header still carries the device serial number and software
# ID (presumably the export was made with the hide-sensitive option suggested
# earlier in the thread); these identify the unit and are worth redacting by
# hand before a config is posted publicly.
oct/29/2020 14:32:53 by RouterOS 6.47.3
software id = 0MJ8-LSD8
model = RBD52G-5HacD2HnD
serial number = D7170C4DA49B
# One bridge with a fixed admin MAC; spanning tree runs in STP mode.
/interface bridge
add admin-mac=48:8F:5A:73:59:6B auto-mac=no comment=defconf name=bridge
protocol-mode=stp
# ether1 is the WAN uplink, ether2 the LAN uplink; ether3-5 are labelled unused.
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Interface"
set [ find default-name=ether2 ] comment=
"LAN - Uplink to 24 port backbone switch"
set [ find default-name=ether3 ] comment=Unused
set [ find default-name=ether4 ] comment=Unused
set [ find default-name=ether5 ] comment=Unused
# Both radios run as access points (ap-bridge): SSID MT2 on 2.4 GHz, MT5 on 5 GHz.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n comment="Integrated Wifi"
country="united states" disabled=no distance=indoors frequency=auto
installation=indoor mode=ap-bridge ssid=MT2 station-roaming=enabled
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX comment="Integrated Wifi" country="united states"
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=
MT5 station-roaming=enabled wireless-protocol=802.11
/interface wireless manual-tx-power-table
set wlan1 comment="Integrated Wifi"
set wlan2 comment="Integrated Wifi"
/interface wireless nstreme
set wlan1 comment="Integrated Wifi"
set wlan2 comment="Integrated Wifi"
# Interface lists referenced by the firewall and the discovery / MAC-server settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): the default profile still offers first-generation WPA-PSK next
# to WPA2-PSK. WPA is legacy; WPA2-only is the usual baseline unless an old
# client needs it.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Address pools: "vpn" for PPP clients, "dhcp" for LAN leases (.50-.99).
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp ranges=192.168.2.50-192.168.2.99
# DHCP server bound to the bridge; add-arp=yes installs an ARP entry per lease.
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge lease-time=8h
name=dhcp-server-lan
# *FFFFFFFE is an internal profile ID — presumably the built-in
# default-encryption profile that the SSTP server below uses; confirm.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# NOTE(review): an SNMP v1/v2c community name works like a password and is
# shown here in clear text. addresses=::/0 puts no source restriction on the
# community, so only the firewall input chain limits who can query it.
/snmp community
add addresses=::/0 name=warllo
# Policy list of the "full" user group (the quoted string was wrapped by the paste).
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# ether2-5 and both radios are ports of the one bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# Neighbor discovery is limited to the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# detect-internet is applied to every interface.
/interface detect-internet
set detect-interface-list=all
# NOTE(review): use-ipsec=yes permits IPsec but still accepts plain L2TP;
# use-ipsec=required is the setting that refuses L2TP sessions without IPsec.
/interface l2tp-server server
set authentication=chap,mschap2 enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): the PPTP server is enabled and tcp/1723 is accepted from any
# interface in the input chain below. PPTP's MS-CHAPv2/MPPE protection is
# considered broken; disable it if the L2TP/IPsec or SSTP service covers the
# same clients.
/interface pptp-server server
set enabled=yes
# SSTP server enabled; no port is set here, so presumably the default tcp/443.
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# The LAN address sits on ether2, which is a bridge port (see
# /interface bridge port above), not on the bridge itself. The first reply in
# the thread flags this.
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=
192.168.2.0
# Dynamic DNS via MikroTik cloud is on, so the WAN address is published under
# a cloud hostname.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
# Static lease for one client.
/ip dhcp-server lease
add address=192.168.2.85 mac-address=B8:27:EB:0E:AA:E1 server=dhcp-server-lan
# No dns-server is set for the DHCP network — TODO confirm which resolver
# address clients actually receive.
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# client the input chain admits; the final "drop all not coming from LAN" input
# rule is what keeps this resolver off the WAN. The upstream list also names
# 192.168.2.1, which is the router's own LAN address.
/ip dns
set allow-remote-requests=yes servers=192.168.2.2,192.168.2.1
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
add address=192.168.2.14 name=unifi.warllo.org
# Input chain (traffic to the router itself). The VPN accept rules carry no
# in-interface or source restriction, so they match on WAN and LAN alike.
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
# NOTE(review): tcp/443 arriving on ether1 is dst-nat'ed to 192.168.2.14 by the
# NAT rules below, which presumably means WAN traffic never reaches this input
# rule — verify whether SSTP from the internet is intended to work.
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# Management over HTTPS (www-ssl on 8443) is admitted only from the VPN pool.
add action=accept chain=input comment="Allow Managment from VPN" dst-port=
8443 protocol=tcp src-address=192.168.89.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: everything not from the LAN list is dropped. SNMP, DNS and
# the management services rely on this rule for their WAN isolation.
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
# Forward chain (traffic through the router): default-configuration rules.
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
# New WAN connections are forwarded only when a dst-nat rule matched them.
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# Port forwards: tcp/80 and tcp/443 go to 192.168.2.14 and udp/1194 to
# 192.168.2.5, so those two LAN hosts are reachable from the internet.
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT for HTTPS traffic to Web Proxy"
dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.2.14
to-ports=443
add action=dst-nat chain=dstnat comment="NAT for HTTP traffic to Web Proxy"
dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.2.14
to-ports=80
add action=dst-nat chain=dstnat comment="Open VPN" dst-port=1194
in-interface=ether1 protocol=udp to-addresses=192.168.2.5
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this rule has no out-interface, so VPN-sourced traffic is
# masqueraded towards the LAN as well; LAN hosts then log the router's address
# instead of the individual VPN client.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
# Static route to 10.12.13.0/24 via 192.168.2.5 (the host that also receives
# the udp/1194 forward).
/ip route
add distance=1 dst-address=10.12.13.0/24 gateway=192.168.2.5
# NOTE(review): www (plain HTTP) is moved to 8080 but not disabled, and www-ssl
# is enabled on 8443. Services not listed here (telnet, ftp, api, ...) are
# presumably still at their defaults — verify and disable the unused ones.
/ip service
set www port=8080
set www-ssl certificate=https-cert disabled=no port=8443
# PPP account "vpn"; no password is shown (presumably omitted by the export)
# and no service restriction is set, so presumably it is valid for every
# enabled PPP server, PPTP included — confirm.
/ppp secret
add name=vpn
# SNMP is enabled; the contact field holds a personal name, and the trap
# community repeats the community name shown above.
/snmp
set contact="Lloyd Warren" enabled=yes location=Home trap-community=warllo
/system clock
set time-zone-name=America/Chicago
# MAC-telnet and MAC-WinBox are limited to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
You have set the IP Address on interface instead of bridge
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=\
192.168.2.0
You should change that to the bridge and everything should work…
/ip address add address=192.168.2.1/24 comment=defconf interface=bridge network=192.168.2.0
Thanks for the suggestion, I did as suggested however I am still experiencing the same issue. Here is the updated config. I find it odd that most devices are working, except for the Apple iOS devices.
# NOTE(review): second export from the same router, pasted after the LAN
# address was moved. As pasted it appears to have lost the header "#" markers
# and the "\" line continuations, so it is a record rather than an importable
# script. The header again exposes the device serial number and software ID.
oct/29/2020 15:40:33 by RouterOS 6.47.3
software id = 0MJ8-LSD8
model = RBD52G-5HacD2HnD
serial number = D7170C4DA49B
/interface bridge
add admin-mac=48:8F:5A:73:59:6B auto-mac=no comment=defconf name=bridge
protocol-mode=stp
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Interface"
set [ find default-name=ether2 ] comment=
"LAN - Uplink to 24 port backbone switch"
set [ find default-name=ether3 ] comment=Unused
set [ find default-name=ether4 ] comment=Unused
set [ find default-name=ether5 ] comment=Unused
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n comment="Integrated Wifi"
country="united states" disabled=no distance=indoors frequency=auto
installation=indoor mode=ap-bridge ssid=MT2 station-roaming=enabled
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX comment="Integrated Wifi" country="united states"
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=
MT5 station-roaming=enabled wireless-protocol=802.11
/interface wireless manual-tx-power-table
set wlan1 comment="Integrated Wifi"
set wlan2 comment="Integrated Wifi"
/interface wireless nstreme
set wlan1 comment="Integrated Wifi"
set wlan2 comment="Integrated Wifi"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default wireless profile accepts legacy WPA-PSK as well as WPA2-PSK.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp ranges=192.168.2.50-192.168.2.99
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge lease-time=8h
name=dhcp-server-lan
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# SNMP community name is visible in clear text and addresses=::/0 sets no
# source restriction; access is limited only by the firewall input chain.
/snmp community
add addresses=::/0 name=warllo
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
# use-ipsec=yes allows IPsec but does not require it; use-ipsec=required does.
/interface l2tp-server server
set authentication=chap,mschap2 enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# PPTP is enabled; its MS-CHAPv2/MPPE protection is considered broken.
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# Changed from the first export: the LAN address is now on the bridge instead
# of the bridge port ether2.
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=
192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.2.85 mac-address=B8:27:EB:0E:AA:E1 server=dhcp-server-lan
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
# The router answers DNS for any client the input chain admits, and its
# upstream list includes its own LAN address 192.168.2.1.
/ip dns
set allow-remote-requests=yes servers=192.168.2.2,192.168.2.1
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
add address=192.168.2.14 name=unifi.warllo.org
# Input chain: VPN ports are accepted from any interface; everything else that
# is not from the LAN list is dropped by the last input rule.
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
# tcp/443 from ether1 is also dst-nat'ed to 192.168.2.14 below, so this rule
# presumably never sees WAN traffic — verify.
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow Managment from VPN" dst-port=
8443 protocol=tcp src-address=192.168.89.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# Port forwards expose 192.168.2.14 (tcp/80, tcp/443) and 192.168.2.5
# (udp/1194) to the internet.
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT for HTTPS traffic to Web Proxy"
dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.2.14
to-ports=443
add action=dst-nat chain=dstnat comment="NAT for HTTP traffic to Web Proxy"
dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.2.14
to-ports=80
add action=dst-nat chain=dstnat comment="Open VPN" dst-port=1194
in-interface=ether1 protocol=udp to-addresses=192.168.2.5
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
# No out-interface on this rule: VPN client traffic is masqueraded on every
# egress interface, the LAN included.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
/ip route
add distance=1 dst-address=10.12.13.0/24 gateway=192.168.2.5
# Plain-HTTP www stays enabled on 8080 next to www-ssl on 8443; services not
# listed are presumably at their defaults — verify.
/ip service
set www port=8080
set www-ssl certificate=https-cert disabled=no port=8443
/ppp secret
add name=vpn
# SNMP enabled; contact holds a personal name.
/snmp
set contact="Lloyd Warren" enabled=yes location=Home trap-community=warllo
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
protocol-mode=stp
I would suggest that this be changed to RSTP or none and see if that helps.
/interface detect-internet
set detect-interface-list=all
try changing that to LAN only
Otherwise maybe it’s something funky in your wifi settings (I have not used nstreme, for example).
Thank you all for your suggestions I have tried them all
I’m still not able to get iOS devices working; it’s so strange. If you have any other suggestions I’d be grateful, but I don’t want to take up too much of your time.
I’ve done some additional troubleshooting and have discovered that while receiving a valid IP address 192.168.2.74, 255.255.255.0, and a gateway of 192.168.2.1 I am unable to ping the router or anything else on the local network from WIFI but again only on Apple devices. If I use a laptop running Windows 10 it works great. Very odd.
Did you find any solution to this, if so what was it?
I have this exact same problem.
hAP ax3, iPhone can connect to both 2.4ghz and 5ghz, but doesn’t get any access to the internet.
I also cannot ping to the iPhone’s local IP from the router.
My iPhone connects to the Internet through my ax³ just fine. Post your sanitized configuration /export in a “code” block. You’ve almost certainly got something configured improperly.
Fixed!
It was like this:
# "Before" state as posted: the router's own address is 192.168.10.0, which is
# the network address of 192.168.10.0/24 rather than a host address.
/ip address
add address=192.168.10.0/24 interface=bridge network=192.168.10.0
/ip dhcp-client
# NOTE(review): the "add" keyword looks dropped in the paste — confirm.
interface=ether1
# Clients are handed that same network address as both gateway and DNS server.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.0 gateway=192.168.10.0
It had to be like this:
# "After" state as posted: the router now uses the host address 192.168.10.1.
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
/ip dhcp-client
# NOTE(review): the "add" keyword looks dropped in the paste — confirm.
interface=ether1
# The gateway is corrected to 192.168.10.1.
# NOTE(review): dns-server is still 192.168.10.0, the network address;
# presumably it should point at 192.168.10.1 (or another resolver) as well —
# confirm against the working router.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.0 gateway=192.168.10.1
For some reason, Windows and Android had no issues working with the wrong settings (the router and gateway set to the network address 192.168.10.0), but the iPhone wouldn’t accept it.
I’m still learning.