Issue with device connection

rchovan · December 9, 2018, 8:48am

Good morning,
I have bought my hapAC2 and upgraded to latest 6.43.7. I already run RB3011UiAS in my office, so I’m familiar with router config. On My hapAC2 I have strange issues.
Device connected directly with cable to router can be pinged from router only if I delete ARP record for that device. Even after that, ping is working only 2-3 times. See attached pictures:

Here is my configuration. Any ideas?

Thank You.
Description to my config

My simple setup:

ether1-wan - ISP modem
ether2-trunk - Dlink switch in trunk mode
ether3-5 - LAN devices

# dec/09/2018 09:20:23 by RouterOS 6.43.7
# software id = FM9E-58T1
#
# model = RBD52G-5HacD2HnD
# serial number = 9EF709C73784
/interface bridge
add admin-mac=B8:69:F4:5D:2D:21 auto-mac=no name=bridge-home protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=64:70:02:F9:24:24 name=ether1-wan
set [ find default-name=ether2 ] name=ether2-trunk
/interface vlan
add interface=ether2-trunk name=vlan1-mngmt vlan-id=1
add interface=ether2-trunk name=vlan2-home vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=home supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=guest supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto \
    mode=ap-bridge security-profile=home ssid=HomeWifi vlan-id=2 wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=\
    auto mode=ap-bridge security-profile=home ssid=HomeWifi vlan-id=2 wireless-protocol=802.11 wps-mode=disabled
add keepalive-frames=disabled mac-address=BA:69:F4:5D:2D:25 master-interface=wlan1 multicast-buffering=disabled name=\
    guest_2g security-profile=guest ssid=Guest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool-home ranges=192.168.2.50-192.168.2.200
add name=pool-guest ranges=192.168.9.5-192.168.9.100
/ip dhcp-server
add add-arp=yes address-pool=pool-home always-broadcast=yes disabled=no interface=bridge-home name=dhcp-home
add address-pool=pool-guest always-broadcast=yes disabled=no interface=guest_2g name=dhcp-guest
/interface bridge port
add bridge=bridge-home interface=ether3
add bridge=bridge-home interface=ether4
add bridge=bridge-home interface=ether5
add bridge=bridge-home interface=wlan1
add bridge=bridge-home interface=wlan2
add bridge=bridge-home interface=vlan2-home
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-home tagged=ether2-trunk untagged=ether3,ether4,ether5,wlan1,wlan2 vlan-ids=2
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge-home list=LAN
add comment=defconf interface=ether1-wan list=WAN
/ip address
add address=192.168.2.1/24 interface=bridge-home network=192.168.2.0
add address=192.168.1.1/24 interface=vlan1-mngmt network=192.168.1.0
add address=192.168.9.1/24 interface=guest_2g network=192.168.9.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip dhcp-server lease
add address=192.168.2.7 client-id=1:0:1e:a0:0:65:42 comment=stb mac-address=00:1E:A0:00:65:42 server=dhcp-home
add address=192.168.2.12 client-id=1:0:5:cd:72:d5:64 mac-address=00:05:CD:72:D5:64 server=dhcp-home
/ip dhcp-server network
add address=192.168.2.0/24 comment=network-home dns-server=192.168.2.5 domain=.lan gateway=192.168.2.1 netmask=24 \
    next-server=192.168.2.5 ntp-server=192.168.2.5
add address=192.168.9.0/24 comment=network-guest dns-server=1.1.1.1,8.8.8.8 domain=.guest gateway=192.168.9.1
/ip dns
set allow-remote-requests=yes servers=192.168.2.5
/ip dns static
add address=192.168.2.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="drop_invalid: "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 protocol=udp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=\
    "drop_input: "
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix="drop_fwd: "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=22005 protocol=tcp to-addresses=192.168.2.5 to-ports=22
add action=dst-nat chain=dstnat dst-port=18005 protocol=tcp to-addresses=192.168.2.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=22007 protocol=tcp to-addresses=192.168.2.7 to-ports=22
/ip route
add distance=1 dst-address=10.1.1.0/24 gateway=192.168.2.5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=gw.lan
/tool graphing interface
add allow-address=192.168.0.0/16
/tool graphing resource
add allow-address=192.168.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

sebastia · December 9, 2018, 10:53am

Hey, If i’m not mistaken hapAC2 will be configured from factory for SOHO router. Did you reset that config so that it could function as AP only? So no natting, routing, dhcp server, …

rchovan · December 9, 2018, 10:59am

SOHO function is expected. It is my primary router at home, so NAT function is required.

nescafe2002 · December 9, 2018, 1:00pm

/interface detect-internet
set detect-interface-list=all

This is the culprit. It will enable internet detection for slave interfaces and issue ARP requests with wrong source MAC address.

Disable internet detect and it will work again.

Response from support regarding this issue:

The Detect-Internet should not be enabled on slave ports. We will try to fix this issue in next RouterOS versions, but I cannot say any ETA.

For now, you should avoid using Detect-Internet on all interfaces.

rchovan · December 9, 2018, 1:37pm

Thank You. Now it is working.
For my information, feature detect internet is used only if you have for example primary and backup line ?

/interface detect-internet
set detect-interface-list=all
This is the culprit. It will enable internet detection for slave interfaces and issue ARP requests with wrong source MAC address.

Disable internet detect and it will work again.

Response from support regarding this issue:

The Detect-Internet should not be enabled on slave ports. We will try to fix this issue in next RouterOS versions, but I cannot say any ETA.

For now, you should avoid using Detect-Internet on all interfaces.