LAN randomly stops working after NAT and Hairpin NAT

Hi!
I am kinda new to MikroTik and learning from the online tutorials. However, I got to the point where an issue does not make much sense to me, so I came for help.

I got the hAP ac routerboard. I got it as a replacement for the default ISP router, because I want to have a public-facing server running on my home network. I am using the default configuration, but:

  1. I disabled Wi-Fi and got Tenda cube access points plugged into ether3, set to bridge mode, so I can also port-isolate the WiFi devices.
  2. I tried setting up the Port Isolation to isolate individual LAN ports, where the server will be connected to ether4 (I want to separate it from the other devices, because if it gets pwned by any chance, I do not want the other devices exploited too). Since the Port Isolation setup I cannot ping devices on the other ports, so I guess it worked. Even the Tenda app showed only devices connected to the WiFi and the router, not my PC wired to the MikroTik on ether2.
  3. Disabled every service except WinBox to access the router.
  4. I set the server's internal IP to static.
  5. After this was done, I started looking at the Port Forwarding. I set up the rules.
  6. When I wanted to try it, I couldn’t connect from my other devices on the network. I learned that I needed to set up Hairpin NAT, so I did that based on the MikroTik tutorial.
    YAY! I could connect from outside and from inside!

However, then the issues came.

  • After I finished the config on my Windows PC, I started the server and tested it with a friend; both of us could access it.
  • Then I turned off the Windows PC. After returning a few hours later, the LAN had stopped working. I could not access any website. When trying another Windows device, it did not work there either.
  • What is surprising is that the WiFi works on any device. And the Ubuntu Server connected to ether4 seems to be able to ping google.com a while after booting.
  • What is also worrying is that I started seeing the Ubuntu Server device and also my Windows PC when connected via wire on ether2 and ether4 (Port Isolation should prevent this, no? The Tenda app did not use to show them until I did steps 4-6 [not sure which one may be faulty]).
  • I was running only with steps 1 and 2 for a longer while, and back then there were no issues.

So, my questions are:

  • How to fix this? What is the issue here? (From my POV I just applied the default settings, did non-invasive changes and did port forwarding; I ran out of ideas about what may be wrong here.)
  • Is Port Isolation reliable for my use case? (Separating my other devices from the public-facing server, to protect them in case of a server exploit.)
  • How is it possible that after doing the port-forwarding stuff and Hairpin NAT I can suddenly also see the wired devices that should be isolated?

I am also attaching my config export. I replaced my public IP with the string “PUBLIC-IP”.

Do you know by any chance what may be wrong? Do you have any additional recommendations?

Thanks in advance.

# 2024-08-12 19:01:54 by RouterOS 7.15.3
# software id = -
#
# model = RB962UiGS-5HacT2HnT
# serial number = -
/interface bridge
add admin-mac=48:A9:8A:F1:D1:CF auto-mac=no comment=defconf name=bridge
/interface ethernet switch port-isolation
set 1 forwarding-override=ether1
set 2 forwarding-override=ether1
set 3 forwarding-override=ether1
set 4 forwarding-override=ether1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.51 client-id=\
    ff:1:22:10:38:0:2:0:0:ab:11:6f:a9:8:49:72:df:70:e1 mac-address=\
    08:BF:B8:71:3E:B8 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Minecraft dst-address=PUBLIC-IP \
    dst-port=33333 protocol=tcp to-addresses=192.168.88.51 to-ports=25565
add action=dst-nat chain=dstnat comment=SSH dst-address=PUBLIC-IP \
    dst-port=717 protocol=tcp to-addresses=192.168.88.51 to-ports=22
add action=masquerade chain=srcnat dst-address=192.168.88.51 out-interface=\
    bridge protocol=tcp src-address=192.168.88.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bratislava
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

EDIT: The LAN randomly came back up on my Windows PC; it happens rarely and I have no idea what the cause is.
EDIT2: After the router restart the described issues are back, of course.
EDIT3: The LAN came back for 10 minutes and went back down. It is pretty random. The moment it breaks, the Tenda app starts showing the wired connections that should be port-isolated. When the LAN works properly, the devices on the port-isolated ports do not seem to be visible.

One more thing came to my mind. At first I wanted to use Pi-hole, but found that RouterOS 7 supports Adlist. I set it up and it worked okay, but then I also had some issues. I then reset the configuration and started anew without Adlist. Could it also be related to the OS upgrade? That maybe RouterOS 7 takes more resources and the entry-level hAP ac cannot handle it? Probably not, but I guess it is worth mentioning.

Unfortunately, I can’t tell what the problem could be, but I can think of a temporary/permanent solution: setting up VLANs after you undo the port isolation. In your case, it could be done from the same menu from which you set up port isolation, to take advantage of hardware offloading. The VLANs will be configured in the following manner:

  1. For every VLAN you will create a VLAN interface, since L3 is involved, and assign it an IP address;
  2. On the necessary VLANs, for instance the PC and WiFi ones, you would set up DHCP servers;
  3. You will configure the L2 VLANs through the /interface ethernet switch menu;
  4. Inter-VLAN communication will be dropped at the hardware level through switch ACL rules.

You can read here on how to set up the VLANs and, if you have questions regarding it, feel free to ask:

https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Inter-VLANrouting
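Added example (not from the reply's author or from the linked MikroTik page) that sketches steps 1-4 as RouterOS commands for the switch chip on this board (switch1, ports ether2-ether4 as in the export above). The VLAN IDs, subnet ranges, interface names, putting the VLAN interfaces on the existing bridge, and the ACL match fields used are all assumptions; port isolation is assumed to have been removed first, as the reply suggests.

```routeros
# Added example: VLAN-per-port layout on the hAP ac switch chip (switch1).
# Assumed IDs: VLAN 10 = wired PCs (ether2), 30 = WiFi APs (ether3),
# 40 = public server (ether4); subnets 192.168.10/30/40.0/24 are made up.
# Port isolation from the export is assumed to be removed beforehand.

# Step 3: L2 VLANs in the switch chip; access ports strip tags, CPU port tags
/interface ethernet switch vlan
add switch=switch1 vlan-id=10 ports=ether2,switch1-cpu
add switch=switch1 vlan-id=30 ports=ether3,switch1-cpu
add switch=switch1 vlan-id=40 ports=ether4,switch1-cpu
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=30
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=40
set switch1-cpu vlan-mode=secure vlan-header=add-if-missing

# Step 1: one L3 VLAN interface per VLAN (on the existing bridge) + address
/interface vlan
add name=vlan10-pc interface=bridge vlan-id=10
add name=vlan30-wifi interface=bridge vlan-id=30
add name=vlan40-server interface=bridge vlan-id=40
/ip address
add address=192.168.10.1/24 interface=vlan10-pc
add address=192.168.30.1/24 interface=vlan30-wifi
add address=192.168.40.1/24 interface=vlan40-server
# Without this, the defconf input rule "drop all not coming from LAN"
# would drop DHCP and DNS requests arriving on the new VLAN interfaces
/interface list member
add interface=vlan10-pc list=LAN
add interface=vlan30-wifi list=LAN
add interface=vlan40-server list=LAN

# Step 2: DHCP only where clients live (PC and WiFi VLANs); server stays static
/ip pool
add name=pool10 ranges=192.168.10.10-192.168.10.254
add name=pool30 ranges=192.168.30.10-192.168.30.254
/ip dhcp-server
add name=dhcp10 interface=vlan10-pc address-pool=pool10
add name=dhcp30 interface=vlan30-wifi address-pool=pool30
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

# Step 4: switch ACL drops frames entering ether4 that are addressed to the
# other VLAN subnets (empty new-dst-ports = discard), so a compromised
# server cannot reach PCs or WiFi clients even though the CPU routes VLANs
/interface ethernet switch rule
add switch=switch1 ports=ether4 dst-address=192.168.10.0/24 new-dst-ports=""
add switch=switch1 ports=ether4 dst-address=192.168.30.0/24 new-dst-ports=""
```

The dst-nat and hairpin rules from the export still point at 192.168.88.51 and out-interface=bridge, so they have to be re-pointed at the server's new address and VLAN interface. Which switch-rule match fields this chip honours in hardware is listed on the linked page and should be confirmed before relying on the ACL drops.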

Hi,
thank you for your response. Sorry, I completely forgot to answer. First, I wanted to try downgrading RouterOS back to version 6, and if the issue persisted I’d try your VLAN suggestion. In the end, the downgrade back to version 6 seems to have resolved the issues, and everything runs smoothly so far, also with Port Isolation.

Have a nice day and thanks again for your time :)