Hello,
New Mikrotik user here with a weird problem that’s hopefully just the result of my ignorance.
Issue: Host unreachable/not discoverable from winbox when connecting to router on ip that is vlan interface address on bridge and also default gateway via dhcp. I can connect to other vlan interface on router and directly to ssh. Nmap says all ports are filtered/unreachable - goes for other hosts on same vlan as well. But other routable subnets are reachable no problem. It seems the problem exists for all vlan subnets via access port.
I’m in the process of setting up an RB5009 as my primary router and capsman for two HAP ax2. Starting point is default config.
I have several vlan interfaces on the bridge. Ether2/3 are tagged-only trunk ports for the ax2s. Ether8 is access port for a legacy vlan - old wifi mesh. Remaining ports are all access ports for the base/mgmt vlan.
I managed to get everything working - even the capsman/caps setup. But the problem does not occur immediately. It happens after running a day or two without issues. Then all of a sudden the vlan subnet I’m on becomes unreachable, but forwarding via the vlan interface works, because I still have access to other subnets (vlans and internet). HAPs are disconnected now as to now interfere with debugging .
Any help is greatly appreciated!
# 13324-10-18 15:25:25 by RouterOS 7.16.1
#
# model = RB5009UPr+S+
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
/interface vlan
add interface=bridge name=vlan133_wifi vlan-id=133
add interface=bridge name=vlan144_iot vlan-id=144
add interface=bridge name=vlan155_guest vlan-id=155
add interface=bridge name=vlan166_mgmt vlan-id=166
add interface=bridge name=vlan177_legacy vlan-id=177
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=LEGACY
add name=BASE
add name=RESTRICTED
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.177.2-192.168.177.254
add name=dhcp_pool2 ranges=192.168.166.133-192.168.166.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=vlan177_legacy name=dhcp1
add address-pool=dhcp_pool2 interface=vlan166_mgmt name=dhcp2
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether3
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=166
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=166
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether6 pvid=166
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether7 pvid=166
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether8 pvid=177
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=133
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=144
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=155
add bridge=bridge tagged=ether2,ether3 vlan-ids=166
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan177_legacy list=LEGACY
add interface=vlan166_mgmt list=BASE
add interface=vlan144_iot list=RESTRICTED
add interface=vlan155_guest list=RESTRICTED
add interface=vlan133_wifi list=LAN
add interface=vlan133_wifi list=BASE
/interface wifi capsman
set ca-certificate=auto interfaces=BASE package-path="" \
require-peer-certificate=no upgrade-policy=none
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
network=192.168.88.0
add address=192.168.177.1/24 interface=vlan177_legacy network=192.168.177.0
add address=192.168.166.1/24 interface=vlan166_mgmt network=192.168.166.0
add address=192.168.133.1/24 interface=vlan133_wifi network=192.168.133.0
add address=192.168.144.1/24 interface=vlan144_iot network=192.168.144.0
add address=192.168.155.1/24 interface=vlan155_guest network=192.168.155.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.166.0/24 dns-server=1338.67.222.222,1338.67.2133.2133 gateway=\
192.168.166.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
add address=192.168.177.0/24 dns-server=1338.67.222.222,1338.67.2133.2133 gateway=\
192.168.177.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=1333.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=2155.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" \
in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
"Accept all incoming from BASE/MGMT vlan" in-interface-list=BASE
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=!WAN protocol=\
udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=accept chain=prerouting comment=\
"allow forwarding from yousee modem" in-interface-list=WAN src-address=\
192.168.100.1
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=192.168.0.0/16 \
in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!192.168.88.0/24
add action=drop chain=prerouting comment=\
"legacy: drop local if not from default IP range" in-interface-list=\
LEGACY src-address=!192.168.177.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="accept everything else from BASE" \
in-interface-list=BASE
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"accept everything else from LEGACY" dst-address-list=!not_global_ipv4 \
in-interface-list=LEGACY
add action=accept chain=prerouting comment=\
"accept everything else from RESTRICTED" dst-address-list=\
!not_global_ipv4 in-interface-list=RESTRICTED
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=131441:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=131441:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Dublin
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE