LOST CONNECTION

I have a remote site with a MikroTik router, hEX series.
Sometimes the connection is down and there is nothing on WinBox, as you can see in the attachment.

I tried:

  • change device
  • upgrade firmware
  • update firmware

Still the same.

Without seeing the configuration, it’s hard to say why.
Open a terminal and paste: /export hide-sensitive

# jul/01/2024 10:06:40 by RouterOS 6.47.10
# software id = XW0G-29PF
#
# model = RB750Gr3
# serial number = CC230FA336F6

/interface bridge
add admin-mac=DC:2C:6E:BB:9B:1D auto-mac=no comment=defconf name=bridge
/interface pptp-client
add connect-to=hcc082k4d45.sn.mynetname.net disabled=no name=WH1 user=WH1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.50.100-192.168.50.220
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.50.1/24 comment=defconf interface=bridge network=192.168.50.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rip interface
add receive=v2
/routing rip network
add network=192.168.50.0/24
add network=172.168.10.0/24
/system clock
set time-zone-name=Asia/Riyadh
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The problem could be in the traffic flow, because the firewall section is missing entries that are responsible for the correct operation of the traffic flow.
You can try changing existing firewall rules to default. After that, restart the router and see if the traffic works correctly.
In the default firewall version, the rules allow everything and prohibit only what you define yourself.
It is also possible to configure so that firewall rules prohibit everything and allow only what you define yourself.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
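
Added example (not written by any poster in this thread): a Python check that parses the filter section of a RouterOS /export and lists which of the defconf rules quoted above are absent from the export posted earlier. The helper names filter_rules and missing_rules are hypothetical, and both rule sets are copied from the thread as constructed input.

```python
import re
import shlex

# Constructed input: filter rules from the export posted in the thread (first
# rule shown with RouterOS's backslash wrapping) and the defconf set from the reply.
POSTED = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
"""
DEFCONF = r"""
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

def filter_rules(export):
    """Return [(comment, matchers)] for each rule under /ip firewall filter."""
    text = re.sub(r"\\\n\s*", "", export)  # undo export line wrapping
    rules, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            kv = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            rules.append((kv.pop("comment", ""), frozenset(kv.items())))
    return rules

def missing_rules(posted, baseline):
    """Comments of baseline rules with no identical match in the posted export."""
    have = {matchers for _, matchers in filter_rules(posted)}
    return [c for c, matchers in filter_rules(baseline) if matchers not in have]

if __name__ == "__main__":
    for comment in missing_rules(POSTED, DEFCONF):
        print("missing:", comment)
```

On the export from this thread it reports five missing rules, among them both WAN-facing drop rules, so traffic arriving on ether1 falls through to RouterOS's implicit accept.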

(1) What is the role of the .88 subnet?
You have a pool for it, but no dhcp server, not on an interface list, NO address (not tied to any particular interface) and yet there is dhcp-server network for it etc..

Suggest from this:
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

TO:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

Get rid of the static one!!

(2) It's not clear to me how you reach the remote site. I see no wireguard vpn for example???

(3) What is the purpose of the pptp???

(4) It would seem that the MT does not have a public IP but may get a private IP from an upstream router?
IF so, can you port forward to the MT from this router??

(5) Does your main MT device have a public IP??

(6) Concur on firewall rules, start with defaults and adjust accordingly.