NAT problems - Xbox One and Nintendo Switch

@erlinden, the Xbox says that I’m not connected to internet. No IP given. Nothing.

Here’s the result from prompt:

1 2 ms 2 ms 51 ms 192.168.0.1
2 3 ms 3 ms 3 ms 10.5.0.1
3 5 ms 3 ms 3 ms 192.168.3.1
4 5 ms 5 ms 4 ms gateway-myauth.persisinternet.com.br [xx.xx.109.1]
5 8 ms 24 ms 12 ms core06-cus-apu-to-vl-410.persistelecom.com.br [xx.xx.62.254]
6 8 ms 9 ms 23 ms core02-ara-at-re1-407.persisinternet.com.br [xx.xx.56.89]
7 8 ms 5 ms 6 ms acesso-56-85.persisinternet.com.br [xx.xx.56.85]
8 9 ms 7 ms 11 ms core02-ara-at-re1-406.persisinternet.com.br [xx.xx.56.81]
9 11 ms 12 ms 28 ms border02-ldb-dc-vl-536.persistelecom.com.br [xx.xx.63.185]
10 * * * Esgotado o tempo limite do pedido.
11 31 ms 20 ms 21 ms ae24-190g.scr4.gru1.gblx.net [xx.xx.100.1]
12 * * * Esgotado o tempo limite do pedido.
13 126 ms 124 ms 123 ms ae1-300g.ar5.mia1.gblx.net [xx.xx.94.249]
14 * * * Esgotado o tempo limite do pedido.
15 245 ms 246 ms 245 ms ae-125-3515.bar1.helsinki1.level3.net [xx.xx.203.26]
16 724 ms 402 ms * xx.xx.123.22
17 407 ms 371 ms 397 ms xx.xx.223.130
18 * * * Esgotado o tempo limite do pedido.
19 * * * Esgotado o tempo limite do pedido.
20 * * * Esgotado o tempo limite do pedido.
21 385 ms 371 ms 370 ms xx.xx.147.205

** I inserted the “xx” myself, ok


@sob I know what a public/private IP is, I don’t know HOW to see that on MikroTik, sorry.

On IP/addresses I got:

ether 1 192.168.1.100/24 and 192.168.1.0
ether 2 192.168.2.100/24 and 192.168.2.0
ether 3 192.168.4.100/24 and 192.168.4.0
ether 4 192.168.3.101/24 and 192.168.3.0

ether 5 is 10.5.0.0

mine is 10.5.0.234

Here is the “myconfig” file…

aug/26/2019 22:15:29 by RouterOS 6.36.1

software id = 8AZ2-KDTR

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=PPPoE ranges=10.5.0.2-10.5.0.254
/ppp profile
add change-tcp-mss=yes comment="Toda banda" local-address=10.5.0.1 name=FULL \
    remote-address=PPPoE use-upnp=yes
add change-tcp-mss=no comment=5mb local-address=10.5.0.1 name="5 MEGA" \
    only-one=yes rate-limit=5100k/5100k remote-address=PPPoE
add change-tcp-mss=no comment=10Mb local-address=10.5.0.1 name="10 MEGA" \
    only-one=yes rate-limit=10100k/10100k remote-address=PPPoE
add comment="20 mb" local-address=10.5.0.1 name="20 MEGA" rate-limit=\
    20000K/20000K remote-address=PPPoE use-upnp=yes
/interface pppoe-server server
add authentication=pap,chap disabled=no interface=ether5 keepalive-timeout=30 \
    max-mru=1480 max-mtu=1480 one-session-per-host=yes service-name=Server
/ip address
add address=10.5.0.1/24 interface=ether5 network=10.5.0.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=ether1
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=ether2
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=ether3
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=ether4
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=drop chain=input dst-port=53 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-type=!local \
    new-routing-mark=route_1 passthrough=no per-connection-classifier=\
    both-addresses:4/0
add action=mark-routing chain=prerouting dst-address-type=!local \
    new-routing-mark=route_2 passthrough=no per-connection-classifier=\
    both-addresses:4/1
add action=mark-routing chain=prerouting dst-address-type=!local \
    new-routing-mark=route_3 passthrough=no per-connection-classifier=\
    both-addresses:4/2
add action=mark-routing chain=prerouting dst-address-type=!local \
    new-routing-mark=route_4 passthrough=no per-connection-classifier=\
    both-addresses:4/3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether4
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=route_1
add check-gateway=ping distance=2 gateway=192.168.2.1 routing-mark=route_2
add check-gateway=ping distance=3 gateway=192.168.3.1 routing-mark=route_3
add check-gateway=ping distance=4 gateway=192.168.4.1 routing-mark=route_4
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1
add check-gateway=ping distance=3 gateway=192.168.3.1
add check-gateway=ping distance=4 gateway=192.168.4.1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=external
add interface=ether3 type=external
add interface=ether4 type=external
add interface=ether5 type=internal
/ppp secret
add name=teste profile=FULL service=pppoe
*** list of users…
add name=rodrigo profile="20 MEGA" service=pppoe
/system clock
set time-zone-name=America/Sao_Paulo
/system routerboard settings
set memory-frequency=1200DDR protected-routerboot=disabled

@erlinder
@sob

any ideas?

thanks

Sorry, I sometimes put some topics aside, to have a better look when I have more time, but sometimes it happens that they get lost among other browser tabs.

I see two possible problems:

  1. Too many NATs. You have at least three and no easy way to get rid of them. With some luck, the one at the ISP may be NAT 1:1 (less bad), but it’s not guaranteed. You could get rid of the one where the TP-Link is, but it may not be possible with TP-Link and PPPoE, because it’s a simple home router and they usually have only a few predefined modes and no advanced config is possible. Before you start playing with that, try to connect your gaming device directly to the RB. Add another subnet to a free port, enable a DHCP server on it, connect the device there and test if it works better.

  2. PCC (load balancing). I don’t know how much these devices try to punch holes through NAT and make direct connections, but if they do, PCC can be a problem, because connections to different devices can use different uplinks. So start with this, because it’s easy to test. Add a new rule:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=route_1 passthrough=no src-address=10.5.0.X

where 10.5.0.X is your TP-Link’s WAN address, and move it before the existing rules. It will make all connections from your network use only a single uplink. And see if it helps.
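The two tests above, written out as one RouterOS session (an added example, not configuration from any post in this thread): the console gets its own subnet on a spare RB port so it sits behind only one NAT, that subnet is pinned to a single uplink ahead of the PCC rules, and the port is registered as a UPnP internal interface. ether6 as the free port, 192.168.50.0/24 and the pool range are assumptions; route_1, the ether1-ether4 uplinks and the masquerade rules come from the posted config. The `place-before=0` index refers to the numbering shown by the `print` run just before it in the same console session.

```routeros
# Added example, not from the thread. Assumes ether6 is an unused port on the RB;
# 192.168.50.0/24 and the DHCP pool range are constructed values.

# 1. Address and DHCP server for the test subnet. The router's own resolver is handed
#    out as DNS: the posted input chain drops only TCP/53, so UDP/53 still reaches it.
/ip address
add address=192.168.50.1/24 interface=ether6 network=192.168.50.0
/ip pool
add name=console-pool ranges=192.168.50.10-192.168.50.50
/ip dhcp-server
add name=console-dhcp interface=ether6 address-pool=console-pool disabled=no
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1

# 2. Force everything from the test subnet onto one uplink (route_1 = the 192.168.1.1
#    gateway) before the per-connection-classifier rules can spread its connections,
#    and therefore its public source addresses, across ether1-ether4.
#    "print" first so that place-before=0 refers to the current first rule.
/ip firewall mangle
print
add action=mark-routing chain=prerouting dst-address-type=!local \
    new-routing-mark=route_1 passthrough=no src-address=192.168.50.0/24 \
    place-before=0

# 3. Let the console's UPnP requests reach the router's UPnP server. The posted
#    masquerade rules match any source leaving ether1-ether4, so no NAT change is needed.
/ip upnp interfaces
add interface=ether6 type=internal

# 4. Check: connections from the test subnet should all carry one routing mark, and
#    any port mappings the console opened via UPnP appear as dynamic (D) NAT rules.
/ip firewall connection print where src-address~"^192.168.50."
/ip firewall nat print where dynamic=yes
```

If the console reports an open NAT from this subnet but not from behind the TP-Link, the remaining problem is the extra NAT layers, not the RB itself.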

One thing to consider: has anyone on the forums actually stated they have a working LIVE XBOX or NINTENDO with MIKROTIK??? By that I mean interactive gaming. I use NINTENDO myself for games and there is another user of XBOX in the house. That person can also play games. These are purchased games with no live interaction - playing against others.
I have never tried interactive gaming with my NINTENDO but the XBOX user couldn’t get it to work when attempted. I tried separate VLANs and many other tricks and never got his XBOX to work in a live gaming scenario. So unless someone here can prove they have successfully implemented XBOX or NINTENDO connectivity for interactive gaming, the OP may have a point which has nothing to do with TP-Link etc… but points to some NAT peculiarity with MT products… nothing surprises me anymore!

VLANs by themselves won’t help you, the problem is incoming traffic and NAT. In an ideal world, each device would have its own public address and they would be able to connect to each other directly. But there are not enough public IPv4 addresses for everyone, you need to hide multiple devices behind one common address, that’s what NAT does. But it ruins incoming connections, because each internal device is no longer directly addressable.

There are some ways to get around that (search for “NAT punching”), but those are all hacks with no guarantees. The only reliable way is port forwarding, where ports are really open for anyone. I don’t know if any of those gaming devices support some kind of static config, I’d expect that most people would be too lazy to configure it. So your best chance is working UPnP where devices can open ports automatically. But for that to work, you need a public address directly on your router, i.e. only one NAT. If you have double, triple, …, you’d need some UPnP proxy on each router, but it’s definitely not a common thing.

Then there’s IPv6 with enough public addresses for everyone, it should be the best solution. But for some reason people seem to put much more effort into NAT traversal (which is a dead end), instead of adopting the real solution.

My son plays Xbox with other players on the WWW, I only have MikroTik in my house :)

The OP’s problem is all the NATs along the path.

Can you post your settings for Xbox, as I cannot get my guest to play games against others over the internet :(
Also, can you list which games specifically work?

@sob tried the config, but had no success…

It looks like this

Action Chain Src. Address Dst. Address Protocol Src. Port Dst. Port Any. Port In. Interface Out. Interface Bytes Packets

  • D 0 change MSS forward 6 (tcp) all ppp 0 B 0
  • D 0 change MSS forward 6 (tcp) all ppp 306.5 MiB 5 391 646
    -D 1 mark routing prerouting 10.5.0.234 178.9 KiB 1 055
    -D 2 mark routing prerouting 58.4 GiB 370 988 753
    -D 3 mark routing prerouting 72.6 GiB 420 297 717
    -D 4 mark routing prerouting 87.5 GiB 414 299 216
    -D 5 mark routing prerouting 61.7 GiB 422 708 090

But it DOES change something…

  1. Xbox says that my NAT is “not available” (xbox.com/xboxone/Teredo). When I run the NAT test, it says that I can’t get a Teredo IP, or something

  2. On my TP-Link, under Status/WAN, the DNS server now says 10.5.0.1 xx.xx.58.254 (before it was 10.5.0.1 and 192.168.3.0 or something)

  3. On the Nintendo Switch the NAT traversal result stays the same.

thanks again

I have nothing special in my FW rules that has not been mentioned / discussed here ad nauseam, but this must come with a warning: I make use of UPnP.
My son has not yet had any issues with any of his games, i.e. Minecraft, Battlefield 4, Call of Duty, etc.

add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Allow Established / Related" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow New connections from LAN" connection-state=new in-interface-list=Trusted
add action=accept chain=forward comment="Allow if Destination NAT Rule" connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="Default Drop" in-interface-list=WAN

So UPnP is enabled on the router?? (wondering, as you have no special FW rules for it)
Can you post your UPnP settings… there seem to be interfaces and a type that are configurable.
Assuming on the first page you select “enabled” vice “show dummy rule”
(how do you narrow it down and what is the minimum required?).

Not at my laptop now, but the interfaces are just which is internal and which is external, i.e. in my case, the PPPoE interface is external and the bridge is internal.

UPnP will dynamically create the relevant NAT rules, hence the warning: internal devices can open network access to the outside world.

@RodrigoBrito: I’m afraid there’s no easy solution for you. It’s probably the “too many NATs” problem. For the best chance of success, you’d have to change a lot. You’d need to convince the ISP to deliver public addresses directly to your main router. Then you’d probably have to get rid of the TP-Links and replace them with something else, because I doubt that you can configure them without NAT while still keeping PPPoE for authentication. Even if that was possible, or if you’d set authentication aside for the moment and configured the TP-Links as simple ethernet routers (that could be supported), having user devices in a different network would prevent them from using UPnP (which is the best chance to get things working), unless there was some UPnP proxy on the TP-Link (I don’t know how common that is; RouterOS doesn’t have it). You could probably come up with some other way (instead of PPPoE) to isolate users’ networks (again not very likely with TP-Links), make some tunnels to the main router and bridge them with users’ networks, so they would be directly connected subnets to the main router and devices would be able to use UPnP and everything should work. Only it would be a security disaster, because there’s no access control in MikroTik’s UPnP server (*), so anyone would be able to open ports to anyone else’s devices.

(*) Before @anav asks, it’s not a problem if you have only your own LAN with trusted devices.

I have an old game, Age Of Mythology. I used to play this game over LAN in my college days, but unfortunately this is not working. If anyone can help me, please reply.