I have a new, freshly configured RB951 (Router OS 6.48.6) with a base-level config, the basics to connect to the internet. While I have internet access, I have issues with virtually every other part of my system.
Here’s my symptoms:
I have a cloud-based application that uses web UIs to control photography equipment - this has lost connection to my cameras and printers.
None of my hosts are able to access any web-based speed test (“any” might be hyperbole, but speedtest.org and fast.com just return errors). Also, ironically, the Mikrotik page behaves the same way. It will load, but every link fails (very frustrating while trying to download winbox).
My Unifi APs are broadcasting SSIDs, but those WLANs don’t have access to the internet.
DHCP is running, several devices have valid leases but there are a few devices that will grab a DHCP IP, then disconnect from the LAN. No IP conflicts, just get IP - drop off LAN. When I set them as static everything works. It’s just when they get DHCP addresses.
I have a 100/100 fiber link from Verizon, I’m getting about 3-4 Mbps and very poor upload, sub 1 meg. There are also duplex and auto-negotiation errors in the log sporadically.
I have configured hundreds of RB951s over the years with my previous company and have never had these issues. I’m not an expert by any means (in fact, I mostly configure these with scripts), but I feel like I have to be missing something.
Thanks for taking a look; I didn’t realize there were any replies here.
Here’s my testing config (I’ve thoroughly poked holes in it in an attempt to solve some of these issues).
# jun/06/2022 23:23:15 by RouterOS 6.48.6
# software id = QCL1-AXIQ
#
# model = RB951G-2HnD
# serial number = xxxxxxxxxxx
/interface bridge
add admin-mac=x auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-C7588D wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=venue-pool ranges=192.168.2.20-192.168.2.99
/ip dhcp-server
add address-pool=venue-pool disabled=no interface=bridge lease-time=2d name=\
sb-lan
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.1/24 interface=bridge network=192.168.2.0
add address=x.x.x.226/30 interface=ether1 network=x.x.x.224
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1,9.9.9.9 gateway=192.168.2.1 \
ntp-server=192.168.2.1
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=9.9.9.9,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=x.x.x.225
/ip service
set telnet disabled=yes
set www-ssl disabled=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=xxxx_6-48-6
/system logging
add topics=firewall
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The cables are all new, and they’ve been swapped out for new cables. I don’t think it’s physical, unless it’s the actual router or port. I’m not ruling that out completely, but I’ve installed over 100 of these and I don’t think I’ve ever had a failure out of the box.
There’s a theory that our ISP (Verizon business, 100/100 fiber) may be blocking some HTTPS traffic.
But if it’s not the cable, my next go-to is DNS. Your config has a 512 packet size limit, which isn’t the default AFAIK, and certainly if a DNS lookup failed for a client, it would look like an “HTTPS issue”…
That seems like something worth exploring if not DNS. Bad, or older/incompatible/etc. ONT on the Verizon end? Do you regularly use their internet service? It’s possible it’s some captive portal, or it needs some MAC/802.11/etc. authentication to connect to VZ.
If you have switches, you might want to make sure [M/R/]STP isn’t going into blocking mode someplace. That introduces a lot of weird problems (e.g. a printer/other device coming online causes an STP recalc, and all devices would have issues while STP converges).
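Added example (mine, not code from the thread or from MikroTik): a small Python script that parses a RouterOS export in the form posted above and flags the two things worth checking in that config before chasing the ISP: every /ip firewall filter rule is disabled=yes while /ip dns has allow-remote-requests=yes, which leaves the router answering DNS for anyone who reaches ether1 (an open resolver), and the max-udp-packet-size=512 that the reply above questions. The embedded export is a constructed excerpt of the posted config; the 4096 value used as the comparison is RouterOS's documented default for max-udp-packet-size, and the "[ find default-name=... ]" handling assumes the export syntax shown on this page.

```python
"""Audit a RouterOS /export for the exposure and DNS settings discussed in the thread."""
import shlex

# Constructed excerpt of the config posted above (only the sections the checks
# look at). Continuation lines keep the export's trailing backslash.
SAMPLE_EXPORT = r"""# jun/06/2022 23:23:15 by RouterOS 6.48.6
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no speed=100Mbps
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=9.9.9.9,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
"""

ROUTEROS_DNS_UDP_DEFAULT = 4096  # documented default for max-udp-packet-size


def _logical_lines(text):
    """Join export continuation lines (trailing backslash) and drop comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # export continues on the next line
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text):
    """Return {section: [entry, ...]}; each entry maps key -> value plus 'verb'.

    The interface named inside "[ find default-name=X ]" is stored as 'target'.
    """
    sections, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)    # honours the double-quoted comment values
        entry, in_find = {"verb": tokens[0]}, False
        for tok in tokens[1:]:
            if tok == "[":
                in_find = True
            elif tok == "]":
                in_find = False
            elif "=" in tok:
                key, value = tok.split("=", 1)
                entry["target" if in_find else key] = value
        sections.setdefault(current, []).append(entry)
    return sections


def audit(text):
    """Return (severity, message) findings, highest severity first."""
    cfg = parse_export(text)
    findings = []
    rules = cfg.get("/ip firewall filter", [])
    active = [r for r in rules if r.get("disabled", "no") != "yes"]
    if rules and not active:
        findings.append(("high", "every /ip firewall filter rule is disabled: "
                                 "the router's input chain is wide open"))
    # An enabled input-chain drop for traffic not from LAN (or from WAN)
    # is what keeps router services such as DNS off the internet.
    wan_input_guard = any(
        r.get("chain") == "input" and r.get("action") == "drop"
        and r.get("in-interface-list") in ("!LAN", "WAN")
        for r in active)
    dns = (cfg.get("/ip dns") or [{}])[0]
    if dns.get("allow-remote-requests") == "yes" and not wan_input_guard:
        findings.append(("high", "DNS allow-remote-requests=yes with no enabled "
                                 "input drop from WAN: open resolver reachable from the internet"))
    if "max-udp-packet-size" in dns and int(dns["max-udp-packet-size"]) < ROUTEROS_DNS_UDP_DEFAULT:
        findings.append(("medium", f"max-udp-packet-size={dns['max-udp-packet-size']} is below the "
                                   f"{ROUTEROS_DNS_UDP_DEFAULT} default; larger answers are truncated "
                                   "and need a TCP retry"))
    for eth in cfg.get("/interface ethernet", []):
        if eth.get("auto-negotiation") == "no":
            findings.append(("info", f"{eth.get('target', '?')}: auto-negotiation=no, so speed/duplex "
                                     "must match the far end exactly or the log shows duplex errors"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_EXPORT):
        print(f"[{severity}] {message}")
```

Re-running the audit after flipping the posted rules back to disabled=no clears both high findings, because the "drop all not coming from LAN" input rule is then active and shields the resolver; the 512-byte DNS setting and the forced 100 Mbps port are reported independently of the firewall state.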
The default MTU size and auto negotiation were specific configurations Verizon told us to make.
It’s a business fiber link, they sent a configuration email with a /30 address (later changed to /29), an MTU size, as well as speed and duplex of 100 full.