No access to certain sites

Hi,

It’s been literally a year (20240516) since I last touched the config of my MT devices. The only thing I’ve been doing since has been updating the OS, 7.14.3 then, 7.18.2 now.
Lately I’ve been having more and more problems accessing certain sites and I have the impression it’s MT related.

There’s a MT LHG R providing internet at home. It’s connected to a MT hAP AX3 which deals with DHCP, firewall, etc.
In the LHG I have a sim for the same provider with the same subscription as the sim in my phone. On my phone I can access duckduckgo.com without issues, on my laptop I can not. If I connect my laptop, using the same internet connection, to a VPN all works again. Hence me assuming it’s MT related.

DNS works, I can determine the IP addresses.
I can ping and traceroute google.com by name and IP. I can’t for duckduckgo.com for example.

google.com

traceroute google.com
traceroute to google.com (142.250.201.174), 30 hops max, 60 byte packets
1 _gateway (192.168.1.1) 2.445 ms 2.347 ms 2.309 ms
2 * * *
3 192.168.20.62 (192.168.20.62) 31.866 ms 31.571 ms 31.504 ms
4 192.168.255.17 (192.168.255.17) 31.500 ms 31.491 ms 31.480 ms
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * par21s23-in-f14.1e100.net (142.250.201.174) 36.046 ms

duckduckgo.com

traceroute duckduckgo.com
traceroute to duckduckgo.com (52.142.124.215), 30 hops max, 60 byte packets
1 _gateway (192.168.1.1) 2.406 ms 2.360 ms 2.350 ms
2 * * *
3 192.168.20.62 (192.168.20.62) 30.617 ms 30.426 ms 32.396 ms
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Ping and traceroute give the same results on my laptop as in the hAP AX3 web UI.

I don’t know where 192.168.20.62 and 192.168.255.17 are coming from, they aren’t different devices on my network nor have I configured anything for it, so I assume it’s a MT internal thing.
For all websites that work it passes through these two addresses, for all the sites that do not work it only passes through the first IP address.
There aren’t any firewall drop counters going up either.

Attached you’ll find the config of the hAP AX3.

I did not have the mangle rule until today. I added it to test if it would solve the issue, but alas.
I’m at 7.18.2 at the moment. As a test I subsequently downgraded to 7.18.1, 7.18.0 and 7.17.2 as well, but still no go for any of the versions.

What can be the cause of the problem?
What can I do to determine the cause and, most importantly, how can I fix it?
hAPax3.vlan.export-20250515_share.rsc.txt (12.9 KB)
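A small checker for the observation above (working sites pass through both private hops, failing ones stop after the first). This is an added example, not part of the original post or of RouterOS: it parses the two traceroute outputs quoted above, shortened to their informative hops, and reports where the failing path stops and whether that last hop is still in private address space. Replace the embedded samples with fresh traceroute output to reuse it.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: the two traceroute runs from the post above, shortened to the
# informative hops (the runs of "* * *" between them are omitted; hop numbers
# are preserved so nothing is misattributed).
TRACE_GOOGLE = """\
traceroute to google.com (142.250.201.174), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.1)  2.445 ms  2.347 ms  2.309 ms
 2  * * *
 3  192.168.20.62 (192.168.20.62)  31.866 ms  31.571 ms  31.504 ms
 4  192.168.255.17 (192.168.255.17)  31.500 ms  31.491 ms  31.480 ms
 5  * * *
18  * * par21s23-in-f14.1e100.net (142.250.201.174)  36.046 ms
"""

TRACE_DDG = """\
traceroute to duckduckgo.com (52.142.124.215), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.1)  2.406 ms  2.360 ms  2.350 ms
 2  * * *
 3  192.168.20.62 (192.168.20.62)  30.617 ms  30.426 ms  32.396 ms
 4  * * *
30  * * *
"""

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\(([\d.]+)\)")

Hop = Tuple[int, Optional[str]]

@dataclass
class Trace:
    target: str
    target_ip: str
    hops: List[Hop] = field(default_factory=list)

def parse_traceroute(text: str) -> Trace:
    """Parse Linux traceroute output into (hop number, responding IP or None)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = HEADER_RE.match(lines[0])
    if header is None:
        raise ValueError("not a traceroute header: %r" % lines[0])
    trace = Trace(header.group(1), header.group(2))
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if m is None:
            continue
        # A hop counts as responding if any of its probes returned an address,
        # e.g. "18  * * par21s23-in-f14.1e100.net (142.250.201.174)  36.046 ms".
        addr = ADDR_RE.search(m.group(2))
        trace.hops.append((int(m.group(1)), addr.group(1) if addr else None))
    return trace

def responding_hops(trace: Trace) -> List[Hop]:
    return [(n, ip) for n, ip in trace.hops if ip is not None]

def reached_destination(trace: Trace) -> bool:
    return any(ip == trace.target_ip for _, ip in trace.hops)

def last_responding_hop(trace: Trace) -> Optional[Hop]:
    hops = responding_hops(trace)
    return hops[-1] if hops else None

def is_private(ip: str) -> bool:
    """Non-global address space (RFC 1918 etc.): a hop before any public egress."""
    return ipaddress.ip_address(ip).is_private

def compare_paths(good: Trace, bad: Trace) -> dict:
    """Shared prefix of responding hops, and where the failing trace stops."""
    g, b = responding_hops(good), responding_hops(bad)
    shared = []
    for gh, bh in zip(g, b):
        if gh != bh:
            break
        shared.append(gh)
    bad_last = last_responding_hop(bad)
    return {
        "shared_prefix": shared,
        "good_reached": reached_destination(good),
        "bad_reached": reached_destination(bad),
        "bad_last_hop": bad_last,
        "bad_last_hop_private": bad_last is not None and is_private(bad_last[1]),
    }

if __name__ == "__main__":
    result = compare_paths(parse_traceroute(TRACE_GOOGLE), parse_traceroute(TRACE_DDG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

One caveat when reading the output: a hop that shows `* * *` is not evidence of a block on its own, since many routers never answer traceroute probes (the working google.com trace has thirteen such hops). The useful signals are whether the destination itself answers and where the last responding hop sits; here the failing trace never gets past a hop that is still inside private address space.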

You have both ether1 and vlan80-net added to your WAN interface list.

add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=vlan80-net list=WAN

I assume that Internet is delivered on ether1 VLAN id 80, correct?

In that case:

Remove ether1 from the bridge:

/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10

Remove dhcp-client from ether1:

/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

Change VLAN:

/interface vlan
add interface=bridge name=vlan80-net vlan-id=80

to:

/interface vlan
add interface=ether1 name=vlan80-net vlan-id=80

Because you are doing VLAN all the way, don’t add DHCP server to the bridge:

/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m \
    name=defconf

Ether1 should have no other VLANs (unless it is used as well?) (remove ether1):

/interface bridge vlan
add bridge=bridge comment=domotics disabled=yes tagged=bridge,ether1 \
    vlan-ids=30
add bridge=bridge comment=home tagged=bridge,ether1 vlan-ids=10
add bridge=bridge comment=guest tagged=bridge,ether1 vlan-ids=20
add bridge=bridge comment=man tagged=bridge,ether1 vlan-ids=99

And there should be no vlan tagged on the bridge for vlan id 80 (remove bridge):

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=80

Remove ether1 from list=WAN:

/interface list member
add comment=defconf disabled=yes interface=ether1 list=WAN

No address needed on the bridge (as you go VLAN all the way) (remove it):

/ip address
add address=192.168.1.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.1.0

That is…to start with…good luck!

Thanks for the input…but I don’t quite understand how all this is needed for a setup that has been working for more than a year without issues, and that it would only break for specific websites now.

vlan80-net is internet from the LHG, yes.
Did you notice the “disabled=yes” in most of the items? :wink:
All the VLAN pass through ether1. The remaining suggested changes will basically break the lot as far as I can tell.

To get a picture of the more complete setup:

The difference with the image is that the switch is managed now, so there’s no untagged traffic any more, with green being vlan10-home now.
signal-2024-05-15-19-21-23-152.png

Context is key…can you explain how you want things to work?

I'm not sure how to respond to that. I'm not looking to change my setup.
VLANs can be set up in different ways and mine might not be perfect, but that does not explain how some sites work and some don't, especially when all worked before without a change in configuration.

It might help if someone can explain where those two traceroute hops with internal IPs come from. At no point am I using those IP ranges on any of my devices.
What could cause one site to pass to the second one and another to stop after the first?

I mean having an understanding of your network.
In regards to the IP addresses…it looks like you are behind NAT (on the outside), is that possible?