"No Internet Access" Issue on RB1100AHx2 (Hotspot Gateway) - 590 Active Users

Dear Community,
I am experiencing a serious issue with internet access on our MikroTik RB1100AHx2 device (RouterOS v6.49.18), which serves as the primary hotspot gateway for our company’s internal network.
Problem Details:

  • When the number of active users reaches approximately 590, clients start to lose internet access completely (“No Internet Access”).
  • Clients can still connect to the company’s SSID, but they cannot log in to the hotspot landing portal.
  • The estimated peak number of users at any one time can reach 1000 IPs / devices.

Device Configuration:

  • Device Model: MikroTik RB1100AHx2
  • Function: Hotspot Gateway for wireless clients (the majority of our customers use wireless clients for work).
  • Active Configuration Features: Filter Rules, NAT, DST-NAT, and Simple Queues.
  • External Hotspot Management System: We integrate this device with a third-party hotspot management platform, OpenWiFi from Linkfyi. OpenWiFi functions as the [RADIUS server and captive portal].
Steps Already Taken:

  • If we disable the Hotspot, Internet Access returns to normal.

We are having difficulty identifying the root cause as there are no clear indications from the device logs or our monitoring.
We kindly request your assistance in performing further analysis.

For your reference, I have attached:

  • The device configuration export file (.rsc)
  • Documentation when the issue occurs

Thank you for your attention and assistance.

Regards,


# apr/21/2025 00:06:58 by RouterOS 6.49.18
# 
#
# model = 1100AHx2
/interface ethernet
set [ find default-name=ether1 ] comment="Traffic WAN" name=\
    "ether1" 
set [ find default-name=ether2 ] 
set [ find default-name=ether3 ] 
set [ find default-name=ether4 ] 
set [ find default-name=ether5 ] comment="Traffic WAN to RO Client" name=\
    "ether5-Traffic WAN to RO Client" 
set [ find default-name=ether6 ] 
set [ find default-name=ether7 ] 
set [ find default-name=ether8 ] 
set [ find default-name=ether9 ] 
set [ find default-name=ether10 ] 
set [ find default-name=ether11 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether12 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=ether3 name="VLAN [10]" vlan-id=10
add interface=ether3 name="[60]-HOTSPOTGUEST" vlan-id=60
add interface=ether3 name="[61]-HOTSPOT OWNER" vlan-id=61
add interface=ether3 name="[62]-HOTSPOT PUBLIC AREA" vlan-id=62
add interface=ether3 name=vlan70-BOD vlan-id=70
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=Tiktok regexp="^.+(tiktok.com|musical.ly).*\$"
/ip hotspot profile
add hotspot-address=10.200.0.1 html-directory=***_***_new login-by=\
    cookie,http-chap,http-pap name="Profile ***" use-radius=yes
add hotspot-address=10.200.10.1 html-directory=***_***_new \
    html-directory-override=***_***_new login-by=\
    cookie,http-chap,http-pap name="Profile landing page baru" use-radius=yes
/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=1d shared-users=unlimited
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool2 ranges=192.168.25.2-192.168.25.254
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool3 ranges=10.200.0.2-10.200.7.254
add name="Pool Hotspot" ranges=10.200.0.50-10.200.7.254
add name=dhcp_pool4 ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool5 ranges=10.200.8.2-10.200.9.0,10.200.9.2-10.200.9.254
add name=dhcp_pool16 ranges=172.16.70.10-172.16.70.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
    interface="VLAN [10]" lease-time=5m name=dhcp1
add address-pool="Pool Hotspot" authoritative=after-2sec-delay disabled=no \
    interface="[60]-HOTSPOTGUEST" lease-time=12h name=dhcp2
add address-pool=dhcp_pool5 authoritative=after-2sec-delay disabled=no \
    interface="[61]-HOTSPOT OWNER" lease-time=3d name=dhcp3
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no \
    interface="[62]-HOTSPOT PUBLIC AREA" lease-time=1d name=dhcp4
add address-pool=dhcp_pool4 authoritative=after-2sec-delay interface=ether3 \
    lease-time=3d name=dhcp5
add address-pool=dhcp_pool16 disabled=no interface=vlan70-BOD lease-time=6h \
    name=dhcp6
/ip hotspot
add address-pool="Pool Hotspot" idle-timeout=3d interface="[60]-HOTSPOTGUEST" \
    name="Hotspot Ether 5" profile="Profile ***"
add address-pool=dhcp_pool2 idle-timeout=3d interface=\
    "[62]-HOTSPOT PUBLIC AREA" name="hs-[62]-HOTSPOTMEETING" profile=\
    "Profile landing page baru"
add address-pool=dhcp_pool2 idle-timeout=30m interface=\
    "[62]-HOTSPOT PUBLIC AREA" name=@*** profile=\
    "Profile landing page baru"
add address-pool="Pool Hotspot" disabled=no idle-timeout=30m interface=\
    "[60]-HOTSPOTGUEST" name=@***_GUEST profile="Profile ***"
/port
set 1 baud-rate=9600
/queue simple
add limit-at=11M/11M max-limit=11M/11M name=BOD target=172.16.70.0/24
/snmp community
set [ find default=yes ] addresses="****" name=prtg
add addresses=10.254.206.27/32 disabled=yes name=checkmk
/system logging action
add name=syslogprtg remote=10.254.206.34 src-address=*** target=\
    remote
/interface l2tp-server server
set enabled=yes ipsec-secret=***#2022 use-ipsec=yes
/interface pptp-server server
set enabled=yes
/ip address
add address=***/29 interface=\
    "ether1-Traffic WAN" network=***
add address=172.16.10.1/24  network=172.16.10.0
add address=120.29.158.193/30 interface="ether5-Traffic WAN to RO Client" \
    network=120.29.158.192
add address=***  interface=\
    "ether1-Traffic WAN to RO.FAILOVER" network=***
add address=***/29  interface=\
    "ether1-Traffic WAN to RO.FAILOVER" network=***
add address=10.200.0.1/21 comment="IP Hotspot" interface="[60]-HOTSPOTGUEST" \
    network=10.200.0.0
add address=10.200.9.1/23 comment="IP Hotspot Owner Area" interface=\
    "[61]-HOTSPOT OWNER" network=10.200.8.0
add address=10.200.10.1/23 comment="IP Hotspot Public Area" interface=\
    "[62]-HOTSPOT PUBLIC AREA" network=10.200.10.0
add address=172.16.70.1/24 interface=vlan70-BOD network=172.16.70.0
/ip dhcp-client
add add-default-route=no interface=ether9
/ip dhcp-server lease
/ip dhcp-server network
add address=10.200.0.0/21 gateway=10.200.0.1
add address=10.200.8.0/23 gateway=10.200.9.1
add address=10.200.10.0/23 gateway=10.200.10.1
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.70.0/24 gateway=172.16.70.1
add address=192.168.25.0/24 gateway=192.168.25.1
add address=192.168.100.0/26 gateway=192.168.100.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,***,****
/ip firewall address-list
add address=172.16.16.0/24 list=whitelist_PMS
add address=10.200.0.0/21 list=IP
add address=10.200.8.0/23 list=IP
add address=10.200.10.0/23 list=IP
add address=172.16.10.0/24 list=IP
add address=172.16.70.0/24 list=IP
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=forward dst-address=***
add action=accept chain=forward dst-address=***
add action=accept chain=forward dst-address=*** dst-port=80,433 \
    protocol=tcp
add action=accept chain=forward dst-address=*** dst-port=\
    80,443,10000-12000 protocol=tcp
add action=accept chain=forward dst-address=*** dst-port=3478,3479 \
    protocol=udp
add action=accept chain=forward dst-address=*** dst-port=\
    80,443,10000-12000 protocol=tcp
add action=accept chain=forward dst-address=*** dst-port=3478,3479 \
    protocol=udp
add action=accept chain=forward dst-address=*** dst-port=80,433 \
    protocol=tcp
add action=accept chain=forward dst-address=*** dst-port=80,433 \
    protocol=tcp
add action=accept chain=forward dst-address=*** dst-port=80,433 \
    protocol=tcp
add action=accept chain=forward dst-address=*** dst-port=80,433 \
    protocol=tcp
add action=accept chain=forward dst-address=***/24
add action=accept chain=forward src-address=***/29
add action=accept chain=input src-address=***/29
add action=accept chain=forward src-address=***/30
add action=accept chain=input src-address=***/30
add action=accept chain=forward comment="rek pak arif" dst-port=110 protocol=\
    tcp
add action=accept chain=forward comment="rek pak arif" protocol=tcp src-port=\
    110
add action=accept chain=forward dst-port=25 protocol=tcp
add action=accept chain=forward protocol=tcp src-port=25
add action=accept chain=forward protocol=tcp src-port=587
add action=accept chain=forward dst-port=587 protocol=tcp
/ip firewall mangle
add action=change-mss chain=forward comment=mangle in-interface=\
    "ether1-Traffic WAN " new-mss=1310 passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=1311-65535
add action=change-mss chain=forward comment=mangle new-mss=1410 \
    out-interface="ether1-Traffic WAN " passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=1411-65535
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=!IP \
    src-address-list=IP to-addresses=***
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=masquerade chain=srcnat \
    src-address=10.254.154.176/29
add action=src-nat chain=srcnat src-address=192.168.26.0/24 to-addresses=\
    ***
add action=dst-nat chain=dstnat dst-address=10.254.102.89 dst-port=8998 \
    protocol=tcp to-addresses=172.16.200.2 to-ports=8788
add action=dst-nat chain=dstnat  \
    dst-address=*** dst-port=8184 protocol=tcp to-addresses=\
    10.254.102.92 to-ports=8788
add action=dst-nat chain=dstnat dst-address=\
    *** dst-port=8089 protocol=tcp to-addresses=10.254.102.92 \
    to-ports=8089
add action=dst-nat chain=dstnat  \
    dst-address=10.254.102.89 dst-port=8185 protocol=tcp to-addresses=\
    10.254.102.93 to-ports=8788
add action=dst-nat chain=dstnat dst-address=*** dst-port=8190 protocol=tcp \
    to-addresses=172.16.10.244 to-ports=80
add action=dst-nat chain=dstnat dst-address=*** dst-port=8189 protocol=tcp \
    to-addresses=172.16.10.245 to-ports=80
add action=dst-nat chain=dstnat dst-address=*** dst-port=8181 \
    protocol=tcp to-addresses=172.16.10.247 to-ports=80
add action=dst-nat chain=dstnat dst-address=*** dst-port=8182 protocol=tcp to-addresses=\
    172.16.10.248 to-ports=80
add action=dst-nat chain=dstnat dst-address=*** dst-port=\
    8186 protocol=tcp to-addresses=172.16.10.246 to-ports=80
add action=dst-nat chain=dstnat  disabled=yes dst-address=\
    *** dst-port=8180 protocol=tcp to-addresses=172.16.10.251 \
    to-ports=80
add action=dst-nat chain=dstnat \
    disabled=yes dst-address=*** dst-port=8187 protocol=tcp \
    to-addresses=172.16.10.252 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=*** dst-port=\
    8080 protocol=tcp to-addresses=172.16.10.249 to-ports=80
add action=dst-nat chain=dstnat  \
    dst-address=*** dst-port=8188 protocol=tcp to-addresses=\
    172.16.10.253 to-ports=80
add action=dst-nat chain=dstnat  \
    dst-address=*** dst-port=8007 protocol=tcp to-addresses=\
    10.254.102.92 to-ports=8007
add action=dst-nat chain=dstnat \
    disabled=yes dst-address=10.254.102.89 dst-port=2020 protocol=tcp \
    to-addresses=172.16.10.245 to-ports=80
add action=dst-nat chain=dstnat dst-address=\
    10.254.102.89 dst-port=2222 protocol=tcp to-addresses=172.16.100.2 \
    to-ports=22
add action=dst-nat chain=dstnat  dst-address=\
    10.254.102.89 dst-port=8888 protocol=tcp to-addresses=172.16.100.2 \
    to-ports=80
add action=dst-nat chain=dstnat dst-address=\
    10.254.102.89 dst-port=8989 protocol=tcp to-addresses=10.254.102.92 \
    to-ports=8788
add action=dst-nat chain=dstnat dst-address=10.254.102.89 dst-port=8292 \
    protocol=tcp to-addresses=172.16.200.2 to-ports=8788
add action=dst-nat chain=dstnat  dst-address=10.254.102.89 \
    dst-port=212 protocol=tcp to-addresses=172.16.16.2 to-ports=22
add action=dst-nat chain=dstnat  dst-address=\
    10.254.102.89 dst-port=9669 protocol=tcp to-addresses=10.254.102.92 \
    to-ports=8788
add action=dst-nat chain=dstnat  disabled=yes dst-address=\
    10.254.102.92 dst-port=8322 protocol=tcp to-addresses=10.200.0.29 \
    to-ports=80
add action=dst-nat chain=dstnat  disabled=yes dst-address=\
    10.254.102.92 dst-port=8321 protocol=tcp to-addresses=10.200.0.152 \
    to-ports=443
add action=dst-nat chain=dstnat  dst-address=10.254.102.92 \
    dst-port=8322 protocol=tcp to-addresses=10.200.0.145 to-ports=443
add action=dst-nat chain=dstnat dst-address=\
    10.254.102.92 dst-port=8010 protocol=tcp to-addresses=10.200.0.36 \
    to-ports=443
add action=dst-nat chain=dstnat dst-address=10.254.102.92 \
    dst-port=8325 protocol=tcp to-addresses=10.200.8.2 to-ports=443
add action=dst-nat chain=dstnat  dst-address=10.254.102.92 \
    dst-port=8625 protocol=tcp to-addresses=10.200.0.48 to-ports=443
add action=dst-nat chain=dstnat  dst-address=10.254.102.92 \
    dst-port=8323 protocol=tcp to-addresses=10.200.1.218 to-ports=443
add action=dst-nat chain=dstnat \
    dst-address=10.254.102.92 dst-port=8326 protocol=tcp to-addresses=\
    10.200.4.107 to-ports=443
add action=dst-nat chain=dstnat dst-address=10.254.102.92 \
    dst-port=8327 protocol=tcp to-addresses=10.200.0.59 to-ports=443
add action=dst-nat chain=dstnat dst-address=\
    10.254.102.92 dst-port=8328 protocol=tcp to-addresses=10.200.10.223 \
    to-ports=443
add action=dst-nat chain=dstnat  \
    dst-address=120.29.158.193 dst-port=49152 protocol=tcp to-addresses=\
    10.200.1.185 to-ports=80
add action=dst-nat chain=dstnat \
    dst-address=120.29.158.193 dst-port=49153 protocol=tcp to-addresses=\
    10.200.3.63 to-ports=80
add action=dst-nat chain=dstnat  dst-address=\
    120.29.158.193 dst-port=49154 protocol=tcp to-addresses=10.200.1.190 \
    to-ports=80
add action=dst-nat chain=dstnat dst-address=\
    120.29.158.193 dst-port=49155 protocol=tcp to-addresses=10.200.1.189 \
    to-ports=80
add action=dst-nat chain=dstnat dst-address=120.29.158.193 dst-port=49155 protocol=tcp \
    to-addresses=10.200.2.43 to-ports=80
add action=dst-nat chain=dstnat dst-address=120.29.158.193 dst-port=49156 protocol=tcp \
    to-addresses=10.200.2.42 to-ports=80
add action=dst-nat chain=dstnat  dst-address=*** \
    dst-port=41957 protocol=tcp to-addresses=10.200.1.208 to-ports=80
add action=dst-nat chain=dstnat dst-address=*** dst-port=\
    41958 protocol=tcp to-addresses=10.200.1.184 to-ports=80
add action=dst-nat chain=dstnat  dst-address=\
    10.254.102.92 dst-port=8324 protocol=tcp to-addresses=10.200.0.49 \
    to-ports=443
add action=src-nat chain=srcnat  src-address=10.10.10.0/24 \
    to-addresses=***
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=***
add dst-host=***
add dst-host=portal.***.id
/ip hotspot walled-garden ip
add action=accept disabled=yes dst-address=115.85.80.74 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=172.16.50.3 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=115.85.80.74 !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=94.23.89.14 !src-address-list
add action=accept disabled=yes dst-address=94.23.89.14 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=172.16.50.3 !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=192.168.100.1 !src-address-list
add action=accept disabled=yes dst-address=192.168.100.1 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=*** !src-address-list
add action=accept disabled=yes dst-address=*** !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=115.85.80.74 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=172.16.50.3 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=115.85.80.74 !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=94.23.89.14 !src-address-list
add action=accept disabled=yes dst-address=94.23.89.14 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=172.16.50.3 !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=192.168.100.1 !src-address-list
add action=accept disabled=yes dst-address=192.168.100.1 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=*** !src-address-list
add action=accept disabled=yes dst-address=*** !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=115.85.80.74 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=172.16.50.3 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=115.85.80.74 !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=94.23.89.14 !src-address-list
add action=accept disabled=yes dst-address=94.23.89.14 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=172.16.50.3 !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=192.168.100.1 !src-address-list
add action=accept disabled=yes dst-address=192.168.100.1 !dst-address-list \
    !dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=*** !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol src-address=35.240.186.103 !src-address-list
add action=accept disabled=no !dst-address !dst-address-list dst-host=\
    ***.id !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no !dst-address !dst-address-list dst-host=\
    *.***.id !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no !dst-address !dst-address-list dst-host=\
    portal.***.id !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no !dst-address !dst-address-list dst-host=\
    *** !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no !dst-address !dst-address-list dst-host=\
    *.portal.***.id !dst-port !protocol !src-address !src-address-list
/ip proxy
set parent-proxy=0.0.0.0 src-address=0.0.0.0
/ip route
add distance=1 gateway=***
add disabled=yes distance=1 dst-address=*** gateway=***
add distance=1 dst-address=*** gateway=***
add check-gateway=ping distance=1 dst-address=100.255.10.0/24 gateway=ether9 \
    pref-src=100.255.10.1 scope=10
add distance=1 dst-address=100.255.10.0/24 gateway=172.16.200.2
add comment="WEB ***" disabled=yes distance=1 dst-address=***/20 \
    gateway=*15
add distance=1 dst-address=172.16.16.0/24 gateway=172.16.200.2
add comment="WEB ***" disabled=yes distance=1 dst-address=***/22 \
    gateway=*15
/ip service
set telnet address=***/29,***/30,***/32 port=\
    2388
set ftp disabled=yes port=2121
set www disabled=yes port=8080
set ssh address=***/29,***/30,***/32 port=\
    2288
set api address=0.0.0.0/0 disabled=yes port=8777
set winbox address=\
    ***/29,***/30,***/32,0.0.0.0/0 port=8788
set api-ssl disabled=yes
/ip socks
set max-connections=1
/radius incoming
set accept=yes
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Jakarta
/system logging
add action=syslogprtg topics=critical
add action=syslogprtg topics=error
add action=syslogprtg topics=info
add action=syslogprtg topics=warning
/system ntp client
set enabled=yes primary-ntp=10.254.250.254 secondary-ntp=10.254.251.254
/tool bandwidth-server
set authenticate=no
/tool netwatch
add down-script=":log info \"FO DOWN\"" host=*** interval=10s \
    up-script=":log info \"FO UP\""
add comment=jobkorea.co.kr host=*** interval=10s
add down-script="/tool netwatch\r\
    \nadd host=10.254.102.92 down-script=\":log warning \"\$host is Down\"\r\
    \n" host=10.254.102.92 up-script="/tool netwatch\r\
    \nadd host=10.254.102.92 up-script=\":log warning \"\$host is UP\";\""

CAVEAT, not IT or network trained, take comments as you wish.

  1. RB4011 is not a DPI capable router and this attempt, presumably to block tiktok, is probably not useful and (not sure) may take up valuable cpu bandwidth.
    /ip firewall layer7-protocol
    add name=Tiktok regexp="^.+(tiktok.com|musical.ly).*$"

All to say is that you should provide an edge router that does this sort of thing, be it facebook, tiktok, youtube etc…

  2. Need to rectify 5 vlans but 7 ip pools?
  • okay some dual use of one of the subnets
    add name=dhcp_pool3 ranges=10.200.0.2-10.200.7.254 (2-7)
    add name="Pool Hotspot" ranges=10.200.0.50-10.200.7.254 (50-254)

Still have one outstanding to find. :slight_smile:

  3. Not certain why but this entry seems to be missing an interface reference?
    /ip address
    add address=172.16.10.1/24 network=172.16.10.0 ???

  4. I only see one VLAN with an address, which also seems strange.

  5. As to firewall rules,

  • do I read this right that you attempt to allow/accept traffic to specific public WAN IPs…
  • you have email traffic on unencrypted port (25)?
  • overall why all the accept rules, when you have no drop all or block rules… it would be just as useful to have no rules.
    in other words, the firewall rules seem meaningless to me as they do not block anything and thus you don't need any rules???

  6. Not sure of the intent of your sourcenat rules. Seems like there are some intents to include routing and firewall functionality within the sourcenat rules, which is not normal but could be useful in certain cases… I am not clear on why you need the dst-address list entry on the first one? The second one seems incomplete as no out-interface is identified? The third/fourth ones seem like perhaps they could be handled by firewall rules or a routing rule (or mangle the traffic out the correct WAN).

    /ip firewall nat
    add action=src-nat chain=srcnat dst-address-list=!IP src-address-list=IP to-addresses=***
    add action=masquerade chain=srcnat src-address=10.254.154.176/29
    add action=src-nat chain=srcnat src-address=192.168.26.0/24 to-addresses=***
    add action=src-nat chain=srcnat src-address=10.10.10.0/24 to-addresses=***

  7. No use of established connected rules or fasttrack capabilities in firewall rules…

  8. I see you have telnet active on the router, how is this secured??

  9. It seems winbox is open to the WAN IPs?? how is this secured?

I am hoping that someone with far more RoS acumen can assist you!
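The firewall skeleton that points 5 and 7 through 9 of the reply describe, written out as an added example (it is not from the original post, the reply, or the exported config). It assumes the interface name "ether1-Traffic WAN", the address list IP and the queued BOD subnet 172.16.70.0/24 as they appear in the export, and MGMT-RANGE is a placeholder for the real administration prefix; the BOD subnet is kept out of fasttrack because fasttracked packets skip filter, mangle and queue processing, which would defeat its simple queue.

```routeros
# Added example, not part of the thread or the exported config.
# MGMT-RANGE is a placeholder: replace it with the real admin prefix.
/ip firewall address-list
add list=management address=MGMT-RANGE comment="placeholder admin prefix"

/ip firewall filter
# input: protect the router itself (hotspot/DHCP/DNS from the LAN side stay reachable)
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=management comment="admin only from management list"
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface="ether1-Traffic WAN" comment="everything else from the WAN"

# forward: handle known connections once, then decide on new ones
add chain=forward action=fasttrack-connection connection-state=established,related \
    src-address=!172.16.70.0/24 dst-address=!172.16.70.0/24 \
    comment="point 7: fasttrack; BOD subnet excluded so its simple queue still applies"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address-list=IP out-interface="ether1-Traffic WAN" \
    comment="internal networks out to the WAN"
add chain=forward action=accept in-interface="ether1-Traffic WAN" connection-nat-state=dstnat \
    comment="from the WAN, only connections that matched a published dst-nat rule"
add chain=forward action=drop comment="point 5: the drop that gives the accept rules meaning"

# points 8 and 9: close telnet, stop exposing winbox/ssh to 0.0.0.0/0
/ip service
set telnet disabled=yes
set ssh address=MGMT-RANGE port=2288
set winbox address=MGMT-RANGE port=8788
```

Hotspot adds its own dynamic rules in front of these, so the final forward drop does not interfere with the captive-portal redirect; verify with /ip firewall filter print dynamic after applying.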