Please help, my network disconnects after 2-3 minutes of being connected to the internet

I have a MikroTik router that I configured by myself, but I am facing an issue. When a client connects to the network I configured through the access point, a problem occurs: after being connected for about 2–3 minutes, the client gets disconnected, and the SSID disappears from the client device and does not appear again. The SSID only comes back after I unplug and reconnect the LAN cable between the access point and the MikroTik router.

I am still a beginner and I don’t know where my mistake is. Could you please help me? Below is my MikroTik configuration.

```routeros
# ==================================================
# MikroTik Configuration Export
# RouterOS : 7.20.6
# Device   : RB450Gx4
# Purpose  : Dual ISP Load Balancing (PCC)
# ==================================================

# Interface & Bridge
/interface bridge
add name=Bridge-Lan

/interface bridge port
add bridge=Bridge-Lan interface=ether3
add bridge=Bridge-Lan interface=ether4
add bridge=Bridge-Lan interface=ether5

# IP Addressing
/ip address
add address=192.168.0.1/24 interface=Bridge-Lan network=192.168.0.0

# DHCP Server
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254

/ip dhcp-server
add name=dhcp1 interface=Bridge-Lan address-pool=dhcp_pool1 lease-time=1h

/ip dhcp-server network
add address=192.168.0.0/24 \
    gateway=192.168.0.1 \
    dns-server=8.8.8.8,1.1.1.1,1.0.0.1,8.8.4.4

# DNS
/ip dns
set allow-remote-requests=yes \
    servers=8.8.8.8,1.1.1.1,1.0.0.1,8.8.4.4

# WAN DHCP Client
/ip dhcp-client
add interface=ether1 disabled=yes default-route-tables=main
add interface=ether2 default-route-tables=main

# Routing Tables
/routing table
add name=to_ISP1 fib
add name=to-ISP2 fib

# Firewall Filter
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related hw-offload=yes
add chain=forward action=accept \
    connection-state=established,related
add chain=forward action=drop \
    connection-state=invalid
add chain=forward action=drop \
    connection-state=new connection-nat-state=dstnat \
    in-interface=ether2

# Firewall Mangle (PCC)
/ip firewall mangle

# Bypass local & internal traffic
add chain=prerouting action=accept dst-address=10.11.24.0/21
add chain=prerouting action=accept dst-address=192.168.1.0/24
add chain=prerouting action=accept dst-address=192.168.0.0/24

# Mark connection from WAN
add chain=prerouting in-interface=ether1 \
    action=mark-connection new-connection-mark=ISP1
add chain=prerouting in-interface=ether2 \
    action=mark-connection new-connection-mark=ISP2

# PCC Load Balancing from LAN
add chain=prerouting in-interface=Bridge-Lan \
    action=mark-connection new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/0
add chain=prerouting in-interface=Bridge-Lan \
    action=mark-connection new-connection-mark=ISP1 \
    per-connection-classifier=both-addresses:4/1
add chain=prerouting in-interface=Bridge-Lan \
    action=mark-connection new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/2
add chain=prerouting in-interface=Bridge-Lan \
    action=mark-connection new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/3

# Mark routing
add chain=prerouting in-interface=Bridge-Lan \
    connection-mark=ISP1 action=mark-routing \
    new-routing-mark=to_ISP1
add chain=prerouting in-interface=Bridge-Lan \
    connection-mark=ISP2 action=mark-routing \
    new-routing-mark=to-ISP2

add chain=output connection-mark=ISP1 \
    action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2 \
    action=mark-routing new-routing-mark=to-ISP2

# NAT
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# Routes
/ip route

# Main routes per routing table
add dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to-ISP2 check-gateway=ping

# Failover routes
add dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to_ISP1 distance=2
add dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to-ISP2 distance=2

# Queue
/queue simple
add name="Balmon AP 1" target=Bridge-Lan \
    limit-at=25M/25M max-limit=50M/50M \
    queue=pcq-upload-default/pcq-download-default

# System
/system clock
set time-zone-name=Asia/Makassar

/system identity
set name="Load Balance 2 ISP"

/system routerboard settings
set enter-setup-on=delete-key
```

Your configuration looks cleaner and more compact than the last time in the other thread, that is an improvement. There are a few issues though:

I assume that you'll enable both WANs. If that's the case, give their default routes different distances in the main table, for example distance 2 for WAN1 and distance 1 for WAN2. Otherwise, in the main table you'll have an ECMP group, and it might cause problems for what we'll try later on.


Mangle mark-routing is incompatible with Fasttrack. Actually, in your current configuration with Fasttrack enabled like this, the PCC load balancing is probably not working. Same with your simple queue, it's also currently bypassed because Fasttrack is active. If you are currently observing that both WANs are being used, then it's not because your PCC configuration was successful, but instead, it was because ECMP was active in the main table (see previous point above), and you were seeing the effects of ECMP load balancing.

But ECMP means equal distribution, so the 3:1 distribution between ISP2 and ISP1 you wanted to achieve with PCC is not in effect. If you've disabled ECMP (see above), then you'll also need to disable Fasttrack for the PCC connections too. To do that, edit this fasttrack-connection rule and add the condition connection-mark=no-mark to it. The rule will then be skipped for all PCC connections. This will also make your simple queue effective again.


About the mangle rules: you should edit all rules that have action=mark-connection and give them the additional condition connection-mark=no-mark too.


Now about your AP problem: Are you using a locally hosted controller, or are you using a remote UniFi Cloud Controller? If your controller is hosted remotely (not in your LAN), then maybe you should try to exclude the access points from the WAN load balancing:

Identify the IP addresses of all UniFi access points and add these local IP addresses to an UNIFI_APS address list, for example, then at the top of your mangle table, add this rule right after the 3 other action=accept rules:

```routeros
/ip firewall mangle
add chain=prerouting action=accept src-address-list=UNIFI_APS
```

(so that this rule is at #4, before any of the mark-connection and mark-routing rules).

But of course, this is only effective if you've also disabled ECMP in the main routing table (by giving the two DHCP clients different default route distances).


Finally, this is unrelated to your AP issue, but currently your firewall is very insecure, because the filter table is missing important rules. What you should do is apply the RouterOS 7 defconf firewall rules from this post https://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4:

  • Create the two interface lists LAN and WAN

  • Add Bridge-Lan to interface list LAN

  • Add ether1 and ether2 to interface list WAN

    The above can be done with:

    ```routeros
    /interface list
    add name=LAN
    add name=WAN

    /interface list member
    add interface=Bridge-Lan list=LAN
    add interface=ether1 list=WAN
    add interface=ether2 list=WAN
    ```
    
  • Remove the current rules in the filter table and replace them with the 7.20.8 /ip firewall filter rules from the linked post

  • But don't forget to edit the fasttrack-connection rule again and add the condition connection-mark=no-mark!!

  • Remove your two current rules from the NAT table, and replace them with the single rule under /ip firewall nat from the linked post.

Doing that will give your router a much better protection.

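The checks from the reply above, as an added example that is not part of the original thread: a small Python auditor that reads a RouterOS export and flags a fasttrack-connection rule without connection-mark=no-mark while mark-routing rules exist, mark-connection rules without that guard, and an input chain with no drop rule, and also tallies the PCC buckets per mark. The function names, finding names and the `FIRST_EXPORT` sample (rules taken from the first export in this thread) are constructed for illustration.

```python
import re
import shlex
from collections import Counter

# Constructed sample: filter and mangle rules as posted in the first export of this thread.
FIRST_EXPORT = r"""
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
/ip firewall mangle
add chain=prerouting action=accept dst-address=192.168.0.0/24
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=ISP1
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=ISP2
add chain=prerouting in-interface=Bridge-Lan action=mark-connection new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/0
add chain=prerouting in-interface=Bridge-Lan action=mark-connection new-connection-mark=ISP1 per-connection-classifier=both-addresses:4/1
add chain=prerouting in-interface=Bridge-Lan action=mark-connection new-connection-mark=ISP2 per-connection-classifier=both-addresses:4/2
add chain=prerouting in-interface=Bridge-Lan action=mark-connection new-connection-mark=ISP2 per-connection-classifier=both-addresses:4/3
add chain=prerouting in-interface=Bridge-Lan connection-mark=ISP1 action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting in-interface=Bridge-Lan connection-mark=ISP2 action=mark-routing new-routing-mark=to-ISP2
"""


def parse_export(text):
    """Return [(menu, {param: value})] for every 'add' line, joining '\\' continuations."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    menu, rules = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            tokens = shlex.split(line[4:])
            rules.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules


def audit(rules):
    """Return {finding: number of offending rules} for the issues raised in the thread."""
    flt = [p for menu, p in rules if menu == "/ip firewall filter"]
    mgl = [p for menu, p in rules if menu == "/ip firewall mangle"]
    found = Counter()
    routes_by_mark = any(p.get("action") == "mark-routing" for p in mgl)
    for p in flt:
        # Fasttracked packets skip mangle and simple queues, so PCC routing marks are lost.
        if (routes_by_mark and p.get("action") == "fasttrack-connection"
                and p.get("connection-mark") != "no-mark"):
            found["fasttrack-bypasses-mangle"] += 1
    for p in mgl:
        # The thread asks for connection-mark=no-mark so a mark is set once per connection.
        if p.get("action") == "mark-connection" and p.get("connection-mark") != "no-mark":
            found["mark-connection-not-guarded"] += 1
    # An input chain without a general drop rule leaves the router itself unfiltered.
    if not any(p.get("chain") == "input" and p.get("action") == "drop"
               and "connection-state" not in p for p in flt):
        found["input-chain-has-no-drop"] += 1
    return dict(found)


def pcc_split(rules):
    """Count PCC buckets per connection mark, i.e. the intended traffic ratio."""
    share = Counter()
    for menu, p in rules:
        if menu == "/ip firewall mangle" and "per-connection-classifier" in p:
            share[p["new-connection-mark"]] += 1
    return dict(share)


if __name__ == "__main__":
    parsed = parse_export(FIRST_EXPORT)
    print("findings:", audit(parsed))
    print("PCC buckets per mark:", pcc_split(parsed))
```

Feeding it the complete output of /export instead of the sample checks a live configuration the same way.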

After following your instructions, my network became slow and some applications take a long time to open. Unfortunately, the issue is still not resolved. The behavior is the same: after connecting for about 2–3 minutes, the client gets disconnected again.

Please post the full output of /export after making those changes. Only censor things like serial number, MAC address, public IP address, keys.

Please do not attempt to split and post only pieces of your configuration like you used to do until now. No need to add headings telling us this or that section is what. Do not omit sections that you think are unimportant. People on this forum won't be able to help you if you only post excerpts of the configuration.

Put the content between this

```routeros
<paste your exported config in one piece here>
```

To have proper formatting and syntax highlighting.

```routeros
# 2026-02-05 13:11:55 by RouterOS 7.20.6
# model = RB450Gx4
/interface bridge
add name=Bridge-Lan
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge-Lan lease-time=1h name=dhcp1
/port
set 0 name=serial0
/queue simple
add disabled=yes limit-at=25M/25M max-limit=50M/50M name="Balmon AP 1" queue=\
    pcq-upload-default/pcq-download-default target=Bridge-Lan
/routing table
add disabled=no fib name=to_ISP1
add disabled=no fib name=to-ISP2
/interface bridge port
add bridge=Bridge-Lan interface=ether3
add bridge=Bridge-Lan interface=ether4
add bridge=Bridge-Lan interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=Bridge-Lan list=LAN
/ip address
add address=192.168.0.1/24 interface=Bridge-Lan network=192.168.0.0
/ip dhcp-client
add default-route-distance=2 default-route-tables=main interface=ether1
add default-route-tables=main interface=ether2
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,1.0.0.1,1.1.1.1,8.8.4.4 \
    gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,1.0.0.1,8.8.4.4
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address-list=127.0.0.1 in-interface=lo \
    src-address-list=127.0.0.1
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-mark=no-mark \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=\
    WAN
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.11.24.0/21
add action=accept chain=prerouting dst-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.0.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=ISP1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=ISP2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Bridge-Lan new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Bridge-Lan new-connection-mark=ISP1 \
    per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Bridge-Lan new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Bridge-Lan new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/3
add action=mark-routing chain=prerouting connection-mark=ISP1 in-interface=\
    Bridge-Lan new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2 in-interface=\
    Bridge-Lan new-routing-mark=to-ISP2
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=\
    to_ISP1
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=\
    to-ISP2
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to_ISP1 suppress-hw-offload=no
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to-ISP2 suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to_ISP1 suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to-ISP2 suppress-hw-offload=no
/system clock
set time-zone-name=Asia/Makassar
/system identity
set name="Load Balance 2 isp"
/system routerboard settings
set enter-setup-on=delete-key
```

Thank you! The config looks ok to me. However, if your UniFi access points use a remote controller, then you should add the mangle action=accept rule for them like I wrote above (add their addresses in an address list and add the mangle rule with src-address-list at the 4th position). Something like:

```routeros
/ip firewall address-list
add address=192.168.0.x comment="AP 1" list=UNIFI_APS
add address=192.168.0.y comment="AP 2" list=UNIFI_APS
add address=192.168.0.z comment="AP 3" list=UNIFI_APS

/ip firewall mangle
add action=accept chain=prerouting src-address-list=UNIFI_APS place-before=4
```

Other than that, I don't see anything in the config that can cause problems to the APs. If the problem persists, you should look at the access points themselves, to see whether they've crashed, rebooted, or overheated.

Concur, a few small changes below. Also cleaned up mangling, hopefully it helps!

```routeros
/ip neighbor discovery-settings
set discover-interface-list=LAN
```

IF you want to ONLY allow yourself as admin access to the router for config purposes - better security

```routeros
/ip firewall address-list
add address=192.168.0.X list=TRUSTED comment="admin PC"
add address=192.168.0.X list=TRUSTED comment="admin smartphone"
add address=192.168.0.X list=TRUSTED comment="admin tablet/ipad"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address-list=127.0.0.1 in-interface=lo \
    src-address-list=127.0.0.1
add action=accept chain=input in-interface-list=LAN src-address-list=TRUSTED
add action=accept chain=input comment="user services" in-interface-list=LAN \
    dst-port=53 protocol=udp
add action=accept chain=input comment="user services" in-interface-list=LAN \
    dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
```


I would put your first two mangling rules (after the 3 accept ones that is) as input chain, matches up better with corresponding output chain ones. Also, there is nothing wrong, more accurate to note Forward Chain for incoming traffic PCC from LAN.

As far as mangling goes…… Some minor changes, I prefer having different connection marks, specifically for troubleshooting logs, easier to know which traffic is which.

```routeros
/ip firewall address-list
add address=10.11.24.0/21 list=LOCAL
add address=192.168.1.0/24 list=LOCAL
add address=192.168.0.0/24 list=LOCAL
/ip firewall mangle
# allow local traffic
add action=accept chain=prerouting dst-address-list=LOCAL
# Ensure traffic to both WANs is marked
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=incomingISP1
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=incomingISP2
# Mark PCC traffic
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface-list=LAN new-connection-mark=ISP2 \
    dst-address-type=!local per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface-list=LAN new-connection-mark=ISP1 \
    dst-address-type=!local per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface-list=LAN new-connection-mark=ISP2 \
    dst-address-type=!local per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface-list=LAN new-connection-mark=ISP2 \
    dst-address-type=!local per-connection-classifier=both-addresses:4/3
# Apply Route Marks to PCC
add action=mark-routing chain=prerouting connection-mark=ISP1 \
    new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2 \
    new-routing-mark=to-ISP2 passthrough=no
# Apply Route Marks to WAN traffic
add action=mark-routing chain=output connection-mark=incomingISP1 \
    new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=incomingISP2 \
    new-routing-mark=to-ISP2 passthrough=no
```

In terms of routing, I note that you have the main routes already detailed in IP DHCP client settings…… But it's not clear to me if you have check-gateway set for one or both on the main route, which brings up the point: why did you mangle for traffic to the WANs directly? What traffic do you have that warrants those rules?

In terms of the special routes, I think they are okay but added the below for clarity.

```routeros
/ip route
# Special Table for Traffic to WAN1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to_ISP1
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to_ISP1 comment="failover to available gateway wan2"
# Special Table for traffic to WAN2
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to-ISP2
add distance=2 dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to-ISP2 comment="failover to available gateway wan1"
```

I have tried all of the suggestions provided, but the issue still remains. Moreover, after adding the filter rules, some websites are no longer accessible (for example, Roblox), and web browsing has become very slow.

However, when I connect directly to the modem, the internet connection works normally and is fast.

Below is my MikroTik configuration after following your recommendations:

```routeros
# RouterOS 7.20.6
# model = RB450Gx4
/interface bridge
add name=Bridge-Lan
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge-Lan lease-time=1h name=dhcp1
/port
set 0 name=serial0
/queue simple
add disabled=yes limit-at=25M/25M max-limit=50M/50M name="Balmon AP 1" queue=\
    pcq-upload-default/pcq-download-default target=Bridge-Lan
/routing table
add disabled=no fib name=to_ISP1
add disabled=no fib name=to-ISP2
/interface bridge port
add bridge=Bridge-Lan interface=ether3
add bridge=Bridge-Lan interface=ether4
add bridge=Bridge-Lan interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=Bridge-Lan list=LAN
/ip address
add address=192.168.0.1/24 interface=Bridge-Lan network=192.168.0.0
/ip dhcp-client
add default-route-distance=2 default-route-tables=main interface=ether1
add default-route-tables=main interface=ether2
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,1.0.0.1,1.1.1.1,8.8.4.4 \
    gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,1.0.0.1,8.8.4.4
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address-list=127.0.0.1 in-interface=lo \
    src-address-list=127.0.0.1
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-mark=no-mark \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=\
    WAN
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.11.24.0/21
add action=accept chain=prerouting dst-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.0.0/24
add action=accept chain=prerouting src-address=192.168.0.226
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=ISP1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=ISP2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Bridge-Lan new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Bridge-Lan new-connection-mark=ISP1 \
    per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Bridge-Lan new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Bridge-Lan new-connection-mark=ISP2 \
    per-connection-classifier=both-addresses:4/3
add action=mark-routing chain=prerouting connection-mark=ISP1 in-interface=\
    Bridge-Lan new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2 in-interface=\
    Bridge-Lan new-routing-mark=to-ISP2
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=\
    to_ISP1
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=\
    to-ISP2
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to_ISP1 suppress-hw-offload=no
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to-ISP2 suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to_ISP1 suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.11.24.1 \
    routing-table=to-ISP2 suppress-hw-offload=no
/system clock
set time-zone-name=Asia/Makassar
/system identity
set name="Load Balance 2 isp"
/system routerboard settings
set enter-setup-on=delete-key
```

I am by far no expert, and maybe I have not even fully understood your network, but here are my remarks:

Don't use check-gateway together with mangle. Remove ether2 from the bridge; the IP firewall does not work on a bridge (unless "use IP firewall" is enabled on the bridge, which is not the case here).