Problem with Mikrotik Wireless and Dlink IPCam

Hello,
I have a problem with Mikrotik wireless and D-Link IP cameras: the cameras keep disconnecting from the wireless network.

Has anyone else had a problem with this scenario? I changed the RouterBOARD and changed the wireless configuration, but nothing helped; they still don’t work. If I replace the wireless AP with another one (not MikroTik), the connection is stable and I don’t have any issues.

Thanks,
Riccardo

post config
/export hide-sensitive file=yourconfigmarch

mar/31/2019 10:28:02 by RouterOS 6.44

software id =

model = RouterBOARD 962UiGS-5HacT2HnT

serial number =

# RouterOS 6.44 configuration export as posted in the thread. The paste appears to
# have lost the export's line-continuation characters, so a wrapped line (for example
# the sfp1 "advertise=" list) belongs to the command on the line before it.
# Lines starting with "#" are review notes on what the visible rules do; they are not
# part of the original export.
/interface bridge
add fast-forward=no name=BR-LAN protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
# PPTP client tunnel; the static route to 10.1.0.0/24 further down uses it as gateway.
# NOTE(review): PPTP's MS-CHAPv2/MPPE protection is widely regarded as weak.
/interface pptp-client
add connect-to=xxxxxxx disabled=no name=PPTP-CHR user=xxxxxxxx
# Profile GV accepts both WPA-PSK and WPA2-PSK clients; management frame protection
# is optional ("allowed"). Both radios below use this profile with the same SSID.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=“”
management-protection=allowed mode=dynamic-keys name=GV
supplicant-identity=“”
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=
20/40mhz-XX country=italy disabled=no frequency=2437 frequency-mode=
regulatory-domain mode=ap-bridge security-profile=GV ssid=margot
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac
channel-width=20/40mhz-XX country=italy frequency=5220 frequency-mode=
regulatory-domain mode=ap-bridge security-profile=GV ssid=margot
wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=PL-LAN ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=PL-LAN disabled=no interface=BR-LAN name=DHCP-LAN
# ether2-ether5 and both radios are bridged into BR-LAN; ether1 is left out and is
# the interface the DHCP client and the final input drop rule refer to.
/interface bridge port
add bridge=BR-LAN interface=wlan1
add bridge=BR-LAN hw=no interface=ether2
add bridge=BR-LAN hw=no interface=ether3
add bridge=BR-LAN hw=no interface=ether4
add bridge=BR-LAN hw=no interface=ether5
add bridge=BR-LAN interface=wlan2
/ip address
add address=192.168.1.1/24 interface=BR-LAN network=192.168.1.0
# Registers the router's public address under a MikroTik cloud DNS name.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
# Six static leases (192.168.1.201-206), all outside the PL-LAN pool range. These are
# the same addresses the dst-nat rules below forward to, presumably the cameras from
# the post.
/ip dhcp-server lease
add address=192.168.1.201 client-id=1:b0:c5:54:25:9c:9c mac-address=
B0:C5:54:25:9C:9C server=DHCP-LAN
add address=192.168.1.206 client-id=1:b0:c5:54:25:89:5c mac-address=
B0:C5:54:25:89:5C server=DHCP-LAN
add address=192.168.1.202 client-id=1:b0:c5:54:25:8b:9b mac-address=
B0:C5:54:25:8B:9B server=DHCP-LAN
add address=192.168.1.204 client-id=1:b0:c5:54:25:a7:ed mac-address=
B0:C5:54:25:A7:ED server=DHCP-LAN
add address=192.168.1.205 client-id=1:b0:c5:54:25:9d:2d mac-address=
B0:C5:54:25:9D:2D server=DHCP-LAN
add address=192.168.1.203 client-id=1:b0:c5:54:25:8f:9a mac-address=
B0:C5:54:25:8F:9A server=DHCP-LAN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
# The router answers DNS queries itself. No input rule accepts port 53, so on ether1
# such queries fall through to the final drop; on every other interface they are
# accepted by the chain's default.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Rules are evaluated top to bottom. The accepts for TCP 1194, ICMP, TCP 1080,
# TCP 18291 and TCP 8291 carry no in-interface or src-address match and sit above the
# drop, so those ports are reachable from ether1 as well as from the LAN.
# NOTE(review): per "/ip service" below, www listens on 1080 and winbox on 18291;
# nothing in this export listens on 8291 or 1194, so those two accepts look like
# leftovers. Restricting the management accepts to a source address list or the LAN
# interface would close the exposure.
/ip firewall filter
add action=accept chain=input comment=“Allow OpenVPN” dst-port=1194 protocol=
tcp
add action=accept chain=input comment=“Permit PING” protocol=icmp
add action=accept chain=input comment=“Permit HTTP+WINBOX” dst-port=1080
protocol=tcp
add action=accept chain=input dst-port=18291 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment=“Permit estabilished and related”
connection-state=established,related
# The drop matches only packets arriving on ether1; input traffic from any other
# interface (BR-LAN, PPTP-CHR) is not dropped by this chain.
add action=drop chain=input comment=“DROP all packet IN” in-interface=ether1
# The forward chain has no final drop: anything that is not "invalid" is forwarded,
# including new connections arriving on ether1 (the dst-nat'ed ones among them).
add action=accept chain=forward comment=“Permit estabilished and related”
connection-state=established,related
add action=drop chain=forward comment=“DROP forward invalid traffic”
connection-state=invalid
/ip firewall nat
# No out-interface: every routed connection is masqueraded, whichever interface it
# leaves by. That includes the port-forwarded connections below, so the forwarded
# hosts see the router's address instead of the real client address.
add action=masquerade chain=srcnat
# Ports 1001-1006 are forwarded to port 443 on 192.168.1.201-206. The rules have no
# in-interface, dst-address or src-address match, so they apply to any TCP connection
# to those ports passing through the router, from any source.
# NOTE(review): this publishes six devices' HTTPS interfaces to the Internet; limit by
# in-interface and source address list, or reach them over a VPN instead.
add action=dst-nat chain=dstnat dst-port=1001 protocol=tcp to-addresses=
192.168.1.201 to-ports=443
add action=dst-nat chain=dstnat dst-port=1002 protocol=tcp to-addresses=
192.168.1.202 to-ports=443
add action=dst-nat chain=dstnat dst-port=1003 protocol=tcp to-addresses=
192.168.1.203 to-ports=443
add action=dst-nat chain=dstnat dst-port=1004 protocol=tcp to-addresses=
192.168.1.204 to-ports=443
add action=dst-nat chain=dstnat dst-port=1005 protocol=tcp to-addresses=
192.168.1.205 to-ports=443
add action=dst-nat chain=dstnat dst-port=1006 protocol=tcp to-addresses=
192.168.1.206 to-ports=443
/ip route
add distance=1 dst-address=10.1.0.0/24 gateway=PPTP-CHR
# Both management services accept connections from any source address (0.0.0.0/0).
# www is the unencrypted HTTP interface. Together with the input accepts above, the
# router's login pages are reachable from the WAN side.
/ip service
set www address=0.0.0.0/0 port=1080
set winbox address=0.0.0.0/0 port=18291
/system clock
set time-zone-name=Europe/Rome
# RoMON is enabled. NOTE(review): no secret is visible here (hide-sensitive may have
# removed it) — confirm one is set and that RoMON is limited to the ports that need it.
/tool romon
set enabled=yes

Who added these rules? They smell of security risk.
Don’t tell me that you actually use the default port for winbox.
(There is no need to identify the winbox port in the firewall rules.)

add action=accept chain=input comment=“Permit HTTP+WINBOX” dst-port=1080
protocol=tcp
add action=accept chain=input dst-port=18291 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp

The only thing that needs to be in the INPUT chain is a rule allowing admin access to the router.
Typically this is restricted by the applicable in-interface or interface-list and by a source address list
(source address list = the list of PCs or laptops that you expect to access the router from).
In addition, allow DNS queries (port 53, UDP and TCP) from the LAN interface list.

Use macwinbox and the system services settings to define the port and access for winbox (it is then not visible in the firewall rules).
Ensure the user name is not the default one and that passwords are set.

Your NAT rule needs an out-interface (or whatever the appropriate actual outgoing interface is).
If it's a dynamic IP, one typically puts out-interface=eth1; if it's a static IP, one uses dest-address=assigned IP and action=srcnat.
/ip firewall nat
add action=masquerade chain=srcnat ???

I don't see the general rule required in the firewall filter forward chain for dst-nat, to allow your NAT rules through the firewall. For example:
connection-state=new connection-nat-state=dstnat in-interface=eth1-wan for example.

I have not seen this rule stated quite this way. If it's the last rule in your input chain, you just need a drop-all; why only in-interface=eth1? You don't want crap from any interface.
add action=drop chain=input comment="DROP all packet IN" in-interface=ether1

In future, remove these lines from the config before posting:
/ip service
set www address=0.0.0.0/0 port=1080
set winbox address=0.0.0.0/0 port=18291