RB4011 drops WAN connectivity sporadically

Hey Folks, appreciate anyone's thoughts on the following issue I'm facing...

We have the RB4011 connected to a Huawei OptiXstar HG8145X6-10 (Orange Slovakia) and it would lose WAN connection sporadically for no apparent reason (every ~10 days). When that happens, everything connected to the RB4011 loses internet access. I am still able to SSH into the RB from a LAN client connected to the Huawei via LAN (note that only the RB4011 loses WAN access, not that client, a Raspberry Pi).

When the RB4011 loses WAN/internet connectivity, I can confirm that:

  1. The DHCP client has an address from the Huawei (the ONT cannot be put into bridge mode according to Orange, so it acts as DHCP server for the RB),

  2. The route table is fine; DHCP release/renew does nothing; all looks fine,

  3. The WAN port (ether10) did not seem to flap (no link-down),

  4. I can ping the Huawei from the RB4011,

  5. I cannot ping the internet (8.8.8.8) from the RB4011, but the Pi can,

  6. Everything looks as if the Huawei blocks the RB4011 from accessing the internet, but not the other clients connected to it...

I generated a supout approx. 30 minutes after it lost connectivity and submitted it to MikroTik. Once that happens, the only way to get the connection back is to HARD/FACTORY reset the Huawei through the pin-hole (power off/on has no impact).

The RB4011 runs 7.21.1 (stable). The issue occurred with previous versions too. Orange has replaced the Huawei, but the problem persists. I have tried changing the WAN port from ether1 to ether10, but it had no impact. Swapped the Ethernet cable, same thing. Thoughts?

Hi fungogh

Please clarify whether the RB4011 is configured as a bridge for downstream clients or as WAN/LAN (i.e. acting as DHCP client towards the Huawei upstream router and as DHCP server for downstream clients).

Usually, while asking for help, it is a good idea to post your RB’s config upfront.

Yes, I sanitized the config and am pasting it below. The RB4011 acts as DHCP client to the Huawei and DHCP server to my LAN.

# 2026-02-03 11:14:42 by RouterOS 7.21.1

# software id = XXXX-XXXX

# model = RB4011iGS+5HacQ2HnD

# serial number = A1B2C3D4E5F6

/interface bridge
add igmp-snooping=yes multicast-querier=yes name=Bridge port-cost-mode=short priority=0x7000

/interface wireless
set [ find default-name=wlan2 ] name=wlan1 ssid=MikroTik
set [ find default-name=wlan1 ] name=wlan2 ssid=MikroTik

/interface ethernet
set [ find default-name=ether10 ] poe-out=off

/interface wifi
add radio-mac=AA:BB:CC:DD:EE:01

/interface wireguard
add listen-port=13232 mtu=1280 name=wg_poruba

/interface list
add name=LAN
add name=WAN
add name=INTERNET

/interface wifi configuration
add channel.skip-dfs-channels=all country=Slovakia disabled=no dtim-period=3 mode=ap multicast-enhance=enabled name=H200 qos-classifier=dscp-high-3-bits security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0/1 .ft=yes .ft-over-ds=yes .wps=disable ssid=H200 station-roaming=yes steering.neighbor-group=dynamic-H200-12345678 .rrm=yes .wnm=yes

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool2 ranges=192.168.11.2-192.168.11.99
add name=dhcp_pool1 next-pool=dhcp_pool2 ranges=192.168.10.10-192.168.10.99

/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge lease-time=1d name=RB4011

/system logging action
set 0 memory-lines=5000
set 1 disk-lines-per-file=5000

/zerotier
set zt1 disabled=no disabled=no

/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier1 network=1234567890abcdef

/interface bridge port
add bridge=Bridge interface=ether3
add bridge=Bridge interface=ether5
add bridge=Bridge interface=ether6
add bridge=Bridge interface=ether7
add bridge=Bridge interface=ether9
add bridge=Bridge interface=ether8
add bridge=Bridge interface=ether2
add bridge=Bridge interface=ether4
add bridge=Bridge interface=sfp-sfpplus1

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=Bridge list=LAN
add interface=wg_poruba list=LAN
add interface=zerotier1 list=LAN
add comment="Huawei to eth10" disabled=yes interface=ether10 list=WAN
add comment="Huawei to eth10" interface=ether10 list=INTERNET
add comment="Huawei to eth1" disabled=yes interface=ether1 list=WAN
add comment="Huawei to eth1" disabled=yes interface=ether1 list=INTERNET

/interface ovpn-server server
add mac-address=AA:BB:CC:DD:EE:02 name=ovpn-server1

/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=H200

/interface wireguard peers
add allowed-address=10.0.0.0/8,192.168.18.0/24 endpoint-address=random.example.net endpoint-port=13232 interface=wg_poruba name=peer1 persistent-keepalive=25s public-key="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

/ip address
add address=192.168.10.254/24 interface=Bridge network=192.168.10.0
add address=192.168.18.1/24 interface=wg_poruba network=192.168.18.0

/ip arp
add address=192.168.100.1 interface=ether10 mac-address=AA:BB:CC:DD:EE:03

/ip cloud
set ddns-enabled=yes ddns-update-interval=1h update-time=no

/ip dhcp-client
add default-route-tables=main disabled=yes interface=ether1 use-peer-dns=no use-peer-ntp=no
add default-route-tables=main interface=ether10 use-peer-dns=no use-peer-ntp=no

/ip dhcp-server lease

All MAC addresses randomized

add address=192.168.10.202 mac-address=AA:BB:CC:DD:EE:10 server=RB4011
add address=192.168.10.70 mac-address=AA:BB:CC:DD:EE:11 server=RB4011
add address=192.168.10.29 mac-address=AA:BB:CC:DD:EE:12 server=RB4011
add address=192.168.10.60 mac-address=AA:BB:CC:DD:EE:13 server=RB4011
add address=192.168.10.96 mac-address=AA:BB:CC:DD:EE:14 server=RB4011
add address=192.168.10.15 mac-address=AA:BB:CC:DD:EE:15 server=RB4011
add address=192.168.10.101 mac-address=AA:BB:CC:DD:EE:16 server=RB4011
add address=192.168.10.100 mac-address=AA:BB:CC:DD:EE:17 server=RB4011
add address=192.168.10.34 mac-address=AA:BB:CC:DD:EE:18 server=RB4011
add address=192.168.10.220 mac-address=AA:BB:CC:DD:EE:19 server=RB4011
add address=192.168.10.95 mac-address=AA:BB:CC:DD:EE:1A server=RB4011
add address=192.168.10.230 mac-address=AA:BB:CC:DD:EE:1B server=RB4011
add address=192.168.10.231 mac-address=AA:BB:CC:DD:EE:1C server=RB4011
add address=192.168.10.14 mac-address=AA:BB:CC:DD:EE:1D server=RB4011
add address=192.168.10.201 mac-address=AA:BB:CC:DD:EE:1E server=RB4011
add address=192.168.10.17 mac-address=AA:BB:CC:DD:EE:1F server=RB4011
add address=192.168.10.12 mac-address=AA:BB:CC:DD:EE:20 server=RB4011
add address=192.168.10.13 mac-address=AA:BB:CC:DD:EE:21 server=RB4011
add address=192.168.10.18 mac-address=AA:BB:CC:DD:EE:22 server=RB4011
add address=192.168.10.39 mac-address=AA:BB:CC:DD:EE:23 server=RB4011
add address=192.168.10.24 mac-address=AA:BB:CC:DD:EE:24 server=RB4011
add address=192.168.10.10 mac-address=AA:BB:CC:DD:EE:25 server=RB4011
add address=192.168.10.20 mac-address=AA:BB:CC:DD:EE:26 server=RB4011
add address=192.168.10.16 mac-address=AA:BB:CC:DD:EE:27 server=RB4011
add address=192.168.10.21 mac-address=AA:BB:CC:DD:EE:28 server=RB4011
add address=192.168.10.102 mac-address=AA:BB:CC:DD:EE:29 server=RB4011
add address=192.168.10.11 mac-address=AA:BB:CC:DD:EE:2A server=RB4011
add address=192.168.10.250 mac-address=AA:BB:CC:DD:EE:2B server=RB4011
add address=192.168.10.253 mac-address=AA:BB:CC:DD:EE:2C server=RB4011
add address=192.168.10.251 mac-address=AA:BB:CC:DD:EE:2D server=RB4011
add address=192.168.10.252 mac-address=AA:BB:CC:DD:EE:2E server=RB4011
add address=192.168.10.210 mac-address=AA:BB:CC:DD:EE:2F server=RB4011
add address=192.168.10.27 mac-address=AA:BB:CC:DD:EE:30 server=RB4011
add address=192.168.10.247 mac-address=AA:BB:CC:DD:EE:31 server=RB4011
add address=192.168.10.248 mac-address=AA:BB:CC:DD:EE:32 server=RB4011
add address=192.168.10.211 mac-address=AA:BB:CC:DD:EE:33 server=RB4011
add address=192.168.10.249 mac-address=AA:BB:CC:DD:EE:34 server=RB4011
add address=192.168.10.26 mac-address=AA:BB:CC:DD:EE:35 server=RB4011
add address=192.168.10.23 mac-address=AA:BB:CC:DD:EE:36 server=RB4011
add address=192.168.10.33 mac-address=AA:BB:CC:DD:EE:37 server=RB4011
add address=192.168.10.22 mac-address=AA:BB:CC:DD:EE:38 server=RB4011
add address=192.168.10.25 mac-address=AA:BB:CC:DD:EE:39 server=RB4011

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=10.0.1.200,10.0.1.78 gateway=192.168.10.254 netmask=24

/ip dns
set allow-remote-requests=yes cache-size=102400KiB servers=10.0.1.200,8.8.8.8,9.9.9.9,8.8.4.4

/ip dns static
add address=8.8.8.8 name=gdns type=A

/ip firewall filter
add action=accept chain=input comment="Allow Huawei port forward" dst-port=80 in-interface=ether10 protocol=tcp src-address=192.168.100.1
add action=accept chain=forward comment="DNS to remote Pihole" dst-address=10.0.1.200 dst-port=53 protocol=udp src-address=192.168.10.0/24
add action=accept chain=forward comment="DNS to remote Pihole" dst-address=10.0.1.200 dst-port=53 protocol=tcp src-address=192.168.10.0/24
add action=accept chain=input disabled=yes in-interface-list=INTERNET
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward disabled=yes protocol=icmp src-address=10.0.1.19
add action=accept chain=input dst-port=161 protocol=udp
add action=accept chain=output protocol=udp src-port=161
add action=accept chain=input comment="from wall.sk" src-address=195.28.79.20
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment=vpn dst-port=500 protocol=udp
add action=accept chain=output protocol=udp src-port=500
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=output protocol=udp src-port=4500
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=output protocol=udp src-port=1701
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment=WireGuard dst-port=13232 protocol=udp
add action=accept chain=output protocol=udp src-port=13231
add action=accept chain=output protocol=udp src-port=13232
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="CCR -> Huawei" in-interface=wg_poruba out-interface=ether10
add action=accept chain=forward comment="Huawei -> CCR" in-interface=ether10 out-interface=wg_poruba
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=INTERNET
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=INTERNET
add action=accept chain=forward in-interface-list=LAN out-interface-list=INTERNET
add action=accept chain=forward connection-state=established,related

/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=INTERNET
add action=masquerade chain=srcnat comment="CCR -> Huawei UI" dst-address=192.168.100.0/24 out-interface=ether10 src-address=10.0.0.0/8
add action=dst-nat chain=dstnat disabled=yes dst-port=8161 protocol=udp to-ports=161
add action=dst-nat chain=dstnat disabled=yes dst-port=53 in-interface=Bridge protocol=tcp src-address=!192.168.10.210 to-addresses=192.168.10.210
add action=dst-nat chain=dstnat disabled=yes dst-port=53 in-interface=Bridge protocol=udp src-address=!192.168.10.210 to-addresses=192.168.10.210

/ip firewall raw
add action=drop chain=prerouting comment="Block AppleTV from Gemini NAS via WG" disabled=yes dst-address=10.0.1.3 src-address=192.168.10.101

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip route
add disabled=no dst-address=10.0.0.0/8 gateway=192.168.18.2 routing-table=main

/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ipv6 firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmpv6
add action=drop chain=input in-interface=ether10
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward protocol=icmpv6
add action=drop chain=forward in-interface=ether10

/ipv6 nd
set [ find default=yes ] advertise-dns=yes

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Bratislava

/system identity
set name=RB4011

/system leds
add interface=wlan2 leds="wlan1_signal1-led,wlan1_signal2-led,wlan1_signal3-led,wlan1_signal4-led,wlan1_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan1_tx-led type=interface-transmit
add interface=wlan2 leds=wlan1_rx-led type=interface-receive

/system logging
add disabled=yes topics=caps
add disabled=yes topics=interface
add disabled=yes topics=wireless
add topics=interface,info

/system note
set note="AA:BB:CC:DD:EE:10 - ether3" show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
add address=sk.pool.ntp.org
add address=pool.ntp.org
add address=europe.pool.ntp.org

I assume you have a static ARP entry for the Huawei upstream router. Why do so if you 1) have ARP enabled on the interface and 2) use a DHCP client on that interface?

add action=masquerade chain=srcnat out-interface-list=INTERNET
add action=masquerade chain=srcnat comment="CCR -> Huawei UI" dst-address=192.168.100.0/24 out-interface=ether10 src-address=10.0.0.0/8

That also looks weird since the 1st rule implies the 2nd.

Also, your firewall is a mess.

Multiple action=accept chain=output rules without any action=drop in this chain. Why? There is no implicit drop by default, unless you add it.

Thank you Dartmaul! The 2nd rule is just for me to be able to access the Huawei UI from outside of the network. Yes, it is probably a mess, but it worked in this state for more than a year. Do you insist it affects the described problem? What's your recommended workaround then?

It is hard to tell what exactly is causing the problem you've described, especially considering that messy config, but I would certainly deal with ARP and either disable it on eth10 (which would require a static binding on the Huawei side as well), or delete the static binding on the RB.

Also, I would start investigating this issue from this point:

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

Since you're fast-tracking forwarded traffic, this rule pretty much expels clients' traffic from most of your filter rule table.

Ideally, I would wipe that firewall section entirely and rebuild it from scratch.


Thanks again, Dartmaul... you got me thinking and I took a stab at simplifying the rules... an interesting one with fasttrack:

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; DNS to remote Pihole
chain=forward action=accept protocol=udp src-address=192.168.10.0/24 dst-address=10.0.1.200 dst-port=53

2 ;;; DNS to remote Pihole
chain=forward action=accept protocol=tcp src-address=192.168.10.0/24 dst-address=10.0.1.200 dst-port=53

3 ;;; fasttrack: established,related
chain=forward action=fasttrack-connection connection-state=established,related

4 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""

5 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

6 ;;; WireGuard
chain=input action=accept protocol=udp dst-port=13232 log=no log-prefix=""

7 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""

8 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

9 ;;; CCR -> Huawei
chain=forward action=accept in-interface=wg_poruba out-interface=ether10 log=no log-prefix=""

10 ;;; Huawei -> CCR
chain=forward action=accept in-interface=ether10 out-interface=wg_poruba log=no log-prefix=""

11 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=INTERNET log=no log-prefix=""

12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

13 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=INTERNET log=no log-prefix=""

14 chain=forward action=accept in-interface-list=LAN out-interface-list=INTERNET log=no log-prefix=""

Regarding the above:

Rules 1, 2 and 14 do nothing, as all traffic is permitted by default and there is no chain=forward action=drop rule that would otherwise block previously permitted traffic.

Rule 9, in addition to the previous statement, is questionable, since WG is policy based and has its own permit list declared here: /interface wireguard peers add allowed-address=10.0.0.0/8,192.168.18.0/24

Rule 10, in addition to the previous statements, makes no sense at all, since you're trying to permit traffic coming from the upstream port that is covered by NAT.

At this point I’d suggest to refer to some manuals before proceeding. This might be a good point to start.

P.S.

Rules 1 and 2 look like you've tried to redirect DNS requests towards your Pi-hole server (I doubt you need TCP 53 for that, though). If so, it should be a NAT rule and not a filter rule, which looks like this:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Map_DNS dst-port=53 protocol=udp src-address=192.168.10.0/24 to-addresses=10.0.1.200

Also, since you're running a DHCP server as well, it would be much easier (and more reasonable) to just declare the Pi-hole address as the DNS server. This can be done under the /ip/dhcp-server/network menu.

Generally, since you've mentioned that the Huawei router cannot be set up as a bridge, I assume that you don't really need that double-NAT topology. So maybe it would be better to configure the RB as a bridge instead, or even consider replacing the Huawei router entirely with, for example, a PON SFP.
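Dartmaul's advice in the two replies above (drop the static ARP binding, put fasttrack at the top of the forward chain, give the forward chain a terminal drop so the accept rules actually decide something, and do DNS redirection as NAT rather than filter) collected into one pasteable RouterOS 7 configuration. This is an added example written for this page, not configuration from either poster. It reuses the names from the posted export (ether10, the LAN and INTERNET interface lists, wg_poruba, the Pi-hole at 10.0.1.200, WireGuard listen port 13232) and assumes the Pi-hole is reached over wg_poruba, as the existing route for 10.0.0.0/8 implies. The SNMP, IPsec/L2TP and tcp/80 openings from the original export are deliberately left out; add back only what you still use.

```routeros
# Added example (not the posters' configuration). Apply from a LAN-side
# session: the final input drop cuts any session not matched by an accept
# above it, so a session arriving via ether10 would lose access.

# 1. Remove the static ARP binding for the Huawei gateway. ether10 keeps
#    arp=enabled, so the DHCP client learns the gateway MAC dynamically.
/ip arp remove [find address=192.168.100.1 interface=ether10]

# 2. Filter: wipe and rebuild.
/ip firewall filter remove [find]
/ip firewall filter

# --- input: packets addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept protocol=udp dst-port=13232 \
    in-interface-list=INTERNET comment="WireGuard wg_poruba listener"
add chain=input action=accept in-interface-list=LAN comment="management from LAN"
add chain=input action=drop comment="drop everything else"

# --- forward: packets routed through the router ---
# Fasttrack first. Once a connection is fasttracked its later packets skip
# the rest of this chain, so every rule below only ever sees the first
# packet of a connection (connection-state=new) or an invalid one.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established,related"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=INTERNET \
    comment="LAN (incl. wg_poruba) -> Internet and Huawei UI"
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN \
    comment="Bridge <-> wg_poruba (both are LAN list members)"
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface-list=INTERNET comment="inbound only when dst-natted"
# Terminal drop: without it every accept above would be a no-op.
add chain=forward action=drop comment="drop everything else"

# 3. NAT: one masquerade covers 192.168.100.0/24 as well, because ether10
#    is in the INTERNET list; the DNS redirect is a dst-nat, not a filter.
/ip firewall nat remove [find]
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=INTERNET \
    comment="masquerade towards Huawei"
add chain=dstnat action=dst-nat protocol=udp dst-port=53 \
    src-address=192.168.10.0/24 dst-address=!10.0.1.200 \
    to-addresses=10.0.1.200 comment="Map_DNS: force LAN DNS to Pi-hole"
```

After applying, watch `/ip firewall filter print stats` while clients browse: a forward accept whose counter never moves is still dead, and `/ip firewall connection print` marks fasttracked flows with the F flag, which is exactly the traffic the filter table no longer sees. No output-chain rules are included because, as noted earlier in the thread, without a drop in that chain an accept there matches nothing that would otherwise be blocked. Add a tcp/53 twin of Map_DNS only if your clients actually fall back to TCP.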