RB4011 managed system drops internet for some reason

Hello, Everyone!

I’m trying to fix some nasty glitch I’m having with a couple of customers of mine. The whole matter comes down to the connected nodes losing internet at some point in time, for both CAPsMAN wireless and the hardwired Ethernet. Meanwhile, if I try the terminal/Winbox on the RB4011, it still pings Google’s DNS. Something tells me I’m missing out on some small but important detail. If I reboot the RB4011 it gets fixed immediately. I spent hours trying to catch that bug. Really need your help here.

Here’s the configuration I’m running:

# aug/09/2021 13:54:39 by RouterOS 6.46.8
# software id = 4UR7-DKL5
#
# model = RB4011iGS+
# serial number = F0270E36XXXX
/interface bridge
add admin-mac=2C:C8:1B:31:XX:XX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan20_guest vlan-id=20
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
    defaultNetwork
add bridge=bridge client-to-client-forwarding=no local-forwarding=no name=\
    guestNetwork vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=\
    aes-ccm group-key-update=5m name=defaultSecurity passphrase=XXXXXX
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=\
    aes-ccm group-key-update=5m name=guest passphrase=XXXXXX
/caps-man configuration
add datapath=defaultNetwork datapath.bridge=bridge hide-ssid=no installation=\
    indoor mode=ap name=defaultNetwork_2.4G security=defaultSecurity ssid=\
    CalmWater
add datapath=defaultNetwork datapath.bridge=bridge hide-ssid=no installation=\
    indoor mode=ap name=defaultNetwork_5G security=defaultSecurity ssid=\
    CalmWater-5G
add datapath=guestNetwork datapath.bridge=bridge \
    datapath.client-to-client-forwarding=no datapath.local-forwarding=no \
    hide-ssid=no installation=indoor mode=ap name=guest_2.4G security=guest \
    ssid=CalmWaterGuest
add datapath=guestNetwork datapath.bridge=bridge \
    datapath.client-to-client-forwarding=no datapath.local-forwarding=no \
    hide-ssid=no installation=indoor mode=ap name=guest_5G security=guest ssid=\
    CalmWaterGuest-5G
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add
add name=1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.1.0-10.0.1.254
add name=dhcp_pool2 ranges=10.20.30.2-10.20.30.126
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan20_guest name=dhcp1
/interface ovpn-client
add add-default-route=yes certificate=cert_export_SGT-CA.crt_0 connect-to=\
    b86809xxxxxx.sn.mynetname.net mac-address=02:D6:6B:91:XX:XX name=\
    mothershipUplink password=XXXXXX profile=default-encryption user=\
    72PembertonPrime
/caps-man access-list
add action=accept allow-signal-out-of-range=1s disabled=no interface=all \
    signal-range=-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=1s disabled=no interface=all \
    signal-range=-120..-81 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=defaultNetwork_2.4G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_2.4G
add action=create-dynamic-enabled master-configuration=defaultNetwork_5G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_5G
add action=create-dynamic-enabled master-configuration=defaultNetwork_2.4G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_2.4G
add action=create-dynamic-enabled master-configuration=defaultNetwork_5G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_5G
add action=create-dynamic-enabled master-configuration=defaultNetwork_2.4G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_2.4G
add action=create-dynamic-enabled master-configuration=defaultNetwork_5G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_5G
add action=create-dynamic-enabled master-configuration=defaultNetwork_2.4G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_2.4G
add action=create-dynamic-enabled master-configuration=defaultNetwork_5G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_5G
add action=create-dynamic-enabled master-configuration=defaultNetwork_2.4G \
    name-format=identity radio-mac=08:55:31:D8:XX:XX slave-configurations=\
    guest_2.4G
add action=create-dynamic-enabled master-configuration=defaultNetwork_5G \
    name-format=identity radio-mac=08:55:31:D8:XX:XX slave-configurations=\
    guest_5G
add action=create-dynamic-enabled master-configuration=defaultNetwork_2.4G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_2.4G
add action=create-dynamic-enabled master-configuration=defaultNetwork_5G \
    name-format=identity radio-mac=08:55:31:80:XX:XX slave-configurations=\
    guest_5G
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.0.0.1/23 comment=defconf interface=bridge network=10.0.0.0
add address=10.20.30.1/25 interface=vlan20_guest network=10.20.30.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.1.253 client-id=1:c0:51:7e:31:xx:xx comment=CCTV_NVR \
    mac-address=C0:51:7E:31:XX:XX server=defconf
add address=10.0.1.249 client-id=1:8:55:31:91:xx:xx comment=72PembertonSwitch \
    mac-address=08:55:31:91:XX:XX server=defconf
add address=10.0.1.247 client-id=1:8:55:31:80:xx:xx comment=\
    72PembertonBsmtWestAP mac-address=08:55:31:80:XX:XX server=defconf
add address=10.0.1.244 client-id=1:8:55:31:80:xx:xx comment=\
    72PembertonBsmtCentreAP mac-address=08:55:31:80:XX:XX server=defconf
add address=10.0.1.243 client-id=1:8:55:31:80:xx:xx comment=\
    72PembertonBsmtCentreAP mac-address=08:55:31:80:XX:XX server=defconf
add address=10.0.1.241 client-id=1:8:55:31:80:xx:xx comment=\
    72PembertonMainFloorEastAP mac-address=08:55:31:80:XX:XX server=defconf
add address=10.0.1.240 client-id=1:8:55:31:80:xx:xx comment=\
    72PembertonMainFloorWestAP mac-address=08:55:31:80:XX:XX server=defconf
add address=10.0.1.239 client-id=1:8:55:31:d8:xx:xx comment=\
    72PembertonExteriorAP mac-address=08:55:31:D8:XX:XX server=defconf
add address=10.0.1.245 client-id=1:8:55:31:80:xx:xx comment=\
    72PembertonBsmtEastAP mac-address=08:55:31:80:XX:XX server=defconf
/ip dhcp-server network
add address=10.0.0.0/23 comment=defconf gateway=10.0.0.1 netmask=23
add address=10.20.30.0/25 gateway=10.20.30.1
/ip dns
set allow-remote-requests=yes servers=600:ff08:8802:0:100:8:808:404
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=mothershipUplink
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface=ether1 out-interface-list=WAN src-address=\
    10.0.0.0/23
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    ether1 out-interface-list=WAN src-address=10.20.30.0/25
/ip route
add distance=1 dst-address=4.4.4.0/23 gateway=mothershipUplink
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=72PembertonPrime
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I sincerely appreciate any input on this one!
Cheers!

CAPsMAN I know nothing about, and would say: turn it off and then see if the problem occurs, as a very basic troubleshooting step.

The other thing is you have a VLAN assigned to the bridge, and I don’t know why, because it’s not assigned to any bridge ports etc…

Hey, Anav!

Thanks for your reply.

Well, I have vlan20 assigned to the main bridge to have its own separate DHCP server, router address, etc. From there I use it with the CAPsMAN “guest” datapath through hardware offload on the bridge.

CAPsMAN shouldn’t be an issue, since I have all the local traffic routed with no problem; it’s only the internet uplink that gives me the headache.

May I kindly ask how you prefer configuring VLANs without assignment to a primary bridge?

Thank you!

When I assign them to a bridge, it is for the purpose of sending out the vlans one or more on trunk ports and a single one for access ports…

Thank you.
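As an added illustration of the trunk/access layout described above (example configuration written for this thread, not from the original post or from the poster): the bridge name and VLAN 20 are taken from the thread’s config; ether2 as the trunk port and ether3 as the access port are assumed roles, not the poster’s actual cabling.

```routeros
# Added example: bridge VLAN filtering with one trunk and one access port
# (assumed port roles: ether2 = trunk, ether3 = access port for VLAN 20)
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
# trunk: carries VLAN 20 tagged; untagged frames are dropped on ingress
add bridge=bridge interface=ether2 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# access: untagged frames from the client are placed into VLAN 20 (pvid)
add bridge=bridge interface=ether3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
# VLAN 20 leaves tagged toward the trunk and the router CPU ("bridge"),
# and untagged toward the access port
add bridge=bridge tagged=bridge,ether2 untagged=ether3 vlan-ids=20
/interface vlan
# the router's own L3 presence in VLAN 20 (same name as the thread's config)
add interface=bridge name=vlan20_guest vlan-id=20
```

The ingress-filtering and frame-types settings are what keep a client on the access port from injecting its own 802.1Q tags to hop into another VLAN; without them the port accepts any tag it receives. Apply this kind of change from Safe Mode, because turning on vlan-filtering on a bridge you manage through can cut off your own session.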

That’s exactly what I’m doing, with the exception that it’s working right inside the RB4011, exclusively for the slave config of CAPsMAN. Hence, I don’t have any physical trunk on the bridge, as the tagged traffic never leaves the physical router. Still, one of my CAPsMAN datapaths uses the “20” VLAN tag. That’s for the “guest network” traffic to remain on a separate broadcast domain.

I’m almost sure it shouldn’t be the root of it.

Something strange on the interface list; remove the two parasites at the end:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add
add name=1

Fair call, my friend.
I got those interface lists removed.

I’m still a bit puzzled, though, how those lists could be screwing with the NAT.

The thing is it may work fine for days, and then for no obvious reason the connected clients lose internet, while the router itself stays connected.

Another thing is that I have that OVPN client interface, which I use for remote service, in the sense that it connects to my office router’s OpenVPN server and therefore I can access the connected device from the office. Maybe that’s the reason for this issue. But I’m not putting it on any of the lists, so it shouldn’t mingle with the internet uplink.

Ok!

After testing with PRTG monitor I found out that one of my access points was running a DHCP server. Obviously it was messing with the proper DHCP.

Consider this thread closed.

Thanks everyone!
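The root cause turned out to be a second DHCP server on the LAN. RouterOS can watch for that itself, so here is an added example (written for this thread, not the poster’s configuration) using the router’s own DHCP alert feature; the interface names come from the thread’s config, and the valid-server MAC is the bridge admin-mac from the export with its masked octets left as the placeholder XX, to be replaced with the real address.

```routeros
# Added example: have the RB4011 flag any DHCP server other than its own.
# valid-server = MAC of the legitimate DHCP server on that segment (here the
# bridge admin-mac from the thread; XX octets are a placeholder to fill in).
/ip dhcp-server alert
add interface=bridge valid-server=2C:C8:1B:31:XX:XX alert-timeout=1h
# the guest VLAN has its own DHCP server (dhcp1), so watch it as well
add interface=vlan20_guest valid-server=2C:C8:1B:31:XX:XX alert-timeout=1h
```

Any DHCP server seen on those interfaces that is not in valid-server is written to the log and shown by /ip dhcp-server alert print, which would have pointed at the misbehaving access point long before the symptom of "clients lose internet, router is fine" needed hours of chasing. The alert-timeout controls how long a detected server stays listed before it is forgotten.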