rsalmar
December 31, 2022, 9:42am
1
When I reboot my RB5009 (v7.6) it attempts to use DoH and gets stuck, unable to reach the server, with the following error.
DoH server connection error: Network unreachable
Sometimes it works after a small number of errors; I imagine it eventually manages to connect. However it usually takes 10+ reboots for this to work. I’ve read of other problems with DoH, but apart from the reboot issue I have had DoH working on NextDNS without issue (and really like the NextDNS service).
I can’t see the error logs for the previous reboots, so I am so far assuming this is related.
If this is the case, is it possible that the router fails to use the default DNS server provided to resolve the NextDNS server?
rsalmar
December 31, 2022, 10:33am
2
I removed DoH and the router still hangs on reboot. Totally lost now. I must admit that after 12 years with Mikrotik today I surrendered and ordered Omada kit.
Lol…thanks for informing us. Hope this other vendor will solve your problem.
Btw, if you share your current config (minus all personal info) we can have a look at it.
rsalmar
December 31, 2022, 12:47pm
4
Wasn’t a moan, apologies if it sounded like that. Between poor WiFi performance and the router issues, I gave up. Maybe I’ll try the other and return it, who knows. I’ll put up the config but it’s very vanilla. Running on an hAP ac³ without issue. I’ll post the config here after New Year.
rsalmar
December 31, 2022, 1:26pm
5
Here’s the configuration… help appreciated!
# dec/31/2022 14:20:45 by RouterOS 7.6
# model = RB5009UG+S+
# NOTE(review): export as posted in the thread; review remarks are added as
# "NOTE(review)" comments only, no lines below were changed. Sensitive values
# (admin-mac is partially redacted, no WPA passphrases appear) are not in this
# export, so their presence and strength cannot be assessed from here.
/caps-man channel
add band=5ghz-onlyac name=5Ghz reselect-interval=1h
add band=2ghz-g/n name=2.4Ghz reselect-interval=1h
/interface bridge
add admin-mac=2C:... auto-mac=no comment=defconf name=bridge
add name=guest-bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full speed=1Gbps
/caps-man datapath
add bridge=bridge client-to-client-forwarding=no local-forwarding=yes name=\
MyRouter-Datapath
add bridge=guest-bridge client-to-client-forwarding=no local-forwarding=no \
name=MyRouter-Guest-Datapath
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=MyRouter-Security
add authentication-types=wpa2-psk encryption=aes-ccm name=\
MyRouter-Guest-Security
# NOTE(review): both security profiles are wpa2-psk but show no passphrase in
# this export (either hidden or removed before posting); confirm a passphrase is
# set on each, and that the guest profile does not reuse the main one.
/caps-man configuration
add channel=5Ghz channel.skip-dfs-channels=no country=spain datapath=\
MyRouter-Datapath mode=ap name="MyRouter (5Ghz Only)" security=\
MyRouter-Security ssid=MyRouter
add channel=5Ghz channel.skip-dfs-channels=no country=spain datapath=\
MyRouter-Datapath mode=ap name=MyRouter-5Ghz security=MyRouter-Security ssid=\
MyRouter-5Ghz
add channel=2.4Ghz country=spain datapath=MyRouter-Datapath mode=ap name=\
"MyRouter (2.4Ghz Only)" security=MyRouter-Security ssid=MyRouter
add channel=2.4Ghz country=spain datapath=MyRouter-Guest-Datapath mode=ap name=\
"MyRouter Guest (2.4Ghz Only)" security=MyRouter-Guest-Security ssid=\
MyRouterGuest
/interface list
add name=WAN
add name=LAN
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan-pool ranges=192.168.1.64-192.168.1.254
add name=guest-pool ranges=192.168.2.16-192.168.2.254
/ip dhcp-server
add address-pool=lan-pool interface=bridge name=lan-dhcp
add address-pool=guest-pool interface=guest-bridge name=guest-dhcp
/caps-man access-list
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=\
no disabled=no signal-range=-81..120 ssid-regexp="" time=\
0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=\
-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
"MyRouter (2.4Ghz Only)" name-format=prefix-identity name-prefix=MyRouter \
slave-configurations="MyRouter Guest (2.4Ghz Only)"
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
"MyRouter (5Ghz Only)" name-format=prefix-identity name-prefix=MyRouter \
slave-configurations=MyRouter-5Ghz
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
# NOTE(review): "*2000014" is an internal object ID rather than a list name,
# which usually means the list it pointed to was deleted and recreated (the
# "discover" list defined above is presumably the intended target). Check with
# "/ip neighbor discovery-settings print" and re-point it to a named list.
/ip neighbor discovery-settings
set discover-interface-list=*2000014
# NOTE(review): detect-internet manages the lan-/wan-interface-list membership
# dynamically; with detect-interface-list=all this includes ether1 and both
# bridges, so its effect on the static LAN/WAN membership below is worth
# verifying ("/interface list member print" shows dynamic entries).
/interface detect-internet
set detect-interface-list=all lan-interface-list=LAN wan-interface-list=WAN
# NOTE(review): ether1 is a member of BOTH WAN and LAN (the two "defconf" lines
# below). Everything in this config that trusts the LAN list then also trusts
# the WAN port: the input rule "drop all not coming from LAN"
# (in-interface-list=!LAN) no longer drops traffic arriving on ether1, the
# mac-server / mac-winbox allowed-interface-list=LAN admit ether1, and with
# /ip dns allow-remote-requests=yes the router appears to answer DNS from the
# WAN side (an open resolver). Management services are then reachable from the
# internet. Removing the "interface=ether1 list=LAN" entry restores the
# intended boundary. The per-port ether2..ether8 LAN entries are redundant
# with the bridge entry (they are bridge ports) but harmless. guest-bridge in
# LAN also gives guest clients access to the router's input chain; see the
# firewall notes below.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=ether1 list=LAN
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=bridge list=discover
add interface=guest-bridge list=discover
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=guest-bridge list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.2.1/24 interface=guest-bridge network=192.168.2.0
# NOTE(review): cloud DDNS publishes the WAN address under a MikroTik cloud
# name; harmless in itself, but it matters while management is reachable from
# the WAN (see interface list note above).
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
# NOTE(review): allow-remote-requests=yes is required here because both DHCP
# networks hand out the router as DNS server, so exposure is governed entirely
# by the input chain. Upstream resolution is plain UDP/53 to the two servers
# listed; the DoH setup discussed in the thread is not present in this export
# (post 2 says it was removed).
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
45.90.28.0,45.90.30.0
# NOTE(review): the first rule (disabled) would cut guest clients off from the
# DNS/DHCP the router itself provides, which is why its comment says external
# access fails. A narrower alternative is to accept only what the guest network
# needs from the router and drop the rest, e.g.
#   add action=accept chain=input src-address=192.168.2.0/24 protocol=udp dst-port=53,67
#   add action=drop chain=input src-address=192.168.2.0/24
# placed before the generic accept rules. As exported, guest clients reach the
# router's management services because guest-bridge is in LAN and this drop is
# disabled.
/ip firewall filter
add action=drop chain=input comment="Drop requests from guest network to route\
r - stops ALL traffic, so external access fails" disabled=yes \
src-address=192.168.2.0/24
add action=drop chain=forward comment=\
"Drop guest network requests to main network" dst-address=192.168.1.0/24 \
src-address=192.168.2.0/24
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=\
192.168.1.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this DNS intercept has no in-interface / src-address match, so
# it rewrites UDP/53 arriving on every interface, including ether1 and
# guest-bridge, to the router's own 192.168.1.1 (which the input chain then
# accepts, see interface list note). Restrict it to the inside, e.g.
# "in-interface=bridge" or, once ether1 is out of LAN, "in-interface-list=LAN".
# Only UDP is matched; DNS over TCP from clients passes through un-redirected.
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=\
192.168.1.1 to-ports=53
/ip firewall service-port
set ftp disabled=yes
# NOTE(review): only ftp is disabled. The export lists non-default settings
# only, so the other services (telnet, www, api, api-ssl, ssh, winbox) are
# presumably at their defaults with no "address=" restriction; with ether1 in
# LAN they are reachable from the WAN. Disabling unused ones and setting
# "address=192.168.1.0/24" on the rest is the usual hardening.
/ip service
set ftp disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name="MikroTik RB5009UG"
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
# NOTE(review): both MAC-level servers are limited to the LAN list, which is
# correct in intent, but that list currently contains ether1 (see above), so
# MAC-telnet and MAC-winbox are also reachable on the WAN port.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN