RB912R-2nD-LTm&EC200A-EU LTE inbound traffic not working unless outbound traffic first

Setup

  • Mikrotik LTAP Mini - RB912R-2nD-LTm&EC200A-EU - issue replicated across multiple devices
  • RouterOS 7.12.2 & 7.16.1
  • Quectel EC200A-EU LTE modem - FW: EC200AEUHAR01A12M16 & EC200AEUHAR01A19M16
  • The LTE card provides the WAN/internet connection on a private APN
  • Firewall rules allow all inbound on the LTE interface
  • Computer connected to the LAN port for debugging

Issue
Inbound traffic to the Mikrotik on its LTE WAN interface never reaches the device until outbound traffic is sent. E.g., an SSH connection to the Mikrotik results in a “connection refused” response until a ping to an external WAN address is made from the Mikrotik.

The issue reappears after a few minutes of no outbound traffic on the WAN interface.

Pinging the LTE interface of the Mikrotik from an external WAN device always worked, even when other traffic like SSH did not. I believe the LTE modem itself was responding to the pings. A packet capture revealed that the Mikrotik didn’t receive the ping packets until an outbound ping was performed.

On boot-up, this issue presented itself as a delayed connection to SSH, but a packet capture revealed that the Mikrotik makes a DNS query to cloud2.mikrotik.com after a few minutes, which temporarily fixed the issue. After disabling this, an SSH connection to the Mikrotik from an external WAN device was never possible.

To diagnose this issue, I had to create firewall rules to block LAN-to-WAN traffic and outbound WAN DNS, to prevent that outbound traffic from the router.

Running “AT+QIACT?” on the modem itself showed it has an active PDP context with the correct WAN IP address, and the modem also reports it’s correctly connected to the 4G network. Not sure if this is important, but it might provide some extra info.

This issue completely disappeared when the EC200A-EU was replaced with an EC25-AU. The router configuration was left unchanged.

Config

# 2024-10-17 14:02:36 by RouterOS 7.16.1
# software id = **ELIDED**
#
# model = RB912R-2nD
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik-4E82B7 wireless-protocol=802.11
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" sms-protocol=auto sms-read=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=test.co.nz use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.99
/port
set 0 name=serial0
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow remote access ssh" dst-port=22 in-interface=lte1 protocol=tcp
add action=accept chain=input comment="allow remote access https" dst-port=443 in-interface=lte1 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set www-ssl certificate=ssl-web-mgmt disabled=no
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Pacific/Auckland
/system gps
set port=serial0 set-system-time=no
/system leds
set 2 interface=lte1 type=interface-status
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add interval=1d name=reboot7am on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2024-01-01 start-time=07:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Help
Curious if I am doing something wrong or if this is an issue with RouterOS & this specific Quectel card. Any help would be much appreciated.
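As an added example, not part of the original post and not MikroTik's or Quectel's own code: the post observes that any outbound traffic from the router (a ping, the cloud2.mikrotik.com DNS query) temporarily restores inbound reachability on lte1, and that it stalls again after a few minutes of WAN silence. A RouterOS script run from the scheduler can generate that outbound traffic deliberately and log the result, which keeps the inbound path open and at the same time gives a heartbeat to alert on if the LTE link stops answering. The script and scheduler name (lte-keepalive), the probe target 1.1.1.1 (picked because it is already one of the DNS servers in the config above) and the 1-minute interval are assumptions; this masks the modem behaviour rather than fixing it.

```routeros
# Added example, not from the original post: periodic outbound probe on lte1
# so inbound traffic is not stalled after a few minutes of WAN silence.
# The name lte-keepalive, the target 1.1.1.1 and the 1m interval are assumptions.

# 1) Script body. Save it under /system script as name=lte-keepalive
#    with policy=read,write,test (the "test" policy is required for /ping).
:local iface "lte1"
:local target "1.1.1.1"

# Only probe while the LTE interface is actually running, so the log is not
# flooded while the modem is still attaching (e.g. right after the 07:00 reboot).
:if ([/interface get [find name=$iface] running]) do={
    # /ping returns the number of echo replies received
    :local replies [/ping $target interface=$iface count=3 interval=1s]
    :if ($replies = 0) do={
        # No reply: the link is up but not passing traffic; worth alerting on
        :log warning ("lte-keepalive: no reply from " . $target . " via " . $iface)
    } else={
        :log debug ("lte-keepalive: " . $replies . "/3 replies from " . $target)
    }
}

# 2) Run the script every minute from boot. Assumption: 1m is comfortably
#    shorter than the "few minutes" of silence after which inbound stalls.
/system scheduler add name=lte-keepalive interval=1m start-time=startup \
    policy=read,write,test on-event="/system script run lte-keepalive"
```

With the firewall rules that block LAN-to-WAN and outbound DNS still in place, this script is the only source of outbound traffic on lte1, so if inbound SSH from the external WAN device stays reachable while it runs and stalls again once the scheduler is disabled, that isolates the cause to the modem's handling of the idle PDP context rather than to the RouterOS filter rules.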