Router blocks communication

I just bought a router based on a recommendation from the people who installed my system in the house (two APs).

After switching routers there is one thing that doesn’t work, and it seems to be a common problem.
In Sweden we have a brand called “Plejd”, which is a smart-home lighting producer.
They have a gateway so that I can control my lights when away.
Now with the new router, the gateway can’t make contact with their cloud, and they don’t know exactly how to fix this.
I know it might be hard, but I’m trying to find some answers where the experts are :)

Typically, not much outgoing traffic gets blocked, unless you (or someone else) changed it.

What type of router are you using and what does the config look like?
How is that Plejd device connected to your network?

It’s a hEx RB750Gr, if that means anything. I haven’t changed anything, so I’m not exactly sure if it’s configured correctly, but as everything else works it can’t be that bad.

The Plejd-gateway is connected directly to the router with a cable.

Fiber comes into the house directly to the router, and then Wi-Fi goes out via 2 APs.

Have you tried connecting the Plejd gateway to a different Ethernet port?

No, but I also have a switch and moved it from the switch to the router without any difference.
It’s something that these routers do that this gateway doesn’t like. I can see it’s connected and that there is activity, but something makes it not connect to their cloud.

Most likely some incoming connection is being blocked. But then you need to know which one.
If you set the gateway to a fixed IP, you can add a firewall rule for that IP and log all activity. Gradually open ports as you see them being logged.
That should allow you to determine what is needed.

Another option:
Disconnect the port the gateway is connected to from the bridge and put it in a DMZ, connected straight to the WAN.
But personally I am not a fan of doing that.
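One way to carry out the logging approach above on the hEx, as an added example that is not part of the original post. The LAN address 192.168.88.50, the MAC address and the lease comment are placeholders (the poster's real addresses are redacted), and the rules are diagnostic only, to be removed afterwards:

```routeros
# Added example: pin the Plejd gateway to a fixed address and log every
# new connection it opens, so the destinations and ports it needs show up
# in the router log. 192.168.88.50 and the MAC are assumed placeholders.

# 1. Static DHCP lease so the gateway always gets the same LAN address
/ip dhcp-server lease add server=defconf mac-address=XX:XX:XX:XX:XX:XX \
    address=192.168.88.50 comment="Plejd GWY-01"

# 2. Log new outbound connections from that address. action=log does not
#    terminate rule processing, so the packet still hits the defconf rules.
#    place-before=0 puts it ahead of the fasttrack/accept rules.
/ip firewall filter add chain=forward src-address=192.168.88.50 \
    connection-state=new action=log log-prefix="plejd-out" place-before=0

# 3. Log traffic aimed at the router itself (e.g. DNS queries to the
#    router's resolver), to see whether it relies on the router for DNS.
/ip firewall filter add chain=input src-address=192.168.88.50 \
    connection-state=new action=log log-prefix="plejd-in" place-before=0

# 4. Power-cycle the gateway, then read the log. Each entry shows the
#    protocol and src:port->dst:port, which is what any allow rule needs.
/log print where message~"plejd-"

# 5. Remove the diagnostic rules once the required flows are known
/ip firewall filter remove [ find log-prefix~"plejd-" ]
```

With the posted defconf nothing from LAN to WAN is dropped in the forward chain, so if the log shows the SYNs leaving but no reply ever arrives, the problem is upstream of the firewall (DNS or the ISP), not a blocked port.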

The only way to (maybe) find a solution or a workaround is to have a look at your configuration.

Follow this:
http://forum.mikrotik.com/t/forum-rules/173010/1

to retrieve and post the configuration.

Do you know which IP address(es), ports and protocols this Plejd device uses?
Is it this thingy here?
GWY-01 Gateway
https://plejd.com/products/GWY-01
The manual seems particularly void of technical info; there is, on the installer page:
https://plejd.com/installer
a rather interesting statement:

Outstanding support

With our knowledgeable support of experienced and trained electricians, you will always get the help you need, when you need it. We develop all our products in-house and have the necessary expertise close at hand to assist with optimal support in all different cases, from simple questions to technical support and advice.

though it remains to be seen whether it applies only to installers and you as the “final” user will be excluded.

From other sources, it seems like it wants to talk with https://cloud.plejd.com/ but without knowing if it uses a particular service or port it will be difficult to find which (if any) firewall rule blocks it.

The thingy has a solid yellow light (meaning it cannot connect) right?

Thank you for the info.
I will try to get this file and post here.

You’re correct with the yellow light.
The electricians and support at Plejd don’t know what causes this problem. I’ve read somewhere about certain ports that have to be open, but others say this is not the case.

Looking around for answers on the internet.
Some suggestions are that IPv6 might need to be enabled. Could this be it? How do I enable that (for testing)?

Here it says: https://plejd.com/contact

When GWY-01 has a solid yellow light, it means that it is installed, but that it currently has no connection to Plejd’s cloud. See the app for troubleshooting to identify which link in the chain is failing

Have you already used the app for troubleshooting as advised there?

Yes. Doesn’t find anything unfortunately (more than the info that the Gateway can’t reach the servers of Plejd).

My config:

# jan/29/2024 11:11:49 by RouterOS 6.49.12
# software id = BHVS-Z3WR
# model = RB750Gr3
# serial number = HE108HAFC5B
/interface bridge
add admin-mac=** auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=**
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=** comment=defconf interface=bridge network=**
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=** comment=defconf gateway=**
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=** comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The first thing I would try is to add a DNS server; a Google one, 8.8.8.8 and/or 8.8.4.4, would do:

/ip dns set servers=8.8.8.8,8.8.4.4

It is possible that the thingy needs to resolve its https://cloud.plejd.com/ via a DNS server on the gateway.

To check if the DNS is working (on the hex) run from terminal:

put [:resolve google.com]
put [:resolve plejd.com]

I’ve tried the DNS-checking (without adding DNS). But what should the result be?

Is it possible to remove the DNS if it doesn’t help?

I have no idea how that thingy works.

Normally, a device needs a DNS server explicitly set to be able to resolve names; if there isn’t any set, it looks for one on the gateway.

On the mikrotik, the:

put [:resolve google.com]

should return an IP address, like when you run nslookup on Windows, something like 216.58.204.238.

But it is quite possible that your Plejd device has a DNS server hardcoded, so that whatever you set on the hEx is ignored.

Sure, you can remove them:

/ip dns set servers=""

You should see IP address on the terminal:

[user@router] > put [:resolve cloud.plejd.com ]
52.209.92.67

If you get nothing, then DNS resolver on your mikrotik doesn’t work.

Even more … if you didn’t redact too much, then you have

/ip dhcp-server network
add address=** comment=defconf gateway=**

which is missing the dns-server setting … I’m not sure if ROS uses some fallback (I suspect it doesn’t) by adding its own address if no DNS servers are included. But you really should add at least two DNS servers here; in most cases you can use some well-known public DNS servers (such as 8.8.8.8 or 8.8.4.4 - Google - or 1.1.1.1 - Cloudflare).

In addition to that, you should check if your ISP sends DNS servers with DHCP leases. Execute /ip/dns/print; DNS servers included in the DHCP lease will be listed under dynamic-servers. You don’t seem to have servers set statically, and if the DHCP lease doesn’t come with its own servers, then the router can’t resolve anything either. If this is the case, then set at least one DNS server here as well, e.g.

/ip/dns
set servers=8.8.8.8

or something similar.

Note that settings in /ip/dns only matter for client devices if the router is set as DNS resolver in DHCP leases (or in the static config on clients), e.g. if the /ip/dhcp-server/network settings include dns-server=<router’s LAN IP>.
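The two DNS settings discussed above, applied to the posted defconf as an added example that is not part of the original post. 192.168.88.1 stands in for the router's LAN address, which is redacted in the export, and the upstream resolvers are the public ones named in the thread:

```routeros
# Added example; 192.168.88.1 is an assumed placeholder for the router's
# (redacted) LAN address.

# Check what the router currently resolves with: static 'servers' and the
# ISP-provided 'dynamic-servers' (only present when the WAN DHCP client has
# use-peer-dns=yes, which the defconf client uses)
/ip dns print
/ip dhcp-client print detail

# Give the router itself upstream resolvers and keep answering LAN clients.
# allow-remote-requests=yes is safe here only because the posted input
# chain drops everything not coming from LAN, so WAN cannot use it.
/ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes

# Hand the router out explicitly as DNS server in DHCP leases instead of
# relying on any fallback; the posted network entry has no dns-server.
/ip dhcp-server network set [ find comment=defconf ] dns-server=192.168.88.1

# Verify: the router resolves, and the DHCP network now carries dns-server
:put [:resolve cloud.plejd.com]
/ip dhcp-server network print detail

# Clients only pick up the new option on lease renewal, so power-cycle the
# Plejd gateway afterwards and confirm its lease in:
/ip dhcp-server lease print detail
```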

I do see an IP here. So this shouldn’t be the problem?

It only proves that the router itself can resolve an FQDN to an IP address. IMO it’s still doubtful whether wireless stations can do it, as it’s quite possible that they don’t receive DNS server addresses with the DHCP lease.

Activating IPv6 didn’t help either…