Router can't reach external hosts, clients work just fine

I have a routerboard RB850Gx2 with fw and rOS 7.11.2 running on a fibre connection. IPoE by DHCP via a vlan over ethernet to an ONT. This setup works (clients can access the internet) but the router itself can’t access the internet. All traffic from the router seems to disappear:

  • Wireguard traffic is received and sent out but never arrives at the client. I tried a lot of different extra fw rules but none worked (the same config works on my

I started to troubleshoot and found out:

  • DNS lookups by the router also fail (updates, NTP, resolving names for ping) and thus it can’t update itself or the time
  • Accessing the router directly from a remote IP by adding a firewall rule also fails (tried ssh via port 22, http via 80 and Winbox), again I can see the traffic coming in and going out (TX & RX)
  • PING to an IP address works
  • Traceroute to an IP address works

I’m baffled, the routing table is as vanilla as you’d expect. Where should I look next? Thanks for any pointers. Config below:

# 2023-11-07 22:18:24 by RouterOS 7.11.2
# software id = **ELIDED**
#
# model = RB850Gx2
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1450 name=wireguard1
/interface vlan
add disabled=yes interface=ether1 name=vlan100 vlan-id=100
add interface=ether1 name=vlan300 vlan-id=300
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan300 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.255.255.3/32 comment=laptop-A endpoint-address="" \
    endpoint-port=13231 interface=wireguard1 public-key=\
    "xxx"
add allowed-address=10.255.255.7/32 comment=laptop-B endpoint-port=13231 \
    interface=wireguard1 public-key=\
    "xxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.255.255.1/24 comment=wg interface=wireguard1 network=\
    10.255.255.0
/ip dhcp-client
add add-default-route=special-classless comment=defconf interface=vlan300 \
    use-peer-dns=no use-peer-ntp=no
add add-default-route=no comment=management disabled=yes interface=vlan100
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    62.58.48.20,37.143.84.228 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=37.143.84.228,62.58.48.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=svl-ssh dst-port=22 log=yes log-prefix=\
    svl protocol=tcp
add action=accept chain=input comment="allow wg" dst-port=13231 log=yes \
    log-prefix=wg protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
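Two of the input-chain rules in the export above (svl-ssh on tcp/22 and "allow wg" on udp/13231) are placed before the "drop all not coming from LAN" rule and carry no in-interface or source restriction, so they admit traffic from the WAN side. The script below is an added example, not part of the post; it parses a RouterOS export (joining the backslash continuation lines the export uses) and lists input-chain accept rules that open a port without any source or interface limiter above the WAN catch-all drop. The embedded sample is a trimmed copy of the firewall section from the post.

```python
"""Audit a RouterOS export for input-chain accept rules reachable from any
interface. Added example; SAMPLE_EXPORT is a trimmed copy of the firewall
section posted above."""
import shlex

SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment=svl-ssh dst-port=22 log=yes log-prefix=\
    svl protocol=tcp
add action=accept chain=input comment="allow wg" dst-port=13231 log=yes \
    log-prefix=wg protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
'''

# Properties that limit where a rule matches from; a rule with none of these
# applies to packets arriving on any interface, WAN included.
SOURCE_LIMITERS = ("in-interface", "in-interface-list",
                   "src-address", "src-address-list")


def join_continuations(text):
    """Merge lines ending in a backslash; the export indents the continuation,
    so its leading whitespace is dropped before joining."""
    merged, buf, cont = [], "", False
    for raw in text.splitlines():
        line = raw.lstrip() if cont else raw
        cont = line.endswith("\\")
        if cont:
            buf += line[:-1]
        else:
            merged.append(buf + line)
            buf = ""
    return merged


def parse_export(text):
    """Return a list of (section, properties) for every add/set command."""
    section, entries = None, []
    for line in join_continuations(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()
            continue
        tokens = shlex.split(line)          # handles comment="a b" quoting
        if tokens[0] not in ("add", "set"):
            continue
        props = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                props[key] = value
            else:
                props.setdefault("_args", []).append(tok)
        entries.append((section, props))
    return entries


def exposed_input_services(text):
    """Input-chain accept rules, in order, that open a dst-port without a
    source or interface limiter and sit above the WAN catch-all drop."""
    rules = [p for s, p in parse_export(text)
             if s == "/ip firewall filter" and p.get("chain") == "input"]
    exposed = []
    for r in rules:
        if r.get("action") == "drop" and r.get("in-interface-list") == "!LAN":
            break                           # everything below is WAN-filtered
        if (r.get("action") == "accept" and "dst-port" in r
                and not any(k in r for k in SOURCE_LIMITERS)):
            exposed.append((r.get("comment", ""), r.get("protocol", "any"),
                            r["dst-port"]))
    return exposed


if __name__ == "__main__":
    for comment, proto, port in exposed_input_services(SAMPLE_EXPORT):
        print(f"open from any interface: {comment!r} {proto}/{port}")
```

Run it against a full `/export` saved to a file by replacing SAMPLE_EXPORT with the file contents; the WireGuard listener is expected to be reachable from WAN, while a test rule like svl-ssh should be removed or given `in-interface-list=LAN` once the troubleshooting is done.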

Did some more testing. ICMP works but TCP and UDP traffic doesn’t seem to actually leave the router (but is seen by the firewall). Someone recommended that this could be an offloading bug and that I should disable fasttrack to test but unfortunately the RB850 got itself stuck in a bootloop during the upgrade to 7.12 last night. Will first try a Hex S and see if that one will work with the same config.
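The isolation steps below are an added example, written as RouterOS CLI commands, and are not from the thread. They assume the export above: vlan300 is the WAN interface, the fasttrack rule carries the comment "defconf: fasttrack", and 62.58.48.20 is one of the configured DNS servers; the hostname mikrotik.com is a placeholder for any public HTTPS host. The idea is to compare ICMP, TCP and UDP originated by the router itself, see on the WAN VLAN whether the TCP SYN ever reaches the wire, and repeat with fasttrack temporarily disabled.

```routeros
# Added example, not from the thread. Assumes WAN = vlan300, fasttrack rule
# comment "defconf: fasttrack", DNS server 62.58.48.20 from the export;
# mikrotik.com is a placeholder host.

# 1. Baseline: ICMP from the router, forced out the WAN VLAN
/ping 62.58.48.20 count=3 interface=vlan300

# 2. TCP and UDP from the router, the two that reportedly vanish
/tool fetch url="https://mikrotik.com/" keep-result=no
:put [:resolve "mikrotik.com" server=62.58.48.20]

# 3. Run step 2 again from a second terminal while sniffing the WAN VLAN:
#    a SYN that never shows up on vlan300 points at the router itself,
#    a SYN with no reply points upstream (ONT/ISP)
/tool sniffer quick interface=vlan300 ip-protocol=tcp port=443

# 4. Take fasttrack/hw-offload out of the picture, repeat step 2, restore
/ip firewall filter disable [find comment="defconf: fasttrack"]
/tool fetch url="https://mikrotik.com/" keep-result=no
/ip firewall filter enable [find comment="defconf: fasttrack"]

# 5. Check that the router's own sessions are tracked, and what the
#    logging accept rules (log-prefix svl / wg) recorded
/ip firewall connection print where protocol=tcp
/log print where message~"svl|wg"
```

If step 4 makes the fetch succeed, the fasttrack rule is implicated even though it matches only the forward chain; if step 3 shows the SYN leaving vlan300 with the DHCP-assigned WAN address and no answer, the router is not the problem. Note that the svl-ssh rule accepts tcp/22 from every interface, WAN included, so restrict it with `in-interface-list=LAN` or remove it once the test is over.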

The Hex S worked, it’s probably an offloading issue. Can’t test atm as the RB850 got caught in a boot loop while upgrading to 7.12