Router started blocking all external web browsing and pinging overnight for some reason

Hi all, I am a bit new to RouterOS, etc. Two nights ago my RouterOS 6.49.5, RB951G-2HnD stopped allowing external web browsing or pinging to the internet. I have a smart home device (UDI ISY) that is still sending me internet-down (ping) report info via gmail.com, and I can reach it from the internet via its portal. I can also still access my network from remote with my PPTP VPN on the router. All other router features seem to be fully functional.

I can also attach to the router with Winbox and everything seems normal from my limited perspective. Also I can use Winbox to ping the internet and all internal devices without any issues. I haven’t logged into the router in months, much less changed anything on the router or even on the network in general. I have powered off and rebooted many times with no changes, and I did a restore of my last backup from 9 months ago. Still no change. I have also plugged my laptop directly into the router switch and it still can’t browse the internet or ping outside. All inside local connections are working as expected.

I am using the wireless feature on the RB and its connections show the same problems. Nothing in the logs area seems to indicate a problem.

I am lost at where to start or look for the issue. Any suggestions? I am about at the point of pulling my old dd-wrt router out and reinstalling it! :confused:

How about creating a text export of the full config and posting it here for review? Open a terminal window, execute /export file=anynameyouwish, fetch it off the router, open it in a text editor, redact sensitive information (serial number, public IP addresses, wifi passwords, etc.) and copy-paste it inside a [code] [/code] block (the icon in the button bar above the post editing window).

OK, @mkx thanks for the reply. Lots and lots of redaction. I will update you to further items that are relevant in my next reply.

# sep/22/2023 15:52:46 by RouterOS 6.49.5
# software id = xxxxxxxxxxxx
#
# model = 951G-2HnD
# serial number = xxxxxxxxx
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=\
    "united states" disabled=no distance=indoors frequency-mode=\
    manual-txpower mode=ap-bridge multicast-helper=full ssid="XXXXXX" \
    wireless-protocol=802.11
/interface bridge
add admin-mac=xxxxxxxxxxxxxxx auto-mac=no fast-forward=no mtu=1500 name=\
    bridge-local protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="Connection to Spectrum Cable Modem" \
    mac-address=xxxxxxxx name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] comment="Ethernet3 to Study and Upstairs" \
    name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
/interface wireless wds
add disabled=no master-interface=wlan1 name=wds1
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    "xxxxxx" wpa2-pre-shared-key="xxxx"
/ip dhcp-server option
add code=1 name=Router value="'<local IP>1'"
add code=6 name="DNS Servers" value="'<local IP>1'"
add code=15 name="DNS Domain Name" value="'infinet.local'"
add code=66 name="Boot Server Host Name - Wave" value="'<local IP>201'"
/ip dhcp-server option sets
add name=OptionSet1 options="Router,DNS Servers,DNS Domain Name"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=
add name=dhcp_pool2 ranges=<local IP>100-<local IP>199
add name=PPTP-pool ranges=1
/ip dhcp-server
add address-pool=dhcp_pool2 authoritative=after-2sec-delay bootp-support=none \
    disabled=no interface=bridge-local lease-time=30m name="DHCP Server 1"
/ppp profile
add local-address=PPTP-pool name=PPTP-profile remote-address=PPTP-pool
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1-gateway list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge-local list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface pptp-server server
set max-mru=1460 max-mtu=1460
/ip address
/ip dns
set allow-remote-requests=yes
/ip dns static
/ip firewall address-list
/ip firewall filter
add action=drop chain=input comment="Drop Inbound RDP packets" log=yes \
    log-prefix=RDPdrops protocol=rdp
add action=drop chain=input comment="Drop zBlacklisted list Addresses" \
    src-address-list=zBlackList
add action=drop chain=input comment="Block Lokey Virus sites inbound" \
    src-address-list="Lokey Virus"
add action=drop chain=forward comment="Block Lokey Virus sites forward" \
    src-address-list="Lokey Virus"
add action=drop chain=output comment="Block Lokey Virus sites outbound" \
    src-address-list="Lokey Virus"
add action=accept chain=input comment="default configuration ICMP Ping On" \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established
add action=accept chain=input comment="default configuration" \
    connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add action=dst-nat chain=dstnat comment=RemoteWebWP disabled=yes dst-port=\
    4125 in-interface=ether1-gateway protocol=tcp to-addresses=<local IP>2 \
    to-ports=4125
add action=dst-nat chain=dstnat comment="HTTP to Email Server" disabled=yes \
    dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=\
    <local IP>2
add action=dst-nat chain=dstnat comment="HTTPS to ISY" dst-port=443 \
    in-interface=ether1-gateway protocol=tcp to-addresses=<local IP>10 \
    to-ports=443
add action=dst-nat chain=dstnat comment=WaveMobileUdp disabled=yes dst-port=\
    50070 in-interface=ether1-gateway protocol=udp to-addresses=<local IP>201 \
    to-ports=50070
add action=dst-nat chain=dstnat comment=WaveMobileTcp disabled=yes dst-port=\
    50070 in-interface=ether1-gateway protocol=tcp to-addresses=<local IP>201 \
    to-ports=50070
add action=dst-nat chain=dstnat comment="AccessLine to Wave Phone System" \
    disabled=yes dst-port=50070 in-interface=ether1-gateway protocol=tcp \
    src-address=to-addresses=<local IP>201 to-ports=50070
add action=src-nat chain=srcnat disabled=yes out-interface=ether1-gateway \
    src-address=<local IP>89 to-addresses=
add action=dst-nat chain=dstnat comment="SIP TEST Inbound from AccessLine" \
    disabled=yes dst-port=5060 in-interface=ether1-gateway protocol=tcp \
    src-address=64.28.113.10 to-addresses=<local IP>201 to-ports=5060
add action=dst-nat chain=dstnat comment=\
    "SIP INFIWAVE Inbound from AccessLine" disabled=yes dst-port=6060 \
    in-interface=ether1-gateway protocol=tcp src-address= \
    to-addresses=<local IP>201 to-ports=6060
add action=dst-nat chain=dstnat comment="SMTP MxLogic#1" disabled=yes \
    dst-port=25 in-interface=ether1-gateway port="" protocol=tcp src-address=\
     to-addresses=<local IP>2 to-ports=25
add action=dst-nat chain=dstnat comment="SMTP MxLogic#2" disabled=yes \
    dst-port=25 in-interface=ether1-gateway protocol=tcp src-address=\
    to-addresses=<local IP>2 to-ports=25
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
/ip proxy
set cache-path=web-proxy1 parent-proxy=0.0.0.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set show-dummy-rule=no
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1-gateway type=external
/ppp secret
add name=XXX password="xxxxx" profile=PPTP-profile
/system clock
set time-zone-autodetect=no time-zone-name=CST6CDT
/system clock manual
set time-zone=-06:00
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system scheduler
add comment="Reboot automatically" disabled=yes name="Auto Reboot" policy=\
    reboot start-date=jul/09/2014 start-time=01:00:00
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Additional updates, also sorry for the long delays, my posts have to be approved first before you can see them. Hopefully that is not forever. :frowning:

After posting the original item last night, after 2 days of being down and while waiting another 12 hours for approval to post, I was desperate to try some troubleshooting. There was one “default” rule in my firewall rules list that I was concerned about. It drops incoming packets that originated externally on the WAN port.

add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway

So I disabled it. Immediately things started working and the logs window started showing inbound “attacks” using telnet. But I ran a few ping tests and web browsing attempts and it was all working. So I re-enabled the rule to stop the inbound attempts. They stopped in the logs immediately, but the pinging and web browsing did not stop and continued to work.

But I noticed in the continuous pings to 8.8.8.8 I would get 4-8 second gaps of packet loss every few minutes, clearly in blocks and not random losses. Still it was better than it was. I had to go on a video conference for a couple of hours. About every 3-5 minutes, my connection would break and after about 15-30 seconds it would reconnect, almost like clockwork.

This morning after checking the continuous ping test, it appears during the night that the ping losses stopped and now everything seems to be running as normal.

Again, the only thing I did concerning the network troubles last night was to disable and re-enable that one rule, nothing else, no reboots or anything.

My probable next step would be to update my RouterOS. I am running an about a year-old version. Any other suggestions are welcome.

Thanks!

It’s playing funny games indeed.

Try to check RAM and CPU usage when device misbehaves. Also check connection tracking list for number of active connections.

The firewall filter ruleset could be improved IMHO … have a look at defaults, it might inspire you (execute /system default-config print in a really wide terminal window).

And a last-resort notice: sometimes devices develop some weird behaviour which can not be explained by visible configuration. Often the problem is solved by resetting to factory default and re-applying previous config (config has to be exported to text file, using binary backup doesn’t help), if that doesn’t help netinstall (and re-configuring) does.
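An added example, not code from anyone in this thread or from MikroTik, to go with the export posted above and the remark that the filter ruleset could be improved by comparing it with the defaults. It parses a RouterOS v6 text export (gluing the backslash line continuations the export uses) and reports the points a reviewer holding the v6 default config next to this one would raise. The sample input is a constructed, trimmed copy of the relevant sections of the posted export; the check names and finding texts are this example's own, not any MikroTik tool's output.

```python
"""Audit a RouterOS v6 text export for firewall and service weaknesses.

Added example for the thread; not the poster's or MikroTik's code.
SAMPLE_EXPORT is a constructed, trimmed copy of the posted export.
"""
import re
import shlex

# Constructed sample input: the sections of the posted export the checks use.
SAMPLE_EXPORT = r'''
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input comment="Drop Inbound RDP packets" log=yes \
    log-prefix=RDPdrops protocol=rdp
add action=accept chain=input comment="default configuration ICMP Ping On" \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established
add action=accept chain=input comment="default configuration" \
    connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1-gateway type=external
'''


def parse_export(text):
    """Parse 'add'/'set' lines into {section: [{key: value, ...}, ...]}.

    Glues the backslash continuations RouterOS emits and keeps quoted
    values with spaces (e.g. src-address-list="Lokey Virus") intact.
    """
    joined = re.sub(r'\\\n\s*', '', text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):           # section header, e.g. /ip firewall filter
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)
        entry = {'_cmd': tokens[0]}
        for tok in tokens[1:]:
            if '=' in tok:
                key, value = tok.split('=', 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def audit(sections):
    """Return a list of finding strings for the parsed export."""
    findings = []
    flt = sections.get('/ip firewall filter', [])
    inp = [r for r in flt if r.get('chain') == 'input']
    fwd = [r for r in flt if r.get('chain') == 'forward']

    def matches(rules, **want):
        return any(all(r.get(k) == v for k, v in want.items()) for r in rules)

    # In RouterOS, protocol=rdp is IP protocol 27 (Reliable Datagram Protocol),
    # not Microsoft Remote Desktop, which is tcp dst-port=3389.
    for r in flt:
        if r.get('protocol') == 'rdp':
            findings.append('filter: protocol=rdp matches IP proto 27, not TCP/3389 '
                            f'(rule comment: {r.get("comment", "none")!r})')
    # The v6 default config drops invalid packets in input, not only in forward.
    if not matches(inp, action='drop', **{'connection-state': 'invalid'}):
        findings.append('input: no drop for connection-state=invalid')
    # The catch-all drop from the WAN interface is what guards router services.
    wan_drop = [r for r in inp if r.get('action') == 'drop' and 'in-interface' in r]
    if not wan_drop:
        findings.append('input: no catch-all drop for traffic from the WAN interface')
    elif wan_drop[0].get('disabled') == 'yes':
        findings.append('input: WAN catch-all drop is DISABLED; router services exposed')
    # Forward policy is accept unless something drops new, un-NATed WAN traffic.
    if not matches(fwd, action='drop', **{'connection-nat-state': '!dstnat'}):
        findings.append('forward: no "drop all from WAN not DSTNATed" rule')
    # DNS answers remote queries; only the input drop keeps it off the internet.
    if matches(sections.get('/ip dns', []), **{'allow-remote-requests': 'yes'}):
        findings.append('dns: allow-remote-requests=yes; open resolver if the '
                        'WAN input drop is disabled')
    for p in sections.get('/ip ipsec proposal', []):
        if '3des' in p.get('enc-algorithms', ''):
            findings.append('ipsec: proposal allows 3des (64-bit block cipher)')
    if any(i.get('type') == 'external' for i in sections.get('/ip upnp interfaces', [])):
        findings.append('upnp: external interface set; LAN hosts can open inbound ports')
    return findings


if __name__ == '__main__':
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print('-', finding)
```

Run it on your own redacted export by replacing SAMPLE_EXPORT with the file contents. Two of its findings bear directly on what was tried in this thread: the final input drop on ether1-gateway is the only rule standing between the internet and every service the router answers on (DNS with allow-remote-requests=yes included), so disabling it, even briefly, exposes them; and the forward chain has no rule dropping new connections from the WAN that were not dst-natted, which the v6 default config does have.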

You have a router mutation, very rare life form. Could be worth a lot of money. The first smart AI router and it has run amok.

OMG, it has decided to attack me!! In the words of Dr. Who? “RUN” :laughing:

I believe the threshold to bypass mandatory moderation is 3 approved posts, which is why your latest post didn’t require moderator approval.


another 12 hours waiting for approval to post

I was the one to approve the initial post in this thread, with a 5 hour 18 minute delay. As many moderators as there now are, I was surprised it was even that long. More than once, I’ve been looking into a post’s details to decide if it’s kosher and have had the decision taken out of my hands by another mod who decided to approve it before I could.

Your second and third posts in this thread were approved by another of the mods, back-to-back, which means that despite the 20 minute gap between you posting them, the moderation delays were different, at 4 hours and 46 minutes for the second post and 4:26 for the third.

So no, not “12 hours.” Please don’t exaggerate. We have logs. :face_with_tongue: