RouterOS 7 VLAN Bug

I recently upgraded my CCR2004-1G-12S+2XS from RouterOS v6 to v7.10.2. After the upgrade, I am unable to resolve DNS on VLAN 101:

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=120 time=14.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=120 time=14.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=120 time=14.6 ms



$ nslookup google.com 8.8.8.8
;; communications error to 8.8.8.8#53: connection refused
;; communications error to 8.8.8.8#53: connection refused
;; communications error to 8.8.8.8#53: connection refused
;; no servers could be reached

DNS resolution on VLANs 102, 103, 104, and 201 (all of which are tagged on the same sfp-sfpplus1 interface) works just fine. I’m relatively new to RouterOS and am not sure how to determine whether this is a bug that needs to be reported or a config issue that needs to be changed to work with RouterOS 7.

I am planning to rollback to v6.49.8 tonight if I can’t figure this out.

Any help/insight would be appreciated!

# 2023-08-14 11:29:25 by RouterOS 7.10.2
# software id = LGM4-DTDZ
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F10CA1207B
# Bridges. bridge1 has VLAN filtering enabled with ingress filtering off; this
# export contains no /interface bridge vlan entries, so presumably only the
# default PVID is carried on its member ports — confirm that is intended.
# vpn_bridge only holds the VPN-side address (see /ip address).
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
add name=vpn_bridge
# Per-port auto-negotiation advertisements. sfp-sfpplus1, 3, 5 and 11 also
# advertise 10000M-full; every other SFP+ cage and both SFP28 cages are limited
# to 1G and below.
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp-sfpplus3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp-sfpplus5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp-sfpplus7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp-sfpplus8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp-sfpplus9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp-sfpplus10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp-sfpplus11 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus12 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp28-1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp28-2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# Static L2TP server binding with no user bound to it (user=""); the server
# itself is enabled under /interface l2tp-server server further down.
/interface l2tp-server
add name=l2tp-in1 user=""
# VRRP section is empty in this export.
/interface vrrp
# 802.1Q sub-interfaces attached directly to physical ports, not to bridge1.
# vlan101 — the VLAN that cannot reach external DNS in this thread — shares
# sfp-sfpplus1 with vlan102-104, 1063 and 1066, so its L2 setup is identical to
# VLANs that work; the difference lies in the firewall address lists below.
# sfp-sfpplus3 carries vlan201/301/1064/1065 and is also a bridge1 member port
# (see /interface bridge port) — NOTE(review): VLAN sub-interfaces on a member
# port of a vlan-filtering bridge are worth confirming behave as intended.
/interface vlan
add interface=sfp-sfpplus1 name=vlan101 vlan-id=101
add interface=sfp-sfpplus1 name=vlan102 vlan-id=102
add interface=sfp-sfpplus1 name=vlan103 vlan-id=103
add interface=sfp-sfpplus1 name=vlan104 vlan-id=104
add interface=sfp-sfpplus3 name=vlan201 vlan-id=201
add interface=sfp-sfpplus3 name=vlan301 vlan-id=301
add interface=sfp-sfpplus9 name=vlan1010 vlan-id=1010
add interface=sfp-sfpplus11 name=vlan1044_SAN vlan-id=1044
add interface=sfp-sfpplus9 name=vlan1046_OSInternal vlan-id=1046
add interface=sfp-sfpplus11 name=vlan1047_Servers vlan-id=1047
add interface=sfp-sfpplus9 name=vlan1048_OSServers vlan-id=1048
add interface=sfp-sfpplus9 name=vlan1049_IPMI vlan-id=1049
add interface=sfp-sfpplus1 name=vlan1063 vlan-id=1063
add interface=sfp-sfpplus3 name=vlan1064 vlan-id=1064
add interface=sfp-sfpplus3 name=vlan1065 vlan-id=1065
add interface=sfp-sfpplus1 name=vlan1066 vlan-id=1066
add interface=sfp-sfpplus11 name=vlan1067Server_mgmt vlan-id=1067
add interface=sfp-sfpplus9 name=vlan1068_OpenStackSwitch vlan-id=1068
# LACP (802.3ad) bond over sfp-sfpplus7/8 towards the OpenStack aggregation
# switches, with the OpenStack VLANs stacked on top of it.
/interface bonding
add mode=802.3ad name=OpenstackAggSwitches slaves=sfp-sfpplus7,sfp-sfpplus8
/interface vrrp
/interface vlan
add interface=OpenstackAggSwitches name=vlan2010_FW_IPMI_NET vlan-id=2010
add interface=OpenstackAggSwitches name=vlan2020_RPC_MGMT_NET vlan-id=2020
add interface=OpenstackAggSwitches name=vlan2040_RPC_PROVIDER vlan-id=2040
add interface=OpenstackAggSwitches name=vlan2041_RPC_PROVIDER vlan-id=2041
add interface=OpenstackAggSwitches name=vlan2042_RPC_PROVIDER vlan-id=2042
add interface=OpenstackAggSwitches name=vlan2043_RPC_PROVIDER vlan-id=2043
add interface=OpenstackAggSwitches name=vlan2044_RPC_PROVIDER vlan-id=2044
add interface=OpenstackAggSwitches name=vlan2080_RPC_OCTAVIA_MGMT vlan-id=2080
# Stock defaults for subsystems this chassis does not use (no LTE or wireless
# interfaces appear in the export).
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec. The default profile and profile1 still permit 3des, and profile1 and
# Amazon use DH group modp1024 — both weak by current guidance. The only peers
# in this export use profile Amazon (AES-128, 8h phase-1 lifetime, DPD 10s/3).
# The default profile and proposal still serve L2TP/IPsec road-warrior clients
# (use-ipsec=yes under /interface l2tp-server server), so drop 3des there only
# after checking which clients connect.
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des name=profile1
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h name=Amazon
# Two site-to-site peers (addresses redacted) on the Amazon profile.
/ip ipsec peer
add address=<redacted> local-address=<redacted> name=AmazonVPC2 profile=Amazon
add address=<redacted> local-address=<redacted> name=AmazonVPC profile=Amazon
# Phase-2 proposals: default still lists 3des; the two named ones are
# AES-128-CBC with a 1h lifetime (names look like AWS VPN connection ids).
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec-vpn-070053c6ddad646ce-0
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec-vpn-070053c6ddad646ce-1
# DHCP/VPN pools. pool101-104 each span a /22 (…128.0, …136.0, …144.0,
# …152.0) starting at .11, leaving .1-.10 for static use; pool201/301 leave
# only the gateway (and .2 on 201) free. VPNPOOL serves the PPP vpn_profile.
/ip pool
add name=pool101 ranges=192.168.128.11-192.168.131.254
add name=pool102 ranges=192.168.136.11-192.168.139.254
add name=pool103 ranges=192.168.144.11-192.168.147.254
add name=pool104 ranges=192.168.152.11-192.168.155.254
add name=pool301 ranges=192.168.168.2-192.168.171.254
add name=pool201 ranges=192.168.160.3-192.168.163.254
add name=VPNPOOL ranges=192.168.32.2-192.168.32.254
# One DHCP server per user/guest VLAN. Leases are ~24h except the guest VLAN
# (1h). server201/301 run lease scripts (internal_Wifi, Guest_WiFi) that are
# not part of this export.
/ip dhcp-server
add address-pool=pool101 interface=vlan101 lease-time=23h59m name=server101
add address-pool=pool102 interface=vlan102 lease-time=23h59m name=server102
add address-pool=pool103 interface=vlan103 lease-time=23h59m name=server103
add address-pool=pool104 interface=vlan104 lease-time=23h59m name=server104
add address-pool=pool201 interface=vlan201 lease-script=internal_Wifi lease-time=23h59m name=server201 server-address=192.168.160.1
add address-pool=pool301 interface=vlan301 lease-script=Guest_WiFi lease-time=1h name=server301 server-address=192.168.168.1
/port
set 0 name=serial0
set 1 name=serial1
# PPP profiles. The built-in default profile (*0) only gets a WINS server;
# vpn_profile hands VPN clients 192.168.32.1 as gateway, the internal DNS/WINS
# server 192.168.8.101, addresses from VPNPOOL, and requires PPP encryption
# (use-encryption=yes).
/ppp profile
set *0 change-tcp-mss=default wins-server=192.168.5.40
add dns-server=192.168.8.101 local-address=192.168.32.1 name=vpn_profile remote-address=VPNPOOL use-encryption=yes wins-server=192.168.8.101
/queue tree
# BGP (RouterOS 7 syntax). Both templates redistribute connected, static, vpn
# and dhcp routes and use address list bgp-networks as the output network
# filter — the list the thread later finds the v6->v7 conversion inserted at
# the top of /ip firewall address-list. The two lines spell the redistribute
# option differently (".redistribute" vs "redistribute"); NOTE(review): confirm
# both are applied as intended.
/routing bgp template
set default as=65016 disabled=no output.network=bgp-networks .no-client-to-client-reflection=yes .redistribute=connected,static,vpn,dhcp router-id=<redacted>
add as=65000 disabled=no name=AWSVPC1 output.network=bgp-networks .no-client-to-client-reflection=yes redistribute=connected,static,vpn,dhcp router-id=<redacted>
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
# Extra FIB table targeted by the fsr-backup routing mark in /ip firewall mangle.
/routing table
add fib name=fsr-backup
# SNMPv3 (SHA1 auth, AES privacy) restricted to two management hosts.
/snmp community
add addresses=192.168.8.124/32,192.168.8.13/32 authentication-protocol=SHA1 encryption-protocol=AES security=private
# Logging actions: 10000 lines kept in memory; action 3 forwards to a syslog
# host in the servers VLAN (port 10514). Remote syslog is unauthenticated and
# in clear unless the receiver side adds transport protection.
/system logging action
set 0 memory-lines=10000
set 3 remote=192.168.5.71 remote-port=10514 src-address=192.168.5.1
# Bridge-level NAT: a single accept, i.e. no bridge NAT is applied.
/interface bridge nat
add action=accept chain=srcnat
# bridge1 members. Ingress filtering is off on every port, so frames are
# admitted at the port level regardless of tag.
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus3
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus4
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus5
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus6
# Neighbor discovery runs on every non-dynamic interface, which includes
# sfp-sfpplus12 — the port carrying the public address (see /ip address).
# Advertising identity, version and addresses towards the WAN is unnecessary;
# a LAN-only interface list is the usual setting.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
# IPv6 disabled globally.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Bridge VLAN table is empty although bridge1 has vlan-filtering=yes; only the
# default PVID is therefore carried on its member ports — confirm intended.
/interface bridge vlan
# L2TP/IPsec server using vpn_profile; IPsec uses the default profile and
# proposal above (which still list 3des).
/interface l2tp-server server
set default-profile=vpn_profile enabled=yes use-ipsec=yes
# OpenVPN server: md5 remains an accepted HMAC. Nothing in this export enables
# the server (no enabled=yes here), so this only matters if it is switched on.
/interface ovpn-server server
set auth=sha1,md5
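# Interface addresses. sfp-sfpplus12 holds the public (redacted) address — the
# WAN port, consistent with the src-nat out-interface rule in /ip firewall nat.
# The redaction placeholder on that line was unbalanced ("redacted>") and is
# normalised to <redacted> so the line parses like the others.
/ip address
add address=<redacted> interface=sfp-sfpplus12 network=<redacted>
# Four /22 user VLANs; prefixes match pool101-104 and the DHCP networks.
add address=192.168.128.1/22 interface=vlan101 network=192.168.128.0
add address=192.168.136.1/22 interface=vlan102 network=192.168.136.0
add address=192.168.144.1/22 interface=vlan103 network=192.168.144.0
add address=192.168.152.1/22 interface=vlan104 network=192.168.152.0
add address=192.168.65.1/24 interface=vlan1065 network=192.168.65.0
add address=192.168.160.1/22 interface=vlan201 network=192.168.160.0
add address=192.168.168.1/22 interface=vlan301 network=192.168.168.0
add address=192.168.64.1/24 interface=vlan1064 network=192.168.64.0
# VPN side: matches local-address in the PPP vpn_profile.
add address=192.168.32.1/24 interface=vpn_bridge network=192.168.32.0
add address=192.168.66.1/24 interface=vlan1066 network=192.168.66.0
add address=192.168.5.1/24 interface=vlan1047_Servers network=192.168.5.0
add address=192.168.67.1/24 interface=vlan1067Server_mgmt network=192.168.67.0
add address=10.44.44.2/24 interface=vlan1044_SAN network=10.44.44.0
add address=192.168.68.1/24 interface=vlan1068_OpenStackSwitch network=192.168.68.0
# vlan1049_IPMI carries three subnets (192.168.7.0, .70.0 and .20.0 below).
add address=192.168.7.1/24 interface=vlan1049_IPMI network=192.168.7.0
add address=192.168.8.1/22 interface=vlan1046_OSInternal network=192.168.8.0
add address=10.10.10.1/24 interface=vlan1010 network=10.10.10.0
add address=<redacted> interface=vlan1048_OSServers network=<redacted>
add address=192.168.63.1/24 interface=vlan1063 network=192.168.63.0
add address=192.168.70.1/24 interface=vlan1049_IPMI network=192.168.70.0
add address=192.168.20.1/24 interface=vlan1049_IPMI network=192.168.20.0
# OpenStack networks on the LACP bond VLANs.
add address=10.20.10.1/24 interface=vlan2010_FW_IPMI_NET network=10.20.10.0
add address=10.20.20.1/22 interface=vlan2020_RPC_MGMT_NET network=10.20.20.0
add address=10.20.40.1/24 interface=vlan2040_RPC_PROVIDER network=10.20.40.0
add address=10.20.80.1/22 interface=vlan2080_RPC_OCTAVIA_MGMT network=10.20.80.0
add address=10.20.41.1/24 interface=vlan2041_RPC_PROVIDER network=10.20.41.0
add address=10.20.42.1/24 interface=vlan2042_RPC_PROVIDER network=10.20.42.0
add address=10.20.43.1/24 interface=vlan2043_RPC_PROVIDER network=10.20.43.0
add address=10.20.44.1/24 interface=vlan2044_RPC_PROVIDER network=10.20.44.0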
# Static reservations on server201 (vlan201), keyed by MAC plus the matching
# DHCP client identifier (type 1 + MAC).
/ip dhcp-server lease
add address=192.168.160.2 client-id=1:b4:fb:e4:2a:4a:11 mac-address=B4:FB:E4:2A:4A:11 server=server201
add address=192.168.163.77 client-id=1:a8:93:4a:94:f1:c6 mac-address=A8:93:4A:94:F1:C6 server=server201
add address=192.168.163.7 client-id=1:b0:68:e6:f2:dd:c7 mac-address=B0:68:E6:F2:DD:C7 server=server201
add address=192.168.160.10 client-id=1:10:6f:d9:81:e8:9e mac-address=10:6F:D9:81:E8:9E server=server201
add address=192.168.160.9 client-id=1:40:23:43:e:f7:f3 mac-address=40:23:43:0E:F7:F3 server=server201
add address=192.168.162.163 client-id=1:ac:50:de:4e:71:bd mac-address=AC:50:DE:4E:71:BD server=server201
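# DHCP option sets per subnet; a lease takes its options from the entry whose
# prefix contains it. The four user VLANs are /22 both as interface addresses
# and as pools, so each entry must be a /22 with netmask=22:
#  - 192.168.136.0 was listed as /24, so leases in 192.168.137-139.x would
#    have received no gateway/DNS options; corrected to /22.
#  - 192.168.144.0 handed out netmask=24, so leases in 192.168.145-147.x would
#    have seen their gateway as off-subnet; corrected to 22.
/ip dhcp-server network
add address=192.168.128.0/22 dns-server=192.168.8.101,192.168.8.102,192.168.8.103 gateway=192.168.128.1 netmask=22
add address=192.168.136.0/22 dns-server=192.168.8.101,192.168.8.102,192.168.8.103 gateway=192.168.136.1 netmask=22
add address=192.168.144.0/22 dns-server=192.168.8.101,192.168.8.102,192.168.8.103 gateway=192.168.144.1 netmask=22
add address=192.168.152.0/22 dns-server=192.168.8.101,192.168.8.102,192.168.8.103 gateway=192.168.152.1 netmask=22
add address=192.168.160.0/22 dns-server=192.168.8.101,192.168.8.102,192.168.8.103 gateway=192.168.160.1 netmask=22
# Guests get public resolvers only, so the input-chain DNS allowance for the
# guests list is only used by clients that pick the gateway manually.
add address=192.168.168.0/22 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.168.1 netmask=22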
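# Upstream resolvers for the router's own lookups. 182.168.8.102 was a typo for
# 192.168.8.102 (the second of the three internal DNS servers handed out by
# DHCP above); 182.168.0.0/16 is public address space, so the typo would have
# sent a share of the router's own queries off-site. Corrected.
# allow-remote-requests is not set in this export (default off), so this
# resolver is not offered to LAN clients — which is why the thread's nslookup
# against 8.8.8.8 is forwarded traffic, not router DNS.
/ip dns
set servers=8.8.8.8,192.168.8.101,192.168.8.102,192.168.8.103,172.16.1.1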
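# Firewall address lists. Most accept rules in /ip firewall filter key on
# these lists, so membership here is effectively the access policy.
# bgp-networks is referenced by /routing bgp template (output.network). The
# thread later establishes that the v6->v7 conversion replaced the first entry
# of this section — "add address=192.168.128.0/22 list=users", i.e. vlan101 —
# with the bgp-networks entry below, which is why vlan101 alone lost forward
# access; that entry is deliberately not re-added here so the export still
# shows the state being diagnosed.
/ip firewall address-list
add address=192.168.5.0/24 list=bgp-networks
add address=192.168.136.0/22 list=users
add address=192.168.144.0/22 list=users
add address=192.168.152.0/22 list=users
add address=192.168.32.0/24 list=users
add address=192.168.5.0/24 list=servers
add address=63.247.65.242 list=netdepot
add address=65.254.34.186 list=netdepot
add address=66.248.200.0/22 list=sucuri
add address=185.93.228.0/22 list=sucuri
add address=192.88.134.0/23 list=sucuri
add address=<redacted> list=servers
add address=192.168.160.0/22 list=users
add address=192.168.168.0/22 list=guests
# 192.168.65.0/24 (vlan1065) is in cameras, Routers and — for .2/.3 — users
# and johnson_list; the broadest matching list decides in the filter chain.
add address=192.168.65.0/24 list=cameras
add address=192.168.66.0/24 list=Routers
add address=10.44.44.0/24 list=servers
add address=192.168.65.2 list=users
add address=192.168.65.3 list=users
add address=192.168.65.0/24 list=Routers
# Was "192.168.67.0.24", which is not a valid prefix (RouterOS would most
# likely treat it as a host name to resolve); vlan1067Server_mgmt is
# 192.168.67.0/24, as the network_equip entry further down also has it.
add address=192.168.67.0/24 list=Routers
add address=192.168.68.0/24 list=Routers
add address=192.168.65.2 list=johnson_list
add address=192.168.65.3 list=johnson_list
add address=192.168.65.4 list=johnson_list
add address=192.168.65.5 list=johnson_list
add address=192.168.8.0/22 list=servers
add address=192.168.7.0/24 list=IPMI
add address=192.168.8.0/22 list=OpenStack
# 192.168.33.0/24 is not a locally addressed subnet in this export; these two
# hosts in users are accepted before the 192.168.33.0/24 drop rules apply.
add address=192.168.33.3 list=users
add address=192.168.7.0/24 list=Routers
add address=192.168.7.12 list=Routers
add address=10.10.10.0/24 list=OpenStack
add address=10.10.10.0/24 list=servers
add address=<redacted> list=OpenStackPublic
add address=192.168.33.4 list=users
add address=192.168.63.2 list=meraki_firewall_mgmt
add address=192.168.63.3 list=meraki_firewall_mgmt
add address=192.168.70.0/24 list="OpenStack Switches"
add address=10.20.10.0/24 list=OpenStack
add address=10.20.20.0/22 list=OpenStack
add address=10.20.40.0/24 list=OpenStack
add address=10.20.80.0/22 list=OpenStack
add address=10.20.10.0/24 list=servers
add address=192.168.7.11 list=Routers
add address=10.20.41.0/24 list=OpenStack
add address=10.20.42.0/24 list=OpenStack
add address=10.20.43.0/24 list=OpenStack
add address=10.20.44.0/24 list=OpenStack
add address=10.20.40.0/24 list=servers
add address=10.20.41.0/24 list=servers
add address=10.20.42.0/24 list=servers
add address=10.20.43.0/24 list=servers
add address=10.20.44.0/24 list=servers
add address=192.168.64.0/24 list=Routers
add address=192.168.64.0/24 list=network_equip
# External RADIUS (JumpCloud) servers; used by the srcnat accept/src-nat rules.
add address=54.203.27.225 list=jumpcloud_radius
add address=18.204.0.31 list=jumpcloud_radius
add address=192.168.66.0/24 list=network_equip
add address=192.168.68.0/24 list=network_equip
add address=192.168.70.0/24 list=network_equip
add address=192.168.67.0/24 list=network_equip
add address=192.168.144.0/22 list=bgp-networks
add address=192.168.8.0/22 list=bgp-networks
add address=<redacted> list=bgp-networks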
# Firewall filter. Each chain is evaluated top to bottom and the first
# terminating action (accept/drop/reject) wins, so rule order is semantic.
/ip firewall filter
# Accepts UDP to the router's (redacted) address keyed only on source port
# 1812-1813 (RADIUS). A source port is chosen by the sender, so this admits
# unsolicited UDP to the router; replies to RADIUS requests the router itself
# sent are already covered by the established,related input rule below.
# Adding src-address-list=jumpcloud_radius would close that gap.
add action=accept chain=input dst-address=<redacted> protocol=udp src-port=1812-1813
# NOTE(review): the bare "related" before connection-state is not export
# syntax — presumably a transcription artefact; verify against the live rule.
add action=accept chain=forward related connection-state=established,related
# IKE / L2TP / NAT-T. The trailing 450 is not part of that set — presumably a
# typo for 4500, which is already listed; confirm and remove if unintended.
add action=accept chain=input dst-port=500,1701,4500,450 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward connection-state=related
# List-based allows. Each list is accepted on input as well as forward, so
# every member host can reach every service on the router itself, not only
# transit through it.
add action=accept chain=forward src-address-list=cameras
add action=accept chain=input src-address-list=cameras
add action=accept chain=forward src-address-list=users
add action=accept chain=input src-address-list=users
add action=accept chain=forward src-address-list=Routers
add action=accept chain=input src-address-list=Routers
add action=accept chain=forward src-address-list="OpenStack Switches"
add action=accept chain=input src-address-list="OpenStack Switches"
add action=accept chain=input src-address-list=servers
add action=accept chain=forward src-address-list=servers
# Guests: DNS to the router on input, unrestricted forward.
add action=accept chain=input dst-port=53 protocol=udp src-address-list=guests
add action=accept chain=forward src-address-list=guests
# 192.168.128.0/22 (vlan101) is in none of the lists above and has no
# per-subnet accept like this 10.49.49.0/24 one, so its new forward
# connections fall through to the final reject — the DNS failure reported in
# the thread.
add action=accept chain=forward src-address=10.49.49.0/24
add action=accept chain=forward dst-address-list=OpenStackPublic
add action=accept chain=forward src-address-list=OpenStackPublic
# Selective access for 192.168.33.0/24 (not a locally addressed subnet in this
# export — presumably reached via a VPN or BGP peer).
add action=accept chain=forward dst-address-list=johnson_list src-address=192.168.33.2
add action=accept chain=input dst-address-list=johnson_list src-address=192.168.33.2
add action=accept chain=forward dst-address-list=IPMI src-address=192.168.33.0/24
add action=accept chain=input dst-address-list=IPMI src-address=192.168.33.0/24
add action=accept chain=forward dst-address-list=OpenStack src-address=192.168.33.0/24
add action=accept chain=input dst-address-list=OpenStack src-address=192.168.33.0/24
add action=accept chain=forward dst-address-list=Routers src-address=192.168.33.0/24
add action=accept chain=input dst-address-list=Routers src-address=192.168.33.0/24
add action=accept chain=forward dst-address-list="OpenStack Switches" src-address=192.168.33.0/24
add action=accept chain=input dst-address-list="OpenStack Switches" src-address=192.168.33.0/24
# dst-address-list="" is an empty matcher and has no effect.
add action=accept chain=forward dst-address=192.168.160.2 dst-address-list="" src-address=192.168.33.10
add action=accept chain=input dst-address=192.168.160.2 src-address=192.168.33.10
# Drops for 192.168.33.0/24 towards the internal subnets. 192.168.33.3 and
# 192.168.33.4 are members of list users, so the users accept above already
# admits them before these drops are reached — confirm that is intended.
add action=drop chain=forward dst-address=192.168.5.0/24 src-address=192.168.33.0/24
add action=drop chain=forward dst-address=192.168.65.0/24 src-address=192.168.33.0/24
add action=drop chain=forward dst-address=192.168.66.0/24 src-address=192.168.33.0/24
add action=drop chain=forward dst-address=192.168.67.0/24 src-address=192.168.33.0/24
add action=drop chain=forward dst-address=192.168.128.0/22 src-address=192.168.33.0/24
add action=drop chain=forward dst-address=192.168.136.0/22 src-address=192.168.33.0/24
add action=drop chain=forward dst-address=192.168.144.0/22 src-address=192.168.33.0/24
add action=drop chain=forward dst-address=192.168.152.0/22 src-address=192.168.33.0/24
add action=drop chain=forward dst-address=192.168.160.0/22 src-address=192.168.33.0/24
# Echo requests and destination-unreachable are forwarded from anywhere.
add action=accept chain=forward icmp-options=8:0 protocol=icmp
add action=accept chain=forward icmp-options=3:0-255 protocol=icmp
add action=drop chain=input src-address-list=invalid_login
# Admits return/inbound traffic of dst-nat'd connections (see /ip firewall nat).
add action=accept chain=forward connection-nat-state=dstnat
# established,related on input is only evaluated after every rule above it;
# it is usually placed first in the chain. Note that moving it above the
# invalid_login drop would let existing flows from listed sources continue.
add action=accept chain=input connection-state=established,related
# Duplicate of the ipsec-esp accept above; never reached.
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input src-address=10.49.49.0/24
add action=accept chain=input protocol=icmp
# Management (8291 Winbox, 5022) is open on every interface except
# sfp-sfpplus12 (the WAN port, judging by the src-nat out-interface rule),
# which includes the guest VLAN (vlan301) and L2TP clients. A management
# address list would be tighter than an interface exclusion.
add action=accept chain=input dst-port=8291 in-interface=!sfp-sfpplus12 protocol=tcp
add action=accept chain=input dst-port=5022 in-interface=!sfp-sfpplus12 protocol=tcp
# Staged brute-force list for 8291. The accept above already took LAN-side
# connections, so these stages only see attempts arriving on sfp-sfpplus12,
# which the final reject below refuses regardless; repeat sources are then
# silenced for 30m by the invalid_login drop earlier in the chain.
add action=add-src-to-address-list address-list=invalid_login address-list-timeout=30m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=login_stage_3
add action=add-src-to-address-list address-list=login_stage_3 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=login_stage_2
add action=add-src-to-address-list address-list=login_stage_2 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=login_stage_1
add action=add-src-to-address-list address-list=login_stage_1 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp
# Both chains end in reject with ICMP port-unreachable rather than drop, so an
# external probe receives a positive answer that the router exists; drop is
# the usual choice on the WAN side.
add action=reject chain=forward reject-with=icmp-port-unreachable
add action=reject chain=input reject-with=icmp-port-unreachable
# Mangle: VoIP classification and a policy-routing mark.
/ip firewall mangle
# Connection marks for SIP/RTP-style traffic by source port; the last rule
# additionally requires DSCP 46 (EF) on the high UDP range.
add action=mark-connection chain=forward new-connection-mark=voip-conn passthrough=yes protocol=udp src-port=5060-5099
add action=mark-connection chain=forward new-connection-mark=voip-conn passthrough=yes protocol=tcp src-port=5060-5099
add action=mark-connection chain=forward new-connection-mark=voip-conn passthrough=yes protocol=udp src-port=8000-8200
add action=mark-connection chain=forward new-connection-mark=voip-conn passthrough=yes protocol=tcp src-port=8801-8802
add action=mark-connection chain=forward dscp=46 new-connection-mark=voip-conn passthrough=yes protocol=udp src-port=16384-65535
add action=mark-packet chain=prerouting connection-mark=voip-conn new-packet-mark=voip passthrough=no
# No rule in this export sets connection-mark user-conn, so this packet mark is
# never applied unless it is set elsewhere.
add action=mark-packet chain=forward connection-mark=user-conn new-packet-mark=user passthrough=no
# Policy routing into table fsr-backup (defined under /routing table). The bare
# "backup" token is not export syntax — presumably a transcription artefact —
# and no address-list entries for list fsr appear in this export, so the rule
# matches nothing until that list is populated.
add action=mark-routing chain=prerouting backup new-routing-mark=fsr-backup passthrough=no src-address-list=fsr
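# NAT. Five accept lines had lost the space between "chain=srcnat" and
# "dst-address" and four redaction placeholders were unbalanced ("redacted>");
# both are repaired so every line parses like its neighbours. Rule order and
# actions are unchanged.
/ip firewall nat
# Traffic to the external RADIUS servers: the (redacted) source is left alone,
# network equipment is translated to a fixed public address.
add action=accept chain=srcnat dst-address-list=jumpcloud_radius src-address=<redacted>
add action=src-nat chain=srcnat dst-address-list=jumpcloud_radius src-address-list=network_equip to-addresses=<redacted>
add action=masquerade chain=srcnat dst-address=192.168.20.0/24
# AWS VPN inside-tunnel link-local pairs and the 172.30.0.0/16 VPC range are
# exempted from source NAT.
add action=accept chain=srcnat dst-address=169.254.175.169 src-address=169.254.175.170
add action=accept chain=srcnat dst-address=169.254.157.33 src-address=169.254.157.34
add action=accept chain=srcnat dst-address=172.30.0.0/16 src-address=192.168.5.0/24
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=172.30.0.0/16
add action=accept chain=srcnat dst-address=172.30.0.0/16 src-address=192.168.144.0/22
add action=accept chain=srcnat dst-address=172.30.0.0/16 src-address=192.168.8.0/22
add action=accept chain=srcnat dst-address=192.168.8.0/22 src-address=172.30.0.0/16
add action=accept chain=srcnat dst-address=172.30.0.0/16 src-address=<redacted>
add action=accept chain=srcnat dst-address=<redacted> src-address=172.30.0.0/16
# Hairpin NAT for the two published servers (.37 and .80).
add action=masquerade chain=srcnat dst-address=192.168.5.37 src-address=172.16.0.0/16
add action=masquerade chain=srcnat dst-address=192.168.5.37 src-address=192.168.5.0/24
# NOTE(review): this catch-all src-nat for everything leaving sfp-sfpplus12 is
# evaluated before the per-source src-nat rules below (192.168.5.80,
# 192.168.5.37, 10.20.40-44.0/24). src-nat terminates the chain, so for WAN
# egress those later rules appear never to be reached — confirm whether the
# 1:1 mappings are still intended and, if so, move them above this line.
add action=src-nat chain=srcnat out-interface=sfp-sfpplus12 to-addresses=<redacted>
add action=masquerade chain=srcnat dst-address=192.168.5.80 src-address=172.16.0.0/16
add action=masquerade chain=srcnat dst-address=192.168.5.80 src-address=192.168.5.0/24
add action=src-nat chain=srcnat src-address=192.168.5.80 to-addresses=<redacted>
# Inbound exposure: TCP 10051 to 172.16.1.1; 80/443/990/5022/7000-7009 to
# 192.168.5.40; 80/443/5005/5008 to 192.168.5.37. The forward chain admits
# these via its connection-nat-state=dstnat accept.
add action=dst-nat chain=dstnat dst-address=<redacted> dst-port=10051 protocol=tcp to-addresses=172.16.1.1
add action=dst-nat chain=dstnat dst-address=<redacted> dst-port=80,443,990,5022,7000-7009 protocol=tcp to-addresses=192.168.5.40
add action=src-nat chain=srcnat src-address=192.168.5.37 to-addresses=<redacted>
add action=dst-nat chain=dstnat dst-address=<redacted> dst-port=80,443,5005,5008 protocol=tcp to-addresses=192.168.5.37
# VPN clients are masqueraded towards the management subnets.
add action=masquerade chain=srcnat dst-address=192.168.63.0/24 src-address=192.168.32.0/24
add action=masquerade chain=srcnat dst-address=192.168.64.0/24 src-address=192.168.32.0/24
add action=masquerade chain=srcnat dst-address=192.168.66.0/24 src-address=192.168.32.0/24
add action=src-nat chain=srcnat src-address=10.20.40.0/24 to-addresses=<redacted>
add action=src-nat chain=srcnat src-address=10.20.41.0/24 to-addresses=<redacted>
add action=src-nat chain=srcnat src-address=10.20.42.0/24 to-addresses=<redacted>
add action=src-nat chain=srcnat src-address=10.20.43.0/24 to-addresses=<redacted>
add action=src-nat chain=srcnat src-address=10.20.44.0/24 to-addresses=<redacted>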
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=CoreRouter
# All info-topic messages go to the remote action (192.168.5.71:10514 under
# /system logging action); radius events are logged locally minus packet dumps.
/system logging
add action=remote topics=info
add topics=radius,!packet
/system note
set show-at-login=no
/system resource irq rps
set ether1 disabled=no
# Bandwidth test server disabled.
/tool bandwidth-server
set enabled=no
# Packet sniffer pre-configured to capture DNS on sfp-sfpplus1 and, with
# filter-stream=yes, to stream matched packets to 64.126.168.206 — a public
# address — whenever the sniffer is started. Presumably a debugging aid for
# this thread's DNS problem; the streamed captures (query names included)
# leave the network unencrypted, so clear streaming-server once done.
/tool sniffer
set file-name=test.pcap filter-interface=sfp-sfpplus1 filter-ip-address=<redacted> filter-ip-protocol=udp filter-port=dns filter-stream=yes memory-limit=1000KiB streaming-server=64.126.168.206
# RADIUS-authenticated logins land in group full unless the RADIUS reply
# assigns a group, i.e. any account the RADIUS server accepts gets full
# router rights by default.
/user aaa
set default-group=full use-radius=yes

There were a bunch of posts with similar DNS problems; downgrading appears to be the only solution.

Not a DNS problem since you aren’t even using the MT DNS. Seems like a firewall problem. Vlan 101 has range 192.168.128.11-192.168.131.254 and no firewall address list entry exists within this range (or another firewall accept rule). Therefore the last rule applies to forwarded traffic:


add action=reject chain=forward reject-with=icmp-port-unreachable

The solution would be to add an allow rule before the reject:


add action=accept chain=forward src-address=192.168.128.0/22

Kentzo


This is not a very helpful answer without references to similar topics or documentation.

What is the reason for upgrading? Any particular reason?

The first (and only) thing I notice is that I was expecting this line:

add address=192.168.128.0/22 list=users

This list is used in the firewall (which, in my opinion, is a bit unreadable… I’m still a firewall rookie).
Could that be the reason for having no access to the DNS servers?

I was going to suggest the firewall… The “nslookup” from VLAN 101 is using the far-end 8.8.8.8 as the DNS server and it’s failing, so it’s forwarded traffic. So it’s hard to blame the poor MikroTik DNS server here…

Was the same config working in V6 before you upgrade? If so…I’d look for other items that might not have converted as expected by comparing any config backup from V6 with the one generated after upgrade to V7. The OSPF and BGP stuff had significant changes, and while the internal V6->V7 converter should handle it all… there are corner cases where it does not…

My apologies if this is a redundant post. After searching through the forum, I think I found some of the posts @kenzo was referring to:
http://forum.mikrotik.com/t/dns-issue-after-upgrade/168062/13
http://forum.mikrotik.com/t/mysterious-dns-issues-pingable-but-cant-get-a-response/168694/3

@nescafe2002 I didn’t make any changes to the firewall after the upgrade; this config was working in v6. Would this rule not apply to responses from a public DNS server?

add action=accept chain=forward related connection-state=established,related

That rule applies to established and related traffic, not new connections.

The address list entry approach as suggested by erlinden is a tad nicer.

Yes, this was working in RouterOS v6. The only backup I have is a .backup file; I didn’t export the config before hand so I don’t have a text-based way to compare until after I rollback this evening.

The primary reason was mitigation of https://nvd.nist.gov/vuln/detail/CVE-2023-30799. I could have upgraded to 6.49.8 but I thought I'd take the opportunity to upgrade to v7 at the same time.

Agree :smiley:

But still…I doubt if this has worked before…assuming the config remained unchanged.

From V6 to V7 is a huge step. Needs some good testing before making it. Think about the best upgrade strategy before doing so.

Yeah, I’d roll it back to V6 – at least now have the config for V7 to compare when you do :wink:.

I think something didn’t convert right – your firewall has a lot of stuff, so it’s a bit hard to debug quickly – but if it worked before, it should work after, as the logic hasn’t changed between V6 and V7.

But what has changed is OSPF / BGP… But hard to spot an issue in routing from config alone. And I’m not the expert on V6 → V7 differences in BGP/OSPF… but that’s where I’d be looking.


I checked the firewall address list and as @erlinden pointed out, the 192.168.128.0/22 subnet was missing from the "users" list. It was definitely there before the upgrade to v7 so conversion performed as part of the upgrade is almost certainly the problem. An address list seems like a stupid thing for the conversion to mess up though...

After adding that subnet range back to the "user" address list, everything started working again!

Thank you all for your help! I'll definitely be making a config export before future upgrades and diffing them after that fact to catch bugs like this!

And that’s the mystery here – address-list requires NO complex logic to convert…

If the backup wasn’t encrypted, you might be able to use a text editor to figure it out…

The backup wasn’t encrypted. I tried using https://github.com/BigNerd95/RouterOS-Backup-Tools but didn’t find a way to generate a text export of the config. However, I did install v6.49.8, restored the backup, and diffed the configs. The /ip firewall address-list add address=192.168.128.0/22 list=users entry is there in v6. Based on the order of the rules, it appears that the conversion from v6 to v7 overwrote the first firewall address list entry with add address=192.168.5.0/24 list=bgp-networks, which is an address list that doesn’t appear anywhere in the v6 config.

v6

...
/ip firewall address-list
add address=192.168.128.0/22 list=users
add address=192.168.136.0/22 list=users
add address=192.168.144.0/22 list=users
add address=192.168.152.0/22 list=users
...
/ip firewall filter
...

v7

...
/ip firewall address-list
add address=192.168.5.0/24 list=bgp-networks
add address=192.168.136.0/22 list=users
add address=192.168.144.0/22 list=users
add address=192.168.152.0/22 list=users
...
add address=<redacted> list=bgp-networks
add address=192.168.8.0/22 list=bgp-networks
add address=<redacted> list=bgp-networks
/ip firewall filter
...

I’m not sure if the conversion script is public or if there’s a place to report this, but I’m guessing there’s a bug in the code that handles the BGP conversion.

It’s not public; I think they call it “crossfig”, but it’s just an internal part of the upgrade process. I personally have never seen it mess up a firewall… routing rules/tables, yes :wink:

Might want to file a bug at help.mikrotik.com.

Finally got a response from MikroTik support. They confirmed this bug and said they will fix it in an upcoming release of RouterOS but didn’t provide an ETA for a fix.

Until then, if your RoS v6 config uses BGP, make sure to export your firewall address list config before upgrading to v7 and then double-check your firewall address list after upgrading.