Hello,
I have looked at some topics about websites not working, but none of them helped me.
I have set up a new RB4011iGS.
Config:
/export hide-sensitive
# jan/01/2002 07:05:43 by RouterOS 6.47.4
# software id = M61N-V7EK
#
# model = RB4011iGS+
# serial number = D4480CCAABC5
# Review notes on this export. Lines starting with "#" are comments; every
# configuration line is unchanged.
# NOTE(review): hide-sensitive was used, but the serial number, software id and
# MAC addresses are still present in the export; mask them before posting publicly.
/interface bridge
add admin-mac=48:8F:5A:71:EF:5E auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=74:83:C2:FA:6A:CC
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 10 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# NOTE(review): the "dhcp" range starts at 192.168.1.1, which is also the
# router's own address under /ip address; start the pool above the gateway.
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=dhcp_pool1 ranges=192.168.3.10-192.168.3.30
add name=dhcp_pool2 ranges=192.168.4.100-192.168.4.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=ether3 lease-time=30m name=Ext
add address-pool=dhcp_pool2 disabled=no interface=ether4 lease-time=1d name=LocalLan
# NOTE(review): the /lora and /tool user-manager sections suggest optional
# packages are installed; presumably unused here. Removing unused packages
# reduces the features the router exposes.
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US up-port=1700
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
set full policy=\
local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# Only "bridge" is a member of LAN. ether3 (Ext) and ether4 (LocalLan) are in
# neither list, so the input rule "drop all not coming from LAN" covers them too.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# NOTE(review): 192.168.1.1/24 is assigned to ether2, which is a bridge port
# (see /interface bridge port), while the defconf DHCP server listens on
# "bridge". The address normally belongs on the bridge itself; confirm and move it.
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=87.244.xxx.xxx/27 interface=ether1 network=87.244.xxx.xxx
add address=192.168.3.1/24 comment=Ext interface=ether3 network=192.168.3.0
add address=192.168.4.1/24 comment=LocalLan interface=ether4 network=192.168.4.0
/ip cloud
set update-time=no
/ip dhcp-client
# NOTE(review): ether1 also has a static address and /ip route has a static
# gateway. Check with "/ip dhcp-client print" whether this leftover defconf
# client is active, and remove it if the uplink is static.
add comment=defconf interface=ether1
/ip dhcp-server network
# NOTE(review): the Ext and LocalLan networks advertise the router (192.168.3.1
# and 192.168.4.1) as first DNS server, but ether3/ether4 are not in the LAN
# list, so new queries from them to the router presumably hit the input drop
# rule. TODO confirm.
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.1,217.119.121.225 domain=HPMExt gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1,217.119.121.225 domain=HPMLocalLan gateway=192.168.4.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from clients.
# What keeps it from acting as an open resolver on the WAN side is the input
# rule "drop all not coming from LAN" below; keep that rule in place.
set allow-remote-requests=yes servers=217.119.121.225,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
# Rules are evaluated top to bottom; the first matching rule decides.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# NOTE(review): the forward chain below only restricts new connections from
# WAN. Nothing separates 192.168.3.0/24 (Ext) from the other local subnets;
# add forward drop rules if Ext is meant to be isolated.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): the six input rules below come after "defconf: drop all not
# coming from LAN", and ether1 is in WAN, not LAN. New WinBox/SSH connections
# arriving on ether1 are therefore dropped before "allow winbox" / "allow ssh"
# are reached; as ordered, these rules look like dead duplicates.
# NOTE(review): if they are ever moved above the drop rule, they would open
# ports 8291 and 22 to any source address. Limit them with src-address or
# src-address-list, or manage the router over a VPN instead.
# "port=" also matches the source port; dst-port= is the narrower matcher.
add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow ssh" in-interface=ether1 port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
/ip firewall mangle
# Clamps the MSS of forwarded TCP SYN packets to the path MTU.
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=87.244.xxx.xxx
/ip service
# NOTE(review): only telnet is changed here. An export lists non-default values
# only, so the other services are presumably still at their defaults. Check
# with "/ip service print", disable what is unused, and limit the rest with
# address=.
set telnet disabled=yes
/system clock
# NOTE(review): the export header is dated jan/01/2002 and no NTP client appears
# in this export, so the clock looks unset and log timestamps will be off.
# TODO confirm.
set time-zone-name=Europe/Bratislava
/system identity
set name=HPMMikroTik
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=user-manager
Quite a few sites (www.whatismyipaddress.com, https://www.researchgate.net/, https://www.webex.com/, https://www.ardmediathek.de/daserste/, https://go.microsoft.com/, http://mediathek.daserste.de) are not working (timing out: ERR_CONNECTION_TIMED_OUT). I have also used the SG TCP/IP Analyzer, which output:
« SpeedGuide.net TCP Analyzer Results »
Tested on: 2020.10.06 05:12
IP address: 87.244.xxx.xxx
Client OS/browser: Windows 10 (Chrome 85.0.4183.121)
TCP options string: 020405b40103030801010402
MSS: 1460
MTU: 1500
TCP Window: 131328 (not multiple of MSS)
RWIN Scaling: 8 bits (2^8=256)
Unscaled RWIN : 513
Recommended RWINs: 64240, 128480, 256960, 513920, 1027840
BDP limit (200ms): 5253kbps (657KBytes/s)
BDP limit (500ms): 2101kbps (263KBytes/s)
MTU Discovery: ON
TTL: 112
Timestamps: OFF
SACKs: ON
IP ToS: 00000000 (0)
I ran a traceroute to whatismyipaddress.com from the router:
[admin@HPMMikroTik] > /tool traceroute whatismyipaddress.com
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 87.244.xxx.xxx 0% 46 3.2ms 1.2 0.5 3.3 0.9
2 87.244.210.142 0% 46 0.8ms 1.4 0.8 3.5 0.5
3 87.244.210.254 0% 46 1.3ms 1.4 0.8 6 0.8
4 217.119.114.73 0% 46 1.9ms 2.5 1.9 7.1 1
5 185.171.140.154 0% 46 3.5ms 4.8 3.3 32.5 4.6 <MPLS:L=1694,E=0 L=49213,E=0,T=1>
6 185.171.140.152 0% 46 3.5ms 6 3.4 42.1 7.6 <MPLS:L=1619,E=0 L=49213,E=0,T=2>
7 185.171.140.148 0% 46 6.6ms 4.6 3.4 6.9 1.1 <MPLS:L=3975,E=0 L=49213,E=0,T=3>
8 185.171.140.57 0% 46 12.5ms 5.7 3.1 36.4 5.3 <MPLS:L=2422,E=0 L=49213,E=0,T=4>
9 100% 46 timeout
10 100% 46 timeout
11 100% 46 timeout
12 100% 46 timeout
13 100% 46 timeout
and from a different network on a different ISP:
C:\Users>tracert whatismyipaddress.com
Tracing route to whatismyipaddress.com [104.16.154.36]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms xxxx.xxxx [192.168.1.1]
2 * * * Request timed out.
3 21 ms 20 ms 26 ms dupdevs-static-65.213-81-253.xx.xx [213.81.xx.xx]
4 * * * Request timed out.
5 20 ms 22 ms 20 ms brat-b1-link.telia.net [62.115.155.166]
6 31 ms 31 ms 31 ms win-bb2-link.telia.net [62.115.119.188]
7 31 ms 36 ms 31 ms prag-b3-link.telia.net [62.115.137.41]
8 40 ms 40 ms 40 ms cloudflare-ic-154352-prag-b3.c.telia.net [80.239.194.86]
9 36 ms 36 ms 36 ms 104.16.154.36
Trace complete.
My PC is connected to ether2 which is bridged.
Any help would be appreciated.