Suddenly can't connect to internet

Hi all,

I picked up a hAP ax3 router recently for my business; The reason I got it was that our ISP (the only one available in the building) has some specific configuration requirements that a more basic home router didn't have options for. It was a little tricky to set up, but I somehow got it working after poking around in the settings for a bit. Until a couple days ago, for some reason it randomly lost the connection completely, and I haven't been able to get it up and running again. I've been in touch with the ISP and there is no issue on their side, they said that they can detect the router so AFAIK the link up that point is stable. I'm pretty sure it's some kind of configuration issue, but a lot of the options in RouterOS are way over my head (not an IT pro). If someone can point me in the right direction I'd be incredibly grateful!

Here's what our ISP provided us with for configuration requirements:

xxx is handing off your network circuit as 100Mbps Full Duplex. Your network hardware must be configured as 100Mbps Full Duplex with auto-negotiation off to ensure maximum network throughput and stability.

Circuit ID: xxxx

CIDR: ELIDED.114/31

IP Address: ELIDED.115

Subnet Mask: 255.255.255.254

Gateway: ELIDED.114

DNS1: 66.28.0.61

DNS2: 207.126.96.248

Steps I've taken so far, based on what I understand the usual setup process to be:

-Did reset on the overall configuration, except users

-Reset the Wifi SSID/password to what I had before

-Added ...114/31 under IP/Adresses, with interface ether1 (where the fiber converter is plugged in). The "Gateway" field populated automatically to ...114.

-Turned off autonegotiation on ether1 and set to 100M full duplex. The link appears to be good, although it requires disabling and re-enabling the interface one time.

-Added a default route; I first added 0.0.0.0/0 -> ...114; However, the status showed "unreachable", and when I tried pinging 8.8.8.8, I got a "no route to host" message, so I tried changing the target to "%ether1" and that shows as active.

That's pretty much it so far; When I try a ping now it alternates between timeouts and "...114: host unreachable". Full configuration is below for reference. Apologies if I'm missing something glaringly obvious here - Definitely not my area of expertise! Thanks in advance for your help

# 2025-09-11 11:49:22 by RouterOS 7.19.6
# software id = **ELIDED**
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = [redacted]
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no speed=100M-baseT-full
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=**ELIDED** disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=**ELIDED** disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=...114/31 interface=ether1 network=...114
/ip dhcp-client
add comment=defconf default-route-tables=main interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=66.28.0.61,207.126.96.248
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether1 routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This step is not correct. The entry you add should have ELIDED.115/31 as value for address not ELIDED.114/31. You want to assign .115 to your router, not .114!

Once that is corrected, change your default route back to gateway=ELIDED.114 instead of ether1.

Thank you, I will try that! I guess maybe that was a typo in the instructions they gave me?

No typo. The instructions they gave you are correct. You get the IP address ELIDED.115 while their end (the gateway) has the IP address ELIDED.114.

with /ip address add address=... you assign an IP address to your router. So it's logical to assign the .115 address here (because that's what the ISP gives to you) and not .114 (the address on their end).

Thank you, that makes sense! So the "CIDR" address they gave me is the gateway, not my IP address?

It's the subnet, not a single IP address (that's why it has /31 at the end). You can use this website to "calculate":

IP Subnet Calculator

And see that that /31 subnet has two addresses, one .114 and one .115. Of course being only /31 there is no address usable for "broadcast" as well as "network address" and in your case it's like a point-to-point network between the .114 host (the ISP gateway) and the .115 host (your router).

With a /30 subnet you'll get the "network" and "broadcast" addresses too, and in that case normally the ISP gateway would be .113 and your devices .114. But that is wasteful, the ISP lose two precious IP addresses for no purpose.

Really appreciate the detailed explanation I'll try updating those settings tomorrow!

Hmmm.

Shouldn't it be:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=...114 routing-table=main suppress-hw-offload=no

?
Maybe witrh a /31 the gateway set as ether1 works, but normally you would set the gateway (as per ISP instructions) to the IP address of the device connected to ether1.

Yes, OP wrote that they modified the gateway in the route in their debug attempt, it should be changed back to gateway=ELIDED.114 (as I wrote in #2 above).

OK, I changed the address to x.x.x.115/31, and the route back to x.x.x.114 - That's now showing as active, thank you!

Still not getting Internet though, a ping just gets me the same "host unreachable" message from x.x.x.115... Anything else look off?

Here is my updated configuration:

[admin@MikroTik] > export hide-sensitive 
# 2025-09-13 04:14:46 by RouterOS 7.19.6
# software id = xxxxxx
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxxxxx
/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no speed=100M-baseT-full
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=xxxxxxx disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=xxxxxxx disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=x.x.x.115/31 interface=ether1 network=x.x.x.114
/ip dhcp-client
add comment=defconf default-route-tables=main disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=66.28.0.61,207.126.96.248
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.114 routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >  

Settings look fine to me.

Post the output of:
/ip address print
and of:
/ip route print

Is the issue pinging from the router or from a PC on the LAN (or both)?

What happens if doing a traceroute (both from a PC and from the router itself)?

Here's what comes up:

[admin@MikroTik] > ip address print 
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS          NETWORK       INTERFACE
;;; defconf
0 192.168.88.1/24  192.168.88.0  bridge   
1 x.x.x.115/31  x.x.x.114  ether1   
[admin@MikroTik] > ip route print 
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#     DST-ADDRESS      GATEWAY       ROUTING-TABLE  DISTANCE
0  As 0.0.0.0/0        x.x.x.114  main                  1
  DAc x.x.x.114/31  ether1        main                  0
  DAc 192.168.88.0/24  bridge        main                  0
[admin@MikroTik] >  

I have been trying to ping from the router OS itself, no connectivity from a pc on the LAN either

Same thing with traceroute, timeouts interspersed with a "host unreachable" status from x.x.x.115

try to ping .114 from router
look at ip->arp table
is there ANY arp entry from ether1 ?

Same result from pinging .114 - "host unreachable"

The ARP table does have an entry for .114 with interface ether1, but the MAC address is blank and the status is going between "incomplete" and "failed"

ok, my guess is ether1 link with forced 100FD

reset counters on ether1
try to ping 114
look at counters, TX/RX should increase

Unfortunately that didn't do the trick - still no activity on Rx

ok, please do NOT force 100FD

turn on autonegotiation !!!
and clear all items from list
leave only 100M baseT full in advertise list

Ok that was weird - I turned on autonegotiation with just the one option as you suggested, but that didn't help - link just went dead. However, when I turned autonegotiation back off and disabled/re-enabled the interface to restart the link, there was a sudden burst of Rx activity and my Wi-Fi status indicator went from "no internet" to "connected". But, my pings are still timing out. And now the WiFi status is back to "no internet". Not sure what to make of that!

Thank you for all the help, by the way!!!