I’ve just set up my hEX S + cAP ac combo and eventually ran into three problems or questions.
Case 1. I have an InfluxDB database on my desktop PC (static address 192.168.0.50) and the RPi (192.168.0.99) collects data and writes it to the PC over the LAN (InfluxDB listens on port 8086, the default). After I changed the router this stopped working. I have not touched the config at all, and if I put the old router back everything works fine. I never set any special rules there either.
What is strange is that I have Grafana running on the PC, listening on port 3000 and that can be accessed from the RPi (as well as from the internet as I’ve forwarded the port).
What can I do about this?
# hEX S export (case 1). Lines starting with "#" are review notes; every configuration
# statement below is reproduced unchanged. NOTE(review): /ip service, /user and
# /interface bridge settings are not part of this export, so nothing here shows whether
# unused management services (telnet, ftp, api, www) are disabled or whether the admin
# password has been set - check those separately.
/interface bridge
add admin-mac=08:55:31:9C:3C:E8 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
# 10-minute leases: the lease list turns over quickly, which is why the fixed hosts are
# pinned with static lease entries further down.
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
# ether2-ether5 and sfp1 form one L2 segment. Unless use-ip-firewall=yes is set under
# /interface bridge settings (not shown in this export), traffic between two hosts on
# this bridge - e.g. the RPi (.99) writing to InfluxDB on the PC (.50, TCP 8086) - is
# switched and never passes through the /ip firewall filter rules below. The case 1
# problem is therefore not caused by this router's firewall; look at the hosts (see the
# follow-up about the Windows firewall profile).
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip cloud
# Cloud DDNS publishes the current WAN address under a MikroTik DDNS name; together with
# the dst-nat rule below this makes the forwarded Grafana port easy to find by name.
set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
# MAC addresses and client IDs were redacted to "x" when this export was posted.
add address=192.168.0.99 client-id=x comment=PI \
mac-address=x server=defconf
add address=192.168.0.50 client-id=x comment=TEHOMYLLY \
mac-address=x server=defconf
add address=192.168.0.75 client-id=x comment=SYN \
mac-address=x server=defconf
add address=192.168.0.29 client-id=x comment=VU+ \
mac-address=x server=defconf
add address=192.168.0.25 client-id=x comment=COREELEC \
mac-address=x server=defconf
add address=192.168.0.60 comment=VALLOX mac-address=x server=\
defconf
add address=192.168.0.10 comment=DAIKIN mac-address=x server=\
defconf
add address=192.168.0.15 comment=NETATMO mac-address=x \
server=defconf
add address=192.168.0.38 client-id=x comment=FRONIUS \
mac-address=x server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
192.168.0.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for the LAN. The input-chain
# rule "drop all not coming from LAN" below is what keeps it from being an open resolver
# on the WAN side, so that rule must stay, and must stay after the accept rules and
# before anything added later. Upstream queries go to 45.90.28.225 / 45.90.30.225 as
# plain DNS; no DoH/DoT is configured in this export.
set allow-remote-requests=yes servers=45.90.28.225,45.90.30.225
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
# Stock defconf IPv4 filter. Input: accept established/related/untracked, ICMP and the
# loopback (for CAPsMAN), then drop everything not arriving from a LAN-list interface -
# so Winbox/SSH/www/DNS on the router are unreachable from the WAN port. Forward: new
# WAN->LAN connections are dropped unless dst-nat'ed; there is no final drop, so LAN->WAN
# (and routed LAN->LAN) traffic passes by fall-through.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# TCP/3000 (Grafana on the PC) is published to the whole internet: anyone can reach the
# Grafana login page. Keep a strong admin password, keep anonymous access off and put TLS
# in front of it - or reach it over a VPN instead of a port forward. Minor: this rule
# matches in-interface=ether1 while the rest of the config uses in-interface-list=WAN.
add action=dst-nat chain=dstnat dst-port=3000 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.50
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Stock defconf IPv6 filter: input accepts ICMPv6, UDP traceroute, the DHCPv6 client,
# IKE/IPsec and drops the rest from non-LAN interfaces; forward ends with "drop
# everything else not coming from LAN", so no IPv6 host on the LAN is reachable from
# outside. Worth keeping in mind: IPv6 has no NAT to hide behind, this chain alone does
# that job.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Helsinki
/system leds settings
set all-leds-off=after-1h
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-Winbox limited to LAN-list interfaces - keep it this way. These
# accept connections by MAC address without any IP configuration, so they must never be
# reachable on the WAN port.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Case 2. I have set up a guest wifi on the cAP ac to put some IoT things on. I can connect to it, but there is no Internet connectivity. Once I get this working, I intend to make sure that the IoT network cannot access my normal LAN.
# cAP ac export (case 2). Lines starting with "#" are review notes; every configuration
# statement below is reproduced unchanged. Topology as exported: wlan1, wlan2 and ether1
# are bridged (bridge1) and the cAP obtains its own LAN address by DHCP on bridge1; the
# IoT SSID hangs off a separate guest_bridge with 192.168.1.1/24, for which the cAP itself
# routes, NATs and serves DHCP.
/interface bridge
add name=bridge1
add name=guest_bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Passphrases redacted ("xxxx") when posted. Note that the guest SSID further down is NOT
# given a profile of its own - see the comment on guest-wifi.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=xxxx \
wpa2-pre-shared-key=xxxx
add authentication-types=wpa2-psk mode=dynamic-keys name=Olohuone \
supplicant-identity="" wpa2-pre-shared-key=xxxx
add authentication-types=wpa2-psk mode=dynamic-keys name=Arska_5G \
supplicant-identity="" wpa2-pre-shared-key=xxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=finland disabled=no distance=indoors frequency=2422 installation=\
indoor mode=ap-bridge security-profile=Olohuone ssid=Olohuone \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee country=finland disabled=no distance=indoors \
installation=indoor mode=ap-bridge security-profile=Arska_5G ssid=\
Arska_5G wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
# SECURITY: guest-wifi (ssid=IoT) uses security-profile=Olohuone, the same profile - and
# therefore the same WPA2 passphrase - as the main 2.4 GHz SSID "Olohuone" on wlan1.
# Anyone who is given the IoT password can equally join the main LAN, which defeats the
# planned isolation. Create a separate security profile with its own key for this SSID.
# (wps-mode=disabled on all three interfaces is correct.)
add disabled=no keepalive-frames=disabled mac-address=xxxx \
master-interface=wlan1 multicast-buffering=disabled name=guest-wifi \
security-profile=Olohuone ssid=IoT wds-cost-range=0 wds-default-cost=0 \
wmm-support=enabled wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# guest_pool and dhcp_pool2 are the same range; only dhcp_pool2 is referenced by the DHCP
# server below, guest_pool is unused.
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=guest_pool ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=guest_bridge name=dhcp1
/interface bridge filter
# NOTE(review): in the bridge filter, chain=input is traffic going from a bridge port to
# the bridge interface itself. As written, this drops UDP/68 (DHCP offer/ack) arriving on
# ether1 for the cAP's own dhcp-client on bridge1. Check that "/ip dhcp-client print"
# shows a bound address and a default route; if it does not, this rule is the first
# suspect for the guest network having no internet, because 192.168.1.0/24 traffic is
# routed and NAT'ed by the cAP and depends on that upstream route.
add action=drop chain=input dst-port=68 in-interface=ether1 ip-protocol=udp \
mac-protocol=ip
/interface bridge port
add bridge=bridge1 comment=defconf interface=wlan1
add bridge=bridge1 comment=defconf interface=wlan2
add bridge=bridge1 interface=ether1
add bridge=guest_bridge interface=guest-wifi
/interface list member
# ether1 is both a bridge1 port and the only WAN-list member; bridge1 itself (the L3
# interface carrying the DHCP address) and guest_bridge are in neither list.
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes network=192.168.88.0
add address=192.168.1.1/24 interface=guest_bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=bridge1
/ip dhcp-server network
# The 0.0.0.0/24 entry is a leftover of the default config (its 192.168.88.1 address is
# disabled above); dead but harmless. Guest clients are handed Google DNS directly.
add address=0.0.0.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
0.0.0.0 netmask=24
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 \
netmask=24
/ip dns
# allow-remote-requests=yes combined with the absence of any input-chain firewall rules
# (see below) means the guest network can use 192.168.1.1 as a resolver and reach every
# other service the cAP listens on.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# There is NO input chain here: nothing stops a guest client from reaching Winbox, SSH,
# www or DNS on 192.168.1.1 (or on the cAP's bridge1 address). Before trusting the IoT
# isolation, add input rules on this device: accept established/related, accept from the
# trusted side, drop the rest.
# Forward chain: the last rule drops new 192.168.1.0/24 -> 192.168.0.0/24 connections,
# which is the intended isolation; it sits after the established/related accept, so
# replies to LAN-initiated connections still pass. There is no final forward drop, so
# guest -> internet is allowed by fall-through - the missing internet access is not
# explained by these rules alone (see the bridge-filter note above).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=\
192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Guest traffic is masqueraded to the cAP's own upstream (bridge1) address, so the hEX
# sees all IoT traffic as coming from the cAP, one ordinary LAN host. The hEX therefore
# cannot tell IoT from LAN, and the isolation rule has to live on this device.
add action=masquerade chain=srcnat src-address=192.168.1.0/24
/ip upnp
# UPnP lets any device on the "internal" interface create port mappings with no
# authentication. On the cAP the "external" side (ether1) appears to be just the home LAN
# behind the hEX, so this buys nothing and is best disabled (/ip upnp set enabled=no)
# unless something specifically depends on it.
set enabled=yes
/ip upnp interfaces
add interface=ether2 type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Helsinki
/system leds settings
set all-leds-off=immediate
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
# Stock "dark-mode" LED toggle bound to the mode button; the broad policy list (password,
# sensitive, ...) is the defconf default and harmless for this script as long as nothing
# else is added to it.
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
Case 3. One wireless client doesn’t show up in the lease list
I have one wireless client which is connected to a wifi extender. I cannot see it in the lease list, so I cannot give it a static address there (it is a device related to home automation). I can see it connected in the cAP ac config in Winbox and I can connect to it, at least for now. It used to have a static IP with the old router and seems to have kept it even though I have power-cycled it twice already — which suggests the address is configured statically on the device itself, so it never requests a DHCP lease and will not show up in the lease list. Is there a way to see it in the GUI, or should I just add the necessary things in the manual config?
Thanks for any pointers and help in advance! I’ve already spent a good half a day on these and don’t feel that I’m any closer to solutions.
I’ve just set up my hEX S + cAP ac combo and eventually ran into three problems or questions.
Case 1. I have an InfluxDB database on my desktop PC (static address 192.168.0.50) and the RPi (192.168.0.99) collects data and writes it to the PC over the LAN (InfluxDB listens on port 8086, the default). After I changed the router this stopped working. I have not touched the config at all, and if I put the old router back everything works fine. I never set any special rules there either.
What is strange is that I have Grafana running on the PC, listening on port 3000 and that can be accessed from the RPi (as well as from the internet as I’ve forwarded the port).
What can I do about this?
# hEX S export (case 1). Lines starting with "#" are review notes; every configuration
# statement below is reproduced unchanged. NOTE(review): /ip service, /user and
# /interface bridge settings are not part of this export, so nothing here shows whether
# unused management services (telnet, ftp, api, www) are disabled or whether the admin
# password has been set - check those separately.
/interface bridge
add admin-mac=08:55:31:9C:3C:E8 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
# 10-minute leases: the lease list turns over quickly, which is why the fixed hosts are
# pinned with static lease entries further down.
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
# ether2-ether5 and sfp1 form one L2 segment. Unless use-ip-firewall=yes is set under
# /interface bridge settings (not shown in this export), traffic between two hosts on
# this bridge - e.g. the RPi (.99) writing to InfluxDB on the PC (.50, TCP 8086) - is
# switched and never passes through the /ip firewall filter rules below. The case 1
# problem is therefore not caused by this router's firewall; look at the hosts (see the
# follow-up about the Windows firewall profile).
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip cloud
# Cloud DDNS publishes the current WAN address under a MikroTik DDNS name; together with
# the dst-nat rule below this makes the forwarded Grafana port easy to find by name.
set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
# MAC addresses and client IDs were redacted to "x" when this export was posted.
add address=192.168.0.99 client-id=x comment=PI \
mac-address=x server=defconf
add address=192.168.0.50 client-id=x comment=TEHOMYLLY \
mac-address=x server=defconf
add address=192.168.0.75 client-id=x comment=SYN \
mac-address=x server=defconf
add address=192.168.0.29 client-id=x comment=VU+ \
mac-address=x server=defconf
add address=192.168.0.25 client-id=x comment=COREELEC \
mac-address=x server=defconf
add address=192.168.0.60 comment=VALLOX mac-address=x server=\
defconf
add address=192.168.0.10 comment=DAIKIN mac-address=x server=\
defconf
add address=192.168.0.15 comment=NETATMO mac-address=x \
server=defconf
add address=192.168.0.38 client-id=x comment=FRONIUS \
mac-address=x server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
192.168.0.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for the LAN. The input-chain
# rule "drop all not coming from LAN" below is what keeps it from being an open resolver
# on the WAN side, so that rule must stay, and must stay after the accept rules and
# before anything added later. Upstream queries go to 45.90.28.225 / 45.90.30.225 as
# plain DNS; no DoH/DoT is configured in this export.
set allow-remote-requests=yes servers=45.90.28.225,45.90.30.225
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
# Stock defconf IPv4 filter. Input: accept established/related/untracked, ICMP and the
# loopback (for CAPsMAN), then drop everything not arriving from a LAN-list interface -
# so Winbox/SSH/www/DNS on the router are unreachable from the WAN port. Forward: new
# WAN->LAN connections are dropped unless dst-nat'ed; there is no final drop, so LAN->WAN
# (and routed LAN->LAN) traffic passes by fall-through.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# TCP/3000 (Grafana on the PC) is published to the whole internet: anyone can reach the
# Grafana login page. Keep a strong admin password, keep anonymous access off and put TLS
# in front of it - or reach it over a VPN instead of a port forward. Minor: this rule
# matches in-interface=ether1 while the rest of the config uses in-interface-list=WAN.
add action=dst-nat chain=dstnat dst-port=3000 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.50
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Stock defconf IPv6 filter: input accepts ICMPv6, UDP traceroute, the DHCPv6 client,
# IKE/IPsec and drops the rest from non-LAN interfaces; forward ends with "drop
# everything else not coming from LAN", so no IPv6 host on the LAN is reachable from
# outside. Worth keeping in mind: IPv6 has no NAT to hide behind, this chain alone does
# that job.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Helsinki
/system leds settings
set all-leds-off=after-1h
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-Winbox limited to LAN-list interfaces - keep it this way. These
# accept connections by MAC address without any IP configuration, so they must never be
# reachable on the WAN port.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I found a solution for case 1. On the PC, I had set the Windows Firewall to block connections that come from a “Public” network, i.e. the internet. I have now changed the rule so that traffic to InfluxDB is allowed only if the source IP belongs to my LAN subnet. I also had my network marked as Public even though I’m behind a NAT, so now it’s Private. (Scoping the InfluxDB rule to the LAN subnet is the part that actually matters; note that the Private profile also turns on network discovery and sharing, so Public plus a subnet-scoped allow rule is the more conservative combination.)
What is still strange is that it worked with the old router while the same block rule was in place.
karlisi
October 27, 2023, 11:50am
Is the Windows network profile the same with the old and the new router? If the Windows computer is connected directly to the router, it detects the hardware change and may switch the network profile, even if the new router is configured exactly like the old one.
Is the Windows network profile the same with the old and the new router? If the Windows computer is connected directly to the router, it detects the hardware change and may switch the network profile, even if the new router is configured exactly like the old one.
Didn’t check, but I’d expect it to be the same. After all, Windows should always ask about a new network when it detects one, but it didn’t ask me anything.