Traffic are bloced for one devices (WIznet)

eldzi · December 3, 2021, 9:34am

Hi,
I have a problem with my RB2011iL (6.49), its confuse me.
In my network I have a gateway for my boiler, it connects to the external server using ports 51000-52000 starting from 51652.

but when this gateway is connected directly to the Mikrotik router not working, the device restarts because the connection to the server is not established.
When I put between RB and gateway the tp-link with gargoyle (default settings) its works very well.

Firewall settings below with my excesise

when i disable “drop” has no impact on this

anav · December 3, 2021, 7:29pm

Could be this scenario?
It may depend on DNS, if the boiler DNS is not in the proper format non-standard (wrong letter case) , the MT router will correct the format which then may be rejected with return traffic as unrecognized by the client (boiler).
Most brands simply copy the DNS name and regurgitate it back and no issues.

eldzi · December 7, 2021, 6:10am

Thx for your answer but what I should do now? and how of course where I be able to check translation DNS?

Sob · December 7, 2021, 1:46pm

If it is this thing with dns, you can test (and fix it) by giving different dns servers to this device. Either manually, or add special config for it in dhcp server. Give it static lease and then own config:

If you have e.g. this for whole network:

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

Then make a copy, change address to this device’s address with /32 mask, add netmask=24 and custom dns:

/ip dhcp-server network
add address=192.168.88.50/32 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=24

eldzi · December 20, 2021, 10:48am

If it is this thing with dns, you can test (and fix it) by giving different dns servers to this device. Either manually, or add special config for it in dhcp server. Give it static lease and then own config:

If you have e.g. this for whole network:
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
Then make a copy, change address to this device’s address with /32 mask, add netmask=24 and custom dns:
/ip dhcp-server network
add address=192.168.88.50/32 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=24

as i know i made as you shown above but not working
any ideas how solve this issue ?

Sob · December 20, 2021, 6:46pm

It won’t just start working, the device first needs to get new dns servers, so you’d have to either wait until it renews dhcp lease, or restarting the device should help too.

You can verify what the device uses using logging rules:

/ip firewall mangle
add chain=prerouting src-address=<device's address> protocol=udp dst-port=53 action=log
add chain=prerouting src-address=<device's address> protocol=tcp dst-port=53 action=log

If it uses correct servers (i.e. not RB), and it still doesn’t work, then it must be something else. But what exacly, it’s hard to say. For start, check firewall, but chain=forward, not chain=input, and make sure that you don’t block device’s access to internet there. If it doesn’t help either, you could play with packet sniffer and look for clues there, compare what happens with RB and what happends with TP-Link, and hopefully there will be something obvious. But it’s something a bit more advanced.

eldzi · December 22, 2021, 9:39am

It won’t just start working, the device first needs to get new dns servers, so you’d have to either wait until it renews dhcp lease, or restarting the device should help too.

You can verify what the device uses using logging rules:
/ip firewall mangle
add chain=prerouting src-address=<device's address> protocol=udp dst-port=53 action=log
add chain=prerouting src-address=<device's address> protocol=tcp dst-port=53 action=log
If it uses correct servers (i.e. not RB), and it still doesn’t work, then it must be something else. But what exacly, it’s hard to say. For start, check firewall, but chain=forward, not chain=input, and make sure that you don’t block device’s access to internet there. If it doesn’t help either, you could play with packet sniffer and look for clues there, compare what happens with RB and what happends with TP-Link, and hopefully there will be something obvious. But it’s something a bit more advanced.

thank you for your answer
messeges in log’s as below

I try to put the Google DNS

try to add many different addresses but without result, when the device (wiznet) not established the internet connection then it restarts automatically
e.g i use addres IP my mobile phone and use this addres as a static for wiznet devices and does not working.

Sob · December 22, 2021, 4:22pm

The goal was to make the device itself use external dns resolvers, i.e. not router. So either give it some using dhcp:

/ip dhcp-server network
add address=192.168.1.158/32 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24

And then the logging rule should show requests from 192.168.1.158 going directly to 8.8.8.8/8.8.4.4 (and not to 192.168.1.1 like now). Or you can redirect dns queries from device to external server using dstnat:

/ip firewall nat
add chain=dstnat src-address=192.168.1.158 protocol=udp dst-port=53 action=dst-nat to-addresses=8.8.8.8
add chain=dstnat src-address=192.168.1.158 protocol=tcp dst-port=53 action=dst-nat to-addresses=8.8.8.8

eldzi · December 23, 2021, 7:03am

Thank you for solution i will try asap

eldzi · January 4, 2022, 10:19am

Sob thank you so much, my problem was solved by your advices i so appreciate your knowledge.
Now i see connection with server

Sob · January 4, 2022, 11:03am

Good. And when you upgrade to RouterOS v7 in future (you don’t have to rush), this shouldn’t be necessary anymore.