I have inherited a hEX PoE (v6.49.19) and am trying to get the router to handle DNS for the network. We've had to change DHCP on the LAN to assign 8.8.8.8 as DNS for now, but I need the endpoints to be able to resolve static records that I have set up on the router. Allow Remote Requests is already ticked, but doing an nslookup against the gateway fails to return anything. I can't ping the gateway either.
When I do a torch, I can see DNS traffic hit the gateway but I don't see any response back.
It looks like the LAN has been configured as a bridge, so I'm not sure if that's playing any part in it.
Hoping someone can help review the configuration for me and point me in the right direction. This platform is not one I'm comfortable with.
aldek
May 27, 2026, 5:23am
It is difficult to do this without the configuration itself.
Please provide export of your config without sensitive data.
Here's the dump, sorry.
# may/27/2026 18:08:14 by RouterOS 6.49.19
# software id = **ELIDED**
#
# model = 960PGS
# serial number = **ELIDED**
# NOTE(review): the '#' lines below are reviewer annotations; the exported
# statements themselves are unchanged. The forum has wrapped long statements
# and dropped the trailing '\' continuation that export writes, and has
# escaped '[' / ']' as '\[' / '\]', so this dump will not import as-is.
/interface bridge
add fast-forward=no name=bridge-cult
/interface ethernet
set \[ find default-name=ether1 \] name=ether1-WAN speed=100Mbps
set \[ find default-name=ether2 \] speed=100Mbps
set \[ find default-name=ether3 \] speed=100Mbps
set \[ find default-name=ether4 \] speed=100Mbps
set \[ find default-name=ether5 \] speed=100Mbps
set \[ find default-name=sfp1 \] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=ether1-WAN name=vlan10 vlan-id=10
/interface pppoe-client
# use-peer-dns=yes lets the ISP-supplied resolvers be added as dynamic
# servers next to the static ones set under /ip dns below.
add add-default-route=yes disabled=no interface=vlan10 name=pppoe-out1
use-peer-dns=yes user=**ELIDED**
/interface list
add name=LAN
/interface wireless security-profiles
set \[ find default=yes \] supplicant-identity=MikroTik
/ip ipsec profile
# NOTE(review): 3des and modp1024 are legacy choices; both profiles should
# move to an AES cipher and a stronger DH group once the remote peers allow it.
add dh-group=modp1024 dpd-interval=10s enc-algorithm=3des lifetime=1h name=
profile_1
add dh-group=modp1024 enc-algorithm=3des name=profile_2
/ip ipsec peer … **ELIDED**
/ip pool
add name=dhcp_pool0 ranges=192.168.2.100-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-cult name=dhcp1
/snmp community
add addresses=**ELIDED**/32 name=CENSOL security=authorized
/system logging action
set 3 remote=192.168.0.195
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp”
/interface bridge port
add bridge=bridge-cult interface=ether2
add bridge=bridge-cult interface=ether3
add bridge=bridge-cult interface=ether4
add bridge=bridge-cult interface=ether5
/ip neighbor discovery-settings
# !dynamic appears to announce neighbor discovery (MNDP/CDP/LLDP) on every
# static interface, ether1-WAN included; the LAN interface list defined below
# is the usual way to restrict it to the inside.
set discover-interface-list=!dynamic
/interface list member
add interface=bridge-cult list=LAN
/ip address
add address=192.168.2.1/24 interface=bridge-cult network=192.168.2.0
/ip dhcp-server network
# Clients are handed 8.8.8.8 directly, so they never ask the router and will
# not see the static records below. Once the router answers queries from the
# LAN, point dns-server here at 192.168.2.1.
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
/ip dns
# allow-remote-requests=yes makes the router a recursive resolver for any
# packet that reaches the input chain; only the final "drop all input chain"
# rule below keeps it from being an open resolver towards the WAN.
# The input chain accepts new connections from 192.168.2.0/24 and has
# explicit LAN DNS accepts, so with this filter the gateway should answer;
# the counters on those rules show whether the LAN queries are being matched.
set allow-remote-requests=yes servers=103.247.37.37,103.247.36.36
/ip dns static
# Names under .local are handled as mDNS by many client OSes and may never be
# sent to a unicast resolver. nslookup queries the server directly, so that is
# not why nslookup fails, but normal resolution of this record can be affected.
add address=10.100.x.y name=**ELIDED**.local
/ip firewall filter
add action=drop chain=input comment="drop invalid input chain”
connection-state=invalid
add action=drop chain=forward comment="drop invalid foward chain”
connection-state=invalid
# Winbox is accepted from the PPPoE interface with no src-address limit, i.e.
# from the whole internet. Restrict src-address to the management address (as
# the later reply in the thread does) or reach it only over the IPsec tunnel.
add action=accept chain=input comment="winbox remote access" dst-port=8291
in-interface=pppoe-out1 protocol=tcp
# Same exposure for SNMP: the community's addresses= list limits which manager
# is accepted at the SNMP layer, but the firewall should also limit src-address.
add action=accept chain=input comment="CENSOL SNMP" dst-port=161
in-interface=pppoe-out1 protocol=udp
# ESP is accepted from any source, and there is no input accept for IKE
# (udp/500, udp/4500); the tunnels presumably rely on the router initiating
# and on the established/related rules — confirm against the elided peers.
add action=accept chain=input comment="Accept IPSEC" protocol=ipsec-esp
add action=accept chain=input comment=
"accept all lan established input chain" connection-state=established
add action=accept chain=input comment="accept all lan input chain”
connection-state=new src-address=192.168.2.0/24
add action=accept chain=forward comment="Accept all Sydney" src-address=
192.168.0.0/24
# No connection-state or src-address: any forwarded packet whose destination
# is the LAN is accepted, including traffic arriving over the IPsec tunnels.
# Consider tying it to connection-state=established,related or to a source.
add action=accept chain=forward dst-address=192.168.2.0/24
add action=accept chain=forward comment="Accept all Azure" src-address=
10.100.0.0/16
add action=accept chain=forward comment="To Azure" dst-address=10.100.0.0/16
add action=accept chain=input comment="accept all lan related input chain”
connection-state=related
add action=accept chain=forward comment=
"accept all new forward chain from lan" connection-state=new src-address=
192.168.2.0/24
add action=accept chain=forward comment=
"accept all established forward chain" connection-state=established
add action=accept chain=forward comment="accept all related forward chain”
connection-state=related
add action=accept chain=input comment="Allow LAN DNS TCP" dst-port=53
protocol=tcp src-address=192.168.2.0/24
add action=accept chain=input comment="Allow LAN DNS UDP" dst-port=53
protocol=udp src-address=192.168.2.0/24
# Terminal drops: rules are evaluated top-down, so any accept appended after
# these two never matches.
add action=drop chain=input comment="drop all input chain”
add action=drop chain=forward comment="drop all forward chain”
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=
192.168.2.0/24
add action=accept chain=srcnat dst-address=10.100.0.0/16 src-address=
192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade”
out-interface=pppoe-out1
# Disabled rule; 192.180.0.0/24 looks like a typo for 192.168.0.0/24 and is
# harmless while disabled.
add action=accept chain=srcnat disabled=yes dst-address=192.180.0.0/24
out-interface=ether1-WAN src-address=192.168.2.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add my-id=address:**ELIDED** peer=peer2
add mode-config=request-only my-id=address:**ELIDED** peer=peer3
/ip ipsec policy … **ELIDED**
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes permits SSH sessions with no encryption; set it to no.
# forwarding-enabled=remote allows remote port forwarding through the router's
# SSH service; keep it only if something relies on it.
set allow-none-crypto=yes forwarding-enabled=remote
/snmp
# Traps are configured for v3 but trap-target is 0.0.0.0, so presumably no
# traps are delivered anywhere; src-address is pinned to a single address.
set contact=CENSOL enabled=yes location=CENSOL src-address=114.23.234.120
trap-community=CENSOL trap-interfaces=all trap-target=0.0.0.0
trap-version=3
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=CULT
/system logging
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=103.242.68.69 secondary-ntp=216.239.35.12
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/tool e-mail
# Mail relay credentials live here; an export meant for sharing should be
# taken with hide-sensitive so they are not posted.
set address=smtp.office365.com from=**ELIDED** port=587 start-tls=yes
user=alerts@nfc.co.nz
/tool sniffer
# The sniffer is only configured here, not necessarily running. Note that
# filter-ip-protocol matches the IP protocol number, not a port, so 53 here
# is not DNS; to capture DNS on the bridge use filter-port=53 (with
# filter-ip-protocol=udp). A capture would show whether the router sends replies.
set file-name="c:\\temp\\log.log" filter-interface=bridge-cult
filter-ip-protocol=53
Serious Security Flaw has been detected.
Analysis interrupted.
Thanks for flagging that. I have updated the src on those to our WAN IP.
jaclaz
May 27, 2026, 12:44pm
I think that what rextended meant was
"do not open port 8291 to any WAN (connected to the outside) port unless it is on a (secure) tunnel".