Hello everyone,
This is my first time configuring my home network with MikroTik devices.
Recently I asked my ISP to switch their router to bridged mode, then I connected my MikroTik devices like in the drawing here (sorry if it’s ugly).
Before I start I’ll upload my topology and configuration on both MikroTik hEX S and wireless router.

This is MikroTik hEX S configuration:
# jun/08/2023 15:59:22 by RouterOS 7.9.2
# software id = TTK9-13PL
#
# model = RB760iGS
# Export of the hEX S. ether1 is the uplink (it carries the DHCP client and
# the masquerade rules later in this export); ether2 and ether3 face the LAN.
/interface ethernet
# NOTE(review): mtu=1400 is below the Ethernet default of 1500, and this
# export has no /ip firewall mangle section that would clamp TCP MSS to
# match. Confirm the value the ISP link actually needs; a mismatch is a
# plausible cause of pages that load without their images.
set [ find default-name=ether1 ] mtu=1400 name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN-WiFi
set [ find default-name=ether3 ] name=ether3-LAN-PC
# Unused ports are administratively disabled.
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN
set [ find default-name=sfp1 ] disabled=yes
/interface list
# The WAN and LAN lists are created here, but the firewall and NAT rules in
# this export match individual interface names rather than these lists.
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Address pools. Only dhcp_pool4 is referenced by the DHCP server below.
# dhcp_pool1 and dhcp_pool3 are identical, and both overlap dhcp_pool4 at
# 172.20.10.50; dhcp_pool2 belongs to the 172.25.15.0/24 range that the AP
# serves. NOTE(review): the unused pools look like leftovers from earlier
# setup attempts; removing them makes the export easier to audit.
add name=dhcp ranges=172.20.10.20
add name=dhcp_pool1 ranges=172.20.10.20-172.20.10.50
add name=dhcp_pool2 ranges=172.25.15.20-172.25.15.50
add name=dhcp_pool3 ranges=172.20.10.20-172.20.10.50
add name=dhcp_pool4 ranges=172.20.10.50-172.20.10.100
/ip dhcp-server
# DHCP is served on ether3-LAN-PC only; nothing in this export serves leases
# on ether2-LAN-WiFi.
add address-pool=dhcp_pool4 interface=ether3-LAN-PC lease-time=1d name=dhcp1
/port
set 0 name=serial0
/queue type
# Four pfifo queue types are declared; no queue tree or simple queue in this
# export refers to them.
add kind=pfifo name=global
add kind=pfifo name="Web Browsing"
add kind=pfifo name="Video Streaming"
add kind=pfifo name=Gaming
/routing bgp template
# NOTE(review): the BGP template and the OSPF instance below are marked
# disabled=no, while the only OSPF area is disabled and no BGP connection is
# shown. Presumably nothing here speaks a routing protocol; confirm, since a
# home router has no reason to run one towards the ISP.
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
# "*7" is how an export prints a reference to an object that no longer
# exists, and no /interface bridge section appears in this export, so both
# ports point at a bridge that has been removed.
# NOTE(review): presumably ether2 and ether3 are therefore two separate routed
# ports rather than one switched LAN; confirm on the device.
add bridge=*7 ingress-filtering=no interface=ether2-LAN-WiFi
add bridge=*7 ingress-filtering=no interface=ether3-LAN-PC
/ip neighbor discovery-settings
# NOTE(review): "all" includes ether1-WAN, so the router announces itself
# (neighbor discovery) towards the ISP side as well. The input drop rule in
# the firewall only filters what comes in, not these outgoing announcements.
# Restricting discovery to the LAN interface list is the usual hardening.
set discover-interface-list=all
/ipv6 settings
# IPv6 is switched off; the export contains no /ipv6 firewall section, so
# this setting is what keeps IPv6 from being an unfiltered path.
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1-WAN list=WAN
add interface=ether2-LAN-WiFi list=LAN
add interface=ether3-LAN-PC list=LAN
add interface=ether4-LAN list=LAN
add interface=ether5-LAN list=LAN
# NOTE(review): this member has no interface; it looks like a leftover entry
# whose interface was removed. Confirm and delete it.
add list=LAN
/interface ovpn-server server
# The OpenVPN server is not shown as enabled in this export.
# NOTE(review): if it is ever enabled, drop md5 from the accepted auth
# digests before exposing it.
set auth=sha1,md5
/ip address
# Both LAN ports carry an address from the same 172.20.10.0/24 network. With
# the ports not bridged, the router holds two connected routes for one subnet
# and can answer out of the other port than the one a host is attached to.
# NOTE(review): likely related to the PC being unable to ping 172.20.10.1;
# confirm by giving each port its own subnet or by bridging the two ports.
add address=172.20.10.1/24 interface=ether3-LAN-PC network=172.20.10.0
add address=172.20.10.2/24 interface=ether2-LAN-WiFi network=172.20.10.0
/ip dhcp-client
# The WAN address, default route and (by default) DNS come from the ISP.
add interface=ether1-WAN
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server lease
# Static lease. NOTE(review): a MAC address identifies one specific device;
# consider masking it (and the software id in the header) when sharing an
# export publicly.
add address=172.20.10.30 mac-address=A8:A1:59:09:DC:94
/ip dhcp-server network
# Clients are handed external resolvers directly, so they do not depend on
# the router's own DNS service.
add address=172.20.10.0/24 dns-server=83.139.121.8,8.8.8.8 gateway=172.20.10.1
/ip dns
# allow-remote-requests is not set here, so the router is presumably not
# answering DNS queries from other hosts.
set servers=83.139.121.8,83.139.103.3
/ip firewall filter
# Rules are evaluated top to bottom within each chain, and a packet that
# matches no rule is accepted. Only the input chain ends in a drop, so the
# forward and output rules below do not restrict anything.
# NOTE(review): because forward has no final drop, new connections arriving
# on ether1-WAN are forwarded whenever a route or a NAT mapping exists (UPnP,
# enabled later in this export, can create such mappings). The usual baseline
# adds a drop for connection-state=invalid and a drop for new WAN-side
# connections that were not dst-natted. There is also no invalid-state drop
# on input.
add action=accept chain=forward comment="Allow established/related connections" connection-state=established,related
add action=accept chain=output comment="Allow established/related connections" connection-state=established,related
add action=accept chain=input comment="Allow established/related connections" connection-state=established,related
add action=accept chain=forward comment="Allow LAN to WAN" in-interface=ether3-LAN-PC out-interface=ether1-WAN
add action=accept chain=forward comment="Allow WLAN to WAN" in-interface=ether2-LAN-WiFi out-interface=ether1-WAN
# ICMP to the router is accepted on every interface, WAN included.
add action=accept chain=input comment="Allow ICMP (ping) traffic" protocol=icmp
add action=accept chain=output comment="Allow ICMP (ping) traffic" protocol=icmp
# NOTE(review): this accepts UDP/53 to the router from every interface, WAN
# included. It is harmless only while the router's DNS service does not
# answer remote requests; scoping the rule with in-interface-list=LAN keeps
# it from turning the router into an open resolver if that setting changes.
add action=accept chain=input comment="Allow DNS queries" dst-port=53 protocol=udp
# Despite the comment, dst-port=53 on output matches queries the router
# sends, not responses.
add action=accept chain=output comment="Allow DNS responses" dst-port=53 protocol=udp
add action=accept chain=input comment="Allow DHCP client requests" dst-port=67-68 protocol=udp src-port=67-68
add action=accept chain=output comment="Allow DHCP client requests" dst-port=67-68 protocol=udp src-port=67-68
# Final input drop with no interface qualifier: it also drops new connections
# from the LAN to the router. No rule above accepts WinBox, so
# NOTE(review): confirm how the router is meant to be administered and add a
# LAN-only accept for that service ahead of this rule.
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
# Source NAT for both internal ranges when leaving through ether1-WAN. The
# second rule covers the AP's 172.25.15.0/24 clients, which reach this router
# through the static route later in this export.
add action=masquerade chain=srcnat comment="LAN -> WAN" out-interface=ether1-WAN src-address=172.20.10.0/24
add action=masquerade chain=srcnat comment="WLAN -> WAN" out-interface=ether1-WAN src-address=172.25.15.0/24
/ip firewall service-port
# Every protocol helper is disabled, which removes their packet parsing from
# the exposed path. NOTE(review): applications that depend on one of them
# (for example active-mode FTP or SIP through NAT) will not work; confirm
# none are needed.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Return path to the AP's wireless subnet via the AP's wired address.
add disabled=no dst-address=172.25.15.0/24 gateway=172.20.10.3
/ip service
# Management services switched off. winbox is not listed, and an export omits
# unchanged defaults, so it is presumably still enabled.
# NOTE(review): limit it with the service's address= setting to the LAN
# range (172.20.10.0/24) so it never answers on the WAN side.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# NOTE(review): UPnP lets any LAN host request inbound port mappings without
# authentication, and the forward chain in this export has no drop rule to
# limit what those mappings admit. No /ip upnp interfaces entries are shown,
# so it is unclear whether it is functional; disable it unless a specific
# application needs it.
set enabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Loading...
/system note
set show-at-login=no
This is my AP configuration:
# jun/08/2023 15:59:04 by RouterOS 7.9.2
# software id = SDEF-5JXN
#
# model = RB941-2nD
# Export of the access point. It routes (not bridges) between its wired
# uplink on ether2 and the wireless interface, each with its own subnet.
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface ethernet
# Only ether2 is in use; the other wired ports are disabled.
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] name="ether2 - WAN-WiFi"
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
/interface wireless
# NOTE(review): wps-mode=push-button-5s leaves WPS enrolment available to
# anyone who can press the button on the device; set wps-mode=disabled if WPS
# is not used. No security-profile is named on this interface, so the default
# profile configured below applies.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=croatia disabled=no frequency=auto installation=indoor mode=ap-bridge name=WLAN radio-name=BabaRoga ssid=BabaRoga wireless-protocol=\
802.11 wps-mode=push-button-5s
/interface wireless security-profiles
# WPA2-PSK only. The passphrase does not appear in this export.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
# Only dhcp_pool4 is referenced by the DHCP server below. dhcp_pool0 repeats
# its range, dhcp_pool1 and dhcp_pool2 are identical to each other, and
# dhcp_pool3 falls inside the hEX S LAN range.
# NOTE(review): the unused pools look like leftovers; removing them makes the
# export easier to audit.
add name=dhcp_pool0 ranges=172.25.15.20-172.25.15.50
add name=dhcp_pool1 ranges=172.25.16.20-172.25.16.50
add name=dhcp_pool2 ranges=172.25.16.20-172.25.16.50
add name=dhcp_pool3 ranges=172.20.10.51-172.20.10.100
add name=dhcp_pool4 ranges=172.25.15.20-172.25.15.50
/ip dhcp-server
# Wireless clients get their leases from this device, not from the hEX S.
add address-pool=dhcp_pool4 interface=WLAN lease-time=1d name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off on this device as well.
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
# The OpenVPN server is not shown as enabled in this export.
# NOTE(review): if it is ever enabled, drop md5 from the accepted auth
# digests first.
set auth=sha1,md5
/ip address
# Wired side sits in the hEX S LAN range; the wireless side is its own /24.
add address=172.20.10.3/24 interface="ether2 - WAN-WiFi" network=172.20.10.0
add address=172.25.15.1/24 interface=WLAN network=172.25.15.0
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
# Wireless clients are handed public resolvers directly.
add address=172.25.15.0/24 dns-server=1.1.1.1,8.8.4.4,8.8.8.8 gateway=172.25.15.1
/ip dns
set servers=1.1.1.1,8.8.4.4,8.8.8.8
/ip firewall service-port
# This is the only firewall menu in the AP export: there is no
# /ip firewall filter or nat section, so the AP accepts and forwards all
# traffic between the wireless subnet and the wired segment.
# NOTE(review): wireless clients can therefore reach the AP's own management
# services and every host on 172.20.10.0/24. If the Wi-Fi is shared with
# guests, add at least an input chain that limits management access.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Default route towards the hEX S address on its ether2-LAN-WiFi port.
add disabled=no dst-address=0.0.0.0/0 gateway=172.20.10.2
/ip service
# Management services switched off. winbox is not listed, and an export omits
# unchanged defaults, so it is presumably still enabled and reachable from
# the wireless side. NOTE(review): restrict it with the service's address=
# setting to the subnet used for administration.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=RouterOS
/system note
set show-at-login=no
This is the list of things that sometimes work and sometimes not:
From PC:
- can open Twitch, YouTube, Reddit and similar “big” sites, but after some time I can’t access those sites either (connection timed out)
- can open Steam, Battle.net and Microsoft Teams but half of the things in these programs don’t even load, mostly pictures. Steam is connecting all the time and Battle.net needs 5 minutes to connect.
- can’t ping 8.8.8.8 or 8.8.4.4 but I can ping 1.1.1.1, also can’t ping second ISP DNS server
- heX S router can ping every public IP (both ISP DNS servers)
- some websites will open but parts with pictures won’t (says connection timed out where pictures would be)
- very slow download speeds, max 5 MB/s but should be around 25MB/s (not Mb)
- can’t ping MikroTik gateway 172.20.10.1
- websites that were working normally won’t load an hour later after rebooting MikroTik
From phone connected to AP:
- YouTube is extremely slow (sometimes will not even load)
- Can access sites but not links pointing to those sites
- can download apps from Google Play
- same problems as PC
- I can also ping 8.8.8.8 from WinBox connected to MikroTik AP but not from phone
This is very urgent for me because I can’t work on my projects and I don’t have anyone else to help me. Reverting the ISP router to router mode will not be done until Monday because of a national holiday.