What is wrong with my router?

jamajamajaaama · August 15, 2021, 7:34pm

Dear gurus, please help, this is weird.

Recently I purchased an small HAP ac2 router to serve as a home DHCPserver, one of the WIFI and firewall. It is located after the ISP optical modem.

Everything was working fine, pages opening, wife happy, until I noticed that some hosts as subdomains, f.e status.kali.org, secure.gravatar.com, pbs.twimg.com are not resolving. I noticed, because could not update Kali virtual machine, as it could not resolve distribution servers. I was thinking than maybe DNS is what to blame, but no - it is resolving the correct IP addresses.
Traceroute to all of the sites returns " Destination host unreachable."

C:\WINDOWS\system32>tracert status.kali.org
Tracing route to status.kali.org [192.124.249.56]
over a maximum of 30 hops:

  1  pc.name.lv [192.168.100.11]  reports: Destination host unreachable.

Trace complete.

When I connect my PC to the mobile phone hostspot, everything works fine. Sites are resolving and opening.

So please, wise mans/girls help me figure out, where I should start digging?

BartoszP · August 15, 2021, 7:48pm

Have you set the admin password?
If not, netinstall the router, set the password and then configure it from scratch.

anav · August 15, 2021, 8:03pm

Remember these wise words!
To ERR is not Mikrotik, or something to that effect

Another wise sage once stated,

MT forum helpers do not have a crystal ball so please
/export hide-sensitive file=anynameyouwish

jamajamajaaama · August 16, 2021, 6:00am

There is my cnfig rsc

aug/16/2021 08:56:43 by RouterOS 6.48.3

software id = 9IQJ-750S

model = RBD52G-5HacD2HnD

serial number = C6140E51A3A1

/interface bridge
add admin-mac=2C:C8:1B:8F:59:DA auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
country=latvia disabled=no distance=indoors frequency=auto installation=
indoor mode=ap-bridge ssid=wireless-gar4g wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX country=latvia disabled=no distance=indoors frequency=
auto installation=indoor mode=ap-bridge ssid=wireless-gar
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.5-192.168.100.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/8 comment=defconf interface=bridge network=192.0.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add comment=defconf dns-server=1.1.1.1,8.8.8.8 gateway=192.168.0.1
add address=192.0.0.0/8 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.0.1
netmask=8
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Riga
/system leds
add interface=ether1 leds=user-led type=interface-activity
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

rextended · August 16, 2021, 7:14am

Why you set /8 on your IPs?
Do not mix 10.0.0.0/8 concept with 192.168.0.0/16.
192.168.0.0/8 = IP range from 192.0.0.0 to 192.255.255.255
Only 192.168.x.x are private addresses, the others are all pubblic IPs used on Internet!!!
if you want use all 192.168.x.x space, from 192.168.0.0 to 192.168.255.255 you must use a /16

paste this inside terminal without omit { } !!!

{
/interface bridge set bridge protocol=none
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk
/interface detect-internet set detect-interface-list=none
/ip address set [find where address="192.168.0.1/8"] address=192.168.0.1/16
/ip dhcp-server network
remove [find]
add address=192.168.0.0/16 comment=defconf dns-server=1.1.1.1,8.8.8.8 gateway=192.168.0.1 netmask=16
}

jamajamajaaama · August 16, 2021, 7:43am

Thank you!
It worked out, but still it is unclear for me, why this was related only for some subdomains, not all of them.

Why you set /8 on your IPs?
Do not mix 10.0.0.0/8 concept with 192.168.0.0/16.
192.168.0.0/8 = IP range from 192.0.0.0 to 192.255.255.255
Only 192.168.x.x are private addresses, the others are all pubblic IPs used on Internet!!!
if you want use all 192.168.x.x space, from 192.168.0.0 to 192.168.255.255 you must use a /16

paste this inside terminal without omit { } !!!
{
/interface bridge set bridge protocol=none
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk
/interface detect-internet set detect-interface-list=none
/ip address set [find where address="192.168.0.1/8"] address=192.168.0.1/16
/ip dhcp-server network
remove [find]
add address=192.168.0.0/16 comment=defconf dns-server=1.1.1.1,8.8.8.8 gateway=192.168.0.1 netmask=16
}

rextended · August 16, 2021, 7:50am

The subdomain can have a different IP than the main domain.
If any subdomain has, for example, 192.78.44.15 it is unreachable because you tell your router that the domain is within your network rather than on the internet.

AND

All this DNS Root Servers are all inside 192.0.0.0/8 range, and on your configuration aren’t reachables:
c.root-servers.net 192.33.4.12
e.root-servers.net 192.203.230.10
f.root-servers.net 192.5.5.241
g.root-servers.net 192.112.36.4
i.root-servers.net 192.36.148.17
j.root-servers.net 192.58.128.30

jamajamajaaama · August 16, 2021, 7:55am

Ok, thank you very much for solving my mistery!