Wireless unable to connect to Internet...

I am having trouble getting at least 3 items to connect to the internet wirelessly on my Mikrotik cloud switch series (CRS109-8G-1S-2HnD-IN). I’m unable to connect my Philips Hue hub, my Google Chromecast and my Nintendo Switch… My cell phone connects to the wireless and is able to browse, but apps like Pandora can’t connect to the Internet… LAN has no issues at all connecting… shrug

For reference, here is my current config:

aug/15/2020 15:19:33 by RouterOS 6.47.1

software id = MFL1-HBQH

model = CRS109-8G-1S-2HnD

serial number = 522D04157625

# RouterOS 6.47.1 export (see the header above). The `\` line-continuation
# markers were lost in the paste: a line that does not start with `add`, `set`
# or `/` continues the command on the line before it.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=“Internet (Xfinity Modem)”
set [ find default-name=ether3 ] comment=“My Computer”
set [ find default-name=ether5 ] comment=“Phillips Hue (Home Automation)”
set [ find default-name=ether7 ] comment=“HyperV host (Web Server)”
/interface list
add name=WAN
add name=LAN
# Default profile: wpa2-psk plus wpa2-eap, with both ciphers pinned to TKIP
# (the deprecated WPA1 cipher). wlan1 below uses security-profile=profile, not
# this one, so the TKIP setting is not what the SSID runs with. Both pre-shared
# keys are printed in clear in this export and have been posted publicly —
# rotate them.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap
group-ciphers=tkip mode=dynamic-keys supplicant-identity=MikroTik
unicast-ciphers=tkip wpa2-pre-shared-key=Painfull1
# `profile` (the one wlan1 uses): wpa2-psk only; no ciphers are set here, so the
# profile defaults apply. management-protection=allowed.
add authentication-types=wpa2-psk eap-methods=“” management-protection=
allowed mode=dynamic-keys name=profile supplicant-identity=“”
wpa2-pre-shared-key=NONESHALLPASS
# 2.4 GHz b/g/n AP, 20/40 MHz width, automatic frequency, country=etsi1. A later
# reply in the thread suggests 20 MHz width and a fixed channel for the clients
# that fail to get online.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce
country=etsi1 disabled=no distance=indoors frequency=auto mode=ap-bridge
multicast-helper=full preamble-mode=long security-profile=profile ssid=
“o==:::::::::::::::::::::::::>” wireless-protocol=802.11 wmm-support=
enabled wps-mode=disabled
/interface wireless nstreme
set wlan1 enable-polling=no
# The pool starts at 10.0.0.1, which is the router's own address below, and it
# also contains the two static leases (.2, .5). Starting the range above the
# router and the reserved addresses avoids relying on conflict handling.
/ip pool
add name=dhcp ranges=10.0.0.1-10.0.0.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
# Every port (wired, sfp1 and wlan1) is in one bridge: the web server host on
# ether7, the Hue hub on ether5 and all wireless clients share a single L2
# segment with no VLAN separation in this export.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp1
# trusted=yes is the bridge-port flag DHCP snooping consults; no dhcp-snooping
# is enabled in this export, so it presumably has no effect here — confirm.
add bridge=bridge1 interface=wlan1 trusted=yes
# With use-ip-firewall=yes, frames bridged between bridge1 ports (wired <->
# wlan1) are also run through /ip firewall filter and NAT, so the forward-chain
# rules and the dstnat rules at the bottom apply to LAN-internal traffic too.
# The later export in the thread removes this setting.
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
# Bound to ether2, which is itself a bridge1 port, while the DHCP server above
# listens on bridge1 — flagged in the replies; the later export uses bridge1.
/ip address
add address=10.0.0.1/24 interface=ether2 network=10.0.0.0
/ip dhcp-client
add disabled=no interface=ether1
# Static leases: .2 is the target of the TCP/80 dstnat rule, .5 of the TCP/3389
# rule (see /ip firewall nat).
/ip dhcp-server lease
add address=10.0.0.2 client-id=1:0:15:5d:0:eb:3 mac-address=00:15:5D:00:EB:03
server=dhcp1
add address=10.0.0.5 client-id=1:8:62:66:2d:8a:96 mac-address=
08:62:66:2D:8A:96 server=dhcp1
# Clients receive both the router and 8.8.8.8 as resolvers; a client that picks
# 8.8.8.8 never sees the static DNS entries below.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1,8.8.8.8 gateway=10.0.0.1 netmask=
24
# allow-remote-requests=yes makes the router a resolver for its clients. The
# two "Anti-DNS Amplification" input rules below drop port 53 from ether1
# before the unrestricted "Accept DNS" rules, which is what keeps this from
# being an open resolver on the WAN — keep them as long as this stays on.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Public hostnames mapped to the internal web server; all three are disabled.
/ip dns static
add address=10.0.0.2 disabled=yes name=www.mymfpc.com type=A
add address=10.0.0.2 disabled=yes name=www.SylviasCraveableCreations.com
type=A
add address=10.0.0.2 disabled=yes name=www.kbdixon.com type=A
# Only `bogons` is populated. The filter rules below also reference
# `CountryIPBlocks` and `support`, which this export does not define: the
# "Country Block" rule matches nothing, and `src-address-list=!support`
# matches every source, so the winbox rule drops all IP-based winbox access
# (only MAC-winbox from the LAN, allowed at the bottom, remains).
# 10.0.0.0/8 must stay disabled here because the LAN is 10.0.0.0/24 and the
# forward chain drops dst-address-list=bogons.
/ip firewall address-list
add address=0.0.0.0/8 comment=“Self-Identification [RFC 3330]” list=bogons
add address=10.0.0.0/8 comment=“Private[RFC 1918] - CLASS A # Check if you nee
d this subnet before enable it” disabled=yes list=bogons
add address=127.0.0.0/8 comment=“Loopback [RFC 3330]” list=bogons
add address=169.254.0.0/16 comment=“Link Local [RFC 3330]” list=bogons
add address=172.16.0.0/12 comment=“Private[RFC 1918] - CLASS B # Check if you
need this subnet before enable it” disabled=yes list=bogons
add address=192.168.0.0/16 comment=“Private[RFC 1918] - CLASS C # Check if you
_need this subnet before enable it” disabled=yes list=bogons
add address=192.0.2.0/24 comment=“Reserved - IANA - TestNet1” list=bogons
add address=192.88.99.0/24 comment=“6to4 Relay Anycast [RFC 3068]” list=
bogons
add address=198.18.0.0/15 comment=“NIDB Testing” list=bogons
add address=198.51.100.0/24 comment=“Reserved - IANA - TestNet2” list=bogons
add address=203.0.113.0/24 comment=“Reserved - IANA - TestNet3” list=bogons
add address=224.0.0.0/4 comment=
“MC, Class D, IANA # Check if you need this subnet before enable it”
disabled=yes list=bogons
# Input chain: the connection-limit, psd and address-list heuristics run before
# the established/related accepts, so every packet of an existing session is
# re-evaluated by them first; the chain ends in an explicit drop. Forward
# chain: input and forward rules are interleaved, there is no final drop, and
# nothing restricts direction, so anything not matched is forwarded (default
# accept) — including the inbound connections created by the dstnat rules.
/ip firewall filter
add action=drop chain=forward comment=“Drop invalid packets”
connection-state=invalid
add action=drop chain=input comment=“Anti-DNS Amplification UDP” dst-port=53
in-interface=ether1 protocol=udp
add action=drop chain=input comment=“Anti-DNS Amplification TCP” dst-port=53
in-interface=ether1 protocol=tcp
add action=drop chain=input comment=“Country Block” src-address-list=
CountryIPBlocks
add action=add-src-to-address-list address-list=Syn_Flooder
address-list-timeout=30m chain=input comment=
“Add Syn Flood IP to the list” connection-limit=30,32 protocol=tcp
tcp-flags=syn
add action=drop chain=input comment=“Drop to syn flood list”
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner
address-list-timeout=1w chain=input comment=“Port Scanner Detect”
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=“Drop to port scan list”
src-address-list=Port_Scanner
add action=jump chain=input comment=“Jump for icmp input flow” jump-target=
ICMP protocol=icmp
# `!support` with an undefined `support` list matches everything: all winbox
# over IP is dropped by this rule.
add action=drop chain=input comment=
“Block all access to the winbox - except to support list” dst-port=8291
protocol=tcp src-address-list=!support
add action=jump chain=forward comment=“Jump for icmp forward flow”
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment=“Drop to bogon list” dst-address-list=
bogons
add action=add-src-to-address-list address-list=spammers
address-list-timeout=3h chain=forward comment=
“Add Spammers to the list for 3 hours” connection-limit=30,32 dst-port=
25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment=“Avoid spammers action” dst-port=25,587
protocol=tcp src-address-list=spammers
# These two accept port 53 from any interface; only the ether1 drops above
# keep the WAN out.
add action=accept chain=input comment=“Accept DNS - UDP” port=53 protocol=udp
add action=accept chain=input comment=“Accept DNS - TCP” port=53 protocol=tcp
add action=accept chain=input comment=“Accept to established connections”
connection-state=established
add action=accept chain=input comment=“Accept to related connections”
connection-state=related
# Matches nothing while the `support` list is undefined.
add action=accept chain=input comment=“Full access to SUPPORT address list”
src-address-list=support
add action=drop chain=input comment="Drop anything else! "
add action=accept chain=ICMP comment=
“Echo request - Avoiding Ping Flood, adjust the limit as needed”
icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment=“Echo reply” icmp-options=0:0 protocol=
icmp
add action=accept chain=ICMP comment=“Time Exceeded” icmp-options=11:0
protocol=icmp
add action=accept chain=ICMP comment=“Destination unreachable” icmp-options=
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment=“Drop to the other ICMPs” protocol=icmp
add action=jump chain=output comment=“Jump for icmp output” jump-target=ICMP
protocol=icmp
# Both dst-nat rules match on dst-port only — no in-interface-list, no
# dst-address. In the dstnat chain that also catches the LAN clients' own
# outbound connections: every TCP/80 session from a LAN host to an Internet
# address is rewritten to 10.0.0.2:80, and every outbound TCP/3389 to 10.0.0.5.
# Plain-HTTP connectivity checks then fail while HTTPS works, which fits the
# symptom described in the thread (likely cause — confirm by testing plain
# HTTP from a LAN host). Restrict both rules to inbound WAN traffic, e.g. add
# `in-interface-list=WAN` to each. Separately, forwarding TCP/3389 (RDP) to
# 10.0.0.5 exposes it to the whole Internet; prefer a VPN or at least a
# src-address-list restriction on that rule.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=
10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=
10.0.0.5 to-ports=3389
# Connection-tracking helpers disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set sctp disabled=yes
# telnet/ftp/ssh/api/api-ssl are disabled; www and winbox are not listed, so
# they keep their defaults. Consider `address=10.0.0.0/24` on the services left
# enabled so they only answer on the LAN.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# UPnP enabled: any LAN client can create its own inbound port forwards on
# ether1, and allow-disable-external-interface=yes lets a client take the
# external interface down. Disable unless a LAN application needs it.
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes
touch-screen=disabled
/lcd interface pages
set 0 interfaces=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp1
/system clock
set time-zone-name=America/New_York
# MAC-level management (mac-telnet, mac-winbox) limited to the LAN list; with
# the winbox input rule above this is the only winbox path left.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I also have a hAPac2 that seems to have the same issues… It HAS to be in the config somewhere but I can’t seem to nail it down… Any help is appreciated!!

Thanks,
Keith

# Quoted from the export above. The DHCP server there is bound to bridge1 and
# ether2 is itself a bridge1 port, so the address belongs on bridge1 (the
# poster's later export has interface=bridge1).
/ip address
add address=10.0.0.1/24 interface=ether2 network=10.0.0.0

I think the interface should be bridge1, not ether2

Thanks for the quick response… I’m not sure why it says ether2 in the exported config… it’s actually on bridge1 where it should be (if I’m not mistaken).

The wired computers work just fine, it’s some of the wireless connections that’s giving me troubles…

I dont usually see this…
# Quoted from the export above. With this set, frames bridged between bridge1
# ports (wired <-> wlan1) are also run through /ip firewall filter and NAT, so
# every forward-chain and dstnat rule applies to LAN-internal traffic as well.
/interface bridge settings
set use-ip-firewall=yes

Unless you are very adept at bridge settings, you don't normally use the firewall on the bridge settings.
Most people just use the firewall settings in the NORMAL filter rules.

# Quoted from the export above: the address is on ether2 while ether2 is a
# bridge1 port and the DHCP server listens on bridge1 — see the comment below.
/ip address
add address=10.0.0.1/24 interface=ether2 network=10.0.0.0

As pointed out, this makes no sense at all.
You have associated DHCP with your bridge AND
you have added ether2 to the bridge under bridge ports… so how does the above setting work for you??? It should clearly be the bridge!!

Your firewall rule order is messy.
For ease of configuring it yourself, and for the sake of us looking at your config, it's best to put all the input chain rules first, then all the forward chain rules.
You can see the result below; quite quickly I can see that you are missing key forward chain elements and that you have been sucked into the void of far too many useless firewall rules.
By the way, there is no need to tell anybody what winbox port you are using… I don't put it in firewall rules and I never show it in any configs… I always change it from the default.

# The poster's filter rules regrouped by chain (input, then forward, then the
# ICMP jump target). The relative order inside each chain is unchanged from
# the export above, so this is a readability edit only; the same gaps remain.
/ip firewall filter
add action=drop chain=input comment="Anti-DNS Amplification UDP" dst-port=53 \
in-interface=ether1 protocol=udp
add action=drop chain=input comment="Anti-DNS Amplification TCP" dst-port=53 \
in-interface=ether1 protocol=tcp
# `CountryIPBlocks` is not defined in the poster's address lists: matches nothing.
add action=drop chain=input comment="Country Block" src-address-list=\
CountryIPBlocks
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
# `!support` matches every source while the `support` list is undefined, so
# this drops all IP-based winbox access.
add action=drop chain=input comment=\
"Block all access to the winbox - except to support list" dst-port=8291 \
protocol=tcp src-address-list=!support
# The established/related accepts come after the connection-limit/psd rules
# above, so packets of existing sessions are re-evaluated by them first.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=drop chain=input comment="Drop anything else! "


# Forward chain: no established/related accept, no LAN->WAN rule and no final
# drop, so anything not matched here is forwarded (default accept).
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers

# ICMP chain shared by the input/forward/output jumps.
add action=accept chain=ICMP comment=\
"Echo request - Avoiding Ping Flood, adjust the limit as needed" \
icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp

Here are the basics of what you need; the missing rules have been added and the garbage fluff removed…
..

# Suggested minimal rule set as written in the reply. Some lines are
# annotations rather than config and need editing before they are pasted.
/ip firewall filter
add action=accept chain=input comment=“Accept to established connections”
connection-state=established
add action=accept chain=input comment=“Accept to related connections”
connection-state=related
add action=drop chain=input comment=“Drop invalid packets”
connection-state=invalid
# Admin-access rule: in-interface-list=LAN plus src-address-list=support limits
# router management to the listed LAN hosts. Until `support` has entries the
# rule matches nothing, and LAN hosts reach only DNS and ICMP below.
add action=accept chain=input in-interface-list=LAN comment=
"Allow admin access to the ROUTER
src-address-list=support ***** You will first need to make a firewall address list of the IPs you wish to be able to access the router ( for winbox or anything else).
(I see you have this listed as
(add action=accept chain=input comment=“Full access to SUPPORT address list” )
(src-address-list=support)

# Interface-list names must match `/interface list` exactly; the poster's
# lists are `LAN` and `WAN`, so `lan`/`wan` here need the same spelling.
add action=accept chain=input comment=“Accept DNS - UDP” port=53 protocol=udp in-interface-list=lan
add action=accept chain=input comment=“Accept DNS - TCP” port=53 protocol=tcp in-interface-list=lan
************* only time you give LAN access to the router is for common services such as dns********
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=drop chain=input comment="Drop anything else! "

# Later packets of a fasttracked connection bypass the remaining filter rules.
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, " connection-state=
established,related
add action=drop chain=forward comment=“Drop invalid packets”
connection-state=invalid
# `chain=forward` is missing here (the poster's applied export adds it). Note
# also that the final drop below discards new inbound connections created by
# the poster's dstnat rules (80 -> 10.0.0.2, 3389 -> 10.0.0.5); if those
# forwards are wanted, accept `connection-nat-state=dstnat connection-state=new
# in-interface-list=WAN` before the drop.
add action=accept in-interface-list=lan out-interface-list=wan (gives your lan access to the internet)
add action=drop chain=forward comment=“Drop all else”

I appreciate the candid response… I wiped out the firewall rules and applied the basics you provided.

When I get home, I’ll test the wireless items I was having issues with…

Got home and checked… all 3 items are still unable to connect to the Internet via wireless… My cellphone connects just fine but my Nintendo Switch, Google Chromecast and Phillips Hue are unable to connect to the Internet via wireless…

Here is the latest config I have running:

aug/17/2020 17:35:25 by RouterOS 6.47.1

software id = MFL1-HBQH

model = CRS109-8G-1S-2HnD

serial number = 522D04157625

# Second RouterOS 6.47.1 export, after applying the suggested rule set. As in
# the first export, the `\` continuation markers were lost in the paste.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=“Internet (Xfinity Modem)”
set [ find default-name=ether3 ] comment=“My Computer”
set [ find default-name=ether5 ] comment=“Phillips Hue (Home Automation)”
set [ find default-name=ether7 ] comment=“HyperV host (Web Server)”
/interface list
add name=WAN
add name=LAN
# Pre-shared keys are masked in this export. The default profile still pins
# both ciphers to TKIP and keeps wpa2-eap; wlan1 uses `profile`, which sets no
# ciphers. A later reply suggests wpa2-psk only with aes-ccm for both.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap
group-ciphers=tkip mode=dynamic-keys supplicant-identity=MikroTik
unicast-ciphers=tkip wpa2-pre-shared-key=********
add authentication-types=wpa2-psk eap-methods=“” management-protection=
allowed mode=dynamic-keys name=profile supplicant-identity=“”
wpa2-pre-shared-key=********
# Same radio settings as before except that country=etsi1 is no longer set
# here; width is still 20/40 MHz with automatic frequency.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce
disabled=no distance=indoors frequency=auto mode=ap-bridge
multicast-helper=full preamble-mode=long security-profile=profile ssid=
“o==:::::::::::::::::::::::::>” wireless-protocol=802.11 wmm-support=
enabled wps-mode=disabled
/interface wireless nstreme
set wlan1 enable-polling=no
# Pool shrunk to .1-.125; it still starts at the router's own address and
# contains the two static leases (.2, .5).
/ip pool
add name=dhcp ranges=10.0.0.1-10.0.0.125
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
# All ports remain in one bridge (no VLAN separation); the trusted=yes flag on
# wlan1 and the use-ip-firewall bridge setting from the first export are gone,
# so bridged LAN-to-LAN traffic no longer passes through /ip firewall.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
# Now bound to bridge1, as the replies suggested.
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.0.2 client-id=1:0:15:5d:0:eb:3 mac-address=00:15:5D:00:EB:03
server=dhcp1
add address=10.0.0.5 client-id=1:8:62:66:2d:8a:96 mac-address=
08:62:66:2D:8A:96 server=dhcp1
# Clients get both the router and 8.8.8.8 as resolvers; a client that queries
# 8.8.8.8 bypasses the static entries below, which are now enabled.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1,8.8.8.8 gateway=10.0.0.1 netmask=
24
# allow-remote-requests=yes: the input chain below admits only LAN, ICMP and
# established/related traffic, so the resolver is not reachable from the WAN.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.0.0.2 name=www.mymfpc.com type=A
add address=10.0.0.2 name=www.SylviasCraveableCreations.com type=A
add address=10.0.0.2 name=www.kbdixon.com type=A
# Empty: the `CountryIPBlocks` list used by the first filter rule is undefined,
# so that rule matches nothing.
/ip firewall address-list
/ip firewall filter
add action=drop chain=input comment=“Country Block” src-address-list=
CountryIPBlocks
add action=accept chain=input comment=“Accept to established connections”
connection-state=established
add action=accept chain=input comment=“Accept to related connections”
connection-state=related
add action=drop chain=input comment=“Drop invalid packets” connection-state=
invalid
# Accepts every LAN host to every router service (winbox, www, DNS ...); the
# src-address-list=support restriction from the suggested template was not
# kept. Any compromised device on the bridge can reach management this way;
# consider restoring the list or `/ip service ... address=` limits.
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=drop chain=input comment="Drop anything else! "
# Later packets of a fasttracked connection bypass the remaining filter rules.
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, " connection-state=
established,related
add action=drop chain=forward comment=“Drop invalid packets”
connection-state=invalid
# Only LAN -> WAN is allowed for new connections; `Drop all else` then also
# drops the new inbound connections created by the dstnat rules below (80 ->
# 10.0.0.2, 3389 -> 10.0.0.5). If those forwards are wanted, accept
# `connection-nat-state=dstnat connection-state=new in-interface-list=WAN`
# before the drop.
add action=accept chain=forward comment=
“gives your lan access to the internet” in-interface-list=LAN
out-interface-list=WAN
add action=drop chain=forward comment=“Drop all else”
# Both dst-nat rules still match on dst-port only — no in-interface-list, no
# dst-address — so they also rewrite the LAN clients' own outbound TCP/80 and
# TCP/3389 connections to 10.0.0.2 / 10.0.0.5. With the forward chain above
# such a rewritten session leaves on bridge1, is not matched by the LAN -> WAN
# accept and hits `Drop all else`: plain HTTP from the LAN to the Internet is
# dropped while HTTPS works, which fits the symptom in the thread (likely
# cause — confirm by testing plain HTTP from a LAN host). Add
# `in-interface-list=WAN` to both rules. Forwarding TCP/3389 (RDP) to 10.0.0.5
# exposes it to the Internet once the forward chain allows it; prefer a VPN or
# a src-address-list restriction.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=
10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=
10.0.0.5 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set sctp disabled=yes
# www and winbox are not listed, so they keep their defaults and are reachable
# from any LAN host via the input accept above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# UPnP still enabled: any LAN client can create inbound port forwards on
# ether1, and allow-disable-external-interface=yes lets a client take the
# external interface down. Disable unless a LAN application needs it.
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes
touch-screen=disabled
/lcd interface pages
set 0 interfaces=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp1
/system clock
set time-zone-name=America/New_York
# MAC-level management (mac-telnet, mac-winbox) limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Nothing I saw stands out at the moment?

I would disable wpa2-eap, change the group and unicast ciphers to aes-ccm, and set the channel width to 20 MHz only. You might also want to specify a channel instead of auto.

Well, unfortunately it’s still an issue… I know Mikrotik are rock solid (I have the same one at my house running for years without any issues) but, in this case I’m just going to hang it up for now and get a regular wireless router and be done with it.

I’ve been fighting with this for far too long already (before posting here) so for now, I’ll hang it up. I’ll be back later to try again…

Thanks everyone for the help!! I learned quite a bit which is a win in my book!!

So do I understand that the phone works great on the same wireless network but a Nintendo Switch does not?
I would move away from using internal DNS unless you need it. I would give the clients “real” DNS servers instead, so give them 8.8.8.8 or 1.1.1.1 as the primary DNS server and see if this helps.
You can also try setting logging to debug and see if you have any issues. If you manage to connect to the network but have other wireless issues, this should show up in the logs.