When testing from outside my network, HTTPS://sonarr.jerseyknoll.com resolves fine. From within my network, the connection times out and I have to connect via IP address. This creates a problem on mobile devices while at home when using services like Nextcloud and Bitwarden. I'm going to repost my current info from both routers and the CAP because I made a few changes while trying to get the CAP set up correctly (which I'm also still having trouble with: mobile devices are working fine, but wireless Windows clients can connect to the CAP but don't get internet access). Thanks for the help. I really want to understand how this all works so that I can fix issues on my own and maybe be able to help others later too.
From the RB3011
[admin@Mikrotik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf
address=192.168.88.1/24 network=192.168.88.0 interface=bridge actual-interface=bridge
1 D address=207.119.172.190/32 network=207.119.172.1 interface=pppoe-out1
actual-interface=pppoe-out1
[admin@Mikrotik] >
Export RB3011
[admin@Mikrotik] > /export hide-sensitive
# RB3011 export, part 1: interfaces, DHCP, CAPsMAN, DNS.
# This is the edge router: PPPoE WAN on ether1, LAN bridge at 192.168.88.1/24.
# NOTE(review): "hide-sensitive" still prints the software id, serial number and
# MAC addresses shown below; redact them by hand before posting an export publicly.
# aug/14/2019 10:34:14 by RouterOS 6.45.3
# software id = W44L-WQN2
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A0F8170
/interface bridge
add admin-mac=74:4D:28:30:C7:24 auto-mac=no comment=defconf name=bridge
# PPPoE client on ether1 is the WAN link and installs the default route.
# The password is omitted by hide-sensitive; the user= value is not.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 service-name=\
centurylink user=CTL
# WAN/LAN lists; the firewall drop rules further down match on these lists.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# CAPsMAN is enabled, but this export contains no /caps-man configuration or
# provisioning entries, and the CAP AC export has no "/interface wireless cap"
# section, so the CAP does not appear to be managed from here - confirm.
/caps-man manager
set enabled=yes
# NOTE(review): ether10 is also a bridge port (see /interface bridge port below);
# traffic from a bridged port normally shows up on the bridge interface, so this
# entry may never match - confirm.
/caps-man manager interface
add disabled=no interface=ether10
# The Dude server is running on the router: one more management service to keep
# patched and access-controlled. Disable it if it is not in use.
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
# Neighbor discovery is limited to the LAN list, so it is not announced on the WAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): Detect Internet runs on every interface here; it is commonly set
# to none unless the feature is actually needed - confirm.
/interface detect-internet
set detect-interface-list=all
# Both ether1 and pppoe-out1 are in WAN, so the "not coming from LAN" and
# "from WAN not DSTNATed" drop rules cover the PPPoE session as well.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip accounting
set enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
# Leftover defconf DHCP client on ether1. Unlike the DHCP clients in the other two
# exports it has no disabled=no, so it is presumably disabled - confirm.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
# Static leases. The dst-nat rules forward to 192.168.88.245, so that host needs a
# stable address.
/ip dhcp-server lease
add address=192.168.88.254 mac-address=00:18:61:07:E4:5B server=defconf
add address=192.168.88.250 client-id=1:0:2:c9:52:74:ba mac-address=00:02:C9:52:74:BA server=\
defconf
add address=192.168.88.246 client-id=1:b8:27:eb:72:1b:c9 mac-address=B8:27:EB:72:1B:C9 \
server=defconf
# NOTE(review): 192.168.1.245 is outside 192.168.88.0/24 and no lease exists for
# 192.168.88.245, the dst-nat target. This looks like a typo for 192.168.88.245 -
# confirm; as written the forwarded host is not pinned to the address the NAT
# rules point at.
add address=192.168.1.245 client-id=1:0:2:c9:52:6d:6e mac-address=00:02:C9:52:6D:6E server=\
defconf
add address=192.168.88.243 client-id=1:5c:41:5a:20:27:8f mac-address=5C:41:5A:20:27:8F \
server=defconf
add address=192.168.88.242 client-id=1:cc:f7:35:ad:b6:35 mac-address=CC:F7:35:AD:B6:35 \
server=defconf
add address=192.168.88.240 client-id=1:74:4d:28:c5:ad:eb mac-address=74:4D:28:C5:AD:EB \
server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# allow-remote-requests=yes makes the router answer DNS queries from clients. The
# input-chain rule "drop all not coming from LAN" is what keeps this resolver
# closed to the WAN, so that rule must stay in place. Upstream servers are two
# LAN hosts.
/ip dns
set allow-remote-requests=yes servers=192.168.88.246,192.168.88.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# NOTE(review): the name has a trailing space inside the quotes, so this entry
# presumably never matches upgrade.mikrotik.com. Pinning the update host to a fixed
# address would also misdirect update checks if that address changes - confirm it
# is intended.
add address=52.85.184.245 name="upgrade.mikrotik.com "
# RB3011 export, part 2: firewall filter and NAT. Rules are evaluated top to bottom
# within each chain.
# NOTE(review): this paste was cut at the terminal width. Several lines lost their
# trailing "\" continuation or part of a value (e.g. "connection-st", "to-ports").
# Export to a file before using this text as a reference or restoring from it.
/ip firewall filter
# Explicit accepts for forwarded Plex traffic (tcp and udp 32400 arriving on
# pppoe-out1). They sit ahead of the defconf forward rules, including "drop invalid".
add action=accept chain=forward comment=PLEX dst-port=32400 in-interface=pppoe-out1 protocol=\
tcp
add action=accept chain=forward comment=PLEX dst-port=32400 in-interface=pppoe-out1 protocol=\
udp
# Input chain: traffic addressed to the router itself.
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
# Invalid packets are dropped and logged with the prefix FI_D_port-test.
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log
log-prefix=FI_D_port-test
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)"
dst-address=127.0.0.1
# Final input rule: anything not arriving on a LAN-list interface is dropped. This
# is the only thing keeping WebFig (www-ssl), the DNS resolver and the other router
# services off the WAN; no per-service address restriction is set in this export.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain: traffic routed through the router.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=
out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-st
established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked"
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from the WAN are dropped unless a dst-nat rule matched them, so
# only the explicitly forwarded ports reach the LAN.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Disabled. The drop rule above already lets dst-nat'ed connections through.
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat disabled=yes
/ip firewall nat
# Port forwards for 80 and 443 to 192.168.88.245. The match is "any address local
# to the router except 192.168.88.1", not "arrived on the WAN interface", so LAN
# clients that connect to the public address are translated too, while WebFig on
# 192.168.88.1 stays reachable. The to-ports values are cut off in this paste (the
# second appears to be 1443).
add action=dst-nat chain=dstnat comment=Letsencrypt dst-address=!192.168.88.1 \
dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.245 to-ports
add action=dst-nat chain=dstnat comment=Letsencrypt dst-address=!192.168.88.1 \
dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.245 to-port
1443
# Plex forwards match in-interface=pppoe-out1 only, so they apply to WAN traffic and
# not to LAN clients using the public address.
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.88.245 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=pppoe-out1 protocol=udp \
to-addresses=192.168.88.245 to-ports=32400
# NOTE(review): this looks like the hairpin-NAT rule for LAN clients that reach the
# server through its public name, but it matches dst-address=192.168.88.254 while
# the dst-nat rules above send traffic to 192.168.88.245. As written it apparently
# never matches, so the server would answer LAN clients directly and the
# connection would fail, which is consistent with the timeouts reported from inside
# the network. Confirm which address the server really has.
# NOTE(review): there is no src-address=192.168.88.0/24 match. Once the destination
# is corrected, connections from the WAN would be masqueraded as well and the server
# would log the router's address instead of the real client, which weakens access
# logs and any per-client rate limiting or banning.
add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \
dst-port=180,1443 protocol=tcp
# Standard outbound masquerade for traffic leaving through a WAN-list interface.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
# RB3011 export, part 3: management services, logging, scheduler, tools.
# HTTPS WebFig is switched on. Only this one service line is exported, so the other
# services are presumably still at their defaults - confirm with /ip service print
# and disable what is unused.
# NOTE(review): no address= restriction is set on any service; reachability is
# limited only by the input chain's "drop all not coming from LAN" rule.
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Mikrotik
# NOTE(review): the two topics=!debug entries are identical duplicates.
/system logging
add prefix=MikroTik topics=dhcp
add prefix=MikroTik topics=!debug
add prefix=MikroTik topics=!debug
# Disabled job that would run Data_to_Splunk_using_Syslog every 5 minutes. No
# /system script section appears in this export, so the script body cannot be
# reviewed here. The job carries every policy listed on the next line; trim it to
# what the script needs before enabling.
/system scheduler
add disabled=yes interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=\
aug/11/2019 start-time=16:01:38
# Graph pages are restricted to the single host 192.168.88.250.
/tool graphing interface
add allow-address=192.168.88.250/32
/tool graphing queue
add allow-address=192.168.88.250/32
/tool graphing resource
add allow-address=192.168.88.250/32
# MAC-Telnet and MAC-Winbox are limited to interfaces in the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
From the CRS305
[admin@MikroTik10G] > /export hide-sensitive
# CRS305 export: 10G switch, every port in one bridge, no firewall section.
# NOTE(review): the export timestamp is jan/05/1970 and no NTP client is configured
# in this export, so the clock has evidently never been set. Log timestamps from
# this device cannot be correlated with the other devices.
# NOTE(review): the software id and serial number below are not removed by
# hide-sensitive; redact them before posting publicly.
# jan/05/1970 21:34:18 by RouterOS 6.45.3
# software id = KUUU-7KNA
#
# model = CRS305-1G-4S+
# serial number = AB5C0AB4352D
/interface bridge
add admin-mac=74:4D:28:85:B4:16 auto-mac=no comment=defconf name=bridge
# WAN/LAN lists are defined, but no /ip firewall, neighbor-discovery or mac-server
# setting in this export refers to them, so they restrict nothing here.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
# NOTE(review): 192.168.88.1/24 is also the RB3011's bridge address, i.e. the LAN
# gateway. If this switch sits on the RB3011's LAN, two devices answer for the
# gateway address, which can cause intermittent loss of connectivity for clients.
# The address is also bound to sfp-sfpplus1, a bridge port, rather than to the
# bridge. Presumably a leftover; remove it or use a unique address - confirm.
/ip address
add address=192.168.88.1/24 comment=defconf interface=sfp-sfpplus1 network=192.168.88.0
# The DHCP client on the bridge gives the switch its management address.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dns static
add address=52.85.184.245 disabled=yes name="upgrade.mikrotik.com "
# HTTPS WebFig is enabled and this export has no firewall, so management services
# are reachable from every bridged port. Consider an address= restriction on
# /ip service entries to limit them to the admin workstation or subnet.
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=America/Chicago
/system identity
set name=MikroTik10G
/system routerboard settings
set boot-os=router-os
# defconf "dark-mode" script: toggles all-leds-off between "never" and "immediate".
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
From the CAP AC
[admin@MikroTik] > /export hide-sensitive
# CAP AC export: access point with both radios and both Ethernet ports in one bridge.
# NOTE(review): this device runs RouterOS 6.44.1 while the other two exports show
# 6.45.3. Keeping the CAP and the CAPsMAN router on the same release is the usual
# guidance - confirm and upgrade.
# NOTE(review): the software id and serial number below are not removed by
# hide-sensitive; redact them before posting publicly.
# aug/14/2019 10:41:42 by RouterOS 6.44.1
# software id = 4EN7-XA7R
#
# model = RBcAPGi-5acD2nD
# serial number = B9380AAA7B33
/interface bridge
add admin-mac=74:4D:28:C5:AD:EB auto-mac=no comment=defconf name=bridge
# Both radios are configured locally as ap-bridge with the factory-style SSIDs.
# There is no "/interface wireless cap" section in this export, so the radios are
# presumably running standalone rather than under CAPsMAN on the RB3011 - confirm.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-C5ADED wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-C5ADEE wireless-protocol=802.11
# WAN/LAN lists are defined, but this export has no firewall section that uses them.
/interface list
add name=WAN
add name=LAN
# Default security profile: WPA2-PSK only. Neither wlan line above names a
# security-profile, so both radios presumably use this one. The passphrase is
# omitted by hide-sensitive.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Wireless clients are bridged straight onto ether1/ether2; there is no DHCP server
# or NAT on this device, so clients depend on the upstream router for addressing.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
# Management address comes from DHCP on the bridge. use-peer-dns=no with no /ip dns
# servers in this export presumably leaves the AP itself without a resolver; that
# affects only the device's own lookups, not bridged clients - confirm.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge \
use-peer-dns=no
/ip dns static
add address=52.85.184.245 disabled=yes name=upgrade.mikrotik.com
# HTTPS WebFig is enabled and no firewall is present, so management services are
# reachable from wired and wireless clients alike. Consider an address= restriction
# on /ip service entries.
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=America/Chicago
/system leds
add interface=ether1 leds=user-led type=interface-activity
# The physical mode button runs the dark-mode script defined below.
/system routerboard mode-button
set enabled=yes on-event=dark-mode
# defconf "dark-mode" script: toggles all-leds-off between "never" and "immediate".
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "