I'm not sure I've seen a straight answer to this, but I'm trying to find out whether "Detect Internet" actually does anything that influences the router's behaviour. The only effect that I think I've seen is on the Mikrotik mobile app where it determines whether the app shows a graph or Internet activity or not. Can the detected statuses actually be used in routing, firewall, NAT or other rules?

You can control what it does with the lists:
The manual explains how the states change. Now, it will run the detection on interfaces that are in the "detect-interface-list", and, depending of the state, add them to the differen <state>-interface-list. The idea is that you can use those lists in your firewall, etc.

You can check the current state with something like
(This is an example from a router with two connections and an inactive ipv6 tunnel...)

Thanks, I was already reasonably clear on all that, however I still can't see where the status is used. I can't see how for example you apply a filter, NAT or mangle rule based on detected status of "internet". The match address list options only offer the statically defined lists, or some functional options like "all" or "dynamic". Could you help me out with an example of a rule that takes effect only if the interface has detected status "internet"?

Actually I think I may have worked it out. Say I create a new Interface List "INTERNET-DETECTED", and set that in the Detect Internet settings, theoretically it should add the interface into that list, and I would match my rules against the list "INTERNET-DETECTED". Does that sound right? And does it also move the interface out of any other statically defined list(s)? I'm not quite clear whether an interface can be a member or more than one list at a time.
Thanks Tony S

Same interface can be in multiple lists. And yes, you can use these lists in firewall rules. Question is, what useful thing can you actually do with it? I wonder about that myself.

It's quite understandable to treat LAN and WAN differently, typically to have access from WAN more limited. But assignment of that tends to be static. Even if you accidentally plug cable in wrong port, it won't change from one to the other, because it won't have proper config for that. Your LAN port won't accidentally become WAN. And even though WAN port may lose internet access, you still want to keep all protection, simply because it's connected to upstream router and potentially dangerous network.

The difference between WAN (port that may have internet access) and Internet (port that actually has internet access), that sounds as something that could be useful. It would be nice to have such info in routes. But in firewall? What could I want to do with one that I wouldn't want to do with the other? I'd like to hear some good example.

I need to think a bit about lists. I have a router that will have three potential Internet connections, one needs NAT and firewall, one just needs firewall, and the third doesn't need either (the LTE has it's own firewall).

Does anyone have an idea how Mikrotik detect Internet judge WAN or LAN, please?
My sfp1, sfp2, sfp3 are my WAN1, WAN2, WAN3 but sfp3 being detected as LAN...

Here are the rules that are used for detection: https://help.mikrotik.com/docs/display/ ... t+Internet

Yes, it is used to automatically populate interface lists. For example if you accidentally plug in a cable with internet access, you might open up your router to unrestricted access from the internet. This can prevent it, if it detects, that the newly active interface has internet access, your firewall rulrs will automatically protect it.

Here are the rules that are used for detection: https://help.mikrotik.com/docs/display/ ... t+Internet

Yes, it is used to automatically populate interface lists. For example if you accidentally plug in a cable with internet access, you might open up your router to unrestricted access from the internet. This can prevent it, if it detects, that the newly active interface has internet access, your firewall rulrs will automatically protect it.

I read that document, but it didn't tell how it judge LAN or WAN, only said interfaces can reach cloud.mikrotik.com using UDP protocol port 30000 can obtain "Internet status". (My sfp1 & sfp2 marked as Internet correctly)

My sfp3 set up as WAN3 being detected as LAN, and BridgeLAN and Ether5 being detected as WAN, while they are all LAN.

Apparently RouterOS was able to reach internet though those interefaces. Maybe your bridge setup is incorrect or something else is wrong

Apparently RouterOS was able to reach internet though those interefaces. Maybe your bridge setup is incorrect or something else is wrong

I have my trust in RouterOS, therefore i am looking my settings for mistakes. It would be better for me to find them if i can know under what circumstance the interface will be judged as LAN or WAN. (I already know when will be judged as Internet according to your share knowledge base)

My bridge setup is simple, just put together all LAN ethernet ports. Ether4 & Ether5 are on a PowerEdge Server running windows server.

sfp3 is a WAN and capable of accessing Internet, even not, at least a WAN, but judged as a LAN.

As @normis said: this function is intended to detect (and autoconfigure to certain extent) WAN-facing interfaces (which is a very good thing). However, the experience is that detection success rate is lower than we would all love to see and when it fails, then the whole router starts to behave in random unexpected ways. Which means that if the router is administered at least half decently (which includes some thought when plugging in any data cable), its mostly better to disable the feature ... Specially so as it relies on setup which closely resembles (or builds on) default setup. If somebody tears it apart, then leaving detect-internet enabled doesn't make any sense what so ever.

As @normis said: this function is intended to detect (and autoconfigure to certain extent) WAN-facing interfaces (which is a very good thing). However, the experience is that detection success rate is lower than we would all love to see and when it fails, then the whole router starts to behave in random unexpected ways. Which means that if the router is administered at least half decently (which includes some thought when plugging in any data cable), its mostly better to disable the feature ... Specially so as it relies on setup which closely resembles (or builds on) default setup. If somebody tears it apart, then leaving detect-internet enabled doesn't make any sense what so ever.

The detection results apparently also applied to Quickset, i am troubleshooting why when i added sfp3 (WAN3), then my LAN (use default 192.168.88.1) will be replaced by the new WAN3 IP. It offers a very good insight since it also list every interfaces attribute (WAN or LAN).

Especially the bandwidth usage diagram on Android phone are rather pretty and useful, i can't resist to try to make it work.

Most likely your setup is too customized for this feature to be useful to you. Just disable internet detection and put the interfaces where you need them. Manually.

RoS feature I would quietly retire.

Normis, on a side note, does RoS use the input chain default rule dst-address=127.0.0.1 for anything other than internal capsman use?????