mauro75
just joined
Topic Author
Posts: 6
Joined: Sat Mar 13, 2021 5:59 pm

[SOLVED] Google ChromeCast not working

Sat Mar 13, 2021 6:14 pm

Hello everybody.
I'm new and don't know RouterOS well, just bought a RB2011UiAS-2HnD.
I saw that there are many posts on this topic (chromecast) - I checked them carefully, but none solved my problem.

The problem: ChromeCast (first version, 2.4GHz) connects to WiFi but cannot access the Internet.
The installation is pretty standard, but I am posting my configuration; I have obscured some data that I thought sensitive.

Some posts I've found recommend:
have strong wifi: done!
only b / g with 20-10-5MHz: done!
is in ap bridge? yes!
enable forward: done! two wifi devices can communicate through wifi: my smartphone can access via http to volumio interface (raspberry connected via wifi).

the problem remains.
Can anyone help me?

---------------------
SOLUTION:

The problem is the NAT rule for TCP port 80.
If I deactivate that, the Chromecast works and even my wife's smartphone does not have the "X" on the WiFi connection.
I didn't understand why though. Probably the NAT should not be written like this or I need to add other filters.

---------------------


# mar/13/2021 16:32:30 by RouterOS 6.48.1
# software id = WWWW-YYYY
#
# model = RB2011UiAS-2HnD
# serial number = xxxxxxx
/interface bridge
add admin-mac=48:8F:5A:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=italy disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=XXX station-roaming=enabled wireless-protocol=\
802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip ipsec policy group
add name="Gruppo N5"
/ip ipsec profile
add dh-group=modp1536 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=\
3des lifetime=1h name="Profile N5"
/ip ipsec peer
add address=aaa.bbb.ccc.ddd/32 exchange-mode=aggressive name=SedeN5 profile=\
"Profile N5"
/ip ipsec proposal
add enc-algorithms=3des lifetime=8h name="Proposal N5" pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.79.100-192.168.79.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.79.254/24 comment=defconf interface=bridge network=\
192.168.79.0
add address=192.168.78.253/24 interface=ether1 network=192.168.78.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.79.108 comment=RaspberryKODI mac-address=\
B8:27:EB:xx:xx:xx
add address=192.168.79.159 comment=HP_M225dn mac-address=48:0F:CF:xx:xx:xx
add address=192.168.79.163 comment=VOLUMIO mac-address=DC:A6:32:xx:xx:xx
add address=192.168.79.132 comment=allarme mac-address=AC:CF:23:xx:xx:xx
add address=192.168.79.250 comment=NAS4FREE mac-address=E8:39:35:xx:xx:xx
add address=192.168.79.164 comment=MOODE mac-address=B8:27:EB:xx:xx:xx
add address=192.168.79.155 mac-address=50:65:F3:xx:xx:xx
add address=192.168.79.168 mac-address=D4:D2:D6:xx:xx:xx
add address=192.168.79.99 mac-address=90:EF:68:xx:xx:xx
/ip dhcp-server network
add address=192.168.79.0/24 comment=defconf gateway=192.168.79.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=176.103.130.130,176.103.130.131
/ip dns static
add address=192.168.79.254 comment=defconf name=router.lan
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add chain=input dst-port=15443 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.248.0/21 \
src-address=192.168.79.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=SSH dst-port=9022 protocol=tcp \
to-addresses=192.168.79.250 to-ports=22
add action=dst-nat chain=dstnat comment=Torrent dst-port=51413 protocol=tcp \
to-addresses=192.168.79.250 to-ports=51413
add action=dst-nat chain=dstnat comment="vb.net update" dst-port=80 protocol=\
tcp to-addresses=192.168.79.250 to-ports=80
/ip ipsec identity
add my-id=user-fqdn:account1@domain.local notrack-chain=output peer=SedeN5 \
policy-template-group="Gruppo N5" remote-id=\
user-fqdn:account2@domain.local
/ip ipsec policy
set 0 disabled=yes
add comment=N5 dst-address=192.168.248.0/21 peer=SedeN5 proposal=\
"Proposal N5" sa-dst-address=AAA.BBB.CCC.DDD sa-src-address=192.168.78.253 \
src-address=192.168.79.0/24 tunnel=yes
add comment=Test dst-address=10.254.0.0/16 peer=SedeN5 proposal=\
"Proposal N5" sa-dst-address=AAA.BBB.CCC.DDD sa-src-address=192.168.78.253 \
src-address=192.168.79.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.78.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=certtest disabled=no port=15443 tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=10m
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Rome
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.105
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by mauro75 on Tue Mar 30, 2021 3:52 pm, edited 1 time in total.
 
mauro75
just joined
Topic Author
Posts: 6
Joined: Sat Mar 13, 2021 5:59 pm

Re: Google ChromeCast not working

Thu Mar 18, 2021 10:49 am

No one?
 
sarah
newbie
Posts: 27
Joined: Mon Feb 29, 2016 1:41 am

Re: Google ChromeCast not working

Thu Mar 18, 2021 11:05 am

One of the problems I find is that you did not have a DNS server in your dhcp-server network.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Google ChromeCast not working

Thu Mar 18, 2021 11:11 am

Bit puzzled why one would buy an RB2011 in 2021. Though it is a great device, it lacks (at least) 5G wifi.

In regards to your question: never use 20/40MHz bandwidth for 2.4G radio as it will interfere with...well, everything on that band.
Instead, use 20MHz and use a fixed channel (1, 6 or 11). And use the scanner to find the best channel.
Next...turn down TX power. "Strong wifi" is something else than screaming as much as possible. Just use as needed for a stable connection.
Unless you really need to....don't use 802.11b. It is legacy (and beyond). Just use 802.11g/n instead.
Only use AES, TKIP was...legacy as well.

Hope this helps!
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Google ChromeCast not working

Thu Mar 18, 2021 1:00 pm

Concur with erlinden (dns on dhcp server missing etc.)
Here are my 2.4GHz settings (yes, 20MHz only for 2.4GHz):
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada \
disabled=no frequency=2437 mode=ap-bridge name=EntertainmentWifi \
rate-set=configured security-profile=Mediawifi ssid=MediaConnect \
supported-rates-b="" wireless-protocol=802.11 wmm-support=enabled \
wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=homewifi \
supplicant-identity=""

As for the rest of the config, looks okay (second the bit on buying an old underpowered router??)
Next let's look at the firewall rules.
They should be in ORDER (i.e. within a chain the rule order is very important to prevent unexpected results or to maximize efficiency of processing packets).

/ip firewall filter
add action=accept chain=input comment=\ {order fixed}
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add chain=input dst-port=15443 in-interface=ether1 protocol=tcp {Remove doesnt belong here, no purpose}
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Forward chain looks fine.


Lastly NAT RULES.
What is the purpose of this rule as you already have the standard source-nat masquerade rule??
add action=accept chain=srcnat disabled=yes dst-address=192.168.248.0/21 \
src-address=192.168.79.0/24
??

All your destination-nat rules are missing in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment=SSH dst-port=9022 protocol=tcp \
to-addresses=192.168.79.250 to-ports=22
add action=dst-nat chain=dstnat comment=Torrent dst-port=51413 protocol=tcp \
to-addresses=192.168.79.250 to-ports=51413
add action=dst-nat chain=dstnat comment="vb.net update" dst-port=80 protocol=\
tcp to-addresses=192.168.79.250 to-ports=80
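
Why the port-80 rule affects LAN devices, as an added example (not code from this thread or from MikroTik): a dst-nat rule with no in-interface-list or destination-address matcher applies to every matching connection that crosses the router, including LAN clients going out to the internet on TCP/80. The script below audits a RouterOS export for such rules; the sample export is constructed from the first post, and the `scoped` rule and all function names are assumptions made for the example.

```python
import shlex

# Constructed sample: NAT section modelled on the export in the first post,
# plus one hypothetical rule ("scoped") that carries in-interface-list=WAN.
SAMPLE_EXPORT = r'''/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=SSH dst-port=9022 protocol=tcp \
    to-addresses=192.168.79.250 to-ports=22
add action=dst-nat chain=dstnat comment="vb.net update" dst-port=80 protocol=\
    tcp to-addresses=192.168.79.250 to-ports=80
add action=dst-nat chain=dstnat comment=scoped dst-port=8080 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.79.250 to-ports=80
/ip route
add distance=1 gateway=192.168.78.254
'''

# Matchers that tie a dst-nat rule to where the packet arrived or was addressed.
SCOPE_KEYS = {"in-interface", "in-interface-list", "dst-address",
              "dst-address-list", "dst-address-type"}

def logical_lines(text):
    """Join export lines split with a trailing backslash (may split mid-token)."""
    buf = ""
    for raw in text.splitlines():
        part = raw.strip()
        if part.endswith("\\"):
            buf += part[:-1]
            continue
        yield buf + part
        buf = ""

def nat_rules(text):
    """Return each 'add' line under /ip firewall nat as a dict of properties."""
    section, rules = None, []
    for line in logical_lines(text):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def unscoped_dstnat(text):
    """dst-nat rules matching on protocol/port alone, so LAN traffic hits them."""
    return [r for r in nat_rules(text)
            if r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
            and not r.keys() & SCOPE_KEYS]

def redirect_for(text, protocol, dst_port, in_list):
    """Simplified matcher: where is a new connection arriving on in_list sent?"""
    for r in nat_rules(text):
        if (r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
                and r.get("protocol") == protocol
                and r.get("dst-port") == str(dst_port)
                and r.get("in-interface-list", in_list) == in_list):
            return r["to-addresses"] + ":" + r["to-ports"]
    return None  # no dst-nat rule applies; the destination is left unchanged

if __name__ == "__main__":
    for rule in unscoped_dstnat(SAMPLE_EXPORT):
        print("unscoped dst-nat:", rule.get("comment"), "port", rule["dst-port"])
    print("LAN tcp/80 ->", redirect_for(SAMPLE_EXPORT, "tcp", 80, "LAN"))
```

With the sample, a LAN client's outbound TCP/80 connection is rewritten to the NAS at 192.168.79.250:80, while the rule scoped with in-interface-list=WAN leaves LAN traffic alone.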
 
mauro75
just joined
Topic Author
Posts: 6
Joined: Sat Mar 13, 2021 5:59 pm

Re: Google ChromeCast not working

Thu Mar 18, 2021 8:28 pm

Thanks to all for the answers and valuable suggestions.
I answer:
I chose this product because it is cheap, still good and does what I need (many interfaces including gigabit, wifi, routing, vpn); the performance is not a problem at the moment.

sarah: dns missing, done.
erlinden: static channel done, 20MHz done, tkip removed, 2.4 now is only g / n
anav: disable-pmkid done, firewall rules now sorted (15433, at the moment it is to allow the management from outside, then I will activate the vpn, the NATs were missing as you indicated, I simply forgot to put them).
Now everything is as you suggested, but the problem remains.

I realized that my wife's smartphone (a Motorola) has the same problem: connected to wifi but without internet. I also tried to set a static IP and Google DNS on it, without success. My PC works, my smartphone also; both ping the Chromecast and the Motorola.

Here is the updated configuration:


# mar/18/2021 18:49:05 by RouterOS 6.48.1
# software id = 8QNB-xxxx
#
# model = RB2011UiAS-2HnD
# serial number = D5AB0Cxxxxxx
/interface bridge
add admin-mac=48:8F:5A:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=italy disabled=no \
distance=indoors installation=indoor mode=ap-bridge ssid=myWiFi \
station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec policy group
add name="Gruppo N5"
/ip ipsec profile
add dh-group=modp1536 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=\
3des lifetime=1h name="Profile N5"
/ip ipsec peer
add address=aaa.bbb.ccc.ddd/32 exchange-mode=aggressive name=SedeN5 profile=\
"Profile N5"
/ip ipsec proposal
add enc-algorithms=3des lifetime=8h name="Proposal N5" pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.79.100-192.168.79.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.79.254/24 comment=defconf interface=bridge network=\
192.168.79.0
add address=192.168.78.253/24 interface=ether1 network=192.168.78.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.79.108 comment=RaspberryKODI mac-address=\
B8:27:EB:xx:xx:xx
add address=192.168.79.159 comment=HP_M225dn mac-address=48:0F:CF:xx:xx:xx
add address=192.168.79.163 comment=VOLUMIO mac-address=DC:A6:32:xx:xx:xx
add address=192.168.79.132 comment=allarme mac-address=AC:CF:23:xx:xx:xx
add address=192.168.79.250 comment=NAS4FREE mac-address=E8:39:35:xx:xx:xx
add address=192.168.79.164 comment=MOODE mac-address=B8:27:EB:xx:xx:xx
add address=192.168.79.155 mac-address=50:65:F3:xx:xx:xx
add address=192.168.79.168 mac-address=D4:D2:D6:xx:xx:xx
add address=192.168.79.99 mac-address=90:EF:68:xx:xx:xx
/ip dhcp-server network
add address=192.168.79.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.79.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.79.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add chain=input dst-port=15443 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.248.0/21 \
src-address=192.168.79.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=SSH dst-port=20022 protocol=tcp \
to-addresses=192.168.79.250 to-ports=22
add action=dst-nat chain=dstnat comment=Torrent dst-port=51413 protocol=tcp \
to-addresses=192.168.79.250 to-ports=51413
add action=dst-nat chain=dstnat comment="vb.net update" dst-port=80 protocol=\
tcp to-addresses=192.168.79.250 to-ports=80
/ip ipsec identity
add my-id=user-fqdn:ueser1@dom.local notrack-chain=output peer=SedeN5 \
policy-template-group="Gruppo N5" remote-id=\
user-fqdn:user2@dom.local
/ip ipsec policy
set 0 disabled=yes
add comment=N5 dst-address=192.168.248.0/21 peer=SedeN5 proposal=\
"Proposal N5" sa-dst-address=aaa.bbb.ccc.ddd sa-src-address=192.168.78.253 \
src-address=192.168.79.0/24 tunnel=yes
add comment=service1 dst-address=10.254.0.0/16 peer=SedeN5 proposal=\
"Proposal N5" sa-dst-address=aaa.bbb.ccc.ddd sa-src-address=192.168.78.253 \
src-address=192.168.79.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.78.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=mycert disabled=no port=15443 tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=10m
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Rome
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.105
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mauro75
just joined
Topic Author
Posts: 6
Joined: Sat Mar 13, 2021 5:59 pm

Re: Google ChromeCast not working

Thu Mar 18, 2021 10:20 pm

errata corrige:
the smartphone can resolve domain names, and can ping/tracert outside (e.g. 8.8.8.8),
but the wifi icon at the top of the screen has the "x" (connected without internet) and browsing works.
 
mauro75
just joined
Topic Author
Posts: 6
Joined: Sat Mar 13, 2021 5:59 pm

Re: Google ChromeCast not working

Sun Mar 21, 2021 9:06 pm

I did a new test:
I connected the old router, turned on the Chromecast, and everything works. I turned off the old router and turned on the new one. The Chromecast was on, and it works! If I restart it, the error message comes out.
As if during boot it tries to connect somewhere to verify the connection.

I tried to log the dropped connections, but there are too many.
In any case, these are some from the Chromecast (after boot), with the comment of the rule that blocks them as the heading.

defconf: drop invalid
20:04:43 firewall,info drop forward forward: in:bridge out:ether1, src-mac 6c:ad:f8:xx:xx:xx, proto TCP (RST), 192.168.79.101:56439->142.250.184.35:443, len 40
20:04:43 firewall,info drop forward forward: in:bridge out:ether1, src-mac 6c:ad:f8:xx:xx:xx, proto TCP (RST), 192.168.79.101:56439->142.250.184.35:443, len 40
20:04:48 firewall,info drop forward forward: in:bridge out:ether1, src-mac 6c:ad:f8:xx:xx:xx, proto TCP (RST), 192.168.79.101:56448->142.250.184.35:443, len 40
20:04:48 firewall,info drop forward forward: in:bridge out:ether1, src-mac 6c:ad:f8:xx:xx:xx, proto TCP (RST), 192.168.79.101:56448->142.250.184.35:443, len 40
20:04:51 firewall,info drop forward forward: in:bridge out:ether1, src-mac 6c:ad:f8:xx:xx:xx, proto TCP (RST), 192.168.79.101:56454->142.250.184.35:443, len 40
20:04:51 firewall,info drop forward forward: in:bridge out:ether1, src-mac 6c:ad:f8:xx:xx:xx, proto TCP (RST), 192.168.79.101:56454->142.250.184.35:443, len 40


I tried for 30 seconds to leave this rule off, but the chromecast still didn't connect.
Anyone want to help me?
 
mauro75
just joined
Topic Author
Posts: 6
Joined: Sat Mar 13, 2021 5:59 pm

Re: [SOLVED] Google ChromeCast not working

Tue Mar 30, 2021 3:54 pm

up.
