Hello everybody.
I'm new and don't know RouterOS well, just bought a RB2011UiAS-2HnD.
I saw that there are many posts on this topic (chromecast) - I checked them carefully, but none solved my problem.
The problem: ChromeCast (first version, 2.4GHz) connects to WiFi but cannot access the Internet.
The installation is pretty standard, but I am posting my configuration below; I have obscured some data that I considered sensitive.
Some posts I've found recommend:
have strong wifi: done!
only b/g with 20-10-5 MHz: done!
is in ap bridge? yes!
enable forwarding: done! Two Wi-Fi devices can communicate with each other: my smartphone can reach the Volumio web interface (a Raspberry Pi connected via Wi-Fi) over HTTP.
the problem remains.
Can anyone help me?
---------------------
SOLUTION:
The problem is the NAT rule for TCP port 80.
If I disable that rule, the Chromecast works, and even my wife's smartphone no longer shows the "X" on its Wi-Fi connection.
I didn't understand why though. Probably the NAT should not be written like this or I need to add other filters.
---------------------
# mar/13/2021 16:32:30 by RouterOS 6.48.1
# software id = WWWW-YYYY
#
# model = RB2011UiAS-2HnD
# serial number = xxxxxxx
# One bridge with an administratively fixed MAC address (auto-mac=no); the MAC
# is masked in this listing.
/interface bridge
add admin-mac=48:8F:5A:xx:xx:xx auto-mac=no comment=defconf name=bridge
# wlan1 is enabled as a 2.4 GHz access point (mode=ap-bridge) using plain
# 802.11, with automatic frequency selection and the Italian regulatory domain.
# NOTE(review): the accompanying post says the radio was limited to b/g with
# narrow channels, but this export shows band=2ghz-b/g/n and 20/40 MHz -
# confirm which setting is actually live.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=italy disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=XXX station-roaming=enabled wireless-protocol=\
802.11
# Interface lists; the firewall, neighbor discovery and MAC-server settings
# further down refer to WAN and LAN by these names.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default security profile: WPA2-PSK, but TKIP is still offered next to AES-CCM
# for both unicast and group traffic. TKIP is a deprecated cipher; offering
# aes-ccm only is the stronger setting unless a legacy client requires TKIP.
# No passphrase appears in this listing.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
# Site-to-site IPsec building blocks for the peer "SedeN5". The identity and
# the policies that use them are defined later in this export.
# NOTE(review): every cryptographic value below has to match the remote
# gateway, so any hardening must be changed on both ends at the same time.
/ip ipsec policy group
add name="Gruppo N5"
# Phase 1 profile: 3DES with DH group modp1536, 1h lifetime, dead-peer
# detection every 10s with 3 allowed failures. 3DES is a legacy 64-bit block
# cipher and modp1536 is a small DH group by current standards; an AES cipher
# and a larger group are preferable if the remote side supports them.
# The hash algorithm is not listed here, so whatever the default is applies.
/ip ipsec profile
add dh-group=modp1536 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=\
3des lifetime=1h name="Profile N5"
# Peer definition; the remote address is masked in this listing.
# exchange-mode=aggressive sends the identities unprotected and, when a
# pre-shared key is used, exposes material that allows offline guessing of the
# key. NOTE(review): the authentication method is not visible in this export -
# if it is a PSK, prefer main mode or IKEv2 and a long random key.
/ip ipsec peer
add address=aaa.bbb.ccc.ddd/32 exchange-mode=aggressive name=SedeN5 profile=\
"Profile N5"
# Phase 2 proposal: 3DES, 8h lifetime, PFS with modp1536. The same cipher
# caveat as for the phase 1 profile applies.
/ip ipsec proposal
add enc-algorithms=3des lifetime=8h name="Proposal N5" pfs-group=modp1536
# DHCP pool for the LAN and the DHCP server that hands it out on the bridge.
/ip pool
add name=dhcp ranges=192.168.79.100-192.168.79.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# The existing "full" group carries every policy listed here, including
# "sensitive" and "sniff", so any account in it can view secrets and capture
# traffic. NOTE(review): user accounts are not part of this listing - confirm
# that only the intended administrators belong to this group.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# ether2-ether10, sfp1 and wlan1 are all members of the one bridge, so wired
# and wireless clients share a single layer-2 segment. ether1 is not a bridge
# port; it is assigned to the WAN list below.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
# Neighbor discovery is limited to the LAN list, so it is not sent on ether1.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# LAN = the bridge, WAN = ether1. The firewall rules match on these lists.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Router addresses: 192.168.79.254/24 on the LAN bridge and a static
# 192.168.78.253/24 on ether1.
# NOTE(review): the ether1 address is in private address space, so this router
# presumably sits behind another gateway; services forwarded here are only
# reachable from the Internet if that upstream device forwards them too.
/ip address
add address=192.168.79.254/24 comment=defconf interface=bridge network=\
192.168.79.0
add address=192.168.78.253/24 interface=ether1 network=192.168.78.0
# NOTE(review): ether1 also runs a DHCP client in addition to the static
# address above - confirm that both are intended.
/ip dhcp-client
add comment=defconf interface=ether1
# Static DHCP leases (MAC addresses masked). 192.168.79.250 (NAS4FREE) is the
# host that the dst-nat rules later in this export forward traffic to.
/ip dhcp-server lease
add address=192.168.79.108 comment=RaspberryKODI mac-address=\
B8:27:EB:xx:xx:xx
add address=192.168.79.159 comment=HP_M225dn mac-address=48:0F:CF:xx:xx:xx
add address=192.168.79.163 comment=VOLUMIO mac-address=DC:A6:32:xx:xx:xx
add address=192.168.79.132 comment=allarme mac-address=AC:CF:23:xx:xx:xx
add address=192.168.79.250 comment=NAS4FREE mac-address=E8:39:35:xx:xx:xx
add address=192.168.79.164 comment=MOODE mac-address=B8:27:EB:xx:xx:xx
add address=192.168.79.155 mac-address=50:65:F3:xx:xx:xx
add address=192.168.79.168 mac-address=D4:D2:D6:xx:xx:xx
add address=192.168.79.99 mac-address=90:EF:68:xx:xx:xx
# DHCP clients receive the router (192.168.79.254) as their gateway.
/ip dhcp-server network
add address=192.168.79.0/24 comment=defconf gateway=192.168.79.254 netmask=24
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. Who can reach the resolver is decided only by the input chain of the
# firewall: if the "drop all not coming from LAN" rule is removed or
# reordered, the router becomes an open resolver on ether1.
/ip dns
set allow-remote-requests=yes servers=176.103.130.130,176.103.130.131
/ip dns static
add address=192.168.79.254 comment=defconf name=router.lan
# Filter rules are evaluated top to bottom within each chain, so the order of
# the lines below is part of the policy.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# No action= is given, so the default action (accept) applies: this opens
# TCP 15443 on ether1, the port that www-ssl (the HTTPS management interface)
# is moved to later in this export. It matches any source address.
# NOTE(review): if remote management is required, limit it with src-address or
# src-address-list (or reach it through the VPN), give the rule a comment, and
# consider in-interface-list=WAN for consistency with the other rules.
add chain=input dst-port=15443 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything else that does not arrive from the LAN list is dropped; this is
# the rule that keeps DNS and the remaining router services off ether1.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
# IPsec-protected traffic is accepted in both directions before fasttrack.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# New connections from WAN are forwarded only if a dst-nat rule matched them,
# so the dst-nat rules in the NAT table define what is exposed from outside.
# There is no final drop rule in this chain: anything not dropped above
# (for example LAN-to-WAN traffic) is accepted.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
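/ip firewall nat
# Disabled NAT-bypass rule for LAN traffic towards 192.168.248.0/21, the
# destination of the first IPsec policy in this export. The masquerade rule
# below already skips IPsec-bound packets through ipsec-policy=out,none.
add action=accept chain=srcnat disabled=yes dst-address=192.168.248.0/21 \
src-address=192.168.79.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Port forwards to the NAS at 192.168.79.250.
# Each rule is restricted with in-interface-list=WAN. Without an interface or
# destination-address matcher, a dst-nat rule matches on the port alone and
# also rewrites connections that LAN clients open towards the Internet. For
# dst-port=80 that sent every outbound HTTP request from the LAN to the NAS,
# which is why devices that test connectivity over plain HTTP (the Chromecast,
# the smartphone showing the "X") reported that there was no Internet access.
# NOTE(review): with this matcher the forwards no longer apply to LAN clients
# that use the router's external address; they should use 192.168.79.250.
# NOTE(review): these three rules expose SSH, a torrent port and plain HTTP on
# the NAS to any source address. Where the set of remote clients is known,
# restrict the rules with src-address or src-address-list, use key-based SSH
# authentication on the NAS, and prefer HTTPS over the port 80 forward.
add action=dst-nat chain=dstnat comment=SSH dst-port=9022 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.79.250 to-ports=22
add action=dst-nat chain=dstnat comment=Torrent dst-port=51413 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.79.250 \
to-ports=51413
add action=dst-nat chain=dstnat comment="vb.net update" dst-port=80 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.79.250 to-ports=80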
# Identity for peer SedeN5: both sides identify themselves with user-FQDN IDs
# (values replaced by placeholders in this listing). No authentication method
# or secret appears in this export.
# NOTE(review): the peer uses aggressive mode; if this identity authenticates
# with a pre-shared key, make sure the key is long and random.
/ip ipsec identity
add my-id=user-fqdn:account1@domain.local notrack-chain=output peer=SedeN5 \
policy-template-group="Gruppo N5" remote-id=\
user-fqdn:account2@domain.local
/ip ipsec policy
# Disables the policy at index 0 - presumably the default template; verify on
# the device, since index-based commands depend on the current entry order.
set 0 disabled=yes
# Two tunnel-mode policies from the LAN (192.168.79.0/24) to the remote
# networks 192.168.248.0/21 and 10.254.0.0/16. Both use "Proposal N5" and the
# static ether1 address 192.168.78.253 as the local SA endpoint; the remote
# endpoint is masked.
add comment=N5 dst-address=192.168.248.0/21 peer=SedeN5 proposal=\
"Proposal N5" sa-dst-address=AAA.BBB.CCC.DDD sa-src-address=192.168.78.253 \
src-address=192.168.79.0/24 tunnel=yes
add comment=Test dst-address=10.254.0.0/16 peer=SedeN5 proposal=\
"Proposal N5" sa-dst-address=AAA.BBB.CCC.DDD sa-src-address=192.168.78.253 \
src-address=192.168.79.0/24 tunnel=yes
# Static route via 192.168.78.254 on the ether1 subnet; no dst-address is
# given, so this is presumably the default route - verify.
/ip route
add distance=1 gateway=192.168.78.254
# Management services: telnet, ftp, plain-HTTP www, api and api-ssl are
# disabled. www-ssl is enabled on port 15443 with TLS 1.2 only, and the input
# chain accepts that port on ether1.
# NOTE(review): ssh and winbox are not mentioned here, so this export leaves
# them unchanged - presumably enabled on their default ports; verify.
# NOTE(review): no address= restriction is set on www-ssl, so access control
# relies on the firewall alone. The certificate name "certtest" suggests a
# test certificate - confirm what is actually presented to clients.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=certtest disabled=no port=15443 tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
# Front-panel LCD: backlight timeout and the interface shown on page 0.
/lcd
set backlight-timeout=10m
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Rome
# NTP client with two fixed server addresses, which keeps log timestamps and
# certificate validity checks on a correct clock.
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.105
# Layer-2 management (MAC server and MAC-Winbox) is allowed from the LAN list
# only.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN