smotrov
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Dec 26, 2022 8:55 pm
Location: Ukraine 🇺🇦

Playstation & Youtube errors

Wed Dec 28, 2022 5:03 pm

Replaced my AirPort Extreme with brand new hAp AX2.
Now I'm having certain issues with Playstation 4 and Youtube app on both Android and Apple TV.

When the PS4 wakes up from sleep mode it has an internet connection but cannot enter PlayStation Network. The PS4 shows a (NW-31254-5) DNS error.
At the same time the YouTube app keeps saying that there is no internet connection, despite the fact that Speedtest on the same devices shows that internet is available there.

Both issues disappear if I reboot the client devices. Then the issue comes back when they wake up from sleep mode. Rebooting the client devices temporarily fixes the problem, until the next sleep.

I presume that there is something wrong with NAT / port forwarding.

I have an almost factory setup on my hAp AX2. I also have a static IP from my ISP.

Any advice would be highly appreciated.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Playstation & Youtube errors

Wed Dec 28, 2022 5:09 pm

Probably instead of configuring the ax2 only as a plain switch+AP, you set it as a router, and the multiple NAT and DNS cache cause issues...
 
smotrov
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Dec 26, 2022 8:55 pm
Location: Ukraine 🇺🇦

Re: Playstation & Youtube errors

Wed Dec 28, 2022 5:11 pm

> Probably instead of configuring the ax2 only as a plain switch+AP, you set it as a router, and the multiple NAT and DNS cache cause issues...

Here is my setup:
# dec/28/2022 17:09:37 by RouterOS 7.7rc3
# software id = AHJZ-PQ1I
#
# model = C52iG-5HaxD2HaxD
/interface bridge
add admin-mac=18:FD:74:BB:CB:C9 auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Ukraine .mode=ap .ssid="AirPort Extreme Slow" disabled=no mtu=1500 name=Private2GHz \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi1 ] channel.skip-dfs-channels=all configuration.country=Ukraine .mode=ap .ssid="AirPort Extreme" disabled=no mtu=1500 name=Private5GHz \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.country=Ukraine .mode=ap .ssid="Glory to Ukraine app.191" disabled=no mac-address=1A:FD:74:BB:CB:CE master-interface=Private2GHz name=Guest2GHz
add configuration.country=Ukraine .mode=ap .ssid="Glory to Ukraine app.191" disabled=no mac-address=1A:FD:74:BB:CB:CD master-interface=Private5GHz name=Guest5GHz
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w name=defconf
/port
set 0 name=serial0
/interface bridge filter
add action=drop chain=forward in-interface=Guest5GHz
add action=drop chain=forward out-interface=Guest5GHz
add action=drop chain=forward in-interface=Guest2GHz
add action=drop chain=forward out-interface=Guest2GHz
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=Private5GHz
add bridge=bridge comment=defconf interface=Private2GHz
add bridge=bridge interface=Guest5GHz
add bridge=bridge interface=Guest2GHz
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set www-ssl certificate=Webfig disabled=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Kiev
/system logging
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=warning
/system package update
set channel=testing
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by smotrov on Wed Dec 28, 2022 5:18 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Playstation & Youtube errors

Wed Dec 28, 2022 5:16 pm

Serial number should be removed from the previous post.

Also as per rextended's query, does the ax3 get a public IP or is it attached to an ISP router?

Who advised you to use bridge filters, vice the standard firewall filters? Use of them is an advanced user type of knowledge!

I also don't understand why you don't at least use two different VLANs, one for home use and one for guest use?
(or more clearly, two different subnets).
 
smotrov
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Dec 26, 2022 8:55 pm
Location: Ukraine 🇺🇦

Re: Playstation & Youtube errors

Wed Dec 28, 2022 5:24 pm

> Serial number should be removed from the previous post.
>
> Also as per rextended's query, does the ax3 get a public IP or is it attached to an ISP router?
>
> Who advised you to use bridge filters, vice the standard firewall filters? Use of them is an advanced user type of knowledge!
>
> I also don't understand why you don't at least use two different VLANs, one for home use and one for guest use?

Thank you Anav, for your reply.
I removed my serial from the previous post.

Regarding firewall filters. This setup is just from default automated setup from MikroTik app. So strictly speaking it was MikroTik advice :-)
Do you think this setup is not correct and should be changed completely?
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Playstation & Youtube errors

Wed Dec 28, 2022 5:42 pm

SHOWING MAJOR CHANGES

# dec/28/2022 17:09:37 by RouterOS 7.7rc3
/interface bridge
add admin-mac=18:FD:74:BB:CB:C9 auto-mac=no comment=defconf name=bridge vlan-filtering=yes { done after config is completed last step }
/interface vlan
add interface=bridge name=VLANH-10 vlan-ids=10
add interface=bridge name=VLANG-20 vlan-ids=20
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-guest ranges=192.168.28.10-192.168.28.254
/ip dhcp-server
add address-pool=dhcp interface=VLANH-10 lease-time=1w name=defconf
add address-pool=dhcp-guest interface=VLANG-20 lease-time=1w name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge comment=defconf interface=ether3 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge comment=defconf interface=ether4 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge comment=defconf interface=ether5 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge comment=defconf interface=Private5GHz ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge comment=defconf interface=Private2GHz ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge interface=Guest5GHz ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=20
add bridge=bridge interface=Guest2GHz ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,Private5GHz,Private2GHz vlan-ids=10
add bridge=bridge tagged=bridge untagged=Guest5GHz,Guest2GHz vlan-ids=20
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add comment=defconf interface=VLANH-10 list=LAN
add comment=interface=VLANG-20 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLANH-10 list=MANAGE { the guest network should not be part of certain list items }
/ip address
add address=192.168.88.1/24 comment=defconf interface=VLANH-10 network=192.168.88.0
add address=192.168.28.1/24 comment=defconf interface=VLANG-20 network=192.168.28.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.28.0/24 comment=defconf dns-server=192.168.28.1 gateway=192.168.28.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow home subnet" in-interface-list=MANAGE
add action=accept chain=input in-interface=VLANG-20 dst-port=53 protocol=tcp comment="allow dns services"
add action=accept chain=input in-interface=VLANG-20 dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
{ put this in rule only after the three above }
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN {allows internet traffic}
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip upnp
set enabled=yes ???????? Why do you need UPnP, normally not required!!
/tool mac-server
set allowed-interface-list=NONE { not a secure method of connection no not used }
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Playstation & Youtube errors

Wed Dec 28, 2022 5:46 pm

If the MT router is not getting a public IP, then perhaps you are looking at more a switch/AP setup?
If so, how much access to the ISP router do you have ( can forward ports at least ?? )
 
smotrov
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Dec 26, 2022 8:55 pm
Location: Ukraine 🇺🇦

Re: Playstation & Youtube errors

Wed Dec 28, 2022 7:45 pm

Dear anav, thank you for such a comprehensive reply!
I have a few issues.

-----

Can't add records to DHCP server. Should I delete existing one first?
[admin@MikroTik] /ip/dhcp-server> print
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME
# NAME     INTERFACE  ADDRESS-POOL  LEASE-TIME
0 defconf  bridge     dhcp          1w        
[admin@MikroTik] /ip/dhcp-server> add address-pool=dhcp interface=VLANH-10 lease-time=1w name=defconf
failure: server with such name already exists
[admin@MikroTik] /ip/dhcp-server> add address-pool=dhcp-guest interface=VLANG-20 lease-time=1w name=defconf
failure: server with such name already exists

-----

/interface/bridge/port does not allow frame-types=admit-priority-and-untagged
 /interface/bridge/port> add bridge=bridge comment=defconf interface=ether2 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
syntax error (line 1 column 86)
When hitting TAB in the terminal, it suggests the following options:
admit-all admit-only-untagged-and-priority-tagged admit-only-vlan-tagged

-----


So I presume I should put something instead of MANAGE everywhere?

Thank you.
Last edited by smotrov on Wed Dec 28, 2022 10:25 pm, edited 2 times in total.
 
smotrov
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Dec 26, 2022 8:55 pm
Location: Ukraine 🇺🇦

Re: Playstation & Youtube errors

Wed Dec 28, 2022 9:59 pm

> probably instead of configure ax2 only as plain switch+ap, you set it as router and the multiple NAT and DNS cache cause issues...

Previous router (Apple AirPort Extreme) was saying that I have double NAT.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Playstation & Youtube errors

Wed Dec 28, 2022 11:31 pm

Regardless of the apple, what is in between the MT router and the internet???

Yes, my syntax is probably not correct, it's close enough for you to make the right selections. :-)

No I meant MANAGE,

note that first you have to add the list MANAGE,
then the VLAN subnet to the list as a member, and then we use the list MANAGE in various spots

The only way to get those issues is if you have duplicates......... modify the first one and then add the second one, should have worked fine.
 
smotrov
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Dec 26, 2022 8:55 pm
Location: Ukraine 🇺🇦

Re: Playstation & Youtube errors

Wed Dec 28, 2022 11:59 pm

> Regardless of the apple, what is in between the MT router and the internet???

I have a twisted pair cable from my provider right into my apartment. I suppose there is an ISP router somewhere in the building which is connected via optical fiber to their base. I'm a software developer and have pretty limited knowledge of networking. Only basic stuff. Can I ask you to give me a hint on how I can find out what is in between the MT and the internet?

---

Based on your suggestions I did the following configuration. I believe I did something wrong, because there is no internet after it was applied. Restored from backup.
[admin@MikroTik] > export hide-sensitive
# dec/28/2022 23:48:07 by RouterOS 7.7rc3
# software id = AHJZ-PQ1I
#
# model = C52iG-5HaxD2HaxD
/interface bridge
add admin-mac=18:FD:74:BB:CB:C9 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface wifiwave2
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Ukraine .mode=ap .ssid="AirPort Extreme Slow" disabled=no mtu=1500 name=Private2GHz security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi1 ] channel.skip-dfs-channels=all configuration.country=Ukraine .mode=ap .ssid="AirPort Extreme" disabled=no mtu=1500 name=Private5GHz security.authentication-types=wpa2-psk,wpa3-psk
/interface vlan
add interface=bridge name=VLANG-20 vlan-id=20
add interface=bridge name=VLANH-10 vlan-id=10
/interface wifiwave2
add configuration.country=Ukraine .mode=ap .ssid="Glory to Ukraine app.191" disabled=no mac-address=1A:FD:74:BB:CB:CE master-interface=Private2GHz name=Guest2GHz
add configuration.country=Ukraine .mode=ap .ssid="Glory to Ukraine app.191" disabled=no mac-address=1A:FD:74:BB:CB:CD master-interface=Private5GHz name=Guest5GHz
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-guest ranges=192.168.28.10-192.168.28.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w name=defconf
add address-pool=dhcp interface=VLANH-10 lease-time=1w name=privat
add address-pool=dhcp-guest interface=VLANG-20 lease-time=1w name=guest
/port
set 0 name=serial0
/interface bridge filter
add action=drop chain=forward in-interface=Guest5GHz
add action=drop chain=forward out-interface=Guest5GHz
add action=drop chain=forward in-interface=Guest2GHz
add action=drop chain=forward out-interface=Guest2GHz
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=Private5GHz
add bridge=bridge comment=defconf interface=Private2GHz
add bridge=bridge interface=Guest5GHz
add bridge=bridge interface=Guest2GHz
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,Private5GHz,Private2GHz vlan-ids=10
add bridge=bridge tagged=bridge untagged=Guest5GHz,Guest2GHz vlan-ids=20
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=VLANH-10 list=LAN
add comment=defconf interface=VLANG-20 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.88.1/24 comment=defconf interface=VLANH-10 network=192.168.88.0
add address=192.168.28.1/24 comment=defconf interface=VLANG-20 network=192.168.28.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.28.0/24 comment=defconf dns-server=192.168.28.1 gateway=192.168.28.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow home subnet" in-interface-list=LAN
add action=accept chain=input comment="allow dns services" dst-port=53 in-interface=VLANG-20 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=VLANG-20 protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set www-ssl certificate=Webfig disabled=no
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Kiev
/system logging
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=warning
/system package update
set channel=testing
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
smotrov
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Dec 26, 2022 8:55 pm
Location: Ukraine 🇺🇦

Re: Playstation & Youtube errors  [SOLVED]

Thu Dec 29, 2022 1:46 am

It looks like I fixed the issue.
[admin@MikroTik] > /ip/dhcp-server/network/print 
Columns: ADDRESS, GATEWAY, DNS-SERVER
# ADDRESS          GATEWAY       DNS-SERVER
;;; defconf
0 192.168.88.0/24  192.168.88.1  8.8.8.8   
                                 8.8.4.4   
                                 9.9.9.9  
I've just switched the DNS server from the MT (192.168.88.1) to public ones and all clients (Apple TV, PlayStation 4, Mi TV Stick) are now working flawlessly.
I do not really understand why they didn't like the MT's own DNS...
 
accarda
Member Candidate
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: Playstation & Youtube errors

Fri Dec 30, 2022 11:37 am

Because in your setup you had the MT as your DNS, but you forgot to add the DNS servers that your MT should have sent its queries to.
So your clients pointed to a resolver which didn't have an upstream DNS to query.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,9.9.9.9
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Playstation & Youtube errors

Fri Dec 30, 2022 11:55 am

@accarda
He did not forget anything on that RouterBOARD if the DHCP server on the previous router gives correct DNS servers:

/ip dhcp-client
add comment=defconf interface=ether1
 
accarda
Member Candidate
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: Playstation & Youtube errors

Fri Dec 30, 2022 1:55 pm

In that case he would need to check what the other router was passing as DNS servers through the DHCP server… maybe it was passing the router’s IP itself, but we can only guess at this point.
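
The question the last replies circle around (clients handed the router as DNS server, no `servers=` under `/ip dns`, upstream resolvers depending on the WAN DHCP lease) can be checked mechanically from an export. The following is an added example, not part of any post in this thread: a small Python audit run over a constructed excerpt of the first export. Its function names and finding codes are made up for illustration, and it assumes RouterOS's default of `use-peer-dns=yes` on a DHCP client.

```python
import re

# Constructed excerpt: only the DNS-relevant lines of the first export in the thread.
ORIGINAL = """\
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
"""

PAIR = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_export(text):
    """Return {menu path: [params of each add/set line]} for a RouterOS export."""
    menus, current = {}, None
    # Exports wrap long lines with a trailing backslash; undo that first.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current and line.split()[0] in ("add", "set"):
            menus[current].append({k: v.strip('"') for k, v in PAIR.findall(line)})
    return menus

def split_list(value):
    return [item for item in value.split(",") if item]

def wan_input_dropped(rules):
    """Heuristic: is there an enabled input-chain drop that is a catch-all or
    matches only 'not from <list>'? Rule order is not evaluated."""
    for rule in rules:
        if rule.get("chain") != "input" or rule.get("action") != "drop":
            continue
        if rule.get("disabled") == "yes":
            continue
        matchers = set(rule) - {"chain", "action", "comment"}
        if not matchers:
            return True
        if matchers == {"in-interface-list"} and rule["in-interface-list"].startswith("!"):
            return True
    return False

def audit_dns(text):
    """Return a list of (code, detail) findings about the clients' DNS path."""
    cfg = parse_export(text)
    router_ips = {a["address"].split("/")[0]
                  for a in cfg.get("/ip address", []) if "address" in a}
    dns = {k: v for row in cfg.get("/ip dns", []) for k, v in row.items()}
    static_upstream = split_list(dns.get("servers", ""))
    # Assumption: use-peer-dns defaults to yes, so it is absent from an export.
    peer_dns = any(c.get("use-peer-dns", "yes") != "no" and c.get("disabled") != "yes"
                   for c in cfg.get("/ip dhcp-client", []))
    listening = dns.get("allow-remote-requests") == "yes"
    findings, via_router = [], []
    for net in cfg.get("/ip dhcp-server network", []):
        offered = split_list(net.get("dns-server", ""))
        if router_ips & set(offered):
            via_router.append(net.get("address", "?"))
        elif offered:
            findings.append(("CLIENTS_BYPASS_ROUTER",
                             f"{net.get('address', '?')} is handed {','.join(offered)}"))
    if via_router:
        nets = ",".join(via_router)
        if not listening:
            findings.append(("ROUTER_NOT_LISTENING",
                             f"{nets} point at the router but allow-remote-requests is off"))
        if not static_upstream and not peer_dns:
            findings.append(("NO_UPSTREAM", "no servers= and no DHCP client with peer DNS"))
        elif not static_upstream:
            findings.append(("UPSTREAM_FROM_WAN_LEASE_ONLY",
                             "resolution depends on what the upstream DHCP server hands out"))
    if listening and not wan_input_dropped(cfg.get("/ip firewall filter", [])):
        findings.append(("NO_WAN_INPUT_DROP", "port 53 on the router may be reachable from WAN"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_dns(ORIGINAL):
        print(f"{code}: {detail}")
```

On the constructed excerpt the only finding is `UPSTREAM_FROM_WAN_LEASE_ONLY`, which matches where the thread ends: whether the router could resolve anything depended on what the upstream DHCP server was handing out.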
