ehubb1
just joined
Topic Author
Posts: 8
Joined: Mon Mar 22, 2021 3:11 am

Strange one

Mon Mar 22, 2021 3:25 am

First post, but I've searched the forum without much luck. I'm somewhat technical on the software side, not a network engineer though so the mikrotik is really at the edge of my abilities. Anyway, I have a Lockly deadbolt which comes with a small wifi interface that separately plugs into the wall nearby to bridge the lock to the internet. With my old EdgeMax router I had no issues with this little device, but with the mikrotik it just can't connect to its backend for some reason. I checked the DHCP leases and it is picking up an IP address from the mikrotik, but that's about it. I have a pretty plain vanilla setup except I have the mikrotik set up with a primary net connection to my cable modem with a backup connection on a Netgear cellular modem. I also have the remote winbox stuff set up so I can get to it when I'm away. *Any* pointers would be much appreciated!

Here's the config from the export with some obfuscations here and there:

[admin@MikroTik] > /export hide-sensitive
# mar/21/2021 20:04:04 by RouterOS 6.48.1
# software id = 206L-N8ZR
#
# model = RB750Gr3
# serial number = xxxxxxxxxxxxxxxx
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=XX:XX:XX:XX:XX:XX name=\
"ether1 - Spectrum WAN"
set [ find default-name=ether2 ] mac-address=XX:XX:XX:XX:XX:XX name=\
"ether2 - ATT (cell) WAN"
set [ find default-name=ether3 ] mac-address=XX:XX:XX:XX:XX:XX
set [ find default-name=ether4 ] mac-address=XX:XX:XX:XX:XX:XX
set [ find default-name=ether5 ] mac-address=XX:XX:XX:XX:XX:XX
/interface sstp-client
add comment="Remote Winbox connection for xxxxxxxxx" connect-to=\
vpn1.remotewinbox.com disabled=no name=RemoteWinboxVPN1 user=\
xxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.254.10-192.168.254.210
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=10h name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 - Spectrum WAN" list=WAN
/ip address
add address=192.168.254.250/24 comment="DHCP bridge IP address range" \
interface=ether3 network=192.168.254.0
/ip dhcp-client
add comment=defconf disabled=no interface="ether1 - Spectrum WAN"
add default-route-distance=10 disabled=no interface="ether2 - ATT (cell) WAN"
/ip dhcp-server network
add address=192.168.254.0/24 comment=defconf gateway=192.168.254.250 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.254.250 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow Remote Winbox" in-interface=\
RemoteWinboxVPN1
add action=accept chain=input comment="Allow Remote Winbox" in-interface=\
RemoteWinboxVPN1
# no interface
add action=accept chain=input comment="Allow Remote Winbox" in-interface=*9
add action=accept chain=input comment="Allow Remote Winbox" in-interface=\
RemoteWinboxVPN1
add action=accept chain=input comment="Allow Remote Winbox" in-interface=\
RemoteWinboxVPN1
add action=accept chain=input comment="Allow Remote Winbox" in-interface=\
RemoteWinboxVPN1
add action=accept chain=input comment="Allow Remote Winbox" in-interface=\
RemoteWinboxVPN1
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface="ether1 - Spectrum WAN" out-interface-list=WAN
add action=masquerade chain=srcnat out-interface="ether2 - ATT (cell) WAN"
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
[admin@MikroTik] >
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Strange one

Mon Mar 22, 2021 2:23 pm

In your /ip dhcp-server network, I can see no dns-server value on the single row, address=192.168.254.0/24 comment=defconf gateway=192.168.254.250 netmask=24, but this just means that the router sends its own address in that subnet as the DNS server.

I have seen cases where the fact that the DNS proxy in RouterOS has not forwarded some "useless" contents of a DNS response, or changed upper case letters in the domain name to lower case ones in the response, has prevented some smart devices from working properly.

So as a test, set dns-server=8.8.8.8,1.1.1.1 on that line and restart the WiFi module to see whether telling it to use the public DNS servers directly resolves the issue. If that helps, you can reserve an IP address for that device's MAC address, and create a dedicated row in /ip dhcp-server network for that single address with this modification, and undo it on the generic row.

Off topic, the idea of a stateful firewall is that only packets initiating new connections have to be matched against more rules in filter than the "accept established or related" one. So by moving your "accept Winbox from x.x.x.x" rules below that one and the "drop invalid" one, you'll save a tiny bit of CPU.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Strange one

Mon Mar 22, 2021 3:20 pm

Here are my concerns:

(1) /ip address
add address=192.168.254.250/24 comment="DHCP bridge IP address range" \
interface=ether3 network=192.168.254.0
Should be
add address=192.168.254.250/24 comment="DHCP bridge IP address range" \
interface=bridge network=192.168.254.0

(2) As noted by Sindy
/ip dhcp-server network
add address=192.168.254.0/24 comment=defconf gateway=192.168.254.250 netmask=24
TRY
/ip dhcp-server network
add address=192.168.254.0/24 dns-server=192.168.254.1 gateway=192.168.0.1 netmask=24
Or USE dns-server=9.9.9.9 for example.

(3) NAT Rule, Don't double up on the in-interface!! You can have out-interface-list=WAN as long as both your ether1 wan and backup wan are included as list members in WAN, OR as you have done you can do (I prefer) two separate listings

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface="ether1 - Spectrum WAN" out-interface-list=WAN
add action=masquerade chain=srcnat out-interface="ether2 - ATT (cell) WAN"
TO
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface="ether1 - Spectrum WAN"
add action=masquerade chain=srcnat out-interface="ether2 - ATT (cell) WAN"

(4) Lets fix your interface list members
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 - Spectrum WAN" list=WAN
add interface="ether2 - ATT (cell) WAN" list=WAN

(5) FW rules, ORDER within a chain is important and for reviewing CONFIGS, separating the two chains is very helpful.
Looking at the rules...........WTF there are a gazillion remotewinbox vpn1 rules.................. Why???? I don't see any VPN config, so have no clue what's going on here!!
Get rid of junk is my motto!!

TO
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 <------- Disable this rule if not required (greyed out)
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN <----------------- Replace this rule with two rules that make it clear !!!
TO
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN <------- Disable this rule if not required (greyed out)
add action=drop chain=forward comment="Drop all other traffic" <---------------- very good security rule as the last rule in the forward chain!

Note: If you have any traffic you wish to allow, it has to go before the last rule example.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="Allow Internet Traffic"
 
ehubb1
just joined
Topic Author
Posts: 8
Joined: Mon Mar 22, 2021 3:11 am

Re: Strange one

Mon Mar 22, 2021 3:29 pm

Many thanks, I will give all the above a try today and report back tonight.
 
ehubb1
just joined
Topic Author
Posts: 8
Joined: Mon Mar 22, 2021 3:11 am

Re: Strange one

Tue Mar 23, 2021 3:42 am

Well, sindy and anav, you're both quite good at what you do! I followed all of your recommends and things are working quite well now. To answer the vpn entries question - there were so many of the remotewinbox vpn entries because when I set things up the first time, I ended up running the script a few times, which obviously left all those entries. Also, I've left the goog and cloudflare DNS entries for now as everything is working smoothly. I will probably play with moving back to the spectrum DNS server later and forcing those little IoT devices to use the public DNS servers, but that's enough for tonight. Again, many thanks!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Strange one

Tue Mar 23, 2021 8:00 am

The thing with the VPN firewall rules is not their count but their position. If you move the "accept established or related" rule in chain input to the beginning of that chain, everything will keep working the same but less CPU will be spent per packet, that's all.

The importance of this depends on the traffic volumes you transport via the VPNs. Traffic to the router itself is normally negligible, but each packet for a LAN device that arrives via a VPN comes encapsulated in a VPN transport packet whose destination is the router itself.
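Sindy's advice in this reply and the earlier one (move the "accept established,related,untracked" rule ahead of the Winbox rules in chain input) can be checked with a small model. The Python below is an added example, not code from the thread, from MikroTik or from RouterOS: it rebuilds the input chain from ehubb1's posted config in its original order and in the reordered form, pushes a handful of constructed packets through both, and reports the verdict plus how many rules each packet had to be compared against. Only the matchers that appear in the posted rules are modelled; nothing else about RouterOS rule evaluation is claimed.

```python
"""Added example (not from the thread): toy model of how a RouterOS
/ip firewall filter chain is walked, to show that reordering the chain as
sindy suggests keeps every verdict but cuts the rules examined per packet.
Only matchers present in ehubb1's posted config are modelled."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    chain: str
    in_interface: str
    in_interface_lists: FrozenSet[str]   # interface lists the ingress interface belongs to
    connection_state: str                # new | established | related | untracked | invalid
    protocol: str = "tcp"
    dst_address: str = "192.168.254.250"  # router's LAN address from the posted config


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    comment: str = ""
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None      # "LAN" or negated "!LAN"
    connection_state: Optional[FrozenSet[str]] = None
    protocol: Optional[str] = None
    dst_address: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.in_interface_list is not None:
            negate = self.in_interface_list.startswith("!")
            member = self.in_interface_list.lstrip("!") in pkt.in_interface_lists
            if member == negate:      # wanted a member and got none, or vice versa
                return False
        if self.connection_state is not None and pkt.connection_state not in self.connection_state:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_address is not None and pkt.dst_address != self.dst_address:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Walk the chain top to bottom, first match wins.  Returns (verdict, rules
    examined).  As in RouterOS, a chain with no matching rule accepts."""
    examined = 0
    for rule in rules:
        if rule.chain != pkt.chain:
            continue
        examined += 1
        if rule.matches(pkt):
            return rule.action, examined
    return "accept", examined


# The seven "Allow Remote Winbox" rules as posted; the third is bound to the
# unknown interface *9 and can never match.
WINBOX = ([Rule("input", "accept", "Allow Remote Winbox", in_interface="RemoteWinboxVPN1")] * 2
          + [Rule("input", "accept", "Allow Remote Winbox", in_interface="*9")]
          + [Rule("input", "accept", "Allow Remote Winbox", in_interface="RemoteWinboxVPN1")] * 4)
DEFCONF_HEAD = [
    Rule("input", "accept", "defconf: accept established,related,untracked",
         connection_state=frozenset({"established", "related", "untracked"})),
    Rule("input", "drop", "defconf: drop invalid", connection_state=frozenset({"invalid"})),
]
DEFCONF_TAIL = [
    Rule("input", "accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("input", "accept", "defconf: accept to local loopback (for CAPsMAN)", dst_address="127.0.0.1"),
    Rule("input", "drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
]
ORIGINAL_INPUT = WINBOX + DEFCONF_HEAD + DEFCONF_TAIL     # order as posted
REORDERED_INPUT = DEFCONF_HEAD + WINBOX + DEFCONF_TAIL    # order sindy suggests

# Constructed sample packets covering the cases that matter for chain input.
SAMPLE_PACKETS = {
    "established from WAN": Packet("input", "ether1 - Spectrum WAN", frozenset({"WAN"}), "established"),
    "established from LAN": Packet("input", "bridge", frozenset({"LAN"}), "established"),
    "new from WAN":         Packet("input", "ether1 - Spectrum WAN", frozenset({"WAN"}), "new"),
    "invalid from WAN":     Packet("input", "ether1 - Spectrum WAN", frozenset({"WAN"}), "invalid"),
    "new via Winbox VPN":   Packet("input", "RemoteWinboxVPN1", frozenset(), "new"),
}


def compare_orders(packets=SAMPLE_PACKETS):
    """Per packet: (verdict_original, examined_original, verdict_reordered, examined_reordered)."""
    out = {}
    for name, pkt in packets.items():
        v1, n1 = evaluate(ORIGINAL_INPUT, pkt)
        v2, n2 = evaluate(REORDERED_INPUT, pkt)
        out[name] = (v1, n1, v2, n2)
    return out


if __name__ == "__main__":
    for name, (v1, n1, v2, n2) in compare_orders().items():
        print(f"{name:22s} original: {v1:6s} after {n1:2d} rules | reordered: {v2:6s} after {n2:2d} rules")
```

Both orders reach the same verdict for every sample packet, but established traffic from any interface now stops at the first rule instead of the eighth, and an invalid packet is dropped at the second rule instead of the ninth. The only packets that touch more rules after the change are new connections arriving on the VPN interface, which are rare next to the packets of connections that already exist.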
 
ehubb1
just joined
Topic Author
Posts: 8
Joined: Mon Mar 22, 2021 3:11 am

Re: Strange one

Tue Mar 23, 2021 5:44 pm

Yes, I re-ordered everything based on the input here. Things still running smooth. Thanks again!
 
ehubb1
just joined
Topic Author
Posts: 8
Joined: Mon Mar 22, 2021 3:11 am

Re: Strange one

Wed Mar 24, 2021 4:55 pm

Gents, I have a different lock (I don't know why locks have so many problems with the mikrotik!) that has an IP address after a reboot of everything, works properly, etc. Then, some hours later, it complains of not having an IP address. The DHCP server still shows the device with an IP, but the lock says it's offline. I've increased the lease time thinking perhaps this lock is sensitive to that, but still have the same issue. Any other ideas for an IoT device like this claiming to not have an IP address? This also didn't happen with the EdgeMax, all of these little issues only popped up after trying to transition. Thx!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Strange one

Wed Mar 24, 2021 6:50 pm

What does /ip dhcp-server lease print detail where mac-address=the:one:of:the:lo:ck show when the lock starts saying it has no IP address?

In general IoT devices may have just limited hardware resources available and thus use small footprint protocol stacks made for them, which haven't been tested in production as deeply as those of Windows, Linux and other popular OSes.
 
ehubb1
just joined
Topic Author
Posts: 8
Joined: Mon Mar 22, 2021 3:11 am

Re: Strange one

Wed Mar 24, 2021 7:33 pm

Flags: X - disabled, R - radius, D - dynamic, B - blocked
0 D address=192.168.254.47 mac-address=xxxxxxxxx address-lists=""
server=defconf dhcp-option="" status=bound expires-after=3h26m41s
last-seen=6h33m19s active-address=192.168.254.47
active-mac-address=xxxxxxxxx active-server=defconf
host-name="HALO-GAUX-AB"
[admin@MikroTik] >

It's a Kwikset Halo lock, as you can see from above.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Strange one

Wed Mar 24, 2021 8:40 pm

expires-after=3h26m41s and last-seen=6h33m19s not only indicate that you've set the DHCP server to assign the address for 10 hours but also that the client failed to renew the lease at 1/2 of the lease lifetime as instructed by the server in the DHCPACK message (this is not configurable). I don't remember what is the correct action at client side when the renewal fails, but clients usually keep trying and keep using that address until the lease lifetime expires.

So I'd suggest to reduce the lease time back to 10m, issue a /system logging add topics=dhcp command, run /log print follow-only file=dhcp-log where topics~"dhcp" and power cycle the lock. After the lock starts complaining for not having an address again, stop the /log print, download the file and see what was going on.

But chances are low that the issue can be fixed through configuration.
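Sindy's reading of the lease record (the client should have renewed at half the lease lifetime and did not) can be turned into a check that runs over `/ip dhcp-server lease print detail` output. The Python below is an added example, not code from the thread or from MikroTik: it parses the posted record (copied here with a constructed placeholder MAC address, since the real one was redacted), converts RouterOS durations, and compares how far the lease has run against the DHCP renewal point T1 (half the lease, per RFC 2131) and the rebinding point T2 (7/8 of the lease). The 10h lease time comes from ehubb1's posted `/ip dhcp-server` line.

```python
"""Added example (not from the thread): parse a RouterOS
`/ip dhcp-server lease print detail` record and decide whether the client
missed its DHCP renewal.  T1 (1/2 of the lease) and T2 (7/8) are the RFC 2131
defaults; the lease record below is a constructed copy of the posted output."""
import re
from datetime import timedelta

# Constructed from the posted output; the MAC address is a placeholder.
LEASE_PRINT_DETAIL = """\
Flags: X - disabled, R - radius, D - dynamic, B - blocked
 0 D address=192.168.254.47 mac-address=AA:BB:CC:00:00:01 address-lists=""
     server=defconf dhcp-option="" status=bound expires-after=3h26m41s
     last-seen=6h33m19s active-address=192.168.254.47
     active-mac-address=AA:BB:CC:00:00:01 active-server=defconf
     host-name="HALO-GAUX-AB"
"""
LEASE_TIME = "10h"   # lease-time=10h from the posted /ip dhcp-server line

_UNIT = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"(\d+)([wdhms])")
_KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
_RECORD_START_RE = re.compile(r"\s*(\d+)\s+([A-Z ]*?)\s*(?=\S+=)")


def parse_duration(text: str) -> timedelta:
    """RouterOS durations look like 10h, 3h26m41s or 1d2h30m."""
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a RouterOS duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT[u] for n, u in parts))


def parse_lease_records(output: str):
    """Turn `print detail` output into one dict per lease.  A record begins
    with its index number and optional flag letters; indented lines continue it."""
    records, current = [], None
    for line in output.splitlines():
        if line.startswith("Flags:") or not line.strip():
            continue
        m = _RECORD_START_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "flags": m.group(2).replace(" ", "")}
            records.append(current)
            line = line[m.end():]
        if current is None:
            raise ValueError("continuation line before first record")
        for key, val in _KV_RE.findall(line):
            current[key] = val.strip('"')
    return records


def renewal_status(lease_time: str, expires_after: str, last_seen: str) -> dict:
    """`elapsed` is how long ago the server (re)issued the lease.  A client
    that renews at T1 gets a fresh lease, so elapsed past T1 means the
    renewal never succeeded; last-seen shorter than elapsed would mean the
    client did talk to the server after the grant without getting renewed."""
    lease = parse_duration(lease_time)
    elapsed = lease - parse_duration(expires_after)
    seen = parse_duration(last_seen)
    t1, t2 = lease / 2, lease * 7 / 8
    return {
        "lease": lease, "elapsed": elapsed, "last_seen": seen, "t1": t1, "t2": t2,
        "past_t1": elapsed >= t1,
        "past_t2": elapsed >= t2,
        "missed_renewal": elapsed >= t1,
        "client_seen_since_grant": seen < elapsed,
    }


def check_leases(output: str = LEASE_PRINT_DETAIL, lease_time: str = LEASE_TIME):
    """Return {host-name or mac-address: renewal status} for every bound lease."""
    report = {}
    for rec in parse_lease_records(output):
        if rec.get("status") != "bound":
            continue
        name = rec.get("host-name") or rec.get("mac-address")
        report[name] = renewal_status(lease_time, rec["expires-after"], rec["last-seen"])
    return report


if __name__ == "__main__":
    for name, st in check_leases().items():
        print(f"{name}: lease ran {st['elapsed']} of {st['lease']}, T1={st['t1']}, T2={st['t2']}, "
              f"missed renewal={st['missed_renewal']}, seen since grant={st['client_seen_since_grant']}")
```

For the posted record the lease was issued 6h33m19s ago, which is past T1 (5h) but short of T2 (8h45m), and last-seen equals that elapsed time, so the server has not heard from the lock since the grant: the renewal at T1 never arrived. The same check can be run on the dhcp-log capture after the lease is shortened to see whether the lock ever sends a request at T1.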
 
ehubb1
just joined
Topic Author
Posts: 8
Joined: Mon Mar 22, 2021 3:11 am

Re: Strange one

Wed Mar 24, 2021 8:50 pm

Will give that a try and a few other time spans for the lease. I'll report back here. Owe you a beer / coffee if you're ever in Austin!
 
ehubb1
just joined
Topic Author
Posts: 8
Joined: Mon Mar 22, 2021 3:11 am

Re: Strange one

Wed Mar 31, 2021 4:06 am

UPDATE: Had to give up on the MikroTik. The Lutron system wasn't working either. There's just too many things that don't work with these. Back to the EdgeMax unfortunately (which works perfectly).
