Here are some details:
- Internet access from the router itself seems to be OK. I successfully upgraded to RouterOS 6.48.3 and upgraded the LTE modem firmware
- For testing purposes I connected a laptop to the ethernet port. DHCP works fine; the laptop obtained a valid IP address
- DNS works fine. I can successfully use nslookup, dig, ping by domain name
- Browsers time out. In general, it seems to be a problem with TCP connections: I can see a lot of connections hanging in the SYN SENT state.
Here's my config (I enabled Bridge in Quick Set and set the MTU to 1450 because that is the largest size at which ping packets get through without fragmentation):
[admin@MikroTik] > /export compact hide-sensitive
# may/29/2021 00:29:33 by RouterOS 6.48.3
# software id = RBT8-H6YA
#
# model = RBLHGR
#
# Compact export taken with hide-sensitive: a property that is missing here is
# either at its default or was hidden, so this listing alone cannot show that a
# secret is set.
# Layout: ether1 is bridged into bridge1 (LAN, 192.168.88.0/24 with DHCP),
# lte1 is the WAN uplink, and traffic leaving through WAN is masqueraded.
/interface lte
set [ find ] allow-roaming=no name=lte1
/interface bridge
# The MTU is lowered to 1450 on the bridge only; no MTU appears for lte1 or ether1.
# NOTE(review): arp=local-proxy-arp is a non-default ARP mode (it shows up in a
# compact export) - confirm it is intended for this LAN segment.
add arp=local-proxy-arp mtu=1450 name=bridge1
/interface list
# The firewall, neighbor discovery and MAC server settings below all key off
# these two lists, so list membership is what defines the trust boundary.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
/interface bridge port
# ether1 is the only bridge port listed.
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
# Neighbor discovery is limited to LAN interfaces, so it is not announced on lte1.
set discover-interface-list=LAN
/interface list member
# Both the bridge and its port ether1 are in LAN; lte1 is the only WAN member.
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0
/ip dhcp-client
# NOTE(review): this entry shows no properties at all (no interface is visible) -
# confirm which interface it is bound to and whether it is needed.
add
/ip dhcp-server network
# NOTE(review): the 0.0.0.0/24 entry with gateway 0.0.0.0 looks like a leftover
# placeholder; the second entry is the one that matches bridge1's subnet - confirm.
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
# The router answers DNS queries from other hosts. Nothing in this section limits
# who may query; the resolver is kept off the WAN side only by the input-chain
# drop for in-interface-list=!LAN further down.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Forward chain (traffic routed through the router), evaluated top to bottom.
# There is no final drop: only invalid packets and new WAN-originated connections
# that were not dst-NATed are dropped, everything else falls through and is accepted.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Established/related flows are fasttracked, so they skip most later processing.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
# Input chain (traffic addressed to the router itself).
# ICMP is accepted from every interface, WAN included.
# NOTE(review): unlike the forward chain, input has no "drop invalid" rule and
# these rules carry no comments - looks hand-written rather than defconf; confirm.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# Everything that does not arrive on a LAN-list interface is dropped here. This
# single rule is what keeps the DNS resolver and the router's management services
# unreachable from lte1; new connections from LAN match no rule and are accepted.
# NOTE(review): no /ip service section appears in the export, so the management
# services are presumably at their defaults - verify which are enabled and
# consider restricting them with the per-service address= setting.
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
# Source NAT for traffic leaving through WAN that is not subject to an IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log-prefix=nat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Minsk
/tool mac-server
# Layer-2 management (MAC telnet and MAC WinBox) is limited to LAN interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
# Inbound SMS handling is enabled on the LTE modem.
# NOTE(review): RouterOS can act on received SMS, gated by the secret and
# allowed-number settings; the secret would be hidden by hide-sensitive and no
# allowed-number is shown - confirm both are set, or turn receive-enabled off.
set port=lte1 receive-enabled=yes