I hope someone here can help me figure this out...
I've got a Chateau LTE12 and I'm trying to configure it in a way that it basically handles two functions at once.
- it provides the LTE passthrough to my core router (also Mikrotik)
- it forwards all the wifi clients to the core router (eth2), which acts as the central firewall for those
Additionally, I connected a second link to the chateau which is part of the bridge and also acts as a regular DHCP client.
The problem now is the following:
While I have verified that the LTE indeed works (the main router correctly receives a public IP address, and I already see some random internet connections coming to the core router via the LTE link), no packet ever makes it back out,
regardless of whether it's a reply to an incoming connection or a ping from my internal network.
Everything I tried ended in a timeout so far.
So far I could indeed verify that the issue is likely not with the core router, as packets are indeed received on the passthrough interface (Rx) on the chateau and then forwarded via Fast Path (FP Rx).
But I never see any traffic on the lte1 interface itself.
And that's where I'm at the end of my wisdom.
Except for the DHCP replies, nothing is ever transmitted toward the core router on the passthrough interface. I verified that by packet logging on the core router, leading me to believe that it's dropped somewhere within the passthrough from ether1 to lte1.
I already tried various configs in the firewall including basically accepting everything. I'm currently thinking that this might be some routing table issue since eth2 is a regular DHCP client and creates the default route. However, when I tried moving passthrough interface to its own routing table with the default route set to lte1 and the other network routes hardcoded, the whole setup was rather unimpressed by that and nothing changed.
This is the current simplified config on the Chateau:
# jan/22/2022 10:55:09 by RouterOS 7.2rc1
# software id = L9QH-9KW9
#
# model = D53G-5HacD2HnD
/interface bridge
add admin-mac=DC:2C:6E:52:DB:18 auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface ethernet
set [ find default-name=ether1 ] name=lte-passthrough
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=austria disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=<ssid> wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=austria disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=<ssid> wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=no apn=<isp-apn> passthrough-interface=lte-passthrough passthrough-mac=auto use-network-apn=no use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip dhcp-client
add interface=bridge
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
Did anyone experience this before?
Am I missing something completely obvious?
I'd appreciate any hint.
I also tested with these ROS versions: 7.1, 7.1.1, 7.2rc1 (as it contains the "lte - fixed packet forwarding on R11e-4G and R11e-LTE-US;")
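For anyone trying to reproduce this, the following is an added diagnostic sequence (not part of the original post and not MikroTik's documentation) to pin down on which side of the passthrough the reply traffic disappears. It assumes the interface names from the export above (lte1 and lte-passthrough) and uses 1.1.1.1 as an arbitrary, constructed test destination that is pinged from the core router while the commands run.

```routeros
# Added diagnostic sequence (not from the original post); assumes the
# interface names lte1 and lte-passthrough from the export above and uses
# 1.1.1.1 as an arbitrary, constructed test destination.

# 1. Confirm the modem session and the passthrough binding are actually up.
/interface lte monitor lte1 once
/interface lte apn print detail

# 2. Check whether the Chateau still holds the carrier address itself;
#    with passthrough active, lte1 should carry no IP address of its own,
#    and the routing table should show where a default route (if any) points.
/ip address print where interface=lte1
/ip route print detail

# 3. Snapshot interface counters, ping 1.1.1.1 from the core router, then
#    compare: rx on lte-passthrough without a matching tx on lte1 points at
#    a drop between the two ports rather than at the core router.
/interface print stats where name="lte1" || name="lte-passthrough"
# ... run the ping from the core router here ...
/interface print stats where name="lte1" || name="lte-passthrough"

# 4. Watch both ports live while the ping runs; the echo request should
#    show up on lte-passthrough (ingress) and then on lte1 (egress).
/tool sniffer quick interface=lte-passthrough ip-address=1.1.1.1
/tool sniffer quick interface=lte1 ip-address=1.1.1.1

# 5. Make sure no IP filter rule is counting the packets (passthrough
#    traffic is expected not to hit the IP firewall at all) and look for
#    modem-side messages.
/ip firewall filter print stats
/log print where topics~"lte"
```

Run step 3 and step 4 with the ping already going; if the counters and the sniffer both show the request on lte-passthrough but nothing on lte1, the firewall and routing-table experiments on the core router can be ruled out and the remaining suspect is the passthrough path itself.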