Community discussions
NorfLoud
just joined
Topic Author
Posts: 2
Joined: Fri May 12, 2023 4:06 pm

Problems with any Linux and Android

Fri May 12, 2023 4:49 pm

Hi.
Router: mikrotik rbd52g-5hacd2hnd
Connection: from l2tp to bridge
Problem: not all sites open, I can't log in to the "Steam" client on Linux; there is no internet access via Wi-Fi on Android, and the app store doesn't open.

I think that the router does not pass some of the Linux and Android packets, but I do not understand by what principle. There are no problems with a Windows computer. If you replace the router with any "simple" one (for example, a TP-Link TL-WR841N), then everything starts working. Maybe something needs to be configured. Please tell me what I need to fix in the configuration of my MikroTik router.

Config ("mypassword" is a placeholder that hides the real password):
# may/12/2023 16:22:05 by RouterOS 6.43.13
# software id = FFQX-QD2F
#
# model = RBD52G-5HacD2HnD

/interface bridge
add admin-mac=74:4D:28:69:6F:84 arp=proxy-arp arp-timeout=30m auto-mac=no \
    comment=defconf name=bridge1
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp mtu=1460 name=ether1-beeline
set [ find default-name=ether2 ] mtu=1460
set [ find default-name=ether3 ] mtu=1460
set [ find default-name=ether4 ] mtu=1460
set [ find default-name=ether5 ] arp=proxy-arp mtu=1460
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto mode=ap-bridge mtu=1460 \
    ssid=MikroTik-696F89 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile1 supplicant-identity="" \
    wpa2-pre-shared-key="mypassword"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=2447 l2mtu=1598 mode=ap-bridge \
    mtu=1460 name=wifi1 security-profile=profile1 ssid=NL-F7913 tx-power=18 \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool ranges=17.172.68.2-17.172.68.254
add name=pptp-pool ranges=17.172.68.30-17.172.68.40
/ip dhcp-server
add address-pool=dhcp-pool disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes name=beeline1 use-compression=no use-encryption=no \
    use-mpls=no use-upnp=yes
/interface l2tp-client
add add-default-route=yes allow=chap,mschap2 connect-to=\
    tp.internet.beeline.ru disabled=no max-mru=1500 max-mtu=1460 name=\
    l2tp-beeline password="mypassword" profile=beeline1 user="mypassword"
/user group
set read policy="local,telnet,ssh,read,test,winbox,password,web,sniff,api,romo\
    n,tikapp,!ftp,!reboot,!write,!policy,!sensitive,!dude"
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf interface=wifi1
add bridge=bridge1 comment=defconf disabled=yes interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=default ipsec-secret=\
    "mypassword" use-ipsec=yes
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1-beeline list=WAN
/interface pptp-server server
set max-mru=1460 max-mtu=1460
/interface wireless access-list
add interface=wifi1 mac-address=04:92:26:7C:87:CD vlan-mode=no-tag
/ip address
add address=17.172.68.1/24 comment=defconf interface=bridge1 network=\
    17.172.68.0
/ip dhcp-client
add comment=defconf default-route-distance=5 dhcp-options=hostname,clientid \
    disabled=no interface=ether1-beeline
/ip dhcp-server lease
add address=17.172.68.2 client-id=1:bc:5f:f4:85:18:fc comment=pc-main \
    mac-address=BC:5F:F4:85:18:FC server=dhcp1
add address=17.172.68.10 client-id=1:4:92:26:7c:87:cd comment=phone-main \
    mac-address=04:92:26:7C:87:CD server=dhcp1
add address=17.172.68.3 comment=pc-linux mac-address=\
    BC:5F:F4:8D:3E:A8 server=dhcp1
/ip dhcp-server network
add address=17.172.68.0/24 comment=defconf: gateway=17.172.68.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=reject chain=input comment="myconf: DNA amplification" dst-port=53 \
    in-interface-list=WAN protocol=tcp reject-with=icmp-port-unreachable
add action=reject chain=input dst-port=53 in-interface-list=WAN protocol=udp \
    reject-with=icmp-port-unreachable
add action=drop chain=input comment="myconf: drop ssh brute forcers" \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input comment="myconf: drop ssh from ethernet" \
    dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="myconf: block Winbox from ethernet" \
    dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="myconf: drop WWW from ethernet" \
    dst-port=80 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "myconf: drop all other from WAN to LAN" in-interface-list=WAN \
    out-interface-list=LAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=netmap chain=dstnat comment="myconf: torrents" disabled=yes \
    dst-port=6881 in-interface=l2tp-beeline protocol=tcp to-addresses=\
    17.172.68.3 to-ports=6881
add action=netmap chain=dstnat disabled=yes to-addresses=17.172.68.3
add action=netmap chain=dstnat disabled=yes dst-port=443 in-interface=\
    ether1-beeline protocol=tcp to-addresses=17.172.68.6
add action=netmap chain=dstnat disabled=yes dst-port=53 in-interface=\
    ether1-beeline protocol=tcp to-addresses=17.172.68.6
add action=netmap chain=dstnat disabled=yes dst-port=80 in-interface=\
    ether1-beeline protocol=tcp to-addresses=17.172.68.6
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=l2tp-beeline
/ip firewall raw
add action=drop chain=prerouting comment="myconf: drop NetBios Service" \
    dst-port=137,138,139 in-interface-list=WAN protocol=udp
/ip route
add distance=1 dst-address=85.21.66.0/24 gateway=100.110.128.1
add distance=1 dst-address=85.21.192.3/32 gateway=100.110.128.1
add distance=1 dst-address=213.234.192.8/32 gateway=100.110.128.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=17.172.68.0/24
set ssh address=17.172.68.0/24
set api disabled=yes
set winbox address=17.172.68.0/24
set api-ssl disabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add disabled=yes interface=wifi1 type=internal
add interface=l2tp-beeline type=external
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Problems with any Linux and Android  [SOLVED]

Fri May 12, 2023 8:47 pm

Setting the MTU on LAN ports and interfaces to anything other than the standard 1500 is asking for trouble. It can work just fine, but every other device on the same subnet has to be set to the same value.
 
NorfLoud
just joined
Topic Author
Posts: 2
Joined: Fri May 12, 2023 4:06 pm

Re: Problems with any Linux and Android

Mon May 15, 2023 10:01 am

mkx wrote:
Setting the MTU on LAN ports and interfaces to anything other than the standard 1500 is asking for trouble. It can work just fine, but every other device on the same subnet has to be set to the same value.

I changed the MTU to 1500 in all places and everything worked. Thank you. However, I had set the MTU to 1460 when I set up the connection, and then I followed the instructions.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Problems with any Linux and Android

Fri May 19, 2023 7:26 pm

The router has multiple L3 interfaces and routes IP packets between them. In the simple case there are two interfaces: LAN (the bridge interface) and WAN (PPPoE). Each L3 interface can have a different MTU, and the router will fragment packets (unless forbidden) if they are too large for the outgoing interface. If fragmenting is forbidden (e.g. because the sender set the DF, "don't fragment", flag), then the router will drop the oversize packet and reply with an ICMP size exceeded message ... which is an integral part of the "Path MTU Discovery" process. Most senders adjust the transmitted packet size accordingly.

On the other hand, there is the L3 subnet (e.g. the LAN), where all devices have to agree on the MTU size; it has to be the same for all communicating devices. There is no mechanism to negotiate the MTU within the same subnet (e.g. inside the same Ethernet network), so it has to be set (by admins) to the same value on all devices. The industry standard is a 1500-byte MTU, and it is safe to simply keep using that default.
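The path MTU discovery that mkx describes (DF-marked packets either get through or are dropped by a router that cannot fragment them) can be checked from a Linux host behind the router. The script below is an added example written for this thread, not something posted by either participant and not a MikroTik tool: it binary-searches for the largest ICMP payload that a DF-marked `ping` still gets answered, and reports that size plus the 28 bytes of IPv4 and ICMP header as the usable MTU. It assumes iputils `ping` (Linux), where `-M do` sets DF and `-s` sets the payload size; the `probe` function is kept separate so it can be swapped for a simulated path when there is no network, as the check under the block does.

```shell
#!/bin/sh
# Path-MTU probe (added example, not from the original thread).
# Assumes iputils ping on Linux: "-M do" sets the DF bit, "-s" sets payload size.
# Usage:  sh pmtu.sh 8.8.8.8        (prints e.g. 1460 or 1500)

# probe SIZE HOST: succeed (exit 0) if a DF-marked ping with SIZE payload bytes
# is answered. A 1-second timeout keeps the search fast on a broken path.
probe() {
  size=$1
  host=$2
  ping -M do -c 1 -W 1 -s "$size" "$host" >/dev/null 2>&1
}

# path_mtu HOST [LOW] [HIGH]: largest MTU in [LOW,HIGH] whose DF probe succeeds.
# LOW defaults to 576 (IPv4 minimum), HIGH to 1500 (standard Ethernet).
# Payload passed to probe is MTU minus 20 (IPv4) minus 8 (ICMP) = MTU - 28.
path_mtu() {
  host=$1
  lo=${2:-576}
  hi=${3:-1500}

  # The smallest size must pass, otherwise the host is simply unreachable
  # and a "path MTU" would be meaningless.
  if ! probe $((lo - 28)) "$host"; then
    echo "unreachable even at MTU $lo" >&2
    return 1
  fi
  best=$lo

  # Classic binary search: the set of sizes that pass is a prefix, because a
  # router that drops N DF bytes also drops anything larger.
  while [ "$lo" -le "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if probe $((mid - 28)) "$host"; then
      best=$mid
      lo=$((mid + 1))
    else
      hi=$((mid - 1))
    fi
  done
  echo "$best"
}

main() {
  path_mtu "${1:-8.8.8.8}"
}
```

Run it from a Linux client towards a host on the far side of the router: a result of 1460 while the client's own interface is at 1500 is exactly the mismatch this thread is about, and the same probe pointed at the router's LAN address tells you whether the problem is on the LAN hop or on the L2TP tunnel. The same check can be done from RouterOS itself with `/ping` and its `do-not-fragment` and `size` options, and the fix the thread settled on is to put every LAN-side interface (bridge, ether2-5, wlan) back to `mtu=1500`.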
