I just started a basic configuration on my hAP ac2 and I am having an issue with DNS: it cannot resolve anything. I have tried adding static DNS servers (1.1.1.1 / 8.8.8.8) and the dynamic DNS servers from the ISP, but still nothing; I can ping 1.1.1.1 or other IPs, but not hostnames. I suspect that something is wrong with my NordVPN configuration, since the out-of-the-box config worked fine and I only started experiencing this issue after configuring Nord. Below you will find the export of my config:
ether1 is the wan connected to ISP router ,
ether 2-4 and wlan1 are under lan bridge
ether 5 and wlan2 are under vpn bridge to route traffic through NordVPN .
I sometimes managed to make it work by adding the static DNS servers from the ISP, but it randomly stops working.
# jan/27/2023 08:50:20 by RouterOS 6.49.7
# software id = PRJS-BQEG
#
# model = RBD52G-5HacD2HnD
# serial number =
# Two bridges: lan_br is the ordinary LAN, br_vpn is the segment whose traffic
# is meant to leave through the NordVPN IPsec tunnel (port membership is set
# under "/interface bridge port" below).
/interface bridge
add name=br_vpn
add name=lan_br
# Interface list that later holds both bridges; it is referenced by neighbor
# discovery and by the MAC server settings.
/interface list
add name=listBridge
# profile1 is WPA2-PSK only. No pre-shared key appears in this export, so it
# was either hidden or stripped before posting.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile1 supplicant-identity=MikroTik
# Both radios use profile1, so the LAN SSID and the VPN SSID share one
# passphrase: knowing it gives access to either segment.
# NOTE(review): the ssid value of wlan1 continues on the next line without a
# trailing backslash - presumably a wrapping artifact of the paste; as written
# the two lines would not import as one command.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors mode=ap-bridge security-profile=profile1 ssid=
Wlan-M1.0 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no installation=indoor mode=ap-bridge security-profile=profile1 ssid=Wlan-M1.1
# Initiator-side mode-config (responder=no). src-address-list=local makes
# RouterOS generate a dynamic source-NAT rule for the addresses in list
# "local" once the tunnel is up; dynamic rules do not show in an export.
# use-responder-dns=no means DNS servers offered by the VPN server are ignored,
# so the router keeps using the servers configured under "/ip dns".
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
# Only the name is set, so every phase-1 parameter stays at its RouterOS default.
/ip ipsec profile
add name=NordVPN
# The peer is given as a hostname, so the router has to resolve it with its own
# DNS before IKEv2 can start. NOTE(review): a resolver failure on the router
# would therefore also keep the tunnel from (re)connecting - confirm in the log.
/ip ipsec peer
add address=uk26.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
# pfs-group=none: rekeyed child SAs do not perform a fresh Diffie-Hellman
# exchange. NOTE(review): presumably taken from the provider's setup guide;
# it trades forward secrecy on rekey for compatibility.
/ip ipsec proposal
add name=NordVPN pfs-group=none
# One address pool and one DHCP server per bridge:
# 192.168.88.0/24 on lan_br, 192.168.87.0/24 on br_vpn.
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.87.2-192.168.87.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=lan_br name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=br_vpn name=dhcp2
# ether2-4 + wlan1 form the LAN; ether5 + wlan2 form the VPN segment.
# ether1 is in neither bridge and acts as the WAN port.
/interface bridge port
add bridge=lan_br interface=ether2
add bridge=lan_br interface=ether3
add bridge=lan_br interface=ether4
add bridge=lan_br interface=wlan1
add bridge=br_vpn interface=ether5
add bridge=br_vpn interface=wlan2
# Neighbor discovery is limited to the two bridges, so the router does not
# announce itself on ether1.
/ip neighbor discovery-settings
set discover-interface-list=listBridge
# NOTE(review): detect-internet is enabled on every interface. It is often
# reported to interfere with routing/DHCP on simple setups; worth disabling
# while troubleshooting intermittent connectivity - confirm.
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=lan_br list=listBridge
add interface=br_vpn list=listBridge
/ip address
add address=192.168.88.1/24 interface=lan_br network=192.168.88.0
add address=192.168.87.1/24 interface=br_vpn network=192.168.87.0
/ip cloud
set update-time=no
# use-peer-dns=no: DNS servers handed out by the ISP router are ignored, so
# name resolution on the router depends only on the static servers in "/ip dns".
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
# No dns-server is set for either network. NOTE(review): which resolver the
# clients actually receive then depends on RouterOS defaults - check a client
# lease to see whether it points at the router or at nothing.
/ip dhcp-server network
add address=192.168.87.0/24 gateway=192.168.87.1
add address=192.168.88.0/24 gateway=192.168.88.1
# allow-remote-requests=yes turns the router into a resolver for any host that
# can reach it on port 53. The input chain below only drops unsolicited traffic
# arriving on ether1, so both bridges can query it and the WAN side cannot.
# NOTE(review): queries the router forwards to 1.1.1.1/8.8.8.8 originate from
# the router itself, not from 192.168.87.0/24, so they likely leave via ether1
# in the clear even for VPN-segment clients (DNS leak) - confirm with a capture.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
# "local" is the list referenced by the IPsec mode-config (src-address-list):
# it selects the VPN segment as the traffic to be source-NATed into the tunnel.
/ip firewall address-list
add address=192.168.87.0/24 list=local
# Input chain (traffic to the router itself). Only packets arriving on ether1
# hit a final drop; there is no catch-all drop, so anything from lan_br or
# br_vpn that is not invalid is accepted by default.
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
# The next two rules expose Winbox and SSH to whatever sits upstream of ether1.
# "port=" matches the source OR the destination port; dst-port= is the tighter
# matcher for a service rule. Winbox is additionally limited by the address
# list under "/ip service"; SSH has no source restriction anywhere in this
# export. NOTE(review): consider adding src-address/src-address-list here, or
# dropping WAN-side management entirely.
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 log=yes port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
# Forward chain (traffic through the router).
# NOTE(review): src-address-list is exported as the quoted string "[!]local",
# i.e. a list literally named "[!]local", not the negation of "local" (which
# exports as !local). No list with that name exists in this export, so this
# rule presumably never matches. The intent looks like keeping VPN-segment
# traffic out of fasttrack, since fasttracked packets skip IPsec policy - confirm.
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related src-address-list=\
"[!]local"
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
# Only new, non-dstnat connections entering on ether1 are dropped. No forward
# rule references lan_br or br_vpn, so the two segments can reach each other
# and there is no default drop at the end of the chain.
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1
# NOTE(review): this rule matches on address list "VPN", but the export defines
# only the list "local", and nothing shown here consumes the connection mark
# "NordVPN". As exported the rule appears to have no effect - confirm.
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=VPN new-connection-mark=NordVPN passthrough=yes
# Everything leaving ether1 is masqueraded. The source-NAT rule that mode-config
# generates for list "local" is dynamic and therefore not part of this export.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# EAP-MSCHAPv2 identity; username is blank and no password is shown
# (presumably redacted). certificate="" means no client certificate is set.
# NOTE(review): verify the provider's root CA is imported in the certificate
# store so the server side of the IKEv2 exchange is actually validated.
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN \
username=
# First policy: action=none exempts packets destined for 192.168.87.0/24 from
# IPsec processing. Second policy: a template in group NordVPN that permits
# generated policies for any source/destination.
/ip ipsec policy
add action=none dst-address=192.168.87.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
# telnet, ftp, www and api are switched off. An export lists only non-default
# values, so services not named here (ssh, api-ssl, www-ssl) are presumably
# still at their defaults - check with "/ip service print".
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
# Winbox accepts connections from these four subnets only. 192.168.2.0/24 and
# 192.168.3.0/24 are not configured on this router; presumably they are networks
# upstream of ether1. SSH has no equivalent address restriction.
set winbox address=192.168.88.0/24,192.168.2.0/24,192.168.3.0/24,192.168.87.0/24
# Prefer the stronger SSH algorithm set.
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/London
# MAC-telnet and MAC-Winbox are reachable from both bridges, including the
# VPN segment (ether5/wlan2). NOTE(review): limit this to lan_br if the VPN
# segment is not meant to manage the router.
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge