Nick123
just joined
Topic Author
Posts: 2
Joined: Thu May 18, 2023 4:18 pm

DNS can not resolve

Thu May 18, 2023 4:29 pm

Hi guys,

I just started a basic configuration on my hAP ac2 and I am having an issue with the DNS: it cannot resolve anything. I tried adding static DNS (1.1.1.1 / 8.8.8.8) and dynamic DNS from the ISP, still nothing. I can ping 1.1.1.1 or other IPs, but no hostnames. I suspect that something is going wrong with my NordVPN configuration, since the out-of-the-box config works fine but after configuring Nord I experience this issue. Below you will find the export of my config:

ether1 is the WAN, connected to the ISP router,

ether2-4 and wlan1 are under the LAN bridge,

ether5 and wlan2 are under the VPN bridge to route traffic through NordVPN.

I managed to make it work sometimes by adding the static DNS from the ISP, but it randomly stops.


# jan/27/2023 08:50:20 by RouterOS 6.49.7
# software id = PRJS-BQEG
#
# model = RBD52G-5HacD2HnD
# serial number =
/interface bridge
add name=br_vpn
add name=lan_br
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile1 supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors mode=ap-bridge security-profile=profile1 ssid=Wlan-M1.0 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no installation=indoor mode=ap-bridge security-profile=profile1 ssid=Wlan-M1.1
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=uk26.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.87.2-192.168.87.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=lan_br name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=br_vpn name=dhcp2
/interface bridge port
add bridge=lan_br interface=ether2
add bridge=lan_br interface=ether3
add bridge=lan_br interface=ether4
add bridge=lan_br interface=wlan1
add bridge=br_vpn interface=ether5
add bridge=br_vpn interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=lan_br list=listBridge
add interface=br_vpn list=listBridge
/ip address
add address=192.168.88.1/24 interface=lan_br network=192.168.88.0
add address=192.168.87.1/24 interface=br_vpn network=192.168.87.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.87.0/24 gateway=192.168.87.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.87.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 log=yes port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related src-address-list=\
"[!]local"
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=VPN new-connection-mark=NordVPN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN \
username=
/ip ipsec policy
add action=none dst-address=192.168.87.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.2.0/24,192.168.3.0/24,192.168.87.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS can not resolve

Thu May 18, 2023 5:15 pm

I am confused by your use of ether1.
Do you get a private IP from an upstream router?
Why are you masquerading traffic, as I don't see any rules applied to that traffic?
I see no routes.
 
Nick123
just joined
Topic Author
Posts: 2
Joined: Thu May 18, 2023 4:18 pm

Re: DNS can not resolve

Thu May 18, 2023 5:37 pm

Correct, actually ether1 is the WAN interface, which is connected to the ISP router and gets a private IP from the DHCP server on the ISP's router.

Routes are learned dynamically from the DHCP client on ether1:

ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.2.1 1
1 ADC 192.168.2.0/24 192.168.2.23 ether1 0
2 ADC 192.168.87.0/24 192.168.87.1 br_vpn 0
3 ADC 192.168.88.0/24 192.168.88.1 lan_br 0
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS can not resolve

Thu May 18, 2023 5:49 pm

I am no IPsec expert, but this looks off to me...
Namely, that both lines contain a source address of 0.0.0.0.
It makes sense to me on the first line if what is being said is that anybody from the internet can access the local subnet.
The second line does not; it seems really open, 0 dst, 0 src, but as stated, I know nothing about IPsec.

/ip ipsec policy
add action=none dst-address=192.168.87.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
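As an added illustration (not code from the thread or from MikroTik), the script below parses a RouterOS `/export` in the format Nick123 posted and pulls out the two things worth checking first when DNS breaks after adding an IPsec client: the any-to-any IPsec policy anav questioned (src and dst both 0.0.0.0/0) and the DNS-related settings (`/ip dns servers`, `allow-remote-requests`, and `use-peer-dns` on the DHCP client). The embedded export is a constructed excerpt modelled on the one in the first post, and the function names are my own; it also handles the backslash line continuations a RouterOS export uses, which the forum rendering above shows on the `src-address-list=\` line.

```python
"""Audit a RouterOS '/export' for the IPsec policy and DNS settings discussed in the thread."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the export posted in the thread (not the full config).
SAMPLE_EXPORT = """\
# jan/27/2023 08:50:20 by RouterOS 6.49.7
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related src-address-list=\\
    "[!]local"
/ip ipsec policy
add action=none dst-address=192.168.87.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
"""

# key=value pairs; values may be double-quoted (e.g. "[!]local") or bare tokens.
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')
# 'set [ find default=yes ] ...' selectors are not key=value settings; strip them.
SELECTOR_RE = re.compile(r'^\[.*?\]\s*')

Entry = Dict[str, str]
Config = Dict[str, List[Entry]]


def parse_export(text: str) -> Config:
    """Return {section path: [entries]}; each entry is the key=value map of one add/set line."""
    # An export wraps long lines with a trailing backslash; glue those back together first.
    joined = re.sub(r"\\\n\s*", "", text)
    config: Config = {}
    section = ""
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            config.setdefault(section, [])
            continue
        verb, _, rest = line.partition(" ")
        if verb not in ("add", "set"):
            continue
        rest = SELECTOR_RE.sub("", rest)
        entry: Entry = {"_verb": verb}
        for key, value in KV_RE.findall(rest):
            entry[key] = value.strip('"')
        config.setdefault(section, []).append(entry)
    return config


def find_any_to_any_policies(config: Config) -> List[Entry]:
    """IPsec policies whose src and dst are both 0.0.0.0/0 (the template line anav questioned)."""
    return [p for p in config.get("/ip ipsec policy", [])
            if p.get("src-address") == "0.0.0.0/0" and p.get("dst-address") == "0.0.0.0/0"]


def dns_summary(config: Config) -> Dict[str, object]:
    """Collect the settings that decide where the router's own DNS queries go."""
    dns_set = next((e for e in config.get("/ip dns", []) if e.get("_verb") == "set"), {})
    clients = config.get("/ip dhcp-client", [])
    return {
        "servers": [s for s in dns_set.get("servers", "").split(",") if s],
        "allow_remote_requests": dns_set.get("allow-remote-requests", "no"),
        # RouterOS defaults use-peer-dns to yes when the key is absent from an export.
        "dhcp_client_peer_dns": {c.get("interface"): c.get("use-peer-dns", "yes") for c in clients},
    }


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for pol in find_any_to_any_policies(cfg):
        print("any-to-any IPsec policy:", pol)
    print("DNS settings:", dns_summary(cfg))
```

Run against the full export from the first post, the audit reports one any-to-any policy (the `template=yes` line) and shows that the router relies solely on 1.1.1.1 and 8.8.8.8 with peer DNS from the ISP disabled; those are the entries to compare against `/ip ipsec policy print` and `/ip dns print` on the live router while the tunnel is up.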
