JerTX
just joined
Topic Author
Posts: 5
Joined: Fri Mar 18, 2022 3:24 am

New CCR2004, can't connect to some services

Thu May 25, 2023 5:14 am

I believe I have this set up properly as a pretty basic setup. I can connect to any website in my browser, but my Android TV (NVIDIA Shield) doesn't connect to HBO Max, nor does it play any of the Plex media that I have on a local NAS. The HBO app on Android TV just complains about not being able to connect; it doesn't even get far enough into the app to show anything. Plex, on the other hand, opens the app fully, and I can see all my content that lives on my local network, but it refuses to play any of it.

Strangely, I can Cast from my laptop to my Shield and it plays all content just fine. If I connect my Shield to my phone's hotspot, it plays all content just fine, so clearly there is something wrong with how I've configured the MikroTik. This was all working perfectly before I got this router.

I have ATT's 5Gb internet using their BGW320-500 modem in Passthrough mode; it's connected to the MikroTik using an SFP+ transceiver. I've attached my config below. The reason Flow Control is on on the WAN connection is because for some reason that's the only way I can reach full 5Gbit speed. Without it, it struggles to reach 4Gb. The firewall rules I got from MikroTik's setup article here: https://help.mikrotik.com/docs/display/ ... t+Firewall

Any ideas?

# may/24/2023 21:09:36 by RouterOS 7.9
# software id = N6TJ-1046
#
# model = CCR2004-16G-2S+
# serial number = HED08XY1TZX
/interface bridge
add mtu=1500 name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=WAN1 rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus2 ] name=crs305
set [ find default-name=ether2 ] comment="Macbook Dock"
set [ find default-name=ether4 ] comment=PoE
/interface list
add name=AllPorts
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 always-broadcast=yes insert-queue-before=bottom interface=bridge1 lease-time=10m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=AllPorts
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=AllPorts
add interface=crs305 list=AllPorts
add interface=ether2 list=AllPorts
add interface=ether3 list=AllPorts
add interface=ether4 list=AllPorts
add interface=ether5 list=AllPorts
add interface=ether6 list=AllPorts
add interface=ether7 list=AllPorts
add interface=ether8 list=AllPorts
add interface=ether9 list=AllPorts
add interface=ether10 list=AllPorts
add interface=ether11 list=AllPorts
add interface=ether12 list=AllPorts
add interface=ether13 list=AllPorts
add interface=ether14 list=AllPorts
add interface=ether15 list=AllPorts
add interface=ether16 list=AllPorts
add interface=WAN1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
add address=10.10.10.1/24 interface=bridge1 network=10.10.10.0
/ip dhcp-client
add interface=WAN1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8 gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=10.10.10.2-10.10.10.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=\
    bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new \
    in-interface=WAN1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=WAN1 log=yes log-prefix=!public \
    src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN \
    src-address=!10.10.10.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=dst-nat chain=dstnat comment="Seedbox TCP" dst-port=58951 protocol=tcp to-addresses=10.10.10.79
add action=dst-nat chain=dstnat comment="Seedbox UDP" dst-port=58951 protocol=udp to-addresses=10.10.10.79
add action=dst-nat chain=dstnat comment=Nginx dst-port=80 protocol=tcp to-addresses=10.10.10.20
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 protocol=tcp to-addresses=10.10.10.227
add action=dst-nat chain=dstnat comment="Plex UDP" dst-port=32400 protocol=udp to-addresses=10.10.10.227
add action=dst-nat chain=dstnat comment="Desktop Torrent" dst-port=55628 protocol=tcp to-addresses=10.10.10.253
add action=dst-nat chain=dstnat comment="Desktop Torrent" dst-port=55628 protocol=udp to-addresses=10.10.10.253
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip upnp interfaces
add interface=crs305 type=external
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add
/tool graphing resource
add
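One thing worth checking in an export like the one above is the scope of the dst-nat rules. In RouterOS the dstnat chain is evaluated for every packet entering the router, whichever interface it arrives on, so a dst-nat rule that only matches on protocol and dst-port also rewrites LAN clients' own outbound connections to that port (a LAN host opening TCP/80 to any web server would be redirected to 10.10.10.20). The usual fix is to restrict such rules with in-interface / in-interface-list (or dst-address / dst-address-list / dst-address-type) so they only apply to traffic arriving from the WAN. The script below is an added example, not part of the thread and not MikroTik code: it parses the "/ip firewall nat" section of an export in the format shown, handles the backslash line continuations, and lists the dst-nat rules that carry no such scoping matcher. The sample export is constructed from lines of the post plus one scoped rule for contrast.

```python
"""Audit of dst-nat rule scope in a RouterOS export (added example, not from the thread)."""
import shlex
from typing import Dict, List

# Constructed sample: rules taken from the posted export, one of them split
# across two lines to exercise the "\" continuation handling, plus one scoped
# rule (in-interface=WAN1) that should pass the audit.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=dst-nat chain=dstnat comment="Seedbox TCP" dst-port=58951 protocol=tcp to-addresses=10.10.10.79
add action=dst-nat chain=dstnat comment=Nginx dst-port=80 protocol=tcp to-addresses=10.10.10.20
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 protocol=tcp \\
    to-addresses=10.10.10.227
add action=dst-nat chain=dstnat comment="Plex TCP (scoped)" dst-port=32400 in-interface=WAN1 protocol=tcp to-addresses=10.10.10.227
/ip service
set telnet disabled=yes
"""

# Matchers that confine a dst-nat rule to traffic that actually came from outside
# (or that targets the router's own address) instead of every packet that passes by.
SCOPE_KEYS = ("in-interface", "in-interface-list", "dst-address",
              "dst-address-list", "dst-address-type")


def parse_section(export: str, section: str) -> List[Dict[str, str]]:
    """Return a key=value map for every 'add' line under the given section header.

    Export lines ending in a backslash are joined with the following line, as
    RouterOS itself does when re-importing.
    """
    rules: List[Dict[str, str]] = []
    current = None
    pending = ""
    for raw in export.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = pending + line
        pending = ""
        if line.startswith("/"):
            current = line.strip()
            continue
        if current != section or not line.lstrip().startswith("add "):
            continue
        rule: Dict[str, str] = {}
        # shlex keeps quoted values such as comment="Seedbox TCP" as one token
        for token in shlex.split(line.lstrip()[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def unscoped_dstnat(rules: List[Dict[str, str]]) -> List[str]:
    """Describe every dst-nat rule that has no in-interface/dst-address style matcher."""
    findings = []
    for rule in rules:
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        if any(key in rule for key in SCOPE_KEYS):
            continue
        findings.append(
            f"{rule.get('comment', '<no comment>')}: "
            f"{rule.get('protocol', 'any')}/{rule.get('dst-port', 'any')} -> {rule.get('to-addresses')}"
        )
    return findings


if __name__ == "__main__":
    nat_rules = parse_section(SAMPLE_EXPORT, "/ip firewall nat")
    for finding in unscoped_dstnat(nat_rules):
        print("dst-nat rule matches traffic from every interface:", finding)
```

Run against the posted export, the same audit would flag all seven dst-nat rules, since none of them carries an in-interface or dst-address matcher.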
 
JerTX
just joined
Topic Author
Posts: 5
Joined: Fri Mar 18, 2022 3:24 am

Re: New CCR2004, can't connect to some services

Fri May 26, 2023 4:17 am

Small update. Torrents are also not working properly. My torrent client, which as you can see in my export has been port forwarded, still times out when trying to connect to the tracker. If I disable all firewall rules, it can connect to one of the trackers I use, but not another one. Any ideas?
 
JerTX
just joined
Topic Author
Posts: 5
Joined: Fri Mar 18, 2022 3:24 am

Re: New CCR2004, can't connect to some services

Fri May 26, 2023 5:59 am

Found the problem. Configuring NAT as detailed in the setup guide isn't quite accurate, or perhaps there's a bug somewhere. It says to add a NAT rule on your WAN interface as masquerade like so:
/ip firewall nat
  add chain=srcnat out-interface=ether1 action=masquerade
This is how I set it up originally, and for the vast majority of the internet, this worked. But as outlined above, a few specific websites weren't working. I found this fairly random YouTube video and in it they suggest creating the rule on an address instead of an interface. So I changed the rule to remove the WAN "out-interface" and instead changed the Src address to my local network (in my case 10.10.10.0/24), and now _everything_ is working.

This feels like a bug to me.
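The difference between the two rule shapes is easier to see with a small model of what the srcnat chain actually matches. The srcnat chain runs after routing and after dst-nat, so it sees the translated destination and knows the outgoing interface. A rule keyed on out-interface=WAN1 never touches a flow that is forwarded back into bridge1, which is exactly what happens when a LAN client connects to the router's public address on a forwarded port (32400 here) and the dst-nat rule sends it to the LAN server: the server answers the client directly on the same bridge, the client sees a reply from a different address than it connected to, and the connection stalls. A rule keyed only on src-address=10.10.10.0/24 catches that hairpinned flow, which is one plausible reason the change above worked (an inference from the posted export, not something the thread confirms), but it also masquerades routed traffic toward every other local network, such as 192.168.88.0/24 on ether15 in the export, hiding the real client address from those hosts. The model below is an added example, not from the thread and not MikroTik code; the flows are constructed, and the final pair of rules (both matchers on the WAN rule, plus an explicit LAN-to-LAN masquerade, the usual hairpin NAT pattern) is shown for comparison.

```python
"""Which flows a RouterOS srcnat masquerade rule rewrites (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str        # original source address
    dst: str        # destination as seen by srcnat, i.e. after dst-nat
    out_iface: str  # interface the packet will leave through (known after routing)


@dataclass(frozen=True)
class SrcNatRule:
    src_address: Optional[str] = None    # CIDR, or None for "any"
    dst_address: Optional[str] = None    # CIDR, or None for "any"
    out_interface: Optional[str] = None  # interface name, or None for "any"

    def matches(self, flow: Flow) -> bool:
        # Every matcher that is set must agree; an unset matcher matches
        # everything, which is what makes a single-matcher rule over-broad.
        if self.src_address and ip_address(flow.src) not in ip_network(self.src_address):
            return False
        if self.dst_address and ip_address(flow.dst) not in ip_network(self.dst_address):
            return False
        if self.out_interface and flow.out_iface != self.out_interface:
            return False
        return True


# The two shapes from the post, the tightened WAN rule, and a hairpin rule.
RULE_BY_INTERFACE = SrcNatRule(out_interface="WAN1")
RULE_BY_SOURCE = SrcNatRule(src_address="10.10.10.0/24")
RULE_BOTH = SrcNatRule(src_address="10.10.10.0/24", out_interface="WAN1")
RULE_HAIRPIN = SrcNatRule(src_address="10.10.10.0/24", dst_address="10.10.10.0/24")

# Constructed flows; names and addresses follow the posted export.
FLOWS: Dict[str, Flow] = {
    # ordinary LAN client browsing the internet
    "lan_to_internet": Flow("10.10.10.50", "203.0.113.10", "WAN1"),
    # LAN client connected to the public IP on 32400; dst-nat sent it to the Plex server
    "hairpin_plex": Flow("10.10.10.50", "10.10.10.227", "bridge1"),
    # LAN client reaching the 192.168.88.0/24 network on ether15 (routed, not internet)
    "lan_to_mgmt_net": Flow("10.10.10.50", "192.168.88.20", "ether15"),
    # internet client dst-nat'd to the Plex server; its source must stay visible
    "wan_to_plex": Flow("198.51.100.7", "10.10.10.227", "bridge1"),
}


def masqueraded(rule: SrcNatRule, flows: Dict[str, Flow]) -> List[str]:
    """Names of the flows whose source address the rule would rewrite, sorted."""
    return sorted(name for name, flow in flows.items() if rule.matches(flow))


def masqueraded_by_any(rules: List[SrcNatRule], flows: Dict[str, Flow]) -> List[str]:
    """Union of what a set of masquerade rules would rewrite."""
    names = set()
    for rule in rules:
        names.update(masqueraded(rule, flows))
    return sorted(names)


if __name__ == "__main__":
    for label, rule in [("out-interface only", RULE_BY_INTERFACE),
                        ("src-address only", RULE_BY_SOURCE),
                        ("src-address + out-interface", RULE_BOTH),
                        ("hairpin LAN->LAN", RULE_HAIRPIN)]:
        print(f"{label:28s} masquerades {masqueraded(rule, FLOWS)}")
    print("WAN rule + hairpin rule      masquerades",
          masqueraded_by_any([RULE_BOTH, RULE_HAIRPIN], FLOWS))
```

The src-address-only rule is the only one that rewrites lan_to_mgmt_net; the WAN rule with both matchers plus the explicit hairpin rule covers the internet and hairpin flows without that side effect, and no rule ever rewrites the inbound wan_to_plex flow.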
 
gabacho4
Member
Member
Posts: 329
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: New CCR2004, can't connect to some services

Fri May 26, 2023 7:12 am

There
 
JerTX
just joined
Topic Author
Posts: 5
Joined: Fri Mar 18, 2022 3:24 am

Re: New CCR2004, can't connect to some services

Fri May 26, 2023 10:31 pm

There
?
