f1f0

Packet loss / Drop after 10-20 seconds for 5-10 seconds - MikroTik hAP ax lite LTE6

Mon Feb 05, 2024 9:55 am

Hello,

This is my first MikroTik device ever. I bought it to use at a different house 200 km away. I did a setup at my home with LTE and ether1 as possible WAN, for using it later as a mobile device.
lte1 and ether1 are WAN; ether2-ether4 are bridged LAN. The configuration was solid while I was setting it up for 2 days at my home. I tried implementing WireGuard, but removed all settings (except the peer config). I also used the script for restarting the LTE connection when the SIM is locked after reboot.

But right now, after I took the device to the other location, I have a problem I can't find a solution for: every 10-20 seconds the connection / packets are lost and traffic (ping or any other) isn't going to the bridge for 10+ seconds. After that, ether2/bridge is accessible and the network behind the hAP is reachable for the next 10-20 seconds.

lte <> hAP <> (via ether2) unifi switch <> AP
                                        <> Cloudkey
                                        <> RPi
(Unifi AP, Cloud Key and RPi for remote access / configuration)

The RPi can ping the Unifi switch/Cloud Key without problems, but the problem is communication to the hAP. Access to the internet is gone too while packets are lost.

This is my current config, after disabling ether1 and other settings while trying to find out/test what may be the cause of the loss in every 20-second frame (like hw offloading or other possible problems). I tried different OS versions (7.13 to the current testing 7.14beta). The base setup was the default config:
# 2024-02-05 06:56:17 by RouterOS 7.14beta9
# software id = XXXXXX
#
# model = L41G-2axD&FG621-EA
# serial number = XXXXXXX
/interface bridge
add admin-mac=78:9A:18:76:CD:A9 auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=wan1
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Germany .mode=ap .ssid=\
    "SSID" security.authentication-types=wpa2-psk,wpa3-psk \
    .connect-priority=0 .ft=yes .ft-over-ds=yes
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" sms-read=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telekom default-route-distance=4 name=\
    telekom use-network-apn=no
/ip pool
add name=dhcp ranges=10.42.242.50-10.42.242.150
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=14w0d0h name=defconf
/ip smb users
set [ find default=yes ] read-only=yes
/port
set 0 name=serial0
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether2 queue=fq-codel-ethernet-default
set ether3 queue=fq-codel-ethernet-default
set ether4 queue=fq-codel-ethernet-default
set wan1 queue=fq-codel-ethernet-default
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set ciphers=aes256-sha
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xyz.dyndns.org \
    endpoint-port=51820 interface=*D public-key=\
    "ZQAI9AdN1kIBVEpzdM9/S1MeparB2/wVfdbO3Ll37SQ="
/ip address
add address=10.42.242.1/24 comment=defconf interface=bridge network=\
    10.42.242.0
/ip dhcp-client
add interface=wan1
/ip dhcp-server network
add address=10.42.242.0/24 comment=defconf dns-server=\
    10.42.242.1,8.8.8.8,1.1.1.1 gateway=10.42.242.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.42.242.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=BergTik
/system note
set show-at-login=no
/system package update
set channel=testing
/system scheduler
add interval=10s name=refresh_locked_SIM on-event=":local lteInterfaces [/inte\
    rface print as-value where type=lte and disabled=no]\r\
    \n:foreach lte in=\$lteInterfaces do={\r\
    \n  :if ([/interface/lte/monitor (\$lte->\"name\") as-value once]->\"statu\
    s\"=\"sim locked\") do={\r\
    \n     /interface lte set (\$lte->\"name\") disabled=yes\r\
    \n     :delay 3s\r\
    \n     /interface lte set (\$lte->\"name\") disabled=no\r\
    \n    }\r\
    \n  }\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=lte_restart_check owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system scheduler remove [find name=refresh_locked_SIM]\
    \n/system scheduler add name=refresh_locked_SIM start-time=startup interva\
    l=10s on-event=\"\\\
    \n    :local lteInterfaces [/interface print as-value where type=lte and d\
    isabled=no]\\r\\\
    \n    \\n:foreach lte in=\\\$lteInterfaces do={\\r\\\
    \n    \\n  :if ([/interface/lte/monitor (\\\$lte->\\\"name\\\") as-value o\
    nce]->\\\"status\\\"=\\\"sim locked\\\") do={\\r\\\
    \n    \\n     /interface lte set (\\\$lte->\\\"name\\\") disabled=yes\\r\\\
    \n    \\n     :delay 3s\\r\\\
    \n    \\n     /interface lte set (\\\$lte->\\\"name\\\") disabled=no\\r\\\
    \n    \\n    }\\r\\\
    \n    \\n  }\\r\\\
    \n    \\n\""
/system watchdog
set watch-address=8.8.8.8 watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks.
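
Added example, not part of the original post: a small Python parser for a RouterOS text export like the one above. It joins the backslash-continued lines, then lists values printed as `*<hex>` (the internal id RouterOS shows when the referenced item no longer exists, as with `interface=*D` on the WireGuard peer) and each scheduler job with its interval and policy set. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the style of the export above (placeholder key and host).
SAMPLE = r'''/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=vpn.example.net \
    endpoint-port=51820 interface=*D public-key="<placeholder>"
/interface bridge port
add bridge=bridge interface=ether2
/system scheduler
add interval=10s name=refresh_locked_SIM on-event=":local x [/inte\
    rface print as-value where type=lte]\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
'''

PAIR = re.compile(r'([\w.\-]+)=("(?:\\.|[^"\\])*"|\S*)')  # key=value or key="quoted"
DANGLING = re.compile(r"\*[0-9A-Fa-f]+")  # internal id shown for a missing item

def entries(export_text):
    """Yield (menu, verb, params) per command, joining '\\' continuations."""
    menu, buf = "", ""
    for raw in export_text.splitlines():
        line = buf + (raw.lstrip() if buf else raw.strip())
        buf = ""
        # An odd number of trailing backslashes means the last one continues
        # the line (an even run is only escaped backslashes inside a string).
        if (len(line) - len(line.rstrip("\\"))) % 2:
            buf = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        yield menu, line.split(None, 1)[0], dict(PAIR.findall(line))

def audit(export_text):
    """Return dangling references and scheduler jobs found in the export."""
    findings = []
    for menu, verb, params in entries(export_text):
        for key, value in params.items():
            if DANGLING.fullmatch(value):
                findings.append(("dangling-ref", menu, f"{key}={value}"))
        if menu == "/system scheduler" and verb == "add":
            detail = f"interval={params.get('interval')} policy={params.get('policy')}"
            findings.append(("scheduler", params.get("name", "?"), detail))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
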
