I have just received my first RouterOS hardware (CRS326-24S+2Q+RM) which should replace my consumer-grade switch (fiber-to-the-home) and router.
Currently, network attached devices can ping most IPv4 addresses and also resolve domain names. Devices also receive an IP within the expected address range on the correct network. However, there are still many connection issues: using a browser on an attached PC, hardly any website loads.
I think I have managed to set up these things:
- PPPoE connection via AON fiber SFP module
- DHCP server (LAN) and client (WAN)
- DNS
I have also created some firewall rules, but this is probably the part I have the least knowledge of, and I suspect it is the source of the issues.

Filter Rules
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; drop invalid
chain=input action=drop connection-state=invalid
3 ;;; accept ICMP
chain=input action=accept protocol=icmp
4 ;;; accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 ;;; drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
6 ;;; accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
9 ;;; accept established, related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

NAT
Flags: X - disabled, I - invalid; D - dynamic
0 I ;;;
chain=srcnat action=masquerade src-address-list=LAN out-interface=pppoe-out1 log=no log-prefix=""
1 ;;; masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

Mangle
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 I ;;;
chain=forward action=change-mss new-mss=1452 passthrough=yes tcp-flags=syn protocol=tcp out-interface=pppoe-out1 tcp-mss=1453-65535 log=no log-prefix=""

Do you have a hint for me where to look for the issue? Maybe you even have a possible solution?
Best,
Sven
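
The listings in this post use the flag legend X - disabled, I - invalid, D - dynamic, and two of the posted rules carry the I flag. As an added example (not part of the original post), this parser reads `print` output in that layout and reports rules marked invalid or disabled; the function names are hypothetical, and the sample is two rules copied from the post's mangle listing.

```python
import re
import shlex

# Flag letters as given in the legend line of the print output.
FLAG_NAMES = {"X": "disabled", "I": "invalid", "D": "dynamic"}
# A rule starts with its number, optional flag letters, then ";;; comment" or properties.
RULE_START = re.compile(r"^\s*(\d+)\s+((?:[XID](?:\s+|$))*)(.*)$")

def parse_rules(text):
    """Return one dict per rule with keys: number, flags, comment, props."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Flags:"):
            continue
        m = RULE_START.match(line)
        if m:
            rest = m.group(3)
            rules.append({"number": int(m.group(1)),
                          "flags": set(m.group(2).split()),
                          "comment": "", "props": {}})
            if rest.startswith(";;;"):
                rules[-1]["comment"] = rest[3:].strip()
                continue
            line = rest  # uncommented rule: properties follow on the same line
        if rules:
            for tok in shlex.split(line):
                key, sep, value = tok.partition("=")
                if sep:
                    rules[-1]["props"][key] = value
    return rules

def not_in_effect(rules):
    """List (number, states, action) for rules flagged invalid or disabled."""
    return [(r["number"], sorted(FLAG_NAMES[f] for f in r["flags"] & {"X", "I"}),
             r["props"].get("action"))
            for r in rules if r["flags"] & {"X", "I"}]

# Sample input: rules 0 and 3 of the mangle listing, as posted.
SAMPLE = """Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
3 I ;;;
chain=forward action=change-mss new-mss=1452 passthrough=yes tcp-flags=syn protocol=tcp out-interface=pppoe-out1 tcp-mss=1453-65535 log=no log-prefix=""
"""

if __name__ == "__main__":
    for number, states, action in not_in_effect(parse_rules(SAMPLE)):
        print(f"rule {number}: {', '.join(states)} (action={action})")
```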