mmotti
newbie
Topic Author
Posts: 25
Joined: Thu Nov 17, 2022 9:50 pm

Helldivers 2 connection issues with Mikrotik configuration?

Wed Apr 24, 2024 9:26 pm

Hi,

I'm at my wits' end with this, being somewhat of a beginner with networking.

Long story short; Helldivers 2 will work, and I can connect to other players, and they can join me if I use my ISP supplied router (BT HomeHub) and yet with my RB5009 I only get "failed to join game lobby" etc.

I've tried opening my firewall completely (temporarily) on both the router and Windows Firewall, disabling IPv6 on the PC and router, Enabling UPnP (only for testing purposes and confirmed UPnP itself does work) and various other things.

Is anyone able to have a quick look through my config to see whether I've erroneously included anything, particularly in the firewall rules, that could potentially cause connection issues (particularly with P2P game servers)?

My setup is as follows:
DrayTek Vigor 130 -> RB5009 (PPPoE) -> PC (Ethernet)

My PC itself has a static IP of 192.168.1.10 on vlan91 which is the most “trusted” within my firewall rules and should have access to any interface.
# 2024-04-24 18:54:39 by RouterOS 7.14.2
# software id = 46E2-14LJ
#
# model = RB5009UG+S+
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=18:XX:XX:XX:XX:3B auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mac-address=18:XX:XX:XX:XX:3A
set [ find default-name=ether2 ] mac-address=18:XX:XX:XX:XX:3B
set [ find default-name=ether3 ] mac-address=18:XX:XX:XX:XX:3C
set [ find default-name=ether4 ] mac-address=18:XX:XX:XX:XX:3D
set [ find default-name=ether5 ] mac-address=18:XX:XX:XX:XX:3E
set [ find default-name=ether6 ] mac-address=18:XX:XX:XX:XX:3F
set [ find default-name=ether7 ] mac-address=18:XX:XX:XX:XX:40
set [ find default-name=ether8 ] mac-address=18:XX:XX:XX:XX:41
set [ find default-name=sfp-sfpplus1 ] mac-address=18:XX:XX:XX:XX:42
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name="ISP PPPoE" \
    service-name=internet user=bthomehub@btbroadband.com
/interface wireguard
add comment="External -> Home" listen-port=13231 mtu=1420 name=wg0
add comment=Mullvad listen-port=61468 mtu=1420 name=wg1
/interface vlan
add interface=bridge name=vlan91 vlan-id=91
add interface=bridge name=vlan92 vlan-id=92
add interface=bridge name=vlan95 vlan-id=95
/interface list
add name=WAN
add name=LAN
add name=WG_VPN_Provider_Clients
add name=LAN_UNTRUSTED
add name=WG_WAN
add name=WG_CHG_MSS
add name=LAN_TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=6 name="Mullvad DNS (Adblock)" value="'100.64.0.1'"
/ip pool
add name=bridge ranges=192.168.88.100-192.168.88.199
add name=vlan92 ranges=192.168.2.100-192.168.2.199
add name=vlan95 ranges=192.168.5.100-192.168.5.199
add name=vlan91 ranges=192.168.1.100-192.168.1.199
add name=rescue ranges=192.168.89.100-192.168.89.199
/ip dhcp-server
add address-pool=bridge disabled=yes interface=bridge lease-time=10m name=\
    bridge
add address-pool=vlan95 interface=vlan95 lease-time=10m name=vlan95
add address-pool=vlan92 interface=vlan92 lease-time=10m name=vlan92
add address-pool=vlan91 interface=vlan91 lease-time=10m name=vlan91
add address-pool=rescue interface=ether8 lease-time=10m name=rescue
/ip smb users
set [ find default=yes ] disabled=yes
/queue type
add cake-diffserv=diffserv4 cake-nat=yes kind=cake name=cake-up
add cake-diffserv=diffserv4 kind=cake name=cake-down
/queue tree
add limit-at=5M max-limit=19M name=QT_Upload packet-mark=no-mark parent=\
    "ISP PPPoE" queue=cake-up
add limit-at=15M max-limit=74M name=QT_Download packet-mark=no-mark parent=\
    bridge queue=cake-down
/routing table
add fib name=wg_mullvad
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10 pvid=95
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10 pvid=91
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 untagged=ether7 vlan-ids=95
add bridge=bridge tagged=bridge,ether3 vlan-ids=92
add bridge=bridge tagged=bridge untagged=\
    ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=91
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface="ISP PPPoE" list=WAN
add interface=vlan95 list=WG_VPN_Provider_Clients
add interface=vlan91 list=LAN
add interface=vlan92 list=LAN_UNTRUSTED
add interface=wg0 list=LAN
add interface=ether8 list=LAN
add interface=wg1 list=WG_WAN
add interface=bridge list=LAN_TRUSTED
add interface=vlan91 list=LAN_TRUSTED
add interface=wg0 list=LAN_TRUSTED
add interface=ether8 list=LAN_TRUSTED
add interface=vlan92 list=LAN
add interface=vlan95 list=LAN
/interface wireguard peers
add allowed-address=192.168.10.10/32 interface=wg0 public-key=\
    "XXXXXXXXXX"
add allowed-address=0.0.0.0/0,::/0 endpoint-address=\
    xxxxx.mullvad.net endpoint-port=51820 interface=wg1 \
    public-key="XXXXXXXXXX"
/ip address
add address=192.168.88.1/24 comment="bridge default" interface=bridge \
    network=192.168.88.0
add address=192.168.5.1/24 interface=vlan95 network=192.168.5.0
add address=192.168.2.1/24 interface=vlan92 network=192.168.2.0
add address=192.168.10.1/24 interface=wg0 network=192.168.10.0
add address=10.xxx.xxx.xxx interface=wg1 network=10.xxx.xxx.xxx
add address=192.168.0.1/24 interface=ether1 network=192.168.0.0
add address=192.168.1.1/24 interface=vlan91 network=192.168.1.0
add address=192.168.89.1/24 comment="rescue port" interface=ether8 network=\
    192.168.89.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.2.50 mac-address=1C:XX:XX:XX:XX:A2 server=vlan92
add address=192.168.5.199 client-id=1:1c:XX:XX:XX:XX:44 dhcp-option=\
    "Mullvad DNS (Adblock)" mac-address=1C:XX:XX:XX:XX:44 server=vlan95
add address=192.168.1.10 client-id=1:2c:XX:XX:XX:XX:7d mac-address=\
    2C:XX:XX:XX:XX:7D server=vlan91
add address=192.168.1.198 client-id=1:f0:XX:XX:XX:XX:3f mac-address=\
    F0:XX:XX:XX:XX:3F server=vlan91
add address=192.168.2.198 client-id=1:f0:XX:XX:XX:XX:3f mac-address=\
    F0:XX:XX:XX:XX:3F server=vlan92
/ip dhcp-server network
add address=192.168.1.0/24 comment=vlan91 dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
add address=192.168.2.0/24 comment=vlan92 dns-server=192.168.2.1 gateway=\
    192.168.2.1
add address=192.168.5.0/24 comment=vlan95 dns-server=10.64.0.1 gateway=\
    192.168.5.1 netmask=24
add address=192.168.88.0/24 comment=bridge dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
add address=192.168.89.0/24 comment=rescue dns-server=192.168.89.1 gateway=\
    192.168.89.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.10 comment="Reservation address for my machine" list=\
    "Main PC"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard (Home)" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "allow unrestricted access to the input chain from trusted LANs" \
    in-interface-list=LAN_TRUSTED
add action=accept chain=input comment="allow LAN DNS queries (UDP)" dst-port=\
    53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="allow LAN DNS queries (TCP)" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop remaining traffic on input chain"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="VPN Safety Net" in-interface-list=\
    WG_VPN_Provider_Clients out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow trusted LAN to forward to all interface lists" in-interface-list=\
    LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment=\
    "allow untrusted LAN to forward only to WAN" in-interface-list=\
    LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow specific clients through the WG provider tunnels" \
    in-interface-list=WG_VPN_Provider_Clients out-interface-list=WG_WAN
add action=accept chain=forward comment="allow Remote Play UDP from vlan95" \
    dst-address-list="Main PC" dst-port=27031,27036 in-interface=vlan95 \
    protocol=udp
add action=accept chain=forward comment="allow Remote Play TCP from vlan95" \
    dst-address-list="Main PC" dst-port=27036,27037 in-interface=vlan95 \
    protocol=tcp
add action=drop chain=forward comment=\
    "drop remaining traffic on the forward chain"
/ip firewall mangle
add action=change-mss chain=forward comment="WireGuard EXT. MSS Change - OUT" \
    disabled=yes new-mss=1380 out-interface-list=WG_CHG_MSS passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=change-mss chain=forward comment="WireGuard EXT. MSS Change - IN" \
    disabled=yes in-interface-list=WG_CHG_MSS new-mss=1380 passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="wg masquerade" ipsec-policy=\
    out,none out-interface-list=WG_WAN
/ip route
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg_mullvad
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=wg1 routing-table=\
    wg_mullvad scope=30 target-scope=10
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp interfaces
add interface="ISP PPPoE" type=external
add interface=vlan91 type=internal
/ipv6 address
add address=fc00:XXXX:XXXX:XXXX::X:XXXX/128 advertise=no interface=wg1
add address=::1 from-pool=IPv6_ISP_Prefix interface=bridge
add address=::1 from-pool=IPv6_ISP_Prefix interface=vlan91
add address=::1 from-pool=IPv6_ISP_Prefix interface=vlan92
add address=::1 from-pool=IPv6_ISP_Prefix interface=vlan95
/ipv6 dhcp-client
add interface="ISP PPPoE" pool-name=IPv6_ISP_Prefix prefix-hint=\
    XXXX:XXXX:XXXX:XXXX::/56 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment=\
    "Allow full access to the LAN input chain from trusted LANs" disabled=yes \
    in-interface-list=LAN_TRUSTED
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=input comment="Allow LAN multicast (UDP)" disabled=\
    yes dst-address=ff00::/8 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" disabled=\
    yes dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" disabled=\
    yes dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=\
    "Drop remaining traffic on the input chain" disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="VPN Safety Net" in-interface-list=\
    WG_VPN_Provider_Clients out-interface-list=WAN
add action=accept chain=forward comment=\
    "Allow trusted LAN to forward to all interface lists" in-interface-list=\
    LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment=\
    "Allow untrusted LAN to forward only to WAN" in-interface-list=\
    LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment=\
    "Allow specific clients through the WG provider tunnels" \
    in-interface-list=WG_VPN_Provider_Clients out-interface-list=WG_WAN
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "Drop remaining traffic on the forward chain"
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface-list=WG_WAN
/ipv6 nd
set [ find default=yes ] disabled=yes
add disabled=yes interface=bridge
add interface=vlan91
add advertise-dns=no disabled=yes interface=vlan92
add advertise-dns=no disabled=yes interface=vlan95
/routing rule
add action=lookup-only-in-table comment=\
    "Default routing table to be used for the path back to the main subnet" \
    disabled=no dst-address=192.168.1.0/24 table=main
add action=lookup-only-in-table comment=\
    "All IPv4 traffic on vlan95 must only use the wg_mullvad table" disabled=\
    no dst-address=0.0.0.0/0 interface=vlan95 table=wg_mullvad
add action=lookup-only-in-table comment=\
    "All IPv6 traffic on vlan95 must only use the wg_mullvad table" disabled=\
    no dst-address=::/0 interface=vlan95 table=wg_mullvad
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
add address=2.uk.pool.ntp.org
add address=3.uk.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by mmotti on Fri May 03, 2024 3:54 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19744
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Helldivers 2 connection issues with Mikrotik configuration?

Wed Apr 24, 2024 11:00 pm

First take any subnet off the bridge and create another vlan.
viewtopic.php?t=143620


State clearly the requirements
a. identify users/devices and groups of users/devices including admin
b. identify what traffic they should accomplish. Too confusing at the moment.
 
mmotti
newbie
Topic Author
Posts: 25
Joined: Thu Nov 17, 2022 9:50 pm

Re: Helldivers 2 connection issues with Mikrotik configuration?

Wed Apr 24, 2024 11:30 pm

First take any subnet off the bridge and create another vlan.
viewtopic.php?t=143620
Sorry, please could you clarify what you mean by "take any subnet off the bridge" or the specific part of the config you're referring to?

I had assigned an IP address to the bridge interface itself and there was a DHCP server "network" specified for the 192.168.88.0/24 range however this was just left there as a "if I've missed something"; it's not actively used. I'm not sure whether this may be what you're referring to?

As far as I understand from when I set this up a while ago I have:
  • Three VLANs; vlan91 (unrestricted / given the most freedom), vlan92 (IOT device separation - not really used), vlan95 (Mullvad VPN tunnel for IPv4/6 traffic)
  • Two WireGuard interfaces; wg0 (external -> home access), wg1 (Mullvad VPN)
  • PPPoE interface for internet connectivity (through ether1)
  • "Rescue" port disconnected from the bridge (ether8) in case I make a configuration mistake on the bridge
  • Bridge itself with an address of 192.168.88.1/24
  • Various interface lists but the most relevant list is LAN_TRUSTED (which my PC is in as part of vlan91) and should allow the most access through the firewall rules
State clearly the requirements
a. identify users/devices and groups of users/devices including admin
b. identify what traffic they should accomplish. Too confusing at the moment.
The requirements are for my PC (static 192.168.1.10 on vlan91 and member of LAN_TRUSTED) to be able to communicate effectively with P2P servers and essentially allow me to play Helldivers 2 which is currently not possible for whatever reason.
 
normis
MikroTik Support
Posts: 26439
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Helldivers 2 connection issues with Mikrotik configuration?

Thu Apr 25, 2024 8:38 am

Isn't Helldivers like this for everyone, regardless of their router? This game is famous for the connection issues right now, because of the number of players.
 
mmotti
newbie
Topic Author
Posts: 25
Joined: Thu Nov 17, 2022 9:50 pm

Re: Helldivers 2 connection issues with Mikrotik configuration?

Thu Apr 25, 2024 2:48 pm

Isn't Helldivers like this for everyone, regardless of their router? This game is famous for the connection issues right now, because of the number of players.
To an extent, yes. The server capacity issue was more of an issue at launch - This issue is different.

If I disconnect my RB5009 / modem combo and connect my ISP router back in I can get into lobbies without issue after a little fiddling with verifying game file integrity. I can replicate this over and over so it's not just a fluke.

As soon as I plug my RB5009 back in everything stops working again.

I seem to have narrowed it down to something to do with IPv6 on the RB5009; if I disable IPv6 within Windows or connect to a VPN (with IPv6 support disabled) with the Mullvad app I can play after verifying game file integrity again. Which makes it even more odd as my ISP router uses IPv6 without issue.

Sadly I don't know enough about IPv6 to be able to understand the differences between the configuration on the Mikrotik router and my ISP router.

The one thing I have tweaked since posting this is putting my IPv6 firewall rules pretty much back to default but no joy.
 
p3rad0x
Long time Member
Posts: 638
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa

Re: Helldivers 2 connection issues with Mikrotik configuration?

Wed May 01, 2024 2:14 am

Not a MT issue, it's something with the game itself. I suspect the anti-cheat does not know how to handle it properly. My game will be working fine with IPV6 disabled. As soon as I enable it again then the game cannot connect to other players. I have to disable IPV6, change my IPV4 to a different address and reinstall the game. Only then it starts to work again.
 
vingjfg
Member
Posts: 357
Joined: Fri Oct 20, 2023 1:45 pm

Re: Helldivers 2 connection issues with Mikrotik configuration?

Wed May 01, 2024 8:03 am

I'll get a look at your config later today. Meanwhile, can you send the output of "ipconfig /all" on your gaming computer with the isp router and then with the rb5009?
 
mmotti
newbie
Topic Author
Posts: 25
Joined: Thu Nov 17, 2022 9:50 pm

Re: Helldivers 2 connection issues with Mikrotik configuration?

Fri May 03, 2024 3:49 am

I'll get a look at your config later today. Meanwhile, can you send the output of "ipconfig /all" on your gaming computer with the isp router and then with the rb5009?
Sorry for the delay in replying!

Please see the config for my RB5009 below; probably commented out more than necessary but honestly I don't understand enough about what is identifying and what's not.

The only differences between the Mikrotik output and my ISP router output were:
1. ISP router had a "Connection-specific DNS Suffix" assigned and it has a DNS search something or other.
2. ISP router shows a link-local IPv6 DNS server address whereas my RB5009 doesn't show any available IPv6 DNS servers at all unless I disable IPv4 on my network adapter.
3. The router would have been using the ISP DNS servers (although through the link local address)

Before you ask I did also try manually assigning IPv6 DNS addresses (same as advertised with RA) and the issue persisted.
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe 2.5GbE Family Controller
   Physical Address. . . . . . . . . : 2C-F0-XX-XX-XX-7D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXd(Preferred)
   Temporary IPv6 Address. . . . . . : 2XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXX6(Preferred)
   Temporary IPv6 Address. . . . . . : 2XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXX0(Deprecated)
   Link-local IPv6 Address . . . . . : fe80::890a:XXXX:XXXX:7b6%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 02 May 2024 20:24:15
   Lease Expires . . . . . . . . . . : 03 May 2024 01:49:13
   Default Gateway . . . . . . . . . : fe80::1afd:XXXX:fecc:b03b%7
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 103XXXX13
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-XX-XX-XX-XX-XX-XX-XX-XX-7D
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
vingjfg
Member
Posts: 357
Joined: Fri Oct 20, 2023 1:45 pm

Re: Helldivers 2 connection issues with Mikrotik configuration?  [SOLVED]

Fri May 03, 2024 7:35 pm

Hi. I will do a few IPv6 tests over the weekend.

Reading your configuration, I have a few comments and questions. Here are the configuration bits and my notes.
/interface pppoe-client
   add add-default-route=yes disabled=no interface=ether1 name="ISP PPPoE" \
       service-name=internet user=bthomehub@btbroadband.com
# CHECK MTU
# CHECK IF CLAMP MSS IS PRESENT
/interface wireguard
   add comment="External -> Home" listen-port=13231 mtu=1420 name=wg0
   add comment=Mullvad listen-port=61468 mtu=1420 name=wg1

CHECK IF CLAMP MSS IS PRESENT
/ipv6 firewall nat
   add action=masquerade chain=srcnat out-interface-list=WG_WAN

CHECK IF USEFUL. 
/ipv6 nd
   add interface=vlan91

# CONSIDER advertise-dns=yes dns-servers=2606:4700:4700::1111,2606:4700:4700::1001 other-configuration=yes 
 
mmotti
newbie
Topic Author
Posts: 25
Joined: Thu Nov 17, 2022 9:50 pm

Re: Helldivers 2 connection issues with Mikrotik configuration?

Sat May 04, 2024 12:54 am

Thanks for your help!
Hi. I will do a few IPv6 tests over the weekend.

Reading your configuration, I have a few comments and questions. Here are the configuration bits and my notes.
/interface pppoe-client
   add add-default-route=yes disabled=no interface=ether1 name="ISP PPPoE" \
       service-name=internet user=bthomehub@btbroadband.com
# CHECK MTU
# CHECK IF CLAMP MSS IS PRESENT
/interface/pppoe-client/monitor 0
MTU and MRU are both 1492. I assume these are automatically negotiated values as I haven't set them.

I haven't specified any clamping options for my ISP connection and honestly I have no idea what MSS clamping is or whether I need it?
/ipv6 firewall nat
   add action=masquerade chain=srcnat out-interface-list=WG_WAN

CHECK IF USEFUL. 
I was using IPv6 with Mullvad too but have since disabled on that VLAN. My IPv6 VPN traffic would not work without this rule.
/ipv6 nd
   add interface=vlan91

# CONSIDER advertise-dns=yes dns-servers=2606:4700:4700::1111,2606:4700:4700::1001 other-configuration=yes 
Oddly enough I have advertise-dns=yes specified; it just doesn't show up for that one vlan in the export?! I don't use the DNS server boxes on that screen though.

If I disable IPv6 on my PC's network adapter, it picks up the IPv6 addresses (from RA) that are specified in /ip/dns. It seems like a common issue with Windows and dualstack IPv4/IPv6. When I set up an IPv6 DHCP server with the DNS option I could assign an IPv6 DNS and the clients would receive them with both IPv4/6 enabled. It just doesn't work through RA if both IPv4/6 are enabled.

DNS Settings
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
I have advertise-dns & mac-address enabled.
[admin@MikroTik] /ipv6/nd> print detail
Flags: X - disabled, I - invalid; * - default 
 0 X* interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified 
      reachable-time=unspecified retransmit-interval=unspecified 
      ra-lifetime=30m ra-preference=medium hop-limit=unspecified 
      advertise-mac-address=yes advertise-dns=yes 
      managed-address-configuration=no other-configuration=no dns="" pref64="" 

 1 X  interface=bridge ra-interval=3m20s-10m ra-delay=3s mtu=unspecified 
      reachable-time=unspecified retransmit-interval=unspecified 
      ra-lifetime=30m ra-preference=medium hop-limit=unspecified 
      advertise-mac-address=yes advertise-dns=yes 
      managed-address-configuration=no other-configuration=no dns="" pref64="" 

 2    interface=vlan91 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified 
      reachable-time=unspecified retransmit-interval=unspecified 
      ra-lifetime=30m ra-preference=medium hop-limit=unspecified 
      advertise-mac-address=yes advertise-dns=yes 
      managed-address-configuration=no other-configuration=no dns="" pref64="" 

 3 X  interface=vlan92 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified 
      reachable-time=unspecified retransmit-interval=unspecified 
      ra-lifetime=30m ra-preference=medium hop-limit=unspecified 
      advertise-mac-address=yes advertise-dns=no 
Yet it doesn't show on my export?!
/ipv6 nd
set [ find default=yes ] disabled=yes
add disabled=yes interface=bridge
add interface=vlan91
add advertise-dns=no disabled=yes interface=vlan92
add advertise-dns=no disabled=yes interface=vlan95
/interface wireguard
add comment="External -> Home" listen-port=13231 mtu=1420 name=wg0
add comment=Mullvad listen-port=61468 mtu=1420 name=wg1

CHECK IF CLAMP MSS IS PRESENT
As previously mentioned I don't understand MSS Clamping at all. However I do have rules that I had to previously apply to a specific WireGuard interface when I used Nord/SurfShark. Web browsing wouldn't work at all without it. Since using Mullvad it's been fine without any need for clamping.

I only knew about trying an MSS Clamping rule for that in the first place because I came across a similar forum post on the issue I was having.

Also to note - My PC goes out directly to my ISP and not through any WireGuard interfaces.
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3 X  ;;; WireGuard EXT. MSS Change - OUT
      chain=forward action=change-mss new-mss=1380 passthrough=yes 
      tcp-flags=syn protocol=tcp out-interface-list=WG_CHG_MSS 
      tcp-mss=1381-65535 log=no log-prefix="" 

 4 X  ;;; WireGuard EXT. MSS Change - IN
      chain=forward action=change-mss new-mss=1380 passthrough=yes 
      tcp-flags=syn protocol=tcp in-interface-list=WG_CHG_MSS 
      tcp-mss=1381-65535 log=no log-prefix="" 
 
mmotti
newbie
Topic Author
Posts: 25
Joined: Thu Nov 17, 2022 9:50 pm

Re: Helldivers 2 connection issues with Mikrotik configuration?

Sat May 04, 2024 1:58 am

Hi. I will do a few IPv6 tests over the weekend.

Reading your configuration, I have a few comments and questions. Here are the configuration bits and my notes.
/interface pppoe-client
   add add-default-route=yes disabled=no interface=ether1 name="ISP PPPoE" \
       service-name=internet user=bthomehub@btbroadband.com
# CHECK MTU
# CHECK IF CLAMP MSS IS PRESENT
That was it! MSS Clamping!!!

IPv4 PPPoE (1492 - 40b header = 1452) -> Apply only for packets that exceed threshold

/ip/firewall/mangle
 5    ;;; Change MSS --> out for all packets above the threshold
      chain=forward action=change-mss new-mss=1452 passthrough=yes tcp-flags=syn protocol=tcp out-interface=ISP PPPoE 
      tcp-mss=1453-65535 log=no log-prefix="" 

 6    ;;; Change MSS <-- in for all packets above the threshold
      chain=forward action=change-mss new-mss=1452 passthrough=yes tcp-flags=syn protocol=tcp in-interface=ISP PPPoE 
      tcp-mss=1453-65535 log=no log-prefix="" 
IPv6 PPPoE (1492-60b = 1432) -> /ipv6/firewall/mangle -> Apply only for packets that exceed threshold
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Change MSS --> out for all packets above the threshold
      chain=forward action=change-mss new-mss=1432 passthrough=yes protocol=tcp tcp-flags=syn out-interface=ISP PPPoE 
      tcp-mss=1433-65535 log=no log-prefix="" 

 1    ;;; Change MSS <-- in for all packets above the threshold
      chain=forward action=change-mss new-mss=1432 passthrough=yes protocol=tcp tcp-flags=syn in-interface=ISP PPPoE 
      tcp-mss=1433-65535 log=no log-prefix="" 
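
The fix the thread arrives at, turned into a configuration check (an added example, not code from any poster or from MikroTik): a Python audit that reads a RouterOS export, finds the PPPoE clients and reports every address family and direction that has no enabled `change-mss` rule at or below the thread's figures (1492 - 40 for IPv4, 1492 - 60 for IPv6). It goes slightly beyond the thread by also resolving `*-interface-list` matches; the sample export is constructed, all function names are hypothetical, and the 1492 default is an assumption because an export does not carry the negotiated MTU.

```python
"""Audit a RouterOS export for missing TCP MSS clamping on PPPoE uplinks."""
import re

# IP header + TCP header without options, the figures used in the thread.
HEADER_BYTES = {"ip": 40, "ipv6": 60}
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Map each export section (e.g. '/ip firewall mangle') to its 'add' rows."""
    text = re.sub(r"\\\n[ \t]*", "", text)  # join '\' line continuations
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append({k: v.strip('"') for k, v in PAIR.findall(line)})
    return sections


def mss_ok(value, limit):
    """A clamp is adequate if it follows path MTU or is at most the limit."""
    return value == "clamp-to-pmtu" or (value.isdigit() and int(value) <= limit)


def interfaces_matched(rule, key, lists):
    """Interfaces a rule selects through `key` or through `key`-list."""
    names = {rule[key]} if key in rule else set()
    return names | lists.get(rule.get(key + "-list"), set())


def audit(text, mtu=1492):
    """Return (family, interface, matcher, mss) for every missing clamp."""
    cfg = parse_export(text)
    lists = {}
    for member in cfg.get("/interface list member", []):
        lists.setdefault(member.get("list"), set()).add(member.get("interface"))
    findings = []
    for client in cfg.get("/interface pppoe-client", []):
        name = client.get("name")
        if name is None or client.get("disabled") == "yes":
            continue
        for family, overhead in HEADER_BYTES.items():
            limit = mtu - overhead
            rules = [r for r in cfg.get(f"/{family} firewall mangle", [])
                     if r.get("action") == "change-mss"
                     and r.get("disabled") != "yes"
                     and r.get("protocol") == "tcp"
                     and mss_ok(r.get("new-mss", ""), limit)]
            for key in ("out-interface", "in-interface"):
                if not any(name in interfaces_matched(r, key, lists)
                           for r in rules):
                    findings.append((family, name, key, limit))
    return findings


def suggested_rule(family, name, key, limit):
    """Render a finding as export-style lines, mirroring the thread's rules."""
    return (f'/{family} firewall mangle\n'
            f'add action=change-mss chain=forward new-mss={limit} '
            f'{key}="{name}" passthrough=yes protocol=tcp tcp-flags=syn '
            f'tcp-mss={limit + 1}-65535')


# Constructed sample modelled on the export in the first post: a PPPoE client
# and only a disabled WireGuard clamp rule. The user name is a placeholder.
BEFORE = r'''
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name="ISP PPPoE" \
    service-name=internet user=user@isp.example
/interface list member
add interface="ISP PPPoE" list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="WireGuard MSS - OUT" \
    disabled=yes new-mss=1380 out-interface-list=WG_CHG_MSS passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535
'''

# The same export with the four suggested rules appended.
AFTER = BEFORE + "\n".join(suggested_rule(*f) for f in audit(BEFORE)) + "\n"

if __name__ == "__main__":
    for finding in audit(BEFORE):
        print("missing clamp:", finding)
        print(suggested_rule(*finding))
    print("after fix:", audit(AFTER))
```
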
