dualB
just joined
Topic Author
Posts: 13
Joined: Sun May 17, 2020 11:22 am

Firewall/PPPoE connection issue

Sun Sep 25, 2022 11:07 am

Hello all,

I have a hAP ac2 running RouterOS 7.5; after 6 months on LTE I just got VDSL. I'm having some issues. I have used VDSL previously without issues.

Problem 1: Websites either do not load or are slow to load. For example, https://mt.lv/winbox64 is inaccessible!
Problem 2: Since adding the new PPPoE client, the ether1 DHCP client does not renew. The route is not maintained.

Firewall seems to be dropping a lot of packets on the forward chain, so I suspected it's a packet size issue. However, the PPPoE client is already configured and a mangle rule is in place.
The VDSL connection is via Telekom DE, so MTU 1492 is supported and is the actual value for the connected AC.

Physical connections:
ISP <--> TP-Link VR400 bridge mode <--> Managed switch <--VLAN 400--> Hap AC2 ether 2
LTE router <--> Hap Ac2 ether 1

I tested the connection directly from the VR400, the internet works fine.

# model = RBD52G-5HacD2HnD
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2422,2427,2432,2437,2442,2412,2417 name=channel2g_1 reselect-interval=12h tx-power=19
add band=5ghz-a/n/ac extension-channel=Ce frequency=5220 name=channel5g-44 reselect-interval=12h skip-dfs-channels=no tx-power=23
add band=5ghz-a/n/ac extension-channel=Ce frequency=5260 name=channel5g-52 reselect-interval=12h tx-power=23
add band=5ghz-a/n/ac extension-channel=Ce frequency=5300 name=channel5g-60 reselect-interval=12h tx-power=23
add band=2ghz-g/n control-channel-width=20mhz frequency=2457,2462,2452,2447 name=channel2g_2 reselect-interval=12h tx-power=19
add band=2ghz-b/g/n name=channel2g reselect-interval=12h tx-power=19
/interface bridge
add admin-mac=74:4D:28:8B:99:2A auto-mac=no comment=defconf ingress-filtering=no name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-half,100M-full,1000M-half,1000M-full comment=WAN/nc
set [ find default-name=ether2 ] advertise=100M-full,1000M-full comment=TRUNK
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(16dBm), SSID: MxL, local forwarding
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor keepalive-frames=disabled mode=ap-bridge multicast-helper=disabled preamble-mode=short ssid=MOL station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5785/20-Ce/ac/DP(17dBm), SSID: MxL, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MxL station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# SSID: MxL Guest, local forwarding
add disabled=no mac-address=76:4D:28:8B:99:2E master-interface=wlan1 mode=station name=wlan3 station-roaming=enabled
# managed by CAPsMAN
# SSID: MxL IOT, CAPsMAN forwarding
add mac-address=76:4D:28:8B:99:2F master-interface=wlan1 mode=station name=wlan4 station-roaming=enabled
add mac-address=76:4D:28:8B:99:30 master-interface=wlan2 mode=station name=wlan5 station-roaming=enabled
/interface pppoe-client
add add-default-route=yes interface=ether1 keepalive-timeout=30 name=SSEbb user=**** data removed ****
/interface wireguard
add listen-port=15331 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlanGuest vlan-id=55
add interface=bridge name=vlanIOT vlan-id=33
add disabled=yes interface=bridge name=vlanLTE vlan-id=2
add interface=bridge name=vlanMain vlan-id=88
add interface=ether2 name=vlanVR400 vlan-id=400
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlanVR400 keepalive-timeout=30 max-mru=1492 max-mtu=1492 name=pppoe-telekom use-peer-dns=yes user=**** data removed ****
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=securityMain
add authentication-types=wpa2-psk encryption=aes-ccm name=securityIOT
add authentication-types=wpa2-psk encryption=aes-ccm name=securityGuest
/caps-man configuration
add channel.band=5ghz-a/n/ac .extension-channel=Ce .frequency=5260,5300,5500,5540,5560,5220,5240 .reselect-interval=12h .tx-power=23 country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=no .vlan-id=88 .vlan-mode=use-tag installation=indoor name=cfgMain5g security=securityMain ssid=MxL
add country="united kingdom" datapath.bridge=bridge .vlan-id=33 .vlan-mode=use-tag name=CfgIOT security=securityIOT ssid="MxL IOT"
add channel=channel2g_1 country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=no .vlan-id=88 .vlan-mode=use-tag name=cfgMain2g security=securityMain ssid=MxL
add country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=55 .vlan-mode=use-tag name=cfgGuest security=securityGuest ssid="MxL Guest"
add channel.band=5ghz-a/n/ac .extension-channel=Ce .frequency=5640,5680,5700,5745,5785,5620,5660,5540,5580 .reselect-interval=12h .tx-power=23 country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=88 .vlan-mode=use-tag installation=indoor name=cfgMain5g_Ch2 security=securityMain ssid=\
    MxL
add channel=channel2g_2 country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=88 .vlan-mode=use-tag name=cfgMain2g_ch2 security=securityMain ssid=MxL
/interface ethernet switch port
set 4 default-vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Main
add name=OtherInterfaces
add name=LocalWLAN
add name=CAPsMAN
add comment="Allowed to access internet" name=toInternet
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="profile wlan3 IOT" supplicant-identity=MOL
/ip pool
add name=dhcpMain ranges=192.168.88.5-192.168.88.254
add name=poolVlanGuest ranges=192.168.55.10-192.168.55.200
add name=poolVlanIOT ranges=192.168.33.10-192.168.33.200
add name=dhcpBridge ranges=192.168.77.10-192.168.77.200
/ip dhcp-server
add add-arp=yes address-pool=dhcpMain interface=vlanMain lease-time=1d name=dhcpMain
add address-pool=poolVlanGuest interface=vlanGuest lease-time=1h name=dhcpVlanGuest
add add-arp=yes address-pool=poolVlanIOT interface=vlanIOT lease-time=3d name=dhcpVlanIOT
add add-arp=yes address-pool=dhcpBridge interface=bridge lease-time=1d name=dhcpBridge
/ppp profile
set *0 use-compression=no use-encryption=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=yes signal-range=-77..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject allow-signal-out-of-range=10s disabled=yes signal-range=-120..-80 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=ether2
add disabled=no interface=bridge
add disabled=no forbid=yes interface=SSEbb
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac identity-regexp=cAPAC master-configuration=cfgMain5g name-format=prefix-identity name-prefix=5G slave-configurations=cfgGuest
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=cAPAC master-configuration=cfgMain2g name-format=prefix-identity name-prefix=2G slave-configurations=cfgGuest,CfgIOT
add action=create-dynamic-enabled hw-supported-modes=ac identity-regexp=ac2 master-configuration=cfgMain5g_Ch2 name-format=prefix-identity name-prefix=5G
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=ac2 master-configuration=cfgMain2g_ch2 name-format=prefix-identity name-prefix=2G slave-configurations=cfgGuest,CfgIOT
/interface bridge port
add bridge=bridge comment="Trunk to CAPac" interface=ether2
add bridge=bridge comment=Xbox ingress-filtering=no interface=ether3 pvid=88
add bridge=bridge comment=yamaha ingress-filtering=no interface=ether4 pvid=88
add bridge=bridge comment=Jetson ingress-filtering=no interface=ether5 pvid=88
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,wlan1,wlan2 untagged=ether3,ether4,ether5,ether2 vlan-ids=88
add bridge=bridge tagged=ether2,bridge,wlan1,wlan2 vlan-ids=55
add bridge=bridge tagged=ether2,bridge,wlan1,wlan2 vlan-ids=33
add bridge=bridge disabled=yes tagged=ether2,bridge vlan-ids=2
add bridge=bridge disabled=yes tagged=ether2 vlan-ids=7
/interface list member
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface=SSEbb list=WAN
add interface=vlanMain list=LAN
add interface=vlanGuest list=LAN
add interface=vlanIOT list=LAN
add interface=vlanMain list=Main
add interface=vlanGuest list=OtherInterfaces
add interface=vlanIOT list=OtherInterfaces
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=bridge list=CAPsMAN
add interface=ether2 list=CAPsMAN
add interface=wlan1 list=CAPsMAN
add interface=wlan2 list=CAPsMAN
add interface=bridge list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=vlanGuest list=toInternet
add interface=vlanMain list=toInternet
add interface=wireguard1 list=toInternet
add interface=wireguard1 list=LAN
add comment="LTE VLAN" interface=vlanLTE list=WAN
add interface=vlanVR400 list=LAN
add interface=pppoe-telekom list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
**** data removed ****
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 certificate=request enabled=yes interfaces=wlan1,wlan2 static-virtual=yes 
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlanMain network=192.168.88.0
add address=192.168.55.1/24 interface=vlanGuest network=192.168.55.0
add address=192.168.33.1/24 interface=vlanIOT network=192.168.33.0
add address=192.168.77.1 interface=bridge network=192.168.77.1
add address=10.0.88.1/24 interface=wireguard1 network=10.0.88.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-ntp=no
add interface=vlanVR400
/ip dhcp-server lease
add address=192.168.88.241 client-id=1:44:d2:44:6e:bc:7 mac-address=44:D2:44:6E:BC:07 server=dhcpMain
add address=192.168.88.12 client-id=ff:fa:72:cc:8:0:2:0:0:ab:11:6f:6b:9a:54:bf:ce:f5:f5 mac-address=B8:27:EB:93:38:2E server=dhcpMain
add address=192.168.88.11 mac-address=D8:CB:8A:5D:CD:81 server=dhcpMain
add address=192.168.88.14 client-id=1:e0:d4:e8:18:87:f6 mac-address=E0:D4:E8:18:87:F6 server=dhcpMain
add address=192.168.77.100 client-id=1:60:32:b1:ec:bd:f3 mac-address=60:32:B1:EC:BD:F3 server=dhcpBridge
add address=192.168.77.99 client-id=1:c4:ad:34:6d:43:4c mac-address=C4:AD:34:6D:43:4C server=dhcpBridge
/ip dhcp-server network
add address=10.8.0.0/24 comment="OpenVPN clients" dns-server=192.168.88.11 gateway=192.168.88.11
add address=192.168.33.0/24 comment=IOT domain=iot.mylittlemi.com gateway=192.168.33.1 netmask=24
add address=192.168.55.0/24 comment=Guest dns-server=208.67.222.123,208.67.220.123,1.1.1.1 domain=guest.mylittlemi.com gateway=192.168.55.1 netmask=24
add address=192.168.77.0/24 comment=Bridge gateway=192.168.77.1
add address=192.168.88.0/24 comment=dhcpMain dns-server=208.67.222.123,208.67.220.123 domain=lan.mylittlemi.com gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.11 disabled=yes name=gitlab.mylittlemi.com
add address=192.168.88.11 regexp="(^|.\\\\.)mylittlemi.com"
add address=159.148.147.204 disabled=yes name=download.mikrotik.com
add address=159.148.172.226 disabled=yes name=upgrade.mikrotik.com
/ip firewall address-list
add address=192.168.88.1-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.77.1-192.168.77.254 list=allowed_to_router
add address=127.0.0.1 list=allowed_to_router
add address=10.8.0.0/24 list=OpenVPN_lease
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow internet access" in-interface-list=toInternet out-interface-list=WAN
add action=accept chain=forward comment="main vlan to cap" connection-state=established,related,new dst-address=192.168.77.0/24 in-interface=vlanMain
add action=accept chain=forward comment="vlan main -> IOT" in-interface=vlanMain out-interface=vlanIOT
add action=accept chain=forward comment="vlan IOT -> main" in-interface=vlanIOT out-interface=vlanMain
add action=accept chain=output comment="Allow internet traffic for scripts" disabled=yes out-interface-list=WAN
add action=accept chain=output comment="CAPsMAN out" disabled=yes dst-address-list=allowed_to_router dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=forward comment="wireguard1 -> VLAN IOT" in-interface=wireguard1 out-interface=vlanIOT
add action=accept chain=forward comment="wireguard1 <-> VLAN MAIN" in-interface=wireguard1 in-interface-list=Main out-interface=wireguard1 out-interface-list=Main
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop vlanGuest and vlanIOT > vlanMain" in-interface-list=OtherInterfaces out-interface=vlanMain
add action=drop chain=forward comment="Drop all else"
add action=accept chain=input comment="Accept UDP from allowed addr CAPsMAN" protocol=udp src-address-list=allowed_to_router
add action=accept chain=input comment="Accept ICMP on LAN" in-interface-list=LAN protocol=icmp
add action=accept chain=input comment=wg1 dst-port=15331 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: accept ICMP" in-interface=!vlanMain protocol=icmp
/ip firewall mangle
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu out-interface=pppoe-telekom passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=22488 in-interface=SSEbb log-prefix=itx protocol=tcp to-addresses=192.168.88.11 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=80,443,8855,25 in-interface=SSEbb protocol=tcp to-addresses=192.168.88.11
add action=dst-nat chain=dstnat disabled=yes dst-port=1194 in-interface=SSEbb protocol=udp to-addresses=192.168.88.11
/ip route
add disabled=no dst-address=192.168.77.0/24 gateway=bridge pref-src=192.168.77.1
add comment=OpenVPN disabled=yes distance=1 dst-address=10.8.0.0/24 gateway=192.168.88.11 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=arp disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.77.99 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.88.0/24 interface=vlanMain table=main
add action=lookup disabled=no dst-address=192.168.77.0/24 interface=vlanMain table=main
/system clock
set time-zone-name=Europe/London
/system identity
set name=MxL_hapac2
/system leds
add leds=user-led type=poe-fault
/system leds settings
set all-leds-off=after-1min
/system logging
add disabled=yes topics=pppoe
add disabled=yes topics=dns
add topics=debug,dhcp,caps,wireless
add disabled=yes topics=caps
add disabled=yes topics=wireguard
add disabled=yes topics=pppoe,ppp
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
loloski
Member Candidate
Posts: 296
Joined: Mon Mar 15, 2021 9:10 pm

Re: Firewall/PPPoE connection issue

Sun Sep 25, 2022 11:19 am

Can you move the L2 function to your switch and make your hAP ac2 a router only? I can see that you are asking too much of your hAP ac2, not to mention that the way you configure VLANs on your hAP ac2 is wrong; the approach you took is for the CRS3xx series.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall/PPPoE connection issue

Sun Sep 25, 2022 5:18 pm

... not to mention that the way you configure VLANs on your hAP ac2 is wrong; the approach you took is for the CRS3xx series.

It is definitely not a wrong approach ... inefficient at best. But perhaps the only working one in this particular case. I've had a case where a hAP ac2 running 6.4x with VLANs configured on the switch chip improperly handled tags for the initial PPPoE packets. MT support acknowledged the problem, but they wrote that a fix might not be possible and explicitly said there was no ETA for a fix. I've never seen anything remotely similar mentioned in any of the change logs since then, so I never again tried the switch-chip way of VLANs on that device.

@dualB: there are two PPPoE clients configured, one on ether1 and one on vlanVR400, make sure you only run the right one. And since your WAN is PPPoE, you don't want the DHCP client on ether1 to add a default route at all (set add-default-route=no).
Personally I'd stop blocking ICMP ... security through obscurity is IMO a wrong approach. And ICMP is needed to signal other devices about reduced MTU on a certain interface.
Other than this I agree that the configuration is a (mild) mess.
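To see what the posted input chain does with the ICMP traffic mkx is talking about, the following is a small first-match evaluator over that chain. It is an added example written for this page, not code from the thread or from MikroTik: the rule list is transcribed from dualB's export, the interface and address lists are reduced to the members the input chain needs, the packets are constructed, and matching is simplified to equality and list membership on the fields those rules actually use.

```python
"""First-match evaluator for the /ip firewall filter input chain posted above.

Added example, not code from the thread or from MikroTik. Rules are transcribed
from dualB's export; lists are reduced to the members the input chain needs;
packets are constructed. Matching is simplified to the fields those rules use.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# /interface list member, reduced to what the input chain can reference
INTERFACE_LISTS = {
    "LAN": {"vlanMain", "vlanGuest", "vlanIOT", "bridge", "ether2", "ether3",
            "ether4", "ether5", "wlan1", "wlan2", "wireguard1", "vlanVR400"},
    "WAN": {"ether1", "pppoe-telekom", "vlanLTE"},
}

# /ip firewall address-list allowed_to_router, as (first, last) ranges
ADDRESS_LISTS = {
    "allowed_to_router": [("192.168.88.1", "192.168.88.254"),
                          ("192.168.77.1", "192.168.77.254"),
                          ("127.0.0.1", "127.0.0.1")],
}

# Input chain in posted order; a field a rule omits is a wildcard
INPUT_CHAIN = [
    {"action": "accept", "comment": "Accept UDP from allowed addr CAPsMAN",
     "protocol": "udp", "src_address_list": "allowed_to_router"},
    {"action": "accept", "comment": "Accept ICMP on LAN",
     "in_interface_list": "LAN", "protocol": "icmp"},
    {"action": "accept", "comment": "wg1", "protocol": "udp", "dst_port": 15331},
    {"action": "accept", "comment": "defconf: accept established,related,untracked",
     "connection_state": {"established", "related"}, "in_interface_list": "LAN"},
    {"action": "drop", "comment": "defconf: drop all not coming from LAN",
     "in_interface_list": "!LAN"},
    {"action": "drop", "comment": "defconf: drop invalid", "connection_state": {"invalid"}},
    {"action": "drop", "comment": "defconf: accept ICMP",
     "in_interface": "!vlanMain", "protocol": "icmp"},
]

@dataclass
class Packet:
    in_interface: str
    protocol: str                    # "tcp", "udp" or "icmp"
    src: str
    dst_port: Optional[int] = None
    state: str = "new"               # conntrack state as RouterOS would see it

def _in_address_list(addr: str, name: str) -> bool:
    a = int(ip_address(addr))
    return any(int(ip_address(lo)) <= a <= int(ip_address(hi))
               for lo, hi in ADDRESS_LISTS[name])

def _negatable(spec: str, iface: str, is_list: bool = False) -> bool:
    """RouterOS '!' negation for in-interface / in-interface-list matchers."""
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    hit = iface in INTERFACE_LISTS[name] if is_list else iface == name
    return hit != negate

def rule_matches(rule: dict, pkt: Packet) -> bool:
    return all((
        rule.get("protocol", pkt.protocol) == pkt.protocol,
        rule.get("dst_port", pkt.dst_port) == pkt.dst_port,
        pkt.state in rule.get("connection_state", {pkt.state}),
        "in_interface_list" not in rule or _negatable(rule["in_interface_list"], pkt.in_interface, True),
        "in_interface" not in rule or _negatable(rule["in_interface"], pkt.in_interface),
        "src_address_list" not in rule or _in_address_list(pkt.src, rule["src_address_list"]),
    ))

def evaluate(chain, pkt: Packet):
    """(index, action) of the first matching rule; RouterOS accepts what no rule matched."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return i, rule["action"]
    return None, "accept"

def dead_rules_for(chain, protocol: str, interfaces) -> set:
    """Rules naming `protocol` that never decide such a packet from any interface/state."""
    hit = set()
    for iface in interfaces:
        for st in ("new", "established", "related", "invalid", "untracked"):
            i, _ = evaluate(chain, Packet(iface, protocol, "0.0.0.0", state=st))
            if i is not None:
                hit.add(i)
    return {i for i, r in enumerate(chain) if r.get("protocol") == protocol} - hit

# Constructed packets; the first is the case mkx raises (ICMP type 3 code 4 arrives this way)
SAMPLES = {
    "icmp_from_wan": Packet("pppoe-telekom", "icmp", "203.0.113.7"),
    "icmp_from_guest": Packet("vlanGuest", "icmp", "192.168.55.42"),
    "udp_reply_to_router_from_wan": Packet("pppoe-telekom", "udp", "208.67.222.123",
                                           dst_port=41000, state="established"),
    "wireguard_handshake": Packet("pppoe-telekom", "udp", "198.51.100.9", dst_port=15331),
    "capsman_udp_local": Packet("bridge", "udp", "127.0.0.1", dst_port=5246),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        idx, action = evaluate(INPUT_CHAIN, pkt)
        where = f"rule {idx} ({INPUT_CHAIN[idx]['comment']})" if idx is not None else "chain default"
        print(f"{name:30s} -> {action:6s} by {where}")
    all_ifaces = INTERFACE_LISTS["LAN"] | INTERFACE_LISTS["WAN"]
    print("ICMP rules never reached:", dead_rules_for(INPUT_CHAIN, "icmp", all_ifaces))
```

Run as a script it prints where each constructed packet lands. ICMP arriving on pppoe-telekom is dropped by "drop all not coming from LAN", which is the MTU signalling mkx refers to (Fragmentation Needed is just such an ICMP message). The last rule, commented "defconf: accept ICMP" but set to drop, is never reached by any ICMP packet: LAN-side ICMP is accepted by rule 1 and everything else has already been dropped by rule 4. The same rule 4 also catches the constructed established UDP reply on pppoe-telekom, because the established,related accept in this export was narrowed to in-interface-list=LAN, whereas the stock defconf rule has no interface match.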
 
dualB
just joined
Topic Author
Posts: 13
Joined: Sun May 17, 2020 11:22 am

Re: Firewall/PPPoE connection issue

Wed Sep 28, 2022 10:06 pm

Thank you both for taking the time to review and give feedback. Yes, the configuration is not wonderful, but then I am not an expert and have little spare time for this... having said that, I like to play/learn.

Regarding the tips: I deleted the unneeded interfaces. I also physically moved the device to co-locate it with the VR400. This simplified things a lot (i.e. it worked instantly with no dropped packets). I was trying to avoid relocating, but via VLAN it didn't work: the PPPoE responses were always lost. Whether it was the switch or the hAP ac2, I have no idea.

Since it's a domestic scenario with only a few devices, the CPU/memory load is really low. It's never had an issue keeping up and runs at full bandwidth of the WAN, a mere 50+ Mbps, via ethernet and wifi. CAPsMAN is fantastic, as APs are pretty much plug and play. Overall it's good value for money.
