I have a Hap Ac2 ros 7.5; after 6 months on LTE I just got VDSL. I'm having some issues. I have used VDSL previously without issues.
Problem 1: Websites either do not load or are slow to load. For example, https://mt.lv/winbox64 is inaccessible!
Problem 2: Since adding the new PPPoE client, the ether1 DHCP client does not renew. The route is not maintained.
Firewall seems to be dropping a lot of packets on the forward chain, so I suspected it's a packet size issue. However, the PPPoE client is already configured and a mangle rule is in place.
The VDSL connection is via Telekom DE, so MTU 1492 is supported and is the actual value for the connected AC.
Physical connections:
ISP <--> TP-Link VR400 bridge mode <--> Managed switch <--VLAN 400--> Hap AC2 ether 2
LTE router <--> Hap Ac2 ether 1
I tested the connection directly from the VR400, the internet works fine.
Code: Select all
# model = RBD52G-5HacD2HnD
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2422,2427,2432,2437,2442,2412,2417 name=channel2g_1 reselect-interval=12h tx-power=19
add band=5ghz-a/n/ac extension-channel=Ce frequency=5220 name=channel5g-44 reselect-interval=12h skip-dfs-channels=no tx-power=23
add band=5ghz-a/n/ac extension-channel=Ce frequency=5260 name=channel5g-52 reselect-interval=12h tx-power=23
add band=5ghz-a/n/ac extension-channel=Ce frequency=5300 name=channel5g-60 reselect-interval=12h tx-power=23
add band=2ghz-g/n control-channel-width=20mhz frequency=2457,2462,2452,2447 name=channel2g_2 reselect-interval=12h tx-power=19
add band=2ghz-b/g/n name=channel2g reselect-interval=12h tx-power=19
/interface bridge
add admin-mac=74:4D:28:8B:99:2A auto-mac=no comment=defconf ingress-filtering=no name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-half,100M-full,1000M-half,1000M-full comment=WAN/nc
set [ find default-name=ether2 ] advertise=100M-full,1000M-full comment=TRUNK
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(16dBm), SSID: MxL, local forwarding
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor keepalive-frames=disabled mode=ap-bridge multicast-helper=disabled preamble-mode=short ssid=MOL station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5785/20-Ce/ac/DP(17dBm), SSID: MxL, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MxL station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# SSID: MxL Guest, local forwarding
add disabled=no mac-address=76:4D:28:8B:99:2E master-interface=wlan1 mode=station name=wlan3 station-roaming=enabled
# managed by CAPsMAN
# SSID: MxL IOT, CAPsMAN forwarding
add mac-address=76:4D:28:8B:99:2F master-interface=wlan1 mode=station name=wlan4 station-roaming=enabled
add mac-address=76:4D:28:8B:99:30 master-interface=wlan2 mode=station name=wlan5 station-roaming=enabled
/interface pppoe-client
add add-default-route=yes interface=ether1 keepalive-timeout=30 name=SSEbb user=**** data removed ****
/interface wireguard
add listen-port=15331 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlanGuest vlan-id=55
add interface=bridge name=vlanIOT vlan-id=33
add disabled=yes interface=bridge name=vlanLTE vlan-id=2
add interface=bridge name=vlanMain vlan-id=88
add interface=ether2 name=vlanVR400 vlan-id=400
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlanVR400 keepalive-timeout=30 max-mru=1492 max-mtu=1492 name=pppoe-telekom use-peer-dns=yes user=**** data removed ****
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=securityMain
add authentication-types=wpa2-psk encryption=aes-ccm name=securityIOT
add authentication-types=wpa2-psk encryption=aes-ccm name=securityGuest
/caps-man configuration
add channel.band=5ghz-a/n/ac .extension-channel=Ce .frequency=5260,5300,5500,5540,5560,5220,5240 .reselect-interval=12h .tx-power=23 country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=no .vlan-id=88 .vlan-mode=use-tag installation=indoor name=cfgMain5g security=securityMain ssid=MxL
add country="united kingdom" datapath.bridge=bridge .vlan-id=33 .vlan-mode=use-tag name=CfgIOT security=securityIOT ssid="MxL IOT"
add channel=channel2g_1 country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=no .vlan-id=88 .vlan-mode=use-tag name=cfgMain2g security=securityMain ssid=MxL
add country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=55 .vlan-mode=use-tag name=cfgGuest security=securityGuest ssid="MxL Guest"
add channel.band=5ghz-a/n/ac .extension-channel=Ce .frequency=5640,5680,5700,5745,5785,5620,5660,5540,5580 .reselect-interval=12h .tx-power=23 country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=88 .vlan-mode=use-tag installation=indoor name=cfgMain5g_Ch2 security=securityMain ssid=\
MxL
add channel=channel2g_2 country="united kingdom" datapath.bridge=bridge .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=88 .vlan-mode=use-tag name=cfgMain2g_ch2 security=securityMain ssid=MxL
/interface ethernet switch port
set 4 default-vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Main
add name=OtherInterfaces
add name=LocalWLAN
add name=CAPsMAN
add comment="Allowed to access internet" name=toInternet
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="profile wlan3 IOT" supplicant-identity=MOL
/ip pool
add name=dhcpMain ranges=192.168.88.5-192.168.88.254
add name=poolVlanGuest ranges=192.168.55.10-192.168.55.200
add name=poolVlanIOT ranges=192.168.33.10-192.168.33.200
add name=dhcpBridge ranges=192.168.77.10-192.168.77.200
/ip dhcp-server
add add-arp=yes address-pool=dhcpMain interface=vlanMain lease-time=1d name=dhcpMain
add address-pool=poolVlanGuest interface=vlanGuest lease-time=1h name=dhcpVlanGuest
add add-arp=yes address-pool=poolVlanIOT interface=vlanIOT lease-time=3d name=dhcpVlanIOT
add add-arp=yes address-pool=dhcpBridge interface=bridge lease-time=1d name=dhcpBridge
/ppp profile
set *0 use-compression=no use-encryption=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=yes signal-range=-77..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject allow-signal-out-of-range=10s disabled=yes signal-range=-120..-80 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=ether2
add disabled=no interface=bridge
add disabled=no forbid=yes interface=SSEbb
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac identity-regexp=cAPAC master-configuration=cfgMain5g name-format=prefix-identity name-prefix=5G slave-configurations=cfgGuest
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=cAPAC master-configuration=cfgMain2g name-format=prefix-identity name-prefix=2G slave-configurations=cfgGuest,CfgIOT
add action=create-dynamic-enabled hw-supported-modes=ac identity-regexp=ac2 master-configuration=cfgMain5g_Ch2 name-format=prefix-identity name-prefix=5G
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=ac2 master-configuration=cfgMain2g_ch2 name-format=prefix-identity name-prefix=2G slave-configurations=cfgGuest,CfgIOT
/interface bridge port
add bridge=bridge comment="Trunk to CAPac" interface=ether2
add bridge=bridge comment=Xbox ingress-filtering=no interface=ether3 pvid=88
add bridge=bridge comment=yamaha ingress-filtering=no interface=ether4 pvid=88
add bridge=bridge comment=Jetson ingress-filtering=no interface=ether5 pvid=88
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,wlan1,wlan2 untagged=ether3,ether4,ether5,ether2 vlan-ids=88
add bridge=bridge tagged=ether2,bridge,wlan1,wlan2 vlan-ids=55
add bridge=bridge tagged=ether2,bridge,wlan1,wlan2 vlan-ids=33
add bridge=bridge disabled=yes tagged=ether2,bridge vlan-ids=2
add bridge=bridge disabled=yes tagged=ether2 vlan-ids=7
/interface list member
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface=SSEbb list=WAN
add interface=vlanMain list=LAN
add interface=vlanGuest list=LAN
add interface=vlanIOT list=LAN
add interface=vlanMain list=Main
add interface=vlanGuest list=OtherInterfaces
add interface=vlanIOT list=OtherInterfaces
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=bridge list=CAPsMAN
add interface=ether2 list=CAPsMAN
add interface=wlan1 list=CAPsMAN
add interface=wlan2 list=CAPsMAN
add interface=bridge list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=vlanGuest list=toInternet
add interface=vlanMain list=toInternet
add interface=wireguard1 list=toInternet
add interface=wireguard1 list=LAN
add comment="LTE VLAN" interface=vlanLTE list=WAN
add interface=vlanVR400 list=LAN
add interface=pppoe-telekom list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
**** data removed ****
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 certificate=request enabled=yes interfaces=wlan1,wlan2 static-virtual=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlanMain network=192.168.88.0
add address=192.168.55.1/24 interface=vlanGuest network=192.168.55.0
add address=192.168.33.1/24 interface=vlanIOT network=192.168.33.0
add address=192.168.77.1 interface=bridge network=192.168.77.1
add address=10.0.88.1/24 interface=wireguard1 network=10.0.88.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-ntp=no
add interface=vlanVR400
/ip dhcp-server lease
add address=192.168.88.241 client-id=1:44:d2:44:6e:bc:7 mac-address=44:D2:44:6E:BC:07 server=dhcpMain
add address=192.168.88.12 client-id=ff:fa:72:cc:8:0:2:0:0:ab:11:6f:6b:9a:54:bf:ce:f5:f5 mac-address=B8:27:EB:93:38:2E server=dhcpMain
add address=192.168.88.11 mac-address=D8:CB:8A:5D:CD:81 server=dhcpMain
add address=192.168.88.14 client-id=1:e0:d4:e8:18:87:f6 mac-address=E0:D4:E8:18:87:F6 server=dhcpMain
add address=192.168.77.100 client-id=1:60:32:b1:ec:bd:f3 mac-address=60:32:B1:EC:BD:F3 server=dhcpBridge
add address=192.168.77.99 client-id=1:c4:ad:34:6d:43:4c mac-address=C4:AD:34:6D:43:4C server=dhcpBridge
/ip dhcp-server network
add address=10.8.0.0/24 comment="OpenVPN clients" dns-server=192.168.88.11 gateway=192.168.88.11
add address=192.168.33.0/24 comment=IOT domain=iot.mylittlemi.com gateway=192.168.33.1 netmask=24
add address=192.168.55.0/24 comment=Guest dns-server=208.67.222.123,208.67.220.123,1.1.1.1 domain=guest.mylittlemi.com gateway=192.168.55.1 netmask=24
add address=192.168.77.0/24 comment=Bridge gateway=192.168.77.1
add address=192.168.88.0/24 comment=dhcpMain dns-server=208.67.222.123,208.67.220.123 domain=lan.mylittlemi.com gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.11 disabled=yes name=gitlab.mylittlemi.com
add address=192.168.88.11 regexp="(^|.\\\\.)mylittlemi.com"
add address=159.148.147.204 disabled=yes name=download.mikrotik.com
add address=159.148.172.226 disabled=yes name=upgrade.mikrotik.com
/ip firewall address-list
add address=192.168.88.1-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.77.1-192.168.77.254 list=allowed_to_router
add address=127.0.0.1 list=allowed_to_router
add address=10.8.0.0/24 list=OpenVPN_lease
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow internet access" in-interface-list=toInternet out-interface-list=WAN
add action=accept chain=forward comment="main vlan to cap" connection-state=established,related,new dst-address=192.168.77.0/24 in-interface=vlanMain
add action=accept chain=forward comment="vlan main -> IOT" in-interface=vlanMain out-interface=vlanIOT
add action=accept chain=forward comment="vlan IOT -> main" in-interface=vlanIOT out-interface=vlanMain
add action=accept chain=output comment="Allow internet traffic for scripts" disabled=yes out-interface-list=WAN
add action=accept chain=output comment="CAPsMAN out" disabled=yes dst-address-list=allowed_to_router dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=forward comment="wireguard1 -> VLAN IOT" in-interface=wireguard1 out-interface=vlanIOT
add action=accept chain=forward comment="wireguard1 <-> VLAN MAIN" in-interface=wireguard1 in-interface-list=Main out-interface=wireguard1 out-interface-list=Main
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop vlanGuest and vlanIOT > vlanMain" in-interface-list=OtherInterfaces out-interface=vlanMain
add action=drop chain=forward comment="Drop all else"
add action=accept chain=input comment="Accept UDP from allowed addr CAPsMAN" protocol=udp src-address-list=allowed_to_router
add action=accept chain=input comment="Accept ICMP on LAN" in-interface-list=LAN protocol=icmp
add action=accept chain=input comment=wg1 dst-port=15331 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: accept ICMP" in-interface=!vlanMain protocol=icmp
/ip firewall mangle
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu out-interface=pppoe-telekom passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=22488 in-interface=SSEbb log-prefix=itx protocol=tcp to-addresses=192.168.88.11 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=80,443,8855,25 in-interface=SSEbb protocol=tcp to-addresses=192.168.88.11
add action=dst-nat chain=dstnat disabled=yes dst-port=1194 in-interface=SSEbb protocol=udp to-addresses=192.168.88.11
/ip route
add disabled=no dst-address=192.168.77.0/24 gateway=bridge pref-src=192.168.77.1
add comment=OpenVPN disabled=yes distance=1 dst-address=10.8.0.0/24 gateway=192.168.88.11 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=arp disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.77.99 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.88.0/24 interface=vlanMain table=main
add action=lookup disabled=no dst-address=192.168.77.0/24 interface=vlanMain table=main
/system clock
set time-zone-name=Europe/London
/system identity
set name=MxL_hapac2
/system leds
add leds=user-led type=poe-fault
/system leds settings
set all-leds-off=after-1min
/system logging
add disabled=yes topics=pppoe
add disabled=yes topics=dns
add topics=debug,dhcp,caps,wireless
add disabled=yes topics=caps
add disabled=yes topics=wireguard
add disabled=yes topics=pppoe,ppp
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN