farmgeluk
just joined
Topic Author
Posts: 7
Joined: Sat May 23, 2020 5:37 pm

Router Blocks some internet Traffic

Sat May 23, 2020 6:32 pm

Hello, I bought a little hAP lite router and did a very basic AP bridge setup of all the LAN ports.
Followed this tutorial (https://www.youtube.com/watch?v=fwz54ty ... x=2&t=287s).
On the firewall I did a NAT rule with the recommended srcnat / masquerade setup. Everything seemed to be working and I can connect to the internet through the LAN ports as well as the W-LAN port. The only problem that I found is that I have an openHABian server running and the cloud connector is not able to connect to the proxy server. Also, Node-RED has a Projects node where you can push your setup to a repository; this is also blocked.
All of this does work if I connect directly to the LTE router, so I am pretty sure that the MikroTik router blocks some port of some sort.

Where should I start looking to find the problem?
 
netpinamar
just joined
Posts: 7
Joined: Sat May 23, 2020 3:35 am

Re: Router Blocks some internet Traffic

Sat May 23, 2020 11:18 pm

Hello, can you paste an export of your current configuration? (New Terminal ---> export)
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router Blocks some internet Traffic

Sun May 24, 2020 12:01 am

/export hide-sensitive file=anynameyouwish

Open in Notepad++ and copy here (ensure that the client WAN IP is removed).

Just a note, much of the stuff on YouTube is outdated or full of extra unnecessary garbage.
The default rules are good to go out of the box.
Will have you up and running in no time.

One question. Do you wish users on the same LAN as the server to access the server via dyndns name/url as well as external users??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
farmgeluk
just joined
Topic Author
Posts: 7
Joined: Sat May 23, 2020 5:37 pm

Re: Router Blocks some internet Traffic

Sun May 24, 2020 6:28 am

One question. Do you wish users on the same LAN as the server to access the server via dyndns name/url as well as external users??
Thank you for the feedback! All the local devices must have access to the server. openHAB has a Cloud Proxy Server (I hope I named it correctly). Using the Cloud Connector "plugin", you use a key and system ID that then connects to the cloud server. I then have access to the server without the need to do port forwarding, as it is linked to my openHAB account.

The main reason for getting the router is to monitor the internet traffic and possibly block some of the devices that do not need the internet. (For instance, I have an old DVR and when I had the router running I could see, via Torch, that it was constantly sending packets to some remote server, so that I would want to block :)

Also attached is the rsc file.
 
farmgeluk
just joined
Topic Author
Posts: 7
Joined: Sat May 23, 2020 5:37 pm

Re: Router Blocks some internet Traffic

Sun May 24, 2020 8:50 am

As suggested, I reset the router and accepted the default settings. (Note: I got two separate default configs, one when you do a hard reset and the other with a soft reset; the soft reset had the config that I wanted.)
Everything seems to be working and I will go through all the settings to see what they all do. Thank you for the "push" in the right direction.

Just one last question, for now :). I notice that there is a significant difference between the LAN connection speed and the WiFi port. The WiFi is at full ISP speed but the LAN is severely throttled. If I do a file download from think board on my PC I'll get a max download speed of 20k, but on my phone connected to the WiFi with the phone's mobile network switched off it will download at 20m.
Where should I look to see how the LAN ports are limited?
Attached is the default config file.
 
Jotne
Forum Guru
Posts: 1625
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Router Blocks some internet Traffic

Sun May 24, 2020 10:59 am

It's better if you post the config directly and not just the file, but like this:
# may/24/2020 07:40:23 by RouterOS 6.46.6
# software id = 0Q6R-8P8C
#
# model = RB941-2nD
# serial number = 9D740A0996CE
/interface bridge
add admin-mac=74:4D:28:33:0F:88 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=myProfile supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country="south africa" disabled=no distance=indoors \
    frequency=auto frequency-mode=superchannel mode=ap-bridge \
    security-profile=myProfile ssid=MYSSID wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.8.10-192.168.8.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether2 network=\
    192.168.8.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.8.105 mac-address=F0:E7:7E:97:E9:0E server=defconf
add address=192.168.8.101 client-id=1:b8:27:eb:77:c2:7 mac-address=\
    B8:27:EB:77:C2:07 server=defconf
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.8.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.8.20 list="Block Internet"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="Block users from Accessing Internet" \
    src-address-list="Block Internet"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=MyTimeZone
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
First thing I do see wrong is that you have put the inside IP on Ethernet 2 that is part of a bridge.
It should be something like this:
/ip address
add address=192.168.8.1/24 comment=defconf interface=bridge network=\
    192.168.8.0
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
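A check for the misconfiguration pointed out in this post, as an added example that is not part of the original thread: it parses a RouterOS export and reports any `/ip address` entry bound to an interface that is a bridge member port. The function names are hypothetical and the sample is a constructed excerpt of the export above.

```python
import shlex

# Constructed sample: the relevant lines of the export posted above.
EXPORT = r"""
/interface bridge
add admin-mac=74:4D:28:33:0F:88 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether2 network=\
    192.168.8.0
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
"""

def parse_export(text):
    """Yield (menu, params) for every 'add' line of a RouterOS export."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):        # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):       # menu path, e.g. "/ip address"
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])   # keeps quoted values such as comment="a b" whole
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def addresses_on_bridge_ports(text):
    """Return (address, port, bridge) for each IP bound to a bridge member port."""
    ports, addrs = {}, []
    for menu, params in parse_export(text):
        if menu == "/interface bridge port":
            ports[params["interface"]] = params["bridge"]
        elif menu == "/ip address":
            addrs.append((params["address"], params["interface"]))
    return [(a, i, ports[i]) for a, i in addrs if i in ports]

if __name__ == "__main__":
    for addr, port, bridge in addresses_on_bridge_ports(EXPORT):
        print(f"{addr} is on bridge port {port}; move it to {bridge}")
```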
 
 
farmgeluk
just joined
Topic Author
Posts: 7
Joined: Sat May 23, 2020 5:37 pm

Re: Router Blocks some internet Traffic

Sun May 24, 2020 12:39 pm

Thank you for the feedback. I have made the change as suggested but it does not make any difference to the download speed of the LAN connection. The maximum download speed that I can get, so far, was about 3.5M in Speed test; if I change the connection to WiFi it will go up to 15M. My ISP provides a 20m connection.

I have also compared the two interfaces but can't see any apparent differences. Any ideas?
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router Blocks some internet Traffic

Sun May 24, 2020 2:04 pm

Yes the presentation as Jotne noted is possible with the code links...........
I will look to see if I see anything.

(1) Here is the main error I see.
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether2 network=\
192.168.8.0

should be
add address=192.168.8.1/24 comment=defconf interface=bridge network=\
192.168.8.0

(2) slight modification needed here. The order of rules is important so move the block internet rule after the invalid rule........ like so.
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="Block users from Accessing Internet" \
src-address-list="Block Internet"
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
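First-match evaluation of the forward chain for the two placements of the "Block Internet" rule, as an added example that is not part of the original post. It is a simplified model: only the connection-state and src-address-list matchers are implemented, the ipsec and fasttrack rules are left out, and the sample packets are constructed.

```python
# Simplified first-match model of the forward chain (assumption: only the
# connection-state and src-address-list matchers are modelled).
BLOCK_LIST = {"192.168.8.20"}   # the "Block Internet" entry from the export

ACCEPT_EST = {"action": "accept", "states": {"established", "related", "untracked"}}
DROP_INVALID = {"action": "drop", "states": {"invalid"}}
DROP_BLOCKED = {"action": "drop", "src_list": BLOCK_LIST}

ORDER_POSTED = [DROP_BLOCKED, ACCEPT_EST, DROP_INVALID]   # block rule first, as exported
ORDER_MOVED = [ACCEPT_EST, DROP_INVALID, DROP_BLOCKED]    # block rule after drop invalid

def matches(rule, pkt):
    """A rule matches only if every matcher it carries matches the packet."""
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    if "src_list" in rule and pkt["src"] not in rule["src_list"]:
        return False
    return True

def verdict(chain, pkt):
    """Action of the first matching rule; a packet matching no rule is accepted."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def compare(pkt):
    """Return (verdict with posted order, verdict with moved block rule)."""
    return verdict(ORDER_POSTED, pkt), verdict(ORDER_MOVED, pkt)

SAMPLES = [  # constructed packets
    {"src": "192.168.8.20", "state": "new"},
    {"src": "192.168.8.20", "state": "established"},
    {"src": "192.168.8.101", "state": "new"},
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, compare(pkt))
```

New connections from a listed address are dropped in both orders. A packet on an already established connection from a listed address is dropped with the rule at the top of the chain and accepted when the rule sits below the established,related accept.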
 
farmgeluk
just joined
Topic Author
Posts: 7
Joined: Sat May 23, 2020 5:37 pm

Re: Router Blocks some internet Traffic

Sun May 24, 2020 2:34 pm

I have made the changes as suggested, but with no luck. What makes this difficult is that the W-LAN and ether2 are part of the same bridge, so why is the eth port being throttled and not the W-LAN port?
This is what the relevant setting looks like now:
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
and:
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="Block users from Accessing Internet" \
    src-address-list="Block Internet"
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router Blocks some internet Traffic

Sun May 24, 2020 2:36 pm

You have to be careful,
All I asked you to do was move that block internet forward chain rule down from where it was to below the forward chain invalid rule.
It looks like you did something different........... ?? (why do you have the invalid input chain rule there, it belongs in the input chain??)


Did you change the IP address as Jotne noted? I didn't state that one because he already covered it!!
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether2 network=\
192.168.8.0

should be
add address=192.168.8.1/24 comment=defconf interface=bridge network=\
192.168.8.0
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router Blocks some internet Traffic

Sun May 24, 2020 2:44 pm

I am more concerned that you learn from the help vice get the config right LOL.
In other words, if we are putting all the interfaces on the bridge, and the bridge is providing DHCP, I hope you can see that mixing the config between bridge and eth2 is wrong.
Eth2 is not in play; it's simply like any other ethernet interface now on the router that is connected to the bridge.
 
Jotne
Forum Guru
Posts: 1625
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Router Blocks some internet Traffic

Sun May 24, 2020 3:00 pm

As I can see, he did fix this after my first post about it.
I have made the change as suggested but it does not make any difference to the download speed of the LAN connection.
 
 
 
farmgeluk
just joined
Topic Author
Posts: 7
Joined: Sat May 23, 2020 5:37 pm

Re: Router Blocks some internet Traffic

Sun May 24, 2020 3:55 pm

Correct, I did the change to the bridge, but it did not make any difference. From what I could understand, all the traffic will run through the firewall and the rules will apply to all the interfaces. Same with the bridge, so why would there be a difference in internet speed?
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router Blocks some internet Traffic

Sun May 24, 2020 4:54 pm

Check your cables and terminations.........
 
farmgeluk
just joined
Topic Author
Posts: 7
Joined: Sat May 23, 2020 5:37 pm

Re: Router Blocks some internet Traffic

Sun May 24, 2020 5:38 pm

Could be, but it was the first thing that I checked. Also, if I connect the same cable directly into the LTE router I get the full speed. Keep in mind that I used the default settings from the router. I also swapped out the cables just in case.
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router Blocks some internet Traffic

Sun May 24, 2020 8:15 pm

Hmmm, I cannot see why else that would occur??