I still haven't had a chance to switch back to the MK, but I'm pretty sure it's an MTU issue. I used to have a static IP from my ISP. Then some trunk was cut in Colorado and everyone with a static IP in town only saw half of the internet. So I went to a dynamic IP and that's when the problems started. My ISP uses CGNAT. I don't really know much about it, but I'm thinking that's adding to the packet size. I can't ping google.com with a size any larger than 1472.
When I go back to the MK, I'm gonna drop the MTU on my WAN port. I'll also try to get a static IP again. That might wait until our AirBnB guests leave.
# jul/18/2020 20:56:38 by RouterOS 6.47.1
# software id = R9RF-MAEY
#
# model = 2011UiAS-2HnD r2
# serial number = 91DF099E8A71
/interface bridge
add comment="Hospitality House network" name=bridgeGuest
add admin-mac=##:##:##:##:##:## auto-mac=no comment=DTJNet name=bridgeMain
add name=bridgePhone
add name=bridgeSecurity
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="DTJ Desktop"
set [ find default-name=ether3 ] comment=Printer/Scanner
set [ find default-name=ether4 ] comment="*VLAN TEST*"
set [ find default-name=ether5 ] comment="*VLAN TEST*"
set [ find default-name=ether6 ] comment="Media Switch"
set [ find default-name=ether9 ] comment="Hospitality House trunk"
set [ find default-name=ether10 ] comment="VoIP (Phone)"
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-XX country="united states" disabled=no distance=indoors \
frequency=2437 frequency-mode=manual-txpower mode=ap-bridge ssid=DTJNet \
station-roaming=enabled wireless-protocol=802.11
/interface ethernet switch port
set 4 default-vlan-id=12 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******** \
wpa2-pre-shared-key=********
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
supplicant-identity=MikroTik wpa-pre-shared-key=newJoy123 \
wpa2-pre-shared-key=newJoy123
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=secure-proposal \
pfs-group=modp4096
/ip pool
add name=dhcp ranges=192.168.0.101-192.168.0.150
add name=poolHH ranges=192.168.1.101-192.168.1.150
add name=poolOpenVPN ranges=192.168.10.10-192.168.10.99
add name=poolPhones ranges=192.168.6.100-192.168.6.110
add name=poolHome ranges=192.168.10.100-192.168.10.199
add name=poolMedia ranges=192.168.13.100-192.168.13.199
add name=poolGuest ranges=192.168.15.100-192.168.15.199
add name=poolSecurity ranges=192.168.12.100-192.168.12.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridgeMain lease-time=12h name=\
dhcpDTJ
add address-pool=poolHH disabled=no interface=bridgeGuest lease-time=12h \
name=dhcpHH
add address-pool=poolPhones disabled=no interface=bridgePhone lease-time=12h \
name=dhcpPhone
add address-pool=poolHome disabled=no lease-time=12h name=dhcpHome
add address-pool=poolMedia disabled=no lease-time=12h name=dhcpMedia
add address-pool=poolGuest disabled=no lease-time=12h name=dhcpGuest
add address-pool=poolSecurity disabled=no lease-time=12h name=dhcpSecurity
/ipv6 pool
add name=IPv6Blacklist prefix=ff12::8384/128 prefix-length=128
/ppp profile
add local-address=192.168.10.33 name=OpenVPN remote-address=poolOpenVPN \
use-encryption=required
add dns-server=192.168.10.250 local-address=192.168.10.250 name=vpn-profile \
remote-address=poolOpenVPN use-encryption=yes
/queue simple
add comment="Bandwidth limit Dropbox" max-limit=5M/10M name=Dropbox \
packet-marks=dropbox target=192.168.0.0/24
add comment="Bandwidth limit the guest network" dst=ether1 max-limit=5M/25M \
name=Guest target=192.168.1.0/24
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (bridgeGuest) is not slave
add action=drop chain=forward in-interface=*E
# in/out-bridge-port matcher not possible when interface (bridgeGuest) is not slave
add action=drop chain=forward out-interface=*E
/interface bridge port
add bridge=bridgeMain comment=defconf interface=ether2
add bridge=bridgeMain comment=defconf interface=ether3
add bridge=bridgeMain comment=defconf interface=ether4
add bridge=bridgeMain comment=defconf interface=ether5
add bridge=bridgeMain comment=defconf interface=ether6
add bridge=bridgeMain comment=defconf interface=ether7
add bridge=bridgeMain comment=defconf interface=ether8
add bridge=bridgeGuest comment="Hospitality House Router" hw=no interface=\
ether9
add bridge=bridgePhone comment="VoiP Adapter" interface=ether10
add bridge=bridgeMain comment=defconf interface=sfp1
add bridge=bridgeMain comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set rp-filter=strict
/interface detect-internet
set detect-interface-list=all
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,ether5 switch=switch1 \
vlan-id=12
/interface list member
add comment="DTJNet bridge interface" interface=bridgeMain list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Hospitality House bridge interface" interface=bridgeGuest list=\
LAN
add comment="IP Phone bridge interface" interface=bridgePhone list=LAN
add comment="Security bridge interface" interface=bridgeSecurity list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
default-profile=vpn-profile enabled=yes keepalive-timeout=disabled \
require-client-certificate=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
192.168.0.0
add address=192.168.0.1/24 comment=defconf interface=bridgeMain network=\
192.168.0.0
add address=192.168.1.2/24 interface=bridgeGuest network=192.168.1.0
add address=192.168.6.1/24 interface=bridgePhone network=192.168.6.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.110 mac-address=00:16:E3:FE:C7:82 server=dhcpDTJ
add address=192.168.0.107 client-id=1:b4:f1:da:ed:ea:3b mac-address=\
B4:F1:DA:ED:EA:3B server=dhcpDTJ
add address=192.168.0.113 mac-address=3C:59:1E:E5:EC:B7 server=dhcpDTJ
add address=192.168.0.90 mac-address=00:24:D7:B9:28:F8 server=dhcpDTJ
/ip dhcp-server network
add address=192.168.0.0/24 comment=DTJNet gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 comment="Hospitality House" gateway=192.168.1.2
add address=192.168.6.0/24 comment=VoIP gateway=192.168.6.1
add address=192.168.10.0/24 comment=vlanHome gateway=192.168.10.1 netmask=24
add address=192.168.11.0/24 comment=vlanPrinter gateway=192.168.11.1 netmask=\
24
add address=192.168.12.0/24 comment=vlanSecurity gateway=192.168.12.1 \
netmask=24
add address=192.168.13.0/24 comment=vlanMedia gateway=192.168.13.1 netmask=24
add address=192.168.14.0/24 comment=vlanVoIP gateway=192.168.14.1 netmask=24
add address=192.168.15.0/24 comment=vlanGuest gateway=192.168.15.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,64.6.64.6
/ip dns static
add address=192.168.0.1 name=router.lan type=A
/ip firewall address-list
add address=192.168.0.0/24 list=DTJnet
add address=192.168.1.0/24 list=HHnet
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=192.168.6.0/24 list=PhoneNet
add address=192.168.0.13 list=Camera
add address=192.168.0.14 list=Camera
add address=192.168.0.1 list=Routers
add address=192.168.1.3 list=Routers
add address=192.168.0.100 list=AdminPC
add address=192.168.0.90 list=AdminPC
add address=192.168.0.107 list=AdminPC
add address=162.125.0.0/16 list=Dropbox
/ip firewall filter
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Bogon forward" in-interface=\
ether1 log=yes log-prefix="Bogon forward" src-address-list=Bogon
add action=drop chain=forward comment="Drop all traffic from closesecure addre\
sses until scheduled script can delete the secure address list" \
src-address-list=closesecure
add action=add-src-to-address-list address-list=secure address-list-timeout=\
5m chain=forward comment=\
"Refresh source address list timer for data coming from that source." \
src-address-list=secure
add action=jump chain=forward comment=\
">> Incoming camera access: Jump to SECURE-IN" dst-address-list=Camera \
jump-target=SECURE-IN
add action=jump chain=forward comment=\
">> Outgoing camera: Jump to SECURE-OUT" jump-target=SECURE-OUT \
src-address-list=Camera
add action=jump chain=forward comment=">> Guest-to-main: Jump to OTHER2MAIN" \
in-interface=bridgeGuest jump-target=OTHER2MAIN out-interface=bridgeMain
add action=accept chain=forward comment=\
"Allow connections from main network to Hosp House" in-interface=\
bridgeMain out-interface=bridgeGuest
add action=accept chain=forward comment="Allow responses from Phone network to\
\_main network for established connections" connection-state=\
established,related in-interface=bridgePhone out-interface=bridgeMain
add action=drop chain=forward comment=\
"Drop new connections from Phone to main network" connection-state=\
invalid,new in-interface=bridgePhone out-interface=bridgeMain
add action=accept chain=forward comment=\
"Allow connections from main network to Phone network" in-interface=\
bridgeMain out-interface=bridgePhone
add action=add-src-to-address-list address-list=AbuseLog \
address-list-timeout=none-dynamic chain=forward comment=\
"Add incoming Abuse IP to AbuseLog list." src-address-list=Abuse
add action=drop chain=forward comment=\
"Drop all incoming from Abuse addresses" src-address-list=Abuse
add action=drop chain=forward comment="Drop all outgoing to Abuse addresses" \
dst-address-list=Abuse
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Enable LAN to WAN for main network" \
in-interface=bridgeMain out-interface=ether1
add action=accept chain=forward comment="Enable LAN to WAN for Hosp House" \
in-interface=bridgeGuest out-interface=ether1
add action=accept chain=forward comment="Enable LAN to WAN for phone network" \
in-interface=bridgePhone out-interface=ether1
add action=accept chain=forward comment="Enable LAN to WAN for Security" \
in-interface=bridgeSecurity out-interface=ether1
add action=accept chain=forward comment=\
"Accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other incoming traffic"
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment=\
"Always allow access to routers and switches from desktop PC." \
dst-address-list=Routers src-address-list=AdminPC
add action=add-src-to-address-list address-list=knockport1 \
address-list-timeout=3s chain=input comment="Port knock 1" dst-port=##### \
protocol=tcp
add action=add-src-to-address-list address-list=knockport2 \
address-list-timeout=3s chain=input comment="Port knock 2" dst-port=##### \
protocol=udp src-address-list=knockport1
add action=add-src-to-address-list address-list=secure address-list-timeout=\
5m chain=input comment="Port knock 3 - Add address to secure list" \
dst-port=##### log=yes log-prefix="Knocked port open" protocol=tcp \
src-address-list=knockport2
add action=add-src-to-address-list address-list=closesecure \
address-list-timeout=5m chain=input comment="Close open knocked port on re\
quest. This blocks the source IP until a timer can remove the closesecure \
and secure address lists." dst-port=##### protocol=tcp src-address-list=\
secure
add action=drop chain=input comment=\
"Drop access to routers and switches from other networks" \
dst-address-list=Routers
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=accept chain=input comment="Accept ICMP only from main network" \
protocol=icmp src-address-list=DTJnet
add action=drop chain=input comment=\
"Drop all other traffic destined to router." in-interface-list=!LAN
add action=add-src-to-address-list address-list=secure address-list-timeout=\
5m chain=SECURE-IN comment="SECURE-IN: Incoming packets from secure remote\
\_address restart secure timer" src-address-list=secure
add action=accept chain=SECURE-IN comment=\
"SECURE-IN: Allow security camera access if secured by port knocks" \
dst-port=##### protocol=tcp src-address-list=secure
add action=log chain=SECURE-IN comment=\
"SECURE-IN: Log incoming camera access" connection-state=\
invalid,new,untracked dst-address-list=Camera log=yes log-prefix=\
CAMERA-INBOUND
add action=drop chain=SECURE-IN comment=\
"SECURE-IN: Drop all other incoming camera access" dst-address-list=\
Camera
add action=log chain=SECURE-OUT comment=\
"SECURE-OUT: Log outgoing camera access" connection-state=\
invalid,new,untracked log=yes log-prefix=CAMERA-OUTBOUND \
src-address-list=Camera
add action=add-dst-to-address-list address-list=_CameraOutbound \
address-list-timeout=none-dynamic chain=SECURE-OUT comment="SECURE-OUT: Bu\
ild camera outgoing address list (detect abuse activity from camera)" \
dst-address-list=!secure src-address-list=Camera
add action=drop chain=SECURE-OUT comment=\
"SECURE-OUT: Drop all outgoing camera traffic except knock secured" \
dst-address-list=!secure src-address-list=Camera
add action=accept chain=OTHER2MAIN comment="Allow responses from other subnet \
to main network for established connections only" dst-address-list=\
AdminPC src-address-list=Routers
add action=drop chain=OTHER2MAIN comment=\
"Drop all other access from other subnet to main network " \
connection-state=""
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Dropbox outgoing" \
dst-address-list=Dropbox new-connection-mark=dropbox_conn passthrough=yes
add action=mark-connection chain=prerouting comment="Dropbox incoming" \
new-connection-mark=dropbox_conn passthrough=yes src-address-list=Dropbox
add action=mark-packet chain=prerouting comment="Dropbox packet mark" \
connection-mark=dropbox_conn new-packet-mark=dropbox passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat comment="Remote DTJ Desktop access" dst-port=\
22 protocol=tcp to-addresses=192.168.0.100 to-ports=22
add action=dst-nat chain=dstnat comment="Remote VNC connection" dst-port=5900 \
protocol=tcp to-addresses=192.168.0.100 to-ports=5900
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=ether1
/ip firewall raw
add action=drop chain=prerouting dst-port=22 in-interface=ether1 protocol=tcp \
src-address-list=!secure
/ip ipsec policy
set 0 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set domain=DTJNet
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridgeMain type=internal
add interface=bridgeGuest type=internal
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface
set wlan1 disabled=yes
set sfp1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/lcd interface pages
set 0 interfaces=wlan1
/ppp secret
add name=Andrew password="********"
add name=vpnuser password="********" profile=vpn-profile
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=DTJR1
/system note
set note="DTJ Software. Authorized administrators only. Access to this device \
is monitored."
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=132.163.97.3 \
server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard settings
set silent-boot=yes
/system scheduler
add interval=5s name=AutoPortKnockClose on-event=":if ([:len [/ip firewall add\
ress-list find list=\"closesecure\"]] != 0) do={\r\
\n :local i [/ip firewall address-list get value-name=address [find list=\
\"closesecure\"]];\r\
\n /ip firewall address-list remove [find list=\"secure\" address=\$i];\r\
\n /ip firewall address-list remove [find list=\"closesecure\" address=\$i\
];\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add disabled=yes interval=1d name=Auto-Upgrade on-event="/system package updat\
e\r\
\ncheck-for-updates once\r\
\n:delay 1s;\r\
\n:if ( [get status] = \"New version is available\") do={ install }" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/2017 start-time=03:00:20
/system watchdog
set ping-timeout=5m watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
add interface=ether10
add interface=bridgeMain
add interface=wlan1
add interface=bridgeGuest
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no