Hunty
just joined
Topic Author
Posts: 20
Joined: Mon May 28, 2018 11:37 am

Openfiber + hap ac2

Mon Jun 27, 2022 2:38 pm

Hi,
I'm using an Openfiber connection (Italian 1gb/300mbit FTTH). The Internet provider provided an external ONT and a ZTE router that I have replaced with the ac2.
So the connection is:
fiber -> ont -> (ethernet) ac2
I'm not able to reach the same connection speed (680/280 mbit) that I had with the provider's router (ZTE, 910/280 mbit); maybe I've made some mistake in the configuration.
I'm also facing some issues:
- Fing Desktop reports that some devices are not able to join my network, but the only device that I'm aware of having this issue is a smart scale
- I'm not able to update the ac2 firmware (could not resolve DNS name), but other devices, wired and wireless, work well
- sometimes my Mi9 SE mobile phone loses its IP when connected using 5 GHz Wi-Fi; with 2.4 GHz this issue is not present

Here is the configuration:
# jun/26/2022 20:31:11 by RouterOS 6.49.6
# software id = ZNKV-4BZ0
#
# model = RBD52G-5HacD2HnD
# serial number = 8FDE09971078
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=openfiber
/interface wireless
set [ find default-name=wlan1 ] country=italy disabled=no frequency=auto mode=\
    ap-bridge name=wlan2.4 ssid=Tiscalli wps-mode=disabled
set [ find default-name=wlan2 ] disabled=no frequency=auto mode=ap-bridge name=\
    wlan5G ssid="Tiscalli 5G" wps-mode=disabled
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.3-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan2.4
add bridge=bridge1 interface=wlan5G
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.2/24 interface=bridge1 network=192.168.1.0
/ip dhcp-server lease
add address=192.168.1.3 client-id=1:78:f2:9e:90:86:da mac-address=\
    78:F2:9E:90:86:DA server=dhcp1
add address=192.168.1.7 mac-address=60:01:94:D8:E3:F5 server=dhcp1
add address=192.168.1.9 client-id=1:48:0:33:ae:66:37 mac-address=\
    48:00:33:AE:66:37 server=dhcp1
add address=192.168.1.251 mac-address=40:9F:38:D0:C5:0D server=dhcp1
add address=192.168.1.252 mac-address=40:9F:38:D0:F3:CC server=dhcp1
add address=192.168.1.250 mac-address=40:9F:38:D0:FA:E6 server=dhcp1
add address=192.168.1.253 mac-address=40:9F:38:D0:D6:C7 server=dhcp1
add address=192.168.1.254 mac-address=40:9F:38:D1:07:06 server=dhcp1
add address=192.168.1.6 mac-address=24:0A:C4:10:5A:EC server=dhcp1
add address=192.168.1.8 mac-address=84:F3:EB:2A:7B:24 server=dhcp1
add address=192.168.1.15 mac-address=70:EE:50:1F:05:0C server=dhcp1
add address=192.168.1.5 client-id=1:78:24:af:41:bc:3d mac-address=\
    78:24:AF:41:BC:3D server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.2 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=input connection-state=\
    established,related connection-type=""
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=drop chain=input
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN log-prefix=\
    "[443]" protocol=tcp to-addresses=192.168.1.3 to-ports=443
add action=dst-nat chain=dstnat dst-port=6881 in-interface-list=WAN log-prefix=\
    "[443]" protocol=tcp to-addresses=192.168.1.5 to-ports=6881
add action=dst-nat chain=dstnat dst-port=6881 in-interface-list=WAN log-prefix=\
    "[443]" protocol=udp to-addresses=192.168.1.5 to-ports=6881
/ip service
set telnet address=192.168.1.0/24
set ftp address=192.168.1.0/24
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24
/system clock
set time-zone-name=Europe/Rome
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: Openfiber + hap ac2

Mon Jun 27, 2022 4:27 pm

- Missing country on 5 GHz, probably using channels phone does not support
- Firewall input rules do not have "accept" for established connections, probably why update check is broken
- Fasttrack on PPPOE does not work AFAIK
 
Hunty
just joined
Topic Author
Posts: 20
Joined: Mon May 28, 2018 11:37 am

Re: Openfiber + hap ac2

Mon Jun 27, 2022 6:38 pm

- Missing country on 5 GHz, probably using channels phone does not support
I've tried but no luck; I'll check in the next days
- Firewall input rules do not have "accept" for established connections, probably why update check is broken
does not resolve, now I have:

/ip firewall filter
add action=fasttrack-connection chain=input connection-state=established,related connection-type=""
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=input
add action=drop chain=input
add action=accept chain=input connection-state=established
- Fasttrack on PPPOE does not work AFAIK
I have to check with and without fasttrack
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: Openfiber + hap ac2

Tue Jun 28, 2022 12:29 am

The accept input rule must be above any default drop rule. I would also suggest avoiding "auto" frequency on 5 GHz and using something like 5180-Ceee. Try to avoid upper bands.
 
Hunty
just joined
Topic Author
Posts: 20
Joined: Mon May 28, 2018 11:37 am

Re: Openfiber + hap ac2

Tue Jun 28, 2022 2:51 pm

Ok now I have this:
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=fasttrack-connection chain=input connection-state=\
    established,related connection-type=""
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=drop chain=input
and the update is working!

for wifi 5ghz:
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee \
    country=italy disabled=no frequency=5200 mode=ap-bridge name=wlan5G ssid=\
    "Tiscalli 5G" wps-mode=disabled
but my Android phone shows an exclamation mark inside the Wi-Fi signal strength and it shows no IP in the configuration panel.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: Openfiber + hap ac2

Wed Jun 29, 2022 12:21 am

Your firewall input drop rule is blocking your phone's DHCP request (and presumably every other device on your LAN). I am not sure why the default firewall rules were deleted as they take care of this.

You should add a rule to input, action=accept, in-interface=bridge1 to trust all traffic on your LAN bridge, or change the drop rule to only drop the traffic coming from WAN (pppoe-out1) since the input chain default is allow. I'm curious how your network even functions and how you are able to connect to the router with that drop rule...
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Openfiber + hap ac2

Wed Jun 29, 2022 8:29 am

DHCP is bound to the interface before the firewall, so although the DHCP packets from the clients do pass through the firewall and can even be dropped there, they actually get there when already processed by the DHCP stack. This is not the case for DHCPv6.

DNS is another thing, though. If you tell the DHCP clients to use the router as their DNS, input chain must accept DNS requests from them (protocol=udp dst-port=53 and protocol=tcp dst-port=53).
 
Hunty
just joined
Topic Author
Posts: 20
Joined: Mon May 28, 2018 11:37 am

Re: Openfiber + hap ac2

Wed Jun 29, 2022 1:49 pm

DHCP is working for every device except for the smart scale.
Anyway, I've modified the drop rule to drop traffic from WAN:
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=fasttrack-connection chain=input connection-state=\
    established,related connection-type=""
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=drop chain=input in-interface-list=WAN
The DHCP server assigns 8.8.8.8 as the DNS server:
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.2 netmask=24
/ip dns
set servers=8.8.8.8
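
The rule-order point discussed in this thread, as an added example that is not part of any forum post: a small Python first-match evaluator run over the three input-chain rule sets posted above, with three constructed packets addressed to the router. It assumes fasttrack-connection does not end rule processing, and it models only connection-state and in-interface-list matching; the names `RULESETS`, `PACKETS`, `verdict` and `table` are made up for the illustration.

```python
# Added example, not from the forum posts. Packets below are constructed.
# Assumption: fasttrack-connection does not end rule processing, so only
# accept and drop produce a verdict. connection-type="" is omitted.
FT_IN = "action=fasttrack-connection chain=input connection-state=established,related"
FT_FWD = "action=fasttrack-connection chain=forward connection-state=established,related"
ACCEPT = "action=accept chain=input connection-state=established,related"
DROP = "action=drop chain=input"

RULESETS = {
    # Jun 27 post: accept added below the drop rules.
    "accept_last": [FT_IN, FT_FWD, DROP, DROP,
                    "action=accept chain=input connection-state=established"],
    # Jun 28 post: accept moved above the unconditional drop.
    "accept_first": [ACCEPT, FT_IN, FT_FWD, DROP],
    # Jun 29 post: drop limited to the WAN interface list.
    "drop_wan_only": [ACCEPT, FT_IN, FT_FWD, DROP + " in-interface-list=WAN"],
}

PACKETS = {  # constructed traffic addressed to the router itself
    "reply_from_wan": {"state": "established", "in_list": "WAN"},
    "new_from_lan": {"state": "new", "in_list": "LAN"},
    "new_from_wan": {"state": "new", "in_list": "WAN"},
}

def parse(line):
    """Split 'key=value key=value' rule text into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def matches(rule, pkt):
    """Check the two matchers modelled here; an absent matcher matches anything."""
    states = rule.get("connection-state")
    if states and pkt["state"] not in states.split(","):
        return False
    iface = rule.get("in-interface-list")
    return iface is None or pkt["in_list"] == iface

def verdict(ruleset, pkt, chain="input"):
    """Return (action, 1-based rule number); no match means default accept."""
    for n, rule in enumerate(map(parse, ruleset), 1):
        if rule["chain"] == chain and rule["action"] in {"accept", "drop"} and matches(rule, pkt):
            return rule["action"], n
    return "accept", None

def table():
    """Verdict for every constructed packet under every rule set."""
    return {name: {p: verdict(rs, pkt) for p, pkt in PACKETS.items()}
            for name, rs in RULESETS.items()}

if __name__ == "__main__":
    for name, row in table().items():
        print(name, row)
```

With `accept_first`, new traffic from the LAN to the router still ends at the unconditional drop in rule 4; with `drop_wan_only` it matches no rule and falls through to the chain's default accept.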
