zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sat May 06, 2023 6:50 pm

Another day, another DNS-over-Hell with MT! This time in ROS7.9 on a Chateau 5G.

After I've watched tons of videos and read tons of forums and blogs, and after I tried more or less everything, I'm still facing a serious issue with DNS redirects from LAN clients. Basically, no host on the LAN bridge can get its DNS requests processed.

Some prior information: Chateau 5G with ROS 7.9 (stable); RouterBOARD and modem firmware are the latest available. Only a simple setup after a configuration reset with no backup and no default config. Then I added a simple bridge with all the LAN ports, put an IP on it and created a DHCP server on it. Then a simple srcnat masquerade rule, and that's it!

With the lte1 option for remote DNS fetching disabled and no static DNS entries, I put "https://1.1.1.3/dns-query" with its specific root CA already imported (it's not the same as with 1.1.1.1) and enabled remote requests. As per @normis' otherwise excellent video, I also added the firewall rules for port 53 redirection.

The odd part is that the router itself can resolve all IP addresses correctly over port 443. It successfully retrieves MT's package repos, MT's own cloud service, time.cloudflare.com, and pretty much everything else that I pinged by domain name from the console (1.1.1.3:443 and the subsequent ICMP traffic are visible when torching lte1), yet NO host on the LAN can resolve any IP...
I can also see that 1.1.1.3 is working as intended, as it returns NXDOMAIN when pinging the spicy stuff and malicious addresses. Nothing on Earth I tried was able to get LAN hosts' DNS requests working, yet LAN hosts can successfully ping by IP address (tried with 1.1.1.1 and 8.8.8.8).

At this point I'm pretty sure it's just another DoH bug in ROS, but since I don't have the device with me now and can't make the supout.rif, I decided to ask the experts here.

I'll also post the whole config here as soon as I can.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sat May 06, 2023 7:15 pm

Yes, I am pretty sure it's your config, as the router simply follows orders.
It works quite well on 7.9rc2/rc3; I have not moved to 7.9 stable yet but expect no difference.
Config will provide proof/evidence.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sat May 06, 2023 7:24 pm

[...] At this point I'm pretty sure it's just another DoH bug in ROS, but since I don't have the device with me now [...]
At this point I'm pretty sure it's just another random user posting without any relevance or proof.
Right, he assumes that he did everything perfectly, and that therefore there is a bug in RouterOS; it is not conceivable that he was wrong...
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sat May 06, 2023 8:03 pm

Yeah, a simple misconfiguration would be the most desirable explanation, since I'd rather have this working soon by a simple fix than have it really be a bug that MT needs to work on for a month or so.

With a bit of luck I'll be able to post the config tomorrow. Hopefully all will be clear afterwards.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sat May 06, 2023 8:35 pm

Good plan!
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sun May 07, 2023 4:41 pm

Here is the configuration export. I've tried some other tweaks since yesterday, but to no avail, so I'm posting the "original" config, which is confirmed broken. Also, both wlan interfaces were put in the bridge. WLAN clients are also reporting "Connected, without internet".
# may/07/2023 16:19:24 by RouterOS 7.9
# software id = 
#
# model = D53G-5HacD2HnD
# serial number = 
/interface bridge
add name=bridge1
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" nr-band=""
/interface wireless
set [ find default-name=wlan1 ] ssid=
/interface lte apn
set [ find default=yes ] use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name=\
    5ghz supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-XXXX disabled=no frequency=auto mode=ap-bridge \
    security-profile=5ghz ssid= wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.200-192.168.88.220
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 fast-leave=yes interface=static
/ipv6 settings
set disable-ipv6=yes
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.3/dns-query \
    verify-doh-cert=yes
/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
add action=drop chain=output
/system clock
set time-zone-name=
/system identity
set name=
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=static
/tool mac-server ping
set enabled=no
To give some more info: I've also tried putting 192.168.88.1 and/or 192.168.88.0 as DNS in the (only) DHCP server for bridge1. Still, no DNS available to clients.

I'm also attaching a screenshot of the certificate store.

So, have at it! :D
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sun May 07, 2023 4:53 pm

After seeing the config, I suggest you revert all the mess by resetting to defaults, and do not touch anything except adding the DoH settings later.....
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sun May 07, 2023 4:58 pm

After seeing the config, I suggest you revert all the mess by resetting to defaults, and do not touch anything except adding the DoH settings later.....
OK, and what would be the recommended settings for even the simplest bridge with only LAN ports in it?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sun May 07, 2023 5:03 pm

The default ones are perfect, why did you change them?

(if you do not want the wlan on the bridge, simply remove wlan port from the bridge ports or disable the wlan...)
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Sun May 07, 2023 6:34 pm

Four things I see.

(1) Be NORMAL with bridge ports.
/interface bridge port
add bridge=bridge1 interface=etherX
add bridge=bridge1 interface=etherY
add bridge=bridge1 interface=etherZ
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2

(2) Fix DNS entries.

(a) /ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

(b) /ip dns
set allow-remote-requests=yes servers=public-server-of-choice use-doh-server=https://1.1.1.3/dns-query \
    verify-doh-cert=yes

The DoH server needs to be reached for the initial connection, so you do need to provide one public server; 1.1.1.2 (Cloudflare) is recommended.

(3) A reasonable firewall.

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="internet traffic"
******
add action=drop chain=forward comment="Drop all else"


***** optional location for a port forwarding rule if required.
add action=accept chain=forward connection-nat-state=dstnat

(4) Fix NAT settings.

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
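A quick way to confirm from a LAN client that the two port-53 redirect rules above are actually doing their job. This is an added example, not code from the thread or from MikroTik. With the redirect in place, a UDP/53 query sent by a LAN host to ANY destination address is answered by the router's own resolver (and therefore by its DoH upstream), so the script sends the same query once to the router and once to an arbitrary public address and classifies the pair of replies. ROUTER and ANY_PUBLIC are assumptions matching the lab in the thread; SAMPLE_RESPONSE is a constructed packet so the parser can be exercised offline.

```python
"""Probe a dstnat port-53 redirect from a LAN client (added example)."""
import socket
import struct
import sys
from typing import Dict, List, Optional

ROUTER = "192.168.88.1"   # bridge address used throughout the thread (assumed)
ANY_PUBLIC = "8.8.8.8"    # any address; with the redirect it never sees the query


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD set, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer is two bytes
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> Dict[str, object]:
    """Return txid, RCODE and the A-record addresses of the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4        # QTYPE + QCLASS
    addrs: List[str] = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "answers": addrs}


def send_query(server: str, name: str, timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """Send one UDP/53 query; None means nothing answered within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)


def diagnose(router_reply: Optional[Dict[str, object]],
             public_reply: Optional[Dict[str, object]]) -> str:
    """Classify the pair of replies; either may be None (no answer)."""
    if router_reply is None and public_reply is None:
        return "router resolver not answering LAN (check allow-remote-requests, DoH cert, input chain)"
    if public_reply is None:
        return "router answers but redirect missing (queries to other IPs escape or are dropped)"
    if router_reply is None:
        return "redirect works but direct queries to the router fail (check input chain for udp/53)"
    same = (router_reply["rcode"] == public_reply["rcode"]
            and sorted(router_reply["answers"]) == sorted(public_reply["answers"]))
    if not same:
        return "both answer but differ: the public IP was reached directly, redirect not applied"
    return "redirect OK: both queries answered identically by the router"


# Constructed reply (example.com A 93.184.216.34) as the router might return it.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # id, flags QR/RD/RA, 1 q, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"   # name pointer, A, IN, TTL 3600, rdlen 4
    b"\x5d\xb8\xd8\x22"                                   # 93.184.216.34
)

if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print("offline parse:", parsed)
    print("offline diagnose:", diagnose(parsed, parsed))
    if "--live" in sys.argv:          # run this from a client behind the router
        name = "example.com"
        print(diagnose(send_query(ROUTER, name), send_query(ANY_PUBLIC, name)))
```

Run it with `--live` from a laptop on the bridge. Use a name with a single, stable A record for the comparison; a round-robin name can legitimately return different addresses on two queries and would be misreported as "differ". Note that when the redirect applies, the reply still appears to come from the public address (dstnat is reversed on the way back), so the source IP of the reply tells you nothing; only the content does.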
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 12:16 am

Thank you both for your time and guidance!

I now realize how botched my original config was! Pro tip: don't conf under the influence.

I've ditched it all with /system/reset-configuration no-defaults=yes skip-backup=yes and started from scratch. I used "Quick Set" for the simplest default "LTE" config. Check the attached screenshot(s). The only thing "Quick Set" didn't actually set properly was the DHCP server IP and network; all were 0.0.0.0/24. After fixing these manually all seemed to work fine; the laptop was getting IP and DNS settings automatically. No more of the dreaded "Connected, no internet" in Windows. All was sunshine and roses! Or so I thought...

As is evident from the screenshots, LAN clients still can't get DNS lookups working properly, even though I'm now on the default config and pings to IP addresses seem to work just fine, i.e., there is proper routing (unlike with my previous conf).
# may/07/2023 21:27:59 by RouterOS 7.9
# software id = 
#
# model = D53G-5HacD2HnD
# serial number = 
/interface bridge
add name=bridge1
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" nr-band=""
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=lte1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add disabled=yes interface=*8
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This config is the default(ish) one from "Quick Set". I then fixed only the following thing, by just deleting it. It was an artefact left from the botched default config.
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
Even with this config, clients now only have routing but no working DNS. The DNS servers are the ones pushed by the mobile operator. The SIM card is working just fine in an Android phone, working as a Wi-Fi hotspot for tethering. Go figure!

I've dumped the supout.rif from this config and I'll open a ticket with MT support for good measure. In the meantime, I'd still appreciate any other ideas. Could it be a specific issue with the Chateau 5G?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 2:20 am

You screwed up again.
/ip dhcp-client
add disabled=yes interface=*8
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
If I tell you to reset everything to defaults and don't touch anything, it doesn't mean "delete everything"...

WHY no-defaults=yes ???

You are not able to configure the device from 0, so start with the defaults first.

Until you have a device that works without making useless tweaks here and there, you don't have a working base from which to start.

You must just set the APN, and not touch band or frequency, for example.

AND FORGET QUICKSET, or stop asking for help on the forum.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 4:30 am

Are you being slow on purpose?

(1) How can you consider this entry correct????? Why didn't you remove it???
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24

(2) As for LTE settings, that is your issue to put in what the ISP provided. I don't think you need the IP DHCP client setting, as that is done in the LTE settings.

(3) Your firewall rules do not match what was provided; a bit better.

(4) Why did you remove your redirect rules and DoH settings???

I have done what I can here. Moving on.
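The same review can be done mechanically on a `/export`. The following is an added example, not code from the thread or from MikroTik: a small linter that joins the backslash continuations RouterOS emits, splits the export into (section, parameters) pairs, and flags the points raised in anav's two replies: a bridge port that names an interface list (static, LAN, ...) instead of an interface, a DHCP network without dns-server, the leftover 0.0.0.0/24 DHCP network from the QuickSet attempt, DoH without a plain servers= fallback, a masquerade rule not limited to WAN, and a missing udp or tcp 53 redirect. It adds one check the thread does not spell out, allow-remote-requests=yes being absent; that the factory value is no and the defconf script is what turns it on is a RouterOS fact assumed here, not something stated by the posters. SAMPLE_EXPORT and FIXED_EXPORT are constructed from the exports in the thread, not taken from a live device.

```python
"""Lint a RouterOS /export for the DoH-redirect pitfalls discussed in the thread."""
import re
from typing import Dict, List, Tuple

Command = Tuple[str, Dict[str, str]]          # (section path, parameters)
BUILTIN_LISTS = {"all", "none", "dynamic", "static"}   # RouterOS built-in interface lists


def parse_export(text: str) -> List[Command]:
    """Join `\\`-continued lines, then map each add/set line to (section, {param: value})."""
    joined = re.sub(r"\\\n\s*", "", text)
    section, cmds = "", []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line                    # e.g. "/ip firewall nat"
            continue
        params = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
        cmds.append((section, params))
    return cmds


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the checks fired."""
    cmds = parse_export(text)

    def sect(name: str) -> List[Dict[str, str]]:
        return [p for s, p in cmds if s == name]

    findings: List[str] = []

    lists = BUILTIN_LISTS | {p["name"] for p in sect("/interface list") if "name" in p}
    for p in sect("/interface bridge port"):
        if p.get("interface") in lists:
            findings.append(f"bridge port names interface list '{p['interface']}', not an interface")

    for p in sect("/ip dhcp-server network"):
        if p.get("address", "").startswith("0.0.0.0/"):
            findings.append("leftover DHCP network 0.0.0.0/24; delete it")
        elif "dns-server" not in p:
            findings.append(f"DHCP network {p['address']} hands out no dns-server; point it at the router")

    dns = sect("/ip dns")
    if any("use-doh-server" in p for p in dns) and not any("servers" in p for p in dns):
        findings.append("DoH set without a plain servers= fallback for the initial connection")
    if not any(p.get("allow-remote-requests") == "yes" for p in dns):
        findings.append("allow-remote-requests=yes missing (factory value is no); LAN cannot use the resolver")

    nat = sect("/ip firewall nat")
    for p in nat:
        if p.get("action") == "masquerade" and not (p.keys() & {"out-interface", "out-interface-list"}):
            findings.append("masquerade rule not limited to WAN (no out-interface-list)")
    redirected = {p.get("protocol") for p in nat
                  if p.get("action") == "redirect" and p.get("dst-port") == "53"}
    for proto in ("udp", "tcp"):
        if proto not in redirected:
            findings.append(f"no dstnat redirect for {proto}/53; LAN DNS can bypass the router")
    return findings


# Constructed from the first export in the thread plus the 0.0.0.0/24 leftover from the second.
SAMPLE_EXPORT = """\
# constructed sample, not a real device
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge1 fast-leave=yes interface=static
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.3/dns-query \\
    verify-doh-cert=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=redirect chain=dstnat dst-port=53 protocol=tcp
"""

# The same fragments with anav's corrections applied (constructed).
FIXED_EXPORT = """\
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2 use-doh-server=https://1.1.1.3/dns-query \\
    verify-doh-cert=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
"""

if __name__ == "__main__":
    for label, export in (("broken", SAMPLE_EXPORT), ("fixed", FIXED_EXPORT)):
        print(f"== {label} ==")
        for f in lint(export) or ["no findings"]:
            print(" -", f)
```

Feed it the output of `/export` (terse or verbose; the parser only looks at the sections it checks). The parser is deliberately naive: it does not evaluate `[ find ... ]` selectors, so a `set` line is treated like an `add` line with whatever parameters appear on it.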
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:10 am

Guys, please be civil and respectful.
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 1:32 pm

Oh, hey Normis! What a way to have your attention... Now that I have it anyway, what's your take on this matter? And why should Quick Set require default settings?
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 1:43 pm

You are using the wrong QuickSet template (LTE only, no WiFi); it should be Home AP LTE.
Start with factory defaults, then enable only your DNS redirect. If it works, work from there.

Always, if there is something that should work, but is not working, do a full reset. Enable one feature. Check, then continue.
 
tangent
Forum Guru
Posts: 1397
Joined: Thu Jul 01, 2021 3:15 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 2:02 pm

why should Quick Set require default settings?

MikroTik, not being idiots, have provided sensible starting defaults.

If you're asking why these sensible starting defaults aren't the same as an empty configuration, it's because an empty configuration says "do nothing," and so it does nothing, just like you told it to.

If an empty configuration were the same as the default configuration, it wouldn't be possible to pare elements of it away when doing clever things. For example, the default configuration for a "router" class device typically puts all network interfaces into a single bridge except for the one marked as the "Internet" (uplink) port on the front panel. But what if you wanted two uplinks, with ISP failover? How then would you pry the second uplink port free from the default bridge?

Under MikroTik's scheme, where QuickSet gives you a non-empty default configuration, you can easily remove one port from the default bridge and reassign it to this second ISP.
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 7:54 pm

OK, OK. This was news to me. I assumed Quick Set was providing its own default config. NEVER assume!

Resetting with defaults enabled loaded the defconf script successfully. Then I started working from there.

The pure defconf was working fine with the APN-provided DNS servers for LAN clients. Remember, it was a pure defconf with no Wi-Fi setup, so I didn't even bother trying to connect via wireless.

Then I imported the Cloudflare for Families CA chain again and pretty much followed the rest as Normis explained in his YT DoH video, incl. disabling the APN-provided DNS.

Here is the setup after my little mods. I explicitly exported the verbose version.
# may/08/2023 19:35:32 by RouterOS 7.9
# software id = 
#
# model = D53G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:C4:F5:7D ageing-time=5m arp=enabled arp-timeout=auto \
    auto-mac=no comment=defconf dhcp-snooping=no disabled=no fast-forward=yes \
    forward-delay=15s igmp-snooping=no max-message-age=20s mtu=auto name=\
    bridge priority=0x8000 protocol-mode=rstp transmit-hold-count=6 \
    vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:7D mtu=1500 \
    name=ether1 orig-mac-address=DC:2C:6E:C4:F5:7D rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:7E mtu=1500 \
    name=ether2 orig-mac-address=DC:2C:6E:C4:F5:7E rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:7F mtu=1500 \
    name=ether3 orig-mac-address=DC:2C:6E:C4:F5:7F rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:80 mtu=1500 \
    name=ether4 orig-mac-address=DC:2C:6E:C4:F5:80 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:81 mtu=1500 \
    name=ether5 orig-mac-address=DC:2C:6E:C4:F5:81 rx-flow-control=off \
    tx-flow-control=off
/queue interface
set bridge queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
add comment=defconf exclude="" include="" name=WAN
add comment=defconf exclude="" include="" name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=\
    none default-route-distance=2 ip-type=auto name=default use-network-apn=\
    yes use-peer-dns=no
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=default band="" \
    disabled=no !modem-init mtu=1500 name=lte1 network-mode=3g,lte,5g \
    nr-band=""
/queue interface
set lte1 queue=no-queue
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" disable-pmkid=no \
    eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m \
    interim-update=0s management-protection=disabled mode=none \
    mschapv2-username="" name=default radius-called-format=mac:ssid \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=aes-ccm
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods=passthrough \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled mode=dynamic-keys mschapv2-username="" \
    name=2.4ghz radius-called-format=mac:ssid radius-eap-accounting=no \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
    disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity="" tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods=passthrough \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled mode=dynamic-keys mschapv2-username="" \
    name=5ghz radius-called-format=mac:ssid radius-eap-accounting=no \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
    disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity="" tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=none allow-sharedkey=\
    no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
    2 area="" arp=enabled arp-timeout=auto band=2ghz-onlyn basic-rates-a/g=\
    6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20mhz \
    compression=no country=no_country_set default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=yes disconnect-timeout=3s distance=\
    indoors frame-lifetime=0 frequency=auto frequency-mode=superchannel \
    frequency-offset=0 guard-interval=any hide-ssid=no ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
    s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
    cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
    3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 installation=indoor \
    interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=DC:2C:6E:C4:F5:82 max-station-count=2007 mode=ap-bridge mtu=\
    1500 multicast-buffering=enabled multicast-helper=default name=wlan1 \
    nv2-cell-radius=30 nv2-downlink-ratio=50 nv2-mode=dynamic-downlink \
    nv2-qos=default nv2-queue-count=2 nv2-security=disabled nv2-sync-secret=\
    "" on-fail-retry-time=100ms preamble-mode=both radio-name=DC2C6EC4F582 \
    rate-selection=advanced rate-set=default rx-chains=0,1 scan-list=default \
    secondary-frequency="" security-profile=2.4ghz skip-dfs-channels=disabled \
    ssid=MTK station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=\
    disabled supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-chains=0,1 \
    tx-power-mode=default update-stats-interval=disabled vlan-id=1 vlan-mode=\
    no-tag wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 \
    wds-ignore-ssid=no wds-mode=disabled wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=none allow-sharedkey=\
    no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
    4 area="" arp=enabled arp-timeout=auto band=5ghz-onlyac basic-rates-a/g=\
    6Mbps bridge-mode=enabled channel-width=20/40/80mhz-XXXX compression=no \
    country=bulgaria default-ap-tx-limit=0 default-authentication=yes \
    default-client-tx-limit=0 default-forwarding=yes disable-running-check=no \
    disabled=no disconnect-timeout=3s distance=indoors frame-lifetime=0 \
    frequency=auto frequency-mode=regulatory-domain frequency-offset=0 \
    guard-interval=any hide-ssid=no ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
    s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
    cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
    3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 installation=indoor \
    interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=DC:2C:6E:C4:F5:83 max-station-count=2007 mode=ap-bridge mtu=\
    1500 multicast-buffering=enabled multicast-helper=default name=wlan2 \
    nv2-cell-radius=30 nv2-downlink-ratio=50 nv2-mode=dynamic-downlink \
    nv2-qos=default nv2-queue-count=2 nv2-security=disabled nv2-sync-secret=\
    "" on-fail-retry-time=100ms preamble-mode=both radio-name=DC2C6EC4F583 \
    rate-selection=advanced rate-set=default rx-chains=0,1 scan-list=default \
    secondary-frequency="" security-profile=5ghz skip-dfs-channels=all ssid=\
    MTK station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=disabled \
    supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    tdma-period-size=2 tx-chains=0,1 tx-power-mode=default \
    update-stats-interval=disabled vht-basic-mcs=mcs0-7 vht-supported-mcs=\
    mcs0-9,mcs0-9,mcs0-9 vlan-id=1 vlan-mode=no-tag wds-cost-range=50-150 \
    wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=\
    disabled wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
set wlan2 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=yes disabled=no interface=bridge \
    lease-script="" lease-time=30m name=defconf use-radius=no
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=usb1 parity=none \
    stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=default use-ipv6=\
    yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default-encryption on-down="" on-up="" only-one=\
    default !outgoing-filter !parent-queue !queue-type !rate-limit \
    !remote-address !session-timeout use-compression=default use-encryption=\
    yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set wlan1 queue=wireless-default
set wlan2 queue=wireless-default
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
set wlan2 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=\
    no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
    0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
    bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api,romon,rest-api" skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled \
    mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
    require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=yes crl-store=ram crl-use=yes
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether1 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether2 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether3 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether4 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether5 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none ingress-filtering=yes interface=wlan1 internal-path-cost=10 \
    learn=auto multicast-router=temporary-query path-cost=10 point-to-point=\
    auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no \
    tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none ingress-filtering=yes interface=wlan2 internal-path-cost=10 \
    learn=auto multicast-router=temporary-query path-cost=10 point-to-point=\
    auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no \
    tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=disabled mode=\
    tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
    arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=\
    yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=4096
/interface detect-internet
set detect-interface-list=none internet-interface-list=none \
    lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no \
    authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 \
    l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=\
    unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface list member
add comment=defconf disabled=no interface=bridge list=LAN
add comment=defconf disabled=no interface=lte1 list=WAN
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc \
    default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 \
    keepalive-timeout=60 mac-address=FE:0C:0D:FA:78:42 max-mtu=1500 mode=ip \
    netmask=24 port=1194 protocol=tcp redirect-gateway=disabled reneg-sec=\
    3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
    caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
    interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip address
add address=192.168.88.1/24 comment=defconf disabled=no interface=bridge \
    network=192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=\
    5m
/ip dhcp-server network
add address=192.168.88.0/24 caps-manager="" comment=defconf dhcp-option="" \
    dns-server=192.168.88.1 gateway=192.168.88.1 !next-server ntp-server="" \
    wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    doh-max-concurrent-queries=50 doh-max-server-connections=5 doh-timeout=5s \
    max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
    max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
    servers="" use-doh-server=https://1.1.1.3/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf disabled=no name=router.lan ttl=1d
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN !to-addresses !to-ports
add action=redirect chain=dstnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    dst-port=53 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority protocol=tcp !psd !random !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss \
    !time !to-addresses !to-ports !ttl
add action=redirect chain=dstnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    dst-port=53 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority protocol=udp !psd !random !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss \
    !time !to-addresses !to-ports !ttl
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=yes
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip service
set telnet address="" disabled=yes port=23 vrf=main
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80 vrf=main
set ssh address="" disabled=yes port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any \
    vrf=main
set api address="" disabled=yes port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=yes port=8729 tls-version=\
    any vrf=main
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/flash/pub \
    disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=\
    200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
    host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=64k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
    yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=no \
    dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=\
    bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no \
    list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no \
    dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=\
    bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=no dynamic=no \
    list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no \
    dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no \
    list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=\
    bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes \
    disabled=no dns="" hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no \
    pref64="" ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m \
    ra-preference=medium reachable-time=unspecified retransmit-interval=\
    unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
    use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/snmp
set contact="" enabled=no engine-id="" location="" src-address=:: \
    trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=MikroTik
/system leds
# using RSRP, modem-signal-threshold ignored
set 0 disabled=no interface=lte1 leds=led1,led2,led3,led4,led5 \
    modem-signal-threshold=-91 type=modem-signal
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=no
/system ntp client
set enabled=yes mode=unicast servers=time.cloudflare.com vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no \
    local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=\
    main
/system ntp client servers
add address=time.cloudflare.com auth-key=none disabled=no iburst=yes \
    max-poll=10 min-poll=6
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
set 14 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard settings
set auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=\
    bootp force-backup-booter=no preboot-etherboot=disabled \
    preboot-etherboot-server=any protected-routerboot=disabled \
    reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system routerboard mode-button
set enabled=yes hold-time=0s..1m on-event=dark-mode
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard wps-button
set enabled=no hold-time=0s..1m on-event=""
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
    ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> port=25 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
    filter-dst-ip-address="" filter-dst-ipv6-address="" \
    filter-dst-mac-address="" filter-dst-port="" filter-interface="" \
    filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
    filter-mac-address="" filter-mac-protocol="" \
    filter-operator-between-entries=or filter-port="" filter-size="" \
    filter-src-ip-address="" filter-src-ipv6-address="" \
    filter-src-mac-address="" filter-src-port="" filter-stream=no \
    filter-vlan="" memory-limit=100KiB memory-scroll=yes only-headers=no \
    streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no \
    stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0
And here we are again in funny territory. The router itself can ping and resolve everything, but my LAN clients don't have that luck. What you're seeing in the attached screenshot is more or less self-explanatory. When I ping google.com I get the error in PS, while nothing seemingly happens on the router. However, when I nslookup google.com from PS, I get a response from 192.168.88.1, the dstnat redirect rule counters increase, and the router's internal DNS cache is properly populated (marked in red rectangles).

While I now realize my previous mistakes and I'm (hopefully) learning from them, this time I'm completely lost... :?
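One way to tell from a LAN host whether the dst-nat port-53 redirect is actually in effect, as an added example that is not part of the original thread or of RouterOS: send a raw UDP query for the router's own static entry (router.lan, which the export maps to 192.168.88.1) to an external resolver address. A real external resolver knows nothing about router.lan and answers NXDOMAIN; if the reply instead carries 192.168.88.1, the router intercepted the query. The resolver address 8.8.8.8, the transaction id and the sample response bytes below are constructed for the example; the wire-format helpers follow RFC 1035 and need nothing outside the standard library.

```python
import socket
import struct

# Assumed values for this example (not from the thread): the canary is the
# router's static DNS entry, the "external" resolver is any address other
# than the router that a LAN client might be configured to use.
CANARY_NAME = "router.lan"
CANARY_IP = "192.168.88.1"
EXTERNAL_RESOLVER = "8.8.8.8"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query in wire format (RFC 1035) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, txid: int = 0x1234):
    """Return (rcode, [IPv4 strings]) from a DNS response; raise on malformed input."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def classify(rcode: int, addrs: list) -> str:
    """Decide who answered the canary query."""
    if CANARY_IP in addrs:
        return "redirected-to-router"     # the dst-nat rule intercepted port 53
    if rcode == 3:
        return "reached-external-resolver"  # NXDOMAIN: redirect not in effect
    return "unexpected"


def probe(resolver_ip: str = EXTERNAL_RESOLVER, timeout: float = 3.0) -> str:
    """Send the canary query from a LAN host (does real network I/O)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY_NAME, txid), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify(*parse_a_records(data, txid))


# Constructed response bytes (not captured from the thread): what the router's
# resolver returns for the canary when the redirect is in effect ...
SAMPLE_REDIRECTED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x06router\x03lan\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4) + socket.inet_aton(CANARY_IP)
)
# ... and what a genuine external resolver returns for router.lan (NXDOMAIN).
SAMPLE_NXDOMAIN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + b"\x06router\x03lan\x00" + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    print(probe())
```

Run it from a LAN client while watching the dstnat rule counters: "redirected-to-router" confirms the rules in the export are matching, "reached-external-resolver" means the query left the LAN untouched, and "no-answer" points at the reply path rather than the redirect. Because conntrack rewrites the reply source back to the external address, the reply's source IP alone cannot tell the two cases apart; the canary content can.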
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 7:57 pm

Why do you always have to find a way to complicate simple things?
A verbose export is unwatchable; nobody asked you for one.
Make it a "normal" one, and don't keep "guessing", like assuming that doing verbose is better, or assuming that the quickset restores the defaults if they're not there, etc...
Last edited by rextended on Mon May 08, 2023 8:01 pm, edited 1 time in total.
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:00 pm

# may/08/2023 19:59:02 by RouterOS 7.9
# software id = 
#
# model = D53G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:C4:F5:7D auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" nr-band=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name=\
    2.4ghz supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name=\
    5ghz supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=no_country_set \
    distance=indoors frequency=auto frequency-mode=superchannel installation=\
    indoor mode=ap-bridge security-profile=2.4ghz ssid=MTK wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-XXXX country=bulgaria disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge security-profile=5ghz \
    skip-dfs-channels=all ssid=MTK wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/certificate settings
set crl-download=yes crl-use=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.3/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/system routerboard settings
set auto-upgrade=yes
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Eh, WTF was with the formatting here? :lol:
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:02 pm

Read my post #10 and try harder.

TRY again...................
/ip dns (missing servers=1.1.1.2, one needs to connect to the DOH server via a public DNS first then all queries are encrypted )
set allow-remote-requests=yes use-doh-server=https://1.1.1.3/dns-query \
verify-doh-cert=yes

(good news is that you did modify the source nat rule)
Last edited by anav on Mon May 08, 2023 8:06 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:05 pm

–––
Last edited by rextended on Mon May 08, 2023 8:25 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:07 pm

What???
My understanding that is a viable way of ensuring all users go out Router for DNS.........

Ahh i see what you mean.
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=tcp in-interface-list=LAN
add action=redirect chain=dstnat dst-port=53 protocol=udp in-interface-list=LAN
Last edited by anav on Mon May 08, 2023 9:31 pm, edited 1 time in total.
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:18 pm

Read my post #10 and try harder.

TRY again...................
/ip dns (missing servers=1.1.1.2, one needs to connect to the DOH server via a public DNS first then all queries are encrypted )
set allow-remote-requests=yes use-doh-server=https://1.1.1.3/dns-query \
verify-doh-cert=yes

(good news is that you did modify the source nat rule)
It was the defconf script that set the srcnat rule properly. I was too... incapable to comprehend what was missing when I was doing it manually.

As for the missing servers, I don't agree on it this time. If an IP address like 1.1.1.2 was missing, then it wouldn't make sense for the router to be able to lookup anything even for itself. I used the https://1.1.1.3/dns-query specifically for this reason, as there is no domain name, it is an IP address itself.

As for the dstnat redirect rules, I took them directly from https://www.youtube.com/watch?v=w4erB0VzyIE The commands are also available in the video's comments, apart from the video itself.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:27 pm

The correct config is this, just delete wrong nat rules and paste this on terminal.
/ip dns
set cache-max-ttl=30m servers=1.1.1.3,1.0.0.3 use-doh-server=https://1.1.1.3/dns-query verify-doh-cert=yes

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 dst-port=53 protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.1
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 dst-port=53 protocol=udp src-address=192.168.88.0/24 to-addresses=192.168.88.1
For all I attach all correct certificates.
cert_1.0.0.3.zip


If you omit the standard DNS, no longer used when DoH work, and used as failover if DoH fail, the Router is not able to solve the list and can't verify if the cert is still valid....
Inside the certs is written:
http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl
and
http://crl3.digicert.com/DigiCertGlobalRootG2.crl

and until you do not allow first normal DNS query for solve crl3.digicert.com to the right IP, DoH must not be considered valid because CRL has not been downloaded.
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:41 pm

Hmm, bad news... Even with the modded defconf LAN clients still can't ping by domain name.
# may/08/2023 20:34:50 by RouterOS 7.9
# software id = 
#
# model = D53G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:C4:F5:7D auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" nr-band=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name=\
    2.4ghz supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name=\
    5ghz supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=no_country_set \
    distance=indoors frequency=auto frequency-mode=superchannel installation=\
    indoor mode=ap-bridge security-profile=2.4ghz ssid=MTK wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-XXXX country=bulgaria disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge security-profile=5ghz \
    skip-dfs-channels=all ssid=MTK wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/certificate settings
set crl-download=yes crl-use=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=30m servers=1.1.1.3,1.0.0.3 \
    use-doh-server=https://1.1.1.3/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 dst-port=53 \
    protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.1
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 dst-port=53 \
    protocol=udp src-address=192.168.88.0/24 to-addresses=192.168.88.1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/system routerboard settings
set auto-upgrade=yes
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I'm using the exact same certs. I've checked their SHA256 values with certutil. Tried rebooting the router and the PC, no luck either.

I still can't understand why things normis said aren't working here? Also, I still can't understand why I need the 1.1.1.3 DNS IP entry.
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:43 pm

If you omit the standard DNS, no longer used when DoH work, and used as failover if DoH fail, the Router is not able to solve the list and can't verify if the cert is still valid....
Inside the certs is writed:
http://crl3.digicert.com/DigiCertGlobal ... 0CA1-1.crl
and
http://crl3.digicert.com/DigiCertGlobalRootG2.crl

and until you do not allow first normal DNS query for solve crl3.digicert.com to the right IP, DoH must not be considered valid because CRL has not been downloaded.
Hmm, makes sense, and yet I was getting CRL hits even without adding 1.1.1.3. :shock:
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:43 pm

Get rid of the default static DNS
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:48 pm

It's not that everything I write, anav or normis is the absolute truth.
Some other factors can be involved.

Move "masquerade" rule to the bottom of NAT chain

Can you ping 8.8.8.8 from routerboard? (avoid screenshot)

On the configuration you have now I don't see any errors.

On the windows terminal what do you get with
ipconfig /all
?
(remove username or pc name, but don't alter the rest)
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:57 pm

EDITED: Sorry for my confusion, THERE is no adguard or pihole server, done so many lately it's on the brain. Thanks to rextended for waking me up LOL.

Regardless the default static DNS rule must be removed.

METHOD1 -- Correct Method for DoH service on OWN router.......
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1

Discussion: We inform the router that users should be pointed to the router for DNS (gateway IP of interface). Normally this suffices but however, some users may have a separate DNS setting on their personal device. To move these users/devices to the router only we use DST NAT RULES.
The redirect action 'forces' users/devices to a Router IP (interface) for DNS.
Done. The initial request from the user/device will go to the DOH server in the cloud, noted in settings. in the cloud, which in turn will first connect with the entered DOH server, via the available public DNS server 1.1.1.3 ( the first and only public resolve). After that communication is established all subsequent DNS requests will go out directly encrypted.

NOTE: There is no necessity to include the in-interface-list=LAN (optional). The only time it's required is if one allows access to DNS from internet to Router ( from WAN). Very rare!

/ip firewall nat
..................
add action=redirect chain=dstnat dst-port=53 protocol=tcp \
    in-interface-list=LAN (optional)
add action=redirect chain=dstnat dst-port=53 protocol=udp \
    in-interface-list=LAN (optional)

METHOD2 -- Correct METHOD FOR Separate PIHOLE or ADGUARD Server on LAN.

Needs to be true for Method2

(1) /ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.X gateway=192.168.88.1
Where 192.168.88.X is the LANIP of your pihole!!

(2) /ip firewall address-list
add address=192.168.88.X list=excluded

/ip firewall nat
..................
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp \
    src-address-list=!excluded to-addresses=192.168.88.X \
    in-interface-list=LAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp \
    src-address-list=!excluded to-addresses=192.168.88.X \
    in-interface-list=LAN
Last edited by anav on Mon May 08, 2023 9:56 pm, edited 9 times in total.
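A configuration check covering rextended's CRL/failover argument above and METHOD1 in this post, added here as an example; it is not code from the thread or from MikroTik. The section names and keys are RouterOS's own, the two sample exports are constructed excerpts modelled on the ones posted in the thread, and the severity given to each finding is this editor's own judgement:

```python
"""Lint a RouterOS export for the DoH / DNS-redirect points argued in this thread: DoH with
verify-doh-cert=yes, plain servers= while CRL download is on, dstnat catching port 53."""
import re
from collections import defaultdict

# key=value tokens; quoted values may contain spaces and \" escapes.
_KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Return {section: [(verb, {key: value}), ...]} from the text `/export` prints."""
    joined = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if joined and joined[-1].endswith("\\"):      # continuation line
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line)
    sections, section = defaultdict(list), None
    for line in joined:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                      # e.g. "/ip firewall nat"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        sections[section].append((verb, {k: v.strip('"') for k, v in _KV.findall(rest)}))
    return sections


def lint(export_text, router_ip="192.168.88.1"):
    """Return [(severity, message)] with severity in {'ok', 'warn', 'error'}."""
    cfg = parse_export(export_text)
    dns, certs, out = {}, {}, []
    for _, kv in cfg.get("/ip dns", []):
        dns.update(kv)
    for _, kv in cfg.get("/certificate settings", []):
        certs.update(kv)

    doh = dns.get("use-doh-server", "")
    if not doh:
        out.append(("error", "/ip dns: no use-doh-server set"))
    elif dns.get("verify-doh-cert") != "yes":
        out.append(("error", "/ip dns: verify-doh-cert=yes missing, the DoH endpoint is not authenticated"))
    else:
        out.append(("ok", f"/ip dns: DoH via {doh} with certificate verification"))

    # rextended's point: with crl-download/crl-use on, the CRL host name must be resolvable,
    # and plain servers= are also the only failover if DoH breaks (e.g. an expired cert).
    crl_on = "yes" in (certs.get("crl-download"), certs.get("crl-use"))
    if not dns.get("servers"):
        why = "CRL checking is on, so the CRL host name needs a plain-DNS lookup, and " if crl_on else ""
        out.append(("warn", f"/ip dns: servers= is empty; {why}DoH has no failover if the endpoint or cert breaks"))

    # anav's METHOD1: port 53 from the LAN must end up on the router, by redirect or dst-nat.
    landed = {"tcp": False, "udp": False}
    for _, kv in cfg.get("/ip firewall nat", []):
        if kv.get("chain") != "dstnat" or kv.get("dst-port") != "53":
            continue
        act = kv.get("action")
        on_router = act == "redirect" or (act == "dst-nat" and kv.get("to-addresses") == router_ip)
        if on_router and kv.get("protocol") in landed:
            landed[kv["protocol"]] = True
    for proto, ok in landed.items():
        if ok:
            out.append(("ok", f"/ip firewall nat: port 53/{proto} from LAN lands on the router"))
        else:
            out.append(("error", f"/ip firewall nat: no dstnat rule sends 53/{proto} to the router, a client with a hard-coded resolver bypasses DoH"))
    return out


def worst(findings):
    """Highest severity present: 'error' > 'warn' > 'ok'."""
    rank = {"ok": 0, "warn": 1, "error": 2}
    return max((s for s, _ in findings), key=rank.get, default="ok")


# Constructed excerpt modelled on the first export in the thread: no servers=, redirect rules.
EXPORT_BEFORE = """\
/certificate settings
set crl-download=yes crl-use=yes
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.3/dns-query \\
    verify-doh-cert=yes
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
"""

# Constructed excerpt modelled on rextended's version: servers= set, explicit dst-nat to the router.
EXPORT_AFTER = """\
/ip dns
set allow-remote-requests=yes cache-max-ttl=30m servers=1.1.1.3,1.0.0.3 \\
    use-doh-server=https://1.1.1.3/dns-query verify-doh-cert=yes
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 dst-port=53 \\
    protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.1
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 dst-port=53 \\
    protocol=udp src-address=192.168.88.0/24 to-addresses=192.168.88.1
"""
```

Run `lint()` on your own `/export` output; the parser joins the backslash continuation lines the export uses, so the text can be pasted in as-is.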
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 8:58 pm

Get rid of the default static DNS
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
With this change I still can't ping anything by domain name. The only thing that changed for clients is that now nslookup returns "unknown".

With masquerade rule moved at the very bottom, I can ping 8.8.8.8 from router, also dns.google.com and pretty much everything else.

I'm now inclined to believe that there is something with the NAT part of the firewall. It's evident that the router can look up IP addresses just fine when clients issue nslookup, but when ping or a web browser is used, it all goes to hell...

Anyway, thanks for all the support! I'll have to call it a day now as I need to move to other activities, but I'll resume soon.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 9:01 pm

But from the picture, your PC has the correct DNS reply... one IPv4 142.... and one IPv6 2a00:....


(for various reason the name must be at least router.local and not .lan)
/ip dns static
add address=192.168.88.1 comment=defconf name=router.local
(But this do not interfere at all.)
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 9:05 pm

This is mine; it is identical to yours, except for the IPs because I'm in another country (and another language).


PS C:\WINDOWS\system32> nslookup google.com
Server:  router.local
Address:  192.168.0.101

Risposta da un server non autorevole:
Nome:    google.com
Addresses:  2a00:1450:4002:406::200e
          142.250.180.174

PS C:\WINDOWS\system32>
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 9:10 pm

From my point of view, since the DNS resolution is clear that works on the PC,
it is that you have some other problem on the PC, and the router has nothing to do with it.

There is no reason for the router to correctly communicate the DNS and then from the PC,
which resolves the DNS correctly, then the ping does not start at all...
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 9:11 pm

@anav???

What pihole?

Where is?
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 9:15 pm

Good point getting confused.............
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Mon May 08, 2023 9:18 pm

I doubt it is a router configuration issue; it is something in the OS, if the OS resolves the DNS correctly but ping does not start...
 
Frederick88
newbie
Posts: 49
Joined: Thu Jun 24, 2021 12:34 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Tue May 09, 2023 2:11 am

RE: DoH Server Settings

I'm successfully using DoH without Server= defined.
/ip/dns/set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
Therefore I don't believe you need to define the standard (non DoH) DNS server. (even if I clear DNS cache, DoH will still work without Server=)

WHY?
  1. DNS is not needed to connect to a DoH Server Address that's already an IP, such as 1.1.1.1 or 1.1.1.3.....
  2. The CloudFlare Certificate includes the IPs of 1.1.1.1 and 1.1.1.3 as verified. No further lookup is needed.
Keeping DNS Server=blank helps ensure there'll never be any DNS leakage... DoH in this instance works fine without it, so I don't see any reason why you'd want to define DNS Server=

**Assumes you already have the DoH certificate. If you don't, then yes you'll need to define DNS Server= to download the certificate. Once you have imported certificate, you can remove Server=**
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Tue May 09, 2023 3:09 am

Without posting your full config hard to say, perhaps the router is using an ISP provided DNS to do the initial lookup.
Without evidence, as you state, it's belief not fact!
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Tue May 09, 2023 3:29 am

@Frederick88
[offtopic]
RE: Ahahahahah....
You could have spared yourself the harping, since you also wrote something wrong...
**Assumes you already have the DoH certificate. If you don't, then yes you'll need to define DNS Server= to download the certificate. Once you have imported certificate, you can remove Server=**
For downloading the file, the DNS server can ALSO not be set...
How? Since you know things, you can tell us, instead of having me write...
[/offtopic]

The problem is another, what you wrote does not contribute to solve the problem of the topic.
Apparently it's something in the operating system, since DNS resolves correctly in windows 11.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Tue May 09, 2023 4:01 am

Yeah I missed that part.........
**Assumes you already have the DoH certificate. If you don't, then yes you'll need to define DNS Server= to download the certificate. Once you have imported certificate, you can remove Server=**

How do you get it ............... problem is every time you reboot the router...... you will need to put it back in .......... pain in the ass, and how will there be any leakage??? Sounds like a false fear flag.


The router should work for you, not you a slave to it.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Tue May 09, 2023 4:09 am

@anav
Look, everyone wants to be an expert, but when their certificates expire on April 19, 2024 and the DoH stop working, then I laugh...
If, on the other hand, they had left the backup standard DNS, if the DoH doesn't work, everyone continued to browse with the same 1.1.1.3...
But anyway, there's always someone who knows more...
P.S.: It's true, there's no need to set up any DNS to download the certificate... if the certificate always remains in the same position on the web...
 
Frederick88
newbie
Posts: 49
Joined: Thu Jun 24, 2021 12:34 pm

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Tue May 09, 2023 6:49 am

@rextended
I feel as though using standard DNS as a failover for DoH, defeats the purpose of using DoH in the first place...?

@anav
once you've imported the cert into RouterOS, it stays there until it expires, regardless of reboot... not sure what you mean by "you will need to put it back in"?

@rextended
when I said "**Assumes you already have the DoH certificate. If you don't, then yes you'll need to define DNS Server= to download the certificate. Once you have imported certificate, you can remove Server=**", I'm talking about the initial download of certificate from https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem before you enable DoH. (you'll need to resolve cacerts.digicert.com at least once)...

@anav
I won't bore you with my whole config, but I will say that my WAN IP is static, with no DNS defined.
try using 1.1.1.1 DoH without standard DNS - it'll work!

I'm no expert sure, but one thing I do know is that DNS is not a requirement for HTTPS to function - so I don't know why you guys are insisting otherwise?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family

Tue May 09, 2023 10:29 am

I feel as though using standard DNS as a failover for DoH defeats the purpose of using DoH in the first place...?
If you don't understand that, when for some reason DoH doesn't work (without now considering why or how), you're simply stuck, it's not my fault.
A concrete example: you forget to update the certificate (it has an EXPIRATION, you know?); for the 1.1.1.3 under consideration it is 2024-04-19.

To be precise, DoH began as a protocol to be used directly in the application.
Using it on the routerboard and forcing DNS is exactly what the inventors of DoH wanted to avoid.
However SOMETHING intercepts the application's DNS calls instead of the application consulting the DoH directly.
So by using it, you yourself are infringing on why it was invented.

once you've imported the cert into RouterOS, it stays there until it expires, regardless of reboot... not sure what you mean by "you will need to put it back in"?
You know, he just didn't understand what you meant about having to download the certificate every time.

when I said "[…]", I'm talking about the initial download of certificate from https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem before you enable DoH.
(you'll need to resolve cacerts.digicert.com at least once)...
Ignoring that not setting a backup DNS is foolish, there is not the slightest need to enter a DNS of any kind, or a permanent static DNS in the configuration, to download certificates or CRLs.

I'm no expert, sure, but one thing I do know is that DNS is not a requirement for HTTPS to function - so I don't know why you guys are insisting otherwise?
Let's see if I can explain it to you better:
To download a file with https, there are basically two cases: either the IP is enough, or you need to resolve the name.
The name can also be resolved statically in "/ip dns static", but there is no guarantee that the IP will remain the same.
In a properly configured DoH, initially the application MUST download the CRLs (or use another verification method) before considering the certificate valid and using it. Only, in the URL of the CRL there isn't an IP, but a domain. How does it resolve the domain name at first, if it can't use DoH because without the CRL it is still considered unsafe? Hence the need to set up a normal backup DNS. And it serves as a reserve, too, if for some reason DoH doesn't work.


In summary, there is no valid reason why DoH shouldn't first be placed directly in the application (if supported) rather than on the router,
and there's no valid reason why a backup DNS shouldn't be put in, in order to avoid the network locking up completely if you forget to renew the certificate or for some reason the DoH endpoint is offline.
Nothing is always online™...
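The bootstrap order the post above describes (plain resolver first, then CA download and import, then DoH with the plain servers kept as backup), written out as an added RouterOS 7 configuration example that is not from the thread or from MikroTik. It assumes the Cloudflare DoH endpoint and the DigiCert root CA URL named earlier in the thread, and that CRL checking is turned on so the certificate chain is actually validated.

```routeros
# Added example, not from the thread: DoH bootstrap on RouterOS 7 with a plain DNS fallback.

# Step 1: a plain resolver must exist before anything else, because the CA download URL,
# and any CRL distribution point inside the certificate, carries a hostname, not an IP.
/ip dns set servers=1.1.1.3 allow-remote-requests=yes

# Step 2: fetch the root CA that signs 1.1.1.3's certificate and import it into the store.
# The URL is the one quoted in the thread; cacerts.digicert.com is resolved via the servers above.
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem" \
    dst-path=DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

# Step 3: let the router download and honour CRLs, so an expired or revoked chain is rejected
# rather than silently trusted. CRL downloads also need the plain resolver from step 1.
/certificate settings set crl-download=yes crl-use=yes

# Step 4: enable DoH with certificate verification, and deliberately leave servers= in place.
# If the DoH endpoint is unreachable or its certificate has expired, clients still resolve.
/ip dns set use-doh-server="https://1.1.1.3/dns-query" verify-doh-cert=yes

# Step 5: sanity check from the router itself; this should print an address without error.
:put [:resolve time.cloudflare.com]
```

Removing `servers=` after import, as suggested earlier in the thread, leaves the router with no way to fetch a renewed CA file or a CRL once the current certificate reaches its expiry date.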
