Router: mikrotik rbd52g-5hacd2hnd
Connection: from l2tp to bridge
Problem: not all sites open; I can't log in to the Steam client on Linux; there is no internet access over Wi-Fi on Android, and the app store doesn't open.
I think the router is dropping some of the Linux and Android packets, but I do not understand on what principle. There are no problems with a Windows computer. If I replace the router with any "simple" one (for example, a TP-Link TL-WR841N), everything starts working. Maybe something needs to be configured. Please tell me what I need to fix in the configuration of my MikroTik router.
Config: "mypassword" is a placeholder that stands in for the real password.
# may/12/2023 16:22:05 by RouterOS 6.43.13
# software id = FFQX-QD2F
#
# model = RBD52G-5HacD2HnD
# LAN bridge. arp=proxy-arp makes the router answer ARP on behalf of any
# address it can route toward, on the LAN side as well.
# NOTE(review): not needed for a plain NATed LAN - confirm it is intentional.
/interface bridge
add admin-mac=74:4D:28:69:6F:84 arp=proxy-arp arp-timeout=30m auto-mac=no \
comment=defconf name=bridge1
# Physical ports. ether1-beeline is the uplink (it runs the DHCP client and is
# the only member of list WAN); ether2-ether5 are bridge ports. mtu=1460 is
# applied to every port, LAN side included.
# NOTE(review): the L2TP client already caps the tunnel at max-mtu=1460 and the
# ppp profile / mangle rule clamp MSS, so confirm the LAN-side 1460 is wanted.
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp mtu=1460 name=ether1-beeline
set [ find default-name=ether2 ] mtu=1460
set [ find default-name=ether3 ] mtu=1460
set [ find default-name=ether4 ] mtu=1460
set [ find default-name=ether5 ] arp=proxy-arp mtu=1460
# 5 GHz radio. No security-profile is given, so the default profile applies;
# no disabled=no is exported either, and its bridge port is disabled below.
# NOTE(review): if wlan2 is ever turned on, attach a WPA2 profile first - the
# default profile in this export shows no key.
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto mode=ap-bridge mtu=1460 \
ssid=MikroTik-696F89 wireless-protocol=802.11
# Interface lists referenced by the firewall; membership is assigned further
# down in /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Wi-Fi security. profile1 is WPA2-PSK only (no WPA1, no EAP) with 802.11w
# management-frame protection allowed; the default profile is left as shipped
# apart from supplicant-identity.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profile1 supplicant-identity="" \
wpa2-pre-shared-key="mypassword"
# 2.4 GHz AP: enabled, bridged as wifi1, uses profile1, WPS disabled.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=2447 l2mtu=1598 mode=ap-bridge \
mtu=1460 name=wifi1 security-profile=profile1 ssid=NL-F7913 tx-power=18 \
tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
# Hotspot profile: only the HTML directory is changed; no hotspot server is
# defined anywhere in this export.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Address pools. default-dhcp (192.168.88.x) is not referenced by any server
# below; pptp-pool (.30-.40) lies inside dhcp-pool (.2-.254).
# NOTE(review): if pptp-pool is ever bound to a ppp profile, carve it out of
# the DHCP range to avoid duplicate addresses.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool ranges=17.172.68.2-17.172.68.254
add name=pptp-pool ranges=17.172.68.30-17.172.68.40
# DHCP server for the LAN bridge.
/ip dhcp-server
add address-pool=dhcp-pool disabled=no interface=bridge1 name=dhcp1
# Profile for the ISP tunnel: MSS is clamped on the tunnel, no PPP
# compression or encryption (the tunnel adds no confidentiality of its own),
# UPnP allowed on it.
/ppp profile
add change-tcp-mss=yes name=beeline1 use-compression=no use-encryption=no \
use-mpls=no use-upnp=yes
# L2TP client to the ISP; add-default-route=yes makes the tunnel the Internet
# path. Only CHAP/MSCHAPv2 are allowed (no PAP). user= is redacted as well.
/interface l2tp-client
add add-default-route=yes allow=chap,mschap2 connect-to=\
tp.internet.beeline.ru disabled=no max-mru=1500 max-mtu=1460 name=\
l2tp-beeline password="mypassword" profile=beeline1 user="mypassword"
# Read-only group. NOTE(review): it still includes sniff and romon, so a
# "read" user can capture traffic on the router; remove them unless needed.
/user group
set read policy="local,telnet,ssh,read,test,winbox,password,web,sniff,api,romo\
n,tikapp,!ftp,!reboot,!write,!policy,!sensitive,!dude"
# Bridge membership: ether2-5 and the 2.4 GHz AP form the LAN; the 5 GHz port
# entry exists but is disabled.
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf interface=wifi1
add bridge=bridge1 comment=defconf disabled=yes interface=wlan2
# Neighbor discovery (MNDP) only towards LAN members.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Inbound L2TP/IPsec server settings. The export shows no enabled=yes, so the
# server is only live if turned on elsewhere; an IPsec pre-shared secret is
# nevertheless stored here.
# NOTE(review): if no inbound VPN is wanted, clear ipsec-secret and use-ipsec
# rather than leaving a dormant credential in the config.
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=default ipsec-secret=\
"mypassword" use-ipsec=yes
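# Interface list membership. The filter, raw and NAT rules key off list WAN,
# but the default route and the srcnat masquerade go through l2tp-beeline, so
# the tunnel must be a WAN member as well. Without it the forward-chain rules
# "drop all from WAN not DSTNATed" / "drop all other from WAN to LAN" never
# match traffic arriving over the tunnel, and new inbound connections from the
# Internet can reach LAN hosts (the input chain is still closed by its final
# "drop all not coming from LAN" rule).
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1-beeline list=WAN
add comment="myconf: tunnel is the Internet path" interface=l2tp-beeline \
list=WAN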
# PPTP server: only MTU/MRU are set; no enabled=yes is exported.
/interface pptp-server server
set max-mru=1460 max-mtu=1460
# Single access-list entry for one client MAC on the 2.4 GHz AP.
# NOTE(review): an access-list entry alone does not restrict who may
# associate unless default-authentication is turned off on the AP (not shown
# in this export) - confirm the intent.
/interface wireless access-list
add interface=wifi1 mac-address=04:92:26:7C:87:CD vlan-mode=no-tag
# LAN address. 17.172.68.0/24 is NOT private space (RFC 1918 is 10/8,
# 172.16/12, 192.168/16): it collides with a publicly routed block, so hosts
# in that block are unreachable from this LAN and any LAN address that leaks
# out is ambiguous. Move the LAN (pools, leases, dstnat targets, /ip service
# address filters) to a private range.
/ip address
add address=17.172.68.1/24 comment=defconf interface=bridge1 network=\
17.172.68.0
# DHCP client on the uplink; its default route is kept at distance 5 so the
# route added by the l2tp-client (presumably at the default distance 1) wins.
/ip dhcp-client
add comment=defconf default-route-distance=5 dhcp-options=hostname,clientid \
disabled=no interface=ether1-beeline
# Static leases. 17.172.68.6, the target of the disabled dstnat rules further
# down, has no lease here.
/ip dhcp-server lease
add address=17.172.68.2 client-id=1:bc:5f:f4:85:18:fc comment=pc-main \
mac-address=BC:5F:F4:85:18:FC server=dhcp1
add address=17.172.68.10 client-id=1:4:92:26:7c:87:cd comment=phone-main \
mac-address=04:92:26:7C:87:CD server=dhcp1
add address=17.172.68.3 comment=pc-linux mac-address=\
BC:5F:F4:8D:3E:A8 server=dhcp1
# DHCP options for the LAN. No dns-server is listed.
# NOTE(review): presumably clients are handed the router itself as resolver
# (allow-remote-requests=yes below) - confirm against a client lease.
/ip dhcp-server network
add address=17.172.68.0/24 comment=defconf: gateway=17.172.68.1
# The router resolves for the LAN and forwards in clear to public upstreams.
# allow-remote-requests=yes would also answer WAN-side queries; what closes
# that is the input chain (the port-53 rejects for list WAN plus the final
# "drop all not coming from LAN" rule).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
# Stale entry: router.lan still points at the factory address 192.168.88.1,
# not at the bridge address 17.172.68.1.
/ip dns static
add address=192.168.88.1 name=router.lan
# Firewall filter. Rules are evaluated top-down per chain; first terminating
# match wins.
# --- input chain: traffic addressed to the router itself ---
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Refuse DNS from list WAN so the open resolver (allow-remote-requests=yes)
# cannot be abused for amplification. "DNA" in the rule comment is a typo for
# DNS. NOTE(review): these match list WAN only, so they cover the tunnel only
# if l2tp-beeline is a WAN member; reject= answers with ICMP, drop would
# reveal less.
add action=reject chain=input comment="myconf: DNA amplification" dst-port=53 \
in-interface-list=WAN protocol=tcp reject-with=icmp-port-unreachable
add action=reject chain=input dst-port=53 in-interface-list=WAN protocol=udp \
reject-with=icmp-port-unreachable
# SSH brute-force limiter. Blacklisted sources are dropped first; the four
# add-src-to-address-list rules below are non-terminating and move a source
# stage1 -> stage2 -> stage3 -> ssh_blacklist (4w2d) when it opens repeated
# new SSH connections within the 1m stage windows.
add action=drop chain=input comment="myconf: drop ssh brute forcers" \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=4w2d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
# Management ports blocked from list WAN (same WAN-membership caveat as the
# DNS rules above).
add action=drop chain=input comment="myconf: drop ssh from ethernet" \
dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="myconf: block Winbox from ethernet" \
dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="myconf: drop WWW from ethernet" \
dst-port=80 in-interface-list=WAN protocol=tcp
# Catch-all: anything not arriving from a LAN member is dropped. This is what
# actually closes the router to the tunnel side, regardless of the WAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# fasttrack marks established/related connections; later packets of those
# connections bypass the rest of the firewall and mangle. SYNs are
# connection-state=new, so the MSS clamp in /ip firewall mangle still sees
# them.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# The only two rules that stop unsolicited inbound connections from reaching
# the LAN. Both match list WAN, so they protect the tunnel only if
# l2tp-beeline is in WAN; there is no final catch-all drop in this chain.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
"myconf: drop all other from WAN to LAN" in-interface-list=WAN \
out-interface-list=LAN
# MSS clamp on forwarded SYNs in either direction (no interface matcher). The
# ppp profile already clamps on the tunnel, so the two overlap.
# NOTE(review): 1360 is below the 1460-40=1420 a 1460-byte link needs;
# harmless, but confirm it is deliberate.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp \
tcp-flags=syn tcp-mss=1453-65535
# Every dstnat (port-forward) rule is disabled. The second one has no matcher
# at all - enabled, it would send every inbound connection to 17.172.68.3.
# NOTE(review): delete it rather than keeping it disabled; 17.172.68.6 (rules
# 3-5) has no lease in this export.
/ip firewall nat
add action=netmap chain=dstnat comment="myconf: torrents" disabled=yes \
dst-port=6881 in-interface=l2tp-beeline protocol=tcp to-addresses=\
17.172.68.3 to-ports=6881
add action=netmap chain=dstnat disabled=yes to-addresses=17.172.68.3
add action=netmap chain=dstnat disabled=yes dst-port=443 in-interface=\
ether1-beeline protocol=tcp to-addresses=17.172.68.6
add action=netmap chain=dstnat disabled=yes dst-port=53 in-interface=\
ether1-beeline protocol=tcp to-addresses=17.172.68.6
add action=netmap chain=dstnat disabled=yes dst-port=80 in-interface=\
ether1-beeline protocol=tcp to-addresses=17.172.68.6
# LAN is masqueraded behind the tunnel address, i.e. the tunnel is the
# Internet path.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=l2tp-beeline
# NetBIOS dropped before connection tracking; matches list WAN, so the
# WAN-membership caveat applies here too.
/ip firewall raw
add action=drop chain=prerouting comment="myconf: drop NetBios Service" \
dst-port=137,138,139 in-interface-list=WAN protocol=udp
# Static routes via the ISP gateway 100.110.128.1 (100.64/10 shared address
# space, RFC 6598).
# NOTE(review): presumably these pin the ISP's L2TP/DNS hosts to the physical
# uplink so they are not routed into the tunnel they carry; confirm the
# prefixes still match what tp.internet.beeline.ru resolves to.
/ip route
add distance=1 dst-address=85.21.66.0/24 gateway=100.110.128.1
add distance=1 dst-address=85.21.192.3/32 gateway=100.110.128.1
add distance=1 dst-address=213.234.192.8/32 gateway=100.110.128.1
# Management plane: telnet/ftp/api/api-ssl off; HTTP, SSH and Winbox answer
# only the LAN subnet. www-ssl is not exported, i.e. left at its default.
# NOTE(review): www is plain HTTP; prefer www-ssl, Winbox or SSH for logins.
# The address filters must move together with the LAN subnet if it changes.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=17.172.68.0/24
set ssh address=17.172.68.0/24
set api disabled=yes
set winbox address=17.172.68.0/24
set api-ssl disabled=yes
# UPnP lets any LAN host open inbound ports on the tunnel side by itself; the
# dstnat entries it creates are not visible among the manual NAT rules above.
# NOTE(review): keep only if a LAN application actually depends on it.
/ip upnp interfaces
add interface=bridge1 type=internal
add disabled=yes interface=wifi1 type=internal
add interface=l2tp-beeline type=external
/system clock
set time-zone-name=Europe/Moscow
# MAC-telnet and MAC-Winbox answer only on LAN members.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN