Community discussions

Search found 27 matches

by torgr2019
Sat Apr 03, 2021 4:29 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

I think that the whole story is DNS "hijacking" aka redirection from ISP. This is the only reasonable explanation why the packets never reached 4011 and of course never triggered firewall etc. This is the only reasonable explanation why the problem was only at port 53. This is the only rea...
by torgr2019
Sat Apr 03, 2021 2:39 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

I am almost pretty sure it's ISP related... Putting 4011 behind 941 made 4011 work as expected. Still it's a mystery why 941 is not affected by ISP. Still to find out why the fast scan without -p 53 works fine and what the specific scan with -p 53 triggers maybe in ISP's WAN to redirect the packets... ...
by torgr2019
Sat Apr 03, 2021 1:18 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

I am now creating a virtual environment in which I will set the router behind another router (double NAT) and I will try to test again.
To rule ISP DNS interference out.

I will post my findings.
by torgr2019
Sat Apr 03, 2021 12:50 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

Yes, I have tried -p with all possible combinations. -p 53 -p T:53 -p U:53 same results. As long as there is a -p argument the packets are either not coming or coming invisible. Same command in same environment with RB941, packets are coming and blocked. Tried to change WAN port to ether10, same results. S...
by torgr2019
Sat Apr 03, 2021 12:19 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

I have used Packet sniffer inside RouterOS. Filters: ether 01, tcp 53, direction any, filter operation AND. When sudo nmap -sS -Pn <IP> packets are visible, firewall is working and packets blocked. Nmap says all ports are filtered. When sudo nmap -sS -Pn -p 53 <IP> packets not coming, and obviously ...
by torgr2019
Sat Apr 03, 2021 8:10 am
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

@anav My firewall rules are not the problem. Why? Because my first no1 rule in the filter is chain=input action=drop protocol=tcp in-interface=ether_01 dst_port=53 log=yes What is the result of this rule? When I run sudo nmap -sS -sU -Pn <WAN IP> all ports are filtered AND the firewall is working bec...
by torgr2019
Sat Apr 03, 2021 1:31 am
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

Tried netinstall and failed.
Followed the instructions carefully but the router didn't become visible to the application.
I don't know...
by torgr2019
Fri Apr 02, 2021 11:21 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

The commands are from my router WAN.
The exact same commands (nmap and nc -w5 -z -v <MyIP> 53), when tested with the exact same config on an RB941 that I had spare, work as expected. Port 53 is closed.
WTF?
Should I netinstall clean firmware?
And how can I do it?
by torgr2019
Fri Apr 02, 2021 10:54 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

I also tried
nc -w5 -z -v <MyIP> 53
and
Connection to <MyIP> 53 port [tcp/domain] succeeded!

I don't know what to say....

How can my ISP make a port in my router respond to requests?
by torgr2019
Fri Apr 02, 2021 10:22 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

My last input rule is a DROP add action=drop chain=input in-interface-list=!LAN log=yes I have tried something different: Scan without -p53 (specific port argument in nmap) shows all ports filtered and the counters of the rules at the top of my firewall are increasing. When I run the exact same comma...
by torgr2019
Fri Apr 02, 2021 9:57 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

Your results are different. TCP filtered means blocked by firewall. UDP open/filtered means no response from the server ==> blocked by firewall. Your machine seems to work as expected. In my 4011 when I perform the test: 1. The ports are open, that means that the router responds with an ACK to the S...
by torgr2019
Fri Apr 02, 2021 9:50 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

Configuration looks OK. Normally you should not need to block port 53 on outside, nor should it be open by itself. I have no linux server outside, so can not test my port. https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap Just try a free scan? It will test 53 a...
by torgr2019
Fri Apr 02, 2021 9:23 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

Configuration looks OK. Normally you should not need to block port 53 on outside, nor should it be open by itself. I have no linux server outside, so can not test my port. Do you see any count increase on your firewall rule when you test port 53? No, the counters are frozen. I think that the whole...
by torgr2019
Fri Apr 02, 2021 8:52 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

How can I filter the logs only for port 53 in firewall?
by torgr2019
Fri Apr 02, 2021 8:46 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

Here is the command in nmap and the result: sudo nmap -sS -sU -sV -Pn -p 53 <external IP address> (from a machine outside the LAN) Starting Nmap 7.70 ( https://nmap.org ) at 2021-04-02 19:55 EEST Nmap scan report for ****************************** Host is up (0.0025s latency). PORT STATE SERVICE VER...
by torgr2019
Fri Apr 02, 2021 8:34 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

Here is the complete export RB 4011 apr/02/2021 20:05:20 by RouterOS 6.47.9 /interface bridge add admin-mac=******** auto-mac=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge_lan vlan-filtering=yes /interface ethernet set [ find default-name=ether1 ] name=ether_01 set [ find d...
by torgr2019
Fri Apr 02, 2021 7:27 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

ip dns set allow-requests=no I have declared DNS 1.1.1.1 dig google.com shows as dns server the 1.1.1.1 and I am just fine with that. Why do you need my LAN config for a firewall problem? The ether 1 is the WAN and all the other LAN ports in the bridge are LAN. Not so complicated. All the relevant info ...
by torgr2019
Fri Apr 02, 2021 5:10 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

Re: port 53 open despite firewall rules

Here is my setup. Internet is coming in through ethernet 1 I added also 2 drop rules in the forward chain, but same results. /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface list member add comment="WAN interface" interface=ether_01 list=WAN add interfac...
by torgr2019
Fri Apr 02, 2021 3:25 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 43
Views: 9995

port 53 open despite firewall rules

These are my first 4 firewall rules in ip>firewall>filter add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related add action=drop chain=input connection-state=invalid add action=drop chain=input dst-port=53 in-interface-list=WAN prot...
by torgr2019
Wed Mar 24, 2021 11:31 am
Forum: Beginner Basics
Topic: accessing local network hosts by host-name.local-domain-name [SOLVED]
Replies: 4
Views: 5608

Re: accessing local network hosts by host-name.local-domain-name [SOLVED]

The problem is now how can I secure my router from external dns requests when "allow remote requests" is enabled? It's firewall rules for chain=input . Default firewall setup (in recent ROS version on SOHO devices) already blocks most connections from WAN, but it really depends on changes...
by torgr2019
Wed Mar 24, 2021 9:18 am
Forum: Beginner Basics
Topic: accessing local network hosts by host-name.local-domain-name [SOLVED]
Replies: 4
Views: 5608

Re: accessing local network hosts by host-name.local-domain-name [SOLVED]

Thank you so much for your reply. The problem seems to be that I haven't enabled the "allow remote requests". So with that disabled, only dynamic dns servers from ISP are used (peer dns in dhcp client) despite that I had configured static dns servers in ip/dns and in ip/dhcp/networks. Thes...
by torgr2019
Tue Mar 23, 2021 12:38 pm
Forum: Beginner Basics
Topic: accessing local network hosts by host-name.local-domain-name [SOLVED]
Replies: 4
Views: 5608

accessing local network hosts by host-name.local-domain-name [SOLVED]

Hi to all, Very new to Mikrotik. Very simple network architecture: WAN = ether1 LAN = bridge (ether2 to ether 10), 2 vlans, (vlan ///10 192.168.10.x/// and vlan 20 ///192.168.20.x///) with the relevant dhcp addresses etc. No firewall restrictions. Everything working fine. I can access one Windows d...
by torgr2019
Tue Mar 16, 2021 12:53 pm
Forum: Beginner Basics
Topic: hAP ac2 in bridge mode web access? [SOLVED]
Replies: 2
Views: 2691

Re: hAP ac2 in bridge mode web access? [SOLVED]

Found the answer after a lot of search: My configuration is: ISP modem >> Router 4011 >> AP hAP ac2. In router everything is moving in vlans and AP is connecting to a trunk port in router for vlan 120. AP itself: ports 2,3,4 are access ports for vlan 120 wifi ports are access ports for other vlans. ...
by torgr2019
Tue Mar 16, 2021 10:28 am
Forum: General
Topic: DHCP client on bridge interface with a VLAN DHCP not working
Replies: 5
Views: 4993

Re: DHCP client on bridge interface with a VLAN DHCP not working

Any idea? Make sure the bridge is untagged! If the bridge itself is tagged (or admit only tagged frames is selected), the DHCP-client will never work. Thank you so much for your reply, it helped me a lot. Actually I have the classic topology ISP>>router (4011) with vlans, dhcp etc >> access point w...
by torgr2019
Mon Mar 15, 2021 9:43 pm
Forum: Beginner Basics
Topic: hEXr3, 6.44.2 bridge mode [SOLVED]
Replies: 29
Views: 13393

Re: hEXr3, 6.44.2 bridge mode [SOLVED]

Still the problem persists in my hAP ac2. Bought it new, started the setup via the web browser and I selected the bridge mode as I intended to use it as an AP behind my router. And voila... lost all web interface. Access it through Winbox (mac address). All the ether ports in one bridge. DHCP s...
by torgr2019
Mon Mar 15, 2021 7:32 pm
Forum: Beginner Basics
Topic: hAP ac2 in bridge mode web access? [SOLVED]
Replies: 2
Views: 2691

hAP ac2 in bridge mode web access? [SOLVED]

Good afternoon, Very newbie in MT products. I have an RB4011 and an hAP ac2 as access point. Configuration is relatively simple: ISP modem>>4011>> hAP ac2 (in bridge mode). I started the hap ac2 in bridge mode but I lost access immediately thereafter. It is accessible only through Winbox. My question...
by torgr2019
Sun Mar 14, 2021 9:49 am
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 301
Views: 485491

Re: Using RouterOS to VLAN your network

Thank you so much for this excellent review of VLANs @ Mikrotik. I need your help regarding my simple home setup: Internet >> RB4011 (router) >> hAP ac2 (bridge mode AP) RB4011: base network and vlan aware port 6 that is connected to hap ac2. hap AC2: port 2,3,4 are vlan 120 wlan-mp2 (2.4) and wlan-...