 
Jokery
just joined
Topic Author
Posts: 6
Joined: Sun Dec 01, 2024 3:53 am
Location: Romania

Problem after updating to 7.16.2

Mon Dec 02, 2024 12:22 am

Hello everyone,

It's my first time being here since I am not sure where to ask for some help.

Like the title says, after updating from 7.16.1 to 7.16.2 I can't access my router remotely, but can locally. For some reason the filter rule doesn't even pick up any traffic coming for that port, no matter where I set the rule. Even my Plex server can't keep remote access anymore, even though I set up a manual port for it; I even disabled it and let it go automatic with UPnP to see if anything was different.

Most of my settings are default; I just added more, not edited or deleted. In the case of the firewall, just some extra checks for port scanners and allowing certain ports access.

If you guys need anything from me to help find a solution to this problem.

It's very strange that this happened after I updated a minor version.
 
MxDx
just joined
Posts: 7
Joined: Wed Jun 19, 2024 8:24 pm

Re: Problem after updating to 7.16.2

Mon Dec 02, 2024 1:35 am

Post your config.

I also upgraded from 7.16.1 to 7.16.2 with no issues; all went well, and I've got a bunch of firewall rules, route rules, queues, mangle rules, 5 WireGuard tunnels, a bunch of VLANs, and dual ISP w/ failover. Suffice to say my RB5009 has got some load and no issues on 7.16.2.
 
Jokery
just joined
Topic Author
Posts: 6
Joined: Sun Dec 01, 2024 3:53 am
Location: Romania

Re: Problem after updating to 7.16.2

Mon Dec 02, 2024 6:17 pm

How should I post the config? The backup config?

Forgot to mention, I even reset the configuration back to default; it was the same behavior as before.

Thank you for the reply.
Last edited by Jokery on Mon Dec 02, 2024 6:20 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 6825
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Problem after updating to 7.16.2

Mon Dec 02, 2024 6:19 pm

Open terminal
/export file=anynameyouwish
Move file to PC
Open file with text editor and remove serial number, passwords, public IP, ...
Post contents between [code] [/code] quotes for easier readability.
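
One way to do the redaction step, and to double-check a hand-edited export before posting it, as an added Python example that is not part of the thread. The list of secret-bearing keys and the sample export are assumptions constructed for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# key=value pairs whose value is a credential or account name (assumed list).
SECRET_RE = re.compile(
    r'\b(password|secret|private-key|preshared-key|user)=("[^"]*"|\S+)')
# Identifying comment lines RouterOS writes at the top of every export.
HEADER_RE = re.compile(r"^(# (?:serial number|software id) = ).*$", re.M)

# Addresses that say nothing about where the router lives and can stay in a post.
KEEP_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample export (documentation address range, made-up identifiers).
SAMPLE = """# 2024-12-02 18:24:14 by RouterOS 7.16.2
# software id = ABCD-1234
# serial number = HXX0000000
/interface bridge
add admin-mac=02:00:5E:10:00:01 auto-mac=no name=bridge
/interface pppoe-client
add interface=sfp-sfpplus1 name=pppoe-out2 password="s3cret pass" user=subscriber01
/ip address
add address=10.20.88.1/24 interface=bridge network=10.20.88.0
/ip firewall address-list
add address=203.0.113.10 list=admin
"""


def _is_shareable(ip_text):
    """True for private/loopback addresses and for strings that are not real IPs."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in KEEP_NETS)


def sanitize_export(text):
    """Mask serial/software id, credentials, MAC addresses and public IPv4 addresses."""
    text = HEADER_RE.sub(r"\1removed", text)
    text = SECRET_RE.sub(lambda m: m.group(1) + "=removed", text)
    text = MAC_RE.sub("xx:xx:xx:xx:xx:xx", text)
    return IPV4_RE.sub(
        lambda m: m.group(0) if _is_shareable(m.group(0)) else "x.x.x.x", text)


def find_leaks(text):
    """Return MAC addresses and public IPs still present in an edited export."""
    return MAC_RE.findall(text) + [
        ip for ip in IPV4_RE.findall(text) if not _is_shareable(ip)]


if __name__ == "__main__":
    print(sanitize_export(SAMPLE))
    print("left over:", find_leaks(sanitize_export(SAMPLE)))
```

Running `find_leaks` over a manually redacted file catches values that were missed by hand, such as a single MAC address left in a long lease list.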
 
Jokery
just joined
Topic Author
Posts: 6
Joined: Sun Dec 01, 2024 3:53 am
Location: Romania

Re: Problem after updating to 7.16.2

Mon Dec 02, 2024 6:43 pm

# 2024-12-02 18:24:14 by RouterOS 7.16.2
# software id = removed
#
# model = RB5009UG+S+
# serial number = removed
/interface bridge
add admin-mac=45:A9:8B:BD:C8:6D auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
add disabled=yes name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full,2.5G-baseT \
    mac-address=18:A6:F7:7F:4A:13
set [ find default-name=ether2 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=ether3 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=ether4 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=ether5 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=ether6 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=ether7 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=ether8 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
set [ find default-name=sfp-sfpplus1 ] advertise="1G-baseT-half,1G-baseT-full,\
    1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR\
    " sfp-shutdown-temperature=90C
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus1 name=pppoe-out2 \
    use-peer-dns=yes user=deleted
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.20.88.10-10.20.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=12h name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=dockers disabled=yes interface=*D internal-path-cost=10 path-cost=\
    10
add bridge=bridge interface=ether1 trusted=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add disabled=yes interface=*B list=WAN
add interface=pppoe-out2 list=WAN
/ip address
add address=10.20.88.1/24 comment=defconf interface=bridge network=10.20.88.0
add address=10.30.0.1/24 disabled=yes interface=dockers network=10.30.0.0
/ip arp
add address=10.20.88.245 interface=bridge mac-address=xxxx
add address=10.20.88.250 interface=bridge mac-address=xxxx
add address=10.20.88.239 interface=bridge mac-address=xxxx
add address=10.20.88.228 interface=bridge mac-address=xxxx
add address=10.20.88.252 interface=bridge mac-address=xxxx
add address=10.20.88.222 interface=bridge mac-address=xxxx
add address=10.20.88.217 interface=bridge mac-address=xxxx
add address=10.20.88.251 interface=bridge mac-address=xxxx
add address=10.20.88.238 interface=bridge mac-address=xxxx
add address=10.20.88.208 interface=bridge mac-address=xxxx
add address=10.20.88.206 interface=bridge mac-address=xxxx
add address=10.20.88.200 interface=bridge mac-address=xxxx
add address=10.20.88.199 comment="TRUENAS SERVER" interface=bridge \
    mac-address=xxxx
add address=10.20.88.198 interface=bridge mac-address=xxxx
add address=10.20.88.185 interface=bridge mac-address=xxxx
add address=10.20.88.168 interface=bridge mac-address=xxxx
add address=10.20.88.163 interface=bridge mac-address=xxxx
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=sfp-sfpplus1
/ip dhcp-server lease
add address=10.20.88.250 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.245 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.239 mac-address=xxxx server=defconf
add address=10.20.88.238 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.217 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.208 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.206 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.199 mac-address=xxxx server=defconf
add address=10.20.88.198 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.251 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.185 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.252 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.228 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.168 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.164 client-id=xxxx mac-address=\
    xxxx server=defconf
add address=10.20.88.163 client-id=xxxx mac-address=\
    74:56:3C:5D:E5:FB server=defconf
/ip dhcp-server network
add address=10.20.88.0/24 comment=defconf dns-server=10.20.88.1 gateway=\
    10.20.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.20.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=drop chain=input comment="Blocked Port Scanners" src-address-list=\
    Port-Scanners
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=32411 in-interface=pppoe-out2 \
    protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=add-src-to-address-list address-list=Port-Scanners \
    address-list-timeout=1d5h30m chain=input comment="Port Scanner Detection" \
    log=yes log-prefix="TCP-SCANNER: " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Port-Scanners \
    address-list-timeout=1d5h30m chain=input comment="Port Scanner Detection" \
    log=yes log-prefix="UDP-SCANNER: " protocol=udp psd=21,3s,3,1
add action=accept chain=input comment=WinBox dst-port=8321 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=pppoe-out2
add action=dst-nat chain=dstnat comment=satisfactory disabled=yes dst-port=\
    15777 in-interface=pppoe-out2 protocol=udp to-addresses=10.20.88.199 \
    to-ports=15777
add action=dst-nat chain=dstnat comment=satisfactory dst-port=7777 \
    in-interface=pppoe-out2 protocol=udp to-addresses=10.20.88.199 to-ports=\
    7777
add action=dst-nat chain=dstnat comment=satisfactory dst-port=7777 \
    in-interface=pppoe-out2 protocol=tcp to-addresses=10.20.88.199 to-ports=\
    7777
add action=dst-nat chain=dstnat comment=satisfactory disabled=yes dst-port=\
    15000 in-interface=pppoe-out2 protocol=udp to-addresses=10.20.88.199 \
    to-ports=15000
add action=dst-nat chain=dstnat comment=Plex dst-port=32411 in-interface=\
    pppoe-out2 protocol=tcp to-addresses=10.20.88.199 to-ports=32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=bridge type=internal
add interface=pppoe-out2 type=external
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.20.88.0/24 port=2230
set api disabled=yes
set winbox port=8321
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=pppoe-out2 type=external
add interface=bridge type=internal
/ipv6 dhcp-server
add address-pool="" interface=bridge lease-time=12h name=defconfv6
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=deleted
/system identity
set name=xxxx
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name=auto_start_nas on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=06:30:00
add disabled=yes interval=5m name=auto_start on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-22 start-time=07:26:26
add interval=1d name=schedule1 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=08:30:00
add interval=1d name=schedule2 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=09:30:00
add interval=1d name=schedule3 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=10:30:00
add interval=1d name=schedule4 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=11:30:00
add interval=1d name=schedule5 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=12:30:00
add interval=1d name=schedule13 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=20:30:00
add interval=1d name=schedule7 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=14:30:00
add interval=1d name=schedule8 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=15:30:00
add interval=1d name=schedule9 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=16:30:00
add interval=1d name=schedule10 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=17:30:00
add interval=1d name=schedule11 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=18:30:00
add interval=1d name=schedule12 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=19:30:00
add interval=1d name=schedule14 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=21:30:00
add interval=1d name=schedule15 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=22:30:00
add interval=1d name=schedule16 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=23:30:00
add interval=1d name=schedule17 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=00:30:00
add interval=1d name=schedule18 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=01:30:00
add interval=1d name=schedule19 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=02:30:00
add interval=1d name=schedule6 on-event=truenas policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-05 start-time=13:30:00
add disabled=yes name=upgrade on-event=upg policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add disabled=yes interval=1d name=upg on-event=/system/reboot policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-07-18 start-time=04:05:00
/system script
add dont-require-permissions=no name=truenas owner=xxxx policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/tool wol mac=xxxx interface=ether1"
add dont-require-permissions=no name=upg owner=xxxx policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system routerboard\
    \n:if ([get current-firmware] != [get upgrade-firmware]) do={\
    \n    upgrade\
    \n    :delay 20\
    \n    /system reboot\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user settings
set minimum-password-length=6
 
holvoetn
Forum Guru
Posts: 6825
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Problem after updating to 7.16.2

Mon Dec 02, 2024 7:09 pm

Move this rule as first on input chain

add action=accept chain=input comment=WinBox dst-port=8321 protocol=tcp
 
Jokery
just joined
Topic Author
Posts: 6
Joined: Sun Dec 01, 2024 3:53 am
Location: Romania

Re: Problem after updating to 7.16.2

Mon Dec 02, 2024 8:30 pm

Did that the first time and nothing happens; no packets/bytes are logged, only from the local network. I don't have any other router or firewalls; the cable comes directly from the modem to the MikroTik router.

Did manual testing of ports with ping, but nothing reached; even ports that I knew worked before for the gaming server were showing 0 packets/bytes.

I mean, the Cloudflare connection works and I can access my NAS, but not the router, which I connect to using the direct IP. Plex is affected and can't have a remote connection, the gaming server I have on 7777 doesn't work, and no traffic is being seen in NAT; I even tested forwarding in the filter to be sure, and still no traffic is detected on any port I assign.

From all the tests I made, I think it may be being blocked by the ISP, but why would that happen? It has never happened that a direct connection did not work in the 10 years I have had the subscription with them.

Plex now tells me I may have double NAT in the remote connection.
 
holvoetn
Forum Guru
Posts: 6825
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Problem after updating to 7.16.2

Mon Dec 02, 2024 9:36 pm

Whenever you change something in firewall, clear all connections or wait 10 minutes or reboot.
 
anovojr
Frequent Visitor
Posts: 51
Joined: Wed Nov 15, 2017 9:24 am
Location: Philippines

Re: Problem after updating to 7.16.2

Mon Dec 02, 2024 10:14 pm

I’d double-check the firewall and NAT rules, sometimes they don’t apply properly after an update. If UPnP isn’t helping, maybe try manually re-adding the port forwards. Also, if there’s an option to export logs or debug traffic, that might give you a clue about what’s blocking the remote connections. Worst case, rolling back to 7.16.1 could be worth testing.
 
infabo
Forum Guru
Forum Guru
Posts: 1475
Joined: Thu Nov 12, 2020 12:07 pm

Re: Problem after updating to 7.16.2

Mon Dec 02, 2024 10:55 pm

/interface detect-internet
set detect-interface-list=all

Please remove that detect internet thing by:

/interface detect-internet
set detect-interface-list=none

You already know where your WAN "lives". No need to detect and mess up your config with that crazy magic wand.

You did not tell us by which address you try to access your router from remote. If it is by using the Mikrotik "sn.myname.net" address, then you may be out of luck because of:

/ip cloud advanced
set use-local-address=yes

Apparently afraid of "port scanners", but leave Winbox management port open to internet. GOOD JOB.

add action=accept chain=input comment=WinBox dst-port=8321 protocol=tcp

So I will end here. Leaving Winbox port open to internet is a no go for me and I won't look further below that line in the export.

Good luck.
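
The exposure called out above can be found mechanically in an export. The following is an added Python example, not code from the thread or from MikroTik: it parses an excerpt of the export posted earlier and reports input-chain accept rules that admit a router management service from the WAN without any source restriction. It assumes the WAN interface list is named WAN as in the default configuration, and that a service absent from the export is enabled on its default port.

```python
import re
import shlex

# Excerpt of the export posted in this thread (only the sections the check reads).
SAMPLE_EXPORT = r'''
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out2 list=WAN
/ip firewall filter
add action=accept chain=input dst-port=32411 in-interface=pppoe-out2 \
    protocol=tcp
add action=accept chain=input comment=WinBox dst-port=8321 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.20.88.0/24 port=2230
set api disabled=yes
set winbox port=8321
set api-ssl disabled=yes
'''

# Default RouterOS service ports, used when the export does not override them.
DEFAULT_PORTS = {"telnet": 23, "ftp": 21, "www": 80, "ssh": 22,
                 "www-ssl": 443, "api": 8728, "winbox": 8291, "api-ssl": 8729}

def parse_export(text):
    """Yield (section, words, params) per command, joining '\\' continuations."""
    section = None
    for line in re.sub(r"\\\r?\n[ \t]*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            words = shlex.split(line)
            yield section, words, dict(w.split("=", 1) for w in words if "=" in w)

def open_service_ports(entries):
    """Map port -> service name for services reachable from any source address."""
    # Assumption: a service absent from the export is enabled on its default port.
    state = {name: [port, True] for name, port in DEFAULT_PORTS.items()}
    for section, words, p in entries:
        if section == "/ip service" and words[0] == "set" and len(words) > 1:
            svc = state.setdefault(words[1], [None, True])
            if "port" in p:
                svc[0] = int(p["port"])
            # Disabled, or limited by the service's own address= allow-list.
            if p.get("disabled") == "yes" or p.get("address"):
                svc[1] = False
    return {port: name for name, (port, is_open) in state.items() if is_open and port}

def excludes_wan(value, wan_names):
    """True when an in-interface(-list) matcher cannot match WAN traffic."""
    return (value.lstrip("!") in wan_names) == value.startswith("!")

def ports_in(spec):
    """Expand a dst-port value such as '500,4500' or '33434-33534'."""
    ports = set()
    for part in spec.lstrip("!").split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    # A negated match ("!80") covers every port except the listed ones.
    return set(range(1, 65536)) - ports if spec.startswith("!") else ports

def audit(text):
    """Return (service, port, comment) for management ports accepted from the WAN."""
    # Rule order is not modelled: every matching accept rule is reported.
    entries = list(parse_export(text))
    mgmt = open_service_ports(entries)
    wan_ifaces = {p.get("interface") for s, _, p in entries
                  if s == "/interface list member" and p.get("list") == "WAN"
                  and p.get("disabled") != "yes"}
    findings = []
    for section, _, p in entries:
        if section != "/ip firewall filter" or p.get("disabled") == "yes" or "dst-port" not in p:
            continue
        if (p.get("chain"), p.get("action"), p.get("protocol")) != ("input", "accept", "tcp"):
            continue
        restricted = (
            any(k in p and not p[k].startswith("!") for k in ("src-address", "src-address-list"))
            or ("in-interface" in p and excludes_wan(p["in-interface"], wan_ifaces))
            or ("in-interface-list" in p and excludes_wan(p["in-interface-list"], {"WAN"}))
        )
        if not restricted:
            for port in sorted(ports_in(p["dst-port"]) & set(mgmt)):
                findings.append((mgmt[port], port, p.get("comment", "")))
    return findings
```

On the excerpt, `audit(SAMPLE_EXPORT)` reports the WinBox rule on port 8321; the SSH service is not reported because its own `address=` setting limits it to the LAN subnet and no filter rule opens it.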
 
Jokery
just joined
Topic Author
Posts: 6
Joined: Sun Dec 01, 2024 3:53 am
Location: Romania

Re: Problem after updating to 7.16.2

Tue Dec 03, 2024 1:00 am

> /interface detect-internet
> set detect-interface-list=all
> Please remove that detect internet thing by:
> /interface detect-internet
> set detect-interface-list=none
> You already know where your WAN "lives". No need to detect and mess up your config with that crazy magic wand.
>
> You did not tell us by which address you try to access your router from remote. If it is by using the Mikrotik "sn.myname.net" address, then you may be out of luck because of:
> /ip cloud advanced
> set use-local-address=yes
> Apparently afraid of "port scanners", but leave Winbox management port open to internet. GOOD JOB.
> add action=accept chain=input comment=WinBox dst-port=8321 protocol=tcp
> So I will end here. Leaving Winbox port open to internet is a no go for me and I won't look further below that line in the export.
>
> Good luck.

Thank you for the reply. My IP is dynamic, it always changes every day; I know it is a bad idea to keep that port open. Apparently there are plenty of port scanners, since I get around 4 new IPs per day flagged as port scanners; I didn't know that till I added the rule and saw and checked the IPs.
I will try disabling the detect internet.
I am connecting to the router using the public IP. I disabled the cloud DNS today; I have Cloudflare letting me know the new IP, and also have someone on premises in case that is down. I am not going on the router that often, just once a week.

> I’d double-check the firewall and NAT rules, sometimes they don’t apply properly after an update. If UPnP isn’t helping, maybe try manually re-adding the port forwards. Also, if there’s an option to export logs or debug traffic, that might give you a clue about what’s blocking the remote connections. Worst case, rolling back to 7.16.1 could be worth testing.

I did a rollback to that version and even reset the configuration, but still the same problem. I will go personally to the location in a few days and run some tests on the modem to make sure the problem doesn't come from the ISP, but overall, from the tests I did, no traffic from outside that I trigger is registered in the router; I even placed a log for all traffic. In PPPoE it shows IP 100.101 but in whatsmyip it is 80., as an example. Maybe that's the problem. I saw this IP change after the update, maybe it's related. I know that before, my UPnP would place my real IP.

I did place ports manually to check, since UPnP doesn't work; the gaming server I have already has manually set ports, so I can't even access that.
 
holvoetn
Forum Guru
Posts: 6825
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Problem after updating to 7.16.2

Tue Dec 03, 2024 8:02 am

My initial comment to move that one rule to the top was based on the rest not being secure enough already.

The only true way to solve this:
Use outgoing VPN to some publicly accessible IP (either your own or some cloud server) and use that as pivot point to get back in.

And then you can close that open access and only allow entry via VPN.

Having a port wide open for entry is asking for trouble, sooner or later.
Same with having UPnP wide open even to outside ... it may have worked but that doesn't mean it's a good idea.

You haven't specified either why you want remote access to that router?
I see some mentioning of Plex server, so I assume that needs to be accessible as well?
Another reason to go for VPN solution since it looks like you want your complete LAN behind that router to be reachable?
Please clarify in case there are other things we don't know yet.
 
CGGXANNX
Member Candidate
Posts: 257
Joined: Thu Dec 21, 2023 6:45 pm

Re: Problem after updating to 7.16.2

Tue Dec 03, 2024 10:42 am

> in pppoe shows ip 100.101 but in whatsmyip is 80. as an example. Maybe that's the problem.
Yes, that's the reason, CGNAT is active.
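
The check behind this diagnosis, as an added Python example that is not part of the thread: a WAN address inside 100.64.0.0/10 (the RFC 6598 shared address space) means the ISP is translating the connection with carrier-grade NAT, so inbound connections to the public address never reach the router and no filter or dst-nat counter moves. The function name and verdict labels are assumptions, and the sample addresses are constructed, since the post only gives the leading octets.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT (CGNAT).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: one of these on the WAN side means another NAT
# device (ISP modem in router mode, upstream router) sits in front.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "cgnat": "ISP applies CGNAT; port forwards on the router cannot work. "
             "Ask the ISP for a public address or use an outbound VPN.",
    "double-nat": "Another NAT device is upstream; bridge it or forward there too.",
    "translated-upstream": "WAN address is public but differs from the observed "
                           "one; traffic is translated or proxied on the way out.",
    "public": "Router holds the public address; inbound rules can match.",
}


def diagnose_wan(wan_ip, observed_ip):
    """Compare the router's WAN address with the address seen from outside.

    wan_ip      -- address shown on the PPPoE/WAN interface of the router
    observed_ip -- address reported by an external "what is my IP" service
    Returns (verdict, inbound_possible).
    """
    wan = ipaddress.ip_address(wan_ip)
    observed = ipaddress.ip_address(observed_ip)

    if wan in CGNAT_NET:
        return "cgnat", False
    if any(wan in net for net in RFC1918_NETS):
        return "double-nat", False
    if wan != observed:
        return "translated-upstream", False
    return "public", True


if __name__ == "__main__":
    # Constructed samples: (WAN interface address, externally observed address).
    samples = [
        ("100.101.0.10", "203.0.113.80"),   # shape of the case in this thread
        ("192.168.1.2", "203.0.113.80"),    # modem doing NAT in front of the router
        ("203.0.113.80", "203.0.113.80"),   # address held directly by the router
    ]
    for wan_ip, seen in samples:
        verdict, ok = diagnose_wan(wan_ip, seen)
        print(f"{wan_ip:15} seen as {seen:15} -> {verdict}: {ADVICE[verdict]}")
```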
 
katsj
just joined
Posts: 1
Joined: Mon Aug 14, 2023 3:35 am
Location: Larissa, Greece

Re: Problem after updating to 7.16.2

Wed Dec 04, 2024 1:51 am

I had problems too with 7.16.2: many of my customers' MikroTik routers that I upgraded had several problems with internet access; most of them had no internet for many minutes. I finally downgraded to 7.16.1 and everything is OK! I will wait till MikroTik fixes 7.16.2 and finds what the problem is, and then I will try to upgrade again to a newer version.
 
Jokery
just joined
Topic Author
Posts: 6
Joined: Sun Dec 01, 2024 3:53 am
Location: Romania

Re: Problem after updating to 7.16.2

Wed Dec 04, 2024 6:00 pm

Thank you all for the support. It's the CGNAT, which for some reason was activated by the ISP on my account. I don't think your problem is from the update. At least for me, internet always worked no matter how many updates.
 
CoffeeEngineer
just joined
Posts: 1
Joined: Tue Dec 10, 2024 6:02 pm

Re: Problem after updating to 7.16.2

Tue Dec 10, 2024 6:12 pm

I have a strange issue where after the update yesterday, the Grandstream UCM6304 stopped allowing outbound SIP calls, saying all circuits are busy; inbound SIP calls and internal calls still work perfectly. The Mikrotik is a CCR1009-8G-1S-1S+. Did this update do anything to the way SIP messages are handled, i.e. adding an extra character somewhere? Traceroutes and pings work fine both ways, but no outbound phone calls. I know it's the Mikrotik because at the time stamp of when I did the upgrade from 7.16.1 to 7.16.2, the phones stopped making outbound calls. I've been unable to downgrade back to 7.16.1 either. Tried uploading the routeros-7.16.1-tile.npk to the Mikrotik files (via Winbox), clicking System/Packages and then Downgrade. Tried that method and then rebooting and trying, still locked on 7.16.2.

Update: I read another post about removing custom SIP headers, I wasn't sure what those would be, but I tried to simplify the headers by changing SIP line SRTP from Optional (would send the available ciphers in the SIP message) to Disabled and then everything worked after that.
Last edited by CoffeeEngineer on Tue Dec 10, 2024 6:32 pm, edited 1 time in total.
