ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

marathoneer · Sat Sep 22, 2018 11:32 am

Hello!
I facing a really strange problem. 2 different setup, same rsult:
I have ESP32 and ESP8266 on my WIFI network. At some point, ESP32 becomes unreachable from all local clients (no matter WIFI on LAN), but pings ok from Mikrotik (AP). Once u ping it from Mikrotik AP (/tools/ping) all other devices can reach ESP32 normally. Almost looks like Mikrotik FORGETS the route to ESP32. While ESP8266 works perfectly, reachable always.

1) RB751U, plain and simple - AP. Wan and LAN interfaces on same bridge.
http://share2.hostmit.net/ss/winbox_201 ... -24-17.png
http://share2.hostmit.net/ss/winbox_201 ... -24-43.png

2) RB751G running CAPSMAN. Same setup. WAN and LAN interfaces on same bridge.
http://share2.hostmit.net/ss/winbox_201 ... -28-57.png
http://share2.hostmit.net/ss/winbox_201 ... -31-17.png
http://share2.hostmit.net/ss/winbox_201 ... -32-46.png

If I use any other router (TPLINK for instance) both devices works perfectly, always reachable to each other and other LAN/WIFI members.

Any ideas?

pe1chl · Sat Sep 22, 2018 2:30 pm

Please post configuration /export instead of screenshots.

marathoneer · Sat Sep 22, 2018 3:19 pm

# sep/22/2018 15:17:17 by RouterOS 6.43.1
# software id = ULPL-PZAD
#
# model = 751G-2HnD
# serial number = 2F860295F138
/caps-man channel
add band=2ghz-onlyg name=channel1
/caps-man datapath
add arp=enabled bridge=bridge-local client-to-client-forwarding=yes \
    local-forwarding=yes name=local-path
add bridge=bridge-public name=public-path
add bridge=bridge-free name=free-path
/caps-man configuration
add datapath=free-path mode=ap name=free-cfg ssid=luchfree
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=luchmtk passphrase=
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=public passphrase=
add authentication-types=wpa-psk,wpa2-psk,wpa2-eap encryption=aes-ccm,tkip \
    name=free passphrase=
/caps-man configuration
add channel=channel1 datapath=local-path \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    mode=ap name=local-cfg security=luchmtk ssid=luchmtk
add datapath=public-path mode=ap name=public-cfg rx-chains="" security=public \
    ssid=luch4 tx-chains=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=local-cfg name-format=\
    identity slave-configurations=public-cfg,free-cfg

marathoneer · Sat Sep 22, 2018 3:22 pm

bridge

/interface bridge
add fast-forward=no name=bridge-free
add admin-mac=D4:CA:6D:26:2A:DC auto-mac=no fast-forward=no name=bridge-local
add fast-forward=no name=bridge-public
/interface bridge port
add bridge=bridge-local interface="3 - local_switch"
add bridge=bridge-public interface="2 - UNUSED"

pe1chl · Sat Sep 22, 2018 3:47 pm

Ok so it is fully in bridge mode without routing and DHCP?
I would have guessed maybe some problem with DHCP or ARP but this is not used in bridge mode.
In that case I don't know. I personally have used ESP8266 without any issue (weeks of uptime) but that works for you too...

marathoneer · Sat Sep 22, 2018 9:59 pm

The fun part - i made a periodical http request from ESP32 to ESP8266, like every minute. And it works. I've checked on downtime the bridge/hosts - ESP32 MAC present.
My head gonna explode. I dont understand what da hell happening. Why esp32, why not esp8266?

dhcp

# sep/22/2018 21:53:10 by RouterOS 6.43.1
# software id = ULPL-PZAD
#
# model = 751G-2HnD
# serial number = 2F860295F138
/ip dhcp-server
add address-pool=local-dhcp authoritative=after-2sec-delay disabled=no \
interface=bridge-local lease-time=3d name=dhcpserver-local
add address-pool=neighbors authoritative=after-2sec-delay disabled=no \
interface="5 - neighbor switch" lease-time=3d name=dhcpserver-neightboors
add address-pool="public pool" disabled=no interface=bridge-public name=\
dhcpserver-public
add address-pool="pool free" disabled=no interface=bridge-free name=\
dgcpserver-free
/ip dhcp-server network
add address=10.7.7.0/24 comment=FREE dns-server=8.8.8.8,8.8.4.4 gateway=\
10.7.7.1
add address=10.8.8.0/24 comment="luch4+luch5 WIFI" dns-server=8.8.8.8,8.8.4.4 \
gateway=10.8.8.1 netmask=24
add address=10.9.9.0/24 comment=neighbor dns-server=8.8.8.8,8.8.4.4 gateway=\
10.9.9.1 netmask=24
add address=10.10.10.0/24 comment="default configuration" dns-server=\
8.8.8.8,8.8.4.4 gateway=10.10.10.1 netmask=24

Firefall

# sep/22/2018 21:54:59 by RouterOS 6.43.1
# software id = ULPL-PZAD
#
# model = 751G-2HnD
# serial number = 2F860295F138

/ip firewall filter
add action=drop chain=forward disabled=yes src-address=10.10.10.13
add action=drop chain=forward disabled=yes src-address=10.10.10.17
add action=drop chain=forward disabled=yes out-interface=sitv_pppoe \
src-address=10.7.7.12
add action=accept chain=forward disabled=yes dst-address=10.7.7.0/24 \
src-address=10.10.10.4
add action=accept chain=forward disabled=yes dst-address=10.7.7.0/24 \
src-address=10.10.10.10
add action=accept chain=forward disabled=yes dst-address=10.10.10.4 \
src-address=10.7.7.0/24
add action=accept chain=forward disabled=yes dst-address=10.10.10.10 \
src-address=10.7.7.0/24
add action=accept chain=forward disabled=yes dst-address=10.7.7.0/24 \
src-address=10.10.10.20
add action=accept chain=forward disabled=yes dst-address=10.7.7.0/24 \
src-address=10.10.10.100
add action=accept chain=forward disabled=yes dst-address=10.10.10.20 \
src-address=10.7.7.0/24
add action=accept chain=forward disabled=yes dst-address=10.10.10.100 \
src-address=10.7.7.0/24
add action=accept chain=forward comment="allow VB to internal net" \
dst-address=10.10.10.0/24 src-address=10.1.1.0/24
add action=accept chain=forward comment=\
"win7my ip list allowed, see address list main" dst-address-list=main \
src-address=10.1.1.2
add action=accept chain=forward comment=marius dst-address-list=marius \
src-address=10.1.1.10
add action=accept chain=forward comment=\
"rodad ip list allowed, see address list rodad" dst-address-list=rodad \
src-address=10.1.1.12
add action=accept chain=forward comment=\
"ro ip list allowed, see address list ro" dst-address-list=ro \
src-address=10.1.1.13
add action=accept chain=forward comment=\
"vm47 ip list allowed, see address list vm47" src-address=10.1.1.100
add action=accept chain=forward comment="allow VB to DNS 8.8.8.8" \
dst-address=8.8.8.8 src-address=10.1.1.0/24
add action=accept chain=forward comment="allow VB to DNS 8.8.4.4" \
dst-address=8.8.4.4 src-address=10.1.1.0/24
add action=drop chain=forward comment="DROP ALL VB traffic" src-address=\
10.1.1.0/24
add action=accept chain=forward comment=\
"main ip list allowed, see address list main" dst-address-list=main \
src-address=10.1.1.20
add action=drop chain=forward comment=\
"IP cams list deny internet, unless ip 148.251.193.37" dst-address=\
!148.251.193.37 log-prefix=cams src-address-list=ip_cams_to_deny
add action=drop chain=forward comment=\
"IP cams list deny internet via chereda" disabled=yes log-prefix=cams \
out-interface=*8 src-address-list=ip_cams_to_deny
add action=drop chain=forward comment="DROP FROM NEIGHBORS TO LOCAL SWITCH" \
in-interface="5 - neighbor switch" out-interface=bridge-local protocol=\
!icmp
add action=accept chain=forward comment=\
"PUBLIC BRIDGE: allow internet via sitv_pppoe" in-interface=bridge-public \
out-interface=sitv_pppoe
add action=drop chain=forward comment="PUBLIC BRIDGE: DROP ALL" in-interface=\
bridge-public
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"My Office PC mark in case I need to route via something" disabled=yes \
new-routing-mark=via_chereda passthrough=yes src-address=10.10.10.20
add action=mark-routing chain=prerouting comment=\
"Mark with \"ru\" IP from BlockedRuIP list" dst-address-list=BlockedRuIp \
new-routing-mark=ru passthrough=yes
add action=mark-routing chain=prerouting comment=\
"VERA NOTEBOOK MARK VIA CHEREDA" disabled=yes new-routing-mark=\
via_chereda passthrough=yes src-address=10.10.10.12
add action=mark-routing chain=prerouting comment=\
"KOSTYA NOTEBOOK MARK VIA CHEREDA" disabled=yes new-routing-mark=\
via_chereda passthrough=yes src-address=10.10.10.34
add action=mark-routing chain=prerouting comment="VERA PC MARK VIA CHEREDA" \
disabled=yes new-routing-mark=via_chereda passthrough=yes src-address=\
10.10.10.98
add action=mark-routing chain=prerouting comment=\
"10.10.10.100 mark via_chereda" disabled=yes new-routing-mark=via_chereda \
passthrough=yes src-address=10.10.10.100
add action=mark-routing chain=prerouting comment=\
"VBOX mark via_chereda ALL UNLESS DEST to 10.10.10.0/24" disabled=yes \
dst-address=!10.1.1.1 new-routing-mark=via_chereda passthrough=yes \
src-address=10.1.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT 10.10.10.0/24" src-address=\
10.10.10.0/24
add action=masquerade chain=srcnat comment="NAT NEIGHBOT 10.9.9.0/24" \
out-interface=sitv_pppoe src-address=10.9.9.0/24
add action=masquerade chain=srcnat comment="NAT public 10.8.8.0/24" \
out-interface=sitv_pppoe src-address=10.8.8.0/24
add action=masquerade chain=srcnat comment=\
"NAT free 10.7.7.0/24 via sitv_pppoe" out-interface=sitv_pppoe \
src-address=10.7.7.0/24
add action=masquerade chain=srcnat comment="VBOX NAT" src-address=10.1.1.0/24
add action=masquerade chain=srcnat comment=\
"NAT from 10.10.10.0/24 to VBOXES for VNC/ETC" dst-address=10.1.1.0/24 \
src-address=10.10.10.0/24 to-addresses=10.1.1.0/24

marathoneer · Mon Sep 24, 2018 7:20 am

Okey so new data. Upon investigating I find the ESP32 arp is missing. arp -a shows no ip/mac pair.... Once I open winbox - it magically appears

Who to blame? Mikrotik or ESP32?

multiplek · Mon Sep 24, 2018 4:28 pm

Hi,

I am facing a similar situation right now. We have around ~350 ESP32 with the main MikroTik router(several access points also). And they are either can't connect or dropping from the connection.

On MikroTik, sometimes it says "Waiting" and the devices can't connect to the internet in the meantime.

Did you come up with a solution/fix to this inconsistency?

marathoneer · Tue Sep 25, 2018 9:15 am

Problem solved, lost a day and got a headache.

#include "esp_wifi.h"
esp_wifi_set_ps(WIFI_PS_NONE);

Has nothing to do with mikrotik. Wireshark helped. Detailed explanation is on following video
http://share2.hostmit.net/file/2018-09-25_09-02-23.mp4
http://share2.hostmit.net/file/2018-09-25_09-04-17.mp4

Apparently on WIFI_PS_MIN_MODEM, which is default, modem goes to sleep for a short periods of time and missing ARP broadcast request from time to time.

multiplek · Tue Sep 25, 2018 10:30 am

Pretty good catch. Thank you for sharing it. I will try soon.

tdnet · Sat Apr 20, 2019 3:13 pm

Pretty good catch. Thank you for sharing it. I will try soon.

Have you tried it yet?

I also have 150+ esp32 connected to mikrotik also.
And very appriciate if you have some advice

ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine

Re: ESP32 goes unreachable with AP mikrotik, ESP8266 works fine