raidu
just joined
Topic Author
Posts: 6
Joined: Sun Jun 12, 2016 3:29 pm

hAP ac2's started blocking inbound connections

Sat Nov 23, 2019 11:59 pm

At some point I have lost the ability to connect to a couple of hAP ac2's from the WAN side.

Winbox, ping, pptp, nothing from the WAN side. Is there a hidden feature somewhere that blocks all connections from the outside world?
Not an internet issue, because I cannot even ping from a local pfSense server simulating the "WAN side".

Tried even accepting all in the firewall. Still nothing. No Winbox, not even a ping response from the WAN side.
And the weirdest part of all is that the firewall logs the ICMP packets. Looks like the router sends no response.
23:54:27 firewall,info input: in:InternetBr out:(unknown 0), src-mac 00:00:5e:00:01:01, proto ICMP (type 8, code 0), 193.40.XX.XX->84.50.XX.XX, len 60

/interface bridge
add admin-mac=CC:2D:E0:A3:74:E1 auto-mac=no name=InternetBr
add admin-mac=CC:2D:E0:A3:74:DE auto-mac=no comment=defconf name=LanBr
add name=dTVBr
add name=pfSBr
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-A374E2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-A374E3 \
    wireless-protocol=802.11
/interface vlan
add comment=LAN interface=ether1 name=eth1.10 vlan-id=10
add comment=dTV interface=ether1 name=eth1.4 vlan-id=4
add comment=pfS interface=ether1 name=eth1.6 vlan-id=6
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.11.10-192.168.11.140
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LanBr name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=LanBr comment=defconf interface=ether2
add bridge=LanBr comment=defconf interface=ether3
add bridge=LanBr comment=defconf interface=ether4
add bridge=LanBr comment=defconf interface=ether5
add bridge=LanBr comment=defconf interface=wlan1
add bridge=LanBr comment=defconf interface=wlan2
add bridge=LanBr interface=eth1.10
add bridge=dTVBr interface=eth1.4
add bridge=pfSBr interface=eth1.6 trusted=yes
add bridge=InternetBr interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=LanBr list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.11.1/24 comment=defconf interface=ether2 network=\
    192.168.11.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    InternetBr
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=pfSBr
add add-default-route=no dhcp-options=hostname,clientid interface=dTVBr
/ip dhcp-server network
add address=192.168.11.0/24 comment=defconf gateway=192.168.11.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.11.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Input ALL!!!"
add action=accept chain=forward comment="Forward ALL!!!"
add action=accept chain=output comment="Output ALL!!!"
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow ping" protocol=icmp
add action=accept chain=input comment="allow winbox" dst-port=8291 protocol=\
    tcp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add distance=1 dst-address=172.17.0.0/16 gateway=192.168.6.1
add distance=5 dst-address=193.40.5.245/32 gateway=192.168.6.1
add distance=5 dst-address=193.40.7.92/32 gateway=192.168.6.1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=LanBr type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Tallinn
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sindy
Forum Guru
Posts: 11317
Joined: Mon Dec 04, 2017 9:19 pm

Re: hAP ac2's started blocking inbound connections

Sun Nov 24, 2019 5:41 pm

It is a wrong setup to use ether1 as a carrier for /interface vlan and at the same time use it as a member port of a bridge. If etherX has already been used as a carrier interface for some /interface vlan, RouterOS refuses to make it a member port of a bridge (at least if you try to do this using the command line).

So you have to
either remove the membership of ether1 in InternetBr and move the dhcp client from InternetBr directly to ether1,
or use the contemporary (6.41+) way of handling VLANs on a bridge, i.e. move all the /interface vlan from ether1 to InternetBr.

Any of the two should resolve your issue.

If it is not enough, try running /tool sniffer quick ip-protocol=icmp to see what is really going on while you ping the WAN IP from outside.
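Both of sindy's options, written out as RouterOS commands against the export raidu posted. This is an added example, not code from the thread or from MikroTik; the interface, bridge and VLAN names (ether1, InternetBr, eth1.4/eth1.6/eth1.10, VLAN ids 4, 6, 10) are taken from that export, and the assumption is that nothing else references InternetBr. Apply one option, not both, and do it from the LAN side or via Safe Mode so a mistake cannot lock you out.

```routeros
# Added example (not from the thread): the two fixes sindy describes,
# built from raidu's export. Names and VLAN ids come from that export.

# --- Option A: ether1 is plain WAN, VLAN sub-interfaces stay on ether1 ---
# Take ether1 out of InternetBr and put the WAN DHCP client straight on it.
/interface bridge port remove [find interface=ether1 bridge=InternetBr]
/ip dhcp-client set [find interface=InternetBr] interface=ether1
# InternetBr now carries nothing; remove it so no stray L2 path remains.
/interface bridge remove [find name=InternetBr]
# ether1 is already in the WAN interface list, so the defconf
# "drop all not coming from LAN" input rule and the masquerade rule
# keep applying to the WAN side unchanged.

# --- Option B: keep ether1 in InternetBr, handle VLANs on the bridge (6.41+) ---
# Re-parent the VLAN interfaces from ether1 onto the bridge ...
/interface vlan set [find name=eth1.10] interface=InternetBr
/interface vlan set [find name=eth1.4]  interface=InternetBr
/interface vlan set [find name=eth1.6]  interface=InternetBr
# ... declare which VLAN ids may arrive tagged on ether1 and reach the
# bridge's own (CPU) port; the bridge must be a tagged member for the
# /interface vlan entries on it to see traffic ...
/interface bridge vlan add bridge=InternetBr tagged=ether1,InternetBr vlan-ids=4,6,10
# ... and only then switch filtering on. Untagged WAN frames stay on
# pvid 1, where ether1 and the bridge are untagged members by default.
/interface bridge set InternetBr vlan-filtering=yes

# Verify before touching the firewall:
# 1. the WAN DHCP client should now be bound and holding a lease
/ip dhcp-client print
# 2. a ping from the pfSense "WAN" host should show request AND reply
/tool sniffer quick ip-protocol=icmp

# Once inbound works again, remove the wide-open debugging rules that sit
# above the defconf drops. While they are in place every service on the
# router (Winbox, PPTP, L2TP, SSTP and the DNS resolver with
# allow-remote-requests=yes) answers to the whole internet.
/ip firewall filter remove [find comment="Input ALL!!!"]
/ip firewall filter remove [find comment="Forward ALL!!!"]
/ip firewall filter remove [find comment="Output ALL!!!"]
```

Option A is the smaller change and keeps the existing eth1.x sub-interfaces as bridge ports of LanBr, dTVBr and pfSBr exactly as they are. Option B moves the VLAN termination onto the bridge so that ether1 is a single bridge port carrying both untagged WAN and the tagged VLANs; the `/interface bridge vlan` entry has to exist before `vlan-filtering=yes`, otherwise the tagged traffic is dropped the moment filtering is enabled.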
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: hAP ac2's started blocking inbound connections

Sun Nov 24, 2019 7:27 pm

or use the contemporary (6.41+) way of handling VLANs on a bridge, i.e. move all the /interface vlan from ether1 to InternetBr
+1
Agree with @sindy