MarkusT
just joined
Topic Author
Posts: 3
Joined: Mon Apr 08, 2024 1:33 pm

WIFI, Internet, DNS, DHCP working ...... but something's wrong with IoT devices

Wed Apr 17, 2024 4:29 pm

Hello,

I've been struggling with my home network for weeks now.
My setup is very basic, I think:
Internet <-> MT LTE Modem (RBSXTLTE3-7) <-> MT Router (RB962UiGS-5HacT2HnT) <-> Wireless 2.4 GHz + 5 GHz / LAN <-> PCs, Laptops, Smartphones, Smarthome, Printer, Streaming Sticks, Synology NAS

Meanwhile I changed the MT router to a newer MT hAP ax^3 (C53UiG+5HPaxD2HPaxD) model, so the actual setup looks like this:
Internet <-> MT LTE Modem (RBSXTLTE3-7) <-> MT hAP ax^3 (C53UiG+5HPaxD2HPaxD) <-> Wireless 2.4 GHz + 5 GHz / LAN <-> PCs, Laptops, Smartphones, Smarthome, Printer, Streaming Sticks, Synology NAS

What's working:
- Internet access on Clients (Smartphones, PCs, Streaming Sticks) -> OK
- 2.4 GHz and 5 GHz Wifi -> OK
- LAN -> OK
- Wireguard VPN -> OK

So, for the "standard" home user, everything would look OK.

What's not working (listed in chronological order of occurrence):
1) Binding my Bambulab 3D Printer over the smartphone with the Bambu Cloud service -> (not a big deal, since using it only locally is a good and even better solution) -> additionally I can say that during this cloud binding the printer gets an IP from my DHCP
2) Downloading of audio content to a kids' toy (Ravensburger SAMI) -> Toy gives audio info that internet access was possible but server communication failed
3) Binding of a water irrigation WLAN device (WOOX R4238) with the smartphone -> Not showing up in the app. But an IP was provided by my DHCP
4) External access to my home automation system (Loxone) -> App gives info that downloading the structure file from the Miniserver failed
5) Internal API requests to weather services (openweather) on the Loxone Miniserver failed with error 500, recognized because I tried to add new requests, which also failed
6) Website www.netztest.at will not load in the browser -> relatively new problem since last weekend during testing
7) Toniebox Kids Toy -> new content could not be downloaded

All these problems may be connected to the same issue, because all this stuff was working without a problem for some years before!?
I had the first issues at the end of February, starting my 3D printer again after a 2-week pause.

I can remember that I did a ROS update in January on both devices (modem and router). At this time I was on V6 on both devices. Meanwhile I'm running the latest V7 on both devices!
So maybe it had something to do with that update! Hard to say now because I faced the problem a little bit later. I also can't say from which V6 I was coming during this update.

I used to start with the preloaded configs on the devices, which worked for me, and from there I made my preferred changes (port forwarding, SSIDs, passwords, ...).
But even by doing that I see the same problems.
Then I started to configure, especially the router, from the ground up. Same problems again.

At the moment I cannot say how many config rounds I did. Every time with the same results.

I also need to say that I'm no expert in this, but as an electronics engineer I'm used to learning and finding solutions for problems; now I really need help!
Maybe this is a simple checkbox, rule, route or some other very basic topic/solution, so please be patient if something's completely odd/wrong in my configs.

I would be grateful for every tip, no matter how small!

Here are my configs of both devices:

MODEM:
# 2024-04-17 15:09:02 by RouterOS 7.14.2
# software id = SRZM-W3AB
#
# model = RBSXTLTE3-7
# serial number = 745705E20641
/interface bridge
add admin-mac=E4:8D:8C:B1:0D:C4 auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=yes band="" name=SPUSU sms-read=\
    no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=mass.at ip-type=ipv4 name=spusu use-network-apn=\
    no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=SPUSU list=WAN
/ip address
add address=192.168.188.1/24 comment=defconf interface=bridge network=\
    192.168.188.0
/ip dhcp-server lease
add address=192.168.188.254 client-id=1:d4:1:c3:3d:ed:82 mac-address=\
    D4:01:C3:3D:ED:82 server=defconf
/ip dhcp-server network
add address=192.168.188.0/24 comment=defconf dns-server=\
    8.8.8.8,8.8.4.4,1.1.1.1,192.168.188.1 gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip dns static
add address=192.168.188.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="DROPPED - "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix="DROPPED - "
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="DROPPED - "
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "DROPPED - "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="LOXONE TCP" dst-port=7090 \
    in-interface=SPUSU protocol=tcp to-addresses=192.168.188.254 to-ports=\
    7090
add action=dst-nat chain=dstnat comment=WIREGUARD dst-port=13231 \
    in-interface=SPUSU protocol=udp to-addresses=192.168.188.254 to-ports=\
    13231
add action=dst-nat chain=dstnat comment=SYNOLOGY dst-port=5000 in-interface=\
    SPUSU protocol=tcp to-addresses=192.168.188.254 to-ports=5000
add action=dst-nat chain=dstnat comment="LOXONE UDP" dst-port=7090 \
    in-interface=SPUSU protocol=udp to-addresses=192.168.188.254 to-ports=\
    7090
/ip service
set www-ssl disabled=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Vienna
/system logging
add topics=lte,!raw
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-limit=3000KiB file-name=packet_sniff_modem filter-interface=all \
    memory-scroll=no

ROUTER:
# 2024-04-17 15:09:34 by RouterOS 7.14.2
# software id = I3WL-DXNA
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HG609JYQ9S5
/interface bridge
add admin-mac=D4:01:C3:3D:ED:83 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Austria .mode=ap .ssid=CMB+MT_5GHz disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Austria .mode=ap .ssid=CMB+MT disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=""
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard_vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.11-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard_vpn list=LAN
/interface wireguard peers
add allowed-address=192.168.2.100/32 interface=wireguard_vpn public-key=\
    "7J5hS22+i2RNQQ7SpvvCksigzEyWVgwbklLiq7P2xBk="
/ip address
add address=192.168.1.10/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.2.10/24 interface=wireguard_vpn network=192.168.2.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.100 mac-address=50:4F:94:10:00:25 server=defconf
add address=192.168.1.20 client-id=1:0:11:32:11:50:fc mac-address=\
    00:11:32:11:50:FC server=defconf
add address=192.168.1.30 client-id=1:1c:ca:e3:78:67:28 mac-address=\
    1C:CA:E3:78:67:28 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    8.8.8.8,8.8.4.4,1.1.1.1,192.168.1.10 gateway=192.168.1.10 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.1.10 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="DROPPED - "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes log=yes log-prefix="DROPPED - "
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "DROPPED - "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="LOXONE TCP" dst-port=7090 \
    in-interface=ether1 protocol=tcp src-port="" to-addresses=192.168.1.100 \
    to-ports=80
add action=dst-nat chain=dstnat comment=WIREGUARD dst-port=13231 \
    in-interface=ether1 protocol=udp src-port="" to-addresses=192.168.1.10 \
    to-ports=13231
add action=dst-nat chain=dstnat comment=SYNOLOGY dst-port=5000 in-interface=\
    ether1 protocol=tcp src-port="" to-addresses=192.168.1.20 to-ports=5000
add action=dst-nat chain=dstnat comment="LOXONE UDP" dst-port=7090 \
    in-interface=ether1 protocol=udp src-port="" to-addresses=192.168.1.100 \
    to-ports=80
/ip service
set www-ssl disabled=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Vienna
/system logging
add topics=wireless,debug
add topics=dns,debug
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=packet_sniff filter-interface=all memory-scroll=no
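An added example, not the poster's or MikroTik's code: a small Python linter that reads a RouterOS export in the format shown above (a /section header, add/set commands with key=value parameters, backslash line continuation) and flags settings that loosen the default firewall posture. SAMPLE_EXPORT is constructed from a few lines of the router export above, so the checks are the ones a reviewer would run over that dump.

```python
"""Lint a RouterOS '/export' dump for settings that loosen the default
firewall posture. Illustration only, not MikroTik code: the parser follows
the export format seen in the thread (a '/section' header, add/set commands
with key=value parameters, backslash line continuation). SAMPLE_EXPORT is
constructed from a few lines of the router export in the post."""
import shlex

SAMPLE_EXPORT = r"""
/ip settings
set accept-source-route=yes
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes log=yes log-prefix="DROPPED - "
/ip upnp
set enabled=yes
"""


def parse_export(text):
    """Yield (section, verb, params) per command, gluing continued lines."""
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # trailing backslash: command continues
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)       # respects quoted values such as comments
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        yield section, tokens[0], params


def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, dns_remote, lan_only_input = [], False, False
    for section, _verb, p in parse_export(text):
        if section == "/ip settings" and p.get("accept-source-route") == "yes":
            findings.append("source-routed IPv4 packets accepted (default: no)")
        elif section == "/ip upnp" and p.get("enabled") == "yes":
            findings.append("UPnP enabled: any LAN host may open WAN port forwards")
        elif section == "/ip dns" and p.get("allow-remote-requests") == "yes":
            dns_remote = True
        elif section == "/ip firewall filter" and p.get("action") == "drop":
            if p.get("disabled") == "yes":
                findings.append("drop rule disabled: " + p.get("comment", "<no comment>"))
            elif p.get("chain") == "input" and p.get("in-interface-list") == "!LAN":
                lan_only_input = True
    if dns_remote and not lan_only_input:
        findings.append("DNS answers remote queries, but no active input rule "
                        "drops traffic that does not come from the LAN list")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print("-", finding)
```

Run it against a full export saved from the router (`/export file=...`); the modem export above, whose non-LAN input drop is still enabled, does not trigger the DNS finding.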
 
MarkusT
just joined
Topic Author
Posts: 3
Joined: Mon Apr 08, 2024 1:33 pm

Re: WIFI, Internet, DNS, DHCP working ...... but something's wrong with IoT devices

Wed Apr 24, 2024 2:19 am

Hi,

For problems 3 & 7 I used the packet sniffer on the modem and router to trace the connection.
  • The devices got a valid IP address from the DHCP.
  • They performed queries to DNS (Google 8.8.8.8) and got a response (manual ping of IPs and domain names is also successful)
  • Then TCP SYN packets were sent but no SYN/ACK happened
Why is the connection not acknowledged?

Router:
2024-04-24 01_09_17-packet_sniff_router.png
Modem:
2024-04-24 01_10_48-packet_sniff_modem.png
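The pattern described in this post (DNS answered, TCP SYNs never acknowledged) as an added Python example that is not part of the original post or MikroTik's sniffer tooling: it reads a one-line-per-packet summary and reports, per server, the LAN flows that sent a SYN and never saw a SYN/ACK, counting retransmitted SYNs. The summary format ("<time> <src ip:port> <dst ip:port> <proto> <flags>") and the packets in SAMPLE_CAPTURE are constructed; the server addresses are documentation ranges, not real hosts.

```python
"""Spot outbound TCP SYNs that never got a SYN/ACK, while confirming that
UDP/DNS exchanges in the same capture were answered. Added example, not
MikroTik's sniffer tooling: the line format is a constructed summary
("<time> <src ip:port> <dst ip:port> <proto> <flags>") and the packets
below are invented to mirror the post; server addresses are documentation
ranges, not real hosts."""
from collections import defaultdict

SAMPLE_CAPTURE = """\
01:09:17.001 192.168.1.57:40123 8.8.8.8:53 udp -
01:09:17.040 8.8.8.8:53 192.168.1.57:40123 udp -
01:09:17.102 192.168.1.57:49152 203.0.113.10:443 tcp S
01:09:18.105 192.168.1.57:49152 203.0.113.10:443 tcp S
01:09:20.110 192.168.1.57:49152 203.0.113.10:443 tcp S
01:09:21.000 192.168.1.57:49153 198.51.100.7:8883 tcp S
01:09:22.300 192.168.1.30:55000 192.0.2.44:443 tcp S
01:09:22.345 192.0.2.44:443 192.168.1.30:55000 tcp SA
01:09:22.346 192.168.1.30:55000 192.0.2.44:443 tcp A
"""

LAN_PREFIX = "192.168.1."   # the router's LAN subnet from the export in the thread


def parse_line(line):
    """Split one summary line into (src ip, src port, dst ip, dst port, proto, flags)."""
    _time, src, dst, proto, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), proto, flags


def analyse_capture(text, lan_prefix=LAN_PREFIX):
    """Group LAN-originated TCP flows by whether the server ever replied SYN/ACK.

    Returns {"answered_flows": n, "udp_replies": m, "unanswered": {server: {...}}};
    each unanswered server lists how many flows and SYN packets (retries) it saw."""
    syns = defaultdict(int)       # (client, cport, server, sport) -> SYN count
    answered, udp_replies = set(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        sip, sport, dip, dport, proto, flags = parse_line(line)
        if proto == "udp":
            if not sip.startswith(lan_prefix):   # a reply coming back in
                udp_replies += 1
        elif flags == "S" and sip.startswith(lan_prefix):
            syns[(sip, sport, dip, dport)] += 1
        elif flags == "SA":
            answered.add((dip, dport, sip, sport))   # reverse of the client tuple
    unanswered = defaultdict(lambda: {"flows": 0, "syn_packets": 0})
    ok = 0
    for flow, count in syns.items():
        if flow in answered:
            ok += 1
            continue
        server = "%s:%d" % (flow[2], flow[3])
        unanswered[server]["flows"] += 1
        unanswered[server]["syn_packets"] += count
    return {"answered_flows": ok, "udp_replies": udp_replies, "unanswered": dict(unanswered)}


if __name__ == "__main__":
    print(analyse_capture(SAMPLE_CAPTURE))
```

Running the same script over summaries taken on both the router and the modem shows at which hop the SYN is last seen, which separates a local firewall or NAT problem from one upstream of the LTE link.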
 
MarkusT
just joined
Topic Author
Posts: 3
Joined: Mon Apr 08, 2024 1:33 pm

Re: WIFI, Internet, DNS, DHCP working ...... but something's wrong with IoT devices  [SOLVED]

Mon Apr 29, 2024 9:36 am

Hi,

The problem is fixed.

After replacing the current SIM with another one from the same operator, the problems disappeared.
Changing the SIM back, all problems were present again.

In the end, changing my static IP fixed the problem, at least for me!

I got no more detailed info on what's wrong on the provider side or with this IP!

bye
