Community discussions

MikroTik App
 
Selbie
just joined
Topic Author
Posts: 11
Joined: Mon Feb 10, 2020 8:13 pm

Internet issues (InvalidPackets) after upgrading ROSv6>v7

Fri Oct 21, 2022 11:44 pm

Hello everyone,

I have been trying to upgrade my router (RB4011) from router OS v6.48.6 to v7.x
The upgrade process itself works and I am able to login to the router.

DHCP/DNS seems to be working -> obtains new public IP and private IPs.

But then I have issues reaching websites like 'nu.nl' & 'tweakers.net' (yeah I am dutch).
This pages load (slow) using my Windows computer, but from my mobile (connected via wireless/CAPsMan) I receive the following errors:

ERR_CONNECTION_REFUSED
ERR_HTTP2_PROTOCOL_ERROR

In the firewall I see lots of 'Invalid' packets with the following messages:
'connection-state: invalid src-mac 00:E0:00:00:00:01' coming from the WAN towards my public IPv4 address.
I have extended the timeouts in the connection-tracker but that doesn't help.

Could anyone, point me to an direction where I should be looking for?
I went back to routerOS 6 and all issues where 'resolved'

Thank you in advance

Selbie
 
erlinden
Forum Guru
Forum Guru
Posts: 1299
Joined: Wed Jun 12, 2013 1:59 pm

Re: Internet issues (InvalidPackets) after upgrading ROSv6>v7

Sat Oct 22, 2022 10:47 am

Can you share your config? /export file=anynameyoulike
Make sure to remove any privacy information
 
Selbie
just joined
Topic Author
Posts: 11
Joined: Mon Feb 10, 2020 8:13 pm

Re: Internet issues (InvalidPackets) after upgrading ROSv6>v7

Fri Nov 11, 2022 3:42 pm

Another attempt to upgrade;
I disabled the fastpath as I thought this was causing issues, so far no luck.

See the attached screenshot, got no clue what is causing this MAC: 00:0e:00:00:00:01
The connection was new, and I got an answer (but with invalid src-mac)

This ROS device is directly connected trough an fiberline using VLAN-300 see:
https://www.t-mobile.nl/Consumer/media/ ... lingen.pdf

The following config was used;
# nov/11/2022 14:19:21 by RouterOS 7.6
#
# model = RB4011iGS+5HacQ2HnD
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=ch24.1
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=ch24.6
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=ch24.11
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XX \
    frequency=5180 name=ch5.36 skip-dfs-channels=yes
add band=5ghz-n/ac control-channel-width=20mhz frequency=5220 name=ch5.44 \
    skip-dfs-channels=yes
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XX name=\
    ch5-auto save-selected=no
add band=5ghz-n/ac control-channel-width=20mhz frequency=5200 name=ch5.40 \
    skip-dfs-channels=yes
add band=2ghz-g/n control-channel-width=20mhz name=ch24-auto \
    reselect-interval=30m save-selected=yes
add band=5ghz-n/ac control-channel-width=20mhz frequency=5240 name=ch5.48 \
    skip-dfs-channels=yes
/interface bridge
add name=bridgeGuests pvid=115 vlan-filtering=yes
add frame-types=admit-only-vlan-tagged name=bridgeIoT pvid=117 \
    vlan-filtering=yes
add admin-mac=74:4D:28:BE:82:B6 auto-mac=no name=bridgeLAN
add name=bridgeWAN pvid=300 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN l2mtu=1500
set [ find default-name=ether2 ] comment="Werkkamer 1"
set [ find default-name=ether3 ] comment="Werkkamer 2" full-duplex=no speed=\
    10Mbps
set [ find default-name=ether4 ] comment="Zolder LACP1"
set [ find default-name=ether5 ] comment="Zolder LACP2"
set [ find default-name=ether6 ] comment=KleineKamer-1
set [ find default-name=ether7 ] comment=KleineKamer-2
set [ find default-name=ether8 ] comment=WoonKamer-1
set [ find default-name=ether9 ] comment=WoonKamer-2
set [ find default-name=ether10 ] comment=Woonkamer-AP
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(17dBm), SSID: Pleiades-2G, CAPsMAN forwarding
set [ find default-name=wlan2 ] amsdu-limit=2048 band=2ghz-g/n country=\
    netherlands distance=indoors frequency=2422 installation=indoor mode=\
    ap-bridge name=wlan-2G ssid=Pleiades-2G station-roaming=enabled wps-mode=\
    disabled
# managed by CAPsMAN
# channel: 5180/20-Ce/ac/P(20dBm), SSID: Pleiades-5G, CAPsMAN forwarding
set [ find default-name=wlan1 ] amsdu-limit=2048 amsdu-threshold=2048 band=\
    5ghz-n/ac channel-width=20/40/80mhz-XXXX country=netherlands frequency=\
    5220 installation=indoor mode=ap-bridge name=wlan-5G ssid=Pleiades-5G \
    station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface bonding
add min-links=1 mode=802.3ad name=lacp-zolder slaves=ether4,ether5 \
    transmit-hash-policy=layer-2-and-3
/caps-man datapath
add bridge=bridgeLAN client-to-client-forwarding=yes name=datapath-lan
add bridge=bridgeGuests client-to-client-forwarding=no name=datapath-guests \
    vlan-id=115 vlan-mode=use-tag
add bridge=bridgeIoT client-to-client-forwarding=yes name=datapath-iot \
    vlan-id=117 vlan-mode=use-tag
/caps-man rates
add basic=24Mbps comment="YT=QYGggSiV7aA" ht-basic-mcs=mcs-3 \
    ht-supported-mcs="mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,\
    mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-\
    22,mcs-23" name=Rates-CSPE supported=24Mbps,36Mbps,48Mbps,54Mbps \
    vht-basic-mcs="" vht-supported-mcs=""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=5m name=secure-lan
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=5m name=guest-wifi
/caps-man configuration
add channel=ch24.1 country=netherlands datapath=datapath-lan distance=indoors \
    hide-ssid=no installation=indoor mode=ap name=2G-CH1 rates=Rates-CSPE \
    security=secure-lan ssid=Pleiades-2G
add channel=ch5.36 country=netherlands datapath=datapath-lan distance=indoors \
    hide-ssid=no installation=indoor mode=ap name=5G-CH36 rates=Rates-CSPE \
    security=secure-lan ssid=Pleiades-5G
add channel=ch24.6 country=netherlands datapath=datapath-lan distance=indoors \
    hide-ssid=no installation=indoor mode=ap name=2G-CH6 rates=Rates-CSPE \
    security=secure-lan ssid=Pleiades-2G
add channel=ch24.11 country=netherlands datapath=datapath-lan distance=\
    indoors hide-ssid=no installation=indoor mode=ap name=2G-CH11 rates=\
    Rates-CSPE security=secure-lan ssid=Pleiades-2G
add channel=ch5-auto comment=5G-Auto country=netherlands datapath=\
    datapath-lan distance=indoors hide-ssid=no installation=indoor mode=ap \
    name=5G-Auto rates=Rates-CSPE security=secure-lan ssid=Pleiades-5G
add channel=ch24-auto country=netherlands datapath=datapath-lan distance=\
    indoors hide-ssid=no installation=indoor mode=ap name=2G-Auto rates=\
    Rates-CSPE security=secure-lan ssid=Pleiades-2G
add country=netherlands datapath=datapath-guests distance=indoors hide-ssid=\
    no installation=indoor mode=ap name=5G-Guest rates=Rates-CSPE security=\
    guest-wifi ssid="Pleiades Guest"
/interface list
add name=WAN
add name=LAN-Filtered
add name=LAN-Secure
add name="LAN PPP"
add include="LAN-Filtered,LAN-Secure,LAN PPP" name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=wifi-guests supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=wifi-iot supplicant-identity=""
/ip dhcp-server option
add code=15 name="15 Domain Name" value="s'int.example.nl'"
add code=12 name="12 HostName Suricata" value="s'suricata'"
add code=12 name="12 HostName eVeNG" value="s'eve-ng'"
add code=66 name="66 TFTP Server Name" value="s'192.168.160.8'"
add code=42 name="42 NTP Servers" value="'192.168.160.1'"
add code=4 name="04 Time Server" value="'192.168.160.1'"
/ip dhcp-server option sets
add name=DefaultOptions options=\
    "15 Domain Name,42 NTP Servers,04 Time Server"
add name=RaspberryPi options=\
    "15 Domain Name,42 NTP Servers,04 Time Server,66 TFTP Server Name"
/ip firewall layer7-protocol
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bitt\
    orrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?inf\
    o_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[\
    RP]"
add name=Steam regexp="^..+\\\\.(steam|valve|steampowered|steamcommunity|steam\
    ga\\\r\
    \n    mes|steamusercontent|steamcontent|steamstatic).*\\\$"
add name=SSH regexp="^ssh-[12]\\.[0-9]"
add name=SIP regexp="^(invite|register|cancel|message|subscribe|notify) sip[\\\
    x09-\\x0d -~]*sip/[0-2]\\.[0-9]"
add name=RDP regexp=rdpdr.*cliprdr.*rdpsnd
add name=NNTP regexp=\
    "^(20[01][\\x09-\\x0d -~]*AUTHINFO USER|20[01][\\x09-\\x0d -~]*news)"
add name=HTTP regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d -~\
    ]*(connection:|content-type:|content-length:|date:)|post [\\x09-\\x0d -~]*\
    \_http/[01]\\.[019]"
add name=FTP regexp="^220[\\x09-\\x0d -~]*ftp"
add name=DNS regexp="^.\?.\?.\?.\?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z\
    0-9][\\x01-\?a-z]*[\\x02-\\x06][a-z][a-z][fglmoprstuvz]\?[aeop]\?(um)\?[\\\
    x01-\\x10\\x1c][\\x01\\x03\\x04\\xFF]"
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc pfs-group=modp2048
/ip pool
add name=lan-dhcp ranges=192.168.160.200,192.168.160.254
add name=vpn-pool ranges=192.168.161.10,192.168.161.127
add name=vpn-server-pool ranges=192.168.161.1,192.168.161.9
add name=iot-dhcp ranges=192.168.117.2,192.168.117.254
add name=guests-dhcp ranges=192.168.115.2,192.168.115.10
/ip dhcp-server
add add-arp=yes address-pool=lan-dhcp dhcp-option-set=DefaultOptions \
    interface=bridgeLAN lease-time=3d name="lan dhcp"
add add-arp=yes address-pool=iot-dhcp interface=bridgeIoT lease-time=3d name=\
    "iot dhcp" server-address=192.168.117.1
add add-arp=yes address-pool=guests-dhcp dhcp-option-set=DefaultOptions \
    interface=bridgeGuests lease-time=2h name="guests dhcp" server-address=\
    192.168.115.1
/ipv6 dhcp-server
add address-pool=lan-dhcp disabled=yes interface=bridgeLAN name=lan-dhcp
/ipv6 pool
add name=lan-dhcp prefix=fd00::/8 prefix-length=8
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add dns-server=192.168.160.17 interface-list="LAN PPP" local-address=\
    vpn-server-pool name=ipsec_vpn remote-address=vpn-pool
add change-tcp-mss=yes dns-server=192.168.160.17,192.168.160.1 \
    interface-list="LAN PPP" local-address=vpn-server-pool name=sstp_vpn \
    remote-address=vpn-pool use-encryption=yes
add interface-list="LAN PPP" local-address=vpn-server-pool name=openvpn_vpn \
    remote-address=vpn-pool use-encryption=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=yes name=default-v2
add disabled=yes name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/system logging action
set 1 disk-file-count=4 disk-lines-per-file=4096
/caps-man access-list
/caps-man manager
set ca-certificate=CAPsMAN-CA-744D28BE82B5 certificate=CAPsMAN-744D28BE82B5 \
    enabled=yes require-peer-certificate=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridgeLAN
/caps-man provisioning
add action=create-dynamic-enabled comment=RB4011 hw-supported-modes=ac \
    master-configuration=5G-CH36 name-format=prefix-identity name-prefix=5G \
    radio-mac=74:4D:28:BE:82:C0 slave-configurations=5G-Guest
add action=create-dynamic-enabled comment=RB4011 hw-supported-modes=gn \
    master-configuration=2G-CH1 name-format=prefix-identity name-prefix=2G \
    radio-mac=B8:69:F4:E9:2D:60
add comment=AC-Lite hw-supported-modes=gn master-configuration=2G-Auto \
    name-format=prefix-identity name-prefix=2G radio-mac=08:55:31:C1:9C:73
add action=create-dynamic-enabled comment=CAP1 hw-supported-modes=ac \
    master-configuration=5G-Auto name-format=prefix-identity name-prefix=5G \
    radio-mac=DC:2C:6E:E0:48:62 slave-configurations=5G-Guest
add action=create-dynamic-enabled comment=CAP2 hw-supported-modes=ac \
    master-configuration=5G-Auto name-format=prefix-identity name-prefix=5G \
    radio-mac=DC:2C:6E:E0:3E:C4 slave-configurations=5G-Guest
add action=create-dynamic-enabled comment=CAP1 hw-supported-modes=gn \
    master-configuration=2G-CH6 name-format=prefix-identity name-prefix=2G \
    radio-mac=DC:2C:6E:E0:48:61
add action=create-dynamic-enabled comment=CAP2 hw-supported-modes=gn \
    master-configuration=2G-CH11 name-format=prefix-identity name-prefix=2G \
    radio-mac=DC:2C:6E:E0:3E:C3
add comment=AC3 hw-supported-modes=gn master-configuration=2G-Auto \
    name-format=prefix-identity name-prefix=2G radio-mac=08:55:31:D4:6E:B4
add action=create-dynamic-enabled comment=AC3 hw-supported-modes=ac \
    master-configuration=5G-Auto name-format=prefix-identity name-prefix=5G \
    radio-mac=08:55:31:D4:6E:B5
add action=create-dynamic-enabled comment=AC-Lite hw-supported-modes=ac \
    master-configuration=5G-Auto name-format=prefix-identity name-prefix=5G \
    radio-mac=08:55:31:C1:9C:72
/interface bridge port
add bridge=bridgeLAN ingress-filtering=no interface=ether6
add bridge=bridgeLAN ingress-filtering=no interface=ether7
add bridge=bridgeLAN ingress-filtering=no interface=ether8
add bridge=bridgeLAN ingress-filtering=no interface=ether9
add bridge=bridgeLAN ingress-filtering=no interface=ether10
add bridge=bridgeLAN ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridgeLAN ingress-filtering=no interface=wlan-5G
add bridge=bridgeLAN ingress-filtering=no interface=wlan-2G
add bridge=bridgeWAN frame-types=admit-only-vlan-tagged interface=ether1 \
    pvid=300
add bridge=bridgeLAN ingress-filtering=no interface=ether2
add bridge=bridgeLAN ingress-filtering=no interface=lacp-zolder
add bridge=bridgeLAN ingress-filtering=no interface=ether3
/interface bridge settings
set allow-fast-path=no use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridgeWAN tagged=ether1 vlan-ids=300
add bridge=bridgeIoT tagged=*25 vlan-ids=117
add bridge=bridgeGuests tagged=*28 untagged=bridgeGuests vlan-ids=115
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn enabled=yes \
    keepalive-timeout=disabled use-ipsec=yes
/interface list member
add interface=bridgeWAN list=WAN
add interface=bridgeIoT list=LAN-Filtered
add interface=bridgeGuests list=LAN-Filtered
add interface=bridgeLAN list=LAN-Secure
add interface=*3D list=LAN-Secure
/interface ovpn-server server
set auth=sha1 certificate=*4 cipher=aes128,aes192,aes256 default-profile=\
    openvpn_vpn require-client-certificate=yes
/interface sstp-server server
set authentication=mschap2 certificate=example.nl.pem_0 default-profile=\
    sstp_vpn enabled=yes tls-version=only-1.2
/interface wireguard peers
add comment=ABC-PC interface=*3D public-key=\
    "example.com"
add allowed-address=192.168.119.20/32 comment="Phone - All" interface=*3D \
    public-key="example.com"
add allowed-address=192.168.119.21/32 comment="Phone - PrivateNetOnly" \
    interface=*3D public-key="example.com"
/interface wireless access-list
add comment="P1meter " interface=wlan-2G mac-address=B8:27:EB:26:30:41
add comment=mobile-sony-xpremium interface=wlan-5G mac-address=\
    84:C7:EA:90:D9:B8
add comment=mobile-sony-xcompact interface=wlan-5G mac-address=\
    9C:5C:F9:E6:4E:27
add comment="Chromecast " interface=wlan-5G mac-address=88:3D:24:04:90:0A
add allow-signal-out-of-range=30s comment=Wifi-NanoStick interface=wlan-2G \
    mac-address=74:DA:38:0E:3F:87 time=0s-1d,sun,mon,tue,wed,thu,fri,sat \
    vlan-mode=no-tag
add comment="Samsung TV" interface=wlan-5G mac-address=84:A4:66:89:21:10
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 certificate=CAP-744D28BE82B5 enabled=yes \
    interfaces=wlan-2G,wlan-5G lock-to-caps-man=yes
/interface wireless snooper
set channel-time=2s
/ip address
add address=192.168.160.1/24 interface=bridgeLAN network=192.168.160.0
add address=192.168.117.1/24 interface=bridgeIoT network=192.168.117.0
add address=192.168.115.1/24 interface=bridgeGuests network=192.168.115.0
add address=192.168.180.1/24 interface=bridgeLAN network=192.168.180.0
add address=192.168.119.1/24 interface=*3D network=192.168.119.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add default-route-distance=5 interface=bridgeWAN use-peer-ntp=no
/ip dhcp-server lease
/ip dhcp-server matcher
add address-pool=lan-dhcp code=43 name="Raspberry Pi Boot" value=43
/ip dhcp-server network
add address=192.168.115.0/24 dns-server=192.168.160.17 domain=\
    guest.example.nl gateway=192.168.115.1 netmask=24 ntp-server=\
    192.168.115.1
add address=192.168.117.0/24 dns-server=192.168.160.17 domain=\
    iot.example.nl gateway=192.168.117.1 netmask=24 ntp-server=\
    192.168.117.1
add address=192.168.119.0/24 dns-server=192.168.160.17,192.168.119.1 domain=\
    manage.example.nl gateway=192.168.119.1 netmask=24 ntp-server=\
    192.168.119.1
add address=192.168.160.0/24 dhcp-option-set=DefaultOptions dns-server=\
    192.168.160.17 domain=int.example.nl gateway=192.168.160.1 netmask=24 \
    ntp-server=192.168.160.1
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=200
/ip firewall address-list
add address=192.168.160.17 list=PiHole
add address=192.168.160.0/24 list=LAN
add address=192.168.160.17 list=DNS-Servers
add address=192.168.160.1 list=Router
add address=192.168.160.1 list=DNS-Servers
add address=dns.google list="DoH Servers"
add address=cloudflare-dns.com list="DoH Servers"
add address=dns9.quad9.net list="DoH Servers"
add address=dns10.quad9.net list="DoH Servers"
add address=doh.cleanbrowsing.org list="DoH Servers"
add address=dns.dnsoverhttps.net list="DoH Servers"
add address=doh.crypto.sx list="DoH Servers"
add address=doh.powerdns.org list="DoH Servers"
add address=doh-jp.blahdns.com list="DoH Servers"
add address=dns.dns-over-https.com list="DoH Servers"
add address=doh.securedns.eu list="DoH Servers"
add address=dns.rubyfish.cn list="DoH Servers"
add address=doh.dnswarden.com list="DoH Servers"
add address=doh.captnemo.in list="DoH Servers"
add address=doh.tiar.app list="DoH Servers"
/ip firewall filter
add action=reject chain=forward comment="Drop not-allowed DNS" disabled=yes \
    dst-port=53 log-prefix="dropped DNS udp-53" packet-mark=!allowed-dns \
    protocol=udp reject-with=icmp-admin-prohibited
add action=reject chain=forward comment="Drop not-allowed DNS" disabled=yes \
    dst-port=53 log-prefix="dropped DNS tcp-53" packet-mark=!allowed-dns \
    protocol=tcp reject-with=icmp-admin-prohibited
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="accept IPsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="accept IPsec 1701, 500, 4500" port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment="accept SSTP 443" dst-port=443 \
    protocol=tcp
add action=accept chain=input comment="accept WireGuard 13231" dst-port=13231 \
    log=yes log-prefix=wireQ protocol=udp
add action=accept chain=input comment="accept DNS from vpn" dst-address-list=\
    DNS-Servers in-interface=all-ppp packet-mark=allowed-dns
add action=accept chain=input comment="accept DNS LanFiltered" \
    dst-address-list=PiHole dst-port=53 in-interface-list=LAN-Filtered \
    protocol=udp
add action=accept chain=input comment="accept CAPsMAN localhost" dst-port=\
    5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="accept CAPsMAN lan" dst-port=5246,5247 \
    in-interface=bridgeLAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=drop-invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=drop-notLan
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked in-interface-list=LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="accept DNS from Guests" dst-address=\
    192.168.160.17 in-interface-list=LAN-Filtered out-interface-list=\
    LAN-Secure packet-mark=allowed-dns
add action=drop chain=forward comment="drop all DoH" dst-address-list=\
    "DoH Servers" log=yes log-prefix="DoH Drop" port=443 protocol=tcp \
    src-address-list=!PiHole
add action=reject chain=forward comment=\
    "drop all from insecure lan to secure LAN" in-interface-list=LAN-Filtered \
    out-interface-list=LAN-Secure reject-with=icmp-admin-prohibited
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark as DNS-packet" \
    dst-port=53 in-interface-list=LAN new-packet-mark=dns-packet passthrough=\
    yes protocol=udp
add action=mark-packet chain=prerouting comment="Mark as DNS-packet" \
    dst-port=53 in-interface-list=LAN new-packet-mark=dns-packet passthrough=\
    yes protocol=tcp
add action=mark-packet chain=prerouting comment="Mark as DNS-packet" \
    dst-port=53 in-interface=all-ppp new-packet-mark=dns-packet passthrough=\
    yes protocol=udp
add action=passthrough chain=prerouting comment=\
    "dummy for DNS-packets towards router" dst-address-list=Router \
    log-prefix="DNS-Packet towards router" packet-mark=dns-packet
add action=mark-packet chain=prerouting comment=\
    "Mark Filtered-DNS-Clients-->!PiHole as intercept-dns" dst-address-list=\
    !PiHole log-prefix="DNS-Packet intercept-dns" new-packet-mark=\
    intercept-dns packet-mark=dns-packet passthrough=yes src-address-list=\
    Filtered-DNS-Clients
add action=mark-packet chain=prerouting comment=\
    "Mark DNS->DNS-Servers as allowed-dns" dst-address-list=Router \
    log-prefix="DNS-Packet allowed-dns" new-packet-mark=allowed-dns \
    packet-mark=dns-packet passthrough=yes src-address-list=DNS-Servers
add action=mark-packet chain=prerouting comment=\
    "Mark DNS->!DNS-Servers as intercept-dns" dst-address-list=!DNS-Servers \
    log-prefix="DNS-Packet intercept-dns" new-packet-mark=intercept-dns \
    packet-mark=dns-packet passthrough=yes src-address-list=\
    !Unfiltered-DNS-Clients
add action=mark-packet chain=prerouting comment=\
    "Mark DNS->!DNS-Servers as intercept-dns" dst-address-list=!DNS-Servers \
    log-prefix="DNS-Packet intercept-dns" new-packet-mark=intercept-dns \
    packet-mark=dns-packet passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Mark DNS->DNS-Servers as allowed-dns" dst-address-list=DNS-Servers \
    log-prefix="DNS-Packet allowed-dns" new-packet-mark=allowed-dns \
    packet-mark=dns-packet passthrough=yes
add action=change-mss chain=forward comment="change MMS (PMTU)" new-mss=\
    clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log=yes log-prefix="NAT MASQ" out-interface-list=\
    WAN
add action=dst-nat chain=dstnat comment="Win7 RDP" disabled=yes dst-port=\
    3389 protocol=tcp to-addresses=192.168.160.33 to-ports=3389
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 protocol=tcp \
    src-port="" to-addresses=192.168.160.34 to-ports=32400
add action=dst-nat chain=dstnat comment="Intercept DNS" disabled=yes \
    log-prefix=dst-nat-to-pihole packet-mark=intercept-dns to-addresses=\
    192.168.160.17
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=*1
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
add address=fd00::1 interface=bridgeLAN
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
    hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
    icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
    2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
    3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
    4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
    icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
    icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
    icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
    icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
    icmpv6
/ipv6 nd
add advertise-mac-address=no interface=bridgeLAN \
    managed-address-configuration=yes other-configuration=yes
/ipv6 nd prefix
add autonomous=no interface=bridgeLAN
/ppp secret
add name=LaptopWerk profile=sstp_vpn service=sstp
add name=SonyMobiel profile=ipsec_vpn service=l2tp
add name=LaptopMSI profile=sstp_vpn service=sstp
add name=ABC-PC profile=sstp_vpn service=sstp
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Router
/system leds
add interface=wlan-2G leds="wlan-2G_signal1-led,wlan-2G_signal2-led,wlan-2G_si\
    gnal3-led,wlan-2G_signal4-led,wlan-2G_signal5-led" type=\
    wireless-signal-strength
add interface=wlan-2G leds=wlan-2G_tx-led type=interface-transmit
add interface=wlan-2G leds=wlan-2G_rx-led type=interface-receive
/system logging
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=warning
/system ntp client
set enabled=yes
/system ntp client servers
add address=93.94.224.67
add address=185.172.91.110
add address=95.179.131.82
add address=174.138.107.7
add address=94.198.159.11
add address=154.51.12.220
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
add interval=1h name=dhcp-client on-event="/system script run dhcp-client" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/22/2019 start-time=13:00:00
add interval=1d name=ntp-update on-event=\
    "/system script run ntp-client-update" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/22/2019 start-time=03:15:00
/system script
add dont-require-permissions=no name=dhcp-client owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Modified to add comments instead of hostnames.    \
    \n:local zone \"int.example.nl\";\
    \n:local ttl \"00:05:00\"\
    \n:local hostname\
    \n:local comment\
    \n:local ip\
    \n:local dnsip\
    \n:local dhcpip\
    \n:local dnsnode\
    \n:local dhcpnode\
    \n\
    \n/ip dns static;\
    \n:foreach i in=[find where name ~ (\".*\\\\.\".\$zone) ] do={\
    \n  :set hostname [ get \$i name ];\
    \n  :set comment [get \$i comment ];\
    \n  :local foundttl [get \$i ttl ];\
    \n  :set hostname [ :pick \$hostname 0 ( [ :len \$hostname ] - ( [ :len \$\
    zone ] + 1 ) ) ];\
    \n\
    \n  /ip dhcp-server lease;\
    \n  :set dhcpnode [ find where comment=\$hostname ];\
    \n  :if ( [ :len \$dhcpnode ] > 0) do={\
    \n    :log debug (\"Lease for \".\$hostname.\" still exists. Not deleting.\
    \");\
    \n  } else={\
    \n    # there's no lease by that name. Maybe this mac has a static name.\
    \n    :local found false\
    \n    /system script environment\
    \n\
    \n    :foreach n in=[ find where name ~ \"shost[0-9A-F]+\" ] do={\
    \n       :if ( [ get \$n value ] = \$hostname ) do={\
    \n         :set found true;\
    \n       }\
    \n    }\
    \n\
    \n    :log debug (\"Checking for static\")\
    \n    :if ( comment=\"static\" ) do={\
    \n        :log debug (\"Found static, setting found to true\");\
    \n        :set found true;\
    \n    }\
    \n    :if ( foundttl != ttl ) do={\
    \n        :log debug (\"Hostname \".\$hostname.\" has different ttl, assum\
    e manual entry\");\
    \n        :set found true;\
    \n    }\
    \n    :if ( found ) do={\
    \n      :log debug (\"Hostname \".\$hostname.\" is static\");\
    \n    } else={\
    \n      :log info (\"Lease expired for \".\$hostname.\", deleting DNS entr\
    y.\");\
    \n      /ip dns static remove \$i;\
    \n    }\
    \n  }\
    \n}    \
    \n\
    \n/ip dhcp-server lease;\
    \n:foreach i in=[find] do={\
    \n  :set hostname \"\"\
    \n  :local mac\
    \n  :set dhcpip [ get \$i address ];\
    \n  :set mac [ get \$i mac-address ];\
    \n  :while (\$mac ~ \":\") do={\
    \n    :local pos [ :find \$mac \":\" ];\
    \n    :set mac ( [ :pick \$mac 0 \$pos ] . [ :pick \$mac (\$pos + 1) 999 ]\
    );\
    \n  };\
    \n  :foreach n in=[ /system script environment find where name=(\"shost\" \
    \_. \$mac) ] do={\
    \n    :set hostname [ /system script environment get \$n value ];\
    \n  }\
    \n  :if ( [ :len \$hostname ] = 0) do={\
    \n    :set hostname [ get \$i comment ];\
    \n  }\
    \n  :if ( [ :len \$hostname ] > 0) do={\
    \n    :set hostname ( \$hostname . \".\" . \$zone );\
    \n\
    \n    /ip dns static;\
    \n    :set dnsnode [ find where name=\$hostname ];\
    \n    :if ( [ :len \$dnsnode ] > 0 ) do={\
    \n      # it exists. Is its IP the same\?\
    \n      :set dnsip [ get \$dnsnode address ];\
    \n      :if ( \$dnsip = \$dhcpip ) do={\
    \n        :log debug (\"DNS entry for \" . \$hostname . \" does not need u\
    pdating.\");\
    \n      } else={\
    \n        :log info (\"Replacing DNS entry for \" . \$hostname);\
    \n        /ip dns static remove \$dnsnode;\
    \n        /ip dns static add name=\$hostname address=\$dhcpip ttl=\$ttl;\
    \n      }\
    \n    } else={\
    \n      # it doesn't exist. Add it\
    \n      :log info (\"Adding new DNS entry for \" . \$hostname);\
    \n      /ip dns static add name=\$hostname address=\$dhcpip ttl=\$ttl;\
    \n    }\
    \n  }\
    \n }"
add dont-require-permissions=no name=ntp-client-update owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system ntp client set primary-ntp=[:resolve 0.nl.pool.ntp.org]\r\
    \n/system ntp client set secondary-ntp=[:resolve 1.nl.pool.ntp.org]"
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=LAN-Secure
/tool mac-server mac-winbox
set allowed-interface-list=LAN-Secure
/tool sniffer
set filter-interface=bridgeLAN filter-stream=yes streaming-enabled=yes \
    streaming-server=192.168.160.50
Last edited by Selbie on Sat Dec 17, 2022 12:11 am, edited 2 times in total.
 
mkx
Forum Guru
Forum Guru
Posts: 8970
Joined: Thu Mar 03, 2016 10:23 pm

Re: Internet issues (InvalidPackets) after upgrading ROSv6>v7

Sat Nov 12, 2022 2:15 pm

Since your ISP is using routed upstream, it's very likely that upstream router (at least one of them) uses the weird MAC address.
 
Selbie
just joined
Topic Author
Posts: 11
Joined: Mon Feb 10, 2020 8:13 pm

Re: Internet issues (InvalidPackets) after upgrading ROSv6>v7

Tue Nov 15, 2022 11:52 pm

Since your ISP is using routed upstream, it's very likely that upstream router (at least one of them) uses the weird MAC address.
Thank you for the reply, I will try to create an pcap to investigate.

However, if this is the case how is it that ROS 6.48 isn't having this issue with the same configuration?
 
mkx
Forum Guru
Forum Guru
Posts: 8970
Joined: Thu Mar 03, 2016 10:23 pm

Re: Internet issues (InvalidPackets) after upgrading ROSv6>v7  [SOLVED]

Wed Nov 16, 2022 12:01 am

Just noticed a weird setting you have: why setting l2mtu to 1500 on ether1? This means setting it lower than most gear expects it (with vlan overhead it should be at least 1504 not to cause any issues).
 
Selbie
just joined
Topic Author
Posts: 11
Joined: Mon Feb 10, 2020 8:13 pm

Re: Internet issues (InvalidPackets) after upgrading ROSv6>v7

Tue Nov 22, 2022 9:38 pm

Just noticed a weird setting you have: why setting l2mtu to 1500 on ether1? This means setting it lower than most gear expects it (with vlan overhead it should be at least 1504 not to cause any issues).
Thank you for pointing this out, your right this is a slight misconfiguration, and I did alter it.
The Mac: 00:0e:00:00:00:01 is indeed from the ISP network (it's the default gateway; as provided by DHCP), the following packages have been captured on my ether1 (using ROS v6).
__DiagWireShark.png
Another thing i noticed; I see packages received using VLAN 300 (as expected), but packages send from the router appear to not have been tagged, Wireshark gives a 'bad checksum' error, but this might be related with the used TZSP capture.
__DiagWireSharkIN.png
__DiagWireSharkOUT.png
Is there is misconfiguration inside the bridge and/or routing that is not correctly tagging outbound as VLAN-300?

Thank you in advance,
Selbie



Is there

I see incomming package
You do not have the required permissions to view the files attached to this post.
 
mkx
Forum Guru
Forum Guru
Posts: 8970
Joined: Thu Mar 03, 2016 10:23 pm

Re: Internet issues (InvalidPackets) after upgrading ROSv6>v7

Tue Nov 22, 2022 10:09 pm

WAN configuration is a bit awkward (why do you use bridgeWAN with only single port member? why set PVID if it's supposed to be tagged for that VLAN?) but shouldn't cause any big problems, perhaps slight performance drop.

I guess that kack of VLAN tag for egress packets is a bug in packet capture ... and that would explain error about bad checksum as well. If both problems were real, then most likely your WAN link wouldn't work.
 
Selbie
just joined
Topic Author
Posts: 11
Joined: Mon Feb 10, 2020 8:13 pm

Re: Internet issues (InvalidPackets) after upgrading ROSv6>v7

Fri Dec 16, 2022 4:44 pm

Update:

I have been running ROS 7.6 for some time now, and the MTU change from 1500>1504 is likely to have caused this issue.
@mkx thank you for your help

WAN configuration is a bit awkward (why do you use bridgeWAN with only single port member? why set PVID if it's supposed to be tagged for that VLAN?) but shouldn't cause any big problems, perhaps slight performance drop.
The documentation/wiki was caused confusion; and this 'worked'. Vlan configuration inside MK can be done on interface/switch/bridge level depending on which device you got. I couldn't completely understand which I should use for an RB4011

I guess that kack of VLAN tag for egress packets is a bug in packet capture ... and that would explain error about bad checksum as well. If both problems were real, then most likely your WAN link wouldn't work.
Changing any value on the bridge causes the WAN to fail. so your right probably a bug in the capture

Who is online

Users browsing this forum: Ahrefs [Bot], dxun and 21 guests