Hello,
this is my first MikroTik device ever. Bought it for using it at a different house 200km away. Did a setup at my home with lte and ether1 as possible WAN for using it later as a mobile device.
lte1 and ether1 are WAN, ether2-ether4 are bridged LAN. The configuration was solid while setting it up for 2 days at my home. Tried implementing WireGuard, but removed all settings (except peer config). Also used the script for restarting the lte connection when the SIM is locked after reboot.
But right now I have a problem I can't find a solution for after I took the device to the other location: after every 10-20 seconds the connection / packets are lost and traffic (ping or any other) isn't going to the bridge for 10+ seconds. After that ether2/bridge is accessible and the network behind the hAP is reachable for the next 10-20 seconds.
lte <> hAP <> (via ether2) unifi switch <> AP
                                        <> Cloudkey
                                        <> RPi
Unifi AP and Cloud Key and RPi (for remote access / configuration)
RPi can ping the unifi switch/Cloudkey without problems, but the problem is communication to the hAP - access to the internet is gone too while packets are lost.
This is my current config (after disabling ether1 and other settings trying to find out/test what may be the cause in every 20 seconds frame - like hw offloading or other possible problems), tried different OS versions (7.13 to current testing 7.14beta) - base setup was default config:
Code:
# 2024-02-05 06:56:17 by RouterOS 7.14beta9
# software id = XXXXXX
#
# model = L41G-2axD&FG621-EA
# serial number = XXXXXXX
/interface bridge
add admin-mac=78:9A:18:76:CD:A9 auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=wan1
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Germany .mode=ap .ssid=\
    "SSID" security.authentication-types=wpa2-psk,wpa3-psk \
    .connect-priority=0 .ft=yes .ft-over-ds=yes
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" sms-read=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telekom default-route-distance=4 name=\
    telekom use-network-apn=no
/ip pool
add name=dhcp ranges=10.42.242.50-10.42.242.150
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=14w0d0h name=defconf
/ip smb users
set [ find default=yes ] read-only=yes
/port
set 0 name=serial0
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether2 queue=fq-codel-ethernet-default
set ether3 queue=fq-codel-ethernet-default
set ether4 queue=fq-codel-ethernet-default
set wan1 queue=fq-codel-ethernet-default
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set ciphers=aes256-sha
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xyz.dyndns.org \
    endpoint-port=51820 interface=*D public-key=\
    "ZQAI9AdN1kIBVEpzdM9/S1MeparB2/wVfdbO3Ll37SQ="
/ip address
add address=10.42.242.1/24 comment=defconf interface=bridge network=\
    10.42.242.0
/ip dhcp-client
add interface=wan1
/ip dhcp-server network
add address=10.42.242.0/24 comment=defconf dns-server=\
    10.42.242.1,8.8.8.8,1.1.1.1 gateway=10.42.242.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.42.242.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=BergTik
/system note
set show-at-login=no
/system package update
set channel=testing
/system scheduler
add interval=10s name=refresh_locked_SIM on-event=":local lteInterfaces [/inte\
    rface print as-value where type=lte and disabled=no]\r\
    \n:foreach lte in=\$lteInterfaces do={\r\
    \n :if ([/interface/lte/monitor (\$lte->\"name\") as-value once]->\"statu\
    s\"=\"sim locked\") do={\r\
    \n /interface lte set (\$lte->\"name\") disabled=yes\r\
    \n :delay 3s\r\
    \n /interface lte set (\$lte->\"name\") disabled=no\r\
    \n }\r\
    \n }\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=lte_restart_check owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system scheduler remove [find name=refresh_locked_SIM]\
    \n/system scheduler add name=refresh_locked_SIM start-time=startup interva\
    l=10s on-event=\"\\\
    \n :local lteInterfaces [/interface print as-value where type=lte and d\
    isabled=no]\\r\\\
    \n \\n:foreach lte in=\\\$lteInterfaces do={\\r\\\
    \n \\n :if ([/interface/lte/monitor (\\\$lte->\\\"name\\\") as-value o\
    nce]->\\\"status\\\"=\\\"sim locked\\\") do={\\r\\\
    \n \\n /interface lte set (\\\$lte->\\\"name\\\") disabled=yes\\r\\\
    \n \\n :delay 3s\\r\\\
    \n \\n /interface lte set (\\\$lte->\\\"name\\\") disabled=no\\r\\\
    \n \\n }\\r\\\
    \n \\n }\\r\\\
    \n \\n\""
/system watchdog
set watch-address=8.8.8.8 watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks.
Statistics: Posted by f1f0 — Mon Feb 05, 2024 9:55 am