Konfigurace pro MikroTik nefunguje po aktualizaci

[imc]

Zdar,
nevie niekto poradit, co sa zmenilo pri firmware?
Konfiguracia funkcna pri ver.7.8 nefunguje na 7.11.2, model = RB750Gr3.

Zda sa, ze je problem s DNS...

Kód: [Vybrat]

/ip dns
set allow-remote-requests=yes servers=1.1.1.1, 8.8.8.8
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
dik za pripadne rady...

imc

[Reklama]

[robac]

Mne DNS v 7.11.2 funguje (netinstall z 6.x). Nevim, co vic na takto formulovany dotaz napsat.

[Vantomas]

/ip dns
set allow-remote-requests=yes servers=1.1.1.1, 8.8.8.8

Za čárkou nesmí být mezera. A pokud to tím není, tak by bylo dobrý poslat co to vypíše za chyby.

[5nik]

Především prosíme o úplnou konfiguraci, tato není úplná. A pokud ano, chybí tam spousta věcí.

[imc]

Tu je cela konfiguracia. Na zaciatku to precita jednu stanku na webe. Pri druhej stranke to nevie preniest data - nerozozna DNS. Pri vytvoreni VPN z klientov sa vsetko rozbehne. Downgrade softu a ide vsetko bez zasahu do konfiguracie.

dik

# sep/29/2023 12:41:50 by RouterOS 7.8
#
# model = RB750Gr3

/interface bridge
add admin-mac=******** auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=disabled name=pppoe-out1 use-peer-dns=yes user=******
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.10.101-192.168.10.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
add disabled=yes interface=ether1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=192.168.10.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bratislava
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

[Reklama]

[robac]

V prve rade by se hlavne hodilo, kdyby tazatel popsal v cem spociva problem.

Ja nevlastnim vesteckou kouli, takze netusim, co si mam predstavit pod vetou "Zda sa, ze je problem s DNS...".

• Zda se?
• Je problem na Mikrotiku? Porad, obcas? Jaka je konfigurace Mikrotiku? Upgrade na ROS 7 pres netinstall? Jsou nastavene DNS servery dostupne? Co vraci :resolve? Co je v logu (/system logging add action=memory target=dns)? Jake je vytizeni Mikrotiku? Co jste odchytil v /tool sniffer pri DNS dotazu?
• Problem je v klientech? Porad, obcas? Na vsech klientech nebo jen nejakych? Jak maji nastaveni DNS? Jaka je konfigurace Mikrotiku? Upgrade na ROS 7 pres netinstall? Co vraci napr. nslookup? Co je v packet capture (Mikrotik, client)?

[Martin-2]

Tady těžko radit když není zřejmé co nejde ale zkuste ještě upgradovat firmware v System > routerboard > routerboard
Předpokládám že jste dělal pouze System > Packages

Pokud to pořád nepůjde stáhněte a aplikujte 7.12beta, hodně věcí opravuje

[imc]

Zatial dakujem. Mal som pocit, ze chodim v kruhu... Upgrade cez routerboard rovnako nechodi.

Vyskusam mikrotik sniffer.
Nemam moznost to vyskusat ihned, je to ina lokalita. Ked budem mat viac info, napisem podrobnosti.

[jjrsk]

Hele to ze mikrotik po aktualizaci nechodi, je spis jejich firemni standard nez vyjimka, sam sem to zazil nekolikrat, nejjednodusi lecba je vratit zpet puvodni verzi.

V tom co tu pises je zminka na tema

"Pri vytvoreni VPN z klientov sa vsetko rozbehne"

Coz je naprosto typicka vec, mikrotik proste VPNky neumi, a s kazdou verzi je neumi nejak jinak. (ve skutecnosti toho neumi mnohem vic, a na spoustu veci je treba vyrabet narovnavaky na vohejbaky, ktery samozrejme s kazdou aktualizaci je treba predelat)

Takze prvni co bych udelal je prave shozeni vseho kolem VPN, overeni, ze to funguje jako hloupy router / nat ... ale to se nadalku dela dost blbe.

[Martin-2]

Ještě je možnost že: "use-peer-dns=yes" v pppoe dělá neplechu v nové verzi. Co jsem se díval tak sám mám všude nastaveno na vypnuto.

Doporučuju variantu porovnání a to tak, že verzi 7.11.2 nastavit vše ručně od začátku tak aby to bylo stejné jako konfigurace z 7.8.
Pak vyexportovat a porovnat oba exporty v čem se konfigurace rozchází. Je to zdlouhavější ale budete přesně vědět co to způsobilo.

[imc]

Konfiguracia je od nuly v 7.11.2 - ta co je uvedena. Tam nechodi. Ked spravim downgrade, tak chodi.
Vsetky dalsie nastavenia este nerobim, kym nechodi zaklad... Ako som napisal, asi potrebujem kontrolu dalsich oci. Ale skusam sniffer a tdpdump kazdej verzii firmware a napisem, ake su rozdiely.
Vyskusam, aj  "use-peer-dns=yes" v pppoe.

[ja.]

A dozvieme sa aj niekedy, co konkretne nechodi? Zatial vsetko co vieme, je "Zda sa, ze je problem s DNS...".

Robac sa na nieco pytal a nikdy neprisla odpoved. Potom je tazko radit.

[imc]

Ahoj,
ospravedlnujem sa za neskoru odozvu a nie jednoznacne vyjadrenia.
Najprv k problemu. Z uzivatelskeho hladiska sa to nedarilo replikovat uplne rovnako. DNS neodpovedalo po druhom az piatom dotaze. Mal som pocit, ze sa tocim a neviem najst problem, preto som v strese napisal...
Nam tu pevnu IP od poskytovatela a z nejakeho dovodu som mal pusteneho DHCP klienta /DHCP Client enabled/, co sposobovalo problem - dhcp nedavalo korektny DNS server. Neviem preco v kofiguracii, ktoru som sem dal, to tak nie je.
Nakopli ma rady na sniffer v mikrotiku  atd.

Tak vsetkym, ktori dali otazky, dakujem.