Mikrotik
Nikolai, 2019-04-23 14:42:09

Mikrotik, ping works, but any request to a specific port results in No route to host. Why?

A little over a month ago, I purchased a MikroTik hAP ac2 router, configured it using Quick Set, and then configured only the DNS server and a couple of static addresses in DHCP. All this time it worked flawlessly.
But a couple of days ago, for some reason, clients began getting "No route to host" for public addresses, although ping to the host works and telnet to the port from the router itself is successful (the "No route to host" error appears only on clients). That is, from clients:

$ ping github.com
PING github.com (140.82.118.3) 56(84) bytes of data.
64 bytes from lb-140-82-118-3-ams.github.com (140.82.118.3): icmp_seq=1 ttl=56 time=51.8 ms

$ telnet github.com 22
Trying 140.82.118.3...
Trying 140.82.118.4...
telnet: Unable to connect to remote host: No route to host

Everything is OK from the router terminal. What could be the problem?
Also, after a reboot the problem disappears for a few hours or so.
Here is the config:
export compact
# apr/23/2019 15:37:56 by RouterOS 6.44.2
# software id = L82U-UTWW
#
# model = RBD52G-5HacD2HnD
# serial number = B4A00AF34868
#
# Compact export of a home router: one bridge over ether2-5 and both radios,
# a PPPoE uplink on ether1, and the default (defconf) firewall with masquerade
# towards WAN. "export compact" prints only values that differ from defaults,
# so sections absent here (for example /ip service) are presumably unchanged.
# NOTE(review): this header and the DHCP lease table carry device identifiers
# (serial number, software id, MAC addresses); the secrets below appear only
# as <...> placeholders.
#
# LAN bridge with a fixed admin MAC. arp=proxy-arp makes the router answer ARP
# requests on behalf of other hosts.
# NOTE(review): a single flat LAN does not normally need proxy-arp - confirm
# why it is set here (and on wlan2) before keeping it.
/interface bridge
add admin-mac=74:4D:28:1E:30:C0 arp=proxy-arp auto-mac=no comment=defconf name=bridge
# Non-default speed setting on ether3-5.
/interface ethernet
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
# PPPoE uplink over ether1; add-default-route=yes asks for a default route via
# pppoe-out1. Credentials are shown as placeholders.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=<pass> user=<user>
# Two access points in ap-bridge mode: wlan1 on 2.4 GHz (fixed frequency 2447),
# wlan2 on 5 GHz (frequency=auto, arp=proxy-arp, fixed tx-power).
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC disabled=no distance=indoors frequency=2447 mode=ap-bridge ssid=<SSID> wireless-protocol=802.11
set [ find default-name=wlan2 ] arp=proxy-arp band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=<SSID> tx-power=22 tx-power-mode=\
    all-rates-fixed wireless-protocol=802.11
# Interface lists referenced by the firewall, discovery and MAC-server rules.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default wireless profile: only wpa2-psk is enabled as an authentication type;
# a WPA key is also stored but WPA is not listed in authentication-types.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key="<password>" wpa2-pre-shared-key="<password>"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# DHCP pool and server for the LAN, bound to the bridge. add-arp=yes makes the
# DHCP server add an ARP entry for each lease it hands out.
/ip pool
add name=dhcp ranges=192.168.88.5-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge lease-time=50m name=defconf
# Every LAN port and both radios are ports of the single bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# Neighbour discovery is limited to the LAN list, so it is not announced on the
# WAN-side interfaces.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# bridge is LAN; both ether1 and the PPPoE interface are WAN, so the WAN rules
# below apply to traffic arriving over pppoe-out1 as well.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# NOTE(review): the LAN address is bound to ether2, which is a port of "bridge"
# (see /interface bridge port), while the DHCP server and the LAN list use the
# bridge itself. An address on a bridge port rather than on the bridge is a
# known source of erratic behaviour - confirm and consider interface=bridge.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
# NOTE(review): a DHCP client is configured on ether1 alongside the PPPoE
# client on the same port - confirm it is still wanted.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
# Static leases for four LAN hosts.
/ip dhcp-server lease
add address=192.168.88.6 client-id=1:d0:50:99:6:39:68 mac-address=D0:50:99:06:39:68 server=defconf
add address=192.168.88.7 mac-address=D4:3B:04:7B:46:89 server=defconf
add address=192.168.88.9 client-id=1:ac:ed:5c:cc:c4:50 mac-address=AC:ED:5C:CC:C4:50 server=defconf
add address=192.168.88.8 mac-address=BC:A8:A6:84:78:2B server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# allow-remote-requests=yes turns the router into a DNS resolver for anyone who
# can reach it. Here only the "drop all not coming from LAN" input rule keeps
# that resolver closed to the WAN side; removing or reordering that rule would
# expose it.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
# Input chain (traffic to the router itself): accept established/related/
# untracked, drop invalid, accept ICMP from anywhere, drop everything that does
# not arrive from the LAN list.
# Forward chain (traffic through the router): accept IPsec policy matches,
# fasttrack and accept established/related, drop invalid, and drop new
# connections from WAN unless they were dst-NATed.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT for everything leaving through a WAN-list interface.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): allow-none-crypto=yes lets an SSH session be negotiated with
# the "none" cipher, i.e. without encryption, so credentials and commands could
# cross the network in clear text. Unless something depends on it, set
# allow-none-crypto=no.
/ip ssh
set allow-none-crypto=yes
# NOTE(review): UPnP is enabled with both WAN-side interfaces as external. Any
# LAN host can then request inbound port mappings without authentication, and
# the forward chain above lets dst-NATed connections from WAN through. Disable
# UPnP if no LAN application needs it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=Europe/Saratov
/system identity
set name=kolyan
# MAC-layer management (MAC server and MAC WinBox) is restricted to the LAN
# list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


1 answer(s)
Platinum Thinker, 2019-04-23
@PlatinumThinker

Try disabling DDNS, and also flush the cache of the caching DNS server. The problem is obviously in the DNS, maybe even on the provider's side. As a test, try setting Google DNS 8.8.8.8 on the system you are working on.
