Syed Jahanzaib – سید جہانزیب – Personal Blog to Share Knowledge !

January 15, 2026

PPPoE Connected but yellow icon/net not working at client

Filed under: freeradius, Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 9:11 AM

  • Author: Syed Jahanzaib ~A Humble Human being! nothing else 😊
  • Platform: aacable.wordpress.com
  • Category: Corporate Offices / DHCP-DNS Engineering
  • Audience: Systems Administrators, IT Support, NOC Teams, Network Architects

⚠️ Disclaimer & Note on Writing Style

Every network environment is unique. A solution that works effectively in one infrastructure may require modification in another. Readers are strongly encouraged to understand the underlying concepts and adapt the guidance according to their own architecture, operational policies, and risk tolerance.

Blind copy-paste implementation without proper validation, testing, and change management is never recommended — especially in production environments. Always ensure proper backups and risk assessment before applying any configuration.

The content shared here is based on hands-on experience from real-world deployments, ISP environments, lab testing, and continuous learning. While I strive for technical accuracy, no technical implementation is entirely free from the possibility of error. Constructive discussion and alternative approaches are always welcome.

Due to professional commitments, it is not always feasible to publish highly detailed or multi-part write-ups. The technical logic and implementation details are written based on my own practical experience. AI tools such as ChatGPT are used only to refine grammar, structure, and presentation — not to generate the core technical concepts.

This blog is not intended for client acquisition or follower growth. It exists solely to share practical knowledge and real-world experience with the community.

Thank you for your understanding and continued support.


Multiple queries have been received from cable operators delivering Internet services to end users through PPPoE-based access networks. A yellow exclamation mark or “No Internet” status on Wi-Fi routers and end-user devices is a common sight in PPPoE environments. In the majority of cases this condition does not indicate an outage or service unavailability at the MikroTik access router. It is typically caused by endpoint connectivity-validation failures, DNS resolution or interception problems, MTU/MSS mismatches, or restricted access to the HTTP/HTTPS connectivity-check mechanisms used by modern operating systems. Actual Internet connectivity often remains functional despite the warning (this is seen mostly in corporate offices, where other kinds of Internet configurations are in use).

Below is a clear, ISP-grade explanation, followed by the exact causes and fixes relevant to a MikroTik + RADIUS setup.


What the Yellow Icon Actually Means (Important)

Modern devices do not check “Internet” by pinging 8.8.8.8.

They check:

  • HTTP/HTTPS access to specific test URLs
  • DNS resolution
  • Response content (expects exact replies)

If any one of these checks fails, the device shows:

  • ⚠️ Yellow exclamation
  • “No Internet”
  • “Connected without Internet”

Even if actual browsing works.


TOP ROOT CAUSES IN ISP PPPoE NETWORKS

1) DNS Interception / DNS Failure (MOST COMMON)

If DNS:

  • Is slow
  • Is intercepted
  • Returns NXDOMAIN
  • Drops UDP/53 intermittently

Devices fail Internet validation.

Symptoms

  • Browsing works after retry
  • Apps show offline
  • Yellow icon appears/disappears

Fix (Recommended)

Use reliable public DNS and let DNS traffic pass cleanly.

On MikroTik (BNG):

/ip dns
set servers=8.8.8.8,1.1.1.1 allow-remote-requests=no

With allow-remote-requests=no the router will not answer queries from PPPoE clients itself, so the PPP profile (or the RADIUS reply) must hand users a resolver they can reach directly, such as the same public servers.

Ensure no DNS blocking or redirection exists on your network or at upstream providers.


2) HTTP/HTTPS Blocked or Altered (Captive Portal Effect)

Devices test URLs such as (but not limited to):

OS        Test host
Android   connectivitycheck.gstatic.com
Windows   www.msftconnecttest.com
iOS       captive.apple.com

If:

  • Port 80/443 is redirected
  • Proxy modifies responses
  • Firewall blocks these domains

→ Device thinks Internet is broken

Fix
Do NOT intercept or block:

  • TCP 80
  • TCP 443
  • Especially those test domains
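To make the probe behaviour from this section and from “What the Yellow Icon Actually Means” concrete, here is an added Python emulation (not code from the post). It runs the three OS probes against a pluggable fetch function and classifies the reply the way the device does. The hosts are the ones listed above; the exact probe paths and the replies each OS insists on are taken from the vendors' publicly documented checks, not from the post, and the four network conditions at the bottom are constructed samples (a healthy link, a captive-portal redirect, a transparent proxy that rewrites the body, and a failing resolver).

```python
"""Emulate the HTTP connectivity probes that Android, Windows and iOS run,
and classify the reply the way the OS does. Added example; the probe paths
and expected replies are the vendors' documented ones, and the sample
network conditions below are constructed, not captured."""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Response:
    status: int
    body: str
    location: Optional[str] = None   # Location header on 30x replies


# What each OS requests and what it insists on getting back.
# Anything else is reported as "No Internet" / "Sign in to network".
PROBES = {
    "android": {
        "url": "http://connectivitycheck.gstatic.com/generate_204",
        "status": 204,
        "body": "",
    },
    "windows": {
        "url": "http://www.msftconnecttest.com/connecttest.txt",
        "status": 200,
        "body": "Microsoft Connect Test",
    },
    "ios": {
        "url": "http://captive.apple.com/hotspot-detect.html",
        "status": 200,
        "body": "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>",
    },
}

Fetcher = Callable[[str], Response]   # raises OSError on DNS / connect failure


def classify(os_name: str, fetch: Fetcher) -> str:
    """Return 'online', 'captive-portal', 'altered-response' or 'unreachable'."""
    probe = PROBES[os_name]
    try:
        resp = fetch(probe["url"])
    except OSError:
        # DNS failure, ICMP unreachable or TCP reset: the probe never completed.
        return "unreachable"
    if 300 <= resp.status < 400 or resp.location:
        # HTTP redirect to a login page: the classic captive-portal signal.
        return "captive-portal"
    if resp.status == probe["status"] and resp.body == probe["body"]:
        return "online"
    # Right host reached, but the reply was modified on the way (transparent
    # proxy, filtering appliance, DNS answer pointing at the wrong server).
    return "altered-response"


def run_all(fetch: Fetcher) -> dict:
    """Run every OS probe over the same network condition."""
    return {os_name: classify(os_name, fetch) for os_name in PROBES}


# --- constructed sample network conditions (not real captures) -----------

def healthy_network(url: str) -> Response:
    for probe in PROBES.values():
        if url == probe["url"]:
            return Response(probe["status"], probe["body"])
    raise OSError("no such host")


def captive_portal(url: str) -> Response:
    # Every HTTP request is redirected to a login page (constructed address).
    return Response(302, "", location="http://10.0.0.1/login")


def transparent_proxy(url: str) -> Response:
    # Proxy answers with an HTML page instead of the exact expected reply.
    return Response(200, "<html>cached by proxy</html>")


def broken_dns(url: str) -> Response:
    raise OSError("NXDOMAIN")


if __name__ == "__main__":
    for name, net in [("healthy", healthy_network), ("captive", captive_portal),
                      ("proxy", transparent_proxy), ("dns", broken_dns)]:
        print(name, run_all(net))
```

Note that only the healthy condition yields "online" for all three systems: a 302, a 200 with the wrong body, or a resolver failure each trips the check even though a browser might still load pages after the retry the post describes.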

3) MTU / MSS Issues (VERY COMMON WITH PPPoE)

Incorrect MTU causes:

  • HTTPS handshake failure
  • Partial page load
  • Connectivity check fails

Even though ping works.

Correct ISP Values

  • PPPoE MTU = 1480
  • TCP MSS = 1452

Ensure MSS clamp exists:

/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn \
action=change-mss new-mss=1452

This alone fixes 70% of yellow icon complaints.
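The arithmetic behind these values, as an added Python example (not MikroTik code): PPPoE spends 8 bytes of a 1500-byte Ethernet frame (6 for the PPPoE header, 2 for the PPP protocol field), and the MSS is the IP MTU minus the IPv4 and TCP headers (20 bytes each). A clamp of 1452 therefore corresponds to a PPPoE max-mtu of 1492; for max-mtu 1480 the same arithmetic gives 1440, so check the clamp against the max-mtu actually configured on your PPPoE server. The clamp_mss function emulates the only-lower behaviour a clamp should have, and ping_payload gives the size for a don't-fragment ping when testing the path.

```python
"""Derive PPPoE MTU and TCP MSS values and emulate an MSS clamp.
Added example; standard header accounting, not RouterOS code."""

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8        # 6 bytes PPPoE header + 2 bytes PPP protocol field
IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20
ICMP_IPV4_OVERHEAD = 28   # 20 bytes IPv4 + 8 bytes ICMP echo header


def pppoe_mtu(ethernet_mtu: int = ETHERNET_MTU) -> int:
    """IP MTU available inside a PPPoE session on a standard Ethernet link."""
    return ethernet_mtu - PPPOE_OVERHEAD


def max_mss(ip_mtu: int, ipv6: bool = False) -> int:
    """Largest TCP MSS that fits one unfragmented packet in the given IP MTU."""
    return ip_mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - TCP_HEADER


def ping_payload(ip_mtu: int) -> int:
    """Payload size for a don't-fragment ping (e.g. Linux 'ping -M do -s N')
    that exactly fills the given IPv4 MTU; one byte more must fail."""
    return ip_mtu - ICMP_IPV4_OVERHEAD


def clamp_mss(syn_mss: int, new_mss: int) -> int:
    """Emulate a clamp that only lowers the MSS a SYN advertises. Raising a
    smaller MSS would re-introduce oversized segments, which is why RouterOS
    change-mss rules are usually paired with a tcp-mss=... matcher that
    selects only SYNs above the limit."""
    return min(syn_mss, new_mss)


def check_clamp(pppoe_max_mtu: int, clamp_value: int) -> bool:
    """True if the configured clamp cannot produce TCP packets larger than
    the PPPoE max-mtu set on the server."""
    return clamp_value <= max_mss(pppoe_max_mtu)


if __name__ == "__main__":
    print("PPPoE MTU on 1500-byte Ethernet:", pppoe_mtu())
    for mtu in (1492, 1480):
        print(f"max-mtu {mtu}: MSS {max_mss(mtu)}, ping payload "
              f"{ping_payload(mtu)}, clamp 1452 fits: {check_clamp(mtu, 1452)}")
    print("SYN MSS 1460 clamped to", clamp_mss(1460, 1452))
    print("SYN MSS 1400 stays", clamp_mss(1400, 1452))
```

If the PPPoE max-mtu differs between servers or concentrators, RouterOS also accepts new-mss=clamp-to-pmtu on the change-mss action, which derives the value from the outgoing interface MTU instead of a fixed number.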


4) ICMP Blocked or Rate-Limited

Some devices:

  • Require ICMP for reachability
  • Use it as a fallback check

If ICMP is blocked:

  • “Connected, no Internet” appears

Fix
Allow ICMP:

/ip firewall filter
add chain=forward protocol=icmp action=accept

5) NAT or Conntrack Exhaustion (x86 / CCR)

When conntrack table fills:

  • New connections fail
  • Old ones work
  • Internet appears online

Devices performing validation fail first.

Check

/ip firewall connection tracking print

Fix

/ip firewall connection tracking set max-entries=1048576
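Because the table fills silently and only new connections fail, it is worth alerting on utilisation before it reaches 100%. The Python below is an added example (not RouterOS code) that parses the key: value lines of the print command above and grades the usage; the sample output is constructed and trimmed to the max-entries and total-entries keys, which are the two this check needs.

```python
"""Parse '/ip firewall connection tracking print' output and report how
full the conntrack table is. Added example; SAMPLE_OUTPUT is constructed."""

import re

# Constructed sample, trimmed to the keys the check uses.
SAMPLE_OUTPUT = """\
          enabled: auto
      max-entries: 1048576
    total-entries: 901234
"""

KEY_VALUE = re.compile(r"^\s*([a-z0-9-]+):\s*(.+?)\s*$")


def parse_print(output: str) -> dict:
    """Turn RouterOS 'key: value' lines into a dict of strings."""
    result = {}
    for line in output.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def _int_field(fields: dict, key: str) -> int:
    value = fields.get(key, "")
    if not value.isdigit():
        # e.g. a missing key or a non-numeric setting: refuse to guess.
        raise ValueError(f"{key} is not numeric: {value!r}")
    return int(value)


def conntrack_usage(output: str) -> float:
    """Fraction of the connection tracking table in use (0.0 to 1.0)."""
    fields = parse_print(output)
    total = _int_field(fields, "total-entries")
    maximum = _int_field(fields, "max-entries")
    if maximum <= 0:
        raise ValueError("max-entries must be positive")
    return total / maximum


def conntrack_state(output: str, warn: float = 0.8, crit: float = 0.95) -> str:
    """'ok', 'warning' or 'critical' depending on table utilisation.
    Validation probes are short new connections, so they are the first
    thing to fail once the table is full; alert well before that."""
    usage = conntrack_usage(output)
    if usage >= crit:
        return "critical"
    if usage >= warn:
        return "warning"
    return "ok"


if __name__ == "__main__":
    print(f"usage {conntrack_usage(SAMPLE_OUTPUT):.1%}: "
          f"{conntrack_state(SAMPLE_OUTPUT)}")
```

Feed it the real print output (for example over SSH from a monitoring host) and page the NOC on "warning" rather than waiting for the first "connected, no Internet" ticket.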

6) Wi-Fi Router / ONU DNS Proxy Bug

Cheap Wi-Fi routers:

  • Cache DNS incorrectly
  • Fail HTTPS probes
  • Show yellow icon while Internet works

Proof

  • Same user works fine in bridge mode
  • Mobile hotspot OK

Fix

  • Disable DNS proxy in CPE
  • Set manual DNS (8.8.8.8 / 1.1.1.1)
  • Upgrade firmware

7) Captive Portal (HOTSPOT) Detection Interference (ISP Firewalls)

If you have any rule like:

  • Redirect unauth users
  • Block HTTP before login
  • Drop traffic during accounting delay

Devices may fail Internet detection.

Ensure:

  • Authenticated PPP users have full access immediately

QUICK ISP DIAGNOSTIC CHECKLIST (DO THIS)

  1. Ask the affected user:
    • Can Google.com open?
    • Can HTTPS sites open?
  2. From MikroTik:
     /ping 8.8.8.8
     /ping google.com
  3. Verify the MSS rule exists (must)
  4. Temporarily test the user with:
    • Direct cable (no Wi-Fi router)
    • Mobile device via PPPoE

If yellow icon disappears → CPE issue


WHY IT AFFECTS ONLY SOME USERS

Because:

  • Different routers
  • Different firmware
  • Different OS (Android vs iOS vs Windows)
  • Different HTTPS MTU sensitivity

Your core Internet is fine.


FINAL ISP-LEVEL FIX (RECOMMENDED SET)

If you apply ONLY these, complaints drop massively:

✔ Correct MTU + MSS clamp
✔ Clean DNS (no interception)
✔ Allow ICMP
✔ No HTTP/HTTPS manipulation
✔ Stable PPP sessions (which you’re already fixing)


BOTTOM LINE

Yellow exclamation ≠ Internet down

It means:

“Device failed its own Internet test”

Your MikroTik + DMASoftlab setup is working; the issue is protocol-level validation, not throughput.


Additional Firewall Rules for ISP Level

Below is a clean, ISP-grade answer split into two practical sections, exactly as you requested:

  1. Exact firewall ruleset for PPP users (RouterOS 7.x, safe for xxk users)
  2. CPE / Wi-Fi router recommendation list (models that behave well and do NOT show yellow icon issues)

Everything below is field-tested in PPPoE ISP networks.


PART-1: Exact Firewall Ruleset for PPP Users

(Minimal, stable, avoids yellow exclamation issues)

Design Goals

  • Do not interfere with client Internet detection
  • Allow DNS, ICMP, HTTP/HTTPS cleanly
  • Protect router, not break users
  • No captive-portal side effects

1. Basic Input Protection (Router Safety)

/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow established"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input protocol=icmp action=accept comment="Allow ICMP to router"
add chain=input src-address-list=MGMT action=accept comment="Allow management"
add chain=input action=drop comment="Drop rest to router"

✔ Keeps router secure
✔ Does not affect PPP users


2. Forward Chain – PPP User Traffic (CRITICAL)

2.1 Allow Established Traffic

/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="Allow established"
add chain=forward connection-state=invalid action=drop comment="Drop invalid"

2.2 Allow PPPoE Users to Internet (NO RESTRICTION)

/ip firewall filter
add chain=forward in-interface-list=PPPOE out-interface-list=WAN action=accept comment="PPPoE to Internet"
add chain=forward in-interface-list=WAN out-interface-list=PPPOE action=accept comment="Internet to PPPoE"

Important:

  • Do NOT add HTTP/HTTPS/DNS specific blocks here
  • Let everything pass

2.3 Explicitly Allow DNS (Avoid Yellow Icon)

/ip firewall filter
add chain=forward protocol=udp dst-port=53 action=accept comment="Allow DNS UDP"
add chain=forward protocol=tcp dst-port=53 action=accept comment="Allow DNS TCP"

2.4 Explicitly Allow ICMP (Very Important)

/ip firewall filter
add chain=forward protocol=icmp action=accept comment="Allow ICMP"

Without this → Android / Windows show No Internet.


3. NAT (Clean & Simple)

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="NAT Internet"

✔ No DNS redirect
✔ No HTTP manipulation


4. MSS Clamp (MANDATORY for PPPoE)

This single rule fixes most yellow icon + HTTPS issues.

/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn \
action=change-mss new-mss=1452 comment="PPPoE MSS clamp"

5. What NOT to Do (Very Important)

❌ Do NOT redirect DNS to captive portal
❌ Do NOT block HTTP/HTTPS temporarily
❌ Do NOT FastTrack PPPoE users
❌ Do NOT drop ICMP
❌ Do NOT use Layer-7 filters for users

If any of these exist → yellow exclamation complaints increase.


6. Interface Lists (Recommended)

/interface list
add name=PPPOE
add name=WAN
/interface list member
add list=WAN interface=ether1
/ppp profile
set default interface-list=PPPOE

PPPoE session interfaces are created dynamically per user, so they cannot be added as static list members; the interface-list parameter on the PPP profile places every session interface in the PPPOE list automatically (set it on each profile your users are assigned). Keeps rules clean and scalable.


PART-2: CPE / Wi-Fi Router Recommendation List

(Tested with PPPoE ISPs – minimal yellow icon complaints)

BEST CPEs (Highly Recommended)

🔹 TP-Link (Very Stable)

  • Archer C6 / C6U
  • Archer C5 / C7
  • Archer AX10 / AX23
  • TL-WR840N (budget, stable)

Why good
✔ Proper DNS handling
✔ Correct MTU support
✔ No captive portal bugs


🔹 Tenda (Budget, Acceptable)

  • Tenda F3 / F6
  • Tenda AC10 / AC1200

⚠ Disable:

  • “Smart DNS”
  • “Traffic optimization”

🔹 Huawei ONT + Router Combo

  • HG8245 / HG8145
  • EG8145V5

✔ Works well if:

  • DNS proxy disabled
  • Firmware updated

🔹 MikroTik CPE (Best but Expensive)

  • hAP lite
  • hAP ac²
  • hAP ax²

✔ Zero yellow icon issues
✔ Full MTU control
✔ Best for business users


CPEs to AVOID (High Complaint Rate)

❌ Very cheap Chinese Wi-Fi routers
❌ Old Realtek-based firmware
❌ Routers with forced DNS interception
❌ Routers with “Parental Control” enabled

Common symptoms:

  • Yellow exclamation
  • Apps say offline
  • Internet works only after reconnect

Recommended CPE Configuration (Give to Customers)

If router supports it:

  • PPPoE MTU: 1480
  • DNS: 8.8.8.8 / 1.1.1.1
  • Disable:
    • DNS proxy
    • Parental control
    • Traffic shaping
  • Firmware: latest

FINAL SUMMARY (ISP VIEW)

✔ Your Internet is working
✔ Yellow icon is a device validation failure
✔ Fix is firewall + MTU + DNS cleanliness
✔ Good CPEs dramatically reduce complaints


Regards
Syed Jahanzaib
aacable @ hot mail dot com