MadMaxDallas
just joined
Topic Author
Posts: 4
Joined: Thu Feb 09, 2017 5:21 pm

Setup assistance with Information RB3011

Thu Feb 09, 2017 6:06 pm

Hello all,
I am new to MikroTik, I have a 3011 Router.
Layout
Ether1 WAN /29 subnet
Ether 2 LAN 192.168.1.0/24
Ether 3 to 10 is part of Lan Address

I can access my pc inside network from external and port forwarding to camera system is working fine too.

I can ping from inside the network to outside fine, dns resolving good.
Traceroute shows 192.168.1.1 twice which I thought was interesting.
But biggest problem is web browsing outside of the network is not working correctly, sometimes get the first page, but click a link and times out.

I figure it was firewall and removed most items down to a basic, did not make it better.

Here is my info I think you can use to help me understand what I did wrong.

Thanks in advance if you can help me.


[admin@IbeamIsp-LBC] /ip> export
# feb/09/2017 10:03:48 by RouterOS 6.38.1
# software id = TVTQ-HUHL
#
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.254
/ip address
add address=98.6.39.202/29 interface=ether1 network=98.6.39.200
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge2 name=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall address-list
add address=192.168.1.0/24 comment=LAN list=local
add address=192.168.1.0/24 list=support
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add chain=input comment="Accept established and related packets" connection-state=established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related in-interface=ether1
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat comment=VideoSystem1 dst-port=80 protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat comment=VideoSystem2 dst-port=6036 protocol=tcp to-addresses=192.168.1.12 to-ports=6036
add action=accept chain=input comment="Local access to RB for Winbox" dst-port=8291 protocol=tcp src-address-list=local
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add check-gateway=arp distance=1 gateway=98.6.39.201
/ip service
set telnet disabled=yes
 
skuykend
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: Setup assistance with Information RB3011

Thu Feb 09, 2017 8:31 pm

Your dst-nat's to 192.168.1.12 are too broad. They have no filter other than tcp & port. So all traffic through the router with dst port 80 or 6036 is being redirected there. Need to specify incoming interface, dst-addr, dst-addr-type or a combination of those to narrow the dst-nat.
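
Added example (not part of the original posts): a small Python check that reads a RouterOS export and lists dst-nat rules carrying none of the narrowing matchers named in the reply above. The sample exports are constructed from the rules posted in this thread; the narrowed version assumes the WAN address 98.6.39.202 on ether1 shown in the export, and the function names and one-rule-per-line parsing are assumptions of this example.

```python
import shlex

# Matchers that tie a dst-nat rule to traffic arriving at the router's WAN side.
SCOPING_KEYS = {"in-interface", "in-interface-list", "dst-address",
                "dst-address-list", "dst-address-type"}

# Constructed sample: the NAT section as posted in the thread.
AS_POSTED = """\
/ip firewall nat
add action=dst-nat chain=dstnat comment=VideoSystem1 dst-port=80 protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat comment=VideoSystem2 dst-port=6036 protocol=tcp to-addresses=192.168.1.12 to-ports=6036
add action=masquerade chain=srcnat out-interface=ether1
"""

# Constructed sample: the same rules narrowed to the WAN address and interface.
NARROWED = """\
/ip firewall nat
add action=dst-nat chain=dstnat comment=VideoSystem1 dst-address=98.6.39.202 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat comment=VideoSystem2 dst-address=98.6.39.202 dst-port=6036 in-interface=ether1 protocol=tcp to-addresses=192.168.1.12 to-ports=6036
add action=masquerade chain=srcnat out-interface=ether1
"""

def parse_export(text):
    """Yield (section, {key: value}) for each 'add' line (one rule per line assumed)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments in one token
            yield section, dict(t.split("=", 1) for t in tokens if "=" in t)

def unscoped_dstnat(text):
    """Return the comment (or dst-port) of every dst-nat rule with no scoping matcher."""
    hits = []
    for section, rule in parse_export(text):
        if section != "/ip firewall nat":
            continue
        if rule.get("chain") == "dstnat" and rule.get("action") == "dst-nat":
            # Without a scoping matcher the rule also catches LAN clients' outbound
            # traffic to that port, which is what broke web browsing in this thread.
            if SCOPING_KEYS.isdisjoint(rule):
                hits.append(rule.get("comment", rule.get("dst-port", "?")))
    return hits

if __name__ == "__main__":
    print("as posted:", unscoped_dstnat(AS_POSTED))
    print("narrowed: ", unscoped_dstnat(NARROWED))
```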
 
MadMaxDallas
just joined
Topic Author
Posts: 4
Joined: Thu Feb 09, 2017 5:21 pm

Re: Setup assistance with Information RB3011

Thu Feb 09, 2017 8:46 pm

That's interesting to catch that, I will try it. I just remotely enabled a proxy and it worked! So now will correct what you saw and disable proxy and report back.
 
MadMaxDallas
just joined
Topic Author
Posts: 4
Joined: Thu Feb 09, 2017 5:21 pm

Re: Setup assistance with Information RB3011

Thu Feb 09, 2017 9:00 pm

Ok got that, but the proxy also works pretty nice too!
Thank you for seeing that.

I am looking forward to working with this router, and intend to put a sector on to feed a few other buildings.

Needed to get the darn thing understood, I will now use one port and go to a 48 port switch with trunking vlan, so that will be my next stumbling block I am sure.
I get a bit confused with some examples but am learning.

Thank you for your assistance.
 
skuykend
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: Setup assistance with Information RB3011

Thu Feb 09, 2017 10:05 pm

Glad you're off and running.

Proxy will take up resources on the router, plus can put lots of wear on the internal flash storage, so I wouldn't use it unless you have another need for it.... and then set up a separate disk.

VLANS, trunking and switches can be a little tricky to initially learn, especially with Mikrotik's different switch chips each having slightly different quirks/tricks. (And the 2011 has two different switch chips!)
Once you learn and get them set up though, they are extremely useful and efficient.

Check out this page if you haven't: http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features
 
MadMaxDallas
just joined
Topic Author
Posts: 4
Joined: Thu Feb 09, 2017 5:21 pm

Re: Setup assistance with Information RB3011

Fri Feb 10, 2017 12:29 am

Yes getting past first step has been interesting.
I have a HP Pro curve 2650.
I intend to trunk vlans out one port to it. I am trying to get a grasp on it. Wish I had a second RB3011 to lab with but this unit is in production now, so learning backup and restore first was most important. Fortunately I have key to building so will experiment on weekends. So many specific items on each piece to learn.
