TrustNo1UK
just joined
Topic Author
Posts: 6
Joined: Fri Mar 15, 2024 3:07 pm

Can't connect to internet from management or public address interface LAN to WAN

Thu Apr 11, 2024 1:36 pm

I have set up a new router for a wires-only leased line connection. The WAN is up and I can trace a route out to the internet from WinBox. However, if I plug into the management port (ether8) I am unable to connect to the internet. I also have an issue where I assign a public IP address in our static range and plug into ether1 on the MikroTik; this also doesn't connect to the internet. I am a bit lost. I think I have something wrong. This is the config exported before connecting SFP and plugging in. Help or guidance on troubleshooting appreciated.
/interface ethernet
set [ find default-name=ether8 ] comment=OOB
/interface list
add name=MACWinbox
add name=Discovery
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether8 lease-time=1h name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=Discovery
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether8 list=MACWinbox
add interface=ether8 list=Discovery
add interface=ether1 list=Discovery
/ip address
add address=192.168.88.1/24 comment=OOB interface=ether8 network=192.168.88.0
add address=XXX.XXX.30.33/28 comment=LAN interface=ether1 network=XXX.XXX.30.32
add address=XXX.XXX.73.58 comment=WAN disabled=yes interface=sfp-sfpplus1 \
    network=XXX.XXX.73.58
/ip cloud
set update-time=no
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set servers=212.23.3.100,212.23.6.100
/ip firewall address-list
add address=192.168.88.0/24 list=WinboxAllowed
add address=185.128.57.233 list=WinboxAllowed
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment=\
    "Allow Remote Management by SSH and Winbox from Trusted Address List" \
    dst-port=22,8291 protocol=tcp src-address-list=WinboxAllowed
add action=jump chain=input jump-target=icmp4 protocol=icmp
add action=accept chain=input comment="Allow DNS & DHCP from OOB" dst-port=\
    53,67,68 in-interface=ether8 protocol=udp
add action=drop chain=input comment="Drop All other INPUT traffic"
add action=drop chain=forward comment=\
    "Drop invalid public addresses from being forward to WAN" \
    dst-address-list=not_in_internet out-interface=sfp-sfpplus1
add action=accept chain=forward comment=\
    "Allow traffic from ether1 forward out sfp-sfpplus1" in-interface=ether1 \
    out-interface=sfp-sfpplus1
add action=accept chain=forward comment=\
    "Allow traffic from OOB (ether8) forward out sfp-sfpplus1" in-interface=\
    ether8 out-interface=sfp-sfpplus1
add action=accept chain=forward comment=\
    "Allow traffic from sfp-sfpplus1 forward out ether1" in-interface=\
    sfp-sfpplus1 out-interface=ether1
add action=drop chain=forward comment="Drop All other forward"
add action=accept chain=icmp4 comment=\
    "ICMP: Echo reply 0:0 and limit for 5pac/s" icmp-options=0:0 limit=\
    5,5:packet protocol=icmp
add action=accept chain=icmp4 comment="ICMP: Destination unreachable" \
    icmp-options=3:0-1 limit=5,5:packet protocol=icmp
add action=accept chain=icmp4 comment=\
    "ICMP: Port unreachable and limit for 5pac/s" icmp-options=3:3 limit=\
    5,5:packet protocol=icmp
add action=accept chain=icmp4 comment=\
    "ICMP: Fragmentation neeeded and limit for 5pac/s" icmp-options=3:4 \
    limit=5,5:packet protocol=icmp
add action=accept chain=icmp4 comment=\
    "ICMP: Echo request - 8:0 and limit for 5pac/s" icmp-options=8:0 limit=\
    5,5:packet protocol=icmp
add action=accept chain=icmp4 comment=\
    "ICMP: Time exceeded 11:0 and limit for 5pac/s" icmp-options=11:0 limit=\
    5,5:packet protocol=icmp
add action=drop chain=icmp4 comment="Drop everything else" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "NAT Traffic with src-address of OOB network" out-interface=sfp-sfpplus1 \
    src-address=192.168.88.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/London
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MACWinbox
/tool mac-server mac-winbox
set allowed-interface-list=MACWinbox
 
greggio
just joined
Posts: 12
Joined: Fri Feb 16, 2024 8:24 pm

Re: Can't connect to internet from management or public address interface LAN to WAN

Fri Apr 12, 2024 10:58 pm

Hi bro, welcome to the MikroTik universe.

You forgot to make a masquerade rule so your private IPs use NAT to connect to the internet.

Put in the command below and you're good to go.
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface="your wan interface"
 
jaclaz
Long time Member
Posts: 676
Joined: Tue Oct 03, 2023 4:21 pm

Re: Can't connect to internet from management or public address interface LAN to WAN

Sat Apr 13, 2024 12:16 pm

> You forgot to make a masquerade rule so your private IPs use NAT to connect to internet.
The OP's posted configuration already contains this:
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "NAT Traffic with src-address of OOB network" out-interface=sfp-sfpplus1 \
    src-address=192.168.88.0/24

Must be *something else*, likely some firewall filter rule. :-?
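
One way to check the firewall-filter hunch against the posted export, as an added example that is not part of any post in this thread: a first-match walk of the forward chain for one OOB client request and its reply. The `connection-state=established,related` rule in `FIXED`, the packet values and the helper names are assumptions made for the illustration.

```python
import ipaddress
import shlex

# Forward-chain rules from the export in the first post, continuation lines
# joined and all but the last comment dropped.
POSTED = '''
add action=drop chain=forward dst-address-list=not_in_internet out-interface=sfp-sfpplus1
add action=accept chain=forward in-interface=ether1 out-interface=sfp-sfpplus1
add action=accept chain=forward in-interface=ether8 out-interface=sfp-sfpplus1
add action=accept chain=forward in-interface=sfp-sfpplus1 out-interface=ether1
add action=drop chain=forward comment="Drop All other forward"
'''
# Assumption: a stateful accept rule that the posted export does not contain.
FIXED = "add action=accept chain=forward connection-state=established,related" + POSTED
# Part of the page's not_in_internet address list, enough for this walk.
LISTS = {"not_in_internet": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}

def parse(export):
    """'add k=v ...' lines -> list of dicts, order kept, leading 'add' dropped."""
    return [dict(w.split("=", 1) for w in shlex.split(line)[1:])
            for line in export.strip().splitlines()]

def matches(rule, pkt):
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        if key == "dst-address-list":
            dst = ipaddress.ip_address(pkt["dst"])
            ok = any(dst in ipaddress.ip_network(n) for n in LISTS[want])
        elif key == "connection-state":
            ok = pkt[key] in want.split(",")
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def verdict(export, pkt):
    """First matching rule wins; returns (action, rule index)."""
    for number, rule in enumerate(parse(export)):
        if rule["chain"] == "forward" and matches(rule, pkt):
            return rule["action"], number
    return "accept", None  # nothing matched: end of chain

# Constructed packets as the forward chain sees them (reply already un-NATed).
REQUEST = {"in-interface": "ether8", "out-interface": "sfp-sfpplus1",
           "dst": "1.1.1.1", "connection-state": "new"}
REPLY = {"in-interface": "sfp-sfpplus1", "out-interface": "ether8",
         "dst": "192.168.88.10", "connection-state": "established"}
```

With the posted rules the request is accepted by the ether8 rule, but the reply matches nothing until "Drop All other forward"; the ether1 direction has its own return rule and is not affected by this.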
 
TheCat12
Member Candidate
Posts: 182
Joined: Fri Dec 31, 2021 9:13 pm

Re: Can't connect to internet from management or public address interface LAN to WAN

Sat Apr 13, 2024 1:09 pm

Is there a default route to the WAN gateway?
