Ether1 is connected to ISP, there is a DHCP client on it that is receiving public IP address
Ether3-Ether5 and wlan1-wlan2 are in a bridge and there is a local IP address assigned to the bridge.
There is src-nat with masquerading configured for WAN interface (Ether1)
The issue I noticed is that the IP packets from Internet resources are going out to the ether1 interface instead of bridge Here is a snippet of the log on IP Firewall NAT rule and IP Filter rule, when a host on LAN (say 192.168.0.142) is pinging public IP on Internet
Code: Select all
# may/12/2024 02:19:59 by RouterOS 6.49.15
/interface bridge
add admin-mac=2C:C8:1B:24:B4:C3 auto-mac=no comment=defconf name=bridge
add name=bridge1-car
/interface ethernet
set [ find default-name=ether1 ] mac-address=E4:FA:C4:AF:47:0D
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid="Guest" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=auto mode=ap-bridge ssid="Guest"
/interface eoip
add allow-fast-path=no local-address=201.201.107.131 mac-address=02:D5:5E:E0:70:C2 name=eoip-tunnel1-c remote-address=201.201.75.181 tunnel-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=server1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
add name=admin policy=local,ftp,reboot,read,write,test,winbox,password,web,sniff,sensitive,romon,dude,tikapp,!telnet,!ssh,!policy,!api
/interface bridge port
add bridge=bridge1-car comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge1-car interface=eoip-tunnel1-car
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1 comment=defconf interface=bridge network=192.168.0.0
add address=192.168.90.99/24 interface=eoip-tunnel1-car network=192.168.90.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.4.4,8.8.8.8 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept all coming from WAN and ip" in-interface-list=WAN src-address=201.201.75.181
add action=accept chain=input comment="accept all coming from WAN and ip" src-address=192.168.90.0/24
add action=accept chain=input comment="accept all coming from LAN" disabled=yes in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related log=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN to-addresses=178.251.107.131
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes port=12414
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Chisinau
/system logging
add disabled=yes prefix=ipsec topics=ipsec
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1 filter-ip-protocol=udp
What would make the reply IP packets from 8.8.8.8 for local LAN IP 192.168.0.142 to go to ether1 (WAN) instead of bridge (LAN) ?