I bought an RB433. When configuring it as a router, I found that WAN-side IP addresses got assigned to the LAN computers. I have eth1 as WAN (address assigned by the DHCP client from the ISP), bridged to LAN eth2, eth3 and wlan1 (all on 172.20.0.1/24 with DHCP enabled), and NAT enabled on the bridge. Is there anything wrong with this setup? Why do I get IP addresses from the WAN side assigned to LAN devices? How can I isolate the DHCP service to the LAN?
Anybody can help?
Many thanks,
driver733
mixig
March 5, 2013, 10:50am
2
Do not bridge the WAN and LAN ports together: your WAN interface is a DHCP client and gets a public IP from your ISP. After that, create a bridge interface and put eth2, eth3 and wlan into it, assign the bridge interface an IP address from the 172.20.0.0/24 subnet, and enable the DHCP server on the bridge interface. The last step is to configure masquerade in IP firewall NAT for internet traffic.
Thanks for the help. I did exactly what you have written: I did not add the WAN to the bridge, and I also enabled NAT (masquerade) for the bridge. The result is the same (not working).
mixig
March 5, 2013, 2:08pm
4
Do you have default route on mikrotik which is pointing to your ISP?
Yes, it's enabled.
# jan/02/1970 19:39:09 by RouterOS 5.23
# software id = NSZA-GABH
#
# NOTE(review): the export is dated 1970, so the system clock has never been
# set; log entries from this router cannot be correlated with anything else.
/interface bridge
add l2mtu=1522 name=bridge1
/interface wireless
# wlan1 is an AP ("DRIVER's Network"). No security-profile= appears in this
# export; exports omit default values, so it presumably uses the default
# profile below, which has no authentication-types - confirm the AP is not open.
set 0 band=2ghz-b/g/n basic-rates-b="" channel-width=20/40mhz-ht-above \
disabled=no frequency=2412 frequency-mode=superchannel \
ht-ampdu-priorities=0,1 ht-guard-interval=long ht-rxchains=0,1 \
ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs\
-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" ht-txchains=0,1 \
hw-retries=4 l2mtu=2290 mode=ap-bridge periodic-calibration=enabled \
periodic-calibration-interval=10 rate-set=configured ssid=\
"DRIVER's Network" supported-rates-b="" tx-power-mode=card-rates \
wireless-protocol=any
/interface ethernet
set 0 comment=WAN
set 1 comment=LAN
/interface wireless nstreme
set wlan1 enable-polling=no
/interface wireless security-profiles
# Default profile: cipher lists cleared and no authentication type configured.
set [ find default=yes ] group-ciphers="" supplicant-identity=MikroTik \
unicast-ciphers=""
# profile1: WPA-PSK with TKIP only (deprecated cipher) and a 9-digit numeric
# pre-shared key stored in clear. Nothing else in this export references profile1.
add authentication-types=wpa-psk eap-methods=passthrough group-ciphers=\
tkip management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity="" unicast-ciphers=tkip wpa-pre-shared-key=\
111111111
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
# "pool" (192.168.2.x) is not used by any dhcp-server entry in this export.
add name=pool ranges=192.168.2.100-192.168.2.150
add name=dhcp_pool1 ranges=172.20.0.2-172.20.0.254
/ip dhcp-server
# The only DHCP server listens on bridge1. ether1 (WAN) is not a bridge port
# (see /interface bridge port), so ISP DHCP offers cannot reach LAN hosts.
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/port
set 0 baud-rate=9600 flow-control=hardware
/ppp profile
set 0 change-tcp-mss=no
add change-tcp-mss=no name=aist
set 2 change-tcp-mss=no
/interface pptp-client
# add-default-route=yes installs a default route whenever the tunnel is up.
# The DHCP client on ether1 uses default-route-distance=2; if the PPTP route
# has a lower distance, all internet traffic goes through the tunnel instead
# of directly out ether1 - check /ip route for which default route is active.
# PPTP (MPPE/MS-CHAPv2) is itself considered broken; credentials are redacted here.
add add-default-route=yes connect-to=192.168.0.4 disabled=no name=\
pptp-out1 password=... profile=aist user=...
/system logging action
# remote=0.0.0.0 means the remote log action has no destination - logs are
# not being shipped off the device.
set 3 remote=0.0.0.0
/interface bridge port
# Only ether2 and wlan1 are bridge ports; ether3 has no entry here.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
/interface wireless access-list
# MAC allow-list. MAC addresses are observable and spoofable, so this is not
# an access control on its own. Duplicated entries: A4:67:06:8E:3D:85 (x3),
# 00:21:91:F3:C5:DD (x2), 00:21:5D:A7:67:54 (x2).
add interface=wlan1 mac-address=00:1D:0D:72:9B:88
add interface=wlan1 mac-address=00:21:5D:A7:67:54
add interface=wlan1 mac-address=00:23:6C:6E:46:50
add interface=wlan1 mac-address=00:23:45:3A:6C:6A
add interface=wlan1 mac-address=2C:81:58:E4:A0:0B
add interface=wlan1 mac-address=C4:2C:03:CA:25:B8
add interface=wlan1 mac-address=58:55:CA:2D:D7:21
add interface=wlan1 mac-address=F0:7D:68:6C:66:19
add interface=wlan1 mac-address=78:DD:08:C8:EB:5E
add interface=wlan1 mac-address=A4:67:06:8E:3D:85
add interface=wlan1 mac-address=00:21:91:F3:C5:DD
add interface=wlan1 mac-address=A4:67:06:8E:3D:85
add interface=wlan1 mac-address=00:21:91:F3:C5:DD
add interface=wlan1 mac-address=DC:A9:71:15:6F:17
add interface=wlan1 mac-address=0C:74:C2:4F:18:A7
add interface=wlan1 mac-address=A4:67:06:8E:3D:85
add interface=wlan1 mac-address=00:21:5D:A7:67:54
/ip address
add address=172.20.0.1/24 interface=bridge1
# ether2 and wlan1 are bridge ports (above); giving them their own L3 addresses
# adds two subnets that the srcnat masquerade rule below does not cover.
add address=172.18.0.1/24 interface=ether2
add address=172.19.0.1/24 interface=wlan1
/ip dhcp-client
add default-route-distance=2 disabled=no interface=ether1
/ip dhcp-server network
# Only the 172.20 network has a matching dhcp-server. No dns-server= is set on
# any network; what clients receive for DNS is not visible from this export -
# confirm with a ping to a hostname vs. a raw IP from a LAN host.
add address=172.18.0.0/24 gateway=172.18.0.1
add address=172.19.0.0/24 gateway=172.19.0.1
add address=172.20.0.0/24 gateway=172.20.0.1
/ip dns
set max-udp-packet-size=512 servers=81.28.160.1,81.28.160.111
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 protocol=tcp tcp-flags=\
syn tcp-mss=1453-65535
/ip firewall nat
# There is no /ip firewall filter section in this export: nothing restricts
# the input chain, so every enabled management service (www-ssl, api on 2210,
# plus any service left at its default - confirm) answers on ether1 as well.
# Masquerade covers 172.20.0.0/24 only; 172.18/172.19 hosts are not translated.
add action=masquerade chain=srcnat src-address=172.20.0.0/24
# Port forwards publish RDP (3389) and FTP (21) on the public address straight
# to 172.18.0.15, and 32400 to 172.18.0.11, with no source restriction and no
# filter rule in front of them.
add action=dst-nat chain=dstnat dst-address=213.178.37.185 dst-port=3389 \
protocol=tcp to-addresses=172.18.0.15 to-ports=3389
add action=dst-nat chain=dstnat dst-address=213.178.37.185 dst-port=21 \
protocol=tcp to-addresses=172.18.0.15 to-ports=21
add action=dst-nat chain=dstnat dst-address=213.178.37.185 dst-port=\
32400 protocol=tcp to-addresses=172.18.0.11 to-ports=32400
add action=dst-nat chain=dstnat comment="utorrent webui (driver1-pc)" \
dst-address=... dst-port=54321 protocol=tcp to-addresses=\
172.20.0.237 to-ports=54321
/ip neighbor discovery
# Discovery is disabled on wlan1 only; ether1 (WAN) keeps its default -
# confirm the router is not advertising itself towards the ISP.
set wlan1 disabled=yes
/ip proxy
set max-cache-size=none
/ip route
# Static routes for private ranges via the ISP-side gateway 10.3.64.129.
# 172.16.0.0/12 also contains the LAN's own 172.20.0.0/24; the connected /24
# is more specific so LAN traffic still wins, but any 172.16/12 destination
# without a connected route is sent towards the ISP.
add distance=1 dst-address=10.0.0.0/8 gateway=10.3.64.129
add distance=1 dst-address=172.16.0.0/12 gateway=10.3.64.129
add distance=1 dst-address=192.168.0.0/24 gateway=10.3.64.129
add distance=1 dst-address=192.168.0.4/32 gateway=10.3.64.129
/ip service
# telnet/ftp/ssh disabled, www-ssl enabled, api moved to 2210. Services not
# listed keep their defaults. With no filter rules these are reachable from
# the WAN side; restrict them with address= or an input-chain filter.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api port=2210
/ip upnp
# UPnP enabled: LAN hosts can create their own port forwards. No
# /ip upnp interfaces entries are in the export - confirm which interface
# is marked external.
set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
/system health
set fan-mode=manual use-fan=auxiliary
/system identity
set name=MikroTik_DRIVER
/system watchdog
# auto-send-supout=yes presumably mails a support-output file (which contains
# the configuration) after a watchdog reboot - make sure the recipient and
# SMTP server are trusted.
set auto-send-supout=yes send-email-to=... \
send-smtp-server=...
/tool bandwidth-server
# Bandwidth test server is enabled with 10 sessions; with no input filter it is
# reachable from the WAN as well.
set max-sessions=10
/tool e-mail
set address=... password=... user=...
/tool graphing interface
add
mixig
March 5, 2013, 4:37pm
6
You can try pinging your default gateway (ISP side) from the MikroTik.
It pings fine, but I still don't understand why nothing works.
mixig
March 5, 2013, 6:32pm
9
From your computer, try pinging www.google.com and 4.2.2.2; try the same from the MikroTik too.
mixig
March 5, 2013, 6:35pm
10
You also have IP addresses on eth2 and wlan? They are in the bridge; try removing those IP addresses. Your NAT rule masquerades source address 172.20.0.0/24, but you have 172.18/172.19 on eth2 and wlan.
Just removed them, didn't help.
# jan/02/1970 00:36:23 by RouterOS 5.23
# software id = NSZA-GABH
#
# NOTE(review): still dated 1970 (and earlier in the day than the previous
# export), so the clock resets on reboot and is never synced; log timestamps
# are unusable for any investigation.
/interface bridge
add l2mtu=1522 name=bridge1
/interface wireless
# wlan1 is an AP ("DRIVER's Network"). No security-profile= appears in this
# export; exports omit default values, so it presumably uses the default
# profile below, which has no authentication-types - confirm the AP is not open.
set 0 band=2ghz-b/g/n basic-rates-b="" channel-width=20/40mhz-ht-above \
disabled=no frequency=2412 frequency-mode=superchannel \
ht-ampdu-priorities=0,1 ht-guard-interval=long ht-rxchains=0,1 \
ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs\
-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" ht-txchains=0,1 \
hw-retries=4 l2mtu=2290 mode=ap-bridge periodic-calibration=enabled \
periodic-calibration-interval=10 rate-set=configured ssid=\
"DRIVER's Network" supported-rates-b="" tx-power-mode=card-rates \
wireless-protocol=any
/interface ethernet
set 0 comment=WAN
set 1 comment=LAN
/interface wireless nstreme
set wlan1 enable-polling=no
/interface wireless security-profiles
# Default profile: cipher lists cleared and no authentication type configured.
set [ find default=yes ] group-ciphers="" supplicant-identity=MikroTik \
unicast-ciphers=""
# profile1: WPA-PSK with TKIP only (deprecated cipher) and a 9-digit numeric
# pre-shared key stored in clear. Nothing else in this export references profile1.
add authentication-types=wpa-psk eap-methods=passthrough group-ciphers=\
tkip management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity="" unicast-ciphers=tkip wpa-pre-shared-key=\
111111111
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
# "pool" (192.168.2.x) is not used by any dhcp-server entry in this export.
add name=pool ranges=192.168.2.100-192.168.2.150
add name=dhcp_pool1 ranges=172.20.0.2-172.20.0.254
/ip dhcp-server
# The only DHCP server listens on bridge1. ether1 (WAN) is not a bridge port
# (see /interface bridge port), so ISP DHCP offers cannot reach LAN hosts.
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/port
set 0 baud-rate=9600 flow-control=hardware
/ppp profile
set 0 change-tcp-mss=no
add change-tcp-mss=no name=aist
set 2 change-tcp-mss=no
/interface pptp-client
# NOTE(review): the PPTP user and password are exported in plaintext here,
# whereas the earlier export redacted them. Once posted they should be treated
# as compromised: rotate them with the provider and strip them from any future
# export.
# add-default-route=yes installs a default route whenever the tunnel is up.
# The DHCP client on ether1 uses default-route-distance=2; if the PPTP route
# has a lower distance, all internet traffic goes through the tunnel instead
# of directly out ether1 - check /ip route for which default route is active.
add add-default-route=yes connect-to=192.168.0.4 disabled=no name=\
pptp-out1 password=436398 profile=aist user=1820073596
/system logging action
# remote=0.0.0.0 means the remote log action has no destination - logs are
# not being shipped off the device.
set 3 remote=0.0.0.0
/interface bridge port
# Only ether2 and wlan1 are bridge ports; ether3 has no entry here.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
/interface wireless access-list
# MAC allow-list. MAC addresses are observable and spoofable, so this is not
# an access control on its own. Duplicated entries: A4:67:06:8E:3D:85 (x3),
# 00:21:91:F3:C5:DD (x2), 00:21:5D:A7:67:54 (x2).
add interface=wlan1 mac-address=00:1D:0D:72:9B:88
add interface=wlan1 mac-address=00:21:5D:A7:67:54
add interface=wlan1 mac-address=00:23:6C:6E:46:50
add interface=wlan1 mac-address=00:23:45:3A:6C:6A
add interface=wlan1 mac-address=2C:81:58:E4:A0:0B
add interface=wlan1 mac-address=C4:2C:03:CA:25:B8
add interface=wlan1 mac-address=58:55:CA:2D:D7:21
add interface=wlan1 mac-address=F0:7D:68:6C:66:19
add interface=wlan1 mac-address=78:DD:08:C8:EB:5E
add interface=wlan1 mac-address=A4:67:06:8E:3D:85
add interface=wlan1 mac-address=00:21:91:F3:C5:DD
add interface=wlan1 mac-address=A4:67:06:8E:3D:85
add interface=wlan1 mac-address=00:21:91:F3:C5:DD
add interface=wlan1 mac-address=DC:A9:71:15:6F:17
add interface=wlan1 mac-address=0C:74:C2:4F:18:A7
add interface=wlan1 mac-address=A4:67:06:8E:3D:85
add interface=wlan1 mac-address=00:21:5D:A7:67:54
/ip address
# The per-port addresses on ether2/wlan1 from the earlier export are gone;
# bridge1 is now the only LAN address.
add address=172.20.0.1/24 interface=bridge1
/ip dhcp-client
add default-route-distance=2 disabled=no interface=ether1
/ip dhcp-server network
# No dns-server= is set; what clients receive for DNS is not visible from
# this export - confirm with a ping to a hostname vs. a raw IP from a LAN host.
add address=172.20.0.0/24 gateway=172.20.0.1
/ip dns
set max-udp-packet-size=512 servers=81.28.160.1,81.28.160.111
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 protocol=tcp tcp-flags=\
syn tcp-mss=1453-65535
/ip firewall nat
# There is no /ip firewall filter section in this export: nothing restricts
# the input chain, so every enabled management service (www-ssl, api on 2210,
# plus any service left at its default - confirm) answers on ether1 as well.
add action=masquerade chain=srcnat src-address=172.20.0.0/24
# These forwards still target 172.18.0.15 and 172.18.0.11, but 172.18.0.0/24 is
# no longer a connected network in this export. Those destinations now match
# the 172.16.0.0/12 static route below, so forwarded RDP/FTP/32400 traffic is
# presumably sent towards 10.3.64.129 rather than to a LAN host - confirm, and
# either retarget or remove them. RDP and FTP on a public address with no
# source restriction is a risk regardless.
add action=dst-nat chain=dstnat dst-address=213.178.37.185 dst-port=3389 \
protocol=tcp to-addresses=172.18.0.15 to-ports=3389
add action=dst-nat chain=dstnat dst-address=213.178.37.185 dst-port=21 \
protocol=tcp to-addresses=172.18.0.15 to-ports=21
add action=dst-nat chain=dstnat dst-address=213.178.37.185 dst-port=\
32400 protocol=tcp to-addresses=172.18.0.11 to-ports=32400
# The public address is given here unredacted, unlike the earlier export.
add action=dst-nat chain=dstnat comment="utorrent webui (driver1-pc)" \
dst-address=213.178.37.185 dst-port=54321 protocol=tcp to-addresses=\
172.20.0.237 to-ports=54321
/ip neighbor discovery
# Discovery is disabled on wlan1 only; ether1 (WAN) keeps its default -
# confirm the router is not advertising itself towards the ISP.
set wlan1 disabled=yes
/ip proxy
set max-cache-size=none
/ip route
# Static routes for private ranges via the ISP-side gateway 10.3.64.129.
# 172.16.0.0/12 also contains the LAN's own 172.20.0.0/24; the connected /24
# is more specific so LAN traffic still wins, but any other 172.16/12
# destination (including the dst-nat targets above) is sent towards the ISP.
add distance=1 dst-address=10.0.0.0/8 gateway=10.3.64.129
add distance=1 dst-address=172.16.0.0/12 gateway=10.3.64.129
add distance=1 dst-address=192.168.0.0/24 gateway=10.3.64.129
add distance=1 dst-address=192.168.0.4/32 gateway=10.3.64.129
/ip service
# telnet/ftp/ssh disabled, www-ssl enabled, api moved to 2210. Services not
# listed keep their defaults. With no filter rules these are reachable from
# the WAN side; restrict them with address= or an input-chain filter.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api port=2210
/ip upnp
# UPnP enabled: LAN hosts can create their own port forwards. No
# /ip upnp interfaces entries are in the export - confirm which interface
# is marked external.
set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
/system health
set fan-mode=manual use-fan=auxiliary
/system identity
set name=MikroTik_DRIVER
/system watchdog
# auto-send-supout=yes presumably mails a support-output file (which contains
# the configuration) after a watchdog reboot - make sure the recipient and
# SMTP server are trusted.
set auto-send-supout=yes send-email-to=... \
send-smtp-server=...
/tool bandwidth-server
# Bandwidth test server is enabled with 10 sessions; with no input filter it is
# reachable from the WAN as well.
set max-sessions=10
/tool e-mail
set address=... password=... user=...
/tool graphing interface
add