192.168.1.1 wont work as gateway suddenly

RouterOS General
1

I had my system set up and working for a year now with it’s default gateway IP set as 192.168.1.1, which worked great until yesterday… I told it to do a routerboard firmware upgrade to the latest version, and suddenly I had no internet access after it rebooted.

I could ping everything in the 192.168.1.0/24 range including the gateway 192.168.1.1, I could connect via winbox, but for some reason the internet would not work at all.

I did a config reset and it went back to 192.168.88.1 and everything worked great.. so started rebuilding the config (restoring the config just went to the same issue immediately, requiring another reset).
Everything worked until I switched the router’s IP back to 192.168.1.1, then suddenly I had “limited connectivity” according to windows… nothing outside my LAN would talk again. but still could ping it fine…

did another reset, and this time used quick set to set it up as a 192.168.1.1 gateway IP and DHCP range 192.168.1.100 - 254 and again no internet…

did a reset, and quick setup set it to 192.168.2.1 and a same DHCP range 192.168.2.x and worked…

change DHCP to 192.168.1.100 - 256 and widened my sub net to 255.255.0.0 and still worked as long as 192.168.2.1 was the gateway…

added 192.168.1.1/24 to the address list so I have it as a gateway too… switched my PC to talk to that gateway… and once again… no internet

reverted my firmware back, didn’t help… rolled the routeros back to 6.40.5 and no change in behavior (was previously running an RC build to test out the bridge offloading)

I can’t figure out what is going on… here’s what my config looks like right now

MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.40.5 (c) 1999-2017       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level
[admin@MikroTik] > export
# dec/06/2017 21:00:59 by RouterOS 6.40.5
# software id = JGID-4PLY
#
# model = RouterBOARD 3011UiAS
# serial number = 5D6A05225239
/interface bridge
add admin-mac=E4:8D:8C:7E:46:92 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2-master network=\
    192.168.2.0
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=51.202.2.221/28 list=work_block
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp src-address-list=\
    work_block to-addresses=192.168.88.10 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 protocol=udp src-address-list=\
    work_block to-addresses=192.168.88.10 to-ports=3389
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
[admin@MikroTik] >
2

Remove the bridge and all related settings. You are mixing ip ranges on the bridge and on the ether2 as its member. Correct the ip addresses everywhere, don’t you see the 1.0, 2.0 and 88.0 mess in your export?

3

That’s actually the wrong export… I was in the middle of making changes and dumped the wrong one ugh, wasn’t thinking…

Like I said if I do a factory reset and take the default config then switch from 192.168.88.x to 192.168.1.x using quick set the same problem happens

It’s only when it’s set up to be 192.168.1.1 as the gateway… which never caused this issue before…

I can’t even restore backup configs suddenly, as soon as I do that winbox wont even connect by MAC address (backup configs are from the same build)

4

Need to also add that my MAC address of the router keeps changing in winbox’s neighbors lookup… one time it’s E4:8D:8C:7E:46:92 the next it’s E4:8D:8C:7E:46:97 it keeps alternating between those two… and usually when it switches it tells me the alternate one and I have to change it to the other to connect… I am not changing which ports I am plugged into, it just keeps seeing a different MAC address randomly

5

Did another reset and built some simple rules that I use for RDP in NAT but this is basically the initial config but with changed IP’s… and once again internet will not work but I can ping 192.168.1.1 fine

MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.41rc61 (c) 1999-2017       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level
[admin@MikroTik] > export
# dec/07/2017 08:48:14 by RouterOS 6.41rc61
# software id = JGID-4PLY
#
# model = RouterBOARD 3011UiAS
# serial number = 5D6A05225239
/interface bridge
add admin-mac=E4:8D:8C:7E:46:92 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether6 ] name=ether6-master
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=\
    192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.100 client-id=1:44:8a:5b:9c:a5:94 mac-address=\
    44:8A:5B:9C:A5:94 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall address-list
add address=51.202.2.221/28 list=Work_Range
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp src-address-list=\
    Work_Range to-addresses=192.168.1.100 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 protocol=udp src-address-list=\
    Work_Range to-addresses=192.168.1.100 to-ports=3389
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system package update
set channel=release-candidate
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
[admin@MikroTik] >
6

What IP, Gateway etc is your router receiving on its WAN port?

7

WAN is just a DHCP’ed address from the ISP (Comcast) but it’s current values are:

IP: 71.206.244.49
Mask: 255.255.254.0
Gateway: 71.206.244.1

I get the same address for all my tests issued to me, so I doubt it’s a ISP gateway issue.

I need to add this also, when the internet doesn’t work it’s just on the lan side, I can ping and tracert perfectly fine from the winbox terminal window… so the router itself does have internet access

8

Put ip address on bridge instead of the ether2. Check the mac address of the bridge against other mac addresses of the router. To which port it corresponds?

9

Bridge MAC - E4:8D:8C:7E:46:92

ether1-E4:8D:8C:7E:46:91
ether2-E4:8D:8C:7E:46:92
ether3-E4:8D:8C:7E:46:93
ether4-E4:8D:8C:7E:46:94
ether5-E4:8D:8C:7E:46:95
ether6-E4:8D:8C:7E:46:97
ether7-E4:8D:8C:7E:46:98
ether8-E4:8D:8C:7E:46:99
ether9-E4:8D:8C:7E:46:9A
ether10-E4:8D:8C:7E:46:9B
sfp1- E4:8D:8C:7E:46:96

bridge and ether2 have the same mac from what I can see

putting the IP on the bridge instead doesn’t help, same issue, internet doesn’t work with the 192.168.1.1 address but does when changed to 192.168.2.1

10

Are you sure there’s no device on your network that is running on that IP address. try and isolate the router and connect only your PC to it. How many port is the router? you can change the port as well.

11

Remove ip dns static. You should get outer dns server from your isp via dhcp or set 8.8.8.8 for testing purposes. By this setting you are looping the dns requests so you are not able to resolve ip addresses from domain names.

12

Use stable instead release candidate. Latest stable is 6.40.5.

13

already did that, no luck, doesn’t mater what port the lan or wan is in either

14

Like I said in the original post, I’ve went back to that version to test and same issue, went back forward again to see if anything changed and still same issue

15

changing DNS doesn’t make a difference, I’ve tried using comcasts 75.75.75.75 and googles 8.8.8.8 and quad9’s 9.9.9.9

16
17

Post your actual config and the working config for comparison.

18

Go to redo the config tonight to get the configs… and now it’s not acting up…

ugh… I’m on 192.168.1.1 just fine right now as the gateway

19

Are you saying it’s okay now? If yes. What and where went wrong from your own observations please.

20

Put here the config that works with 1.1 network.