Am I going nuts?

doctauri · February 13, 2015, 12:57am

Ok, so this is my first MikroTik product, and my first exposure to RouterOS or it’s web interface, but I’m having a wierd issue.

I just received my MikroTik CRS125-24G-1S-IN today. I booted it up and it’s running RouterOS 6.6, so I upgraded to 6.27.

The first time it came up after that, everything was great, it was set up for routing, DHCP on the WAN interface, and had the DHCP and NAT set on the LAN interface.

I messed with it a bit, then hit “Reset Configuration” from the System menu to reset it to the factory configuration, but it would never ping or bring the web interface up after that. I let it sit for a good 10 minutes, nothing. So, I used the reset button and reset to factory default. The next time in, the WAN interface came up as static, and the DHCP and NAT were unchecked for the LAN interface.

So, I set DHCP and NAT on and set a dhcp range, hit apply config, then reloaded the page. NAT was set, but DHCP was unchecked again.

Some more messing around, then “Reset Configuration” again, and again, it won’t come up. Factory reset, and the same thing. Static on WAN, NAT and DHCP off.

I tried a few more times, and sure enough, whenever I hit “Reset Configuration” it will never come back up, and I end up having to factory reset with a paperclip.

So, I reset the config, came up to the main page, and simply set the WAN interface from STATIC to DHCP then hit Apply Config. Same thing, stops pinging and wont’ come back.

Is this just me, do I have a bad unit, is this a known problem with MikroTik, or with 6.27?

Any insight would be greatly appreciated.

Thanks.
Doc

PaulsMT · February 13, 2015, 9:19am

If you do simple system reset-configuration, it should reset to factory defaults, with static ip on ether1, and LAN on all other ports
If you do system reset-configuration no-defaults=yes there should be no configuration on board,
Witch one you used ?

And could you please try to connect board after system reset-configuration trought any port from ether2-24? And do you see board in winbox neighbor tab after reset ?

doctauri · February 13, 2015, 12:03pm

Hi, thanks for responding.

When I do the Reset Configuration, I do NOT have the “No Default Configuration” checkmark set, yet it certainly acts like No Default Configuration has been loaded.

I did some more testing this morning:

Paperclip reset
WAN plugged into ether1, external side of router network is 192.168.0.0/24
My computer is plugged into ether5

LCD shows 192.168.88.1 for local IP, 192.168.88.1 for “ether1-master-loca”

Brought up Web GUI

WAN set to static at 192.168.88.1
LAN set to static at 192.168.88.1
Netmask set to /24
NAT & DHCP unchecked
Note: I can web and winbox into 192.168.88.1

Set WAN to automatic and hit “Apply”

LCD now shows 192.168.88.1 for local IP, 192.168.0.113 for “ether1-master-loca”
** I can’t web or winbox to 192.168.88.1 anymore
** ping 192.168.88.1 gives “host is down”
** If I put a 192.168.0.x address on my computer, I CAN web to 192.168.0.113
WAN has grabbed a DHCP address
LAN Is now set for 0.0.0.0
Netmask is now /8
Question: Why did LAN IP change when all I did was set the WAN interface to automatic?
Question: Why does the LCD display still show 192.168.88.1 when the gui shows 0.0.0.0?

Set the LAN interface back to 192.168.88.1 and netmask to /24 and hit “Apply”
** I can now ping and admin it on 192.168.88.1

Check the “NAT” option and hit Apply
** I can’t ping or admin on 192.168.88.1 anymore

Pull up the GUI on 192.168.0.113 and everything appears to be right (the local IP is still 192.168.88.1)
Power it off and back on

LCD now shows 192.168.0.113 for “ether1-master-loca” but does NOT display any information for local IP
GUI still shows 192.168.88.1 for LAN

Let it sit for a few minutes

GUI now shows 0.0.0.0 for LAN

Set LAN back to 192.168.88.1/24

LCD now shows 192.168.88.1 as the local IP
I can ping and admin on 192.168.88.1 again
Question: Why does check marking the NAT box make the LAN interface reset back to 0.0.0.0?
Question: Why did the GUI initially show 192.168.88.1 for the local IP, then a few minutes later show 0.0.0.0 when no configuration change had occurred?

Test connections to external side of the router, unable to connect, but if I put an external address (192.168.0.x) on my computer, I can get there, so my traffic IS crossing the router, but it doesn’t appear to be routing or nat’ing.

So I realize some of this is new user unfamiliarity with the product, but the IP dropping off when simply turning on automatic on the WAN or NAT on the LAN sure doesn’t sound right.

Also, is there some configuration for reset that just sets inital settings to make it act like a standard SOHO router? It seems to have done just that when I upgraded from 6.6 to 6.27, but after the first paperclip reset, I can’t get it to do that again.

Thanks,
Doc

PaulsMT · February 13, 2015, 12:59pm

When you do system reset-configuration, router sets back to default settings:

All ports are switched now - ether1-master-local is master ports for all other ports this means, that ip 192.168.88.1 is on all ports

Now when you add dhcp on ether1-master-local, there are 2 ip addreses, one remains from 192.168.88.0 network, and other comes from your WAN.

but i’m not sure why “GUI now shows 0.0.0.0 for LAN”

Can you please open terminal and type:

/ip address print

/interface ethernet print

And copy output here.

And there should be an option to do system reset-configuration with no defaults, this can also be done by pasting command in terminal:

/system reset-configuration no-defaults=yes

doctauri · February 14, 2015, 12:14pm

I have attached 5 files, through various stages.

1: After paperclip reset
2: After setting WAN interface for “Automatic”
3: After setting Local interface to 192.168.88.1
4: After setting subnet mask on Local interface to /24
5: After checking the “DHCP Server” option, leaving Range at 0.0.0.0

Thanks!
Tony

doctauri · February 14, 2015, 12:16pm

Remaining attachments

doctauri · February 14, 2015, 3:10pm

So, it appears that, after a lot of research, and taking into account what PaulsMT said above, that the CRS definately comes up in a different state than most every example of RouterOS default configuraitons that I’ve found online. I think the thing that really threw me for a loop was that, the first time I brought it up, after the 6.6 to 6.27 upgrade, it DID act like I wanted, but after a paperclip reset, it went into a different mode, so half of my frustration has been trying to get it back to that state (pounding around for some switch or setting that would put it there), but there’s not.

So, now that I know… I want to use my MikroTik CRS125-24G-1S-IN to replace my Cisco 2924XL, a Netgear 8-port gigabit dumb switch, and a Linksys WRT54GL with dd-wrt.
I want to use ether1 for my ISP
ether2 I’d like to reserve for port mirroring
ether3-ether4 for dmz
ether5-ether24 for internal network

Currently, I have ether1 pulling a dhcp address from upstream, ether5 is acting as a dhcp server to the local network, and I have them passing traffic. I obviously need more though as it’s passing traffic bidirectionally, so I need to block inbound traffic.

Additionally, I’m not sure whether to set ether6-ether24 as slaves of ether5 or if I should set a bridge, or use a vlan (I admit I’m not a network guru), so some advice there would be welcome.

Also, does someone know of a default configuration script that I could cut & paste into the terminal that would do similar to what I’m looking for, so I can toy with it?

Thanks,
Doc

doctauri · February 14, 2015, 5:57pm

So here’s what I came up with based on details from http://wiki.mikrotik.com/wiki/How_to_configure_a_home_router.

This seems to do what I want, though I was confused why my test machine at 192.168.3.200 could NOT ping my machine at 192.168.88.200 (which I expected), but it COULD ping 192.168.88.1. I added a firewall rule blocking all ether3 to 192.168.88.0/24 which fixed it, just not sure why I had to do that.

Also, apparently when I set ether1 to do dhcp
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes
it comes up in a disabled state, so I had to use
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

If someone with more experience wouldn’t mind taking a look and tell me if I’m missing something?

Thanks!

Set slave ports

/interface ethernet
set [find name=ether4] master-port=ether3
set [find name=ether6] master-port=ether5
set [find name=ether7] master-port=ether5
set [find name=ether8] master-port=ether5
set [find name=ether9] master-port=ether5
set [find name=ether10] master-port=ether5
set [find name=ether11] master-port=ether5
set [find name=ether12] master-port=ether5
set [find name=ether13] master-port=ether5
set [find name=ether14] master-port=ether5
set [find name=ether15] master-port=ether5
set [find name=ether16] master-port=ether5
set [find name=ether17] master-port=ether5
set [find name=ether18] master-port=ether5
set [find name=ether19] master-port=ether5
set [find name=ether20] master-port=ether5
set [find name=ether21] master-port=ether5
set [find name=ether22] master-port=ether5
set [find name=ether23] master-port=ether5
set [find name=ether24] master-port=ether5

Set WAN interface to DHCP

/ip dhcp-client
add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

Set IP addresses on the master interfaces

/ip address
add address=192.168.3.1/24 interface=ether3
add address=192.168.88.1/24 interface=ether5

Set up IP pools for DHCP server

/ip pool
add name=DHCP-Pool-dmz ranges=192.168.3.100-192.168.3.200
add name=DHCP-Pool-internal ranges=192.168.88.100-192.168.88.200

Set up DHCP server networks

/ip dhcp-server network
add address=192.168.3.0/24 comment=dmz dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.88.0/24 comment=internal dns-server=192.168.88.1 gateway=192.168.88.1

Set up DHCP servers

/ip dhcp-server
add address-pool=DHCP-Pool-dmz authoritative=yes bootp-support=static disabled=no interface=ether3 lease-time=3h name=DHCP-dmz
add address-pool=DHCP-Pool-internal authoritative=yes bootp-support=static disabled=no interface=ether5 lease-time=3h name=DHCP-internal

Set up the firewall input filters

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input action=drop dst-address=192.168.88.0/24 in-interface=ether3 log=no log-prefix=“”
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether3 action=accept
add chain=input in-interface=ether5 action=accept
add chain=input action=drop

Set up the firewall forwarding filters

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether5 action=accept
add chain=forward in-interface=ether3 out-interface=ether1 action=accept
add chain=forward action=drop

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

Set up an NTP client

/system ntp client
set enabled=yes primary-ntp=192.5.41.40 secondary-ntp=192.5.41.41

/ip dns
set allow-remote-requests=yes

yancho · February 15, 2015, 9:07am

Advice! Start with a very basic configuration like IP, routes, DNS, DHCP, NAT. Disable everything in /firewall filter . When all is working fine, keep this configuration, maybe make backup or create export files and then start securing network using firewall.