I recently purchased a CCR2116 and several switches from Mikrotik.
I have an extensive home automation system, and my previous ASUS networking solutions were no longer satisfactory. I'm a complete beginner when it comes to Mikrotik.
I knew they weren't P&P devices, but I didn't expect such complexity. This is all new to me, so please bear with me.
The first problem I encountered was the lack of internet access from the router.
My ISP is a ZTE MC889A Pro configured as a bridge, connected via a Mikrotik copper module to an SFP+1. With the current configuration, I can ping any server, but I have no internet access.
When you say you can ping any server, do you mean on your network or across the internet?
I suggest you go to [Tools -> Ping] on your CCR2116 [using WebFig or WinBox] and try pinging 1.1.1.1, which will show whether you have any connectivity to the internet. If you have, then try pinging time.google.com, [or any other url which is known to respond to pings] which I expect to work if a ping to 1.1.1.1 works
If none of that works, you have a problem between your router and the ISP router [assuming that the ISP router is known to work]. But if you can ping time.google.com from the CCR2116, but not from the rest of your network, it looks like you are probably not forwarding your DNS properly. Look at [IP -> DNS] and also look at [DHCP -> Networks], which should define the DNS servers for your network.
#3: Your interfaces are currently not categorized; they should normally be:
/interface list
add name=WAN
add name=MGMT
add name=LAN <- you see ...
/interface list member
add interface=bridge_lan list=LAN
add interface=ether13_mgmt list=MGMT
add interface=sfp-sfpplus1_wan list=WAN
The management interface should also be a member of the LAN interface list (i.e. so it can use the firewall rule allowing LAN traffic):
/interface list member
add interface=ether13_mgmt list=MGMT
add interface=sfp-sfpplus1_wan list=WAN
add interface=bridge_lan list=LAN
add interface=ether13_mgmt list=LAN
Failed to identify the management interface with an address...
/ip address
add address=192.168.77.1/30 interface=ether13_mgmt network=192.168.77.0 ( edited)
(Note: simply plug your laptop into the port, change its IPv4 settings to 192.168.77.2, and with the username and password you will have access.)
Firewall rules... do not reflect the fact that ONLY the admin needs full access to the router itself, and the need to identify which LAN IPs belong to the admin (input chain). First create the address list:
Then: Modify this rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
TO:
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN \
dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN \
dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
Modify this vague and incomplete rule:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed"
connection-nat-state=!dstnat in-interface-list=WAN
TO:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN \
comment="internet access"
add action=accept chain=forward src-address-list=Authorized out-interface-list=LAN \
comment="admin access to LAN"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes (enable if required or REMOVE)
add action=drop chain=forward comment="drop all else"
Since you are not doing any port forwarding, that aspect of the "cute default rule" should be removed as per the note.
The missing parts:
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
add action=accept chain=input src-address-list=Authorized
add action=drop chain=input comment="drop all else"
@Czeczenski
Once you have modified your configuration according to anav's suggestions, do connect to it via the MGMT port and check that you are getting a valid IP and route/gateway from the DHCP client on sfp-sfpplus1_wan.
I.e. run: /ip address print
and /ip route print
0 10.10.0.1/24 10.10.0.0 bridge_lan main
1 D 100.80.40.114/30 100.80.40.112 sfp-sfpplus1_wan main
2 192.168.77.1/30 192.168.77.0 ether13_mgmt main
and ip route print:
DAd 0.0.0.0/0 100.80.40.113 main 1
DAc 10.10.0.0/24 bridge_lan main 0
DAc 100.80.40.112/30 sfp-sfpplus1_wan main 0
DAc 192.168.77.0/30 ether13_mgmt main 0
Apart from an unconfigured DHCP server and a bit of firewall chaos, everything else seems to be fixed. Correct route is received via DHCP client, NAT is correct, DNS is configured. Could there be a missing underlying authentication protocol like PPPoE? And what does a traceroute show when performed?
1. Why is the DHCP server disabled???
/ip dhcp-server
add disabled=yes interface=bridge_lan lease-time=1d name=server1_dhcp_lan
None of your admin devices are yet identified on the address list... replace X, Y, Z with actual IP addresses and ensure they are static on the DHCP server.
The input chain rules dealing with dst-port=53 have to go UP to just after the admin access rule and just before the input chain drop all rule.
You also now have duplicate rules that need to be rectified.
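To tie together anav's firewall/interface-list advice above and the follow-up about the DHCP server, the Authorized address list and rule ordering, here is a consolidated RouterOS 7 configuration as an added example. It is not taken from the thread or from the poster's router. Interface names (bridge_lan, ether13_mgmt, sfp-sfpplus1_wan) and the 10.10.0.0/24 and 192.168.77.0/30 subnets are the ones that appear in the thread; the admin IPs 10.10.0.10 / 10.10.0.11, the MAC address of the admin laptop, the DHCP pool range and the upstream DNS servers are assumptions to be replaced with your own. The defconf established/related, invalid and ICMP rules are kept in front of the custom rules, and the two dst-port=53 rules sit between the admin access rule and the final drop, which is the order the later post asks for.

```routeros
# Added example, not the thread's own config. Names in brackets are assumptions.
/interface list
add name=WAN
add name=MGMT
add name=LAN

/interface list member
add interface=sfp-sfpplus1_wan list=WAN
add interface=ether13_mgmt list=MGMT
add interface=bridge_lan list=LAN
add interface=ether13_mgmt list=LAN

/ip address
add address=10.10.0.1/24 interface=bridge_lan network=10.10.0.0
add address=192.168.77.1/30 interface=ether13_mgmt network=192.168.77.0

# WAN address and default route come from the ISP bridge via DHCP client
/ip dhcp-client
add interface=sfp-sfpplus1_wan disabled=no

# LAN DHCP server, enabled (the thread found it disabled)
/ip pool
add name=pool_lan ranges=10.10.0.100-10.10.0.199        ;# [assumed range]
/ip dhcp-server
add name=server1_dhcp_lan interface=bridge_lan address-pool=pool_lan lease-time=1d disabled=no
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1 dns-server=10.10.0.1

# Static lease so the admin IP used in the address list never changes
/ip dhcp-server lease
add address=10.10.0.10 mac-address=AA:BB:CC:00:00:10 server=server1_dhcp_lan comment="admin laptop [assumed MAC]"

# Router resolves for LAN clients; upstream resolvers are assumptions
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

# The address list the thread says to create first (the X, Y, Z placeholders)
/ip firewall address-list
add list=Authorized address=10.10.0.10 comment="admin laptop [assumed]"
add list=Authorized address=10.10.0.11 comment="admin desktop [assumed]"
add list=Authorized address=192.168.77.2 comment="laptop on MGMT port"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="defconf: masquerade"

# Order matters: rules are evaluated top to bottom, first match wins
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept src-address-list=Authorized comment="admin access"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="users to services"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="users to services"
add chain=input action=drop comment="drop all else"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="internet access"
add chain=forward action=accept src-address-list=Authorized out-interface-list=LAN comment="admin access to LAN"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding" disabled=yes
add chain=forward action=drop comment="drop all else"

# Management-plane exposure limited to the MGMT port
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
```

When applying this to a router that already carries the default ruleset, do not paste it blindly on top: that produces the duplicate rules mentioned in the last post. Either remove the old input/forward rules first or use `/ip firewall filter move` to place the new ones, then confirm the order with `/ip firewall filter print`. Apply the change from the MGMT port (192.168.77.2) with WinBox Safe Mode enabled so a mistake in the input chain cannot lock you out, and verify afterwards with `/ip address print`, `/ip route print` and `/ip dhcp-client print` that the WAN lease and default route are still present.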