Can’t connect to the internet from the LAN devices

I’m new to the Mikrotik routers.

I set up my WAN and LAN IP for accessing the router, and I can log in from Winbox, etc.
However, I’m running into an issue when I assign a computer to ports 1-3 or Wi-Fi:
connecting to the internet doesn’t work.
192.168.88.1 is our gateway.
Here is my configuration:

```
# may/22/2026 10:56:09 by RouterOS 6.49.19
# software id = 2ZR9-L3QT
#
# model = RB951Ui-2nD
/interface bridge
add admin-mac=04:F4:1C:F9:60:81 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-F96085 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment=\
    defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik \
    wpa-pre-shared-key=123123123 wpa2-pre-shared-key=123123123
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.2/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.2,8.8.8.8 \
    gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input
add action=accept chain=forward
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.88.1
add disabled=yes distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Prague
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

Thank you!

Mikrotik address is 192.168.88.2, but LAN gateway is 192.168.88.1.

Post the output of:
/ip address print

and of:

/ip route print

Concur with ortaz.

It should be (and get rid of netmask, not required):

```
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.2,8.8.8.8 \
    gateway=192.168.88.2
```

Why are you creating manual routes for your subnet? Not required.
They are created automatically when you create the IP address for the subnet.

Remove (plus it's wrong):
/ip route
add distance=1 gateway=192.68.88.1 ???

Why are all the rules protecting your router disabled?
If you have hooked this up to the internet, then you need to netinstall the latest firmware.

and get rid of these three last rules.
add action=accept chain=input
add action=accept chain=forward
add action=accept chain=output
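
An added example (not part of any post in this thread, and not MikroTik tooling): a small Python check over a RouterOS export that reports the two problems pointed out above, a DHCP gateway that is not one of the router's own addresses and a firewall whose drop rules are disabled behind unconditional accepts. `SAMPLE_EXPORT` is a constructed excerpt modelled on the posted configuration; `parse_export` and `audit` are hypothetical helper names.

```python
import re
import shlex

# Constructed sample: a trimmed export modelled on the configuration in this thread.
SAMPLE_EXPORT = r'''
/ip address
add address=192.168.88.2/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.2,8.8.8.8 \
    gateway=192.168.88.1 netmask=24
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=input
add action=accept chain=forward
'''

def parse_export(text):
    """Return (menu_path, {param: value}) for each add/set line of an export."""
    # Long lines are wrapped with a trailing backslash and an indented continuation.
    text = re.sub(r"\\\n\s*", "", text)
    path, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith(("add ", "set ")):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments together
            items.append((path, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return items

def audit(items):
    """Hypothetical checks: DHCP gateway, disabled drops, matcher-less accepts."""
    own = {p["address"].split("/")[0] for path, p in items if path == "/ip address"}
    findings = []
    for path, p in items:
        fw = path == "/ip firewall filter"
        if p.get("disabled") == "yes":
            if fw and p.get("action") == "drop":
                findings.append(f"disabled drop rule in chain {p.get('chain')}")
        elif path == "/ip dhcp-server network" and p.get("gateway") not in own:
            findings.append(f"DHCP gateway {p.get('gateway')} is not a router address")
        elif fw and p.get("action") == "accept" and not set(p) - {"action", "chain", "comment"}:
            findings.append(f"unconditional accept in chain {p.get('chain')}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_export(SAMPLE_EXPORT))))
```

A gateway that is another device on the LAN is legitimate in a switch + AP setup, so treat the first finding as a prompt to check the topology rather than as an error.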

Please read more carefully.
The hAP must be configured only as a Switch + AP.
I don't see any need for WAN, DHCP Server, firewall (except self-security...),
or other things that only the router should do.
As per the OP's description.

Let's get the information extracted.
MiM1, is your WAN IP a public IP address, or are you getting a private IP address from an ISP modem/router?

If the latter, is your intention to use the MT as a router? OR as an access point and switch, on the private subnet from an ISP modem/router??

```
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.2/24    192.168.88.0    bridge
 1 D 192.168.1.6/24     192.168.1.0     ether1
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.88.1              1
 1  DS  0.0.0.0/0                          192.168.1.1               1
 2 X S  0.0.0.0/0                          192.168.1.1               1
 3 ADC  192.168.1.0/24     192.168.1.6     ether1                    0
 4 ADC  192.168.88.0/24    192.168.88.2    bridge
```

It's OK. 192.168.88.1 is our T-Mobile router.

I know, it's only a test.

192.168.88.1 Gateway, T-Mobile router (internet) WAN port

192.168.88.2 Mikrotik (dhcp server)

192.168.88.10-100 (dhcp clients) LAN 2-4 ports

That doesn't look like the case at all. If your hAP is connected to the T-Mobile router on its ether1 port, then from this output:

It looks like the T-Mobile is located at 192.168.1.1 and it gave your hAP the address 192.168.1.6 on ether1 via DHCP. In that case you should modify your /ip dhcp-server network entry and change gateway to 192.168.88.2 (the hAP). Alternatively, change the hAP IP address to 192.168.88.1 if you want to keep gateway=192.168.88.1. Both these have been suggested by others above in this thread.

But if the T-Mobile router is not connected to ether1, but to one of the ports of the bridge bridge, then the way you've configured the hAP (as a router with DHCP server and NAT) is wrong. You should configure the hAP as a Switch + AP like @rextended suggested above instead.

Yes, you have not made your desires any clearer AS I requested?? Do you want the Mikrotik device to be simply an access point switch and your ISP provides all DHCP for all devices OR, do you want the MT device to be its own router with its own subnet providing dhcp for clients??

As an access point switch.
First thing, take ether5 off the bridge and give it an IP address as per below, and ensure it's part of the LAN interface list you currently have. Then you should be able to access the router by connecting your PC to ether5 and changing its IPv4 settings to 192.168.55.2, and with user name and password gain access and make the rest of the changes. The same applies if you want to make the device a router.

```
/interface bridge
add admin-mac=04:F4:1C:F9:60:81 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether5 stays off the bridge and is renamed for management access
set [ find default-name=ether5 ] name=OffBridge5
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-F96085 wireless-protocol=802.11
/interface list
add comment=defconf name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment=\
    defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik \
    wpa-pre-shared-key=123123123 wpa2-pre-shared-key=123123123
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add comment=defconf interface=bridge list=TRUSTED
add comment=defconf interface=OffBridge5 list=TRUSTED
/ip address
add address=192.168.1.6/24 interface=bridge network=\
    192.168.1.0
add address=192.168.55.1/30 interface=OffBridge5 network=192.168.55.0
/ip dhcp-client
add comment=defconf disabled=yes
/ip dns
set servers=192.168.1.1
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Prague
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
```

As a router............

```
/interface bridge
add admin-mac=04:F4:1C:F9:60:81 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether5 stays off the bridge and is renamed for management access
set [ find default-name=ether5 ] name=OffBridge5
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-F96085 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment=\
    defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik \
    wpa-pre-shared-key=123123123 wpa2-pre-shared-key=123123123
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=OffBridge5 list=LAN
add interface=OffBridge5 list=TRUSTED
add interface=bridge list=TRUSTED
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.55.1/30 interface=OffBridge5 network=192.168.55.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
# input chain
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=input comment="LAN access" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid disabled=yes
add action=accept chain=forward comment="internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat \
    disabled=yes
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Prague
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
```

After getting to this point successfully, we can consider limiting access to the router from the LAN, aka allowing LAN users to DNS only, and allowing admin access to the router for config purposes by IP address via a firewall address list.