Cannot route LAN traffic out WAN

Hello there.

I’m brand new to Mikrotik and am working on implementing the CCR1072-1G-8S+ as the main router for our subnets. So far it is doing the routing great so I wanted to also add firewall and NAT to it’s functionality since our firewall has only given us problems. I configured the rules and added the port forwarding but I got stuck on, what I thought would be, a very simple configuration. Right now the firewall sits at 192.168.10.1 with the ether1 connection on the router being 192.168.10.2. The router’s default gateway is set to 192.168.10.1 and all works great.

I thought it’d be as simple as changing the router’s ether1 address to the public IP, and set the default gateway to the WAN gateway, just like what the firewall has. Unfortunately I lost internet on all of our subnets when I made this change. However, the router could reach the internet just fine. When I did a tracert on a Window machine behind the router it successfully got to the router then failed. But if I SSH directly to the router, it can reach everything on the LAN and WAN side with no issues. I must be missing something because this is very strange behavior. I disabled all firewall and NAT rules to verify I didn’t misconfigure anything or inadvertently block my traffic. See the configuration below for what it currently is set as. The only change I’m thinking it needs to make ether1 work as my WAN connection is change the IP address and the default gateway to what the WAN is specified as. Is there something else I need to do?

Thanks.

export
# dec/14/2015 17:11:03 by RouterOS 6.30.2
# software id = 7YIZ-4D96
#
/interface vlan
add interface=sfp-sfpplus8 l2mtu=1576 name=Basement_11 vlan-id=15
add interface=sfp-sfpplus8 l2mtu=1576 name=Basement_129 vlan-id=1
add interface=sfp-sfpplus8 l2mtu=1576 name=Bottom vlan-id=11
add interface=sfp-sfpplus8 l2mtu=1576 name=Hout vlan-id=16
add interface=sfp-sfpplus8 l2mtu=1576 name=Lab vlan-id=14
add interface=sfp-sfpplus8 l2mtu=1576 name=Mez vlan-id=13
add interface=sfp-sfpplus8 l2mtu=1576 name=Top vlan-id=12
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Bottom_DHCP_Pool ranges=192.1.1.100-192.1.1.199
add name=Top_DHCP_Pool ranges=192.1.2.100-192.1.2.199
add name=Mez_DHCP_Pool ranges=192.1.3.100-192.1.3.199
add name=Lab_DHCP_Pool ranges=192.1.4.100-192.1.4.199
/ip dhcp-server
add address-pool=Bottom_DHCP_Pool disabled=no interface=Bottom lease-time=3d \
    name=Bottom_DHCP
add address-pool=Top_DHCP_Pool disabled=no interface=Top lease-time=3d name=\
    Top_DHCP
add address-pool=Mez_DHCP_Pool disabled=no interface=Mez lease-time=3d name=\
    Mez_DHCP
add address-pool=Lab_DHCP_Pool disabled=no interface=Lab lease-time=3d name=\
    Lab_DHCP
/ip address
add address=192.1.1.1/24 interface=Bottom network=192.1.1.0
add address=192.1.2.1/24 interface=Top network=192.1.2.0
add address=192.1.4.1/24 interface=Lab network=192.1.4.0
add address=192.1.11.1/24 interface=Basement_11 network=192.1.11.0
add address=192.1.16.2/24 interface=Hout network=192.1.16.0
add address=129.1.3.2/24 interface=Basement_129 network=129.1.3.0
add address=192.1.3.1/24 interface=Mez network=192.1.3.0
add address=192.168.10.2/24 interface=ether1 network=192.168.10.0
/ip dhcp-server network
add address=129.1.3.0/24 gateway=129.1.3.1
add address=192.1.1.0/24 dns-server=192.1.11.2,192.168.10.1 gateway=192.1.1.1 \
    wins-server=129.1.3.10
add address=192.1.2.0/24 dns-server=192.1.11.2,192.168.10.1 gateway=192.1.2.1 \
    wins-server=129.1.3.10
add address=192.1.3.0/24 dns-server=192.1.11.2,192.168.10.1 gateway=192.1.3.1 \
    wins-server=129.1.3.10
add address=192.1.4.0/24 dns-server=192.1.11.2,192.168.10.1 gateway=192.1.4.1 \
    wins-server=129.1.3.10
/ip dns
set allow-remote-requests=yes servers=75.75.75.75,75.75.76.76,8.8.8.8
/ip firewall address-list
/ip firewall filter
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
/ip route
add distance=1 gateway=192.168.10.1
add distance=1 dst-address=192.1.5.0/24 gateway=192.1.4.250
add distance=1 dst-address=192.1.6.0/24 gateway=192.1.4.250
add distance=1 dst-address=192.1.7.0/24 gateway=192.1.4.250
add distance=1 dst-address=192.1.17.0/24 gateway=192.1.16.254
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Test_Router
/system routerboard settings
set cpu-frequency=1000MHz memory-frequency=1600DDR protected-routerboot=\
    disabled
/tool graphing interface
add store-on-disk=no
/tool romon port
add

I must be missing something because this is very strange behavior. I disabled all firewall and NAT rules to verify I didn’t misconfigure anything or inadvertently block my traffic. See the configuration below for what it currently is set as. The only change I’m thinking it needs to make ether1 work as my WAN connection is change the IP address and the default gateway to what the WAN is specified as. Is there something else I need to do?

Does it also happen if you disable firewall, but not NAT masquerading? You need masquerading!!

Assign the public IP address (guess this is what you meant) to the public interface, make sure you can reach the gateway and can ping to the outside from the routerboard.

This being set all, you need for the rest of the network to reach internet is masquerading.

You need to configure a source address in your NAT RULE, like this

ip firewall nat add chain=srcnat src-address=192.168.1.0/24 action=masquerade

Thank you for the help! It was in fact the masquerading that was missing. From my config you can see I configured it (since I read about it somewhere) but it looks like I never actually enabled it. Once the rule was enabled then everything worked great.

Telnetpr, while you’re not wrong, this config wouldn’t be applicable in a multi-subnet environment. I could have configured a bigger subnet as well but it was easiest just to use:

out-interface=WAN

(renamed ether1 to WAN to ease confusion) then to specify a specific subnet. Unless you see any reason to not do that?

Appreciate the help guys. Being new to MikroTik it’s a little intimidating but I think I’m getting the hang of it!

Keep on, once you get the hang of it (i.e. where are the knobs) it becomes second nature!

No problem, since i dont masquerade all my subnets i apply only the one i need to but the idea was that.

Oh interesting, I never thought of doing that. Do you do this so you can keep certain subnets off the internet? I’m implementing a rule like that but instead I just blocked traffic from subnet X to WAN. It might just be solving the same problem two different ways but I’m curious about your application and why you went that route.

Yes i keep certain subnets off the internet, and i do that because is the way to allow only the subnets you want to be “natted”

It’s better to block traffic than to just break it by breaking layer 3… (see below)

Confusedwan - I recommend your method over telnetpr’s method. If you “block” internet access by not doing masqerade, then outbound packets from the un-masqueraded LAN will still go out to the Internet, and now your network is a source of traffic with “fake” source IP addresses on it.

It’s best practice to do each job with the correct portion of the firewall - NAT is simply there to map IPs from one to another so that everything is reachable. If you want to affect policiy and block certain kinds of traffic, then do this with filters. Later, if X cannot reach Y, then you know to look in filters.

The simple fact of the matter is that in a single IP / single WAN environment, anything going out the WAN must have the single IP address on it or else it won’t work, so configure NAT accordingly. That way, any packet that does follow this path will work properly. If you want to disallow packets from taking that path, it’s logical that this be done in a filter policy and not a “well, it’s a broken path if an unauthorized host was trying to use it” scenario.

Thanks