can't connect to hEX S after factory reset / netinstall

Hi, I have a hEX S model RB760iGS and I’m having trouble connecting to it. It worked fine initially. I used the onboard reset button to do a factory reset a few times, and on the latest time the router never came back up. I was able to get NetInstall working and connect to it and I pushed the correct version of RouterOS. It connected, formatted, installed, and said everything was successful. But it still won’t let me connect after rebooting. It won’t hand out an IP and it won’t accept connections if I hardcode my IP to be 192.168.88.2. I’ve spent a few evenings searching the forums and found a lot of ideas, none worked unfortunately. Here’s what I’ve tried:

  • Installing both RouterOS MMIPS versions 6.45.8 and 6.46.6
  • Running Netinstall in WINE in Windows 8 compatibility mode
  • Running NetInstall from a Windows 10 laptop
  • Tried 2 different network cables
  • Connecting from different ethernet ports after performing the OS install

NetInstall always acts like it worked fine, but I can’t access the router at 192.168.88.1 or get an IP from it. Is there anything else I can try or is it toast? Any help would be appreciated, thanks in advance!

Have you tried connecting by MAC?
Can you see your device on the “Neighbors” tab of the Login dialog in WinBox?

Haven’t tried winbox yet, I’ll give that a shot

Thanks, that helped! It had a blank config, no default bridges, dhcp, nothing. I went to the terminal and used /system reset-configuration and it had all that stuff again after it rebooted.

One of the guides I’m trying to follow says to use this command:
/system interface
But it says “bad command interface, row1 column9” or something like that. Is “interface” a new feature or a deprecated one or something?

Thanks again!

I’ve been using ROS for quite a few years and the quoted command did not exist in my era. So it must be some kind of an error. Can you quote some part of the guide so we can see the context?

/system interface

How sure are you of that command?

Not very sure. Here’s the guide, it seemed to go OK aside from the very first part. I’m testing it right now to confirm it’s working as expected.

https://github.com/hallzhallz/Articles/tree/master/2020-04-25%20Mikrotik%20hEX%20S

Here’s the config I ended up with. Next up is client isolation for the IOT vlan, getting an ipsec VPN working, figuring out how to get the WAP to have 3 different SSIDs (one for each VLAN), QoS, subscribe to some blacklists for ad/scam blocking, maybe figure out how to get a Route 53 domain redirect going, fun stuff like that. It will probably take a long time to work thru that list but I know where to go if I get completely stuck, thanks again!

# may/01/2020 17:11:41 by RouterOS 6.45.8
# software id = LZ31-HQH9
#
# model = RB760iGS
/interface bridge
add admin-mac=C4:AD:34:50:16:49 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=guest-vlan vlan-id=102
add interface=bridge name=iot-vlan vlan-id=101
add interface=bridge name=main-vlan vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/ip pool
add name=main-pool ranges=192.168.100.10-192.168.100.254
add name=iot-pool ranges=192.168.101.10-192.168.101.254
add name=guest-pool ranges=192.168.102.10-192.168.102.254
/ip dhcp-server
add address-pool=main-pool disabled=no interface=main-vlan name=main-dhcp
add address-pool=iot-pool disabled=no interface=iot-vlan name=iot-dhcp
add address-pool=guest-pool disabled=no interface=guest-vlan name=guest-dhcp
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=101
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=102
add bridge=bridge comment=defconf interface=ether5 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp1 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge untagged=ether2,ether5,sfp1 vlan-ids=100
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 untagged=ether3 vlan-ids=101
add bridge=bridge comment=guest-vlan tagged=bridge,ether5 untagged=ether4 vlan-ids=102
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=guest-vlan list=LAN
add interface=main-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=guest-vlan list=VLAN
add interface=main-vlan list=MGMT
/ip address
add address=192.168.100.1/24 interface=main-vlan network=192.168.100.0
add address=192.168.101.1/24 interface=iot-vlan network=192.168.101.0
add address=192.168.102.1/24 interface=guest-vlan network=192.168.102.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.100.0/24 comment=main-dhcp-network gateway=192.168.100.1
add address=192.168.101.0/24 comment=iot-dhcp-network gateway=192.168.101.1
add address=192.168.102.0/24 comment=guest-dhcp-network gateway=192.168.102.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=VLAN protocol=icmp
add action=drop chain=input comment="Drop all other traffic"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT - enable if need server" connection-nat-state=dstnat connection-state=new disabled=yes in-interface-list=\
    WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all other traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=webfig disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system scheduler
add interval=2d name=Upgrade_Router on-event="run DownloadAndUpdate" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=apr/25/2020 start-time=03:00:01
/system script
add dont-require-permissions=no name=DownloadAndUpdate owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/system upgrade\r\
    \nrefresh\r\
    \n:delay 20\r\
    \ndownload 0\r\
    \n/\r\
    \n/system reboot \r\
    \n:delay 60\r\
    \ny\r\
    \n/"
/tool graphing interface
add allow-address=192.168.100.0/24 interface=ether1
add allow-address=192.168.100.0/24 interface=main-vlan
add allow-address=192.168.100.0/24 interface=iot-vlan
add allow-address=192.168.100.0/24 interface=guest-vlan
/tool graphing resource
add allow-address=192.168.100.0/24
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
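
An added example, not part of the thread or the linked guide: a small Python audit that reads a RouterOS export like the one posted above and reports which management services remain enabled, whether the input chain ends in an unconditional drop, and which interface lists are allowed to reach every router service. The function names are hypothetical, and the default service states are an assumption about RouterOS v6 (an export lists only settings that differ from the defaults, so `ssh` and `winbox` never appear in the post).

```python
import shlex
# Assumed RouterOS v6 defaults; an export prints only values that differ.
SERVICE_DEFAULT = {"telnet": True, "ftp": True, "www": True, "ssh": True,
                   "www-ssl": False, "api": True, "winbox": True, "api-ssl": True}
NOT_MATCHERS = {"action", "chain", "comment", "disabled"}

def parse_export(text):  # yields (section, target, props) for each command
    section, buf = None, ""
    for raw in text.splitlines():
        line, buf = buf + raw.strip(), ""
        if line.endswith("\\"):            # value continues on the next line
            buf = line[:-1]
        elif line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            words = shlex.split(line)[1:]  # drop the verb (add/set)
            props = dict(w.split("=", 1) for w in words if "=" in w)
            yield section, next((w for w in words if "=" not in w), None), props

def audit(text):  # summarises which management surfaces the export leaves open
    services, rules = dict(SERVICE_DEFAULT), []
    for section, target, p in parse_export(text):
        if section == "/ip service" and target in services and "disabled" in p:
            services[target] = p["disabled"] == "no"
        elif (section == "/ip firewall filter" and p.get("chain") == "input"
              and p.get("disabled") != "yes"):
            rules.append(p)
    last = rules[-1] if rules else {}
    return {
        "services_enabled": sorted(s for s, on in services.items() if on),
        "input_ends_in_drop": last.get("action") == "drop" and not set(last) - NOT_MATCHERS,
        "all_services_from": [p.get("in-interface-list", "any") for p in rules
            if p.get("action", "accept") == "accept" and not set(p) - NOT_MATCHERS - {"in-interface-list"}],
    }

# Abridged from the export posted above (three of the input rules, all services).
SAMPLE = """\
/ip firewall filter
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="Drop all other traffic"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=webfig disabled=no
set api disabled=yes
set api-ssl disabled=yes
"""
print(audit(SAMPLE))
```

For the posted configuration the remaining services (SSH, WinBox and HTTPS WebFig) are reachable only through the MGMT interface list, because the input chain accepts nothing else to those ports before its final drop.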

This guide seems quite OK, apart from the first part, where the author shows a nonexistent command.