Hello,
I’m trying to switch from old faithful 951G-2HnD to E50UG in my home environment. On E50UG itself, I confirmed I have internet connectivity, however when clients connect to it, they can’t access internet. I’m mostly using default configuration on the device, just tweaked a few things. It felt like a firewall issue since clients can connect to E50UG just fine but can’t go further. So, for testing I disabled all the rules, but it didn’t change anything; I don’t know what else to change sadly.
Here is my E50UG export:
/interface bridge
add admin-mac=F4:1E:57:73:E3:1D auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=MODEM
set [ find default-name=ether2 ] comment=OMV
set [ find default-name=ether3 ] comment=ATLAS
set [ find default-name=ether4 ] comment=WIFI
/interface pppoe-client
add add-default-route=yes comment=VDSL disabled=no interface=ether1 name=TurkNet user=adsl@turk.net
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=LAN_POOL ranges=10.81.41.241-10.81.41.252
/ip dhcp-server
add address-pool=LAN_POOL interface=bridge name=LAN_DHCP
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.81.41.254/28 interface=bridge network=10.81.41.240
/ip dhcp-server lease
add address=10.81.41.252 mac-address=00:27:0E:0A:B4:88 server=LAN_DHCP
/ip dhcp-server network
add address=10.81.41.240/28 dns-server=10.81.41.254 gateway=10.81.41.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1,9.9.9.9,149.112.112.112
/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set irc disabled=no
set rtsp disabled=no
/ip service
set www-ssl disabled=no
/ipv6 firewall address-list
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500 protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=ipsec-esp
add action=accept chain=input comment=“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=“defconf: drop everything else not coming from LAN” in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack6” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop packets with bad src ipv6” src-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: drop packets with bad dst ipv6” dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1” hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=ipsec-esp
add action=accept chain=forward comment=“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=“defconf: drop everything else not coming from LAN” in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Istanbul
/system ntp client
set enabled=yes
/system ntp client servers
add address=tr.pool.ntp.org
add address=pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Also an export from 951G-2HnD, for comparison:
/interface bridge
add admin-mac=D4:CA:6D:06:DA:8C auto-mac=no comment=“Data Bridge” name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n comment=Wireless country=turkey frequency=2472 frequency-mode=manual-txpower installation=indoor mode=ap-bridge rx-chains=0 ssid=MikroTik station-roaming=enabled tx-chains=0 wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] disabled=yes speed=100Mbps
set [ find default-name=ether2 ] comment=Modem speed=100Mbps
set [ find default-name=ether3 ] comment=Atlas
set [ find default-name=ether4 ] comment=OMV speed=100Mbps
set [ find default-name=ether5 ] comment=“Huawei Router” speed=100Mbps
/interface pppoe-client
add add-default-route=yes comment=VDSL disabled=no interface=ether2 keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=TurkNet user=adsl@turk.net
/interface wireless manual-tx-power-table
set wlan1 comment=Wireless
/interface wireless nstreme
set wlan1 comment=Wireless
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods=“” management-protection=allowed mode=dynamic-keys name=Guest supplicant-identity=“”
/interface wireless
add comment=“Wireless Guest” keepalive-frames=disabled mac-address=D6:CA:6D:06:DA:8F master-interface=wlan1 multicast-buffering=disabled name=Guest security-profile=Guest ssid=MikroTikGuest station-roaming=enabled wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set Guest comment=“Wireless Guest”
/interface wireless nstreme
set *A comment=“Wireless Guest”
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add comment=“Data Bridge” name=dhcp_pool0 ranges=10.1.81.249-10.1.81.253
add comment=Wireless name=dhcp_pool1 ranges=10.1.41.249-10.1.41.253
add comment=“Wireless Guest” name=dhcp_pool2 ranges=172.16.81.249-172.16.81.253
add comment=“Huawei Router” name=dhcp_pool3 ranges=172.16.41.249-172.16.41.252
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=1w name=“dhcp Data Bridge”
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=wlan1 lease-time=1w name=“dhcp Wireless”
add address-pool=dhcp_pool2 disabled=no interface=Guest lease-time=30m name=“dhcp Wireless Guest”
add address-pool=dhcp_pool3 authoritative=after-2sec-delay disabled=no interface=ether5 lease-time=1w name=“dhcp Huawei Router”
/snmp community
set [ find default=yes ] disabled=yes name=Dr5mak
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=bridge1 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=TurkNet list=discover
/ip address
add address=10.1.14.254/30 comment=“TP-Link Modem” disabled=yes interface=ether2 network=10.1.14.252
add address=10.1.81.254/29 comment=“Data Bridge” interface=bridge1 network=10.1.81.248
add address=10.1.41.254/29 comment=Wireless interface=wlan1 network=10.1.41.248
add address=172.16.81.254/29 comment=“Guest Wireless” interface=Guest network=172.16.81.248
add address=172.16.41.254/29 comment=“Huawei Router” interface=ether5 network=172.16.41.248
/ip dhcp-server network
add address=10.1.41.248/29 gateway=10.1.41.254
add address=10.1.81.248/29 gateway=10.1.81.254
add address=172.16.41.248/29 gateway=172.16.41.254
add address=172.16.81.248/29 gateway=172.16.81.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1,9.9.9.9,149.112.112.112
/ip firewall nat
add action=masquerade chain=srcnat out-interface=TurkNet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes
/snmp
set trap-generators=“” trap-version=2
/system clock
set time-zone-name=Europe/Istanbul
/system clock manual
set time-zone=+03:00
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=86.108.190.23 secondary-ntp=162.159.200.1 server-dns-names=tr.pool.ntp.org
/system package update
set channel=testing
/tool bandwidth-server
set enabled=no
/tool netwatch
add disabled=yes down-script=“:log info "Ping to 8.8.8.8 failed"” host=8.8.8.8 interval=1s up-script=“:log info "Ping to 8.8.8.8 successful"”
Looking for any advice and suggestions, thank you very much in advance.