Config problem, cannot find the problem

rfrancocantero · March 25, 2019, 3:37pm

Hi,

I bought a Mikrotik to learn it and I must say, it’s going pretty good so far.

I have two problems:

1.) I have also a Ubiquiti AP AC Pro which connects to our hosted controller. The controller is saying that my AP AC is offline but it’s actually online. So I think there’s no interconnection between them.
2.) I have a server which I can reach through server.domain.com:8080 However, when I’m locally connected I can’t reach the device through server.domain.com:8080. I thought it would be something with dns static but it didn’t help.

What could this be? ( I hid some passwords and names )

Here’s my config:

# model = RB4011iGS+
# serial number = XXX

/interface bridge
add fast-forward=no name=Bridge_1_Internet
add fast-forward=no name=Bridge_2_IPTV

/interface vlan
add interface=ether1 name=vlan_4_IPTV vlan-id=4
add interface=ether1 name=vlan_6_Internet vlan-id=6

/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=vlan_6_Internet name=ProviderName password=XXXX use-peer-dns=yes user=XXXX

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=RFC_Pool ranges=13.13.13.2-13.13.13.254

/ip dhcp-server
add address-pool=RFC_Pool disabled=no interface=Bridge_1_Internet name=RFC_dhcp

/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=RFC_Pool name=VPN_RFC only-one=yes remote-address=RFC_Pool use-encryption=yes

/snmp community
set [ find default=yes ] addresses=XXXX authentication-password=XXX encryption-password=XXXX name=XXXX

/system logging action
set 3 bsd-syslog=yes remote=XXXXX

/interface bridge port
add bridge=Bridge_2_IPTV interface=vlan_4_IPTV
add bridge=Bridge_2_IPTV interface=ether9
add bridge=Bridge_1_Internet interface=ether1
add bridge=Bridge_1_Internet interface=ether2
add bridge=Bridge_1_Internet interface=ether3
add bridge=Bridge_1_Internet interface=ether4
add bridge=Bridge_1_Internet interface=ether5
add bridge=Bridge_1_Internet interface=ether6
add bridge=Bridge_1_Internet interface=ether7
add bridge=Bridge_1_Internet interface=ether8
add bridge=Bridge_1_Internet interface=ether10

/interface pptp-server server
set authentication=chap,mschap1,mschap2 default-profile=VPN_RFC enabled=yes

/ip address
add address=13.13.13.1/24 interface=Bridge_1_Internet network=13.13.13.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=Bridge_1_Internet

/ip dhcp-server lease
add address=13.13.13.13 client-id=1:80:b0:3d:d5:15:c4 comment="XXXX" mac-address=80:B0:3D:D5:15:C4 server=RFC_dhcp
add address=13.13.13.6 comment="XXXXX" mac-address=8C:3B:AD:08:C0:28 server=RFC_dhcp

/ip dhcp-server network
add address=13.13.13.0/24 dns-server=8.8.8.8 gateway=13.13.13.1

/ip dns static
add address=13.13.13.13 name=nas.domain.com ttl=10m
add address=13.13.13.6 name=server.domain.com

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment=PING protocol=icmp
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment=Observium dst-address=195.222.117.95 in-interface=ProviderName src-address=136.144.139.174
add action=accept chain=input comment="XXX" src-address=145.131.238.225
add chain=input comment=RFC_VPN dst-port=1723 protocol=tcp
add action=accept chain=input comment="XXXX" src-address=77.XXXX
add action=accept chain=forward connection-state=established,related
add action=drop chain=input src-address=!13.13.13.0/24

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ProviderName
add action=dst-nat chain=dstnat comment=Domoticz dst-port=8080 protocol=tcp to-addresses=13.13.13.6 to-ports=8080
add action=dst-nat chain=dstnat comment=Synology dst-port=5000 protocol=tcp src-port="" to-addresses=13.13.13.13 to-ports=5000
add action=dst-nat chain=dstnat comment=Synology dst-port=5001 protocol=tcp to-addresses=13.13.13.13 to-ports=5001
add action=dst-nat chain=dstnat comment=Synology dst-port=6690 protocol=tcp to-addresses=13.13.13.13 to-ports=6690

/system clock
set time-zone-name=Europe/Amsterdam

/system identity
set name=MT_Geldrop

/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning

/system ntp client
set enabled=yes server-dns-names=nl.pool.ntp.org

/system routerboard settings
set silent-boot=no

sebastia · March 26, 2019, 9:45am

Hey

Welcome on the forum!

Regarding your second question:
you have dns “redirect” (static entry: /ip dns static add address=13.13.13.6 name=server.domain.com) pointing to local ip, then you don’t need to do nat on all interfaces

# change
add action=dst-nat chain=dstnat comment=Domoticz dst-port=8080 protocol=tcp to-addresses=13.13.13.6 to-ports=8080
# to
add action=dst-nat chain=dstnat comment=Domoticz dst-port=8080 in-interface=ProviderName protocol=tcp to-addresses=13.13.13.6

rfrancocantero · March 26, 2019, 5:58pm

Unfortunately your solution did not work.

anav · March 26, 2019, 6:42pm

This does not seem right to me…
/interface bridge port
add bridge=Bridge_2_IPTV interface=vlan_4_IPTV

For two reasons.
a. one does not put vlans as a bridge port! Bridge ports are for etheports or wlans!
b. that vlan vlan-_4_IPTV is already associated with ether1 and thus is not a member of the bridge anyway!!
/interface vlan
add interface=ether1 name=vlan_4_IPTV vlan-id=4

Also I dont see any subnet information for vlan4???