Configuration not working

astronomicz · April 15, 2024, 9:12am

Hi, I’m setting up a MikroTik for the following configuration:

Ether1 for the company’s WAN output
Ether2 for clients’ WAN output
Ether10 for a switch where both networks will be divided by VLAN, as they will be distributed via Wi-Fi with Ubiquiti devices.

My problem is that with the configuration I have, I can’t reach the internet. When I ping from the MikroTik RB3011 UiAS-RM router itself, it tells me that it doesn’t have a route to the destination.

I’ll attach the configuration to see if you can identify any issues.

/interface bridge
add name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WANCORP
set [ find default-name=ether2 ] name=ether2-WANCLIENTES
/interface vlan
add interface=bridge-local name=vlan-clientes vlan-id=20
add interface=bridge-local name=vlan-local vlan-id=1
/interface list
add name=vlan
/ip pool
add name=dhcp_clients ranges=192.168.143.10-192.168.143.90,192.168.143.100-192.168.143.254
add name=dhcp_lan ranges=192.168.43.10-192.168.43.85,192.168.43.120-192.168.43.200
/ip dhcp-server
add address-pool=dhcp_clients comment="DHCP PARA VLAN CLIENTE" interface=vlan-clientes name=dhcp-clientes
add address-pool=dhcp_lan comment="DHCP PARA VLAN TRABAJO" interface=vlan-local lease-time=1h name=dhcp-work
/port
set 0 name=serial0
/routing table
add fib name=WORK
add fib name=CLIENTS
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge-local tagged=ether10,bridge-local vlan-ids=1
add bridge=bridge-local tagged=bridge-local,ether10 vlan-ids=20
/interface list member
add interface=vlan-local list=vlan
add interface=vlan-clientes list=vlan
/ip address
add address=192.168.43.2/24 interface=bridge-local network=192.168.43.0
add address=192.168.43.1/24 interface=ether1-WANCORP network=192.168.43.0
add address=192.168.143.1/24 interface=ether2-WANCLIENTES network=192.168.143.0
add address=192.168.43.3/24 interface=vlan-local network=192.168.43.0
add address=192.168.143.2/24 interface=vlan-clientes network=192.168.143.0
/ip dhcp-server network
add address=192.168.43.0/24 dns-server=192.168.201.85,8.8.8.8,8.8.4.4 gateway=192.168.43.98
add address=192.168.143.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.143.98
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward disabled=yes out-interface=ether1-WANCORP src-address=19.168.43.0/24
add action=accept chain=forward disabled=yes out-interface=ether2-WANCLIENTES src-address=192.168.143.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WANCORP src-address=192.168.43.0/24
add action=masquerade chain=srcnat out-interface=ether2-WANCLIENTES src-address=192.168.143.0/24
/ip route
add dst-address=0.0.0.0/0 gateway=ether1-WANCORP routing-table=WORK
add dst-address=0.0.0.0/0 gateway=ether2-WANCLIENTES routing-table=CLIENTS
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.43.0/24 table=WORK
add action=lookup-only-in-table disabled=no src-address=192.168.143.0/24 table=CLIENTS
/system note
set show-at-login=no

anav · April 15, 2024, 11:15am

Dont use vlan1 use vlan10 for example…

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

astronomicz · April 15, 2024, 3:34pm

Just did that and my dhcp is not working now. any idea?
mikrotik.rsc (3.53 KB)

anav · April 15, 2024, 5:24pm

BIG PROBLEM or BAD JOKE< why do you have WANIP addresses that are identical to local LAN VLAN addresses ?????
If your wanips are Public IPs and static, just put in X.X.X.X and Y.Y.Y.Y, if they are private you enter them as they are not a security issue.
If your wanips are dynamic then you should be using IP DHCP client or PPPOE etc...................
If the WANIPs are private and as shown, thats fine, we have to change the LAN address nomenclature.......
WHY hardly any firewall rules???

So you get internet from one upstream ISP router or two upstream ISP routers.
Do they do full dhcp and vlans as well.
The arrangement needs to be clarified in detail as it almost seems the router is simply acting as a switch in some ways vice routing...........

So far, but got stopped cold by the revelation that your network setup is hosed!

model = RB3011UiAS

serial number = "do not show"

/interface list
add name=WAN
add name=LAN
add name=MGMT
/routing table
add fib name=WORK
add fib name=CLIENTS
/interface bridge port
add bridge=bridge-local interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-local interface=ether4 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-local interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-local interface=ether6 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-local interface=ether7 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-local interface=ether8 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-local interface=ether9 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-local interface=ether10 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan { ports are identical for both vlans }
add bridge=bridge-local tagged=bridge-local,ether3,ether4,ether5,ether6,ether7,ether8,ether9
ether10 vlan-ids=43,143
/interface list member
add interface=ether1-WANCORP
add interface=ether2-WANCLIENTES list=WAN
add interface=vlan-local list=LAN
add interface=vlan-clientes list=LAN
add interface=vlan-local list=MGMT
/ip address
UNABLE TO FIX UNTIL WE KNOW TRUTH

astronomicz · April 18, 2024, 1:27pm

Hi, I think I misfocused the configuration from the beginning.

Answering the questions:

This device is connected to two different routers from different ISPs, one of them for the company’s output and the other for clients. Neither of them has VLANs and DHCP is disabled.

I want this device to be the DHCP server and in charge of handling because the WAN traffic depends on whether it comes from the client network or from work.

There are no rules or anything, since this is not yet applied in a functional router, it is a testing laboratory until an appropriate and functional configuration is achieved.

The internal LAN IP range needs to be respected, which is the same as the respective WANs in their internal range.

Sorry for any inconvenience and the delay

llamajaja · April 18, 2024, 3:47pm

Okay to confirm,
You have a mikrotik device, that you would like to act also as a router in terms of providing DHCP services etc..
You are simply terminating the WANIP connections at the two upstream ISP routers.
These routers are providing the Mikrotik router a private IP address on their respective LANs.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Yes, the mikrotk router can ensure the correct port or subnets or vlans are directed to the proper WAN source.

What I cannot do is have the LAN on either MT subnet be identical to the LAN on the routers, which are providing a private IP to the router.
If thats what you want, then simply use an MT switch vice router and have the ISP routers do DHCP and routing and the MT device just switching.
In this case I would vlan the incoming inputs to the MT switch on the two different ports ( tag on way in, and untag on way out) and push the traffic out to the downstream devices as necessary.

LdB · April 21, 2024, 1:22pm

The router itself has no access to the internet because there is no default route for unmarked packets.

These are your only routes … do you actually understand what that means?

/ip route
add dst-address=0.0.0.0/0 gateway=ether1-WANCORP routing-table=WORK
add dst-address=0.0.0.0/0 gateway=ether2-WANCLIENTES routing-table=CLIENTS

The traffic from the router itself and its services (DNS, NTP etc) are never going to be in the table WORK or CLIENTS they won’t match any of the route rules. The router service traffic will always from the public IP of the default WAN traffic leaves unless it is mangled or from one of the services you can set the source IP like Radius.

You need to decide which gateway the router services need to exit and provide a default route or mangle mark traffic so it goes into one of the two tables

So for example a simple additional route will do the trick … the last route is the route unmarked traffic will take.

 /ip route
add dst-address=0.0.0.0/0 gateway=ether1-WANCORP routing-table=WORK
add dst-address=0.0.0.0/0 gateway=ether2-WANCLIENTES routing-table=CLIENT
add dst-address=0.0.0.0/0 gateway=ether1-WANCORP

Next you need to be really careful allow remote DNS requests

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

You need to firewall that to limit the remote addresses down to you and your clients otherwise you will get smashed by DNS attacks.

NOTE THE BIG GREEN BOX ON THE DNS GUIDE THEY HIGHLIGHTED FOR YOU
https://help.mikrotik.com/docs/display/ROS/DNS