connection problems after first install

I have installed my first RouterBOARD, a 750GL.

I updated it out of the box to 5.9. I left everything intact, except for three settings:

  1. I modified the IP address to 192.168.0.254/24
  2. I modified the DHCP server to 192.168.0.100-199, by deleting the default pool and all the existing settings and running the setup wizard for DHCP
  3. I set up port forwarding for a few incoming ports.

However, there are problems with the above configuration:

  1. FTP cannot connect to outgoing connections from inside the network. The FTP clients get timeout errors before a connection can be established.
  2. The users say they have no internet access on any of the computers. I don’t know how that is possible, because I can remote-desktop into a Win 2003 server and that one has a perfect internet connection. The users’ computers don’t.

The network is set up with static IPs, so there shouldn’t be a DHCP problem. The server’s IP is 192.168.0.1, the user computers’ IPs are 80-99. The router’s IP is 192.168.0.254/24.

I have never configured RouterOS before and I don’t know how the above two problems could happen. For the FTP I would think it’s a FW rule, but I have no clue how it is possible that I can connect to the server from the outside and the users in the static IP range 80-99 cannot use the internet browsers. Do you think it’s a problem that I created the default pool? But the computers are on static IPs; is it possible that the firewall is not allowing computers with static IPs?

I am trying to help remotely, which makes the problem even harder.

And you added correct routing and nat on the outgoing interface?

No, that’s all I did. I modified the IP and the DHCP server. The port forwarding was only to open up incoming connections. Can you tell me how I can do it? I can export any kind of information from telnet; if you tell me what command I should run, I can copy-paste it.

Change “out-interface” in the sentence below and paste it in the terminal window.

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=out-interface

The routing depends on whether you have a PPPoE, DHCP or static configured WAN link.

It’s there from the original, out-of-the-box configuration.

Here is my firewall export. Can you tell me why outgoing FTP doesn’t work, and why the client web browsers don’t work?

# dec/06/2011 23:09:42 by RouterOS 5.9
# software id = ZRZ7-X4SW
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-port=9876 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-port=21 protocol=tcp \
    to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=5000-5100 protocol=tcp \
    to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=9999 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-port=6662 protocol=tcp \
    to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=6662 protocol=udp \
    to-addresses=192.168.0.1
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
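
An added check, not part of any poster's reply and not MikroTik code: the dst-nat rules in the export above match on dst-port only, so they apply to packets arriving on any interface, including connections LAN clients open to port 21 on outside servers. The Python sketch below parses the NAT section of a RouterOS export and lists port forwards that have no WAN-side matcher; the function names are hypothetical, and the sample input is the NAT section copied from the export above.

```python
import re

# NAT section copied from the export posted above (continuation lines intact).
EXPORT = r"""/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-port=9876 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-port=21 protocol=tcp \
    to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=5000-5100 protocol=tcp \
    to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=9999 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-port=6662 protocol=tcp \
    to-addresses=192.168.0.1
add action=dst-nat chain=dstnat disabled=no dst-port=6662 protocol=udp \
    to-addresses=192.168.0.1
"""

# RouterOS matchers that tie a dst-nat rule to the WAN side of the router.
SCOPE_KEYS = {"in-interface", "in-interface-list", "dst-address",
              "dst-address-type", "dst-address-list"}

def parse_section(export, section):
    """Return the 'add' rules of one export section as dicts (hypothetical helper)."""
    text = re.sub(r"\\\n\s*", "", export)  # rejoin lines wrapped with a backslash
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
        elif current == section and line.startswith("add "):
            rules.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return rules

def unscoped_dstnat(rules):
    """Enabled dst-nat rules with no WAN-side matcher: they also rewrite
    connections that LAN hosts open to the same port on any address."""
    return [r for r in rules
            if r.get("action") == "dst-nat" and r.get("disabled") != "yes"
            and SCOPE_KEYS.isdisjoint(r)]

if __name__ == "__main__":
    for r in unscoped_dstnat(parse_section(EXPORT, "/ip firewall nat")):
        print(f"{r['protocol']}/{r['dst-port']} -> {r['to-addresses']}: "
              "add in-interface=ether1-gateway or dst-address=<WAN IP>")
```

Run against this export it lists all six port forwards, including the tcp/21 rule; scoping each rule to the WAN interface (ether1-gateway in this configuration) keeps it from matching LAN-originated traffic.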