Crs305 not able to get ip on Wan port

Hi all,

Good day. I just got a crs305 router. It is really rare to find 1 in Singapore. Waited almost a year for any vendor that carries this. I am planning to replace my dlink router with this. But the crs305 Wan port is not able to get a dhcp ip from my fiber modem.

I have placed it behind my dlink router with RouterOS loaded and turned on its own dhcp.
Dlink on 192.168.0.2.24
Crs305 on 192.168.1.1/24, uplink using eth1 to dlink lan port
My laptop connected to crs305 port sfp1

CRS is able to get an ip on the eth1 via dlink dhcp, 19 .168.0.154, but when I remove the dlink router and connect the eth1 to the fiber modem, the crs305 will not be able to get an ip. Is there any setting that I need to do or add?

I have tried to factory default the box. Used the static ip I got by connecting my laptop directly to the modem.

The router cannot get the Wan ip. Lan seems fine. Or it needs another layer 3 device in between the modem and the crs305.

Hope that anyone can help to point out if I missed any setting. As this is my first MikroTik router I am new to their setup. I only have a basic Cisco networking background. I will get my router config once I get the network up after I roll back to my dlink router.

This is the current config.

The eth1 port is now connected to the modem and not able to get any ip using auto mode. I have tried using a static ip; it is not able to connect to the modem.
SFP1 is connected to my laptop.

https://www.dropbox.com/s/122wnvglzullo4z/wan%20port.JPG?dl=0

# jan/01/2020 23:05:38 by RouterOS 6.42.12
# software id = PXND-9U1Q
#
# model = CRS305-1G-4S+
# serial number = AB5C0A164A3E

/interface bridge
add admin-mac=74:4D:28:6E:AC:D3 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=1Gbps
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no speed=1Gbps
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no speed=1Gbps
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no speed=1Gbps
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface list member
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf disabled=yes interface=bridge network=192.168.1.0
add address=192.168.1.2/24 comment=defconf disabled=yes interface=sfp-sfpplus2 network=192.168.1.0
add address=192.168.1.2/24 comment=defconf interface=sfp-sfpplus1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.1.2 disabled=no interface=bridge name=relay1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.2 netmask=24
/ip dns
set servers=43.245.107.5,43.245.107.38
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=49.245.0.1
/system clock
set time-zone-name=Asia/Singapore
/system routerboard settings
set boot-os=router-os

You have to remove ether1 from the bridge. It is not enough to have it disabled.

Remove address 192.168.1.2/24 and correct the DHCP server settings to reflect 192.168.1.1 as default gateway.

Definitely introduce firewall filter rules, CRS is completely open to attacks right now. Add sfp-sfpplus1 to interface list LAN. FYI I’m including default firewall filter rules of SOHO units (CRS is not one, so it comes without firewall by default) at the end of post. You’ll need NAT rule as well, default one is included …

And disable DHCP relay.


/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
    filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
    filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
    filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}

Isp is using vlans? What are the working settings/screenshot from the dlink for comparison?

Nevermind just checked and looks like no vlans required for M1 broadband. Try steps as per previous post



https://www.dropbox.com/s/820v38z6jf7v4vc/wan%20port%202.JPG?dl=0

I have done some updates, was wondering if this fixed the issue? I will be testing it now after I post my updated config.

# jan/01/2020 20:12:29 by RouterOS 6.42.12
# software id = PXND-9U1Q
#
# model = CRS305-1G-4S+
# serial number = AB5C0A164A3E
/interface bridge
add admin-mac=74:4D:28:6E:AC:D3 auto-mac=no comment=defconf disabled=yes name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=1Gbps
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no speed=1Gbps
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no speed=1Gbps
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no speed=1Gbps
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
add address-pool=dhcp disabled=no interface=sfp-sfpplus1 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface list member
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=sfp-sfpplus1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.1.2 interface=bridge name=relay1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set servers=43.245.107.5,43.245.107.38
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=49.245.0.1
/system clock
set time-zone-name=Asia/Singapore
/system routerboard settings
set boot-os=router-os


You mixed my recommendations with some other recipes you got somewhere. Which makes the whole setup a huge mess from the ground up and you should fix the foundations first (and that’s bridge and ether1 issues … there are plenty).

It’s RPITA to help somebody with his problems but that person doesn’t follow advice to the point or doesn’t wait for feedback so when feedback does come it doesn’t apply any more as the state of problematic device is not the same any more.
So: either hold your horses and follow the advice you get here or just don’t come here with your problems at all.

Hi mkx,

I will do some read up and follow your recommendations. But do bear with me. I am very new to MT device. Kinda struggling with it. Is there any basic setup guide that I can follow? I understand I shouldn’t just ask for help for every single issue.

My suggestion: first reset to factory defaults. Hopefully this will restore LAN functionality so you can do further steps while using your old internet gateway.
Then upgrade ROS to latest long-term (version 6.44.6 at the time of writing this post). Hopefully you’ll have LAN IP connectivity via your current gateway so upgrade should work pseudo-automatically (go to System → Packages → Check for updates … if it offers higher version, e.g. 6.46.1, change channel to long term).
Then reset to factory defaults again (they might have evolved since ROS currently installed on your device).
Then export running config (/export) and post it here (inside [code] [/code] environment) so we can have something to work on.
Then implement the default firewall I posted in one of previous posts.
Then wait for further instructions …

Hi mkx,

I have followed your steps. Reset all config.
Updated to 6.44.6 long-term.
eth1 is connected to my Dlink router lan port to get ip.
sfp1 is connected to my laptop.
eth1, sfp1 & 2 are set to 1gb full duplex.
Below is the running config.

# jan/03/2020 23:33:19 by RouterOS 6.44.6
# software id = PXND-9U1Q
#
# model = CRS305-1G-4S+
# serial number = AB5C0A164A3E
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus3 ] speed=10Gbps
set [ find default-name=sfp-sfpplus4 ] speed=10Gbps
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.250
/ip dhcp-server
add address-pool=dhcp disabled=no name=dhcp1
add address-pool=dhcp disabled=no interface=sfp-sfpplus1 name=dhcp2
/interface bridge port
add interface=sfp-sfpplus1
add interface=sfp-sfpplus2
add interface=sfp-sfpplus3
add interface=sfp-sfpplus4
/interface list member
add interface=ether1 list=WAN
add list=LAN
add list=LAN
/ip address
add address=192.168.1.1/24 interface=sfp-sfpplus1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Asia/Singapore
/system package update
set channel=long-term
/system routerboard settings
set boot-os=router-os

OK, let’s proceed.

According to running config, CRS should have received IP address on ether1 interface (from your current router I presume). You can check this by running /ip address print … it should show two addresses, one bound to sfp-sfpplus1 and one (dynamic) to ether1.

The wrong (as far as I see) part of config is the LAN config. Currently CRS is not configured for switching between SFP ports, it’s only routing between ether1 and sfp-sfpplus1. If you intend to use all SFP ports as LAN ports, then do the following:

  • Create bridge
  • add SFP ports to the new bridge
  • move IP address from sfp-sfpplus1 to bridge
  • ditto DHCP server for LAN

Command script could look something like this:

Part1:

The <admin MAC> in the script should be set as follows: take MAC address of one of SFP ports (can get them using /interface ethernet print) and add 2 to second HEX-digit … e.g. if MAC address is B8:69:F4:20:A5:49, then resulting MAC address for bridge is BA:69:F4:20:A5:49


/interface bridge
add name=bridge admin-mac=<admin MAC> auto-mac=no
/interface bridge port
# don't do the following for sfp-sfpplus1 yet or you'll likely lose management access
set [ find interface=sfp-sfpplus2 ] bridge=bridge
set [ find interface=sfp-sfpplus3 ] bridge=bridge
set [ find interface=sfp-sfpplus4 ] bridge=bridge
/interface list member
remove [ find list=LAN ]
add list=LAN interface=sfp-sfpplus1
add list=LAN interface=sfp-sfpplus2
add list=LAN interface=sfp-sfpplus3
add list=LAN interface=sfp-sfpplus4
add list=LAN interface=bridge
/ip address
# temporary address, make sure it's not used by other devices in LAN
add address=192.168.1.2/24 interface=bridge

After executing the commands above connect your management PC to one of SFP2-4 and reconnect to CRS using the temporary IP address.
After that, continue using the second part:

/interface bridge port
set [ find interface=sfp-sfpplus1 ] bridge=bridge
/ip address
remove [ find interface=sfp-sfpplus1 ]
add address=192.168.1.1/24 interface=bridge
/ip dhcp-server
remove [ find ]
add address-pool=dhcp interface=bridge name=LAN
# protect MAC access ... only allow it from LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Now you should be able to connect to CRS via any SFP port and using “permanent” IP address 192.168.1.1 … only thing to do is to remove the temporary IP address 192.168.1.2 from bridge.

And, before connecting ether1 directly to modem make sure your firewall is set.
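The checks mkx lists in this thread (WAN port out of the bridge, LAN list membership, firewall in place before the modem is connected, no DHCP relay, MAC access limited to LAN), as an added example that is not part of any post: a Python audit of `/export` text. The two sample configs are constructed excerpts modelled on exports in this thread, and the finding names are made up for this example. It assumes RouterOS allows MAC server access on all interfaces when the export has no `allowed-interface-list` line.

```python
import shlex

def parse_export(text):
    """Parse /export text into {menu path: [{'verb': ..., key: value}, ...]}."""
    menus, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):                 # menu line, e.g. "/ip address"
            path = line
        elif line and not line.startswith("#") and path is not None:
            tokens = shlex.split(line)           # keeps a quoted comment in one token
            item = {"verb": tokens[0]}
            item.update(t.split("=", 1) for t in tokens[1:] if "=" in t)
            menus.setdefault(path, []).append(item)
    return menus

def enabled(item):
    return item.get("disabled", "no") != "yes"

def audit(text):
    m = parse_export(text)
    members = m.get("/interface list member", [])
    wan = {i.get("interface") for i in members if i.get("list") == "WAN"}
    lan = {i.get("interface") for i in members if i.get("list") == "LAN"}
    # Thread advice: the WAN port must not be a bridge port at all, even a disabled one.
    out = [f"wan-in-bridge:{p['interface']}"
           for p in m.get("/interface bridge port", []) if p.get("interface") in wan]
    # An address on an interface outside LAN is cut off by "drop all not coming from LAN".
    out += [f"addr-not-in-lan:{a.get('interface')}" for a in m.get("/ip address", [])
            if enabled(a) and a.get("interface") not in wan | lan]
    rules = [r for r in m.get("/ip firewall filter", []) if enabled(r)]
    def has_drop(chain, iface_list):
        return any(r.get("chain") == chain and r.get("action") == "drop"
                   and r.get("in-interface-list") == iface_list for r in rules)
    if not has_drop("input", "!LAN"):
        out.append("input-open")
    if not has_drop("forward", "WAN"):
        out.append("forward-open")
    out += [f"dhcp-relay-enabled:{r.get('name')}"
            for r in m.get("/ip dhcp-relay", []) if enabled(r)]
    for path in ("/tool mac-server", "/tool mac-server mac-winbox"):
        allowed = "all"   # assumption: RouterOS default when the export omits it
        for i in m.get(path, []):
            allowed = i.get("allowed-interface-list", allowed)
        if allowed != "LAN":
            out.append(f"mac-access:{path}={allowed}")
    return out

# Constructed excerpts modelled on exports in this thread (not verbatim copies).
BEFORE = """\
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.1.2/24 comment=defconf interface=sfp-sfpplus1 network=192.168.1.0
/ip dhcp-relay
add dhcp-server=192.168.1.2 disabled=no interface=bridge name=relay1
"""
AFTER = """\
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""
if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER), sep="\n")
```

The parser reads the flat `/export` layout only, not the braced `/ip firewall { ... }` form used in the rule listing earlier in the thread.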

I have slowly and carefully read and checked all the settings. I think I better call up my isp to ask if there is any issue if I change the router. It can work as a router behind the dlink router, but when connected to the modem it just cannot get any ip on eth1. I do not think it's a crs305 issue, or guess it is not the crs305 issue. But do let me know if I have missed any settings.

Thank you for your help.

# jan/07/2020 23:55:53 by RouterOS 6.44.6
# software id = PXND-9U1Q
#
# model = CRS305-1G-4S+
# serial number = AB5C0A164A3E
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=LAN
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge interface=sfp-sfpplus4
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=bridge list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Asia/Singapore
/system package update
set channel=long-term
/system routerboard settings
set boot-os=router-os
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

This was the output when crs305 eth1 was still connected to the dlink lan port.
Tested internet, working just fine. I can ping 8.8.8.8, 192.168.0.2 (my dlink router), 192.168.1.1 and any pc in both networks.

[admin@MikroTik] > ip add print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                               
 0   192.168.1.1/24     192.168.1.0     bridge                                                                                                                  
 1 D 192.168.0.153/24   192.168.0.0     ether1

The moment I change to the fiber modem the eth1 just cannot get any ip.
No internet on my laptop.

admin@MikroTik] > ip add print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                               
 0   192.168.1.1/24     192.168.1.0     bridge                                                                                                                  
 1 D 192.168.0.153/24   192.168.0.0     ether1                                                                                                                  
[admin@MikroTik] > ip add print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                               
 0   192.168.1.1/24     192.168.1.0     sfp-sfpplus1                                                                                                            
[admin@MikroTik] > ip add print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                               
 0   192.168.1.1/24     192.168.1.0     sfp-sfpplus1

What does your ISP use, DHCP or PPPoE?

So I will use this setup first.

crs305 behind the dlink router
Added a port forwarding for my ovpn server 192.168.0.135 port 1194.

[admin@MikroTik] > /export                                                                                                     
# jan/08/2020 02:19:07 by RouterOS 6.44.6
# software id = PXND-9U1Q
#
# model = CRS305-1G-4S+
# serial number = AB5C0A164A3E
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=LAN
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge interface=sfp-sfpplus4
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=bridge list=LAN
/ip address
add address=192.168.1.1/24 interface=sfp-sfpplus1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=udp to-addresses=192.168.0.135
/ip route
add disabled=yes distance=1 gateway=192.168.0.2
/system clock
set time-zone-name=Asia/Singapore
/system package update
set channel=long-term
/system routerboard settings
set boot-os=router-os
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > 
[admin@MikroTik] > ip add print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                               
 0   192.168.1.1/24     192.168.1.0     sfp-sfpplus1                                                                                                            
 1 D 192.168.0.153/24   192.168.0.0     ether1                                                                                                                  
[admin@MikroTik] >

Hi CZFan,

DHCP, my other 3 routers just use auto to pick up the ip. As a matter of fact I have placed a dummy switch on the modem, then connected all the routers behind the switch so that my family still has the main internet and wifi while I got another 2 routers to play with. 1 of the routers is the crs305, the other is a LTE router that I am using to test out the settings where the crs305 has failed, e.g. why is the eth1 not able to get an ip but the other router can get it.

The dlink is the router from the isp, so it will work.
The lte router I got from the shop, was planning to move to lte and get rid of the fiber isp link.
The crs305 works fine behind the dlink with auto but just goes blank when connected to the modem directly or through the switch which is connected to the modem.

So I am guessing 2 things: either the isp modem does not take the crs eth1 port due to the mac address, or the ip address setup is something special. As the crs305 works fine behind another router, it should not be the layer 3 routing.

Throughput is just fine, getting close to 1gbps from my isp. Can't wait to let it be my main router then add in the ovpn settings (the ovpn is running from my nas).

Hi all.

Thank you for your help. Found the issue. The huawei modem is holding on to the old router setting, causing any other router to not be able to work.

Need to wait for 15min to pick up the new router or call the isp to clear it.

Thanks mkx for the firewall rules. The only outstanding item is the port forwarding of the ovpn setting in the router. I will go read up the other post and try again. No luck so far on that.

Can’t wait to run full 10g speed on this little beast .