DHCP client doesn't work on SFP(S-RJ01) port

Hello!

Could anyone point to a guide (or correct me) on how to move the “WAN port” from eth1 to sfp1? I just bought an S-RJ01 and would like to free up the other 1Gb ports.
I was trying manually: set the DHCP client for sfp1, change bridge ports, enable master port (eth2) for the previous WAN port. Finally, I reset to defaults and started from the beginning (QuickSet) with the HomeAP profile — there was an option to specify the WAN port.
I have attached photos to see what’s going on now.

The other frustrating thing is that backup doesn’t work. Before moving to sfp I backed up to quickly revert in case of failure. Just nothing happened: DHCP options, Firewall rules, OpenVPN… literally nothing, everything stays as before. Nothing in the log as well.

Device: RB2011UiAS-2HnD-IN
Thank you in advance.

How was your WAN setup? Does it use DHCP to get the WAN IP?

Are you sure sfp interface is linked and running? (Look at Interfaces > SFP1 > status)



[admin@MikroTik] /interface list member> print
Flags: X - disabled, D - dynamic 
 #   LIST                                                                            INTERFACE                                                                          
 0   ;;; defconf
     LAN                                                                             bridge                                                                             
 1   ;;; defconf
     WAN                                                                             sfp1   

[admin@MikroTik] /interface ethernet> print
Flags: X - disabled, R - running, S - slave 
 #    NAME                                    MTU MAC-ADDRESS       ARP             MASTER-PORT                                  SWITCH                                 
 0  S ether1                                 1500 64:D1:54:2C:EF:78 enabled         none                                         switch1                                
 1 RS ether2-master                          1500 64:D1:54:2C:EF:79 enabled         none                                         switch1                                
 2 RS ether3                                 1500 64:D1:54:2C:EF:7A enabled         ether2-master                                switch1                                
 3 RS ether4                                 1500 64:D1:54:2C:EF:7B enabled         ether2-master                                switch1                                
 4 RS ether5                                 1500 64:D1:54:2C:EF:7C enabled         ether2-master                                switch1                                
 5 RS ether6-master                          1500 64:D1:54:2C:EF:7D enabled         none                                         switch2                                
 6  S ether7                                 1500 64:D1:54:2C:EF:7E enabled         ether6-master                                switch2                                
 7 RS ether8                                 1500 64:D1:54:2C:EF:7F enabled         ether6-master                                switch2                                
 8 RS ether9                                 1500 64:D1:54:2C:EF:80 enabled         ether6-master                                switch2                                
 9  S ether10                                1500 64:D1:54:2C:EF:81 enabled         ether6-master                                switch2                                
10 R  sfp1                                   1500 64:D1:54:2C:EF:77 enabled         none                                         switch1 

[admin@MikroTik] /ip dhcp-client> print
Flags: X - disabled, I - invalid 
 #   INTERFACE                                                                                           USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS           
 0   sfp1                                                                                                yes          yes               searching... 

[admin@MikroTik] /ip dhcp-client> /interface ethernet monitor   
numbers: 10
                      name: sfp1
                    status: link-ok
          auto-negotiation: done
                      rate: 1Gbps
               full-duplex: yes
           tx-flow-control: no
           rx-flow-control: no
               advertising: 
  link-partner-advertising: 
        sfp-module-present: yes
               sfp-rx-loss: no
                  sfp-type: SFP-or-SFP+
        sfp-connector-type: LC
    sfp-link-length-copper: 100m
           sfp-vendor-name: Mikrotik
    sfp-vendor-part-number: S-RJ01
       sfp-vendor-revision: 1.0
         sfp-vendor-serial: 61B103BD0A44
    sfp-manufacturing-date: 15-03-11
           eeprom-checksum: good

The ISP says that nothing comes from me; despite this, I see in the logs that at least the Mikrotik is trying to (attached).

I guess this is because of the interface rate, which is 1Gbps now. I tried to set Speed to 100Mbps but nothing has changed.

Well, I’m back to ether1 and using sfp1 for local NAS. Works like a charm. But still wondering why DHCP client doesn’t work via sfp1?

Please run this command and then paste the output here in a code block:
/export compact file=MyFile.rsc hide-sensitive

Well, I currently use ether1 as WAN, do you want me to try sfp1 again and then paste a config?

You might post the ether1 setup (which works) and then the sfp1 setup (which does not). I’ll compare them for you.

Oh, thank you very much.

ether1 as WAN (DHCP)

# sep/28/2017 23:06:20 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
    wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
    remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
{...}
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
    10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=\
    ether1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
    10.7.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTP Proxy" dst-port=80 in-interface=\
    ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
add action=netmap chain=dstnat comment="HTTPS Proxy" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{...}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

sfp1 as WAN (DHCP)

# sep/28/2017 23:15:46 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
    wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
    remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/interface ovpn-server server
{...}
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
    10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=\
    ether1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
    10.7.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=masquerade chain=srcnat out-interface=ether1
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=netmap chain=dstnat comment="HTTP Proxy" dst-port=80 in-interface=\
    ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=netmap chain=dstnat comment="HTTPS Proxy" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{..}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

A couple of things stand out.

Under /interface bridge port, disabled=yes is set for the sfp1 interface. However, you might try removing it from the bridge. That might be what is causing the error "in/out-interface matcher not possible when interface (ether1) is slave" that appears under the nat rules.

That error is your real problem.

So, under /ip firewall filter and /ip firewall nat, you have ether1 as your WAN interface; you need to change it to be sfp1.

On a clean setup (after reset) I did not include sfp in this bridge (even as disabled). How does it have to be configured, then?

I edited my post. Read it again. Then let me know if you have an issue.

You have ether1 in your bridge, then you also are setting to use it as your in-interface and out-interface interface under firewall and nat rules. That is incorrect. You need to carefully change over all ether1 references to be sfp1.

I have, actually ;( Hope that I have missed something again.

# sep/29/2017 00:28:14 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
    wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
    remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/interface ovpn-server server
{...}
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
    10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
add action=accept chain=input comment=OpenVPN disabled=yes dst-port=1194 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
    10.7.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=sfp1
add action=netmap chain=dstnat comment="HTTP Proxy" disabled=yes dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
add action=netmap chain=dstnat comment="HTTPS Proxy" disabled=yes dst-port=\
    443 in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{...}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

This is incorrect. You are using ether1 in your firewall and nat rules. ether1 should not be your wan interface. I’ll post some updated rules. But, this should be obvious to you now.

Here is a config that will work. I have removed extraneous settings that don’t apply. You’ll need to add those back.

Note that I can’t see your ppp settings. Make sure you’re using sfp1 there. Also, later, change ether1 to be master (instead of ether2), naturally.

# sfp1

/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master

/ip neighbor discovery
set sfp1 discover=no

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf

/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN

/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=10.1.0.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1

/ip firewall filter
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=sfp1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=10.7.0.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=sfp1
add action=netmap chain=dstnat comment="HTTP Proxy" dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
add action=netmap chain=dstnat comment="HTTPS Proxy" dst-port=443 in-interface=sfp1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
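
An added example (not part of the thread, and not MikroTik tooling): a Python check over an /export compact file that lists firewall and NAT rules whose in-interface or out-interface names a bridge port or master-port slave, the condition RouterOS flags in the "sfp1 as WAN" export above, or an interface that is no longer WAN. The sample input is trimmed from that export; treating members of the list named WAN plus the DHCP client interface as the WAN set is an assumption of this sketch.

```python
import re
import shlex

# Sample input: trimmed from the "sfp1 as WAN" export posted in this thread.
SAMPLE_EXPORT = r'''
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip firewall filter
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=\
    ether1 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTP Proxy" dst-port=80 in-interface=\
    ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
'''


def parse_export(text):
    """Yield (menu, properties) for every add/set line of an export."""
    menu = None
    # The export wraps long lines with a trailing backslash; rejoin them first.
    for line in re.sub(r'\\\n\s*', '', text).splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            menu = line
            continue
        # shlex keeps quoted comments such as comment="HTTP Proxy" in one token.
        yield menu, dict(t.split('=', 1) for t in shlex.split(line) if '=' in t)


def audit(text):
    """Return firewall/NAT rules that match on a slave or non-WAN interface."""
    slaves, wan, rules = {}, set(), []
    for menu, p in parse_export(text):
        if menu == '/interface ethernet' and p.get('master-port', 'none') != 'none':
            name = p.get('name', p.get('default-name'))
            slaves[name] = 'slave: master-port=' + p['master-port']
        elif menu == '/interface bridge port' and p.get('disabled') != 'yes':
            slaves[p['interface']] = 'slave: port of bridge ' + p['bridge']
        elif menu == '/interface list member' and p.get('list') == 'WAN':
            wan.add(p['interface'])  # assumption: the WAN list is named "WAN"
        elif menu == '/ip dhcp-client' and p.get('disabled') != 'yes':
            wan.add(p['interface'])
        elif menu in ('/ip firewall filter', '/ip firewall nat'):
            rules.append((menu, p))

    findings = []
    for menu, p in rules:
        for key in ('in-interface', 'out-interface'):
            iface = p.get(key, '').lstrip('!')
            if not iface:
                continue  # rule matches by interface list or not at all
            if iface in slaves:
                reason = slaves[iface]
            elif wan and iface not in wan:
                reason = 'not a WAN interface'
            else:
                continue
            findings.append({
                'menu': menu,
                'rule': p.get('comment', p.get('action')),
                'match': key,
                'interface': iface,
                'reason': reason,
                # Disabled rules are still reported: re-enabling them
                # brings the stale interface reference back.
                'disabled': p.get('disabled') == 'yes',
            })
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_EXPORT):
        print('{menu}: "{rule}" {match}={interface} ({reason})'.format(**f))
```

Rules that match through in-interface-list or out-interface-list are not reported, because they follow the list membership when the WAN port moves.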

I thought disabling is enough. Anyway, still the same – no luck.

# sep/29/2017 00:47:10 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
    wireless-protocol=802.11
/ip neighbor discovery
set sfp1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
    remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=gw1.megrabyan.pro cipher=aes256 default-profile=\
    openvpn1 enabled=yes keepalive-timeout=disabled mode=ethernet \
    require-client-certificate=yes
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
    10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
add action=accept chain=input comment=OpenVPN disabled=yes dst-port=1194 \
    in-interface=sfp1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
    10.7.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=sfp1
add action=netmap chain=dstnat comment="HTTP Proxy" disabled=yes dst-port=80 \
    in-interface=sfp1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
add action=netmap chain=dstnat comment="HTTPS Proxy" disabled=yes dst-port=\
    443 in-interface=sfp1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{...}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

I think my last one is nearly the same.

There is no such option.

I have the same issue,

but started with a clean config on my 2011.
Only configured the sfp (S-RJ01) to get an IP address.
All ports get an address, but not the sfp.
Here is my simple config:

# jan/02/1970 00:02:15 by RouterOS 6.40.3
# software id = EBUE-U1WD
#
# model = 2011UiAS-2HnD
# serial number = 444A01055FD2

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/lcd
set enabled=no touch-screen=disabled
/lcd interface pages
set 0 interfaces=wlan1