I’m new to Mikrotik and recently bought an L009. The main goal of the device is to act as a device from an ISP would, to summarize:
On the WAN side: get an IP from a device from the ISP
On the LAN side: Be a DHCP Server for other devices
Do NAT between both interfaces
Allow for some port forwarding
First issue (and the main one):
The config at the end shows the way I’ve set up my device and everything seems to work fine except for two devices: Windows 11 laptop (through Wifi and Ethernet port), Samsung TV and my Xiaomi TV set-top box. Both give an error that there is no internet access. After checking on my Windows 11 laptop (and the Mikrotik device) I see that it definitely got an IP lease from the DHCP server. But the other config (DNS servers, subnet mask and default gateway) is not being set (checked with ipconfig).
Second issue:
Port forwarding does not seem to be working correctly for the setup rules? I can’t reach the ports on the specified devices from my WAN interface.
Anyone got an idea? GF is complaining
# 2024-01-01 22:30:00 by RouterOS 7.11.2
# software id = **ELIDED**
#
# model = L009UiGS
# serial number = XXXXXXXXX
/interface ethernet
set [ find default-name=ether1 ] name="Ether1 - LAN1"
set [ find default-name=ether4 ] name="ether4 "
set [ find default-name=ether5 ] name="ether5 - WAN1"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="LAN Pool" ranges=10.0.0.151-10.0.0.254
/ip dhcp-server
add address-pool="LAN Pool" interface="Ether1 - LAN1" lease-time=23h59m59s name="DHCP - LAN1"
/port
set 0 name=serial0
/ip address
add address=10.0.0.1/24 interface="Ether1 - LAN1" network=10.0.0.0
/ip dhcp-client
add interface="ether5 - WAN1"
/ip dhcp-server network
add address=10.0.0.0/32 dns-server=10.0.0.51,1.1.1.1 gateway=10.0.0.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24
add action=dst-nat chain=dstnat dst-address=10.0.0.20 dst-port=5001 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.30
add action=dst-nat chain=dstnat dst-address=10.0.0.53 dst-port=80 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.53
add action=dst-nat chain=dstnat dst-address=10.0.0.53 dst-port=443 in-interface="ether5 - WAN1" protocol=tcp to-addresses=10.0.0.53
/system clock
set time-zone-name=Europe/Brussels
/system clock manual
set time-zone=+01:00
/system identity
set name=L009
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
PLEASE CONFIRM ASAP that you get a private IP address from the ISP's device.
If you get a public IP then you need to unplug your router immediately and perhaps netinstall it because you HAVE NO protection because you have NO firewall rules at all.
All traffic is permitted. Which means hackers have full access to your router and your LAN.
I am assuming you are working behind another router and the WANIP you get is something like 192.168.1.XX or something.
@anav:
My WAN-IP is definitely private (192.168.0.x), nevertheless I’ve implemented the changes you proposed. (you never know).
Great spotting on the error in my forwarding config though!
Can’t really see any difference with the NAT forwarding, but it really is more clear using the interface name.
@jaclaz:
This fixed the DHCP issue, not really sure why I put it in like that…
And for anyone that should have the same issue, this is the resulting config:
Well, I only noticed that you had this “added” netmask parameter which I had not seen before in the DHCP settings examples I could find, but from reading the documentation it seems like “legit”. Likely it is another case of lacking details in the syntax of the parameter for the “special” case where the address is set as /32, or setting the address as a /32 is considered absurd by good network engineering standards and thus it is not mentioned, while the GUI (or CLI or both) accepts it without problems.
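For readers landing on this thread with the same symptoms, here is an added RouterOS snippet (not the OP's "resulting config", which was not posted) that applies the three points raised above to the OP's layout: the DHCP network address as a /24 instead of /32, dst-nat rules that match on the WAN interface rather than a LAN address, and a minimal default-deny filter set, since anav noted the export has no filter rules at all. Interface names, the 10.0.0.0/24 LAN, the hosts 10.0.0.30 and 10.0.0.53 and the DNS server 10.0.0.51 come from the OP's export; the rule set, comments and the choice to match forwarded traffic with connection-nat-state are my assumptions.

```routeros
# Added example, not from the thread. Names and addresses below are taken
# from the OP's export; the filter rules are an assumed minimal baseline.

# 1. DHCP network: the export had address=10.0.0.0/32 plus a separate
#    netmask=24. The prefix on "address" is what matches a lease to its
#    network entry; a /32 matches no lease, so clients received an IP but
#    no gateway, DNS or mask. A /24 covers the whole pool.
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.51,1.1.1.1

# 2. Port forwarding: in a dstnat rule, dst-address is the address the packet
#    arrives with (the router's WAN address), never the LAN host. With a
#    dynamic WAN address, matching on in-interface alone is sufficient.
/ip firewall nat
add chain=srcnat action=masquerade out-interface="ether5 - WAN1"
add chain=dstnat action=dst-nat in-interface="ether5 - WAN1" protocol=tcp dst-port=5001 to-addresses=10.0.0.30
add chain=dstnat action=dst-nat in-interface="ether5 - WAN1" protocol=tcp dst-port=80 to-addresses=10.0.0.53
add chain=dstnat action=dst-nat in-interface="ether5 - WAN1" protocol=tcp dst-port=443 to-addresses=10.0.0.53

# 3. Minimal default-deny filter (assumed baseline, absent from the export).
#    input: only reply traffic and LAN-side management reach the router.
#    forward: LAN may go out; WAN may come in only for replies and for the
#    ports dst-nat'd above (connection-nat-state=dstnat), everything else drops.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to router"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface="Ether1 - LAN1" comment="management from LAN"
add chain=input action=drop in-interface="ether5 - WAN1" comment="everything else from WAN"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface="Ether1 - LAN1" out-interface="ether5 - WAN1" comment="LAN to internet"
add chain=forward action=accept in-interface="ether5 - WAN1" connection-nat-state=dstnat comment="only forwarded ports from WAN"
add chain=forward action=drop in-interface="ether5 - WAN1"
```

Rule order matters: the established/related accept must sit above the WAN drop in both chains, or the router's own DHCP client replies and LAN return traffic are cut off. After pasting, `/ip firewall filter print stats` shows per-rule hit counters, which is the quickest way to confirm that WAN traffic is landing on the drop rules and forwarded ports on the dstnat accept.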