DHCP showing Red

I have a MikroTik router (RG) that is working fine, and I need to copy its configuration to a different MikroTik model (RB952).

  • I exported the configuration using export file=filename,
  • opened it in a text editor and copied the commands,
  • reset the RB952 without a configuration,
  • opened a terminal and pasted all the commands.

However, I am not getting an IP address, and the DHCP server is shown in red. Please find the configuration and a screenshot below.
Capture.JPG

# Configuration export posted with the question; masked values (***) are the
# poster's. Review notes are full-line '#' comments; every command is unchanged.
/interface bridge
add admin-mac=*** auto-mac=no name=bridge-LAN protocol-mode=\
    none
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface eoip
add !keepalive mac-address=**** name=eoip-tunnel remote-address=\
    10.0.0.7 tunnel-id=102
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# This server entry binds to bridge-LAN but names no address-pool, and no
# /ip address entry in this export is assigned to bridge-LAN.
/ip dhcp-server
add authoritative=after-2sec-delay interface=bridge-LAN name=default
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name="DHCP Local" ranges=192.168.50.100-192.168.50.200
add name=vpn ranges=192.168.89.2-192.168.89.255
# The ether5 server: pool "DHCP Local", with a matching /ip address
# (192.168.50.1/24) and /ip dhcp-server network entry further down.
/ip dhcp-server
add address-pool="DHCP Local" authoritative=after-2sec-delay disabled=no \
    interface=ether5 lease-time=4h name="DHCP Local"
/ppp profile
add change-tcp-mss=yes name=PPTP-profile use-encryption=yes
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# NOTE(review): PPTP with MS-CHAPv2 (allow=mschap2) is a weak VPN choice; its
# authentication and MPPE encryption are considered broken. Prefer an
# IPsec-based or other modern tunnel where both ends support it.
/interface pptp-client
add allow=mschap2 comment="VPN Connection to ****" connect-to=\
    ******** disabled=no name=pptp-**** password=\
    ****** profile=PPTP-profile user=****
# The default community accepts queries from any source (0.0.0.0/0). This
# export does not show SNMP being enabled; if it is enabled, restrict
# addresses= to the monitoring hosts.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# ether5 is not a bridge port; ether2-ether4 and the EoIP tunnel are.
/interface bridge port
add bridge=bridge-LAN interface=eoip-tunnel
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set ipsec-secret=****** use-ipsec=yes
/interface list member
add interface=bridge-LAN list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=eoip-tunnel list=discover
add interface=bridge-LAN list=mactel
add interface=bridge-LAN list=mac-winbox
add interface=ether3 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether5 list=mac-winbox
add interface=wlan2 list=WAN
/ip address
add address=192.168.50.1/24 comment="dhcp server" interface=ether5 network=\
    192.168.50.0
add address=192.168.11.5/24 interface=ether1 network=192.168.11.0
/ip cloud
set ddns-enabled=yes
# The first two entries are identical (both on ether1), and ether1 also has a
# static address above.
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1
add dhcp-options=hostname,clientid disabled=no interface=wlan2
/ip dhcp-server network
add address=192.168.11.0/24 comment="default configuration" dns-server=\
    192.168.11.5 gateway=192.168.11.5 netmask=24
add address=192.168.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.50.1
# allow-remote-requests=yes makes the router answer DNS queries it receives.
# The input chain below has no drop rule, so that includes queries arriving on
# untrusted interfaces; limit port 53 on input to LAN sources.
/ip dns
set allow-remote-requests=yes servers=*******,******
/ip dns static
add address=192.168.11.5 name=router
/ip firewall address-list
add address=***** list="Allowed DNS"
add address=***** list="Allowed DNS"
add address=**** list="Allowed DNS"
# NOTE(review): every chain=input rule below is an accept and there is no final
# drop, so (packets matching no rule are accepted) all router services remain
# reachable from any interface. The forward chain likewise drops only invalid
# connections.
/ip firewall filter
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=accept chain=forward src-address=192.168.50.0/24
# This rule accepts Winbox (8291/tcp) from any source and is evaluated before
# the address-list rule that follows, so that restriction has no effect.
add action=accept chain=input comment="To allow winbox connection Everyone" \
    dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
    "To allow winbox connection only DNS in Address lists" dst-port=8291 \
    protocol=tcp src-address-list="Allowed DNS"
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
# no interface
add action=masquerade chain=srcnat out-interface=pptp-***
/ip route
add disabled=yes distance=1 gateway=****.1
add disabled=yes distance=1 gateway=****.1
/ppp secret
add disabled=yes name=vpn password=*****
/system clock
set time-zone-autodetect=no time-zone-name=Europe/***
/system identity
set name="*****"
/system ntp client
set enabled=yes primary-ntp=138.96.64.10 secondary-ntp=78.140.251.2
/system routerboard settings
set silent-boot=no
# MAC-Telnet and MAC-Winbox are limited to the mactel / mac-winbox interface
# lists, whose members above are bridge-LAN and ether3-ether5.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

# Quoted from the posted export: this entry sets authoritative=, interface= and
# name= only; no address-pool= is given.
/ip dhcp-server
add authoritative=after-2sec-delay interface=bridge-LAN name=default

Where is the IP dhcp-pool, IP address, IP server network for this entry??
or did you create the above rule by error?

You also have three listings for the same bridge under the interface lists; not sure if that's normal/okay.
You also have multiple listings for the ether ports under the interface lists; not sure if that's normal/okay.
You have the 192.168.11.0/24 network as belonging to eth1, but there is no such ether port in your interface lists.

Hello

A DHCP server is red if it’s assigned to a slaved interface (I.e. ether port under a bridge) but it doesn’t look like it.

I’ll Go with Anav’s idea: I’m seeing the bridge and ether5 in the same interface list; not sure…


Anav pointed it out right - /ip dhcp-server needs correct /ip address on the same interface as well as properly configured /ip dhcp-server network and /ip pool in order to run correctly.
However, only missing /ip address will make the DHCP server red. Missing /ip dhcp-server network and /ip pool will prevent it from working as expected but it won’t make it red. (unless you missed them on purpose)
Putting /ip dhcp-server on slave interface will also make it red, but there will be clear description, that it was mis-configured on slave interface and due to that it is running on master interface (so it is like warning that running state is different than configuration)

I am still new to networking and mikrotik, it should connect to another mikrotik using a vpn connection and wish to use ports as per below

port 1 is for the gateway (static ip from isp not configured yet)
port 2-4 for VPN (gets ip through vpn)
port 5 for local dhcp

I still cannot understand, if I copied the configuration from a working mikrotik how come I am getting an error on this one ? shouldn’t the export command exports all configuration that the mikrotik has ?

Not sure if anav have read the complete post, I can see all of the config.

ethernet 5 config

# Parts of the posted export that concern ether5: its pool, DHCP server and
# address.
/ip pool
add name="DHCP Local" ranges=192.168.50.100-192.168.50.200
/ip dhcp-server
add address-pool="DHCP Local" authoritative=after-2sec-delay disabled=no \
    interface=ether5 lease-time=4h name="DHCP Local"
/ip address
add address=192.168.50.1/24 comment="dhcp server" interface=ether5 network=\
    192.168.50.0

# Bridge ports from the same export: ether5 is not among them.
/interface bridge port
add bridge=bridge-LAN interface=eoip-tunnel
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=ether2

It has an IP address and a DHCP server, and it is not connected to the bridge, so it should be OK. But is the port online, i.e. is something connected to it?
If not, it will be red.

ok managed to get internet from port 5 (using dhcp) however when connecting to ports 2-4 I am not getting ip address from the dhcp on the remote vpn router

checked the vpn connection and it is connected however cannot ping the other side router 192.168.11.1 and not getting ip from dhcp on remote location

(from the config above I changed the dhcp from .50.0 to .60.0)
Capture.JPG

As you can see from the italic font of ether5, it indicates that the port is not connected!

with regards to port 5 it is working fine and getting ip from the local dhcp server.

My issue (last issue I hope) is that the pptp connection is connecting to a vpn connection to another mikrotik router and I wish that I get an ip from the vpn server in Site A. The pptp connection is connecting with local ip 10.0.0.3 and remote 10.0.0.4 and I can ping both ips however I cannot ping the devices on the other side from site C from the mikrotik and also my pc is not getting ip from the vpn server

Site A - mikrotik with vpn server
Site B - mikrotik with vpn client connects with site A
New site C - connects with site A

Below please find my current config:

# nov/24/2018 08:46:38 by RouterOS 6.43.4
# software id = 075F-13J8
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = ****
# NOTE(review): review notes below are full-line '#' comments; every command is
# unchanged. When sharing an export, `export hide-sensitive` omits passwords
# and secrets, but identifiers such as the software id and public addresses
# still need manual masking.
/interface bridge
add admin-mac=**** auto-mac=no mtu=1500 name=bridge-LAN \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether5 ] name=ether5-local
# NOTE(review): both radios are enabled as access points, and the default
# security profile below shows no authentication settings in this export -
# presumably an open network; confirm. hide-ssid=yes is not an access control.
/interface wireless
set [ find default-name=wlan1 ] disabled=no hide-ssid=yes mode=ap-bridge \
    ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] disabled=no hide-ssid=yes mode=ap-bridge \
    ssid=MikroTik wireless-protocol=802.11
/interface eoip
add !keepalive mac-address=*** name=eoip-tunnel remote-address=\
    10.0.0.3 tunnel-id=103
/interface list
add name=WAN
add name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# This server entry binds to bridge-LAN but names no address-pool; the
# /ip address entries below are on ether2 and ether5-local, none on bridge-LAN.
/ip dhcp-server
add authoritative=after-2sec-delay interface=bridge-LAN name=default
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name="DHCP Local" ranges=192.168.60.100-192.168.60.200
add name=vpn ranges=192.168.90.2-192.168.90.255
/ip dhcp-server
add address-pool="DHCP Local" authoritative=after-2sec-delay disabled=no \
    interface=ether5-local lease-time=4h name="DHCP Local"
/ppp profile
add change-tcp-mss=yes name=PPTP-profile use-encryption=yes
set *FFFFFFFE local-address=192.168.90.1 remote-address=vpn
# NOTE(review): PPTP with MS-CHAPv2 (allow=mschap2) is a weak VPN choice; its
# authentication and MPPE encryption are considered broken. Prefer an
# IPsec-based or other modern tunnel where both ends support it.
/interface pptp-client
add allow=mschap2 comment="VPN Connection" connect-to=\
    ****** disabled=no name=pptp-**** password=\
    **** profile=PPTP-profile user=****
# The default community accepts queries from any source (0.0.0.0/0). This
# export does not show SNMP being enabled; if it is enabled, restrict
# addresses= to the monitoring hosts.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-LAN interface=eoip-tunnel
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set ipsec-secret=**** use-ipsec=yes
# The second entry below (list=LAN) carries no interface= value.
/interface list member
add interface=ether1-gateway list=WAN
add list=LAN
add interface=bridge-LAN list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5-local list=discover
add interface=eoip-tunnel list=discover
add interface=bridge-LAN list=mactel
add interface=bridge-LAN list=mac-winbox
add interface=ether3 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether5-local list=mactel
add interface=ether5-local list=mac-winbox
add interface=bridge-LAN list=LAN
# ether2 is a port of bridge-LAN (see /interface bridge port above) and carries
# two addresses from the same /24. NOTE(review): addresses normally belong on
# the bridge rather than on one of its ports - confirm this is intended.
/ip address
add address=192.168.11.8/24 interface=ether2 network=192.168.11.0
add address=192.168.60.1/24 comment="Giving Local internet" interface=\
    ether5-local network=192.168.60.0
add address=192.168.11.7/24 interface=ether2 network=192.168.11.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.11.0/24 comment="default configuration" dns-server=\
    192.168.11.8 gateway=192.168.11.8 netmask=24
add address=192.168.60.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.60.1
# allow-remote-requests=yes makes the router answer DNS queries it receives;
# the only input drop rule below is for ether1-gateway, so queries arriving on
# any other interface are still served.
/ip dns
set allow-remote-requests=yes servers=***,***
/ip dns static
add address=192.168.11.8 name=router
/ip firewall address-list
add address=**** list="Allowed DNS"
add address=**** list="Allowed DNS"
add address=**** list="Allowed DNS"
# NOTE(review): the input chain ends with a drop for ether1-gateway only;
# traffic arriving on other interfaces (wireless, tunnels) matches no drop and
# is accepted. The VPN service ports (500, 4500, 1701, 1723, 443) are accepted
# from any source ahead of that drop, and the forward chain drops only invalid
# connections.
/ip firewall filter
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=accept chain=forward src-address=192.168.60.0/24
# The "Everyone" Winbox rule is disabled here, so on ether1-gateway port 8291
# is accepted only for sources in the "Allowed DNS" address list.
add action=accept chain=input comment="To allow winbox connection Everyone" \
    disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
    "To allow winbox connection only DNS in Address lists" dst-port=8291 \
    protocol=tcp src-address-list="Allowed DNS"
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface=ether1-gateway
# The first rule's comment says "masq. vpn traffic", but the rule masquerades
# everything leaving ether1-gateway; the PPTP masquerade rule is disabled.
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" out-interface=\
    ether1-gateway
add action=masquerade chain=srcnat disabled=yes out-interface=pptp-****
/ip route
add disabled=yes distance=1 gateway=213.165.184.1
add disabled=yes distance=1 gateway=213.165.184.1
/ppp secret
add disabled=yes name=vpn password=***
/system clock
set time-zone-autodetect=no time-zone-name=Europe/***
/system identity
set name="*** ***"
/system ntp client
set enabled=yes primary-ntp=138.96.64.10 secondary-ntp=78.140.251.2
/system routerboard settings
set silent-boot=no
# MAC-Telnet and MAC-Winbox are limited to the mactel / mac-winbox interface
# lists, whose members above are bridge-LAN, ether3, ether4 and ether5-local.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Issue solved. I had to create an EoIP tunnel on the VPN server and assign it to the bridge.