Eth1 vlan 911 tagging for ISP connection

Hi,

I am after some guidance.
Basically I am unable to connect my router (MikroTik RB5009UPr+S+IN) to the ISP’s network.
ISP’s requirements:
“You basically need to provision the WAN/Internet interface for IP over Ethernet.
Second requirement is that VLAN tagging needs to be enabled on the interface and set to vlan 911.
Third requirement is that the interface IP needs to be set to DHCP. That way it automatically gets assigned an IP from our DHCP server.”

My config (it seems that I cannot get an address from DHCP):

I would appreciate if someone would help me to get my router connected. Thanks

Do you have any firewall rules that might block?

You need to go to IP DHCP client next…
and select vlan 911 as the interface (not vlanfiber!)

vlanfiber is a VLAN created and set to vlan 911. The only other option I have is Fiber_eth1; I cannot add vlan 911 as you mentioned in DHCP client?
Even when I switch the DHCP client to Fiber_eth1, same issue: it does not seem to get an address.
Can you advise further? Sorry.

The 1st requirement is kinda odd: “IP over ethernet”. If that means PPPoE (or perhaps a MikroTik-specific EoIP?), that would be a different story, but I presume they just mean it has a VLAN. But step 1 is an odd way to state a requirement.

One thing that might help here is if you can use /tool/torch on the fiber or VLAN, and just see what kind of packets are flowing over the line and/or on what VLAN they appear.

Does not seem like there is anything that could block it?

Did you add “vlanfiber” VLAN interface as a LAN in /interface/list?

Torch results:

Yeah I meant WAN. So that’s right.

Try ether1 in torch, to see if you’re getting any traffic from upstream. The torch above shows your dhcp-client looking for an address on VLAN 911.

Might want to post your config too. In terminal, :export file=config.rsc then download from Files.

ether1 results in torch:

config:

# apr/26/2024 02:08:43 by RouterOS 7.8

# model = RB5009UPr+S+

/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=Port1 name=Fiber_eth1
/interface vlan
add interface=Fiber_eth1 name=vlanfiber vlan-id=911
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlanfiber list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add interface=vlanfiber
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This all looks right. The odd thing is that it does look like the ISP thinks your IP is 10.2.118.106 on VLAN 911.

You’re running an older version. And I want to say some version had some bug in dhcp-client around that time.

You may want to download latest stable release, and copy it to the root of Files, then reboot:
https://download.mikrotik.com/routeros/7.14.3/routeros-7.14.3-arm64.npk

After the update torch results:

config:

# 2024-04-26 02:38:02 by RouterOS 7.14.3

# model = RB5009UPr+S+

/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
# poe-out status: short_circuit
set [ find default-name=ether1 ] comment=Port1 name=Fiber_eth1
/interface vlan
add interface=Fiber_eth1 name=vlanfiber vlan-id=911
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlanfiber list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add interface=vlanfiber
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I am at a bit of a loss, it’s never easy…

Maybe disable PoE on ether1? e.g. you have this message:

# poe-out status: short_circuit

Possibly that’s interfering with the traffic, since you’re not getting anything back (or at least only a few packets).

Can also look at Logs, and see if anything there has errors/warning.

But I’m kinda out of suggestions here. Maybe someone else has an idea here.

Disabled it, rebooted the router - error disappeared

did another torch scan:

I hope someone can help, I raised this with ISP too, will see what they say as I am out of ideas

I suppose you can try disabling the “input” firewall filter rule with “drop” and “!LAN” & see if you get a DHCP address after that.
If that works, then you might have to allow DHCP from VLAN 911 in the firewall, I guess.

And/or, just assign the IP address it’s showing in torch as an /ip/address for the VLAN, e.g.:
/ip/address/add interface=vlanfiber address=10.2.118.106/24
Then see if /ping 10.2.118.1 works from RouterOS Terminal?

Disabled the “input” firewall filter rule with “drop” and “!LAN” & rebooted the router, did not get DHCP address after that

I assigned the IP address, does not seem to ping:

   sent=180 received=0 packet-loss=100% 
  SEQ HOST                                     SIZE TTL TIME       STATUS        
  180 10......                                                   timeout       
  181 10.......                                          timeout       
  182 10.......                                                 timeout       
  183 10.......                    84  64 31ms535us  host unreac...
 
    sent=200 received=0 packet-loss=100%

Okay, that’s all I got. I was guessing at the default gateway, and it’s unclear why torch shows the dst-addr of 10.x.x.x

Is there a modem to reboot? But I think you’re going to have to confirm with your ISP the needed settings. As I said, the first step “IP over ethernet” is just pretty vague.

Am I missing PPPoE settings or setup on the router? Can they use PPPoE without a username and password? Would I have to potentially clone the MAC address of the ISP’s router on my MikroTik router (if that’s even possible)? I assume they would have provided it when I contacted them regarding router set-up…
I have also seen this forum post of someone setting up a TP-Link router with the same provider; they seem to have a similar issue: https://forums.thinkbroadband.com/fibre/4740572-gigabit-networks-installing-3rd-party-router.html?vc=1

I have contacted the ISP again for clarification and support, but if anyone else has any ideas I would appreciate your support. Thanks

Yeah, they may need to know your MAC address. You can “clone it” by simply entering your old router’s MAC address on the ether1 interface; obviously your older router has to be unplugged after.

Cloning MAC address of ISP’s router did not work, still seems to be doing the same thing where it does not pick up IP from DHCP, still waiting for a response from ISP…
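
Added example (not part of the original thread, and not MikroTik code): the torch checks discussed above come down to whether DHCP requests leave the physical port tagged with VLAN 911 and whether any reply comes back on that VLAN. The Python sketch below makes that check on raw Ethernet frames from a capture taken on the physical WAN port; the function names and the sample frames are constructed for illustration.

```python
import struct

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def build_frame(vlan_id, msg_type, from_client=True):
    """Constructed sample frame: minimal DHCP in UDP/IPv4 (checksums left at 0)."""
    sport, dport = (68, 67) if from_client else (67, 68)
    bootp = bytes([1 if from_client else 2, 1, 6, 0]) + bytes(232) + MAGIC
    bootp += bytes([53, 1, msg_type, 255])  # option 53 (message type), then end
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    tag = b"" if vlan_id is None else struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return b"\xff" * 6 + bytes.fromhex("020000000001") + tag + b"\x08\x00" + ip

def inspect(frame):
    """Return (vlan_id or None, DHCP message name or None) for one Ethernet frame."""
    if len(frame) < 18:
        return None, None
    vlan, off = None, 14
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == 0x8100:  # 802.1Q tag: 2-byte TCI, then the real EtherType
        tci, etype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if etype != 0x0800 or len(frame) < off + 20:
        return vlan, None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17 or len(frame) < off + ihl + 8:  # not UDP / truncated
        return vlan, None
    if set(struct.unpack_from("!HH", frame, off + ihl)) != {67, 68}:
        return vlan, None
    opts = frame[off + ihl + 8 + 236:]
    if opts[:4] != MAGIC:
        return vlan, None
    i = 4
    while i + 2 < len(opts) and opts[i] != 255:
        if opts[i] == 0:          # pad option has no length byte
            i += 1
        elif opts[i] == 53:       # DHCP message type
            return vlan, DHCP_TYPES.get(opts[i + 2], "type %d" % opts[i + 2])
        else:
            i += 2 + opts[i + 1]
    return vlan, None

def diagnose(frames, wan_vlan=911):
    """Summarise DHCP activity in a capture taken on the physical WAN port."""
    seen = [inspect(f) for f in frames]
    sent = sum(1 for v, t in seen if v == wan_vlan and t in ("DISCOVER", "REQUEST"))
    got = sum(1 for v, t in seen if v == wan_vlan and t in ("OFFER", "ACK", "NAK"))
    stray = sorted({"untagged" if v is None else str(v) for v, t in seen if t and v != wan_vlan})
    verdict = ("server answers on this VLAN" if got else
               "tagged requests sent, no reply" if sent else "no DHCP on this VLAN")
    return {"sent": sent, "replies": got, "other_vlans": stray, "verdict": verdict}
```

A result of "tagged requests sent, no reply" with an empty `other_vlans` list matches the situation in this thread: the router side is tagging as required and the missing piece is upstream.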