Hi guys,
Just taken delivery of my 4011 and I am trying to set everything up before I plug it into my internet.
First problem I am having is on the quick setup page, I put in my static ISP internet details, and change the network to the usual 192.168.1.10-254, with the router being assigned 192.168.1.1.
Now, for some reason, when I apply the changes, it hands out an IP to my laptop (1.254), but when I try to get access via 1.1 it refuses to connect, so I have to keep doing a hard reset.
I check the network settings, and it is showing the 1.1 default gateway etc.
That is all I am doing for now and can’t seem to get any further!
Thanks
mkx
December 7, 2019, 1:25pm
2
Download winbox utility, it has MAC connection mode (so management workstation does not have to be in same IP subnet). After you set things and you lose connectivity, connect using winbox and check if everything is set up correctly.
If you can’t find the problem, open terminal window, execute command /export hide-sensitive file=export20191207.rsc, transfer the resulting file (you should find it in Files section) to your PC, open it using text editor, obfuscate your public IP address, any username and password, and then copy-paste it here (use [code][/code] environment).
Hi and thanks.
Config below.
I will be setting up IPV6 at some point.
Also, Eth1 will be my WAN, with 2-5 as single LAN
/interface bridge
add admin-mac=C4:AD:34:55:CB:73 auto-mac=no comment=defconf name=bridge
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Ok I gave up trying to reconfigure it in the end.
I have updated to the latest stable release but not really bothered trying again.
Thanks
The attitude to success is never give up… so, when you were setting up, did you create a user and password? Are you sure it's not your browser preventing you? Did you download and try Winbox?
Sorry, yes, it does seem like I have given up, but I haven’t really!
I just needed to get the internet and network back online as soon as I could, so I left it at the default for now.
I haven’t yet set up a password, but I did use Winbox for the config I posted above!
It’s fairly obvious what the problem was:
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/ip address add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
If you can’t work it out then you need to do some more reading...
And don’t use Quick Set!
Sorry, new to MikroTik.
And in-depth networking, and yes, I did use Quickset as it seemed the quickest way to get back up and running.
mkx
December 7, 2019, 8:57pm
9
Not really OP’s fault, seems like there’s a bug in how QuickSet handles setting default LAN address on bridge (could be remnant from the “master port” times).
@jasons6930: follow advice by @sid5632 and don’t ever use QuickSet on this unit again. Then go to IP->address, select address 192.168.1.1/24 and change interface to bridge. Chances are that it’ll start to work afterwards.
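A check for the misconfiguration identified in this thread, as an added example that is not part of any poster's reply or of MikroTik's own tooling: it parses a RouterOS export and reports any /ip address entry bound to an interface that is also a bridge member port. The function names are hypothetical and the sample text is constructed, cut down from the export posted above.

```python
import re

# Constructed sample: the relevant lines of the export posted in this thread.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\\
    192.168.1.0
"""

PARAM = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')   # key=value or key="quoted value"
MENU = re.compile(r'^(/.*?)(?:\s+(add|set)\s+(.*))?$')    # "/menu path" [add|set params]

def parse_export(text):
    """Return [(menu, params)] for every add/set line of a RouterOS export."""
    text = re.sub(r'\\\r?\n\s*', '', text)   # rejoin "\" line continuations
    menu, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = MENU.match(line)
        if m:                                # menu line, optionally with an inline command
            menu = m.group(1)
            if m.group(2) is None:
                continue
            line = f"{m.group(2)} {m.group(3)}"
        if menu and line.startswith(("add ", "set ")):
            params = {k: v.strip('"') for k, v in PARAM.findall(line)}
            entries.append((menu, params))
    return entries

def addresses_on_bridge_ports(text):
    """Find /ip address entries bound to an interface that is a bridge member port."""
    entries = parse_export(text)
    member_of = {p["interface"]: p["bridge"] for menu, p in entries
                 if menu == "/interface bridge port" and "interface" in p and "bridge" in p}
    return [(p.get("address"), p["interface"], member_of[p["interface"]])
            for menu, p in entries
            if menu == "/ip address" and p.get("interface") in member_of]

if __name__ == "__main__":
    for address, port, bridge in addresses_on_bridge_ports(SAMPLE_EXPORT):
        print(f"{address} is on {port}, a member port of '{bridge}'; move it to '{bridge}'")
```

Running it over an export before putting the router into service catches this case without needing a MAC-mode Winbox session to recover access.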
Thanks.
Message understood about quick set.
To be honest, I am using Winbox now but still trying to figure it all out!
I knew it was going to be a steep learning curve, but I have heard so many good things about MT, I decided to jump in feet first.