Fresh installation issues.

Hello,

I’m not new to routers, but I am new to RouterOS 7.17. I’m currently using a Ubiquiti EdgeRouter 3 Lite (and had some previous trials with pfSense/OPNsense).
I took a Dell OptiPlex, installed RouterOS and got a license (I should have tried it before I bought it, but OK).
The machine has two network ports, one onboard and one PCIe Intel.
I’m currently connected on the onboard NIC, ether1; WinBox shows ether1, ether2 and lo.
My DNS server at 192.168.1.2 seems to time out (it used to work before I tried RouterOS; no clue what’s going on there).

Currently I want to keep the 192.168.1.x/24 range, since I have systems set to a static IP.
And I want to set RouterOS to the same IP my current router is configured at: 192.168.1.1 (I know this will give conflicts).

I did a complete reset prior to posting here.
I’m currently connected using WinBox and used the following to configure it.

/interface vlan
add interface=ether1 name=vlan1.300 vlan-id=300

/ip dhcp-client
add interface=vlan1.300 add-default-route=yes disabled=no use-peer-dns=no use-peer-ntp=no

/interface bridge
add name=local arp=proxy-arp

/interface bridge port
add bridge=local interface=ether2

/ip address
add address=192.168.1.1/24 interface=local

/ip dns
set allow-remote-requests=yes servers=192.168.1.2,1.1.1.1

/ip firewall filter
add action=accept chain=input in-interface=vlan1.300 protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=vlan1.300

/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan1.300

/ip pool
add name=homenetwork ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=homenetwork authoritative=yes interface=local lease-time=8h name=dhcp-home
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=mwbreur.local gateway=192.168.1.1

I also have a question regarding existing devices like the switch, DNS server, etc.
Should I keep them on their current static IPs, or do I set them (where possible) to DHCP and make them static through the UI?
Also, I have looked through some documents, but I can’t quite figure out how to do NAT/port forwarding.

If you use a DHCP client, then besides the configuration you also need to post the output of the commands:

/ip address print

and

/ip route print

so that we can also see the dynamic part of the configuration.

What you posted so far seems fine, with the exception of the firewall. I would advise you to start from the default settings that the MikroTik SOHO devices have; see here:
http://forum.mikrotik.com/t/rb5009-in-the-hands-of-a-newbie-gateway-problem/180795/1

Usually new users’ firewall rules tend to be either too strict or too wide, and besides, if you get familiar with the concept of interface lists, your configurations, if not “better”, will be more “flexible”.

About network addresses there are, as always, different schools of thought. Personally, I like any device that is physically “static” (routers, switches, desktop PCs, NAS, printers, etc.) to have static addresses, and whatever is physically “mobile” (including laptop PCs connected by wire that can be moved from one room to the other) to be dynamically assigned, but of course one can use DHCP with some static addresses reserved/assigned by MAC.
As I see it, with everything delegated to a DHCP server, if the DHCP server (which usually is also the router) fails, you not only no longer have an internet connection, you cannot even print or move files inside your LAN (if the lease ends, or if the device has been switched on or connected after the failure).

Thanks for the reply,

Here’s the information requested:

#   ADDRESS            NETWORK       INTERFACE
0   192.168.1.1/24     192.168.1.0   local
1 D 188.90.176.210/23  188.90.176.0  vlan1.300

Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY       DISTANCE
DAd 0.0.0.0/0        188.90.176.1         1
DAc 188.90.176.0/23  vlan1.300            0
DAc 192.168.1.0/24   local                0

I’m currently trying to get my port forwards going, but it’s messy. I checked some guides, but they seem different from the interface I have. CLI, however?
I’m afraid that if I try this I’ll break stuff.
What I want to do:
Nginx Proxy Manager is running on 192.168.1.5, so I thought this would be correct?

/ip firewall nat

add action=dst-nat chain=dstnat dst-address=188.90.176.210 dst-port=443 \
protocol=tcp to-addresses=192.168.1.5 to-ports=443

add action=dst-nat chain=dstnat dst-address=188.90.176.210 dst-port=80 \
protocol=tcp to-addresses=192.168.1.5 to-ports=80

add action=masquerade chain=srcnat dst-address=192.168.1.0/24 \
dst-address-type=!local src-address=192.168.1.0/24 src-address-type=\
!local

OK, WireGuard is acting weirdly. I followed a guide which didn’t work for me: https://www.youtube.com/watch?v=meamyOwG7cc
Then I took my old .conf from my server and compared those. I entered everything in ‘Peer’ and eventually got a QR code I couldn’t scan. I went to my Ubuntu server to generate a QR code using the settings from RouterOS that are shown above the QR code. I can’t get it to work; it works when I’m on Wi‑Fi, but… I can’t figure it out. I compared .conf files from the Ubuntu server, edited them and even manually added everything. For whatever reason it just doesn’t work.

Got it up and running now though; it seems stable. (It seemed to be some cable that caused the issues; I have 8 cables to check.)

Also, I noticed a “conflict” but I’m not sure what to do about it. Not much info is given there, and from what I can tell mostly everything is working; I honestly have no clue what device this is.

Detected conflict by ARP response for 192.168.1.101 from 0C:F4:D5:33:AD:F0

This is the entire config :

/interface bridge
add arp=proxy-arp name=local
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether2 ] disable-running-check=no rx-flow-control=auto \
    tx-flow-control=auto
/interface vlan
add interface=ether1 name=vlan1.300 vlan-id=300
/iot lora servers
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=homenetwork ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=homenetwork interface=local lease-time=8h name=dhcp-home
/ip smb users
add comment=admin name=admin
/port
set 0 name=serial0
set 1 name=serial4
/ip smb
set domain=WORKGROUP
/dude
set enabled=yes
/interface bridge port
add bridge=local interface=ether2
/interface detect-internet
set detect-interface-list=all
/iot lora traffic options
set crc-errors=no
set crc-errors=no
/ip address
add address=192.168.1.1/24 interface=local network=192.168.1.0
/ip dhcp-client
add interface=vlan1.300 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=mwbreur.local gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.2,1.1.1.1
/ip firewall filter
add action=accept chain=input in-interface=vlan1.300 protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=vlan1.300
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan1.300
add action=dst-nat chain=dstnat dst-address=188.90.176.210 dst-address-list="" \
    in-interface=vlan1.300 protocol=tcp src-port=51820 to-addresses=192.168.1.2 \
    to-ports=51280
/ip nat-pmp
set enabled=yes
/ip smb shares
set [ find default=yes ] disabled=no
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no

For whatever reason, https://help.mikrotik.com/docs/spaces/RKB/pages/154042388/Port+forwarding doesn’t even work. I have no idea where to go from here; something seems wrong, but I don’t know why or what. Internet is working.

My domain is pointing in the right direction but i can’t get it to forward ports to my internal network.
It makes no sense…
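Reading the export above the way a reviewer would, the port-forward problem is visible in the rules themselves: the 80/443 dst-nat rules from the earlier post are no longer in the export, and the one rule that remains matches protocol=tcp and src-port=51820 (WireGuard is UDP, and the match has to be on dst-port, the port the remote client sends to) and then translates to to-ports=51280, a transposed port number. What follows is an added example, not the original poster's configuration and not a MikroTik document: a corrected NAT section for exactly the names used in this thread (WAN vlan1.300 with the DHCP address 188.90.176.210, LAN bridge "local" on 192.168.1.0/24, Nginx Proxy Manager on 192.168.1.5, and a WireGuard server on 192.168.1.2 whose listen port 51820 is assumed from the posted rule), plus the checks a practitioner would run, the diagnosis of the ARP-conflict message, and two services in the export that should not stay enabled. It assumes the forward chain is left as in the export (no rules, so accept-all) or follows the default firewall, whose "drop all from WAN not DSTNATed" rule already lets dst-nat'ed connections through; in both cases forwarded traffic never enters the input chain, so the three input rules posted above are not what is blocking it.

```routeros
# Added example, not the poster's export. Interfaces and addresses as in the
# thread; the WireGuard listen port 51820 on 192.168.1.2 is an assumption
# taken from the posted rule.

# --- Destination NAT (port forwarding) -------------------------------------
# Match on the WAN interface rather than on 188.90.176.210: that address is a
# DHCP lease and a rule keyed on it silently stops matching when it changes.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=vlan1.300 protocol=tcp dst-port=80 \
    to-addresses=192.168.1.5 to-ports=80 comment="NPM http"
add chain=dstnat action=dst-nat in-interface=vlan1.300 protocol=tcp dst-port=443 \
    to-addresses=192.168.1.5 to-ports=443 comment="NPM https"
# WireGuard: UDP, match on dst-port, and to-ports must equal the real listen
# port (the export had protocol=tcp, src-port=51820 and to-ports=51280).
add chain=dstnat action=dst-nat in-interface=vlan1.300 protocol=udp dst-port=51820 \
    to-addresses=192.168.1.2 to-ports=51820 comment="WireGuard on Ubuntu"

# --- Source NAT -----------------------------------------------------------
# The masquerade already posted, plus hairpin NAT: a LAN client connecting to
# the public name is dst-nat'ed to 192.168.1.5, and without this rule
# 192.168.1.5 answers the client directly from its LAN address, which the
# client never connected to, so the handshake fails from inside the LAN only.
add chain=srcnat action=masquerade out-interface=vlan1.300 comment="masquerade to WAN"
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.0/24 comment="hairpin NAT for port forwards"

# --- Verify -----------------------------------------------------------------
# Counters that stay at zero mean the rule never matched. Test from OUTSIDE
# (mobile data), not from a LAN host, unless the hairpin rule is in place.
/ip firewall nat print stats where chain=dstnat
# Does the SYN even arrive on the WAN side? (Ctrl-C to stop.)
/tool sniffer quick interface=vlan1.300 port=443

# --- "Detected conflict by ARP response for 192.168.1.101 from 0C:F4:D5:33:AD:F0"
# The DHCP server ARP-probes an address before offering it; a host answered
# from inside the pool (192.168.1.100-254), i.e. something static sits there.
/ip arp print where address=192.168.1.101
/ip neighbor print          # MNDP/LLDP/CDP neighbours, often with a hostname
# Either move the pool above the statics (the .150 boundary is an assumption) ...
/ip pool set homenetwork ranges=192.168.1.150-192.168.1.254
# ... or, once the device is identified, pin it to the address it already uses:
# /ip dhcp-server lease add address=192.168.1.101 mac-address=0C:F4:D5:33:AD:F0 \
#     server=dhcp-home comment="static lease after ARP conflict"

# --- Things in the export that widen exposure -----------------------------
# UPnP and NAT-PMP let any LAN device open its own inbound ports; the default
# SMB share publishes a file share from the router itself.
/ip upnp set enabled=no
/ip nat-pmp set enabled=no
/ip smb shares set [ find default=yes ] disabled=yes
```

The dst-nat rules alone are what the help page describes; the hairpin rule is the part most guides skip, and it is the reason a forward that "works from my phone on mobile data but not from the laptop" looks broken when tested only from inside the LAN.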

I gave up; I was running into so many issues. I used a different machine to do something else.

For some reason my interface list was empty, Quickset broke the entire installation, and port forwarding, even using guides, didn’t work at all.
WinBox is really nice; however, in the latest beta QR codes are bugged. Using 3.40 the QR codes were correct.

Going to give pfSense a go now. I’ve already spent too much time getting the basic stuff to work.
A simple port forward shouldn’t be this hard; having WireGuard in the router should make things easier, but it just doesn’t. The one on my Ubuntu server just works.

Sorry for the bother.

You can find step-by-step tutorials online to get you started, but some are outdated due to changes in ROS.

  1. Never use Quickset - use an empty config from a test machine
  2. Configure the firewall for WAN
  3. Forward ports as required
  4. Set your VLANs (a big step)
  5. Secure the firewall (hardening)

WireGuard and any reverse proxy should be configured after, when you understand some of the basics of ROS. If you have a basic understanding of how Linux firewalls work, you’ll get a basic setup up and running quickly. Granted, the GUI is not as polished as other offerings, but ROS is very powerful for those who need those extra features.

https://www.youtube.com/watch?v=OXZAXPZce4U
https://www.youtube.com/watch?v=a_8AV6vIDYQ
https://www.youtube.com/watch?v=4G_TAiBQisE
https://www.youtube.com/watch?v=xpepZgIvVYY
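The advice given twice in this thread (start from the SOHO default firewall and use interface lists; never start from Quickset, firewall the WAN, then forward ports, then harden) can be typed in as one block. This is an added example, not a MikroTik document and not either replier's text: it is the factory-default RouterOS 7 filter set mapped onto the interfaces from this thread, with WAN = vlan1.300 and LAN = the bridge "local" as the only assumptions. The commented-out WireGuard input rule uses 13231, the RouterOS default listen port, and only matters if WireGuard runs on the router itself rather than on the Ubuntu server.

```routeros
# Added example, not the factory export or the thread's own configuration.
# Assumptions: WAN = vlan1.300, LAN = bridge "local".
/interface list
add name=WAN comment="untrusted upstream"
add name=LAN comment="trusted"
/interface list member
add list=WAN interface=vlan1.300
add list=LAN interface=local

# The rules mirror the RouterOS 7 "defconf" firewall. The point of the lists
# is that a second WAN or a new VLAN later is a member change, not a rule change.
/ip firewall filter
# input: packets addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 \
    comment="defconf: accept to local loopback (for CAPsMAN)"
# If WireGuard runs on the router, its listen port must be accepted BEFORE the
# final drop (13231 is the RouterOS default; use your interface's port):
# add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=13231 \
#     comment="WireGuard on the router"
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"

# forward: packets routed through the router
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# This one rule is what makes port forwarding coexist with a closed WAN: a new
# connection from WAN is allowed only if a dstnat rule has already rewritten it.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="defconf: masquerade"

# Hardening (step 5 in the list above): management only from the LAN list,
# and no services the router does not need to offer.
/ip service set [ find name=telnet ] disabled=yes
/ip service set [ find name=ftp ] disabled=yes
/ip service set [ find name=www ] disabled=yes
/ip service set [ find name=api ] disabled=yes
/ip service set [ find name=winbox ] address=192.168.1.0/24
/ip service set [ find name=ssh ] address=192.168.1.0/24
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# Check: the WAN drop rule must be last in the input chain and should be the
# one whose counters grow with unsolicited WAN traffic.
/ip firewall filter print stats where chain=input
```

Order matters in both chains: the accept rules for established/related traffic and the drop for invalid come first, and anything specific (a WireGuard port, a management exception) is inserted above the closing drop, never after it.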