Hi all,
Please bear with me, I am lack a lot of knowledge about vlans, routing, and firewalls.
I have two issues, one about the connectivity and another about restoring a configuration on reset.
I have an FTTH connection at home, terminated in an ONT. I’ve replaced the modem-router provided by the ISP with a Mikrotik HAP3 that worked for the last 6 months. Since last night, suddenly it doesn’t and this is making me very suspicious. After speaking with thier helpdesk, they said they set my mac address again as allowed on their side, and after a while the mikrotik detected the internet connection. My ISP is a bit shady when not using the router they provide, the only indication they give is to tag the vlan id 835 on the wan interface.
Now the mikrotik it pings public ips and fqdns, but the lan clients don’t (wifi and wired network).
I am the only one that can access the router and I am sure the configuration was not modified.
All this makes me think that I have a very basic config that has something missing and the ISP was “tollerant” about this, now they made some change on their side and I’m missing something.
Do you think mine is a standard config for FTTH? Am I missing something that normally should have? I don’t know, maybe the traffic sent outside must normally be tagged in some way?
About restoring the configuration, I’m not getting this right. Reading the wiki, I understand the following command should be issued:
/system reset-configuration no-defaults=yes run-after-reset=my-config.rsc
The device performs the reset, but it does not load my saved config.
The content of the my-config.rsc is exactly the config in this post.
What am I doing wrong?
My network setup is very simple, there are few clients connected via wifi that access the Internet. No vpn, no nothing.
Thank you very much!
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=italy disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=MikroTik2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=italy disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=MikroTik5 wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan835 vlan-id=835
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.50-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=192.168.2.0
/ip dhcp-client
add comment=confv2 disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=1.1.1.1 gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
# CHAIN: Input
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="confv2: accept from LAN" in-interface-list=LAN
add action=drop chain=input comment="confv2: drop everything not permitted"
# CHAIN: Forward
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="confv2: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="confv2: allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=reject chain=forward comment="confv2: useful for tracking LAN issues" in-interface-list=LAN reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="confv2: drop everything else"
/ip firewall mangle
add action=set-priority chain=forward new-priority=0 out-interface=vlan835 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="configv2: masquerade" out-interface=vlan835
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN