Help with DNS, Allow Remote Requests and Firewall

Hello, first of all… excuse my bad English. I will try to make myself as clear and understandable as I can.

I have a Mikrotik with RouterOS version 6.41.2.

It's been in use for a couple of years now and I'm really satisfied with it. Never been rebooted except when the electricity goes off in the house. Really stable!

Yesterday I tried to make a “local DNS” for my home network. I do not know if my terms are right, as I'm not a network guru.
What I mean is that I want the network addresses of my devices to be static, using the DHCP server on the MikroTik and binding MAC addresses to specific IPs.
Also I want, for example, “mikrotik.local” & “server1.local” to refer to “192.168.1.1” & “192.168.1.100”.

I managed to get static IPs assigned to my MAC addresses.
I also managed to get “local DNS” (server1.local) to work… but whether I have done it the right way, I don't know! What I did was go to (in the RouterOS administration page)…
“IP” → “DNS” → “STATIC” → “ADD NEW”…
Then in those fields I typed Name → “server1.local” and Address → “192.168.1.100”

Also (I don't know if this was ticked before, but I think so?), in DNS I ticked “Allow remote requests” (this is why I need help with my firewall rules, as I have read that I need to somehow set this up). Thing is, I MUST have “Allow remote requests” ticked, or else my internet does not work at home. Is this normal?

And the last thing I did, I think… was to add “192.168.1.1” as a dynamic server in the DNS section. (I already had two dynamic servers there before.)

NOW, everything works as I want. But…

  1. Have I done this the right way?
  2. “Allow remote requests”… how do I set up my firewall for this correctly?
  3. My router version is 6.41.2, should I update this to 6.43.8? I actually thought it was updating automatically… How do I update?
  4. Is there anything else I need to do?

Please explain as simply as possible… I have never used a script or the terminal in RouterOS, if I need to do this.

Thanks for your help.

Best regards.
Thomas

  1. Update your firmware to the latest version!!
  2. Post your config so that we can comment on your setup.
    /export hide=sensitive file=yourlatestconfig

I’m with @anav: upgrade to 6.42.11 (latest long-term currently) or 6.43.8 (latest stable)


That's about right.


Probably you'll have to add some rules which restrict connections to the router itself (show the exported setup so we can comment on which rules need to be added). If you started with the default setup of a recent ROS version, you'd already be fine.

That’s normal … “remote” here means “any device which is not this router” … so either LAN or internet hosts qualify.


Don't … the list of DNS servers in the DNS section is used by the DNS server itself to forward requests if the router doesn't know the answer (either statically set, as you did, or cached from previous requests). The router should not query itself; it'll enter an infinite loop.

The place where you should add the router's IP address is at IP > DHCP SERVER → NETWORK … so that it'll get used by LAN hosts which get their IP config from the DHCP server running on your RB. And it should be the only DNS server IP address configured there. Verify on some client machine that it really contains only this address … I seem to remember that the DHCP client (run on the router) might push dynamic DNS servers to the DHCP server config as well.

Thank you very much!

I have updated to 6.43.8.

Here is my config:

# jan/19/2019 10:56:15 by RouterOS 6.43.8
# software id = LAH2-21J1
# model = CRS125-24G-1S
# serial number = 5A8C058B7CF7

/interface bridge
add admin-mac=E4:8D:8C:81:A8:B7 arp=proxy-arp auto-mac=no fast-forward=no \
    mtu=1500 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local speed=100Mbps
set [ find default-name=ether2 ] name=ether2-slave-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
set [ find default-name=ether6 ] name=ether6-slave-local speed=100Mbps
set [ find default-name=ether7 ] name=ether7-slave-local speed=100Mbps
set [ find default-name=ether8 ] name=ether8-slave-local speed=100Mbps
set [ find default-name=ether9 ] name=ether9-slave-local speed=100Mbps
set [ find default-name=ether10 ] name=ether10-slave-local speed=100Mbps
set [ find default-name=ether11 ] name=ether11-slave-local speed=100Mbps
set [ find default-name=ether12 ] name=ether12-slave-local speed=100Mbps
set [ find default-name=ether13 ] name=ether13-slave-local speed=100Mbps
set [ find default-name=ether14 ] name=ether14-slave-local speed=100Mbps
set [ find default-name=ether15 ] name=ether15-slave-local speed=100Mbps
set [ find default-name=ether16 ] name=ether16-slave-local speed=100Mbps
set [ find default-name=ether17 ] name=ether17-slave-local speed=100Mbps
set [ find default-name=ether18 ] name=ether18-slave-local speed=100Mbps
set [ find default-name=ether19 ] name=ether19-slave-local speed=100Mbps
set [ find default-name=ether20 ] name=ether20-slave-local speed=100Mbps
set [ find default-name=ether21 ] name=ether21-slave-local speed=100Mbps
set [ find default-name=ether22 ] name=ether22-slave-local speed=100Mbps
set [ find default-name=ether23 ] name=ether23-ubiquiti speed=100Mbps
set [ find default-name=ether24 ] name=ether24-gateway speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    sfp1-slave-local
/interface pptp-server
add name=pptp-in1 user=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name="dhcp range for unknown devices" ranges=192.168.1.170-192.168.1.199
add name=pptp-pool ranges=192.168.1.151-192.168.1.160
/ip dhcp-server
add address-pool="dhcp range for unknown devices" authoritative=\
    after-2sec-delay disabled=no interface=bridge1 lease-time=23h name=dhcp1
/ppp profile
set *FFFFFFFE bridge=bridge1 local-address=192.168.1.1 remote-address=\
    pptp-pool
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether1-master-local
add bridge=bridge1 interface=ether2-slave-local
add bridge=bridge1 interface=ether3-slave-local
add bridge=bridge1 interface=ether4-slave-local
add bridge=bridge1 interface=ether5-slave-local
add bridge=bridge1 interface=ether6-slave-local
add bridge=bridge1 interface=ether7-slave-local
add bridge=bridge1 interface=ether8-slave-local
add bridge=bridge1 interface=ether9-slave-local
add bridge=bridge1 interface=ether10-slave-local
add bridge=bridge1 interface=ether11-slave-local
add bridge=bridge1 interface=ether12-slave-local
add bridge=bridge1 interface=ether13-slave-local
add bridge=bridge1 interface=ether14-slave-local
add bridge=bridge1 interface=ether15-slave-local
add bridge=bridge1 interface=ether16-slave-local
add bridge=bridge1 interface=ether17-slave-local
add bridge=bridge1 interface=ether18-slave-local
add bridge=bridge1 interface=ether19-slave-local
add bridge=bridge1 interface=ether20-slave-local
add bridge=bridge1 interface=ether21-slave-local
add bridge=bridge1 interface=ether22-slave-local
add bridge=bridge1 interface=ether23-ubiquiti
add bridge=bridge1 interface=sfp1-slave-local
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=ether1-master-local network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether24-gateway
# DHCP client can not run on slave interface!
add dhcp-options=hostname,clientid disabled=no interface=ether1-master-local
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:4:18:d6:d0:55:83 comment=ACCESSPUNKTER \
    mac-address=04:18:D6:D0:55:83 server=dhcp1
add address=192.168.1.52 client-id=1:0:1d:ec:8:ce:4c mac-address=\
    00:1D:EC:08:CE:4C server=dhcp1
add address=192.168.1.51 client-id=1:0:1d:ec:a:52:b2 mac-address=\
    00:1D:EC:0A:52:B2 server=dhcp1
add address=192.168.1.111 client-id=1:28:cf:da:2a:d8:97 comment="APPLE TV" \
    mac-address=28:CF:DA:2A:D8:97 server=dhcp1
add address=192.168.1.31 client-id=1:f0:b4:79:6:0:db comment=\
    "AIRPORT EXPRESS" mac-address=F0:B4:79:06:00:DB server=dhcp1
add address=192.168.1.112 client-id=1:98:d6:bb:1c:30:36 mac-address=\
    98:D6:BB:1C:30:36 server=dhcp1
add address=192.168.1.101 client-id=1:8c:2d:aa:4a:1e:c7 mac-address=\
    8C:2D:AA:4A:1E:C7 server=dhcp1
add address=192.168.1.21 comment="RASPBERRY PI" mac-address=B8:27:EB:4A:0D:B3 \
    server=dhcp1
add address=192.168.1.201 comment=SHELLY mac-address=CC:50:E3:1D:95:39 \
    server=dhcp1
add address=192.168.1.100 client-id=1:d0:17:c2:d4:84:e0 comment="PC och MAC" \
    mac-address=D0:17:C2:D4:84:E0 server=dhcp1
add address=192.168.1.42 client-id=1:cc:f7:35:e2:ed:56 mac-address=\
    CC:F7:35:E2:ED:56 server=dhcp1
add address=192.168.1.41 comment="AMAZON ECHO" mac-address=44:00:49:4A:6C:C0 \
    server=dhcp1
add address=192.168.1.113 client-id=1:98:d6:bb:1c:30:35 mac-address=\
    98:D6:BB:1C:30:35 server=dhcp1
add address=192.168.1.50 client-id=1:70:2a:d5:ec:39:de comment=\
    "DIGITALBOXAR & TV" mac-address=70:2A:D5:EC:39:DE server=dhcp1
add address=192.168.1.102 client-id=1:c8:63:f1:f9:25:aa mac-address=\
    C8:63:F1:F9:25:AA server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=local gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=mikrotik.local
add address=192.168.1.2 name=ubiquiti1.local
add address=192.168.1.52 name=vusolo2.local
add address=192.168.1.51 name=vuzero.local
add address=192.168.1.3 name=ubiquiti2.local
add address=192.168.1.11 name=server1.local
add address=192.168.1.21 name=raspberrypi1.local
add address=192.168.1.31 name=airport1.local
add address=192.168.1.32 name=airport2.local
add address=192.168.1.33 name=airport3.local
add address=192.168.1.34 name=airport4.local
add address=192.168.1.35 name=airport5.local
add address=192.168.1.41 name=echospot1.local
add address=192.168.1.42 name=echodot1.local
add address=192.168.1.50 name=samsungtv.local
add address=192.168.1.100 name=pc.local
add address=192.168.1.101 name=imac.local
add address=192.168.1.102 name=ps4.local
add address=192.168.1.103 name=yamaha.local
add address=192.168.1.111 name=appletv1.local
add address=192.168.1.112 name=appletv2.local
add address=192.168.1.113 name=appletv3.local
add address=192.168.1.201 name=shelly1.local
add address=192.168.1.202 name=shelly2.local
add address=192.168.1.203 name=shelly3.local
add address=192.168.1.204 name=shelly4.local
add address=192.168.1.205 name=shelly5.local
add address=192.168.1.206 name=shelly6.local
add address=192.168.1.207 name=shelly7.local
add address=192.168.1.208 name=shelly8.local
add address=192.168.1.209 name=shelly9.local
add address=192.168.1.210 name=shelly10.local
/ip firewall filter
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow established" connection-state=\
    established
add action=accept chain=input comment="Allow related" connection-state=\
    related
add action=accept chain=input comment="Allow PPTP Server Gre" protocol=gre
add action=accept chain=input comment="Allow PPTP Server 1723" dst-port=1723 \
    protocol=tcp
add action=drop chain=input comment="Drop everything else - Input" \
    in-interface=ether24-gateway
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether24-gateway
add action=dst-nat chain=dstnat comment="NAT Port 80 to VU WebIF V-rum" \
    dst-port=80 in-interface=ether24-gateway protocol=tcp to-addresses=\
    192.168.1.31 to-ports=80
add action=dst-nat chain=dstnat comment="Vu+ Solo2 Streaming" dst-port=8001 \
    in-interface=ether24-gateway protocol=tcp to-addresses=192.168.1.31 \
    to-ports=8001
add action=dst-nat chain=dstnat dst-port=8002 in-interface=ether24-gateway \
    protocol=tcp to-addresses=192.168.1.31 to-ports=8002
/lcd
set backlight-timeout=never default-screen=interfaces
/ppp secret
add name=jonas profile=default-encryption service=pptp
add name=thomas profile=default-encryption service=pptp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Stockholm
/system ntp client
set enabled=yes primary-ntp=192.36.133.17
/system scheduler
add interval=1h name="NO-IP UPDATE" on-event=no_ip_update policy=\
    read,write,test start-date=nov/17/2015 start-time=20:14:00
/system script
add dont-require-permissions=no name=no_ip_update owner=admin policy=\
    read,write,test source="# No-IP automatic Dynamic DNS update\
    \n\
    \n#--------------- Change Values in this section to match your setup -----\
    -------------\
    \n\
    \n# No-IP User account info\
    \n:local noipuser \"xxx\"\
    \n:local noippass \"xxx\"\
    \n\
    \n# Set the hostname or label of network to be updated.\
    \n# Hostnames with spaces are unsupported. Replace the value in the quotat\
    ions below with your host names.\
    \n# To specify multiple hosts, separate them with commas.\
    \n:local noiphost \"xport.no-ip.org\"\
    \n\
    \n# Change to the name of interface that gets the dynamic IP address\
    \n:local inetinterface \"ether24-gateway\"\
    \n\
    \n#-----------------------------------------------------------------------\
    -------------\
    \n# No more changes need\
    \n\
    \n:global previousIP\
    \n\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\
    \n# Get the current IP on the interface\
    \n :local currentIP [/ip address get [find interface=\"\$inetinterface\"\
    \_disabled=no] address]\
    \n\
    \n# Strip the net mask off the IP address\
    \n :for i from=( [:len \$currentIP] - 1) to=0 do={\
    \n :if ( [:pick \$currentIP \$i] = \"/\") do={\
    \n :set currentIP [:pick \$currentIP 0 \$i]\
    \n }\
    \n }\
    \n\
    \n :if (\$currentIP != \$previousIP) do={\
    \n :log info \"No-IP: Current IP \$currentIP is not equal to previou\
    s IP, update needed\"\
    \n :set previousIP \$currentIP\
    \n\
    \n# The update URL. Note the \"\\3F\" is hex for question mark (?). Requi\
    red since ? is a special character in commands.\
    \n :local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$curr\
    entIP\"\
    \n :local noiphostarray\
    \n :set noiphostarray [:toarray \$noiphost]\
    \n :foreach host in=\$noiphostarray do={\
    \n :log info \"No-IP: Sending update for \$host\"\
    \n /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuse\
    r password=\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host\
    \_. \".txt\")\
    \n :log info \"No-IP: Host \$host updated on No-IP with IP \$cur\
    rentIP\"\
    \n }\
    \n } else={\
    \n :log info \"No-IP: Previous IP \$previousIP is equal to current I\
    P, no update needed\"\
    \n }\
    \n} else={\
    \n :log info \"No-IP: \$inetinterface is not currently running, so there\
    fore will not update.\"\
    \n}"
/tool graphing interface
add interface=ether24-gateway

Also, what is the best way to see activity in and out on my router?

Bump…

Very strange config for me to try and decipher.
First, you have no forward firewall filter rules???
Then you have ether1, which seems to be a LAN port, but then it seems to be a WAN port.
It's not clear if your WAN port is also your LAN DHCP server etc… totally frigged up.

Also, you have not explicitly stated which DNS servers you want your network to be using??
a. the ISP DNS servers (dynamic)
b. outside DNS servers such as google and opendns

This is how it looks in the gui:
Ether1 should be a LAN port. Why does it seem to be a WAN port?
My fiber modem goes to ether24, and my wireless AP to ether23. Everything else should go to all my Ethernet ports in my rooms…

There are two ways, I believe, you can set up your DNS.

In IP > DHCP Server > Networks – DNS Servers

  1. If you set the DNS to your local IP such as 192.168.1.1, then you would need to enable “Allow Remote Requests”, because your router will now need to act as a DNS server. Hence it's also required that your router is able to communicate with DNS servers outside (internet). You will need to set up your inbound firewall so that no outside connection can use your router as a DNS server. You will also need to allow outbound requests going out on UDP 53 so that your router will be able to communicate with any DNS server of your liking.

  2. If you set the DNS servers to an IP like 8.8.8.8, then you do not need to enable “Allow Remote Requests”, because your clients will use this outside IP directly, hence it is not required.

Refer also to this for proper setup

https://wiki.mikrotik.com/wiki/Tips_and_Tricks_for_Beginners_and_Experienced_Users_of_RouterOS
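The advice from the earlier reply (router as the only DNS server handed out by DHCP, never its own address in the upstream list) and from option 1 above (no DNS for outside connections) written out as RouterOS commands; this is an added example, not something posted in this thread. It reuses the interface names from Thomas's export (bridge1 as LAN, ether24-gateway as WAN); the list names and the upstream resolvers 1.1.1.1 and 9.9.9.9 are my own choices.

```routeros
# Added example, not from this thread. Assumes bridge1 = LAN and
# ether24-gateway = WAN (Thomas's names); list names and resolvers are assumed.

# 1. Interface lists keep the firewall rules readable and easy to extend.
/interface list
add name=LAN
add name=WAN
/interface list member
add interface=bridge1 list=LAN
add interface=ether24-gateway list=WAN

# 2. DHCP hands out the router itself as the ONLY DNS server for the LAN.
/ip dhcp-server network
set [ find address=192.168.1.0/24 ] dns-server=192.168.1.1 gateway=192.168.1.1 \
    domain=local

# 3. The router answers LAN names itself and forwards what it does not know to
#    the upstream resolvers. Its own address must NOT be in this list (it would
#    query itself in a loop); the ISP's dynamic servers are an alternative.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add name=mikrotik.local address=192.168.1.1
add name=server1.local address=192.168.1.100

# 4. Input chain: accept DNS only from LAN, log and drop it on WAN, then drop
#    everything else from WAN. Rules are evaluated top to bottom, so order matters.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN \
    comment="DNS from LAN (UDP)"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN \
    comment="DNS from LAN (TCP)"
add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN \
    log=yes log-prefix="dns-wan" comment="log and drop DNS from WAN"
add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN \
    comment="drop DNS from WAN"
add chain=input action=drop in-interface-list=WAN comment="drop rest from WAN"

# 5. Checks from the router terminal:
#    servers must not contain 192.168.1.1; allow-remote-requests must be yes
/ip dns print
#    dns-server must be exactly 192.168.1.1
/ip dhcp-server network print detail
#    the WAN drop counters and log lines show outside queries being blocked
/ip firewall filter print stats where comment~"WAN"
/log print where message~"dns-wan"
```

The ICMP and PPTP accept rules from the export belong above the final drop rule if those services are still wanted; the DNS rules need no change for that.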