Hello fellow Networking enthusiasts,
I am “ALL IN” with the MikroTik brand and operating system. Having said that, however… I am feeling overwhelmed by a lack of networking knowledge and the time it’s taking to set up a router that has not been “over simplified into oblivion” with a robust OS behind it! I have seen others show off what it can do, so I’m trying to set up a small home network with two pieces of hardware, the hAP ax3 and the RB5009UG.
I have an Internet Service Provider providing internet and going into a cable modem. I’m currently using another brand of wifi product attached to that modem but would like to configure the RB5009UG+S+IN router to route traffic on my network. I will eventually replace the Netgear wifi router with a MikroTik hAP ax3 router. This hAP ax3 was the first piece of hardware I purchased from MikroTik. I had read somewhere (I thought that it was in one of these help forums) that the RB5009 should allow a user (using the default configuration) to plug Internet into the Ethernet port and then receive Internet out on its other ports. This has not been my experience however. So that I don’t omit details which may be important to troubleshooting my router configuration, I have designated the Internet IN port as the SFP-plus port by using an SFP-plus to Ethernet adapter. ALSO… I designated Ether 8 as a “Managed access port” which seemingly serves the purpose of allowing for easier management and configuration changes without losing connection from my computer or having to reset back to default configurations (Again!).
Below I’m posting my exported RB5009 configuration so that someone might tell me where it is that I have gone wrong. I have been working VERY hard to gain better understanding of RouterOS ver. 7, the MikroTik platform and general networking! I have watched hours of (seemingly) knowledgeable videos by reputable purveyors of networking teachers online. I also purchased courses on Udemy to hopefully understand what, how, and when to make changes. I may only liken my experience of gaining this knowledge to trying to take a drink of water from a fire hydrant… It is coming at you very fast and there is too much of it to be useful. My goal is to have a better understanding of the terminologies or methods that I learned so I may put them into a usable home networking context. THANK YOU for reading this post, and for any willingness you may have to guide me in the correct direction!
Hello,
I’m posting my configuration in plain text in this reply, Chechito. I noticed your reply saying something about “use code tags for proper readability”. That comment may not have been for me but I wanted to let you know, I’m sorry but I don’t know what that means. I did try to export the configuration file in color as I would assume that people who know more about this than I do would glean information from it, however, I could not get it to work for me.
In reference to my configuration file, it may be pretty obvious to some by looking at the file as to how my MikroTik is configured. I thought it may be helpful to briefly summarize how I have the router set up and how it is working for me. I have the SFP-plus (using an ethernet adapter) as Internet IN. Ether ports 1-7 are bridged together and have a set of IP addresses with a subnet mask of 255.255.255.0. I use Ether port 8 as a Managed access port for making all changes to the router and so as not to get shut out / locked out. It has an IP address of 10.0.1.1/30 (meaning its subnet mask is 255.255.255.252). I found it easiest to set up this way so I never get locked out and can have a bombproof connection between my computer and the router to make all changes.
THE PROBLEM: I cannot receive the internet “through” the device by Ethernet to my PC. Internet comes through to the router just fine. I can ping 8.8.8.8 and www.google.com from the terminal in the router. I cannot get the internet to come through to my PC though. I have it “hard wired” with an ethernet cable to ether 8, and have also tried the other ethernet ports with the same results. Both ether port 8 and ether port 2 give the same results to a terminal ping on my PC.
RESULTS: -ping to 8.8.8.8
Request timeout for imp-seq
-ping to www.google.com
error = cannot resolve google.com unknown host
So… this is where I’m at. Thank you for any help you might give to me.
You should start by using the “normal” default firewall settings, but first fix the following, otherwise your ether8 won’t have correct access:
/interface list
add name=WAN
add name=LAN
/interface list member
add interface="sfpplus1-(INTERNET--IN)" list=WAN
add interface="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" list=LAN
To:
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add interface="sfpplus1-(INTERNET--IN)" list=WAN
add interface="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" list=LAN
add interface="ether8--MANAGED-ACCESS" list=LAN
add interface="ether8--MANAGED-ACCESS" list=MGMT
Then, remove your current firewall rules and insert default firewall rules:
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
The default set of firewall rules is good for 99.999% of normal uses, and it should not be replaced/changed unless/until you really know what you are doing.
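As an added illustration (not code from the thread or from MikroTik), here is a small Python model of how the defconf input and forward chains above treat a packet depending on interface-list membership; it assumes the interface names from the posted config and uses constructed packets.

```python
# Added example (not the forum's code): a toy model of how RouterOS walks the
# "defconf" input/forward chains against interface lists, showing why ether8 must
# be a LAN member before those rules go in. Names are from the thread; packets are constructed.
WAN_IF = "sfpplus1-(INTERNET--IN)"
BRIDGE_IF = "1--bridge-LAN-Ether Sfpplus-&-ether 1-7"
MGMT_IF = "ether8--MANAGED-ACCESS"
LISTS_BEFORE = {"WAN": {WAN_IF}, "LAN": {BRIDGE_IF}}
LISTS_AFTER = {"WAN": {WAN_IF}, "LAN": {BRIDGE_IF, MGMT_IF}, "MGMT": {MGMT_IF}}
# (action, match) in chain order; fasttrack/ipsec rules omitted (no effect on these verdicts)
INPUT_CHAIN = [
    ("accept", {"conn": {"established", "related", "untracked"}}),
    ("drop", {"conn": {"invalid"}}),
    ("accept", {"proto": "icmp"}),
    ("drop", {"in_list_not": "LAN"}),  # defconf: drop all not coming from LAN
]
FORWARD_CHAIN = [
    ("accept", {"conn": {"established", "related", "untracked"}}),
    ("drop", {"conn": {"invalid"}}),
    ("drop", {"conn": {"new"}, "nat_not": "dstnat", "in_list": "WAN"}),
]

def _matches(match, pkt, lists):
    member = lambda name: pkt["in"] in lists.get(name, set())
    if "conn" in match and pkt["conn"] not in match["conn"]:
        return False
    if "proto" in match and pkt["proto"] != match["proto"]:
        return False
    if "in_list" in match and not member(match["in_list"]):
        return False
    if "in_list_not" in match and member(match["in_list_not"]):
        return False
    if "nat_not" in match and pkt.get("nat") == match["nat_not"]:
        return False
    return True

def verdict(chain, pkt, lists):
    """First matching rule decides; no match means accept (RouterOS default)."""
    for action, match in chain:
        if _matches(match, pkt, lists):
            return action
    return "accept"

def management_verdicts(proto="tcp"):
    """New session from the PC on ether8 to the router (input chain), before/after the fix."""
    pkt = {"in": MGMT_IF, "proto": proto, "conn": "new"}
    return verdict(INPUT_CHAIN, pkt, LISTS_BEFORE), verdict(INPUT_CHAIN, pkt, LISTS_AFTER)

def forward_verdicts():
    """PC behind the bridge going out vs. an unsolicited new connection from the WAN."""
    lan_out = {"in": BRIDGE_IF, "proto": "icmp", "conn": "new"}
    wan_in = {"in": WAN_IF, "proto": "tcp", "conn": "new"}
    return verdict(FORWARD_CHAIN, lan_out, LISTS_AFTER), verdict(FORWARD_CHAIN, wan_in, LISTS_AFTER)
```

Calling management_verdicts() shows the ether8 session dropped by the "drop all not coming from LAN" rule before the list change and accepted after it, while a ping to the router from ether8 is accepted either way because the ICMP rule comes first.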