Here is my last attempt - RB3011 - No Server outbound connection

jogger · October 5, 2017, 3:27pm

Ok, sorry i have to come here and ask for help, but this is my last resort before i hang up the old college try at trying to run a home server.

Here is my setup

I am confused about why i can see my server at my IP Address (i see the apache page) but when i try and run sudo apt-get update it says 101: Network is Unreachable.

I have racked my brain about this for the last 3 days and am about ready to give up!

Has anyone set up something similar to what i have done in the image? I have read just about every post, even hairpin nat, everything, nothing seems to get my outbound connection to work! Can anyone take a look at my setup and tell me if there is a solution?

Thank You All!

jogger · October 5, 2017, 11:04pm

Is there any other information you need from my end to help me find a solution?

Quick Set Configuration

Mode: Router

Internet: Port: SFP1

Address Acquisition: Automatic

IP Address: 111.222.111.22

Netmask: 255.255.248.0/21

Gateway: 111.222.111.2

Local Network: 111.222.111.22 (same as IP Address it appears)

Netmask: 255.0.0.0/8

DHCP Server: X (checked)

DHCP Server Range: 192.168.88.10-192.168.88.254

NAT: X (checked)

Interface List:

LAN - bridge

WAN - SFP1

Anything else you need from to figure out why my server is not seeing out into to world?

Thanks for helping!

pcunite · October 5, 2017, 11:51pm

We can help you. Post your configs by running a New Terminal within the Winbox tool, /export compact hide-sensitive file=MyFile.rsc. Post the output here between the code tag.

jogger · October 6, 2017, 12:17am

# oct/04/2017 21:20:46 by RouterOS 6.40.3
# software id = UIR9-M60B
#
# model = RouterBOARD 3011UiAS
# serial number = 111111111111111
/interface bridge
add admin-mac=6C:11:6B:1D:11:11 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master_SERVER
set [ find default-name=ether3 ] master-port=ether2-master_SERVER name=\
    ether3-server-bind
set [ find default-name=ether4 ] master-port=ether2-master_SERVER name=\
    ether4-server-bind
set [ find default-name=ether5 ] master-port=ether2-master_SERVER name=\
    ether5-server-bind
set [ find default-name=ether6 ] name=ether6-master_SERVER2
set [ find default-name=ether7 ] master-port=ether6-master_SERVER2
set [ find default-name=ether8 ] master-port=ether6-master_SERVER2
set [ find default-name=ether9 ] master-port=ether6-master_SERVER2
set [ find default-name=ether10 ] master-port=ether6-master_SERVER2
set [ find default-name=sfp1 ] name=sfp1_WAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master_SERVER
add bridge=bridge comment=defconf interface=ether6-master_SERVER2
add bridge=bridge comment=defconf disabled=yes interface=sfp1_WAN
add bridge=bridge interface=ether1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1_WAN list=WAN
add comment="SERVER 1 LAN" disabled=yes interface=ether2-master_SERVER list=\
    LAN
add comment="SERVER 2 LAN" disabled=yes interface=ether6-master_SERVER2 list=\
    LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=104.231.157.22/8 interface=ether1 network=104.0.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1_WAN
/ip dhcp-server network
add address=104.0.0.0/8 gateway=104.231.157.22 netmask=8
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=104.231.157.22
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=104.231.157.22 list=my_ip_address
/ip firewall filter
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=none-dynamic chain=input comment="QUICK SCANNING" \
    connection-limit=100,32 disabled=yes limit=0,5:packet psd=21,3s,3,1 \
    src-address-type="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=input disabled=yes protocol=icmp reject-with=\
    icmp-network-unreachable src-address-list=port_scanners
add action=accept chain=forward comment=\
    "Accept connections from outside to port 80" disabled=yes dst-port=80 \
    in-interface=sfp1_WAN log=yes protocol=tcp
add action=accept chain=forward comment=\
    "Accept connections from outside to port 443" disabled=yes dst-port=443 \
    in-interface=sfp1_WAN log=yes protocol=tcp
add action=accept chain=input comment="Filter Rules" connection-state=\
    established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=bridge
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward out-interface=sfp1_WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward disabled=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=sfp1_WAN
add action=dst-nat chain=dstnat comment="Port 80 Open" dst-address=\
    !192.168.88.0/24 dst-address-type=local dst-port=80 log=yes protocol=tcp \
    to-addresses=192.168.88.248 to-ports=80
add action=masquerade chain=srcnat comment="Access WAN from Local LAN" \
    dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.88.0/24 \
    to-addresses=192.168.88.248 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp \
    src-address=192.168.88.248 to-addresses=104.231.157.26
add action=dst-nat chain=dstnat comment="443 Port Open" disabled=yes \
    dst-port=443 log=yes protocol=tcp to-addresses=192.168.88.248 to-ports=\
    443
add action=dst-nat chain=dstnat comment=SFTP dst-port=22 protocol=tcp \
    to-addresses=192.168.88.248 to-ports=22
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=HomeLab
/system script
add name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/interface ethernet\r\
    \nset 0 name=LAN\r\
    \nset 1 name=WAN"
add name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/interface bridge\r\
    \nadd name=bridge-wan"
add name=script3 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge port\r\
    \nadd interface=WAN bridge=bridge-wan\r\
    \nadd interface=LAN bridge=bridge-lan"
add name=script4 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge settings\r\
    \nset allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes\
    \_use-ip-firewall-for-vlan=yes"
add name=script5 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall address-list\r\
    \nadd address=104.231.157.22 list=my_ip_address"
add name=script6 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd chain=input comment=\"Allow access to router from known network\" sr\
    c-address-list=my_ip_address\r\
    \nadd action=drop chain=input comment=\"Disallow weird packets\" connectio\
    n-state=invalid\r\
    \nadd chain=input comment=\"Allow LAN access to router and Internet\" conn\
    ection-state=new in-interface=LAN\r\
    \nadd chain=input comment=\"Allow connections that originated from LAN\" c\
    onnection-state=established\r\
    \nadd chain=input comment=\"Allow connections that originated from LAN\" c\
    onnection-state=related\r\
    \nadd chain=input comment=\"Allow ping ICMP from anywhere\" protocol=icmp\
    \r\
    \nadd action=drop chain=input comment=\"Disallow anything from anywhere on\
    \_any interface\"\r\
    \nadd action=drop chain=forward comment=\"Disallow weird packets\" connect\
    ion-state=invalid\r\
    \nadd chain=forward comment=\"Allow LAN access to router and Internet\" co\
    nnection-state=new in-bridge-port=LAN\r\
    \nadd chain=forward comment=\"Allow connections that originated from LAN\"\
    \_connection-state=established\r\
    \nadd chain=forward comment=\"Allow connections that originated from LAN\"\
    \_connection-state=related\r\
    \nadd chain=forward comment=\"Open port 80 for Web Server\" dst-address=19\
    2.168.88.248 dst-port=80 protocol=tcp\r\
    \nadd action=drop chain=forward"
add name=script7 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall service-port\r\
    \nset ftp disabled=yes\r\
    \nset tftp disabled=yes\r\
    \nset irc disabled=yes\r\
    \nset h323 disabled=yes\r\
    \nset sip disabled=yes\r\
    \nset pptp disabled=yes"
add name=script8 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall\r\
    \nfilter add chain=input action=accept protocol=icmp comment=\"defconf: ac\
    cept ICMP\"\r\
    \n filter add chain=input action=accept connection-state=established,relat\
    ed comment=\"defconf: accept established,related\"\r\
    \n filter add chain=input action=drop in-interface=ether1 comment=\"defcon\
    f: drop all from WAN\"\r\
    \nfilter add chain=forward action=fasttrack-connection connection-state=es\
    tablished,related comment=\"defconf: fasttrack\"\r\
    \nfilter add chain=forward action=accept connection-state=established,rela\
    ted comment=\"defconf: accept established,related\""
add name=script9 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd action=accept chain=forward dst-port=943 in-interface=bridge protoco\
    l=tcp\r\
    \nadd action=fasttrack-connection chain=forward comment=\"defconf: fasttra\
    ck\" \r\
    \n    connection-state=established,related\r\
    \nadd action=accept chain=forward comment=\"defconf: accept established,re\
    lated\" \r\
    \n    connection-state=established,related\r\
    \nadd action=drop chain=forward comment=\"defconf: drop invalid\" \r\
    \n    connection-state=invalid\r\
    \nadd action=drop chain=forward comment=\r\
    \n    \"defconf:  drop all from WAN not DSTNATed\" connection-nat-state=!d\
    stnat \r\
    \n    connection-state=new in-interface=sfp1\r\
    \nadd action=accept chain=input protocol=icmp\r\
    \nadd action=accept chain=input connection-state=established\r\
    \nadd action=drop chain=input in-interface=esfp1\r\
    \n/ip firewall nat\r\
    \nadd action=masquerade chain=srcnat comment=\"defconf: masquerade\" \r\
    \n    out-interface=sfp1\r\
    \nadd action=masquerade chain=srcnat out-interface=bridge\r\
    \nadd action=dst-nat chain=dstnat dst-address=104.231.157.22 dst-port=943 \
    log=\r\
    \n    yes log-prefix=\"tcp 943:\" protocol=tcp to-addresses=192.168.88.248\
    \r\
    \nadd action=dst-nat chain=dstnat dst-address=104.231.157.22 dst-port=1194\
    \_\r\
    \n    protocol=udp to-addresses=192.168.88.248\r\
    \nadd action=dst-nat chain=dstnat dst-address=104.231.157.22 dst-port=443 \
    \r\
    \n    protocol=tcp to-addresses=192.168.88.248\r\
    \nadd action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=\
    \r\
    \n    192.168.88.0/24"
add name=script10 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall nat\r\
    \nadd action=accept chain=forward disabled=no dst-port=80 protocol=tcp\r\
    \nadd action=accept chain=forward disabled=no dst-port=80 protocol=udp"
add name=script11 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd action=add-src-to-address-list address-list=port_scanners address-li\
    st-timeout=5m10s chain=input comment=\"QUICK SCANNING\" psd=21,3s,3,1\r\
    \nADD chain=input protocol=icmp reject-with=icmp-host-reachable src-addres\
    s-list=port_scanners action=reject"
/tool e-mail
set address=74.125.136.108 from=<HomeLab> port=587 start-tls=yes user=\
    liberty01
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2-master_SERVER
add interface=ether6-master_SERVER2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2-master_SERVER
add interface=ether6-master_SERVER2

pcunite · October 6, 2017, 2:41am

How are you connected to your ISP’s modem? Fiber or ether1? You have ether1 in the same bridge as your lan, which has a different subnet.

pcunite · October 6, 2017, 2:48am

Look at this script. I’ve minimized it down to something simpler to work on. Read slowly. I don’t understand what you’re doing with ether1 as opposed to SFP1. The SB4141 does not have a fiber interface. You have an issue there.

Before testing this script, I recommend you do a System / Reset

# apply sections, one by one

/interface bridge
add name=bridge-LAN comment=defconf

/interface ethernet
set [ find default-name=ether1 ] master-port=none name=ether1
set [ find default-name=ether2 ] master-port=none name=ether2
set [ find default-name=ether3 ] master-port=ether2 name=ether3
set [ find default-name=ether4 ] master-port=ether2 name=ether4
set [ find default-name=ether5 ] master-port=ether2 name=ether5
set [ find default-name=ether6 ] master-port=none name=ether6
set [ find default-name=ether7 ] master-port=ether6 name=ether7
set [ find default-name=ether8 ] master-port=ether6 name=ether8
set [ find default-name=ether9 ] master-port=ether6 name=ether9
set [ find default-name=ether10 ] master-port=ether6 name=ether10
set [ find default-name=sfp1 ]  master-port=none name=sfp1_WAN

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN

/interface bridge port
add bridge=bridge-LAN interface=ether2  comment=defconf
add bridge=bridge-LAN interface=ether6 comment=defconf

#I don't understand why you have ether1 (104.231.157.22) on the LAN bridge
add bridge=bridge-LAN interface=ether1

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=sfp1_WAN   list=WAN

/ip address
add address=192.168.88.1/24 interface=bridge-LAN comment=defconf
add address=104.231.157.22/8 interface=ether1

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1_WAN

/ip dhcp-server network
add address=104.0.0.0/8 gateway=104.231.157.22 netmask=8
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=104.231.157.22

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=accept in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=input action=drop comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=accept connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat comment="Allow Port forwards"
add chain=forward action=drop comment="Drop all other forward"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=sfp1_WAN comment="default masquerade"
add chain=dstnat action=dst-nat in-interface=sfp1_WAN protocol=tcp to-addresses=1.2.3.4 dst-port=123 to-ports=123 comment="Sample Port Forward"

jogger · October 6, 2017, 3:36am

Im connected to the modem through sfp1 (the SFP module) ? is that fine? I thought going from my modem (SB6141 with an ethernet cord) through SFP (Small form-factor pluggable) would be fine?

Here is how my connections look going in to my RB3011

jogger · October 6, 2017, 5:20pm

After the system reset do i connect through eth1 then?

Rieva · October 6, 2017, 9:52pm

You will have to pay a guy who understands basic networking.
I suggest you pay the guy with that RB3011, because for your internet connection, even WR740N v4 is overkill.

pukkita · October 7, 2017, 8:35am

According to the SB6141 Manual, as pcunite says there’s no SFP, you should wire it like this:
wiring.png

jogger · October 8, 2017, 9:31pm

I am confused? I bought this SFP Copper Module (Mikrotik Item model number S-RJ01). Now you are saying i cant use it with this router and modem? I am very confused now? It is an ethernet cord, it is nothing special, basic cat-6 ethernet cord? I am so confused on why an ethernet cord cant be used with this router.

https://www.amazon.com/gp/product/B00N9ZI0MI/ref=oh_aui_detailpage_o09_s00?ie=UTF8&psc=1 if this module wont work then why did you guys manufacture it? That makes no sense?

plankanater · October 9, 2017, 12:53am

The module will work. The reason they are all telling you to plug into ether 1 is because the quickset and default configs, configure ether 1 as the WAN port. Use the SFP port as you LAN not WAN then you can use Quickset. That would be the simplest setup. You can make the SFP a WAN port but there is a lot more programming involved.

Melody5781 · October 9, 2017, 3:48am

The copper SFP RJ45 module can be used in SFP1 port. But it makes things difficult and to make things easy you can use a Cat6 Ethernet cable between the modem and the ether1.

pukkita · October 9, 2017, 9:30am

Ok, now that makes sense, you used a SFP to copper RJ45 module.

Looks like Autonegotiation doesn’t succeed, you’ll have to:

1.- RB3011: Disable autoneg on SFP interface, set it to 1Gbps.

Check if interface enters Running state, and you get link ok. If it doesn’t:

2.- Arris: locate ethernet, and disable autoneg, forcing 1Gbps.

If you succeed on getting the SFP port to run, you’ll need to change anything on the RB3011 (ip addresses, firewall filter and nat rules, etc) that referred to ether1 as WAN, to the new sfp-interface.

jogger · October 9, 2017, 9:29pm

Ok, now that makes sense, you used a SFP to copper RJ45 module.

Looks like Autonegotiation doesn’t succeed, you’ll have to:

1.- RB3011: Disable autoneg on SFP interface, set it to 1Gbps.

Check if interface enters Running state, and you get link ok. If it doesn’t:

2.- Arris: locate ethernet, and disable autoneg, forcing 1Gbps.

If you succeed on getting the SFP port to run, you’ll need to change anything on the RB3011 (ip addresses, firewall filter and nat rules, etc) that referred to ether1 as WAN, to the new sfp-interface.

Hmm, i think i have everything configured correctly, i am still not able to get out of bridged-lan to access the outside world. So when i try to run sudo apt-get update it still says 101: No Connection. Also when i try to pink my server from the Mikrotik ping it says timeout. SFP1_WAN works, ping from eth2 does not.

Any help, heck i will even accept a teamviewer session at this point.

jogger · October 9, 2017, 10:22pm

# oct/09/2017 18:15:33 by RouterOS 6.40.3
# software id = UIR9-M60B
#
# model = RouterBOARD 3011UiAS
# serial number = 111111111111
/interface bridge
add admin-mac=6C:3B:6B:1D:00:99 auto-mac=no comment=defconf name=bridge-LAN
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
set [ find default-name=sfp1 ] auto-negotiation=no name=sfp1_WAN
/ip neighbor discovery
set sfp1_WAN discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN name=defconf
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
add bridge=bridge-LAN comment=defconf interface=ether6
add bridge=bridge-LAN comment=defconf disabled=yes interface=sfp1_WAN
add bridge=bridge-LAN interface=ether1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=sfp1_WAN list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-LAN network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1_WAN
/ip dhcp-server network
add address=104.0.0.0/8 gateway=104.231.157.22 netmask=8
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=104.231.157.22
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Accept established related" \
    connection-state=established,related
add action=accept chain=input comment=\
    "Allow LAN access to router and Internet" connection-state=new \
    in-interface=bridge-LAN
add action=accept chain=forward comment="Accept established related" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Allow LAN access to router and Internet" connection-state=new \
    in-interface=bridge-LAN
add action=accept chain=forward comment="Allow Port Forwards" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="default masquerade" \
    out-interface=sfp1_WAN
add action=dst-nat chain=dstnat comment="Sample Port Forward" dst-address=\
    104.231.157.22 dst-port=80 in-interface=bridge-LAN protocol=tcp \
    to-addresses=192.168.88.248 to-ports=80
/system clock
set time-zone-name=America/New_York
/system script
add name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface ethernet\r\
    \nset [ find default-name=ether1 ] master-port=none name=ether1\r\
    \nset [ find default-name=ether2 ] master-port=none name=ether2\r\
    \nset [ find default-name=ether3 ] master-port=ether2 name=ether3\r\
    \nset [ find default-name=ether4 ] master-port=ether2 name=ether4\r\
    \nset [ find default-name=ether5 ] master-port=ether2 name=ether5\r\
    \nset [ find default-name=ether6 ] master-port=none name=ether6\r\
    \nset [ find default-name=ether7 ] master-port=ether6 name=ether7\r\
    \nset [ find default-name=ether8 ] master-port=ether6 name=ether8\r\
    \nset [ find default-name=ether9 ] master-port=ether6 name=ether9\r\
    \nset [ find default-name=ether10 ] master-port=ether6 name=ether10\r\
    \nset [ find default-name=sfp1 ]  master-port=none name=sfp1_WAN"
add name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface list\r\
    \nadd comment=defconf name=WAN\r\
    \nadd comment=defconf name=LAN"
add name=script3 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip pool\r\
    \nadd name=dhcp ranges=192.168.88.10-192.168.88.254"
add name=script4 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip dhcp-server\r\
    \nadd address-pool=dhcp disabled=no interface=bridge-LAN"
add name=script5 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge port\r\
    \nadd bridge=bridge-LAN interface=ether2  comment=defconf\r\
    \nadd bridge=bridge-LAN interface=ether6 comment=defconf"
add name=script6 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge settings\r\
    \nset allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes\
    \_use-ip-firewall-for-vlan=yes"
add name=script7 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface list member\r\
    \nadd comment=defconf interface=bridge-LAN list=LAN\r\
    \nadd comment=defconf interface=sfp1_WAN   list=WAN"
add name=script8 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip address\r\
    \nadd address=192.168.88.1/24 interface=bridge-LAN comment=defconf\r\
    \nadd address=104.231.157.22/8 interface=ether1"
add name=script9 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip dhcp-client\r\
    \nadd dhcp-options=hostname,clientid disabled=no interface=sfp1_WAN"
add name=script10 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip dhcp-server network\r\
    \nadd address=104.0.0.0/8 gateway=104.231.157.22 netmask=8\r\
    \nadd address=192.168.88.0/24 comment=defconf gateway=192.168.88.1"
add name=script11 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip dns\r\
    \nset allow-remote-requests=yes servers=104.231.157.22"
add name=script12 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Accept established related\"\r\
    \nadd chain=input action=accept in-interface=bridge-LAN comment=\"Allow LA\
    N access to router and Internet\"\r\
    \nadd chain=input action=drop comment=\"Drop all other input\"\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Accept established related\"\r\
    \nadd chain=forward action=accept connection-state=new in-interface=bridge\
    -LAN comment=\"Allow LAN access to router and Internet\"\r\
    \nadd chain=forward action=accept connection-nat-state=dstnat comment=\"Al\
    low Port forwards\"\r\
    \nadd chain=forward action=drop comment=\"Drop all other forward\""
add name=script13 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall nat\r\
    \nadd chain=srcnat action=masquerade out-interface=sfp1_WAN comment=\"defa\
    ult masquerade\"\r\
    \nadd chain=dstnat action=dst-nat in-interface=sfp1_WAN protocol=tcp to-ad\
    dresses=1.2.3.4 dst-port=123 to-ports=123 comment=\"Sample Port Forward\""
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2
add interface=ether6
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2
add interface=ether6

Is there something in my code that i am not doing correct because my server on eth2 at ip 192.168.88.248 is not able to have outbound connections? I try and ping from eth2 and bridge 192.168.88.248 and they all timeout? 192.168.88.248 is eth2 which is on the bridge-LAN interface.

Let me know if something in my firewall rules or NAT is not correct…thanks for helping.

jogger · October 10, 2017, 5:46am

Ok have a look at these. Only thing i have left is, i have changed my sfp1_wan and connected my modem to eth1 still cannot ping 8.8.8.8 from bridge_lan always get timeout. Any help.

# oct/10/2017 01:35:49 by RouterOS 6.40.3
# software id = UIR9-M60B
#
# model = RouterBOARD 3011UiAS
# serial number = 111111111111
/interface bridge
add admin-mac=6C:3B:6B:1D:66:99 auto-mac=no comment=defconf name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
set [ find default-name=sfp1 ] auto-negotiation=no
/ip neighbor discovery
set ether1_WAN discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=24.93.112.2-24.93.119.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN name=defconf
add address-pool=dhcp disabled=no interface=ether1_WAN name=dhcp1
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
add bridge=bridge-LAN comment=defconf interface=ether6
add bridge=bridge-LAN comment=defconf interface=sfp1
add bridge=bridge-LAN disabled=yes interface=ether1_WAN
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=ether1_WAN list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip arp
add address=192.168.88.248 interface=bridge-LAN mac-address=7C:05:07:10:04:AD
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1_WAN
/ip dhcp-server network
add address=24.0.0.0/8 gateway=24.93.112.1 netmask=8
add address=24.93.112.0/21 gateway=24.93.112.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=24.93.115.155
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.248 name=mywebsiteaddress.com
/ip firewall filter
add action=accept chain=input comment="Accept established related" \
    connection-state=established,related
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment=\
    "Allow LAN access to router and Internet" in-interface=bridge-LAN
add action=fasttrack-connection chain=forward comment="FastTrack Connections" \
    connection-state=established,related
add action=accept chain=forward comment="Accept established related" \
    connection-state=established,related
add action=accept chain=forward comment="Forward Out Eth1" out-interface=\
    ether1_WAN
add action=accept chain=forward comment="Allow Port forwards" \
    connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "Allow LAN access to router and Internet" connection-state=new \
    in-interface=bridge-LAN
add action=accept chain=forward comment=\
    "Accept connections from outside to port 80" dst-port=80 in-interface=\
    ether1_WAN protocol=tcp
add action=drop chain=forward comment="Drop all other forward"
add action=drop chain=forward in-interface=ether1_WAN protocol=udp
add action=drop chain=forward in-interface=ether1_WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default masquerade" \
    out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="Sample Port Forward" dst-address=\
    24.93.115.155 dst-address-type=local dst-port=80 protocol=tcp \
    to-addresses=192.168.88.248 to-ports=80
add action=masquerade chain=srcnat comment="masquerade - bridge" dst-address=\
    192.168.88.0/24 out-interface=bridge-LAN src-address=192.168.88.0/24
/ip route
add disabled=yes distance=1 gateway=24.93.112.1
add distance=1 dst-address=24.0.0.0/24 gateway=ether1_WAN pref-src=\
    24.93.115.155
/ip service
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether6
add interface=sfp1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether6
add interface=sfp1

Let me know what i have to do to get bridge_lan to connect to the outside world. 192.168.88.248 (is on eth2) - my ping to 8.8.8.8 on interface bridge-lan always timeout

pukkita · October 10, 2017, 8:47am

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0

You should change that IP to interface=bridge-LAN

/ip arp
add address=192.168.88.248 interface=bridge-LAN mac-address=7C:05:07:10:04:AD

Delete this.

On Winbox, open a New Terminal and issue

/ip address print detail
/ip route print
/ping 8.8.8.8

Then copy and paste the output here.

jogger · October 10, 2017, 2:25pm

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; defconf
     address=192.168.88.1/24 network=192.168.88.0 interface=bridge-LAN 
     actual-interface=bridge-LAN 

 1 D address=24.93.115.155/21 network=24.93.112.0 interface=ether1_WAN 
     actual-interface=ether1_WAN 
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          24.93.112.1               1
 1 X S  0.0.0.0/0                          24.93.112.1               1
 2 A S  24.0.0.0/24        24.93.115.155   ether1_WAN                1
 3 ADC  24.93.112.0/21     24.93.115.155   ether1_WAN                0
 4 ADC  192.168.88.0/24    192.168.88.1    bridge-LAN                0

jogger · October 10, 2017, 10:28pm

Ok after doing a little more research, could this possibly have something to do with my my bridge connections timeout when i ping 8.8.8.8 these are in my routes?

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          24.93.112.1               1
 1 X S  0.0.0.0/0                          24.93.112.1               1
 2 A S  24.0.0.0/24        24.93.115.155   ether1_WAN                1
 3 ADC  24.93.112.0/21     24.93.115.155   ether1_WAN                0
 4 ADC  192.168.88.0/24    192.168.88.1    bridge-LAN                0

Is my bridge-LAN not going to the outside world?

Thanks for any help.