How to add static route

POS · March 10, 2017, 6:39am

Hi,

I’m new to mikrotik. I’ve been trying for two hours now but how the hell do you add a simple LAN → WAN static route on this OS? This is very simple on Cisco, Fortigate and pfsense but somehow very hard to do on mikrotik.

I suppose it should be under IP → Routes but I have no idea what to fill in.

I can ping google from the built in ping tool on eth1 however running a traceroute from a pc connected to the eth2 port it stops at the eth2 gateway. I already set up a simple firewall rule.

Chain: Forward
In. Int: eth2
Out. int: eth1

TBH I find mikrotik incredibly hard to understand. The interface is all over the place and the way things are named makes it hard to understand what you are supposed to configure. Documentation is rather poor and not much use either.

janus20 · March 10, 2017, 10:49am

Hi,

Do you need a static route from lan to wan or do you need masquerade entire lan network to wan interface ?

a. static route from lan to wan ( presume you want to route 192.168.0.0/24 to wan interface, ether1 )
1. new terminal

/ip route
add dst-address=192.168.0.0/24 gateway=ether1

2. IP left menu; click on left IP menu option then click on routes option
a. click on “+” sign to add new route;
b. at dst-address field fill in network range or lan adress that you want to be routed ( in our example, 192.168.0.0/24 );
c. at gateway field type public wan ip, if you have one, or just select ether1 from drop-down list;
d. hit OK button; that’s all.

b. masquerande entire lan network range
1. new terminal ( suppose your wan interface is ether1 )

/ip firewall nat
add action=masquerade chain=srcnat comment="NATing lan network" out-interface=ether1

2. IP left menu; click on left IP menu option then click on firewall option
a. go to NAT tab;
b. click on “+” sign to add new rule;
c. in General tab, on chain field select srcnat;
d. then in Out Interface option, select drom drop-down list “ether1”;
e. move to Action tab and on Action option select from drop-down list “masquerade”;
f. hit “OK” button from left; that’s all.

You may want to look to default manual initial configuration examples too: https://wiki.mikrotik.com/wiki/Manual:Initial_Configuration

Also, would be great if you post your config too, as copy&paste, after open New Terminal menu option and type the following command:

/export hide-sensitive

Hope it helps.

kind regards,

POS · March 13, 2017, 8:55am

Thanks but it doesn’t work.

dst addr 192.168.0.5/24
gateway ethernet 1 (reachable)

But no internet access. I can ping the wan (eth1) interface.

Firewall is set to any any forward.

For what its worth I got routeros running inside a vm. The wan (eth1) port is bridged to my physical nic and lan (eth) is bridged to the MS loopback adapter. Shouldnt be a problem, I got the same setup running in pfsense.

Sob · March 13, 2017, 1:09pm

/ip route
add dst-address=192.168.0.5/24 gateway=<IP address of gateway>

But if you’re looking for default gateway for internet access, then you’ll need dst-address=0.0.0.0/0.

patrick7 · March 13, 2017, 3:27pm

And of course not 192.168.0.!!!5!!!/24

Sob · March 13, 2017, 4:10pm

Oops, I copied that one without thinking about it. But RouterOS complains about wrong address with helpful messagein both WinBox and CLI, so no one can actually use it.

POS · March 14, 2017, 5:07am

Whatever I do it just doesn’t work. I have absolutely no clue why RouterOS is designed to function totally different from any other firewall.

eth1 should act as WAN. Its getting a IP address (10.0.0.100) from a DHCP server (10.0.0.0/24). This is OK.
eth2 has its own DHCP pool and its giving out DHCP leases to my client (192.168.5.0/24). OK.
The firewall has a chain forward all ethernet in and all ethernet out rule. I suppose this should allow all traffic?
I’ve added a route 0.0.0.0/0 eth1 reachable. (there are two undeletable routes for eth1 and eth2).
From the built in ping tool I can ping 10.0.0.1. That’s the switch providing internet access.
But I cannot ping 8.8.8.8 or any other outside address. It says timeout (to 8.8.8. and host unreachable (10.0.0.100).

I’ve tried adding a nat rule but that makes no difference. I’ve tried adding routes, addresses and whatnot but nothing works.

All my other firewalls do have internet access with exactly the same setup.

POS · March 14, 2017, 5:34am

Okay deleted all settings and started over and looks like its working now.

I’m not sure what changed, routing and firewall rules are exactly the same. The only difference is that instead of relying on DHCP on the eth1 (WAN) interface I now set a static IP.

Anyway its working, now its time to set up some basic firewall rules and a hotspot. Lets see how it goes.

Sob · March 14, 2017, 12:13pm

I don’t know what you’re looking at, but RouterOS basic network configuration is exactly the same as in Windows, Linux (RouterOS is actually based on Linux), and basically anything I’ve ever seen.

If you configure WAN using DHCP, you should not need to add default (0.0.0.0/0) route, it should come from DHCP server. In case your external DHCP server is not configured to give out default route, you’d need to add one, but not with gateway being WAN interface, it should be IP address (10.0.0.1 in your case, it seems). Then you need to either add NAT to hide internal network behind 10.0.0.100, or configure static route on your gateway to internal 192.168.5.0/24. Firewall is easy too, everything is allowed by default, no rules means no blocking. So if you have doubts, start with that and when basic routing works, play with firewall as next step.