I tried to move ether2 out of bridge1 and somehow broke IPv4

I wanted to see if I could swap ether1 and ether2 (I had a silly idea about powering my RB4011iGS+ both by the power brick and PoE on the LAN side) and of course completely hosed myself.

Luckily I had IPv6 set up with a Hurricane Electric tunnel and somehow wormed my way back in. But now IPv4 doesn’t seem to be working right; I’ve recreated ether2 as part of bridge1 and assigned the default IP back to bridge1 - DHCP is up and running again, but I can’t ping the router from any other machine (though I can ping it from itself). I suspect a firewall or mangle rule got deleted when I deleted ether2 and now it’s confused.

# jan/17/2021 12:01:55 by RouterOS 6.48
# software id = AICP-V6XM
#
# model = RB4011iGS+5HacQ2HnD
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mac-address=6C:3B:6B:FC:1B:C1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-a/n/ac country="united states" disabled=no frequency=auto \
    frequency-mode=manual-txpower mac-address=B8:69:F4:DF:F1:8F mode=ap-bridge name=wlan1-5 radio-name=B869F4DFF18F \
    ssid=xxxxxx station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-b/g/n country="united states" disabled=no frequency=auto \
    frequency-mode=manual-txpower mode=ap-bridge name=wlan2.4 ssid=xxxxxx station-roaming=enabled wireless-protocol=\
    802.11
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=xx.xx.xx.xx mtu=1280 name=sit1 \
    remote-address=184.105.253.14
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=dhcp bootp-support=dynamic disabled=no interface=bridge1 name=dhcp1
/user group
set full policy=\
    local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=wlan1-5
add bridge=bridge1 interface=wlan2.4
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
DHCP LEASES WERE HERE
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 domain=xxxxxxx.com gateway=192.168.88.1 netmask=24 ntp-server=\
    192.168.88.1 wins-server=192.168.88.158
/ip dns
set allow-remote-requests=yes servers=2001:470:20::2,2606:4700:4700::1111
/ip dns static
add address=192.168.88.182 name=camera1
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=forward src-address=192.168.88.182
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.88.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=34197 protocol=udp to-addresses=192.168.88.112 to-ports=34197
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.88.135 to-ports=443
add action=dst-nat chain=dstnat dst-port=1088 in-interface=ether1 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.88.135 to-ports=22
/ip route
add distance=1 dst-address=10.0.0.0/8 type=unreachable
/ip service
set www-ssl certificate=fullchain.cer_0 disabled=no
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/ipv6 address
add address=2001:470:1f10:67d::2 advertise=no interface=sit1
add address=2001:470:1f11:67d:: interface=bridge1
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 request=address
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:470:1f10:67d::1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=bedroom-router
/system leds
add interface=wlan2.4 leds=\
    wlan2.4_signal1-led,wlan2.4_signal2-led,wlan2.4_signal3-led,wlan2.4_signal4-led,wlan2.4_signal5-led type=\
    wireless-signal-strength
add interface=wlan2.4 leds=wlan2.4_tx-led type=interface-transmit
add interface=wlan2.4 leds=wlan2.4_rx-led type=interface-receive
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.88.255 enabled=yes multicast=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

What did I do? I’m tempted to nuke and restart from fresh …

Thank goodness these forums are available over IPv6!

It seems that interface list members are hosed (at least the bridge interface should be a member of the LAN interface list and ether1 a member of the WAN interface list).

However, I still suggest you perform a factory reset and re-do the necessary configuration adjustments. The main reason being: firewall (both IPv4 and IPv6) rules are far from optimal, and v6 rules are mostly missing. After the factory reset, stick to defaults as much as possible and really change only what you fully understand. Default rules are pretty sound and safe; don’t replace them with rules taken from a random online tutorial.

Swapping ether1 and ether2 is quite simple (if you are connected through another path: wifi or a different ethernet port).

Check your full config file, and note every place where ether1 and ether2 are mentioned. (ether1 is on many lines: DHCP client, WAN interface list.)
That interface list is very important: many lines and firewall rules use the LAN and WAN interface lists.

At the start ether1 is in the WAN list (triggering firewall rules and NAT). The bridge is in the LAN list, which puts all bridge ports in the LAN list!
Being in the LAN list is important to get access to the router. Adding ether1 to the bridge will make it act like ether3 and upwards.
Ether2 in the WAN list will activate NAT for IPv4, and needs to have the DHCP client assigned to it (instead of to ether1).

Using “Safe mode” will revert your actions if you lose connection, but ether3 and up and the wifi are not touched, so it should be no problem.
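The swap described above, written out against the export in the first post as an added example (not a script from either poster). It assumes you are logged in over a port that stays in the bridge (ether3 and up, or wifi) and have entered Safe Mode first (Ctrl-X in the terminal), so a lost session rolls everything back; the MAC value is the one already set on ether1 in the export.

```routeros
# Added example: move the WAN role from ether1 to ether2 on the posted config.
# Run inside Safe Mode from a bridge port that is not ether1 or ether2.

# 1. Take ether2 out of bridge1 and put ether1 in its place (it then behaves like ether3+).
/interface bridge port remove [find interface=ether2]
/interface bridge port add bridge=bridge1 interface=ether1

# 2. Swap WAN list membership. The input-drop, masquerade and dst-nat rules that are
#    keyed on in-interface-list/out-interface-list follow the list, not the port name.
#    bridge1 stays in LAN, so ether1 now gets LAN access through the bridge.
/interface list member remove [find interface=ether1 list=WAN]
/interface list member add interface=ether2 list=WAN

# 3. Move the IPv4 and IPv6 DHCP clients to the new WAN port.
/ip dhcp-client set [find interface=ether1] interface=ether2
/ipv6 dhcp-client set [find interface=ether1] interface=ether2

# 4. Places in the export that name ether1 explicitly rather than via the WAN list.
/ip firewall nat set [find in-interface=ether1] in-interface=ether2
/ip upnp interfaces set [find interface=ether1] interface=ether2

# 5. The export overrides the MAC on ether1; an ISP that pinned the lease to that MAC
#    will only hand out the lease again if the new WAN port presents the same address.
/interface ethernet set [find default-name=ether2] mac-address=6C:3B:6B:FC:1B:C1
/interface ethernet reset-mac-address [find default-name=ether1]

# 6. Verify before leaving Safe Mode: ether2 should hold the WAN lease and be the only
#    WAN member, ether1 should appear as a bridge port, and nothing should still say ether1.
/ip dhcp-client print
/interface list member print
/interface bridge port print where interface=ether1
/ip firewall nat print where in-interface=ether1
```

The 6to4 tunnel (sit1) is keyed on local-address rather than a port, so it needs no change unless the WAN lease comes back with a different public IP.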

Now I appear to be even more hosed - I tried to reset the config but it apparently did nothing - it keeps coming back with (apparently) the same broken config. I can’t access it in any manner now and I don’t have a serial console cable.

The manual reset via holding down the button apparently did nothing (it says to wait until the ACT LED flashes, but there is no ACT LED - maybe the SFP one?).

Hmm something finally worked I guess - now my ISP is mad at me and I don’t know that password …

Forcing the MAC address for ether1 back to what it had been in the previous config made it work.

Now to relearn how I set up my HE tunnel and slowly climb back to where I was this morning.