internet not working despite pingable addresses

(It seems my previous topic was deleted without notification and I did not find any forum rules here, so I am reposting it.)

After setting up my router (changed DHCP range, moved WAN to eth5, set up NAT rules) my internet stopped working. I can ping any address both from the router and my other devices on the network, even remotely access local devices via ssh from outside, but cannot access any webpage. This happens on all devices on my network.

My interfaces look as follows:

Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS
 0     ether1                              ether            1500  1598       2028 
 1   S ether2                              ether            1500  1598       2028 
 2  RS ether3                              ether            1500  1598       2028 
 3  RS ether4                              ether            1500  1598       2028 
 4  R  ether5                              ether            1500  1598       2028 
 5   S wlan1                               wlan             1500  1600       2290 
 6  R  ;;; defconf
       bridge                              bridge           1500  1598

This sounds like a nat rule not setup correctly.

Can you post your config so we can check it?

/ip firewall nat print:

 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

 1    chain=dstnat action=dst-nat to-addresses=192.168.50.7 to-ports=22 protocol=tcp dst-port=2255 log=no log-prefix=""

 2    chain=dstnat action=dst-nat to-addresses=192.168.50.7 to-ports=443 protocol=tcp dst-port=443 log=no log-prefix=""

 3    chain=dstnat action=dst-nat to-addresses=192.168.50.7 to-ports=80 protocol=tcp dst-port=80 log=no log-prefix=""

 4    chain=dstnat action=dst-nat to-addresses=192.168.50.7 to-ports=1194 protocol=udp dst-port=1194 log=yes log-prefix="pivpn"

Post output of /interface export (you can omit the wireless section but be sure to include everything else) and /ip firewall export … the output of /ip firewall nat print you posted is not self-descriptive.

/interface export
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=wifi wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xxxxxxx wpa2-pre-shared-key=xxxxxxx
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge disabled=yes interface=ether1
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
add interface=bridge list=LAN
add interface=ether5 list=WAN
add interface=ether1 list=LAN

/ip firewall export
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward disabled=yes dst-address=192.168.50.7 dst-port=22 protocol=tcp src-address=0.0.0.0 src-address-list="" src-port=2255
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=2255 protocol=tcp to-addresses=192.168.50.7 to-ports=22
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.50.7 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.50.7 to-ports=80
add action=dst-nat chain=dstnat dst-port=1194 log=yes log-prefix=pivpn protocol=udp to-addresses=192.168.50.7 to-ports=1194

Have you checked your DNS servers?

I can ping domains as well, not just IPs, so I assume DNS is OK.

These are my DNS settings; 192.168.1.1 is the address of my WAN AP.

                      servers: 8.8.8.8,1.1.1.1,8.8.4.4
              dynamic-servers: 192.168.1.1
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 48KiB

Looks like you are NATing all port 80 and 443 traffic to an internal IP:

add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.50.7 to-ports=80

Try setting an in-interface on these rules.

Regards
Nick

:facepalm: what was it :facepalm: Disabling NAT rules 2 and 3 fixed the internet access. I had trouble understanding how the from-ports and to-ports work; I will need to study a bit how to do proper port forwarding in MikroTik.

Thank you very much.

If you just make sure that the in-interface on those two rules is set to your WAN interface, then only traffic coming in on the WAN will be affected by them; without that, the rules will intercept the traffic on all interfaces.

Regards
Nick
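To make the failure mode in this thread concrete, here is an added example (not RouterOS code and not from any poster) that models dstnat rule matching for the rules posted above, once as written and once restricted with in-interface-list=WAN. The interface-to-list mapping mirrors the /interface list member export; the outside IPs and the router's WAN address are constructed placeholders.

```python
# Simplified model of RouterOS dstnat matching (added example, not RouterOS code).
# Only protocol, dst-port and in-interface-list are modelled; first match wins.
from dataclasses import dataclass
from typing import Optional

# Interface lists as in the thread's export: ether5 is WAN, bridge ports are LAN.
INTERFACE_LISTS = {
    "WAN": {"ether5"},
    "LAN": {"bridge", "ether2", "ether3", "ether4", "wlan1", "ether1"},
}


@dataclass
class DstNatRule:
    protocol: str
    dst_port: int
    to_address: str
    to_port: int
    in_interface_list: Optional[str] = None  # None = rule applies on every interface

    def matches(self, proto: str, dst_port: int, in_iface: str) -> bool:
        if self.protocol != proto or self.dst_port != dst_port:
            return False
        if self.in_interface_list is None:
            return True
        return in_iface in INTERFACE_LISTS[self.in_interface_list]


def apply_dstnat(rules, proto, dst_ip, dst_port, in_iface):
    """Return the (ip, port) a new connection is sent to after the first matching rule."""
    for rule in rules:
        if rule.matches(proto, dst_port, in_iface):
            return rule.to_address, rule.to_port
    return dst_ip, dst_port  # no match: destination unchanged


# Rules 1-3 as posted: no in-interface restriction at all.
BROKEN = [
    DstNatRule("tcp", 2255, "192.168.50.7", 22),
    DstNatRule("tcp", 443, "192.168.50.7", 443),
    DstNatRule("tcp", 80, "192.168.50.7", 80),
]
# The same rules limited to traffic arriving via the WAN list, as Nick suggests.
FIXED = [DstNatRule(r.protocol, r.dst_port, r.to_address, r.to_port, "WAN") for r in BROKEN]

# Constructed samples: a LAN client on the bridge browsing an outside HTTPS site,
# and an outside host reaching the published SSH port on the router's WAN address.
LAN_WEB = ("tcp", "198.51.100.20", 443, "bridge")   # placeholder outside web server
WAN_SSH = ("tcp", "192.168.1.2", 2255, "ether5")    # placeholder router WAN address

if __name__ == "__main__":
    print("as posted, LAN browsing:", apply_dstnat(BROKEN, *LAN_WEB))  # ('192.168.50.7', 443)
    print("fixed,     LAN browsing:", apply_dstnat(FIXED, *LAN_WEB))   # ('198.51.100.20', 443)
    print("fixed,     WAN -> ssh  :", apply_dstnat(FIXED, *WAN_SSH))   # ('192.168.50.7', 22)
```

With the rules as posted, every LAN client's outbound port 80/443 connection is rewritten to 192.168.50.7, which is why ping and ssh kept working while every webpage failed.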

The sound of one hand clapping is prevalent whilst configuring Mikrotik devices. :slight_smile: