Issue with hEX and Port Routing

SadisticNerd · September 10, 2018, 4:19pm

All,

I have found much on this forum that is of great use but I am apparently missing something very simple.

Initially I had my hEX wiht all internal ports in a bridge connected to other Mikrtik devices in “switch” mode. Worked great. Internet and DHCP had no issues.

Next step is I want to setup one Mikrotik device (RB2011) the same but not part of the bridge. I am trying to make a Guest WAP basically. I have a wAP AC coming but in the meantime I wanted to start playing. I got the interface (ether3-rb2011) pulled out from the bridge, DHCP working, just have no internet access. I checked the firewall rules and don’t think that is the issue.

My routes see the interfaces and IP ranges…

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          72.196.4.1                1
 1 ADC  10.50.1.0/32       10.50.1.1       ether3-rb2011             0
 2 ADC  10.100.0.0/24      10.100.0.1      bridge-internal           0
 3 ADC  {EXT IP}/23      {EXT IP}    ether1-router             0

Here is my config:

# sep/10/2018 10:55:36 by RouterOS 6.42.7
# software id = 1XFR-66DY
#
# model = RouterBOARD 750G r3
# serial number = XXXXXX
/interface bridge
add admin-mac=CC:2D:E0:B5:94:AA auto-mac=no name=bridge-internal protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-router
set [ find default-name=ether2 ] name=ether2-hapac2
set [ find default-name=ether3 ] name=ether3-rb2011
set [ find default-name=ether4 ] name=ether4-asus
set [ find default-name=ether5 ] name=ether5-hapaclite
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool-Internal ranges=10.100.0.100-10.100.0.200
add name=pool-Guest ranges=10.50.1.100-10.50.1.200
/ip dhcp-server
add address-pool=pool-Internal disabled=no interface=bridge-internal name=dhcpserver-internal
add address-pool=pool-Guest disabled=no interface=ether3-rb2011 name=dhcpserver-guest
/ipv6 dhcp-server
add address-pool=IPv6-local-pool comment="IPv6 DHCP Server" interface=ether1-router lease-time=10m name=server1
/interface bridge port
add bridge=bridge-internal interface=ether4-asus
add bridge=bridge-internal interface=ether5-hapaclite
add bridge=bridge-internal interface=ether2-hapac2
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge-internal list=LAN
add comment=defconf interface=ether1-router list=WAN
add interface=bridge-internal list=discover
add interface=ether3-rb2011 list=discover
add interface=ether4-asus list=discover
add interface=ether5-hapaclite list=discover
add interface=bridge-internal list=mactel
add interface=bridge-internal list=mac-winbox
add interface=ether3-rb2011 list=LAN
add interface=ether3-rb2011 list=mac-winbox
/ip address
add address=10.100.0.1/24 interface=bridge-internal network=10.100.0.0
add address=10.50.1.1 interface=ether3-rb2011 network=10.50.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1-router
/ip dhcp-server network
add address=10.50.1.0/24 comment="Internal - Guest" gateway=10.50.1.1 netmask=24
add address=10.100.0.0/24 comment="Internal - Primary" gateway=10.100.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=10.100.0.0/24 list=Internal-All
add address=10.50.1.0/24 list=Internal-All
add address=10.100.0.0/24 list=Internal-Trusted
add address=10.50.1.0/24 list=Internal-Restricted
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="All All Trusted" src-address-list=Internal-Trusted
add action=accept chain=input comment="Allow DNS All" dst-port=53 protocol=udp src-address-list=Internal-All
add action=accept chain=input comment="All NTP All" protocol=udp src-address-list=Internal-All src-port=123
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" dst-limit=30,30,dst-address/1m40s limit=30,30:packet protocol=icmp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=reject chain=forward comment="Restricted to Trusted Blocked" dst-address-list=Internal-Trusted reject-with=icmp-network-unreachable src-address-list=Internal-Restricted
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-router
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/8
set api disabled=yes
set winbox address=10.0.0.0/8
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ipv6 address
add from-pool=IPv6-local-pool interface=bridge-internal
/ipv6 dhcp-client
add add-default-route=yes comment="Main DHCP IPv6 Pool" interface=ether1-router pool-name=IPv6-local-pool request=prefix
/system clock
set time-zone-name=America/Chicago
/system identity
set name=hex-1
/system ntp client
set enabled=yes primary-ntp=132.163.96.5 secondary-ntp=129.6.15.32 server-dns-names=pool.ntp.org
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

I appreciate the help in seeing what I missed I am sure!

nescafe2002 · September 10, 2018, 7:11pm

Problem is visible in route table:

1 ADC 10.50.1.0**/32** 10.50.1.1 ether3-rb2011 0

You should supply netmask, either in suffix or bitmask:

/ip address add address=10.50.1.1/24 interface=ether3-rb2011 network=10.50.1.0
#or
/ip address add address=10.50.1.1 interface=bridge-lan  network=10.50.1.0 netmask=255.255.255.0

SadisticNerd · September 10, 2018, 7:39pm

Wow. I swear I looked over that 10,000 times and never saw that. Thank you so much. I owe ya a drink my friend!