Issues with hEX RB750Gr3 - VPN and Reconnect

I’m new to the MikroTik environment and still learning the basics of network configuration.

I recently purchased a MikroTik hEX RB750Gr3 router, but I’ve encountered two issues that I can’t seem to resolve on my own:

  1. Internet Access Issue After Power Outages: My home experiences frequent power outages. After the power returns, my MikroTik router boots up correctly, and all my devices (PCs and Macs) can see each other and communicate locally. However, they often can’t access the internet or load websites.

Temporary Fix: Running ipconfig /release and ipconfig /renew on my PCs usually restores internet access.
Temporary Fix 2: Restarting router through WinBox also fixes the issue, but it takes more time.

Question: Is there a way to configure the router to automatically handle this issue after a power interruption, so I don’t have to manually reset the IP configuration each time?


  2. VPN Connection Problem: My second issue is more critical. I need to connect to my employer’s VPN (L2TP/IPsec with a pre-shared key) to access work files, but the connection fails when I try to connect through my MikroTik router.

Configuration Details: I followed this YouTube setup tutorial and applied the firewall rules as shown, which I believe may be causing the VPN connection issue.

Additional Details:

  • The VPN works if I connect my PC to the internet using my phone’s hotspot.
  • The VPN also works with my previous router, so it’s not blocked by my ISP.
  • This leads me to believe that the issue is with the MikroTik configuration, possibly related to firewall settings.

My setup is almost identical to the video, but if more specific information is needed, is there a guide on how to export a configuration file from my router while keeping sensitive information private?

Thank you in advance!

The fact that the PC rebooting resets their connection tells me that the issue is not with the router's connection to the internet, as that is separate.
However, what is clear is that your best bet is to buy a UPS, if nothing else for your ISP modem and router to protect them from damage.
The same goes for your PCs. If your outages are long-term, then the UPS allows you to gracefully power down all equipment.

For your VPN recommend viewing this video: https://www.youtube.com/watch?v=uVag_e475zc&t=1308s
(min 22 discusses firewalls)

Please post your config…
/export file=anynameyouwant (minus router serial number, any public WAN IP information, keys etc.).

Do post any required encryption snapshots, that the config does not point out, but rub out or put in fake data over any sensitive data…

Indeed, only the actual configuration is helpful - mistakes happen, differences considered negligible may actually have an impact etc.


There are multiple, but it is probably faster to type it than to google it up.

Go to the command line (press the [Terminal] button in Winbox or WebFig or use SSH), enter /export hide-sensitive file=somenicename. This will export the complete configuration except passwords and similar kind of information (and throw an error on early versions of RouterOS 7 as hide-sensitive is the default for ROS 7 and those early versions do not silently ignore this modifier, so in such a case just remove it, the passwords will not be exported anyway).

Next, download somenicename.rsc, open it in a text editor and manually obfuscate any usernames to external services, MAC addresses and serial numbers if that bothers you, and use find&replace functionality to substitute first three bytes of any public IP by something like public.subnet.a to maintain the consistency of the information without revealing the actual addresses.

Copy-paste the result here between [code] and [/code] tags, obtained by pressing the [</>] button.

Hello! Thank you for your help. After watching the tutorial, I feel like I’ve made a small step in the right direction. Previously, I was getting an 809 error code from RasClient, but now it’s 789! That’s progress!

I’m attaching my router configuration below:

# oct/29/2024 07:52:26 by RouterOS 6.49.17
# software id = JGEA-70H0
#
# model = RB750Gr3
# serial number = SERIALNUMBER
/interface bridge
add name=LAN
/interface ethernet
set [ find default-name=ether5 ] name=ETH-Brama
set [ find default-name=ether4 ] name=ETH-DanielPC
set [ find default-name=ether2 ] name=ETH-PokojAsi
set [ find default-name=ether3 ] name=ETH-Salon
set [ find default-name=ether1 ] name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=172.16.0.100-172.16.0.254
add name=dhcp_pool1 ranges=172.16.0.200-172.16.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN lease-time=1d name=\
    dhcp1
/interface bridge port
add bridge=LAN interface=ETH-PokojAsi
add bridge=LAN interface=ETH-Salon
add bridge=LAN interface=ETH-DanielPC
add bridge=LAN interface=ETH-Brama
/interface detect-internet
set detect-interface-list=all
/ip accounting
set enabled=yes
/ip address
add address=172.16.0.1/24 interface=LAN network=172.16.0.0
/ip dhcp-client
add disabled=no interface=WAN
/ip dhcp-server lease
add address=172.16.0.10 client-id=0:0:0:0:0:0:0 comment=OpenVPN \
    mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.2 client-id=0:0:0:0:0:0:0 comment=DanielPC \
    mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.100 client-id=0:0:0:0:0:0:0 comment=WorkPC \
    mac-address=00:00:00:00:00:00 server=dhcp1
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=WAN
add action=accept chain=input dst-port=1194 protocol=udp
add action=log chain=output dst-port=1701 protocol=udp
/ip firewall nat
add action=accept chain=srcnat dst-address=xx.xx.xx.242 src-address=\
    172.16.0.100
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=\
    172.16.0.10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=NameNetwork
/system logging
add topics=ipsec
add topics=l2tp
add topics=debug

PS: As you can see, I have a private OpenVPN server on my local network. I use it to connect to my home from my phone to control my home assistant remotely. I hope this isn’t an issue.

You would be better off using wireguard which is native on the router (assuming you have a public IP or the ISP router does and can forward ports to the hEX).

  1. Why do you have two IP pools, and why do they overlap ???

  2. Recommend set this to NONE
    /interface detect-internet
    set detect-interface-list=all

  3. I would not use a name for the bridge that is already used in router nomenclature for interface…
    /interface bridge
    add name=BridgeLAN works

  4. Same for the etherport WAN is common to represent the WAN interface list etc… change to:
    set [ find default-name=ether1 ] name=ether1WAN

  5. Complete this config line:
    /ip dhcp-server network
    add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1

  6. Is this a public facing Router ( public IP ), if so, why did you get rid of the default firewalls which are meant to provide a secured network.
    The rules are inadequate.

  7. Your destination nat rule is incorrectly formatted.

In summary, needs work; should not be connected to the internet.

The existing firewall rules only deal with the traffic the router forwards between WAN and LAN, but they allow anyone to connect to the router itself. It has to be fixed ASAP, but it has nothing to do with the L2TP/IPsec issue. However, I don’t understand the purpose of the following rule in NAT:
action=accept chain=srcnat dst-address=xx.xx.xx.242 src-address=172.16.0.100
As this rule refers to the address reserved for WorkPC, I suspect xx.xx.xx.242 is the address of the RAS; if so, what made you exempt the L2TP/IPsec client connection from getting masqueraded? The thing is that with this rule in place, xx.xx.xx.242 receives the packets from your work PC with the original source address 172.16.0.100, so its responses are sent wherever the remote network may choose but definitely not back to your home.
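As an added example (not from sindy's or anav's posts, and not the OP's config), the following is the kind of input chain sindy is pointing at, modelled on the RouterOS 6 default firewall. It assumes the WAN port is still ether1 and the LAN bridge has been renamed BridgeLAN as suggested earlier; adjust those two names to match your own interfaces. The OP's existing rules only cover the forward chain, so the router's own services (WinBox, DNS, and so on) are reachable from the internet; the rules below restrict them to LAN.

```routeros
# Added example, not from the thread: protect the router itself with an
# input chain modelled on the RouterOS 6 default firewall.
# Assumptions: WAN port = ether1, LAN bridge = BridgeLAN.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=BridgeLAN

/ip firewall filter
# replies to connections the router itself started, plus untracked traffic
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid \
    comment="defconf: drop invalid"
# ping is useful for troubleshooting and harmless to keep
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 \
    comment="defconf: accept to local loopback (for CAPsMAN)"
# No input rule is needed for OpenVPN: it runs on a LAN host and is reached
# through dst-nat in the forward chain, not through the router's own input chain.
# This last rule is what closes WinBox/DNS/etc. to the internet; keep it LAST.
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"

# check the result from a LAN terminal session
/ip firewall filter print where chain=input
```

Apply this from a WinBox session on the LAN, ideally with Safe Mode enabled, so a mistake in the drop rule cannot lock you out: if the session drops before you leave Safe Mode, the changes are rolled back. After the rules are in place, a port scan of your public IP from outside (a phone on mobile data, for example) should show nothing answering except the UDP/1194 port you forward, and that one only responds with OpenVPN's own handshake.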

You would be better off using wireguard which is native on the router

  • I assume you’re referring to my OpenVPN server? If so, that’s something I’ll consider. I haven’t used WireGuard before, but I have a little experience with OpenVPN, which is why I thought it was a good choice.
  1. I originally intended to create two pools: one for smart home devices and one for other devices. I forgot to implement it and never changed it back, but it’s fixed now. I’ve removed one of the pools.

  2. Fixed. May I ask why you recommended this change?

  3. Fixed.

  4. Fixed.

  5. I added the DNS server IP — also fixed

  6. The IP is public. Does this mean I should restore the router to factory defaults? I followed a tutorial video as I lack knowledge in this area. I may have bought a router that’s too advanced for my needs, and I’m starting to regret not sticking with my old Asus. I’d read online that MikroTik is the best, but I wasn’t aware it would come with such a steep learning curve.

  7. action=accept chain=srcnat dst-address=xx.xx.xx.242 src-address=172.16.0.100 - this is the rule you’re referring to. I added it based on the tutorial you sent, but I must have misunderstood its purpose. I’ve removed the rule now and apologize for any confusion caused by my lack of understanding.

In summary, needs work; should not be connected to the internet.

  • Cable was cut immediately :slight_smile:. On a serious note, I understand your concerns, so what’s the best course of action? Should I reset to factory defaults and start over? Should I consider a more beginner-friendly router? If you have a better resource than the tutorial video I shared, I’d appreciate it. My goal is to keep it secure while still making it functional.

@sindy - Sorry for not responding to your comment directly. I believe you and anav share the same concerns, so I’ve explained here why I initially added that rule and why it’s now been removed.

The router is basically SAFE with the default rules the router comes with.
That is the best starting place to learn from.
Before making any changes, go through the config line by line and try to make sense of the purpose of each line.
That is the start of the education process.
In your case, it's very close to default, one subnet basically and some ports for people to use.

Recommend reset the router to defaults and work slowly to add the information you have added so far, but not the openvpn as wireguard is relatively easy and we can do it slow time.
Once you get over a bit of a hump, it's damn fun to config the router!!!

Read this thread for example…
http://forum.mikrotik.com/t/whats-wrong-with-my-firewall-rules/179752/1

I would suggest to avoid doing too many changes at a time. So my course of action would be to

  1. reset the router to defaults
  2. change the LAN addresses to match the existing ones
  3. set up the single port forwarding rule you need to make OpenVPN work again
  4. try connecting to the L2TP server in the company (should work right here without any modifications in the Mikrotik configuration - for the Mikrotik, the L2TP/IPsec traffic from the PC in LAN to the RAS in the company is just another UDP connection it has to transparently forward and src-nat)
  5. find out what the heck the issue with power outage is (but as @anav said, a UPS is kind of a reverse of an alarm clock, as in “it makes you sleep better” - great paperback-sized DC UPses are available these days that are AC powered, have 24 V DC output and can keep the Tik alone up for hours)
  6. if you have nothing better to waste your time on, upgrade the router to current RouterOS 7 (which will slow it down a bit) and install a wireguard server on it

If you ask me why I don’t share the common excitement about Wireguard, it’s because its appraised simplicity of configuration is caused by its feature leanness (to put it softly) where the “server” cannot push even an address, let alone a route list, to the “client”. So any change needs to be done on client side manually. Plus a few other, less obvious, issues. On Mikrotik, the advantage is the throughput, because the only encryption algorithm it supports easily outperforms an AES implemented in software. But you do not use your Mikrotik as an OpenVPN server so its CPU limitations do not bother you.

As for the recovery after power outage - the fact that you can either reboot the Mikrotik or release/renew on the PCs and both lead to the same result suggests that reducing the lease time from 1d to 10m or so, or even just waiting a bit longer for it to start working on its own, might be enough. Normally, the Tik boots faster than any Windows machine, but if you’ve got laptops that are not affected by power outages, it may just take them “forever” to find out that they can access internet again.
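As an added example (not sindy's commands; the thread does not spell them out), here is what steps 2 and 3 of the list above, plus the shorter DHCP lease suggested for the power-outage problem, look like when typed on top of a freshly reset RouterOS 6 default configuration. It assumes the defaults the hEX ships with: the bridge is named bridge, the DHCP server is defconf using the pool default-dhcp, and ether1 is already a member of the WAN interface list. The MAC address for the OpenVPN host is a placeholder; substitute the real one.

```routeros
# Added example, not from the thread: rebuild the OP's LAN and the single
# OpenVPN port forward on top of the RouterOS 6 default configuration.
# Assumptions: bridge "bridge", DHCP server "defconf", pool "default-dhcp",
# ether1 in the WAN interface list (all true for a reset hEX).

# step 2: move the LAN from the default 192.168.88.0/24 to 172.16.0.0/24
# (your WinBox session will drop here; reconnect at 172.16.0.1)
/ip address
set [ find interface=bridge ] address=172.16.0.1/24 network=172.16.0.0
/ip pool
set [ find name=default-dhcp ] ranges=172.16.0.100-172.16.0.254
/ip dhcp-server network
set [ find ] address=172.16.0.0/24 gateway=172.16.0.1 dns-server=172.16.0.1

# power-outage mitigation: a 10m lease makes PCs re-request their
# configuration soon after the router is back, instead of after up to 1d
/ip dhcp-server
set [ find name=defconf ] lease-time=10m

# fixed address for the OpenVPN host (MAC is a placeholder)
/ip dhcp-server lease
add address=172.16.0.10 mac-address=00:00:00:00:00:00 server=defconf \
    comment=OpenVPN

# step 3: the one port forward. in-interface-list=WAN limits the rewrite to
# packets that actually arrive from the internet; the OP's original rule
# matched any UDP/1194 packet, whichever side it came from.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=udp \
    dst-port=1194 to-addresses=172.16.0.10 comment="OpenVPN to LAN host"

# step 4 needs no rule: the client-side L2TP/IPsec traffic (UDP/500 and
# UDP/4500 for IKE and NAT-T, UDP/1701 for L2TP) is ordinary outbound UDP
# that the default forward and masquerade rules already handle.

# verify
/ip dhcp-server print
/ip firewall nat print
```

Do the address change last in a Safe Mode session or from a console cable, because it disconnects the WinBox session that issued it; the DHCP clients on the LAN will pick up the new subnet as soon as their leases expire or they release/renew. No srcnat exception for the work PC is needed, which is exactly the point made earlier about the accept rule that was removed: the L2TP/IPsec client must be masqueraded like everything else, or the RAS replies never find their way home.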