Hello,
I am trying to use the MikroTik as a VPN box; I have my normal internet router connected to port 4.
I have done a full reset and configured the wifi + bridge (added all), set DHCP off, set the IP to the range of my internet router's range, and set up DNS.
Connecting to the wireless of the MikroTik I get internet, no issues.
However, when connected to RouterOS itself, trying to check for updates, set up the VPN, download a certificate, or even a simple ping from the toolbox (even directly to eth4 or bridge) is not working.
As if the device itself cannot reach the internet, but clients can.
Any assistance would be highly appreciated.
Thank you.
You have to specify a DNS server under /ip/dns and not just in DHCP Network in order for the MikroTik to be able to resolve the update-server name - that’s my suggestion. Otherwise, post your config.
As I said, DNS is configured, but even a ping to 8.8.8.8 doesn’t work.
How do I post the configuration?
Hopefully this is what you need:
#
# model = RB941-2nD
# serial number = A1C30AAxxxxxx
/interface bridge
add admin-mac=74:4D:28:3D:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=israel disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=LetsWatchMovies wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xxxxxxx wpa2-pre-shared-key=xxxxxxx
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge interface=all
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.1.223/24 comment=defconf interface=ether2 network=192.168.1.0
add address=192.168.1.224/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.223 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.223 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=ether2
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Like I said, the internet is working when I'm connected to the wifi, but from the device I'm not getting anywhere:
[admin@MikroTik] > ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 timeout
1 8.8.8.8 timeout
2 192.168.1.224 84 64 675ms host unreachable
3 8.8.8.8 timeout
4 8.8.8.8 timeout
5 192.168.1.224 84 64 985ms host unreachable
sent=6 received=0 packet-loss=100%
You tell us you have your upstream router on port 4. Why do you put an address on ether2 and route through ether2? Why do you bridge ports 2-4? Your WAN list has the ether1 port only.
That is the original configuration.
Yes, I was wrong regarding port 4; I have the router connected at port 2 (if I connect it to port 1, I cannot access the device).
As for the bridge, I read a comment by someone who said that putting “all” in the bridge resolved the issue for him.
I would also mention that I tried to set the “Internet” part to static, since Automatic was not bringing anything (I thought it might help).
Can you perhaps tell me how to correct it?
I don’t mind doing a fresh reset and changing it.
OK, I finally got it.
I changed to “Bridged mode”,
added Eth1-4, connected the router to Eth1 and set an IP & GW.
It all works now.
Thank you for your assistance in pointing me to the right place.
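As an added illustration (not code from this thread or from MikroTik), a small Python checker that parses a RouterOS export in the format posted above and flags the three points raised in the reply and fixed by the final bridged-mode config: an IP address placed on a bridge port, a default route whose gateway is an interface name instead of the upstream router's IP, and an uplink port missing from the WAN interface list that the masquerade rule keys on. The export it runs on is a constructed, shortened copy of the one posted above.

```python
import re
import shlex

# Constructed, shortened excerpt of the export posted in this thread.
EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.1.223/24 comment=defconf interface=ether2 network=192.168.1.0
add address=192.168.1.224/24 interface=ether1 network=192.168.1.0
/ip route
add distance=1 gateway=ether2
"""

def parse_export(text):
    """Group the add/set lines of a RouterOS export by their '/path' section."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or export header comment (model, serial)
        if line.startswith("/"):
            current = line  # e.g. '/ip address'
            sections.setdefault(current, [])
            continue
        _verb, _, rest = line.partition(" ")
        rest = re.sub(r"\[.*?\]\s*", "", rest)  # drop '[ find ... ]' selectors on set lines
        entry = {}
        for token in shlex.split(rest):  # quoted comments stay a single token
            key, _, value = token.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections

def check_export(text):
    """Return findings explaining why the router itself has no usable uplink."""
    cfg = parse_export(text)
    bridge_ports = {e["interface"] for e in cfg.get("/interface bridge port", [])}
    wan_ports = {e["interface"] for e in cfg.get("/interface list member", []) if e.get("list") == "WAN"}
    findings = []
    for a in cfg.get("/ip address", []):
        if a["interface"] in bridge_ports:  # a bridge port carries no L3 of its own; address belongs on the bridge
            findings.append(f"{a['address']} is on bridge port {a['interface']}; move it to the bridge")
    for r in cfg.get("/ip route", []):
        gw = r.get("gateway", "")
        if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", gw):  # on Ethernet the gateway must be the next-hop IP
            findings.append(f"route gateway '{gw}' is an interface name, not the upstream router's IP")
            if gw not in wan_ports:  # uplink outside the WAN list: the masquerade rule never matches it
                findings.append(f"uplink {gw} is not in the WAN interface list")
    return findings
```

Running `check_export(EXPORT)` on the posted export yields all three findings; once the address sits on the bridge and the route points at the upstream router's IP, it returns an empty list.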
Glad to hear you’ve got it