MikroTik | SXTR&FG621-EA LTE: internet from LAN

eth1: LTE passthrough to eth1. eth2: on the bridge. The bridge is connected to the LAN and gets an IP from the LAN DHCP.
Problem: no internet on the MikroTik SXTR device itself. I need it for updates, NTP, etc.
Question: how do I configure the MikroTik to connect to the LAN and get internet from the LAN router?

Short answer: set a default route to 0.0.0.0/0 with the LAN gateway and a distance lower than what you have now for LTE.

Already done, but internet is not working. I don't know how to set the distance for the other routes.
[screenshot: dsdsd.png]

What is the LTE connection being used for?

Can you post the full config (minus serial, minus public WAN IP, passwords, ...)?

/interface bridge
add admin-mac=78:9A:18:91:59:CC auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" network-mode=lte \
    sms-read=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet passthrough-interface=ether1 \
    passthrough-mac=00:00:00:00:00:00 passthrough-subnet-size=24 \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m \
    name=defconf
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.1.3/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.3 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It’s invalid:
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24

The gateway and DNS server on the LAN are 192.168.1.1.

I am not getting it.

You have an SXT with LTE; it acts as DHCP server for the LAN network behind it?
Then what else is connected to the LAN to have internet?

From what I see:

  • both ether ports are connected to the bridge (though ether1 is disabled? Why?)
  • lte1 is labeled as WAN (logical)
  • the DHCP server is connected to the bridge, using the 192.168.88.0/24 subnet. But there is no 192.168.88.x address assigned to the bridge?

You have an ADDITIONAL address 192.168.1.3/24 on the bridge. Why? Where does subnet 192.168.1.0 come from? Connected to which port?
You also have a DHCP client on that same bridge that is acting as DHCP server? Why? It doesn't make sense to do it that way. Where should it get an address from?

There are obviously parts which you have not told us yet.
Maybe also a small drawing of your complete network? Paper is OK.

OK... I will try to explain my network :slight_smile:
Main router: DrayTek Vigor with dual WAN, DHCP, etc. On this router WAN1 is VDSL and WAN2 is the SXT. Both work in load-balancing mode.
So, about the SXT. A few days ago I bought the SXT, put a SIM card in, connected eth1 to the DrayTek router's WAN2 port, disabled eth1 on the bridge and set passthrough of lte1 to eth1. I disabled DHCP and changed the IP to 192.168.1.3 (on the main page of the SXT; the old one was 192.168.188.1).
The main router (DrayTek Vigor) WAN2 port gets an IP from the LTE operator and internet is working. But there is no internet on the SXT device itself.
I connected eth2 of the SXT to a DrayTek Vigor router LAN port. And I want to share internet to the SXT from the main router (DrayTek Vigor).

My network with main router (Draytek) is 192.168.1.0/24.

OK, no drawing but I get the picture :laughing:

So basically your SXT is also dual-WAN now.
Once via LTE, which it passes on via ether1.
Once via ether2, which is connected to the LAN of your Draytek.

What I would do:

  • remove ether1 from the bridge, since it's passthrough with lte1 and has no further business on that device
  • remove the DHCP server from the bridge (no function; also remove the pool and network)
  • remove the manually assigned IP address from the bridge
  • the DHCP client on the bridge should now get a lease from the Draytek LAN; it will also dynamically create a route towards the Draytek.

What you should end up with:

  • ether1: passthrough from LTE towards the Draytek
  • bridge: getting an IP lease from the Draytek in the LAN range via ether2 and providing internet services to the SXT device via the LAN

Personally I would also remove the bridge and set the DHCP client on ether2, but that's maybe a bit too far.

Question: Why do you use pass-through?
If you use the SXT in its default config, it should get internet from its LTE link, saving you one connection.
The Draytek then needs to get a lease on the one port that connects to the SXT, and your dual WAN is back in place.
You will always be able to connect to it from your LAN (provided your firewall is set up properly).
Ideally you might also configure things in such a way that local SXT traffic uses the Draytek for internet instead of LTE.

Question: Why do you use pass-through?

In my mind pass-through is better than a few routes (LTE operator external IP > LTE operator CGNAT address > SXT > Draytek > LAN). With pass-through I eliminate the SXT and my Draytek WAN2 port gets the LTE operator CGNAT address, not a DHCP address from the SXT.

  • remove dhcp server from bridge (no function, also remove pool and network)
  • no own DHCP on the bridge. DHCP client only; the DHCP server is on the Draytek.
  • remove manually assigned IP address from bridge
  • no manually assigned IP on the bridge. It gets its IP from DHCP (192.168.1.7).
    I assigned the IP (192.168.1.3) manually in "Quick Set" (maybe to eth2? there is no option to leave it empty).

It's disabled, but it is there. If it's not used, get rid of it. It only adds confusion later on.

/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m \
    name=defconf

/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24



  • remove manually assigned IP address from bridge
  • no manually assigned IP on the bridge. It gets its IP from DHCP (192.168.1.7).
    I assigned the IP (192.168.1.3) manually in "Quick Set" (maybe to eth2? there is no option to leave it empty).

What's this then?

/ip address
add address=192.168.1.3/24 comment=defconf interface=bridge network=\
    192.168.1.0

After the default config, you can use Quickset once. Don't use it again afterwards, since you will not know for certain what it changes and what not.

If you go to the terminal, what does /ip route print show?

OK... DHCP removed from the bridge.

[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS      GATEWAY      DISTANCE
DAd  0.0.0.0/0        192.168.1.1         1
DAc  100.81.243.0/24  ether1              0
DAc+ 192.168.1.0/24   bridge              0
DAc+ 192.168.1.0/24   bridge              0

Looks like you have a default route to the Draytek there.
If you now ping whatever site from the terminal, does it work or not?

Removed the 192.168.1.3 IP.

[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY      DISTANCE
DAd 0.0.0.0/0        192.168.1.1         1
DAc 100.81.243.0/24  ether1              0
DAc 192.168.1.0/24   bridge              0

Found the problem... DNS :slight_smile: IP ping OK, domain not. :slight_smile: How to fix?

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

I would remove this.
You can set the DHCP client to use peer DNS, which is usually better since all DNS requests will then be handled by the same device.
AdGuard, PiHole, ... are other options then to sink ad spam. Unless that is already foreseen on the Draytek?

DHCP client config
[screenshot: abb.png]

Internet not working.
[screenshot: Screenshot 2024-03-01 at 18.28.11.png]

Do you still have that DNS setting set manually?

Can you show /ip export please?

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24
/ip dns
set allow-remote-requests=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN

Please remove these parts.

/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24

This one: change yes to no.

/ip dns
set allow-remote-requests=yes

How do I remove them in the terminal? :slight_smile: The web interface doesn't show these settings.
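As an added example (not posted by any participant in the thread), here is the cleanup the replies above ask for, the DNS change, and the checks that follow, written as RouterOS terminal commands. Every object name and address is taken from the posted exports (bridge port ether1, DHCP server defconf, pool default-dhcp, network 192.168.1.0/24, static address 192.168.1.3/24, gateway 192.168.1.1); the DHCP client options add-default-route, use-peer-dns and use-peer-ntp are standard /ip dhcp-client parameters. The `:resolve` lookup of mikrotik.com is only a constructed test name.

```routeros
# Added example, not from the thread: apply the cleanup on the SXT from the terminal.
# Objects are matched with [find ...] so each command is a no-op if already removed.

# 1. ether1 only carries the LTE passthrough; it has no business on the bridge.
/interface bridge port remove [find interface=ether1]

# 2. No DHCP server on this device: the Draytek hands out the leases.
#    Remove server, its network and its pool (the pool still appears in the last export).
/ip dhcp-server remove [find name=defconf]
/ip dhcp-server network remove [find address=192.168.1.0/24]
/ip pool remove [find name=default-dhcp]

# 3. The static 192.168.1.3/24 from Quick Set conflicts with the lease the bridge receives.
/ip address remove [find address=192.168.1.3/24]

# 4. The DHCP client installs the default route (192.168.1.1, as in the route print)
#    and, with use-peer-dns=yes, takes the DNS server the Draytek advertises, so the
#    hardcoded 8.8.8.8/8.8.4.4 entry is no longer needed.
/ip dhcp-client set [find interface=bridge] add-default-route=yes use-peer-dns=yes use-peer-ntp=yes
/ip dns set servers=""

# 5. The SXT only resolves names for itself; stop it acting as a resolver for others.
#    The input chain already drops non-LAN traffic, so this is defence in depth rather
#    than the only barrier.
/ip dns set allow-remote-requests=no

# 6. Checks: lease details (gateway and DNS offered), dynamic DNS servers, routes,
#    reachability of the gateway, and a name lookup that exercises the DNS path.
/ip dhcp-client print detail
/ip dns print
/ip route print
/ping 192.168.1.1 count=3
:put [:resolve mikrotik.com]
```

After step 6 the route table should show the single DAd 0.0.0.0/0 via 192.168.1.1 and one DAc 192.168.1.0/24 on the bridge, as in the second route print above, and `/ip dns print` should list the Draytek's address under dynamic-servers. If the `:resolve` fails while the ping succeeds, the DNS server offered in the lease is the thing to inspect, not the route.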