No Internet Access and cant' PING

islandcapt · July 21, 2016, 10:08pm

Hello, all.

I am relatively new to MikroTik. However, I have successfully setup a half a dozen or so RB2011's and hEX Lites before now with the help of colleagues. However, I am having issues with a new configuration of an RB2011 running firmware 3.33 and ROS 6.34.6.

I initially uploaded a config that is running successfully on an identical router. However, I could not access the internet from the new RB2011 and I was unable to PING basic servers such as Google, etc. After scratching my head for hours, I reset the new RB2011 to defaults to see if there was something that the router did not like something about the previous router's config. With the router set to defaults, I still have the same results; no internet access, unsuccessful PINGs.

Here is the routers config with most everything as default configuration:

\

RouterOS 6.36

software id = 169X-8API

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set ether1-gateway discover=no
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge interface=ether2-master
add bridge=bridge interface=ether6-master
add bridge=bridge interface=sfp1
/ip firewall connection tracking
set enabled=yes
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related"
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN"
in-interface=ether1-gateway log-prefix=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related"
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface=ether1-gateway log-prefix=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=
"" out-interface=ether1-gateway
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

I am wondering if it has something to do with the 'sticky' firewall filters that have been created with the default config. I figure if I can get you guy's help with making the default config to work, I can adapt the working changes to the config I typically use which is mostly specific firewall filters.

I greatly appreciate the guidance.

Cheers!

loveman · July 22, 2016, 6:31am

Check steps :
1-check if you added gateway ip address from IP ROUTE.
2-check ip dns if you added.
3-check NAT in ip, firewall, nat, add, src address write range ip address, chain Masquerade.
Regards

islandcapt · July 22, 2016, 10:48am

Thanks for the reply, loveman.

1-check if you added gateway ip address from IP ROUTE.

Currently, the gateway ip address from IP ROUTE are added dynamically. The first route appears as 0.0.0.0/0 with the Gateway IP from the ISP shown as reachable via ether1-gateway. The second route appears as the Dst. Address xxx.xx.xxx.0/19 (related to ISP gateway) with the Gateway as ether1-gateway reachable and Pref. Source as an IP from the ISP. The third route is Dst. Address 192.168.88.0/24 Gateway=bridge reachable and the Pref. Source as 192.168.88. Do I need to add more?

2-check ip dns if you added.

The IP DNS also populates automatically in Dynamic Servers with the DNS addresses from the ISP. Is there something else to be added?

3-check NAT in ip, firewall, nat, add, src address write range ip address, chain Masquerade.

I’m not sure that I follow this suggestion. The default NAT Masquerade rule is in place which has worked for me in the past. Is there another rule to add or does the default rule need to be modified?

JP_Wireless · July 22, 2016, 11:58am

reset the router, save a new config back in a working one and upload afresh. Note that the ip address, name and some common item will be the same as that of the old router.

islandcapt · July 22, 2016, 12:14pm

Thanks for the reply, JP_Wireless.

My first step in this process was loading what I know to be a working config. However, that working config did not work with this router, and that is what really started the confusion. The only difference between the working config and that of this new router is the default firewall ‘dummy’ filters that are ‘sticky’ or ‘bulletins’ that I have not figured out how to disable. An example of one of those would be the ‘special dummy rule to show fasttrack counters.’

k6ccc · July 22, 2016, 6:41pm

Other than the fasttrack connection (which I don’t know what that is), I don’t see anything obviously wrong with the config. A couple of thoughts (in no particular order):
You have the WAN interface set as a DHCP client. Does the internet service that you are using offer plain old DHCP or is something else (such as PPPOE for example) required?
Assuming you are using a Windows computer, open a command prompt and type: ipconfig /all Confirm that you are getting an IP from the router - it should be 192.168.88.nnn, and the default gateway should be the router IP address. Then attempt to ping the router (should be 192.168.88.1). If you can ping the router, try to ping Google.com. Even if you can’t ping Google.com, does the ping command show that it got an IP address for Google.com, or could not find host? Especially if ping can’t find host, can you ping 172.217.0.238 (the IP I get when I ping Google.com). The results of these will help determine if you are having a DNS issue.
Can you command the router to do a ping test to an IP or host name (as opposed to you having your PC do so)?

That’s enough to start with..

islandcapt · July 22, 2016, 7:17pm

Good day, k6ccc,

The ISP provides the public IP address via DHCP based on the router’s WAN port MAC address. I am going to try your suggestions and post results briefly.