I have devices connected to a bridge. DHCP is set up correctly. When I ping 8.8.8.8 from ether1 (internet) in Tools -> Ping it works, but when I ping from the bridge interface, it shows a timeout. Do I need to add a firewall rule, or a NAT translation?
Without you showing us your configuration it’s hard to say… Are you using the default configuration?
Yes, I'm using default configuration.
/ip firewall nat
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
1 chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=80 protocol=tcp dst-port=8080 log=no
log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=80 protocol=tcp dst-port=8081 log=no
log-prefix=""
/ip dhcp-server
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME
NAME INTERFACE ADDRESS-POOL LEASE-TIME
0 defconf bridge default-dhcp 10m
/ip firewall filter
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Let me know if I can show any other relevant configurations.
Do I understand you correctly that you’re trying to execute
/tool/ping 8.8.8.8 interface=bridge
and it doesn’t work?
If that is so, then it’s expected (not to work). By setting the interface parameter on the ping command you’re overriding normal out-interface selection (which is the result of resolving the next-hop routing task) by telling the router to send pings out via the bridge interface, and it’s pretty clear that 8.8.8.8 is not available there.
If you’re trying to do something else, then explain it in a bit more detail.
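The behaviour described in the reply above, as an added example that is not part of the original thread and is not RouterOS code: a simplified Python model of normal out-interface selection by longest-prefix route lookup, next to a ping with a forced interface. The LAN prefix follows the 192.168.88.x addresses shown in the thread; the WAN prefix, the gateway and the function names are constructed assumptions.

```python
import ipaddress

# Constructed routing table modelled on a default-config router.
# 192.168.88.0/24 follows the addresses in the thread; the WAN prefix
# and gateway are made-up documentation addresses (assumption).
ROUTES = [
    {"dst": "0.0.0.0/0", "gateway": "203.0.113.1", "interface": "ether1"},
    {"dst": "203.0.113.0/24", "gateway": None, "interface": "ether1"},
    {"dst": "192.168.88.0/24", "gateway": None, "interface": "bridge"},
]


def route_lookup(dst, routes=ROUTES):
    """Normal out-interface selection: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r["dst"])]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r["dst"]).prefixlen)


def ping_plan(dst, forced_interface=None, routes=ROUTES):
    """Return (mode, out_interface, next_hop) for an echo request to dst.

    Model assumption: with a forced interface the route lookup is skipped,
    so a reply is only plausible when dst sits in a prefix that is directly
    connected to that interface.
    """
    if forced_interface is None:
        route = route_lookup(dst, routes)
        if route is None:
            return ("no-route", None, None)
        # Connected routes have no gateway: the destination is its own next hop.
        return ("routed", route["interface"], route["gateway"] or dst)

    addr = ipaddress.ip_address(dst)
    on_link = any(
        r["interface"] == forced_interface
        and r["gateway"] is None
        and addr in ipaddress.ip_network(r["dst"])
        for r in routes
    )
    if on_link:
        return ("forced-on-link", forced_interface, dst)
    return ("forced-unreachable", forced_interface, None)


if __name__ == "__main__":
    for target, iface in [("8.8.8.8", None), ("8.8.8.8", "bridge"),
                          ("192.168.88.253", "bridge")]:
        print(target, iface, ping_plan(target, iface))
```
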
More to the point, networking is about allowing specific user traffic, it's not so people can ping themselves into delirium.
What traffic, actual real meaningful traffic, are you trying to ensure can be executed?
I have an Amcrest camera connected to the MikroTik. There is an option to access FTP which requires a server address, and I’m guessing I have to do some address translation for that to work, because currently it is not working.
Sure, what I’m actually trying to do is for a device connected to the MikroTik (in this case, a camera) to be able to access external addresses like an FTP server. Currently it is not working when I use an FTP server address, and I’m suspecting it’s because it doesn’t “know” where the address is since it’s in the bridge network and not in ether1.
Well, that’s not because your ports are in the bridge. If you can access the internet from e.g. your PC then your camera can also reach it.
I think that you are missing port forwarding on the server side network. Also, when you are asked for the FTP server IP address, do you enter the IP address of the local network where the server is, or do you enter the WAN address plus port?