No internet on LAN - hex rb750gr3 with E3372

vanblunt · July 30, 2019, 7:47pm

Hi all.I have issue which seems to be simple but I cannot figure it out. I received HEX RB750GR3 from my friend. I connected Huawei E3372 Hilink to it and factory defaulted Hex. Now HEX has internet access (I can ping google.com from terminal) but devices on LAN don’t. My laptop is connected to LAN and it gets IP address, I can access HEX but internet doesn’t work. I made a test and connected internet with cable to first ethernet port - in this scenario internet on LAN devices works. But with LTE it doesn’t. What am I doing wrong? I have the latest firmware (6.44.5). I tried finding answer to this issue online but no one seems to have this problem. Anyone knows what needs to be done?

anav · July 31, 2019, 2:43pm

Ahh so you realized your friend is really your enemy LOL.
He gave you a gift that is giving you headaches.
Mikrotik is not a plugNplay device for the IT illiterate crowd but does take some work.
Stick through the initial tough beginning and you will enjoy working in RouterOS…

Suggest posting your config for viewing to determine what is going on.

/export hide-sensitive file=yourconfig31july

(ensure you remove your actual WANIP address)

vanblunt · July 31, 2019, 4:37pm

Hahaha! Yes, it turns out my friend is not really my friend anymore

Maybe Mikrotik is not plug&play but if I factory default it and then connect internet to 1st port (labeled Internet) then everything works fine. But if I disconnect cable from Internet port and try the same with USB modem plugged in then internet doesn’t work on LAN.

Anyways, my Hex RG750GR3 config is absolutely default - as I said before, I plugged Huawei E3372 153s USB modem to it and factory defaulted it. And internet works - I can ping out from terminal (for example google.com). It just doesn’t work on devices connected to LAN ports.
Here’s the config (my WAN IP is not public so no need to hide anything. Plus I don’t see it in config anyway):

_# jul/31/2019 18:21:12 by RouterOS 6.44.5

software id = 3TTR-Z1L9

model = RouterBOARD 750G r3

serial number = 6F3807C9C785

/interface lte
set [ find ] mac-address=0C:5B:8F:27:9A:64 name=lte1
/interface bridge
add admin-mac=64:D1:54:91:7D:BA auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=
ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN_

Any help would be greatly appreciated! Thanks in advance.

anav · July 31, 2019, 6:48pm

None of your routing information/config is there??

vanblunt · July 31, 2019, 7:19pm

Nope. That’s all output I get from the command you provided.

mkx · July 31, 2019, 7:20pm

Probably because all of it is dynamic. /ip route print and /ip address print would reveal lots of things. Before posting output of these commands do obfuscate public IP addresses … but do it consistently so that it will be obvious what belongs together.

My wild guess: in order to get internet over LTE working for LAN hosts, the LTE interface (as seen by ROS) will have to be added to members of WAN interface list (so that default SRC-NAT rule will do its magic).

vanblunt · July 31, 2019, 8:16pm

There you go:

_[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 192.168.8.1 2
1 ADC 192.168.8.0/24 192.168.8.100 lte1 0
2 ADC 192.168.88.0/24 192.168.88.1 bridge 0

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; defconf
192.168.88.1/24 192.168.88.0 bridge
1 D 192.168.8.100/24 192.168.8.0 lte1_

Let me know if you need any other info. What’s the command to add LTE interface to members of WAN interface list?

CZFan · July 31, 2019, 9:07pm

Besides what @mkx said, I don’t see where the client devices get DNS config from.

Add DNS server IPs under DHCP server networks

vanblunt · July 31, 2019, 9:21pm

Thanks for advice but I don’t think that’s what the issue is. If I ping google.com from LAN device, the address gets resolved. But I don’t get any response.

anav · August 1, 2019, 12:17am

Such confidence!
Well mkx and CZFan know far more than most here, thus your level of knowledge must be beyond me then so I am not able to provide any further assistance…

mkx · August 1, 2019, 4:02am

So did you try to add lte1 interface to WAN interface list? Did it do the trick or not?

vanblunt · August 1, 2019, 9:09am

I did. And it works now! It took some time for it to work as the change required reboot which I wasn’t aware of… Thank you so much for the advice!

@anv:

As I stated before, my level of Mikrotik knowledge is none - hence I asked for help here. But I have some network knowledge so when I see address being resolved from LAN client then I can be 100% sure the issue is not with DNS. I greatly appreciate your help anyway. Thanks for taking time to look into this.

anav · August 1, 2019, 4:55pm

Glad it worked out for you!