No route from LAN to WAN

Hi all,

I have a MikroTik CRS312-4C+8XG and I am trying to configure it as a router to connect to my ISP’s router. The ISP’s router is a Virgin Media Hub 4 which has been placed into modem mode. With the config shown below there are a few things that work and things that do not work…

1. The modem and router communicate okay as I can see that the DHCP client gets an ip, gateway, dhcp server and dns server.
2. From a Mikrotik terminal I can ping 8.8.8.8 and a fqdn.
3. From a PC on the LAN side I can ping the public assigned ip address on ether1 (WAN) and all other devices connected in the LAN.
4. From a PC on the LAN side I cannot ping anything on the internet, e.g. 8.8.8.8, including the WAN gateway ip address.
5. The DHCP server on the LAN side only gives its clients an ip address but does not give it the gateway ip. I assume that this should be 192.168.0.1
6. If I set a PC’s ip address manually to, say, 192.168.0.8, gateway to 192.168.0.1 and dns to 8.8.8.8,8.8.4.4 I still cannot ping anything on the internet.

I see two issues here:
There is no route between LAN and WAN.
DHCP server on LAN side is not giving its clients the gateway ip address.

I have tried to enable/disable ip-forward, turning off all the firewall rules and disabling the LAN DHCP server but still no luck.

Any help here would be very much appreciated.

Mark

The config:

# apr/09/2022 19:17:00 by RouterOS 7.2
# model = CRS312-4C+8XG

/interface bridge
add name=BRIDGE

/interface ethernet switch
set 0 l3-hw-offloading=yes

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=POOL_MAIN ranges=192.168.0.50-192.168.0.254

/ip dhcp-server
add address-pool=POOL_MAIN interface=BRIDGE name=DHCP_MAIN

/port
set 0 name=serial0

/interface bridge port
add bridge=BRIDGE comment=defconf interface=combo1
add bridge=BRIDGE comment=defconf interface=combo3
add bridge=BRIDGE comment=defconf interface=combo4
add bridge=BRIDGE comment=defconf interface=ether2
add bridge=BRIDGE comment=defconf interface=ether3
add bridge=BRIDGE comment=defconf interface=ether4
add bridge=BRIDGE comment=defconf interface=ether5
add bridge=BRIDGE comment=defconf interface=ether6
add bridge=BRIDGE comment=defconf interface=ether7
add bridge=BRIDGE comment=defconf interface=ether8
add bridge=BRIDGE comment=defconf interface=ether9
add bridge=BRIDGE comment=defconf interface=combo2

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip settings
set ip-forward=yes

/interface list member
add interface=ether1 list=WAN
add interface=BRIDGE list=LAN

/ip address
add address=192.168.0.1/24 interface=BRIDGE network=192.168.0.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=9.9.9.9 gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.0.1 name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.0.0/24

/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 src-address=0.0.0.0/0 template=yes

i dont have access to that device so i have the following suggestions to try:

please do not include management ethernet interface as a port of the bridge, in this switch that interface is cpu only (i think is ether9), not part of switch chip

try disabling all hw-offload and reboot device verify that offload is fully disabled (disable fastrack rules on ip firewall) and check your routing works OK on software

then

enable fast-track ip firewall rules

then

enable hw-offload on switch ports

/interface/ethernet/switch/port set [find] l3-hw-offloading=yes

disable offload on wan port

/interface/ethernet/switch/port set ether1 l3-hw-offloading=no

then

enable offload on switch

/interface/ethernet/switch/set 0 l3-hw-offloading=yes

references
https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading

What do you get from “/ip/route/print”?

Hi,

Thank you chechito. I followed your instructions and got it to work. Thank you very much! The issue was that L3 H/W offloading was turned on for the WAN ether1 port.

As soon as I disabled it I was able to connect to the internet from my PC and DHCP is also working too.

tangent… For the record, the results of the ip/route/print are

Flags: D - DYNAMIC; A - ACTIVE; c, d, y - COPY
    DST-ADDRESS     GATEWAY      DISTANCE
DAd 0.0.0.0/0       xx.yyy.zz.1         1
DAc xx.yyy.zz.0/24  Uplink              0
DAc 192.168.0.0/24  BRIDGE              0

Thanks again, Mark

And this worked because L3HW prevents your “/ip firewall filter” rules from taking effect, I’m guessing?

If so, that’s a hazard of using a CRS3xx as a “router.” Products in this line are more switch than router, by design.