No WAN access on LAN

Hello everyone, I’ve been trying to set up my network for the last few days, but I've run out of ideas about what could be wrong.

So the setup is: RouterOS installed on an HPE server in a VM (Hyper-V). One ethernet port is connected to my modem (5G LTE) and the other port to the main switch.

I can ping 8.8.8.8 from the router but I have no internet on any computer connected to the LAN including the host running the VM.
The DHCP on LAN is working ok, since all the computers on the network get their IP, I am just missing some setting to get access to the internet.

ether1 in my case is LAN and ether2 is on WAN.

[admin@MikroTik] > /export hide-sensitive 
# nov/28/2025 15:25:22 by RouterOS 6.49.18
# software id = 
#
#
#
/interface bridge
add name=bridge_lan
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no disable-running-check=no speed=1Gbps
set [ find default-name=ether2 ] auto-negotiation=no disable-running-check=no speed=1Gbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.1-192.168.1.253
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_lan name=dhcp1
/interface bridge port
add bridge=bridge_lan interface=ether1
/interface list member
add comment=defconf interface=bridge_lan list=LAN
add comment=defconf interface=ether2 list=WAN
/ip address
add address=192.168.1.1/24 interface=bridge_lan network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether2
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2

I would appreciate any help since I'm clueless as to what I'm missing here.

Seems to have most of the basic setup; perhaps missing a route?
Did you select default-route=YES in IP DHCP settings?

This means: "add and use" anything, is the default...

/ip dhcp-client
add disabled=no interface=ether2

Yes, Add default route is "yes" in DHCP client.

Just to add one more thing which might help: I can see the modem's IP, which is connected on the ether2 (WAN) port, but when I try to ping its IP from ether1 I get a timeout.
So it looks like the issue is with routing from ether1 (bridge_lan) to ether2. I can't ping anything on ether2 from #1.

Where is your /ip dhcp-server network entry? Without it the DHCP server won't relay the information about the gateway to the clients, and the clients will not know which gateway to use for internet access.

Try to add:

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1

Also, adjust your dhcp_pool0. The address range should not be 192.168.1.1-192.168.1.253 but 192.168.1.2-192.168.1.254 because 192.168.1.1 is the router's address already.

Normally you can use the DHCP server wizard in WinBox and the pool and dhcp-server network entries will be created for you.


If you are using Hyper-V then upgrade to RouterOS 7 for better support, especially for virtual network adapter support. But you should use the modified CHR image that is UEFI compatible. You can get the VHDX image from @Amm0:

Releases · tikoci/fat-chr

See this thread for more discussion: Router OS 7 on UEFI - RouterOS / Virtualization - MikroTik community forum

With that you can have the virtual machine be a Generation 2 VM. You only need the image for the initial VM creation. Future ROS upgrades are done normally with WinBox/RouterOS CLI.

Added and corrected the mentioned configuration, but the issue persists.

[admin@MikroTik] > /export hide-sensitive 
# nov/29/2025 19:30:46 by RouterOS 6.49.18
# software id = 
#
#
#
/interface bridge
add name=bridge_lan
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_lan name=dhcp1
/interface bridge port
add bridge=bridge_lan interface=ether1
/interface list member
add comment=defconf interface=bridge_lan list=LAN
add comment=defconf interface=ether2 list=WAN
/ip address
add address=192.168.1.1/24 interface=bridge_lan network=192.168.1.0
add address=192.168.88.1/24 interface=bridge_lan network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2

I tried a full reset and reconfiguration, but it's still the same...

After the reset you have lost allow-remote-requests=yes in the /ip dns setting. Put it back because the DHCP server now advertises the router (192.168.1.1) as DNS server.

If you don't want to turn on allow-remote-requests=yes, then you need to modify the /ip dhcp-server network entry and set dns-server=8.8.8.8,1.1.1.1 on that entry.

This line should be removed too:

Also, please note that after you've made changes to the DHCP server, the clients in LAN must renew their leases to see the updated information. Usually, they only automatically renew if less than half of the lease time remains. If you set the previous lease time too long (like 1 day), you should go to the client devices and manually force them to renew the DHCP lease (either by commands such as ipconfig /renew or by just unplugging/re-plugging cables or reconnecting WiFi).
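
The problems diagnosed in this thread (pool range covering the router's own address, no /ip dhcp-server network entry so no gateway is advertised, router advertised as DNS server while allow-remote-requests is off) can be checked mechanically against an export. This is an added example, not part of any post above; the function names and finding labels are hypothetical, the samples are trimmed from the thread's two exports, and a single-range pool is assumed.

```python
import ipaddress
import re

# Constructed samples: the thread's two exports, trimmed to the DHCP-related lines.
FIRST_EXPORT = """/ip pool
add name=dhcp_pool0 ranges=192.168.1.1-192.168.1.253
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_lan name=dhcp1
/ip address
add address=192.168.1.1/24 interface=bridge_lan network=192.168.1.0
"""
AFTER_RESET = """/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_lan name=dhcp1
/ip address
add address=192.168.1.1/24 interface=bridge_lan network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,1.1.1.1
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the add/set lines of an export."""
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            menus.setdefault(path, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def lint_dhcp(text):
    """List the DHCP/DNS inconsistencies that leave LAN clients without internet."""
    m, findings = parse_export(text), []
    router = {ipaddress.ip_interface(a["address"]).ip for a in m.get("/ip address", [])}
    pools = {p["name"]: p["ranges"] for p in m.get("/ip pool", [])}
    dns = (m.get("/ip dns") or [{}])[0]
    for srv in m.get("/ip dhcp-server", []):
        lo, hi = map(ipaddress.ip_address, pools[srv["address-pool"]].split("-"))
        if any(lo <= ip <= hi for ip in router):
            findings.append("pool-includes-router-address")
        nets = [n for n in m.get("/ip dhcp-server network", []) if lo in ipaddress.ip_network(n["address"])]
        if not any("gateway" in n for n in nets):
            findings.append("no-gateway-advertised")
        advertised = {ipaddress.ip_address(d) for n in nets for d in n.get("dns-server", "").split(",") if d}
        if advertised & router and dns.get("allow-remote-requests") != "yes":
            findings.append("router-dns-advertised-but-remote-requests-off")
    return findings
```

Either fix suggested above (turning allow-remote-requests back on, or advertising 8.8.8.8,1.1.1.1 directly in the network entry) clears the last finding.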

Excellent now it's working, thank you so much for helping!