I have configured my Mikrotik router such that only one interface is allowed to get access to the router (ether1) and once
the user is getting IP from that interface the user should not get access to the internet.
So in brief ether1 is a single bridge that the router admin can login and configure the router and nothing else.
Other clients are behind NAT on different bridges have access to the internet while the DNS is slow for them but still they can resolve names and
get access to the websites.
So I can conclude that the router has no problem with routing the clients to the internet, but what I am UNABLE to figure out is why I neither can Ping or TraceRoute in WinBox terminal at all
I do not expect I get internet through the winbox ethernet interface but I expect the Router terminal should have access to the internet.
I have attached a trimmed version of the router configuration here.
I would like to know what setting has prevented the router [inside terminal] to get access to the internet since the router neither can be used for troubleshooting or upgrade.
I can not ping even 8.8.8.8 , and thereby dns also can not solve names too.
In addition I would like to know why the clients dns is working very slow while accessing to not cached dns name takes a couple of seconds, is there any remedy for improving the DNS performance?
Thanks in advance
Router config:
jan/02/1970 01:08:42 by RouterOS 6.43.8
model = CRS125-24G-1S-2HnD
*/interface ethernet
set [ find default-name=ether1 ] comment="For Router Configuration the client
will always get address 192.168.49.12 and the router address is 192.168.49
.1" speed=100Mbps
set [ find default-name=ether2 ] comment=
"This port should get connected to the ISP with added-default routes"
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment="private: port A"
set [ find default-name=ether6 ] comment="private: port B"
set [ find default-name=ether7 ] comment="private: port C"
set [ find default-name=ether8 ] comment="private: port D"
set [ find default-name=ether9 ] comment="guest: port A"
set [ find default-name=ether10 ] comment="guest: port B"
set [ find default-name=ether11 ] comment="guest: port C"
set [ find default-name=ether12 ] comment="guest: port D"
set [ find default-name=ether13 ] comment="roommate: port A"
set [ find default-name=ether14 ] comment="roommate: port B"
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=ether17 ] disabled=yes
set [ find default-name=ether18 ] disabled=yes
set [ find default-name=ether19 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether21 ] disabled=yes
set [ find default-name=ether22 ] disabled=yes
set [ find default-name=ether23 ] disabled=yes
set [ find default-name=ether24 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface bridge
add comment=
"The router config should be done only and only through this bridge"
fast-forward=no name=br0-routerconfig
add comment="This bridge is used for private home" fast-forward=no
name=br1-private
add comment="This bridge is used for roommate's home" fast-forward=no name=
br2-roommate
add comment="This bridge is used for guest's home" fast-forward=no name=
br3-guest
/interface list
add comment="Interface list for keeping all the local bridges" name=LAN
add comment="Interface which is used for login into the router" name=RTR-CONF
add comment="ether2-Is the only interface used for ISP as DHCP client" name=
WAN
add comment="Interface list alias that stands interfaces used for private
network" name=PRIVATE
add comment=
"Interface list alias that stands interfaces used for roommate network"
name=ROOMMATE
add comment=
"Interface list alias that stands interfaces used for guest network"
name=GUEST
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=""
management-protection=allowed mode=dynamic-keys supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=
allowed mode=dynamic-keys name=profile-wlan-master-idle
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=
allowed mode=dynamic-keys name=profile-wpa2-ws-nosignal
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=
allowed mode=dynamic-keys name=profile-wpa2-ws-roommate
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=
allowed mode=dynamic-keys name=profile-wpa2-ws-guest
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn bridge-mode=disabled
channel-width=20/40mhz-XX comment="This is the wlan-master which should no
t be used, it is just for the sake of virtual wlans" disabled=no
frequency=auto hide-ssid=yes mode=ap-bridge name=wlan-master
security-profile=profile-wlan-master-idle ssid=idle wireless-protocol=
802.11 wps-mode=disabled
add comment="virtual wlan for guest bridge" disabled=no keepalive-frames=
disabled mac-address=E6:8D:8C:XX:YY:ZZ master-interface=wlan-master
multicast-buffering=disabled name=wlan-virtual-guest security-profile=
profile-wpa2-ws-guest ssid=ws-guest wds-cost-range=0
wds-default-cost=0 wps-mode=disabled
add comment="virtual wlan for roommate bridge" disabled=no keepalive-frames=
disabled mac-address=E6:8D:8C:XX:RR:ZZ master-interface=wlan-master
multicast-buffering=disabled name=wlan-virtual-roommate security-profile=
profile-wpa2-ws-roommate ssid=ws-rmt wds-cost-range=0
wds-default-cost=0 wps-mode=disabled
add comment="virtual wlan for private bridge" disabled=no
keepalive-frames=disabled mac-address=E6:8D:8C:XX:HH:ZZ master-interface=
wlan-master multicast-buffering=disabled name=wlan-virtual-private
security-profile=profile-wpa2-ws-nosignal ssid=ws-nosignal
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless nstreme
set wlan-master comment="This is the wlan-master which should not be used, it
is just for the sake of virtual wlans"
set wlan-virtual-guest comment="virtual wlan for guest bridge"
set wlan-virtual-roommate comment="virtual wlan for roommate bridge"
set wlan-virtual-private comment="virtual wlan for private bridge"
/interface wireless manual-tx-power-table
set wlan-master comment="This is the wlan-master which should not be used, it
is just for the sake of virtual wlans"
set wlan-virtual-guest comment="virtual wlan for guest bridge"
set wlan-virtual-roommate comment="virtual wlan for roommate bridge"
set wlan-virtual-private comment="virtual wlan for private bridge"
/ip pool
add comment=
"Only assigns a single IP address to the ether1 for the config computer"
name=dhcp_pool_routerconfig ranges=192.168.49.12
add comment="Used for private network subnet" name=dhcp_pool_private
ranges=192.168.10.100-192.168.10.130
add comment="Used for roommate network subnet" name=dhcp_pool_roommate
ranges=10.12.0.120-10.12.0.130
add comment="Used for guest network subnet" name=dhcp_pool_guest ranges=
10.0.0.80/28
/ip dhcp-server
add address-pool=dhcp_pool_routerconfig disabled=no interface=
br0-routerconfig name=dhcpsrv-routerconfig
add address-pool=dhcp_pool_private disabled=no interface=br1-private
name=dhcpsrv-private
add address-pool=dhcp_pool_roommate disabled=no interface=br2-roommate name=
dhcpsrv-roommate
add address-pool=dhcp_pool_guest disabled=no interface=br3-guest name=
dhcpsrv-guest
/tool user-manager customer
set admin access=
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=br0-routerconfig comment=
"Port to the bridge for router configuration" interface=ether1
add bridge=br1-private interface=ether5
add bridge=br1-private interface=ether6
add bridge=br1-private interface=ether7
add bridge=br1-private interface=ether8
add bridge=br1-private comment="Port to the bridge to the private"
interface=wlan-virtual-private
add bridge=br2-roommate interface=ether13
add bridge=br2-roommate interface=ether14
add bridge=br2-roommate comment="Port to the bridge to the roommate"
interface=wlan-virtual-roommate
add bridge=br3-guest interface=ether9
add bridge=br3-guest interface=ether10
add bridge=br3-guest interface=ether11
add bridge=br3-guest interface=ether12
add bridge=br3-guest comment="Port to the bridge to the guest" interface=
wlan-virtual-guest
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment="ether1 should be used only for router configuration and login"
interface=ether1 list=RTR-CONF
add comment="# Adding br0-routerconfig in the LAN list as internal"
interface=br0-routerconfig list=LAN
add comment="WAN is available on ether2" interface=ether2 list=WAN
add comment="port A" interface=ether5 list=PRIVATE
add comment="port B" interface=ether6 list=PRIVATE
add comment="port C" interface=ether7 list=PRIVATE
add comment="port D" interface=ether8 list=PRIVATE
add comment="port WL" interface=wlan-virtual-private list=PRIVATE
add comment="# Adding br1-private in the LAN list as internal" interface=
br1-private list=LAN
add comment="port A" interface=ether13 list=ROOMMATE
add comment="port B" interface=ether14 list=ROOMMATE
add comment="port WL" interface=wlan-virtual-roommate list=ROOMMATE
add comment="# Adding br2-roommate in the LAN list as internal" interface=
br2-roommate list=LAN
add comment="port A" interface=ether9 list=GUEST
add comment="port B" interface=ether10 list=GUEST
add comment="port C" interface=ether11 list=GUEST
add comment="port D" interface=ether12 list=GUEST
add comment="port WL" interface=wlan-virtual-guest list=GUEST
add comment="# Adding br3-guest in the LAN list as internal" interface=
br3-guest list=LAN
/ip address
add address=192.168.49.1/24 comment=
"conf computer should only get 192.168.49.12 assigned" interface=
br0-routerconfig network=192.168.49.0
add address=192.168.10.1/24 comment="Address used for private bridge"
interface=br1-private network=192.168.10.0
add address=10.12.0.1/24 comment="Address used for roommate bridge"
interface=br2-roommate network=10.12.0.0
add address=10.0.0.1/24 comment="Address used for guest bridge" interface=
br3-guest network=10.0.0.0
/ip dhcp-client
add comment="Only this port should get connected to the ISP" dhcp-options=
hostname,clientid disabled=no interface=ether2
/ip dhcp-server network
add address=10.0.0.0/24 comment="The guest's domain name is DOMGUEST"
dns-server=8.8.8.8,10.0.0.1 domain=DOMGUEST gateway=10.0.0.1
add address=10.12.0.0/24 comment="The roomate's domain name is DOMROOMMATE"
dns-server=8.8.8.8,10.12.0.1 domain=DOMROOMMATE gateway=10.12.0.1
add address=192.168.10.0/24 comment="The domain name is DOMPRV"
dns-server=8.8.8.8,192.168.10.1 domain=DOMPRV gateway=192.168.10.1
add address=192.168.49.0/24 comment="The router IP will be for this subnet is
1 which is the same for gateway DNS is optional but activated"
dns-server=8.8.8.8,192.168.49.1 domain=DOMRTRCONF gateway=192.168.49.1
/ip dns
set allow-remote-requests=yes query-server-timeout=1s servers=8.8.8.8
/ip firewall address-list
add address=192.168.49.12 comment="# client dhcp pool range" list=
RsvAdr-clients-br0-routerconfig
add address=192.168.49.1 comment="# gateway address of the subnet" list=
RsvAdr-gw-br0-routerconfig
add address=192.168.49.0/24 comment="# whole subnet range" list=
RsvAdr-subnet-br0-routerconfig
add comment="# subnet cherrypick 0 addresses" list=
RsvAdr-cherrypick_0-br0-routerconfig
add address=192.168.10.100-192.168.10.130 comment="# client dhcp pool range"
list=RsvAdr-clients-br1-private
add address=192.168.100.1 comment="# gateway address of the subnet" list=
RsvAdr-gw-br1-private
add address=192.168.100.0/24 comment="# whole subnet range" list=
RsvAdr-subnet-br1-private
add comment="# subnet cherrypick 0 addresses" list=
RsvAdr-cherrypick_0-br1-private
add address=10.12.0.120-10.12.0.130 comment="# client dhcp pool range" list=
RsvAdr-clients-br2-roommate
add address=10.12.0.1 comment="# gateway address of the subnet" list=
RsvAdr-gw-br2-roommate
add address=10.12.0.0/24 comment="# whole subnet range" list=
RsvAdr-subnet-br2-roommate
add comment="# subnet cherrypick 0 addresses" list=
RsvAdr-cherrypick_0-br2-roommate
add address=10.0.0.80/28 comment="# client dhcp pool range" list=
RsvAdr-clients-br3-guest
add address=10.0.0.1 comment="# gateway address of the subnet" list=
RsvAdr-gw-br3-guest
add address=10.0.0.0/24 comment="# whole subnet range" list=
RsvAdr-subnet-br3-guest
add comment="# subnet cherrypick 0 addresses" list=
RsvAdr-cherrypick_0-br3-guest
add list=PKNK-Temporary
add list=PKNK-Valid
add list=PKNK-Attack
add address=0.0.0.0/8 comment=RFC6890 list=NonPublicSubnet
add address=10.0.0.0/8 comment=RFC6890 list=NonPublicSubnet
add address=100.64.0.0/10 comment=RFC6890 list=NonPublicSubnet
add address=127.0.0.0/8 comment=RFC6890 list=NonPublicSubnet
add address=169.254.0.0/16 comment=RFC6890 list=NonPublicSubnet
add address=172.16.0.0/12 comment=RFC6890 list=NonPublicSubnet
add address=192.0.0.0/24 comment=RFC6890 list=NonPublicSubnet
add address=192.0.2.0/24 comment=RFC6890 list=NonPublicSubnet
add address=192.168.0.0/16 comment=RFC6890 list=NonPublicSubnet
add address=192.88.99.0/24 comment=RFC3068 list=NonPublicSubnet
add address=198.18.0.0/15 comment=RFC6890 list=NonPublicSubnet
add address=198.51.100.0/24 comment=RFC6890 list=NonPublicSubnet
add address=203.0.113.0/24 comment=RFC6890 list=NonPublicSubnet
add address=224.0.0.0/4 comment=RFC4601 list=NonPublicSubnet
add address=240.0.0.0/4 comment=RFC6890 list=NonPublicSubnet
/ip firewall filter
add action=accept chain=input comment="# SET-FIL-A-000 Keeps only winbox acces
s port 1010 to the router via br0-routerconfig accepted" dst-port=1010
in-interface=br0-routerconfig protocol=tcp
add action=drop chain=input comment="# SET-FIL-B-000 Drops any IP that is in t
he Attack list the whole IP is blacklisted " log=yes src-address-list=
PKNK-Attack
add action=accept chain=input comment="# SET-FIL-B-001 Any packet to the route
r with the source IP in the Valid address list will be accepted only and o
nly for WinBox tcp connection on por 1010 from br1-private" dst-port=
1010 protocol=tcp src-address-list=PKNK-Valid
add action=add-src-to-address-list address-list=PKNK-Attack
address-list-timeout=30s chain=input comment="# SET-FIL-B-002 Any input w
hich is not on port 1221 after the IP is in the Temporary list will be con
sidered as attack and it will be saved for 30 seconds there " dst-port=
!1221 in-interface=br1-private log=yes protocol=tcp src-address-list=
PKNK-Temporary
add action=add-src-to-address-list address-list=PKNK-Temporary
address-list-timeout=25s chain=input comment="# SET-FIL-B003 25 seconds ti
meout for the br1-private IPs to be stroed in PKNK-Temporary address l
ist after first knock on port 3113" dst-port=3113 in-interface=
br1-private log=yes protocol=tcp
add action=add-src-to-address-list address-list=PKNK-Valid
address-list-timeout=30m chain=input comment="# SET-FIL-B004 Any packet fr
om br1-private to the router on the specified port 1221 that has its a
ddress already in the temporary address list will be added as accepted wit
h a time out permission of 30 minutes" dst-port=1221 in-interface=
br1-private log=yes protocol=tcp src-address-list=PKNK-Temporary
add action=drop chain=input comment="# SET-FIL-B005 Any packet destined to the
_router from whatever interface will be dropped. Router is not pinggable"
add action=drop chain=input comment="# SET-FIL-C-000 Drops any IP that is in t
he Attack list the whole IP is blacklisted " log=yes src-address-list=
PKNK-Attack
add action=accept chain=input comment="ref: accept established,related"
connection-state=established,related
add chain=input comment="ref: Accept all connections from local network"
in-interface-list=LAN
add action=drop chain=input comment="manual_defconf+ref: drop invalid"
connection-state=invalid
add action=accept chain=input comment="br1-private: accept ICMP"
in-interface=br1-private protocol=icmp
add action=drop chain=input comment="custom: !br1-private drop ICMP"
protocol=icmp
add action=drop chain=input comment=
"manual_defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"manual_defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="manual_defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"manual_defconf: drop all from WAN not DSTNATed" connection-nat-state=
!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment=
"ref: Drop all packets which are not destined to routes IP address"
dst-address-type=!local
add action=drop chain=input comment="ref: Drop all packets which does not have
_unicast source IP address disable multicast and broadcast addresses"
src-address-type=!unicast
add action=drop chain=input comment="ref: Drop all packets from public interne
t which should not exist in public network" in-interface-list=WAN
src-address-list=NotPublicSubnet
add action=drop chain=forward comment="drops internet for br0-routerconfig"
connection-mark=drop-internet-br0-rtrconf log=yes log-prefix=
manual_internet_drop
/ip firewall mangle
add action=mark-connection chain=forward comment=
"marks internet packets for filter drop on br0-routerconfig"
in-bridge-port-list=RTR-CONF log=yes new-connection-mark=
drop-internet-br0-rtrconf out-interface-list=WAN passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never color-scheme=light default-screen=stat-slideshow
read-only-mode=yes touch-screen=disabled
/lcd pin
set hide-pin-number=yes pin-number=0501
/lcd interface
set wlan-master disabled=yes
set ether1 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
set ether13 disabled=yes
set ether14 disabled=yes
set ether15 disabled=yes
set ether16 disabled=yes
set ether17 disabled=yes
set ether18 disabled=yes
set ether19 disabled=yes
set ether20 disabled=yes
set ether21 disabled=yes
set ether22 disabled=yes
set ether23 disabled=yes
set ether24 disabled=yes
set sfp1 disabled=yes
add interface=br0-routerconfig timeout=4s
add interface=wlan-virtual-private timeout=4s
add interface=br1-private timeout=4s
add interface=wlan-virtual-roommate timeout=4s
add interface=br2-roommate timeout=4s
add interface=wlan-virtual-guest timeout=4s
add interface=br3-guest timeout=4s
/lcd interface pages
set 0 interfaces="br0-routerconfig,ether2,br1-private,wlan-virtual-pri
vate,br2-roommate,wlan-virtual-roommate,br3-guest,wlan-virtual-guest"
/lcd screen
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/system console
set [ find ] disabled=yes
/system identity
set name=HomeRTR-CRS
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=user-manager
*