Just finished with the setup of my new router. Got everything I need working except one thing. Wireless.
It’s odd, I can connect to the wireless signal with very good reception, I can browse my network fully and ping all my devices with no problem. I cannot however, browse the internet at all. I am assuming this is a simple setting that I am overlooking, but I just cannot seem to find it. I have tried resetting the wireless to its default settings, I have tried removing all wireless configurations and doing it manually and nothing is working here. Any help or insight you guys have would be really appreciated!
If you need any additional information let me know, and I will provide it accordingly. Please bear with me, although I am not new to networking in general, I found this router setup a little more challenging than I anticipated.
Just a comment-
I found that these pretty much will work out of the box. You might try first: back up your config, reset to factory, and test. This should let you know if the problem is outside the Mikrotik box first; then, try bringing your config back in step by step.
What is your out WAN port? Is masquerade on or off that port?
Alright, I have tried what you said. I reset to factory defaults and just like before, I connect to the wireless and browse the local network without issue. Still can’t reach the internet on wireless though. Wired still works fine. Thinking about it, I do not believe this is an issue with any of the wireless settings, as it functions perfectly but rather a setting in something else. What that is, I have no idea yet.
My WAN port is the default of ether1. I have a (default, already set up) bridge-local which reports that all ports are a part of. In IP>Firewall>NAT there is an entry for masquerade that is set to “enabled” – disabling this does not change anything (as far as wireless goes). Wireless is set up as ap bridge, 2GHZ-B/G/N, Frequency-2412, Channel width-20/40MHz HT above, bridge mode-enabled and no security (I will set up with WPA2 once working).
And, if it is relevant, I am on Comcast with DHCP addressing. If you would like me to upload any snippet of my config, let me know what you need and how to get it (or at least what you need) and I’ll do my best to provide.
Make sure your wireless interface is joined to the other switchports in a bridge interface…
Please open a terminal window from winbox and run: “export compact” and paste your result.
I am testing the wireless with an Android phone, I CAN ping IP addresses successfully! I just can’t browse websites by their domain name. Also, I can browse my local network completely with no issues (I have a server, NAS, and a couple desktops that I can see).
I have a bridge interface “bridge-local” that all the ethernet ports and wlan1 are a part of. My WAN port is “ether1-gateway.”
I have the requested output below, something that concerns me is that the routers default IP is 192.168.88.1. I have changed this to 192.168.1.1, but I see below that X.X.88.1 still shows up… what is this, and does it need changed?
I discovered more information! It looks like anything getting an IP via DHCP (wireless, or ethernet) is getting issued a DNS server of 192.168.88.1. This is the problem. The reason I don’t have any issues with my ethernet devices is because they are all currently static IP’s with static, manually set DNS servers as well. When I try to use DHCP I can’t browse online anymore.
So now that I know what the problem is, how do I fix this? I found and replaced all the DNS settings that I could find that have X.X.88.1 with X.X.1.1 but it is still issuing X.X.88.1 to DHCP devices. Help!
EDIT: So I’ve narrowed it down even farther, but I don’t know how to change this. It appears to be one line “dns-server=192.168.88.1” that I can’t seem to change. Here is some output
I have looked through all of the options for “/ip dns” and I can’t seem to find what I need to change. Also, the GUI is of no help for this, all the settings in it show only X.X.1.1.
EDIT 2: I got it solved!!! Turns out, “dns-server=” is found in “/ip dhcp-server network”. Located the setting, changed it to my current X.X.1.1 IP and now everything works fine.
Thank you ALL for your posts… they got me thinking in new ways, this led me to finding the setting I was looking for.
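Added example, not part of any post in this thread: a Python check that reads `export compact`-style text and flags the condition found above, a DHCP network still handing out a private DNS address that lies in no subnet the router has an address in. The sample export is constructed, and the "private and not connected" test is a heuristic chosen for this illustration.

```python
import ipaddress
import re
import shlex

# Constructed excerpt in the style of "export compact" (not the poster's output).
# The trailing backslash is how RouterOS wraps long export lines.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.1.1/24 comment="default configuration" \\
    interface=bridge-local
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.88.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the add/set lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)          # rejoin wrapped lines
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.startswith(("add ", "set ")):
            tokens = shlex.split(line)[1:]
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def unreachable_dhcp_dns(text):
    """Heuristic: flag private DNS addresses handed out by DHCP that are not
    inside any subnet the router itself has an address in."""
    sections = parse_export(text)
    connected = [ipaddress.ip_interface(e["address"]).network
                 for e in sections.get("/ip address", []) if "address" in e]
    findings = []
    for net in sections.get("/ip dhcp-server network", []):
        for dns in filter(None, net.get("dns-server", "").split(",")):
            ip = ipaddress.ip_address(dns)
            if ip.is_private and not any(ip in n for n in connected):
                findings.append((net.get("address"), dns))
    return findings

if __name__ == "__main__":
    for network, dns in unreachable_dhcp_dns(SAMPLE_EXPORT):
        print(f"DHCP network {network} hands out unreachable DNS {dns}")
```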
You might consider turning off the DHCP services if you have another. To disable in the GUI, go to the menu IP > DHCP Server > DHCP, select the server (generally the first one is dhcp0) and disable it, or remove it.
Disable in the CLI:
/ip dhcp-server print
# 0, or whichever number it is
/ip dhcp-server disable 0
However, if you have many devices, Mikrotik as your DHCP server is a good choice.
I don’t have any other DHCP servers running. Only the one from MikroTik, and I need to have it for the wireless devices. Otherwise, I would just turn it off.
Thanks again everyone for all your help! It is greatly appreciated, and was incredibly helpful!
I would recommend to remove all the non-used default gateway settings on either ether1 or sfp.
Also I recommend to change the firewall filter rules a little
You now have
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
Consider changing the last two into something like this
/ip firewall filter
add chain=input action=accept src-address=192.168.1.0/24 in-interface=bridge-local comment="Allow traffic coming from local bridge"
add chain=input action=drop comment="Drop all remaining traffic"
Also create some filter rules in forward chain.
A search on google will lead to a “simple” best practice solution.
I think I understand what you are telling me to do, but I don’t understand why. Can you explain these steps? Please tell me what my current code is (or isn’t) doing, and what the new code would do.
The code you now have is not particularly wrong, besides the not-used sfp-rule, which is doing nothing because the interface is not used.
But as far as I have been taught, and in handling most of the traffic on firewalls I have configured, you allow the specific traffic that you would like to pass and block all the rest.
So for that reason my way of building rules is allowing inside traffic to pass through the firewall if it is from an IP address known as my internal network, and it is entering the router from the local network bridge. The IP range is not really needed but gives some more security if there is some uninvited system on the network. I did not specify any out-interface, because if you specify that for instance to be your ether1-gateway, I can not communicate between your internal systems, although that also depends on the bridge setting use-ip-firewall=yes/no.
Here you see my complete set of rules
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface=br-PrivateNetwork src-address=192.168.25.0/24
add chain=input comment="Allow access from guest network for DNS" dst-port=53 in-interface=br-GuestNetwork protocol=udp src-address=192.168.125.0/24
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="IPv4 Drop input RR:"
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network" in-interface=br-PrivateNetwork src-address=192.168.25.0/24
add chain=forward comment="Allow Guest network going outside" in-interface=br-GuestNetwork out-interface=pppoe-***** src-address=192.168.125.0/24
add action=log chain=forward comment="Log everything else" disabled=yes log-prefix="IPv4 Drop forward RR:"
add action=drop chain=forward comment="Drop everything else"
As you can see I have 2 networks. A guest and a private. Both are using a different IP range and since I allow the guest traffic only to my outgoing pppoe interface, guests can not connect to my private systems.
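Added example, not the poster's code: a small Python model of how the forward chain above is walked. The first matching accept or drop rule wins and a packet that matches nothing is accepted, which is why the final drop rule matters. It models only the matchers used in the posted rules; `pppoe-wan` is a placeholder for the masked interface name and the packets are constructed.

```python
import ipaddress
import shlex

# Forward-chain rules modelled on the ruleset posted above (comments omitted).
# "pppoe-wan" is a placeholder for the interface name the post masks.
RULES = """\
add action=drop chain=forward connection-state=invalid
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward in-interface=br-PrivateNetwork src-address=192.168.25.0/24
add chain=forward in-interface=br-GuestNetwork out-interface=pppoe-wan src-address=192.168.125.0/24
add action=log chain=forward disabled=yes log-prefix="IPv4 Drop forward RR:"
add action=drop chain=forward
"""

EXACT_KEYS = ("chain", "in-interface", "out-interface", "connection-state")

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        rule.setdefault("action", "accept")      # RouterOS default when action is omitted
        rules.append(rule)
    return rules

def matches(rule, pkt):
    if any(k in rule and rule[k] != pkt.get(k) for k in EXACT_KEYS):
        return False
    src = rule.get("src-address")
    return src is None or ipaddress.ip_address(pkt["src-address"]) in ipaddress.ip_network(src)

def verdict(rules, pkt):
    """First matching accept/drop rule wins; returns (action, rule index)."""
    for index, rule in enumerate(rules):
        if rule.get("disabled") == "yes" or not matches(rule, pkt):
            continue
        if rule["action"] in ("accept", "drop"):
            return rule["action"], index
    return "accept", None                        # nothing matched: RouterOS accepts

def packet(in_if, out_if, src, state="new"):
    return {"chain": "forward", "in-interface": in_if, "out-interface": out_if,
            "src-address": src, "connection-state": state}

if __name__ == "__main__":
    rules = parse_rules(RULES)
    guest_to_private = packet("br-GuestNetwork", "br-PrivateNetwork", "192.168.125.10")
    print("full ruleset:      ", verdict(rules, guest_to_private))
    print("without final drop:", verdict(rules[:-1], guest_to_private))
```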