Rb2011UiAS-2HnD FTTH configuration

Hello everyone.

I had the “Rb2011UiAS-2HnD” in cascade with Vodafone Station Revolution. It worked well, but because of a space problem I want to fully replace this router with MikroTik’s.
So I started today to watch some tutorials on this forum and I collected the information from my ISP’s site. What I got:
Username: vodafoneadsl
Password: vodafoneadsl
Required WAN interface: Gigabit Ethernet Full-Duplex Auto-Sensing with Ethernet 802.1q protocol.
Link to ISP’s guide: (https://www.vodafone.it/portal/Privati/Supporto/Fibra--ADSL-e-Telefono/Installare-e-configurare/Modem-Alternativo)

Following this tutorial (https://www.geekzone.co.nz/forums.asp?forumid=66&topicid=206084).

I tried both methods in the guide, unsuccessfully.
[Screenshots: nat1.png, dhcp1.png, firewall.png, vlan1.png]
The DHCP Client keeps searching and doesn’t get an IP.
Does anyone know what’s going on?

Thanks in advance.

According to ISP’s guide you should be running PPPoE client on top of vlan1 interface. No DHCP client needed there … And the vlan1 interface should be using VLAN ID 1036.

To keep your router safe, add the dynamically created PPPoE interface (by default, its name is pppoe-out1) to the interface list named WAN.

Thank you for the fast response. I modified it as you said and the yellow mark on the connection properties of Windows disappeared. I still can’t use the internet (I tried using Google and pinging 8.8.8.8).
To correct what I did before, I modified the DHCP Client to ether1 (as it was by default). I went to “Quick Set” → “Router” → “Port: Eth1” → “PPPoE” and I set up User and Password.
[Screenshots: t4.png, t2.png, t3.png, t1.png]
Thanks in advance.

From the screenshot I gather that the PPPoE is up and running. To proceed we need more information, which is hard to get from screenshots. So please proceed by exporting the current configuration in text form:

  1. open terminal window
  2. run command
    /export hide-sensitive file=config20190323.rsc
  3. fetch the output file via files menu
  4. open it in a decent text editor (if you’re using Windows, use WordPad, not Notepad). Check if it shows some sensitive information (private IP addresses are not sensitive, some private usernames or WiFi SSIDs and PSKs are) and obfuscate them
  5. copy-paste it here … inside code environment, available when editing answer as icon on the black background

While having terminal window open you can try to check for internet connectivity from the router itself. Example would be running command /tool traceroute 8.8.8.8

Config export

# mar/23/2019 18:39:08 by RouterOS 6.44.1
# software id = SHXK-T46W
#
# model = 2011UiAS-2HnD
# serial number = 7A6708E7310E
/interface bridge
add admin-mac=CC:2D:E0:A7:52:9E auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-A752A7 wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan1 vlan-id=1036
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=vodafoneadsl
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=WAN
add interface=pppoe-out1 list=WAN
add list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=vlan1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=vlan1
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



Traceroute dump

# mar/23/2019 18:39:46 by RouterOS 6.44.1
# software id = SHXK-T46W
#
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST
   37.183.61.1                        0%    8   3.4ms     4.2     3.3     9.7
   83.224.46.250                      0%    8   6.6ms     5.7     4.5     6.7
   83.224.46.249                      0%    8   6.3ms       6     5.3     6.7
   83.224.40.217                      0%    8  11.5ms    11.6    11.1      12
   83.224.46.233                      0%    8  11.7ms    11.9    11.7    12.2
                                    100%    8 timeout
   216.239.50.248                     0%    7  14.2ms    13.9    12.6    14.5
   108.170.233.137                    0%    7    12ms    11.9    11.8    12.1
   8.8.8.8                            0%    7  11.9ms    11.9    11.7    12.1

Traceroute proves that the router has working internet connectivity.

A few things to change:

  • from this moment, don’t use quickset anymore. Change things directly in appropriate winbox sections.
  • router’s LAN IP address should be defined on bridge “interface”, not on ether2… before changing that part, enable safe mode (I believe there’s a button to enable/disable it somewhere on the edge of base winbox window). After you do the change and you can still work with router via winbox, exit the safe mode. If the change breaks connectivity between router and winbox, router will revert the change after a few seconds (less than half minute)…
  • disable DHCP client which is running on ether1 interface
  • fix firewall rule with comment “defconf: drop all from WAN not DSTNATed” … it should refer to in-interface-list=WAN instead of currently configured in-interface=vlan1
  • the important one: fix NAT rule so that it will refer to out-interface-list=WAN (instead of currently configured out-interface=vlan1)

[edit]
Another change (which won’t change a thing but should be done for syntactical reasons): add interface vlan1 to WAN interface list …

Thank you! I succeeded in configuring the router. I would like to have a little explanation about the difference between out-interface-list and out-interface.

There’s no big difference: out-interface-list allows you to refer to multiple interfaces, and it’s not necessary that all of them make sense in a certain case. In your case only pppoe-out1 really carries the traffic which we want to target (e.g. for the masquerade rule), but it doesn’t hurt to add vlan1 (a tagged interface which doesn’t have IP setup) and ether1 (a physical interface without IP configuration as well).
Keep in mind that the firewall usually affects IP traffic, and interfaces without IP config don’t directly participate in firewall operations.
Also keep in mind that it’s the routing engine which decides which interface will be used as the egress (exit) interface, not the firewall. This means only one interface will be used for transmitting the packet, and the use of interface lists in a firewall rule doesn’t change that. Either out-interface or out-interface-list is only one of the criteria which a packet needs to match in order for the firewall to execute the action (masquerade in your particular case).

Use of interface lists brings one very nice side effect: if e.g. WAN interface changes from vlan1 to pppoe-out1, it’s enough to adjust interface list membership, no need to change firewall rules.
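
An added example, not part of the original thread and not a MikroTik tool: a small Python check that reads a RouterOS export and flags the points raised in the review above. A filter or NAT rule pinned to vlan1 never matches the IP traffic that actually enters and leaves on pppoe-out1, so the WAN drop and masquerade rules do not apply to it. The sample is a constructed excerpt of the posted export, and `parse_export` and `audit` are hypothetical helper names.

```python
import re
import shlex
# Constructed sample: the relevant lines of the export posted in this thread.
SAMPLE_EXPORT = r'''
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip firewall filter
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=vlan1
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=vlan1
'''

def parse_export(text):
    """Join "\\" continuations; return (menu, {property: value}) per 'add' line."""
    items, menu = [], None
    for line in map(str.strip, re.sub(r"\\\n\s*", "", text).splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]  # honours quoted comment="..."
            items.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return items

def audit(text, wan_list="WAN", tunnel="pppoe-out1"):
    """Hypothetical checker for the review points; returns a list of findings."""
    items, findings = parse_export(text), []
    members = {p.get("interface") for m, p in items
               if m == "/interface list member" and p.get("list") == wan_list}
    if tunnel not in members:
        findings.append(f"{tunnel} is not in interface list {wan_list}")
    for menu, p in items:
        if menu in ("/ip firewall filter", "/ip firewall nat"):
            for key in ("in-interface", "out-interface"):
                if key in p:  # rule pinned to a single interface
                    findings.append(f"{menu} '{p.get('comment', p.get('action'))}': "
                                    f"{key}={p[key]}, use {key}-list={wan_list}")
        elif menu == "/ip dhcp-client" and p.get("disabled") != "yes":
            findings.append(f"DHCP client still enabled on {p.get('interface')}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```

Treating every enabled DHCP client as a finding is an assumption that fits this PPPoE-only setup; on a router that legitimately uses DHCP on another uplink, that check would need narrowing.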

Thank you for your fast and exhaustive answers! All is working now.