I picked up a new rb4011igs5hacq2hnd-in and have been trying to get it working. The LAN ports all route fine to the internet, but the wireless AP appears to have some kind of DHCP failure (I see 169.x in the Wi-Fi ipconfig output).
If the config posted in OP is complete, then there's no firewall protecting either the router itself or LAN devices from the evil internet. I suggest starting over (reset to default configuration) and adding/changing what's needed (e.g. wireless security profiles and/or LAN IP).
There have been a few ROS versions where the default config was inadequate (to put it mildly). I've checked and 6.43.1 is lacking config as well. However, recent testing (6.44beta40) has a decent default setup.
What you could do: upgrade ROS to the latest version in the testing channel. Do a reset with factory defaults. Then you can decide to downgrade to stable again (you'll have to download the ROS package manually; downgrades can't be done pseudo-automatically). Or you can decide to stay with the beta ... it seems to be quite stable, not many problem reports are seen with the latest betas ...
It seems that the factory default config of @webbsolution's 4011 was fscked up ... let's see how it goes after a sane factory default config is applied. Chances are that the problem from OP will just heal itself.
Thanks for the note on the temp password exposure. No, it's not the real PW; I am just setting this router up with a secondary internet line and nothing is attached to it at the moment aside from a Linux Live computer. When it goes live the password gets changed.
I have reset the config three times and this same issue persists, so it would appear I need to load another rev on this router then? I have a perfectly configured RB2011, but I'm pretty sure that config won't work on this router with the extra radio and different processor?
I can't upload any of the stable or LTR releases to this router either, even though it lists 4.xxx routers; it says not permitted. But maybe now after a factory hard reset it might work. Anyways, here is the output.
So go to System -> Reset Configuration? Not permitted, lol. Yes, it actually won't let me reset it now, so I'm doing the hard reset with the button now.
Used terminal and export file=xxx.txt
jan/02/1970 00:02:33 by RouterOS 6.43.4
software id = EGAE-6IE2
model = RB4011iGS+5HacQ2HnD
serial number = A28209DFFF7C
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1 network=192.168.88.0
/system routerboard settings
set silent-boot=no
After a hard reset with the button I can now do the System -> Reset Configuration option. The output is the same as above.
But it's a little outdated. At 8:54 the video tutorial is suggesting that I set the master port slave off of interface #2, but the field he is using (master port) does not appear in my version or routerboard. Everything else is straightforward (I think), but that config is missing from these steps because I can't find the option ...
I now have properly routed internet from the LAN and the Wi-Fi AP, better progress. Here is my output; comments welcome.
dec/13/2018 11:15:25 by RouterOS 6.43.4
software id = EGAE-6IE2
model = RB4011iGS+5HacQ2HnD
serial number = A28209DFFF7C
/interface bridge
add fast-forward=no name=bridge1-2.4
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-Eth1
set [ find default-name=ether2 ] comment="LAN - All ports are switched off either 2"
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=WPA2 supplicant-identity="" wpa-pre-shared-key=@@@@@@@@@ wpa2-pre-shared-key=@@@@@@ !
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no frequency=auto mode=ap-bridge security-profile=WPA2 ssid=Webb2.4 wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1-2.4 name=dhcp1
/interface bridge port
add bridge=bridge1-2.4 interface=ether2
add bridge=bridge1-2.4 interface=wlan2
add bridge=bridge1-2.4 interface=wlan1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1-2.4 list=LAN
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=64.59.144.19,192.168.88.15,64.59.150.135 gateway=192.168.88.15 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.8.4
/ip firewall address-list
add address=192.168.88.0/24 list="LOcal LAN"
/ip firewall filter
add action=accept chain=input comment="allow access to the router from the lan" src-address-list="LOcal LAN"
add action=drop chain=forward comment="drop invalid packets" connection-state=invalid
add action=drop chain=input comment="drops all other traffic"
add action=accept chain=forward comment="allow connections from the lan" connection-nat-state="" connection-state=new in-interface=bridge1-2.4
add action=accept chain=forward comment="allow established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=accept chain=input comment="allow established connections to the router" connection-state=established
add action=accept chain=input comment="allow related connections to the router" connection-state=related
add action=drop chain=forward comment="drop all other connections"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=RB4011
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=45.127.112.2 secondary-ntp=54.39.173.225
/system routerboard settings
set silent-boot=no
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \
should be
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=bridge1-2.4
This is pretty wide open access to the router from the LAN??
"allow access to the router from the lan" src-address-list="LOcal LAN"
Why not limit it to the likely PC or PCs you will be using to access the router?
add action=accept chain=forward comment="allow connections from the lan" connection-nat-state="" connection-state=new in-interface=bridge1-2.4
This is confusing, what is the intent here?? I am thinking you meant allow LAN to WAN traffic?
add action=accept chain=forward comment="allow internet traffic" source-address-list=bridge1-2.4 out-interface=WAN
Whether it's better to use that or (in-interface=bridge1-2.4 out-interface=WAN) is unknown to me; hopefully someone else has a definitive answer.
If you are going to do any port forwarding you will need this rule before the drop-all-else forward rule.
/ip firewall filter add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related
You still didn't fix this:
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \
The interface is the bridge, NOT ether2.
As far as DNS goes, here is what I have...
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8,208.67.220.220,208.67.222.222
/ip firewall filter
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
Also under my DHCP networks I state to use the applicable LAN gateway also as my DNS server, 192.168.88.1 for example.
For my access to the router I have
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=LAN src-address-list=adminaccess
(so I define a firewall address list of allowed IPs, vice the entire LAN subnet, plus I back that up by limiting Winbox access to the same IPs)
To allow port forwarding
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat
To allow LAN to WAN traffic
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN src-address=192.168.0.0/24
(one could use in-interface or src-address alone, but I use both; why? Because I don't know which is better and I can't make up my mind LOL)
Most YouTube tutorials are at least incomplete, and quite a few are wrong. So I'll just repeat my suggestion: upgrade to the latest beta (testing channel), do a factory reset there and downgrade again.
Factory configuration is most of the time high quality (sane settings regarding bridge, ports, ... and firewall settings) ... except for some (now obsolete) stable releases where the default configuration was inadequate (to put it mildly).
I was originally looking for a different rev of firmware with a more complete default build; this one is obviously broken, but I could not find one that Winbox allowed me to upgrade to, so I removed the default config and started from scratch.
Are you suggesting that I load the MMIPS beta firmware for this device? Can you link me to it?
I can't seem to find anything else that this device will accept. Here is the output of my current config. DNS is now fixed; Wi-Fi and LAN route to the internet, no issues.
Port forwarding looks to be broken still.
dec/14/2018 04:56:43 by RouterOS 6.43.4
software id = EGAE-6IE2
model = RB4011iGS+5HacQ2HnD
serial number = A28209DFFF7C
/interface bridge
add fast-forward=no name=bridge1-2.4
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-Eth1
set [ find default-name=ether2 ] comment="LAN - All ports are switched off either 2"
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=WPA2 supplicant-identity="" wpa-pre-shared-key=########! wpa2-pre-shared-key=#######!
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no frequency=auto mode=ap-bridge security-profile=WPA2 ssid=Webb2.4 wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.88.1-192.168.88.14,192.168.88.16-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1-2.4 name=dhcp1
/interface bridge port
add bridge=bridge1-2.4 interface=ether2
add bridge=bridge1-2.4 interface=wlan2
add bridge=bridge1-2.4 interface=wlan1
add bridge=bridge1-2.4 interface=ether3
add bridge=bridge1-2.4 interface=ether4
add bridge=bridge1-2.4 interface=ether5
add bridge=bridge1-2.4 interface=ether6
add bridge=bridge1-2.4 interface=ether7
add bridge=bridge1-2.4 interface=ether8
add bridge=bridge1-2.4 interface=ether9
add bridge=bridge1-2.4 interface=ether10
add bridge=bridge1-2.4 interface=sfp-sfpplus1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1-2.4 list=LAN
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 network=192.168.88.0
add address=192.168.88.15/24 comment=lansubnet interface=bridge1-2.4 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,192.168.88.15,8.8.8.4 gateway=192.168.88.15 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.8.4
/ip firewall address-list
add address=192.168.88.0/24 list="LOcal LAN"
/ip firewall filter
add action=accept chain=input comment="allow access to the router from the lan" src-address-list="LOcal LAN"
add action=drop chain=forward comment="drop invalid packets" connection-state=invalid
add action=drop chain=input comment="drops all other traffic"
add action=accept chain=forward comment="allow connections from the lan" connection-nat-state="" connection-state=new in-interface=bridge1-2.4
add action=accept chain=forward comment="allow established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=accept chain=input comment="allow established connections to the router" connection-state=established
add action=accept chain=input comment="allow related connections to the router" connection-state=related
add action=drop chain=forward comment="drop all other connections"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=27015-27030 in-interface=ether1 protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=27015-27030
add action=dst-nat chain=dstnat dst-port=27036-27037 in-interface=ether1 protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=27036-27037
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 in-interface-list=all protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1 in-interface-list=all protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=4380
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=ether1 in-interface-list=all protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=27000-27031
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1 in-interface-list=all protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=27036
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=RB4011
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=45.127.112.2 secondary-ntp=54.39.173.225
/system routerboard settings
set silent-boot=no
Not sure why you have this again...
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 network=192.168.88.0
add address=192.168.88.15/24 comment=lansubnet interface=bridge1-2.4 network=192.168.88.0
Should be just this:
/ip address
add address=192.168.88.15/24 comment=lansubnet interface=bridge1-2.4 network=192.168.88.0
What is this line in your config for... I find it confusing??
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10
Re-ordered so they make sense to me...
/ip firewall filter
add action=accept chain=input comment="allow established connections to the router" connection-state=established
add action=accept chain=input comment="allow related connections to the router" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
add action=accept chain=input comment="allow access to the router from the lan" src-address-list="LOcal LAN"
YOU FORGOT TO PUT IN ALLOW DNS RULES ???
add action=drop chain=input comment="drops all other traffic"
add action=accept chain=forward comment="allow established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward comment="drop invalid packets" connection-state=invalid
You need a LAN to WAN rule:
add action=accept chain=forward comment="allow lan 2 Wan connections from the bridge" in-interface=bridge1-2.4 out-interface=ether1
You need a proper port forwarding rule!!!
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat
add action=drop chain=forward comment="drops all other traffic"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 (FIXED: don't need the extra bit you had)
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=27015-27030 in-interface=ether1 protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=27015-27030
add action=dst-nat chain=dstnat dst-port=27036-27037 in-interface=ether1 protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=27036-27037
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=3074 (error on this line fixed)
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1 protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=4380 (error on this line fixed)
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=ether1 protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=27000-27031 (error on this line fixed)
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1 protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=27036 (error on this line fixed)
I will note that your TCP and UDP ports don't line up perfectly, but that is up to you as you know what has to be forwarded.
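The problems the replies keep circling back to (the LAN address sitting on ether2 instead of the bridge, the same address assigned twice, an input "drop all" placed before the accept rules it shadows, no explicit DNS accept while allow-remote-requests=yes, dst-nat rules with no matching forward accept, and no LAN-to-WAN forward rule) can all be spotted mechanically from a plain /export. The Python linter below is an added example for this thread; it is not code from any poster here or from MikroTik. The sample export it scans is constructed to mirror the shape of the configs pasted above, the finding codes are names I chose, and the "catch-all" heuristic (a drop whose only properties are action/chain/comment/log) is my own simplification of how the filter chains are read.

```python
"""Lint a RouterOS /export for the mistakes raised in this thread (added example)."""
import shlex
from collections import defaultdict

# Constructed sample shaped like the exports pasted above; not a real device export.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge1-2.4 interface=ether2
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \\
    network=192.168.88.0
add address=192.168.88.15/24 comment=lansubnet interface=bridge1-2.4 network=192.168.88.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="allow access to the router from the lan" src-address-list="LOcal LAN"
add action=drop chain=input comment="drops all other traffic"
add action=accept chain=input comment="allow established connections to the router" connection-state=established
add action=drop chain=forward comment="drop invalid packets" connection-state=invalid
add action=accept chain=forward comment="allow established connections" connection-state=established
add action=drop chain=forward comment="drop all other connections"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=tcp to-addresses=192.168.88.125 to-ports=3074
"""

# Properties that do not narrow what a rule matches; a drop carrying only these is a catch-all (my heuristic).
MATCH_FREE = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_export(text):
    """Return (section, verb, props) triples; joins backslash continuations and keeps quoted values whole."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # export wraps long commands with a trailing backslash
            pending = line[:-1] + " "
            continue
        if line.startswith("/"):           # a section path such as /ip firewall filter
            section = line
            continue
        tokens = shlex.split(line)         # shlex keeps values like "LOcal LAN" as one token
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((section, tokens[0], props))
    return entries


def is_catch_all(rule):
    return not (set(rule) - MATCH_FREE)


def lint(entries):
    """Return (code, message) findings for the issues the replies in this thread point out."""
    findings, by_section, chains = [], defaultdict(list), defaultdict(list)
    for section, _verb, props in entries:
        by_section[section].append(props)
    for rule in by_section["/ip firewall filter"]:
        chains[rule.get("chain")].append(rule)

    # 1. The LAN address belongs on the bridge, not on a member port, and only once.
    members = {p.get("interface") for p in by_section["/interface bridge port"]}
    first_seen = {}
    for p in by_section["/ip address"]:
        addr, iface = p.get("address"), p.get("interface")
        if iface in members:
            findings.append(("address-on-bridge-port", f"{addr} is on {iface}, a bridge port; move it to the bridge"))
        if addr in first_seen:
            findings.append(("duplicate-address", f"{addr} is on both {first_seen[addr]} and {iface}"))
        first_seen.setdefault(addr, iface)

    # 2. Rule order: anything placed after a catch-all drop in the same chain can never match.
    for chain, rules in chains.items():
        shadowed = False
        for p in rules:
            if shadowed:
                findings.append(("unreachable-rule", f"chain {chain}: '{p.get('comment', '?')}' follows a catch-all drop"))
            elif p.get("action") == "drop" and is_catch_all(p):
                shadowed = True

    # 3. allow-remote-requests=yes makes the router a resolver: admit LAN port 53 explicitly, drop the rest.
    inp = chains.get("input", [])
    if any(p.get("allow-remote-requests") == "yes" for p in by_section["/ip dns"]):
        if not any(p.get("action") == "accept" and p.get("dst-port") == "53" for p in inp):
            findings.append(("no-dns-input-rule", "no explicit input accept for dst-port=53"))
        if not any(p.get("action") == "drop" and set(p) - MATCH_FREE <= {"in-interface", "in-interface-list"} for p in inp):
            findings.append(("open-resolver", "no terminal input drop: DNS would answer queries from the WAN side"))

    # 4. With a final forward drop, port forwards and new LAN-to-WAN flows each need their own accept.
    fwd = chains.get("forward", [])
    if any(p.get("action") == "drop" and is_catch_all(p) for p in fwd):
        accepts = [p for p in fwd if p.get("action") == "accept"]
        if any(p.get("action") == "dst-nat" for p in by_section["/ip firewall nat"]) and not any(
                p.get("connection-nat-state") == "dstnat" for p in accepts):
            findings.append(("missing-dstnat-accept", "dst-nat rules exist but forward never accepts connection-nat-state=dstnat"))
        if not any(p.get("connection-nat-state") != "dstnat"
                   and not set(p.get("connection-state", "new").split(",")) <= {"established", "related"}
                   for p in accepts):
            findings.append(("missing-lan-to-wan", "forward ends in a drop but no rule admits new LAN-to-WAN connections"))
    return findings


def lint_text(text):
    return lint(parse_export(text))


if __name__ == "__main__":
    for code, msg in lint_text(SAMPLE_EXPORT):
        print(f"[{code}] {msg}")
```

Run it against the text of `/export file=...` copied off the router; a clean config (address on the bridge, established/related and DNS accepts ahead of a final input drop, dstnat and LAN-to-WAN accepts ahead of a final forward drop) produces no findings. The open-resolver check is the one to take seriously on a router with allow-remote-requests=yes: without a terminal input drop, the WAN side can use the router as a recursive resolver.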