RB751U-2HnD PPPoE client and NAT not working

Hi,

I bought a MikroTik RB751U-2HnD because I wanted a more serious router. But now I have problems setting it up. I successfully connected my router to the internet (PPPoE client) and I can ping sites from it, but I have no idea how to set up NAT correctly so my local devices would have access to the internet. It just seems that everything I do is wrong.

Please help me, here is some info that you probably need:

[admin@MikroTik] /ip hotspot service-port> /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=bridge-local
actual-interface=bridge-local

1 D address=90.157.193.99/32 network=212.18.32.174 interface=pppoe-out1
actual-interface=pppoe-out1

2 address=212.18.32.174/32 network=212.18.32.174 interface=pppoe-out1
actual-interface=pppoe-out1
[admin@MikroTik] /ip hotspot service-port> /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=212.18.32.174
gateway-status=212.18.32.174 reachable via pppoe-out1 distance=1
scope=30 target-scope=10

1 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge-local
gateway-status=bridge-local reachable distance=0 scope=10

2 ADC dst-address=212.18.32.174/32 pref-src=90.157.193.99 gateway=pppoe-out1
gateway-status=pppoe-out1 reachable distance=0 scope=10

[admin@MikroTik] /ip hotspot service-port> /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE MTU L2MTU MAX-L2MTU

0 R ether1 ether 1500 1600 4076
1 R ether2 ether 1500 1598 2028
2 ether3-slave-local ether 1500 1598 2028
3 ether4-slave-local ether 1500 1598 2028
4 ether5-slave-local ether 1500 1598 2028
5 wlan1 wlan 1500 2290
6 R bridge-local bridge 1500 1598
7 R pppoe-out1 pppoe-out 1480

[admin@MikroTik] /ip hotspot service-port> /ip firewall export
# jan/02/1970 00:14:59 by RouterOS 5.12
# software id = XD8N-S2L6
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1
add action=src-nat chain=srcnat disabled=no src-address=192.168.0.0/24 to-addresses=212.18.32.174
add action=dst-nat chain=dstnat disabled=no dst-address=212.18.32.174 to-addresses=192.168.0.2-192.168.0.254
add action=src-nat chain=srcnat disabled=no src-address=192.168.0.2-192.168.0.254 to-addresses=212.18.32.174
add action=dst-nat chain=dstnat disabled=no dst-address=212.18.32.174 to-addresses=192.168.88.2-192.168.88.254
add action=src-nat chain=srcnat disabled=no src-address=192.168.88.2-192.168.88.254 to-addresses=212.18.32.174
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1
add action=src-nat chain=srcnat disabled=no src-address=192.168.0.0/24 to-addresses=212.18.32.174
add action=dst-nat chain=dstnat disabled=no dst-address=212.18.32.174 to-addresses=192.168.0.2-192.168.0.254
add action=src-nat chain=srcnat disabled=no src-address=192.168.0.2-192.168.0.254 to-addresses=212.18.32.174
add action=dst-nat chain=dstnat disabled=no dst-address=212.18.32.174 to-addresses=192.168.88.2-192.168.88.254
add action=src-nat chain=srcnat disabled=no src-address=192.168.88.2-192.168.88.254 to-addresses=212.18.32.174
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

[admin@MikroTik] /ip hotspot service-port> /ip hotspot export
# jan/02/1970 00:15:08 by RouterOS 5.12
# software id = XD8N-S2L6
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21

Thank you so much!

G’day,

Just had a quick look through your setup.

In your firewall NAT rule, change your out-interface from ether1 to pppoe-out1.

D2.

Sorry, I'm a total n00b in that, what's the command? Thanks.

G’day,

If you are using Winbox, then go to IP->Firewall->NAT.

Double click on the entry that has masq - src-nat - ether1. Then change ether1 (in the out-interface area) to pppoe-out1.

If using CLI, then try

/ip firewall nat
set 0 out-interface=pppoe-out1

The

set 0

part means change rule zero. If your nat rule relating to the out-interface is a different number (displayed when you do

/ip firewall nat pr

) then change zero to whatever number is shown next to the rule.

Have a look at http://wiki.mikrotik.com for info on the CLI.

Hm, that did nothing for me. Any more suggestions?

Keep the out-interface to pppoe-out1. This is for sure the right setting in NAT.

If by local devices you mean your own devices on your LAN, i.e. you use the router as a home router, then that is exactly what I do too, in order to have a better router at home and more control.

However, for that purpose it seems to me that your setup is too complicated in terms of routing and then not sufficient in terms of firewall.

When you have NAT action=masquerade enabled, you do not need the other src-nat settings. Just check "add default route" and "use peer DNS" in your PPPoE connection.

You may have a connection to the internet (have you tried to ping a specific IP address?) but your browser does not find anything because the DNS is not set right. In Winbox go to IP/DNS; the window should be empty. Then click on the Settings tab and make sure that "allow remote requests" is checked.

In the wiki there are some good examples of a complete standard setup, and then search the board here for minimum firewall settings.

rgs Pilgrim

http://www.mikrotik.com/testdocs/ros/2.9/guide/basic.php
http://klseet.com/index.php?option=com_content&view=article&id=51&Itemid=49
http://wiki.mikrotik.com/wiki/802.11n_Setup_Guide

Greg Sowell is a great source too. Here is his tutorial video on Mikrotik Basics.

http://gregsowell.com/?p=957

Thanks for your reply. The link from Greg Sowell was very helpful. I have a running connection on all computers via LAN (connected with cable).

The only problem now is configuring the wireless AP connection. The problem is, for instance, that my iPhone doesn't get a local IP and therefore has no internet connection. Please look at the screenshot and tell me what I got wrong. Thanks.

I assume that you use ether 2 as your LAN 192.168.1.xxx interface where your devices are connected. If you want your wireless devices to connect to the same LAN 192.168.1.xxx and act as any other device that you have connected to your LAN, then you should not give your wlan1 any IP address. You just need to create a bridge where you bridge your ether 2 and wlan1. I have a simple AP set up at home with this configuration.
Clipboard01.png
Clipboard02.png
If you want the other physical interfaces ether 3, 4, etc. to connect to your LAN too, you could in principle just add them to the bridge too. But for the physical interfaces it is better to use the switch function and use ether 2 as your master port and ether 3, 4, ... as slaves.

In the interface list you double click on the interface, and under the General tab there is a "master port" box: for the master interface you select none, and for the slaves you select the interface you use as master, e.g. ether 2.

So I made a bridge, but ether2 has the role of "designated port" and wlan1 has the same role, while you have wlan1 as "disabled port" (edit: I figured that one out, if someone is trying to connect it will say "designated port", otherwise "disabled port").

But my wlan clients are still not getting local IP addresses. Please help me further. Thanks!
mikrotik04.PNG
mikrotik03.PNG

I think it may be because your DHCP server is still just handing out IPs on ether2. You have to put it on the bridge.

Check IP/DHCP Server, click on the DHCP server listed and check the interface that is set. It must be the bridge, I think.

rgs Bjarne

Hi!

If I understand your problem, you cannot get internet access.
This is an easy scenario for an internet connection with PPPoE:

Interface IP address

/ip address add address=192.168.1.1/24 interface=ether1

NAT private IPs to pppoe-out

/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 action=masquerade

DHCP pool

/ip pool add name=dhcp-pool ranges=192.168.1.2-192.168.1.254

DHCP server

/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1 # or any DNS
/ip dhcp-server add name=default interface=ether1 address-pool=dhcp-pool

It is just an example; all of these settings can be set up easily with Winbox.
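The fixes given across this thread (masquerade on pppoe-out1, one bridge for ether2 and wlan1, DHCP bound to the bridge, DNS answering for the LAN), combined into one script as an added example; it is not any poster's configuration. ether1 as WAN, ether2 and wlan1 as LAN, the 192.168.88.0/24 network, the pool range and the PPPoE credentials are assumptions.

```routeros
# Added example, not from the thread. Assumes ether1 = WAN, ether2 + wlan1 = LAN,
# LAN network 192.168.88.0/24, PPPoE credentials are placeholders.

# 1. PPPoE client on the WAN port. Let it install the default route and the
#    ISP's DNS servers (the "add default route" / "use peer DNS" checkboxes).
/interface pppoe-client add name=pppoe-out1 interface=ether1 user="PPPOE_USER_PLACEHOLDER" password="PPPOE_PASSWORD_PLACEHOLDER" add-default-route=yes use-peer-dns=yes disabled=no

# 2. One bridge for wired and wireless. The LAN address lives on the bridge,
#    not on wlan1 or ether2 themselves.
/interface bridge add name=bridge-local
/interface bridge port add bridge=bridge-local interface=ether2
/interface bridge port add bridge=bridge-local interface=wlan1
/ip address add address=192.168.88.1/24 interface=bridge-local

# 3. DHCP server on the bridge (not on ether2), so wireless clients get leases too.
/ip pool add name=dhcp-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=dhcp-local interface=bridge-local address-pool=dhcp-pool disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# 4. Let the router resolve names for LAN clients ("allow remote requests").
#    This must be paired with an input rule dropping DNS from the WAN side,
#    otherwise the router becomes an open resolver.
/ip dns set allow-remote-requests=yes

# 5. NAT. The original export carries src-nat rules that masquerade already
#    covers, and dst-nat rules that hand every unsolicited inbound packet for the
#    public address to a LAN host. Remove all of them and keep one masquerade
#    rule whose out-interface is the PPPoE tunnel, not the raw ether1 port.
/ip firewall nat remove [find action=src-nat]
/ip firewall nat remove [find action=dst-nat]
/ip firewall nat remove [find action=masquerade]
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="LAN to internet"
```

After pasting, `/ip firewall nat print` should show exactly one srcnat rule, and `/ip dhcp-server lease print` should list wireless clients alongside wired ones.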

That was exactly what it was. I just changed my DHCP server to "bridge1" and now everything works! Thank you so much!

One question: does anyone have any idea why the wireless is dropping? Not constantly, but here and there.
mikrotik05.PNG

@Th0r, just a word of caution. I think I mentioned it already, but you should be sure that you have the minimum needed rules in your firewall. Check for example:

http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling
http://wiki.mikrotik.com/wiki/Home_Firewall (complete script for a home firewall). To install the script you just open a new terminal window in Winbox and paste the script.

rgs Pilgrim
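A minimal stateful filter for the setup in this thread, as an added example (not a poster's configuration and not the wiki scripts linked above). The point it addresses is visible in the original export: the default-configuration drop rule matches in-interface=ether1, but once the WAN is a PPPoE tunnel, internet traffic arrives on pppoe-out1 and never hits that rule, so the router's own services (Winbox, DNS, the web UI) stay reachable from outside. pppoe-out1 as WAN and bridge-local as LAN are assumptions.

```routeros
# Added example, not from the thread. Assumes pppoe-out1 = WAN, bridge-local = LAN.
# Rules are evaluated top to bottom; the first match wins.
/ip firewall filter

# --- input chain: traffic addressed to the router itself ---
add chain=input connection-state=established action=accept comment="replies to router-initiated traffic"
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge-local action=accept comment="LAN may reach DNS, DHCP, Winbox on the router"
add chain=input protocol=icmp action=accept comment="ping from anywhere, as in the default config"
# Everything else from the internet is dropped. With allow-remote-requests=yes
# on /ip dns, this rule is what keeps the router from being an open DNS resolver.
add chain=input in-interface=pppoe-out1 action=drop comment="WAN to router: drop"

# --- forward chain: traffic passing through the router (LAN <-> internet) ---
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-local action=accept comment="LAN may initiate to the internet"
add chain=forward in-interface=pppoe-out1 connection-state=new action=drop comment="no unsolicited inbound to LAN hosts"
```

Verify from the outside (a phone on mobile data is enough) that ping still answers while Winbox and DNS queries to the public address time out; `/ip firewall filter print stats` shows which rule each probe hit.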

@Pilgrim thanks, but I didn't forget and set some basic rules.

Do you have any thoughts on why the wireless is occasionally dropping? Thanks.

@th0r

No, I would not be the right one to answer that and I am also not sure how the problem could be investigated. I hope that someone else on the board can help. I am also interested in knowing more about this problem.

rgs Pilgrim