RESOLVED: Routing question.

Sorry for a noobie question but I have been at this for ages and I just can’t get it to work. Hopefully, someone can help :slight_smile:

I have my internet router (192.168.10.1) as the only device connected to ETH1. I have the rest of the 192.168.10.0/24 network connected to ETH3. ETH1 and ETH3 are part of Bridge 1. This all works fine :slight_smile:
I have a completely separate network (192.168.88.0/24) connected to ETH5. With the config below, hosts on that network cannot get access to the internet (via Bridge 1). Can anyone help please?

[admin@MikroTik] > export
# apr/16/2017 09:55:41 by RouterOS 6.38.5
# software id = JWBV-LDKI
#
# Initial (non-working) export. ether1 and ether3 are bridged as bridge1
# (192.168.10.0/24, internet router at 192.168.10.1); ether5 is a separate
# routed network (192.168.88.0/24) served by a DHCP server on this router.
/interface bridge
add name=bridge1
/ip neighbor discovery
set ether1 discover=no
/ip pool
add name=88-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=88-dhcp disabled=no interface=ether5 name=88-eth5
/interface bridge filter
# Disabled layer-2 drop rule for one source MAC arriving on ether1.
add action=drop chain=forward disabled=yes in-interface=ether1 packet-type=host src-mac-address=94:DE:80:C2:F1:33/FF:FF:FF:FF:FF:FF
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3
/interface bridge settings
# Bridged traffic is passed through the IP firewall, so the forward-chain
# rules below also apply to ether1 <-> ether3 traffic inside bridge1.
set use-ip-firewall=yes
/ip address
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
add address=192.168.10.7/24 interface=bridge1 network=192.168.10.0
# NOTE(review): ether1 is a port of bridge1 but also carries its own address
# in the same subnet as bridge1. Addresses normally belong on the bridge, not
# on a bridge port - confirm this is intended.
add address=192.168.10.3/24 interface=ether1 network=192.168.10.0
add address=192.168.10.5/24 disabled=yes interface=ether3 network=192.168.10.0
/ip dhcp-client
# NOTE(review): DHCP client on ether1, which is a bridge port - verify.
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
# No dns-server is handed to DHCP clients here; the final config later on this
# page adds dns-server=192.168.88.1.
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
# The router answers DNS queries itself (allow-remote-requests=yes) and
# forwards them to 192.168.10.1. Which clients can reach it is decided by the
# input chain; in this version no input rule accepts port 53 ahead of the
# input drop rule.
set allow-remote-requests=yes servers=192.168.10.1
/ip dns static
add address=192.168.10.4 name=router
/ip firewall address-list
# NOTE(review): 192.168.88.9 is on the ether5 network and outside the DHCP
# pool (.10-.254). The management rules match on source address only, so any
# ether5 host configured with that address matches them.
add address=192.168.10.230 list="Management PCs"
add address=192.168.10.144 list="Management PCs"
add address=192.168.88.9 list="Management PCs"
add address=192.168.10.146 list="Management PCs"
add address=192.168.88.0/24 list=88_subnet
add address=192.168.10.0/24 list=10_subnet
/ip firewall filter
# Rules are evaluated top to bottom and the first match decides.
# This first rule accepts everything forwarded from ether5, so the later
# "Stop Eth5 traffic getting to 192.168.10.0" drop is never reached and the
# 192.168.10.0/24 network is not isolated from ether5 in this version.
add action=accept chain=forward in-interface=ether5
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
# Management access to the router itself, limited to the "Management PCs"
# list: TCP 8291 (WinBox default port), 80 (web interface, unencrypted HTTP)
# and 22 (SSH).
add action=accept chain=input comment="Management PC Rules" connection-nat-state="" dst-port=8291 protocol=tcp src-address-list="Management PCs"
add action=accept chain=input dst-port=80 protocol=tcp src-address-list="Management PCs"
add action=accept chain=input dst-port=22 protocol=tcp src-address-list="Management PCs"
# NOTE(review): this drop matches in-interface=all-ethernet. Traffic entering
# through bridged ports is presumably seen with in-interface=bridge1, which
# all-ethernet may not match - verify that input from 192.168.10.0/24 is
# really dropped. It also drops DHCP (UDP 67) and DNS (UDP 53) requests from
# ether5, since nothing above accepts them.
add action=drop chain=input comment="Drop all INPUTS from all interfaces (excl Management PC's)" in-interface=all-ethernet
add action=accept chain=forward in-interface=bridge1 out-interface=ether5
add action=accept chain=forward comment="Bridge 1 traffic <> internet" in-interface=bridge1 out-interface=bridge1
add action=accept chain=forward comment="ETH5 Rules" dst-address=192.168.10.1 in-interface=ether5 out-interface=bridge1
add action=drop chain=forward comment="Stop Eth5 traffic getting to 192.168.10.0" dst-address-list=10_subnet in-interface=ether5 out-interface=bridge1
add action=accept chain=forward in-interface=ether5 out-interface=bridge1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward disabled=yes
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
# Catch-all for bridge1 traffic not accepted by the rules above.
add action=drop chain=forward in-interface=bridge1
/ip firewall nat
# Masquerade is disabled here, so packets from 192.168.88.0/24 leave with
# their original source addresses; the internet router would then need a
# return route to that subnet (presumably missing - confirm).
# NOTE(review): src-address=192.168.88.0 has no prefix length; 192.168.88.0/24
# was presumably intended.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes src-address=192.168.88.0
/ip route
# The active default route names the interface bridge1 as gateway; the route
# via the internet router's address 192.168.10.1 is disabled. The final config
# later on this page reverses the two.
add distance=1 gateway=bridge1
add disabled=yes distance=1 gateway=192.168.10.1
/system clock
set time-zone-name=Europe/London
/tool mac-server
# Default MAC-server entries are disabled; MAC Telnet and MAC WinBox are
# offered on ether2 only.
set [ find default=yes ] disabled=yes
add interface=ether2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
[admin@MikroTik] >

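Resolved by enabling the srcnat masquerade rule and adding an input rule that accepts DNS queries to the router. The final config also switches the default route to gateway=192.168.10.1 and hands out dns-server=192.168.88.1 to DHCP clients.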

Final config:

# apr/16/2017 13:12:12 by RouterOS 6.38.5
# software id = JWBV-LDKI
#
# Final (working) export. ether1 and ether3 are bridged as bridge1
# (192.168.10.0/24, internet router at 192.168.10.1); ether5 is a separate
# routed network (192.168.88.0/24) with DHCP and DNS provided by this router.
/interface bridge
add name=bridge1
/ip neighbor discovery
set ether1 discover=no
/ip pool
add name=88-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=88-dhcp disabled=no interface=ether5 lease-time=1h name=88-eth5
/interface bridge filter
# Disabled layer-2 drop rule for one source MAC arriving on ether1.
add action=drop chain=forward disabled=yes in-interface=ether1 packet-type=host src-mac-address=94:DE:80:C2:F1:33/FF:FF:FF:FF:FF:FF
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 disabled=yes interface=ether2
/interface bridge settings
# Bridged traffic is passed through the IP firewall, so the forward-chain
# rules below also apply to ether1 <-> ether3 traffic inside bridge1.
set use-ip-firewall=yes
/ip address
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
add address=192.168.10.7/24 interface=bridge1 network=192.168.10.0
# NOTE(review): ether1 is a port of bridge1 but also carries its own address
# in the same subnet as bridge1. Addresses normally belong on the bridge, not
# on a bridge port - confirm this is intended.
add address=192.168.10.3/24 interface=ether1 network=192.168.10.0
add address=192.168.10.5/24 disabled=yes interface=ether3 network=192.168.10.0
/ip dhcp-client
# NOTE(review): DHCP client on ether1, which is a bridge port - verify.
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
# DHCP clients on ether5 are told to use this router (192.168.88.1) for DNS.
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
# The router answers DNS queries itself and forwards them to 192.168.10.1.
# Who may query it is decided by the "DNS Relay rule" in the input chain.
set allow-remote-requests=yes servers=192.168.10.1
/ip dns static
add address=192.168.10.4 name=router
/ip firewall address-list
# NOTE(review): 192.168.88.9 is on the ether5 network and outside the DHCP
# pool (.10-.254). The management rules match on source address only, so any
# ether5 host configured with that address matches them.
add address=192.168.10.230 list="Management PCs"
add address=192.168.10.144 list="Management PCs"
add address=192.168.88.9 list="Management PCs"
add address=192.168.10.146 list="Management PCs"
add address=192.168.88.0/24 list=88_subnet
add address=192.168.10.0/24 list=10_subnet
/ip firewall filter
# Rules are evaluated top to bottom and the first match decides. The forward
# chain has no terminating drop rule, and unmatched packets are accepted, so
# the forward accept rules below are documentation rather than an allow-list.
# The only forward drops are ether5 -> 10_subnet and connection-state=invalid.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="BR1 - <> Internet" in-interface=bridge1 out-interface=bridge1
# NOTE(review): accepts DNS queries (UDP 53) to the router from every ethernet
# interface, not just ether5. Narrowing it with in-interface=ether5 or
# src-address-list=88_subnet would limit the resolver to the network that
# needs it. DNS over TCP 53 is not accepted. src-port="" is an empty matcher
# and presumably has no effect - verify.
add action=accept chain=input comment="DNS Relay rule" dst-port=53 in-interface=all-ethernet protocol=udp src-port=""
# Management access to the router itself, limited to the "Management PCs"
# list: TCP 8291 (WinBox default port), 80 (web interface, unencrypted HTTP)
# and 22 (SSH).
add action=accept chain=input comment="Management PC Rules" connection-nat-state="" dst-port=8291 protocol=tcp src-address-list="Management PCs"
add action=accept chain=input dst-port=80 protocol=tcp src-address-list="Management PCs"
add action=accept chain=input dst-port=22 protocol=tcp src-address-list="Management PCs"
# DHCP requests from ether5 clients must be accepted before the input drop.
add action=accept chain=input comment="ETH 5 - Rule for DHCP" dst-port=67 in-interface=ether5 protocol=udp
# NOTE(review): this drop matches in-interface=all-ethernet. Traffic entering
# through bridged ports is presumably seen with in-interface=bridge1, which
# all-ethernet may not match - verify that input from 192.168.10.0/24 is
# really dropped, otherwise the management restriction above only applies to
# ether5.
add action=drop chain=input comment="Drop all INPUTS from all interfaces" in-interface=all-ethernet
# Lets ether5 hosts reach the internet router's own address on any protocol
# and port. Internet-bound packets carry an external destination address, so
# they do not depend on this rule; it only opens the internet router's own
# services to ether5.
add action=accept chain=forward comment="ETH5 - Allow to 192.168.10.1" dst-address=192.168.10.1 in-interface=ether5 out-interface=bridge1
# Isolation rule: new connections from ether5 to the rest of 192.168.10.0/24
# are dropped.
add action=drop chain=forward comment="ETH5 - Stop traffic getting to 192.168.10.0" dst-address-list=10_subnet in-interface=ether5 out-interface=bridge1
add action=accept chain=forward comment="ETH5 - Allow to Internet" in-interface=ether5 out-interface=bridge1
# The isolation is one-way: hosts on bridge1 may still open connections into
# the ether5 network.
add action=accept chain=forward comment="BR1 - Allow to Eth5" in-interface=bridge1 in-interface-list=all out-interface=ether5
# NOTE(review): established,related forward traffic is already accepted by the
# second rule of this section, so this fasttrack rule is likely never reached.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall nat
# Source NAT, now enabled (it was disabled in the first export).
# NOTE(review): src-address=192.168.88.0 has no prefix length and, as written,
# names a single address; 192.168.88.0/24 was presumably intended. No
# out-interface is set, so the rule is not limited to traffic leaving via
# bridge1 - confirm.
add action=masquerade chain=srcnat comment="defconf: masquerade" src-address=192.168.88.0
/ip route
# The default route now points at the internet router's address; the route
# that named the interface bridge1 as gateway is disabled.
add distance=1 gateway=192.168.10.1
add disabled=yes distance=1 gateway=bridge1
/system clock
set time-zone-name=Europe/London
/tool mac-server
# Default MAC-server entries are disabled; MAC Telnet and MAC WinBox are
# offered on ether2 only.
set [ find default=yes ] disabled=yes
add interface=ether2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2