Router can't access internet/PING/DNS - Clients are able to connect!

tmp · June 18, 2016, 3:07pm

Hi,

I set up my Mikrotik hap lite a few months ago and I’m quite happy with it - except for one thing.
I’m using the device as a home-router with PPPOE. The clients can access the internet without any problem but the router itself isn’t able to connect to the internet until
I disable the “drop all” rules. So I believe I have a mistake in my firewall config.
Here is my current config (ROS 6.34.6 (bugfix)):

/ip firewall filter
add chain=input connection-state=established connection-type=“”
add chain=input connection-state=related connection-type=“”
add chain=input in-interface=bridge-local
add action=drop chain=input connection-state=invalid connection-type=“”
add action=drop chain=input
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward dst-address=!192.168.88.0/24 in-interface=bridge-local
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=pppoe-out1
/ip firewall service-port

Can someone please tell me what I need to configure so that the router is able to connect to the internet itself?

Thanks in advance,

tmp

flynno · June 18, 2016, 5:20pm

/ip firewall nat
add action=masquerade chain=srcnat comment=“bridge configuration”
out-interface=bridge-local

ZeroByte · June 19, 2016, 4:36am

Check that the router has valid DNS servers configured in /ip dns menu.

tmp · June 22, 2016, 4:16pm

Thanks for your quick answers! The DNS-Servers are set correctly (to OpenDNS) and I also added the new NAT-rule but it still doesn’t work.
If I disable the marked firewall rule, both ping and DNS works:

Do you have another suggestion?

ZeroByte · June 22, 2016, 6:54pm

The screenshot of your rules doesn’t show enough information.
Some columns such as “connection-state” are not shown by default, and the default firewall rule set uses these fields.

Instead of posting a screenshot, open a terminal window and issue the command:
/ip firewall filter export compact

Copy and paste the results (and feel free to redact the public IP addresses that may appear with x.x.x.x)

tmp · June 26, 2016, 7:01pm

[admin@MikroTik] > /ip firewall filter export compact
# jun/26/2016 20:58:36 by RouterOS 6.34.6
# software id = XXXXX
#
/ip firewall filter
add chain=input connection-state=established connection-type=""
add chain=input connection-state=related connection-type=""
add chain=input in-interface=bridge-local
add action=drop chain=input connection-state=invalid connection-type=""
add action=drop chain=input
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward dst-address=!192.168.88.0/24 in-interface=bridge-local
add action=drop chain=forward

Here are my firewall settings. Thanks again!

Cha0s · June 26, 2016, 8:50pm

You have set ‘connection-type’ to “” on the established/related rules so they don’t match the established/related connections.

Through winbox, just edit the established/related rules and click on the arrow next to the ‘Connection Type’ field so that it will get gray.

tmp · June 27, 2016, 5:16pm

Cha0s, thanks a lot, this was the mistake I made while configuring the device. Everything works fine now!

ahmadzai · December 3, 2016, 6:47am

i am also facing the same problem some time its ping is working some time its not is there any solution for it.