Thank you for coming back. I already knew the 12 rules and I might have forgotten to mention that I don't use the default rules. Masquerading in NAT is enabled. Every client in the Lan-Bridge except the WIFI-Interface, which is part of the Lan-Bridge, has access to the internet; all RPI are available through Portforwardings. I will check the "Questions about Firewall". If I am not successful I will post my complete configuration.
It is normally a /24, but your entry has the added netmask=24 so I wonder how (the heck) you managed to get that entry, maybe by editing a pre-existing entry?
I would remove it and then re-add it as follows:
/ip dhcp-server network add address=192.168.179.3/24 dns-server=192.168.179.20 gateway=192.168.179.3
(the netmask value should be added by Ros automatically)
[gerd@RockfishRouter] > /ip dhcp-server network add address=192.168.179.3/24 dns-server=192.168.179.20 gateway=192.168.179.3
failure: invalid network
I'm goin nutz...
In DHCP server network settings, property address has to be a network address, like this: 192.168.179.0/24 .
This setting has nothing to do with the gateway, the DNS server or the DHCP server address ... it has to be a network address. If there are multiple DHCP-server network lines, then this is a matcher (against the chosen IP address) for selecting additional data to include in the DHCP lease (gateway address, DNS server address, NTP server address, etc.)
mkx - thank you
If I do
/ip dhcp-server network add address=192.168.179.0/24 dns-server=192.168.179.20 gateway=192.168.179.3
no error message comes up but no DHCP-Server is added
I added DHCP-Server in Winbox and changed address to 192.168.179.20, added Subnet /24.
So the result seems to be: WIFI is working so far - I see connection from 2 Clients. So the Network-Settings seem to be okay? Connected to the WIFI but NO communication to the internet.
EDIT
I connected to the router via my Lenovo Linux-Box. From the Terminal a ping to 8.8.8.8 or e.g. to google.com is possible. Probably a Firewall-Rule for Port 53, 80, 443 necessary?
Tomorrow is another day...
Thank you guys for today's help!
Ooops, typo, (copy and paste) of course it needs to be .0.
The DHCP server related settings are three:
/ip pool
add name=dhcp_br_lan ranges=192.168.179.100-192.168.179.254
/ip dhcp-server
add address-pool=dhcp_br_lan interface=br_lan name="DHCP LAN"
/ip dhcp-server network
add address=192.168.179.0/24 dns-server=192.168.179.20 gateway=192.168.179.3
Check that you have them right now.
Your firewall seems (to my inexpert eyes) an overcomplicated mess, it is entirely possible that you have something in it blocking internet connection.
In any case it is good practice (for readability, for the helping forum members, but also for you in the future) to group firewall filter rules by chain, rules are applied in top to bottom order within a same chain, it won’t change anything in the functions performed, but it is much more readable if you have first all input rules, then all forward rules, etc.
jaclaz - in WinBox the rules are sorted, I don't know why they are mixed in the exported file. DHCP related server settings are managed as you mentioned.
I will delete all forwarding Firewall-Rules tomorrow and set them up again step by step.
Yeah I would say that is on the extreme edge of an overcooked config that has lost sight of reality and gone down a conspiracy tunnel of fear.
I would scrap the entire config, go back to default rules, and ask yourself the simple question.
What traffic do my users and devices need ( including the admin ) and focus on that first.
There is so much noise that has nothing to do with needed traffic.
Not sure what you are doing with VOIP, but I have a single VOIP modem in my house and no rules for it on my config. It simply plugs into a few house phones and its own vlan and it works. Not a single rule!!
Have you heard about Asterisk PBX? I am running an Asterisk with several Users and this Server is connected to a friend's Asterisk PBX via IAX2. Have you heard about XMPP?...
I might not be a Network-Nerd and Profi - but please come back to my question why no Internet-Connection is available via WIFI....
Can be closed
Glad it's working.
But you do need to be careful with the firewall, which is why folks are inquiring here... The firewall has a lot of subtleties and it's easy to allow more than you expect. But even with self-hosted PBX, you can still use the default firewall... with defconf firewall you use NAT dst-nat rules to allow the needed SIP/XMPP/etc ports inbound, as the default firewall filter allows dst-nat connections. This keeps the overall well-tested default intact, and avoids easy-to-make "mistakes" in custom firewalls.
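The approach described in the post above, as an added configuration sketch (not part of the thread and not anyone's actual router export): two dst-nat rules on top of an untouched defconf filter. The server addresses, the peer address 203.0.113.7 and the chosen ports (IAX2 on UDP 4569, XMPP server-to-server on TCP 5269) are assumptions.

```routeros
# Added example. All addresses and ports are assumed values, not taken from the thread.
/ip firewall nat

# IAX2 trunk to the Asterisk server (assumed LAN address 192.168.179.10).
# src-address limits the forward to the remote PBX (placeholder 203.0.113.7),
# so the port is not reachable from the rest of the internet.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=udp dst-port=4569 \
    src-address=203.0.113.7 to-addresses=192.168.179.10 to-ports=4569 \
    comment="IAX2 trunk to Asterisk (peer only)"

# XMPP server-to-server to the XMPP server (assumed LAN address 192.168.179.11).
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=5269 \
    to-addresses=192.168.179.11 to-ports=5269 \
    comment="XMPP s2s"

# No extra /ip firewall filter rules are needed. The defconf forward chain
# already contains this rule, which drops new WAN connections unless a
# dst-nat rule matched them (shown for reference, do not add it twice):
#
#   add action=drop chain=forward connection-nat-state=!dstnat \
#       connection-state=new in-interface-list=WAN \
#       comment="defconf: drop all from WAN not DSTNATed"
```

Running `/ip firewall filter print` afterwards confirms the defconf drop rule is still present in the forward chain; every inbound service is then visible in one place, the NAT table.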
Amm0 - honestly it's not working yet, and honestly I was a bit upset, because there was a feeling about being "dumb". I asked ChatGPT and will try this out. I got an error in masquerading that told me In-Interface and Out-Interface can not be configured by two bridges.
After all it was good to read your last answer and your suggestions. If I am not able to get it running I will go back to the default defconf configuration.
Regards, Gerd
Good morning all,
at least I found the solution for my problem. I ran into a "newbie-trap" by adding the DHCP-Server - Networks - Address like 192.168.179.3 and then added "24" to the "Network"-Tab. For that I was on 192.168.179.3/24. After reading through your posts again (formerly there was storm in my brain) I corrected that.
Now WIFI has Internet Access.
Next things will be to use defconf firewall-rules. My Router is on 7.16.1 - can I use the rules CGGXANNX recommended in "Questions about Firewall"?
Last but not least: What version should I update to?
You all have a nice weekend.
You can use those rules from 7.18 with a single exception, that is the fasttrack-connection rule for IPv6 (under /ipv6 firewall filter). Versions older than 7.18 do not support Fasttrack for IPv6 yet, so that rule cannot be imported. Just don't include it in the import and you'll be fine.
The fasttrack-connection rule in the normal /ip firewall filter table for IPv4 is fully supported by your RouterOS version.
The L009 should have no major issues with version 7.19.6, and you can upgrade to that. The current "stable" version is 7.20.2, but the 7.20.x versions are causing quite a few issues for people on this forum, so maybe don't jump to the latest version yet.
Ok, just to be clear: I download the 7.19.6 main and 7.19.6 wifi-qcom packets, put them in the Files section and reboot my Router. Is that right? In latest 6 version there was only one main packet.
Thank you for the information,
Gerd
Exactly that.
Thanks
So after all, I wanted to give you some latest information. After not being successful I was about to send the Router back to my dealer. I first couldn't factory reset it and found out there are different possibilities.
But I didn't send it back and went on with the defconf settings and I am pretty happy with that. Only changes were to configure it to my network, got wifi out of the box and now added two port forwardings to my XMPP- and Asterisk-Servers (both on RPI's).
I have two questions: Is there an advantage in using "in/out-interface" vs bridges?
Second question is: IPv6 is enabled by default (in ROS 6 there was an extra package) - is it possible to disable it?
I am glad that you could help me out.
Regards,
Gerd
- it depends, without context the answer is "a suffusion of yellow"
- Yes:
/ipv6 settings set disable-ipv6=yes
and/or, additionally/optionally:
Thank you