Setup assistance with information, RB3011

Hello all,
I am new to MikroTik; I have a 3011 router.
Layout
Ether1 WAN /29 subnet
Ether 2 LAN 192.168.1.0/24
Ether 3 to 10 are part of the LAN address

I can access my PC inside the network from external, and port forwarding to the camera system is working fine too.

I can ping from inside the network to outside fine; DNS resolving is good.
Traceroute shows 192.168.1.1 twice, which I thought was interesting.
But the biggest problem is that web browsing outside of the network is not working correctly; sometimes I get the first page, but click a link and it times out.

I figured it was the firewall and removed most items down to a basic set; it did not make it better.

Here is my info; I think you can use it to help me understand what I did wrong.

Thanks in advance if you can help me.


[admin@IbeamIsp-LBC] /ip> export
# feb/09/2017 10:03:48 by RouterOS 6.38.1
# software id = TVTQ-HUHL

/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.254
/ip address
add address=98.6.39.202/29 interface=ether1 network=98.6.39.200
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge2 name=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall address-list
add address=192.168.1.0/24 comment=LAN list=local
add address=192.168.1.0/24 list=support
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add chain=input comment="Accept established and related packets" connection-state=established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to the router's IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which do not have a unicast source IP address" src-address-type=!unicast
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related in-interface=ether1
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat comment=VideoSystem1 dst-port=80 protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat comment=VideoSystem2 dst-port=6036 protocol=tcp to-addresses=192.168.1.12 to-ports=6036
add action=accept chain=input comment="Local access to RB for Winbox" dst-port=8291 protocol=tcp src-address-list=local
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add check-gateway=arp distance=1 gateway=98.6.39.201
/ip service
set telnet disabled=yes

Your dst-nats to 192.168.1.12 are too broad. They have no filter other than tcp & port. So all traffic through the router with dst port 80 or 6036 is being redirected there. Need to specify incoming interface, dst-addr, dst-addr-type or a combination of those to narrow the dst-nat.
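Added example, not part of the thread and not taken from the original poster's router: the two VideoSystem rules from the export, narrowed the way the reply above describes. The interface name ether1, the public address 98.6.39.202 and the camera host 192.168.1.12 come from the posted export; the assumption that the camera system only needs to be reachable through 98.6.39.202 (the one public address configured on ether1) is mine.

```routeros
# Why the posted rules break outbound browsing: a dstnat rule that matches only
# protocol=tcp dst-port=80 is evaluated for every new connection passing through
# the router, including a LAN client opening a web site on the internet. That
# connection is rewritten to 192.168.1.12:80, so the browser talks to the camera
# system instead of the site, which looks like random page loads timing out.

# Fix in place on a production router (no rule deletion, order is preserved):
# restrict each rule to connections that arrive on the WAN interface AND are
# addressed to the router's own public IP.
/ip firewall nat
set [find comment=VideoSystem1] in-interface=ether1 dst-address=98.6.39.202
set [find comment=VideoSystem2] in-interface=ether1 dst-address=98.6.39.202

# Equivalent rules written out in full, as they would appear in a fresh export.
# dst-address-type=local is the alternative the reply mentions: it matches any
# address the router itself owns, so it keeps working if more of the /29 is
# added to ether1 later, at the cost of also matching the LAN-side 192.168.1.1.
/ip firewall nat
add action=dst-nat chain=dstnat comment=VideoSystem1 dst-address=98.6.39.202 \
    dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat comment=VideoSystem2 dst-address=98.6.39.202 \
    dst-port=6036 in-interface=ether1 protocol=tcp to-addresses=192.168.1.12 to-ports=6036

# Check: after the change, browse from a LAN client and watch the counters.
# The VideoSystem rules should only increment for connections coming in on ether1.
/ip firewall nat print stats
```

One caveat to keep in mind with in-interface=ether1: a LAN client that opens the camera system by the public address 98.6.39.202 no longer matches these rules, because that connection enters on the bridge, not ether1. If that is needed, use the LAN address directly or add a separate hairpin NAT rule rather than loosening these ones.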

That's interesting that you caught that; I will try it. I just remotely enabled a proxy and it worked! So now I will correct what you saw, disable the proxy and report back.

OK, got that, but the proxy also works pretty nicely too!
Thank you for seeing that.

I am looking forward to working with this router, and intend to put a sector on to feed a few other buildings.

I needed to get the darn thing understood. I will now use one port and go to a 48-port switch with VLAN trunking, so that will be my next stumbling block, I am sure.
I get a bit confused with some examples, but am learning.

Thank you for your assistance.

Glad you’re off and running.

Proxy will take up resources on the router, plus can put lots of wear on the internal flash storage, so I wouldn’t use it unless you have another need for it… and then set up a separate disk.

VLANs, trunking and switches can be a little tricky to initially learn, especially with MikroTik's different switch chips each having slightly different quirks/tricks. (And the 2011 has two different switch chips!)
Once you learn and get them set up though, they are extremely useful and efficient.

Check out this page if you haven’t: http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

Yes, getting past the first step has been interesting.
I have an HP ProCurve 2650.
I intend to trunk VLANs out one port to it. I am trying to get a grasp on it. Wish I had a second RB3011 to lab with, but this unit is in production now, so learning backup and restore first was most important. Fortunately I have a key to the building, so I will experiment on weekends. So many specific items on each piece to learn.