Simple and basic configuration is not working

I am trying to set up an RB435G (OS 6.0rc11). In the beginning, I just want to connect the router to the local LAN, connect to the internet, and make more advanced configuration afterwards. I tried to open everything in the firewall, but I can't connect to the internet. I tried with wireless and also with a wired connection on the local ethernet ports. Addresses are being given to clients, but it looks like traffic is not getting through.
What am I doing wrong?

Interfaces

Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE         MTU L2MTU  MAX-L2MTU
 0     lan1                                ether       1500  1520       1520
 1     lan2                                ether       1500  1520       1520
 2  R  wan                                 ether       1500  1520       1520
 3     wlan1                               wlan        1500  2290
 4  X  wlan2                               wlan        1500
 5  X  wlan3                               wlan        1500
 6  X  wlan4                               wlan        1500

IP address

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   10.10.10.0/24      10.10.10.0      wlan1                                  
 1   10.10.11.0/24      10.10.11.0      lan1                                   
 2 D 10.0.1.10/24       10.0.1.0        wan

DHCP servers

Flags: X - disabled, I - invalid 
 #   NAME     INTERFACE     RELAY           ADDRESS-POOL     LEASE-TIME ADD-ARP
 0 X dhcp1    wan                           static-only      3d        
 1   dhcp2    wlan1                         wifipool         10m       
 2   dhcp3    lan1                          lanpool          10m

DHCP client

Flags: X - disabled, I - invalid 
 #   INTERFACE                         USE ADD STATUS        ADDRESS           
 0   wan                               yes yes bound         10.0.1.10/24

IP firewall

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=accept src-address=0.0.0.0/0 

 1   chain=input action=accept protocol=icmp src-address=0.0.0.0/0 

 2   chain=forward action=accept connection-state=new 

 3   chain=forward action=accept protocol=tcp src-address=0.0.0.0/0 

 4   chain=forward action=accept protocol=icmp 

 5   chain=forward action=accept connection-state=established 
     connection-type="" 

 6   chain=forward action=accept connection-state=related 

 7   chain=output action=accept protocol=icmp

IP route

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.0.1.1                  1
 1 ADC  10.0.1.0/24        10.0.1.10       wan                       0
 2 ADC  10.10.10.0/24      10.10.10.0      wlan1                     0
 3 ADC  10.10.11.0/24      10.10.11.0      lan1                      0

IP NAT

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=wan

IP pool

 # NAME                                           RANGES                         
 0 wifipool                                       10.10.10.1-10.10.10.254        
 1 lanpool                                        10.10.11.1-10.10.11.254        
 2 dhcp_pool1                                     10.10.11.1-10.10.11.254

DNS

ip dns
       servers: 
        dynamic-servers: 10.0.1.1,x.x.x.x,x.x.x.x
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 10KiB

A few changes in your configuration:
Please follow these rules.

/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
add chain=input src-address=10.10.10.0/24 comment="From WLAN1 network"
add chain=input src-address=10.10.11.0/24 comment="From LAN1"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=wan
add chain=srcnat action=masquerade src-address=10.10.10.1-10.10.10.254
add chain=srcnat action=masquerade src-address=10.10.11.1-10.10.11.254

/ip dns
set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes max-udp-packet-size=512 cache-size=5000KiB cache-max-ttl=1w


Please change your IP pool; it may be mixed up with your LAN pool and DHCP pool.


*** Pls don’t copy-paste, try to follow the rules ***


Best regards

Thank you dotnet
I changed the firewall rules, deleted the unused DHCP pool, changed the DNS servers, and changed NAT. But I still don't have internet. Interestingly, from the Tools menu in Winbox I can traceroute and ping any site.
More ideas?

NAT

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=wan 

 1   chain=srcnat action=masquerade src-address=10.10.10.0/24 

 2   chain=srcnat action=masquerade src-address=10.10.11.0/24

IP firewall

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Accept established connections
     chain=input action=accept connection-state=established 

 1   ;;; Accept related connections
     chain=input action=accept connection-state=related 

 2   ;;; Accept UDP
     chain=input action=accept protocol=udp 

 3   ;;; Accept input from wlan
     chain=input action=accept src-address=10.10.10.0/24 

 4   ;;; Accept input from LAN
     chain=input action=accept src-address=10.10.11.0/24 

 5   ;;; Allow limited pings
     chain=input action=accept protocol=icmp limit=5,2 

 6   ;;; Drop excessive pings
     chain=input action=drop protocol=icmp 

 7   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid 

 8   ;;; Accept established connections
     chain=forward action=accept connection-state=established 
     connection-type="" 

 9   ;;; Accept related connections
     chain=forward action=accept connection-state=related

Do you have network entries under DHCP servers to ensure that clients get the gateway and DNS info too?

I have such entries:
IP DHCP server network

 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DO
 0 10.10.10.0/24      10.10.10.0     
 1 10.10.11.0/24      10.10.11.0

Clients get IP addresses and DNS settings. They can do an nslookup and get the IP of a site, but cannot ping or connect to it.

Change the addresses on the interfaces to:

10.10.10.1/24
10.10.11.1/24

and also change the gateway entries to be .1, not .0.

CelticComms You are the best!

Your suggestion fixed everything. Can you briefly describe why my configuration did not work? Can a gateway address not end with zero?

Anyway big thanks.

On a /24 network the .0 and .255 addresses have special significance and normally can't be used as host addresses.

More info here:

http://en.wikipedia.org/wiki/IPv4_subnetting_reference
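
As an added example (not part of any post in this thread), the check below flags interface addresses and DHCP gateways that sit on a subnet's network or broadcast address, generalised from the /24 case above to any prefix length. The sample rows are copied from the address and DHCP network listings earlier in the thread; the function names are hypothetical.

```python
import ipaddress
import re

# Rows copied from the thread's "/ip address" and DHCP server network listings.
ADDRESS_PRINT = """\
 0   10.10.10.0/24      10.10.10.0      wlan1
 1   10.10.11.0/24      10.10.11.0      lan1
 2 D 10.0.1.10/24       10.0.1.0        wan
"""
DHCP_NETWORKS = """\
 0 10.10.10.0/24      10.10.10.0
 1 10.10.11.0/24      10.10.11.0
"""

def host_problem(ip, net):
    """Return why `ip` cannot be a host address in `net`, or None if usable."""
    if ip not in net:
        return "outside subnet"
    if net.prefixlen >= net.max_prefixlen - 1:
        return None  # /31 and /32 have no reserved network/broadcast address
    if ip == net.network_address:
        return "network address"
    if ip == net.broadcast_address:
        return "broadcast address"
    return None

def check_interface_addresses(text):
    """Flag ADDRESS columns that are the network or broadcast address."""
    findings = []
    for m in re.finditer(r"(\d+\.\d+\.\d+\.\d+/\d+)\s+\S+\s+(\S+)", text):
        iface = ipaddress.ip_interface(m.group(1))
        problem = host_problem(iface.ip, iface.network)
        if problem:
            findings.append((m.group(2), str(iface), problem))
    return findings

def check_dhcp_gateways(text):
    """Flag DHCP network rows whose GATEWAY is not a usable host address."""
    findings = []
    for m in re.finditer(r"(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+\.\d+\.\d+\.\d+)", text):
        net = ipaddress.ip_network(m.group(1), strict=False)
        problem = host_problem(ipaddress.ip_address(m.group(2)), net)
        if problem:
            findings.append((str(net), m.group(2), problem))
    return findings

if __name__ == "__main__":
    for finding in check_interface_addresses(ADDRESS_PRINT) + check_dhcp_gateways(DHCP_NETWORKS):
        print(finding)
```

Run against the original listings it reports wlan1, lan1 and both DHCP gateways; with the addresses changed to 10.10.10.1/24 and 10.10.11.1/24 it reports nothing.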