Simple config but Internet not working.

Hi all, I’m trying to help a non-profit organization who is replacing their router. The old router is kaput so I cannot glean anything from the old config. I have limited router knowledge and not specific to Mikrotik.
The problem is that Internet is not working. When I plug in the WAN port the router does say ‘reachable’ for the WAN IP but does not provide access (tested by trying to browse and by pinging 8.8.8.8, no go).
The network is simple, one LAN on 10.0.0.0/24 and one outgoing WAN connection. I will paste my config below but here’s the gist of it:
WAN is ether13
For the LAN I have bridged Ethernet ports 2 through 12 and configured DHCP for them.
Ether 1 I just left with the standard 192.168.88.1 as a way to be sure I can get in to the router in case I screw something up in IP settings.
I have also configured simple pcq queues so users can share bandwidth equally.
I suspect there’s something wrong with my routing table but have very little experience with that. My ISP said my WAN IP is 208.83.199.242 with subnet 255.255.255.252 and that my gateway to the Internet is 208.83.199.241. I have Masquerade configured as I believe that’s how to run a LAN network sharing one WAN IP.
That’s about it, super simple I should think but it’s not passing any Internet traffic, any help would be super appreciated so I can get these guys up and running again, they do really good work and help a lot of people but don’t have much money to hire a professional.
Here’s the config:

```
# may/27/2019 21:56:13 by RouterOS 6.42.7
# software id = CKED-AUWZ
# model = RB1100x4
# serial number = 91D80AE30458
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether13 ] name=ether13WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.245
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/queue type
set 5 pcq-rate=10M
set 6 pcq-rate=10M
/queue simple
add max-limit=12M/30M name=LimitAll \
    queue=pcq-upload-default/pcq-download-default target=10.0.0.0/24
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=208.83.199.242 interface=ether13WAN network=208.83.199.252
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1,8.8.8.8 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=drop chain=input comment="DROP SSH from WAN requests" dst-port=22 \
    in-interface=ether13WAN protocol=tcp
add action=drop chain=input comment="DROP webconfig from WAN requests" \
    dst-port=8081 in-interface=ether13WAN protocol=tcp
add action=drop chain=input comment="DROP Winbox from WAN requests" \
    dst-port=8291 in-interface=ether13WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=208.83.199.241
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=0.0.0.0/0 port=8081
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=0.0.0.0/0
set api-ssl disabled=yes
/system clock
set time-zone-name=US/Pacific
/system identity
set name=MikroTikLV
/system routerboard settings
set silent-boot=no
/tool graphing interface
add
```

```
/ip address
add address=208.83.199.242 interface=ether13WAN network=208.83.199.252

/ip route
add distance=1 gateway=208.83.199.241
```

These do not fit together well. I suppose what you actually need is

```
/ip address
add address=208.83.199.242/30 interface=ether13WAN network=208.83.199.240
```

But you may have to try netmasks from /30 down to /28 depending on how the ISP has set their network. Hint, remove that address item completely and add the new one, fill in just the address field with the 208.83.199.242/mask value and leave the network field blank, it will get auto-generated.

Change this rule:
```
/ip firewall nat add action=masquerade chain=srcnat
```
with
```
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether13WAN
```

The NAT tables are only used for connection-state=new packets, the remaining packets of the connection inherit the NAT handling triggered by the initial packet. So until the OP sets up port forwarding to allow access to some server running in their private LAN subnet via WAN, this masquerade rule will only act on outbound connections initiated by LAN hosts. I.e. the change you suggest makes the configuration “cleaner” but doesn’t solve the problem the OP came here with.

Thanks John and Sindy.
John: I have tried adding the ‘Out interface’ as WAN and also tried adding the ‘Src address’ 10.0.0.0/24 but none of those combinations seem to make a difference.
Sindy: I’ll try that tomorrow. Btw, I find it weird that even though a /30 is supposed to be a 255.255.255.252 netmask when I enter it into the router it interprets it as a 255.255.255.240 netmask, do you know why that is?

Are you talking about the actual netmask or about the network field of the /ip address item? That field is not the netmask, and I can’t even realize where, if at all, RouterOS shows the netmasks in the a.b.c.d notation.
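An added example, not part of any post in this thread: a small Python check over the `/ip address` and `/ip route` items from the posted export, showing why the gateway is unreachable and how the network address differs from the dotted netmask for the /30 to /28 candidates. The sample text is constructed from the export above, the function names are hypothetical, and it assumes an address written without a `/prefix` is a /32 host address.

```python
import ipaddress
import re

# Constructed sample: the /ip address and /ip route items as posted in the thread.
EXPORT = """\
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=208.83.199.242 interface=ether13WAN network=208.83.199.252
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip route
add distance=1 gateway=208.83.199.241
"""

def parse_export(text):
    """Group the key=value pairs of each 'add' line under its menu path."""
    items, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            items.setdefault(menu, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return items

def lint(text):
    """Report network fields that disagree with the prefix and gateways that are not on-link."""
    cfg, findings, connected = parse_export(text), [], []
    for item in cfg.get("/ip address", []):
        # Assumption: an address written without /prefix is a /32 host address.
        iface = ipaddress.ip_interface(item["address"])
        connected.append(iface.network)
        implied = str(iface.network.network_address)
        if item.get("network", implied) != implied:
            findings.append(f"{iface.with_prefixlen}: network={item['network']}, prefix implies {implied}")
    for route in cfg.get("/ip route", []):
        gw = ipaddress.ip_address(route["gateway"])
        if not any(gw in net for net in connected):
            findings.append(f"gateway {gw} is outside every connected subnet")
    return findings

def candidates(address, gateway, prefixes=(30, 29, 28)):
    """For each prefix length: (network address, dotted netmask, gateway on-link?)."""
    out = {}
    for p in prefixes:
        net = ipaddress.ip_interface(f"{address}/{p}").network
        out[p] = (str(net.network_address), str(net.netmask), ipaddress.ip_address(gateway) in net)
    return out

if __name__ == "__main__":
    print("\n".join(lint(EXPORT)))
    print(candidates("208.83.199.242", "208.83.199.241"))
```

For all three candidate prefixes the network address is 208.83.199.240 while the netmask differs, which is why the `network` field can look like a 255.255.255.240 mask without being one.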

You tried a DHCP client on your WAN interface?

Regards.

Just do this:
```
/ip address add address=208.83.199.242/30 interface=ether13WAN
```

Ignore netmask and network. You’ve already specified it as part of the address.

You need to fix your firewall as well, before connecting this thing to the big wide world.

Thanks all, I’m up and working now.
I fixed the firewall security stuff and also blocked outside DHCP requests.
Before that I was flooded with UDP immediately to the point of maxing out my transmit interface with China originated bs traffic, it was crazy how quickly it came on. But yeah now all is well :)