Simple Nating - iPhone don't work [solved]

Hi, as always sorry for my bad English.

I’ve been using MikroTik at work for some years and it’s amazing! Now I finally have my own RB433 at home (to play with it properly :D).

I have a DSL connection and my ISP router is a Zyxel P660HW. I’ve configured its WAN in “bridge mode” with “PPPoE passthrough”, and I’ve disabled everything I could on that router (DHCP server, UPnP, NAT…).

I’ve connected an Ethernet cable from my ISP router to “ether1” on the RB433.

On the RB433 I’ve configured a bridge containing “ether1”, and a “PPPoE client” interface called “Internet” (yeah, KISS) that dials over that bridge, so the public IP lands on that interface.

I’ve configured my wlan1 interface properly, with a DHCP server on it handing out 192.168.2.0/24 addresses to WLAN clients.

With an IP->Firewall->NAT masquerade rule I can browse from any PC, but I can’t from any of my iPhones (they get DHCP addresses from the same range as the computers).

I think I’m doing something wrong; I’ve googled and can’t find anything about this, and I need a quick solution (my girlfriend doesn’t see the advantages of MikroTik, she just says “with the old router my iPhone worked and now I don’t have internet!”), so please help :)

Here my config:

/interface bridge
# Bridge that carries the PPPoE session toward the DSL modem on ether1 (the
# pppoe-client further down dials over interface=PuenteCasa).
# protocol-mode=none means (R)STP is off. The all-zero admin-mac is presumably
# scrubbed for the post; with auto-mac=yes it should not be used anyway.
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=1526 max-message-age=20s mtu=1500 \
    name=PuenteCasa priority=0x8000 protocol-mode=none transmit-hold-count=6

/interface ethernet
# ether1: modem-facing port and the only active member of bridge PuenteCasa
# (see /interface bridge port). It is pinned to 100Mbps full-duplex with
# auto-negotiation off; the modem side must match or the link can end up in
# a duplex mismatch. arp=proxy-arp on a bridge member is unusual -
# TODO confirm it is intentional.
set 0 arp=proxy-arp auto-negotiation=no disabled=no full-duplex=yes l2mtu=\
    1526 mac-address=00:00:00:00:00:00 mtu=1500 name=ether1 speed=100Mbps
# ether2 is disabled. ether3 is enabled but has no IP address and its bridge
# port entry is disabled, so it is unused in this export.
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=yes full-duplex=yes l2mtu=1522 mac-address=00:00:00:00:00:00 \
    master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1522 mac-address=00:00:00:00:00:00 \
    master-port=none mtu=1500 name=ether3 speed=100Mbps

/interface ethernet switch
# Default switch-chip settings: no port mirroring configured.
set switch1 mirror-source=none mirror-target=none name=switch1

/interface wireless security-profiles
# "default" profile: mode=none, i.e. an open network. wlan1 does not use it
# (it selects security-profile=WPA2 below), so it is harmless as long as no
# interface is later created that falls back to the default profile.
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
    group-key-update=5m interim-update=0s management-protection=disabled \
    mode=none name=default radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=""

# "WPA2" profile used by wlan1. It accepts both WPA(1)-PSK and WPA2-PSK and
# both TKIP and AES-CCM. WPA1/TKIP are deprecated and weaker; unless a legacy
# client really needs them, restrict to authentication-types=wpa2-psk with
# unicast-ciphers=aes-ccm and group-ciphers=aes-ccm. No pre-shared key
# appears in this export - presumably scrubbed before posting.
# management-protection=allowed is MikroTik's proprietary management-frame
# protection, used only with clients that support it.
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm \
    group-key-update=5m interim-update=0s management-protection=allowed mode=\
    dynamic-keys name=WPA2 radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity="" tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=tkip,aes-ccm

/interface wireless
# wlan1: 2.4 GHz 802.11g-only AP on 2412 MHz (channel 1), SSID "WifiWay",
# bound to security-profile=WPA2. default-forwarding=yes lets associated
# clients talk to each other through the AP (no client isolation);
# default-authentication=yes admits any client that passes the security
# profile, since there is no wireless access-list in this export.
# country=no_country_set with frequency-mode=manual-txpower effectively
# bypasses regulatory limits - make sure channel and power are legal locally.
set 0 adaptive-noise-immunity=ap-and-client-mode allow-sharedkey=no \
    antenna-gain=19 antenna-mode=ant-a area="" arp=enabled band=2ghz-onlyg \
    basic-rates-a/g=24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b="" bridge-mode=\
    disabled burst-time=disabled channel-width=20mhz compression=no country=\
    no_country_set default-ap-tx-limit=0 default-authentication=yes \
    default-client-tx-limit=0 default-forwarding=yes dfs-mode=no-radar-detect \
    disable-running-check=no disabled=no disconnect-timeout=3s distance=\
    dynamic frame-lifetime=0 frequency=2412 frequency-mode=manual-txpower \
    frequency-offset=0 hide-ssid=no hw-fragmentation-threshold=disabled \
    hw-protection-mode=none hw-protection-threshold=0 hw-retries=7 l2mtu=2290 \
    mac-address=00:00:00:00:00:00 max-station-count=2007 mode=ap-bridge mtu=\
    1500 name=wlan1 noise-floor-threshold=default nv2-cell-radius=30 \
    nv2-noise-floor-offset=default nv2-qos=default nv2-queue-count=2 \
    nv2-security=disabled on-fail-retry-time=100ms periodic-calibration=\
    default periodic-calibration-interval=60 preamble-mode=both \
    proprietary-extensions=post-2.9.25 radio-name=WifiWay rate-selection=\
    advanced rate-set=configured scan-list=default security-profile=WPA2 \
    ssid=WifiWay station-bridge-clone-mac=00:00:00:00:00:00 \
    supported-rates-a/g=24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b="" \
    tdma-period-size=2 tx-power-mode=default update-stats-interval=disabled \
    wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 \
    wds-ignore-ssid=no wds-mode=disabled wireless-protocol=802.11 \
    wmm-support=enabled

/interface wireless nstreme
# MikroTik's proprietary nstreme polling protocol is off; plain 802.11 is
# used (wireless-protocol=802.11 on wlan1), which is what non-MikroTik
# clients such as phones and laptops require.
set wlan1 disable-csma=no enable-nstreme=no enable-polling=no framer-limit=\
    3200 framer-policy=none

/ip pool
# Address range for WLAN clients. Note the name: the dhcp-server below refers
# to address-pool=pool2, which does not exist in this export (the thread
# sorts this out later - the poster trimmed pools from the .rsc by hand).
add name=dhcp_pool1 ranges=192.168.2.10-192.168.2.254

/ip dhcp-server
# DHCP server on wlan1. address-pool=pool2 is not defined under /ip pool in
# this export, and address-pool6=test refers to an IPv6 pool that is not
# shown either. add-arp=yes adds ARP entries for leases; that only pins
# clients to their lease if the interface also uses arp=reply-only, and
# wlan1 has arp=enabled, so it is not a restriction here.
add add-arp=yes address-pool=pool2 address-pool6=test always-broadcast=yes \
    authoritative=yes disabled=no interface=wlan1 lease-time=3d name=\
    ServerDeluxe

/ppp profile
# PPP profiles; the pppoe-client "Internet" uses "default".
# change-tcp-mss=yes makes RouterOS clamp the TCP MSS of connections crossing
# the PPP link to fit the link MTU - directly relevant to the MTU problem
# solved at the end of this thread. use-ipv6=yes negotiates IPv6 on the link;
# there is no /ipv6 firewall in this export, so if the ipv6 package is active
# and the ISP hands out IPv6, nothing filters it.
set default change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-ipv6=yes use-mpls=default \
    use-vj-compression=default
set default-encryption change-tcp-mss=yes name=default-encryption only-one=\
    default remote-ipv6-prefix-pool=none use-compression=default \
    use-encryption=yes use-ipv6=yes use-mpls=default use-vj-compression=\
    default

/interface pppoe-client
# PPPoE session to the ISP, dialled over the bridge. The export contains the
# PPPoE user and password in clear - scrub credentials before posting a
# config publicly. allow=pap,... lets the ISP pick PAP, in which case the
# password crosses the DSL link unencrypted; drop pap (and mschap1) if the ISP
# accepts chap/mschap2. max-mtu=1492 is the usual PPPoE-over-Ethernet value
# (1500 minus the 8-byte PPPoE header); the fix at the end of the thread
# lowers max-mtu and max-mru to 1480. add-default-route=yes installs the
# ISP's gateway as default route; use-peer-dns=no keeps the static resolvers
# configured under /ip dns.
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
    dial-on-demand=no disabled=no interface=PuenteCasa max-mru=1500 max-mtu=\
    1492 mrru=disabled name=Internet password=adslppp profile=default \
    service-name=Telefonica use-peer-dns=no user=adslppp@telefonicanetpa

/interface bridge port
# Only ether1 is an active member of PuenteCasa; the ether2/ether3 entries
# are disabled, so the bridge is effectively a single-port carrier for the
# PPPoE session.
add bridge=PuenteCasa disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether1 path-cost=10 point-to-point=auto priority=0x80
add bridge=PuenteCasa disabled=yes edge=auto external-fdb=auto horizon=none \
    interface=ether2 path-cost=10 point-to-point=auto priority=0x80
add bridge=PuenteCasa disabled=yes edge=auto external-fdb=auto horizon=none \
    interface=ether3 path-cost=10 point-to-point=auto priority=0x80

/interface bridge settings
# use-ip-firewall=yes sends layer-2 bridged traffic through /ip firewall as
# well; use-ip-firewall-for-pppoe=yes extends that to PPPoE-encapsulated
# frames on the bridge. This costs CPU on an RB433 and only matters if you
# intend to filter traffic bridged between ports - with a single active port
# it presumably does nothing useful here.
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=no

/ip address
# Router's LAN address on the WLAN; also the DHCP gateway and DNS address.
add address=192.168.2.1/24 disabled=no interface=wlan1 network=192.168.2.0
# Address on the bridge, presumably to reach the modem's web UI on
# 192.168.1.x. Nothing in the forward chain stops WLAN clients from routing
# to that subnet, so the modem's admin interface is reachable by every WLAN
# user - TODO confirm that is intended.
add address=192.168.1.254/24 disabled=no interface=PuenteCasa network=\
    192.168.1.0
#Public Fake IP
# Placeholder for the post. A static address on a pppoe-client interface is
# normally unnecessary (the peer assigns it), so this looks like an
# anonymised artefact rather than real config.
add address=1.1.1.2 disabled=no interface=Internet network=1.1.1.1

/ip dhcp-server network
# Options handed to WLAN clients. The DNS list mixes the router (192.168.2.1)
# with public resolvers, so clients may bypass the router's cache and static
# entries; the dstnat redirect further down forces UDP/53 back to the router
# anyway. ntp-server=192.168.2.1 points at this router, but /system ntp
# server is disabled at the end of the export, so clients will not get time
# from it.
add address=192.168.2.0/24 dns-server=\
    192.168.2.1,8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222 domain=DeluxeNet gateway=\
    192.168.2.1 ntp-server=192.168.2.1
/ip dns
# allow-remote-requests=yes makes the router a DNS resolver for its clients.
# The firewall filter in this export has no input-chain rules, so unless the
# export is incomplete the resolver is also reachable on the public PPPoE
# address from the Internet (an open resolver, usable for DNS amplification),
# as is every management service (winbox, ssh, www, api). Add input rules
# that accept only established/related traffic and LAN sources and drop the
# rest arriving on "Internet".
set allow-remote-requests=yes cache-max-ttl=1w cache-size=1024KiB \
    max-udp-packet-size=1024 servers=\
    8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222

/ip dns static
# Local name for the router itself, answered to clients that use it as DNS.
add address=192.168.2.1 disabled=no name=DeluxeNet ttl=1d

/ip firewall connection tracking
# Connection tracking is required for masquerade and for the
# connection-state=invalid rules. tcp-syncookie=yes is a sensible hardening
# default. The 10s UDP and ICMP timeouts are aggressive: slow DNS replies or
# long-interval UDP traffic from the WLAN may see their conntrack entry expire
# and the reply treated as a new (possibly invalid) flow.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

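/ip firewall filter
# Input chain: traffic addressed to the router itself. The posted export had
# no input rules at all, so with /ip dns allow-remote-requests=yes and a
# public IP on "Internet" the resolver and any management service (winbox,
# ssh, www, api) were reachable from the WAN. Rule order matters: the accepts
# must come before the final drop. Input arriving on other interfaces
# (e.g. the modem side on PuenteCasa) is not dropped by these rules.
add action=accept chain=input comment="established to router" \
    connection-state=established disabled=no
add action=accept chain=input comment="related to router (ICMP errors, PMTU)" \
    connection-state=related disabled=no
add action=accept chain=input comment="WLAN clients to router" disabled=no \
    in-interface=wlan1
add action=drop chain=input comment="drop everything else arriving on WAN" \
    disabled=no in-interface=Internet
# Forward chain: traffic routed through the router. Unchanged from the
# original export: reject flows that connection tracking cannot classify.
add action=reject chain=forward comment="INVALID tcp" connection-state=\
    invalid disabled=no protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="INVALID udp" connection-state=\
    invalid disabled=no reject-with=icmp-port-unreachable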

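/ip firewall nat
# Force WLAN clients' DNS through the router's resolver. Both redirect rules
# are scoped with src-address=192.168.2.0/24 (the same subnet the masquerade
# rule uses) so they only act on WLAN clients; the original rules matched any
# source, including packets arriving on the WAN. The layer7-protocol=dns
# definition is not part of this export; that rule is redundant with the
# dst-port=53 rule for ordinary resolvers and costs a regexp match on every
# UDP packet from the subnet - consider removing it.
add action=redirect chain=dstnat comment=DNS disabled=no layer7-protocol=dns \
    protocol=udp src-address=192.168.2.0/24 to-ports=53
add action=redirect chain=dstnat comment=DNS disabled=no dst-port=53 \
    protocol=udp src-address=192.168.2.0/24 to-ports=53
# Source NAT for the WLAN subnet out of the PPPoE interface.
add action=masquerade chain=srcnat disabled=no out-interface=Internet \
    src-address=192.168.2.0/24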

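/ip upnp
# UPnP lets any device on the WLAN open inbound port forwards by itself, a
# standing exposure; keep enabled=yes only if a LAN application really needs
# it, otherwise set enabled=no.
set allow-disable-external-interface=no enabled=yes show-dummy-rule=yes
/ip upnp interfaces
add disabled=no interface=wlan1 type=internal
# The external side must be the interface holding the public address, i.e.
# the pppoe-client "Internet" (the masquerade rule uses the same one), not
# the bridge PuenteCasa, which only carries the PPPoE frames to the modem.
add disabled=no interface=Internet type=external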

/system clock
set time-zone-name=Europe/Madrid

/system ntp client
# Plain (unauthenticated) unicast NTP against two fixed server addresses.
set enabled=yes mode=unicast primary-ntp=158.227.98.15 secondary-ntp=\
    195.10.6.126

/system ntp server
# The NTP server is disabled, although the DHCP network advertises
# 192.168.2.1 as ntp-server to WLAN clients.
set broadcast=no enabled=no manycast=yes multicast=no

Please help : ) thanks!!

This doesn’t make much sense. There is nothing special about the iPhone that would stop it from connecting to the internet. As a test, try temporarily disabling wireless security (re-enable it afterwards) and see whether the phone can connect. If that doesn’t work, you can also reset the network settings on the iPhone. There are also a few network utilities you could try: get one and see if you can ping your router, then try to ping google.com.

I quickly glanced over your config and nothing stood out to me. But it is very strange that a computer would work while an iPhone won’t.

Hi, thanks for your reply.

I’ve tested it: before the “PPPoE passthrough” setup I had the MikroTik configured as a bridge between wlan1 and ether1 and my ISP router did the NAT. With otherwise the same config (WPA security, DHCP server, DNS, etc.) the iPhone worked correctly, but when the MikroTik does the NAT it doesn’t.

I also have a network tool installed on my iPhone: I can ping the AP (192.168.2.1), do NS lookups, traceroute… I don’t know where to look.

/ip pool
add name=dhcp_pool1 ranges=192.168.2.10-192.168.2.254

/ip dhcp-server
add add-arp=yes address-pool=pool2 address-pool6=test always-broadcast=yes \
    authoritative=yes disabled=no interface=wlan1 lease-time=3d name=\
    ServerDeluxe

You have dhcp-server using “pool2”, but you don’t actually have a “pool2”. You have a “dhcp_pool1”.

With that config, the dhcp server can’t hand out any addresses.

Obviously your iPhone has an address since you can ping the AP, but that might be manual. Show us your full iPhone ipconfig: ip, gateway, mask, dns.

Sorry, I manually deleted some pools I was using before from the .rsc file; here is the new “cleaned” config:

/ip pool
# Corrected: the pool name now matches address-pool=home in the dhcp-server.
add name=home ranges=192.168.2.100-192.168.2.150
/ip dhcp-server
# address-pool6=test still refers to an IPv6 pool that is not shown in the
# export.
add add-arp=yes address-pool=home address-pool6=test always-broadcast=yes \
    authoritative=yes disabled=no interface=wlan1 lease-time=3d name=\
    ServerDeluxe

IP assigned on my iPhone:

Ping to AP

Traceroute to rediris.es





NS Lookup



I’m also seeing strange behaviour: I can browse Google sites (YouTube, search, etc.) but other websites (e.g. digg.com, rediris.es) don’t load.

Can I run another test, or log some traffic to see what is going on? I’m really lost here.

Email also works.

Ah, my RouterOS version is 5.8 and the iPhone is on iOS 4.3.2.

Are you using a proxy?

No, iphone settings are: “Use HTTP Proxy=NO”

Webproxy on RB433 disabled.

You are using PPPoE. In the pppoe-client interface, set max-mtu=1480 and max-mru=1480.

If they are above that, some websites will not work. (The symptom you describe — Google sites and e-mail work while other sites hang — is the classic path-MTU black hole: PPPoE already costs 8 bytes on top of the 1500-byte Ethernet MTU, which is why 1492 is the usual value, and if the path through your ISP is narrower than that, full-size TCP segments are dropped without an ICMP “fragmentation needed” making it back to the sender. Your ppp profile has change-tcp-mss=yes, which clamps the TCP MSS to the PPPoE link MTU, so lowering max-mtu/max-mru to 1480 also lowers that clamp to a size the real path can carry. If you want to verify rather than guess, a do-not-fragment ping of decreasing size from the router will show the largest packet that actually gets through.)

Really thanks jandafields!! now all websites are working correctly. I owe you a beer : )

No problem, glad to help!