For the last few days I have had a severe issue with a Windows Server machine that just won’t talk to the Internet consistently. It is a new installation on trusted and tested hardware and it worked a few days ago. At the time I was having some issues getting it to take a static IP, but managed to solve it by removing the entry from DHCP leases, adding it manually with MAC and Device ID, yet it will still not go outside my LAN. I guess it is a dangerous world after all.
I have done the usual OS troubleshooting, repairing, refreshing, clearing DNS and whatnot. There are no DNS or AD machines involved. Only the DNS from my ISP.
None of this seems to help:
ipconfig /renew
ipconfig /flushdns
or
netsh winsock reset
netsh int ip reset
This is the one:
add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee mac-address=E4:35:C8:7E:37:EE server=dhcp1
If you need more info or additional export, let me know, I am at a loss. LAN drivers are OK, connectivity is excellent, hardware tests with Intel PROSet done successfully. I have switched LAN port and that did not help, back and forth a couple of times, and updated the IP address and MAC accordingly…
Knowing Windows and having some experience with installations looking fine but still gone awry I am kinda ready to wipe the drives and install the OS anew, but before wasting those 10 hours, I figured I'd ask here.
About your question
I don’t know, it’s from the initial setup that was done with quickset I think… no one said anything about it before, I guess it can be removed safely?
I am very sorry for following the recommendations, tutorials and posts here on this forum. Considering that, how do I know yours is ok, if you say others is not?
Check my post history, I have ONLY implemented what others claim should be implemented.
This is the default firewall configuration on most devices:
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
So you can compare it with yours.
Now I see that you don’t even have the WAN/LAN lists defined.
Meh.
I didn’t even catch what @tdw caught above.
Is that also from forum advice? lol
And from the documentation Wiki. Yes I know too little about this shit to experiment. I never experiment, I am a standards and process guy and have been forever.
Regardless of which, are you saying that ONE device is losing Internet because of this? 'Cause I had no issues with any other that I am aware of.
Ah, no? There is no script inside the export, unless you have it hidden, and on RouterOS there is not a single function that can do this automatically…
Only you may have clicked “make static” on ip/arp, probably thinking it was the “make static” button on DHCP leases instead…
If setting a static address in the IP DHCP table also goes to the ARP table, sure then I understand why it happened. As for manually setting an ARP address in Webfig > IP > ARP, no. Never done it. Nor in Terminal, nor in WinBox, just to be clear.
According to the old manual: https://wiki.mikrotik.com/wiki/Manual:IP/ARP NO explanation as to what ARP is, only some examples of what it does, and I do not understand how that text is relevant in any part except for some, to me, obscure “machine addressing” from DHCP, but all DHCP entries are using MAC, so how that is different from regular IP DHCP addressing is beyond me.
According to the new manual: it’s down for maintenance.
Also made a ticket with same information to Mikrotik, ticket number SUP-83516, we have exchanged a bit of info, four days and 9 messages back and forth, but still no answer that helped me.
I got that answer here in the forum by TDW.
So I am happy that I posted, and glad that you guys are around.
I don’t want to bully, but it’s useless for you to insist.
Anything you export with “/export” is not dynamic,
adding DHCP leases manually or automatically does not create ANY STATIC rules in the ARP table.
The entries in the ARP table are exclusively dynamic (except if added manually or by script…)
and if the device with the static lease is turned off until the dynamic entry timeout, the ARP table does not have the respective entry.
Either you tried some weird scripts, or you put them in like I explained in my previous post.
Anyone on the forum can confirm this.
If you don't believe me, so be it, I have no way to prove you wrong that I know of. It's the first time ever, and ever is more than 30 years, that I have been accused of outright lying in a forum.
It seems to me that you are exaggerating a lot,
no one accused you of being a liar …
I too am wrong and have made far more serious mistakes without realizing it.
But that doesn’t mean I did it on purpose.
If I have offended you, forgive me, but I certainly did not accuse you of being a liar.
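
Added example, not part of any post in this thread: a check for the situation discussed above, where a static entry under IP > ARP disagrees with the static DHCP lease for the same address after the MAC was changed on the lease. It relies on the point made in the thread that /export contains only static configuration, so every /ip arp line it finds is a static entry; the sample export is constructed, with only the 192.168.1.10 lease line taken from the thread, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample export. The 192.168.1.10 lease is the one quoted in the
# thread; the stale ARP MAC (...:ED) and the other hosts are made up.
SAMPLE_EXPORT = r'''
/ip arp
add address=192.168.1.10 interface=bridge mac-address=E4:35:C8:7E:37:ED
add address=192.168.1.20 interface=bridge mac-address=AA:BB:CC:00:00:20
/ip dhcp-server lease
add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee \
    mac-address=E4:35:C8:7E:37:EE server=dhcp1
add address=192.168.1.20 mac-address=aa:bb:cc:00:00:20 server=dhcp1
add address=192.168.1.30 mac-address=AA:BB:CC:00:00:30 server=dhcp1
'''

def parse_export(text):
    """Return {menu_path: [{key: value}, ...]} for every 'add' line."""
    # /export wraps long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus.setdefault(current, []).append(dict(pairs))
    return menus

def arp_lease_conflicts(text):
    """Static ARP entries whose MAC disagrees with the lease for that IP."""
    menus = parse_export(text)
    leases = {e["address"]: e["mac-address"].upper()
              for e in menus.get("/ip dhcp-server lease", [])
              if "address" in e and "mac-address" in e}
    conflicts = []
    for entry in menus.get("/ip arp", []):
        ip, mac = entry.get("address"), entry.get("mac-address", "").upper()
        if ip in leases and leases[ip] != mac:
            conflicts.append((ip, mac, leases[ip]))
    return conflicts

if __name__ == "__main__":
    for ip, arp_mac, lease_mac in arp_lease_conflicts(SAMPLE_EXPORT):
        print(f"{ip}: static ARP {arp_mac} != DHCP lease {lease_mac}")
```

A host flagged here still gets its lease, but the router keeps sending its traffic to the old MAC, which matches the symptom of one machine having an address and no connectivity.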