Unable to Connect to Other Device within the same LAN

Hi everyone,

I am a new Mikrotik user, and am trying to set up the router to replace an existing old router.
I am able to have the DHCP Server running, and provide IP address to connected devices (both through Wi-Fi and LAN).
I have one Server with a Static IP Address.

With this setup:

  1. From Mikrotik, I can PING my server just fine
  2. From Mikrotik, I cannot PING my other devices, which the DHCP Server has provided the IP.
  3. From PC, I cannot connect to my server (PING is not working as well).

The export configuration is as per below:

# jan/02/1970 05:09:34 by RouterOS 6.44.6
# software id = RSJ3-2NEC
#
# model = RB4011iGS+5HacQ2HnD

/interface bridge
add name=LAN-A7F11
add name=WAN-FM
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=WiFi-Sec supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac country=indonesia disabled=no frequency=auto mode=ap-bridge security-profile=WiFi-Sec ssid=Ad-Hoc_ID-5G
set [ find default-name=wlan2 ] band=2ghz-b/g/n country=indonesia disabled=no frequency=auto mode=ap-bridge security-profile=WiFi-Sec ssid=Ad-Hoc_ID-2.4G
/ip pool
add name=LAN-A7F11 ranges=10.7.8.100-10.7.8.150
/ip dhcp-server
add add-arp=yes address-pool=LAN-A7F11 always-broadcast=yes disabled=no interface=LAN-A7F11 lease-time=3h name=DHCP-A7F11
/interface bridge port
add bridge=WAN-FM interface=ether1
add bridge=LAN-A7F11 interface=wlan2
add bridge=LAN-A7F11 interface=wlan1
add bridge=LAN-A7F11 interface=ether6
add bridge=LAN-A7F11 interface=ether7
add bridge=LAN-A7F11 interface=ether8
add bridge=LAN-A7F11 interface=ether9
add bridge=LAN-A7F11 interface=ether10
add bridge=LAN-A7F11 interface=ether5
add bridge=LAN-A7F11 interface=ether4
add bridge=LAN-A7F11 interface=ether3
add bridge=LAN-A7F11 interface=ether2
add bridge=WAN-FM interface=sfp-sfpplus1
/ip address
add address=10.7.8.0/24 interface=LAN-A7F11 network=10.7.8.0
add address=10.7.8.2 interface=ether5 network=10.7.8.2
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN-FM
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
add address=10.7.8.0/24 dns-server=10.7.8.1 gateway=10.7.8.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,208.67.222.222,208.67.222.220
/ip firewall filter
add action=accept chain=forward in-interface=LAN-A7F11 log=yes out-interface=LAN-A7F11
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-FM
/ip route rule
add action=lookup-only-in-table dst-address=10.7.8.0/24 table=main
/ip service
set telnet address=10.7.8.0/24 disabled=yes
set ftp disabled=yes
set www address=10.7.8.0/24 port=8080
set ssh address=10.7.8.0/24
set api disabled=yes
set winbox address=10.7.8.0/24
set api-ssl disabled=yes
/system identity
set name=Ad-Hoc_ID
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive

Please advise what I should do so that ALL devices within the LAN could communicate with each other normally.

Currently, there is no internet going through the Mikrotik due to a problem with the ISP’s modem.
Though, I would like to have your advice, so that once I have solved the issue with my ISP, I could have internet connection as well via the Mikrotik router with the above configuration.

Thank you.

A short version: reset to factory defaults and only make minor changes which you fully understand. The main problem is wrong setting of LAN IP address, but while trying to make pig fly, you managed to make config fubar.

A longer version:

There are a few serious errors in your config:

/ip address
add address=10.7.8.0/24 interface=LAN-A7F11 network=10.7.8.0
add address=10.7.8.2 interface=ether5 network=10.7.8.2

The first line is wrong because a device must not have IP address which is network address (or broadcast address). If a netmask is /24, then x.y.z.0 is network address. Change that to e.g. 10.7.8.1 (but make sure that address is not used by some other device). BTW, that same address is configured as default gateway in DHCP server settings.

The second line doesn’t make any sense due to 2 reasons: 1) you’re setting address to interface which is member of bridge and that should not be done and 2) you’re implicitly setting a /32 network which is only usable in a point-to-point connection. Get rid of the second line.

Currently your router has no firewall configured. I strongly suggest to restore the default before the ISP modem gets fixed. You can always see the defaults by executing /system default-configuration print (make sure the terminal window is wide enough or else config lines get simply truncated). There are some changes to /ip service and those are best reverted to defaults as well.

Get rid of /ip route rule, you don’t need that.

A word of caution: setting

/ip dhcp-server config
set store-leases-disk=immediately

means many writes to internal flash disk which will shorten its life. One can not replace flash disk just like that because it stores ROS license. Setting this parameter to a few hours (I believe 12 hours is default) is likely much healthier.
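The address and firewall errors listed in the reply above can be checked mechanically in an exported configuration. The following Python lint is an added example, not part of the original thread or any MikroTik tool; the function names and finding labels are assumptions, and the sample export is constructed from the relevant lines of the first configuration posted.

```python
import ipaddress
import re

# Constructed sample: relevant sections of the first export posted in this thread.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=LAN-A7F11 interface=ether5
/ip address
add address=10.7.8.0/24 interface=LAN-A7F11 network=10.7.8.0
add address=10.7.8.2 interface=ether5 network=10.7.8.2
/ip firewall filter
add action=accept chain=forward in-interface=LAN-A7F11 log=yes out-interface=LAN-A7F11
"""

def parse_export(text):
    """Return {section path: [parameter dict per 'add' line]}."""
    sections, current = {}, None
    # Exports wrap long lines with a trailing backslash; rejoin them first.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append(dict(re.findall(r'(\S+?)=("[^"]*"|\S*)', line)))
    return sections

def audit(text):
    """Hypothetical lint: return (subject, finding) tuples for the errors named above."""
    s = parse_export(text)
    bridge_ports = {p["interface"] for p in s.get("/interface bridge port", [])}
    findings = []
    for a in s.get("/ip address", []):
        addr, ifname = a["address"], a["interface"]
        net = ipaddress.ip_interface(addr)  # a bare address parses as /32
        if "/" not in addr:
            findings.append((ifname, "no-prefix-implies-/32"))
        elif net.network.prefixlen < 31 and net.ip in (
                net.network.network_address, net.network.broadcast_address):
            findings.append((ifname, "network-or-broadcast-address"))
        if ifname in bridge_ports:
            findings.append((ifname, "address-on-bridge-port"))
    rules = s.get("/ip firewall filter", [])
    if not any(r.get("chain") == "input" and r.get("action") == "drop" for r in rules):
        findings.append(("router", "input-chain-has-no-drop-rule"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```
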

How does someone with no experience decide they have the requisite knowledge to remove all firewall rules etc etc…

Do we need a firewall @anav ? :laughing:

Not if one is connecting to sensitive work files and servers or doing banking or buying selling bitcoin etc…
Maybe to protect my art work…

I mean, I am still half a boob when it comes to configuring these picky picky beasts but even when brand new, my problem was adding too many rules, and didn't dare remove any.

@mkx

Thanks for the advice.
I was just following a guidance in Youtube on “Basic Configuration on Mikrotik”.

I have reset to factory defaults, and modify the IP allocations to match my previous setup as well as added-in WiFi security rules.
The issues with ISP is resolved as well (they changed the modem).

Everything is working fine (including WiFi 2.4 Ghz), except the WiFi 5 GHz. It is not showing up in ALL devices.
Appreciate to have your further advice so that I could have the WiFi 5 GHz working.

Thank you.

Current configuration is as below:

# apr/12/2020 15:26:19 by RouterOS 6.44.6
# software id = RSJ3-2NEC
#
# model = RB4011iGS+5HacQ2HnD
/interface bridge
add admin-mac=C4:AD:34:DB:A7:78 auto-mac=no comment=defconf name=LAN-A7F11
add admin-mac=C4:AD:34:DB:A7:77 auto-mac=no name=WAN-FM
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=WiFi-Sec supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge security-profile=WiFi-Sec ssid=Ad-Hoc_ID-5G wds-default-bridge=\
    LAN-A7F11 wds-mode=dynamic wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=indonesia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge security-profile=WiFi-Sec ssid=Ad-Hoc_ID-2.4G \
    wireless-protocol=802.11
/ip pool
add name=Pool-DHCP-A7F11 ranges=10.7.8.100-10.7.8.150
/ip dhcp-server
add address-pool=Pool-DHCP-A7F11 disabled=no interface=LAN-A7F11 name=\
    DHCP-LAN-A7F11
/interface bridge port
add bridge=LAN-A7F11 comment=defconf interface=ether2
add bridge=LAN-A7F11 comment=defconf interface=ether3
add bridge=LAN-A7F11 comment=defconf interface=ether4
add bridge=LAN-A7F11 comment=defconf interface=ether5
add bridge=LAN-A7F11 comment=defconf interface=ether6
add bridge=LAN-A7F11 comment=defconf interface=ether7
add bridge=LAN-A7F11 comment=defconf interface=ether8
add bridge=LAN-A7F11 comment=defconf interface=ether9
add bridge=LAN-A7F11 comment=defconf interface=ether10
add bridge=LAN-A7F11 comment=defconf interface=wlan1
add bridge=LAN-A7F11 comment=defconf interface=wlan2
add bridge=WAN-FM comment=defconf interface=ether1
add bridge=LAN-A7F11 comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=LAN-A7F11 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.7.8.1/24 comment=defconf interface=LAN-A7F11 network=10.7.8.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN-FM
/ip dhcp-server network
add address=10.7.8.0/24 gateway=10.7.8.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface=WAN-FM

Regarding the 5GHz wireless: verify settings of frequency-mode= and country=, they should be set to regulatory-domain and your country respectively. Otherwise AP might be transmitting on frequency not allowed in your country and some of location-aware wireless clients might obey those regulations.[*] The other thing with 5GHz is DFS: when AP enters channel selection procedure, it might take tens of minutes to verify that channel under consideration isn’t used by some radar. During that time, AP doesn’t transmit at all.

[*] my personal experience is this: in our country 2.4GHz channel #13 is legal to use, but that’s not true universally. Since most 2.4GHz APs avoid it, I decided to configure my AP to use it.
Then my better half got a brand new LG G4 phone and initially it wouldn’t see the SSID. After a while I decided to install SIM card. After it registered to mobile network, it also immediately noticed SSID on channel #13. My theory is that after registering to the mobile network, phone determined the country it was in and adjusted limitations accordingly.

When a DFS channel is selected, the AP will scan for 60 seconds for radar signals in that frequency… After those 60 seconds, if a radar is detected, it will go to the next channel and if it is a DFS channel as well then it will be scanned again for 60 seconds and so on… When a frequency with no radar is detected then the AP will accept client associations…

Thanks @mkx and @zacharias for your advice.

I have tried to change the frequency-mode=Regulatory-Domain and country name into my country respectively. Though, it is still not showing up in ALL devices.
I will do some more study into the RouterOS, specific for the 5GHz wireless setup, so that I could make it work.

Thanks.

Make sure all of your devices actually support 5GHz Wlan …

Just a quick update.

The 5G WLAN issue has been solved.
It seems that the default configuration of the WLAN1 was locked to the lower frequencies (5.2 GHz) of the 5G band, and ALL the devices I have only support the upper frequencies (5.7-5.8 GHz) of the 5G band.
Just need to reset the wireless configuration for WLAN1, and re-configured it as per my needs.

Thank you all for your help and advice, and happy weekend.