I am new to RouterOS. My issue is that my users are not able to access internet. The PPPoE is connected to the PPOE interface, the LAN users are on the LAN interface. A dhcp has been created with LAN interface as 192.168.1.254, the same being the gateway also. PPPoE is connected and I have received IP from the dhcp server on the user workstation, however unable to reach any web page.
Are you masquerading traffic from the private LAN as it exits the WAN PPPoE interface?
I have not applied any NAT as of now. How would I have to go about inorder to masquerade the traffic.
You would add a src nat rule in Ip / Firewall to masquerade traffic where the relevant interface is the out interface.
However it is possible that your router is currently wide open with no firewall functional so you should probably have a look at something like:
The ping still gives time-out even after adding the nat.
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=172.18.0.240/24 network=172.18.0.0 interface=Monitor
actual-interface=Monitor
1 address=192.168.1.254/24 network=192.168.1.0 interface=LAN
actual-interface=LAN
2 D address=94.96.6.25/32 network=84.235.124.4 interface=STC
actual-interface=STC
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=STC gateway-status=STC reachable
distance=1 scope=30 target-scope=10
1 DS dst-address=0.0.0.0/0 gateway=84.235.124.4
gateway-status=84.235.124.4 reachable via STC distance=1 scope=30
target-scope=10
2 ADC dst-address=84.235.124.4/32 pref-src=94.96.6.25 gateway=STC
gateway-status=STC reachable distance=0 scope=10
3 ADC dst-address=172.18.0.0/24 pref-src=172.18.
gateway-status=Monitor reachable distance=
4 ADC dst-address=192.168.1.0/24 pref-src=192.16
gateway-status=LAN reachable distance=0 sc
5 A S dst-address=192.168.1.254/32 gateway=PPOE
distance=1 scope=30 target-scope=10
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S -
# NAME TYPE
0 R PPOE ether
1 R LAN ether
2 R Monitor ether
3 R STC pppoe-out
[admin@MikroTik] > /ip firewall export
# jun/12/2012 19:21:18 by RouterOS 5.17
# software id = 2EXE-KC7U
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=1
tcp-close-wait-timeout=10s tcp-established-tim
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=
tcp-syn-received-timeout=5s tcp-syn-sent-timeo
tcp-time-wait-timeout=10s udp-stream-timeout=3
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-med
set pptp disabled=no
The lines were truncated so it is hard to see the full picture.
In addition, the following entry looks rather odd:
2 D address=94.96.6.25/32 network=84.235.124.4 interface=STC
actual-interface=STC
What is the router connected to on the WAN side? A DSL router in bridge mode? The entry above seems inconsistent with what was in the earlier screen shots.
STC is the pppoe. The DSL router is in bridge mode. The router is an ADSL modem, Airlive. That is a dynamic IP assigned by provider.
Try a trace route from a workstation to say 8.8.8.8 and see how far the traffic is getting,
There is a device at 94.96.6.25 claiming to be a TD-W8901G which seems to be a TP Link product. Are we sure that these are the most current IPs?
Since this is a pppoe connection, that was the dynamic IP the ISP had assigned at that time. It has changed as of now.
Please post /export compact
Apologies for the delay in posting a reply.
However I feel that it’s a case of routing issue where the route from LAN is not being forwarded to the PPPOE interface. Here is a traceroute from the workstation.
C:\Users\NetAdmin>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\NetAdmin>tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.1.254
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
C:\Users\NetAdmin>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : NetAdminPC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Peer-Peer
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetLink (TM) Fast Ethernet
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.67(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, June 29, 2012 6:50:38 PM
Lease Expires . . . . . . . . . . : Monday, July 02, 2012 6:50:37 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled
[admin@MikroTik] > /export compact
# jun/29/2012 18:42:39 by RouterOS 5.17
# software id = 2EXE-KC7U
#
/interface ethernet
set 0 name=PPOE speed=1Gbps
set 1 name=LAN speed=1Gbps
set 2 name=Monitor
/interface pppoe-client
add add-default-route=yes disabled=no interface=PPOE name=STC password=xxxx \
use-peer-dns=yes user=xxxxx@xxx.xx.xx
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=dhcp_pool1 ranges=192.168.1.25-192.168.1.253
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN name=LH
/ip address
add address=172.18.0.240/24 interface=Monitor
add address=192.168.1.254/24 interface=LAN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=xx.xx.xx.xx,xx.xx.xx.xx
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPOE
/ip route
add distance=1 dst-address=192.168.1.254/32 gateway=PPOE
/ip service
set www-ssl disabled=no
set api disabled=no
#error
#error
#error
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set STC disabled=yes display-time=5s
set Monitor disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
set PPOE disabled=yes display-time=5s
/tool e-mail
set starttls=no
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin parent=admin password="" \
paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
permissions=owner signup-allowed=no time-zone=-00:00
The range 192.168.1.0/24 is on the LAN interface so why is there this address assignment:
/ip route
add distance=1 dst-address=192.168.1.254/32 gateway=PPOE?
Well, I’m not too sure why I gave that 
Lemme change and see
I removed the route and yet there is no internet for the clients
[admin@MikroTik] > /export compact
# jul/05/2012 19:36:02 by RouterOS 5.17
# software id = 2EXE-KC7U
#
/interface ethernet
set 0 name=PPPoE speed=1Gbps
set 1 name=LAN speed=1Gbps
set 2 name=Monitor
/interface pppoe-client
add add-default-route=yes disabled=no interface=PPPoE name=STC password=xxx \
user=xxxxxxxx@xx.xx
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=dhcp_pool1 ranges=192.168.1.25-192.168.1.253
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN name=LH
/ip address
add address=172.18.0.240/24 interface=Monitor
add address=192.168.1.254/24 interface=LAN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=xx.xx.xx.xx,xx.xx.xx.xx
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE src-address=\
192.168.1.0/24
/ip service
set www-ssl disabled=no
set api disabled=no
#error
#error
#error
/system gps
set set-system-time=no
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set STC disabled=yes display-time=5s
set Monitor disabled=yes display-time=5s
set LAN disabled=yes display-time=5s
set PPPoE disabled=yes display-time=5s
/tool e-mail
set starttls=no
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin parent=admin password="" \
paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
permissions=owner signup-allowed=no time-zone=-00:00
[admin@MikroTik] > ping 8.8.8.8
HOST SIZE TTL TIME STATUS
8.8.8.8 56 45 107ms
8.8.8.8 56 45 107ms
8.8.8.8 56 45 108ms
8.8.8.8 56 45 106ms
8.8.8.8 56 45 106ms
8.8.8.8 56 45 107ms
8.8.8.8 56 45 106ms
8.8.8.8 56 45 105ms
8.8.8.8 56 45 108ms
8.8.8.8 56 45 107ms
8.8.8.8 56 45 108ms
8.8.8.8 56 45 108ms
sent=12 received=12 packet-loss=0% min-rtt=105ms avg-rtt=106ms
max-rtt=108ms
[admin@MikroTik] > ping 8.8.8.8 src-address=192.168.1.254
HOST SIZE TTL TIME STATUS
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
8.8.8.8 timeout
sent=12 received=0 packet-loss=100%
[admin@MikroTik] > ping 192.168.1.253
HOST SIZE TTL TIME STATUS
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
sent=6 received=6 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
[admin@MikroTik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP
0 R PPPoE 1500 00:0F:FE:21:B1:4E enabled
1 R LAN 1500 00:08:54:A5:C7:2E enabled
2 R Monitor 1500 00:08:54:A5:C7:30 enabled
[admin@MikroTik] > ip address
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 172.18.0.240/24 172.18.0.0 Monitor
1 192.168.1.254/24 192.168.1.0 LAN
2 D 94.99.168.76/32 xx.xx.xx.x STC
[admin@MikroTik] > ping 192.168.1.253 src-address=94.99.168.76
HOST SIZE TTL TIME STATUS
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
192.168.1.253 56 128 0ms
sent=6 received=6 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
From the workstation
C:\Users\NetAdmin>ipconfig
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.253
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
C:\Users\NetAdmin>tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.1.254
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
C:\Users\NetAdmin>tracert 94.99.168.76
Tracing route to 94.99.168.76 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 94.99.168.76
Trace complete.
C:\Users\NetAdmin>tracert 4.2.2.2
Tracing route to vnsc-bak.sys.gtei.net [4.2.2.2]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.1.254
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
C:\Users\NetAdmin>ping 94.99.168.76
Pinging 94.99.168.76 with 32 bytes of data:
Reply from 94.99.168.76: bytes=32 time<1ms TTL=64
Reply from 94.99.168.76: bytes=32 time<1ms TTL=64
Reply from 94.99.168.76: bytes=32 time<1ms TTL=64
Ping statistics for 94.99.168.76:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
I’m really lost with this 
I even have a key and I’m not able to activate the license either.
Isn’t your default gateway 192.168.1.254? Why don’t I see that route?
/ip route
add gateway=192.168.1.254
Or is it on the STC interface?
Yes, the default gateway for my LAN is 192.168.1.254. Let me add the route and see the output
Added
/ip route
distance=1 add gateway=192.168.1.254
It only showed the ip unreachable. But I believe to what you asked as whether it is on the STC interface, the answer might be yes for that as add default route is checked in the PPPoE setting.
can you post your NAT settings?
i know mine wouldn’t work unless i added
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=STC
Thanks dboillot.
I had the firewall as this before
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=PPPoE \
src-address=192.168.1.0/24
changed it to
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=STC
All issues solved. Thank you all for helping me.