WAN & LAN unable to communicate

Hello, I recently started to set up my home network. Due to my current ISP, ‘Vodafone’, I am unable to use my own router. I have set up static NAT/DMZ on the ISP router and pointed it at the internal IP address 10.0.10.2, which is the statically assigned address on my MikroTik's WAN port.

On the mikrotik I can ping the WAN port, VF router and out to the internet.

I am also able to ping my local network of - 10.0.20.10.

However, when I connect my PC to the HP switch, which connects to port 3 on the MikroTik, it is unable to ping past the local network's gateway address.

Below is my current Mikrotik config and HP switch config.

# RouterOS configuration export as posted. The menu path for the first three
# `set` lines is not part of the paste; they rename ether1/2/3 to
# wan / ether2-master / link-to-hp.
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] name=link-to-hp
set [ find default-name=ether1 ] name=wan
/ip neighbor discovery
# Neighbor discovery is turned off on the WAN side only.
set wan discover=no
/interface vlan
# VLAN 20 is carried tagged on the link to the HP switch.
add interface=link-to-hp name=internet-vlan vlan-id=20
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# NOTE(review): this pool starts at 10.0.20.10, which is also the address
# assigned to internet-vlan under /ip address below, so the router's own
# address sits inside the lease range.
add name=internet-pool ranges=10.0.20.10-10.0.20.253
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master name=defconf
add address-pool=internet-pool disabled=no interface=internet-vlan lease-time=1d name=internet-dhcp-server
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
add address=10.0.20.10/24 interface=internet-vlan network=10.0.20.0
add address=10.0.10.2/24 interface=wan network=10.0.10.0
/ip dhcp-server network
# NOTE(review): clients on 10.0.20.0/24 are handed 10.0.20.1 as gateway and
# DNS server, but no interface in this export holds 10.0.20.1 (internet-vlan
# is 10.0.20.10). Unless another device owns .1, leased clients have no
# working next hop - confirm which address is intended.
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. No input rule in this export limits port 53 on the wan interface, and
# per the post the ISP router forwards inbound traffic (static NAT/DMZ) to
# 10.0.10.2, so the resolver may be reachable from the Internet. No upstream
# servers= are set here either.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
# None of the filter rules below sets action=, and RouterOS defaults a filter
# rule's action to accept. There is also no drop rule in either chain, so as
# exported this filter does not block anything: input to the router and
# forwarding through it are open from every interface, wan included. A
# restrictive setup would end each chain with an explicit drop after the
# established/related accepts.
add chain=forward dst-address=10.0.10.0/24 src-address=10.0.20.0/24
add chain=forward dst-address=10.0.20.0/24 src-address=10.0.10.0/24
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=forward connection-state=established
add chain=forward connection-state=related
/ip firewall nat
# NOTE(review): the NAT table's built-in chains are srcnat and dstnat. The two
# chain=forward rules below presumably land in a custom chain named "forward"
# that nothing jumps to, so they likely have no effect - confirm and remove.
add chain=forward dst-address=10.0.20.0/24 src-address=10.0.10.0/24
add chain=forward dst-address=10.0.10.0/24 src-address=10.0.20.0/24
# The second masquerade rule matches everything leaving via wan, which already
# covers the first one (same out-interface, narrower source).
add action=masquerade chain=srcnat out-interface=wan src-address=10.0.20.0/24
add action=masquerade chain=srcnat out-interface=wan
# The next three rules have no out-interface, so they masquerade traffic from
# these subnets on whichever interface it leaves, including traffic routed
# between the local networks. 10.0.30.0/24 is not assigned to any interface in
# this export.
add action=masquerade chain=srcnat src-address=192.168.88.0/24
add action=masquerade chain=srcnat src-address=10.0.20.0/24
add action=masquerade chain=srcnat src-address=10.0.30.0/24
/ip route
# Default route via the ISP router on the wan subnet.
add distance=1 gateway=10.0.10.1
/system clock
set time-zone-name=Europe/London
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set wan disabled=yes display-time=5s
set ether2-master disabled=yes display-time=5s
set link-to-hp disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set internet-vlan disabled=yes display-time=5s
/system logging
set 3 action=disk
/tool mac-server
# The default MAC-server entry is disabled and a single entry for
# ether2-master is added, so MAC-level management is offered on that
# interface only (same pattern for mac-winbox below).
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool user-manager database
set db-path=user-manager


HP Switch config

; HP ProCurve 2610-24 switch configuration as posted (the typographic quotes
; come from the forum rendering). Port 26 is the uplink to the MikroTik.
hostname “ProCurve Switch 2610-24”
interface 26
name “uplink-mikrotik”
exit
; NOTE(review): the switch's default gateway is 10.0.20.1, while the MikroTik
; export in this post assigns 10.0.20.10 to its VLAN 20 interface - confirm
; which address the router is meant to hold.
ip default-gateway 10.0.20.1
; The default community string "public" is configured with Unrestricted
; (read-write) access, so any host that can reach the switch's management
; addresses can read and change settings over SNMP. Use a non-default
; community with Restricted access, or remove SNMP if it is not needed.
snmp-server community “public” Unrestricted
; VLAN 1 stays untagged on 26-28 and carries the switch address 192.168.1.2.
vlan 1
name “DEFAULT_VLAN”
untagged 26-28
ip address 192.168.1.2 255.255.255.0
no untagged 1-25
exit
; NOTE(review): the VLAN name suggests telnet is used for fallback management;
; telnet is cleartext - confirm, and prefer SSH if the switch is managed here.
vlan 10
name “backup-telnet”
untagged 25
ip address 192.168.2.10 255.255.255.0
exit
; VLAN 20 is untagged on the odd access ports and tagged on uplink port 26,
; matching vlan-id=20 on the MikroTik's link-to-hp interface.
vlan 20
name “internet”
untagged 1,3,5,7,9,11
ip address dhcp-bootp
tagged 26
exit
; VLAN 30 is tagged on port 25 only, not on uplink port 26, so it does not
; reach the MikroTik over that link.
vlan 30
name “management”
untagged 2,4,6,8,10,12-24
ip address dhcp-bootp
tagged 25
exit

Hopefully it's something simple that I just can’t see haha.

Thanks,

Any advice?

/ip add
@MikroTik] > /ip add pr
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; defconf
192.168.88.1/24 192.168.88.0 ether2-master
1 10.0.20.10/24 10.0.20.0 internet-vlan
2 10.0.10.2/24 10.0.10.0 wan

/ip route
@MikroTik] > /ip route pr de
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=10.0.10.1 gateway-status=10.0.10.1 reachable via wan distance=1 scope=30
target-scope=10

1 ADC dst-address=10.0.10.0/24 pref-src=10.0.10.2 gateway=wan gateway-status=wan reachable distance=0
scope=10

2 ADC dst-address=10.0.20.0/24 pref-src=10.0.20.10 gateway=internet-vlan
gateway-status=internet-vlan reachable distance=0 scope=10

3 DC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether2-master
gateway-status=ether2-master unreachable distance=255 scope=10

/ip int

NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS

0 ether2-master ether 1500 1598 4074 00:0C:42:D7:B7:5B
1 ether4 ether 1500 1598 4074 00:0C:42:D7:B7:5D
2 ether5 ether 1500 1598 4074 00:0C:42:D7:B7:5E
3 R link-to-hp ether 1500 1598 4074 00:0C:42:D7:B7:5C
4 R wan ether 1500 1598 4074 00:0C:42:D7:B7:5A
5 R internet-vlan vlan

/int van
@MikroTik] > /int vlan pr detail
Flags: X - disabled, R - running, S - slave
0 R name="internet-vlan" mtu=1500 l2mtu=1594 mac-address=00:0C:42:D7:B7:5C arp=enabled vlan-id=20
interface=link-to-hp use-service-tag=no

Hp switch
; Excerpt of the HP switch configuration (uplink port, VLAN 1 and VLAN 20).
interface 26
name "uplink-mikrotik"
exit
; NOTE(review): default gateway is 10.0.20.1, but the /ip address output in
; this reply shows the router's VLAN 20 interface as 10.0.20.10/24 - confirm
; which address the gateway should be.
ip default-gateway 10.0.20.1
vlan 1
name "DEFAULT_VLAN"
untagged 26-28
ip address 192.168.1.2 255.255.255.0
no untagged 1-25
exit
; VLAN 20: untagged on the odd access ports, tagged on uplink port 26.
vlan 20
name "internet"
untagged 1,3,5,7,9,11
ip address dhcp-bootp
tagged 26
exit

You are trying to ping FQDNs, right?
Can you ping 8.8.8.8 for example?

You’re missing DNS servers - your router simply doesn’t know where to resolve.

Try this:

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

-Chris

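If you are allowing remote requests, be sure to add drop rules for TCP/UDP port 53 on the WAN port. Otherwise the router answers DNS queries from anyone who can reach that port, which makes it an open resolver that can be abused for DNS amplification.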