What's wrong in this config? No LAN-2-WAN connection...

wiggammy · June 24, 2014, 6:36am

I'm really stuck with my RB2011. Been trying to get it up and running for a couple of days now, with no luck. From my RB I can ping sites on the internet and on my LAN, but from a pc on the local LAN I can't ping anything outside the LAN. Any help would be greatly appreciated.

jun/24/2014 08:32:37 by RouterOS 6.13

software id = N34L-G850

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no l2mtu=1598 name=bridge-local
/interface ethernet
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] name=ether10_ISP poe-out=off rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp1 ] name=sfp1-gateway
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=netherlands disabled=no distance=indoors frequency=2422 frequency-mode=
regulatory-domain l2mtu=2290 mode=ap-bridge ssid=xxxxxxxxxxx
/ip neighbor discovery
set ether1 discover=no
set sfp1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=
tkip,aes-ccm
/ip dhcp-server
add interface=bridge-local lease-time=10m name=default
add disabled=no interface=bridge-local name=rbrd01 relay=192.168.1.251
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether1
/ip address
add address=88.89.90.91/23 comment=ISP interface=ether10_ISP network=88.89.90.0
add address=192.168.1.252/24 comment=LAN interface=bridge-local network=192.168.1.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 disabled=yes name=router
add address=192.168.1.251 disabled=yes name=rbrd01
/ip firewall filter
add chain=input comment="Allow LAN access to router and Internet" connection-state=new
add chain=input comment="Allow established connections" connection-state=established
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
add chain=input comment="Allow management from 192.168.1.0/24" in-interface=bridge-local src-address=192.168.1.0/24
add action=log chain=input log-prefix="DROP: "
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=drop chain=forward comment="Allow established connections" connection-state=invalid disabled=yes protocol=tcp
add chain=forward comment="Allow related connections" connection-state=related protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=sfp1-gateway
add action=masquerade chain=scrnat disabled=yes out-interface=ether10_ISP
/ip route
add distance=1 gateway=88.89.91.254
/ip upnp
set allow-disable-external-interface=no
/lcd
set backlight-timeout=5m default-screen=informative-slideshow
/lcd interface
set sfp1-gateway interface=sfp1-gateway
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6-master-local interface=ether6-master-local
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10_ISP interface=ether10_ISP
set wlan1 interface=wlan1
/lcd interface pages
set 0 interfaces=sfp1-gateway,ether1,ether2,ether3,ether4,ether5,ether6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10_ISP,wlan1
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=rbrd01
/system logging
add action=disk topics=firewall
/system ntp client
set enabled=yes mode=unicast primary-ntp=83.98.201.133 secondary-ntp=94.228.40.3
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10_ISP
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10_ISP
add interface=wlan1
add interface=bridge-local

cdiedrich · June 25, 2014, 10:10am

Enable your second masquerade NAT rule /ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration” disabled=yes out-interface=sfp1-gateway
add action=masquerade chain=scrnat disabled=yes out-interface=ether10_ISP ##—ENABLE ME----Chris

wiggammy · June 25, 2014, 12:54pm

Hi Chris,

Thanks for your quick reply, but still no luck…

5nik · June 25, 2014, 9:06pm

Which IP has your computer? Static or dynamic? Because your RB hasn’t DHCP server properly configured.

5nik · June 25, 2014, 9:17pm

Little advice: I see, you have static WAN IP. It is better to use snat instead of masquerade. In some cases masquerade may not work as you expect.

wiggammy · June 26, 2014, 7:03pm

Hi 5nik, thanks 4 your reply. I tried changing maquerade to src-nat/dst-nat, but still the issue remains the same.

From my laptop I can ping the RB, but not to 8.8.8.8, from the RB I can ping my laptop and 8.8.8.8

So I think either there’s something wrong/misconfigured or there’s a hw failure (but this seems a bit strange)

Any1 else got any idea perhaps?

5nik · June 26, 2014, 7:45pm

Can you please post your network config on laptop? (ip/mask/default route?)
You can always do factory-reset and configure RB again from zero. In some cases, it helped for me.

wiggammy · June 26, 2014, 9:26pm

laptop: 192.168.1.1 / 255.255.255.0 / 192.168.1.252
RB: 192.168.1.252 / 255.255.255.0

5nik · June 26, 2014, 9:40pm

Thank you. Everything looks good configured. Did you try factory reset and set RB again? You can try newer ROS too (latest is 6.15).

Tet · June 26, 2014, 9:44pm

What’s wrong

Disable all firewall filter rules (for testing purposes) and ping from laptop to inet should start running.

wiggammy · June 30, 2014, 1:51pm

Hi Guys,

Nothing seems to work, unfortunately. As far as my knowledge goes, I can only pinpoint the problem(s) down to the firewall, but I’m still not really convinced. I’ve posted the latest config here. Can you please take another look and help me.

/interface bridge
add l2mtu=1598 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no l2mtu=2290 mode=ap-bridge ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=sfp1
/ip address
add address=192.168.1.252/24 interface=bridge1 network=192.168.61.0
add address=88.15.16.19/23 comment=ISP interface=ether1 network=88.15.16.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip firewall filter
add action=drop chain=input comment=“default configuration” in-interface=ether1
add chain=forward comment=“default configuration” connection-state=established
add chain=forward comment=“default configuration” connection-state=related
add action=drop chain=forward comment=“default configuration” connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat dst-address=88.15.16.0/23 to-addresses=192.168.1.0/24
add action=netmap chain=srcnat src-address=192.168.1.0/24 to-addresses=88.15.16.0/23
/ip upnp
set allow-disable-external-interface=no
/lcd interface
set sfp1 interface=sfp1
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10
set wlan1 interface=wlan1
/system clock
set time-zone-name=Europe/Amsterdam
/system clock manual
set time-zone=+01:00
/system identity
set name=VDRBRD01
/system ntp client
set enabled=yes primary-ntp=213.239.154.12
/tool mac-server
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=ether10
add interface=sfp1
add interface=wlan1
add
/tool mac-server mac-winbox
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=ether10
add interface=sfp1
add interface=wlan1
add

5nik · June 30, 2014, 7:31pm

Ok, for internet working behind router, you need configured on router:

WAN IP - you have static IP: 88.15.16.19/23 /ip address add address=88.15.16.19/23 comment=ISP interface=ether1 network=88.15.16.0 You can delete/disable dhcp client
LAN IP - you have static IP: 192.168.1.252/24, but with incorrect network address: 192.168.61.0 (if it isn’t typing error). Correct network address, result: /ip address add address=192.168.1.252/24 interface=bridge1 network=192.168.1.0
Default route - in your last configuration isn’t default route. Add it:/ip route add add distance=1 gateway=88.89.91.254
Source NAT: /ip firewall nat add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.1.0/24 to-addresses=88.15.16.19

Please disable all others firewall rules and settings.
Set on computer static network configuration: IP:192.168.1.x / 255.255.255.0, GW: 192.168.1.252, DNS: 8.8.8.8. In the cmd try:

ping 192.168.1.252
ping 88.15.16.19
ping 88.89.91.254
ping 8.8.8.8
ping http://www.google.com

If you successfully ping Google, internet should work.