jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Here is my last attempt - RB3011 - No Server outbound connection

Thu Oct 05, 2017 6:27 pm

Ok, sorry I have to come here and ask for help, but this is my last resort before I hang up the old college try at trying to run a home server.

Here is my setup
Image

I am confused about why I can see my server at my IP address (I see the Apache page) but when I try and run sudo apt-get update it says 101: Network is Unreachable.

I have racked my brain about this for the last 3 days and am about ready to give up!

Has anyone set up something similar to what I have done in the image? I have read just about every post, even hairpin NAT, everything, nothing seems to get my outbound connection to work! Can anyone take a look at my setup and tell me if there is a solution?

Thank You All!
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Fri Oct 06, 2017 2:04 am

Is there any other information you need from my end to help me find a solution?

Quick Set Configuration

Mode: Router

Internet: Port: SFP1

Address Acquisition: Automatic

IP Address: 111.222.111.22

Netmask: 255.255.248.0/21

Gateway: 111.222.111.2

Local Network: 111.222.111.22 (same as IP Address it appears)

Netmask: 255.0.0.0/8

DHCP Server: X (checked)

DHCP Server Range: 192.168.88.10-192.168.88.254

NAT: X (checked)

Interface List:

LAN - bridge

WAN - SFP1

Anything else you need from me to figure out why my server is not seeing out into the world?

Thanks for helping!
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Here is my last attempt - RB3011 - No Server outbound connection

Fri Oct 06, 2017 2:51 am

We can help you. Post your configs by running a New Terminal within the Winbox tool, /export compact hide-sensitive file=MyFile.rsc. Post the output here between the code tag.
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Fri Oct 06, 2017 3:17 am

# oct/04/2017 21:20:46 by RouterOS 6.40.3
# software id = UIR9-M60B
#
# model = RouterBOARD 3011UiAS
# serial number = 111111111111111
/interface bridge
add admin-mac=6C:11:6B:1D:11:11 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master_SERVER
set [ find default-name=ether3 ] master-port=ether2-master_SERVER name=\
    ether3-server-bind
set [ find default-name=ether4 ] master-port=ether2-master_SERVER name=\
    ether4-server-bind
set [ find default-name=ether5 ] master-port=ether2-master_SERVER name=\
    ether5-server-bind
set [ find default-name=ether6 ] name=ether6-master_SERVER2
set [ find default-name=ether7 ] master-port=ether6-master_SERVER2
set [ find default-name=ether8 ] master-port=ether6-master_SERVER2
set [ find default-name=ether9 ] master-port=ether6-master_SERVER2
set [ find default-name=ether10 ] master-port=ether6-master_SERVER2
set [ find default-name=sfp1 ] name=sfp1_WAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master_SERVER
add bridge=bridge comment=defconf interface=ether6-master_SERVER2
add bridge=bridge comment=defconf disabled=yes interface=sfp1_WAN
add bridge=bridge interface=ether1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1_WAN list=WAN
add comment="SERVER 1 LAN" disabled=yes interface=ether2-master_SERVER list=\
    LAN
add comment="SERVER 2 LAN" disabled=yes interface=ether6-master_SERVER2 list=\
    LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=104.231.157.22/8 interface=ether1 network=104.0.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1_WAN
/ip dhcp-server network
add address=104.0.0.0/8 gateway=104.231.157.22 netmask=8
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=104.231.157.22
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=104.231.157.22 list=my_ip_address
/ip firewall filter
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=none-dynamic chain=input comment="QUICK SCANNING" \
    connection-limit=100,32 disabled=yes limit=0,5:packet psd=21,3s,3,1 \
    src-address-type="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=input disabled=yes protocol=icmp reject-with=\
    icmp-network-unreachable src-address-list=port_scanners
add action=accept chain=forward comment=\
    "Accept connections from outside to port 80" disabled=yes dst-port=80 \
    in-interface=sfp1_WAN log=yes protocol=tcp
add action=accept chain=forward comment=\
    "Accept connections from outside to port 443" disabled=yes dst-port=443 \
    in-interface=sfp1_WAN log=yes protocol=tcp
add action=accept chain=input comment="Filter Rules" connection-state=\
    established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=bridge
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward out-interface=sfp1_WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward disabled=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=sfp1_WAN
add action=dst-nat chain=dstnat comment="Port 80 Open" dst-address=\
    !192.168.88.0/24 dst-address-type=local dst-port=80 log=yes protocol=tcp \
    to-addresses=192.168.88.248 to-ports=80
add action=masquerade chain=srcnat comment="Access WAN from Local LAN" \
    dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.88.0/24 \
    to-addresses=192.168.88.248 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp \
    src-address=192.168.88.248 to-addresses=104.231.157.26
add action=dst-nat chain=dstnat comment="443 Port Open" disabled=yes \
    dst-port=443 log=yes protocol=tcp to-addresses=192.168.88.248 to-ports=\
    443
add action=dst-nat chain=dstnat comment=SFTP dst-port=22 protocol=tcp \
    to-addresses=192.168.88.248 to-ports=22
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=HomeLab
/system script
add name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/interface ethernet\r\
    \nset 0 name=LAN\r\
    \nset 1 name=WAN"
add name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/interface bridge\r\
    \nadd name=bridge-wan"
add name=script3 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge port\r\
    \nadd interface=WAN bridge=bridge-wan\r\
    \nadd interface=LAN bridge=bridge-lan"
add name=script4 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge settings\r\
    \nset allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes\
    \_use-ip-firewall-for-vlan=yes"
add name=script5 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall address-list\r\
    \nadd address=104.231.157.22 list=my_ip_address"
add name=script6 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd chain=input comment=\"Allow access to router from known network\" sr\
    c-address-list=my_ip_address\r\
    \nadd action=drop chain=input comment=\"Disallow weird packets\" connectio\
    n-state=invalid\r\
    \nadd chain=input comment=\"Allow LAN access to router and Internet\" conn\
    ection-state=new in-interface=LAN\r\
    \nadd chain=input comment=\"Allow connections that originated from LAN\" c\
    onnection-state=established\r\
    \nadd chain=input comment=\"Allow connections that originated from LAN\" c\
    onnection-state=related\r\
    \nadd chain=input comment=\"Allow ping ICMP from anywhere\" protocol=icmp\
    \r\
    \nadd action=drop chain=input comment=\"Disallow anything from anywhere on\
    \_any interface\"\r\
    \nadd action=drop chain=forward comment=\"Disallow weird packets\" connect\
    ion-state=invalid\r\
    \nadd chain=forward comment=\"Allow LAN access to router and Internet\" co\
    nnection-state=new in-bridge-port=LAN\r\
    \nadd chain=forward comment=\"Allow connections that originated from LAN\"\
    \_connection-state=established\r\
    \nadd chain=forward comment=\"Allow connections that originated from LAN\"\
    \_connection-state=related\r\
    \nadd chain=forward comment=\"Open port 80 for Web Server\" dst-address=19\
    2.168.88.248 dst-port=80 protocol=tcp\r\
    \nadd action=drop chain=forward"
add name=script7 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall service-port\r\
    \nset ftp disabled=yes\r\
    \nset tftp disabled=yes\r\
    \nset irc disabled=yes\r\
    \nset h323 disabled=yes\r\
    \nset sip disabled=yes\r\
    \nset pptp disabled=yes"
add name=script8 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall\r\
    \nfilter add chain=input action=accept protocol=icmp comment=\"defconf: ac\
    cept ICMP\"\r\
    \n filter add chain=input action=accept connection-state=established,relat\
    ed comment=\"defconf: accept established,related\"\r\
    \n filter add chain=input action=drop in-interface=ether1 comment=\"defcon\
    f: drop all from WAN\"\r\
    \nfilter add chain=forward action=fasttrack-connection connection-state=es\
    tablished,related comment=\"defconf: fasttrack\"\r\
    \nfilter add chain=forward action=accept connection-state=established,rela\
    ted comment=\"defconf: accept established,related\""
add name=script9 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd action=accept chain=forward dst-port=943 in-interface=bridge protoco\
    l=tcp\r\
    \nadd action=fasttrack-connection chain=forward comment=\"defconf: fasttra\
    ck\" \r\
    \n    connection-state=established,related\r\
    \nadd action=accept chain=forward comment=\"defconf: accept established,re\
    lated\" \r\
    \n    connection-state=established,related\r\
    \nadd action=drop chain=forward comment=\"defconf: drop invalid\" \r\
    \n    connection-state=invalid\r\
    \nadd action=drop chain=forward comment=\r\
    \n    \"defconf:  drop all from WAN not DSTNATed\" connection-nat-state=!d\
    stnat \r\
    \n    connection-state=new in-interface=sfp1\r\
    \nadd action=accept chain=input protocol=icmp\r\
    \nadd action=accept chain=input connection-state=established\r\
    \nadd action=drop chain=input in-interface=esfp1\r\
    \n/ip firewall nat\r\
    \nadd action=masquerade chain=srcnat comment=\"defconf: masquerade\" \r\
    \n    out-interface=sfp1\r\
    \nadd action=masquerade chain=srcnat out-interface=bridge\r\
    \nadd action=dst-nat chain=dstnat dst-address=104.231.157.22 dst-port=943 \
    log=\r\
    \n    yes log-prefix=\"tcp 943:\" protocol=tcp to-addresses=192.168.88.248\
    \r\
    \nadd action=dst-nat chain=dstnat dst-address=104.231.157.22 dst-port=1194\
    \_\r\
    \n    protocol=udp to-addresses=192.168.88.248\r\
    \nadd action=dst-nat chain=dstnat dst-address=104.231.157.22 dst-port=443 \
    \r\
    \n    protocol=tcp to-addresses=192.168.88.248\r\
    \nadd action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=\
    \r\
    \n    192.168.88.0/24"
add name=script10 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall nat\r\
    \nadd action=accept chain=forward disabled=no dst-port=80 protocol=tcp\r\
    \nadd action=accept chain=forward disabled=no dst-port=80 protocol=udp"
add name=script11 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd action=add-src-to-address-list address-list=port_scanners address-li\
    st-timeout=5m10s chain=input comment=\"QUICK SCANNING\" psd=21,3s,3,1\r\
    \nADD chain=input protocol=icmp reject-with=icmp-host-reachable src-addres\
    s-list=port_scanners action=reject"
/tool e-mail
set address=74.125.136.108 from=<HomeLab> port=587 start-tls=yes user=\
    liberty01
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2-master_SERVER
add interface=ether6-master_SERVER2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2-master_SERVER
add interface=ether6-master_SERVER2
Last edited by jogger on Mon Oct 09, 2017 9:30 pm, edited 1 time in total.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Here is my last attempt - RB3011 - No Server outbound connection

Fri Oct 06, 2017 5:41 am

How are you connected to your ISP's modem? Fiber or ether1? You have ether1 in the same bridge as your lan, which has a different subnet.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Here is my last attempt - RB3011 - No Server outbound connection

Fri Oct 06, 2017 5:48 am

Look at this script. I've minimized it down to something simpler to work on. Read slowly. I don't understand what you're doing with ether1 as opposed to SFP1. The SB4141 does not have a fiber interface. You have an issue there.

Before testing this script, I recommend you do a System / Reset
# apply sections, one by one

/interface bridge
add name=bridge-LAN comment=defconf

/interface ethernet
set [ find default-name=ether1 ] master-port=none name=ether1
set [ find default-name=ether2 ] master-port=none name=ether2
set [ find default-name=ether3 ] master-port=ether2 name=ether3
set [ find default-name=ether4 ] master-port=ether2 name=ether4
set [ find default-name=ether5 ] master-port=ether2 name=ether5
set [ find default-name=ether6 ] master-port=none name=ether6
set [ find default-name=ether7 ] master-port=ether6 name=ether7
set [ find default-name=ether8 ] master-port=ether6 name=ether8
set [ find default-name=ether9 ] master-port=ether6 name=ether9
set [ find default-name=ether10 ] master-port=ether6 name=ether10
set [ find default-name=sfp1 ]  master-port=none name=sfp1_WAN

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN

/interface bridge port
add bridge=bridge-LAN interface=ether2  comment=defconf
add bridge=bridge-LAN interface=ether6 comment=defconf

#I don't understand why you have ether1 (104.231.157.22) on the LAN bridge
add bridge=bridge-LAN interface=ether1

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=sfp1_WAN   list=WAN

/ip address
add address=192.168.88.1/24 interface=bridge-LAN comment=defconf
add address=104.231.157.22/8 interface=ether1

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1_WAN

/ip dhcp-server network
add address=104.0.0.0/8 gateway=104.231.157.22 netmask=8
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=104.231.157.22

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=accept in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=input action=drop comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=accept connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat comment="Allow Port forwards"
add chain=forward action=drop comment="Drop all other forward"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=sfp1_WAN comment="default masquerade"
add chain=dstnat action=dst-nat in-interface=sfp1_WAN protocol=tcp to-addresses=1.2.3.4 dst-port=123 to-ports=123 comment="Sample Port Forward"
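
An added example, not part of pcunite's post or of any MikroTik tooling: a small Python audit over a RouterOS export that flags three patterns that appear in the exports posted in this thread (an IP address placed on a bridge port instead of on the bridge, a DHCP server bound to an interface in the WAN list, and an input chain with no drop rule). The sample export is constructed, and the finding names are made up for this example.

```python
import re

# Constructed sample modelled on the exports in this thread (not a real device).
SAMPLE_EXPORT = r'''
# constructed sample
/interface bridge
add name=bridge-LAN
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN disabled=yes interface=ether1_WAN
/interface list member
add interface=bridge-LAN list=LAN
add interface=ether1_WAN list=WAN
/ip address
add address=192.168.88.1/24 interface=ether2 network=\
    192.168.88.0
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN name=defconf
add address-pool=dhcp disabled=no interface=ether1_WAN name=dhcp1
/ip firewall filter
add action=accept chain=input comment="Accept established related" \
    connection-state=established,related
add action=accept chain=input in-interface=bridge-LAN
add action=drop chain=forward comment="Drop all other forward"
'''

# key=value, where the value is either a quoted string or a bare token
PAIR = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Return (menu, verb, params) tuples from a RouterOS export."""
    # The export wraps long lines: a trailing backslash continues on the
    # next line, whose indentation is not part of the value.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    menu, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):          # menu path, e.g. /ip firewall filter
            menu = line
            continue
        verb, _, rest = line.partition(' ')
        params = {k: v.strip('"') for k, v in PAIR.findall(rest)}
        entries.append((menu, verb, params))
    return entries


def rows(entries, menu):
    """Enabled 'add' entries under one menu path."""
    return [p for m, v, p in entries
            if m == menu and v == 'add' and p.get('disabled', 'no') != 'yes']


def audit(text):
    """Return a list of (code, detail) findings for the three checks."""
    e = parse_export(text)
    findings = []
    ports = {p.get('interface'): p.get('bridge')
             for p in rows(e, '/interface bridge port')}
    wan = {p.get('interface') for p in rows(e, '/interface list member')
           if p.get('list') == 'WAN'}

    # 1. Addresses belong on the bridge, not on one of its member ports.
    for p in rows(e, '/ip address'):
        iface = p.get('interface')
        if iface in ports:
            findings.append(('address-on-bridge-port',
                             f"{p.get('address')} is on {iface}, "
                             f"a port of {ports[iface]}"))

    # 2. A DHCP server on a WAN-list interface answers the upstream network.
    for p in rows(e, '/ip dhcp-server'):
        if p.get('interface') in wan:
            findings.append(('dhcp-server-on-wan',
                             f"{p.get('name')} serves {p.get('interface')}"))

    # 3. RouterOS accepts whatever no rule matches, so an input chain with
    #    no drop rule leaves the router's own services open to every interface.
    input_rules = [p for p in rows(e, '/ip firewall filter')
                   if p.get('chain') == 'input']
    if not any(p.get('action', 'accept') == 'drop' for p in input_rules):
        findings.append(('input-chain-no-drop',
                         f"{len(input_rules)} enabled input rules, none drops"))
    return findings


if __name__ == '__main__':
    for code, detail in audit(SAMPLE_EXPORT):
        print(f'{code}: {detail}')
```
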
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Fri Oct 06, 2017 6:36 am

> How are you connected to your ISP's modem? Fiber or ether1? You have ether1 in the same bridge as your lan, which has a different subnet.

I'm connected to the modem through sfp1 (the SFP module)? Is that fine? I thought going from my modem (SB6141 with an ethernet cord) through SFP (Small form-factor pluggable) would be fine?

Here is how my connections look going in to my RB3011

Image
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Fri Oct 06, 2017 8:20 pm

> Look at this script. I've minimized it down to something simpler to work on. Read slowly. I don't understand what you're doing with ether1 as opposed to SFP1. The SB4141 does not have a fiber interface. You have an issue there.
>
> Before testing this script, I recommend you do a System / Reset

After the system reset do I connect through eth1 then?
 
Rieva
just joined
Posts: 3
Joined: Fri Sep 22, 2017 6:47 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Sat Oct 07, 2017 12:52 am

You will have to pay a guy who understands basic networking.
I suggest you pay the guy with that RB3011, because for your internet connection, even WR740N v4 is overkill.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Here is my last attempt - RB3011 - No Server outbound connection

Sat Oct 07, 2017 11:35 am

According to the SB6141 Manual, as pcunite says there's no SFP, you should wire it like this:
wiring.png
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Mon Oct 09, 2017 12:31 am

> According to the SB6141 Manual, as pcunite says there's no SFP, you should wire it like this:

I am confused? I bought this SFP Copper Module (Mikrotik Item model number S-RJ01). Now you are saying I can't use it with this router and modem? I am very confused now? It is an ethernet cord, it is nothing special, basic cat-6 ethernet cord? I am so confused on why an ethernet cord can't be used with this router.

https://www.amazon.com/gp/product/B00N9 ... UTF8&psc=1 If this module won't work then why did you guys manufacture it? That makes no sense?
 
plankanater
Member Candidate
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Here is my last attempt - RB3011 - No Server outbound connection

Mon Oct 09, 2017 3:53 am

The module will work. The reason they are all telling you to plug into ether 1 is because the Quickset and default configs configure ether 1 as the WAN port. Use the SFP port as your LAN, not WAN, then you can use Quickset. That would be the simplest setup. You can make the SFP a WAN port but there is a lot more programming involved.
 
Melody5781
newbie
Posts: 29
Joined: Thu Sep 14, 2017 12:42 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Mon Oct 09, 2017 6:48 am

The copper SFP RJ45 module can be used in SFP1 port. But it makes things difficult and to make things easy you can use a Cat6 Ethernet cable between the modem and the ether1.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Here is my last attempt - RB3011 - No Server outbound connection

Mon Oct 09, 2017 12:30 pm

> > According to the SB6141 Manual, as pcunite says there's no SFP, you should wire it like this:
>
> I am confused? I bought this SFP Copper Module (Mikrotik Item model number S-RJ01). Now you are saying I can't use it with this router and modem? I am very confused now? It is an ethernet cord, it is nothing special, basic cat-6 ethernet cord?

Ok, now that makes sense, you used a SFP to copper RJ45 module.

Looks like Autonegotiation doesn't succeed, you'll have to:

1.- RB3011: Disable autoneg on SFP interface, set it to 1Gbps.

Check if interface enters Running state, and you get link ok. If it doesn't:

2.- Arris: locate ethernet, and disable autoneg, forcing 1Gbps.

If you succeed on getting the SFP port to run, you'll need to change anything on the RB3011 (ip addresses, firewall filter and nat rules, etc) that referred to ether1 as WAN, to the new sfp-interface.
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Tue Oct 10, 2017 12:29 am

> Ok, now that makes sense, you used a SFP to copper RJ45 module.
>
> Looks like Autonegotiation doesn't succeed, you'll have to:
>
> 1.- RB3011: Disable autoneg on SFP interface, set it to 1Gbps.
>
> Check if interface enters Running state, and you get link ok. If it doesn't:
>
> 2.- Arris: locate ethernet, and disable autoneg, forcing 1Gbps.
>
> If you succeed on getting the SFP port to run, you'll need to change anything on the RB3011 (ip addresses, firewall filter and nat rules, etc) that referred to ether1 as WAN, to the new sfp-interface.

Hmm, I think I have everything configured correctly, I am still not able to get out of bridged-lan to access the outside world. So when I try to run sudo apt-get update it still says 101: No Connection. Also when I try to ping my server from the Mikrotik ping it says timeout. SFP1_WAN works, ping from eth2 does not.

Any help, heck I will even accept a TeamViewer session at this point.
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Tue Oct 10, 2017 1:22 am

# oct/09/2017 18:15:33 by RouterOS 6.40.3
# software id = UIR9-M60B
#
# model = RouterBOARD 3011UiAS
# serial number = 111111111111
/interface bridge
add admin-mac=6C:3B:6B:1D:00:99 auto-mac=no comment=defconf name=bridge-LAN
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
set [ find default-name=sfp1 ] auto-negotiation=no name=sfp1_WAN
/ip neighbor discovery
set sfp1_WAN discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN name=defconf
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
add bridge=bridge-LAN comment=defconf interface=ether6
add bridge=bridge-LAN comment=defconf disabled=yes interface=sfp1_WAN
add bridge=bridge-LAN interface=ether1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=sfp1_WAN list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-LAN network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1_WAN
/ip dhcp-server network
add address=104.0.0.0/8 gateway=104.231.157.22 netmask=8
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=104.231.157.22
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Accept established related" \
    connection-state=established,related
add action=accept chain=input comment=\
    "Allow LAN access to router and Internet" connection-state=new \
    in-interface=bridge-LAN
add action=accept chain=forward comment="Accept established related" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Allow LAN access to router and Internet" connection-state=new \
    in-interface=bridge-LAN
add action=accept chain=forward comment="Allow Port Forwards" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="default masquerade" \
    out-interface=sfp1_WAN
add action=dst-nat chain=dstnat comment="Sample Port Forward" dst-address=\
    104.231.157.22 dst-port=80 in-interface=bridge-LAN protocol=tcp \
    to-addresses=192.168.88.248 to-ports=80
/system clock
set time-zone-name=America/New_York
/system script
add name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface ethernet\r\
    \nset [ find default-name=ether1 ] master-port=none name=ether1\r\
    \nset [ find default-name=ether2 ] master-port=none name=ether2\r\
    \nset [ find default-name=ether3 ] master-port=ether2 name=ether3\r\
    \nset [ find default-name=ether4 ] master-port=ether2 name=ether4\r\
    \nset [ find default-name=ether5 ] master-port=ether2 name=ether5\r\
    \nset [ find default-name=ether6 ] master-port=none name=ether6\r\
    \nset [ find default-name=ether7 ] master-port=ether6 name=ether7\r\
    \nset [ find default-name=ether8 ] master-port=ether6 name=ether8\r\
    \nset [ find default-name=ether9 ] master-port=ether6 name=ether9\r\
    \nset [ find default-name=ether10 ] master-port=ether6 name=ether10\r\
    \nset [ find default-name=sfp1 ]  master-port=none name=sfp1_WAN"
add name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface list\r\
    \nadd comment=defconf name=WAN\r\
    \nadd comment=defconf name=LAN"
add name=script3 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip pool\r\
    \nadd name=dhcp ranges=192.168.88.10-192.168.88.254"
add name=script4 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip dhcp-server\r\
    \nadd address-pool=dhcp disabled=no interface=bridge-LAN"
add name=script5 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge port\r\
    \nadd bridge=bridge-LAN interface=ether2  comment=defconf\r\
    \nadd bridge=bridge-LAN interface=ether6 comment=defconf"
add name=script6 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge settings\r\
    \nset allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes\
    \_use-ip-firewall-for-vlan=yes"
add name=script7 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface list member\r\
    \nadd comment=defconf interface=bridge-LAN list=LAN\r\
    \nadd comment=defconf interface=sfp1_WAN   list=WAN"
add name=script8 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip address\r\
    \nadd address=192.168.88.1/24 interface=bridge-LAN comment=defconf\r\
    \nadd address=104.231.157.22/8 interface=ether1"
add name=script9 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip dhcp-client\r\
    \nadd dhcp-options=hostname,clientid disabled=no interface=sfp1_WAN"
add name=script10 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip dhcp-server network\r\
    \nadd address=104.0.0.0/8 gateway=104.231.157.22 netmask=8\r\
    \nadd address=192.168.88.0/24 comment=defconf gateway=192.168.88.1"
add name=script11 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip dns\r\
    \nset allow-remote-requests=yes servers=104.231.157.22"
add name=script12 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Accept established related\"\r\
    \nadd chain=input action=accept in-interface=bridge-LAN comment=\"Allow LA\
    N access to router and Internet\"\r\
    \nadd chain=input action=drop comment=\"Drop all other input\"\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Accept established related\"\r\
    \nadd chain=forward action=accept connection-state=new in-interface=bridge\
    -LAN comment=\"Allow LAN access to router and Internet\"\r\
    \nadd chain=forward action=accept connection-nat-state=dstnat comment=\"Al\
    low Port forwards\"\r\
    \nadd chain=forward action=drop comment=\"Drop all other forward\""
add name=script13 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall nat\r\
    \nadd chain=srcnat action=masquerade out-interface=sfp1_WAN comment=\"defa\
    ult masquerade\"\r\
    \nadd chain=dstnat action=dst-nat in-interface=sfp1_WAN protocol=tcp to-ad\
    dresses=1.2.3.4 dst-port=123 to-ports=123 comment=\"Sample Port Forward\""
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2
add interface=ether6
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2
add interface=ether6

Is there something in my code that I am not doing correctly, because my server on eth2 at IP 192.168.88.248 is not able to have outbound connections? I try and ping from eth2 and bridge 192.168.88.248 and they all time out? 192.168.88.248 is eth2 which is on the bridge-LAN interface.

Let me know if something in my firewall rules or NAT is not correct....thanks for helping.
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Tue Oct 10, 2017 8:46 am

Ok, have a look at these. Only thing I have left is, I have changed my sfp1_wan and connected my modem to eth1, still cannot ping 8.8.8.8 from bridge_lan, always get timeout. Any help.

# oct/10/2017 01:35:49 by RouterOS 6.40.3
# software id = UIR9-M60B
#
# model = RouterBOARD 3011UiAS
# serial number = 111111111111
/interface bridge
add admin-mac=6C:3B:6B:1D:66:99 auto-mac=no comment=defconf name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
set [ find default-name=sfp1 ] auto-negotiation=no
/ip neighbor discovery
set ether1_WAN discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=24.93.112.2-24.93.119.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN name=defconf
add address-pool=dhcp disabled=no interface=ether1_WAN name=dhcp1
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
add bridge=bridge-LAN comment=defconf interface=ether6
add bridge=bridge-LAN comment=defconf interface=sfp1
add bridge=bridge-LAN disabled=yes interface=ether1_WAN
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=ether1_WAN list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip arp
add address=192.168.88.248 interface=bridge-LAN mac-address=7C:05:07:10:04:AD
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1_WAN
/ip dhcp-server network
add address=24.0.0.0/8 gateway=24.93.112.1 netmask=8
add address=24.93.112.0/21 gateway=24.93.112.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=24.93.115.155
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.248 name=mywebsiteaddress.com
/ip firewall filter
add action=accept chain=input comment="Accept established related" \
    connection-state=established,related
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment=\
    "Allow LAN access to router and Internet" in-interface=bridge-LAN
add action=fasttrack-connection chain=forward comment="FastTrack Connections" \
    connection-state=established,related
add action=accept chain=forward comment="Accept established related" \
    connection-state=established,related
add action=accept chain=forward comment="Forward Out Eth1" out-interface=\
    ether1_WAN
add action=accept chain=forward comment="Allow Port forwards" \
    connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "Allow LAN access to router and Internet" connection-state=new \
    in-interface=bridge-LAN
add action=accept chain=forward comment=\
    "Accept connections from outside to port 80" dst-port=80 in-interface=\
    ether1_WAN protocol=tcp
add action=drop chain=forward comment="Drop all other forward"
add action=drop chain=forward in-interface=ether1_WAN protocol=udp
add action=drop chain=forward in-interface=ether1_WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default masquerade" \
    out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="Sample Port Forward" dst-address=\
    24.93.115.155 dst-address-type=local dst-port=80 protocol=tcp \
    to-addresses=192.168.88.248 to-ports=80
add action=masquerade chain=srcnat comment="masquerade - bridge" dst-address=\
    192.168.88.0/24 out-interface=bridge-LAN src-address=192.168.88.0/24
/ip route
add disabled=yes distance=1 gateway=24.93.112.1
add distance=1 dst-address=24.0.0.0/24 gateway=ether1_WAN pref-src=\
    24.93.115.155
/ip service
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether6
add interface=sfp1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether6
add interface=sfp1
Let me know what I have to do to get bridge_lan to connect to the outside world. 192.168.88.248 is on eth2, and my ping to 8.8.8.8 on interface bridge-lan always times out.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Here is my last attempt - RB3011 - No Server outbound connection

Tue Oct 10, 2017 11:47 am

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
You should change that IP to interface=bridge-LAN
/ip arp
add address=192.168.88.248 interface=bridge-LAN mac-address=7C:05:07:10:04:AD
Delete this.

On Winbox, open a New Terminal and issue
/ip address print detail
/ip route print
/ping 8.8.8.8
Then copy and paste the output here.
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Tue Oct 10, 2017 5:25 pm

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; defconf
     address=192.168.88.1/24 network=192.168.88.0 interface=bridge-LAN 
     actual-interface=bridge-LAN 

 1 D address=24.93.115.155/21 network=24.93.112.0 interface=ether1_WAN 
     actual-interface=ether1_WAN 
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          24.93.112.1               1
 1 X S  0.0.0.0/0                          24.93.112.1               1
 2 A S  24.0.0.0/24        24.93.115.155   ether1_WAN                1
 3 ADC  24.93.112.0/21     24.93.115.155   ether1_WAN                0
 4 ADC  192.168.88.0/24    192.168.88.1    bridge-LAN                0
 
jogger
just joined
Topic Author
Posts: 11
Joined: Thu Oct 05, 2017 5:41 pm

Re: Here is my last attempt - RB3011 - No Server outbound connection

Wed Oct 11, 2017 1:28 am

OK, after doing a little more research: could this possibly have something to do with my bridge connection timeouts when I ping 8.8.8.8? These are in my routes:
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          24.93.112.1               1
 1 X S  0.0.0.0/0                          24.93.112.1               1
 2 A S  24.0.0.0/24        24.93.115.155   ether1_WAN                1
 3 ADC  24.93.112.0/21     24.93.115.155   ether1_WAN                0
 4 ADC  192.168.88.0/24    192.168.88.1    bridge-LAN                0
Is my bridge-LAN not going to the outside world?

Thanks for any help.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Here is my last attempt - RB3011 - No Server outbound connection

Wed Oct 11, 2017 3:05 pm

Your routing is fine.

Did you issue the ping to 8.8.8.8 from the router???

Remove the masquerade on bridge-LAN; the only masquerade you need is the one already set:

You posted:
/ip firewall nat
add action=masquerade chain=srcnat comment="default masquerade" \
    out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="Sample Port Forward" dst-address=\
    24.93.115.155 dst-address-type=local dst-port=80 protocol=tcp \
    to-addresses=192.168.88.248 to-ports=80
add action=masquerade chain=srcnat comment="masquerade - bridge" dst-address=\
    192.168.88.0/24 out-interface=bridge-LAN src-address=192.168.88.0/24
Should be:
/ip firewall nat
add action=masquerade chain=srcnat comment="default masquerade" \
    out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="Sample Port Forward" dst-address=\
    24.93.115.155 dst-address-type=local dst-port=80 protocol=tcp \
    to-addresses=192.168.88.248 to-ports=80
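
The two items pukkita's replies single out (an address bound to a bridge port instead of the bridge, and a masquerade rule whose out-interface is not the WAN port) can be checked mechanically against an export, along with filter rules placed below an unconditional drop in the same chain, which can never match. The Python script below is an added example, not code from any poster or from MikroTik; the function names, finding labels and the `wan` parameter are assumptions, and the sample export is constructed from the config posted in this thread.

```python
import re

# Constructed sample: a trimmed RouterOS export modelled on the one posted in this thread.
SAMPLE_EXPORT = r'''
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip firewall filter
add action=drop chain=forward comment="Drop all other forward"
add action=drop chain=forward in-interface=ether1_WAN protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="default masquerade" \
    out-interface=ether1_WAN
add action=masquerade chain=srcnat comment="masquerade - bridge" dst-address=\
    192.168.88.0/24 out-interface=bridge-LAN src-address=192.168.88.0/24
'''

def parse_export(text):
    """Yield (menu, {property: value}) per enabled 'add' line; wrapped lines are rejoined."""
    menu = None
    for line in map(str.strip, re.sub(r'\\\r?\n\s*', '', text).splitlines()):
        if line.startswith('/'):
            menu = line
        elif line.startswith('add '):
            props = {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}
            if props.get('disabled') != 'yes':
                yield menu, props

def audit(text, wan=('ether1_WAN',)):  # wan: Internet-facing interfaces (caller's assumption)
    items = list(parse_export(text))
    ports = {p.get('interface') for m, p in items if m == '/interface bridge port'}
    findings, drop_all = [], set()
    for menu, p in items:
        label = p.get('comment') or ' '.join(f'{k}={v}' for k, v in p.items())
        if menu == '/ip address' and p.get('interface') in ports:
            findings.append(('address-on-bridge-port', p.get('address')))
        elif menu == '/ip firewall nat' and p.get('action') == 'masquerade':
            if p.get('out-interface') not in wan:
                findings.append(('masquerade-not-on-wan', label))
        elif menu == '/ip firewall filter':
            if p.get('chain') in drop_all:  # a terminal drop-all sits above this rule
                findings.append(('rule-after-drop-all', label))
            if p.get('action') == 'drop' and not set(p) - {'action', 'chain', 'comment'}:
                drop_all.add(p.get('chain'))
    return findings

if __name__ == '__main__':
    for code, detail in audit(SAMPLE_EXPORT):
        print(f'{code}: {detail}')
```

To check a real router, pass the text of an `/export` file to `audit()` and set `wan` to that router's Internet-facing interface names.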
