I have searched a long time and tried many things but nothing with success.
A similar topic was posted by icanfly at post viewtopic.php?t=139205 but the solution is not working for me. I don't know why.
In my setup I have a VDSL modem (Vigor 165) in "bridge mode" and connected to a Mikrotik RB 750G r3.
On the LAN side I'm using a pfSense Firewall which is the default gateway for my LAN. The gateway of the pfSense is the Mikrotik router.
For more details see the attached diagram:
Internet is working, and also my LAN is working fine but I can't access the modem web interface.
Can someone help me please?
Here's my configuration:
Code: Select all
# aug/01/2019 00:43:32 by RouterOS 6.44.3
# software id = Z7L3-P5LF
#
# model = RouterBOARD 750G r3
# serial number = XXXXXXXXXXXX
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
/interface vlan
add interface=ether1 name=vlan7 vlan-id=7
/interface bonding
add mode=active-backup name=bonding1 primary=ether2 slaves=ether2,ether3
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan7 name=pppoe-tcom password=XXXXXXXX use-peer-dns=yes user=XXXXXXXXXXXXXXXXXXXXXXXX#0001@t-online.de
/interface vlan
add interface=bonding1 name=vlan71 vlan-id=71
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface list member
add interface=bonding1 list=LAN
add interface=pppoe-tcom list=WAN
add interface=vlan71 list=LAN
add interface=vlan7 list=WAN
/ip address
add address=172.16.1.250/24 interface=vlan71 network=172.16.1.0
add address=172.16.2.250/24 interface=ether1 network=172.16.2.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.1.250 name=gw1.local ttl=1h
/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=10.0.0.0/8 list=bogons
add address=100.64.0.0/10 list=bogons
add address=127.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=172.0.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.0.0/16 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=240.0.0.0/4 list=bogons
add address=10.0.0.0/8 list=rfc1918
add address=172.16.0.0/12 list=rfc1918
add address=192.168.0.0/16 list=rfc1918
/ip firewall filter
add action=accept chain=input comment="accept established,reladed" connection-state=established,related
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept LAN->*" in-interface-list=LAN
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop"
add action=fasttrack-connection chain=forward comment="fasttrack,established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=output comment="drop invalid" connection-state=invalid
/ip firewall nat
add action=dst-nat chain=dstnat comment="nat ipsec-esp" in-interface-list=WAN protocol=ipsec-esp to-addresses=172.16.1.249
add action=dst-nat chain=dstnat comment="nat udp IPSec" dst-port=500,4500 in-interface-list=WAN protocol=udp to-addresses=172.16.1.249
add action=src-nat chain=srcnat comment="nat to modem" dst-address=172.16.2.248 out-interface=ether1 to-addresses=172.16.2.248
add action=masquerade chain=srcnat comment="masquerade LAN->WAN" dst-address-list=!rfc1918 out-interface-list=WAN src-address-list=rfc1918
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/system clock
set time-zone-name=Europe/Berlin