martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Mon Aug 05, 2019 9:00 pm

Hi everyone,

I've been trying all day to get my new router to work (model: CCR1009-7G-1C-1S+). I've been trying Quick Set, following guides, looking at the manual, looking at YouTube.

I can't even get the router to ping the outside on its own. I even looked at my old config, using a CRS as router, and that one had no issues; I looked at its backup file.
I'm new to MikroTik routers, so I hope someone has the golden key, as I'm blind and can't find the error.

The unit is set up to get DHCP on its WAN port, Ether1. / Ether2 goes to the LAN switch.

I have set up DNS/NAT/Default Route/NAT/DHCP server etc., but it never got to a point where the router can ping the outside world from its terminal. (It is getting a WAN IP from my ISP.) I have not set up any VLAN on the WAN side; I did not do this with the UniFi router that I changed from.
[martin@MikroTik] > export compact hide-sensitive
# jan/02/1970 00:48:03 by RouterOS 6.45.3
# software id = XXXXXXXX
#
# model = CCR1009-7G-1C-1S+
# serial number = XXXXXXXX
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=87.104.X.X/25 interface=ether1 network=87.104.X.X
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=ether1
[martin@MikroTik] > 
Last edited by martin4030 on Tue Aug 06, 2019 2:11 pm, edited 2 times in total.
 
Sob
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 9:08 pm

You need (the exact address is what ISP gave you):
/ip route
add distance=1 gateway=87.104.X.???
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 9:12 pm

Hi Sob,

It's just me hiding my WAN IP :)

So I need to put this in
/ip route
add distance=1 gateway=WAN IP
Is it not possible to make it dynamic, as my IP could change, as it's dynamic? I will still try it.
 
Sob
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 9:29 pm

No, there are two distinct things, one is your WAN address and the other is ISP's gateway address. But if you say it's dynamic, you're wrong from the start, because in addition to wrong gateway, you now have static address assigned to ether1. Maybe you need to add DHCP client on ether1?
 
flynno
Member Candidate
Posts: 238
Joined: Wed Aug 27, 2014 8:11 pm

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 9:33 pm

Add a DHCP client on ether1 in IP > DHCP Client


/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN


/ip dns
set servers=8.8.8.8,8.8.4.4
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 9:39 pm

DHCP is set on Ether1
[admin@MikroTik] > export compact hide-sensitive
# jan/02/1970 00:19:22 by RouterOS 6.45.3
# software id = WVIR-4QDS
#
# model = CCR1009-7G-1C-1S+
# serial number = 914F0A6D66B4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=ether1
Still can't ping or make the router update packages or check.
[admin@MikroTik] > ping 8.8.8.8
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 8.8.8.8                                                 timeout
    1 8.8.8.8                                                 timeout
    2 8.8.8.8                                                 timeout
    3 8.8.8.8                                                 timeout
 
Sob
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 9:46 pm

Also remove the wrong route:
/ip route
add distance=1 gateway=ether1
A correct one (dynamic) should be added by DHCP client.
 
flynno
Member Candidate
Posts: 238
Joined: Wed Aug 27, 2014 8:11 pm

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 9:47 pm

In DHCP Client, have you set 'Add Default Route:' to yes, along with use peer DNS?
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 9:56 pm

I changed to your recommendations, and I did now also add under DHCP to use 'Add Default Route:' to yes, along with use peer DNS.

Still no internet.
[admin@MikroTik] > export compact hide-sensitive
# jan/02/1970 00:33:54 by RouterOS 6.45.3
# software id = WVIR-4QDS
#
# model = CCR1009-7G-1C-1S+
# serial number = 914F0A6D66B4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-ntp=no
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
[admin@MikroTik] > 
 
Sob
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 10:06 pm

And did DHCP client succeed?

You can run:
/ip dhcp-client print
/ip address print 
/ip route print
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Mon Aug 05, 2019 10:18 pm

Thanks for helping out everyone: XX is just me hiding :)
/ip dhcp-client print

[admin@MikroTik] > /ip dhcp-client print
Flags: X - disabled, I - invalid, D - dynamic 
 #   INTERFACE  USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS  ADDRESS
 0   ether1     yes          yes               bound   87.104.8.1XX/25

/ip address print 

[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.1.1/24     192.168.1.0     ether2
 1 D 87.104.8.X    87.104.8.1XX    ether1

/ip route print

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          87.104.8.1XX              1
 1 ADC  87.104.8.1XX/25    87.104.8.1XX    ether1                    0
 2 ADC  192.168.1.0/24     192.168.1.1     ether2                    0
[admin@MikroTik] >
Last edited by martin4030 on Tue Aug 06, 2019 10:35 am, edited 1 time in total.
 
Sob
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Tue Aug 06, 2019 12:24 am

You don't seem to be very good at hiding addresses. ;)

What I see should be working config. But if you didn't leave out some parts (firewall for example), I should be able to ping your address, but it doesn't work.

If you try to ping gateway, does it work? Or traceroute to some numeric address in internet (e.g. 8.8.8.8), does it get anywhere? Both from router.
 
sebastia
Forum Guru
Posts: 1685
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Tue Aug 06, 2019 12:29 am

You don't seem to be very good at hiding addresses. ;)
lol
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Tue Aug 06, 2019 10:39 am

I have been in contact with my ISP to be safe, and everything is fine at their end. They could see the router taking a WAN IP etc.

I don't know what to do, so I did reset it all and set it up using quick conf, and as a (try) I have now changed my MAC address on the WAN interface. I now need to wait another hour for my ISP to give the new MAC a WAN IP.

I also upgraded software + RouterBOARD firmware to testing release.

Does anyone else own a 1009-7g-1c-1s+ and could share a working config/backup?
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Tue Aug 06, 2019 1:58 pm

Here is my config backup!

I still have no internet, and the router still can't ping the internet from itself.

Could it be the RouterBOARD firmware? Mine says 6.45.3, but on the download page it says tilegx_3.41.fwf, or is that something else?

Just thinking of what it can be, as I think RouterBOARD follows RouterOS version numbers.
# jan/02/1970 00:23:14 by RouterOS 6.45.3
# software id = WVIR-4QDS
#
# model = CCR1009-7G-1C-1S+
# serial number = 914F0A6D66B4
/interface ethernet
set [ find default-name=combo1 ] comment="ADMIN LAN"
set [ find default-name=ether1 ] comment="WAN from ISP"
set [ find default-name=ether2 ] comment="DHCP LAN"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 name=dhcp1
/ip address
add address=192.168.88.1/24 comment="Admin LAN" interface=combo1 network=\
    192.168.88.0
add address=192.168.1.1/24 comment="DHCP LAN" interface=ether2 network=\
    192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
 
xvo
Member
Posts: 329
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Tue Aug 06, 2019 2:21 pm

Here is my config backup!

I still have no internet, and the router still can't ping the internet from itself.

Could it be the RouterBOARD firmware? Mine says 6.45.3, but on the download page it says tilegx_3.41.fwf, or is that something else?

Just thinking of what it can be, as I think RouterBOARD follows RouterOS version numbers.
Look at:
/system routerboard print
Current-firmware has to be the same as RouterOS version.
If it's not - upgrade it, and reboot.
/system routerboard upgrade
The config looks like it should work ok.
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Tue Aug 06, 2019 2:50 pm

Hi, looks like that is okay.
[admin@MikroTik] > /system routerboard print
routerboard: yes
model: CCR1009-7G-1C-1S+
serial-number: 914F0A6D66B4
firmware-type: tilegx
factory-firmware: 6.42.12
current-firmware: 6.45.3
upgrade-firmware: 6.45.3
[admin@MikroTik] > 
 
Sob
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Tue Aug 06, 2019 3:43 pm

Once more:
If you try to ping gateway, does it work? Or traceroute to some numeric address in internet (e.g. 8.8.8.8), does it get anywhere? Both from router.
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Tue Aug 06, 2019 4:44 pm

Once more:
If you try to ping gateway, does it work? Or traceroute to some numeric address in internet (e.g. 8.8.8.8), does it get anywhere? Both from router.
I tried yesterday to ping - NO response. Doing traceroute - it never left the router. I will look more at it when I return home.
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

FIXED (ISP error) PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+  [SOLVED]

Tue Aug 06, 2019 5:41 pm

Hi all,

Thanks for your time.

After testing and testing, I contacted my ISP again and told them something's very wrong; even though I get a WAN IP, there must be an error.

He said it does not look wrong, but as a safety they restarted the fiber box that I'm hooked up to in the road, and also restarted my fiber bridge.

Boom / 500 - 500 with the config we all made doing this little test :)

It all pointed at the ISP after testing a UniFi router that had the same issue.

Thanks a million, everyone.

Now comes the funny part, tuning my new MikroTik router's firewall and performance.

First speedtest shows 486,68 down and 463,25 up - my line is a Fiber 500/500

Any recommendations on firewall rules, anyone? I could use some good help here also.
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Tue Aug 06, 2019 5:44 pm

My notes for a new install, any changes?
2) 

/user add name=newuser password=XXXXXXXX group=full
/user remove admin

3)
/user set 0 address=192.168.1.0/24
/ip service set winbox address=192.168.1.0/24

4)
/ip service disable telnet,ftp,api,api-ssl

5)
/tool mac-server set allowed-interface-list=none

6)
/tool mac-server mac-winbox set allowed-interface-list=none

7)
/tool mac-server ping set enabled=no

8)
/ip neighbor discovery-settings set discover-interface-list=none

9)
/tool bandwidth-server set enabled=no 

10)
/ip dns set allow-remote-requests=no

11)
/ip ssh set strong-crypto=yes

12)
/ip service set ssh port=2200

13)

Create address list which includes different subnets (basically all subnets which should not exist in public network):

/ip firewall address-list
 add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
 add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
 add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
 add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
 add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
 add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
 add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
 add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
 add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
 add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
 add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
 add address=240.0.0.0/4 comment=RFC6890 list=NotPublic

Create firewall filter rules to protect router from incoming (input) connections:

/ip firewall filter

add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge1 comment="Allow LAN access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge1 comment="Allow LAN access to router and Internet"
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"


14)
SSH access subnet.
/ip service set ssh address=192.168.1.0/24

15)
/system note set show-at-login=yes
/system note set note="This is a private network - Authorized administrators only. Access to this device is monitored."

16)
/ip settings set rp-filter=strict

17)
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org


 
Sob
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Tue Aug 06, 2019 7:14 pm

It looks ok.
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Tue Aug 06, 2019 7:26 pm

I did change:

Firewall

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge1->ether2 comment="Allow LAN access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge1->ether2 comment="Allow LAN access to router and Internet"
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"
 
martin4030
just joined
Topic Author
Posts: 14
Joined: Tue Jul 30, 2019 10:55 am

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Tue Aug 06, 2019 7:26 pm

Thanks for the help, and support and review :)
I did change:

Firewall

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge1->ether2 comment="Allow LAN access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge1->ether2 comment="Allow LAN access to router and Internet"
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"
 
Sob
Forum Guru
Posts: 4385
Joined: Mon Apr 20, 2009 9:11 pm

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Tue Aug 06, 2019 7:30 pm

Sorry, I missed that one, usually the LAN is bridge and I'm looking at too many configs at the same time.
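
Added example, not part of any post in this thread: a small Python check over a RouterOS export that flags the two configuration mistakes the thread ran into, a filter rule naming an interface the router does not have (bridge1 where the LAN is ether2) and a default route whose gateway is an interface name, and also checks that the input and forward chains end in an unconditional drop. The names parse_export and lint are hypothetical, the sample config is constructed from the posts above, and the interface inventory is inferred from the export itself.

```python
import re
import shlex

# Constructed sample: the thread's final config plus the first draft of the
# filter rules (in-interface=bridge1) and the early static route.
SAMPLE = r"""
/interface ethernet
set [ find default-name=ether1 ] comment="WAN from ISP"
set [ find default-name=ether2 ] comment="DHCP LAN"
/ip address
add address=192.168.1.1/24 comment="DHCP LAN" interface=ether2 network=\
    192.168.1.0
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=bridge1
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-state=new in-interface=bridge1
add action=drop chain=forward
/ip route
add distance=1 gateway=ether1
"""

def parse_export(text):
    """Return [(menu, verb, {key: value})] for each add/set line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menu, items = None, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)  # keeps quoted comment="..." values whole
        items.append((menu, tokens[0], dict(t.split("=", 1) for t in tokens[1:] if "=" in t)))
    return items

def lint(text):
    """Hypothetical linter: returns a list of human-readable findings."""
    items = parse_export(text)
    # Assumption: an interface exists if the export names it via interface=,
    # default-name= or as a bridge; a bare export has no other inventory.
    ifaces = {kv[k] for _, _, kv in items for k in ("interface", "default-name") if k in kv}
    ifaces |= {kv["name"] for m, _, kv in items if m == "/interface bridge" and "name" in kv}
    rules = [kv for m, v, kv in items if m == "/ip firewall filter" and v == "add"]
    findings = []
    for n, rule in enumerate(rules):
        for key in ("in-interface", "out-interface"):
            if key in rule and rule[key] not in ifaces:
                findings.append(f"filter rule {n}: {key}={rule[key]} is not an interface in this config")
    for chain in ("input", "forward"):
        in_chain = [r for r in rules if r.get("chain") == chain]
        last = in_chain[-1] if in_chain else {}
        if last.get("action") != "drop" or set(last) - {"action", "chain", "comment"}:
            findings.append(f"chain {chain}: does not end in an unconditional drop")
    for m, v, kv in items:
        is_default = kv.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"
        if m == "/ip route" and v == "add" and is_default and kv.get("gateway") in ifaces:
            findings.append(f"default route uses interface name gateway={kv['gateway']}, not a next-hop address")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

The parser expects export layout (a menu line followed by add/set lines), not one-line commands such as /ip service set ..., so run it on the output of export rather than on a notes file.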
