PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Posted: Mon Aug 05, 2019 9:00 pm
by martin4030
Hi everyone,

I've been trying all day to get my new router to work, model: (CCR1009-7G-1C-1S+). I've been trying Quickset, I've been following guides, looking at the manual, looking at YouTube.

I can't even get the router to ping the outside on its own. I even looked at my old config, using a CRS as router, and that one had no issues; looked at its backup file.
I'm new to MikroTik routers, so I hope someone has the golden key, as I'm blind and can't find the error.

The unit is set up to get DHCP on its WAN port Ether1. / Ether2 goes to the LAN switch.

I have set up DNS/NAT/Default Route/NAT/DHCP server etc - but it never got to a point where the router can ping the outside world from its terminal. (It is getting a WAN IP from my ISP) and I have not set up any VLAN on the WAN side; I have not done this with my Unifi Router that I changed from.
[martin@MikroTik] > export compact hide-sensitive
# jan/02/1970 00:48:03 by RouterOS 6.45.3
# software id = XXXXXXXX
#
# model = CCR1009-7G-1C-1S+
# serial number = XXXXXXXX
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=87.104.X.X/25 interface=ether1 network=87.104.X.X
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=ether1
[martin@MikroTik] > 

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 9:08 pm
by Sob
You need (the exact address is what ISP gave you):
/ip route
add distance=1 gateway=87.104.X.???

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 9:12 pm
by martin4030
Hi Sob,

It's just me hiding my WAN IP :)

So I need to put this in
/ip route
add distance=1 gateway=WAN IP
Is it not possible to make it dynamic, as my IP could change, as it's dynamic? I will still try it.

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 9:29 pm
by Sob
No, there are two distinct things, one is your WAN address and the other is ISP's gateway address. But if you say it's dynamic, you're wrong from the start, because in addition to wrong gateway, you now have static address assigned to ether1. Maybe you need to add DHCP client on ether1?

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 9:33 pm
by flynno
Add a DHCP client on ether1 in IP > DHCP Client


/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN


/ip dns
set servers=8.8.8.8,8.8.4.4

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 9:39 pm
by martin4030
DHCP is set on Ether1
[admin@MikroTik] > export compact hide-sensitive
# jan/02/1970 00:19:22 by RouterOS 6.45.3
# software id = WVIR-4QDS
#
# model = CCR1009-7G-1C-1S+
# serial number = 914F0A6D66B4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=ether1
Still can't ping or make the router update packages or check.
[admin@MikroTik] > ping 8.8.8.8
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 8.8.8.8                                                 timeout
    1 8.8.8.8                                                 timeout
    2 8.8.8.8                                                 timeout
    3 8.8.8.8                                                 timeout

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 9:46 pm
by Sob
Also remove the wrong route:
/ip route
add distance=1 gateway=ether1
A correct one (dynamic) should be added by DHCP client.

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 9:47 pm
by flynno
In DHCP Client, have you set 'Add Default Route:' to yes along with use peer DNS?

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 9:56 pm
by martin4030
I changed to your recommendations, and I did now also add under DHCP to use 'Add Default Route:' to yes along with use peer DNS.

Still no internet.
[admin@MikroTik] > export compact hide-sensitive
# jan/02/1970 00:33:54 by RouterOS 6.45.3
# software id = WVIR-4QDS
#
# model = CCR1009-7G-1C-1S+
# serial number = 914F0A6D66B4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-ntp=no
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
[admin@MikroTik] > 

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 10:06 pm
by Sob
And did DHCP client succeed?

You can run:
/ip dhcp-client print
/ip address print 
/ip route print

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Mon Aug 05, 2019 10:18 pm
by martin4030
Thanks for helping out everyone: XX is just me hiding :)
/ip dhcp-client print

[admin@MikroTik] > /ip dhcp-client print
Flags: X - disabled, I - invalid, D - dynamic 
 #   INTERFACE   USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS
 0   ether1      yes          yes               bound         87.104.8.1XX/25

/ip address print 

[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.1.1/24     192.168.1.0     ether2
 1 D 87.104.8.X    87.104.8.1XX    ether1

/ip route print

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          87.104.8.1XX              1
 1 ADC  87.104.8.1XX/25    87.104.8.1XX    ether1                    0
 2 ADC  192.168.1.0/24     192.168.1.1     ether2                    0
[admin@MikroTik] >

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Tue Aug 06, 2019 12:24 am
by Sob
You don't seem to be very good at hiding addresses. ;)

What I see should be working config. But if you didn't leave out some parts (firewall for example), I should be able to ping your address, but it doesn't work.

If you try to ping gateway, does it work? Or traceroute to some numeric address in internet (e.g. 8.8.8.8), does it get anywhere? Both from router.

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Tue Aug 06, 2019 12:29 am
by sebastia
You don't seem to be very good at hiding addresses. ;)
lol

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Tue Aug 06, 2019 10:39 am
by martin4030
I've been in contact with my ISP to be safe, and everything is fine at their end. They could see the router taking a WAN IP etc.

I don't know what to do, so I did reset it all - set up using quick conf, and as a (try) I have now changed my MAC address on the WAN interface. I now need to wait another hour for my ISP to give the new MAC a WAN IP.

I also upgraded software + RouterBOARD firmware to testing release.

Does anyone else own a 1009-7g-1c-1s+ and could share a working config/backup?

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Tue Aug 06, 2019 1:58 pm
by martin4030
Here is my config backup!

I have no internet still, and the router still can't ping the internet from itself.

Could it be the RouterBOARD firmware? Mine says 6.45.3 but on the download page it says tilegx_3.41.fwf, or is that something else?

Just thinking of what it can be, as I think RouterBOARD follows RouterOS version numbers.
# jan/02/1970 00:23:14 by RouterOS 6.45.3
# software id = WVIR-4QDS
#
# model = CCR1009-7G-1C-1S+
# serial number = 914F0A6D66B4
/interface ethernet
set [ find default-name=combo1 ] comment="ADMIN LAN"
set [ find default-name=ether1 ] comment="WAN from ISP"
set [ find default-name=ether2 ] comment="DHCP LAN"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 name=dhcp1
/ip address
add address=192.168.88.1/24 comment="Admin LAN" interface=combo1 network=\
    192.168.88.0
add address=192.168.1.1/24 comment="DHCP LAN" interface=ether2 network=\
    192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Tue Aug 06, 2019 2:21 pm
by xvo
Here is my config backup!

I have no internet still, and the router still can't ping the internet from itself.

Could it be the RouterBOARD firmware? Mine says 6.45.3 but on the download page it says tilegx_3.41.fwf, or is that something else?

Just thinking of what it can be, as I think RouterBOARD follows RouterOS version numbers.
Look at:
/system routerboard print
Current-firmware has to be the same as RouterOS version.
If it's not - upgrade it, and reboot.
/system routerboard upgrade
The config looks like it should work ok.

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Posted: Tue Aug 06, 2019 2:50 pm
by martin4030
Hi, looks like that is okay.
[admin@MikroTik] > /system routerboard print
routerboard: yes
model: CCR1009-7G-1C-1S+
serial-number: 914F0A6D66B4
firmware-type: tilegx
factory-firmware: 6.42.12
current-firmware: 6.45.3
upgrade-firmware: 6.45.3
[admin@MikroTik] > 

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Tue Aug 06, 2019 3:43 pm
by Sob
Once more:
If you try to ping gateway, does it work? Or traceroute to some numeric address in internet (e.g. 8.8.8.8), does it get anywhere? Both from router.

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+)

Posted: Tue Aug 06, 2019 4:44 pm
by martin4030
Once more:
If you try to ping gateway, does it work? Or traceroute to some numeric address in internet (e.g. 8.8.8.8), does it get anywhere? Both from router.
I tried yesterday to ping - NO response. Doing traceroute - it never left the router. I will look more at it when I return home.

FIXED (ISP error) PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+  [SOLVED]

Posted: Tue Aug 06, 2019 5:41 pm
by martin4030
Hi all,

Thanks for your time.

After testing and testing, I contacted my ISP again and told them something's very wrong; even though I get a WAN IP there must be an error.

He said it does not look wrong, but as a safety they restarted the fiber box that I'm hooked up to in the road, and also restarted my fiber bridge.

Boom / 500 - 500 with the config we all made doing this little test :)

It all pointed at the ISP after testing a Unifi Router that had the same issue.

Thanks a million everyone.

Now comes the funny part, tuning my new MikroTik router's firewall and performance.

First speedtest, shows 486,68 down and 463,25 up - my line is a Fiber 500/500

Any recommendations on firewall rules, anyone? I could use some good help here also.

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Posted: Tue Aug 06, 2019 5:44 pm
by martin4030
My notes for a new install, any changes?
2) 

/user add name=new user password=XXXXXXXX group=full
/user remove admin

3)
/user set 0 address=192.168.1.0/24
/ip service set winbox address=192.168.1.0/24

4)
/ip service disable telnet,ftp,api,api-ssl

5)
/tool mac-server set allowed-interface-list=none

6)
/tool mac-server mac-winbox set allowed-interface-list=none

7)
/tool mac-server ping set enabled=no

8)
/ip neighbor discovery-settings set discover-interface-list=none

9)
/tool bandwidth-server set enabled=no 

10)
/ip dns set allow-remote-requests=no

11)
/ip ssh set strong-crypto=yes

12)
/ip service set ssh port=2200

13)

Create address list which includes different subnets (basically all subnets which should not exist in public network):

/ip firewall address-list
 add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
 add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
 add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
 add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
 add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
 add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
 add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
 add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
 add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
 add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
 add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
 add address=240.0.0.0/4 comment=RFC6890 list=NotPublic

Create firewall filter rules to protect router from incoming (input) connections:

/ip firewall filter

add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge1 comment="Allow LAN access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge1 comment="Allow LAN access to router and Internet"
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"


14)
SSH access subnet.
/ip service set ssh address=192.168.1.0/24

15)
/system note set show-at-login=yes
/system note set note="This is a private network - Authorized administrators only. Access to this device is monitored."

16)
/ip settings set rp-filter=strict

17)
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org



Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Posted: Tue Aug 06, 2019 7:14 pm
by Sob
It looks ok.

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Posted: Tue Aug 06, 2019 7:26 pm
by martin4030
I did change:

Firewall

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge1->ether2 comment="Allow LAN access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge1->ether2 comment="Allow LAN access to router and Internet"
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Posted: Tue Aug 06, 2019 7:26 pm
by martin4030
Thanks for the help, and support and review :)
I did change:

Firewall

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Accept established related"
add action=accept chain=input in-interface=bridge1->ether2 comment="Allow LAN access to router and Internet"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related comment="Accept established related"
add action=accept chain=forward connection-state=new in-interface=bridge1->ether2 comment="Allow LAN access to router and Internet"
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"

Re: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+

Posted: Tue Aug 06, 2019 7:30 pm
by Sob
Sorry, I missed that one, usually the LAN is bridge and I'm looking at too many configs at the same time.
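
Added example, not part of the thread and not MikroTik tooling: a small Python linter over `export` text that flags the points this thread turned on, namely a default route whose gateway is an interface name, a filter rule naming an interface that appears nowhere else in the config (the bridge1/ether2 slip), an address list such as NotPublic that no filter rule matches on, and a chain that does not end in an unconditional drop. The sample config is constructed from fragments posted above; the checks are heuristics and the finding names are invented for this example.

```python
import re

# Constructed sample stitched from fragments posted in this thread.
SAMPLE = """\
/interface list member
add interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip route
add distance=1 gateway=ether1
/ip firewall address-list
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=bridge1 comment="Allow LAN"
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward connection-state=established,related
"""

def parse_export(text):
    """Return [(menu, {key: value})] for every add/set line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines continued with a backslash
    menu, items = "", []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            items.append((menu, {k: v.strip('"') for k, v in pairs}))
    return items

def audit(text):
    """Return (finding, subject) tuples; heuristics, not a RouterOS validator."""
    items = parse_export(text)
    fw = [p for m, p in items if m == "/ip firewall filter"]
    # Interfaces the non-firewall config refers to (addresses, lists, DHCP...).
    known = {p[k] for m, p in items if not m.startswith("/ip firewall")
             for k in ("interface", "default-name") if k in p}
    out = [("route-gateway-is-interface", p["gateway"]) for m, p in items
           if m == "/ip route" and p.get("gateway") in known]
    out += [("unknown-interface", p[k]) for p in fw
            for k in ("in-interface", "out-interface") if k in p and p[k] not in known]
    used = {p[k] for p in fw for k in ("src-address-list", "dst-address-list") if k in p}
    lists = {p["list"] for m, p in items if m == "/ip firewall address-list"}
    out += [("unused-address-list", name) for name in sorted(lists - used)]
    for chain in ("input", "forward"):
        rules = [p for p in fw if p.get("chain") == chain]
        last = rules[-1] if rules else {}  # no rules at all means default accept
        if last.get("action") != "drop" or set(last) - {"action", "chain", "comment"}:
            out.append(("chain-not-closed", chain))
    return out

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```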