I just installed a Mikrotik router between my internet gateway (on ether1) and my internal network. Everything works fine, except that I can no longer reach my internet gateway from the LAN. The router itself is also unable to ping the gateway when the ping is sourced from any interface other than ether1. I have tried many things so far without success. Here is my configuration as shown by export:
# apr/11/2020 12:43:18 by RouterOS 6.46.5
# software id = LM7B-KZT4
#
# model = RB760iGS
# serial number = A36A0A955502
# Topology visible in this export: ether1 = upstream side (192.168.2.3/24,
# default route via 192.168.2.254); ether2-5 + sfp1 are bridged into
# "bridge" = LAN (192.168.1.2/24); a PPP/VPN pool lives in 192.168.89.0/24.
/interface bridge
add admin-mac=74:4D:28:C8:A7:FC auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.101-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# *FFFFFFFE is the internal id of the default PPP profile; VPN peers get
# 192.168.89.1 as their peer address and an address from the "vpn" pool.
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# Only the bridge is in LAN and only ether1 is in WAN; PPP/VPN interfaces are
# in neither list, so list-based filter rules below do not match them.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.2/24 comment=defconf interface=bridge network=\
192.168.1.0
# Router's own address on the upstream segment. Traffic arriving from the
# upstream gateway is addressed to this IP (192.168.2.3), not to 192.168.2.254.
add address=192.168.2.3/24 interface=ether1 network=192.168.2.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.2 gateway=\
192.168.1.2 netmask=24
/ip dns
# allow-remote-requests=yes turns the router into a DNS resolver for any
# source; keeping it off the upstream side relies on the input-chain rule
# "drop all not coming from LAN" below.
set allow-remote-requests=yes servers=192.168.2.254
/ip dns static
add address=192.168.1.2 name=router.lan
add address=192.168.1.45 name=testserver
/ip firewall filter
# Input chain (traffic to the router itself). Rule order matters: the
# disabled VPN accepts sit before the "drop invalid" / "drop not from LAN"
# rules so they will take effect if enabled.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP to the router is accepted from any interface, including ether1.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain (traffic through the router).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Last forward rule: new connections entering on WAN are only allowed if a
# dstnat rule already rewrote their destination.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Redundant with the rule above: ether1 is the only WAN list member.
add action=masquerade chain=srcnat out-interface=ether1
# NOTE(review): these dstnat rules match on dst-address=192.168.2.254 (the
# upstream gateway) with no in-interface restriction. Traffic coming from
# upstream is addressed to the router's own 192.168.2.3, so it never matches
# here; what does match is any LAN host connecting to the gateway on
# 80/443/9001/8000/554, which is then redirected to 192.168.1.12 / .50.
# This is consistent with the reported inability to reach the gateway from
# the LAN. If the intent is inbound port forwarding, the rules should match
# the router's WAN address (192.168.2.3) and/or in-interface-list=WAN
# instead -- confirm the intended direction before changing.
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=80 \
protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=443 \
protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=9001 \
protocol=tcp to-addresses=192.168.1.12 to-ports=9001
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=8000 \
protocol=tcp to-addresses=192.168.1.50 to-ports=8000
add action=dst-nat chain=dstnat dst-address=192.168.2.254 dst-port=554 \
protocol=tcp to-addresses=192.168.1.50 to-ports=554
# VPN clients are masqueraded regardless of egress interface (no
# out-interface match), so this also applies to VPN-to-LAN traffic.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
# The three rules below are disabled (earlier troubleshooting attempts?) and
# currently have no effect. The disabled dst-nat with to-addresses=
# 192.168.2.0/24 would rewrite LAN-originated TCP to an arbitrary address in
# the upstream subnet if enabled -- leave disabled.
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.2.254 \
out-interface=ether1 to-addresses=192.168.2.3
add action=dst-nat chain=dstnat disabled=yes protocol=tcp src-address=\
192.168.1.0/24 to-addresses=192.168.2.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.2.0/24 \
out-interface=ether1
/ip route
# Default route via the upstream gateway. NOTE(review): a ping sourced from
# the bridge or a VPN address leaves toward 192.168.2.254 with a 192.168.1.x
# or 192.168.89.x source unless the masquerade rules rewrite it; whether the
# upstream gateway has a return route to those networks is not visible in
# this export -- verify on the gateway.
add distance=1 gateway=192.168.2.254