hholm
just joined
Topic Author
Posts: 4
Joined: Mon May 04, 2020 6:12 pm

webtrafic not working

Mon May 04, 2020 6:25 pm

Hello,

I have a strange problem.. on a CCR1009-7G-1C-1S+

"wan" interface = combo1
DHCP client is enabled

"LAN" = LAN-Bridge
DHCP server is running

Issue:
When interface "COMBO1" is assigned a private IP from my cablemodem (cable modem is NAT'ing) - everything works fine. ping, DNS and web for the clients connected to the LAN-Bridge

When I change my cable modem to "bridge-mode" - the interface "combo1" is assigned a public IP address (including gw+dns servers) - and the only things working for the clients are ping + DNS lookup - web traffic doesn't work


What have I missed?

Current Config:
/interface bridge
add name=LAN-Bridge
/caps-man configuration
add country=denmark datapath.bridge=LAN-Bridge name=BSV6 security.authentication-types=wpa2-psk security.passphrase=XXXX ssid=XXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.56.100-192.168.56.200
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=LAN-Bridge name=dhcp2
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man access-list
add action=accept interface=all signal-range=-80..120
add action=reject interface=all signal-range=-120..-81
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=LAN-Bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=BSV6
/interface bridge port
add bridge=LAN-Bridge interface=ether6
add bridge=LAN-Bridge interface=ether7
/ip address
add address=192.168.56.1/24 interface=LAN-Bridge network=192.168.56.0
/ip dhcp-client
add disabled=no interface=combo1
/ip dhcp-server network
add address=192.168.56.0/24 dns-server=8.8.8.8 gateway=192.168.56.1
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked in-interface=combo1 log=yes log-prefix=allowd out-interface=LAN-Bridge
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=NAT_MASQ out-interface=combo1 src-address=192.168.56.0/24
/system clock
set time-zone-name=Europe/Copenhagen
 
bpwl
Long time Member
Posts: 553
Joined: Mon Apr 08, 2019 1:16 am

Re: webtrafic not working

Mon May 04, 2020 10:22 pm

Question: how does your cable modem identify itself to the Internet service provider?
Is there a username/password, or is it based on the MAC address of the cable modem?
When the cable modem is not in bridge mode, does it get a similar IP address? (sometimes you get an IP address that is the basis for the real login handshake)
 
hholm
just joined
Topic Author
Posts: 4
Joined: Mon May 04, 2020 6:12 pm

Re: webtrafic not working

Mon May 04, 2020 10:30 pm

The modem is having a simulator IP address, 100.x.x.x

Identification is MAC based
 
bpwl
Long time Member
Posts: 553
Joined: Mon Apr 08, 2019 1:16 am

Re: webtrafic not working

Mon May 04, 2020 11:09 pm

> The modem is having a simulator IP address, 100.x.x.x
>
> Identification is MAC based

The same MAC may be required in the CCR1009 WAN port ...just a guess
 
hholm
just joined
Topic Author
Posts: 4
Joined: Mon May 04, 2020 6:12 pm

Re: webtrafic not working

Fri May 08, 2020 8:56 am

Hi again,

I can see all ICMP + UDP traffic is working...

all TCP connections are stuck in "state" = Syn SENT

incoming logon attempts to the router itself are logged in the firewall log


any hint ?
 
anav
Forum Guru
Posts: 4159
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: webtrafic not working

Fri May 08, 2020 6:20 pm

Not 100% sure of these two rules.....
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked in-interface=combo1 log=yes log-prefix=allowd out-interface=LAN-Bridge
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=NAT_MASQ out-interface=combo1 src-address=192.168.56.0/24

Typically the rules look like this.
(1)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, " connection-state=\
    established,related
(2)
/ip firewall nat (for a dynamic wanip)
add action=masquerade chain=srcnat comment="Outgoing traffic" \
    ipsec-policy=out,none out-interface=your ISP eth port

(1) There is no need for in interface or out interface portions that I am aware of?
(2) Masquerade rule does not normally have a source address?

As well, without a full config and a bonus of a network diagram it's hard to know.
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
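
Added example, not part of any post in this thread: RouterOS accepts packets that match no filter rule, so this Python audit of the posted export shows what the firewall actually enforces once combo1 holds a public address. The function names and the wan parameter are assumptions of this example, and the sample is constructed from the firewall sections of the export above.

```python
import shlex

# Constructed sample: the firewall sections of the export posted at the top of the thread.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked in-interface=combo1 log=yes log-prefix=allowd out-interface=LAN-Bridge
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=NAT_MASQ out-interface=combo1 src-address=192.168.56.0/24
"""

def parse_export(text):
    """Return {menu path: [rule dict, ...]} for every 'add' line of an export."""
    rules, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rules.setdefault(menu, []).append(dict(pairs))
    return rules

def audit(text, wan="combo1"):
    """Flag filter chains that never drop and a missing masquerade rule on the WAN port."""
    rules = parse_export(text)
    findings = []
    for chain in ("input", "forward"):
        in_chain = [r for r in rules.get("/ip firewall filter", []) if r.get("chain") == chain]
        if not any(r.get("action") in ("drop", "reject") for r in in_chain):
            findings.append(f"{chain}: {len(in_chain)} rule(s), none drops or rejects; "
                            "unmatched packets are accepted")
    nat = rules.get("/ip firewall nat", [])
    if not any(r.get("action") == "masquerade" and r.get("out-interface") == wan for r in nat):
        findings.append(f"srcnat: no masquerade rule with out-interface={wan}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

On the posted export this reports both the input and the forward chain: the single accept rule changes nothing, and nothing filters connections to the router itself on combo1.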
 
hholm
just joined
Topic Author
Posts: 4
Joined: Mon May 04, 2020 6:12 pm

Re: webtrafic not working

Fri May 22, 2020 5:10 pm

Thank you all for the information...

I've got the cablemodem replaced, and everything works like I expected :)
