ikhlasulamal
just joined
Topic Author
Posts: 8
Joined: Thu May 07, 2020 2:42 am

Failed to connect to internet

Sat May 09, 2020 8:08 pm

After performing NetInstall on my RB 941-2nD (hAP Lite), the installation was successful but, very sorry, we can't connect to the internet.
Test result:
  1. Default configuration was applied.
  2. Ping to all local IPs works well (all 192.168.2.*, all 192.168.1.*, modem's public IP).
  3. Ping to ISP's DNS fails. The same problem occurs with all IPs out there.

Otherwise, connecting the laptop directly to the modem allows me to connect to the internet, so I conclude that this is not about my modem. I have also checked the default NAT and firewall rules; all look fine.

Note that this problem did not occur before NetInstall, I had used the box for my home about ten days before.

Does anyone have suggestions on how I should start debugging this problem? A bit strange for an unusual problem.

Thank you in advance.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Failed to connect to internet

Sat May 09, 2020 8:47 pm

Sure, please post your config here.
/export hide-sensitive file=anynameyouwish
 
ikhlasulamal
just joined
Topic Author
Posts: 8
Joined: Thu May 07, 2020 2:42 am

Re: Failed to connect to internet

Sat May 09, 2020 9:24 pm

Thank you. Here is my config:

# jan/02/1970 18:05:12 by RouterOS 6.46.5
# software id = YCEF-KZ52
#
# model = RB941-2nD
# serial number = D1130BA3F321
/interface bridge
add admin-mac=C4:AD:34:C9:6E:47 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=indonesia disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-C96E4B \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.128-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=\
    192.168.2.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.1.1
/system logging
add topics=debug
add disabled=yes topics=packet
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Failed to connect to internet

Sat May 09, 2020 9:31 pm

/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
Set the address on your Bridge Interface and not on the ether2 slave Interface...
 
ikhlasulamal
just joined
Topic Author
Posts: 8
Joined: Thu May 07, 2020 2:42 am

Re: Failed to connect to internet

Sat May 09, 2020 11:09 pm

I have returned the router to the default configuration; it uses bridge rather than ether1, but it still fails. Copy of the default configuration:

# jan/02/1970 00:07:03 by RouterOS 6.46.5
# software id = YCEF-KZ52
#
# model = RB941-2nD
# serial number = D1130BA3F321
/interface bridge
add admin-mac=C4:AD:34:C9:6E:47 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-C96E4B wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This,

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Failed to connect to internet

Sun May 10, 2020 4:09 am

Zach is correct, your config was in error - logically the IP address and the DHCP server have to match, aka the bridge is the interface!

You have a static WANIP and thus need to adjust accordingly.
First disable DHCP CLIENT,
(/ip dhcp-client
add comment=defconf disabled=yes interface=ether1)
Then add the static information
Go to ip address
add 192.168.1.2/24 for interface ethernet1
Then go to routes.
add route
destination address 0.0.0.0
gatewayIP 192.168.1.1
go to IP DNS, add to the top line 9.9.9.9, 1.1.1.1 for example
(and get rid of the default static DNS setting that's there)
now to check if you have connectivity....
go to system packages and ensure it can get updates
go to terminal window and ping www.google.com for example

One would have to ensure the sourcenat rule is for a static fixed WANIP.
For example your sourcenat rule should be.....................
from
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
to
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 comment="defconf: masquerade" \
ipsec-policy=out,none to-addresses=192.168.1.2
 
ikhlasulamal
just joined
Topic Author
Posts: 8
Joined: Thu May 07, 2020 2:42 am

Re: Failed to connect to internet

Sun May 10, 2020 8:30 am

Thank you, I can understand all the logics about IP addresses and related routings; but after modifying configurations to follow suggestions above, ping to 8.8.8.8 still got timeout responses.

Are there any other possibilities regarding this problem? Packet corrupt, for example.

Any suggestions are appreciated.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Failed to connect to internet

Sun May 10, 2020 3:54 pm

post your config after your changes and will have a look/review........
 
ikhlasulamal
just joined
Topic Author
Posts: 8
Joined: Thu May 07, 2020 2:42 am

Re: Failed to connect to internet

Sun May 17, 2020 11:54 pm

First, thank you for your help.

Here is the configuration

# jan/02/1970 04:56:35 by RouterOS 6.46.5
# software id = YCEF-KZ52
#
# model = RB941-2nD
# serial number = D1130BA3F321
/interface bridge
add admin-mac=C4:AD:34:C9:6E:47 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=indonesia disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-C96E4B \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.128-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=wlan1 network=\
    192.168.2.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface=ether1 to-addresses=192.168.1.2
/ip route
add distance=1 dst-address=0.0.0.0/32 gateway=192.168.1.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Failed to connect to internet

Mon May 18, 2020 1:40 am

What is 192.168.1.1 doing here (wanip is not correct)............ replace it with 1.1.1.1, 9.9.9.9 two of the ones that I use for dns.
/ip dns
set allow-remote-requests=yes servers=192.168.1.1 ????

This ip address is wrong and confusing. The interface for 192.168.2.1 is the BRIDGE remember.....
(/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf)
/ip address
add address=192.168.2.1/24 comment=defconf interface=wlan1 network=\
192.168.2.0

Okay so what you are saying here is that the ether1 is your wan and you get a fixed IP of 192.168.1.2 >??
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0

This is a leftover from the default config hard to find (look at IP DNS static) and just get rid of it.
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan

It seems you are missing the interface list members??
ether1 should be associated with WAN
Bridge should be associated with LAN

This one I would not allow as I don't see the purpose especially from a security perspective.
/tool mac-server
set allowed-interface-list=LAN

Rest looks good!
Fix the above items and you should have success!
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Failed to connect to internet

Mon May 18, 2020 2:04 am

Your LAN IP is on the wrong interface. It should be on bridge.
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=192.168.2.0
Also your default route is wrong. It should be:
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1
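
Added example, not part of any post in this thread: a small Python check over a RouterOS /export that flags the mistakes diagnosed above (LAN address on a bridge port, a default route written as 0.0.0.0/32 or left disabled, a DHCP server on an interface that has no address). The function names and finding codes are hypothetical, the sample is constructed from the May 17 export, and an omitted dst-address is assumed to mean 0.0.0.0/0.

```python
import ipaddress
import shlex

# Constructed sample: sections taken from the export posted on May 17 in this thread.
SAMPLE_EXPORT = r"""
/interface bridge
add admin-mac=C4:AD:34:C9:6E:47 auto-mac=no comment=defconf name=bridge
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.2.1/24 comment=defconf interface=wlan1 network=\
    192.168.2.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip route
add distance=1 dst-address=0.0.0.0/32 gateway=192.168.1.1
"""


def parse_export(text):
    """Return (menu, verb, params) tuples from a RouterOS export."""
    entries, menu, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # the export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # menu path such as "/ip address"
            menu = line
            continue
        tokens = shlex.split(line)  # keeps quoted comments as one token
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((menu, tokens[0], params))
    return entries


def lint(entries):
    """Return (code, message) findings for the mistakes discussed in the thread."""
    findings = []
    ports = {p["interface"]: p["bridge"] for m, v, p in entries
             if m == "/interface bridge port" and v == "add"}
    addr_ifaces = set()
    for menu, verb, p in entries:
        if verb != "add":
            continue
        if menu == "/ip address":
            iface = p["interface"]
            addr_ifaces.add(iface)
            if iface in ports:
                findings.append(("address-on-bridge-port",
                                 f"{p['address']} is on {iface}, a port of "
                                 f"{ports[iface]}; assign it to {ports[iface]}"))
        elif menu == "/ip route":
            # Assumption: an omitted dst-address means 0.0.0.0/0.
            dst = ipaddress.ip_network(p.get("dst-address", "0.0.0.0/0"), strict=False)
            if int(dst.network_address) != 0:
                continue  # not a candidate default route
            if dst.prefixlen != 0:
                findings.append(("default-route-prefix",
                                 f"{dst} matches a single host; use 0.0.0.0/0"))
            elif p.get("disabled") == "yes":
                findings.append(("default-route-disabled",
                                 f"default route via {p.get('gateway')} is disabled"))
    for menu, verb, p in entries:
        if menu == "/ip dhcp-server" and verb == "add" and p["interface"] not in addr_ifaces:
            findings.append(("dhcp-server-without-address",
                             f"DHCP server runs on {p['interface']} but no address is set there"))
    return findings


if __name__ == "__main__":
    for code, message in lint(parse_export(SAMPLE_EXPORT)):
        print(f"{code}: {message}")
```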
 
ikhlasulamal
just joined
Topic Author
Posts: 8
Joined: Thu May 07, 2020 2:42 am

Re: Failed to connect to internet

Mon May 18, 2020 12:15 pm

I have fixed as suggested:

1. Addresses:
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.2.1/24     192.168.2.0     bridge
 1   192.168.1.2/24     192.168.1.0     ether1

2. Routings:
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.1               1
 1 ADC  192.168.1.0/24     192.168.1.2     ether1                    0
 2 ADC  192.168.2.0/24     192.168.2.1     bridge                    0

3. NAT:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=src-nat to-addresses=192.168.1.2 out-interface=ether1 log=no log-prefix="" ipsec-policy=out,none
Question: should action be src-nat or masquerade?

Ping results:

Modem's LAN IP
[admin@MikroTik] > /ping 192.168.1.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.1.1                                56  64 1ms
    1 192.168.1.1                                56  64 0ms
    2 192.168.1.1                                56  64 0ms
    3 192.168.1.1                                56  64 0ms
    sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms

Modem's public IP
[admin@MikroTik] > /ping 10.240.148.210
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 10.240.148.210                             56  64 1ms
    1 10.240.148.210                             56  64 0ms
    2 10.240.148.210                             56  64 0ms
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms

ISP's DNS
[admin@MikroTik] > /ping 118.98.44.10
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 118.98.44.10                                            timeout
    1 118.98.44.10                                            timeout
    2 118.98.44.10                                            timeout
    sent=3 received=0 packet-loss=100%

Note that I did not touch Mikrotik's DNS section, because my priority for now is to make sure connection to outside of the modem is reached.

Configurations as exported:
# jan/02/1970 07:35:06 by RouterOS 6.46.5
# software id = YCEF-KZ52
#
# model = RB941-2nD
# serial number = D1130BA3F321
/interface bridge
add admin-mac=C4:AD:34:C9:6E:47 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=indonesia disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-C96E4B \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.128-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=30m name=\
    defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface=ether1 to-addresses=192.168.1.2
/ip route
add distance=1 gateway=192.168.1.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Failed to connect to internet

Mon May 18, 2020 2:42 pm

For a fixed wanip, src-nat is correct.
You were given advice on DNS and IP route already.................. lead a horse to water..............
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Failed to connect to internet

Mon May 18, 2020 3:03 pm

1. & 2. look good.
3. action=src-nat is normally used when you have multiple IPs on your WAN interface. Using src-address as an example, you could have 1 internal IP use one external IP while the rest of your internal IPs use another.
action=masquerade is the default because it works well with a single IP on WAN and is the best way to deal with a dynamic WAN IP. It also works well when you have multiple WANs or want to change your WAN port. If you use out-interface-list instead of out-interface, then all you have to do is to add the new interface to the interface-list and your firewall rules will apply to the new interfaces.
Note: you don't need to specify to-addresses when using masquerade.

Your DNS is fine as is as long as the modem does provide DNS.

Since you can ping the modem from the Mikrotik, your issue most likely will be with the modem. Some ISPs require the MAC of the router to be registered with them. Some modems simply require a reboot for a new router to work.

10.240.148.210 is not an actual public IP. Is it possible your modem is on bridge mode which would require you to need a PPPOE connection on the Mikrotik?
 
ikhlasulamal
just joined
Topic Author
Posts: 8
Joined: Thu May 07, 2020 2:42 am

Re: Failed to connect to internet

Mon May 18, 2020 11:33 pm

> 1. & 2. look good.
> 3. action=src-nat is normally used when you have multiple IPs on your WAN interface. Using src-address as an example, you could have 1 internal IP use one external IP while the rest of your internal IPs use another.
> action=masquerade is the default because it works well with a single IP on WAN and is the best way to deal with a dynamic WAN IP. It also works well when you have multiple WANs or want to change your WAN port. If you use out-interface-list instead of out-interface, then all you have to do is to add the new interface to the interface-list and your firewall rules will apply to the new interfaces.
> Note: you don't need to specify to-addresses when using masquerade.

Thank you for the explanation.

> Your DNS is fine as is as long as the modem does provide DNS.
>
> Since you can ping the modem from the Mikrotik, your issue most likely will be with the modem. Some ISPs require the MAC of the router to be registered with them. Some modems simply require a reboot for a new router to work.
>
> 10.240.148.210 is not an actual public IP. Is it possible your modem is on bridge mode which would require you to need a PPPOE connection on the Mikrotik?

Yes, the modem has DNS server.

I also thought about this possibility: an issue in the modem, referring to the ping results; however, this issue did not exist before Netinstall was used. It is a simple modem having a socket for RJ45 and a wireless interface. No special configurations or firewall rules.

Thank you, anyway.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Failed to connect to internet

Tue May 19, 2020 5:14 am

If you plug into the modem directly with your PC or connect to its wireless, do you get an IP from it? Are you able to browse the Internet or ping Internet IPs?

If you are having to set an IP in the range of your modem to ping it / access its web interface, then it is most likely in bridge mode. This would require you to need to set up a PPPOE client (or some other way) on the Mikrotik to actually receive your Public IP.

I have had a device that I netinstalled not operate correctly afterward and required a second netinstall.
 
ikhlasulamal
just joined
Topic Author
Posts: 8
Joined: Thu May 07, 2020 2:42 am

Re: Failed to connect to internet

Tue May 19, 2020 8:45 am

> I have had a device that I netinstalled not operate correctly afterward and required a second netinstall.

Will try this afternoon. Thanks for the idea.
