Newbie: Access to modem behind router

Sz4r1ej · Sat Jun 27, 2020 8:32 am

Hello

I'm very new to Mikrotik and have a small problem of accessing Virgin ISP modem through Mikrotik hAP ac.
DHCP is enabled. Any pointer would and explanation would be greatly appreciated
My configuration file :

# jun/26/2020 18:14:41 by RouterOS 6.47
# software id = FIZY-JWRI
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706DFBAA7
/interface bridge
add admin-mac=6C:3B:6B:11:E6:A1 auto-mac=no comment=defconf fast-forward=no \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] full-duplex=no rx-flow-control=on \
    tx-flow-control=on
set [ find default-name=ether2 ] name=ether2-master rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] auto-negotiation=no
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm \
    group-key-update=23h59m mode=dynamic-keys name=WEP static-algo-0=\
    40bit-wep static-key-0=42c96e4136 supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=42c96e4136
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
    security-profile=WEP ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40mhz-Ce country=no_country_set disabled=no distance=\
    indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
    security-profile=WEP ssid="MT Szarlej" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.87.2-192.168.87.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp authoritative=after-2sec-delay disabled=no \
    interface=bridge lease-time=23h name=defconf
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=vlan1 list=discover
/interface wireless access-list
add interface=wlan1 mac-address=68:17:29:9E:D3:BA
add interface=wlan1 mac-address=00:D7:3B:9D:B0:11
/interface wireless connect-list
add interface=wlan1 mac-address=68:17:29:9E:D3:BA security-profile=WEP
add interface=wlan1 mac-address=00:D7:3B:9D:B0:11 security-profile=WEP
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server lease
add address=192.168.88.249 client-id=1:2c:56:dc:3b:30:94 mac-address=\
    2C:56:DC:3B:30:94 server=defconf
add address=192.168.88.165 client-id=1:68:17:29:9e:d3:ba mac-address=\
    68:17:29:9E:D3:BA server=defconf
add address=192.168.88.166 client-id=1:0:d7:3b:9d:b0:11 mac-address=\
    00:D7:3B:9D:B0:11 server=defconf
add address=192.168.88.149 client-id=1:b0:5a:da:87:49:8c mac-address=\
    B0:5A:DA:87:49:8C server=defconf
add address=192.168.88.133 client-id=1:b0:5a:da:87:49:8e mac-address=\
    B0:5A:DA:87:49:8E server=defconf
add address=192.168.88.131 client-id=1:b0:5a:da:87:49:8d mac-address=\
    B0:5A:DA:87:49:8D server=defconf
add address=192.168.88.100 mac-address=00:0C:29:D8:E7:80 server=defconf
/ip dhcp-server network
add address=192.168.87.0/24 dns-server=192.168.87.1 gateway=192.168.87.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router type=A
add address=192.168.88.1 name=Router.os ttl=5m type=A
add address=192.168.88.133 name=vmware ttl=5m type=A
add address=192.168.88.147 name=Home-dc01 type=A
add address=192.168.88.145 name=Home-util01 type=A
add address=192.168.88.133 name=ilocz1545012c ttl=2s type=A
add address=192.168.88.100 name=ftpserver type=A
/ip firewall address-list
add list=Fantasy_Grounds
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
/ip service
set www-ssl disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/London
/system leds
set 1 interface=wlan2

dimpat · Wed Nov 11, 2020 8:19 pm

I 'd like to continue on this post, as I have the same problem and I don't want to start a new with the same title.

I have my ISP modem as a bridge and my mikrotik as a router (+pppoe)
Modem IP 192.168.1.1
Mikrotik ether1 pppoe IP WAN IP & 192.168.1.2
Mikrotik ether2-ether5 = bridge with IP 192.168.19.254
My local LAN devices are connected to ether2-ether5

I want to access the modem's web page at 192.168.1.1 from my LAN but I can't.
I can ping the modem from mikrotik but not from my lan.
I have set the following firewall rules but no success.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface=pppoe-out1 protocol=icmp
add action=drop chain=input comment="Block anything else" in-interface=pppoe-out1

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.19.0/24 out-interface=bridge1 \
    src-address=192.168.19.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="NAT to Modem" out-interface=ether1-ToModem

If I connect a cable from ether2 to modem's lan2 I can access the modem web but I think it's not the proper way.
Can someone help here?
Thank you.

erkexzcx · Thu Nov 12, 2020 7:32 pm

Is this what you are trying to achieve?

LAN <--> Mikrotik router <--> Modem <--> Internet

mkx · Thu Nov 12, 2020 7:51 pm

This setting should allow the connections

add action=masquerade chain=srcnat comment="NAT to Modem" out-interface=ether1-ToModem

If it's not, then there's some other setting interfering. Post full config if you want us to help you find the problem.

dimpat · Fri Nov 13, 2020 1:55 pm

my config is the flollowing:

# nov/13/2020 13:46:45 by RouterOS 6.47.7
# software id = 4I2K-XZX3
#
# model = RouterBOARD 750G r3
# serial number = aabbccddee
/interface bridge
add admin-mac=6C:3B:6B:7D:98:A2 auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="Connection to Internet Modem" name=\
    ether1-ToModem speed=100Mbps
set [ find default-name=ether2 ] name=ether2-ToModemLAN speed=100Mbps
set [ find default-name=ether3 ] name=ether3-home speed=100Mbps
set [ find default-name=ether4 ] name=ether4-ubnt speed=100Mbps
set [ find default-name=ether5 ] name=ether5-nap speed=100Mbps
/interface pppoe-client
add add-default-route=yes comment="Dial internet connection" disabled=no \
    interface=ether1-ToModem keepalive-timeout=60 name=pppoe-out1 \
    service-name=Cyta use-peer-dns=yes user=username
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.19.160-192.168.19.189
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge1 name=myDHCP
/queue type
add kind=pcq name=PCQ_download pcq-classifier=dst-address pcq-rate=32M
add kind=pcq name=PCQ_upload pcq-classifier=src-address pcq-rate=3M
/queue simple
add disabled=yes name="All bandwidth" queue=PCQ_upload/PCQ_download target=\
    pppoe-out1
add name=pppoe-out1 queue=default/default target=pppoe-out1 total-queue=\
    default
add name=QoS_1 packet-marks=QoS_1 parent=pppoe-out1 priority=1/1 queue=\
    default/default target=pppoe-out1 total-queue=default
add name=QoS_2 packet-marks=QoS_2 parent=pppoe-out1 priority=2/2 queue=\
    default/default target=pppoe-out1 total-queue=default
add name=QoS_7 packet-marks=QoS_7 parent=pppoe-out1 priority=7/7 queue=\
    default/default target=pppoe-out1 total-queue=default
add name=QoS_8 packet-marks=QoS_8 parent=pppoe-out1 queue=default/default \
    target=pppoe-out1 total-queue=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3-home
add bridge=bridge1 interface=ether4-ubnt
add bridge=bridge1 interface=ether5-nap
add bridge=bridge1 interface=ether2-ToModemLAN
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge1 list=discover
add interface=ether3-home list=discover
add interface=ether4-ubnt list=discover
add interface=ether5-nap list=discover
add interface=pppoe-out1 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
add interface=ether2-ToModemLAN list=discover
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.19.254/24 comment=defconf interface=bridge1 network=\
    192.168.19.0
add address=192.168.1.2/24 interface=ether1-ToModem network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.19.211 client-id=1:e0:b9:4d:ed:ca:88 comment="PanTilt 01" \
    mac-address=E0:B9:4D:ED:CA:88 server=myDHCP
add address=192.168.19.212 client-id=1:e0:b9:4d:ed:9c:78 comment="PanTilt 02" \
    mac-address=E0:B9:4D:ED:9C:78 server=myDHCP
add address=192.168.19.214 comment=Balcony mac-address=E0:62:90:57:C1:15 \
    server=myDHCP
add address=192.168.19.215 comment=Roof mac-address=00:12:12:37:E1:3B server=\
    myDHCP
/ip dhcp-server network
add address=192.168.19.0/24 comment=defconf dns-server=192.168.19.10 gateway=\
    192.168.19.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.19.254 name=router
/ip firewall address-list
add address=aabbccddee.sn.mynetname.net comment="Get wan-ip" list=WAN1-IP
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface=\
    pppoe-out1 protocol=icmp
add action=accept chain=input comment="defconf: allow Winbox" disabled=yes \
    in-interface=pppoe-out1 port=8291 protocol=tcp
add action=accept chain=input comment="defconf: allow SSH" disabled=yes \
    in-interface=pppoe-out1 port=22 protocol=tcp
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=ether1-ToModem
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="Block anything else" in-interface=\
    pppoe-out1
/ip firewall mangle
add action=mark-connection chain=forward comment=QoS_1_ICMP connection-state=\
    new new-connection-mark=QoS_1 out-interface=pppoe-out1 passthrough=yes \
    protocol=icmp
add action=mark-packet chain=forward connection-mark=QoS_1 new-packet-mark=\
    QoS_1 passthrough=no protocol=icmp
add action=mark-connection chain=prerouting comment=______DNS \
    connection-state=new dst-port=53 new-connection-mark=QoS_1 passthrough=\
    yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=QoS_1 dst-port=53 \
    new-packet-mark=QoS_1 passthrough=no protocol=udp
add action=mark-packet chain=forward comment=______ACK new-packet-mark=QoS_1 \
    packet-size=0-123 passthrough=no port=!80,443 protocol=tcp tcp-flags=ack
add action=mark-connection chain=forward comment=______HTTP-S_small \
    connection-state=new dst-port=80,443 new-connection-mark=QoS_1 \
    out-interface=pppoe-out1 passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-bytes=0-500000 \
    connection-mark=QoS_1 dst-port=80,443 new-packet-mark=QoS_1 passthrough=\
    no protocol=tcp
add action=mark-connection chain=forward comment=______NTP connection-state=\
    new dst-port=123 new-connection-mark=QoS_1 out-interface=pppoe-out1 \
    passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=QoS_1 dst-port=123 \
    new-packet-mark=QoS_1 passthrough=no protocol=udp
add action=mark-connection chain=forward comment=\
    QoS_2_FTP_SSH_Telnet_SMTP_POP3-S_SNTP_IMAP-S_SMTP-S connection-state=new \
    dst-port=20,21,22,23,25,110,143,465,587,993,995 new-connection-mark=QoS_2 \
    out-interface=pppoe-out1 passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=QoS_2 new-packet-mark=\
    QoS_2 passthrough=no
add action=mark-packet chain=forward comment=______HTTP-S_large \
    connection-bytes=500000-0 connection-mark=QoS_1 dst-port=80,443 \
    new-packet-mark=QoS_2 out-interface=pppoe-out1 passthrough=no protocol=\
    tcp
add action=mark-connection chain=forward comment=QoS_8_Torrents \
    connection-state=new dst-port=10000-65535 new-connection-mark=QoS_8 \
    out-interface=pppoe-out1 passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=new dst-port=\
    10000-65535 new-connection-mark=QoS_8 out-interface=pppoe-out1 \
    passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=QoS_8 new-packet-mark=\
    QoS_8 passthrough=no
add action=mark-connection chain=forward comment=QoS_7_all_others \
    connection-state=new new-connection-mark=QoS_7 out-interface=pppoe-out1 \
    passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=new \
    new-connection-mark=QoS_7 out-interface=pppoe-out1 passthrough=yes \
    protocol=udp
add action=mark-packet chain=forward connection-mark=QoS_7 new-packet-mark=\
    QoS_7 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.19.0/24 out-interface=bridge1 src-address=192.168.19.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="NAT to Modem" disabled=yes \
    out-interface=ether1-ToModem
/ip firewall service-port
set sip ports=5060,5061,5070
/ip service
set ssh port=22
set winbox address=192.168.19.0/24
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ipv6 firewall mangle
add action=mark-connection chain=forward comment=QoS_1_ICMP connection-state=\
    new new-connection-mark=QoS_1 out-interface=pppoe-out1 passthrough=yes \
    protocol=icmpv6
add action=mark-packet chain=forward connection-mark=QoS_1 new-packet-mark=\
    QoS_1 out-interface=pppoe-out1 passthrough=no protocol=icmpv6
add action=mark-packet chain=forward comment=______ACK in-interface=\
    pppoe-out1 new-packet-mark=QoS_1 packet-size=0-123 passthrough=no \
    protocol=tcp src-port=!80,443 tcp-flags=ack
add action=mark-packet chain=forward dst-port=!80,443 new-packet-mark=QoS_1 \
    out-interface=pppoe-out1 packet-size=0-123 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-connection chain=prerouting comment=______DNS \
    connection-state=new new-connection-mark=QoS_1 passthrough=yes port=53 \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=QoS_1 \
    new-packet-mark=QoS_1 passthrough=no port=53 protocol=udp
add action=mark-connection chain=forward comment=______HTTP-S \
    connection-state=new dst-port=80,443 new-connection-mark=QoS_1 \
    out-interface=pppoe-out1 passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=______HTTP-S_small \
    connection-bytes=0-500000 connection-mark=QoS_1 dst-port=80,443 \
    new-packet-mark=QoS_1 out-interface=pppoe-out1 passthrough=no protocol=\
    tcp
add action=mark-packet chain=forward comment=\
    QoS_2_HTTP-S_large_FTP_SSH_Telnet_SMTP_POP3-S_SNTP_IMAP-S_SMTP-S \
    connection-bytes=500000-0 connection-mark=QoS_1 dst-port=80,443 \
    new-packet-mark=QoS_2 out-interface=pppoe-out1 passthrough=no protocol=\
    tcp
add action=mark-connection chain=forward connection-state=new dst-port=\
    20,21,22,23,25,110,143,465,587,993,995 new-connection-mark=QoS_2 \
    out-interface=pppoe-out1 passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=QoS_2 new-packet-mark=\
    QoS_2 passthrough=no
add action=mark-connection chain=forward comment=QoS_8_Torrents \
    connection-state=new dst-port=10000-65535 new-connection-mark=QoS_8 \
    out-interface=pppoe-out1 passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=new dst-port=\
    10000-65535 new-connection-mark=QoS_8 out-interface=pppoe-out1 \
    passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=QoS_8 new-packet-mark=\
    QoS_8 passthrough=no
add action=mark-connection chain=forward comment=QoS_7_all_others \
    connection-state=new new-connection-mark=QoS_7 out-interface=pppoe-out1 \
    passthrough=yes protocol=tcp
add action=mark-connection chain=forward connection-state=new \
    new-connection-mark=QoS_7 out-interface=pppoe-out1 passthrough=yes \
    protocol=udp
add action=mark-packet chain=forward connection-mark=QoS_7 new-packet-mark=\
    QoS_7 passthrough=no
/ppp profile
set *FFFFFFFE local-address=dhcp remote-address=*2
/ppp secret
add disabled=yes name=myname profile=default-encryption
/system clock
set time-zone-name=Europe/Athens
/system ntp client
set enabled=yes primary-ntp=193.239.214.227 secondary-ntp=193.239.214.226
/system resource irq rps
set ether1-ToModem disabled=no
set ether3-home disabled=no
set ether4-ubnt disabled=no
set ether5-nap disabled=no
set ether2-ToModemLAN disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-interface=all filter-ip-address=192.168.19.189/32

mkx · Fri Nov 13, 2020 2:13 pm

This firewall filter rule:

add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=ether1-ToModem

It is intended to be with in-interface set to pppoe-out1.

And might be show-stopper as well.

BTW, your firewall (for chain=forward) is pretty basic, but it lacks one quite important rule:

add action=accept chain=forward connection-state=established,related,untracked

which is pretty similar to the one fast-tracking connections. It should be placed right after the fast-track rule and will take care of minority of packets, missed by the fast-track rule (there always are some).

anav · Fri Nov 13, 2020 2:20 pm

I am curious, these are not the default rules so I am assuming you put them in..

So please let me know the purpose of these two rules..................
add action=accept chain=input comment="defconf: allow Winbox" disabled=yes \
in-interface=pppoe-out1 port=8291 protocol=tcp
add action=accept chain=input comment="defconf: allow SSH" disabled=yes \
in-interface=pppoe-out1 port=22 protocol=tcp

By that I mean besides ensuring your router is compromised (if they were not disabled).
They should be removed regardless.

mkx · Fri Nov 13, 2020 2:29 pm

By that I mean besides ensuring your router is compromised (if they were not disabled).
They should be removed regardless.

Well ... I'd actually suggest that OP performs factory-reset on router, it will make a solid foundation. Then he can re-implement some of features (such as static DHCP leases or some QoS settings) if needed ... and only if changes are well understood (picking random settings from random youtube tutorials is sometimes dangerous).

dimpat · Fri Nov 13, 2020 2:38 pm

I was checking some things that's why I added some rules and then disabled. I am going to delete all disabled as soon as my router works the way I want.
@mkx The first rule is disabled. I have made the following changes but no luck.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface=pppoe-out1 protocol=icmp
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe-out1
add action=drop chain=input comment="Block anything else" in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.19.0/24 out-interface=bridge1 \
    src-address=192.168.19.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="NAT to Modem" disabled=yes out-interface=ether1-ToModem

dimpat · Fri Nov 13, 2020 2:54 pm

Well ... I'd actually suggest that OP performs factory-reset on router, it will make a solid foundation. Then he can re-implement some of features (such as static DHCP leases or some QoS settings) if needed ... and only if changes are well understood (picking random settings from random youtube tutorials is sometimes dangerous).

One last question before I perform a factory reset. Are there any default settings to use as a router (dial pppoe) or should I have to look for those somewhere?

mkx · Fri Nov 13, 2020 3:38 pm

I guess you could select PPPoE as WAN method from "Quick Set" (default Web interface mode). If not, it's not that hard to configure it:

Select WebFig (in upper right part of Web interface)
open PPP
click "Add New" -> "PPPoE Client"
click down arrow at "Interfaces" and then select interface connecting modem (e.g. ether1)
enter PPPoE username in User
click down arrow at "Password" and enter correct PPPoE password
make sure "Add Default Route" is enabled
you might want to enable "Use Peer DNS", it will instruct router to use DNS servers offered by ISP for its own needs. If you intend to set DNS servers manually, leave this setting unchecked
click OK
open "Interfaces" -> "Interface List", click "Add New", select list "WAN", select "pppoe-out1" as Interface and click OK

After this never ever select "Quick Set" again.

[edit] Forgot to write down the last bullet (#10). Which is very important as it actually allows you to use internet from LAN devices ... at the same time default config should also allow you to access modem (default config will probably run DHCP client on ether1 and ISP modem probably runs DHCP server so your router will automatically get IP address on ether1 interface).

dimpat · Fri Nov 13, 2020 3:46 pm

Thank you. I'll try it tonight.

anav · Fri Nov 13, 2020 11:06 pm

Two comments on the config.
I dont believe you need the bits in red! Get rid of it.

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.19.0/24 out-interface=bridge1 \
src-address=192.168.19.0/24

Second dont see your forward chain rules other than the first two???

dimpat · Sat Nov 14, 2020 11:25 am

I did a factory reset with the default configuration. The only changes I made are:
added ip 192.168.1.2 to ether1-ToModem (my modem has 192.168.1.1)
and added the rule

add action=masquerade chain=srcnat comment="NAT to Modem" out-interface=ether1-ToModem

My complete configuration now is :

# nov/14/2020 11:19:04 by RouterOS 6.47.7
# software id = 4I2K-XZX3
#
# model = RouterBOARD 750G r3
# serial number = aabbccddeeff
/interface bridge
add admin-mac=6C:3B:6B:7D:98:A2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ToModem
set [ find default-name=ether2 ] disabled=yes name=ether2-ModemLAN
set [ find default-name=ether3 ] name=ether3-Home
set [ find default-name=ether4 ] name=ether4-ubnt
set [ find default-name=ether5 ] name=ether5-nap
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ToModem name=\
    pppoe-out1 use-peer-dns=yes user=usename
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.19.160-192.168.19.189
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-ModemLAN
add bridge=bridge comment=defconf interface=ether3-Home
add bridge=bridge comment=defconf interface=ether4-ubnt
add bridge=bridge comment=defconf interface=ether5-nap
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-ToModem list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.19.254/24 comment=defconf interface=ether2-ModemLAN \
    network=192.168.19.0
add address=192.168.1.2 interface=ether1-ToModem network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1-ToModem
/ip dhcp-server network
add address=192.168.19.0/24 comment=defconf gateway=192.168.19.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.19.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT to Modem" out-interface=\
    ether1-ToModem
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Athens
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Now I can not even ping my modem from mikrotik

mkx · Sat Nov 14, 2020 12:03 pm

Since you followed the bullets I wrote the NAT rule you added is not necessary, the default masquerade rule covers connections towards modem as well.

Now: what do the following commands print out? (Redact your public IP address)

Code: Select all
```
/ip address print
```
Code: Select all
```
/ip route print
```

BTW, before @anav notices it: the LAN IP address should be set on bridge, not ether2-ModemLAN, specially so as the interface is disabled.

dimpat · Sat Nov 14, 2020 12:29 pm

changed my ip with 1.2.3.4

/ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; defconf
     192.168.19.254/24  192.168.19.0    bridge                                   
 1 D 1.2.3.4/32    46.103.127.1         pppoe-out1                               
 2   ;;; added to access modem from lan
     192.168.1.2/32     192.168.1.0     ether1-ToModem

/ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1                1
 1 ADC  46.103.127.1/32    1.2.3.4         pppoe-out1                0
 2 ADC  192.168.1.0/32     192.168.1.2     ether1-ToModem            0
 3 ADC  192.168.19.0/24    192.168.19.254  bridge                    0

mkx · Sat Nov 14, 2020 12:33 pm

Ah, sorry, previously I missed an error in your config:

/ip address
add address=192.168.1.2/24 interface=ether1-ToModem network=192.168.1.0

Since DHCP client, running on ether1-ToModem, doesn't get any lease, you can disable (or completely remove) it as well.

dimpat · Sat Nov 14, 2020 12:43 pm

Ah, sorry, previously I missed an error in your config:
/ip address
add address=192.168.1.2/24 interface=ether1-ToModem network=192.168.1.0
Since DHCP client, running on ether1-ToModem, doesn't get any lease, you can disable (or completely remove) it as well.

I have disabled the dhcp server on modem. That's why I have set a static IP on ether1-ToModem.
I have now disabled dhcp client on ether1-ToModem.

I edited IP address to 192.168.1.2/24 and I can now ping the modem from mikrotik. But not from LAN

dimpat · Sat Nov 14, 2020 4:23 pm

I give up.
I'll connect again the additional ethernet cable between ether2 of Mikrotik and lan2 of modem as I can't find another way to access my modem's GUI.
Thank you all for your answers.

bpwl · Sat Nov 14, 2020 5:00 pm

I give up.
I'll connect again the additional ethernet cable between ether2 of Mikrotik and lan2 of modem as I can't find another way to access my modem's GUI.
Thank you all for your answers.

If you can connect from LAN through ether2 of the Mikrotik, which is bridged just as the rest of LAN, then you are either using an IP address in the lan2 modem range, or the modem LAN2 has an IP range like the LAN. (192.168.19.0/24). Correct ?

Routing and NAT does not work if both ends are in the same subnet. (The hairpin used earlier is not for a WAN connection). A LAN definition on the modem should not have a subnet that is the same as your Mikrotik LAN. Answers for that subnet would not go to the Mikrotik if the LAN2 IP address was used.

dimpat · Sat Nov 14, 2020 5:27 pm

If you can connect from LAN through ether2 of the Mikrotik, which is bridged just as the rest of LAN, then you are either using an IP address in the lan2 modem range, or the modem LAN2 has an IP range like the LAN. (192.168.19.0/24). Correct ?

The modem has IP 192.168.1.1 while my LAN is 192.168.19.0/24. If I connect Mikrotik's ether2 to Modem's LAN2 I can access the modem from my pc because I have added 2 IPs to PC (192.168.19.19, 192.168.1.19).
But I can not ping the modem from Mikrotik unless I add 192.168.1.2 to Mikrotik ether1.
So Both ends are not in the same subnet.
If I disconnect the cable ether2<-->LAN2 and the ether1 has IP 192.168.1.2, Mikrotik can ping the Modem, but not from my PC.

bpwl · Sat Nov 14, 2020 5:38 pm

What IP address do you use to ping the MODEM?. 192.168.1.1?
If the PC at that moment has besides 192.168.19.19 also IP address 192.168.1.19 , it will look for 192.168.1.1 on its own L2 LAN environment (direct attached network) ,and would not use the 192.168.19.1 gateway (Mikrotik).

dimpat · Sat Nov 14, 2020 5:46 pm

What IP address do you use to ping the MODEM?. 192.168.1.1?
If the PC at that moment has besides 192.168.19.19 also IP address 192.168.1.19 , it will look for 192.168.1.1 on its own L2 LAN environment (direct attached network) ,and would not use the 192.168.19.1 gateway (Mikrotik).

I ping the modem to 192.168.1.1
The second is not true, because as I told you if I connect (Mikrotik)Ether2<-->(Modem)LAN2 I can ping the modem from my pc and also access it's GUI.

bpwl · Sat Nov 14, 2020 6:02 pm

I told you if I connect (Mikrotik)Ether2<-->(Modem)LAN2 I can ping the modem from my pc and also access it's GUI.

If you connect the cable, and ether2 is bridged as it is, then all interfaces connected to that bridge form "one L2 direct attached network " to the PC.
In contrast to the network connected to ether1, which is L3/routed connected.

If your PC has IP address 192.168.1.19/24 and you try to reach 192.168.1.1 the PC will send an ARP request on its network and (only) try a direct connection, without using a router/gateway.
If the ether2 cable is not there the PC will not find 192.168.1.1
If the PC only has 192.168.19.19/24 as IP address, and tries to reach 192.168.1.1, it will use the gateway 192.168.19.1 because it has no direct connection to that network.

dimpat · Sat Nov 14, 2020 6:30 pm

If you connect the cable, and ether2 is bridged as it is, then all interfaces connected to that bridge form "one L2 direct attached network " to the PC.
In contrast to the network connected to ether1, which is L3/routed connected.

If your PC has IP address 192.168.1.19/24 and you try to reach 192.168.1.1 the PC will send an ARP request on its network and (only) try a direct connection, without using a router/gateway.
If the ether2 cable is not there the PC will not find 192.168.1.1
If the PC only has 192.168.19.19/24 as IP address, and tries to reach 192.168.1.1, it will use the gateway 192.168.19.1 because it has no direct connection to that network.

Now I understand what was wrong. Without the Ether2<-->Lan2 cable, I tried on another pc that has only one IP (192.168.19.20) address and it could connect to my modem!
Thank you @bpwl for the answer. My problem is solved !!!

Is it too much to ask one more question? Is there any way to make use of the modem's wifi? (if ether2&Lan2 were connected, I could successfully connect to modem's wifi).

bpwl · Sat Nov 14, 2020 7:15 pm

Use the modem's wifi as LAN? Fully depends on the configurability of the modem. (Could easily be done with a Mikrotik).
You must be able to split the flow between the internet WAN -LAN on one side and the LAN2-wifi on the other side.
Your modem can certainly act as AP for the Mikrotik. But the combination with it's modem function could be difficult.

Config would be something like :

Mikrotik wifi
+
LAN <--> (bridge) Mikrotik router (ether1) <--> (LAN1) Modem (WAN) <--> Internet
Î
|-----------------------------------------------------------> (LAN2) Modem + Modem wifi

dimpat · Sat Nov 14, 2020 8:05 pm

ok, if it's complicated, let's leave it for another thread specifically to this.

Thank you again for your help.

Newbie: Access to modem behind router

Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Re: Newbie: Access to modem behind router

Who is online