My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Tristancce · Mon Aug 10, 2020 9:19 am

I've gone through the quick set on home ap, I've set up bridges and I've worked with the DHCP and I can't find a concise answer as to why I keep getting the no internet message : /, what are the first steps I need tp take and or screenshots I need to share?

anav · Mon Aug 10, 2020 1:47 pm

export your config
/export hide-sensitive file=anynameyouwish

Then post the exported filed here (just ensure you remove your wanip and wan gateway ip.

Tristancce · Thu Aug 13, 2020 9:53 am

Where would I find my Wanip and Wan gateway ip so I can remove them?

robmaltsystems · Thu Aug 13, 2020 1:36 pm

>/export hide-sensitive file=anynameyouwish

Those RouterOS developers really do think of everything

Tristancce · Thu Aug 13, 2020 2:41 pm

Alright, I exported my file, thank you guys for helping me : )

anav · Thu Aug 13, 2020 3:32 pm

Why two bridges?
This is wrong /ip address
add address=169.254.157.171/24 interface=ether2 network=169.254.157.0

Worse though, you have no firewall rules and thus should not hook up to the internet.

Sob · Thu Aug 13, 2020 5:35 pm

This is wrong, because all interfaces will end up in LAN list:

/interface detect-internet
set detect-interface-list=LAN internet-interface-list=LAN lan-interface-list=LAN wan-interface-list=LAN

Either use correct lists, or disable it completely.

Also, interesting choice of LAN subnet, 169.254.x.x are link-local addresses that devices use when there's no DHCP. I never tried to use this range with DHCP, I guess it should work, but it's also not impossible that something sees them as special and refuse to use them to access anything beyond this subnet.

Tristancce · Thu Aug 13, 2020 10:15 pm

okay, I put in both lines of code in, what should I know about firewalls and how do I set one up?

bpwl · Thu Aug 13, 2020 10:38 pm

A good firewall to start from is the default one. You can export it from the default config and later import it in your own config if not built starting from the default. You might also find an export already on the Forum or Wiki.
The default firewall one uses two interface lists : WAN and LAN . The interface(s) which has the incoming internet connection goes into the WAN interface list.The interfaces (or bridge) that forms the LAN connected ports go into the LAN interface list (slave ports of a bridge don't have to be added). LAN ports can do everything, WAN ports are NAT-masqueraded and only allowed to send answers from earlier (established) connections.

Tristancce · Fri Aug 14, 2020 3:08 am

I found this on the wiki, would you recommend this firewall? https://wiki.mikrotik.com/wiki/Home_Firewall

karlisi · Fri Aug 14, 2020 8:56 am

Last row says: 19:48, 21 May 2008 (EEST)
I believe most of it is obsolete. As said before, the default ruleset is the best starting point.

bpwl · Fri Aug 14, 2020 11:02 am

I leave the default firewall in all my devices, even if not used (all ports bridged) just in case I might later need one

This is from 6.45.6 , my preferred "stable" version today

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

robmaltsystems · Fri Aug 14, 2020 11:26 am

The article linked to above has been deleted so one does assume it was out of date.

Tristancce · Fri Aug 14, 2020 12:24 pm

Okay, I got put the firewall up, what do I need to do next to get LAN connection?

bpwl · Fri Aug 14, 2020 3:18 pm

Cleanup as Rob and Anav told you before....

/ip pool
add name=dhcp ranges=169.254.157.2-169.254.157.254

Wrong IP range ... use one subnet out of the private IP ranges. LAN subnet must be different from WAN.subnet.
IPv4 Private Address Space and Filtering
10.0. 0.0/8 IP addresses: 10.0. 0.0 – 10.255. 255.255.
172.16. 0.0/12 IP addresses: 172.16. 0.0 – 172.31. 255.255.
192.168. 0.0/16 IP addresses: 192.168. 0.0 – 192.168. 255.255.

/interface detect-internet
set detect-interface-list=LAN internet-interface-list=LAN lan-interface-list=\
LAN wan-interface-list=LAN

Remove this! It's wrong. Internet detect could only be on WAN , never on LAN. Even if corrected, you don't need this: It will set things for you that you did not expect.

/interface list member

add list=LAN

What's this? Non-existing interface ? Remove?

/ip address
add address=169.254.157.171/24 interface=ether2 network=169.254.157.0

Again wrong IP address. And address must be on "bridge1" not on "ether2". So it should be "interface=bridge1"

/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=169.254.157.0/24 gateway=169.254.157.171 netmask=24

Remove "add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24". This is just wrong.
Adjust the other line for private IP addresses as selected before. The gateway should be your router to the internet, the IP address given above, but in the correct Private Range.

Let your devices get an IP address from your router. (renew or release/new on device , or restart devices, or disconnect/connect). If they still use 169.254, they did not properly obtain a leased IP address !

Tristancce · Sat Aug 15, 2020 1:25 am

Okay, so I added everything to the text file but still am a little confused about the section where you said
"IPv4 Private Address Space and Filtering
10.0. 0.0/8 IP addresses: 10.0. 0.0 – 10.255. 255.255.
172.16. 0.0/12 IP addresses: 172.16. 0.0 – 172.31. 255.255.
192.168. 0.0/16 IP addresses: 192.168. 0.0 – 192.168. 255.255."

Where does this get added?

Also, when I tried to restore the changes made I get a message that says "Couldn't restore configuration - file not found (6)"
even tho I have it on my desktop.

I'll upload the file again so that it can be reviewed again!
Thank you for the help so far!

bpwl · Sat Aug 15, 2020 11:24 am

You just pick one subnet to be used as private range.

Lets say we pick 192.168.100/24 as subnet. Most operators/devices choose 192.168.0.0/24, therefore we pick a different one, to avoid later conflicts.

If we take 192.168.100.0/24 we EDIT in Winbox or Webfig (not in Quick-set and export-edit-import is complicating things). Prefer WinBOX because if something goes wrong in the config steps then we can reconnect using the MAC address.

Step by step (I'm not very good at this kind of instructions, I prefer people to understand what they are doing ....)

/ip pool
add name=dhcp ranges=169.254.157.2-169.254.157.254

Change the pool with winbox to contain 192.168.100.20-192.168.100.250

/ip address
add address=169.254.157.171/24 interface=bridge1 network=169.254.157.0

Add an extra IP address with winbox to the bridge interface, we will remove this one later
add address=192.168.100.1/24 interface=bridge1 network=191.168.100.0

/ip dhcp-server network
add address=169.254.157.0/24 gateway=169.254.157.171 netmask=24

Change the dhcp served network with winbox, to read ;
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24

Physically disconnect/reconnect to the MKT router, you will get something like 192.168.100.250 as IP address on your PC, and remove the old IP address 169.254.157.171 in the router.

Tristancce · Sun Aug 16, 2020 1:24 am

I made the changes to the file but I'm not able to upload it the file, it tells me "Couldn't restore configuration - file not found (6)"

bpwl · Sun Aug 16, 2020 9:51 am

backup<->restore (*.backup file) - Files
export<->import (*.rsc file) - Terminal
download<->upload (any file)- Files

Tristancce · Sun Aug 16, 2020 9:59 am

Okay, I imported through the terminal and it said "expected end of command (line 30 column 22)," not sure what this means?

bpwl · Sun Aug 16, 2020 10:24 am

Check your syntax of the rsc file. Error detected at (line 30 column 22).

JustDobby · Sun Aug 16, 2020 8:58 pm

One thing springs to mind - you might (if not already so) use a separate ssh (or telnet) client if you're using the terminal from within WinBox.. that one tends to miss chars when pasting copied data into it.. Putty (my personal favourite, use your own preferred client) always works wonders..that just might explain your syntax error if it looks ontherwise ok, or is a freshly copied export..

Tristancce · Mon Aug 17, 2020 8:11 am

I assume line 30 is the 30th line in but where are the columns?

bpwl · Mon Aug 17, 2020 12:08 pm

The benefit of being old and grey in IT.

Before those fancy fonts, computer output was done on printers and screens with constant width (equally spaced) character positions. One character was one byte.
A screen had 24 lines and 80 columns. A large printer had 66 lines (11 inch paper) of 132 characters. A punched card had 80 characters.

Set your text in font "Courier" and you will see, that you can count the lines and columns.

Error detected at (row,column) means that's the point that the code parser found something wrong, It could be too late. An unclosed ( or " could make some code still be parsed the wrong way, and only later an inconsistency is found. The hint is not always the real problem , like "expected end of command" means it cannot process the extra information on that line. The root cause can be somewhere earlier in the script.

One way of testing is taking logical blocks of code out of the script by copy, and paste it in the CLI session.as if you just typed it in (and indeed Putty does that very well)

karlisi · Mon Aug 17, 2020 1:09 pm

You can use 'verbose' switch on import, sometimes output to screen helps to spot the problem, because you will see exactly where the script stops. And there is another one useful switch 'from-line' which you can use to continue import after correcting errors.

WeWiNet · Tue Aug 18, 2020 8:00 pm

Why starting from something that does not work, when its simpler to go back, use RESET and start from something that works clean
and do the modifications from there?
Specially when there is no evidence that it ever worked or the system performed the way it should do... ?

May advice would be, go back and reset the device, and if needed use quickset for typical bridged AP use case and then get it going from there...

Tristancce · Wed Sep 02, 2020 2:40 am

Sorry, I have been absent for some time, I was busy with health issues and just got the time to come back to this forum, I'm still not positive as to how to read the columns and rows. Someone suggested I start from scratch. Will fixing the one line of malfunctioning code fix the issue, or am I better off starting over?

WeWiNet · Wed Sep 02, 2020 9:46 am

Tristance, glad you are back.

Personally ROS and inbox are quit complex for first time user. One thing missing and nothing works
and there are too many options/things to correct.

I would do:

Take an export of your current config as well as a backup (backup via GUI and export via:
Code: Select all
```
export file=mycurrentconfig
```
, download that file to your PC

Then reset the device completely (menu: system/reset configuration

Once your device gets up, use quickset ONCE!!! Select dual band AP (or the corresponding device type you want)

set basic things like SSID for 2G, 5G, passwords, IP ranges etc. Use "router" mode to start with and not bridge mode

You should select all LAN ports bridged (ETH1 will still remain internet port), to use NAT (I would suggest so), firewall (I suggest so) use DHCP and also set the IP address for your local LAN

Once you have your "basic" set, go to "terminal" and do again an export (export file=xyz) of the config and a backup

You can use Quicset as long as you do not do any other change via winbox or GUI. If you want to do such changes, do NOT use Quickset anymore

From there onwards use "save mode" while you do changes and see if the device is still functional. Also do regular exports/backup to be able to come back if something is broken

Using an advanced (but still simple to use) text editor, like ATOM with ROS highlighting and DIF function will help you to see the difference between two rsc files (the export files)

this is a great and simple way to learn and see what has changed, and what works :-)

My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Re: My LAN won't work, what are all the essential actions I need to take in order to set up a LAN?

Who is online