I'm having an annoying beginner issue. I've been using MikroTik for a while now, but I can't figure out how to access my modem's management page through my WAN interface.
As of now, my setup is as follows:
Netgear Modem (Bridge mode) (10.0.0.2/23)
| (SFP)
v
Mikrotik hEX S (10.0.1.1)
| (eth1-5)
v
Client network (DHCP 10.0.1.1/24)
My network is flat right now and has no VLANs configured.
I previously added a static address for 10.0.0.2 on sfp1; the modem answered pings from the router, but I couldn't get it to answer pings from client devices, so I have since removed it.
Here's my config, followed by my address list and ARP table:
# may/29/2021 12:59:54 by RouterOS 6.48.2
#
# model = RB760iGS
# Exported RouterOS 6.48.2 configuration for the hEX S. sfp1 is the WAN
# uplink toward the bridged modem (see /interface list member), "bridge" is
# the LAN. Reviewer observations are marked NOTE(review).
#
# LAN bridge. dhcp-snooping=yes drops DHCP *server* replies that arrive on a
# bridge port not marked trusted; none of the ports below is, so a rogue DHCP
# server plugged into a LAN port should be blocked. Option 82 is inserted.
/interface bridge
add add-dhcp-option82=yes admin-mac=XX:XX:XX:XX:XX:XX 0 auto-mac=no comment=\
defconf dhcp-snooping=yes igmp-snooping=yes name=bridge
# ether5 supplies PoE; sfp1 runs with an overridden MAC (masked in the paste).
/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on poe-priority=1
set [ find default-name=sfp1 ] mac-address=XX:XX:XX:XX:XX:XX
# Interface lists referenced by the firewall, NAT, neighbor-discovery and
# mac-server settings further down.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# IKEv2 responder (passive=yes). Phase 1 is AES-256 / SHA-256 / modp2048,
# which is sound. NOTE(review): the proposal uses pfs-group=none, so the
# child SAs have no perfect forward secrecy; the 5m lifetime limits the
# exposure, but a DH group is preferable if the peers support it.
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=1m enc-algorithm=\
aes-256 hash-algorithm=sha256 lifetime=1h proposal-check=strict
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=5m pfs-group=none
# "dhcp" is the LAN lease pool; "vpn" (a /31) is handed to VPN clients via
# mode-config cfg1 and the PPP profile below.
/ip pool
add name=dhcp ranges=10.0.1.2-10.0.1.254
add name=vpn ranges=10.0.2.2/31
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config
add address-pool=vpn address-prefix-length=32 name=cfg1
/port
set 0 name=serial0
# PPP profiles: *FFFFFFFE is default-encryption — encryption is mandatory for
# VPN clients, IPv6 and UPnP are off for them.
/ppp profile
set *0 use-ipv6=no
set *FFFFFFFE local-address=10.0.2.1 remote-address=vpn use-encryption=\
required use-ipv6=no use-upnp=no
# User-manager admin customer; its database path is set at the end of the
# export.
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
# Policy set of the "full" admin group (includes sensitive, api, password).
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# ether1-5 are LAN ports. NOTE(review): sfp1 is the WAN interface — its
# bridge-port entry must stay disabled, otherwise the WAN segment would be
# bridged straight into the LAN.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN interfaces — good.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): accept-source-route=yes makes the router honour IPv4
# source-route options (the RouterOS default is no). Source-routed packets
# steer around the normal routing decision; unless something here depends on
# it, set this back to no.
/ip settings
set accept-source-route=yes
# L2TP/IPsec server. NOTE(review): with use-ipsec=yes a client may also
# connect without IPsec; use-ipsec=required enforces it (all current clients
# must then be IPsec-capable). mschap1 is weaker than mschap2 and can be
# dropped if no client still needs it.
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 use-ipsec=yes
# LAN = the bridge; WAN = sfp1 (DHCP client toward the ISP, see /ip
# dhcp-client).
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
# OpenVPN server with mandatory client certificates (good). auth=sha1 is the
# strongest HMAC RouterOS 6 offers for OVPN (md5/sha1/null); cipher allows
# aes128 or aes256.
/interface ovpn-server server
set auth=sha1 cipher=aes128,aes256 default-profile=default-encryption \
require-client-certificate=yes
# SSTP server uses the same encrypted PPP profile.
/interface sstp-server server
set default-profile=default-encryption
# NOTE(review): the LAN address 10.0.1.1/24 sits on ether1, which is itself a
# bridge port; RouterOS expects the LAN address on the bridge interface
# ("bridge") — confirm this is intended. Reaching the bridged modem at
# 10.0.0.2/23 from LAN normally needs a second address on sfp1 inside
# 10.0.0.0/23 (the srcnat masquerade on WAN should then translate LAN
# traffic to that address so the modem can reply); note, however, that the
# set_dhcp script below removes every address on sfp1 at each boot.
/ip address
add address=10.0.1.1/24 interface=ether1 network=10.0.1.0
# Static ARP entry for 10.0.1.30 (MAC masked).
/ip arp
add address=10.0.1.30 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
# WAN DHCP client on sfp1; ISP DNS/NTP are ignored (use-peer-dns/ntp=no).
# The lease script is entirely commented out, so update_gateway-ip and
# set_static (defined under /system script) are never triggered from here.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid,clientid_duid disabled=no \
interface=sfp1 script="#/system script run update_gateway-ip\r\
\n#delay 2s\r\
\n#/system script run set_static" use-peer-dns=no use-peer-ntp=no
# DHCP alert on the bridge (logs foreign DHCP servers); the LAN scope hands
# out this router as gateway, DNS and NTP.
/ip dhcp-server alert
add interface=bridge
/ip dhcp-server network
add address=10.0.1.0/24 comment=defconf dns-server=10.0.1.1 gateway=10.0.1.1 \
netmask=24 ntp-server=10.0.1.1
# The router resolves for LAN (allow-remote-requests=yes). The two
# "drop WAN DNS" input rules are what keep it from being an open resolver —
# see the note on the disabled input catch-all further down.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# cloudflare: edge ranges allowed to reach the published HTTPS service via
# dst-nat — keep it in sync with Cloudflare's published list. blacklisted:
# ranges dropped on input (flagged by elastiflow/abuseipdb per the comments).
/ip firewall address-list
add address=173.245.48.0/20 list=cloudflare
add address=103.21.244.0/22 list=cloudflare
add address=103.31.4.0/22 list=cloudflare
add address=141.101.64.0/18 list=cloudflare
add address=108.162.192.0/18 list=cloudflare
add address=190.93.240.0/20 list=cloudflare
add address=188.114.96.0/20 list=cloudflare
add address=197.234.240.0/22 list=cloudflare
add address=198.41.128.0/17 list=cloudflare
add address=162.158.0.0/15 list=cloudflare
add address=104.16.0.0/12 list=cloudflare
add address=172.64.0.0/13 list=cloudflare
add address=131.0.72.0/22 list=cloudflare
add address=216.218.128.0/17 comment=\
"Hurricane Electric - Flagged by elastiflow/abuseipdb" list=blacklisted
add address=216.243.0.0/18 comment=\
"vanoppen.biz - Flagged by elastiflow/abuseipdb" list=blacklisted
add address=196.52.43.0/24 comment=\
"NetSystems/LogicWeb - Flagged by elastiflow/abuseipdb" list=blacklisted
add address=89.248.169.0/24 comment=\
" Incrediserve Ltd - Flagged by elastiflow/abuseipdb - Netherlands" list=\
blacklisted
add address=31.154.0.0/17 comment=\
"Partner Communications Ltd. - Flagged by elastiflow - Isreal" list=\
blacklisted
add address=213.152.161.0/24 comment=\
"AirVPN - Flagged by elastiflow/abuseipdb - Netherlands" list=blacklisted
add address=137.63.64.0/18 comment=\
"Afritel - Flagged by elastiflow - Seychelles" list=blacklisted
add address=184.104.0.0/15 comment="Hurricane Electric" list=blacklisted
add address=181.64.192.95 comment="Telefonica del Peru S.A.A. - Spain" list=\
blacklisted
add address=66.240.192.138 comment=" CARInet Inc. - USA" list=blacklisted
# IPv4 filter. Rule order matters; the notes below refer to rules by their
# comment text.
/ip firewall filter
add action=drop chain=input comment="drop blacklist ips" log=yes log-prefix=\
blacklist src-address-list=blacklisted
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=fasttrack-connection chain=forward comment=\
"fasttrack ignore ipsec" connection-mark=!ipsec connection-state=\
established,related
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
# NOTE(review): udp/1701 is accepted from sfp1 without an ipsec-policy=in,ipsec
# match, so plain (unencrypted) L2TP reaches the server as well; adding that
# match for 1701, together with use-ipsec=required on the L2TP server, limits
# it to IPsec-protected sessions.
add action=accept chain=input comment="allow IPsec VPN (500,4500,1701/udp)" \
dst-port=500,1701,4500 in-interface=sfp1 log=yes log-prefix=IPsec \
protocol=udp
# NOTE(review): address list "AWS" is not defined in /ip firewall address-list
# above, so this rule never matches. ICMP currently reaches the router only
# because the input catch-all below is disabled; once that is re-enabled,
# ICMP to the router from the WAN side would be dropped — define the list or
# remove the src-address-list match.
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=ping \
protocol=icmp src-address-list=AWS
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=!DSTNAT
# Block external DNS queries; these two rules are the only WAN-side
# protection of the resolver while the catch-all below is disabled.
add action=drop chain=input comment="drop WAN DNS" dst-port=53 in-interface=\
sfp1 protocol=tcp
add action=drop chain=input comment="drop WAN DNS" dst-port=53 in-interface=\
sfp1 log-prefix="WAN DNS" protocol=udp
# NOTE(review): this default-config catch-all for the input chain is DISABLED.
# With it off, the chain falls through to the implicit accept, so every
# service the router listens on (ssh, winbox, www-ssl, NTP udp/123, ...) is
# reachable from sfp1 unless a rule above drops it — only DNS is. Access is
# then limited solely by the /ip service address= filters. Re-enabling it
# keeps the IPsec rule above working; if VPN clients must reach the router
# itself (e.g. DNS at 10.0.2.1), first add an accept for the VPN addresses
# (10.0.2.0/24 covers the pool and 10.0.2.1) above this rule, or put the PPP
# dynamic interfaces in the LAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN log=yes log-prefix=!LAN
# Superseded by the "fasttrack ignore ipsec" rule above; kept disabled.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
# Disabled: would block the router's own queries to 8.8.8.8.
add action=drop chain=output disabled=yes dst-address=8.8.8.8 dst-port=53 \
protocol=tcp
add action=drop chain=output disabled=yes dst-address=8.8.8.8 dst-port=53 \
protocol=udp
# Marks IPsec-policy connections so the fasttrack rule skips them
# (fasttracked packets bypass IPsec processing).
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections" \
ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="mark ipsec connections" \
ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
# srcnat masquerades everything leaving via WAN except traffic matching an
# IPsec out policy. dstnat publishes 10.0.1.5:443 only to the Cloudflare
# edge ranges (good: the origin is not reachable directly); the :80 variant
# is disabled.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=sfp1 log=yes \
log-prefix=omega protocol=tcp src-address-list=cloudflare to-addresses=\
10.0.1.5 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=sfp1 \
log=yes log-prefix=omega protocol=tcp src-address-list=cloudflare \
to-addresses=10.0.1.5 to-ports=443
# All NAT helpers (ALGs) disabled — reduces the connection-tracking helper
# attack surface.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec settings
set accounting=no
# Disabled static default route — looks like a leftover of what set_static
# adds (gateway=$currentGateway); confirm it is still wanted.
/ip route
add disabled=yes distance=1 gateway=98.206.32.1
# Management plane: telnet/ftp/www/api/api-ssl off; ssh and winbox limited by
# source address. NOTE(review): (1) www-ssl allows 10.0.0.6/32, which lies in
# the modem's 10.0.0.0/23, not in the LAN 10.0.1.0/24 — if 10.0.1.6 was meant,
# the web UI is unreachable from any LAN host today. (2) 10.0.1.5 is in the
# ssh allow list and is also the host published to the internet through the
# dst-nat rule; if that host were compromised it would hold an SSH path to
# the router — consider removing it from the list.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.1.7/32,10.0.1.6/32,10.0.1.5/32
set www-ssl address=10.0.0.6/32
set api disabled=yes
set winbox address=10.0.1.6/32,10.0.1.9/32
set api-ssl disabled=yes
# strong-crypto=yes disables the weaker SSH ciphers/MACs.
/ip ssh
set strong-crypto=yes
# NetFlow export enabled; no /ip traffic-flow target appears in this export.
/ip traffic-flow
set enabled=yes
# Default IPv6 bogon list and firewall from defconf. No IPv6 addresses or
# DHCPv6 client appear in this export.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=America/Chicago
/system identity
set name=router
# Several topics go to a syslog action (its remote target is not in this
# export); "firewall" and the ipsec debug topic use the default memory log.
/system logging
add disabled=yes topics=e-mail
add disabled=yes topics=interface
add disabled=yes topics=script
add action=disk disabled=yes topics=dns,!packet
add disabled=yes topics=l2tp,!debug
add action=syslog disabled=yes topics=dns,!packet
add action=syslog topics=critical
add action=syslog topics=error
add action=syslog topics=info
add action=syslog topics=interface
add action=syslog topics=ipsec,!debug
add action=syslog topics=l2tp,!debug
add action=syslog topics=script
add action=syslog topics=warning
add action=syslog topics=e-mail
add topics=ipsec,debug,!packet
add disabled=yes topics=ipsec,!debug
add disabled=yes topics=ipsec,packet
add action=syslog topics=ipsec,debug,!packet
add disabled=yes topics=dhcp,debug
add action=syslog topics=dns
add topics=firewall
# NTP client with two fixed upstream servers; NTP server enabled.
# NOTE(review): udp/123 has no WAN-side drop while the input catch-all is
# disabled (see /ip firewall filter).
/system ntp client
set enabled=yes primary-ntp=132.163.96.2 secondary-ntp=129.6.15.30
/system ntp server
set enabled=yes
# The export itself flags a pending RouterBOARD firmware upgrade — reboot to
# apply it.
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
# Runs set_dhcp at every boot: re-enables the DHCP client on sfp1 and removes
# any static sfp1 address and any 0.0.0.0/0 route (see the script source).
/system scheduler
add name=dhcp_on_startup on-event="/system script run set_dhcp" policy=\
reboot,read,write,policy start-time=startup
# Failover helpers. update_gateway-ip caches the DHCP lease's address and
# gateway in globals; set_static turns them into a static address and default
# route and disables the DHCP client; set_dhcp reverts that. Nothing currently
# calls update_gateway-ip or set_static (the dhcp-client script is commented
# out). NOTE(review): update_gateway-ip only reads dhcp-client state yet
# carries password, sensitive and sniff policy — trim each script's policy to
# what it actually uses.
/system script
add dont-require-permissions=no name=update_gateway-ip owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global currentIP;\r\
\n:global currentGateway;\r\
\n:global dhcpStatus [/ip dhcp-client get [find interface=sfp1] status];\r\
\n:global dhcpDisabled [/ip dhcp-client get [find interface=sfp1] disabled\
];\r\
\n:local newIP;\r\
\n:local newGateway;\r\
\n\r\
\n:if (\$dhcpStatus = \"bound\" && !\$dhcpDisabled ) do={\r\
\n :set newIP [/ip dhcp-client get [find interface=\"sfp1\"] address];\
\r\
\n :set newGateway [/ip dhcp-client get [find interface=\"sfp1\"] gatew\
ay];\r\
\n\r\
\n # update WAN\r\
\n \r\
\n :if (\$newIP != \$currentIP) do={\r\
\n :put \"ip address \$currentIP changed to \$newIP\";\r\
\n :set currentIP \$newIP;\r\
\n }\r\
\n\r\
\n # update gateway\r\
\n\r\
\n :if ( \$newGateway != \$currentGateway ) do={\r\
\n :put \"gateway \$currentGateway changed to \$newGateway\"\r\
\n :set currentGateway \$newGateway\r\
\n }\r\
\n}"
add dont-require-permissions=no name=set_static owner=admin policy=\
reboot,read,write,policy,test source=":global currentIP;\
\n\r\
\n:global currentGateway;\r\
\n\
\n\
\n:global dhcpStatus;\r\
\n:global dhcpDisabled\r\
\n\r\
\n:if (\$dhcpStatus = \"bound\" && !\$dhcpDisabled ) do={\r\
\n\r\
\n\
\n#set DHCP off\r\
\n/ip dhcp-client set [find where interface=sfp1] disabled=yes;\r\
\n\r\
\n# add static IP address\
\n\r\
\n/ip address add address=\$currentIP interface=sfp1;\r\
\n\
\n\
\n\r\
\n# add static route for gateway\r\
\n\
\n/ip route add gateway=\$currentGateway dst-address=0.0.0.0/0;\r\
\n\
\n}"
add dont-require-permissions=no name=set_dhcp owner=admin policy=\
reboot,read,write,test source=":local down \"net is unreachable, setting D\
HCP\"\r\
\n\r\
\n:log warning \$down\r\
\n\r\
\n/ip dhcp-client enable [find where interface=sfp1];\r\
\n\r\
\n/ip address remove [find where interface=sfp1];\r\
\n\r\
\n/ip route remove [find where dst-address=0.0.0.0/0]"
# Wake-on-LAN for the DHCP lease whose host-name is "wake".
add dont-require-permissions=no name=wake owner=admin policy=\
reboot,read,write,policy source="/tool wol mac=[:put [/ip dhcp-server leas\
e get value-name=mac-address [find where host-name=\"wake\"]]] interface\
=bridge"
# Hardware watchdog timer disabled.
/system watchdog
set watchdog-timer=no
# MAC-telnet and MAC-winbox only on LAN interfaces — good.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Disabled: the netwatch-driven failover (host down -> set_dhcp) is currently
# off, so set_dhcp only runs from the startup scheduler.
/tool netwatch
add disabled=yes down-script="/system script run set_dhcp" host=8.8.8.8 \
interval=30s timeout=10s up-script=\
":local up \"connection restored\"\r\
\n:log info \$up"
/tool user-manager database
set db-path=flash/user-manager
# ADDRESS NETWORK INTERFACE
0 10.0.1.1/24 10.0.1.0 ether1
1 D 67.XXX.XXX.XXX/XX 67.XXX.XXX.XXX sfp1
# ADDRESS MAC-ADDRESS INTERFACE
0 C 10.0.1.30 XX:XX:XX:XX:XX:XX bridge
1 HDC 10.0.1.6 XX:XX:XX:XX:XX:XX bridge
2 HDC 10.0.1.10 XX:XX:XX:XX:XX:XX bridge
3 HDC 10.0.1.4 XX:XX:XX:XX:XX:XX bridge
4 HDC 10.0.1.202 XX:XX:XX:XX:XX:XX bridge
5 HDC 10.0.1.21 XX:XX:XX:XX:XX:XX bridge
6 HDC 10.0.1.20 XX:XX:XX:XX:XX:XX bridge
7 HDC 10.0.1.8 XX:XX:XX:XX:XX:XX bridge
8 HDC 10.0.1.2 XX:XX:XX:XX:XX:XX bridge
9 HDC 10.0.1.110 XX:XX:XX:XX:XX:XX bridge
10 HDC 10.0.1.130 XX:XX:XX:XX:XX:XX bridge
11 DC 67.XXX.XXX.XXX XX:XX:XX:XX:XX:XX sfp1
12 HDC 10.0.1.124 XX:XX:XX:XX:XX:XX bridge
13 HDC 10.0.1.127 XX:XX:XX:XX:XX:XX bridge
14 DC 10.0.1.126 XX:XX:XX:XX:XX:XX bridge