mrday
just joined
Topic Author
Posts: 3
Joined: Fri Nov 15, 2019 8:19 am

Can't Access Netgear Modem Management hEX S

Fri May 21, 2021 7:08 pm

Hello all,

Having an annoying beginner issue. I've been using Mikrotik for a while now, but I can't figure out how to access my modem management page through my WAN interface.

As of now my setup is as follows

Netgear Modem (Bridge mode) (10.0.0.2/23)
| (SFP)
v
Mikrotik hEX S (10.0.1.1)
| (eth1-5)
v
Client network (DHCP 10.0.1.1/24)

My network is flat right now and has no VLANs configured.

I previously added a static address for 10.0.0.2 on SFP1 which pinged from the modem, however, I couldn't get this to ping from client devices and have since removed it.

Here's my config and list of addresses
# may/29/2021 12:59:54 by RouterOS 6.48.2
#
# model = RB760iGS
/interface bridge
add add-dhcp-option82=yes admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=\
    defconf dhcp-snooping=yes igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on poe-priority=1
set [ find default-name=sfp1 ] mac-address=XX:XX:XX:XX:XX:XX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=1m enc-algorithm=\
    aes-256 hash-algorithm=sha256 lifetime=1h proposal-check=strict
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=5m pfs-group=none
/ip pool
add name=dhcp ranges=10.0.1.2-10.0.1.254
add name=vpn ranges=10.0.2.2/31
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config
add address-pool=vpn address-prefix-length=32 name=cfg1
/port
set 0 name=serial0
/ppp profile
set *0 use-ipv6=no
set *FFFFFFFE local-address=10.0.2.1 remote-address=vpn use-encryption=\
    required use-ipv6=no use-upnp=no
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
/interface ovpn-server server
set auth=sha1 cipher=aes128,aes256 default-profile=default-encryption \
    require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.0.1.1/24 interface=ether1 network=10.0.1.0
/ip arp
add address=10.0.1.30 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid,clientid_duid disabled=no \
    interface=sfp1 script="#/system script run update_gateway-ip\r\
    \n#delay 2s\r\
    \n#/system script run set_static" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server alert
add interface=bridge
/ip dhcp-server network
add address=10.0.1.0/24 comment=defconf dns-server=10.0.1.1 gateway=10.0.1.1 \
    netmask=24 ntp-server=10.0.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=173.245.48.0/20 list=cloudflare
add address=103.21.244.0/22 list=cloudflare
add address=103.31.4.0/22 list=cloudflare
add address=141.101.64.0/18 list=cloudflare
add address=108.162.192.0/18 list=cloudflare
add address=190.93.240.0/20 list=cloudflare
add address=188.114.96.0/20 list=cloudflare
add address=197.234.240.0/22 list=cloudflare
add address=198.41.128.0/17 list=cloudflare
add address=162.158.0.0/15 list=cloudflare
add address=104.16.0.0/12 list=cloudflare
add address=172.64.0.0/13 list=cloudflare
add address=131.0.72.0/22 list=cloudflare
add address=216.218.128.0/17 comment=\
    "Hurricane Electric - Flagged by elastiflow/abuseipdb" list=blacklisted
add address=216.243.0.0/18 comment=\
    "vanoppen.biz - Flagged by elastiflow/abuseipdb" list=blacklisted
add address=196.52.43.0/24 comment=\
    "NetSystems/LogicWeb - Flagged by elastiflow/abuseipdb" list=blacklisted
add address=89.248.169.0/24 comment=\
    " Incrediserve Ltd - Flagged by elastiflow/abuseipdb - Netherlands" list=\
    blacklisted
add address=31.154.0.0/17 comment=\
    "Partner Communications Ltd. -  Flagged by elastiflow - Isreal" list=\
    blacklisted
add address=213.152.161.0/24 comment=\
    "AirVPN - Flagged by elastiflow/abuseipdb - Netherlands" list=blacklisted
add address=137.63.64.0/18 comment=\
    "Afritel - Flagged by elastiflow - Seychelles" list=blacklisted
add address=184.104.0.0/15 comment="Hurricane Electric" list=blacklisted
add address=181.64.192.95 comment="Telefonica del Peru S.A.A. - Spain" list=\
    blacklisted
add address=66.240.192.138 comment=" CARInet Inc. - USA" list=blacklisted
/ip firewall filter
add action=drop chain=input comment="drop blacklist ips" log=yes log-prefix=\
    blacklist src-address-list=blacklisted
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=fasttrack-connection chain=forward comment=\
    "fasttrack ignore ipsec" connection-mark=!ipsec connection-state=\
    established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=input comment="allow IPsec VPN (500,4500,1701/udp)" \
    dst-port=500,1701,4500 in-interface=sfp1 log=yes log-prefix=IPsec \
    protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=ping \
    protocol=icmp src-address-list=AWS
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=!DSTNAT
add action=drop chain=input comment="drop WAN DNS" dst-port=53 in-interface=\
    sfp1 protocol=tcp
add action=drop chain=input comment="drop WAN DNS" dst-port=53 in-interface=\
    sfp1 log-prefix="WAN DNS" protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN log=yes log-prefix=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=output disabled=yes dst-address=8.8.8.8 dst-port=53 \
    protocol=tcp
add action=drop chain=output disabled=yes dst-address=8.8.8.8 dst-port=53 \
    protocol=udp
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="mark ipsec connections" \
    ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=sfp1 log=yes \
    log-prefix=omega protocol=tcp src-address-list=cloudflare to-addresses=\
    10.0.1.5 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=sfp1 \
    log=yes log-prefix=omega protocol=tcp src-address-list=cloudflare \
    to-addresses=10.0.1.5 to-ports=443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec settings
set accounting=no
/ip route
add disabled=yes distance=1 gateway=98.206.32.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.1.7/32,10.0.1.6/32,10.0.1.5/32
set www-ssl address=10.0.0.6/32
set api disabled=yes
set winbox address=10.0.1.6/32,10.0.1.9/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=America/Chicago
/system identity
set name=router
/system logging
add disabled=yes topics=e-mail
add disabled=yes topics=interface
add disabled=yes topics=script
add action=disk disabled=yes topics=dns,!packet
add disabled=yes topics=l2tp,!debug
add action=syslog disabled=yes topics=dns,!packet
add action=syslog topics=critical
add action=syslog topics=error
add action=syslog topics=info
add action=syslog topics=interface
add action=syslog topics=ipsec,!debug
add action=syslog topics=l2tp,!debug
add action=syslog topics=script
add action=syslog topics=warning
add action=syslog topics=e-mail
add topics=ipsec,debug,!packet
add disabled=yes topics=ipsec,!debug
add disabled=yes topics=ipsec,packet
add action=syslog topics=ipsec,debug,!packet
add disabled=yes topics=dhcp,debug
add action=syslog topics=dns
add topics=firewall
/system ntp client
set enabled=yes primary-ntp=132.163.96.2 secondary-ntp=129.6.15.30
/system ntp server
set enabled=yes
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/system scheduler
add name=dhcp_on_startup on-event="/system script run set_dhcp" policy=\
    reboot,read,write,policy start-time=startup
/system script
add dont-require-permissions=no name=update_gateway-ip owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global currentIP;\r\
    \n:global currentGateway;\r\
    \n:global dhcpStatus [/ip dhcp-client get [find interface=sfp1] status];\r\
    \n:global dhcpDisabled [/ip dhcp-client get [find interface=sfp1] disabled\
    ];\r\
    \n:local newIP;\r\
    \n:local newGateway;\r\
    \n\r\
    \n:if (\$dhcpStatus = \"bound\" && !\$dhcpDisabled ) do={\r\
    \n    :set newIP [/ip dhcp-client get [find interface=\"sfp1\"] address];\
    \r\
    \n    :set newGateway [/ip dhcp-client get [find interface=\"sfp1\"] gatew\
    ay];\r\
    \n\r\
    \n    # update WAN\r\
    \n    \r\
    \n    :if (\$newIP != \$currentIP) do={\r\
    \n        :put \"ip address \$currentIP changed to \$newIP\";\r\
    \n        :set currentIP \$newIP;\r\
    \n    }\r\
    \n\r\
    \n    # update gateway\r\
    \n\r\
    \n    :if ( \$newGateway != \$currentGateway ) do={\r\
    \n        :put \"gateway \$currentGateway changed to \$newGateway\"\r\
    \n        :set currentGateway \$newGateway\r\
    \n    }\r\
    \n}"
add dont-require-permissions=no name=set_static owner=admin policy=\
    reboot,read,write,policy,test source=":global currentIP;\
    \n\r\
    \n:global currentGateway;\r\
    \n\
    \n\
    \n:global dhcpStatus;\r\
    \n:global dhcpDisabled\r\
    \n\r\
    \n:if (\$dhcpStatus = \"bound\" && !\$dhcpDisabled ) do={\r\
    \n\r\
    \n\
    \n#set DHCP off\r\
    \n/ip dhcp-client set [find where interface=sfp1] disabled=yes;\r\
    \n\r\
    \n# add static IP address\
    \n\r\
    \n/ip address add address=\$currentIP interface=sfp1;\r\
    \n\
    \n\
    \n\r\
    \n# add static route for gateway\r\
    \n\
    \n/ip route add gateway=\$currentGateway dst-address=0.0.0.0/0;\r\
    \n\
    \n}"
add dont-require-permissions=no name=set_dhcp owner=admin policy=\
    reboot,read,write,test source=":local down \"net is unreachable, setting D\
    HCP\"\r\
    \n\r\
    \n:log warning \$down\r\
    \n\r\
    \n/ip dhcp-client enable [find where interface=sfp1];\r\
    \n\r\
    \n/ip address remove [find where interface=sfp1];\r\
    \n\r\
    \n/ip route remove [find where dst-address=0.0.0.0/0]"
add dont-require-permissions=no name=wake owner=admin policy=\
    reboot,read,write,policy source="/tool wol mac=[:put [/ip dhcp-server leas\
    e get value-name=mac-address [find where host-name=\"wake\"]]] interface\
    =bridge"
/system watchdog
set watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=yes down-script="/system script run set_dhcp" host=8.8.8.8 \
    interval=30s timeout=10s up-script=\
    ":local up \"connection restored\"\r\
    \n:log info \$up"
/tool user-manager database
set db-path=flash/user-manager

 #   ADDRESS            NETWORK         INTERFACE
 0   10.0.1.1/24        10.0.1.0        ether1
 1 D 67.XXX.XXX.XXX/XX  67.XXX.XXX.XXX  sfp1

 #     ADDRESS         MAC-ADDRESS       INTERFACE
 0 C   10.0.1.30       XX:XX:XX:XX:XX:XX bridge
 1 HDC 10.0.1.6        XX:XX:XX:XX:XX:XX bridge
 2 HDC 10.0.1.10       XX:XX:XX:XX:XX:XX bridge
 3 HDC 10.0.1.4        XX:XX:XX:XX:XX:XX bridge
 4 HDC 10.0.1.202      XX:XX:XX:XX:XX:XX bridge
 5 HDC 10.0.1.21       XX:XX:XX:XX:XX:XX bridge
 6 HDC 10.0.1.20       XX:XX:XX:XX:XX:XX bridge
 7 HDC 10.0.1.8        XX:XX:XX:XX:XX:XX bridge
 8 HDC 10.0.1.2        XX:XX:XX:XX:XX:XX bridge
 9 HDC 10.0.1.110      XX:XX:XX:XX:XX:XX bridge
10 HDC 10.0.1.130      XX:XX:XX:XX:XX:XX bridge
11 DC  67.XXX.XXX.XXX  XX:XX:XX:XX:XX:XX sfp1
12 HDC 10.0.1.124      XX:XX:XX:XX:XX:XX bridge
13 HDC 10.0.1.127      XX:XX:XX:XX:XX:XX bridge
14 DC  10.0.1.126      XX:XX:XX:XX:XX:XX bridge

Any help would be appreciated! Been stuck on this for a while now.
Last edited by mrday on Sat May 29, 2021 9:47 pm, edited 4 times in total.
 
mrday
just joined
Topic Author
Posts: 3
Joined: Fri Nov 15, 2019 8:19 am

Re: Access Netgear Modem Management Through WAN Interface (SFP1)

Sat May 29, 2021 8:19 pm

Is this possible without VLANs?
 
mkx
Forum Guru
Posts: 11476
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can't Access Netgear Modem Management hEX S

Sat May 29, 2021 8:54 pm

The problem is in the subnetting you have: the subnet set on the netgear overlaps with mikrotik's LAN (10.0.1.0/24 is the upper half of 10.0.0.0/23) and that's a problem for both mikrotik and netgear.

From the sketch of the network layout it's not very clear how mikrotik is actually configured, so it's impossible to tell how to fix your problem. So post the full mikrotik config (execute /export hide-sensitive file=anynameyouwish from the terminal window, fetch the file, open it in a text editor and copy-paste it in a [code] [/code] environment). And clarify which ether port on mikrotik is actually used to connect to the netgear.

Depending on physical layout and requirements it probably is possible to get away without using VLANs.
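To make the overlap mkx describes concrete, here is an added Python check (not from the thread, RouterOS or any forum member) that parses `/ip address` export lines and flags subnets on different interfaces that collide; the sample plan is constructed from the LAN line in the posted export plus the modem address from the sketch, placed on sfp1 as the poster once tried.

```python
import ipaddress
import re

# Matches the `add address=... interface=...` lines of a RouterOS export.
ADDRESS_RE = re.compile(r"add address=(\S+) interface=(\S+)")

# Constructed sample: the hEX S LAN line from the posted export, plus the
# modem's 10.0.0.2/23 from the sketch as a static address on sfp1.
OVERLAPPING_PLAN = """\
/ip address
add address=10.0.1.1/24 interface=ether1 network=10.0.1.0
add address=10.0.0.2/23 interface=sfp1
"""

def parse_plan(text):
    """Return [(interface, ip_interface)] from `/ip address` export lines."""
    return [(m.group(2), ipaddress.ip_interface(m.group(1)))
            for m in ADDRESS_RE.finditer(text)]

def find_overlaps(entries):
    """List (if_a, net_a, if_b, net_b) for addresses on different interfaces
    whose networks overlap.  Overlapping CIDR blocks are always nested, so
    the longer prefix is the whole contested range."""
    hits = []
    for i, (if_a, a) in enumerate(entries):
        for if_b, b in entries[i + 1:]:
            if if_a != if_b and a.network.overlaps(b.network):
                hits.append((if_a, str(a.network), if_b, str(b.network)))
    return hits

def contested_range(net_a, net_b):
    """Addresses both sides claim: the more specific of two overlapping nets."""
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    return str(a if a.prefixlen >= b.prefixlen else b)

def longest_prefix_match(entries, dst):
    """Interface a router with these connected routes would use for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, addr in entries:
        if dst in addr.network and (
                best is None or addr.network.prefixlen > best[1].network.prefixlen):
            best = (iface, addr)
    return best[0] if best else None

def on_link_from(addr, dst):
    """True if a host configured with addr treats dst as directly connected,
    i.e. it ARPs for it instead of sending the packet to its gateway."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(addr).network

if __name__ == "__main__":
    plan = parse_plan(OVERLAPPING_PLAN)
    for if_a, net_a, if_b, net_b in find_overlaps(plan):
        print(f"{if_a} {net_a} overlaps {if_b} {net_b}; contested: "
              f"{contested_range(net_a, net_b)}")
    # The router still picks ether1 for a LAN host by longest prefix, but the
    # modem's /23 makes that same host look on-link from its side.
    print("10.0.1.30 leaves via", longest_prefix_match(plan, "10.0.1.30"))
    print("modem sees 10.0.1.30 on-link:", on_link_from("10.0.0.2/23", "10.0.1.30"))
```

Re-running the check with the modem side narrowed to a /24 (or the LAN moved out of 10.0.0.0/23) reports no overlap, which is the condition any fix has to satisfy.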
 
mrday
just joined
Topic Author
Posts: 3
Joined: Fri Nov 15, 2019 8:19 am

Re: Can't Access Netgear Modem Management hEX S

Sat May 29, 2021 9:47 pm

The problem is in subnetting you have: subnet set on netgear overlaps with mikrotik's LAN (10.0.1.0/24 is upper half of 10.0.0.0/23) and that's a problem for both mikrotik and netgear.

From the sketch of network layout it's not very clear how mikrotik is actually configured so it's impossible to tell how to fix your problem. So post full mikrotik config (execute /export hide-sensitive file=anynameyouwish from terminal window, fetch file, open it in text editor and copy-paste it in [code] [/code] environment). And clarify which ether port on mikrotik is actually used to connect to netgear.

Depending on physical layout and requirements it probably is possible to get away without using VLANs.

Thank you for the reply! I've updated the original post to include my config file.
 
anav
Forum Guru
Posts: 19176
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't Access Netgear Modem Management hEX S

Sat May 29, 2021 10:18 pm

I tried to make sense of your subnetting and WANs and bridge and ports and got lost.
Suggest a diagram may be helpful.
