auspat
just joined
Topic Author
Posts: 2
Joined: Tue Sep 14, 2021 6:45 pm

2 separate networks - no internet access

Tue Sep 14, 2021 6:48 pm

Hello, everyone.

I'm still new to the Mikrotik configuration. I have the following constellation:

Port Ether1: WAN / Internet via PPPoE dial-in
Port Ether2: Internal network
Port Ether3: guest network

Access to the Internet is possible from Ether2, but not from Ether3. DHCP works in the "guest network" of Ether3. The config looks like this:
/interface bridge
add admin-mac=08:55:31:BA:74:C7 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-BA74CD wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-BA74CC wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add comment="VLAN 1 - Intern" name=dhcp ranges=192.168.103.10-192.168.103.50
add comment=L2TP name=L2TP ranges=10.0.10.1-10.0.10.50
add comment="VLAN 20 - Guest" name=dhcp_pool3 ranges=\
10.18.100.2-10.18.103.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool3 disabled=no interface=ether3 name="DHCP Guest"
/ip ipsec mode-config
add address-pool=L2TP name=vpndhcpo
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.103.254 name=\
L2TP-VPN remote-address=L2TP use-encryption=required use-mpls=yes
set *FFFFFFFE bridge=bridge dns-server=192.168.103.100,8.8.8.8 local-address=\
192.168.103.254 remote-address=L2TP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=Guest interface=ether3 list=LAN
/ip address
add address=192.168.103.254/24 comment=Intern interface=bridge network=\
192.168.103.0
add address=10.18.100.1 comment=Guest interface=ether3 network=10.18.100.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.103.41 client-id=1:7c:10:c9:44:cb:bb mac-address=\
7C:10:C9:44:CB:BB server=defconf
add address=192.168.103.40 client-id=1:7c:10:c9:44:1a:7b mac-address=\
7C:10:C9:44:1A:7B server=defconf
/ip dhcp-server network
add address=10.18.100.0/22 gateway=10.18.100.1
add address=192.168.103.0/24 comment=defconf dns-server=192.168.103.100 \
gateway=192.168.103.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.103.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="L2TP VPN erlauben" dst-port=500 \
protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment=" Drop Invalid connections" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat connection-type="" out-interface=ether1
add action=masquerade chain=srcnat comment=\
"Allen Traffic nach draussen Natten" out-interface=pppoe-out1
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ppp secret
/system clock
set time-zone-name=Europe/Vienna
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Is there a simple firewall rule missing here so that access to the Internet from Ether3 is possible?

Thanks!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 3:43 pm

I don't see offhand why ether3 is not getting internet.
The only thing I noted in the forward chain is a duplication of this rule
(remove the one at the bottom of the list):

add action=drop chain=input comment=" Drop Invalid connections" \
connection-state=invalid

I will keep looking.
You have three source NAT rules.
You only need this one (the first one):
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN



Okay, here is one thing: in interface list members you need to include the following.

/interface list member
add interface=pppoe-out?? list=WAN (not sure of the name of your PPPoE dial-out connection)
add comment=defconf interface=ether1 list=WAN
add comment=Guest interface=ether3 list=LAN
add comment=defconf interface=bridge list=LAN
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 4:07 pm

/ip address
add address=10.18.100.1/22 comment=Guest interface=ether3 network=10.18.100.0

A missing subnet mask implies subnet mask /32, which effectively disables all communication via this interface.

@anav, I'm deeply disappointed because you did not catch this error :wink:
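A check for the two points made in the replies above (the missing prefix length on ether3 that mkx spotted and the WAN interface-list membership anav asks about), as an added example that is not code from this thread or from MikroTik: a small Python lint that parses a RouterOS export and reports those mistakes. It assumes the export format seen in the original post (section headers starting with "/", one add/set command per logical line, backslash line continuations) and runs on a constructed excerpt of that config embedded as sample input; the network= consistency check and the LAN membership listing go a step beyond what the thread discusses.

```python
"""Lint a RouterOS '/export' for the mistakes discussed in the thread.

Added example, not part of the original post. Assumes the plain export format
shown above: section headers beginning with '/', one 'add'/'set' command per
logical line, and a trailing backslash marking a continuation line.
"""
import ipaddress
import shlex

# Constructed excerpt of the poster's export (only the sections the checks use).
SAMPLE_EXPORT = r"""
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=Guest interface=ether3 list=LAN
/ip address
add address=192.168.103.254/24 comment=Intern interface=bridge network=\
192.168.103.0
add address=10.18.100.1 comment=Guest interface=ether3 network=10.18.100.0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat connection-type="" out-interface=ether1
add action=masquerade chain=srcnat comment=\
"Allen Traffic nach draussen Natten" out-interface=pppoe-out1
"""


def join_continuations(text):
    """Glue lines that end in a backslash to the line that follows them."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]          # the export continues on the next line
            continue
        buf += line
        if buf:
            logical.append(buf)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def parse_export(text):
    """Map each section ('/ip address', ...) to its commands as key=value dicts."""
    sections, section = {}, None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        if section is None:
            continue
        tokens = shlex.split(line)    # honours comment="with spaces"
        if not tokens:
            continue
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                entry[key] = value
        sections[section].append(entry)
    return sections


def check_ip_addresses(sections):
    """RouterOS treats address=10.18.100.1 (no /len) as /32, so clients on that
    interface never reach the router. Also flag a network= value that does not
    match the prefix actually given."""
    findings = []
    for e in sections.get("/ip address", []):
        iface, addr, net = e.get("interface"), e.get("address", ""), e.get("network")
        if "/" not in addr:
            findings.append((iface, addr, "no prefix length, RouterOS assumes /32"))
            continue
        want = str(ipaddress.ip_interface(addr).network.network_address)
        if net and net != want:
            findings.append((iface, addr, f"network={net} but prefix implies {want}"))
    return findings


def nat_interfaces_missing_from_wan(sections):
    """Interfaces masqueraded by name but absent from the WAN list. The defconf
    'drop all from WAN not DSTNATed' rule matches in-interface-list=WAN, so a
    PPPoE interface left out of that list is not covered by it."""
    wan = {e.get("interface") for e in sections.get("/interface list member", [])
           if e.get("list") == "WAN"}
    missing = set()
    for e in sections.get("/ip firewall nat", []):
        iface = e.get("out-interface")
        if e.get("chain") == "srcnat" and iface and iface not in wan:
            missing.add(iface)
    return sorted(missing)


def lan_members(sections):
    """Everything in LAN is trusted by the defconf input rule and by mac-server,
    so a guest port listed here can reach the router's management services."""
    return sorted(e["interface"] for e in sections.get("/interface list member", [])
                  if e.get("list") == "LAN")


def lint(text):
    sections = parse_export(text)
    return {
        "ip_address": check_ip_addresses(sections),
        "nat_not_in_wan": nat_interfaces_missing_from_wan(sections),
        "lan_members": lan_members(sections),
    }


if __name__ == "__main__":
    for name, result in lint(SAMPLE_EXPORT).items():
        print(f"{name}: {result}")
```

To use it on a real box, save the output of `/export` to a file and pass its text to lint(). Two things the lan_members output points at that the thread does not discuss: ether3 sits in the LAN list, which the defconf input rule ("drop all not coming from LAN") and the mac-server/mac-winbox settings treat as trusted, so guest clients can reach the router's management services; and the posted forward chain has no rule separating ether3 from the bridge subnet, so the guest segment is not actually isolated from 192.168.103.0/24. A separate interface list for guest ports with its own input and forward drop rules is the usual remedy.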
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 4:19 pm

I'm not; it is not my fault all these people (said as nicely as I can)
do not stick to norms. If it's not .0, .1, .24 then you are on your own!!!
Like who uses .254 or 22 or 28 or 32 or anything obscure ;-)

I assume any bozo foolish enough to stray from norms in terms of IP nomenclature knows what they are doing LOL

Where I agree with you is basic troubleshooting: zeroing in on the most likely config line that would cause this.
Since DHCP is working (so no issues with DHCP network or IP pool etc.), that leaves the IP address as the most likely culprit.
Luv you too!

By the way I am a quick study!!
viewtopic.php?f=2&t=178542
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 4:44 pm

By the way I am a quick study!!
viewtopic.php?f=2&t=178542

You're my man :-)
