I've recently bought an RB493G and now I'm trying to set it up with a simple config that will replace my D-Link DIR-655 router. So far I can't get it working as easily as stated in Manual:Initial Configuration.
After I added filter rules that are not mentioned in Manual:Initial Configuration, I got ping/nslookup/tracert working from the local PC, but I still can't get web pages working. Sometimes a page opens partially (CSS is not loaded or images are missing), but sometimes I just get "took too long time to respond".
I'm probably missing some basic point here, but I need help as I completely don't see what I'm missing. I expected that config will work as per "Initial configuration" article.
Please help.
My network "map":
1. My router's ether1 is connected to my ISP. ISP gives it IP via DHCP without any problems.
2. For simplicity of first config I've connected only one local PC to ether9 and configured it with static IP (192.168.88.2 and manually set ISP's DNSes on the local PC).
I did what "Initial config" asked in "DHCP Client" and "Configuring network address translation (NAT)", and I also set "Allow Remote Requests" according to the "Domain name resolution" section.
I skipped "Default gateway" as the router gets its IP from the ISP via DHCP and gets its basic routes dynamically. I also skipped the NTP config, as I will apply the relevant script to use NTP server names instead of IPs later on.
I've also added filters according to "Set up packet filtering" of Securing your router, as without them neither pings nor traceroutes worked from the local PC.
Below you can find the difference between the default config and mine (compact export), followed by the output of /ip address print detail, /ip route print detail and /ip firewall export. NTP is not set yet, so the timestamps below show 1970.
# jan/02/1970 08:38:20 by RouterOS 5.14
#
# Compact export: per the post, only the settings that differ from the default
# configuration are listed here.
/ip address
# NOTE(review): the same 192.168.88.1/24 is bound to two interfaces - ether1
# (the ISP-facing port, which also runs the DHCP client below) and ether9 (the
# LAN port). The route print on this page shows the connected route for
# 192.168.88.0/24 with gateway=ether9,ether1, so replies to the LAN host may
# be sent out of ether1 instead of ether9. That would fit the partial page
# loads described. The "default configuration" entry on ether1 looks like a
# leftover and should probably be removed - confirm before changing.
add address=192.168.88.1/24 comment="default configuration" interface=ether1
add address=192.168.88.1/24 interface=ether9
/ip dhcp-client
# The WAN address is obtained from the ISP on ether1.
add disabled=no interface=ether1
/ip dns
# Lets the router answer DNS queries from other hosts.
# NOTE(review): the firewall export on this page accepts all UDP in the input
# chain on every interface, so this resolver is presumably reachable from the
# ISP side as well (an open resolver). Limit port 53 (UDP and TCP) to the LAN
# interface.
set allow-remote-requests=yes
/ip dns static
# Static record: the name "router" resolves to the LAN address.
add address=192.168.88.1 name=router
>> /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=ether1
actual-interface=ether1
1 D address=178.74.250.61/21 network=178.74.248.0 interface=ether1
actual-interface=ether1
2 address=192.168.88.1/24 network=192.168.88.0 interface=ether9
actual-interface=ether9
>> /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=178.74.248.1
gateway-status=178.74.248.1 reachable via ether1 distance=0 scope=30
target-scope=10 vrf-interface=ether1
1 ADC dst-address=178.74.248.0/21 pref-src=178.74.250.61 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10
2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether9,ether1
gateway-status=ether9 reachable,ether1 reachable distance=0 scope=10
> /ip firewall export
# jan/02/1970 02:01:27 by RouterOS 5.14
#
# Full firewall export. Filter rules are evaluated top to bottom, so the order
# of the "add" lines below is significant.
/ip firewall connection tracking
# Connection tracking is enabled; the connection-state matchers and the
# masquerade rule further down depend on it. tcp-syncookie is off.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Every rule in this export is in chain=input, i.e. it applies to traffic
# addressed to the router itself.
# Accept packets that belong to, or are related to, connections already known
# to connection tracking, and drop packets it classifies as invalid.
add action=accept chain=input comment="Accept established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" \
connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid disabled=no
# NOTE(review): this accepts every UDP packet sent to the router, on any
# interface, including ether1 (the ISP side). Together with
# allow-remote-requests=yes in the compact export on this page, it exposes the
# DNS resolver (UDP/53) to the internet, where it can be abused for
# reflection/amplification. Any other UDP service enabled on the router is
# reachable the same way. Scope the rule with in-interface=ether9, or drop
# UDP arriving on ether1 before it.
add action=accept chain=input comment=UDP disabled=no protocol=udp
# Accept ICMP up to the limit (50 packets per 5 seconds, burst 2); ICMP above
# that rate falls through to the drop rule that follows.
add action=accept chain=input comment="Allow limited pings" disabled=no limit=\
50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=\
icmp
# Disabled (disabled=yes), so this source-address match has no effect.
add action=accept chain=input comment="From our private LAN" disabled=yes \
src-address=192.168.88.0/24
# Accept everything that arrives on the LAN port, which includes access to the
# router's own services from that port.
add action=accept chain=input disabled=no in-interface=ether9
# Anything that reaches this point is logged with the "DROP INPUT" prefix and
# then dropped by the final rule.
add action=log chain=input comment="Log everything else" disabled=no \
log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else" disabled=no
# NOTE(review): this export has no chain=forward rules, so traffic routed
# between ether9 and ether1 is not filtered by this ruleset. Consider adding
# accept rules for established/related, a drop for invalid, and a drop for new
# connections that arrive on ether1.
/ip firewall nat
# Source-NAT LAN traffic (192.168.88.0/24) leaving through ether1 to the
# router's address on that interface.
add action=masquerade chain=srcnat disabled=no out-interface=ether1 \
src-address=192.168.88.0/24
/ip firewall service-port
# Connection-tracking helpers for these protocols are all enabled.
# NOTE(review): helpers that are not needed can be disabled to shrink the
# amount of protocol parsing exposed to traffic - confirm which are in use.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no