iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Can't surf web on simple config though ping and tracert work

Sun Dec 23, 2012 10:58 am

Hi,

I've recently bought an RB493G and now I'm trying to set it up with a simple config that will replace my D-Link DIR-655 router. So far I can't get it working as easily as stated in Manual:Initial Configuration.

After I added filter rules that are not mentioned in Manual:Initial Configuration, I got ping/nslookup/tracert working from the local PC, but I still can't get web pages working. Sometimes a page opens partially (CSS is not loaded or images are missing), but sometimes I just get "took too long time to respond".

I'm probably missing some basic point here, but I need help as I completely don't see what I'm missing. I expected that the config would work as per the "Initial configuration" article.

Please help.

My network "map":
1. My router's ether1 is connected to my ISP. The ISP gives it an IP via DHCP without any problems.
2. For simplicity of the first config I've connected only one local PC to ether9 and configured it with a static IP (192.168.88.2, with the ISP's DNS servers set manually on the local PC).

I did what "Initial config" asked in "DHCP Client" and "Configuring network address translation (NAT)", and I also set "Allow Remote Requests" according to the "Domain name resolution" section.
I skipped "Default gateway" as the router gets its IP from the ISP via DHCP and gets basic routes dynamically. I also skipped NTP config as I will apply the relevant script to use NTP server names instead of IPs later on.

I've also added filters according to "Set up packet filtering" of Securing your router, as without it neither pings nor traceroutes worked from the local PC.

Below you can find the difference between the default config and mine (compact export), followed by the output of /ip address print detail, /ip route print detail and /ip firewall export. NTP is not set yet, so it's 1970 in the timestamp below.
# jan/02/1970 08:38:20 by RouterOS 5.14
#
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1
add address=192.168.88.1/24 interface=ether9
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
 >> /ip address print detail  
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=192.168.88.1/24 network=192.168.88.0 interface=ether1 
     actual-interface=ether1 

 1 D address=178.74.250.61/21 network=178.74.248.0 interface=ether1 
     actual-interface=ether1 

 2   address=192.168.88.1/24 network=192.168.88.0 interface=ether9 
     actual-interface=ether9
 >> /ip route print detail  
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=178.74.248.1 
        gateway-status=178.74.248.1 reachable via  ether1 distance=0 scope=30 
        target-scope=10 vrf-interface=ether1 

 1 ADC  dst-address=178.74.248.0/21 pref-src=178.74.250.61 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether9,ether1 
        gateway-status=ether9 reachable,ether1 reachable distance=0 scope=10
 > /ip firewall export 
# jan/02/1970 02:01:27 by RouterOS 5.14
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Accept established connections" \
    connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" \
    connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=input comment=UDP disabled=no protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=\
    50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=\
    icmp
add action=accept chain=input comment="From our private LAN" disabled=yes \
    src-address=192.168.88.0/24
add action=accept chain=input disabled=no in-interface=ether9
add action=log chain=input comment="Log everything else" disabled=no \
    log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else" disabled=no
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether1 \
    src-address=192.168.88.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
Last edited by iScape on Sun Dec 30, 2012 12:56 am, edited 1 time in total.
 
336
just joined
Posts: 8
Joined: Fri Nov 30, 2012 8:35 am

Re: Can't surf web on simple config though ping and tracert

Thu Dec 27, 2012 9:38 am

I'm new at this too, but I had a problem before with my DNS server under dhcp-server. What does this say?
/ip dhcp-server network export
Try to set dns-server to something like 8.8.8.8 and just see what happens.
 
gotsprings
Forum Guru
Posts: 2118
Joined: Mon May 14, 2012 9:30 pm

Re: Can't surf web on simple config though ping and tracert

Thu Dec 27, 2012 6:40 pm

Looks like you have the SAME IP on different ports.

You need to do that with a bridge not each interface.

Disable the wireless.
Make a bridge and call it "basic router"
Now assign your physical interface for LAN and the Wireless to the bridge.

Can you put a straight export compact up here?

Your Masquerade rule is also set to the wrong interface. Your WAN appears to be on the same interface as your LAN.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Can't surf web on simple config though ping and tracert

Fri Dec 28, 2012 12:58 pm

Remove this line first:
add address=192.168.88.1/24 comment="default configuration" interface=ether1
and then give us an update.

The partial web page loading is probably due to confused ARP entries caused by this IP mistakenly being on both Ether 1 & 9.
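
Added example (not part of the original posts): a small Python check for the mistake diagnosed above, the same subnet configured on two unbridged interfaces, which also flags addresses placed on bridge ports instead of the bridge. The sample exports are constructed in the style of the ones in this thread, and the function and finding names are hypothetical.

```python
import ipaddress
import itertools
import re

# Constructed samples: address and bridge-port lines in the style of the
# exports posted in this thread (the first export, then a bridged variant).
FIRST_EXPORT = '''\
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1
add address=192.168.88.1/24 interface=ether9
/ip dns static
add address=192.168.88.1 name=router
'''
BRIDGED_EXPORT = '''\
/interface bridge port
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether8
/ip address
add address=192.168.0.1/24 interface=ether9 network=192.168.0.0
add address=192.168.0.2/24 interface=ether8 network=192.168.0.0
'''

# Only "add address=<ip>/<prefix> ... interface=<name>" lines match, so the
# /ip dns static entry (no prefix, no interface) is ignored.
ADDR_RE = re.compile(r'^add address=(\S+/\d+) .*?\binterface=([\w.-]+)', re.M)
PORT_RE = re.compile(r'^add bridge=([\w.-]+) interface=([\w.-]+)', re.M)

def lint_addresses(export_text):
    """Return sorted findings as (kind, interface, other) tuples."""
    bridge_of = {port: br for br, port in PORT_RE.findall(export_text)}
    entries = [(ipaddress.ip_interface(a), i)
               for a, i in ADDR_RE.findall(export_text)]
    findings = set()
    for _addr, iface in entries:
        if iface in bridge_of:
            # The address belongs on the bridge, not on one of its ports.
            findings.add(("address-on-bridge-port", iface, bridge_of[iface]))
    for (a, ia), (b, ib) in itertools.combinations(entries, 2):
        # Two interfaces form one L2 segment only if bridged together.
        same_segment = bridge_of.get(ia, ia) == bridge_of.get(ib, ib)
        if not same_segment and a.network.overlaps(b.network):
            kind = "duplicate-ip" if a.ip == b.ip else "subnet-on-two-segments"
            findings.add((kind, ia, ib))
    return sorted(findings)

if __name__ == "__main__":
    for name, text in (("first", FIRST_EXPORT), ("bridged", BRIDGED_EXPORT)):
        print(name, lint_addresses(text))
```
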
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: Can't surf web on simple config though ping and tracert

Sat Dec 29, 2012 1:12 pm

It appears that I missed some aspects of Manual:Default_Configurations, i.e. the necessity to set admin-mac for the bridge interface.

So, CelticComms and gotsprings, I did what you suggested plus a small extra (ROS upgrade), and now the internet works, though it opens pages with a certain delay compared to my previous router.

Thank you.

My current compact export is
# jan/02/1970 00:24:02 by RouterOS 6.0rc6
#
/interface bridge
add admin-mac=<ether1-gateway internal MAC> auto-mac=no l2mtu=1520 name=bridge1 \
    protocol-mode=rstp
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/interface bridge port
add bridge=bridge1 interface=ether9
/ip address
add address=192.168.88.1/24 interface=ether9 network=192.168.88.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=\
    established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add chain=input comment=UDP protocol=udp
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=input comment="From our private LAN" disabled=yes src-address=\
    192.168.88.0/24
add chain=input in-interface=ether9
add action=log chain=input comment="Log everything else" log-prefix=\
    "DROP INPUT"
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 !to-addresses \
    !to-ports

Next steps will be to configure DHCP and connect a wireless access point.
Last edited by iScape on Sun Dec 30, 2012 12:56 am, edited 1 time in total.
 
iScape
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Dec 23, 2012 1:23 am

Re: Can't surf web on simple config though ping and tracert

Sun Dec 30, 2012 12:55 am

I've added my WiFi AP and DHCP - so far, so good. P2P works at full speed, WiFi works and web pages open as expected.

CelticComms and gotsprings, thanks again.

So for any newbie who is dumb in networking and for some reason needs to set up a basic config of RB493G, please refer to the compact export of my config (you have to replace <ether1-gateway internal MAC> with your MAC):
# dec/30/2012 00:50:25 by RouterOS 6.0rc6
#
/interface bridge
add admin-mac=<ether1-gateway internal MAC> auto-mac=no l2mtu=1520 name=bridge1 \
    protocol-mode=rstp
/ip pool
add name=dhcp_pool1 ranges=192.168.0.190-192.168.0.197
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether7
/ip address
add address=192.168.0.1/24 interface=ether9 network=192.168.0.0
add address=192.168.0.2/24 interface=ether8 network=192.168.0.0
add address=192.168.0.3/24 interface=ether7 network=192.168.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=\
    established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add chain=input comment=UDP protocol=udp
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=input comment="From our private LAN" disabled=yes src-address=\
    192.168.0.0/24
add chain=input in-interface=ether9
add action=log chain=input comment="Log everything else" log-prefix=\
    "DROP INPUT"
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 !to-addresses \
    !to-ports
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether8 type=internal
add interface=ether1 type=external
add disabled=yes interface=ether9 type=internal
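
Added example (not part of the original posts): a first-match walk of the input chain from the export above, showing that the "UDP" rule has no in-interface match, so with allow-remote-requests=yes the router's resolver also answers queries arriving on ether1. The sample is a shortened, constructed copy of that export; only four matchers are modelled and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: the /ip dns and input-chain lines of the final export
# in this thread, shortened (ICMP and disabled rules left out).
EXPORT = r'''
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=\
    established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add chain=input comment=UDP protocol=udp
add chain=input in-interface=ether9
add action=log chain=input comment="Log everything else" log-prefix=\
    "DROP INPUT"
add action=drop chain=input comment="Drop everything else"
'''

# Assumption: only these matchers are modelled; others are treated as matching.
MATCHERS = ("chain", "protocol", "in-interface", "connection-state")

def filter_rules(export_text):
    """Parse the '/ip firewall filter' section into a list of dicts."""
    text = re.sub(r"\\\n\s*", "", export_text)   # join continuation lines
    rules, section = [], None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
        elif section == "/ip firewall filter" and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line)[1:]))
    return rules

def verdict(rules, packet):
    """First-match evaluation; returns (action, comment) of the deciding rule."""
    for rule in rules:
        if rule.get("disabled") == "yes":
            continue
        if any(m in rule and rule[m] != packet.get(m) for m in MATCHERS):
            continue
        action = rule.get("action", "accept")    # export omits the default
        if action != "log":                      # log does not end evaluation
            return action, rule.get("comment", "")
    return "accept", "(no rule matched)"         # chain default is accept

def wan_dns_exposed(export_text, wan="ether1"):
    """True if new UDP from the WAN port is accepted while the resolver
    answers remote requests."""
    pkt = {"chain": "input", "protocol": "udp", "in-interface": wan,
           "connection-state": "new"}
    accepted = verdict(filter_rules(export_text), pkt)[0] == "accept"
    return accepted and "allow-remote-requests=yes" in export_text
```

Adding an in-interface match for the LAN side to the "UDP" rule changes the verdict for new UDP on ether1 to the final drop rule.
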
