nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

RB4011iGS No Internet available to hosts

Tue May 26, 2020 7:02 am

Hi guys,

I just purchased an RB4011iGS and am having issues connecting the hosts to the internet.

The connection type that my ISP is using is IPoE on VLAN 10.

I used the quick setup and created a DHCP server and NAT; the public IP is "Automatic". I created a VLAN interface and assigned it to the DHCP client.

Everything works from the router: I can ping 8.8.8.8 etc., and the hosts get DHCP leases, but none of them can get to the internet; they can only ping my gateway 10.0.0.1.

I am new to Mikrotik, can somebody please assist?

Thank you
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: RB4011iGS No Internet available to hosts

Tue May 26, 2020 8:03 am

I got it resolved by adding a VLAN interface (my internet is on VLAN 10).

Under Interface List:

Add: vlan10 ISP subinterface to "WAN", because in the NAT policies the interfaces have now been combined into LAN and WAN in newer firmware.

However, I have an issue with DNS: when I go to the DNS settings of the DHCP server and use my router IP 10.0.0.1 as the DNS server, it doesn't work; no DNS requests can be resolved.

If I change it to 8.8.8.8, for example, it works.

Is it a bug or working as intended?
Last edited by nevolex on Tue May 26, 2020 11:18 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB4011iGS No Internet available to hosts

Tue May 26, 2020 11:17 am

Is it a bug or working as intended?
It may be both, but the latter is more likely. If allow-remote-requests under /ip dns is set to no, the DNS server doesn't respond to any DNS queries coming from outside the router, including from the LAN clients. It is only safe to change this setting to yes if you have at least the default firewall rules in place, as you need proper firewall rules to prevent DNS requests coming in via the WAN interface (from the internet) from being responded to. Devices which respond to DNS queries over the WAN can be misused for (D)DoS attacks hiding the actual identity of the attacker.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: RB4011iGS No Internet available to hosts

Tue May 26, 2020 11:23 am

Is it a bug or working as intended?
It may be both, but the latter is more likely. If allow-remote-requests under /ip dns is set to no, the DNS server doesn't respond to any DNS queries coming from outside the router, including from the LAN clients. It is only safe to change this setting to yes if you have at least the default firewall rules in place, as you need proper firewall rules to prevent DNS requests coming in via the WAN interface (from the internet) from being responded to. Devices which respond to DNS queries over the WAN can be misused for (D)DoS attacks hiding the actual identity of the attacker.
Yes, I prefer to keep it as "No" to be honest; not sure why the local DNS doesn't work yet. I will retest again tomorrow.

Thank you
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB4011iGS No Internet available to hosts

Tue May 26, 2020 12:34 pm

Yes, I prefer to keep it as "No" to be honest; not sure why the local DNS doesn't work yet. I will retest again tomorrow.
I'm not sure you've got me right: to make the 4011 respond to any DNS queries coming from outside (including from LAN), you must set allow-remote-requests to yes. There is nothing to test about it. "Remote" means "external", not "from far away".
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: RB4011iGS No Internet available to hosts

Tue May 26, 2020 2:11 pm

Hi Sindy,

Thank you for being so helpful. I did specify my router as the DNS server and allowed remote connections in DNS.

I am using these default rules; would that be enough to drop any DNS requests from WAN?

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Thank you
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB4011iGS No Internet available to hosts

Tue May 26, 2020 4:07 pm

These are the default firewall rules which I've referred to, so yes, they do drop any connection to the router itself which is initiated from outside the LAN (except ICMP). It's the last rule in chain input which does that; the rule just before (above) it is the exception for ICMP (so that the public IP can be pinged).
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011iGS No Internet available to hosts  [SOLVED]

Tue May 26, 2020 5:02 pm

The answer is yes!

{Input Chain}
This rule in your input chain drops all requests coming from the internet to your router and allows all requests to your router from the LAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

This is a decent generic default firewall filter rule that ensures access to router services for those behind the router and closes off the router to those on the internet.
However, once you learn a bit more about firewall rules, I prefer to narrow down access to the router to ONLY the admin who configures the router (by use of a firewall address list).
For those on the LAN, the only reason to access the router is for specific services like DNS.
Then I apply a last rule in the input chain to drop everything else, be it from the WAN side or the LAN side, and thus a more global and encompassing security rule.
It's also called a last rule because it's the last one you should add to the config; otherwise you will lock yourself out of the router without an admin access rule in place!

So typically this is what I recommend:

add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=xxxxxxx src-address-list=adminaccess

add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp

add action=drop chain=input comment="DROP ALL ELSE"

{Forward Chain}
This rule in your forward chain drops all requests coming from the internet through your router to the LANs except the ones that have a corresponding Destination NAT rule (matches a dst port you have listed).
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

This is a decent generic default firewall filter rule that ensures access across the router to your subnets from the outside is blocked except for port forwarding.
However, I prefer to narrow down the rule to isolate one purpose at a time, especially if port forwarding is not required.
Firstly, access to the LANs from the internet for port forwarding.
Then use the block-all rule to stop ALL other traffic I have not specifically allowed, be it WAN to LAN or LAN to LAN etc.
Once again, before the last rule ensure you have an allow LAN-to-WAN rule so the LANs have internet access.
If the admin needs access to other subnets, or the VLAN A subnet needs access to a shared device (printer) in VLAN B, here is where you would make those rules.

add action=accept chain=forward comment="ENABLE HomeLAN to WAN" \
in-interface-list=yyyyyy out-interface-list=WAN
(use in-interface=xxxxx instead of in-interface-list=yyyyyy to match a single interface)
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
(can be disabled until required, or removed if no port forwarding occurs)

add action=drop chain=forward comment="DROP ALL ELSE"
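To check the claims made about the input chain in this thread (sindy's point that the defconf rules drop DNS from WAN while letting ICMP and everything from LAN through, and anav's narrowed chain that additionally drops non-DNS LAN traffic unless it comes from the admin address list), here is an added first-match rule evaluator. It is not code from the thread or from MikroTik; the rule text is constructed from the posted rules (matchers only), the xxxxxxx interface-list placeholder is assumed to be LAN, and RouterOS matching is simplified to the matchers these rules use.

```python
import shlex

# Constructed rule text: the defconf input chain posted in the thread (matchers
# only) and anav's narrowed input chain, with xxxxxxx assumed to be LAN.
DEFCONF_INPUT = """add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=!LAN"""
NARROWED_INPUT = """add action=accept chain=input in-interface-list=LAN src-address-list=adminaccess
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input"""

def packet(iface_list, proto, port=None, state="new", src_list=None):
    """Constructed packet headed for the router itself, as the input chain sees it."""
    p = {"in-interface-list": iface_list, "protocol": proto, "connection-state": state}
    if port:
        p["dst-port"] = port
    if src_list:
        p["src-address-list"] = src_list
    return p

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex handles quoted comments."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if toks and toks[0] == "add":
            rules.append(dict(t.split("=", 1) for t in toks[1:]))
    return rules

def matches(rule, pkt):
    """All matchers must hold: '!x' means not x, 'a,b' means any of a or b."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        have = pkt.get(key)
        ok = have != want[1:] if want.startswith("!") else have in want.split(",")
        if not ok:
            return False
    return True

def verdict(rules, pkt):
    """First matching rule decides; RouterOS accepts when no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"
```

With the defconf chain a new UDP/53 query from WAN is dropped by the last rule while the same query from LAN falls off the end of the chain and is accepted; with the narrowed chain a LAN host reaching for port 22 is dropped unless it is on the adminaccess list.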
