 
kieranthegay
just joined
Topic Author
Posts: 1
Joined: Fri Jun 02, 2023 11:47 pm

No Internet on router

Fri Jun 02, 2023 11:58 pm

Hi all

I've just got my hEX S set up at home, but I have no internet on the router itself: when I check for updates, for example, the connection times out, and when I ping from the router the connection times out.

The internet works fine on all devices on the LAN.

Config below:
# jun/02/2023 21:54:09 by RouterOS 7.9.1
# software id = L3VM-GUCZ
#
# model = RB760iGS
# serial number = 
/disk
set sd1 type=hardware
add parent=sd1 partition-number=1 partition-offset=512 partition-size=\
    "30 908 349 952" type=partition
# LAN bridge with a fixed admin MAC (auto-mac=no).
/interface bridge
add admin-mac=18:FD:74:F8:2D:77 auto-mac=no comment=defconf name=bridge-LAN
# OpenVPN client entry, disabled=yes, so it carries no traffic as exported.
# connect-to=1.2.3.4 and user=user look like redacted placeholders.
/interface ovpn-client
add certificate="OpenVPN Cert" cipher=aes256-cbc connect-to=1.2.3.4 \
    disabled=yes mac-address=02:B2:C7:54:E6:34 name="KS DC" user=user
# The internet uplink: a PPPoE client named "WAN" running over ether1, which
# also installs the default route (add-default-route=yes). No password is
# shown here - presumably hidden by the export; verify before sharing an
# export made with show-sensitive.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mtu=1500 name=\
    WAN service-name=INTERNET user=username
# Four interface lists are declared. Both "External" and "WAN" exist, so any
# rule that matches on a list depends on which of the two it names.
/interface list
add comment=defconf name=External
add comment=defconf name=Trusted
add name=Guest
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# Default IPsec phase-1 profile: modp2048, AES-128, SHA-256.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 \
    hash-algorithm=sha256
# Default IPsec proposal. NOTE(review): sha1 is still offered next to
# sha256/sha512; drop it if no peer needs it.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms="ae\
    s-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-\
    128-ctr,aes-128-gcm" pfs-group=modp2048
# Three pools are defined. dhcp_pool1 and dhcp_pool2 cover the same range,
# and no dhcp-server in this export uses either of them.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=172.16.12.100-172.16.12.254
add name=dhcp_pool2 ranges=172.16.12.100-172.16.12.254
# The only DHCP server is disabled and still points at the 192.168.88.x
# pool. NOTE(review): presumably leases come from another host - confirm.
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge-LAN lease-time=\
    10m name=defconf
# LoRa network-server entries (The Things Network / The Things Stack
# endpoints, all on port 1700). Presumably stock entries - TODO confirm.
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" \
    up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" \
    up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" \
    up-port=1700
/port
set 0 name=serial0
# The default SNMP community is restricted to one source, 172.16.10.8/32.
# NOTE(review): the community name is not shown in this export; if it is
# still the factory name, rename it - the address filter is the only control
# visible here.
/snmp community
set [ find default=yes ] addresses=172.16.10.8/32
# ether2-ether5 and sfp1 are bridged into bridge-LAN; ether1 is not a bridge
# member.
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=sfp1
# Neighbor discovery is limited to the Trusted list.
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set wan-interface-list=WAN
# List membership: bridge-LAN -> Trusted, ether1 -> External, and the PPPoE
# interface "WAN" -> list WAN.
# NOTE(review): the PPPoE interface is not a member of External. IP traffic
# on a PPPoE link is normally seen on the pppoe-client interface rather than
# on the underlying ether1, so rules that match in-interface-list=External
# may never match internet traffic - confirm against the rule counters.
/interface list member
add comment=defconf interface=bridge-LAN list=Trusted
add comment=defconf interface=ether1 list=External
add interface=WAN list=WAN
# NOTE(review): the OpenVPN server auth list offers md5 and sha1. No
# enabled= setting is exported here, so the server is presumably off; if it
# is ever turned on, tighten this list first.
/interface ovpn-server server
set auth=sha1,md5
# The router's LAN address: 172.16.10.1/24 on bridge-LAN.
/ip address
add address=172.16.10.1/24 comment=defconf interface=bridge-LAN network=\
    172.16.10.0
# MikroTik cloud DDNS is on, so the router registers its public address with
# the vendor's service every 10 minutes. This is router-originated traffic
# and depends on the router itself having working internet access.
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# DHCP relay towards 172.16.10.8.
# NOTE(review): interface=*8 is how an export typically prints a reference
# to an interface that no longer exists; this relay is probably bound to
# nothing. Re-point it or remove it.
/ip dhcp-relay
add dhcp-server=172.16.10.8 disabled=no interface=*8 name=relay1
# The router's own resolver uses only the LAN host 172.16.10.8, so name
# resolution on the router fails whenever that host is unreachable.
/ip dns
set servers=172.16.10.8
/ip dns static
add address=172.16.10.1 comment=defconf name=router
# Address lists. The filter and raw rules in this export reference only
# BlackList, LANIP and "Google Home"; GuestVlan and the four DNS lists are
# defined but not used by any rule shown.
# NOTE(review): the first entry adds BlackList with no address - confirm it
# is a placeholder and not a truncated entry.
/ip firewall address-list
add list=BlackList
add address=172.16.10.0/24 list=LANIP
add address=172.16.12.0/24 list=GuestVlan
add address=45.90.28.40 list="Trusted DNS 1"
add address=45.90.30.40 list="Trusted DNS 2"
add address=45.90.28.76 list="Guest DNS1"
add address=45.90.30.76 list="Guest DNS2"
add address=172.16.10.22 list="Google Home"
add address=172.16.10.12 list="Google Home"
# Filter rules are evaluated top to bottom per chain; the first matching
# terminal action wins, and a chain with no matching rule accepts.
/ip firewall filter
# Adds the source of a new TCP connection to the listed ports to BlackList
# for 10 hours (non-terminal; processing continues).
# NOTE(review): in-interface=BT-WAN - no interface with that name is defined
# in this export (the PPPoE client is named WAN); confirm this rule can
# match. The port list also includes 80, 443 and 8291, which are not
# "unused" if the router's own web/WinBox services are running.
# One new packet is enough to list a source, so a forged source address can
# get an unrelated host listed; keep hosts the router depends on exempt.
add action=add-src-to-address-list address-list=BlackList \
    address-list-timeout=10h chain=input comment="\"Block TCP port scanning\":\
    \_add a device scanning an unused port to BlackList." connection-state=\
    new dst-port=\
    20-25,80,110,161,443,445,3128,3306,3333,3389,7547,8291,8080-8082 \
    in-interface=BT-WAN protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
# NOTE(review): this is the first terminal rule of the input chain, and no
# earlier input rule accepts established/related traffic. Replies to
# connections the router itself opens (ping, update check) come back on the
# PPPoE interface, which is not in Trusted, so they are dropped here. That
# matches the reported symptom: LAN clients work (forward chain), the router
# does not (input chain). The stock firewall accepts
# connection-state=established,related,untracked on input before this drop;
# restoring that rule above this one is the usual fix.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!Trusted
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Matches only established/related/untracked packets from LANIP to ports
# 80, 22 and 8291. New connections are not matched here; they are accepted
# only because the input chain has no final drop for Trusted traffic.
add action=accept chain=input comment="Inbound - Trust access to mgt" \
    connection-state=established,related,untracked dst-port=80,22,8291 \
    protocol=tcp src-address-list=LANIP
# Placed after the !Trusted drop, so this only ever sees ICMP from Trusted
# interfaces; echo replies arriving from the internet never reach it.
add action=accept chain=input comment="Inbound - Ping" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Forward chain. NOTE(review): most accept rules below are labelled
# "Outbound" but carry no in-interface-list or out-interface matcher, and
# several set connection-state="" (no state match). They therefore match on
# destination port or address in either direction, and they sit above the
# "drop all from WAN not DSTNATed" rule. Constraining them with
# in-interface-list=Trusted would make the rules do what the comments say.
add action=accept chain=forward comment="Inbound - IPSEC" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="Outbound - IPSEC" ipsec-policy=\
    out,ipsec
# The next two rules accept any protocol and port towards 1.2.3.4 (the
# address looks like a redacted placeholder).
add action=accept chain=forward comment="Outbound - Work VPN" dst-address=\
    1.2.3.4
add action=accept chain=forward comment="Outbound - Work 3CX" dst-address=\
    1.2.3.4
add action=accept chain=forward comment="Outbound - Google Home TCP" \
    dst-port=8008,8009,80,443,5228 protocol=tcp src-address-list=\
    "Google Home"
# Because this rule precedes "Block DNS Traffic", the two Google Home hosts
# may send UDP/53 to any resolver, bypassing the 172.16.10.8-only policy.
add action=accept chain=forward comment="Outbound - Google Home UDP" \
    dst-port=53,123 protocol=udp src-address-list="Google Home"
add action=accept chain=forward comment="Outbound - Trusted DNS" \
    connection-state="" dst-port=53 protocol=udp src-address=172.16.10.8 \
    src-address-list=""
# Only UDP/53 is handled by the DNS rules; TCP/53 matches neither of them
# and falls through to the rules below.
add action=drop chain=forward comment="Block DNS Traffic" dst-port=53 \
    protocol=udp src-address=!172.16.10.8
# Accepts every protocol and port from 172.16.10.4, not only SIP.
add action=accept chain=forward comment="Outbound - SIP" src-address=\
    172.16.10.4
add action=accept chain=forward comment="Outbound - Time" connection-state="" \
    dst-port=123 protocol=udp
add action=accept chain=forward comment="Outbound - Web Traffic" \
    connection-state="" dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Outbound - MC" connection-state="" \
    dst-port=25565,30052,30051,30050 protocol=tcp
add action=accept chain=forward comment="Outbound - Ptero Ports" \
    connection-state="" dst-port=8080,2022 protocol=tcp
add action=accept chain=forward comment="Outbound - Steam (TCP)" dst-port=\
    27015-27050 protocol=tcp
add action=accept chain=forward comment="Outbound - Steam (UDP)" dst-port=\
    27015-27050 protocol=udp
add action=accept chain=forward comment="Outbound - SMTP STARTLS (TCP)" \
    dst-port=587 protocol=tcp
add action=accept chain=forward comment="Outbound - QNAP VPN Client TCP" \
    dst-port=1443 protocol=tcp src-address=172.16.10.5
add action=accept chain=forward comment="Outbound - Teamviewer TCP" dst-port=\
    5938 protocol=tcp
add action=accept chain=forward comment="Outbound - Teamviewer UDP" dst-port=\
    5938 protocol=udp
add action=accept chain=forward comment="Outbound - Roblox" dst-port=\
    49152-65535 protocol=udp src-address=172.16.10.26
add action=accept chain=forward comment="Outbound - Whatsapp TCP" dst-port=\
    5222,5223 protocol=tcp
add action=accept chain=forward comment="Outbound - Whatsapp UDP" dst-port=\
    3478 protocol=udp
# Return traffic for the connections accepted above.
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
# NOTE(review): matches in-interface-list=External, which contains only
# ether1 in this export, not the PPPoE interface. New connections arriving
# over PPPoE are presumably not matched here and are left to the final drop
# (or to an earlier port-based accept) - confirm with the rule counters.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=External
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Default-deny for the forward chain. The input chain has no equivalent
# final drop.
add action=drop chain=forward comment="drop everything else"
/ip firewall mangle
# Clamp the TCP MSS of forwarded SYN packets to the path MTU.
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
# Mark TeamViewer connections (port 5938, TCP and UDP), then mark their
# packets as upload or download relative to 172.16.10.0/24.
# NOTE(review): the filter table fasttracks established/related forward
# traffic; fasttracked packets may skip these marks - verify the counters.
add action=mark-connection chain=prerouting comment=Teamviewer dst-port=5938 \
    new-connection-mark=conn-TeamViewer passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=5938 \
    new-connection-mark=conn-TeamViewer protocol=udp
add action=mark-packet chain=prerouting connection-mark=conn-TeamViewer \
    new-packet-mark=TeamViewer_pkt-up passthrough=no src-address=\
    172.16.10.0/24
add action=mark-packet chain=prerouting connection-mark=conn-TeamViewer \
    dst-address=172.16.10.0/24 new-packet-mark=TeamViewer_pkt-down \
    passthrough=no
# Source NAT for non-IPsec traffic leaving through the PPPoE interface WAN.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=WAN
# Drops every packet whose source is in BlackList, on any interface, in the
# raw prerouting chain.
# NOTE(review): this is not limited to the WAN side, so a listed address is
# cut off for forwarded traffic as well as for traffic to the router.
/ip firewall raw
add action=drop chain=prerouting comment=\
    "Blacklist: reject the connection with a device from the blacklist." \
    src-address-list=BlackList
# Connection-tracking helpers: irc and rtsp enabled, sip disabled.
# NOTE(review): turn off helpers for protocols that are not in use.
/ip firewall service-port
set irc disabled=no
set sip disabled=yes
set rtsp disabled=no
# Management services: telnet, api and api-ssl are off, www-ssl is on.
# NOTE(review): ftp, www, ssh and winbox are not listed, so they are
# presumably at their default state - verify, and disable what is unused.
# No address= restriction is set on any service shown; reachability is
# controlled only by the input-chain firewall rules.
/ip service
set telnet disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
# SNMP agent is enabled. The default community in this export is limited
# to 172.16.10.8/32.
/snmp
set enabled=yes location=Flat
/system clock
set time-zone-name=Europe/London
/system identity
set name=router
/system logging
add prefix=ipsec topics=ipsec
/system note
set show-at-login=no
# Interface graphs are viewable from 172.16.10.0/24 only.
/tool graphing interface
add allow-address=172.16.10.0/24
# Layer-2 management (MAC telnet, MAC WinBox) is limited to the Trusted list.
/tool mac-server
set allowed-interface-list=Trusted
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No Internet on router

Sun Jun 04, 2023 3:39 pm

Nothing I could see at a quick glance; however, your setup is overly complex, and it will be very difficult to find the wrong grain of sand within the beach you have constructed.
My advice is to simplify.
 
holvoetn
Forum Guru
Forum Guru
Posts: 5318
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: No Internet on router

Sun Jun 04, 2023 4:04 pm

Looks like your device doesn't have DNS (but other clients on the network do).
Is that DNS server 172.16.10.8 reachable from Hex ?
