HellsEmissary
just joined
Topic Author
Posts: 10
Joined: Sat Jul 04, 2020 10:40 pm

AT&T Router Passthrough Setup

Tue Mar 18, 2025 8:39 pm

I was having issues connecting to the internet, so I decided to reset the router configuration. I went through the default configuration, and that is not working. I am able to connect to the MikroTik update servers, and I am able to ping 8.8.8.8 successfully directly using the router. The issue is that none of the devices connected to the router are able to get internet. My internet connection is an AT&T BGW320-500/505 set up in fixed passthrough mode, going into the first port in the router.
# 2025-03-18 14:21:45 by RouterOS 7.18.2
# software id = 
#
# model = CRS312-4C+8XG
/interface bridge

set [ find default-name=ether1 ] name=WAN1_AT&T
set [ find default-name=ether2 ] name=WAN2_Comcast
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=combo1
add bridge=bridge comment=defconf interface=combo2
add bridge=bridge comment=defconf interface=combo3
add bridge=bridge comment=defconf interface=combo4
add bridge=bridge comment=defconf disabled=yes interface=WAN1_AT&T
add bridge=bridge comment=defconf disabled=yes interface=WAN2_Comcast
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
/interface list member
add interface=bridge list=LAN
/interface ovpn-server server
add mac-address= name=ovpn-server1
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dhcp-client
add interface=WAN1_AT&T
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1_AT&T
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24 port=
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
 
TheCat12
Long time Member
Posts: 546
Joined: Fri Dec 31, 2021 9:13 pm

Re: AT&T Router Passthrough Setup

Wed Mar 19, 2025 1:24 pm

Before doing anything about the internet connection of the LAN devices, you need to implement a firewall ASAP! The default one is the bare minimum.

After you urgently do that, you can remove the WAN port from the bridge, add it to the WAN interface list and check whether "Add default route" is enabled for the DHCP client.
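
The three checks suggested in the reply above (a firewall filter exists, the WAN port is not an active bridge port, the WAN port is in the WAN interface list) can be run offline against an `/export`. The Python below is an added example, not part of the thread or of MikroTik's tooling; `parse_export`, `audit`, the finding labels and the trimmed sample export are constructed for illustration, and treating any port with an enabled DHCP client as an uplink is an assumption.

```python
import re
# Constructed sample shaped like the first post's export: no firewall filter, empty WAN list.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=combo1
add bridge=bridge comment=defconf disabled=yes interface=WAN1_AT&T
/interface list member
add interface=bridge list=LAN
/ip dhcp-client
add interface=WAN1_AT&T
"""

def parse_export(text):
    """Map each menu path to a list of {key: value} dicts, one per add/set line."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join '\' continuation lines
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif path and line and not line.startswith("#"):
            menus[path].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)))
    return menus

def enabled(menus, path):
    return [r for r in menus.get(path, []) if r.get("disabled") != "yes"]

def audit(menus):
    """Assumption: a port with an enabled DHCP client is an uplink (WAN port)."""
    findings = []
    uplinks = sorted({r.get("interface", "") for r in enabled(menus, "/ip dhcp-client")} - {""})
    members = {}
    for r in enabled(menus, "/interface list member"):
        members.setdefault(r.get("list"), set()).add(r.get("interface"))
    rules = enabled(menus, "/ip firewall filter")
    if not rules:
        findings.append("no-firewall-filter")
    bridged = {r.get("interface") for r in enabled(menus, "/interface bridge port")}
    for port in uplinks:
        if port not in members.get("WAN", set()):
            findings.append(f"uplink-not-in-WAN-list:{port}")
        if port in bridged:
            findings.append(f"uplink-is-bridge-port:{port}")
    # A rule keyed on a list without members does not match what its comment promises.
    for lst in sorted({r.get("in-interface-list", "").lstrip("!") for r in rules} - {""}):
        if not members.get(lst):
            findings.append(f"rule-uses-empty-list:{lst}")
    return findings

if __name__ == "__main__":
    print(audit(parse_export(SAMPLE_EXPORT)))
```

The last check matters once filter rules are pasted in: a rule such as "drop all from WAN not DSTNATed" matches nothing while the WAN interface list has no members.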
 
HellsEmissary
just joined
Topic Author
Posts: 10
Joined: Sat Jul 04, 2020 10:40 pm

Re: AT&T Router Passthrough Setup

Wed Mar 19, 2025 5:46 pm

Are these the default firewall rules?
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
My router does not automatically add default rules that I could find.

The WAN port is disabled under bridge>ports. The WAN port has been added as a WAN port under interface list>interface list, and the DHCP client has the default route enabled.
 
TheCat12
Long time Member
Posts: 546
Joined: Fri Dec 31, 2021 9:13 pm

Re: AT&T Router Passthrough Setup

Wed Mar 19, 2025 5:56 pm

> Are these the default firewall rules?
> /ip firewall filter
> add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
> add action=drop chain=input comment="drop invalid" connection-state=invalid
> add action=accept chain=input comment="accept ICMP" protocol=icmp
> add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
> add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
> add action=drop chain=forward comment="drop invalid" connection-state=invalid
> add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
> add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
> add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

Yes.

> The WAN port is disabled under bridge>ports. The WAN port has been added as a WAN port under interface list>interface list, and the DHCP client has the default route enabled.

If you have done that, then the devices should start having internet connectivity; otherwise, re-export the config with the changes made.
 
HellsEmissary
just joined
Topic Author
Posts: 10
Joined: Sat Jul 04, 2020 10:40 pm

Re: AT&T Router Passthrough Setup

Thu Mar 20, 2025 5:04 pm

I am still not getting any internet connection. The following is the updated config:
# 2025-03-20 00:33:35 by RouterOS 7.18.2
# software id = 
#
# model = CRS312-4C+8XG
#
/interface bridge

/interface ethernet
set [ find default-name=ether1 ] name=WAN1_AT&T
set [ find default-name=ether2 ] name=WAN2_Comcast
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=combo1
add bridge=bridge comment=defconf interface=combo2
add bridge=bridge comment=defconf interface=combo3
add bridge=bridge comment=defconf interface=combo4
add bridge=bridge comment=defconf disabled=yes interface=WAN1_AT&T
add bridge=bridge comment=defconf disabled=yes interface=WAN2_Comcast
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
/interface list member
add interface=bridge list=LAN
add interface=WAN1_AT&T list=WAN
add interface=WAN2_Comcast list=WAN
/interface ovpn-server server
add mac-address= name=ovpn-server1
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dhcp-client
add interface=WAN1_AT&T
add default-route-distance=2 disabled=yes interface=WAN2_Comcast
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1_AT&T
add action=masquerade chain=srcnat disabled=yes out-interface=WAN2_Comcast
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24 port=
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
 
erlinden
Forum Guru
Posts: 3023
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: AT&T Router Passthrough Setup

Thu Mar 20, 2025 5:17 pm

> I am still not getting any internet connection. The following is the updated config:

Could that be related to this?
add bridge=bridge comment=defconf disabled=yes interface=WAN1_AT&T
add bridge=bridge comment=defconf disabled=yes interface=WAN2_Comcast
Or were these interfaces enabled while testing?

In addition, you might as well want to enable your DHCP client on WAN2.
 
HellsEmissary
just joined
Topic Author
Posts: 10
Joined: Sat Jul 04, 2020 10:40 pm

Re: AT&T Router Passthrough Setup

Thu Mar 20, 2025 7:09 pm

> Could that be related to this?
> add bridge=bridge comment=defconf disabled=yes interface=WAN1_AT&T
> add bridge=bridge comment=defconf disabled=yes interface=WAN2_Comcast
> Or were these interfaces enabled while testing?

These were enabled during testing. The only thing that changes is that Windows now thinks that there is an internet connection, but there is not, as I am unable to load a single web page.

> In addition, you might as well want to enable your DHCP client on WAN2.

The WAN2 is disabled because the cable modem for the second connection is not physically connected to the router at the moment. It is hooked up to a different router, as a temporary solution while I am trying to fix this issue.
 
rplant
Long time Member
Posts: 628
Joined: Fri Sep 29, 2017 11:42 am

Re: AT&T Router Passthrough Setup

Fri Mar 21, 2025 11:55 am

Hi,

I attempted this config on a hex, it mostly worked.

I needed the following slight changes.

#Not sure how this was missing, perhaps removed from your export for some reason.

/interface bridge
add name=bridge

#websites wouldn't work without allow-remote-requests
/ip dns
set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes


Also perhaps the following ipv6 stuff (block everything) might be wise at least in the short term.

/ipv6 settings
set disable-ipv6=yes

/ipv6 firewall raw
add chain=prerouting action=drop
add chain=output action=drop

/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
add chain=output action=drop

You can look at the route table to see if anything is obviously wrong.
 
HellsEmissary
just joined
Topic Author
Posts: 10
Joined: Sat Jul 04, 2020 10:40 pm

Re: AT&T Router Passthrough Setup

Fri Mar 21, 2025 6:50 pm

> #Not sure how this was missing, perhaps removed from your export for some reason.
>
> /interface bridge
> add name=bridge

I do already have a bridge called bridge. I do not know why it was not listed in the export.

> #websites wouldn't work without allow-remote-requests
> /ip dns
> set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

I turned allow remote requests on, and that did not do anything for me.

I also tried disabling and reenabling WAN1_AT&T (ethernet port 1), and now the DHCP client is showing as a red color.
 
TheCat12
Long time Member
Posts: 546
Joined: Fri Dec 31, 2021 9:13 pm

Re: AT&T Router Passthrough Setup

Fri Mar 21, 2025 6:55 pm

To work properly, the WAN ports should either stay as disabled members of the bridge or, even better, be removed from the bridge.
 
HellsEmissary
just joined
Topic Author
Posts: 10
Joined: Sat Jul 04, 2020 10:40 pm

Re: AT&T Router Passthrough Setup

Sat Mar 22, 2025 12:02 am

I have disabled the WAN port on the bridge again, but still no internet connection.
 
rplant
Long time Member
Posts: 628
Joined: Fri Sep 29, 2017 11:42 am

Re: AT&T Router Passthrough Setup

Sat Mar 22, 2025 12:39 am

Hi,
A few thoughts.

Does the CRS have a gateway IP address?
(ie. Did its DHCP client work)
Can you ping 8.8.8.8 from the CRS?
Do you have the correct ip address, default gateway on your client device?

On a slightly different note.

The CRS312 is a switch; it can also route, but its CPU is quite low powered.
It can do a limited amount of hardware offloaded routing as well, which is very fast, but you are likely to run out of hardware quickly and then be back to software routing for lots of your traffic.

Using the common 512 byte, 25 filter rules from the product test results, its software routing performance is much less than a hex refresh.

Documentation on the L3 hardware offloading:

https://help.mikrotik.com/docs/spaces/R ... Offloading

Note: You need an upgraded firewall filter rule set to get fasttrack hardware offload to work (you need the fasttrack rules).
Also, you may not be able to fasttrack traffic for the alternate WAN interface.

A default set of firewall filter rules I extracted from a hex.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Perhaps you would be better off for the external gateway device with something else.
eg. RB5009 or one of the CCR models.

For internal traffic I imagine the CRS will be fine.
 
HellsEmissary
just joined
Topic Author
Posts: 10
Joined: Sat Jul 04, 2020 10:40 pm

Re: AT&T Router Passthrough Setup

Tue Mar 25, 2025 6:36 pm

> Does the CRS have a gateway IP address?
> (ie. Did its DHCP client work)

Yes, the DHCP client is getting an external IP address, and the gateway IP address is within the same IP address range as the external IP.

> Can you ping 8.8.8.8 from the CRS?

Yes, I have previously stated this in the original post.

> I am able to connect to the MikroTik update servers, and I am able to ping 8.8.8.8 successfully directly using the router.

> Do you have the correct ip address, default gateway on your client device?

Yes, I am getting an IP address within the correct range (192.168.88.2-192.168.88.254), and I am getting 192.168.88.1 as the default gateway.

I am also happy to report that I am now getting an internet connection on my client devices, but I am still having internet issues. I disabled the port from the bridge again, and I added the primary and secondary AT&T DNS servers to the DNS settings. That was what allowed me to get an internet connection, but I am still having issues. While I am able to get an internet connection now, the speed of that connection is approximately 150 megabit for both upload and download. The problem is that I have a gigabyte fiber connection from AT&T, so I should be getting a much faster connection than I am getting.