ikbeta
just joined
Topic Author
Posts: 1
Joined: Sat Mar 12, 2022 11:30 am

NAT / Firewall rules issue

Sun Apr 17, 2022 2:38 pm

Good day

I have a MikroTik router board.
I have changed my WAN from PPPoE to a static IP.
But my router can ping its gateway but fails to ping the internet. Kindly assist.

# apr/16/2022 18:58:08 by RouterOS 6.45.9
# software id = NYXN-0HT3
#
# model = RB4011iGS+
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes interface=ether1 keepalive-timeout=disabled name=\
pppoe-out1 password=XXXXXXXXX use-peer-dns=yes user=\
XXXXXXXXXXXX
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=192.168.88.1 login-by=mac,cookie,http-chap mac-auth-mode=\
mac-as-username-and-password name="MAC AUTH as USER"
add hotspot-address=192.168.88.1 name=hsprof1
add login-by=mac,cookie,http-chap mac-auth-mode=mac-as-username-and-password \
name="hsprof2 Mac Auth"
add name=hsprof3
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=hs-pool-12 ranges=192.168.10.20-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip hotspot
add address-pool=dhcp disabled=no idle-timeout=none interface=bridge name=\
hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] address-pool=dhcp
add address-pool=dhcp idle-timeout=8h !keepalive-timeout mac-cookie-timeout=\
4w2d name=USERS shared-users=10
add address-pool=hs-pool-12 mac-cookie-timeout=4w2d name=Premium \
shared-users=5
add address-pool=dhcp !keepalive-timeout name=uprof1 shared-users=5
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
add address=192.168.10.1/24 comment="hotspot network" interface=bridge \
network=192.168.10.0
add address=X.X.X.X/30 interface=ether1 network=X.X.X.X
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=5.11.11.5,5.11.11.11 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=5.11.11.5,5.11.11.11
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment=WINBOX dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=XXXXXXXX dst-port=8000 \
protocol=tcp to-addresses=192.168.88.4 to-ports=8000
/ip hotspot ip-binding
XXXXXXX
/ip hotspot user
XXXXX
/ip route
add distance=1 gateway=ether1
/system clock
set time-zone-name=Indian/Mauritius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT / Firewall rules issue

Tue Apr 19, 2022 3:18 pm

(1) Upgrade firmware to at least latest long term 6.48 version.

(2) Remove old pppoe settings!!
/interface pppoe-client
add add-default-route=yes interface=ether1 keepalive-timeout=disabled name=\
pppoe-out1 password=XXXXXXXXX use-peer-dns=yes user=\


/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN


Also I would change this to
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether2 list=LAN
add comment=defconf interface=ether1 list=WAN


(4) This input rule is NOT secure and should be modified so that it does NOT, at the very least, include WAN.
add action=accept chain=input comment=WINBOX dst-port=8291 protocol=tcp

TO
add action=accept chain=input comment=WINBOX dst-port=8291 protocol=tcp in-interface-list=LAN


(5) OKAY, you really need to figure out what you are doing with the following, as they are all mixed up!!!
a. bridge
b. hotspot
c. ether2
d. the two IP pools available.

For example hotspot profile shows subnet of 192.168.88.x
Ip pool shows DHCP belonging to bridge
Ip pool shows hs-pool of 192.168.20.X ?

But hotspot has interface bridge?
Bridge has all ports including ether2
But ether2 has address 192.168.88.X ??
Bridge has IP address 192.168.10 ??

++++++++++++++++++++++++++++++++++++

In other words, I don't understand your setup, and maybe that is because I don't use Hotspot.
My impression is that you are trying to use two subnets for hotspot, when it only needs one ??

++++++++++++++++++++++++++++++++++++

In conclusion..
A. get rid of old pppoe stuff
B. really nail down what you need for hotspot stuff; it could be okay, I just don't have the experience.
C. FIX firewall rules in terms of the organization. Put all input chain rules together for easy viewing and understanding, and the same for the forward chain.
The order within a chain is critical, so it must be easily seen and compared.

Sorry I couldn't be more helpful.
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia

Re: NAT / Firewall rules issue

Thu Apr 21, 2022 5:29 am


/ip route
add distance=1 gateway=ether1
Looks like it is the route that is the issue. If you are not using a P2P address, or unless it is a directly connected route (think same subnet, where it will use ARP to get around), do not use the interface; please put the gateway address that the ISP gave you here :)

Edited: to make more sense, since I don't proofread before posting :)
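Two of the points made in this thread (anav's (4) on the unrestricted WinBox accept and the ordering of the input chain, and AidanAus's point about an interface used as a route gateway) can be checked mechanically against an `/export`. The script below is an added example written for this thread; it is not MikroTik code and not something either poster supplied. It parses the export text with its backslash continuations and quoted comments, then flags: a service accept in the input chain that has no source restriction and sits before the "drop all not coming from LAN" rule (first match wins, so such a rule is reachable from WAN); interface-list members that still name an interface the export no longer defines (the leftover pppoe-out1 after the pppoe client is removed); a route whose gateway is an interface rather than a next-hop address (pppoe clients are exempted as point-to-point links); and firewall rules entered twice, like the duplicated masquerade in the original post. The physical-port name pattern, the pppoe exemption and the sample export are assumptions constructed for the example.

```python
"""Lint a RouterOS /export for the issues raised in this thread. Added example, not
MikroTik code: flags a service accept in the input chain with no source restriction
ahead of the drop-not-from-LAN rule, list members naming a removed pppoe client,
a route whose gateway is an interface, and duplicate firewall rules."""
import re
import shlex
from dataclasses import dataclass

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PHYSICAL_IF_RE = re.compile(r"^(ether|sfp-sfpplus|sfp|wlan|combo)\d+$")  # assumed built-in port names
SOURCE_KEYS = ("in-interface", "in-interface-list", "src-address", "src-address-list")

@dataclass
class Record:
    path: str   # menu path such as "/ip firewall filter"
    cmd: str    # "add" or "set"
    args: dict  # property -> value, None for a "!property" unset
    line: int   # first line of the command in the export

def _logical_lines(text):
    """Yield (line_no, command) with trailing-backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        piece = raw.strip()
        if start is None:
            if not piece or piece.startswith("#"):
                continue
            start = no
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        yield start, buf + piece
        buf, start = "", None

def parse_export(text):
    records, path = [], ""
    for line_no, line in _logical_lines(text):
        if line.startswith("/"):
            path = line
            continue
        tokens, args, depth = shlex.split(line), {}, 0  # shlex keeps comment="a b" as one token
        for tok in tokens[1:]:
            depth += (tok == "[") - (tok == "]")
            if depth or tok in ("[", "]"):
                continue                                 # skip "[ find default=yes ]" selectors
            if "=" in tok:
                key, value = tok.split("=", 1)
                args[key] = value
            elif tok.startswith("!"):
                args[tok[1:]] = None
        records.append(Record(path, tokens[0], args, line_no))
    return records

def lint(text):
    """Return (line, code, message) findings sorted by line."""
    recs, out, seen = parse_export(text), [], {}
    defined = {r.args["name"] for r in recs if r.path.startswith("/interface") and "name" in r.args}
    p2p = {r.args["name"] for r in recs if r.path == "/interface pppoe-client" and "name" in r.args}
    inp = [r for r in recs if r.path == "/ip firewall filter" and r.args.get("chain") == "input"]
    # First match wins: accepts placed after the "drop all not coming from LAN" rule never see WAN.
    guard = next((i for i, r in enumerate(inp) if r.args.get("action") == "drop"
                  and (r.args.get("in-interface-list") or "").startswith("!")), len(inp))
    for r in inp[:guard]:
        if r.args.get("action") == "accept" and "dst-port" in r.args and not any(k in r.args for k in SOURCE_KEYS):
            out.append((r.line, "exposed-service", f"input accept for {r.args.get('protocol', 'any')}/"
                        f"{r.args['dst-port']} has no source restriction and precedes the drop-not-from-LAN rule"))
    for r in recs:
        ref, gw = r.args.get("interface"), r.args.get("gateway", "")
        if ref and ref not in defined and not PHYSICAL_IF_RE.match(ref):
            out.append((r.line, "dangling-interface", f"{r.path}: interface={ref} is not defined in this export"))
        if r.path == "/ip route" and gw and not IPV4_RE.match(gw) and gw not in p2p:
            out.append((r.line, "interface-gateway", f"gateway={gw} is an interface; use the ISP next-hop address"))
        if r.cmd == "add" and r.path.startswith("/ip firewall"):
            key = (r.path, tuple(sorted((k, v or "") for k, v in r.args.items() if k != "comment")))
            if key in seen:
                out.append((r.line, "duplicate-rule", f"{r.path}: same as the rule at line {seen[key]}"))
            seen.setdefault(key, r.line)
    return sorted(out)

# Constructed excerpt in the shape of the export posted in this thread (not the real config).
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip firewall filter
add action=accept chain=input comment=WINBOX dst-port=8291 protocol=tcp
add action=accept chain=input comment=\\
    "defconf: accept established,related,untracked" connection-state=\\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade hotspot network" \\
    src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \\
    src-address=192.168.88.0/24
/ip route
add distance=1 gateway=ether1
"""

if __name__ == "__main__":
    for line, code, message in lint(SAMPLE_EXPORT):
        print(f"line {line:>2}  {code:<18} {message}")
```

Run it against the output of `/export` saved to a file (`lint(open("export.rsc").read())`); on the constructed sample it reports the WinBox accept at the top of the input chain, the stale pppoe-out1 list member, the duplicated masquerade and the interface gateway. Adding `in-interface-list=LAN` to the accept, or moving it below the drop-not-from-LAN rule, clears the first finding, which is exactly the ordering point anav makes in item C.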
