Emeline
just joined
Topic Author
Posts: 5
Joined: Tue Dec 06, 2022 8:12 pm

Need Help on Setting RB450Gx4

Thu Dec 08, 2022 8:24 am

Hi everyone, I'm new to configuring MikroTik, and would like your assistance with the issue below:

Current Config
  • Interface:
    ether1 : for Internet WAN with PPPoE
    ether2: for Static IP P2P
    ether 3: for LAN with DHCP Server
  • Address List:
    ether1: Address 192.168.1.2/24, Network: 192.168.1.0
    ether2: Address 192.168.2.2/24, Network: 192.168.2.0
    ether3: Address 192.168.0.1/24, Network: 192.168.0.0
  • PPPoE:
    Type: PPPoE Client
    Interface: ether1
  • Switch connected to Ether3 assigned Static IP via ARP 192.168.0.2
  • DHCP Server:
    Interface: ether3
    DHCP Address Space: 192.168.0.0/24
    DHCP Gateway: 192.168.0.1
    Address to Give Out 192.168.0.2-254
    Address pool: dhcp_pool0
  • Firewall > NAT:
    Chain: srcnat
    Action: masquerade


The issue that I currently have:
  • My laptop is able to get IP 192.168.0.250/24 with gateway 192.168.0.1, and I'm able to ping the switch 192.168.0.2 and can even connect WinBox to the MikroTik via the switch, but I'm unable to ping the MikroTik at 192.168.0.1
  • I need routing so that users are able to use the Internet from ether1 and P2P access from ether2

Can someone point out where I went wrong and help me fix the issue?

Thank you
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Help on Setting RB450Gx4

Thu Dec 08, 2022 5:53 pm

Pointing out mistakes in what you did works better when we can see it, the real thing with everything that can influence it. See Step2 in viewtopic.php?t=182601
 
Emeline
just joined
Topic Author
Posts: 5
Joined: Tue Dec 06, 2022 8:12 pm

Re: Need Help on Setting RB450Gx4

Thu Dec 08, 2022 6:20 pm

Sorry about that. I'm literally new to configuring MikroTik, so I didn't know how to do that. I have resolved the inability to ping the MikroTik from the laptop by enabling ARP on the interface. The issue I have now is the routing, so that the LAN can use both the Internet connection on ether1 and the P2P connection on ether2. Here's the current config:
# jan/02/1970 00:11:09 by RouterOS 6.48.6
# software id = 3IIS-MXAZ
#
# model = RB450Gx4
# serial number = HCM085Q6TZG
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full \
    name=ether1-wan
set [ find default-name=ether2 ] advertise=10M-full,100M-full,1000M-full \
    name=ether2-p2p
set [ find default-name=ether3 ] advertise=10M-full,100M-full,1000M-full \
    name=ether3-lan
set [ find default-name=ether5 ] advertise=10M-full,100M-full,1000M-full arp=\
    disabled name=ether5-remote
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-1 \
    service-name=pppoe-1-broadband user=xxxxxx
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 bootp-lease-time=lease-time bootp-support=dynamic \
    disabled=no interface=ether3-lan lease-time=5d name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=all
/ip address
add address=192.168.2.2/24 interface=ether2-p2p network=192.168.2.0
add address=192.168.0.1/24 interface=ether3-lan network=192.168.0.0
add address=192.168.13.1 interface=ether5-remote network=192.168.13.0
add address=192.168.1.2/24 interface=ether1-wan network=192.168.1.0
/ip arp
add address=192.168.0.2 comment=Switch interface=ether3-lan mac-address=\
    28:87:BA:55:64:5B
add address=192.168.0.254 interface=ether3-lan mac-address=D8:D0:90:18:45:F8
/ip dhcp-client
add disabled=no interface=ether5-remote
add disabled=no interface=ether1-wan
add disabled=no interface=ether3-lan
add disabled=no interface=ether2-p2p
/ip dhcp-server lease
add address=192.168.0.2 always-broadcast=yes client-id=Switch mac-address=\
    28:87:BA:55:64:5B
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,1.1.1.1,1.0.0.1 gateway=\
    192.168.0.1
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=lan-user
add address=192.168.1.0/24 list=pppoe
add address=192.168.2.0/24 list=p2p
/ip firewall nat
add action=masquerade chain=srcnat
/ip hotspot ip-binding
add address=192.168.0.2 mac-address=28:87:BA:55:64:5B to-address=192.168.0.2
/system identity
set name=RouterOS
/system routerboard settings
set silent-boot=yes
Could you have a look and tell me what I should add?

Thank you
Last edited by BartoszP on Thu Dec 08, 2022 7:27 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Help on Setting RB450Gx4

Thu Dec 08, 2022 8:48 pm

There's some weird stuff like DHCP clients on all interfaces (why?), but there's no firewall or anything else that would block access between interfaces. If ether2-p2p is connected to another network where devices have default gateway other than this router, that could be a problem if there's no route to your subnet (on those devices or their router), but you fixed that with your unconditional masquerade rule, so any connection from 192.168.0.x to 192.168.2.y will look like it's from 192.168.2.2 and target device knows where to find that.
 
Emeline
just joined
Topic Author
Posts: 5
Joined: Tue Dec 06, 2022 8:12 pm

Re: Need Help on Setting RB450Gx4

Fri Dec 09, 2022 9:01 am

There's some weird stuff like DHCP clients on all interfaces (why?),

Those are some leftover configs that haven't been removed yet

If ether2-p2p is connected to another network where devices have default gateway other than this router, that could be a problem if there's no route to your subnet (on those devices or their router),

ether2-p2p is connected to another router that has a P2P link to the data center, which requires routing from the LAN to 192.168.2.1


The topology should be like this:
[topology diagram image, not included]


My current config is like this:
# dec/09/2022 00:33:52 by RouterOS 6.48.6
# software id = 3IIS-MXAZ
#
# model = RB450Gx4
# serial number = HCM085Q6TZG
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full \
    name=ether1-wan
set [ find default-name=ether2 ] advertise=10M-full,100M-full,1000M-full \
    loop-protect=on name=ether2-p2p rx-flow-control=on tx-flow-control=\
    on
set [ find default-name=ether3 ] advertise=10M-full,100M-full,1000M-full \
    name=ether3-lan
set [ find default-name=ether5 ] advertise=10M-full,100M-full,1000M-full arp=\
    disabled name=ether5-remote
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-p2p \
    service-name=telco-broadband user=xxxxxxxx
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 bootp-lease-time=lease-time bootp-support=dynamic \
    disabled=no interface=ether3-lan lease-time=6d name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=all
/ip address
add address=192.168.2.2/24 interface=ether2-p2p network=192.168.2.0
add address=192.168.0.1/24 interface=ether3-lan network=192.168.0.0
add address=192.168.13.1 interface=ether5-remote network=192.168.13.0
add address=192.168.1.2/24 interface=ether1-wan network=192.168.1.0
/ip arp
add address=192.168.0.2 comment=Switch interface=ether3-lan mac-address=\
    28:87:BA:55:64:5B
/ip dhcp-server lease
add address=192.168.0.2 always-broadcast=yes client-id=Switch mac-address=\
    28:87:BA:55:64:5B
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=lan-user
add address=192.168.1.0/24 list=wan
add address=192.168.2.0/24 list=wan
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=lan-user
add action=masquerade chain=srcnat out-interface=ether2-p2p
add action=masquerade chain=srcnat out-interface=ether1-wan
/ip route
add check-gateway=ping distance=1 dst-address=xxx.xxx.xxx.xxx/16 gateway=\
    192.168.2.1
add check-gateway=ping distance=1 dst-address=xxx.xxx.xxx.0/21 gateway=\
    192.168.2.1
add check-gateway=ping distance=1 dst-address=xxx.xxx.xxx.0/23 gateway=\
    192.168.2.1
add check-gateway=ping distance=1 dst-address=xxx.xxx.xxx.0/24 gateway=\
    192.168.2.1
add check-gateway=ping distance=1 dst-address=xxx.xxx.xxx.0/24 gateway=\
    192.168.2.1
/system clock
set time-zone-name=Asia/Jakarta
/system clock manual
set time-zone=+07:00
/system identity
set name=RouterOS
/system routerboard settings
set silent-boot=yes
  • I've added IP > Route entries for 5 subnets that will be reached through 192.168.2.1; can you check if that config is correct?
  • I connected another laptop to ether2 and set it as 192.168.2.1/24 and was able to ping 192.168.2.2, but from the MikroTik I wasn't able to ping 192.168.2.1. I've made sure ARP is enabled on the interface as well, but I still couldn't ping it
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Help on Setting RB450Gx4

Sun Dec 11, 2022 5:25 am

Routes seem ok, only if those subnets are only reachable via 192.168.2.1, you don't need check-gateway=ping, because they should point there whether it's up or not.

As for ping, if you were able to ping 192.168.2.2 from 192.168.2.1, then communication between them is clearly working. Not being able to ping in other direction is probably because laptop's firewall blocks it.

And for communication with real devices in data center, make sure that they (and everything on the way) have route to 192.168.2.2 (or to 192.168.0.0/24 if you'd remove masquerade from ether2-p2p).
 
Emeline
just joined
Topic Author
Posts: 5
Joined: Tue Dec 06, 2022 8:12 pm

Re: Need Help on Setting RB450Gx4

Mon Dec 12, 2022 5:18 am

As for ping, if you were able to ping 192.168.2.2 from 192.168.2.1, then communication between them is clearly working. Not being able to ping in other direction is probably because laptop's firewall blocks it.
Yeah, apparently it was due to the other firewall. Once I disabled it, I can ping now. How foolish of me.

Last question, I need to allow specific source and destination ports from ether3-lan to those 5 subnets via ether2-p2p. Is this config correct?
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=lan-user
add action=masquerade chain=srcnat out-interface=ether2-p2p
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=accept chain=dstnat dst-address=192.168.2.0/24 dst-port=48129-48137 protocol=udp src-port=48129-48137
add action=accept chain=dstnat dst-address=192.168.2.0/24 dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395
add action=accept chain=dstnat dst-address=192.168.2.0/24 dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/23
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/21
add action=dst-nat chain=dstnat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.0/16

or should I specify dst-address on the port settings with the subnet like this?

/ip firewall nat
add action=masquerade chain=srcnat src-address-list=lan-user
add action=masquerade chain=srcnat out-interface=ether2-p2p
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/24 
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/24

add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/24 
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/24
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/24

add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/23
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/23
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/23

add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/21
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/21
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/21

add action=dst-nat chain=dstnat dst-port=48129-48137 protocol=udp src-port=48129-48137 to-addresses=xxx.xxx.xxx.0/16
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=8194-8395 to-addresses=xxx.xxx.xxx.0/16
add action=dst-nat chain=dstnat dst-port=8194-8198,8209-8220,8290-8294 protocol=tcp src-port=48152-65535 to-addresses=xxx.xxx.xxx.0/16
Thank you
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Help on Setting RB450Gx4

Wed Dec 21, 2022 12:05 am

Sorry about the late response, the open tab got buried among other stuff.

It doesn't seem correct at all, "/ip firewall nat" is for changing sources or destinations. For blocking and allowing stuff there's "/ip firewall filter". Since you currently don't have any, you may want to get some ideas from e.g. viewtopic.php?t=180838
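To illustrate the point Sob makes, here is what the port restriction from the previous post looks like as /ip firewall filter rules instead of dstnat rules. This is an added example, not Sob's or Emeline's config; it reuses the interface names ether3-lan, ether2-p2p and pppoe-p2p and the address list lan-user from the export above, while the address list p2p-subnets and the xxx.xxx.xxx.0/nn prefixes in it are placeholders for the five data-center subnets.

```routeros
# Added example (not from the thread): forward-chain filter rules that permit
# only the required ports from ether3-lan to the data-center subnets behind
# ether2-p2p, and let the LAN reach the Internet via the PPPoE interface.
# Assumed: interface names ether3-lan, ether2-p2p, pppoe-p2p and the address
# list lan-user from the export above; the five prefixes are placeholders.
/ip firewall address-list
add list=p2p-subnets address=xxx.xxx.xxx.0/24 comment="DC prefix 1 (placeholder)"
add list=p2p-subnets address=xxx.xxx.xxx.0/24 comment="DC prefix 2 (placeholder)"
add list=p2p-subnets address=xxx.xxx.xxx.0/23 comment="DC prefix 3 (placeholder)"
add list=p2p-subnets address=xxx.xxx.xxx.0/21 comment="DC prefix 4 (placeholder)"
add list=p2p-subnets address=xxx.xxx.xxx.0/16 comment="DC prefix 5 (placeholder)"

/ip firewall filter
# Rules are evaluated top to bottom; the first matching rule decides.
add chain=forward action=accept connection-state=established,related \
    comment="replies to already accepted connections"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# srcnat is applied after forward filtering, so the original LAN source
# (192.168.0.x) is still visible here even though ether2-p2p masquerades.
add chain=forward action=accept in-interface=ether3-lan out-interface=ether2-p2p \
    src-address-list=lan-user dst-address-list=p2p-subnets \
    protocol=udp src-port=48129-48137 dst-port=48129-48137 comment="DC app UDP"
add chain=forward action=accept in-interface=ether3-lan out-interface=ether2-p2p \
    src-address-list=lan-user dst-address-list=p2p-subnets \
    protocol=tcp src-port=8194-8395 dst-port=8194-8198,8209-8220,8290-8294 \
    comment="DC app TCP, low source ports"
add chain=forward action=accept in-interface=ether3-lan out-interface=ether2-p2p \
    src-address-list=lan-user dst-address-list=p2p-subnets \
    protocol=tcp src-port=48152-65535 dst-port=8194-8198,8209-8220,8290-8294 \
    comment="DC app TCP, ephemeral source ports"
# Anything else from the LAN towards the P2P link is dropped; log while testing.
add chain=forward action=drop in-interface=ether3-lan out-interface=ether2-p2p \
    log=yes log-prefix="lan->p2p drop" comment="drop other LAN->DC"
# Internet: with add-default-route=yes the default route leaves through the
# PPPoE interface, so the out-interface to match is pppoe-p2p, not ether1-wan.
add chain=forward action=accept in-interface=ether3-lan out-interface=pppoe-p2p \
    comment="LAN to Internet"
# No new connections may be opened from the Internet or the P2P side into the LAN.
add chain=forward action=drop in-interface=pppoe-p2p comment="drop Internet->inside"
add chain=forward action=drop in-interface=ether2-p2p comment="drop P2P->inside"
```

The src-port matches mirror the ranges in Emeline's draft; if the application does not actually fix its source ports, remove them, because a rule that matches src-port silently drops clients that pick other ephemeral ports, and the log-prefix line is where that would show up.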
 
Emeline
just joined
Topic Author
Posts: 5
Joined: Tue Dec 06, 2022 8:12 pm

Re: Need Help on Setting RB450Gx4

Fri Dec 23, 2022 9:47 am

It doesn't seem correct at all, "/ip firewall nat" is for changing sources or destinations. For blocking and allowing stuff there's "/ip firewall filter". Since you currently don't have any, you may want to get some ideas from e.g. viewtopic.php?t=180838
Hi Sob, thank you for your reply. I have tried it and confirmed that the issue has been resolved now and connections are all good to the Internet and P2P. But I found another issue. I'm trying to route 4 specific IPs to other IPs like this:

User 192.168.0.54 route to 192.168.2.54, so that router 192.168.2.1 on Eth2 will read traffic from 0.54 as if from 2.54 instead of from 2.2

Any ways to do that?
