Community discussions

MikroTik App
 
icanfly
just joined
Topic Author
Posts: 3
Joined: Fri Sep 14, 2018 4:00 pm

Access modem behind Mikrotik

Fri Sep 14, 2018 4:10 pm

Greetings!

I used search and found several similar articles, however, solutions from there did not help me.
So, I have an VDSL modem (Vigor 130), being set in bridge mode and Mikrotik connected to it.

The Internet is working fine, but I cannot access Vigor 130 web interface in my setup.
And now, I am afraid, that I screwed up setup and it is not optimal/secure.
Could you, please, help me with understanding? Many thanks!

Here is the configuration:

# aug/27/2018 02:52:58 by RouterOS 6.43
# software id = XXX
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = XXX
/caps-man datapath
add client-to-client-forwarding=yes name=datapath1
/interface bridge
add admin-mac=MAC auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
ether2-master
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes default-route-distance=0 disabled=no interface=\
ether1 name=NAME password=PASSWORD use-peer-dns=yes user=\
USER
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
KEY wpa2-pre-shared-key=KEY
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
192.168.88.0
add address=192.168.1.1 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=8.8.8.8 list=GOOGLE_DNS
add address=8.8.4.4 list=GOOGLE_DNS
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=drop chain=input src-address=138.122.34.191
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input connection-type="" dst-port=53 in-interface=\
ether1 protocol=tcp src-port=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=telekom
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24 port=12345
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/24
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

 
korg
Frequent Visitor
Frequent Visitor
Posts: 90
Joined: Tue Apr 26, 2016 4:10 pm

Re: Access modem behind Mikrotik

Sat Sep 15, 2018 3:59 pm

If Vigor is having DHCP client as well, just enable DHCP-CLient on your Mikrotik and add a route to it.
 
mkx
Forum Guru
Forum Guru
Posts: 4322
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access modem behind Mikrotik  [SOLVED]

Sat Sep 15, 2018 5:01 pm

Either follow advice by @korg (run DHCP client on ether1 device, it'll also add route to subnet where Vigor is accessible) or try to find out actual IP address of Vigor's LAN address. It seems that default IP address of Vigor is 192.168.1.1 so you must set some other address on ether1 of your RB (now it's set to exactly this address), such as 192.168.1.2.
BR,
Metod
 
icanfly
just joined
Topic Author
Posts: 3
Joined: Fri Sep 14, 2018 4:00 pm

Re: Access modem behind Mikrotik

Sat Sep 15, 2018 5:15 pm

Wow, thank you @korg, @mkx

I did set a new IP address "192.168.1.2" and somehow Vigor now is being accessible from "192.168.1.1". It looks a bit hacky to me, but works!
 
mkx
Forum Guru
Forum Guru
Posts: 4322
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access modem behind Mikrotik

Sat Sep 15, 2018 5:17 pm

Nothing is hacky here. Vigor has it's address set and no other device in the same subnet (your RB included) is allowed to have exactly same address.
BR,
Metod
 
mkx
Forum Guru
Forum Guru
Posts: 4322
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access modem behind Mikrotik

Sat Sep 15, 2018 5:21 pm

Just noticed: correct setting of IP address on ether1 interface would be 192.168.1.2/24 ... without netmask things might behave slightly unpredictable.
BR,
Metod
 
icanfly
just joined
Topic Author
Posts: 3
Joined: Fri Sep 14, 2018 4:00 pm

Re: Access modem behind Mikrotik

Sat Sep 15, 2018 6:53 pm

Yes, I did set it with netmask: 192.168.1.2/24.

Thank you. :)

Who is online

Users browsing this forum: biomesh and 19 guests