gesaugen
newbie
Topic Author
Posts: 37
Joined: Mon Jun 09, 2014 4:54 pm

No internet on "home AP" default setup

Tue Dec 07, 2021 3:32 pm

Please help:
I've used quick setup on my router and set it up as "home AP" but I don't have internet.
The internet comes from optic modem which connects to the router via LAN cable which I have connected to the eth1 of the router (internet is working when connected to other non-mikrotik router)
In the quick setup page, under "internet" the "address acquisition" is set to "automatic" but everything is greyed out and nothing happens when I press "renew" or "release" buttons
Setup on the router is default + everything from Mikrotik's Securing Your Router web page
here's the screen capture of the quick setup:
Image
Here's the export of the config:
# jan/02/1970 01:20:40 by RouterOS 6.49.1
# software id = T2DJ-1FCL
#
# model = 2011UiAS-2HnD
# serial number = xxx
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no frequency=auto mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-xxx wpa2-pre-shared-key=\
    xxx
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes \
    log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set enabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
holvoetn
Forum Guru
Posts: 5413
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: No internet on "home AP" default setup

Tue Dec 07, 2021 4:05 pm

First line on your export:
Start by making sure your time settings are correct on your Mikrotik.
Easiest way to make sure it stays correct, is using NTP client but I realize you need to set it once manually.

DHCP can be problematic if time is not being used correctly.
 
anav
Forum Guru
Posts: 19116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet on "home AP" default setup

Tue Dec 07, 2021 4:33 pm

well hopefully all you did in quickset was choose the mode as you suggested.......

Observations:
1. /ip neighbor discovery-settings
set discover-interface-list=none
change to LAN

2. /tool mac-server mac-winbox
set allowed-interface-list=none
change to LAN

3. I see two things missing, IP ROUTE for the router and IP DNS settings for the router.

/ip route
add dst-address=0.0.0.0/0 gateway=IP gateway of ISP { select ISP under IP DHCP Client settings to find the gateway }

4. Your firewall rules need work.
You have some duplicates and some unnecessary and order is important as well.
Most of us like to see the chains together, much easier for reading and troubleshooting, so all input chain rules together and all forward chain rules together.
Here is an adaptation........ A bit simpler and clearer all you need.....

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 {disable if not required}
add action=accept chain=input src-address-list=allowed_to_router in-interface-list=LAN
add action=drop chain=input

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec {disable if not required}
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec {disable if not required}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow internet traffic outbound" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN {disable if not required}
add action=drop chain=forward

Done will work nicely for you!

HOWEVER....... For better SECURITY!
On the default rule set, on the input chain, all LAN folks are permitted to fully access the router whereas ONLY the admin really needs full access. The rest of the LAN users only need services for such things as DNS and perhaps NTP if you have that setup. ( Just ensure you have static IPs set under DHCP leases for the network).
In other words, you should create a firewall access list like so.
add address=IP of admin desktop list=authorized
add address=IP of admin laptop list=authorized
add address=IP of admin ipad list=authorized
add address=IP of admin smartphone list=authorized

Then the firewall rule becomes instead (of allowed_to_router).
add action=accept chain=input src-address-list=authorized in-interface-list=LAN

To ensure users have access to the router for DNS........
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp

SO...... BE CAREFUL, FIRST THING IS DISABLE THE DROP ALL RULE so you don't lock yourself out of the router.

Take this.
add action=accept chain=input src-address-list=allowed_to_router in-interface-list=LAN
add action=drop chain=input

Disable last rule.
add action=accept chain=input src-address-list=allowed_to_router in-interface-list=LAN
add action=drop chain=input disabled=yes

TO
add action=accept chain=input src-address-list=authorized in-interface-list=LAN
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input disabled=yes

Apply and you should be able to open and close winbox and gain access to the router.
Then ENABLE the drop rule in the input chain to finish the config.
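
Added example, not part of the post above and not MikroTik's own tooling: a Python audit of the duplicate and rule-order problem described in point 4, run over an abridged excerpt of the export from the first post. It flags rules that an earlier accept/drop rule in the same chain already covers; the function names are assumptions of this sketch, and it compares only identical matcher keys (it does not know that ether1 is a member of the WAN list).

```python
import shlex

# Abridged excerpt of the export from the first post (some rules omitted).
EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes \
    log-prefix=!NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
'''

NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}
TERMINATING = {"accept", "drop", "reject"}  # fasttrack-connection lets the packet continue

def parse_filter_rules(export):
    """Return [(chain, action, matchers)] from the /ip firewall filter section."""
    rules, in_filter = [], False
    for line in export.replace("\\\n", " ").splitlines():  # join "\" continuations
        if line.startswith("/"):
            in_filter = line.strip() == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            kv = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            match = {k: frozenset(v.split(",")) for k, v in kv.items() if k not in NON_MATCHERS}
            rules.append((kv["chain"], kv["action"], match))
    return rules

def shadowed(rules):
    """Indexes of rules that can never match: an earlier terminating rule in
    the same chain already catches every packet they describe."""
    dead = []
    for i, (chain, _, m) in enumerate(rules):
        for c, act, earlier in rules[:i]:
            if c == chain and act in TERMINATING and all(
                    k in m and m[k] <= v for k, v in earlier.items()):
                dead.append(i)
                break
    return dead

if __name__ == "__main__":
    for i in shadowed(parse_filter_rules(EXPORT)):
        print("never matches: filter rule index", i)
```

On this excerpt it reports the second "established,related" accept and the second ICMP accept in the input chain, both of which sit behind an earlier rule that already accepts the same traffic.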
 
gesaugen
newbie
Topic Author
Posts: 37
Joined: Mon Jun 09, 2014 4:54 pm

Re: No internet on "home AP" default setup

Wed Dec 08, 2021 11:48 pm

Thanks for advice but there's another problem: looks like the reason why I don't have Internet is because I can't get Internet when mikrotik is connected directly to optic modem. My original configuration is: optic cable goes to ISP modem (Raisecom HT803G-1GE-02) and from it lan cable goes into ISP's router which has "access data" username and password set for accessing the Internet. I've tried to change ISP's router with mikrotik and that doesn't work. I've even tried to enter those username and pass into mikrotik's pppoe setup in quick setup page but it didn't work. But if I connect mikrotik on ISP's router then I get the Internet connection.
So the problem is between optic modem (which is in bridge mode) and mikrotik.

Any idea how to make connection between optic modem and mikrotik work?
 
anav
Forum Guru
Posts: 19116
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet on "home AP" default setup

Thu Dec 09, 2021 12:04 am

Nope, the MT is not a modem but there may be work arounds??.
Read this thread perhaps for some ideas.
viewtopic.php?t=154954

Although if you have the ISP modem router in bridge mode, it may be as good as it gets......
