jdanen
just joined
Topic Author
Posts: 5
Joined: Thu Dec 09, 2021 9:10 pm

No internet access from LAN (RB2011-UiAS-2Hnd)

Thu Dec 09, 2021 9:53 pm

I've gotten my grubby hands on my first MikroTik router, and the configuration has somewhat stumped me. I've followed the first-time config procedure pretty closely, successfully created the local bridge, interface lists for WAN and LAN, got the DHCP server and client running. It seems that the outgoing connections are fine - the router gets an IP address, and can ping various servers on the web. However, while the LAN devices get their IP addresses and can reach the router, they can't get a connection to anything outside the LAN (internet or otherwise). Smells like a NAT issue, but I do have this as my only NAT rule, and as far as I understand, that's all that should be there for basic functionality:
 0    chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
To make matters more clear, this router is connected to the combo modem-router-AP device given out by the ISP. That combo device does DHCP of its own, and lives at 192.168.1.1 in its own network. (I'm aware it would be better practice to disable every smart bit on the ISP's router and let the RB2011 handle DHCP and everything else, but due to reasons outside the scope of this topic, I can't do that quite yet). The RB2011 is intended to have a LAN (wired+wireless) of its own, and live at 192.168.2.2 in that LAN.

Excuse me if I am typing nonsense, all of my previous networking experience comes from torturing an old consumer router with OpenWrt, and that was a plug-and-play experience compared to this.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: No internet access from LAN (RB2011-UiAS-2Hnd)

Fri Dec 10, 2021 6:40 pm

Could you please POST your Config,
so we can better understand how your device is configured?
(/export hide-sensitive file=anynameyouwish)

Thanks!
 
jdanen
just joined
Topic Author
Posts: 5
Joined: Thu Dec 09, 2021 9:10 pm

Re: No internet access from LAN (RB2011-UiAS-2Hnd)

Sat Dec 11, 2021 5:28 pm

> Could you please POST your Config,
> so we can better understand how your device is configured?
> (/export hide-sensitive file=anynameyouwish)
>
> Thanks!

No problem:
# dec/11/2021 17:17:39 by RouterOS 6.48.4
# software id = FIEP-NH1Q
#
# model = 2011UiAS-2HnD
# serial number = [REMOVED]
/interface bridge
add name=bridj
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=latvia disabled=no frequency=auto mode=ap-bridge ssid=\
    WhyTest
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=lan_pool ranges=192.168.0.255-192.168.2.3
/ip dhcp-server
add address-pool=lan_pool disabled=no interface=bridj name=lan_dhcp
/interface bridge port
add bridge=bridj interface=ether2
add bridge=bridj interface=ether3
add bridge=bridj interface=ether4
add bridge=bridj interface=ether5
add bridge=bridj interface=ether6
add bridge=bridj interface=ether7
add bridge=bridj interface=ether8
add bridge=bridj interface=ether9
add bridge=bridj interface=ether10
add bridge=bridj interface=wlan1
/interface list member
add interface=bridj list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.2.2/24 interface=bridj network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set servers=1.0.0.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=StarryNight
/system ntp client
set enabled=yes server-dns-names=lv.pool.ntp.org
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The (mis)spelling of "bridge" as "bridj" is intentional. Stupid, but intentional.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: No internet access from LAN (RB2011-UiAS-2Hnd)

Sat Dec 11, 2021 7:33 pm

You are handing out a gateway of 192.168.2.1 (under /ip dhcp-server network) but the MikroTik is at 192.168.2.2 (under /ip address).

Also the pool definition isn't valid for the subnet 192.168.2.0/24, the largest valid range would be 192.168.2.3-192.168.2.254, although that could be reduced if you wish to accommodate some static addresses.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet access from LAN (RB2011-UiAS-2Hnd)  [SOLVED]

Sat Dec 11, 2021 7:37 pm

Recommend upgrading firmware to at least latest 6.49 stable version.

(1) Don't get too cute!!
/ip address
add address=192.168.2.2/24 interface=bridj network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
/ip pool
add name=lan_pool ranges=192.168.0.255-192.168.2.3

Should be something like
/ip pool
add name=lan_pool ranges=192.168.2.3-192.168.2.250
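
The two mismatches pointed out in the replies above (a DHCP gateway the router does not own, and a pool range that does not fit the LAN subnet) can be caught by linting the export before applying it. This is an added example, not part of the original posts or of RouterOS; `parse_export` and `lint_dhcp` are hypothetical names, the sample is constructed from the export in the thread, and the check assumes the router itself is the LAN's default gateway and that pools should avoid the router, network and broadcast addresses.

```python
import ipaddress
import re

# Constructed sample: the three relevant sections of the export posted above.
EXPORT = """\
/ip pool
add name=lan_pool ranges=192.168.0.255-192.168.2.3
/ip address
add address=192.168.2.2/24 interface=bridj network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, current = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join '\' continuations
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def lint_dhcp(text):
    """Flag DHCP gateways the router does not own and pools outside its subnets."""
    cfg, findings = parse_export(text), []
    ifaces = [ipaddress.ip_interface(a["address"]) for a in cfg.get("/ip address", [])]
    for net in cfg.get("/ip dhcp-server network", []):
        # Assumption: this router is the LAN's default gateway, as in the thread.
        if "gateway" in net and not any(str(i.ip) == net["gateway"] for i in ifaces):
            findings.append(f"gateway {net['gateway']} is not an address on this router")
    for pool in cfg.get("/ip pool", []):
        for rng in pool["ranges"].split(","):
            ends = [ipaddress.ip_address(x) for x in rng.split("-")]
            lo, hi = ends[0], ends[-1]
            home = [i for i in ifaces if lo in i.network and hi in i.network]
            if lo > hi or not home:
                findings.append(f"pool {pool['name']} range {rng} is not inside one connected subnet")
            elif any(lo <= x <= hi for i in home
                     for x in (i.ip, i.network.network_address, i.network.broadcast_address)):
                findings.append(f"pool {pool['name']} range {rng} covers a router, network or broadcast address")
    return findings

if __name__ == "__main__":
    for finding in lint_dhcp(EXPORT):
        print(finding)
```
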
 
jdanen
just joined
Topic Author
Posts: 5
Joined: Thu Dec 09, 2021 9:10 pm

Re: No internet access from LAN (RB2011-UiAS-2Hnd)

Sat Dec 11, 2021 9:56 pm

Thanks, correcting the address pool and gateway address worked.
