Can't ping the Internet through new MikroTik router [SOLVED]

ckewinjones · Sat Jun 17, 2023 8:57 pm

I am replacing a hEX Ethernet router (RB750Gr3) with a new RB5009UG+S+IN, and I am having some trouble configuring the RB5009.

Here is a (simplified) network diagram of my existing network:

The upgrade to the network is simply to replace the existing hEX with the new RB5009. Everything else remains the same.

To get the RB5009 configured and working, I have disconnected the hEX from the cable modem and connected the RB5009 in its place. The only device connected to the RB5009 is my laptop. I have followed the instructions in the Wiki for https://help.mikrotik.com/docs/display/ ... figuration up through "Verify Connectivity" (but also including setting the basic firewall rules under "IP Connectivity Access").

Here is what works:

The RB5009 is able to get an address by DHCP from the cable modem

The laptop is able to get an IP address by DHCP from the RB5009

I can ping Google's name server ('8.8.8.8') by IP address from the RB5009 (i.e. from the RouterOS command line)

I can ping google.com by name from the RB5009

Here is what doesn't work:

I can't ping Google's name server by IP address from my laptop

I can't ping google.com (or any other host) by name from my laptop

In short, it looks like the router isn't routing traffic from my laptop on the local network to the Internet.

Here is the configuration on the RB5009 as it is now:

# jun/17/2023 10:01:05 by RouterOS 7.8
# software id = CIAZ-SUFT
#
# model = RB5009UG+S+
# serial number = HEE08K82CQV
/interface bridge
add name=local
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=local name=dhcp2
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
add bridge=local interface=ether6
add bridge=local interface=ether7
add bridge=local interface=ether8
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 \
port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 \
protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
ether1
/system clock
set time-zone-name=America/New_York

I've attached the RB5009 config file, and also the config file for the existing hEX (which is working fine).

If anyone can see what is wrong with my RB5009 configuration, or has any suggestions how I can troubleshoot this, I should be much obliged.

drasked · Sun Jun 18, 2023 1:12 pm

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

And it looks like the dhcp client on eth1 is disabled

Maybe close all those services from the internet (winbox, ssh) and use vpn for remote management or at least some whitelisting.

McGremlin · Sun Jun 18, 2023 2:48 pm

Hi.
I am not sure why you have 2 DHCP pools there.
If the section after "Here is the configuration on the RB5009 as it is now:" is the whole config (I'm unable to chech rsc files at the moment), you don't have any NAT rule, you need to masquerade in srcnat chain with out.interface ether1.
You need to add a static route 0.0.0.0/0 with gateway ether1 - I'm confused, because without it you shouldn't be able to ping anything outside your LAN network, even from router itself, perhaps it dynamicly is added from DHCP-client.
Not sure about this, but probably you will need a firewall accept rule in forward chain, src.address 192.168.88.0/24 out.interface ether1 somewhere above the "drop everything else" rule.

ckewinjones · Sun Jun 18, 2023 5:35 pm

Thanks very much for your reply. With your help, my new RB5009 is now working.

The key was "you don't have any NAT rule, you need to masquerade in srcnat chain with out.interface ether1." That is, of course, covered in the First Time Configuration wiki article, but evidently I didn't read carefully enough and I missed it. Once I added this, everything is working.

Briefly responding to your other points:

There are two DHCP pools because I wanted to change the pool size and I ended up creating a new pool rather than editing the existing one (not sure why). The original pool isn't referenced anywhere so I imagine there is no harm done.
Static route 0.0.0.0/0 on ether1 is indeed defined dynamically by DHCP.
I don't have any rules defined in the forward chain. Everything is working without it, but that does not mean that it is not necessary or advisable. I need to educate myself about what this means and how it works, then I will set it up. There is a wiki article on Building Your First Firewall; I'll start there.

Once again, thanks for your good advice.

ilfavi · Fri Sep 13, 2024 8:23 pm

wrong thread, sorry

Can't ping the Internet through new MikroTik router [SOLVED]

Can't ping the Internet through new MikroTik router [SOLVED]

Re: Can't ping the Internet through new MikroTik router

Re: Can't ping the Internet through new MikroTik router

Re: Can't ping the Internet through new MikroTik router

Re: Can't ping the Internet through new MikroTik router [SOLVED]