chent (Topic Author), joined Sat Sep 09, 2023 10:56 pm

New to Mikrotik, RB5009UG+S+ questions

Sat Sep 09, 2023 11:49 pm

Good day,

I've recently received an RB5009UG+S+ to sit in front of a few servers in a colo environment. We have a handful of public IPs delivered via a single ethernet port, and I'd like to configure the RB to handle those via its WAN port and forward various services to the servers on the LAN. Pretty basic stuff.

To evaluate and test things out, here's what I have done (a few times now ;) :

- Use 'Quick Set' to simply set the mode as 'router' and enter a static IP address for the WAN, and slightly modify the DHCP parameters
- Did the same without using Quick Set in order to determine what the default config looks like and what changes Quick Set makes
- Created a couple of NAT rules to forward HTTP/S services from a specific public IP to one of the servers on the LAN - no issues
- Set up wireguard for remote access / administration - no issues, works well

Now here is where I'm running into some issues. I've added another server port to the LAN of the Mikrotik for further testing. However, I can't seem to access the Internet on that interface.
I've tried curling or pinging certain external services with no success. To ensure this isn't a problem on the server side, from the Mikrotik terminal I can ping out to various hosts such as 1.1.1.1 without issue. From the webfig Tools menu, I can ping the same addresses via ether1 with no issue. When I try to change the interface to either bridge or the specific LAN ether port the server interface is connected to, there is no response to the ping, same as on the server.
I've gone through many of the tutorials and config guides, and I can't seem to narrow down what the issue might be.

Here's the config, you may note a couple of disabled rules I was using for testing. I have the same results with those rules enabled:

# 2023-09-09 16:41:13 by RouterOS 7.11.2
# software id = 
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.48.10-192.168.48.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 persistent-keepalive=25s public-key="yMrEkxIyumbwfSDu8SdCRHn7Z3LsJCnlhKW1tVbrcFE="
/ip address
add address=192.168.48.1/24 comment=defconf interface=bridge network=192.168.48.0
add address=x.x.x.x/x interface=ether1 network=x.x.x.x
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=x.x.x.x/x interface=ether1 network=x.x.x.x
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.48.0/24 comment=defconf dns-server=192.168.48.1 gateway=192.168.48.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.48.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow wireguard traffic" disabled=yes src-address=192.168.100.0/24
add action=accept chain=input comment="allow wireguard" dst-port=13231 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=yes in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" disabled=yes in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=80,443 protocol=tcp to-addresses=192.168.48.254
add action=src-nat chain=srcnat out-interface-list=WAN src-address=192.168.48.254 to-addresses=x.x.x.x
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=mikrotik
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Any assistance or a sanity check would be much appreciated :)
Last edited by tangent on Sun Sep 10, 2023 1:13 am, edited 1 time in total.
Reason: elided PII
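As an added example (not part of the post above, and not a diagnosis of it), these are the RouterOS 7 checks I would run against the posted config to find where a LAN-to-WAN path stops, in the order a packet takes them. Assumed: the defconf layout from the post (bridge 192.168.48.1/24, ether1 in the WAN list, the "allow internet traffic" rule present) and a test server at 192.168.48.254; 1.1.1.1 stands in for any reachable external host. One point worth knowing before reading the ping results in the post: /ping interface= sends the probe out of that interface rather than via the routing table, so a ping to a public address "via bridge" is not the same test as a ping from a LAN host, whereas /ping src-address= follows the routing table and srcnat exactly as a LAN host's packet would.

```routeros
# Added example, not from the post. Assumed: defconf layout from the first post,
# test server at 192.168.48.254, 1.1.1.1 as a reachable external host.

# 1. L2/DHCP: did the server get a lease, and is its MAC learned on the port you expect?
/ip dhcp-server lease print detail where server=defconf
/interface bridge host print

# 2. Routing: is there a default route via ether1 at all?
/ip route print where dst-address=0.0.0.0/0

# 3. Router-originated test that takes the LAN host's path (route table + srcnat),
#    unlike interface=bridge, which pins the probe to the bridge itself
/ping 1.1.1.1 src-address=192.168.48.1 count=3

# 4. Firewall: make the LAN->WAN accept rule explicit so its counter shows whether
#    new connections from the server reach the forward chain, then zero all counters,
#    run the curl/ping on the server, and read the counters
/ip firewall filter enable [ find comment="allow internet traffic" ]
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=forward

# 5. Conntrack/NAT: is a connection created for the server, and does the
#    masquerade (or the src-nat for .254) count hits?
/ip firewall connection print where src-address~"^192.168.48.254"
/ip firewall nat print stats where chain=srcnat

# 6. Wire: do the server's packets leave ether1, and does anything come back?
#    (run this while the server pings 1.1.1.1; stop with Ctrl-C)
/tool sniffer quick interface=ether1 ip-protocol=icmp
```

Reading the results: a counter that stays at zero on the "allow internet traffic" rule while step 1 shows a valid lease points at the bridge or the server, a rising counter with no entry in step 5 points at conntrack or NAT, and packets seen leaving in step 6 with no replies point upstream of the router (for example the colo side not knowing the second public address).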
 
IlKa, joined Sun Jan 03, 2021 11:42 pm

Re: New to Mikrotik, RB5009UG+S+ questions

Sun Sep 10, 2023 2:15 am

Hello.

From what I see, you created one big bridge for all servers and started DHCP there. Did your server get an address from DHCP?
Can it ping router `192.168.48.1`?
If yes, try to disable all IPs except one on `ether1` and check again.
"When I try to change the interface to either bridge or the specific LAN ether port the server interface is connected to, there is no response to the ping, same as on the server."
What do you mean? Are you talking about ping `src`? Please, provide command you use.

Putting all servers in one bridge is only good if you have huge traffic between them. Otherwise I suggest putting each server into a separate network and filtering traffic between them. So if one of your servers gets hacked, the hacker wouldn't be able to go to another server from it. Network segregation is a thing!

And do you really want to have DHCP for your servers? Random changes of a server's IP address are probably not good (but you can always bind an IP to a MAC address, of course).

I have a similar config, but my servers are Hyper-V, so each VPS has its own VLAN ID (as well as the servers themselves) and MikroTik routes/filters data between them.

Some VPSs have a public IP. Actually, they have a local IP from RFC 1918, but MikroTik does full cone NAT between the public IP and a certain private IP.
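As an added example (not IlKa's config and not from the thread), this is one way to lay out what the reply suggests on top of the poster's defconf base in RouterOS 7: a VLAN-aware bridge with one VLAN per server port, the servers in their own interface list rather than LAN (the defconf input chain accepts anything from LAN, which would hand a compromised server the router's Winbox/SSH/API), a forward chain that drops server-to-server traffic and ends in an explicit drop, and 1:1 NAT for one published server. VLAN IDs 10 and 20, ether2/ether3 as the server ports, the 10.10.x.0/24 subnets, the server address 10.10.10.10 and the public address 203.0.113.10 (assumed to already be configured on ether1, as the x.x.x.x addresses are in the post) are assumptions. Two ordering points a practitioner will want: the input accepts must be placed before the defconf "drop all not coming from LAN" rule or they are never reached, and a per-host src-nat must be placed before the catch-all masquerade, because srcnat is first match wins.

```routeros
# Added example, not from the thread. Assumed: defconf layout from the first post,
# servers on ether2 (VLAN 10, 10.10.10.0/24) and ether3 (VLAN 20, 10.10.20.0/24),
# public address 203.0.113.10 already configured on ether1. RouterOS 7 syntax.

# 1. One L3 VLAN interface per server segment, on top of the bridge
/interface vlan
add name=vlan10-srv1 vlan-id=10 interface=bridge
add name=vlan20-srv2 vlan-id=20 interface=bridge

# 2. Access ports: untagged frames on ether2 land in VLAN 10, on ether3 in VLAN 20;
#    frame-types + ingress-filtering reject tagged frames a server might send to hop VLANs
/interface bridge port
set [ find interface=ether2 ] pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=ether3 ] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether3
# Turn filtering on last, once every VLAN has its table entry; doing it earlier
# can cut off your own management path through the bridge
/interface bridge
set [ find name=bridge ] vlan-filtering=yes

# 3. Router address in each segment; the servers use static addresses here
/ip address
add address=10.10.10.1/24 interface=vlan10-srv1
add address=10.10.20.1/24 interface=vlan20-srv2

# 4. Servers get their own list, NOT LAN: the defconf input chain accepts
#    everything from LAN, so LAN membership equals router management access
/interface list
add name=SERVERS
/interface list member
add interface=vlan10-srv1 list=SERVERS
add interface=vlan20-srv2 list=SERVERS

# 5. Input: servers may use the router's DNS forwarder and nothing else.
#    place-before puts these ahead of the defconf "drop all not coming from LAN" rule
/ip firewall filter
add chain=input action=accept in-interface-list=SERVERS protocol=udp dst-port=53 \
    comment="servers: DNS" place-before=[ find comment="defconf: drop all not coming from LAN" ]
add chain=input action=accept in-interface-list=SERVERS protocol=tcp dst-port=53 \
    comment="servers: DNS tcp" place-before=[ find comment="defconf: drop all not coming from LAN" ]

# 6. Forward: appended after the defconf rules, so established/related, invalid
#    and "drop all from WAN not DSTNATed" have already been evaluated
add chain=forward action=drop in-interface-list=SERVERS out-interface-list=SERVERS \
    comment="servers: no traffic between server segments"
add chain=forward action=accept in-interface-list=SERVERS out-interface-list=WAN \
    comment="servers: outbound internet"
add chain=forward action=accept in-interface-list=WAN out-interface-list=SERVERS \
    connection-nat-state=dstnat comment="servers: only published (dst-nat) services from WAN"
add chain=forward action=accept in-interface-list=LAN out-interface-list=SERVERS \
    comment="admin from LAN/WireGuard to servers"
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN \
    comment="between LAN members (WireGuard to bridge hosts)"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN to internet"
add chain=forward action=drop comment="forward: drop everything not listed above"

# 7. 1:1 NAT for srv1: only 80/443 inbound from WAN, fixed public source outbound.
#    The src-nat must sit BEFORE the catch-all masquerade (srcnat is first match wins)
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN dst-address=203.0.113.10 \
    protocol=tcp dst-port=80,443 to-addresses=10.10.10.10 comment="srv1: web in"
add chain=srcnat action=src-nat src-address=10.10.10.10 out-interface-list=WAN \
    to-addresses=203.0.113.10 comment="srv1: fixed public source" \
    place-before=[ find comment="defconf: masquerade" ]
```

If you prefer to keep DHCP on a server VLAN, add a DHCP server on that VLAN interface and pin each server's address with /ip dhcp-server lease make-static on its lease, which is the bind-IP-to-MAC approach the reply mentions; the firewall rules above do not change. The explicit final forward drop is what makes the segmentation hold: without it, any traffic not matched by an earlier rule is accepted by the chain's default policy, which is how the original config currently lets LAN reach WAN.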