Community discussions

MikroTik App
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 2:38 pm

eth1 - lte passthrough to eth1. Eth2 - on bridge. Bridge connected to LAN and get IP from LAN DHCP.
Problem: no internet on MikroTik SXTR device. I need it for updates, ntp, etc...
Question: how to configure Mikrotik to connect to LAN and get internet from LAN router?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 2:54 pm

Short answer: Set a default route to 0.0.0.0/0 with gateway LAN and distance lower than what you got now for LTE.
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 3:15 pm

Already done, but internet not working. I don't know how to set distance for other routes.
You do not have the required permissions to view the files attached to this post.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 3:23 pm

What is the LTE connection being used for ?

Can you post full config (minus serial, minus public WAN IP, passwds, ...) ?
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 4:32 pm

/interface bridge
add admin-mac=78:9A:18:91:59:CC auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" network-mode=lte \
    sms-read=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet passthrough-interface=ether1 \
    passthrough-mac=00:00:00:00:00:00 passthrough-subnet-size=24 \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m \
    name=defconf
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.1.3/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.3 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
It's invalid:
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
192.168.1.3 netmask=24

Gateway and DNS server on LAN is 192.168.1.1
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 4:42 pm

I am not getting it.

You got an SXT with LTE, it acts as DHCP server for the LAN network after it ?
Then what else is connected to LAN to have internet ?

From what I see:
- both ether ports are connected to bridge (though ether 1 is disabled ? Why ?)
- lte1 is labeled as WAN (logical)
- dhcp server is connected to bridge, using 192.168.88.0/24 subnet. But there is no 192.168.88.x address assigned to bridge ?

You have an ADDITIONAL address 192.168.1.3/24 connected on bridge. Why ? Where does subnet 192.168.1.0 come from ? Connected to which port ?
You also have a DHCP client on that same bridge acting as DHCP server ? Why ? Doesn't make sense to do it that way. Where should it get an address from ?

There are obviously parts which you have not told us yet.
Maybe also a small drawing of your complete network ? Paper is ok.
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 5:01 pm

OK.. i will try to to explain my network :)
Main router Draytek vigor with dual wan, DHCP and etc... In this router wan1 - VDSL, wan2 - SXT. Both working on load balancing mode.
So... about SXT. Few days ago I bought SXT, put sim card, turn eth1 to DrayTek router WAN2 port, disabled eth1 on bridge and passthrough lte1 to eth1. Disabled DHCP, changed IP to 192.168.1.3 (in main page of SXT, old one was 192.168.188.1).
Main router (Draytek vigor) wan2 port gets IP from LTE operator and internet is working. But no internet on SXT device.
eth2 of SXT I connected to Draytek vigor router LAN port. And I want to share internet to SXT from main router (Draytek Vigor).

My network with main router (Draytek) is 192.168.1.0/24.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 5:23 pm

OK, no drawing but I get the picture :lol:

So basically your SXT is also dual-WAN now.
Once via LTE, which it passes on via ether1.
Once via ether2 which is connected to LAN of your Draytek.

What I would do:
- remove ether1 from bridge since it's passthrough with lte1 and it has no further business on that device
- remove dhcp server from bridge (no function, also remove pool and network)
- remove manually assigned IP address from bridge
- DHCP client on bridge should now get a lease from Draytek LAN, it will also dynamically create route towards Draytek.

What you should end up with:
- ether1 passthrough from LTE towards Draytek
- bridge getting IP lease from Draytek in LAN range via ether2 and providing internet services to SXT device via LAN

Personally I would also remove bridge and set DHCP client on ether2 but that's maybe a bit too far.

Question: Why do you use pass-through ?
If you use SXT in default config, it should get internet from its LTE link saving you one connection.
Draytek then needs to get a lease on 1 port which is connecting to SXT and then your Dual WAN is back in place.
You will always be able to connect to it from your LAN (provided your firewall is setup properly).
Ideally you might also configure things in such a way that local SXT traffic should use Draytek for internet instead of LTE.
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 5:44 pm

Question: Why do you use pass-through ?
In my mind pass-through is better than few routes (LTE operator external IP > LTE operator CGNAT address > SXT > Draytek > LAN. With pass-through I eliminate SXT and my Draytek wan2 port gets LTE operator CGNAT address, not DHCP adress from SXT).
- remove dhcp server from bridge (no function, also remove pool and network
- no own dhcp on bridge. DHCP client only, DHCP server on Draytek.
- remove manually assigned IP address from bridge
- not manually assigned IP to bridge. IP it gets from DHCP (192.168.1.7)
I assigned manually IP (192.168.1.3) on "Quick Set" (maybe to eth2 ? no option to leave empty).
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 5:49 pm

- remove dhcp server from bridge (no function, also remove pool and network
- no own dhcp on bridge. DHCP client only, DHCP server on Draytek.
It's disabled but it is there. If it's not used, get rid of it. Only adds confusion later on.
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m \
    name=defconf

/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24
- remove manually assigned IP address from bridge
- not manually assigned IP to bridge. IP it gets from DHCP (192.168.1.7)
I assigned manually IP (192.168.1.3) on "Quick Set" (maybe to eth2 ? no option to leave empty).
What's this then ?
/ip address
add address=192.168.1.3/24 comment=defconf interface=bridge network=\
    192.168.1.0
After default config, you can use Quickset once. Don't use it again afterwards since you will not know for certain what it changes and what not.

If you go to terminal, what does /ip route print show ?
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 5:57 pm

OK... DHCP removed from bridge.
[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS      GATEWAY      DISTANCE
DAd  0.0.0.0/0        192.168.1.1         1
DAc  100.81.243.0/24  ether1              0
DAc+ 192.168.1.0/24   bridge              0
DAc+ 192.168.1.0/24   bridge              0
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:04 pm

Looks like you got a default route to Draytek there.
If you now use on terminal a ping to whatever site, does it work or not ?
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:10 pm

Removed 192.168.1.3 IP
[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY      DISTANCE
DAd 0.0.0.0/0        192.168.1.1         1
DAc 100.81.243.0/24  ether1              0
DAc 192.168.1.0/24   bridge              0
Found problem... DNS :) IP ping - OK, domain - not. :) how to fix?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:16 pm

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
I would remove this.
You can set in DHCP client to use peer DNS, which usually is better since all DNS requests will then be handled by the same device.
AdGuard, PiHole, ... are other options then to sink ad-spam. Unless already foreseen on Draytek ?
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:26 pm

DHCP client config
You do not have the required permissions to view the files attached to this post.
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:28 pm

Internet not working.
You do not have the required permissions to view the files attached to this post.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:30 pm

Do you still have that DNS setting manually ?

Can you show /ip export please ?
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:35 pm

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24
/ip dns
set allow-remote-requests=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:42 pm

Please remove these parts.
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24
This one change yes to no
/ip dns
set allow-remote-requests=yes
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:44 pm

How to remove in terminal? :) Web interface doesn't show these settings.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:46 pm

/ip pool remove default

/ip dhcp-server network remove 0 (if it's the only one it should work)
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:48 pm

[admin@MikroTik] > /ip pool remove default
[admin@MikroTik] > /ip dhcp-server remove 0
failure: can't remove dynamic object
[admin@MikroTik] > /ip export              
# 1970-01-02 02:51:37 by RouterOS 7.13.5
# software id = NU11-ZF6U
#
# model = SXTR
# serial number = xxxx
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.3 gateway=\
    192.168.1.3 netmask=24
/ip dns
set allow-remote-requests=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:51 pm

You missed my edit :?
/ip dhcp-server network remove 0

And dns is still set to allow remote requests.
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 6:57 pm

Sorry... :)
[admin@MikroTik] > /ip export
# 1970-01-02 02:58:30 by RouterOS 7.13.5
# software id = NU11-ZF6U
#
# model = SXTR
# serial number = xxxx
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip dhcp-client
add interface=bridge
/ip dns
set allow-remote-requests=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 7:19 pm

Unchecked Allow Remote Requests
[admin@MikroTik] > /ip export                           
# 1970-01-02 03:19:58 by RouterOS 7.13.5
# software id = NU11-ZF6U
#
# model = SXTR
# serial number = xxx
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip dhcp-client
add interface=bridge
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
[admin@MikroTik] > 
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 8:03 pm

Can you make sure date/time is more or less correct ?
Ip cloud is easiest, ntp client is better.

Then reboot sxt and see where we are.
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 8:25 pm

No working DNS - no connections to NTP servers = wrong date and time.
Entered ntp servers (IP only). Now date and time is correct. And no changes after reboot. DNS not working. :(
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 9:20 pm

Seems no reply from DNS.

Logs from main router, when DNS working (other pc on lan):
2024-03-01 21:14:42	 Local User (MAC=B2-43-33-B9-D8-D9): 192.168.1.8:33946 -> 142.250.203.202:443 (TCP)
 2024-03-01 21:14:42	 Local User (MAC=B2-43-33-B9-D8-D9): 192.168.1.8 DNS -> 8.8.8.8 inquire gmail.googleapis.com
Logs from main router, when I ping google.com in Mikrotik terminal.
 2024-03-01 21:19:47	 Local User (MAC=78-9A-18-91-59-CC): 192.168.1.7 DNS -> 8.8.8.8 inquire upgrade.mikrotik.com
 2024-03-01 21:19:47	 Local User (MAC=78-9A-18-91-59-CC): 192.168.1.7 DNS -> 8.8.8.8 inquire google.com
 2024-03-01 21:19:45	 Local User (MAC=78-9A-18-91-59-CC): 192.168.1.7 DNS -> 8.8.4.4 inquire upgrade.mikrotik.com
 2024-03-01 21:19:45	 Local User (MAC=78-9A-18-91-59-CC): 192.168.1.7 DNS -> 8.8.4.4 inquire google.com
 2024-03-01 21:19:43	 Local User (MAC=78-9A-18-91-59-CC): 192.168.1.7 DNS -> 8.8.8.8 inquire upgrade.mikrotik.com
 2024-03-01 21:19:43	 Local User (MAC=78-9A-18-91-59-CC): 192.168.1.7 DNS -> 8.8.8.8 inquire google.com
 
holvoetn
Forum Guru
Forum Guru
Posts: 6760
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 9:57 pm

Can you first disable lte to be sure nothing comes in using the back door?

Then disable firewall rules.
Then test again.

I suspect a fw rule is blocking things.
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 10:39 pm

No changes :(
 
DonIT
just joined
Topic Author
Posts: 22
Joined: Tue Feb 27, 2024 8:32 pm

Re: MikroTik | SXTR&FG621-EA LTE: internet from LAN

Fri Mar 01, 2024 11:10 pm

Also, reset SXT and redid the changes again. Changed eth2 LAN IP to other.

Who is online

Users browsing this forum: barte91, mkx and 27 guests