 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 1:33 am

Hello,

i need help pls in the following strange issue:

if i use my ISP modem (Freebox France) in router mode, i got internet perfectly with the actual setup (firewall, NAT [masquerade out WAN], etc..)

when i set the modem to bridge mode and get a public IP in my Mikrotik RB5009, (DHCP Client released), all counters are still working on Firewall tab and NAT (nothing extra dropped, checked in the Log), but i cannot get internet in any device.

should i change something with the NAT rule?

actual:
 0    ;;; WAN SFP+ masq
      chain=srcnat action=masquerade to-addresses=***public IP address*** out-interface=sfp-sfpplus1[WAN] log=no log-prefix="
tried but didn't work:
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN SFP+ masq" out-interface=\
    "sfp-sfpplus1[WAN]" to-addresses=***public IP address***
the only difference i can realize is that i have had internal IP before (when modem was in router mode) but now as it is in bridge, i have public IP in my Mikrotik RB5009.

i have switched off for a short period my firewall to test if maybe it is blocked somewhere there, but not, so i really lost what is the problem here.

i hope you can help me and thanks in advance!

any tip is more than welcome!

kind regards,
Joho
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 11:24 am

please help, it is very irritating and i haven't got any idea where the issue can come from..
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 1:43 pm

Remove the to-address value ??
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 1:59 pm

> Remove the to-address value ??
i removed, but nothing changed :/

(to address or to port is mandatory for src-nat, so i couldn't apply this rule)
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 2:05 pm

Again, it can be dozens of reasons. This could have been 1 ;-) It was worth trying.
You state traffic-counters are moving. Can you test if your issue is DNS-related or actual connectivity ?
Can you ping 8.8.8.8 from a connected PC ?
What DNS are your PCs on the LAN using ?

etc,etc ...
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 2:08 pm

thanks for answer and effort!

i cannot ping out any domain or IP, i got timeout for the PC from LAN ping the 8.8.8.8.

the PC is using a https DOH connection to QUAD9 and to cloudflare as secondary. (set under WIN11)

please tell me what other details you need and i will share as much as i can.

also what is very strange is that the packages are counting properly under my Firewall rules, so looks like everything is OK. the only bad symptom is that there is no Internet on LAN.

i am sure there is small thing that is overwatched by me, but i cannot find..

thanks again for support, that is appreciated!
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 2:31 pm

Best thing is to provide a FULL config-export on your box , minus sensitive stuff like serial-numbers or some bits of the public-IP itself.
I assume your Win11 PC can ping its default-gateway ? (= the RB5009)
From the RB5009-console, can you ping something like 8.8.8.8 ? Or not even that ?

It can be a small thing, it can be a major f*ckup too, but without the full picture very difficult to pinpoint.
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 3:14 pm

thanks!

i cannot ping 8.8.8.8 from console RB5009, it is time out too.

i can ping my RB5009 from LAN device, i also manage the router from this PC.

please see below my actual settings, i have removed the sensitive info and the firewall. (as the firewall does not cause the issue, as i have tested it without the complete firewall)

thank you again for help!
# 2024-06-12 by RouterOS 7.15.1
#
# model = RB5009UG+S+
/interface bridge
add name="RouterBridge[ETH-6,8]"
/interface ethernet
set [ find default-name=ether1 ] name="ether1[HAX]"
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] name="ether5[PCG]"
set [ find default-name=ether6 ] disabled=yes name="ether6[WRT]"
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] name="ether8[TPR]"
set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1[WAN]"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=***DELETED***
/ip pool
add name="DHCP_pool_ether5[PCG]" ranges=10.0.0.10-10.0.0.200
add name=DHCP_pool_router_bridge ranges=10.0.50.199-10.0.50.200
add name="DHCP_pool_ether1[HAX]" ranges=10.0.1.10-10.0.1.200
/ip dhcp-server
add address-pool="DHCP_pool_ether5[PCG]" interface="ether5[PCG]" lease-time=\
    8h name=dhcp_srv_1
add address-pool="DHCP_pool_ether1[HAX]" interface="ether1[HAX]" lease-time=\
    8h name=dhcp_srv_2
add address-pool=DHCP_pool_router_bridge interface="RouterBridge[ETH-6,8]" \
    lease-time=8h name=dhcp_srv_3
/container config
set registry-url=https://registry-1.docker.io tmpdir=***DELETED***
/dude
set enabled=yes
/interface bridge port
add bridge="RouterBridge[ETH-6,8]" interface="ether6[WRT]"
add bridge="RouterBridge[ETH-6,8]" interface="ether8[TPR]"
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip address
add address=10.0.0.1/24 comment="ether5[PCG] address list" interface=\
    "ether5[PCG]" network=10.0.0.0
add address=10.0.1.1/24 comment="ether1[HAX]" interface="ether1[HAX]" \
    network=10.0.1.0
add address=10.0.50.1/24 comment="ether6&8 [RouterBridge]" interface=\
    "RouterBridge[ETH-6,8]" network=10.0.50.0
/ip dhcp-client
add interface="sfp-sfpplus1[WAN]" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.1.11 client-id=***MAC address*** mac-address=\
    ***MAC address*** server=dhcp_srv_2
add address=10.0.0.10 client-id=***MAC address*** mac-address=\
    ***MAC address*** server=dhcp_srv_1
add address=10.0.50.200 client-id=***MAC address*** mac-address=\
    ***MAC address*** server=dhcp_srv_3
add address=10.0.50.199 mac-address=***MAC address*** server=dhcp_srv_3
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=9.9.9.9,1.1.1.1 gateway=10.0.0.1
add address=10.0.1.0/24 dns-server=10.0.0.1 gateway=10.0.1.1
add address=10.0.50.0/24 gateway=10.0.50.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip dns static
add address=9.9.9.9 name=Q9DNS
add address=1.1.1.1 name=CFDNS
/ip firewall address-list
***DELETED***
/ip firewall filter
***DELETED***
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN SFP+ masq" out-interface=\
    "sfp-sfpplus1[WAN]" to-addresses=***public IP***
/ip firewall raw
***DELETED***
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=***DELETED***
set api disabled=yes
set winbox address=***DELETED***
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=***DELETED***
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=***DELETED***
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 6:18 pm

When on the CLI of the router, can you ping 1.1.1.1 for example ?
How does your routing-table look like ? (/ip/route/ print)
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 6:22 pm

pls see below:
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY                DISTANCE
DAd 0.0.0.0/0         ***public IP***               1
DAc 10.0.0.0/24       ether5[PCG]                   0
DAc 10.0.1.0/24       ether1[HAX]                   0
DAc 10.0.50.0/24      RouterBridge[ETH-6,8]         0
DAc ***public IP***.0/24  sfp-sfpplus1[WAN]             0
in CLI PING is time out for 8.8.8.8 and also for 1.1.1.1 :/

i know weird issue..
 
jvanhambelgium
Forum Guru
Posts: 1120
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 6:43 pm

If you want anyone to seriously take a look at it you'll probably need to provide the *full* config.
This is very weird, if you cannot even ping from the CLI there is something fundamentally wrong...

You could also try the "Quickset" and setup the box first with default settings ? At least your Internet should work and you'll get basic FW-rules to start from?
 
infabo
Forum Guru
Posts: 1638
Joined: Thu Nov 12, 2020 12:07 pm

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 7:44 pm

> > Remove the to-address value ??
> i removed, but nothing changed :/
>
> (to address or to port is mandatory for src-nat, so i couldn't apply this rule)
since when is this mandatory and why should it be mandatory at all? the most simple nat rule you need and can try is:
/ip/firewall/nat/add action=masquerade chain=srcnat out-interface="sfp-sfpplus1[WAN]"
But I give you an advice and don't use port names directly and use interface lists instead. Good practice.
/interface/list/member/add interface="sfp-sfpplus1[WAN]" list=WAN
afterwards alter the srcnat rule:
/ip/firewall/nat/add action=masquerade chain=srcnat out-interface-list=WAN comment="masquerade awesome ***censored*** WAN"
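
Added example, not part of the original posts: a Python check over a RouterOS export that flags the two points raised above, a masquerade rule carrying to-addresses and a rule that matches a port name instead of an interface list. The sample export is constructed (203.0.113.7 stands in for the redacted public IP), and the function names are this example's own.

```python
import re
import shlex

# Constructed sample shaped like the export in this thread; 203.0.113.7 is a
# documentation address standing in for the redacted public IP.
SAMPLE_EXPORT = r'''
/interface list member
add interface="sfp-sfpplus1[WAN]" list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN SFP+ masq" out-interface=\
    "sfp-sfpplus1[WAN]" to-addresses=203.0.113.7
add action=masquerade chain=srcnat out-interface="sfp-sfpplus1[WAN]"
add action=masquerade chain=srcnat out-interface-list=WAN
'''


def parse_export(text):
    """Yield (menu, verb, params) for each command line of a RouterOS export."""
    # The export wraps long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    menu = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # Menu header such as "/ip firewall nat"; normalise the separators.
            menu = " ".join(line.replace("/", " ").split())
            continue
        try:
            tokens = shlex.split(line)  # keeps "quoted values" as one token
        except ValueError:
            continue  # unbalanced quotes, e.g. a hand-redacted line
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        yield menu, tokens[0], params


def lint_masquerade(text):
    """Return (rule label, finding) pairs for srcnat masquerade rules."""
    findings = []
    for menu, verb, p in parse_export(text):
        if menu != "ip firewall nat" or verb != "add":
            continue
        if p.get("chain") != "srcnat" or p.get("action") != "masquerade":
            continue
        label = (p.get("comment") or p.get("out-interface")
                 or p.get("out-interface-list") or "(no label)")
        if "to-addresses" in p:
            # Thread advice: masquerade needs no to-addresses, and a wrong
            # value there stops traffic.
            findings.append((label, "to-addresses set on masquerade rule"))
        if "out-interface" in p:
            findings.append((label, "matches a port name, not an interface list"))
    return findings


if __name__ == "__main__":
    for label, finding in lint_masquerade(SAMPLE_EXPORT):
        print(f"{label}: {finding}")
```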
 
MTNick
Member Candidate
Posts: 106
Joined: Fri Nov 24, 2023 6:43 am

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 8:03 pm

Just to test, eliminate the RB5009 DNS server.
1. Enable peer dns (check mark) in DHCP-Client for WAN. Check ping to 8.8.8.8 again.

If you can ping after eliminating the RB5009 DNS server, turn the DHCP-Client peer DNS off (no check mark) in DHCP-Client. Then try:
1. Your DHCP-Server DNS is set wrong. If you’re using the RB5009 as the DNS server, set the DNS to the IP address of the RB5009, not QUAD & CloudFlare. I believe there’s a resolution conflict.
2. Agree with the previous above post. Your masquerade rule is wrong. The “to-address” isn’t required & shouldn’t be populated. If the “to-address” is wrong, internet will not work.
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Wed Jun 12, 2024 10:33 pm

thank you to all of you for the comments, i will try the advice tonight or tomorrow.

the strange thing is that my NAT is working without issue if i use my ISP modem in router mode. and in this case the tracert show me 2 LAN address before external IP. so that should be okay.

OR maybe my name translation is done by the ISP modem in router mode and that is why it is not working when i change it to bridge mode.....

i will try the advices and get back with feedback for sure!

thanks again for the support to all of you!
 
MTNick
Member Candidate
Posts: 106
Joined: Fri Nov 24, 2023 6:43 am

Re: ISP Bridge Mode cause issue on RB5009

Thu Jun 13, 2024 1:35 am

Assigning the DNS IP in DHCP-Server Network, all devices attached, either by wireless or wired, will adhere to the set DNS server.

Assuming the RB5009’s IP address is 10.0.0.1
/ip dhcp-client
add interface="sfp-sfpplus1[WAN]" use-peer-dns=no use-peer-ntp=no add-default-route=yes default-route-distance=1

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1 ntp-server=10.0.0.1
add address=10.0.1.0/24 dns-server=10.0.0.1 gateway=10.0.1.1 ntp-server=10.0.0.1
add address=10.0.50.0/24 dns-server=10.0.0.1 gateway=10.0.50.1 ntp-server=10.0.0.1

/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1

/ip firewall nat
add action=masquerade chain=srcnat comment="WAN SFP+ masq" out-interface="sfp-sfpplus1[WAN]"

Delete or disable the below unless a device/pc is using “Q9DNS” & “CFDNS” hard set by name specifically
/ip dns static
add address=9.9.9.9 name=Q9DNS disabled=yes
add address=1.1.1.1 name=CFDNS disabled=yes

 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Thu Jun 13, 2024 11:18 am

i have tried the mentioned advices and please see feedback below:

"If you can ping after eliminating the RB5009 DNS server, turn the DHCP-Client peer DNS off (no check mark) in DHCP-Client. Then try:
1. Your DHCP-Server DNS is set wrong. If you’re using the RB5009 as the DNS server, set the DNS to the IP address of the RB5009, not QUAD & CloudFlare. I believe there’s a resolution conflict."

--> i was able to ping from router the 8.8.8.8 and also google.com (which was resolved properly)

but no ping from my LAN PC.

i have done the changes as mentioned for the DNS addresses and to disable the Static addresses, but it changed nothing :/
/ip dhcp-client
add interface="sfp-sfpplus1[WAN]" use-peer-dns=no use-peer-ntp=no add-default-route=yes default-route-distance=1

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1 ntp-server=10.0.0.1
add address=10.0.1.0/24 dns-server=10.0.0.1 gateway=10.0.1.1 ntp-server=10.0.0.1
add address=10.0.50.0/24 dns-server=10.0.0.1 gateway=10.0.50.1 ntp-server=10.0.0.1

/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1

/ip firewall nat
add action=masquerade chain=srcnat comment="WAN SFP+ masq" out-interface="sfp-sfpplus1[WAN]"

Delete or disable the below unless a device/pc is using “Q9DNS” & “CFDNS” hard set by name specifically
/ip dns static
add address=9.9.9.9 name=Q9DNS disabled=yes
add address=1.1.1.1 name=CFDNS disabled=yes
what i have tried on LAN PC is that to use the nslookup and here i could see strange thing.

when the ISP modem is in bridge mode, it is working well with 9.9.9.9 resolve.

but when i switch ISP modem to bridge, nslookup started to give response:
C:\Users\X>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  9.9.9.9
for me that is really weird that when i got a public IP via the bridge mode of ISP modem, i lose the internet connection on LAN network, but from router i can ping even domain name too and it is resolved via CLI.

i will keep trying further and thanks for support
 
erlinden
Forum Guru
Posts: 2977
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: ISP Bridge Mode cause issue on RB5009

Thu Jun 13, 2024 11:29 am

I would expect your client to use 10.0.0.1 as DNS server (as specified in /ip dhcp-server network). Why is it showing 9.9.9.9?
Can you perform nslookup forum.mikrotik.com?

Can you post an ipconfig /all from this client?
Can you also post a tracert 9.9.9.9 from this client?

Assuming the client is a Windows machine?
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Thu Jun 13, 2024 12:17 pm

thanks for answer!

i have tried and i made a bit of mistake previously, because on my WIN machine, the DNS was set statically in the machine.

now it is automatic from DHCP, but the result is same at the end.

pls see below the responses:

IP config /all

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   Physical Address. . . . . . . . . : ***MAC***
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 2024. június 13., csütörtök 11:07:51
   Lease Expires . . . . . . . . . . : 2024. június 13., csütörtök 19:07:51
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.1
i did some clean to be on the safe side: ipconfig / release, /renew + /flushdns

nslookup forum.mikrotik.com:

C:\Users\X>nslookup forum.mikrotik.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.0.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
tracert for 9.9.9.9

C:\Users\X>tracert 9.9.9.9

Tracing route to 9.9.9.9 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *     ^C
indeed, it is a WIN11 machine.

thanks in advance!
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Thu Jun 13, 2024 12:40 pm

latest results:

even in router mode of the ISP, if i change the DNS-server in the DHCP/network tab in my Mikrotik, the resolution stop to work:
ip/dhcp-server/network/print 
Columns: ADDRESS, GATEWAY, DNS-SERVER
# ADDRESS        GATEWAY     DNS-SERVER
0 10.0.0.0/24    10.0.0.1    10.0.0.1   
1 10.0.1.0/24    10.0.1.1    10.0.0.1   
2 10.0.50.0/24   10.0.50.1  10.0.0.1           
but if i change it to 9.9.9.9, it starts to work. so look like my RB5009 DNS resolution doesn't work..

ip/dhcp-server/network/print 
Columns: ADDRESS, GATEWAY, DNS-SERVER
# ADDRESS        GATEWAY     DNS-SERVER
0 10.0.0.0/24    10.0.0.1    9.9.9.9   
1 10.0.1.0/24    10.0.1.1    9.9.9.9   
2 10.0.50.0/24   10.0.50.1  9.9.9.9


if i change the ISP modem to bridge, none of the above is working, i lose the internet again totally.

looks like something should be with the DNS resolution in the router, but i cannot find where is the problem..

thanks for help and have a nice day!
 
erlinden
Forum Guru
Posts: 2977
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: ISP Bridge Mode cause issue on RB5009

Thu Jun 13, 2024 1:11 pm

> (to address or to port is mandatory for src-nat, so i couldn't apply this rule)
That is new to me...the default rule is:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
Can you export a complete config?
/export file=anynameyoulike
Make sure to remove serial and any other private information.
Because there is something groovy going on.
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009

Thu Jun 13, 2024 3:39 pm

sure thanks, i will do a fresh export (with hidden priv info) and share it later the day.

my masquerade rule is the same as you mentioned but i do not use yet address list, but use out-interface=SFP port:

(i will change anyhow as suggested earlier to have the address-list, but i could not do it yet)

thanks again and i will be back with the export file when i can
 
Joho00
just joined
Topic Author
Posts: 17
Joined: Wed Jun 12, 2024 1:24 am

Re: ISP Bridge Mode cause issue on RB5009  [SOLVED]

Thu Jun 13, 2024 7:38 pm

Hello All,

i want to inform you that the issue has been solved!!!

the solution was to request an IPv4 full stack from my ISP provider (Free , France) via my online account.

after 30 mins i have had to restart my ISP modem, wait until it rebooted and then when i checked my RB5009 DHCP client screen, i have seen a new public IP address.

i have opened a browser to test the access to the internet and finally it worked!!!!!!!

nothing to do with the router or anything like that, something is different with this setup in the ISP side with the IPv4 full stack..

maybe a network master can understand and maybe to explain, but finally it is working!!!


i appreciate all of your support, time and effort to try to help me!

hope that case will be useful for some other MikroTik users living in France and using Free as an ISP provider with Freebox equipment.