Joez
just joined
Topic Author
Posts: 5
Joined: Wed Dec 18, 2024 7:24 pm

RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 4:47 pm

Hi to all in the community!

I recently bought an RB5009UG+S+IN for my office network. There's nothing very special to manage—8 PCs, 1 virtualization server, some IP phones, and a bunch of IoT devices.

Actually, I’ve never configured a RouterOS device before, but after reading some documentation and watching a few tutorials, I think I can handle the basics (or maybe not!).

After configuring a LAN bridge for all the ports (except eth1 for WAN), I created a DHCP server using the wizard (with a pool, and so on...), set up a DHCP client for my eth1 (WAN), and set up NAT masquerading for it. I assumed this would allow internet access.

Right now, I'm in a test setup where I have my ISP router connected to the WAN and one PC connected to eth2.

The PC correctly receives an IP from the DHCP server.
The WAN receives an IP from the ISP router.
The RB5009 can reach the internet (I tested with a ping and a system upgrade, both worked fine).
However, there is no internet connection on the PC.

Looking at the Ethernet card status on the PC, I think something is wrong with the DNS or gateway settings.

Can someone help me figure out the issue?
How can I show you the full configuration of my RB5009?

Thanks a lot for the newbie help request!

Regards,
Joe
 
jaclaz
Forum Guru
Posts: 1981
Joined: Tue Oct 03, 2023 4:21 pm

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 4:57 pm

How can I show you the full configuration of my RB5009?
Follow this:
viewtopic.php?t=203686#p1051720
 
gigabyte091
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 6:12 pm

Can you ping 8.8.8.8? If yes, can you ping google.com or anything else from the PC? If not, then it's probably DNS.

But the RB5009 should work out of the box. Or do you want to use it as a learning device?
 
Joez
just joined
Topic Author
Posts: 5
Joined: Wed Dec 18, 2024 7:24 pm

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 6:26 pm

This is my current configuration, very basic.

Additional info:

My PC is on eth2
My ISP modem gateway is 192.168.1.1, with DHCP enabled, on eth1 WAN
The WAN DHCP client obtains address 192.168.1.6

My PC receives DHCP address 192.168.1.99, DNS 1.1.1.1, but I see no gateway!

If I ping 1.1.1.1 from the router terminal it works fine, but there is no ping or connectivity on the PC
No ping from my PC to 192.18.1.254 and 1.1.1.1

The router was just erased, with no standard configuration.
I think it's updated to the latest version of RouterOS
# 2024-12-19 16:15:42 by RouterOS 7.16.2
# software id = 
#
# model = RB5009UG+S+
# serial number = HFE0********
/interface bridge
add comment="LAN Bridge" name="bridge- LAN" port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="ether1 -WAN"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.60-192.168.1.99
add name=dhcp_pool1 ranges=192.168.1.60-192.168.1.99
add name=dhcp_pool2 ranges=192.168.1.60-192.168.1.99
/ip dhcp-server
add address-pool=dhcp_pool2 interface="bridge- LAN" name=dhcp1
/interface bridge port
add bridge="bridge- LAN" interface=ether2 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether3 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether4 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether5 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether6 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether7 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether8 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=sfp-sfpplus1 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip address
add address=192.168.1.254/24 interface="bridge- LAN" network=192.168.1.0
/ip dhcp-client
add comment="WAN Clinet " interface="ether1 -WAN"
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.254
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 -WAN"
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system note
set show-at-login=no
 
gigabyte091
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 7:21 pm

There is your problem: the same subnet on the WAN and LAN side. Change your subnet on either the WAN or the LAN side.

The RB5009 is your gateway, and on your PC you probably get 192.168.1.254 as gateway. What are you trying to achieve? There is not a single firewall rule.
 
Joez
just joined
Topic Author
Posts: 5
Joined: Wed Dec 18, 2024 7:24 pm

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 7:49 pm

Yes! This is my issue!

While waiting for replies, I tried resetting all the configurations and using the default one. It works like a charm.

It’s similar to my bare minimum configuration, with some differences, of course!

In the configuration I posted earlier, I deleted all the firewall rules just for testing purposes—you know, to check if the lack of connectivity was related to incorrect rules, but obviously, it wasn’t.

Now, thanks for your help! I’ll continue configuring by adding my PPPoE connection to my ONT and hope it works fine. Of course, I now have all the default firewall rules active!

Next, I’ll need to add some port forwarding and hope I can manage it!

Again, sorry for the newbie questions, but this is my first attempt at exploring this new world!

Joe
 
gigabyte091
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 8:05 pm

Never say you are sorry for a newbie question. You can't learn anything if you don't ask :D

You can watch videos from TheNetworkBerg, e.g. Great videos and everything is explained in detail. You also have a video about PPPoE.
 
jaclaz
Forum Guru
Posts: 1981
Joined: Tue Oct 03, 2023 4:21 pm

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 8:25 pm

If I may, it is not a good idea to connect a router to the internet without a proper set of firewall rules.
The first thing you should do is add these (they are the default ones from Mikrotik for other devices, adapted for your case):
When fiddling with a Mikrotik with only an interface as WAN and all the rest in a LAN bridge, it is extremely easy to get locked out by the firewall filter rules or by some other limitations, so the usual advice is to take a port (let's say ether8 in your case) out of the bridge and categorize it as MGMT, besides LAN.
This snippet "categorizes" interfaces and explicitly allows Winbox on the LAN bridge and ether8 (later, ether8 will become MGMT only).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MGMT

/interface list member
add interface="ether1 -WAN" list=WAN
add interface="bridge- LAN"  list=LAN
add interface=ether8 list=LAN
add interface=ether8 list=MGMT

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
though personally I would get rid of the space (and of the double quotes) in the names of interfaces, ether1_WAN and bridge_LAN remain perfectly readable.

Then the basic default firewall filter rules:
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
Then I would add an address like 192.168.88.1/24 to ether8, so that you can manually connect to it by setting your PC to 192.168.88.2; Winbox should be able to connect to it via MAC no matter the IP address.

Be careful when doing these changes: try them first in Safe mode and check that you still have a connection to the RB5009.
If you have doubts, ask before making them.
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 11:24 pm

This is the bible on VLANs - viewtopic.php?t=143620

Two things: always use safe mode when configuring the router. Basically invoke it, make changes, wait 5 seconds and if the router doesn't blow up, unselect safe mode, which captures the config (saves it), and then continue. If you do something while in safe mode it will go back to the last step before selecting safe mode!!

Second thing: to do VLANs it's safest to do so from a port OFF the bridge.
So take like port 9 off the bridge, give it its own IP address and access the router from there for all configuring.

/interface ethernet
set [ find default-name=ether9 ] name=OffBridge9

/ip address
add address=192.168.65.1/30 interface=OffBridge9 network=192.168.65.0

/interface list member
# LAN here, or trusted, or base/management: whichever interface list is the trusted one
add interface=OffBridge9 list=LAN

Now plug in your laptop into ether9, change ipv4 settings to 192.168.65.2 and you should be in!!!
Last edited by anav on Fri Dec 20, 2024 4:57 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 6752
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 11:27 pm

Now plug in your laptop into ether9, change ipv4 settings to 192.168.65.2 and you should be in!!!
Don't think so.
Not on RB5009 with 8 ether ports :lol:
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009 in the hands of a newbie, Gateway problem

Thu Dec 19, 2024 11:46 pm

Now plug in your laptop into ether9, change ipv4 settings to 192.168.65.2 and you should be in!!!
Don't think so.
Not on RB5009 with 8 ether ports :lol:
Then they should have called it the RB5008 LOL
Then use port 8, use your imagination, drink some moose milk!!!
 
gigabyte091
Forum Guru
Posts: 1518
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: RB5009 in the hands of a newbie, Gateway problem

Fri Dec 20, 2024 5:25 am

Well... There is SFP+ which is 9th network interface :D So 5009 is a valid name 8)
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB5009 in the hands of a newbie, Gateway problem

Fri Dec 20, 2024 9:17 am



Don't think so.
Not on RB5009 with 8 ether ports :lol:
Then they should have called it the RB5008 LOL
Then use port 8, use your imagination, drink some moose milk!!!
5009 is indeed an odd number for a router ... specially because it's even :lol:
 
Joez
just joined
Topic Author
Posts: 5
Joined: Wed Dec 18, 2024 7:24 pm

Re: RB5009 in the hands of a newbie, Gateway problem

Fri Dec 20, 2024 2:09 pm

Well, thanks for all the suggestions!
Now it's all set, also eth8 as a "free entrance ticket"!

The next step for me is to hook up my ONT and configure the PPPoE connection.

My ISP says:

PPPoE Client
VLAN 1036
User: vodafoneadsl
PSW: vodafoneadsl
NAT: YES

Very standard and basic.

I think I did all the steps right, and after that the router terminal can ping 1.1.1.1 without a problem, but... no connectivity on my PC on eth2, and I noticed the status "Searching..." in the DHCP client on eth1 WAN

This is my configuration now:
# 2024-12-19 18:33:04 by RouterOS 7.16.2
# software id = KW13-RUIJ
#
# model = RB5009UG+S+
# serial number = HFE0*******
/interface bridge
add admin-mac=78:9A:18:********** auto-mac=no name=bridge
/interface vlan
add interface=ether1 name=vlan1_Vodafone vlan-id=1036
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1_Vodafone name=\
    pppoe-out1 user=vodafoneadsl
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.60-192.168.88.99
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether8 list=LAN
add interface=ether8 list=MGMT
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.88.1 interface=ether8 network=192.168.88.1
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
nickshore
Long time Member
Posts: 524
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: RB5009 in the hands of a newbie, Gateway problem

Fri Dec 20, 2024 4:19 pm

You need to add the pppoe-out1 into the WAN interface list so that NAT works.

The DHCP client on ether1 is no longer needed.
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009 in the hands of a newbie, Gateway problem

Fri Dec 20, 2024 4:54 pm

This does not look good at all.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.88.1 interface=ether8 network=192.168.88.1

If your plan was to use ether8 as a safe place to config,
a. it needs to be removed from the bridge (which you have done, super!)
b. it needs to get a different, non-overlapping IP address from the bridge. Use something like 192.168.65.1/30
Did you not read the post I made on this subject???
 
Joez
just joined
Topic Author
Posts: 5
Joined: Wed Dec 18, 2024 7:24 pm

Re: RB5009 in the hands of a newbie, Gateway problem

Sat Dec 21, 2024 11:35 am

If your plan was to use ether8 as a safe place to config,
a. it needs to be removed from the bridge (which you have done, super!)
b. it needs to get a different, non-overlapping IP address from the bridge. Use something like 192.168.65.1/30
Did you not read the post I made on this subject???
Yes, yes, yes, I’m sorry!

Actually, my plan was to use it, after completing all the configuration, in my office network (192.168.1.0). So my brain automatically said, "It's fine to use 192.168.88.0 for the safe eth8 interface." However, to avoid any doubts, I’ve now changed it to your suggested 192.168.65.0.

This morning, I switched my ISP modem to the RB5009, connecting it directly to the ONT. It works like a charm—everything is running smoothly for all the PCs and other devices. Thank you so much for your help!

Now it’s time to set up some port forwarding for my server services.
 
jaclaz
Forum Guru
Posts: 1981
Joined: Tue Oct 03, 2023 4:21 pm

Re: RB5009 in the hands of a newbie, Gateway problem

Sat Dec 21, 2024 12:01 pm

Only as a note, maybe you haven't noticed it, but it is important that you understand this for other future configurations.

I originally suggested having ether8 as 192.168.88.1/24 (assuming that you would have changed the same range set on the bridge to your local LAN one).

BUT what you implemented (accidentally) was 192.168.88.1/32 (i.e. network 192.168.88.1).
Anav correctly (to resolve the conflict on 192.168.88.1) suggested 192.168.65.1/30.

An address like 192.168.65.1/30 is "smart" as it only allows 4 addresses, of which two are usable:
192.168.65.0 <- network address
192.168.65.1 <- usable: the RB5009 ether8
192.168.65.2 <- usable: the IP you have to give to the PC connected to ether8
192.168.65.3 <- broadcast address
see:
https://www.calculator.net/ip-subnet-ca ... =Calculate

When you input an address in RoS, you should remember to specify the CIDR network mask, and RoS will automatically set the "network" parameter for you, i.e.
/ip address
add address=192.168.88.1 interface=ether8

will result in (as seen in your export):
/ip address
add address=192.168.88.1 interface=ether8 network=192.168.88.1

whilst the (suggested) command would have been:
/ip address
add address=192.168.88.1/24 interface=ether8

which would have come out in export as:
/ip address
add address=192.168.88.1/24 interface=ether8 network=192.168.88.0

The same goes for the /30, do check that you have now:
/ip address
add address=192.168.65.1/30 interface=ether8 network=192.168.65.0
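
An added example, not part of any post in this thread: a small Python check that reads a RouterOS export and flags the mistakes discussed above (an address entered without a prefix length, overlapping subnets on two interfaces, and a PPPoE client left out of the WAN interface list). The sample export is constructed from the kind of output posted in the thread, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, trimmed from the kind of export posted in the thread.
SAMPLE_EXPORT = r"""
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1_Vodafone name=\
    pppoe-out1 user=example
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether8 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.88.1 interface=ether8 network=192.168.88.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
"""

TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Map each menu path (e.g. '/ip address') to a list of key=value dicts."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join lines split with a trailing backslash
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        elif current and line.split()[0] in ("add", "set"):
            row = {k: v.strip('"') for k, v in TOKEN.findall(line)}
            sections[current].append(row)
    return sections


def audit(text):
    """Return a list of findings for the address and WAN-list mistakes."""
    cfg = parse_export(text)
    findings, seen = [], []
    for row in cfg["/ip address"]:
        addr, ifname = row["address"], row["interface"]
        if "/" not in addr:
            # No mask given: RouterOS stores a /32, so network == address.
            findings.append(f"{ifname}: {addr} has no prefix length (stored as /32)")
        net = ipaddress.ip_interface(addr).network
        for other_if, other_net in seen:
            if other_if != ifname and net.overlaps(other_net):
                findings.append(f"{ifname} {net} overlaps {other_if} {other_net}")
        seen.append((ifname, net))
    # NAT and the WAN drop rule match on the WAN interface list, so the
    # PPPoE interface that actually carries the traffic must be a member.
    wan = {r["interface"] for r in cfg["/interface list member"] if r.get("list") == "WAN"}
    for row in cfg["/interface pppoe-client"]:
        if row.get("name") not in wan:
            findings.append(f"{row.get('name')}: PPPoE client is not in interface list WAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

The check only sees statically configured addresses; an address obtained by a DHCP client (such as the WAN address in the first configuration) does not appear in an export and has to be compared by hand.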
