Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Help with routing Internet through a RB5009UG router....

Post Reply
 
Hello2025
just joined
Topic Author
Posts: 2
Joined: Wed Jan 08, 2025 8:42 pm
Location: United States

Help with routing Internet through a RB5009UG router....

Wed Jan 08, 2025 11:34 pm

Hello fellow Networking enthusiasts,
I am "ALL IN" with the Microtik brand and operating system. Having said that, however ...I am feeling overwhelmed by a lack of networking knowledge and the time it's taking to setup a router that has not been "over simplified into oblivion" with a robust OS behind it! I have seen others show off what it can do, so I'm trying to setup a small home network with two pieces of hardware,the HAP ax3 and the RB5009UG.
I have an Internet Service Provider providing internet and going into a cable modem. I'm currently use another brand of wifi product attached to that modem but would like to configure the RB5009UG+S+IN router to route traffic on my network. I will eventually replace the Netgear wifi router with a Microtik HAP ax3 router. This HAP ax3 was the first piece of hardware I purchased from Microtik. I had read somewhere (I thought that it was in one of these help forums) that the RB5009 should allow a user (using the default configuration) to plug Internet into the Ethernet port and then receive Internet out on its other ports. This has not been my experience however. :( So that I don't omit details which may be important to troubleshooting the my router configuration, I have designated the Internet IN port as the SFP-plus port by using an SFP-plus to Ethernet adapter. ALSO...I designated Ether 8 as a "Managed access port" which seemingly serves the purpose of allowing for easier management and configuration changes without loosing connection from my computer or having to reset back to default configurations (Again!).
Bellow I’m posting my exported RB5009 configuration so that someone might tell me where It is that I have gone wrong. I have been working VERY hard to gain better understanding of Router OS ver.7, the Microtik platform and general networking! I have watched hours of (seemingly) knowledgable videos by reputable purveyors of networking teachers online. I also purchased courses on Udemy to hopefully understand what, how, and when to make changes. I may only liken my experience of gaining this knowledge as like trying to take a drink water from a fire hydrant....It is coming at you very fast and there is too much of it to be useful. My goal is to have a better understanding of the terminologies or methods that I learned so I may put them into a useable home networking context. THANK YOU for reading this post, and for any willingness you may have to guide me in the correct direction!

Joe
Last edited by chechito on Wed Jan 08, 2025 11:37 pm, edited 2 times in total.
Reason: deleted RTF file, please post your config code in plain text
Top
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:
Contact chechito

Re: Help with routing Internet through a RB5009UG router....

Wed Jan 08, 2025 11:39 pm

deleted RTF file, if you wish to share your config, post it in plain text removing any personal or private data
Code: Select all
use code tags for proper readability
Top
 
Hello2025
just joined
Topic Author
Posts: 2
Joined: Wed Jan 08, 2025 8:42 pm
Location: United States

Re: Help with routing Internet through a RB5009UG router....

Wed Jan 15, 2025 9:00 pm

Hello,
I'm posting my configuration plain text to this reply Chechito. I noticed your reply saying something about "use code tags for proper readability". That comment may not have been for me but I wanted to let you know, I'm sorry but I don't know what that means. I did try to export the configuration file in color as I would assume that people who know more about this than I do would glean information from it, however, I could not get it to work for me.
In reference to my configuration file, It may be pretty obvious to some by looking at the file as to how my Microtik is configured. I thought it may be helpful to briefly summarize how I have the router setup and, how it is working for me. I have the SFP-plus (using ethernet adapter) as Internet IN. Ether ports 1-7 are bridged together and have a set of IP addresses with a subnet mask of 255.255.255.0. I use Ether port 8 as a Managed access port for making all changes to the router and so as not to get shut-out / locked-out. It has an IP address of 10.0.1.1/30 (meaning its subnet mask is 255.255.255.252). I found it easiest to setup this way so I never get locked out and can have a bombproof connection between my computer and the router to make all changes.
THE PROBLEM: I cannot receive the internet "through" the device by Ethernet to my PC. Internet comes through to the router just fine. I can ping to 8.8.8.8 and www.google.com from the terminal in the router. I cannot get the internet to come through to my PC though. I have it "hard wired" with a ethernet cable to ether 8, and also have tried the other ethernet ports with the same results. Both ether port 8 and ether port 2 give the same results to a terminal ping on my PC.
RESULTS: -ping to 8.8.8.8
Request timeout for imp-seq
-ping to www.google.com
error = cannot resolve google.com unknown host

So...this is where I'm at. Thank you or any help you might give to me.

Code: Select all
# 2025-01-07 08:06:37 by RouterOS 7.16
# software id = ---------
#
# model = RB5009UPr+S+
# serial number = ------------
/interface bridge
add comment=Bridged-Sfpplus1-&-ether-1-7 name=\
    "1--bridge-LAN-Ether Sfpplus-&-ether 1-7"
/interface ethernet
set [ find default-name=ether8 ] name=ether8--MANAGED-ACCESS
set [ find default-name=sfp-sfpplus1 ] name=\
    "sfpplus1-(INTERNET--IN)"
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/iot lora servers
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" \
    protocol=UDP
add address=nam1.cloud.thethings.industries name=\
    "TTS Cloud (nam1)" protocol=UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" \
    protocol=UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" \
    protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" \
    protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" \
    protocol=UDP
/ip pool
add name=dhcp_pool0 ranges=10.0.0.20-10.0.0.254
/interface bridge port
add bridge="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" disabled=yes \
    interface="sfpplus1-(INTERNET--IN)"
add bridge="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" interface=\
    ether1
add bridge="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" interface=\
    ether2
add bridge="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" interface=\
    ether3
add bridge="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" interface=\
    ether4
add bridge="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" interface=\
    ether5
add bridge="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" interface=\
    ether6
add bridge="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" interface=\
    ether7
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface="sfpplus1-(INTERNET--IN)" list=WAN
add interface="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" list=LAN
/ip address
add address=10.0.0.1/24 comment=\
    "Same as old Apple router IP default address's" interface=\
    "1--bridge-LAN-Ether Sfpplus-&-ether 1-7" network=10.0.0.0
add address=72.179.10.34/22 comment=\
    "Cable Internet IP from provider DHCP server.." interface=\
    "sfpplus1-(INTERNET--IN)" network=72.179.8.0
add address=10.0.1.1/30 comment=\
    "IP Address for Ether 8-Managed capability" interface=\
    ether8--MANAGED-ACCESS network=10.0.1.0
/ip dhcp-client
add disabled=yes interface="sfpplus1-(INTERNET--IN)"
/ip dhcp-relay
add dhcp-server=10.0.0.1 disabled=no interface=\
    "1--bridge-LAN-Ether Sfpplus-&-ether 1-7" name=relay1
/ip dhcp-server
add address-pool=dhcp_pool0 interface=\
    "1--bridge-LAN-Ether Sfpplus-&-ether 1-7" lease-time=8h name=\
    dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 comment="Router Network\?\?" dns-none=yes \
    gateway=10.0.0.1 netmask=24
add address=10.0.0.1/32 comment="Routers IP address\?" dns-none=\
    yes gateway=10.0.0.0
/ip dns
set servers=1.1.1.2,1.0.0.2
/ip firewall filter
add action=accept chain=input dst-limit=2,5,dst-address/1m40s \
    protocol=icmp
add action=drop chain=input dst-limit=2,5,dst-address/1m40s \
    protocol=icmp
add action=accept chain=input connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=drop chain=input in-interface=\
    "1--bridge-LAN-Ether Sfpplus-&-ether 1-7"
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.1
/ip firewall service-port
set ftp disabled=yes
/system clock
set time-zone-autodetect=no
/system note
set show-at-login=no
Last edited by tangent on Thu Jan 16, 2025 6:36 am, edited 1 time in total.
Reason: Wrapped config in code block
Top
 
billybee
just joined
Posts: 3
Joined: Mon Sep 16, 2024 7:46 am

Re: Help with routing Internet through a RB5009UG router....

Sat Jan 18, 2025 3:04 am

You need a firewall rule that permits forwarding traffic through the router. Something like:
Code: Select all
add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN
Top
 
jaclaz
Forum Guru
Forum Guru
Posts: 2165
Joined: Tue Oct 03, 2023 4:21 pm

Re: Help with routing Internet through a RB5009UG router....

Sat Jan 18, 2025 2:25 pm

There is some confusion in your configuration.

You should start by using the "normal" default firewall settings, but first fix the following otherwise your ether8 won't have correct access:
Code: Select all
/interface list
add name=WAN
add name=LAN

/interface list member
add interface="sfpplus1-(INTERNET--IN)" list=WAN
add interface="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" list=LAN
To:
Code: Select all
/interface list
add name=WAN
add name=LAN
add name=MGMT

/interface list member
add interface="sfpplus1-(INTERNET--IN)" list=WAN
add interface="1--bridge-LAN-Ether Sfpplus-&-ether 1-7" list=LAN
add interface="ether8--MANAGED-ACCESS" list=LAN
add interface="ether8--MANAGED-ACCESS" list=MGMT
Then, remove your current firewall rules and insert default firewall rules:
Code: Select all
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
The default set of firewall rules is good for 99.999% of normal uses, and it should not be replaced/changed unless/until you really know what you are doing.
Top
Post Reply
  4. RouterOS
  5. Beginner Basics