CPE unit.

mambotech · Thu Oct 12, 2006 10:47 pm

Hi,

I have setup a CPE unit. The ethernet interface has a static address and the wlan has a dhcp client setup. The wlan has been allocated an ipaddress from the dhcp server. The problem I am having is that no traffic seems to be routing from the ethernet side. i.e I cannot browse the internet.

Please could someone tell me where I have gone wrong. should the ehternet be on dhcp and the wlan be on a static ?

client (dhcp) -> ethernet (static) -> wlan (dhcp)

Thanks Mark

cibernet · Fri Oct 13, 2006 12:49 am

Hi,

I have setup a CPE unit. The ethernet interface has a static address and the wlan has a dhcp client setup. The wlan has been allocated an ipaddress from the dhcp server. The problem I am having is that no traffic seems to be routing from the ethernet side. i.e I cannot browse the internet.

Please could someone tell me where I have gone wrong. should the ehternet be on dhcp and the wlan be on a static ?

client (dhcp) -> ethernet (static) -> wlan (dhcp)

Thanks Mark

Missing NAT?

mambotech · Fri Oct 13, 2006 1:19 am

I am just checking and NAT is not setup

Mark

cibernet · Fri Oct 13, 2006 1:53 am

I am just checking and NAT is not setup

Mark

Well, you need to NAT....

ip firewall nat add chain=src-nat out-interface=wlan1 action=masquerade

mambotech · Fri Oct 13, 2006 2:22 am

hi cibernet

OK ...I can now ping the ethernet address through the wlan connection. So in theory the PC should now get an ipaddress from the DHCP server and they should be able to browse ..?

Wlan 192.168.2.26 -> ether1 192.168.2.27 -> Client PC dhcp

Mark

Fri Oct 13, 2006 9:39 am

no! your client is masqueraded (hidden behind router). you need either to set up a DHCP server on your router, or give your client a static address. it should be on a different subnet by the way, your addresses are not correctly set up

mambotech · Fri Oct 13, 2006 10:55 am

Hi Normis

I am struggling with this client configuration. I have 3 other routers running fine. But I can't seem to get this CPE unit to work correctly.

This is the current setup:

I have a dhcp server sitting on 192.168.2.7 which is a seperate server.

I want the Client PC that is using the CPE to be allocated an IP address from this server.

All the other routers have a Wlan ip address of 192.168.2.* and are bridged with a backhaule Wlan 10.0.0.* and this works fine. All the clients that connect to the AP's get an ip address from the dhcp server on 192.168.2.7

Can you tell me what the config would look like.

I have it setup like this at the moment

client PC -> eth1 (192.168.2.27) -> bridge <- Wlan (10.0.0.4)

I cannot ping either address from outside the CPE unit even though it is connect to the wireless Lan

Thanks Mark

Fri Oct 13, 2006 11:04 am

if you use masquerade, you will NOT be able to ping the client from outside. that is the whole point of this kind of setup. the client can get out, but nothing can get in. including your pings.

mambotech · Fri Oct 13, 2006 11:20 am

I can't ping out from the unit either .....I also cannot connect to the mac address either now

Can you post a config please of how I should set it up ....

Thanks Mark

Fri Oct 13, 2006 11:23 am

this should be very simple. i think you are just complicating a simple setup.

public ip space ~~~~ public IP of router / local IP of router ~~~~ local IP of client

and on the router you have the masquerading rule. and in the client you specify the router as gateway.

simple!

mambotech · Fri Oct 13, 2006 12:08 pm

Normis,

I agree it should be simple. I have now set it up as you suggested.

PC static address 10.2 -> eth1-10.1-> wlan 192.168.2.26

My networks gateway is 192.168.2.7 DNS is 192.168.2.7 I can ping the gateway from the wlan interface but not from the client PC. The client PC's gateway is 192.168.10.1.

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 ADC 192.168.2.0/24 192.168.2.26 wlan1
1 ADC 192.168.10.0/24 192.168.10.1 ether1
2 A S 0.0.0.0/0 r 192.168.2.7 wlan1

[admin@MikroTik] ip dhcp-server> lease print
Flags: X - disabled, R - radius, D - dynamic, B - blocked
# ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-LIMIT STATUS
0 D 192.168.10.2 00:13:D3:BA:70:E3 vAsperen dhcp1 bound
[admin@MikroTik] ip dhcp-server> /ping 192.168.10.2
192.168.10.2 ping timeout
192.168.10.2 ping timeout
192.168.10.2 ping timeout
192.168.10.2 ping timeout
192.168.10.2 ping timeout

[admin@MikroTik] ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=src-nat out-interface=wlan1 action=masquerade

What am I missing here ? It's as though it's not forwarding

Thanks Mark

Fri Oct 13, 2006 12:28 pm

wait a second, on the client - the gateway should be the router eg. 10.1

mambotech · Fri Oct 13, 2006 12:43 pm

Normis,

When you say client do you mean client PC if yes it's is being allocated an ipaddress from the dhcp-server on ehter1.

Mark

Fri Oct 13, 2006 12:48 pm

No, I am saying that you should set the `default gateway` setting in his windows settings to the local address of the router.

mambotech · Fri Oct 13, 2006 1:02 pm

Normis,

He has the default gateway of the router set in his PC .....it is being allocated by the DHCP server on ether1

ipaddress 192.168.10.2
gateway 192.168.10.1

I ask him to do a tracert to 192.168.2.7 it gets as far as the 192.168.10.1 address and then times out. ??

Looks like the local network is not forwarding to the public network. How do I switch on debug logging for the interfaces ??

Thanks Mark

mambotech · Fri Oct 13, 2006 1:24 pm

Question:

I the client PC to be allocted and ip address from the DHCP server on the network ... Is this possible with the CPE unit. Maybe I shouldn't us masquerade. Can you tell me how I would setup this up.

would this work .... chain=srcnat src-address=192.168.2.26 src-address-list="" action=accept

Thanks Mark

Fri Oct 13, 2006 1:50 pm

i suggest you to make a network drawing, with all the IP addresses and post configuration of IP addresses and routes

mambotech · Fri Oct 13, 2006 2:24 pm

Hi Normis,

Please see diagram below. I need all traffic from the client to go through the proxy/dhcp server. I also require the Client PC to pick up an IP address from the dhcp server as well. All other clients on the network currently do this.

[/img]

Thanks Mark

Fri Oct 13, 2006 2:31 pm

client will never get that dhcp address from your dhcp server, because the server is behind that router. you should enable dhcp server on the CPE and let it give out it's own address to the client. or just use other approach, not masquerading

mambotech · Fri Oct 13, 2006 2:37 pm

OK,

The current setup does allocate an ipaddress from the CPE unit but I still cannot browse. What would be the alternative to masquerade. We are looking at buy 50 of these client units but we need to get the config right and I am struggling with this one ????

Mark

Fri Oct 13, 2006 2:44 pm

so:

1. you can ping from client to the CPEs ethernet address?

2. you have set up the masquerade rule in the CPE as someone above sugested?

3. you can ping rest of the world from within CPE?

looks like the masquerade rule is not working, can you make a supout.rif file and send to support ?

mambotech · Fri Oct 13, 2006 2:57 pm

1. you can ping from client to the CPEs ethernet address? Yes

2. you have set up the masquerade rule in the CPE as someone above sugested? Yes

3. you can ping rest of the world from within CPE? Yes

looks like the masquerade rule is not working, can you make a supout.rif file and send to support ? This is a problem ...I am in the UK the unit is in Spain. I am hooked into our main Mikrotik router and have a telnet connection in to the CPE unit. I can run the supout.rif command but I cannot retrive it to send to you.

Is there any other way we can do this.

Thanks Mark

Fri Oct 13, 2006 3:01 pm

if you can telnet, you can FTP - no ?

mambotech · Fri Oct 13, 2006 3:38 pm

Normis,

I can't get access via ftp. Does the router stop you accessing remotely without a password. If so how do I add a password to an account using telnet

Mark

Fri Oct 13, 2006 3:46 pm

if there is telnet access, there should be ftp access using the same user/password.

mambotech · Fri Oct 13, 2006 3:55 pm

Normis,

I am connect to our main router using winbox I then telnet into the CPE ...which means tha request is coming from a local connection not outside of the LAN

Mark

mambotech · Fri Oct 13, 2006 6:11 pm

Hi Normis,

I have sent you the supout.rif file. Can you see what is wrong ???

Thanks Mark

Mon Oct 16, 2006 9:00 am

i don't see a gateway specified in your router. you need to add a default gateway so that your router knows where to send everything.

/ip route add gateway=192.168.2.1

(or whatever your gateway is)

mambotech · Mon Oct 16, 2006 12:58 pm

Normis,

Here is the current config

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 ADC 192.168.2.0/24 192.168.2.26 wlan1
1 ADC 192.168.10.0/24 192.168.10.1 ether1
2 A S 0.0.0.0/0 r 192.168.2.7 wlan1

[mark@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=src-nat out-interface=wlan1 action=masquerade

1 X chain=srcnat src-address=192.168.2.26 action=accept

[mark@MikroTik] ip firewall nat> /ip dhcp-server lease print
Flags: X - disabled, R - radius, D - dynamic, B - blocked
# ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-LIMIT STATUS
0 D 192.168.10.2 00:13:D3:BA:70:E3 vAsperen dhcp1 bound

I have just tested again with the client PC and it is still not able to browse or ping the outside world. Do you think the unit is faulty??

Thanks Mark

Mon Oct 16, 2006 1:17 pm

no, but I think you should hire one of our consultants to look at your network more closely: http://www.mikrotik.com/consultants.html

they are very helpful people, try to contact one of them to see their opinion.

it will not be possible to solve your problem without looking at the network and logging into your routers.

mambotech · Mon Oct 16, 2006 2:07 pm

Normis,

I don't see why I need a consultant. I have 25 clients hanging off this network and they are all working fine. I have 2 client running muria unit that run the routerOS and they are connecting in OK as well. What makes you think there is a problem with the network ????

Regards Mark

mambotech · Mon Oct 16, 2006 2:07 pm

Normis,

I don't see why I need a consultant. I have 25 clients hanging off this network and they are all working fine. I have 2 client running muria unit that run the routerOS and they are connecting in OK as well. What makes you think there is a problem with the network ????

Regards Mark

Mon Oct 16, 2006 2:51 pm

this is apparent. this setup is so simple that it should work after 2 minutes of configuration. it's definetly not a software issue as this functionality is essential, and someone else would have noticed a problem.

juan.gabatel · Mon Oct 16, 2006 5:28 pm

Hi, i have the same problem than mambotech, has 2 vlan and none of them make forwarding, i think is the RouterOS, because I have 1 CPE whit RouterOS v 2.9.24 and work very well, now the company has bought 50 CPE, but they come whit RouterOS v2.9.29 and the same configuration doesn’t work, they say to me that I have to upgrade to the last version 2.9.32 to resolve the problem, in fact did it, but now non of the vlan makes forwarding, only ping the gateway whit the wlan interface, but not the client, we are still waiting for a answer of support, but i strongly think that is the RouterOS that make this problem, i want a “routeros-rb500-2.9.24.npk” if someone have it contact me or put the email on the forum so i can contact. Thanks.

CPE unit.

CPE unit.

Re: CPE unit.

Nat

Re: Nat

Nat

CPE

Normis

CPE

CPE

CPE

Config

CPE

CPE

FTP

supout.rif

gateway

Consultant

Consultant

The same problem

Who is online