I've been working for quite some time to get my router configuration working and I am coming up empty.
It has to be something small that I'm missing - but I'm not seeing it.
I have tried removing all NAT and Firewall configuration sections and I am still having the same problem.
The router is bound to 192.168.0.1 (LAN) and 192.168.88.1 (Management).
When my machine is 192.168.0.33 (Plugged into Lan Interface)
ping 192.168.0.1 will get 0-2 replies - the rest will Time Out
ping 192.168.88.1 will get 0-2 replies - the rest will Time Out
When my machine is 192.168.88.18 (Plugged into the Management Interface)
ping 192.168.0.1 works perfectly
ping 192.168.88.1 works perfectly.
I am at a complete loss.
Here is my configuration script:
Code: Select all
# Last Updated Oct 15 2017
#
# model = 2011UiAS
#
##############################
#### ROUTER CONFIGURATION ####
##############################
/system identity
set name=PaulBlart
### Update RouterOS Software on the "bugfix" channel
/system package update
set channel=bugfix
### Setup the system clock
/system clock
set time-zone-autodetect=no time-zone-name=America/Edmonton
### Configure NTP Client
/system ntp client
set enabled=yes primary-ntp=136.159.2.1 secondary-ntp=132.205.1.1
### Configure Router Tools
/tool mac-server set [ find default=yes ] disabled=yes
/tool sniffer set filter-ip-protocol=icmp
/tool bandwidth-server set enabled=no
##################################
#### PHYSICAL INTERFACE SETUP ####
##################################
/interface ethernet
set [ find default-name=ether1 ] name=ether1 disabled=yes
set [ find default-name=ether2 ] name=ether2 disabled=yes
set [ find default-name=ether3 ] name=ether3 disabled=yes
set [ find default-name=ether4 ] name=ether4 disabled=yes
set [ find default-name=ether5 ] name=ether5 disabled=yes
set [ find default-name=ether6 ] name=ether6 disabled=yes
set [ find default-name=ether7 ] name=ether7 disabled=yes
set [ find default-name=ether8 ] name=ether8 disabled=yes
set [ find default-name=ether9 ] name=ether9 disabled=yes
set [ find default-name=ether10 ] name=ether10 disabled=yes
set [ find default-name=sfp1 ] name=sfp1 disabled=yes
# WAN Uplink to ISP Modem (Bridging Mode Enabled)
set [ find default-name=ether6 ] name=if_wan disabled=no
# Raspberry Pi
set [ find default-name=ether7 ] name=if_pi disabled=no
# Connection to switch on VLAN2 (VoIP Traffic)
set [ find default-name=ether2 ] name=if_voip disabled=no
# Connection to switch on VLAN1 (LAN Traffic)
set [ find default-name=ether8 ] name=if_lan disabled=no
# Dedicated connection specifically for Router Management
set [ find default-name=ether9 ] name=if_mgmt disabled=no
# Connect to Wireless Access Point
set [ find default-name=ether10 ] name=if_wlan disabled=no
######################
#### IP ADDRESSES ####
######################
/ip address
add address=192.168.0.1/24 interface=if_lan network=192.168.0.0
add address=192.168.0.1/24 interface=if_wlan network=192.168.0.0
add address=192.168.0.1/24 interface=if_voip network=192.168.0.0
add address=192.168.88.1/24 interface=if_mgmt network=192.168.88.0
add address=192.168.55.254/24 interface=if_pi network=192.168.55.0
#####################
#### IP SETTINGS ####
#####################
/ip settings
set allow-fast-path=no
set ip-forward=no
set route-cache=no
set secure-redirects=no
set send-redirects=no
/ip traffic-flow
set interfaces=if_wan
##########################
#### IP ADDRESS POOLS ####
##########################
/ip pool
remove [find]
# Wired LAN Address Pool
# 192.168.0.33 - 192.168.0.62 (30 Addresses)
add name=pool_lan ranges=192.168.0.32/27
# VoIP Address Pool
# 192.168.0.65 - 192.168.0.94 (30 Addresses)
add name=pool_voip ranges=192.168.0.64/27
# Wireless LAN Address Pool
# 192.168.0.97 - 192.168.0.125 (30 Addresses)
add name=pool_wlan ranges=192.168.0.96/27
# Management Address Pool
# 192.168.88.17 - 192.168.88.22 (6 Addresses)
add name=pool_mgmt ranges=192.168.88.16/29
# Raspberry Pi Address
# 192.168.55.1 - 192.168.55.1 (1 Address)
add name=pool_pi ranges=192.168.55.1/32
###################################################
#### DHCP SERVER - ROUTER GIVING OUT ADDRESSES ####
###################################################
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=if_lan lease-time=3d name=dhcpd_lan
add address-pool=pool_voip disabled=no interface=if_voip lease-time=3d name=dhcpd_voip
add address-pool=pool_wlan disabled=no interface=if_wlan lease-time=1h name=dhcpd_wlan
add address-pool=pool_mgmt disabled=no interface=if_mgmt lease-time=1h name=dhcpd_mgmt
add address-pool=pool_pi disabled=no interface=if_pi lease-time=3d name=dhcpd_pi
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.55.0/24 gateway=192.168.55.1 netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
##############
#### UPNP ####
##############
/ip upnp set enabled=yes
/ip upnp interfaces
add interface=if_wan type=external
add interface=if_lan type=internal
add interface=if_wlan type=internal
####################
#### IP ROUTING ####
####################
/ip route add check-gateway=ping distance=1 gateway=108.181.92.1 routing-mark=wan-route
#####################
#### IP SERVICES ####
#####################
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
###################################################
#### DHCP CLIENT - OBTAINING ADDRESS FOR ROUTER ###
###################################################
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=if_wan use-peer-ntp=no use-peer-dns=yes
###########################
#### DNS CONFIGURATION ####
###########################
/ip dns set allow-remote-requests=no cache-size=512KiB max-udp-packet-size=512 cache-max-ttl=10m
#############################
#### PROXY CONFIGURATION ####
#############################
/ip proxy
set src-address=192.168.0.1
set anonymous=yes
set enabled=yes
###########################################
#### NETWORK ADDRESS TRANSLATION (NAT) ####
###########################################
/ip firewall nat
add comment="NAT LAN traffic to the internet" \
chain=srcnat action=masquerade \
out-interface=if_wan \
disabled=no
################################
#### FIREWALL CONFIGURATION ####
################################
### Address Lists
/ip firewall address-list
add address=0.0.0.0/8 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=192.168.0.0/16 list=Bogon
# Hosts banned from communicating with router
add address=5.188.10.102 list=Banlist
### Firewall Service Ports
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
########################
#### FIREWALL RULES ####
########################
/ip firewall filter
add comment="Allow forward Established and Related - FastTrack" chain=forward \
action=fasttrack-connection \
connection-state=established,related \
disabled=yes
add comment="Allow forward Established and Related" chain=forward \
action=accept \
connection-state=established,related
add comment="Allow input Established and Related" chain=input \
action=accept \
connection-state=established,related
add comment="Ban List" chain=forward \
action=drop src-address-list=Banlist
add comment="Allow input Ping" chain=input \
action=accept protocol=icmp
add comment="Drop Port_Scanners" chain=input \
action=drop in-interface=if_wan src-address-list=Port_Scanners
add comment="Drop Port_Scanners Forward" chain=forward \
action=drop in-interface=if_wan src-address-list=Port_Scanners
add comment="Drop Bogon Forward" chain=forward \
action=drop in-interface=if_wan src-address-list=Bogon
# Firewall - Build Address Lists based on negative activity detection
add comment="Port_Scanners to list" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp psd=21,3s,3,1
add comment="NMAP FIN Stealth scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add comment="SYN/FIN scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=fin,syn
add comment="SYN/RST scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=syn,rst
add comment="FIN/PSH/URG scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add comment="ALL/ALL scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add comment="NMAP NULL scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Drop unwanted connections
add comment="Drop forward not Dst NAT" chain=forward action=drop \
in-interface=if_wan connection-nat-state=!dstnat connection-state=new log=yes
add comment="Drop forward Invalid" chain=forward action=drop \
in-interface=if_wan
add comment="Drop input All" chain=input action=drop \
in-interface=if_wan connection-state=invalid log=yes
###############
### SCRIPTS ###
###############
/system script
add name=Configure_DHCP_Routes \
policy=reboot,read,write,policy,test \
source=":local entcounter\r\
\n:local routecounter\r\
\n:local duplicatecounter\r\
\nlocal routeupdated \"no\"\r\
\nforeach clientcounter in=[/ip dhcp-client find] do={\r\
\nlocal routingmarkname ([/ip dhcp-client get \$clientcounter interface] .\
\_\"-route\")\r\
\nlocal newroutinggateway [ip dhcp-client get \$clientcounter gateway]\r\
\nforeach routecounter in=[/ip route find where routing-mark=\$routingmark\
name] do={\r\
\n:local routinggateway [/ip route get [find routing-mark=\$routingmarknam\
e] gateway]\r\
\n\r\
\n:if ([:len \$newroutinggateway] > 0) do={\r\
\n:if (\$\"routinggateway\" != \"newroutinggateway\") do={\r\
\n/ip route set \$routecounter gateway=\$newroutinggateway\r\
\n:set routeupdated \"yes\"\r\
\n}\r\
\n}\r\
\n}\r\
\n:if ([:len \$newroutinggateway] > 0) do={\r\
\n:if (\$routeupdated = \"no\") do={\r\
\n/ip route add routing-mark=\$routingmarkname gateway=\$newroutinggateway\
\_dst-address=0.0.0.0/0\r\
\n}\r\
\n}\r\
\n}"
#######################
### SCHEDULED TASKS ###
#######################
/system scheduler
add comment="Configure DHCP Routes" \
interval=1m name=Every_Minute \
on-event="/system script run Configure_DHCP_Routes" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
start-date=jan/01/1970 start-time=01:00:00
#####################
#### LCD DISPLAY ####
#####################
/lcd
set enabled=yes
set backlight-timeout=120s
set read-only-mode=yes
set time-interval=daily
set touch-screen=disabled
backlight state=on
set default-screen=stats
/lcd interface
disable numbers=[find interface!=if_wan]
display if_wan
#####################
### USER ACCOUNTS ###
#####################
/user add comment="Main Admin User" \
name=rosadmin group=full password="ChangeMe!"
/user remove numbers=[ find name="admin" ]
Thanks
Dan