I have to change a TP-Link router that is configured with a PPPoE user.
I was told that putting the MikroTik on PPPoE with the same user and password, the router on the same network (192.168.8.0/24, with .1 as gateway) and no DHCP (all the PCs have static IP on Windows) it will work.
But it doesn't.
When I change the TP-Link for the MikroTik, not even one PC gets connection to internet (I just unplug the WAN cable from the TP-Link and plug it on the MikroTik, port 1, and another ethernet cable that goes to a switch, port 2).
BUT, if I connect a PC into another port or using WiFi, that PC (with static IP on the 192.168.8.0/24 network) gets internet.
Edit to explain better the situation. Read from here.
There is a network using static IP on all of its devices. I need to change the router of that network for a MikroTik.
I configure PPPoE on the router MikroTik 941-2nD.Then I put the router on the 192.168.8.0/24 subnet, with 192.168.8.1 as gateway.
Deactivated DHCP, leave NAT checked (using Quick Set). Wireless disabled.
After that, I used some rules to block sites:
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook).*\$" comment=FBK
/ip firewall mangle
add action=mark-connection chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark layer7-protocol=facebook new-connection-mark=facebook_conn passthrough=yes comment=FBK
add action=mark-packet chain=prerouting connection-mark=facebook_conn new-packet-mark=facebook_packet comment=FBK
/ip firewall filter
add action=drop chain=forward packet-mark=facebook_packet comment=FBK
add action=drop chain=input packet-mark=facebook_packet comment=FBK
The same with Messenger, Twitter and Instagram (You just change the site name on the command for the one that you want to block. All the "facebook" for "twitter" to block twitter).
After that, I made the change of routers.
I plug in the Internet cable on the Eth1 port. I plug in an Eth cable that goes to a switch on the Port 2.
Aaaand, the network doesn't have connection to Internet. Funny thing is, if I connect another PC on other port (3 or 4 of the MikroTik). That PC gets connection (previously configured with an static IP on the 192.168.8.0/24 subnet).
Trying to change a cheap TP-Link router for a cheap MikroTik one
Last edited by Ganuza on Fri Jun 22, 2018 3:05 pm, edited 1 time in total.
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Show your configuration export (except the password)
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Which model of Mikrotik?
My understanding is that the default setup of the mikrotik is pretty much ready to go out of the box in terms of connectivity.
Before plugging any internet connection into it however, I would at least.
a. install winbox on my pc
b. access the mikrotik via winbox
c. change admin name to something else
d. apply a password to the new name.
Go to IP services and turn everything off except winbox.
Then test.... but before too long go through and apply the following unless not applicable.....
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
Standard expectation is that ether1 is WAN1 and ether2 is LAN on the default.
The LANIP structure is 192.168.88.1
My understanding is that the default setup of the mikrotik is pretty much ready to go out of the box in terms of connectivity.
Before plugging any internet connection into it however, I would at least.
a. install winbox on my pc
b. access the mikrotik via winbox
c. change admin name to something else
d. apply a password to the new name.
Go to IP services and turn everything off except winbox.
Then test.... but before too long go through and apply the following unless not applicable.....
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
Standard expectation is that ether1 is WAN1 and ether2 is LAN on the default.
The LANIP structure is 192.168.88.1
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Please post config here
One possible omission is forgetting to add a NAT rule
One possible omission is forgetting to add a NAT rule
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Code: Select all
# jun/22/2018 07:36:22 by RouterOS 6.42.4
# software id = 03IN-0M57
#
# model = RouterBOARD 941-2nD
# serial number = 846207E45A8F
/interface bridge
add admin-mac=---------------- auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-EFF85E wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=---------- use-peer-dns=yes user=----------------
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=bridge name=defconf
/ip firewall layer7-protocol
add comment=FBK name=facebook regexp="^.+(facebook).*\$"
add comment=SPD name=speedtest regexp="^.+(speedtest).*\$"
add comment=INS name=instagram regexp="^.+(instagram).*\$"
add comment=TW name=twitter regexp="^.+(twitter).*\$"
add comment=MSG name=messenger regexp="^.+(messenger).*\$"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether2 network=\
192.168.8.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.8.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=FBK packet-mark=facebook_packet
add action=drop chain=input comment=FBK packet-mark=facebook_packet
add action=drop chain=forward comment=SPD packet-mark=speedtest_packet
add action=drop chain=input comment=SPD packet-mark=speedtest_packet
add action=drop chain=forward comment=INS packet-mark=instagram_packet
add action=drop chain=input comment=INS packet-mark=instagram_packet
add action=drop chain=forward comment=TW packet-mark=twitter_packet
add action=drop chain=input comment=TW packet-mark=twitter_packet
add action=drop chain=forward comment=MSG packet-mark=messenger_packet
add action=drop chain=input comment=MSG packet-mark=messenger_packet
/ip firewall mangle
add action=mark-connection chain=prerouting comment=FBK connection-mark=\
no-mark dst-port=53 layer7-protocol=facebook new-connection-mark=\
facebook_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=FBK connection-mark=\
facebook_conn new-packet-mark=facebook_packet
add action=mark-connection chain=prerouting comment=SPD connection-mark=\
no-mark dst-port=53 layer7-protocol=speedtest new-connection-mark=\
speedtest_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=SPD connection-mark=\
speedtest_conn new-packet-mark=speedtest_packet
add action=mark-connection chain=prerouting comment=INS connection-mark=\
no-mark dst-port=53 layer7-protocol=instagram new-connection-mark=\
instagram_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=INS connection-mark=\
instagram_conn new-packet-mark=instagram_packet
add action=mark-connection chain=prerouting comment=TW connection-mark=\
no-mark dst-port=53 layer7-protocol=twitter new-connection-mark=\
twitter_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=TW connection-mark=\
twitter_conn new-packet-mark=twitter_packet
add action=mark-connection chain=prerouting comment=MSG connection-mark=\
no-mark dst-port=53 layer7-protocol=messenger new-connection-mark=\
messenger_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=MSG connection-mark=\
messenger_conn new-packet-mark=messenger_packet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Argentina/Cordoba
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LANAnother thing. I disable wireless (Interfaces - right click - disable), shut down the router and when it turns on, wireless is on again.
A friend known said to me that check that all the portr were on the same bridge and that check the masquerade (I don't know what that is).
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
The config does not look so bad, so you will have to debug it.
First check if the PPPoE interface is coming up and obtains an external IP address.
Then try with your censorship dropping and marking rules disabled to see if they maybe block all the traffic.
Note that such filtering is very CPU intensive and probably will not work well either. When such broad
terms are filtered you will block much more than those services themselves, maybe due to something I oversee
now you are effectively blocking everything.
First check if the PPPoE interface is coming up and obtains an external IP address.
Then try with your censorship dropping and marking rules disabled to see if they maybe block all the traffic.
Note that such filtering is very CPU intensive and probably will not work well either. When such broad
terms are filtered you will block much more than those services themselves, maybe due to something I oversee
now you are effectively blocking everything.
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
The PPPoE gets IP. The weird thing is that I was able to connect to internet through the interface 3 by connecting another PC directly (with static IP on the 8.0/24 range) and the same with WiFi.The config does not look so bad, so you will have to debug it.
First check if the PPPoE interface is coming up and obtains an external IP address.
Then try with your censorship dropping and marking rules disabled to see if they maybe block all the traffic.
Note that such filtering is very CPU intensive and probably will not work well either. When such broad
terms are filtered you will block much more than those services themselves, maybe due to something I oversee
now you are effectively blocking everything.
I do want to test with a clean config (just PPPoE and the 8.0/24 subnet. And maybe there is something with the eth 2 port? (Even though it doesn't look like that) So I also want to try connecting the network on the eth 3 port (I didn't try that).
We want to make the exchange to measure the CPU usage with a filtering method (and that one is the only one that I found that works), so although it would be bad if it crashes, we do are prepared for the eventual crash of the device.
In approximatly 8 hours I'm gonna test and post the results here.
Thanks for your help!
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
The setup of the ethernet ports looks fine. I would recommend disabling the special rules for censorship (filter, mangle) and try if it works.
Doing content filters this way is CPU intensive and has a risk of false positives.
Doing content filters this way is CPU intensive and has a risk of false positives.
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Well.. I did the change with a MikroTik router with just PPPoE user and pass, LAN IP (192.168.8.0/24) and DHCP disabled. It didn't worked.
I have no fucking clue of what the problem might be.
Can it be something that is configured on the TP-Link and it's missing on the MikroTik?
I have no fucking clue of what the problem might be.
Can it be something that is configured on the TP-Link and it's missing on the MikroTik?
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Maybe this:
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
althouugh it should also be sufficient to have the change-mss option enabled on the PPPoE interface.
of course with such a config you also need the masquerade option that you had in the shown config, and the PPPoE interface must be in the WAN interface list.
It is a basic config used by many users who have internet with PPPoE, including me.
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
althouugh it should also be sufficient to have the change-mss option enabled on the PPPoE interface.
of course with such a config you also need the masquerade option that you had in the shown config, and the PPPoE interface must be in the WAN interface list.
It is a basic config used by many users who have internet with PPPoE, including me.
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Hello,Well.. I did the change with a MikroTik router with just PPPoE user and pass, LAN IP (192.168.8.0/24) and DHCP disabled. It didn't worked.
I have no fucking clue of what the problem might be.
Can it be something that is configured on the TP-Link and it's missing on the MikroTik?
I think I can see the problem. You have told your MikroTik that if a computer tries to access facebook, speedtest, instagram, twitter, or messenger, that it should prevent that computer from being able to make any DNS queries afterwards for any websites. If it can't look up any names then you essentially cannot browse the Internet. If someone's browser tries to access anything with facebook in the name their DNS will be blocked completely and they will not be able to access any sites. I assume that is not what you want?
ex. if the customer has any messenger program installed on their computer that tries automatically to resolve something with "messenger" in the name then their Internet will get blocked after that. If it tries to connect to messenger right away then they will get blocked right away.
EDIT: I am mistaken, it seems that each DNS request starts up a separate connection so that extra requests should not get blocked. I just tested your config on my device and it worked. What RouterOS version do you have?
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Hi, I'm using 6.42.4 (stable) and WinBox 3.14. On the firsts tests I was using 6.42.2 (stable).Hello,Well.. I did the change with a MikroTik router with just PPPoE user and pass, LAN IP (192.168.8.0/24) and DHCP disabled. It didn't worked.
I have no fucking clue of what the problem might be.
Can it be something that is configured on the TP-Link and it's missing on the MikroTik?
...
EDIT: I am mistaken, it seems that each DNS request starts up a separate connection so that extra requests should not get blocked. I just tested your config on my device and it worked. What RouterOS version do you have?
I thought about some security configuration beyond the router (maybe on the switch where all the PCs are connected) but then I remembered that by connecting a notebook (with a randon IP from the same subnet) by ethernet and WiFi, I had connection to Internet.
I found the configuration to block sites here on the forum. I am new on MikroTik, so there is a lot that I don't understand about the terminology of this devices.
Another thing, I configured the router (using static IP, no DHCP) testing on another PPPoE account connected to a modem/router on bridge mode and it was working fine, with and without the blocking configuration. (on both 6.42.2 and .4 stable versions).
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Because there are apparently so many overzealous operators who want to restrict what their clients can visit, there are many examples of "block this block that" configs to be found.
Unfortunately the usually block much more than the (usually beginner) poster knows, and others become the victim of that.
In todays internet it is not so straightforward anymore to block specific services. The network is adapting to such blocks and working around them.
You need to ask yourself if it is really necessary to do these blocks and if so, use more advanced methods to do it.
And even then, it will be piece-of-cake for your users to work around it when they want.
Unfortunately the usually block much more than the (usually beginner) poster knows, and others become the victim of that.
In todays internet it is not so straightforward anymore to block specific services. The network is adapting to such blocks and working around them.
You need to ask yourself if it is really necessary to do these blocks and if so, use more advanced methods to do it.
And even then, it will be piece-of-cake for your users to work around it when they want.
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
That is truth. But, in this scenario, the navigation (with the restrictions applied) works fine if I connect a PC directly to the router (it's not that the CPU reaches 100% usage and it freezes or I' blocking something that I don't want to block).Because there are apparently so many overzealous operators who want to restrict what their clients can visit, there are many examples of "block this block that" configs to be found.
Unfortunately the usually block much more than the (usually beginner) poster knows, and others become the victim of that.
In todays internet it is not so straightforward anymore to block specific services. The network is adapting to such blocks and working around them.
You need to ask yourself if it is really necessary to do these blocks and if so, use more advanced methods to do it.
And even then, it will be piece-of-cake for your users to work around it when they want.
About the last sentence, can you tell me how to work around the blocking method that I found? It would be of help.
Edit: I just saw your last post. What does that script do?
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Any VPN service will cut around your efforts... and when you want to block those too you will again have a lot of services to watch and block.About the last sentence, can you tell me how to work around the blocking method that I found? It would be of help.
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
So, by just using Opera (that has VPN) I should be able to bypass this? I'm gonna try it.Any VPN service will cut around your efforts... and when you want to block those too you will again have a lot of services to watch and block.About the last sentence, can you tell me how to work around the blocking method that I found? It would be of help.
Edit: Just did it, and yes. It's that easy..But well, this is what we can do with the tools that we have.
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
This seems dead, but I will continue updating.
I just connected the router (using another PPPoE user) to a clean switch. From the router I went to another router on bridge mode (needed for DSL) and connected two PCs into the switch.
The PCs with static IP. The router without DHCP. It worked.
I just connected the router (using another PPPoE user) to a clean switch. From the router I went to another router on bridge mode (needed for DSL) and connected two PCs into the switch.
The PCs with static IP. The router without DHCP. It worked.
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Export again your config with the latest changes and the suggested cleanup.
Let's have a look.
Let's have a look.
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
There are no new configs. I just took a brand new Router, put the network and PPPoE, disabled DHCP and plugged the ethernet cables. (Without any kind of filter or any other config beyod the basic)
Someone said that the bridge may be the problem. But why that would be a problem with a certain network but not with another?
PS: In around 6 hours I'm gonna update this with the latest config that I used. I don't have the devices with me.
Someone said that the bridge may be the problem. But why that would be a problem with a certain network but not with another?
PS: In around 6 hours I'm gonna update this with the latest config that I used. I don't have the devices with me.
Code: Select all
# jul/05/2018 14:37:54 by RouterOS 6.42.4
# software id = MR82-JA9L
#
# model = RouterBOARD 941-2nD
# serial number = ---------------------
/interface bridge
add admin-mac=---------------- auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-EFF972 wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=--------- use-peer-dns=yes user=----------
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=----------- \
wpa2-pre-shared-key=-------------
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether2 network=\
192.168.9.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.9.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=200.110.160.135
/ip dns static
add address=192.168.8.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Argentina/Cordoba
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LANRe: Trying to change a cheap TP-Link router for a cheap MikroTik one
Code: Select all
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.9.1 netmask=24Code: Select all
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether2 network=\
192.168.9.0Code: Select all
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254You should definitely make your mind which network range you wish to use
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
Oh, sorry. It's not like that.
I changed the IPs on the .txt before paste it here.
In this case, the network is 192.168.8.0/24, with no DHCP, so the DHCP range shouldn't matter, right?
So, network 8.0/24, gateway 8.1 and no DHCP (the DHCP box is unchecked on the quick config screen. The PCs have static IP).
I changed the IPs on the .txt before paste it here.
In this case, the network is 192.168.8.0/24, with no DHCP, so the DHCP range shouldn't matter, right?
So, network 8.0/24, gateway 8.1 and no DHCP (the DHCP box is unchecked on the quick config screen. The PCs have static IP).
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
If I understand correctly, all the interfaces but the eth 1 (WAN) are on bridge, right?
Re: Trying to change a cheap TP-Link router for a cheap MikroTik one
If I understand what you are trying to do, yes that's correct.
The Bridge is effectively joining those ports together into a switch. Anything outside of that switch will need to be routed to. In your configuration I think you want all of the internal ports to be switched and able to communicate freely with each other. The WAN link though is only to be routed to and the ip address for it will be on a different subnet and you will want a firewall in between.
The Bridge is effectively joining those ports together into a switch. Anything outside of that switch will need to be routed to. In your configuration I think you want all of the internal ports to be switched and able to communicate freely with each other. The WAN link though is only to be routed to and the ip address for it will be on a different subnet and you will want a firewall in between.