webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

rb4011 - default config has broken DHCP

Thu Dec 13, 2018 6:15 am

I picked up a new rb4011igs5hacq2hnd-in and have been trying to get it working - the LAN ports all route fine to the internet but the wireless AP appears to have some kind of DHCP failure (I see 169.x on the wifi ipconfig output).

config output is:

# dec/12/2018 19:35:08 by RouterOS 6.43.4
# software id = EGAE-6IE2
#
# model = RB4011iGS+5HacQ2HnD
# serial number = A28209DFFF7C
/interface wireless
set [ find default-name=wlan1 ] country=canada disabled=no mode=ap-bridge \
ssid=Webb5hz wireless-protocol=802.11
set [ find default-name=wlan2 ] country=canada disabled=no mode=ap-bridge \
ssid=Webb2.4 wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
xxx wpa2-pre-shared-key=xxx
/ip pool
add name=dhcp ranges=192.168.88.31-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/interface list member
add interface=ether1 list=WAN
add list=LAN
/ip address
add address=192.168.88.15/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.15 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether2 type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=America/Vancouver
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system routerboard settings
set silent-boot=no
Last edited by webbsolution on Thu Dec 13, 2018 5:48 pm, edited 1 time in total.
 
filipelias
just joined
Posts: 9
Joined: Sat Jan 06, 2018 9:44 pm

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 7:50 am

Is the wifi interface in the same bridge as your lan ports?

Sent from my XT1635-02 using Tapatalk

 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 7:52 am

There's no bridge which would connect wireless to wired to dhcp.

Create a bridge, move the ether2 IP address and DHCP server to the bridge,
add ether2 and wireless to the bridge.

You're done.
-Chris
 
mkx
Forum Guru
Posts: 13198
Joined: Thu Mar 03, 2016 10:23 pm

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 9:16 am

If the config posted in the OP is complete, then there's no firewall protecting either the router itself or LAN devices from the evil internet. I suggest starting over (reset to default configuration) and adding/changing what's needed (e.g. wireless security profiles and/or LAN IP).
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 5:24 pm

that was the default config -

is there a better default config available for this router?
 
mkx
Forum Guru
Posts: 13198
Joined: Thu Mar 03, 2016 10:23 pm

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 5:31 pm

that was the default config -

is there a better default config available for this router?
There have been a few ROS versions where the default config was inadequate (to put it mildly). I've checked and 6.43.1 is lacking config as well. However, recent testing (6.44beta40) has a decent default setup.

What you could do: upgrade ROS to the latest version in the testing channel. Do a reset with factory default. Then you can decide to downgrade to stable again (you'll have to download the ROS package manually, downgrades can't be done pseudo-automatically). Or you can decide to stay with beta ... it seems to be quite stable, not many problem reports are seen with the latest betas ...
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 5:43 pm

Also this......
/interface list member
add interface=ether1 list=WAN
add list=LAN

Should be
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN

If you put eth2 and other ports on the bridge
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

Also I am assuming this is not actually your wifi password "2866Mountview", otherwise it should be changed! :-)
 
mkx
Forum Guru
Posts: 13198
Joined: Thu Mar 03, 2016 10:23 pm

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 5:49 pm

Also this......
It seems that factory default config of @webbsolution's 4011 was fscked up ... let's see how it goes after a sane factory default config is applied. Chances are that problem from OP will just heal itself.
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 5:56 pm

Thanks for the note on the temp password exposure - no, it's not the real PW :) I am just setting this router up with a secondary internet line and nothing is attached to it at the moment aside from a Linux Live computer; when it goes live the password gets changed.
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 5:58 pm

I have reset the config three times and this same issue persists, so it would appear I need to load another rev on this router then? I have a perfectly configured rb2011 but I'm pretty sure that config won't work on this router with the extra radio and different processor?
Also this......
It seems that factory default config of @webbsolution's 4011 was fscked up ... let's see how it goes after a sane factory default config is applied. Chances are that problem from OP will just heal itself.
 
Jotne
Forum Guru
Posts: 3349
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 6:05 pm

Try a factory reset and then post the new config created.
System->Reset Configuration->Reset Configuration
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 6:33 pm

Yea, something is odd with this...

I can't upload any of the stable or LTR releases to this router either... even though it lists 4.xxx routers... it says not permitted. But maybe now after a factory hard reset it might work - anyways here is the output.

So go to System -> Reset Configuration? - Not permitted, lol. Yes, it actually won't let me reset it now, so I'm doing the hard reset with the button now...

used terminal and export file=xxx.txt

# jan/02/1970 00:02:33 by RouterOS 6.43.4
# software id = EGAE-6IE2
#
# model = RB4011iGS+5HacQ2HnD
# serial number = A28209DFFF7C
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1 \
network=192.168.88.0
/system routerboard settings
set silent-boot=no

After a hard reset with the button I can now do the System -> Reset Configuration option - the output is the same as above.
 
Jotne
Forum Guru
Posts: 3349
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 8:34 pm

A very minimalistic config.
Can you from Winbox select Quick Set and select some of the modes from top dropdown and see if that helps?
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 9:19 pm

I don't have a lot of faith in this default config -

so I'm following this tutorial https://www.youtube.com/watch?v=ulDefmf1ces

but it's a little outdated. At 8:54 the video tutorial is suggesting that I set the master port slave off of interface #2, but the field he is using (master port) does not appear in my version or routerboard. Everything else is straightforward (I think) but that config is missing from these steps because I can't find the option ...

I now have properly routed internet from the LAN and the WiFi AP - better progress - here is my output - comments welcome -

# dec/13/2018 11:15:25 by RouterOS 6.43.4
# software id = EGAE-6IE2
#
# model = RB4011iGS+5HacQ2HnD
# serial number = A28209DFFF7C
/interface bridge
add fast-forward=no name=bridge1-2.4
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-Eth1
set [ find default-name=ether2 ] comment=\
"LAN - All ports are switched off either 2"
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=WPA2 \
supplicant-identity="" wpa-pre-shared-key=@@@@@@@@@ :)\
wpa2-pre-shared-key=@@@@@@ :)!
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no frequency=auto \
mode=ap-bridge security-profile=WPA2 ssid=Webb2.4 wireless-protocol=\
802.11
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1-2.4 name=dhcp1
/interface bridge port
add bridge=bridge1-2.4 interface=ether2
add bridge=bridge1-2.4 interface=wlan2
add bridge=bridge1-2.4 interface=wlan1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1-2.4 list=LAN
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \
network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=\
64.59.144.19,192.168.88.15,64.59.150.135 gateway=192.168.88.15 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.8.4
/ip firewall address-list
add address=192.168.88.0/24 list="LOcal LAN"
/ip firewall filter
add action=accept chain=input comment=\
"allow access to the router from the lan" src-address-list="LOcal LAN"
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid
add action=drop chain=input comment="drops all other traffic "
add action=accept chain=forward comment="allow connections from the lan" \
connection-nat-state="" connection-state=new in-interface=bridge1-2.4
add action=accept chain=forward comment="allow established connections" \
connection-state=established
add action=accept chain=forward comment="allow related connections " \
connection-state=related
add action=accept chain=input comment=\
"allow established connections to the router" connection-state=\
established
add action=accept chain=input comment=\
"allow related connections to the router" connection-state=related
add action=drop chain=forward comment="drop all other connections"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=RB4011
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=45.127.112.2 secondary-ntp=54.39.173.225
/system routerboard settings
set silent-boot=no
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 9:40 pm

1. /ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \

should be
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=bridge1-2.4 \

2. This is pretty wide open access to the router from the LAN??
"allow access to the router from the lan" src-address-list="LOcal LAN"
Why not limit it to the likely PC or PCs you will be using to access the router?

3. add action=accept chain=forward comment="allow connections from the lan" \
connection-nat-state="" connection-state=new in-interface=bridge1-2.4

This is confusing, what is the intent here?? I am thinking you meant allow LAN to WAN traffic?
add action=accept chain=forward comment="allow internet traffic" \
src-address=192.168.88.0/24 out-interface-list=WAN

whether it's better to use that or ( in-interface=bridge1-2.4 out-interface=WAN ) is unknown to me; hopefully someone else has a definitive answer.

4. If you are going to do any port forwarding you will need this rule before the drop all else forward rule.
/ip firewall filter add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Thu Dec 13, 2018 11:58 pm

Thanks for the feedback - it's still a work in progress.

1) added -

2) noted - it's a small network and I'll tighten this up later -

3) The WAN port is #1 which the ISP Ethernet cable is plugged into -

4) Rule added - I will be forwarding ports once I get the other issues resolved.


I can also see I have DNS issues -

Nothing gets to the internet unless I hard code DNS on the NIC, so the broadcast is not working.


# dec/13/2018 11:24:23 by RouterOS 6.43.4
# software id = EGAE-6IE2
#
# model = RB4011iGS+5HacQ2HnD
# serial number = A28209DFFF7C
/interface bridge
add fast-forward=no name=bridge1-2.4
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-Eth1
set [ find default-name=ether2 ] comment=\
"LAN - All ports are switched off either 2"
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=WPA2 \
supplicant-identity="" wpa-pre-shared-key=#########! \
wpa2-pre-shared-key=#########!
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no frequency=auto \
mode=ap-bridge security-profile=WPA2 ssid=Webb2.4 wireless-protocol=\
802.11
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1-2.4 name=dhcp1
/interface bridge port
add bridge=bridge1-2.4 interface=ether2
add bridge=bridge1-2.4 interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=bridge1-2.4 list=LAN
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \
network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=\
64.59.144.19,192.168.88.15,64.59.150.135 gateway=192.168.88.15 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.8.4
/ip firewall address-list
add address=192.168.88.0/24 list="LOcal LAN"
/ip firewall filter
add action=accept chain=input comment=\
"allow access to the router from the lan" src-address-list="LOcal LAN"
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
established,related in-interface=ether1
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid
add action=drop chain=input comment="drops all other traffic "
add action=accept chain=forward comment="allow connections from the lan" \
connection-nat-state="" connection-state=new in-interface=bridge1-2.4
add action=accept chain=forward comment="allow established connections" \
connection-state=established
add action=accept chain=forward comment="allow related connections " \
connection-state=related
add action=accept chain=input comment=\
"allow established connections to the router" connection-state=\
established
add action=accept chain=input comment=\
"allow related connections to the router" connection-state=related
add action=drop chain=forward comment="drop all other connections"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1-2.4 type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=RB4011
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=45.127.112.2 secondary-ntp=54.39.173.225
/system routerboard settings
set silent-boot=no
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: rb4011 - default config has broken DHCP

Fri Dec 14, 2018 12:20 am

You still didn't fix this
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \

the interface is the bridge NOT ether2.

As far as DNS goes, here is what I have.........
/ip dns
set allow-remote-requests=yes servers=\
8.8.4.4,8.8.8.8,208.67.220.220,208.67.222.222

/ip firewall filter
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp

Also under my DHCP networks I state to use the applicable LAN gateway also as my DNS server - 192.168.88.1 for example.

for my access to the router I have
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=adminaccess
(so I define a firewall access list of allowed IPs, vice the entire LAN subnet, plus I back that up by limiting Winbox access to the same IPs)

To allow port forwarding
add action=accept chain=forward comment=\
"Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat

To allow LAN to WAN traffic
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN \
src-address=192.168.0.0/24

(one could use in-interface or src-address alone but I use both; why? Because I don't know which is better and I can't make up my mind LOL)
 
mkx
Forum Guru
Posts: 13198
Joined: Thu Mar 03, 2016 10:23 pm

Re: rb4011 - default config has broken DHCP

Fri Dec 14, 2018 2:51 pm

Most YouTube tutorials are at least incomplete, and quite a few are wrong. So I'll just repeat my suggestion: upgrade to the latest beta (testing channel), do a factory reset there and downgrade again.

Factory configuration is most of the time high quality (sane settings regarding bridge, ports, ... and firewall settings) ... except for some (now obsolete) stable releases where the default configuration was inadequate (to put it mildly).
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Fri Dec 14, 2018 6:09 pm

I was originally looking for a different rev of firmware with a more complete default build - this one is obviously broken, but I could not find one that Winbox allowed me to upgrade to... so I removed the default config and started from scratch -

Are you suggesting that I load the MMIPS beta firmware for this device? Can you link me to it?

I can't seem to find anything else that this device will accept - here is the output of my current config - DNS is now fixed - WiFi and LAN route to the internet - no issues -

port forwarding looks to be broken still.

# dec/14/2018 04:56:43 by RouterOS 6.43.4
# software id = EGAE-6IE2
#
# model = RB4011iGS+5HacQ2HnD
# serial number = A28209DFFF7C
/interface bridge
add fast-forward=no name=bridge1-2.4
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-Eth1
set [ find default-name=ether2 ] comment=\
"LAN - All ports are switched off either 2"
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=WPA2 \
supplicant-identity="" wpa-pre-shared-key=########! \
wpa2-pre-shared-key=#######!
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no frequency=auto \
mode=ap-bridge security-profile=WPA2 ssid=Webb2.4 wireless-protocol=\
802.11
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=\
192.168.88.1-192.168.88.14,192.168.88.16-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1-2.4 name=dhcp1
/interface bridge port
add bridge=bridge1-2.4 interface=ether2
add bridge=bridge1-2.4 interface=wlan2
add bridge=bridge1-2.4 interface=wlan1
add bridge=bridge1-2.4 interface=ether3
add bridge=bridge1-2.4 interface=ether4
add bridge=bridge1-2.4 interface=ether5
add bridge=bridge1-2.4 interface=ether6
add bridge=bridge1-2.4 interface=ether7
add bridge=bridge1-2.4 interface=ether8
add bridge=bridge1-2.4 interface=ether9
add bridge=bridge1-2.4 interface=ether10
add bridge=bridge1-2.4 interface=sfp-sfpplus1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1-2.4 list=LAN
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \
network=192.168.88.0
add address=192.168.88.15/24 comment=lansubnet interface=bridge1-2.4 network=\
192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,192.168.88.15,8.8.8.4 gateway=\
192.168.88.15 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.8.4
/ip firewall address-list
add address=192.168.88.0/24 list="LOcal LAN"
/ip firewall filter
add action=accept chain=input comment=\
"allow access to the router from the lan" src-address-list="LOcal LAN"
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid
add action=drop chain=input comment="drops all other traffic "
add action=accept chain=forward comment="allow connections from the lan" \
connection-nat-state="" connection-state=new in-interface=bridge1-2.4
add action=accept chain=forward comment="allow established connections" \
connection-state=established
add action=accept chain=forward comment="allow related connections " \
connection-state=related
add action=accept chain=input comment=\
"allow established connections to the router" connection-state=\
established
add action=accept chain=input comment=\
"allow related connections to the router" connection-state=related
add action=drop chain=forward comment="drop all other connections"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 out-interface-list=\
WAN
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
tcp src-address-list="" to-addresses=192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=27015-27030 in-interface=ether1 \
protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=\
27015-27030
add action=dst-nat chain=dstnat dst-port=27036-27037 in-interface=ether1 \
protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=\
27036-27037
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 \
in-interface-list=all protocol=udp src-address-list="" to-addresses=\
192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1 \
in-interface-list=all protocol=udp src-address-list="" to-addresses=\
192.168.88.125 to-ports=4380
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=ether1 \
in-interface-list=all protocol=udp src-address-list="" to-addresses=\
192.168.88.125 to-ports=27000-27031
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1 \
in-interface-list=all protocol=udp src-address-list="" to-addresses=\
192.168.88.125 to-ports=27036
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=RB4011
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=45.127.112.2 secondary-ntp=54.39.173.225
/system routerboard settings
set silent-boot=no
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: rb4011 - default config has broken DHCP

Fri Dec 14, 2018 9:18 pm

Not sure why you have this again..........
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \
network=192.168.88.0
add address=192.168.88.15/24 comment=lansubnet interface=bridge1-2.4 network=\
192.168.88.0

Should be just this
/ip address
add address=192.168.88.15/24 comment=lansubnet interface=bridge1-2.4 network=\
192.168.88.0

Also where is your IP address for the WAN??

revise..............
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.15 gateway=\
192.168.88.15 netmask=24

What is this line in your config for.......... I find it confusing??
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10


Re-ordered so they make sense to me.............
/ip firewall filter

add action=accept chain=input comment=\
"allow established connections to the router" connection-state=\
established
add action=accept chain=input comment=\
"allow related connections to the router" connection-state=\
related
add action=drop chain=input comment="drop invalid packets" \
connection-state=invalid
add action=accept chain=input comment=\
"allow access to the router from the lan" src-address-list="LOcal LAN"
YOU FORGOT TO PUT IN ALLOW DNS RULES ????????
add action=drop chain=input comment="drops all other traffic "

add action=accept chain=forward comment="allow established connections" \
connection-state=established
add action=accept chain=forward comment="allow related connections " \
connection-state=related
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid
you need a LAN to WAN rule.
add action=accept chain=forward comment="allow lan 2 Wan connections from the bridge" \
in-interface=bridge1-2.4 out-interface=ether1

You need a proper Port Forwarding rule!!!
add action=accept chain=forward comment=\
"Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat
add action=drop chain=forward comment="drops all other traffic "

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 (FIXED, don't need the extra bit you had)
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
tcp src-address-list="" to-addresses=192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=27015-27030 in-interface=ether1 \
protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=\
27015-27030
add action=dst-nat chain=dstnat dst-port=27036-27037 in-interface=ether1 \
protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=\
27036-27037
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 \
protocol=udp src-address-list="" to-addresses=\ (error on this line fixed)
192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1 \
protocol=udp src-address-list="" to-addresses=\ (error on this line fixed)
192.168.88.125 to-ports=4380
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=ether1 \
protocol=udp src-address-list="" to-addresses=\ (error on this line fixed)
192.168.88.125 to-ports=27000-27031
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1 \
protocol=udp src-address-list="" to-addresses=\ (error on this line fixed)
192.168.88.125 to-ports=27036

I will note that your TCP and UDP ports don't line up perfectly, but that is up to you as you know what has to be forwarded.
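Pulling together the fixes raised in this thread (the bridge that cdiedrich describes, the LAN address and DHCP server moved onto it, and anav's DNS input rules, LAN-to-WAN rule and dstnat accept rule placed before the final drop), this is an added example of a consolidated RouterOS 6.4x config for the RB4011; it is not an export from the thread or a MikroTik default config. It keeps the thread's names (bridge1-2.4, interface lists WAN and LAN, address list adminaccess, router LAN address 192.168.88.15, forward target 192.168.88.125); the admin PC address 192.168.88.10 and the DHCP pool range are assumed.

```routeros
# Added example, not from the thread or from MikroTik: one consolidated config
# that applies the corrections discussed above. Assumed values: 192.168.88.10
# (admin PC) and the pool range; everything else follows the thread.

# One bridge carries every LAN port and both radios; ether1 stays the WAN port.
/interface bridge
add name=bridge1-2.4
/interface bridge port
add bridge=bridge1-2.4 interface=ether2
add bridge=bridge1-2.4 interface=ether3
add bridge=bridge1-2.4 interface=ether4
add bridge=bridge1-2.4 interface=ether5
add bridge=bridge1-2.4 interface=ether6
add bridge=bridge1-2.4 interface=ether7
add bridge=bridge1-2.4 interface=ether8
add bridge=bridge1-2.4 interface=ether9
add bridge=bridge1-2.4 interface=ether10
add bridge=bridge1-2.4 interface=sfp-sfpplus1
add bridge=bridge1-2.4 interface=wlan1
add bridge=bridge1-2.4 interface=wlan2

# Interface lists let the firewall refer to "LAN" and "WAN" instead of ports.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1-2.4 list=LAN

# The LAN address lives on the bridge only; no second copy of it on ether2.
/ip address
add address=192.168.88.15/24 interface=bridge1-2.4 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1

# DHCP server on the bridge, so wired and wireless clients both get leases.
# Clients are told to use the router as gateway and as DNS server.
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1-2.4 name=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.15 gateway=192.168.88.15

# allow-remote-requests=yes makes the router answer DNS; the input chain below
# is what keeps that resolver from being reachable from the WAN side.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall address-list
add address=192.168.88.10 list=adminaccess comment="assumed admin PC"

/ip firewall filter
# input chain: traffic to the router itself. Order matters: state rules first,
# then the specific accepts, then the catch-all drop.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related to router"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN \
    comment="allow LAN DNS queries - UDP"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN \
    comment="allow LAN DNS queries - TCP"
add chain=input action=accept in-interface-list=LAN \
    src-address-list=adminaccess comment="allow admin PC to router"
add chain=input action=drop comment="drop all other input"
# forward chain: traffic through the router.
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN comment="allow port forwards"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="allow LAN to WAN"
add chain=forward action=drop comment="drop all other forward"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
# Port forward from the thread; its matching filter rule is the dstnat accept
# above, which has to sit before the final forward drop.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=3074 to-addresses=192.168.88.125 to-ports=3074
```

Applying the input chain from a PC that is not in adminaccess locks you out of Winbox, so add the address list entry first (or work in Safe Mode in the terminal).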
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Sat Dec 15, 2018 6:53 pm

I am trying to make your changes.... but things are not going to plan here ...

You will note that at the start of this post, while following the tutorial, I mentioned the lack of an option to use a master port to switch all the ports to? Maybe this was my mistake? I can see a check box option in Quick Set for "bridge all LAN ports"; is that the same feature? Anyways - checking it doesn't seem to help aside from being able to ping the rest of the LAN now (so that's a step in the right direction).

Some additional info that might help -

Eth1 = ISP line to WAN ( I set the WAN
Eth-2 = My PC
Eth-3 Netgear 24 port Switch - (on the switch are 2 sans and a group of servers for lab work)

in addresses I have the Default route at 99.199.162.XXX/XX - this is the same as my WAN address noted in the quickset address acquisition field -
then I have 192.168.88.15/24 network 192.168.88.0 on eth-2
Then I have LAN subnet address - which is the same as above but on the Bridge2.4

YOU WROTE:

Not sure why you have this again..........
/ip address
add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \
network=192.168.88.0
add address=192.168.88.15/24 comment=lansubnet interface=bridge1-2.4 network=\
192.168.88.0

When I leave only your suggested network (if I disable the line "add address=192.168.88.15/24 comment="LAN IP subnet" interface=ether2 \
network=192.168.88.0") I lose routing to the internet when the adapter picks up a new IP/DNS reservation. So it would seem that something is fundamentally wrong with the comms to the bridge and the other ports??



revise..............
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.15 gateway=\
192.168.88.15 netmask=24

Failure: such network already exists....


What is this line in your config for.......... I find it confusing??
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10

In the tutorial mentioned the author goes through and manually adds the interfaces for all ports and labels them. I also own a CAp2n (not configured yet) and I use PPOE to power it so I labelled the PPOE port (eth 10)

on the suggested firewall changes -

This all works without an error when using the command line -
/ip firewall filter

add action=accept chain=input comment=\
"allow established connections to the router" connection-state=\
established
add action=accept chain=input comment=\
"allow related connections to the router" connection-state=\
related
add action=drop chain=input comment="drop invalid packets" \
connection-state=invalid
add action=accept chain=input comment=\
"allow access to the router from the lan" src-address-list="LOcal LAN"
YOU FORGOT TO PUT IN ALLOW DNS RULES ????????
add action=drop chain=input comment="drops all other traffic "

add action=accept chain=forward comment="allow established connections" \
connection-state=established
add action=accept chain=forward comment="allow related connections " \
connection-state=related
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid

but this fails

this line you need a LAN to WAN rule.
add action=accept chain=forward comment="allow lan 2 Wan connections from the bridge" \
in-inteface=bridge1-2.4 out-interface=eth1

- is this an ip filter or a nat rule ?
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: rb4011 - default config has broken DHCP

Sat Dec 15, 2018 10:12 pm

Some additional info that might help -

Eth1 = ISP line to WAN ( I set the WAN
Eth-2 = My PC (do you want access to all vlans from your PC or just internet)?
Eth-3 Netgear 24 port Switch - (on the switch are 2 sans and a group of servers for lab work) What is sans? is it a managed switch??

in addresses I have the Default route at 99.199.162.XXX/XX - this is the same as my WAN address noted in the quickset address acquisition field -
then I have 192.168.88.15/24 network 192.168.88.0 on eth-2
Then I have LAN subnet address - which is the same as above but on the Bridge2.4
That is a problem, it makes no sense to have two LAN subnets that are the same.
If you want your PC on a different subnet than the bridge, then say so! and use different numbers.
Once you have a clearly stated requirement then we can program efficiently.
Yes, the firewall rules and setup have to be in sync, that's what we are attempting to sync and simplify. :-

revise..............
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.0.15 gateway=\
192.168.88.15 netmask=24

Failure:such network already exists....
Yes because you created one plus it sounds like the default setup still is there as well and that's why you need to get rid of one of them............


What is this line in your config for.......... I find it confusing??
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10

In the tutorial mentioned the author goes through and manually adds the interfaces for all ports and labels them. I also own a CAp2n (not configured yet) and I use PPOE to power it so I labelled the PPOE port (eth 10)
What?? a Cap2N is an access point isn't it? Do you mean POE power over ethernet. So this will be a future ethernet connection to an access point??

on the suggested firewall changes -

This all works without an error when using the command line -
/ip firewall filter

add action=accept chain=input comment=\
"allow established connections to the router" connection-state=\
established
add action=accept chain=input comment=\
"allow related connections to the router" connection-state=\
related
add action=drop chain=input comment="drop invalid packets" \
connection-state=invalid
add action=accept chain=input comment=\
"allow access to the router from the lan" src-address-list="LOcal LAN"
YOU FORGOT TO PUT IN ALLOW DNS RULES ????????
add action=drop chain=input comment="drops all other traffic "

add action=accept chain=forward comment="allow established connections" \
connection-state=established
add action=accept chain=forward comment="allow related connections " \
connection-state=related
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid

but this fails

this line you need a LAN to WAN rule.
add action=accept chain=forward comment="allow lan 2 Wan connections from the bridge" \
in-interface=bridge1-2.4 out-interface=eth1

- is this an ip filter or a nat rule ? FILTER RULE, it should work, it's what I have on my router.

You could use one of the following three
add action=accept chain=forward comment="allow lan 2 Wan connections from the bridge" \
in-interface=bridge1-2.4 out-interface=eth1

add action=accept chain=forward comment="allow lan 2 Wan connections from the bridge" \
src-address=192.168.88.0/24 out-interface=eth1

add action=accept chain=forward comment="allow lan 2 Wan connections from the bridge" \
src-address=192.168.88.0/24 in-interface=bridge1-2.4 out-interface=eth1

EXCERPT FROM MY RULES
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN \
src-address=192.168.0.0/24 (for all devices on my bridge dhcp service - the transparent vlan1)
add action=accept chain=forward comment="ENABLE DMZ to WAN" in-interface=\
ether4 out-interface-list=WAN src-address=192.168.10.0/24 (for my subnet not on the bridge)
add action=accept chain=forward comment="ENABLE VLAN100 to WAN" in-interface=\
GuestWifi_T&B_V100 out-interface-list=WAN src-address=192.168.100.0/24 (for my vlan on an access point; the interface is vlan100)
add action=accept chain=forward comment="ENABLE VLAN30 to WAN" in-interface=\
Wifi-SDevices_cap1 out-interface-list=WAN src-address=192.168.30.0/24
(for my vlan on an access point; the interface is vlanxxx)
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Sat Dec 15, 2018 11:12 pm

(do you want access to all vlans from your PC or just internet)? - Yes eventually - right now I don't have any VLANs but I will deploy that at some point in the near future.


What is sans? is it a managed switch?? SANS = Storage area Network - really just two storage devices - Synology Boxes - The Netgear 724 is a managed switch - here it is -

https://www.amazon.ca/NETGEAR-ProSAFE-2 ... 1968&psc=1

WHat?? a Cap2N is an access point isnt it? Do you mean POE power over ethernet. So this will be a future ethernet connection to an access point?? ---

Yes on my rb2011 I deployed Capsman with great success so I hope to do that with this device later as well. The RB4011 is downstairs in the wiring closet and I found adding a cap2n really improved the wireless coverage for the other people in the house/ Office.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: rb4011 - default config has broken DHCP

Sat Dec 15, 2018 11:29 pm

Okay time to post your latest config and you can use the code display function (highlight the text) found above (the black square with the square brackets)
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: rb4011 - default config has broken DHCP

Sun Dec 16, 2018 1:04 am

Thank you for your continued patience -

sorry for being an idiot but I'm not understanding the request to post the code -

I did a drawing of the LAN, the hard wired components and the devices that require DHCP/DNS and the external services - see attachment - maybe this will help identify the simple setup I am after -

you requested this :

"revise..............
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.0.15 gateway=\
192.168.88.15 netmask=24"
which resulted in an error - however I deleted what I had and I think I managed to use the wizard successfully in this step (?) the config will show you if I screwed this up I think...

removed everything from my Firewall setup and added your commands - I assume I can do group commands and that I don't have to do each command one by one? -


but this one failed -

add action=accept chain=forward comment="allow
lan 2 Wan connections from the bridge" \
\... in-inteface=bridge1-2.4 out-interface=eth1
expected end of command (line 2 column 1)

ok so now with these changes I have no internet - when I test DHCP and DNS on my workstation that is usually hard coded with an IP and DNS I get this which looks acceptable - but I can't browse outside my LAN to the internet.

IPv4 Address. . . . . . . . . . . : 192.168.88.12(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : December 15, 2018 2:57:35 PM
Lease Expires . . . . . . . . . . : December 15, 2018 3:07:35 PM
Default Gateway . . . . . . . . . : 192.168.88.15
DHCP Server . . . . . . . . . . . : 192.168.88.15
DNS Servers . . . . . . . . . . . : 8.8.8.8
192.168.88.15
8.8.8.4
NetBIOS over Tcpip. . . . . . . . : Enabled

Exposed config after changes - (file export used)

# dec/15/2018 18:00:59 by RouterOS 6.43.4
# software id = EGAE-6IE2
#
# model = RB4011iGS+5HacQ2HnD
# serial number = A28209DFFF7C
/interface bridge
add fast-forward=no name=bridge1-2.4
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-Eth1
set [ find default-name=ether2 ] comment=\
"LAN - All ports are switched off either 2"
set [ find default-name=ether10 ] comment=PPOE-Out-Eth10
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=WPA2 \
supplicant-identity="" wpa-pre-shared-key=######## \
wpa2-pre-shared-key=#######
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no frequency=auto \
mode=ap-bridge security-profile=WPA2 ssid=Webb2.4 wireless-protocol=\
802.11
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=\
192.168.88.1-192.168.88.14,192.168.88.16-192.168.88.254
add name=dhcp_pool2 ranges=\
192.168.88.1-192.168.88.14,192.168.88.16-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1-2.4 name=dhcp1
/interface bridge port
add bridge=bridge1-2.4 interface=ether2
add bridge=bridge1-2.4 interface=wlan2
add bridge=bridge1-2.4 interface=wlan1
add bridge=bridge1-2.4 interface=ether3
add bridge=bridge1-2.4 interface=ether4
add bridge=bridge1-2.4 interface=ether5
add bridge=bridge1-2.4 interface=ether6
add bridge=bridge1-2.4 interface=ether7
add bridge=bridge1-2.4 interface=ether8
add bridge=bridge1-2.4 interface=ether9
add bridge=bridge1-2.4 interface=ether10
add bridge=bridge1-2.4 interface=sfp-sfpplus1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1-2.4 list=LAN
/ip address
add address=192.168.88.15/24 comment=lansubnet interface=bridge1-2.4 network=\
192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,192.168.88.15,8.8.8.4 gateway=\
192.168.88.15 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.8.4
/ip firewall address-list
add address=192.168.88.0/24 list="LOcal LAN"
/ip firewall filter
add action=accept chain=input comment=\
"allow established connections to the router" connection-state=\
established
add action=accept chain=input comment=\
"allow related connections to the router" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=\
invalid
add action=accept chain=input comment=\
"allow access to the router from the lan" src-address-list="LOcal LAN"
add action=drop chain=input comment="drops all other traffic "
add action=accept chain=forward comment="allow established connections" \
connection-state=established
add action=accept chain=forward comment="allow related connections " \
connection-state=related
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drops all other traffic "
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
tcp src-address-list="" to-addresses=192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=27015-27030 in-interface=ether1 \
protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=\
27015-27030
add action=dst-nat chain=dstnat dst-port=27036-27037 in-interface=ether1 \
protocol=tcp src-address-list="" to-addresses=192.168.88.125 to-ports=\
27036-27037
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125 to-ports=4380
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=ether1 \
protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=\
27000-27031
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125 to-ports=27036
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125 to-ports=3074
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125 to-ports=4380
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=ether1 \
protocol=udp src-address-list="" to-addresses=192.168.88.125 to-ports=\
27000-27031
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125 to-ports=27036
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=RB4011
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=45.127.112.2 secondary-ntp=54.39.173.225
/system routerboard settings
set silent-boot=no
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: rb4011 - default config has broken DHCP

Sun Dec 16, 2018 5:57 am

No worries, I may be in over my head LOL. For example I have no clue why you use .15???
I'm going to change it to something I do understand.
I also won't play around with subnet games, I will use vlans
/interface bridge
add fast-forward=no name=bridge1-2.4 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-Eth1
set [ find default-name=ether2 ] comment="main bridge trunk to switch"
set [ find default-name=ether3 ] comment="my PC"
set [ find default-name=ether10 ] comment="Future AP trunk"

/interface vlan
add interface=bridge1-2.4 name=GuestWifi_V45 vlan-id=45
add interface=bridge1-2.4 name=NAS_V10 vlan-id=10
add interface=bridge1-2.4 name=vmware_V20 vlan-id=20
add interface=bridge1-2.4 name=Xtens_V30 vlan-id=30

/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=WPA2 \
supplicant-identity="" wpa-pre-shared-key=######## \
wpa2-pre-shared-key=#######

/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no frequency=auto \
    mode=ap-bridge name=WLAN_HOME security-profile=WPA2 ssid=Webb2.4 \
    wireless-protocol=802.11
# wlan1 is the 5 GHz radio on this model, so it needs a 5 GHz band
set [ find default-name=wlan1 ] band=5ghz-a/n/ac disabled=no frequency=auto \
    mode=ap-bridge name=WLAN_GUESTS security-profile=WPA2 ssid=Guest_Wifi \
    vlan-id=45 vlan-mode=use-tag wireless-protocol=802.11

/ip pool
add name=dhcp_bridge ranges=192.168.88.1-192.168.88.254
add name=dhcp_guestwifi ranges=\
192.168.45.1-192.168.45.50
add name=dhcp_NASBoxes ranges=\
192.168.10.1-192.168.10.10
add name=dhcp_vmware ranges=\
192.168.20.1-192.168.20.2
add name=dhcp_Xenserver ranges=\
192.168.30.1-192.168.30.2

/ip dhcp-server
add address-pool=dhcp_bridge disabled=no interface=bridge1-2.4 lease-time=1d \
    name=BridgeServer
add address-pool=dhcp_guestwifi disabled=no interface=GuestWifi_V45 \
    lease-time=1d name=guestwifi_server
add address-pool=dhcp_NASBoxes disabled=no interface=NAS_V10 \
    lease-time=1d name=NAS_server
add address-pool=dhcp_vmware disabled=no interface=vmware_V20 \
    lease-time=1d name=VMW_server
add address-pool=dhcp_Xenserver disabled=no interface=Xtens_V30 \
    lease-time=1d name=Xtens_server

/ip dhcp-server network
add address=192.168.88.0/24 comment=HomeLAN_Network dns-server=192.168.88.1 \
    gateway=192.168.88.1
add address=192.168.45.0/24 comment=Guestwifi-network dns-server=192.168.45.1 \
    gateway=192.168.45.1
add address=192.168.10.0/24 comment=NAS_network dns-server=192.168.10.1 \
    gateway=192.168.10.1
add address=192.168.20.0/24 comment=Vm_network dns-server=192.168.20.1 \
    gateway=192.168.20.1
add address=192.168.30.0/24 comment=Xtens_network dns-server=192.168.30.1 \
    gateway=192.168.30.1
	
/ip address
add address=192.168.88.1/24 interface=bridge1-2.4 network=192.168.88.0
add address=192.168.45.1/24 interface=GuestWifi_V45 network=\
    192.168.45.0
add address=192.168.10.1/24 interface=NAS_V10 network=192.168.10.0
add address=192.168.20.1/24 interface=vmware_V20 network=192.168.20.0
add address=192.168.30.1/24 interface=Xtens_V30 network=192.168.30.0
  
/interface bridge port
add bridge=bridge1-2.4 interface=ether2 ingress-filtering=yes
add bridge=bridge1-2.4 interface=WLAN_HOME
add bridge=bridge1-2.4 interface=WLAN_GUESTS
add bridge=bridge1-2.4 interface=ether3
add bridge=bridge1-2.4 interface=ether10 ingress-filtering=yes

/interface list member
add interface=ether1 list=WAN
add interface=bridge1-2.4 list=LAN
add interface=GuestWifi_V45 list=LAN
add interface=NAS_V10 list=LAN
add interface=vmware_V20 list=LAN
add interface=Xtens_V30 list=LAN

/interface bridge vlan
add bridge=bridge1-2.4 tagged=bridge1-2.4,ether2 vlan-ids=10,20,30
add bridge=bridge1-2.4 tagged=bridge1-2.4,ether10,WLAN_GUESTS vlan-ids=45


/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.8.4

/ip firewall address-list
add address=192.168.88.0/24 list="LOcal LAN"
add address=192.168.88.0/24 list=accessprinter
add address=192.168.45.0/24 list=accessprinter
add address=192.168.10.0/24 list=accessprinter
add address=192.168.20.0/24 list=accessprinter
add address=192.168.30.0/24 list=accessprinter
add address=192.168.10.0/24 list=vlanaccess
add address=192.168.20.0/24 list=vlanaccess
add address=192.168.30.0/24 list=vlanaccess

/ip firewall filter
add action=accept chain=input comment=\
"allow established connections to the router" connection-state=\
established
add action=accept chain=input comment=\
"allow related connections to the router" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=\
invalid
add action=accept chain=input comment=\
"allow access to the router from the lan" src-address-list="LOcal LAN"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drops all other traffic "
# forward chain
add action=accept chain=forward comment="allow established connections" \
connection-state=established
add action=accept chain=forward comment="allow related connections " \
connection-state=related
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Allow Access to Printer" \
    dst-address=192.168.88.XX src-address-list=accessprinter
# note: static IP address of printer is destination address; no in-interface
# match here, since the VLAN subnets in accessprinter arrive on their VLAN interfaces
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    bridge1-2.4 log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN \
    src-address=192.168.88.0/24
add action=accept chain=forward comment="ENABLE VLAN45 to WAN" in-interface=\
    GuestWifi_V45 out-interface-list=WAN src-address=192.168.45.0/24
add action=accept chain=forward comment="ENABLE VLAN10 to WAN" in-interface=\
    NAS_V10 out-interface-list=WAN src-address=192.168.10.0/24
add action=accept chain=forward comment="ENABLE VLAN20 to WAN" in-interface=\
    vmware_V20 out-interface-list=WAN src-address=192.168.20.0/24
add action=accept chain=forward comment="ENABLE VLAN30 to WAN" in-interface=\
    Xtens_V30 out-interface-list=WAN src-address=192.168.30.0/24
add action=accept chain=forward comment="enable-admin-access-to-vlans" \
    src-address=192.168.88.125 in-interface=bridge1-2.4 dst-address-list=vlanaccess
add action=drop chain=forward comment="drops all other traffic"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
tcp src-address-list="" to-addresses=192.168.88.125 
add action=dst-nat chain=dstnat dst-port=27015-27030 in-interface=ether1 \
protocol=tcp src-address-list="" to-addresses=192.168.88.125
add action=dst-nat chain=dstnat dst-port=27036-27037 in-interface=ether1 \
protocol=tcp src-address-list="" to-addresses=192.168.88.125
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=ether1 \
protocol=udp src-address-list="" to-addresses=192.168.88.125
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125
add action=dst-nat chain=dstnat dst-port=4380 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125
add action=dst-nat chain=dstnat dst-port=27000-27031 in-interface=ether1 \
protocol=udp src-address-list="" to-addresses=192.168.88.125
add action=dst-nat chain=dstnat dst-port=27036 in-interface=ether1 protocol=\
udp src-address-list="" to-addresses=192.168.88.125

/ip upnp
set allow-disable-external-interface=yes enabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=RB4011
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=45.127.112.2 secondary-ntp=54.39.173.225
/system routerboard settings
set silent-boot=no
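As an added example (not code from this thread, from MikroTik, or from either poster), here is a small Python lint that reads the `/ip firewall filter` section of a RouterOS export and flags the two gaps this thread turns on: a forward chain with no LAN-to-WAN accept ahead of its catch-all drop, and an input chain whose catch-all drop eats LAN DNS queries. The two exports inside it are constructed from the rule shapes above, and the function names are mine.

```python
import shlex

# Keys that do not match on traffic; a drop carrying only these is a catch-all.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}
# Constructed sample in the OP's rule order: both chains drop before any LAN accept.
OP_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment=\\
    "allow established connections to the router" connection-state=\\
    established
add action=drop chain=input comment="drops all other traffic "
add action=accept chain=forward comment="allow established connections" \\
    connection-state=established
add action=drop chain=forward comment="drops all other traffic "
"""

# Constructed sample shaped like anav's revised rules: DNS and LAN-to-WAN accepts first.
REVISED_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \\
    in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drops all other traffic "
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\\
    bridge1-2.4 out-interface-list=WAN src-address=192.168.88.0/24
add action=drop chain=forward comment="drops all other traffic"
"""

def parse_filter_rules(export_text):
    """Parse the /ip firewall filter 'add' lines into dicts, joining '\\' continuations."""
    lines, buf = [], ""
    for raw in export_text.splitlines():
        line = raw.strip()  # continuation lines are indented in a real export
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    rules, section = [], None
    for line in lines:
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:]))
    return rules

def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}

def reachable(rules, chain):
    """Rules of `chain` up to and including its first catch-all drop (later rules are dead)."""
    out = []
    for r in rules:
        if r.get("chain") != chain:
            continue
        out.append(r)
        if r.get("action") in ("drop", "reject") and not matchers(r):
            break
    return out

def serves_lan_dns(m):
    """Explicit port-53 accept, or a LAN-wide accept with no port/protocol limit."""
    return "53" in m.get("dst-port", "").split(",") or bool(
        m.keys() & {"src-address-list", "in-interface-list", "src-address"}
        and not m.keys() & {"dst-port", "protocol"})

def lint_filter(export_text):
    """Return the findings for one export (empty list when both checks pass)."""
    rules, findings = parse_filter_rules(export_text), []
    fwd = [matchers(r) for r in reachable(rules, "forward") if r.get("action") == "accept"]
    if not any(m.keys() & {"out-interface", "out-interface-list"} for m in fwd):
        findings.append("forward: no LAN-to-WAN accept before the catch-all drop")
    inp = [matchers(r) for r in reachable(rules, "input") if r.get("action") == "accept"]
    if not any(serves_lan_dns(m) for m in inp):
        findings.append("input: LAN DNS queries hit the catch-all drop")
    return findings
```

Run `lint_filter` over `/export` output from the router; it reports the OP's ordering as two findings and the revised ordering as none.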