Hello all

In my CCR1009 V6.43.4 in Firewall/ Service Ports are red and I don´t Know solve it? Could you help me?

Thanks in advance.
Regards

post your config
/export hide-sensitive file=yourconfigfeb27

Hello

# feb/27/2019 15:28:06 by RouterOS 6.43.4
# software id = VMCP-8RM0
#
# model = CCR1009-7G-1C-1S+
# serial number =
/interface ethernet
set [ find default-name=combo1 ] name="combo1 TraficoPPPoE"
set [ find default-name=ether1 ] name="ether1 Telefonia" speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Gateway speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-full,100M-full,1000M-full
/interface vlan
add arp=reply-only comment="CC-1" interface=\
"combo1 TraficoPPPoE" name=vlan11 vlan-id=11
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=66 name=option66TVA value="s'192.168.254.1'"
/ip dhcp-server option sets
add name=tftpserver options=option66TVA
/ip pool
add name=TelefonoVLAN11 ranges=100.100.11.10-100.100.11.254
add name=dhcp_pool20 ranges=192.168.254.2-192.168.254.254
/ip dhcp-server
add address-pool=dhcp_pool20 disabled=no interface=vlan11 name=dhcp1
/ppp profile
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
/interface pppoe-server server
/ip address
add address=10.16.2.2/30 comment=defconf interface=ether2-Gateway \
network=10.16.2.0
add address=100.100.11.1/24 interface=vlan11 network=100.100.11.0
add address=192.168.254.1/24 interface=vlan11 network=192.168.254.0
/ip arp
/ip dhcp-server network
add address=192.168.254.0/24 dhcp-option=option66TVA dhcp-option-set=\
tftpserver gateway=192.168.254.1
/ip pool
add name=Al next-pool="Al 2" ranges=X.X.X.65-X.X.X.150
add name="Al 2" next-pool=Al3 ranges=X.X.X.155-X.X.X.247
add name=Al3 next-pool=Al ranges=Y.Y.Y.128/25
/ip route
add distance=1 gateway=Z.Z.Z.1
add distance=1 dst-address=Y.Y.Y.128/25 type=blackhole
add distance=1 dst-address=X.X.X.0/24 type=blackhole
/ip service
set telnet address=23.23.23.0/27
set ftp address=23.23.23.0/27
set www address=23.23.23.0/27
set ssh address=23.23.23.0/27
set api disabled=yes
set winbox address=23.23.23.027
/ip tftp
add ip-addresses=0.0.0.0/0 real-filename=WR940Nv617121437530n.bin \
req-filename=WR940Nv617121437530n.bin
add ip-addresses=0.0.0.0/0 real-filename=B0BE76C5341C.bin req-filename=\
B0BE76C5341C.bin
/lcd
set time-interval=daily
/ppp profile
/ppp secret
add name=pruebafichero profile=Basico20 service=pppoe
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name="MikroTik Ubiquiti CCR1009"
/system logging
add topics=e-mail,debug
/system routerboard settings
set silent-boot=no
/tool graphing interface
add
/tool sniffer
set file-limit=10000KiB file-name=capturetftpvlan11 filter-interface=vlan11

You have to enable connection tracking if you want to enable firewall service ports.

Note that these are ip service helpers, usually for NAT, not the actual services.

So it doesn't make sense to enable these helpers if you aren't natting or filtering.

First thing I noticed is an error in ip address.
/ip address
add address=10.16.2.2/30 comment=defconf interface=ether2-Gateway\
network=10.16.2.0
add address=100.100.11.1/24 interface=vlan11 network=100.100.11.0
add address=192.168.254.1/24 interface=vlan11 network=192.168.254.0

Second, I have no clue what this does......
/ip dhcp-server option
add code=66 name=option66TVA value="s'192.168.254.1'"

But I dont see the usual DHCP-SERVER for this network.
however you have this
/ip dhcp-server
add address-pool=dhcp_pool20 disabled=no interface=vlan11 name=dhcp1

Which again mixes up the vlan11 interface with the pool for a different lan structure.
I would say you dont know what is going where at this point so it needs to be cleaned up.

You have your services enabled ftp api etc................. do you need these??
Strange IP addresses being used on them as well......... not reflected by any IP settings on the router

Hello

I want to add tftp server in my mikrotik pppoe server and I need to configure a dhcp server with option 66 for doing automatic provision in new customer router .
add code=66 name=option66TVA value="s'192.168.254.1'"
Later, the customer router charge the config file, It will use a pppoe wan connection.

When I use
add address=192.168.254.1/24 interface=vlan11 network=192.168.254.0 is defined tftp ip server.

I have a vlan id for Access Point, also I use fixed ip for my voice gateway in this network
add address=100.100.11.1/24 interface=vlan11 network=100.100.11.0

A diagram will help, I am only used to simple networks at home.

Hello

It is not neccesary a diagram but I could describe the steps:

1- I connect a customer router with factory configuration in the network.
2 - The dhcp server send private ip to the router with "option 66 information".
3 - Router download config file by TFTP, the config file is /Files directory on Mikrotik.
4 - Router charge the config file and reboot, (The Config file contain pppoe user and password).
5 - Router login with user and password in Mikrotik PPPoE Server and It connect to Internet.

I want to configure DHCP Server, TFTP Server and PPPOE Server in the same machine.

Regards.

You have to enable connection tracking if you want to enable firewall service ports.

Note that these are ip service helpers, usually for NAT, not the actual services.

So it doesn't make sense to enable these helpers if you aren't natting or filtering.

I have enable connectio tracking and service ports are enable, but TFTP Server doesn't work.

Thank you.

Undo that change, because enabling the firewall helper service won't activate the actual service.

Enable logging for topic tftp and disable/enable tftp rule. Check the log. Is the server starting?

Hello

I undo that change, and the firewall service port return to red color. I enable logging for tftp and the log show this information.



Regards

but It doesn´t work.

Regards