Mikrotik router behind Comcast business modem with dynamic IPv6

SEJohnsen · Fri Aug 28, 2020 1:47 am

I was so happy with the Mikrotik Routerboard I'm using at home that I talked my church into buying one for their building. Now I cannot for the life of me get it to work. The only difference that I can see between home setup and work setup is that I have a static IP from Comcast (business class Internet) at home, and the church has dynamic IP, which very often ends up being IPv6.

The Comcast modem is made by Cisco and is an incredible pain in the foot to manage. Each setting I change and save requires a reboot, which takes on average more than 10 minutes. And this is the "new" modem they used to replace our old one about 9 months ago.

The Mikrotik is a heX RB750Gr3 5-port RouterBoard.

Mikrotik WILL NOT connect to the Comcast modem, although no other device has issues doing so. I did enable the IPv6 package on the RB. I've tried putting the Comcast in bridge mode, rebooting both devices multiple times with nothing else connected. I've tried two chained routers, with Comcast providing a DHCP address on 192.168.10.x. I've tried setting static IP on the RB. The RB GUI reports that the cable connection is good, and shows activity on the line (confirmed by the lights flashing), but I cannot ping an outside address or get an Internet connection. I've spent three half days at the church trying to make this work with no success. Any suggestions?

I'm reasonably experienced with IPv4 networking, going all the way back to the coax days. :-) Not so experienced with IPv6. My understanding is that if I do all IPv6 networking, that will expose my internal devices to the Internet. I'm very reluctant to do that. And some of our equipment is old and may not work with IPv6. So I'd like the RB to run NAT, keeping the internal network on 192.168.x.x, with only the WAN/modem connection using IPv6. Is this a sound approach?

Even though I've set up a lot on the RB, at this point I'm willing to factory reset and start over if I can just get it to work. Or maybe it's just not possible to set up?

biomesh · Fri Aug 28, 2020 3:54 am

Post your config. I have been using both ipv4 and ipv6 since Comcast began supporting ipv6(quite a number of years ago).

The dynamic ip should be an ipv4 though and you should also get a ipv6 address and a prefix (/64 or /60).

If you are switching between routers, be sure to reboot the modem as they get locked to the wan Mac address.

SEJohnsen · Fri Aug 28, 2020 4:59 am

Yes, I rebooted the Comcast router and made sure the RB was the only device connected.

Here is the config:

# sep/09/2019 00:59:42 by RouterOS 6.42.11
# software id = H2AJ-QXHP
#
# model = RB750Gr3

/interface ethernet
set [ find default-name=ether2 ] l2mtu=1598 name=ether1-gateway
set [ find default-name=ether3 ] arp=proxy-arp l2mtu=1598 mac-address=\
    4C:5E:0C:AB:85:8D name=ether2-vlan
set [ find default-name=ether4 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8E \
    name="ether3-subnet1 CID office"
set [ find default-name=ether5 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8F \
    name=ether4-admin

/interface vlan
add interface=ether2-vlan name="vlan10 translation" vlan-id=10
add interface=ether2-vlan name="vlan11 CID office" vlan-id=11
add interface=ether2-vlan name="vlan12 CID wireless" vlan-id=12
add interface=ether2-vlan name="vlan13 Admin only" vlan-id=13
add interface=ether2-vlan name="vlan15 Guest Internet only" vlan-id=15
add interface=ether2-vlan name="vlan18 OpenVPN" vlan-id=18

/ip pool
add name=dhcp ranges=192.168.1.90-192.168.1.150
add name=dhcp_pool3 ranges=192.168.3.151-192.168.3.180
add name=dhcp_pool0 ranges=192.168.0.200-192.168.0.253
add name=dhcp_pool2 ranges=192.168.2.200-192.168.2.253
add name=dhcp_pool1 ranges=192.168.1.151-192.168.1.220
add name=dhcp_pool8 ranges=192.168.8.200-192.168.8.254

/ip dhcp-server
add address-pool=dhcp_pool2 authoritative=after-10sec-delay disabled=no \
    interface="vlan12 CID wireless" name="Wireless office"
add address-pool=dhcp_pool8 disabled=no interface="vlan18 OpenVPN" \
    lease-time=6h name=VPN
add address-pool=dhcp_pool1 disabled=no interface="ether3-subnet1 CID office" \
    name=Basement
add address-pool=dhcp_pool1 disabled=no interface="vlan11 CID office" name=\
    "Upstairs wired"
add address-pool=dhcp_pool1 disabled=no interface=ether4-admin name=\
    "Admin port"
add address-pool=dhcp_pool0 disabled=no interface="vlan10 translation" name=\
    Translation

/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether2-vlan network=192.168.88.0
add address=192.168.3.1/24 interface="vlan13 Admin only" network=192.168.3.0
add address=192.168.0.1/24 interface="vlan10 translation" network=192.168.0.0
add address=192.168.2.1/24 disabled=yes network=192.168.2.0
add address=192.168.8.1/24 interface="vlan18 OpenVPN" network=192.168.8.0
add address=192.168.2.1/24 interface="vlan12 CID wireless" network=\
    192.168.2.0
add address=192.168.1.1/24 comment="Management port" interface=ether2-vlan \
    network=192.168.1.0
add address=192.168.5.1/24 interface="vlan15 Guest Internet only" network=\
    192.168.5.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway

biomesh · Fri Aug 28, 2020 6:06 am

Is the Comcast device a modem only or is it a business class modem/router combo device? If it is a combo device then you need to call Comcast support and put it in bridged mode.

I looked at the config quickly and didn't see any reason to not get a valid address, so it looks like you might be dealing with one of these combo devices.

SEJohnsen · Fri Aug 28, 2020 7:27 am

Yes, it's a combo device. It should work either in router mode or bridge mode. I did call Comcast and put in in bridge mode, but the Mikrotik did not work either way.

biomesh · Fri Aug 28, 2020 1:36 pm

It's probably not really in bridge mode then. On the dslreports forums in the past people have reported many issues with those devices (normally smc devices). You are better off buying/trying a standard modem on the business class supported modem list and get the modem activated on the account. This will make your life much easier.

SEJohnsen · Fri Aug 28, 2020 5:22 pm

Thanks. Shouldn't the RB at least be able to get an IP address from the Comcast router via DHCP when Comcast is in router mode? Or be able to get online if I put a static IP on the RB? I'm concerned that I can go out and buy a new modem and my RB setup still isn't working.

biomesh · Fri Aug 28, 2020 6:34 pm

If there is a dhcp server on the modem / combo box it should provide an address. You might want to also update to a current version as 6.42.11 is very old - it looks to be a dev build anyway. There have been dhcp client related fixes since then, so you could be hitting an old bug.

Also be aware that your "ether1-gateway" is actually ether2 on your device. Perhaps this is your issue depending on how things are connected.

/interface ethernet
set [ find default-name=ether2 ] l2mtu=1598 name=ether1-gateway
set [ find default-name=ether3 ] arp=proxy-arp l2mtu=1598 mac-address=\
4C:5E:0C:AB:85:8D name=ether2-vlan
set [ find default-name=ether4 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8E \
name="ether3-subnet1 CID office"
set [ find default-name=ether5 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8F \
name=ether4-admin

SEJohnsen · Fri Aug 28, 2020 9:45 pm

That looks like a likely source for the problem. I'll change the interfaces, pools, servers and addresses and see what happens.

SEJohnsen · Fri Sep 04, 2020 1:36 am

Update: I replaced the Comcast router with a brand new router, but the RB still was not working. Then I noticed that since the eth ports were mixed up, it affected IP addresses, DHCPP servers, etc. I think I've cleaned up the remaining eth port errors. However, I cannot access the RB admin from eth3 or eth4. Any ideas?
Here is my config:

# sep/09/2019 03:18:55 by RouterOS 6.42.11
# software id = H2AJ-QXHP

# model = RB750Gr3

/interface ethernet
set [ find default-name=ether1 ] name=eth1-gateway
set [ find default-name=ether2 ] arp=proxy-arp l2mtu=1598 name=eth2-vlan
set [ find default-name=ether3 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8D \
    name=eth3-basement
set [ find default-name=ether4 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8E \
    name=eth4-admin
set [ find default-name=ether5 ] l2mtu=1598 mac-address=4C:5E:0C:AB:85:8F \
    name=eth5-default

/ip pool
add name=dhcp_pool3 ranges=192.168.3.151-192.168.3.180
add name=dhcp_pool0 ranges=192.168.0.200-192.168.0.253
add name=dhcp_pool2 ranges=192.168.2.200-192.168.2.253
add name=dhcp_pool1 next-pool=dhcp_pool1a ranges=192.168.1.151-192.168.1.220
add name=dhcp_pool1a ranges=192.168.1.90-192.168.1.150
add name=dhcp_pool8VPN ranges=192.168.8.200-192.168.8.254
add name=adminpool ranges=192.168.88.90-192.168.88.253
add name=dhcp_pool4 ranges=192.168.4.151-192.168.4.220

/ip dhcp-server
add address-pool=dhcp_pool8VPN lease-time=6h name=VPN
add address-pool=adminpool disabled=no interface=eth5-default name=default
add address-pool=dhcp_pool0 disabled=no interface="vlan10 translation" name=Translation
add address-pool=dhcp_pool2 disabled=no interface="vlan12 CID wireless" name=Wireless
add address-pool=dhcp_pool3 disabled=no interface=eth3-basement name=Basement
add address-pool=dhcp_pool1 disabled=no interface="vlan11 CID office" name="CID wired upstairs"

/ip address
add address=192.168.10.2/24 interface=eth1-gateway network=192.168.10.0
add address=192.168.3.1/24 interface=eth3-basement network=192.168.3.0
add address=192.168.4.1/24 interface=eth4-admin network=192.168.4.0
add address=192.168.88.1/24 comment="default configuration" interface=eth5-default network=192.168.88.0
add address=192.168.0.1/24 interface="vlan10 translation" network=192.168.0.0
add address=192.168.1.1/24 interface="vlan11 CID office" network=192.168.1.0
add address=192.168.2.1/24 interface="vlan12 CID wireless" network=192.168.2.0
add address=192.168.5.1/24 interface="vlan15 Guest Internet only" network=192.168.5.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=eth1-gateway

biomesh · Fri Sep 04, 2020 3:25 am

Are you connecting to the router ip for that subnet, or a different vlan? You have firewall rules blocking inter vlan traffic.

SEJohnsen · Fri Sep 04, 2020 3:53 am

Connecting on that port and on that subnet. But I think it's simply marking them as invalid because I have everything disconnected. When I reconnect the cables and reboot, they come back. So tomorrow I plan to go back over and install this again in the church office.

biomesh · Fri Sep 04, 2020 4:24 am

If you do run into any issues, I would focus on your firewall rules. Disable the vlan restricting ones then enable one by one until you find the culprit.

SEJohnsen · Fri Sep 04, 2020 6:10 am

Thanks so much!

SEJohnsen · Fri Sep 04, 2020 9:38 pm

So the saga continues...

I set the Comcast modem to have LAN IP 192.168.10.1 with DHCP starting at 192.168.10.90. (Note: this is not bridge mode.) The RB is set to WAN IP 192.168.10.2. I plugged it in and everything worked great on the RB! Firewall, routing, Internet access, all good so far. Then two issues happened:

1) This is my third Comcast modem in a few months, and it too is defective, and crashes when you try to set up port forwarding. Easy solution: I'm ordering my own modem today and am done renting bad modems from Comcast.

2) BUT, long story short, I called Comcast about the port forwarding and talked to an idiot rep who insisted that the only way this would work is with bridge mode off but with DHCP also off on the Comcast modem and my router getting a dynamic WAN IP. Finally I humored him and let him change the Comcast router. (After, he couldn't figure out how to get it back and wanted me to pay a tech $100 to fix it. I declined and switched it back myself, but that's another story.) BUT, here's the weird thing. When the RB could no longer get a WAN IP or connect to Comcast on Eth1-gateway, it stopped allowing me to access the admin web GUI on ANY of the interfaces. I tried it plugged into Comcast, unplugged from Comcast, power cycled it, etc., but am back to the RB apparently not working. How would the lack of an Internet connection on eth1 stop the other interfaces from working? It did respond to ping, and DHCP was working, but no web admin on any of its IPs, and I could not verify that it was routing anything. This is the same thing that happened a few days ago when the Comcast tech was there with me; my RB stopped responding at all so it was easy for him to say the Comcast router issue was actually my Mikrotik's fault.

Finally I gave up and brought the RB home again. After being off for 45 minutes, I fired the RB back up. Same thing. No more admin. The only change here is that I set it to "obtain address automatically" in the Quick set. DHCP works on eth5, eth4, eth3, and it responds to ping on those ports and IPs, but the web admin page is gone on all interfaces and IP addresses.

I suppose I could factory reset it and restore/rebuild the config, but I'm starting to wonder if there's something wrong with the unit.

Fri Sep 04, 2020 10:50 pm

Really strange things. Put comcast into pure bridge mode and try with a computer attached directly if you can set it in the way that everything starts to work. Then replicate the settings to wan port of the router. Check it gets the expected ip address and is able to get the Internet connection then step forward... You need to split the aresas of possible problems and investigate them independently.

docboy · Fri Sep 04, 2020 11:30 pm

viewtopic.php?f=2&t=165733

OP, I posted my thread in "General" section. Near identical issue.

Every other Comcast tech gave me a different answer. One I spoke this morning says bridge mode requires static IP. I have dynamic IP. So he recommends "pass through" mode: disable Comcast wifi and remove IPV4 and IPV6 firewalls. Keep DHCP on. I did so and still no internet.

Latest tech thinks Mikrotik router is not configured properly to receive DHCP from Comcast. I'm not sure how to check if the Mikrotik is setup properly.

docboy · Fri Sep 04, 2020 11:37 pm

Newb question: how does one look and post the router 's config? Sorry for hijack.

biomesh · Fri Sep 04, 2020 11:47 pm

Bridge mode means that the router should get a dynamic address. If you have a static allocation your gateway would have to be in router/gateway mode.

DHCP should work if the gateway device is actually handing out a DHCP address. Run the packet sniffer to see if dhcp requests are being sent and how they are being replied to by the gateway.

The only real reason to ever use these devices is if you need static addresses. If you don't just get a regular modem and things will "just work".

docboy · Sat Sep 05, 2020 12:06 am

Bridge mode means that the router should get a dynamic address. If you have a static allocation your gateway would have to be in router/gateway mode.

DHCP should work if the gateway device is actually handing out a DHCP address. Run the packet sniffer to see if dhcp requests are being sent and how they are being replied to by the gateway.

The only real reason to ever use these devices is if you need static addresses. If you don't just get a regular modem and things will "just work".

How does one check to see if the Mikrotik is receiving a DHCP address?

SEJohnsen · Sat Sep 05, 2020 12:55 am

viewtopic.php?f=2&t=165733

OP, I posted my thread in "General" section. Near identical issue.

Every other Comcast tech gave me a different answer. One I spoke this morning says bridge mode requires static IP. I have dynamic IP. So he recommends "pass through" mode: disable Comcast wifi and remove IPV4 and IPV6 firewalls. Keep DHCP on. I did so and still no internet.

Latest tech thinks Mikrotik router is not configured properly to receive DHCP from Comcast. I'm not sure how to check if the Mikrotik is setup properly.

That's the problem I've been running into with Comcast. Not only do they all have different answers, they all disregard what the previous rep concluded after I spent hours on the phone. I've had to prove over and over to each new tech that something is wrong with the Comcast modem. Until the one guy I spoke to today who insisted the modem was working even when it wasn't, until he bricked it.

But I'm simultaltneously dealing with Mikrotik RB issues and it's VERY hard to troubleshoot when both are going on!

From many, many years of networking experience, I can say that either of these SHOULD work:

Comcast in router mode, giving out DHCP + Mikrotik in router mode, getting WAN IP address automatically. Requires an extra "hop" so very slight performance degradation, but should work.
Comcast in "pass-through" router mode, with DHCP off and firewall off + Mikrotik in router mode, with WAN IP address set statically.
Comcast in actual bridge mode + Mikrotik getting WAN IP address automatically

In point of fact, I have used all of those modes with Comcast and various routers, including Mikrotik routers.
Mixing those (like the Comcast rep this morning was insisting on until he bricked the box) with "pass-through" mode but no static IP on the Mikrotik should not work.

Comcast always prefers to upsell you to a more expensive package rather than fix their non-working equipment or train their reps, but there is no reason why you need to pay $25/month for a $0.50 static IP from Comcast in order for the Internet to work.

SEJohnsen · Sat Sep 05, 2020 12:56 am

Newb question: how does one look and post the router 's config? Sorry for hijack.

Go to Terminal window, type

export file my-current-config

Then go to Webfig --> Files and download the rsc file it generated. Open in any text editor.

SEJohnsen · Sat Sep 05, 2020 12:59 am

How does one check to see if the Mikrotik is receiving a DHCP address?

1) If Mikrotik is set to obtain an address automatically, and your Internet is working downstream from the Mikrotik, it got a DHCP address.
2) Log into web admin and go to Quick set. It will show you the IP address it obtained by DHCP.

SEJohnsen · Sat Sep 05, 2020 1:03 am

The only real reason to ever use these devices is if you need static addresses. If you don't just get a regular modem and things will "just work".

In my case, I don't need the static IP address, but what I DO need is to set up VLANs with advanced firewall rules. Internet service is in the basement of one brick building, and all the office equipment is in an addition separated by a lot of concrete. The Mikrotik's programmability allows me to maximize the use of a single cable in between, and keep everything secure.

SEJohnsen · Sat Sep 05, 2020 1:06 am

Put comcast into pure bridge mode and try with a computer attached directly if you can set it in the way that everything starts to work.

Yes, it didn't work like that, which is what finally got Comcast to replace the router. But unfortunately they replaced it with another non-functioning one. I've ordered my own Arris modem from Amazon which will arrive next week, but in the mean time I've got a brand-new routerboard I brought home that I cannot access or log into ever since it failed to get an IP address from Comcast. And it did the same thing a few days ago. As soon as it failed to get a dynamic WAN IP address, it stopped working altogether and had to be factory reset. Any ideas on why?

docboy · Sat Sep 05, 2020 1:46 am

Really strange things. Put comcast into pure bridge mode and try with a computer attached directly if you can set it in the way that everything starts to work. Then replicate the settings to wan port of the router. Check it gets the expected ip address and is able to get the Internet connection then step forward... You need to split the aresas of possible problems and investigate them independently.

One tech claims that if comcast modem is in bridge mode, it would require static IP. True or false?

docboy · Sat Sep 05, 2020 1:49 am

How does one check to see if the Mikrotik is receiving a DHCP address?
1) If Mikrotik is set to obtain an address automatically, and your Internet is working downstream from the Mikrotik, it got a DHCP address.
2) Log into web admin and go to Quick set. It will show you the IP address it obtained by DHCP.

Thanks for the tips. In your case, is your Mikrotik showing an IP address? I assume if all is working correctly, the Mikrotik should show the Comcast gateway's IP.

SEJohnsen · Sat Sep 05, 2020 2:47 am

Thanks for the tips. In your case, is your Mikrotik showing an IP address? I assume if all is working correctly, the Mikrotik should show the Comcast gateway's IP.

If all is working correctly, the Mikrotik should have at least two IPs, one for WAN (coming from Comcast), and one for LAN (which it displays inside to your other devices). It's possible to assign a different IP address to each ethernet port and interface on the RB.

SEJohnsen · Sat Sep 05, 2020 2:49 am

One tech claims that if comcast modem is in bridge mode, it would require static IP. True or false?

I don't know if it's true or not, but given the level of knowledge of several of the Comcast reps I talked to today, I'd take it with a grain of salt and verify independently. That doesn't sound right to me.

SEJohnsen · Sat Sep 05, 2020 3:03 am

UPDATE: There's something on the Quick Set page that kept breaking my RB. Whether or not I'm connected to Comcast, once I apply the settings in Quick Set, the box becomes unusable. The config that I restored has WAN IP 192.168.10.2 (static) and LAN IP 192.168.88.1 or 192.168.1.1 on the Quick Set page. When I restore the image and log in, it shows my LAN IP as 192.168.10.2, and my WAN IP as either static 0.0.0.0 or automatic.

Setting WAN IP to 192.168.10.2 (static) in Quick Set and LAN IP to 192.168.88.1, the box breaks. I noticed that it turns DHCP on automatically, with a wrong address range (on a different subnet from 192.168.88.1), and I am not able to change the address range (i.e., it keeps reverting back).

After several cycles, I restored my image, logged in, and changed WAN address acquisition to Automatic. The local address still defaulted to 192.168.10.2, which I changed to 192.168.1.1 As soon as I applied the settings, it turned on DHCP server with the wrong range. This time I immediately turned the DHCP server off on the Quick Set page and applied settings, and I was able to proceed. Not sure why it keeps automatically applying settings that will break the box.

docboy · Sat Sep 05, 2020 7:15 am

One tech claims that if comcast modem is in bridge mode, it would require static IP. True or false?
I don't know if it's true or not, but given the level of knowledge of several of the Comcast reps I talked to today, I'd take it with a grain of salt and verify independently. That doesn't sound right to me.

Copied and paste from a Comcast forum, posted by a Comcast tech:

"On the Comcast Network Static IP address cannot be assigned to a bridged device. Placing the device in <true bridge mode> disables all router functions of the gateway. In <true bridge mode> the public IP is passed directly to only one connected device, multiple connections to additional gateway LAN ports will create an IP conflict."

Not sure who to believe, but I am suspecting based on other posts on Comcast forums one does NOT need static IP for bridge mode to work.

It's odd though OP in your case at home you have static IP at home and dynamic IP at church.

SEJohnsen · Sat Sep 05, 2020 7:34 am

Copied and paste from a Comcast forum, posted by a Comcast tech:

"On the Comcast Network Static IP address cannot be assigned to a bridged device. Placing the device in <true bridge mode> disables all router functions of the gateway. In <true bridge mode> the public IP is passed directly to only one connected device, multiple connections to additional gateway LAN ports will create an IP conflict."

That's correct. That's pretty much the definition of bridge mode. When the Comcast router is in bridge mode, it's your Mikrotik that gets the IP address, whether dynamic or static. And it has to be the only device connected.

biomesh · Sat Sep 05, 2020 3:20 pm

For those with the odd behavior of not being able to connect after some time you might want to set all detect-internet interfaces to none.

docboy · Sat Sep 05, 2020 4:11 pm

For those with the odd behavior of not being able to connect after some time you might want to set all detect-internet interfaces to none.

Where does one find this option? Thanks.

biomesh · Sat Sep 05, 2020 5:16 pm

/interface detect-internet detect-interface-list=none

docboy · Sat Sep 05, 2020 5:56 pm

/interface detect-internet detect-interface-list=none

Thanks. Can I ask what is the default option in case we need to go back?

biomesh · Sat Sep 05, 2020 6:12 pm

The default (from the default config from an rb931) is none. I don't think this is enabled default. If you use quickset or set it manually it is enabled.

docboy · Sat Sep 05, 2020 6:42 pm

The default (from the default config from an rb931) is none. I don't think this is enabled default. If you use quickset or set it manually it is enabled.

Can you clarify? So this line is by default?: /interface detect-internet detect-interface-list=none

What is other option? Can you replace "none" with another option?

Is there an online manual that lists these options? I found this: https://wiki.mikrotik.com/wiki/Manual:Interface

But cannot find the "detect-internet" config line.

Thanks.

SEJohnsen · Sat Sep 05, 2020 7:42 pm

Can you clarify? So this line is by default?: /interface detect-internet detect-interface-list=none

In the WebFig, go to Interfaces, then click on the button "Detect Internet." Only the WAN port should detect Internet, or none of them.

tdw · Sat Sep 05, 2020 9:18 pm

UPDATE: There's something on the Quick Set page that kept breaking my RB. Whether or not I'm connected to Comcast, once I apply the settings in Quick Set, the box becomes unusable. The config that I restored has WAN IP 192.168.10.2 (static) and LAN IP 192.168.88.1 or 192.168.1.1 on the Quick Set page. When I restore the image and log in, it shows my LAN IP as 192.168.10.2, and my WAN IP as either static 0.0.0.0 or automatic.

Quick Set should only be used once on a device which has been reset to default. If you make any other changes to the configuration with Winbox, Webfig or CLI the results of running Quick Set again are completely unpredictable.

SEJohnsen · Sat Sep 05, 2020 10:05 pm

Quick Set should only be used once on a device which has been reset to default. If you make any other changes to the configuration with Winbox, Webfig or CLI the results of running Quick Set again are completely unpredictable.

Thanks. That's really helpful. Currently Quick Set shows the WAN IP address as 0.0.0.0. How/where do I get rid of that or change it in webfig? I'd like to to be an automatic IP address.

SEJohnsen · Sat Sep 05, 2020 10:08 pm

Currently Quick Set shows the WAN IP address as 0.0.0.0. How/where do I get rid of that or change it in webfig? I'd like to to be an automatic IP address.

NM, I found this here: https://help.mikrotik.com/docs/display/ ... figuration

docboy · Sat Sep 05, 2020 10:26 pm

Quick Set should only be used once on a device which has been reset to default. If you make any other changes to the configuration with Winbox, Webfig or CLI the results of running Quick Set again are completely unpredictable.
Thanks. That's really helpful. Currently Quick Set shows the WAN IP address as 0.0.0.0. How/where do I get rid of that or change it in webfig? I'd like to to be an automatic IP address.

Is the source of our problem? Should it be changed to match that of Comcast gateway?

SEJohnsen · Sat Sep 05, 2020 11:06 pm

Should it be changed to match that of Comcast gateway?

No. Only if you have a static IP and bridge mode.

docboy · Sat Sep 05, 2020 11:38 pm

Should it be changed to match that of Comcast gateway?
No. Only if you have a static IP and bridge mode.

If default Comcast gateway is 10.1.10.1 and we have dynamic IP, what should WAN IP address be set at?

SEJohnsen · Sat Sep 05, 2020 11:56 pm

If default Comcast gateway is 10.1.10.1 and we have dynamic IP, what should WAN IP address be set at?

If your RB is behind the Comcast router (not in bridge mode), then both devices get a WAN IP and LAN IP. The Comcast router gets your public IP from Comcast; it presents 10.1.10.1 as the LAN IP. Your RB gets 10.1.10.x as it's "WAN IP" then presents something else on another subnet as LAN IP.

tdw · Sat Sep 05, 2020 11:59 pm

Thanks. That's really helpful. Currently Quick Set shows the WAN IP address as 0.0.0.0. How/where do I get rid of that or change it in webfig? I'd like to to be an automatic IP address.
Is the source of our problem? Should it be changed to match that of Comcast gateway?

0.0.0.0 is not a valid address, in a field which must contain an address it is often used as a placeholder to signify "unknown" or "anything". If the WAN is set to auto in Quick Set it is irrelevent, the actual IP address will be seen in under IP > DHCP Client or IP > Addresses.

docboy · Sun Sep 06, 2020 1:31 am

Thanks. That's really helpful. Currently Quick Set shows the WAN IP address as 0.0.0.0. How/where do I get rid of that or change it in webfig? I'd like to to be an automatic IP address.
Is the source of our problem? Should it be changed to match that of Comcast gateway?
0.0.0.0 is not a valid address, in a field which must contain an address it is often used as a placeholder to signify "unknown" or "anything". If the WAN is set to auto in Quick Set it is irrelevent, the actual IP address will be seen in under IP > DHCP Client or IP > Addresses.

What should OP do in the case where the WAN IP is 0.0.0.0? Are you saying if the WAN is set to auto, the 0.0.0.0 WAN IP is of no problem? If WAN is not set to auto, what should OP set the WAN IP as? Somehow, our Mikrotik routers are not receiving a DHCP address from the Comcast gateway.

Sun Sep 06, 2020 2:38 am

Four zeroes are not valid ip address for an interface.
It's maybe impossible to help you if it is so unclear where the problem is. Connect a computer to the modem directly and make sure that everything works correctly. Then reset the router and replicate the settings on wan side. Once it works, configure the rest.

docboy · Sun Sep 06, 2020 6:03 pm

Thanks. That's really helpful. Currently Quick Set shows the WAN IP address as 0.0.0.0. How/where do I get rid of that or change it in webfig? I'd like to to be an automatic IP address.
Is the source of our problem? Should it be changed to match that of Comcast gateway?
0.0.0.0 is not a valid address, in a field which must contain an address it is often used as a placeholder to signify "unknown" or "anything". If the WAN is set to auto in Quick Set it is irrelevent, the actual IP address will be seen in under IP > DHCP Client or IP > Addresses.

OPs church (as well as my office) have dynamic IP. What should the IP address be set at?

docboy · Tue Sep 08, 2020 7:01 pm

If default Comcast gateway is 10.1.10.1 and we have dynamic IP, what should WAN IP address be set at?
If your RB is behind the Comcast router (not in bridge mode), then both devices get a WAN IP and LAN IP. The Comcast router gets your public IP from Comcast; it presents 10.1.10.1 as the LAN IP. Your RB gets 10.1.10.x as it's "WAN IP" then presents something else on another subnet as LAN IP.

Try this, I found it on nextiva's site, and may be relevant for us. I'm going to try it at end of day:

For DPC3941B Only:

Navigate to Advanced > NAT.
Uncheck the Disable All checkbox if there is a checkmark in the box.
Reboot the router and any devices connected to the router.

docboy · Wed Sep 09, 2020 1:11 am

That's the problem I've been running into with Comcast. Not only do they all have different answers, they all disregard what the previous rep concluded after I spent hours on the phone. I've had to prove over and over to each new tech that something is wrong with the Comcast modem. Until the one guy I spoke to today who insisted the modem was working even when it wasn't, until he bricked it.

But I'm simultaltneously dealing with Mikrotik RB issues and it's VERY hard to troubleshoot when both are going on!

From many, many years of networking experience, I can say that either of these SHOULD work:

Comcast in router mode, giving out DHCP + Mikrotik in router mode, getting WAN IP address automatically. Requires an extra "hop" so very slight performance degradation, but should work.

Comcast in "pass-through" router mode, with DHCP off and firewall off + Mikrotik in router mode, with WAN IP address set statically.

Comcast in actual bridge mode + Mikrotik getting WAN IP address automatically

In point of fact, I have used all of those modes with Comcast and various routers, including Mikrotik routers.
Mixing those (like the Comcast rep this morning was insisting on until he bricked the box) with "pass-through" mode but no static IP on the Mikrotik should not work.

Comcast always prefers to upsell you to a more expensive package rather than fix their non-working equipment or train their reps, but there is no reason why you need to pay $25/month for a $0.50 static IP from Comcast in order for the Internet to work.

I have dynamic IP. What would happen if Comcast is in "pass through" mode, and I turned IPV4 LAN DHCP off. Currently my Comcast has firewall off w/Mikrotik in router mode, but no internet.

SEJohnsen · Wed Sep 09, 2020 1:34 am

I have dynamic IP. What would happen if Comcast is in "pass through" mode, and I turned IPV4 LAN DHCP off. Currently my Comcast has firewall off w/Mikrotik in router mode, but no internet.

I suspect that will not work. My understanding is that "pass through" mode is not the same as true bridge mode, so nothing would be giving your Mikrotik an IP address at that point.

docboy · Wed Sep 09, 2020 3:32 am

If default Comcast gateway is 10.1.10.1 and we have dynamic IP, what should WAN IP address be set at?
If your RB is behind the Comcast router (not in bridge mode), then both devices get a WAN IP and LAN IP. The Comcast router gets your public IP from Comcast; it presents 10.1.10.1 as the LAN IP. Your RB gets 10.1.10.x as it's "WAN IP" then presents something else on another subnet as LAN IP.
Try this, I found it on nextiva's site, and may be relevant for us. I'm going to try it at end of day:

For DPC3941B Only:

Navigate to Advanced > NAT.
Uncheck the Disable All checkbox if there is a checkmark in the box.
Reboot the router and any devices connected to the router.

I just tried above and did not work. Still no internet. I'm about to give up. I'm using a Mikrotik hAP ac2 router btw.

docboy · Wed Sep 09, 2020 3:54 am

Sorry for the hijack OP....

I just tried this connection: Comcast gateway in "pass through mode" Port 1 --> Mikrotik port 1; M port 2 goes to main switch; M port 5 I hook up my laptop

With my laptop I login directly into the Mikrotik wifi, I get internet connection.
Office workstations connected via main switch still has no internet.

Under Router OS -> Interfaces -> Interface -> I see packets being sent/received for ethernet ports 1, 2, 5

Does this suggest a setting is wrong with the main switch?

Below is the config of the Mikrotik router. Any suggestions on what to do?

# sep/08/2020 17:45:18 by RouterOS 6.47.3
# software id = 8THQ-W36F
#
# model = RBD52G-5HacD2HnD
# serial number = D7170CF81962
/interface bridge
add admin-mac=48:8F:5A:66:72:D0 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-6672D4 station-roaming=enabled wireless-protocol=\
802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-6672D5 station-roaming=\
enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip firewall connection tracking
set udp-timeout=5m
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=64.28.121.110 list=PingServers
add address=64.28.122.110 list=PingServers
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp \
src-address-list=PingServers
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

SEJohnsen · Wed Sep 09, 2020 4:26 am

Sorry for the hijack OP....

I just tried this connection: Comcast gateway in "pass through mode" Port 1 --> Mikrotik port 1; M port 2 goes to main switch; M port 5 I hook up my laptop

With my laptop I login directly into the Mikrotik wifi, I get internet connection.
Office workstations connected via main switch still has no internet.

Under Router OS -> Interfaces -> Interface -> I see packets being sent/received for ethernet ports 1, 2, 5

Does this suggest a setting is wrong with the main switch?

Below is the config of the Mikrotik router. Any suggestions on what to do?

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.88.1

The lines quoted include one of your problems. You have all your LAN interfaces bridged together. But you assigned 192.168.88.1 to ether2 and not to the bridge. Delete that IP address from ether2 and assign it to the bridge.

docboy · Wed Sep 09, 2020 5:10 am

Sorry for the hijack OP....

I just tried this connection: Comcast gateway in "pass through mode" Port 1 --> Mikrotik port 1; M port 2 goes to main switch; M port 5 I hook up my laptop

With my laptop I login directly into the Mikrotik wifi, I get internet connection.
Office workstations connected via main switch still has no internet.

Under Router OS -> Interfaces -> Interface -> I see packets being sent/received for ethernet ports 1, 2, 5

Does this suggest a setting is wrong with the main switch?

Below is the config of the Mikrotik router. Any suggestions on what to do?

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.88.1
The lines quoted include one of your problems. You have all your LAN interfaces bridged together. But you assigned 192.168.88.1 to ether2 and not to the bridge. Delete that IP address from ether2 and assign it to the bridge.

Thanks for responding.

Can you let me know how do I delete that IP from ether2 and assign it to the bridge?

SEJohnsen · Wed Sep 09, 2020 6:21 am

Can you let me know how do I delete that IP from ether2 and assign it to the bridge?

IP --> Addresses

Wed Sep 09, 2020 7:41 am

You should join corresponding thread instead of the hijacking the non relevant one.
Here it was solved already:
https://r.tapatalk.com/shareLink/topic? ... source=app

FAILED SETUP: Internet works only on wifi

docboy · Wed Sep 09, 2020 7:48 am

You should join corresponding thread instead of the hijacking the non relevant one.
Here it was solved already:
https://r.tapatalk.com/shareLink/topic? ... source=app

FAILED SETUP: Internet works only on wifi

Apologies to the OP. Will continue in said thread above and in my post on other section.