Hi everyone,

I need some help. I just recently hard reset my Mikrotik router (RouterBOARD 750 r2) and now after normal configuration, my PC now isn't able to connect to the Internet via the Mikrotik router, it says unable to resolve DNS, unable to ping external IP. BUT I am able to access the Internet within the router (successful in checking for new updates for the router).

FYI, I'm not running DHCP, the PC is configure with static IPs, I can ping the router though.

Here is my config info. May I know where did I go wrong?

# jan/07/2022 09:55:34 by RouterOS 6.49.2
# software id = TR50-ZDR7
#
# model = RouterBOARD 750 r2
# serial number = xxxxx
/interface bridge
add admin-mac=CC:2D:E0:55:SS:EC auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500 max-mru=1492 max-mtu=\
1492 name=unifi use-peer-dns=yes user=xxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface=unifi in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=unifi in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=unifi out-interface-list=WAN
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) You need to add these to the interface list members ( maybe not both but no harm done)
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=unifi list=WAN
add interface=vlan500 list=WAN

(2) This is a bit of a redundant firewall rule, and also a bit convoluted, should be clarified
FROM
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface=unifi in-interface-list=!LAN
TO
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

Which says drop all but not the LAN. Which meets the intent of the comment line.
New users should avoid tricky configuration 'tricks" or functionalities like the "!" symbol.

Much clearer to understand are the following recommended rules to start off with.
add action=accept chain=input in-interface-list=LAN {allow LAN input}
add action=drop chain=input {drop everything else}

This will naturally lead to future changes when perhaps you dont want the full LAN to be able to reach the router etc.............but not critical.

from the Terminal

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
expected end of command (line 1 column 5)
[admin@MikroTik] /interface list member> in-interface-list=!LAN


Is the screenshot correct?

Ok, GOT IT!

But my question would be, how does it look in the WinBox GUI? Do you know where to look for it?

From your config.......
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

I recommended ADDING to the list member with the following............ (which clearly dont exist on your config????)
add interface=unifi list=WAN
add interface=vlan500 list=WAN

Which one is preventing from being entered by the router or is it showing in red ????
(I believe if I had to try one first without the other it would be the vlan500)

Well, I added the last two... It works.

Oh well... but I don't know how it looks like in the Winbox GUI.

Interface lists are in Interfaces menu and then under Interface List tab.

One can tell the difference between an IT professional (or is it the European influence) response, and the MTUNA trained certified response.
Using the old axiom, a picture is a worth a thousand words......... or rephrased, better than a few lousy words.
..........................................................................

Oh this spoon-feeding, where will it end? Visiting in person and showing where to click? Mine was perfectly fine more than just a hint, almost a guide.

Oh this spoon-feeding, where will it end? Visiting in person and showing where to click? Mine was perfectly fine more than just a hint, almost a guide.

I guess @anav followed your instructions and was so much pleased with own success that he decided to document it

@anav: did you ever wonder how much of redundancy is in a picture? Look at size of screenshot file you created and compare it to those few ten bytes by @Sob ... no wonder that one picture tells more than a thousand words ... it well has to as in your example it takes 25.000 times more data to deliver that tiny bit of added information ...

If you were concerned about carbon wastage MKX you wouldnt have posted a silly retort, so I know you are just jesting!

Where I would disagree with both of you, on this particular function, is MT's unorthodox use of the box to click on to access the interface list.
If it were a more consistent approach, I would be with you. However many a time, I have had to think - now where did Normis put that effing link.............