 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Urgent - please help with my network outage

Thu Nov 15, 2007 6:21 am

Hello all,

I have Mikrotik running with 4 nics. I don't know how to export my configuration (yet). It was running fine until earlier today. Do not know what happened/changed.

I have 2 DHCP servers running on 2 of the NICs. They both hand out/assign IPs with no problem. DNS servers are also registered with the requesting machine.

Here is my problem: I can ping/tracert from any DHCPed machine through the Mikrotik and out to any IP/web site and get a success. I cannot, however, load ANY web page through either NIC.

They appear to be configured correctly, but I am a bit of a newbie at this. As I said, it was running fine earlier.

What do I need to check? Or what info can I provide to help out?

Could this be some kind of DOS or DNS attack?

Again, this is an urgent problem. I would greatly appreciate any help,

Jakkwb
 
Hellbound
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 7:12 am

post a traceroute from your clients,
post your src-nat/dst-nat settings so people know exactly what's running there.
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 7:25 am

post a traceroute from your clients:

from one of my office machines that can ping/tracert, but cannot get web pages:

tracert yahoo.com 216.109.112.135
first hop 172.16.1.1 (office-gateway NIC on Mikrotik)
x.y.z.1 Cisco gateway router (nothing changed on this machine at all - has always worked perfectly)
out to yahoo - get there fine.

post your src-nat/dst-nat settings so people know exactly what's running there.

The only NAT rule I have is this one:

ip firewall nat add chain=srcnat action=masquerade out-interface=Public

Which I got from the Mikrotik web site, and an earlier post from me. This worked fine until today. I originally could not get DHCPed machines to have any access at all past the Mikrotik, and was told I needed this masquerade rule. When I put it in, it started working.

I can supply any other needed info.

Thank you for the post,

Jakkwb
 
Hellbound
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 7:29 am

check whether you enabled transparent proxy in hotspot profiles
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 7:48 am

Yes, that actually is enabled under the default profile, but I am not using wireless or hotspots on this router.

Advice?
 
ZoemDoef
just joined
Posts: 23
Joined: Fri Oct 20, 2006 11:02 am
Location: South Africa

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 8:36 am

in winbox

open new terminal
type in "export file=routerconfig"
press enter
open "files" in winbox
drag and drop the "routerconfig.src" onto your pc desktop or location of your choice
open this file with app like notepad2 (or notepad)
copy the text (changing your real IPs) and paste it in the forum

Maybe we can then see what's wrong
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 9:17 am

ok, here it is:


# nov/14/2007 20:54:45 by RouterOS 2.9.43
# software id = DQ5H-6XT
#
/ interface ethernet
set Public-gateway name="Public-gateway" mtu=1500 \
mac-address=00:10:4B:C5:25:68 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
comment="" disabled=no
set "PTP to Black Rock" name="PTP to Black Rock" mtu=1500 \
mac-address=00:60:97:C9:B5:79 arp=enabled disable-running-check=yes \
auto-negotiation=no full-duplex=no cable-settings=default speed=10Mbps \
comment="" disabled=no
set "PTP to Hoxie" name="PTP to Hoxie" mtu=1500 mac-address=00:B0:D0:16:A5:BF \
arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set Office-network name="Office-network" mtu=1500 \
mac-address=00:A0:C9:89:46:A6 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
comment="" disabled=no
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 \
keepalive-timeout=30 default-profile=default-encryption
/ ip pool
add name="Office-pool" ranges=172.16.1.2-172.16.1.254
add name="Wireless-pool" ranges=192.168.2.10-192.168.2.254
/ ip service
set telnet port=23 address=192.168.1.0/24 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=yes
set www port=80 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=68.95.120.3 secondary-dns=68.95.120.4 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip dns static
add name="gate.westweb1.net" address=68.95.120.3 ttl=1d
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m \
inactive-flow-timeout=15s
/ ip address
add address=68.95.120.4/26 network=68.95.120.0 broadcast=68.95.120.63 \
interface=Public-gateway comment="added by setup" disabled=no
add address=68.95.120.129/26 network=68.95.120.128 broadcast=68.95.120.191 \
interface="PTP to Black Rock" comment="" disabled=no
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 \
interface="PTP to Hoxie" comment="" disabled=no
add address=172.16.1.1/24 network=172.16.1.0 broadcast=172.16.1.255 \
interface=Office-network comment="" disabled=no
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000 \
maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip neighbor discovery
set Public-gateway discover=yes
set "PTP to Black Rock" discover=yes
set "PTP to Hoxie" discover=yes
set Office-network discover=yes
/ ip route
add dst-address=0.0.0.0/0 gateway=68.95.120.1 distance=1 scope=255 \
target-scope=10 comment="added by setup" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=Public-gateway icmp-options=0:0-255 \
action=masquerade comment="" disabled=no
/ ip firewall filter
add chain=forward connection-state=established action=accept comment="allow \
established connections" disabled=yes
add chain=forward connection-state=related action=accept comment="allow \
related connections" disabled=yes
add chain=forward connection-state=invalid action=drop comment="drop invalid \
connections" disabled=yes
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="drop \
blaster worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="drop \
messenger worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="drop blaster \
worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="drop blaster \
worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="don't know" \
disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="don't \
know" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="drop mydoom" \
disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="don't know" \
disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="worm" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="drop bagle \
virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="drop dumaru.Y" \
disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="drop Beagle" \
disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \
MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop \
Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop \
MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus \
chain" disabled=yes
add chain=forward protocol=icmp action=accept comment="allow ping" \
disabled=yes
add chain=forward protocol=udp action=accept comment="allow udp" disabled=yes
add chain=forward action=drop comment="drop everything else" disabled=yes
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2s comment="port \
scanners to list" disabled=yes
add chain=input protocol=tcp dst-port=22 src-address-list=black_list \
action=drop comment="drop ssh brute forcers" disabled=yes
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list \
address-list=black_list address-list-timeout=1d comment="" disabled=yes
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list \
address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=yes
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage1 action=add-src-to-address-list \
address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=yes
add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m comment="" disabled=yes
add chain=sanity-check protocol=tcp psd=50,3s,3,1 \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d comment="Block port scans \(causes high cpu \
load\)" disabled=yes
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d comment="Block TCP Null scan" disabled=yes
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d comment="Block TCP Xmas scan" disabled=yes
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump \
jump-target=drop comment="" disabled=yes
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop \
comment="Drop TCP RST" disabled=yes
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump \
jump-target=drop comment="Drop TCP SYN+FIN" disabled=yes
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=no
/ ip dhcp-server
add name="Office-DHCP" interface=Office-network lease-time=3d \
address-pool=Office-pool bootp-support=static add-arp=yes \
authoritative=after-2sec-delay disabled=no
add name="Wireless-network" interface="PTP to Hoxie" lease-time=3d \
address-pool=Wireless-pool bootp-support=static add-arp=yes \
authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1 \
dns-server=68.95.120.3,68.95.120.4 domain="westweb1.net" \
dhcp-option=(unknown) comment=""
add address=192.168.2.0/24 gateway=192.168.2.1 \
dns-server=68.95.120.3,68.95.120.4 domain="westweb1.net" comment=""
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" \
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m \
status-autorefresh=1m shared-users=1 transparent-proxy=no
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=3128 hostname="proxy" \
transparent-proxy=no parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system \
max-cache-size=none max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
/ ip web-proxy cache
add url=":cgi-bin \\\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
/ system logging
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system clock manual
set time-zone=+00:00 dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" \
dst-end="jan/01/1970 00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
set name="MikroTik"
/ system note
set show-at-login=yes note=""
/ system lcd
set enabled=no type=24x4 port=parallel contrast=0
/ system lcd page
set time display-time=5s disabled=yes
set resources display-time=5s disabled=yes
set uptime display-time=5s disabled=yes
set packets display-time=5s disabled=yes
set bits display-time=5s disabled=yes
set version display-time=5s disabled=yes
set Public-gateway display-time=5s disabled=yes
set "PTP to Black Rock" display-time=5s disabled=yes
set "PTP to Hoxie" display-time=5s disabled=yes
set Office-network display-time=5s disabled=yes
/ system health
set state-after-reboot=enabled
/ system routerboard bios
set
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
set serial1 name="serial1" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default \
use-encryption=default only-one=default change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
add name="default-small" kind=pfifo pfifo-limit=10
/ queue interface
set Public-gateway queue=ethernet-default
set "PTP to Black Rock" queue=ethernet-default
set "PTP to Hoxie" queue=ethernet-default
set Office-network queue=ethernet-default
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10 \
streaming-enabled=no streaming-server=0.0.0.0 filter-stream=yes \
filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ user
add name="admin" group=full address=68.95.120.0/26 comment="system default \
user" disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f\
tp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius
add service=ppp,login called-id="" domain="westweb1.net" address=68.95.120.3 \
secret="hello" authentication-port=1645 accounting-port=1646 timeout=600ms \
accounting-backup=no realm="" comment="" disabled=no
/ radius incoming
set accept=yes port=1645
/ driver
/ snmp
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no \
redistribute-static=no redistribute-rip=no redistribute-bgp=no \
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 \
metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate \
authentication=none disabled=no
/ routing bgp instance
set default name="default" as=65530 router-id=0.0.0.0 \
redistribute-connected=no redistribute-static=no redistribute-rip=no \
redistribute-ospf=no redistribute-other-bgp=no out-filter="" \
client-to-client-reflection=yes ignore-as-path-len=no comment="" \
disabled=no
/ routing rip
set distribute-default=never redistribute-static=no redistribute-connected=no \
redistribute-ospf=no redistribute-bgp=no metric-default=1 metric-static=1 \
metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s \
timeout-timer=3m garbage-timer=2m
/ routing rip interface
add interface=all receive=v2 send=v2 authentication=none authentication-key="" \
key-chain="" in-filter="" out-filter="" disabled=no


Thanks a million,

Jakkwb
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 3:13 pm

jakkwb -
First thing I would do is disable your filtering rules - all of them. Dimitry's firewalling rule set is very good and comprehensive - but if you don't know what you are doing you can 'shoot yourself in the foot' - so disable all that for the moment. Then if everything works - go through the rules, understand what they are and enable sections at a time making sure everything works.

One thing you didn't actually specify - do the pages not load or do they say the site cannot be found? There is a big difference.... The reason I ask is one of your rules below drops all UDP traffic - DNS is udp based....
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 5:44 pm

Thanks for the tips, Thom.

I actually found the rule that said to drop all UDP last night after my last post. After I disabled it, one of the interfaces started working (Office-network). The other, PTP-H, still does not bring up web pages. It tries - sits for several minutes as the progress bar slowly moves, but never loads. I can still ping and tracert the same web page through that interface. IE says "opening (web page)" at the bottom of the screen.

I now have all filters disabled. I am getting the same results.

Thank you again,

Jakkwb
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 6:45 pm

jakkwb -
Ok - office Internet is working....

PTP-H - this looks like a wireless hotspot interface - is it?
Are you getting a correct IP when you are connected to this interface - looks like between 192.168.2.10 - 192.168.2.xx
When you ping or traceroute - do you use the IP address or the domain name 216.218.186.2 vice http://www.he.net ? It makes a difference so be precise.
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 7:33 pm

Thom, hi again. After I disabled all the other filters, I waited a bit then rebooted the router.

I do not have a hotspot, this PTP is a wireless PTP to a Motorola Canopy tower.

I can ping from a remote Canopy connected PC using IP or domain name successfully. I can also ping (ip or name) from Mikrotik out to web pages.

Yes, the above PC has the proper IP and subnet assigned to it.

Web pages still do not come through on this interface. What is interesting, after the reboot above, it worked for a few minutes, then slowed to a crawl/non-working again.

I need to do some reading on the filters.

Thanks for all your help.
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Thu Nov 15, 2007 9:54 pm

please, someone help me with this....

How can I test the NIC cards in Mikrotik?
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Fri Nov 16, 2007 12:33 am

Please help me. The web performance on the PTP-H is dismal. Something is wrong with my setup, but I do not know what it is.

Anyone?
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Urgent - please help with my network outage

Fri Nov 16, 2007 1:32 am

can you post (from a terminal window) /ip route print and /ip route rule print
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Fri Nov 16, 2007 4:35 am

There are no route rules.

Here are the routes:

Terminal vt102 detected, using multiline input mode
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf,
B - blackhole, U - unreachable, P - prohibit
 #     DST-ADDRESS        PREF-SRC        G GATEWAY         DIS
 0 A S ;;; added by setup
       0.0.0.0/0                          r 68.95.120.1     1
 1 ADC 68.95.120.0/26     192.168.2.1                       0
 2 ADC 68.95.120.128/26   68.95.120.129                     0
 3 ADC 169.254.1.0/24     169.254.1.1                       0
 4 ADC 192.168.2.0/24     192.168.2.1                       0

Thank you.
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Fri Nov 16, 2007 5:12 am

As you can tell, I have been messing with it all day long. I changed the IP information for the Office-network. Also changed that NIC card (it seemed a bit flakey)

Anyway, there are a few pages now and then that come through (via a remote PC connected to a Motorola Canopy radio on the PTP-H interface). I can still ping and tracert anywhere from that same PC. Just web data is very slow, mostly not working at all.

The office network is running fine, now.

If you'll notice on the DC routes, Mikrotik software automatically assigns the wrong preferred source and interface for 1 & 3 (why does it do that?). It does not show the interfaces on the post above, but they are wrong. It will not let me change them. This has been going on for days; I posted previously about it, but no fix. That may be my whole problem, perhaps.

One more thing, do I need just one NAT/Masquerade rule for both sets of private IPs, or do I need a rule for each of them?

Thank you again.
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Urgent - please help with my network outage

Fri Nov 16, 2007 6:37 am

winbox - IP / then route / once in the route window go to the rule tab. Hit the '+' to add a rule. src-addr 0.0.0.0/0 dst-addr 0.0.0.0/0 action lookup Table main


Thom
 
CarulloS
Member
Posts: 406
Joined: Thu Feb 02, 2006 5:52 am

Re: Urgent - please help with my network outage

Fri Nov 16, 2007 6:52 am

add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="don't \
know" disabled=no

If I'm not mistaken this rule would drop web traffic because the traffic coming back to your computer from the web server would probably be destined to port 1024 or just higher (random to a certain extent).

You can't drop that range of ports like you are - I think that was your problem IMO

Scott
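
The point made in the post above, generalized as an added example (not part of the original thread and not MikroTik code): the script reads a RouterOS export and lists enabled port-based drop rules that reply packets can reach from the forward chain before any unconditional established-accept rule. The sample export is constructed from rules quoted in this thread, the function names are hypothetical, and the 1024-65535 client port range is an assumption.

```python
import re
import shlex

# Assumption: clients pick source ports from this range, so replies to them
# arrive with a destination port inside it.
EPHEMERAL = (1024, 65535)
# Keys that do not narrow which packets a rule matches.
BASE = {'chain', 'action', 'jump-target', 'connection-state', 'comment', 'disabled'}

# Constructed sample modelled on the export in this thread; the jump to the
# "virus" chain is enabled here so that the chain is actually in use.
SAMPLE_EXPORT = r'''
/ ip firewall filter
add chain=forward connection-state=established action=accept comment="allow \
established connections" disabled=yes
add chain=virus protocol=tcp dst-port=445 action=drop comment="drop blaster \
worm" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="don't \
know" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="drop mydoom" \
disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus \
chain" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=Public-gateway action=masquerade disabled=no
'''


def parse_filter_rules(export):
    """Return the '/ip firewall filter' rules of an export, in order, as dicts."""
    text = re.sub(r'\\\n\s*', '', export)  # undo the export's line wrapping
    rules, in_filter = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            in_filter = line.replace(' ', '') == '/ipfirewallfilter'
        elif in_filter and line.startswith('add '):
            pairs = (t.split('=', 1) for t in shlex.split(line)[1:] if '=' in t)
            rules.append(dict(pairs))
    return rules


def _hits_ephemeral(spec):
    """True if a dst-port spec such as '1024-1030' or '445,1080' overlaps EPHEMERAL."""
    if spec.startswith('!'):
        return True  # a negated match covers almost every port
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        if int(lo) <= EPHEMERAL[1] and int(hi or lo) >= EPHEMERAL[0]:
            return True
    return False


def _walk(rules, chain, seen):
    """Follow reply packets through `chain`; return (findings, accepted)."""
    findings = []
    if chain in seen:
        return findings, False
    seen.add(chain)
    for r in rules:
        if r.get('chain') != chain or r.get('disabled') == 'yes':
            continue
        action, state = r.get('action', 'accept'), r.get('connection-state', '')
        if state and 'established' not in state:
            continue  # rule only matches new/related/invalid packets
        unconditional = set(r) <= BASE
        if action == 'accept' and unconditional:
            return findings, True  # replies stop here; later rules never see them
        if action == 'jump':
            sub, accepted = _walk(rules, r.get('jump-target'), seen)
            findings += sub
            if accepted and unconditional:
                return findings, True
        elif action == 'drop' and _hits_ephemeral(r.get('dst-port', '0')):
            findings.append((chain, r['dst-port'], r.get('comment', '')))
    return findings, False


def stateless_drops_hitting_replies(export, chain='forward'):
    """List (chain, dst-port, comment) for drop rules that can discard replies."""
    return _walk(parse_filter_rules(export), chain, set())[0]


if __name__ == '__main__':
    for finding in stateless_drops_hitting_replies(SAMPLE_EXPORT):
        print(finding)
```

Besides the 1024-1030 rule, the 1080 rule is reported too: any drop on a destination port of 1024 or higher can catch a reply whose client happened to use that source port, unless established traffic is accepted first or the chain is never jumped to.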
 
jakkwb
Member Candidate
Topic Author
Posts: 133
Joined: Tue Jun 26, 2007 8:31 am

Re: Urgent - please help with my network outage

Fri Nov 16, 2007 7:45 am

Scott,

quote: add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="don't \
know" disabled=no

I did find that earlier and disabled it (see my above posts). That fixed my Office-network web pages loading. There is still something wrong with my PTP-H - I still cannot get web pages through that interface for some reason.

Thom,

I put that route rule in and rebooted. It worked a few minutes, then went back to its slowness/never loading a page.

What do you think about Mikrotik assigning the wrong interface/pref source to 2 of the DAC routes?

Thanks so much.

Let me know if I need to provide any other info.
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Urgent - please help with my network outage

Sat Nov 17, 2007 3:42 am

For all of you 'watching' this thread jakkwb emailed me offline. We have his routing and src-nat issue fixed. The 'real' issue was he was getting some interference from another WISP eating up his backhaul channel so his wireless subscribers (not wireless via MT) could not actually get to the Internet....

I'll let jakkwb tell the rest if he is so inclined.....
