jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

No internet access after configuring DHCP and a few other questions

Sun Jul 17, 2016 5:12 am

Hey everyone,

I've just recently bought and configured my CRS 125-24G-1S-IN (firmware 6.35.4), but I'm struggling with a few things (I'm very new to the RouterOS scene):
  1. Whenever I configure it to hand out IP addresses over DHCP I get no internet access on either static or dynamic IP ranges. (Before configuring DHCP, internet is fine.)
  2. My ISP is broadcasting IPTV over VLAN 303, and in my home I have a few devices with various MAC addresses. How can I configure the VLAN to only accept clients with a specific MAC? I noticed the RouterOS UI mentions VLAN a few times, so if anyone can point me at the proper one that would be great :-)
  3. By default, as I figure it, RouterOS isn't very restrictive on filtering out incoming traffic (blocking ports, more precisely); any good relevant guide on that? I wish to lock down pretty much everything except ports 22, 80, 443 and 32400, which I'd like to forward to my server.
Thanks for taking your time, really appreciate it.
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: No internet access after configuring DHCP and a few other questions

Sun Jul 17, 2016 9:58 pm

So I figured out why this is happening (all ports are bridged so that WAN and LAN traffic resides on the same network).

Now how do I solve this? I haven't done anything close to this before, so I'm out on a limb. WAN traffic comes in on SFP1.

Will need to do more reading, I guess.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: No internet access after configuring DHCP and a few other questions

Mon Jul 18, 2016 4:29 am

> So I figured out why this is happening (all ports are bridged so that WAN and LAN traffic resides on the same network).
>
> Now how do I solve this? I haven't done anything close to this before, so I'm out on a limb. WAN traffic comes in on SFP1.
>
> Will need to do more reading, I guess.
You don't want your WAN port bridged with your LAN ports. Further, you need to set up NAT with masquerade for your LAN hosts to use the public IP on your WAN port to access the internet.
 
jus06tine
just joined
Posts: 4
Joined: Sun Jul 17, 2016 1:47 pm

Re: No internet access after configuring DHCP and a few other questions

Mon Jul 18, 2016 8:00 am

> Hey everyone,
>
> I've just recently bought and configured my CRS 125-24G-1S-IN (firmware 6.35.4), but I'm struggling with a few things (I'm very new to the RouterOS scene):
>   1. Whenever I configure it to hand out IP addresses over DHCP I get no internet access on either static or dynamic IP ranges. (Before configuring DHCP, internet is fine.)
>   2. My ISP is broadcasting IPTV over VLAN 303, and in my home I have a few devices with various MAC addresses. How can I configure the VLAN to only accept clients with a specific MAC? I noticed the RouterOS UI mentions VLAN a few times, so if anyone can point me at the proper one that would be great :-)
>   3. By default, as I figure it, RouterOS isn't very restrictive on filtering out incoming traffic (blocking ports, more precisely); any good relevant guide on that? I wish to lock down pretty much everything except ports 22, 80, 443 and 32400, which I'd like to forward to my server.
> Thanks for taking your time, really appreciate it.
Hi,
Just my two cents here, which I hope contribute to solving your problem.
You may want to check your network setting in IP > DHCP Server > Networks. You might want to configure the gateway and DNS servers there. Note that your config here is what will be given to your DHCP clients. I came across the same problem before and it was solved by setting those. Revelation is also right: you need to masquerade your LAN IPs to your WAN IP in IP > Firewall > NAT.
If you want to filter out all ports in your firewall, you need to set a filter rule that drops everything in the forward chain (you might want to do this while you are connected to your RB using a MAC connection and not with an IP, because you might lock yourself out of your router). If you want to allow certain ports to pass your firewall, just create an accept rule in the forward chain with the port you want (e.g. ip firewall filter add chain=forward protocol=tcp port=80 action=accept). Note that order is very important when creating filter rules: you should have your drop rule below your accept rule for this to work properly. :)
Hope this helps you. :)

Justine
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: No internet access after configuring DHCP and a few other questions

Mon Jul 18, 2016 11:58 am

Thanks for the replies. Here's my current config; as of now the firewall blocks all connections (removing the drop rule in the forward chain fixes that). Any ideas? (With the drop rule in the forward chain removed, the exposed ports in the forward/NAT chains still don't work; I can't access these ports on the WAN interface.)

[admin@MikroTik] > export compact
# jul/18/2016 10:55:24 by RouterOS 6.35.4
# software id = 4ZWJ-QVRS
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp1 ] mac-address=E4:8D:8C:A6:C0:67
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
/interface ethernet switch mac-based-vlan
add new-customer-vid=303 new-service-vid=303 src-mac-address=44:AA:F5:5F:89:5A
/interface ethernet switch port
set 0 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 1 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 2 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 3 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 4 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 5 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 6 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 7 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 8 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 9 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 10 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 11 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 12 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 13 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 14 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 15 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 16 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 17 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 18 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 19 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 20 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 21 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 22 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 23 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 24 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 25 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
/interface ethernet switch vlan
add ingress-mirror=yes ports=ether24,sfp1 vlan-id=303
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add chain=forward dst-port=80 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=443 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=22 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=32400 in-interface=sfp1 protocol=tcp
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment=MASQ out-interface=sfp1
add action=dst-nat chain=dstnat dst-port=443 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=32400 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/Oslo
/system routerboard settings
set protected-routerboot=disabled
[admin@MikroTik] > 
Also, DHCP now works as expected; unsure if the config is optimal, though?
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: No internet access after configuring DHCP and a few other questions

Mon Jul 18, 2016 1:35 pm

Alright, so I was missing these two:
/ip firewall nat
add action=masquerade chain=srcnat dst-port=22,80,443,32400 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-address-type=local dst-port=22,80,443,32400 protocol=tcp to-addresses=192.168.1.10
So the final firewall config is:
/ip firewall filter
add chain=forward dst-port=80 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=443 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=22 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=32400 in-interface=sfp1 protocol=tcp
add action=drop chain=forward disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=MASQ out-interface=sfp1
add action=dst-nat chain=dstnat dst-port=443 in-interface=sfp1 log=yes protocol=tcp to-addresses=192.168.1.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=32400 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=32400
add action=masquerade chain=srcnat dst-port=22,80,443,32400 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-address-type=local dst-port=22,80,443,32400 protocol=tcp to-addresses=192.168.1.10
Now I still have the forward chain drop issue; not sure how to resolve that one?
 
karlisi
Member
Posts: 475
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: No internet access after configuring DHCP and a few other questions

Mon Jul 18, 2016 4:44 pm

Add this before the other forward chain rules:
/ip firewall filter
add chain=forward connection-state=established,related
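The forward chain in the export above drops every new connection because nothing ahead of the final drop accepts return traffic or sessions the LAN starts; an established,related rule alone fixes the return path, but a new outbound connection from the LAN still needs its own accept before the drop. Below is a complete stateful filter and NAT set for that layout, written here as an added example and not taken from any post in the thread. It assumes sfp1 is the WAN uplink, bridge1 carries 192.168.1.0/24 and 192.168.1.10 is the server, as in the export; the ICMP rule and the UPnP line are additional choices, not something the thread asked for.

```routeros
# Added example (not from the thread): stateful filter for sfp1 = WAN,
# bridge1 = LAN 192.168.1.0/24, server at 192.168.1.10.
# Rules are evaluated top to bottom; the first match wins, so order matters.

/ip firewall filter
# --- input chain: packets addressed to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge1 action=accept comment="LAN may reach the router (winbox, DNS, DHCP)"
add chain=input in-interface=sfp1 protocol=icmp action=accept comment="optional: answer ping from the WAN"
add chain=input action=drop comment="nothing else from the WAN reaches router services"

# --- forward chain: packets routed through the router ---
add chain=forward connection-state=established,related action=accept comment="return traffic for sessions already allowed"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge1 action=accept comment="LAN may start connections anywhere (also covers hairpin)"
# From the WAN, only connections that the dst-nat rule below has already rewritten
# to the server on the published ports are allowed through
add chain=forward in-interface=sfp1 connection-nat-state=dstnat protocol=tcp dst-address=192.168.1.10 dst-port=22,80,443,32400 action=accept
add chain=forward action=drop comment="left enabled, unlike the disabled drop in the export"

/ip firewall nat
add chain=srcnat out-interface=sfp1 action=masquerade comment="LAN to internet"
# Port forwards, keyed on the WAN interface so only WAN-side traffic triggers them
add chain=dstnat in-interface=sfp1 protocol=tcp dst-port=22,80,443,32400 action=dst-nat to-addresses=192.168.1.10
# Hairpin NAT: LAN hosts that use the public address to reach the server.
# dst-address-type=local matches the router's own addresses; !192.168.1.0/24 excludes the LAN one.
add chain=dstnat src-address=192.168.1.0/24 dst-address-type=local dst-address=!192.168.1.0/24 protocol=tcp dst-port=22,80,443,32400 action=dst-nat to-addresses=192.168.1.10
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 protocol=tcp dst-port=22,80,443,32400 action=masquerade comment="hairpin: make the server reply via the router"

/ip upnp
set enabled=no comment="export had UPnP on; it lets any LAN host add its own dst-nat entries"
```

Add these from a LAN-side or MAC-Winbox session and use Safe Mode (Ctrl-X in the terminal) so that a rule which cuts your own session is rolled back automatically. The input chain matters as much as the forward chain for question 3: with it, ports 22, 80, 443 and 32400 on the public address reach the server while the router's own services (including Winbox, which the export does not disable) are unreachable from the WAN.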
 
jus06tine
just joined
Posts: 4
Joined: Sun Jul 17, 2016 1:47 pm

Re: No internet access after configuring DHCP and a few other questions

Tue Jul 19, 2016 5:17 am

Do you have a diagram of what you are trying to do?

Does the CRS act as your gateway? If you want to access your local network from the internet, you may want to make sure you have a public IP set on your SFP1 interface.

You may opt to try the following:
  • set the 192.168.x.x IP on bridge1 instead of ether1
  • set the DNS server in /ip dhcp-server network
  • set the action to accept in the forward chain for your allowed port(s)
  • enable the last filter in your firewall (the one with the drop action)
  • set a static route to your ISP gateway.
Give us feedback if any of it solved even some of your issues. :)
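Putting the checklist together with Revelation's and Justine's earlier advice, here is the basic routed layout all three replies describe, as an added example that is not from any post in the thread. It assumes sfp1 gets its public address from the ISP by DHCP and that ether1 to ether24 are LAN ports, as in the export; the public resolvers handed to clients are an assumption and can be replaced.

```routeros
# Added example (not from the thread): WAN on sfp1, all copper ports bridged
# as the LAN, router address and DHCP server on the bridge.

/interface bridge
add name=bridge1 comment="LAN bridge; sfp1 is deliberately NOT a member"

# Put ether1..ether24 into the bridge; sfp1 stays a plain routed port
:foreach port in=[/interface ethernet find where name~"^ether"] do={ /interface bridge port add bridge=bridge1 interface=$port }

# The LAN address belongs on the bridge interface, not on one member port
# (the export put 192.168.1.1/24 on ether1, which is a bridge member)
/ip address
add address=192.168.1.1/24 interface=bridge1

# Public address, default route and ISP resolvers come from the ISP's DHCP
/ip dhcp-client
add interface=sfp1 dhcp-options=hostname,clientid add-default-route=yes use-peer-dns=yes disabled=no

# DHCP for the LAN: whatever is set under "network" is what every client receives
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add name=dhcp1 interface=bridge1 address-pool=dhcp lease-time=3d disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=1.1.1.1,1.0.0.1 comment="resolver addresses are an assumption"

# Private source addresses are rewritten to the public one on the way out;
# without this the ISP cannot route the replies back
/ip firewall nat
add chain=srcnat out-interface=sfp1 action=masquerade comment="LAN to internet"
```

If you would rather have clients use the router as a caching resolver (dns-server=192.168.1.1 together with /ip dns set allow-remote-requests=yes), also drop UDP and TCP port 53 arriving on sfp1 in the input chain; otherwise the router answers DNS queries for anyone on the internet through its public address.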