MikroTik

Hi folks

First day with a hap ac lite. I'm trying to use it as a home router with an ISP that we connect to via pppoe. I've managedmake it work as an access point hanging off the hardware we're retiring, and can set up the pppoe client okay, but can't get traffic flowing from hosts on the home network to the internet.

I've tried to add the pertinent info here:

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 217.32.145.0 0
1 ADC 192.168.88.0/24 192.168.88.1 bridge1 0
2 ADC 217.32.145.0/32 86.185.99.131 pppoe-out 0
[admin@MikroTik] > /ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 55 13ms
1 8.8.8.8 56 55 13ms
sent=2 received=2 packet-loss=0% min-rtt=13ms avg-rtt=13ms max-rtt=13ms

[admin@MikroTik] > /interface pppoe-client print
Flags: X - disabled, R - running
0 name="pppoe-out" max-mtu=auto max-mru=auto mrru=disabled interface=ether1
user="bthomehub@btbroadband.com" password="*" profile=default keepalive-timeout=60
service-name="" ac-name="" add-default-route=yes default-route-distance=0 dial-on-demand=no
use-peer-dns=yes allow=pap,chap,mschap1,mschap2

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=icmp
1 chain=input action=accept connection-state=established
2 chain=input action=accept connection-state=related
3 chain=input action=drop in-interface=ether1 log=no log-prefix=""

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1

[admin@MikroTik] > /ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 55 20ms
1 8.8.8.8 56 55 18ms
2 8.8.8.8 56 55 20ms
sent=3 received=3 packet-loss=0% min-rtt=18ms avg-rtt=19ms max-rtt=20ms

[admin@MikroTik] > /ping www.google.com
SEQ HOST SIZE TTL TIME STATUS
0 209.85.203.104 56 43 28ms
1 209.85.203.104 56 43 28ms
2 209.85.203.104 56 43 28ms
sent=3 received=3 packet-loss=0% min-rtt=28ms avg-rtt=28ms max-rtt=28ms

Is there anything obviously wrong here? Or anything that'd be useful to see / setup to help diagnose further.

Thanks

Do U have NAT enabled for pppoe connection?


Отправлено с моего iPhone используя Tapatalk

Hi, I have this in the config:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

which I got from https://wiki.mikrotik.com/wiki/How_to_c ... Masquerade

Does this seem reasonable?

Thanks

Full config here:

/export
# mar/12/2017 13:42:05 by RouterOS 6.38.5
# software id = 6D1C-LP83
#
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 name=pppoe-out password=* \
use-peer-dns=yes user=xxx@xxx.xxx
/interface wireless
set [ find default-name=wlan1 ] country="united kingdom" mode=ap-bridge wireless-protocol=802.11
set [ find default-name=wlan2 ] country="united kingdom" mode=ap-bridge wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.0/24
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
/system clock
set time-zone-name=Europe/London
/system routerboard settings
set init-delay=0s
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=wlan2
add interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=wlan2
add interface=wlan1

Hi,

NAT rule should be applied to pppoe-out and not to ether1. When you connect via PPPOE to your ISP, pppoe-out is now your WAN interface not ether1 anymore. So that, any firewall rule you may write from now regarding wan interface should use pppoe-out and not ether1.

Into IP -> Firewall -> NAT tab change out interface from ether1 to pppoe-out.
to Hope it helps.

kind regards,

Awesome! That does the trick. Thank you for the help here, much appreciated.
mrzipf

You did change this as well, didn't you?

/ip firewall filter
add action=drop chain=input in-interface=pppoe-out

Thanks for flagging this, I've got that as #0 rule now.

It's been great getting all the help here today, everyone's input has been super helpful. There's a bit of a steep learning curve with the gear, but I'm pretty excited about it.

Best regards
mrzipf