MikroTik

Posted: **Fri Feb 25, 2011 5:35 pm**

Hi

I'm trying to setup home network. I'm using 750g as the router for xDSL. I have setup PPPoE on 750g. This is working and I can see the connection is established. What I can't do is get this connection available for computers on the LAN, connected to 750g. I was reading various posts on this forum and some suggest to create bridge, some to create nat masquerade. I've tried all but no luck...

Can someone give me more specific instructions? I'm completely new to this level of networking so detailed instructions are welcome

Posted: **Fri Feb 25, 2011 8:42 pm**

Post the output of "/ip address print detail", "/ip route print detail", "/interface print", and "/ip firewall export"

Posted: **Fri Feb 25, 2011 8:50 pm**

Ok, here it is:

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255 interface=bridge1 
     actual-interface=bridge1

[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10

[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                                            TYPE             MTU   L2MTU
 0     ether1-gateway                                                  ether            1500  1524 
 1  R  ether2-local-master                                             ether            1500  1524 
 2     ether3-local-slave                                              ether            1500  1524 
 3     ether4-local-slave                                              ether            1500  1524 
 4  R  ether5-local-slave                                              ether            1500  1524 
 5  R  bridge1                                                         bridge           1500  1524 
 6     pppoe-siol                                                      pppoe-out

[admin@MikroTik] > /ip firewall export
# jan/02/1970 01:02:36 by RouterOS 4.11
# software id = WY86-EVIY
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established \
    disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related disabled=\
    no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=\
    pppoe-siol
add action=masquerade chain=srcnat comment="" disabled=no out-interface=pppoe-siol
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Regards, Tom

Posted: **Fri Feb 25, 2011 10:14 pm**

Why are you bridging stuff?

Posted: **Fri Feb 25, 2011 10:22 pm**

I have been trying all sorts of things - I read in this forum in several topics that I need to bridge, so I tried that. I also tried changing NAT rules, but didn't work it out. For each thing I reset router to factory settings (reset-configuration command) and started from there. My output reflects the last stuff I tried. If bridge is not needed, than I'm happy to reset once again and do it properly - but need directions as to what to do and how

Thanks, Tom

Posted: **Fri Feb 25, 2011 10:58 pm**

I see.

Reset to factory defaults, then connect via Winbox by MAC address (important! You're going to remove IP addresses further down, so you MUST connect via MAC address). The below is all text format configuration, so click the Terminal button and copy/paste the commands in.

Then run this to clean up the default interface configuration:

/ip address remove [/ip address find]
/ip dhcp-client remove [/ip dhcp-client remove]

Then add your PPPoE client to ether1-gateway, this interface then plugs into your modem. Replace your username and password for the service:

/interface pppoe-client
add interface=ether1-gateway user=user password=passwd disabled=no add-default-route=yes use-peer-dns=yes name=pppoe-ether1

Then configure an IP address for your LAN, make the DNS caching resolver available, and configure a DHCP server for the LAN. This assumes a LAN of 192.168.0.0/24. Replace all references as required if you need different IP addressing:

/ip address
add address=192.168.0.1/24 interface=ether2-local-master
/ip dns
set allow-remote-requests=yes
/ip pool
add name=DHCP-Pool ranges=192.168.0.100-192.168.0.254 disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.1 disabled=no
/ip dhcp-server
add authoritative=yes disabled=no interface=ether2-local-master lease-time=1d address-pool=DHCP=Pool

And then finally configure NAT for the LAN network out the PPPoE interface:

/ip firewall nat
add chain=src-nat out-interface=pppoe-ether1 action=masquerade

Some firewalling is probably a good idea:

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether2-local-master action=accept
add chain=input action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2-local-master action=accept
add chain=forward action=drop

That should do it. If you need to forward ports for services available from the WAN, here an example of forwarding port tcp/80 to an inside machine at 192.168.0.10:

/ip firewall nat
add chain=dst-nat in-interface=pppoe-ether1 protocol=tcp dst-port=80 action=dstnat to-address=192.168.0.10

Then you also need to make a firewall rule permitting that traffic:

/ip firewall filter
add chain=forward protocol=tcp dst-port=80 dst-address=192.168.0.10 action=accept

And then move that rule above the default drop rule in the forward chain.

Hope that helps.

Posted: **Sat Feb 26, 2011 4:22 am**

Some firewalling is probably a good idea:

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether2-local-master action=accept
add chain=input action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2-local-master action=accept
add chain=forward action=drop

Can you explain why do you use the rule

add chain=input connection-state=invalid action=drop

before the rule

add chain=input action=drop

? I think it's redundant.

Posted: **Sat Feb 26, 2011 4:36 am**

It stops invalid packets from entering the router (or traversing the router in the forward chain) even if they're sourced from behind the ether2-master-local interface.

Posted: **Sat Feb 26, 2011 10:33 am**

Thanks a lot, this made it! I can now get internet on my LAN!

Thanks again!

MikroTik

750g PPPoE to LAN

750g PPPoE to LAN

Re: 750g PPPoE to LAN

Re: 750g PPPoE to LAN

Re: 750g PPPoE to LAN

Re: 750g PPPoE to LAN

Re: 750g PPPoE to LAN

Re: 750g PPPoE to LAN

Re: 750g PPPoE to LAN

Re: 750g PPPoE to LAN