在基本设置工作时遇到了麻烦。

WesleyBidsnipes · Wed Oct 05, 2022 10:54 pm

I have a new CCR2004-16g-2s+ and two Cap ACs.

After finally managing to connect to it with Winbox, I first ran this command:

/system reset-configuration no-defaults=yes skip-backup=yes

Then, I ran commands similar tothose found here. The only notable differences being that I chose 192.168.144.0/21 as my network. A dhcp client is set up for ether1, a dhcp server is set up for bridge and both of these work... if my cable modem is plugged into ether1, it gets an IP address from the ISP. If a computer is plugged into any of the other ports, they'll get a 192.68.144.x address.

Then, I (somehow) managed to get Capsman working correctly after several false starts. I can connect to the ssid, and I get 192.168.144.x addresses with those as well.

But this isn't currently usable yet. I've tried to set up NAT, and I think it should be rather simple right now... my requirements are pretty minimal. I think (but am uncertain) that it should be a single firewall rule like so:

/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

I do remember that this isn't the exact same command I had written (I was working off some other copy of this... it even spelled masquerade wrong, and I was confused about that until I counted over 71 characters to where the misspelling was indicated as a syntax error). In particular, I think the position of out-interface and action were switched so that the former was the last part, like so:

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

Should that matter? When I use the UI rather than the terminal, it seems to have liked the command just fine. But when I switch over to my new Mikrotik router, I have no internet connection through it. In the tutorial I was working from, it suggested that the connection tracking table needed to be nuked, but gave no explicit commands for this... I eventually found a set of 3 commands that basically did something like "tracking enabled=no; delay 5; tracking enabled=yes". The tracking table (forget where I found it in Winbox) did indeed clear out, and then eventually fill back up. This did not change my connectivity problems.

It's difficult because once I cut over to this router, I no longer have internet to try to troubleshoot with and have to go about hooking back up my old router again. I intend to post the configuration dump in a few hours when I'm off work and have can do so. But I was hoping that in the meantime my description of the steps I've taken might make it obvious that I've left something out. Thanks in advance.

anav · Wed Oct 05, 2022 11:23 pm

I would forget capsman for now until you understand the config and are successful in more basic functionality.
a. setting up decent firewall rules
b. setting up vlans for the network (assuming your capac will have at least two if not more vlans running on them (guest, iot, home wireless networks),
c. setting up capacs as basic AP/switches (dirt simple).

viewtopic.php?t=182373

loloski · Wed Oct 05, 2022 11:30 pm

for a start change this 192.168.144.0/21 into 192.168.144.0/24 because /21 is too big for you and will make a lot of broadcast and noise unnecessarily

Buckeye · Thu Oct 06, 2022 3:22 am

The size of the network mask does not cause more broadcast itself. It just allows for more hosts, which can then lead to more broadcasts.

If you have 100 hosts, and the only thing that is different is the use of /24 vs /21, the number of broadcasts will be the same in both cases.

At least I can't think of a reason why a /21 would increase broadcast for the same number of hosts.

Buckeye · Thu Oct 06, 2022 3:48 am

It's difficult because once I cut over to this router, I no longer have internet to try to troubleshoot with and have to go about hooking back up my old router again. I intend to post the configuration dump in a few hours when I'm off work and have can do so. But I was hoping that in the meantime my description of the steps I've taken might make it obvious that I've left something out. Thanks in advance.

My suggestion would be to play with the new router in a double nat situation until you get things working as you expect. If your current router uses the 192.168.144.0/21 subnet for its LAN, then you will need to use something different on the MikroTik's LAN, since the MikroTik will be obtaining its "internet" connection from your existing router. Think of your existing router as the ISP for the MikroTik.

There are several advantages to doing this while you are learning.

You will still have internet access while you are learning in the "lab" environment. This is one of the biggest advantages, especially if other people are using the internet, they can continue without any interruption.

从网上你会保护你的前任isting router, in case you don't have your "internet" firewall rules set up correctly.

You will be able to test the internet firewall on the MikroTik from a device on the "outer" LAN.

You will not be as afraid of playing around and making mistakes. Playing around, breaking things, and then troubleshooting them is a requirement for learning.

WesleyBidsnipes · Thu Oct 06, 2022 8:29 am

My configuration is currently:

# oct/06/2022 00:17:15 by RouterOS 7.4.1
# software id = XZ53-XF2N
#
# model = CCR2004-16G-2S+
# serial number = HD4080D6NC2
/interface bridge
add name=local
/caps-man configuration
add datapath.bridge=local name=Home-1.0 security.authentication-types=wpa-psk,wpa2-psk ssid=Fatline
/接口无线安全性配置文件
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.144.128/26
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local lease-time=30m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether6
add disabled=no interface=ether8
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Home-1.0
/interface bridge port
add bridge=local interface=ether10
/ip firewall connection tracking
set enabled=yes
/ip address
add address=192.168.144.1/21 interface=local network=192.168.144.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.144.0/21 gateway=192.168.144.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.144.0/21
/system clock
set time-zone-name=America/Chicago

Other than my questionable choice of a subnet, most of the pieces are in place I think. I'm not sure what's missing/wrong.

Since Buckeye pointed it out, I will say that my old router is using 192.168.88.x. I was a little surprised that this is the default network Mikrotik uses, since I chose that years ago for a consumer Netgear router that's now either in a landfill or at the bottom of a closet.

If double-NAT is supposed to be easy, I must not be very bright... before I realized it, I had it doing some routing loop and had to reboot my consumer router even after unplugging cables... the Mikrtotik recovered nicely as soon as patch cables were plugged in sanely again.

Buckeye · Thu Oct 06, 2022 11:39 am

If double-NAT is supposed to be easy, I must not be very bright... before I realized it, I had it doing some routing loop and had to reboot my consumer router even after unplugging cables... the Mikrtotik recovered nicely as soon as patch cables were plugged in sanely again.

你做need the nat masquerade on the CCR2004 for ether1 (the internet connection). You have no firewall, so it should not be connected to internet. If you did, and didn't have a password set, you may want to export your config to a file, use winbox to copy to pc., then do a netinstall to known clean factory default.

This is what I mean by double nat "lab setup". Your existing router's LAN and dhcp server will act as the ISP connection for the CCR2004. In other word connect CCR2004 ether1 to one of your existing router's LAN ports, then the CCR2004 should get an ip address in 192.168.88.0/24 (if that is what your current network is set to). Devices that then get connected to the CCR LAN would get an address from the CCR2004's dhcp.

double router lab.drawio.png

If the CCR2004 has a quick set, you could also use this to get an initial config (after resetting to empty config, or using netinstall). It is a setup similar to a consumer router, but I am not sure that "simple setup" is included with a Business class router like the CCR2004.

Or see @anav'sNew User Pathway To Config Successwhich has pointers to useful resources.

WesleyBidsnipes · Fri Oct 07, 2022 8:14 am

@Buckeye I did have a password set.

It has been a long time since I've used iptables on linux, and I was never very good anyway. Is there a link to a good basic set of firewall rules out there? I need nothing at the moment... I've had port forwarding set up in the past, but if that's been used even once in the past year I can't remember it.

I've also managed to get the double-NAT working, I'm using it now in fact. I notice that when I have it plugged into the the old router, it adds a line in Routing->Nexthops like so:

R ip4 192.168.88.1 30 10 none 192.168.88.1%ether1 1 "some-large-integer" 0 "another-large-int"

There are of course a few other lines related to the bridge, to ether1, and to the ports I have my Caps plugged into. When I have the Mikrotik plugged directly into the cable modem, those lines are present as well, but no nexthop for the ISP's gateway. I don't know if this means I screwed up the dhcp client, if my ISP just has their dhcp server configured poorly, or something else entirely.

If anyone can offer advice or even just a hint, I do want to learn this but I've got to get over this hump first.

Buckeye · Fri Oct 07, 2022 11:22 am

Is there a link to a good basic set of firewall rules out there?

See Paragraph B of @anav'sNew User Pathway To Config Successand there is a section about firewalls in the ROS documentation that startshere

ROS firewall.png

I've also managed to get the double-NAT working, I'm using it now in fact. I notice that when I have it plugged into the the old router, it adds a line in Routing->Nexthops like so:
Code:Select all
R ip4 192.168.88.1 30 10 none 192.168.88.1%ether1 1 "some-large-integer" 0 "another-large-int"

I think/ip route printis more useful in your case. It will show any default route (DAd) and and connected routes (DAc), if you have static routes they will show up as ( As). D dynamic, A active, d default, s static, c connected. (a connected route is a route automatically created for an address/mask on an interface, e.g. the interface with address 192.168.144.1/21 will have a connected route for 192.168.144.0/21.

Here's what my lab router looks like. It is abnormal because I have three interfaces with dhcp clients. I would expect you to have only one default route that would start with DAd + 0.0.0.0/0, and it would expect it to look like DAd + 0.0.0.0/0 192.168.88.1 1

[demo@MikroTik] > ip route print Flags: D - DYNAMIC; I, A - ACTIVE; c, s, d, y - COPY; H - HW-OFFLOADED; + - ECMP Columns: DST-ADDRESS, GATEWAY, DISTANCE # DST-ADDRESS GATEWAY DISTANCE DAd + 0.0.0.0/0 192.168.249.1 1 DAd + 0.0.0.0/0 192.168.241.1 1 DAd + 0.0.0.0/0 192.168.101.1 1 DAc 192.168.88.0/24 BR-SW 0 DIcH 192.168.89.0/24 ether5-off_bridge_wrk 0 DAc 192.168.99.1/32 loopback 0 DAc 192.168.101.0/24 ether1-WAN 0 DAc 192.168.241.0/24 vlan241 0 0 As 192.168.247.0/24 192.168.241.1 1 DAc 192.168.249.0/24 vlan10 0

在基本设置工作时遇到了麻烦。

在基本设置工作时遇到了麻烦。

Re: Having trouble getting basic setup working.

Re: Having trouble getting basic setup working.

Re: Having trouble getting basic setup working.

Re: Having trouble getting basic setup working.

Re: Having trouble getting basic setup working.

Re: Having trouble getting basic setup working.

Re: Having trouble getting basic setup working.

Re: Having trouble getting basic setup working.

Who is online