FixPedia
OtherHigh

MikroTik: No Internet — Causes and Fixes

This article details the common issue of no internet access on MikroTik routers. Learn the main failure causes and get step-by-step instructions to fix them, starting from simple cable checks up to firewall rule configuration.

Updated at February 17, 2026
15-30 minutes
Medium
FixPedia Team
Применимо к:MikroTik RouterOS v6.45+MikroTik RouterOS v7.xCCR, RB, hAP series

What the "No Internet" Error Means on MikroTik

The "no internet" error on a MikroTik router means that devices on the local network (and often the router itself) cannot establish a connection to resources outside your local network. Symptoms:

  • Websites do not load, even though Wi-Fi/LAN connections are active.
  • On the WAN interface (e.g., ether1) in the status, there is no letter R (Running).
  • The default route (0.0.0.0/0) is missing or incorrect in the routing table (/ip route).
  • The router does not receive an IP address from the provider (for DHCP/PPPoE).
  • The ping 8.8.8.8 command from the router or a client fails.

The problem is at the network (L3) layer or higher and is related to routing settings, address translation (NAT), or traffic filtering.

Common Causes

  1. Physical link or WAN interface settings.
    • Cable break or poor contact (twisted pair, fiber optic).
    • Incorrect connection type from the provider (DHCP, PPPoE, static IP) or incorrectly specified credentials (login/password for PPPoE).
    • Missing or incorrect VLAN configuration if the provider uses tagging.
    • Faulty SFP module or optical transceiver.
  2. Missing or incorrect default route.
    • The 0.0.0.0/0 route was not added automatically (e.g., when using a static IP) and is missing manually.
    • The gateway in the route is specified incorrectly or is unreachable.
  3. NAT (Masquerade) is not configured or is misconfigured.
    • There is no rule in the srcnat chain with masquerade action to translate private IP addresses from the local network to the public IP address of the WAN interface.
    • A NAT rule exists, but the out-interface or src-address is specified incorrectly.
  4. Traffic blocking by the firewall.
    • Rules in the forward, input, or output chains block outgoing traffic from the local network (forward) or responses from external servers (input).
    • Connection tracking or stateful inspection is configured incorrectly.
  5. DNS resolution issues.
    • DNS servers are not specified in the router's settings (/ip dns).
    • The specified DNS servers are unreachable or blocked.
    • Incorrect DNS addresses are distributed to clients via the DHCP server.
  6. Blocking by the provider.
    • The provider has locked the MAC address of your previous device (router/computer). MAC address cloning is required in the WAN interface settings (/interface ethernet set [find] mac-address=XX:XX:XX:XX:XX:XX).
    • Unpaid bill or maintenance on the provider's side.

Troubleshooting Methods

Method 1: Check Physical Layer and Basic WAN Settings

Start with the simplest steps to rule out cable and configuration errors at the interface level.

  1. Check the indicators on the router and the provider's switch/modem. The WAN port (ether1 or another) should have a green/yellow light (Link/Activity).
  2. In WinBox/WebFig or via CLI, execute: 
    /interface print
    Find your WAN interface (usually ether1, sfp1, or pppoe-out1). Ensure that in the status column it shows R (running), and in the disabled column it shows no.
  3. Check if an IP address was obtained.
    • For DHCP/PPPoE: in the same interface row, in the actual-interface or running column, an IP address should be displayed (e.g., 192.168.100.5).
    • For static IP: check the interface settings (/interface ethernet set [find name=ether1]). Ensure address is filled correctly (IP/mask, e.g., 10.0.0.2/24).
  4. If the status is not R:
    • Reboot the router and the provider's equipment.
    • Try a different cable or port on the switch.
    • For PPPoE, check the logs: /log print where topics=ppp. An authentication error is possible.

Method 2: Check and Add the Default Route

If the interface has an IP address but the route is missing, traffic has no path to follow.

  1. View current routes: 
    /ip route print
    Look for a line with dst-address=0.0.0.0/0. If it's not there — the route is missing.
  2. Determine the gateway. Usually, it's the IP address in the same network as your WAN address, but not the same. Often it's .1 or .254. For example, if your WAN address is 192.168.100.5/24, the gateway is likely 192.168.100.1.
    • Option A (if the provider gave you the gateway): Add the route manually: 
      /ip route add dst-address=0.0.0.0/0 gateway=192.168.100.1
      (replace 192.168.100.1 with your gateway).
    • Option B (if using DHCP/PPPoE): The route should be added automatically. If it's missing, the provider might not be sending it. In this case, try adding it manually, specifying the gateway you see in the interface settings (often the provider's router address).
  3. After adding, check gateway reachability: 
    ping address=192.168.100.1
    If the ping fails, the problem is at the link layer (Method 1) or the gateway is incorrect.

Method 3: Check and Configure NAT (Masquerade)

NAT allows devices on your local network (e.g., 192.168.88.0/24) to use a single public IP address to access the internet.

  1. Check for a NAT rule: 
    /ip firewall nat print
    Look for a rule in the srcnat chain with masquerade action. Example of a correct rule: 
    #   CHAIN SRC-ADDRESS DST-ADDRESS OUT-INTERFACE ACTION
0   srcnat  192.168.88.0/24  masquerade
    Pay attention to the fields:
    • chain: must be srcnat.
    • src-address: your local network range (e.g., 192.168.88.0/24).
    • action: masquerade.
    • out-interface: must be the name of your WAN interface (e.g., ether1). In modern RouterOS versions, this field can be empty if the rule applies to all outgoing interfaces.
  2. If the rule is missing or out-interface is incorrect, create it: 
    /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
    (replace ether1 with your WAN interface name).
  3. Important: The NAT rule must be above (have a lower number in the list) than any drop rules in the forward chain.

Method 4: Diagnose and Configure Firewall

Incorrect firewall rules are one of the most common causes.

  1. Temporarily disable the entire firewall for diagnosis: 
    /ip firewall set [find] disabled=yes
    Try accessing a website from a client. If the internet starts working — the problem is definitely in the firewall.
  2. Re-enable the firewall:
    /ip firewall set [find] disabled=no
  3. Check the forward chain. This is the main chain for traffic between networks (LAN -> WAN and back). Ensure there is a rule allowing established/related connections: 
    /ip firewall filter print where chain=forward
    Usually, this is a rule with action=accept and connection-state=established,related. This should be sufficient for internet access.
  4. Check the input chain. If you are testing access to the router itself from the local network (e.g., ping from a client to the router's IP), ensure there is a rule in input allowing ICMP (ping) or all traffic from your LAN network.
  5. If you have custom rules, temporarily move them down the list or disable them (set ... disabled=yes), leaving only the basic ones (accept established/related, accept from LAN to router).

Method 5: Check DNS and Test by IP

Sometimes the internet is working, but it fails due to name resolution issues.

  1. Check the router's DNS settings: 
    /ip dns print
    Working DNS servers should be specified (e.g., servers=8.8.8.8,1.1.1.1). If the field is empty or contains local, non-working addresses — add them: 
    /ip dns set servers=8.8.8.8,1.1.1.1
  2. Check if the router resolves names: 
    /tool dns query address=google.com
    If the command returns an IP address — DNS is working.
  3. Key test: ping by IP address. From the router or a client, execute: 
    ping 8.8.8.8
    • If the ping works but websites don't load — the problem is almost 100% DNS. Configure DNS on the router and/or on clients (specify DNS servers in network settings, e.g., 8.8.8.8).
    • If the ping fails — the problem is with routing, NAT, or blocking. Go back to Methods 2, 3, 4.

Prevention

  • Document changes. Before making any complex firewall or NAT rules, export the configuration (/export file=backup) or use configuration scripts.
  • Use tags and comments. Comment (#) every rule in the firewall and NAT, explaining its purpose. This will simplify future diagnostics.
  • Start with a simple configuration. When setting up "from scratch," first verify that basic internet access works (interface, route, NAT), and only then add complex filtering rules.
  • Keep RouterOS updated regularly. Many network bugs and vulnerabilities are fixed in updates.
  • Monitor logs. Enable logging for important subsystems: /log add topics=ppp,firewall,dhcp. This will help quickly see where traffic is being blocked or where an error occurs.
  • Check provider settings. When changing tariffs or provider equipment (e.g., switching from DHCP to PPPoE), be sure to update the WAN interface settings on the router.

F.A.Q.

Why does my MikroTik have Wi-Fi but no internet?
What to do if the WAN interface has no 'R' (running) status?
Can lack of internet be related to DNS?

Hints

Check physical connection and interface status
Check routing table
Check NAT (Masquerade) settings
Temporarily disable firewall for diagnostics
Check DNS settings
Test connection to external IP

Did this article help you solve the problem?

FixPedia

Free encyclopedia for fixing errors. Step-by-step guides for Windows, Linux, macOS and more.

© 2026 FixPedia. All materials are available for free.

Made with for the community