Postal8558
just joined
Topic Author
Posts: 4
Joined: Sun Jun 18, 2023 6:59 am

Stuck no internet on CRS326 behind RB4011

Tue Mar 12, 2024 4:49 am

Hello, I was hoping I could get some help from the more experienced users here.

I have had an RB4011 for a few years now as a router, currently have some unmanaged switches downstream working fine. Recently acquired a CRS326 and it looks like the RB4011 is just dropping the packets.
I am able to connect via winbox from my desktop hardwired to the RB4011 into the CRS326
ping 8.8.8.8 , ping google.com , and ping my.gateway.ip all timeout on the CRS326 terminal
From the RB4011 side using torch, I see the packets coming in from the CRS326


CRS326 Config:
# jan/04/1970 22:49:00 by RouterOS 6.49.8
# software id = **ELIDED**
#
# model = CRS326-24G-2S+
# serial number = **ELIDED**
/interface bridge
add name=bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus1
/interface list member
add interface=bridge list=LAN
/ip dhcp-client
add disabled=no interface=bridge
/ip dns
set allow-remote-requests=yes
/system identity
set name="MikroTik CRS326"
/system routerboard settings
set boot-os=router-os

RB4011 config:
# 2024-03-10 05:08:48 by RouterOS 7.12.1
# software id = **ELIDED**
#
# model = RB4011iGS+
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] l2mtu=1592
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.176.2-192.168.176.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 pvid=8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.176.1/24 comment=defconf interface=ether2 network=\
    192.168.176.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.176.0/24 comment=defconf gateway=192.168.176.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=400 \
    max-concurrent-tcp-sessions=400 use-doh-server=https://1.1.1.1/dns-query
/ip firewall address-list
add address=192.168.176.2-192.168.176.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
/ip firewall filter
add action=drop chain=input comment="drop netbios 137" disabled=yes dst-port=137 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix=!frLAN_INPUT
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INVALID_INPUT
add action=drop chain=forward comment="Drop netbios 137" disabled=yes dst-port=137 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept incoming natted connections" connection-nat-state=dstnat connection-state=established,related,new,untracked in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=invalidForward
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address=!192.168.176.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall mangle
add action=log chain=prerouting connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.176.0/24,192.168.88.0/24 disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp interfaces
add interface=ether1 type=external
/routing bfd configuration
add disabled=no
/system note
set show-at-login=no
/system resource irq rps
set sfp-sfpplus1 disabled=no
Last edited by tangent on Tue Mar 12, 2024 5:08 am, edited 1 time in total.
Reason: Elided PII; split configs into two code blocks
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: Stuck no internet on CRS326 behind RB4011

Tue Mar 12, 2024 5:23 am

/interface list add name=WAN

You can drop that. Nothing refers to it.

/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik

You can get rid of that flotsam by upgrading to 7.13+.

/ip dns set allow-remote-requests=yes

You aren't running a DNS server on the switch. Nuke it.

/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/interface ovpn-server server set auth=sha1,md5

More flotsam, easily removed.

/ip address add address=192.168.176.1/24 comment=defconf interface=ether2 network=192.168.176.0

Here's your actual problem. Put that on the bridge, not on a single interface.

/ip dhcp-server network add address=192.168.176.0/24 comment=defconf gateway=192.168.176.1 netmask=24
/ip dns set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=400 max-concurrent-tcp-sessions=400 use-doh-server=https://1.1.1.1/dns-query

If you're going to provide DHCP and DNS service locally, the DHCP server should advertise your DNS server.
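
The check this reply points to, as an added example that is not part of the original thread or of MikroTik's tooling: a small Python linter that reads RouterOS `/export` text and flags any `/ip address` entry bound to a port that is a member of a bridge. The sample is a trimmed excerpt of the RB4011 export posted above; the function names are hypothetical.

```python
import shlex

# Constructed sample: trimmed excerpt of the RB4011 export posted in this thread.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
/ip address
add address=192.168.176.1/24 comment=defconf interface=ether2 network=\
    192.168.176.0
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
"""

def parse_export(text):
    """Yield (section, verb, params) for each command in a RouterOS export."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith("/"):  # section header such as "/ip address"
            section = line
            continue
        tokens = shlex.split(line)  # honours quoted values like comment="a b"
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        yield section, tokens[0], params

def addresses_on_bridge_ports(text):
    """Return one finding per /ip address entry bound to a bridge member port."""
    port_to_bridge, addresses = {}, []
    for section, verb, p in parse_export(text):
        if verb != "add" or p.get("disabled") == "yes":
            continue
        if section == "/interface bridge port":
            port_to_bridge[p["interface"]] = p["bridge"]
        elif section == "/ip address":
            addresses.append((p["address"], p["interface"]))
    # Report after the whole file is read, so section order does not matter.
    return [{"address": a, "interface": i, "move_to": port_to_bridge[i]}
            for a, i in addresses if i in port_to_bridge]

if __name__ == "__main__":
    for f in addresses_on_bridge_ports(SAMPLE_EXPORT):
        print(f"{f['address']} is on bridge port {f['interface']}; "
              f"assign it to {f['move_to']} instead")
```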
 
Postal8558
just joined
Topic Author
Posts: 4
Joined: Sun Jun 18, 2023 6:59 am

Re: Stuck no internet on CRS326 behind RB4011

Tue Mar 12, 2024 6:59 am

Thank you for your feedback. I implemented your suggestions.

I plugged a laptop into the CRS 326 and it was able to reach the internet
ping 8.8.8.8
ping 192.168.176.1 (my gateway)
ping google.com
All succeeded and internet is working as expected

However in my winbox session, in the CRS 326 terminal, all those commands are timing out :-?
I am able to reach other devices in my LAN
[xxxxx@MikroTik CRS326] > ping 192.168.176.1
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                       
    0 192.168.176.1                                           timeout                                                                      
    1 192.168.176.1                                           timeout                                                                      
    sent=2 received=0 packet-loss=100% 

[xxxxx@MikroTik CRS326] > ping 8.8.8.8
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                       
    0 8.8.8.8                                                 timeout                                                                      
    1 8.8.8.8                                                 timeout                                                                      
    sent=2 received=0 packet-loss=100% 

[xxxxx@MikroTik CRS326] > ping google.com
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: could not get answer from dns server

[xxxxx@MikroTik CRS326] > ping 192.168.176.202
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 192.168.176.202                            56  64 0ms  
    1 192.168.176.202                            56  64 0ms  
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: Stuck no internet on CRS326 behind RB4011

Tue Mar 12, 2024 8:07 am

It sounds like you’re running on the same stale DHCP config on the switch, from before you fixed things. Presuming you don’t want to wait out the bad DHCP lease, you can restart the switch.

It will work for the same reason your laptop now works.
 
Postal8558
just joined
Topic Author
Posts: 4
Joined: Sun Jun 18, 2023 6:59 am

Re: Stuck no internet on CRS326 behind RB4011

Wed Mar 13, 2024 3:42 am

Thanks for your help!

Restarting the CRS 326 and RB 4011 a few times unfortunately did not resolve the issue. Maybe the bad leases persisted through reboots? I found 2 other LAN clients where the ping timed out from the client to the RB4011 and also timed out in the other direction from the RB4011 to those clients.

What finally fixed the issue for me is:
In the DHCP leases page in Router OS on the RB4011, remove the assigned IP from the clients having issues including the CRS326 and reassign a new IP. After I did that one by one I was able to ping bidirectionally and everything had internet access including the CRS 326 terminal :-D
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: Stuck no internet on CRS326 behind RB4011

Wed Mar 13, 2024 3:52 am

Maybe the bad leases persisted through reboots?

Sure; the RouterOS DHCP server does indeed remember what it assigned previously, so that persistent clients can keep getting the same assignments as long as they keep renewing their leases on time. I just didn't think it would reapply prior bad configurations, only the parts that remained valid under the new configuration. That's why I didn't suggest removing the old leases and forcing them to be regenerated.

Now we both know different. 🤓
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Stuck no internet on CRS326 behind RB4011

Wed Mar 13, 2024 3:57 am

Is there a general flush all DHCP leases setting??
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: Stuck no internet on CRS326 behind RB4011

Wed Mar 13, 2024 5:22 am

/ip/dhcp-server/lease/remove [find where dynamic]

Bewm! Badness-be-gone.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Stuck no internet on CRS326 behind RB4011

Wed Mar 13, 2024 5:37 pm

Can I assume this will also work then?
............
/ip/dhcp-server/lease/remove [find where static]
 
tangent
Forum Guru
Posts: 1406
Joined: Thu Jul 01, 2021 3:15 pm

Re: Stuck no internet on CRS326 behind RB4011

Wed Mar 13, 2024 11:18 pm

Sure, it will run, but it destroys the admin’s hand-assigned static reservations. If they’re wrong, they need to be fixed by hand, not destroyed.

That’s why I didn’t write an unqualified “[find]”.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Stuck no internet on CRS326 behind RB4011

Thu Mar 14, 2024 2:25 am

Yes I am the admin and wish to eliminate them LOL.........
 
Postal8558
just joined
Topic Author
Posts: 4
Joined: Sun Jun 18, 2023 6:59 am

Re: Stuck no internet on CRS326 behind RB4011  [SOLVED]

Tue Apr 16, 2024 4:38 am

Update, so it happened again today. But I finally figured it out. The problem is that under IP -> ARP, you have to make sure that the MAC is not bound to the old / wrong IP in the ARP list.

I was trying to set a static IP to a new machine that was statically set for a different machine previously. I did it in the DHCP leases list. This allowed me to SSH into the new machine, but the new machine could not ping out into the internet. Eventually I stumbled into the ARP list; when I removed the old machine assignment there and added the new one, I was able to connect to the internet again.

I guess the ARP list doesn't refresh often even after restart.
