Cannot ping default gateway on one of WAN interfaces

Hello Guys,

I have a problem with my config. My WAN interface Eth2 is not working at all. This interface is connected to a Tp-Link router provided by my ISP, I do not have access to this router and it cannot be put in the bridge mode. I have configured eth2 to take configuration over DHCP from Tp-Link. It gets the IP, default gateway and all seems to be good. But I cannot even ping the default gateway. I have tried everything and I don’t really understand why it’s not working. I tried “disabling” firewall, putting different routes and nothing works. I have the same configuration on my eth3 port with different ISP and it works flawlessly.

So in summary, I am trying to connect it like this:
Mikrotik Eth1 <-------> ISP1 <-------> Internet
Mikrotik Eth2 192.168.11.100 (received from DHCP) <-----------> Tp Link’s default gateway (192.168.11.1) <--------------------> Internet
Mikrotik Eth3 <-------> ISP3 <------> Internet

And I’m stuck on timeouts when trying to ping from Eth2 to the default gateway. Could you suggest what might be wrong with my config, please?

Here is my config, if something is missing or unclear, please let me know. (I have changed the IP addresses from my real ones and removed all comments and Mac addresses)

RouterOS 7.16
# model = RB760iGS

/interface bridge
add admin-mac=X auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short

/interface ethernet
set [ find default-name=ether1 ] comment= mac-address=
set [ find default-name=ether2 ] comment= loop-protect=off \
    mac-address=X
set [ find default-name=ether3 ] comment=
set [ find default-name=ether4 ] comment=
set [ find default-name=ether5 ] comment=
set [ find default-name=sfp1 ] comment="not connected" disabled=yes

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp ranges=192.168.60.31-192.168.60.99
add name=ike2-pool ranges=192.168.70.2-192.168.70.254

/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf

/routing table
add comment="routing via secondary ISP" disabled=no fib name=secondary-isp

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10

/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=*46 tagged=ether5 untagged=ether1,ether2,ether3,ether4 vlan-ids=""
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=x interface=ether1 list=WAN
add comment=x interface=ether2 list=WAN
add disabled=yes interface=x list=WAN
add comment=x interface=ether3 list=WAN

/ip address
add address=192.168.60.217/24 comment=defconf interface=bridge network=\
    192.168.60.0
/ip dhcp-client
add comment= interface=ether1
add comment= default-route-distance=20 interface=ether3
add comment= default-route-distance=10 interface=ether2
/ip dhcp-server lease
add address=192.168.60.200 comment="" dhcp-option="" \
    mac-address=
add address=192.168.60.201 comment="" dhcp-option="" \
    mac-address=
add address=192.168.60.203 comment="" \
    mac-address=X
add address=192.168.60.207 mac-address=X
add address=192.168.60.209 client-id=X comment=\
    "" mac-address=X
add address=192.168.60.204 comment="" mac-address=\
    X
add address=192.168.60.202 comment="" mac-address=\
    X
/ip dhcp-server network
add address=192.168.60.0/24 comment=defconf dns-server=192.168.60.217 gateway=\
    192.168.60.217 netmask=24
/ip dns
set allow-remote-requests=yes servers=x
/ip dns static
add address=192.168.60.217 comment=defconf name=router.lan type=A
add address=x name=Cloud type=A
add address=x name=x type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
    dst-port=500,4500 protocol=udp
add action=accept chain=input src-address=x
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward out-interface-list=!LAN src-mac-address=\
    
add action=drop chain=forward out-interface-list=!LAN src-mac-address=\
    
add action=drop chain=forward out-interface-list=!LAN src-mac-address=\
    
add action=drop chain=forward out-interface-list=!LAN src-mac-address=\
    
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward protocol=ipsec-ah

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.105.1 \
    routing-table=secondary-isp suppress-hw-offload=no
add disabled=no distance=20 dst-address=0.0.0.0/0 gateway=192.168.11.1 \
    routing-table=secondary-isp suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.11.0/24 gateway=ether2 \
    routing-table=secondary-isp suppress-hw-offload=no

/routing rule
add action=lookup-only-in-table comment= disabled=no \
    src-address=x table=secondary-isp
add action=lookup-only-in-table comment= disabled=no \
    src-address=x table=secondary-isp

Well I suspect you have a plethora of issues.
Not the least is the fact that you have no VLANs, but have tried to add an unneeded /interface bridge vlan entry (which does show an error):

/interface bridge vlan
add bridge=*46 tagged=ether5 untagged=ether1,ether2,ether3,ether4 vlan-ids=""

Generally speaking, most folks avoid using detect internet, aka set it to NONE.

+++++++++++++++++++++++++++++++++++++++++++++++

Looking at your routes you have to make up your mind.
In dhcp client you have told the router to create default routes for ether2 and ether3
/ip dhcp-client
add comment= interface=ether1
add comment= default-route-distance=10 interface=ether2
add comment= default-route-distance=20 interface=ether3

Then in IP routes you attempt to define routes manually for ether2 and ether3.

/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.105.1 \
    routing-table=secondary-isp suppress-hw-offload=no
add disabled=no distance=20 dst-address=0.0.0.0/0 gateway=192.168.11.1 \
    routing-table=secondary-isp suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.11.0/24 gateway=ether2 \
    routing-table=secondary-isp suppress-hw-offload=no

But you are mixed up. Here you show ether2 with distance 1 and something else with 10…
Very confusing.
Suggest highly YOU REMOVE the create default route settings in IP DHCP Client, and make the routes manually.
Since it appears for at least two of the WANs, you have a fixed gateway IP…
You cannot use ether2 as a gateway IP in a route… it has to be an IP address… (unless wireguard interface or pppoe interface etc.).

MikroTik is funny with routes. In other brands you can specify different metrics and that applies to traffic traversing the router, but the router has access on all interfaces regardless. Tik isn’t like this, it looks at its own routing table, so your metric 20 interface isn’t getting used whilst metric 10 is about.

/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.105.1 \
    routing-table=secondary-isp suppress-hw-offload=no
add disabled=no distance=20 dst-address=0.0.0.0/0 gateway=192.168.11.1 \
    routing-table=secondary-isp suppress-hw-offload=no

In my dual WAN I use an exceptionally simple setup but it works so it can’t be stupid right? ether2 is my primary WAN and ether3 (not mentioned) is my backup. Primary is DHCP client with default route set to 1 and backup is manually set to 2. 1 drops and 2 takes over.

/ip route
add comment="4g route" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip dhcp-client
add interface=ether2_WAN_YOUFIBRE use-peer-dns=no use-peer-ntp=no

/ip dhcp-client/ print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE            USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS         
0 ether2_WAN_YOUFIBRE  no            yes                bound   REDACTED

First of all, thank you very much for even taking a look at my messy config.

That may be true but everything else works :unamused:

I was surprised to see this vlan entry when I was generating the config, so it’s either some leftover or maybe CapsMan put it there. Maybe unnecessarily I have omitted the CapsMan config. On Eth5 I have connected only a Mikrotik hap ac2 which acts as AP, and on Eth4 there is a CSS326 switch that connects all my LAN devices together. That’s why I put those two ports in a bridge, since they’re both LAN, meant to be one network. But I do not remember adding any VLAN config myself.

I have turned it off now, I forgot that exists to be honest.

I’m not sure what’s mixed up here. I use dynamic routes from DHCP and they work fine. The manual rules you mentioned are for different routing table and this routing table is used only by two devices. So it shouldn’t have effect on the rest of the traffic. As for the “ether2”, I have changed it to IP but again, this rule is only for a separate routing table.

Isn’t this exactly what I’m doing? :smiley: I just use dynamic routes from DHCP for it. I have it set up for 1, 10 and then 20 so it works the same. I just can’t get this one ISP to work correctly and I’m not sure why :confused:

The fact that you cannot ping the default gateway 192.168.11.1 may be caused by some funny setting of the TP-link, so first of all, what does /ip arp print where address=192.168.11.1 show? If nothing, run :ping 192.168.11.1 arp-ping=yes interface=ether2 and if you get responses, run the previous command again, it should show an ARP record now. Is that the case?

I would assume first that this is some funky config on the TpLink side, especially as they are using VLANs for sure to separate TV and internet ports. And to add some more information: when I connect my PC directly to the ISP’s TP Link, it works just fine. Also, I have tried to put interface ether2 on the bridge (just for testing) and then suddenly I am able to ping it from Mikrotik. It’s very strange to me. I will probably have to ask the ISP for some other connection method, removing this TP-Link router completely.

And answering your question, I have this in ARP when ether2 is set to WAN:

D 192.168.11.1 ether2 failed

And when I remove it from WAN and put on bridge, Mikrotik can ping it from bridge:

DC 192.168.11.1 xx:xx:xx:xx:xx:xx bridge reachable

Why have you configured the MAC address for ether2 manually? Does it not clash with another MAC address in the system? What is its first byte?

When you make ether2 a member port of the bridge, the MAC address of the bridge is used for IP traffic that goes via ether2.
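A small lint pass over a RouterOS export that catches the two leftovers this thread turned up: a manually overridden MAC on an ethernet port (checked against the bridge admin-mac for clashes, and by its first octet for the multicast bit 0x01 and the locally-administered bit 0x02, which is what "what is its first byte?" is asking about), and a `/interface bridge vlan` entry with an unresolved `*NN` bridge reference and empty vlan-ids. This is an added example, not code from the thread or from MikroTik; the export it runs on is constructed to mirror the poster's layout, with every MAC address made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample export: same layout as the thread's export, but every
# MAC address and the bridge admin-mac are invented for this example.
SAMPLE_EXPORT = """\
# model = RB760iGS
/interface bridge
add admin-mac=02:11:22:33:44:55 auto-mac=no comment=defconf name=bridge \\
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=
set [ find default-name=ether2 ] comment= loop-protect=off \\
    mac-address=02:11:22:33:44:55
set [ find default-name=ether3 ] comment= mac-address=01:00:5E:11:22:33
set [ find default-name=ether4 ] comment=
/interface bridge vlan
add bridge=*46 tagged=ether5 untagged=ether1,ether2,ether3,ether4 vlan-ids=""
/ip dhcp-client
add comment= default-route-distance=10 interface=ether2
"""

# key=value tokens; values are either double-quoted or a run of non-space chars
KV_RE = re.compile(r'([\w.-]+)=("[^"]*"|\S*)')


def parse_export(text):
    """Return (section, verb, params) for each add/set line of a RouterOS export.

    Backslash-continued lines are joined first.  The `[ find default-name=etherN ]`
    selector is picked up by the same key=value scan, so params["default-name"]
    names the port a `set` applies to.
    """
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        joined.append(buf + line)
        buf = ""
    section, entries = None, []
    for line in joined:
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        if verb not in ("add", "set"):
            continue
        params = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entries.append((section, verb, params))
    return entries


def mac_problems(mac):
    """Judge a MAC override by its first octet (IEEE 802 I/G and U/L bits)."""
    try:
        first = int(mac.split(":")[0], 16)
    except ValueError:
        return ["not a MAC address"]
    problems = []
    if first & 0x01:  # I/G bit: group address, never valid as a unicast source
        problems.append("multicast bit set: invalid as a unicast source, switches and peers may drop its frames")
    if first & 0x02:  # U/L bit: locally administered, typical of a cloned address
        problems.append("locally-administered bit set: looks like a cloned/spoofed address")
    return problems


def lint_export(text):
    """Flag leftover overrides of the kind that bit the poster in this thread."""
    findings = []
    macs = defaultdict(list)  # lower-cased MAC -> interfaces that carry it
    for section, verb, p in parse_export(text):
        if section == "/interface ethernet" and "mac-address" in p:
            name = p.get("default-name", "?")
            macs[p["mac-address"].lower()].append(name)
            findings.append(f"{name}: manual mac-address={p['mac-address']} overrides the factory MAC")
            for prob in mac_problems(p["mac-address"]):
                findings.append(f"{name}: {prob}")
        elif section == "/interface bridge" and p.get("auto-mac") == "no" and "admin-mac" in p:
            macs[p["admin-mac"].lower()].append(p.get("name", "bridge"))
        elif section == "/interface bridge vlan":
            if p.get("bridge", "").startswith("*"):
                findings.append(f"bridge vlan: bridge={p['bridge']} is a dangling reference the export could not resolve")
            if p.get("vlan-ids", "") == "":
                findings.append("bridge vlan: vlan-ids is empty, the entry does nothing and should be removed")
    for mac, owners in macs.items():
        if len(owners) > 1:
            findings.append(f"{mac} is used by more than one interface: {', '.join(owners)}")
    return findings


if __name__ == "__main__":
    for f in lint_export(SAMPLE_EXPORT):
        print(f)
```

Run it against the output of `/export` (with comments and MACs left in) before posting a config; the override on ether2 and the stray bridge vlan line would both have shown up in the first few lines of output.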

Ahhhhhhh, mate. I even looked at this mac when I was exporting config but I thought it doesn’t make any difference. I have reset it now and I can ping the gateway… Such a stupid leftover from some previous config. I must have set it for some MAC checks in the past. I will put the routes I want now and everything should be fine. Thanks for your help to all of you guys!

It almost sounds like you stole this router from someone else, seeing as you dont remember half the config on the thing ;-ppp Just kidding.

I have just used it for a long time and I was changing ISPs in the past :stuck_out_tongue: Some of them have this stupid requirement of registering MAC addresses and the workaround for lazy people was to use the MAC from the previous router. That’s for sure what happened here :unamused: I was just stupid not to try to remove it when I saw it during the config export :laughing: And for the VLAN, I believe capsman put it there, but I did the WiFi config a long time ago so I can’t be sure. But I can confirm that now all the routing rules work and I can access the internet via this ISP, so all is good.

Although I will for sure check the config once again and try to clear unnecessary stuff :smiley: