Cannot ping to Mikrotik from LAN

kuldaoo · April 12, 2017, 4:38pm

Hi
I’m new to MikroTik so I hope someone can help me with my problem.

I cannot ping the device on it’s LAN adsress but I can ping it from internet via it’s wan IP address. Curious is that when I disconnect one of my ISP (ether2), ping works.
I can access webconfig from web browser on it’s LAN address without problem.

I set my Routerboard 450G:
Network 192.168.100.0/24
LAN IP of MikroTik 192.168.100.1
ether1 = ISP1 - backup ISP connection
ether2 = ISP2 - primary ISP connection
ether3-5 = LAN (bridge1)

Here is my Firewall config:

/ip firewall filter
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=accept chain=input comment="allow established conncetion" connection-state=established
add action=accept chain=input comment="allow icmp" protocol=icmp
add action=accept chain=input comment="allow from lan all ports" src-address=192.168.100.0/24
add action=accept chain=input comment="allow from wan only webadmin" dst-port=80 protocol=tcp
add action=drop chain=input comment="drop everything else"
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="allow allready established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related

And I added some static routes which works as internet backup

/ip route
add check-gateway=ping comment="gateway of primary ISP" distance=1 gateway=88.146.96.1 routing-mark=ToWAN2
add comment="gateway of secondary ISP" distance=1 gateway=77.104.208.209 routing-mark=ToWAN1
add check-gateway=ping comment="backup of gateway of primary ISP" distance=1 gateway=77.104.208.209
add check-gateway=ping comment="backup of gateway of secondary ISP" distance=1 gateway=88.146.96.1

Thanks for help

skuykend · April 12, 2017, 9:24pm

Take a look at your mangle rules. You may be marking the packets with a route-mark too often and therefore using a routing table without the 192.168.100 subnet.

kuldaoo · April 13, 2017, 7:34am

Thanks for reply. Yes I use mange rules to assign IP ranges to each of WAN ports. But what means “too often”?

add action=mark-routing chain=prerouting comment="ip range to WAN2 isp - UBK All" new-routing-mark=ToWAN2 passthrough=yes src-address=192.168.100.2-192.168.100.253
add action=mark-routing chain=prerouting comment="ip range to WAN1 isp - UBK-Biztalk2" new-routing-mark=ToWAN1 passthrough=yes src-address=192.168.100.181
add action=mark-routing chain=prerouting comment="UBK-Guest Wifi router zasedacka" new-routing-mark=ToWAN1 passthrough=yes src-address=192.168.100.254

skuykend · April 13, 2017, 9:58pm

Your top mangle marks all incoming packets from your local subnet to ToWan2 even if it’s going to the router. Once its marked and looks at the routing table ToWan2 it only sees a default route. It does not see the main routing table with your local subnets. So it sends the ping out to 88.146.96.1

Either exclude dst-address for 192.168.100.0/24 from the mangles or add a static route to 100.x to the ToWan2 route table. May be better ways too.

kuldaoo · April 15, 2017, 2:41pm

Thank you very much, I added another mangle to mark all traffic to my WAN addresses and everything started to work.