Can't ping past Mikrotik rb1100hx2

Hi All,

I am unable to ping or tracert the web. I have been fiddling with this for 2 days and am unable to find any solutions; my knowledge of routing and gateways is weak.

Setup is

Zyxel (10.0.0.1) -- Ubnt (10.0.0.2)--Ubnt(10.0.0.3)--Ubnt(10.0.0.4)--Ubnt(10.0.0.5)--Mikrotik Rb1100hx2---192.168.1.1-255 Lan devices.

Zyxel is set up in bridge to Mikrotik, Ubnt are WDS wireless bridges.
With my setup I can access all the setup pages for the Ubnt wireless bridges and the Zyxel modem. I cannot for some reason ping from the 192.168.1.0 LAN to the 10.0.0.0 or www.

Any suggestions welcome, and an export of my config is below.

Thanks

Jeremy


[admin@MikroTik] > export

jun/30/2014 15:25:03 by RouterOS 6.15

software id = LRXA-SFAN

/interface bridge
add comment="Internal Network" l2mtu=1598 name=bridge-local protocol-mode=none
/ip neighbor discovery
set bridge-local comment="Internal Network"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes name=ppp-wan
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap default-route-distance=1 dial-on-demand=no disabled=no interface=ether2 keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled name=pppoe-wan password=xxxxxxxxx profile=ppp-wan service-name="" use-peer-dns=yes user=jeremynzl@xxxx.xx.xx
/ip neighbor discovery
set pppoe-wan discover=no
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
/ip address
add address=192.168.1.52/24 comment="default configuration" interface=ether1 network=192.168.1.0
add address=192.168.1.1/24 interface=bridge-local network=192.168.1.0
add address=10.0.0.6/16 interface=ether2 network=10.0.0.0
/ip dns
set allow-remote-requests=yes cache-size=10000KiB max-udp-packet-size=512
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=established
add chain=input comment="Allow ICMP" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment=nat-internet-access out-interface=pppoe-wan to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether2
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=172.16.0.1
/ip proxy
set always-from-cache=yes cache-administrator=web-proxy cache-on-disk=yes parent-proxy=0.0.0.0 serialize-connections=yes
/ip route
add distance=1 dst-address=10.0.0.1/32 gateway=ether2
add distance=1 dst-address=10.0.0.2/32 gateway=ether2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=ether1 type=internal
add interface=pppoe-wan type=external
/snmp
set enabled=yes trap-community=public
/system clock
set time-zone-name=Pacific/Auckland
/system clock manual
set dst-delta=-01:00 time-zone=-01:00
/system ntp client
set enabled=yes primary-ntp=202.89.49.65 secondary-ntp=202.89.49.65

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

 #      DST-ADDRESS        PREF-SRC        GATEWAY        DISTANCE
 0 ADS  0.0.0.0/0                          111.69.67.99          1
 1 ADC  10.0.0.0/16        10.0.0.6        ether2                0
 2 A S  10.0.0.1/32                        ether2                1
 3 A S  10.0.0.2/32                        ether2                1
 4 ADC  111.69.67.99/32    111.69.86.207   pppoe-wan             0
 5 ADC  192.168.1.0/24     192.168.1.1     bridge-local          0
[admin@MikroTik] /ip route>

I DO NOT SEE ANY DHCP SERVER; I SUPPOSE YOU SET THE IP MANUALLY ON THE LOCAL 192.168.1.0/24 LAN DEVICES.

Paste this into a new terminal:

/interface bridge
set bridge-local protocol-mode=rstp
/system logging action
set 0 memory-lines=1000
set 1 disk-lines-per-file=1000
/ip dns
set max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4
/ip address
set interface=bridge-local [find where address=192.168.1.52/24]
/ip route
remove [find]
/ip upnp interfaces
set [find where interface=ether1] interface=bridge-local
/snmp
set enabled=yes trap-community=public trap-target=0.0.0.0 trap-version=2
/system clock manual
set dst-delta=+00:00 time-zone=+00:00
/system clock
set time-zone-name=Pacific/Auckland
/interface pppoe-client
set pppoe-wan allow=pap,chap,mschap1,mschap2 max-mru=1480 max-mtu=1480

After you paste this script, if the username and password on ppp-wan are correctly configured, there is no reason for it not to work, from what I see.

IF YOU DO NOT USE THE 192.168.1.52 IP ON THE ROUTERBOARD, REMOVE IT.

IF YOU WANT TO ADD A DHCP SERVER ON YOUR ROUTERBOARD:

/ip pool
add name=pool-dhcp ranges=192.168.1.101-192.168.1.199
/ip dhcp-server
add address-pool=pool-dhcp disabled=no interface=bridge-local lease-time=1w name=server-dhcp
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24

Commented version:

/interface bridge
set bridge-local protocol-mode=rstp

rstp is better…

/system logging action
set 0 memory-lines=1000
set 1 disk-lines-per-file=1000

aligned to 6.x defaults

/ip dns
set max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4

512 UDP is too little; 4096 is the new standard from 5.x. Peer DNS is used, but what if the peer does not communicate its own? Better to write two backup DNS servers…

/ip address
set interface=bridge-local [find where address=192.168.1.52/24]

The IP address must be assigned to the bridge, not to the ethernet port directly, if the ethernet port is on the bridge.

/ip route
remove [find]

The two routes are unnecessary, because all of 10.0.0.0/16 is already directed to ether2.

/ip upnp interfaces
set [find where interface=ether1] interface=bridge-local

bridge-local is the local interface, not ether1. Ether1 is on bridge-local.

/snmp
set enabled=yes trap-community=public trap-target=0.0.0.0 trap-version=2

fixed with the right parameters

/system clock manual
set dst-delta=+00:00 time-zone=+00:00
/system clock
set time-zone-name=Pacific/Auckland

fixed with the right parameters for your timezone

/interface pppoe-client
set pppoe-wan allow=pap,chap,mschap1,mschap2 max-mru=1480 max-mtu=1480

Usually PPPoE cannot support 1500 MRU/MTU, and all types of link are allowed; the server decides.


If I have helped you, please add Karma.

Thanks.
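
The two structural points from the commented version above (an IP address placed on a bridge port instead of the bridge, and /32 routes already covered by a connected network) can be checked mechanically against an export. This is an added example, not part of the original posts; the function names and the trimmed sample are constructed for illustration, and the parser assumes single-line `add` entries with interface-name gateways.

```python
import ipaddress
import shlex

# Constructed sample: the relevant sections of the first export quoted in this thread.
EXPORT = """\
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether1
/ip address
add address=192.168.1.52/24 comment="default configuration" interface=ether1 network=192.168.1.0
add address=192.168.1.1/24 interface=bridge-local network=192.168.1.0
add address=10.0.0.6/16 interface=ether2 network=10.0.0.0
/ip route
add distance=1 dst-address=10.0.0.1/32 gateway=ether2
add distance=1 dst-address=10.0.0.2/32 gateway=ether2
"""

def parse_export(text):
    """Group 'add' lines by menu path: {path: [{key: value}, ...]}."""
    sections, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            # shlex keeps quoted values such as comment="default configuration" together
            items = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            sections.setdefault(path, []).append(items)
    return sections

def lint(text):
    """Return findings for addresses on bridge ports and redundant static routes."""
    cfg = parse_export(text)
    ports = {p["interface"]: p["bridge"] for p in cfg.get("/interface bridge port", [])}
    addrs = [(ipaddress.ip_interface(a["address"]), a["interface"]) for a in cfg.get("/ip address", [])]
    findings = []
    for ip, iface in addrs:
        if iface in ports:
            findings.append(f"address {ip} is on {iface}, a port of {ports[iface]}; assign it to the bridge")
    for r in cfg.get("/ip route", []):
        dst = ipaddress.ip_network(r["dst-address"])
        for ip, iface in addrs:
            if r.get("gateway") == iface and dst.subnet_of(ip.network):
                findings.append(f"route {dst} via {iface} is already covered by connected {ip.network}")
    return findings

if __name__ == "__main__":
    for finding in lint(EXPORT):
        print(finding)
```
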

Wow thanks Rextended,

That was a great script to tidy up my config. I have loaded it all except the DHCP server.
Sadly I am still achieving 100% loss on tracert and pings to the WAN side of the router.
This occurs for both www and 10.0.0.0 addresses.

I have attached the config as it now stands with your amendments.

Also thank you for the breakdown on what each change did.

Jeremy

jul/01/2014 09:14:53 by RouterOS 6.15

software id = LRXA-SFAN

/interface bridge
add comment="Internal Network" l2mtu=1598 name=bridge-local
/ip neighbor discovery
set bridge-local comment="Internal Network"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes name=ppp-wan
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 default-route-distance=1 dial-on-demand=no disabled=no interface=ether2 keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-wan password=********** profile=ppp-wan service-name="" use-peer-dns=yes user=jeremynzl@****..
/ip neighbor discovery
set pppoe-wan discover=no
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
/ip address
add address=192.168.1.1/24 interface=bridge-local network=192.168.1.0
add address=10.0.0.6/16 interface=ether2 network=10.0.0.0
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=established
add chain=input comment="Allow ICMP" protocol=icmp
/ip firewall mangle
add action=change-mss chain=forward new-mss=1452 out-interface=pppoe-wan protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment=nat-internet-access out-interface=pppoe-wan to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether2
/ip hotspot service-port
set ftp disabled=yes
/ip proxy
set always-from-cache=yes cache-administrator=web-proxy cache-on-disk=yes parent-proxy=0.0.0.0 serialize-connections=yes
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-wan type=external
/snmp
set enabled=yes trap-community=public trap-target=0.0.0.0 trap-version=2
/system clock
set time-zone-name=Pacific/Auckland
/system ntp client
set enabled=yes primary-ntp=202.89.49.65 secondary-ntp=202.89.49.65
[admin@MikroTik] >

I’m online; at this moment I am checking the config again, in case I have missed something…

I really do not see any problem,
except I suggest you use these two as NTP servers:
131.203.16.6
131.203.16.10


Are you sure a pppoe-server is exposed on your ether2?
Is your zyxel an ADSL router put in bridge mode?

In winbox you can use ppp / pppoe-scanner to see if a pppoe-server service is exposed on ether2.

If your zyxel is used as a router, you must replace the pppoe-client with a dhcp-client, and subsequently change almost all the config on the rb…

Hi,

Thanks for having another look. The Zyxel is in bridge mode. I just use the 10.0.0.1 to get to its user interface.
I use the pppoe scan, it's showing as detected and connected.
Internet access is working perfectly, even accessing the zyxel and ubnt interfaces on 10.0.0.* addresses.
But still 100% ping and tracert loss.

Jeremy

I really do not see any wrong settings.

Try to disable the second nat rule:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2

and try to ping from inside the rb
8.8.8.8
and
10.0.0.1

Nat rule disabled. Still 100% packet loss, and now unable to access user interfaces on 10.0.0.0 addresses.
Using both the RB1100 ping tool and cmd on a LAN machine.

I really do not understand why it does not work…

I hope other forum users can help us, but I think the problem is on the zyxel / pppoe-client side,
yes, even if “R” appears…

About the mangle: remove this, it is wrong (is this the cause???):

/ip firewall mangle
add action=change-mss chain=forward new-mss=1440 out-interface=pppoe-wan protocol=tcp tcp-flags=syn

Paste this if the pppoe-server profile “change tcp mss” does not work:

/ip firewall mangle
add action=change-mss chain=forward in-interface=all-ppp new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add action=change-mss chain=forward new-mss=1440 out-interface=all-ppp protocol=tcp tcp-flags=syn tcp-mss=1441-65535

because it alters the mss even when it must not be changed, when it is = or < 1440

Changes made, still no ping to 10.0.0.0 or www.

I have two dynamic rules now for mangle that appear.



jul/01/2014 10:20:12 by RouterOS 6.15

software id = LRXA-SFAN

/interface bridge
add comment="Internal Network" l2mtu=1598 name=bridge-local
/ip neighbor discovery
set bridge-local comment="Internal Network"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes name=ppp-wan
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 default-route-distance=1 dial-on-demand=no disabled=no interface=ether2 keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-wan password=*** profile=ppp-wan service-name="" use-peer-dns=yes user=jeremynzl@**
/ip neighbor discovery
set pppoe-wan discover=no
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
/ip address
add address=192.168.1.1/24 interface=bridge-local network=192.168.1.0
add address=10.0.0.6/16 interface=ether2 network=10.0.0.0
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=established
add chain=input comment="Allow ICMP" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment=nat-internet-access out-interface=pppoe-wan to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether2
/ip hotspot service-port
set ftp disabled=yes
/ip proxy
set always-from-cache=yes cache-administrator=web-proxy cache-on-disk=yes parent-proxy=0.0.0.0 serialize-connections=yes
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-wan type=external
/snmp
set enabled=yes trap-community=public trap-target=0.0.0.0 trap-version=2
/system clock
set time-zone-name=Pacific/Auckland
/system ntp client
set enabled=yes primary-ntp=202.89.49.65 secondary-ntp=202.89.49.65
[admin@MikroTik] >

If the dynamic rules appear, the pppoe-server makes the connection.

Really, I cannot help you more; I do not know if the pppoe-client is really working.

I hope another user on the forum can find the problem, but I really think that it is not outside the pppoe-client…

Thank you for your time and suggestions.

Jeremy

One weird thing I have just noticed is that when under traffic, i.e. a download, it will give me a ping reply to the 10.0.0.0 addresses some of the time, with still 75% ping loss.

Update: Fixed.

After going over everything again and again, I found I could now ping the local ubnt radio on 10.0.0.5 but not anything past the wireless network.
I then investigated the ubiquiti devices and found that the airmax setting was preventing the passing of ICMP. Why, I still do not know.
With airmax disabled I am able to ping and tracert the www and local 10.0.0.0 devices.

Thanks for the help and tutoring for the Mikrotik. I have learned lots.

Jeremy

:open_mouth: :smiling_imp: :angry:

Quick question

I need my 10.0.0.* devices to be able to report to the 192.168.1.3 addresses.
I can ping and ssh into the 10.0.0.* devices but they have no route back. I have tried some nat addresses and have been able to port 10.0.0.0 addresses to 192.168.1.0 addresses, but that does not solve the problem.

For example, the 10.0.0.5 device has

Ip 10.0.0.5
Mask 255.255.0.0
Gateway 192.168.1.1
Dns 192.168.1.1

This device can access the www but not the internal LAN.



Thanks

Jeremy

For the 10.0.0.0/16 devices the gateway should be 10.0.0.6 (That’s the IP of the router, am I right?)

Legend!! Enjoy some Karma.

Thanks

Jeremy