Can't ping to new modem

Hi,

Due to an unstable internet connection, my ISP just switched the old router to a new one (ZTE F670).
The problem is that my Mikrotik RBD52G-5HacD2HnD (firmware version 6.49.6) can’t ping the new router (ZTE) [Timed out].
I have browsed some threads on both the MikroTik forum and others like Reddit, and I am sure the ISP doesn’t lock the MAC address, because I can ping the ZTE from my laptop if I connect to it directly (without the Mikrotik).

Any suggestions on how to troubleshoot this issue?

I have tried resetting the routerboard’s configuration, and it can then ping the ZTE, but after restoring the main config, the routerboard can’t ping the ZTE again.
If you need some data, let me know and I will share it.

Thank you in advance

From the steps you already took, it looks indeed like something in your config is blocking that communication.

From terminal:
/export hide-sensitive file=anynameyouwish
Review the file for additional private info (public IP, passwords, secret keys, … don’t forget to obfuscate the serial number)
Then post between [__code] quotes.

Please also provide a small drawing showing how those devices are connected going out to the ISP, which device has which IP, and possible other devices on the same network.

A good start for troubleshooting is the firewall rules.
When you ping, check which drop rule has the counter increasing at the same rate as the ping. Might already give you a good indication where the problem is.

Hi thanks for the response.

Herewith the code and picture of topology

# jul/27/2022 15:46:25 by RouterOS 6.49.6
# software id = 3N2H-SZVC
#
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=48:8F:5A:XX:XX:XX auto-mac=no comment=defconf name=bridge
add comment="17B Connection" disabled=yes name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" comment=\
    "ISP 1"
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" comment=17B
set [ find default-name=ether3 ] arp=reply-only comment="cisco extender1"
set [ find default-name=ether4 ] comment="Hotspot"
set [ find default-name=ether5 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" arp=\
    reply-only comment="Switch Local"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile1 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    default-authentication=no default-forwarding=no disabled=no frequency=\
    2452 installation=indoor mode=ap-bridge security-profile=profile1 ssid=\
    SSID-2GHz station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX default-authentication=no default-forwarding=no \
    disabled=no distance=indoors frequency=5200 installation=indoor mode=\
    ap-bridge security-profile=profile1 ssid=SSID-5GHz station-roaming=\
    enabled wireless-protocol=802.11
add comment=Meeting keepalive-frames=disabled mac-address=4A:8F:5A:XX:XX:XX \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
    security-profile=profile1 ssid=SSID-Meeting wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan3 comment=Meeting
/interface wireless nstreme
set *9 comment=Meeting
/ip firewall layer7-protocol
add name=weblist regexp="(youtube.com|facebook.com|instagram.com|detik.com|kum\
    paran.com|steam.com|mola.tv|hotstar.com|netflix.com|twitter.com|spotify.co\
    m|tunein.com)"
/ip hotspot profile
add hotspot-address=10.10.0.1 html-directory=flash/hotspot \
    http-cookie-lifetime=1h login-by=cookie,http-pap name=hsprof1 rate-limit=\
    2M use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=15m mac-cookie-timeout=1h rate-limit=2M \
    session-timeout=1h shared-users=20
/ip pool
add name=dhcp ranges=172.17.1.100-172.17.1.254
add name=hs-pool-6 ranges=10.10.0.2-10.10.0.254
add comment="IP Range meeting" name=pool-meeting ranges=\
    192.168.2.11-192.168.2.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=hs-pool-6 disabled=no interface=ether4 lease-time=5m name=\
    dhcp1
add address-pool=pool-meeting disabled=no interface=wlan3 name=meeting
/ip hotspot
add address-pool=hs-pool-6 addresses-per-mac=20 disabled=no interface=ether4 \
    name=hotspot1 profile=hsprof1
/queue simple
add dst=ether1 name="Priority Meeting" priority=1/1 target=wlan3
add comment="Priority 3" disabled=yes dst=ether1 name=queue1 priority=\
    1/1 target=ether3
add comment="All Network" disabled=yes dst=ether1 limit-at=5M/5M max-limit=\
    5M/5M name="All Network" target=172.17.1.0/24
add disabled=yes dst=ether1 limit-at=2M/2M max-limit=2M/2M name=\
    "Limit Specific IP" target=172.17.1.0/24
add dst=ether1 limit-at=512k/512k max-limit=512k/512k name=\
    "Down Limit Hotspot" target=ether4
add comment="Equal Bandwidth" dst=ether1 limit-at=5M/5M max-limit=50M/50M \
    name=BalanceLimit priority=2/2 queue=\
    pcq-upload-default/pcq-download-default target=bridge
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw \
    time-zone=+07:00
/tool user-manager profile
add name=Guest name-for-users=Guest override-shared-users=unlimited owner=\
    admin price=0 starts-at=now validity=0s
add name=Internal name-for-users=Internal override-shared-users=2 owner=admin \
    price=0 starts-at=logon validity=0s
add name="3 hours" name-for-users="3 hours" override-shared-users=2 owner=\
    admin price=0 starts-at=logon validity=3h
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name="" ip-pool="" ip-pool6="" \
    name=General owner=admin rate-limit-min-rx=2000B rate-limit-min-tx=2000B \
    rate-limit-rx=2000B rate-limit-tx=2000B transfer-limit=0B upload-limit=0B \
    uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" ip-pool6="" \
    name=Internal owner=admin rate-limit-min-rx=10000B rate-limit-min-tx=\
    10000B rate-limit-priority=3 rate-limit-rx=10000B rate-limit-tx=10000B \
    transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" ip-pool6="" \
    name="3 hours" owner=admin rate-limit-min-rx=5000B rate-limit-min-tx=\
    5000B rate-limit-rx=5000B rate-limit-tx=5000B transfer-limit=0B \
    upload-limit=0B uptime-limit=3h
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 comment=defconf disabled=yes interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
/interface wireless access-list
add mac-address=H:I:D:E
/ip address
add address=172.17.1.1/24 comment=defconf interface=bridge network=172.17.1.0
add address=10.10.0.1/24 interface=ether4 network=10.10.0.0
add address=192.168.2.1/24 comment=Meeting interface=wlan3 network=\
    192.168.2.0
add address=172.18.0.2/24 interface=ether2 network=172.18.0.0
add address=172.17.0.1/24 comment=defconf disabled=yes interface=ether5 \
    network=172.17.0.0
/ip arp
[HIDDEN]
/ip dhcp-client
add add-default-route=no comment=defconf disabled=no interface=ether1
add add-default-route=no interface=ether2
/ip dhcp-server lease
/ip dhcp-server network
add address=10.10.0.0/24 comment="hotspot network" gateway=10.10.0.1
add address=172.17.1.0/24 comment=defconf dns-server=172.17.1.1,192.168.0.1 \
    gateway=172.17.1.1 netmask=24
add address=192.168.2.0/24 comment=meeting gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=\
    10.10.0.1,172.17.1.1,172.18.0.1,172.18.0.5
/ip dns static
add address=172.17.1.1 comment=defconf name=router.lan
add address=172.17.0.1 comment=defconf disabled=yes name=router.lan.local
add address=192.168.0.1 comment="DNS Server to 17B" name=17B.lan
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment="Allow connection to 17B" disabled=yes \
    dst-address=192.168.0.0 src-address=172.17.1.0
add action=accept chain=input comment="Accept connection to MikroTik" \
    dst-port=80 protocol=tcp
add action=accept chain=input comment="Accept connection to WinBox" dst-port=\
    8000 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment=\
    "Redirect to downpage if Internet Down" disabled=yes dst-port=80,443 \
    protocol=tcp to-addresses=172.18.0.5 to-ports=8080
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade local" ipsec-policy=\
    out,none out-interface=ether2
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.10.0.0/24
add action=redirect chain=dstnat comment="Redirect to block page" disabled=\
    yes dst-port=80,443 protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat comment="MikroTik Remote" dst-port=8887 \
    protocol=tcp to-addresses=172.17.1.1 to-ports=80
/ip hotspot user
add disabled=yes name=guest
/ip proxy
set enabled=yes
/ip proxy access
add action=deny comment="Redirect Connection Down" dst-host=!172.18.0.5 \
    redirect-to=172.18.0.5:8080
add action=deny comment="Kumparan Block" dst-host=kumparan.com redirect-to=\
    172.18.0.5:8080/blpage.html
add action=deny comment="Instagram Block" dst-host=*instagram* redirect-to=\
    172.18.0.5:8080/blpage.html
add action=deny comment="Spotify Block" dst-host=spotify.com redirect-to=\
    172.18.0.5:8080/blpage.html
add action=deny comment="Tune In Block" dst-host=tunein.com redirect-to=\
    172.18.0.5:8080/blpage.html
add action=deny comment="Twitter Block" dst-host=*twitter* redirect-to=\
    172.18.0.5:8080/blpage.html
add action=deny comment="Facebook Block" dst-host=*facebook* redirect-to=\
    172.18.0.5:8080/blpage.html
add action=deny comment="Detik Block" dst-host=detik.com redirect-to=\
    172.18.0.5:8080/blpage.html
add action=deny comment="Youtube Block" dst-host=*youtube* redirect-to=\
    172.18.0.5:8080/blpage.html
/ip route
add check-gateway=ping comment="ISP 1" distance=1 gateway=8.8.8.8 \
    target-scope=30
add comment="To 17B, if down will automatically switch to Primelink" \
    distance=2 gateway=172.18.0.1
add comment="ISP 1" disabled=yes distance=1 gateway=192.168.1.1
add check-gateway=ping comment=\
    "If ping to google fail, automatically run primelink" distance=1 \
    dst-address=8.8.8.8/32 gateway=192.168.1.1
add distance=1 dst-address=58.185.141.0/32 gateway=172.18.0.1
add distance=1 dst-address=192.168.0.0/24 gateway=172.18.0.1
add comment="ISP 1" disabled=yes distance=1 dst-address=192.168.1.0/32 \
    gateway=192.168.1.1
/radius
add address=172.17.1.1 service=hotspot
/system clock
set time-zone-name=Asia/City
/system identity
set name=MikroTik-Name
/tool e-mail
set address=mail1.cehgroup.com from="MikroTik 17D" port=143 user=\
    email@mail.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=ISP 1 host=192.168.1.1
add comment=ISP 2 disabled=yes down-script="/tool e-mail send to=mail@\
    email.com subject=\"Internet Down\" body=\"Source ISP 2\
    \_DOWN\"\r\
    \n\r\
    \nif ([/tool netwatch get 1 down] = yes)\r\
    \ndo= {\r\
    \n/ip firewall nat enable 0\r\
    \n/ip proxy access enable 0 }" host=XXX.XX.XX.XXX up-script="/tool e-mail \
    send to=email@mail.com subject=\"Internet UP\" body=\"S\
    ource ISP 2 is UP\"\r\
    \n\r\
    \n/ip firewall nat disable 0\r\
    \n/ip proxy access disable 0"
add disabled=yes down-script=\
    "/ip firewall nat enable 0\r\
    \n/ip proxy access enable 0" host=8.8.8.8 up-script=\
    "/ip firewall nat disable 0\r\
    \n/ip proxy access disable 0"
add comment=ISP 2 host=XXX.XX.XX.XXX
/tool user-manager database
set db-path=flash/user-manager
/tool user-manager profile profile-limitation
add from-time=0s limitation=General profile=Guest till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=9h limitation="3 hours" profile="3 hours" till-time=17h \
    weekdays=monday,tuesday,wednesday,thursday,friday
add from-time=0s limitation=General profile="3 hours" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=172.17.1.1 log="" \
    name=Company use-coa=no
/tool user-manager user
add customer=admin disabled=no ipv6-dns=:: shared-users=unlimited username=\
    guest wireless-enc-algo=none wireless-enc-key="" wireless-psk=""

Sorry for the messy image; it is a little complex, in case you need the whole network topology.
I marked the focus area with a yellow box.
If you need more information or need me to simplify it, just ask.

Thank you for your support
Diagram.png

Picture clarifies a lot.
So the problem is ping from router2 to ISP1-modem, correct?
Connection from ISP1-modem to router2 is on ether1?

Can you also provide output from
/ip address print
/ip route print

Yes correct.

Here is the information needed

---------------- Address Print

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; defconf
     172.17.1.1/24      172.17.1.0      bridge                                   
 1   10.10.0.1/24       10.10.0.0       ether4                                   
 2 I ;;; Meeting
     192.168.2.1/24     192.168.2.0     wlan3                                    
 3   172.18.0.2/24      172.18.0.0      ether2                                   
 4 X ;;; defconf
     172.17.0.1/24      172.17.0.0      ether5                                   
 5   192.168.1.254/24   192.168.1.0     ether1

---------------- Route Print

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; ISP 1
        0.0.0.0/0                          8.8.8.8                   1
 1   S  ;;; To 17B, if down will automatically switch to ISP 2
        0.0.0.0/0                          172.18.0.1                2
 2   S  ;;; If ping to google fail, automatically run ISP 2
        8.8.8.8/32                         192.168.1.1               1
 3 ADC  10.10.0.0/24       10.10.0.1       ether4                    0
 4 A S  58.XX.XXX.0/32                    172.18.0.1                1
 5 ADC  172.17.1.0/24      172.17.1.1      bridge                    0
 6 ADC  172.18.0.0/24      172.18.0.2      ether2                    0
 7 A S  192.168.0.0/24                     172.18.0.1                1
 8 ADC  192.168.1.0/32     192.168.1.254   ether1                    0
 9 X S  ;;; ISP 1
        192.168.1.0/32                     192.168.1.1               1

For additional information: I tried some possible solutions by enabling and disabling some config. I remember I always reverted it back, but I don’t know why, after I disabled the DHCP client and changed it to manual (adding the IP in the Address menu), it could ping and was back to normal. Since I thought I’d found the solution, I restored my configuration and tried to change the IP (assuming there was an IP conflict).
But the issue is still there. So my IP setup (Mikrotik to ZTE) might differ between this post and the earlier post (between manual input and using the DHCP client).

Hi guys,
If you followed this topic from the start, I’d now like to announce that I have found the solution.
It looks like the Routerboard somehow “locks” the ether1 ARP, but the status is still dynamic.

After troubleshooting by resetting the RB and reconfiguring one by one using the rsc, I found that the ARP table caused this problem. Then, after I removed the ARP for ether1, it could ping and get replies, and the whole system was back to normal.
If you need further information or have a similar issue, you can contact me through this forum.

Thanks to holvoetn for your time to support me
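
The pattern reported in this thread (ping works after a reset, fails again once the saved configuration is restored, recovers when the ARP for ether1 is removed) is consistent with an ARP entry that still carries the replaced device's MAC; static `/ip arp` entries are written into an export and come back when it is restored. The following is an added example, not code from the thread: a Python check that reads an `.rsc` export and reports static ARP entries pinned to a route gateway whose MAC no longer matches what is seen on the wire. The sample export, the MAC addresses and the function names are constructed for illustration, and dynamic entries are out of scope because they do not appear in an export.

```python
import re
import shlex

# Constructed sample in RouterOS export format; addresses and MACs are made up.
SAMPLE_EXPORT = r'''
/ip arp
add address=192.168.1.1 comment="old ISP modem" interface=ether1 \
    mac-address=AA:BB:CC:00:00:01
add address=172.17.1.50 interface=bridge mac-address=AA:BB:CC:00:00:02
/ip route
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1
add distance=2 gateway=172.18.0.1
'''

SECTIONS = ("/ip arp", "/ip route")


def parse_export(text):
    """Yield (section, params) for every 'add' line in /ip arp and /ip route."""
    # An export wraps long lines with a trailing backslash and an indented continuation.
    text = re.sub(r"\\\r?\n\s*", "", text)
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section in SECTIONS and line.startswith("add "):
            tokens = shlex.split(line[4:])  # honours quoted comment="..." values
            yield section, dict(t.split("=", 1) for t in tokens if "=" in t)


def pinned_gateways(text):
    """Static ARP entries whose address is also the gateway of a static route."""
    arp, gateways = [], set()
    for section, p in parse_export(text):
        if section == "/ip arp" and "address" in p and p.get("disabled") != "yes":
            arp.append((p["address"], p.get("mac-address", ""), p.get("interface", "")))
        elif section == "/ip route" and "gateway" in p:
            # gateway may be a comma list and may carry a %interface suffix
            gateways.update(g.split("%")[0] for g in p["gateway"].split(","))
    return [e for e in arp if e[0] in gateways]


def stale_entries(text, observed):
    """Pinned gateways whose MAC differs from the one observed on the wire.

    observed: {ip: mac} read from a host that reaches the replacement device,
    for example the ARP cache of a laptop plugged straight into it.
    """
    return [e for e in pinned_gateways(text)
            if e[0] in observed and observed[e[0]].lower() != e[1].lower()]


if __name__ == "__main__":
    for ip, mac, iface in stale_entries(SAMPLE_EXPORT, {"192.168.1.1": "aa:bb:cc:00:00:99"}):
        print(f"{iface}: {ip} is pinned to {mac}, which no longer matches the device")
```

Running it against an export before restoring that export onto a router whose upstream device was swapped shows which entries to update or remove first.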

To be honest, I haven’t done much.
I was as stumped as you were and from my side, couldn’t find anything really wrong in your config.

You did all the leg work. So good of you that you found the issue yourself!

I appreciate the time and effort you took to review my complicated network topology and the setup, which I believe also took time.
Once again, thank you for the support.