Guest network can ping google.com, but not browse

Hello,

In my home setup I have 2 MikroTik devices:

  • hAP ac (RB962UiGS-5HacT2HnT) running as main home router.
  • RB493 running as CAP slave

See end of post for some exports of my setup.

The CAPsMAN setup seems to work. 2 wireless networks show up, with a different security profile on each. I have set up the guest network datapath to use my guest bridge (guest-LAN).
I’ve based my setup on this guide: https://www.geleijn.nl/2014/guest-network-mikrotik-router/
I’ve set up 2 subnets, with a DHCP server running on each:

  • 192.168.0.0/24 - Guest network
  • 192.168.77.0/24 - Normal network

When I connect to the guest network, I get an IP that belongs to the guest network subnet.

Here’s the problem:
When connected to the guest network I can ping google.com, but I cannot browse it:

12:32 $ ping -c 4 google.com
PING google.com (213.155.151.155) 56(84) bytes of data.
64 bytes from 213-155-151-155.customer.teliacarrier.com (213.155.151.155): icmp_seq=2 ttl=57 time=115 ms
64 bytes from 213-155-151-155.customer.teliacarrier.com (213.155.151.155): icmp_seq=3 ttl=57 time=147 ms
64 bytes from 213-155-151-155.customer.teliacarrier.com (213.155.151.155): icmp_seq=4 ttl=57 time=55.9 ms

--- google.com ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3002ms
rtt min/avg/max/mdev = 55.988/106.208/147.101/37.776 ms

12:33 $ curl -m 5 google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.se/?gfe_rd=cr&ei=6Y61V6LNEOPk8AfVjZqoBQ">here</A>.
</BODY></HTML>

12:33 $ curl -m5 "http://www.google.se/?gfe_rd=cr&ei=6Y61V6LNEOPk8AfVjZqoBQ"
curl: (28) Operation timed out after 5001 milliseconds with 0 bytes received

12:33 $ ping -c4 www.google.se
PING www.google.se (216.58.201.163) 56(84) bytes of data.
64 bytes from arn02s06-in-f163.1e100.net (216.58.201.163): icmp_seq=1 ttl=55 time=122 ms
64 bytes from arn02s06-in-f3.1e100.net (216.58.201.163): icmp_seq=2 ttl=55 time=23.6 ms
64 bytes from arn02s06-in-f163.1e100.net (216.58.201.163): icmp_seq=3 ttl=55 time=138 ms
64 bytes from arn02s06-in-f3.1e100.net (216.58.201.163): icmp_seq=4 ttl=55 time=79.0 ms

--- www.google.se ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 23.647/90.981/138.330/44.547 ms

hAP ac router export

[admin@MikroTik] > /export 
# aug/18/2016 13:45:11 by RouterOS 6.36
# software id = BQPQ-8R3F
#
/interface bridge
add admin-mac=E4:8D:8C:AA:F9:7C auto-mac=no name=LAN
add name=guest-LAN
/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(20dBm), SSID: Dalakolonin, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=sweden disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Dalakolonin wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(20dBm), SSID: Dalakolonin, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce country=sweden disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Dalakolonin wireless-protocol=802.11
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=81.227.11.208 mtu=1280 name=sit1 remote-address=216.66.80.90
/ip neighbor discovery
set WAN discover=no
set sit1 comment="Hurricane Electric IPv6 Tunnel Broker"
/caps-man datapath
add bridge=LAN client-to-client-forwarding=yes local-forwarding=yes name=datapath1
add bridge=guest-LAN name=datapath2
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=WPA-PSK passphrase=<redacted>
add name=None
/caps-man configuration
add country=sweden datapath=datapath1 mode=ap name=cfg1 security=WPA-PSK ssid=Dalakolonin
add country=sweden datapath=datapath2 mode=ap name=cfg2 security=None ssid=Dalakolonin_guest
/caps-man interface
add arp=enabled configuration=cfg1 disabled=no l2mtu=1600 mac-address=00:0C:42:3A:F4:4D master-interface=none mtu=1500 name=cap1 radio-mac=00:0C:42:3A:F4:4D
add arp=enabled configuration=cfg2 disabled=no l2mtu=1600 mac-address=02:0C:42:3A:F4:4D master-interface=cap1 mtu=1500 name=cap1-1 radio-mac=00:00:00:00:00:00
add arp=enabled configuration=cfg1 disabled=no l2mtu=1600 mac-address=E4:8D:8C:AA:F9:82 master-interface=none mtu=1500 name=cap2 radio-mac=E4:8D:8C:AA:F9:82
add arp=enabled configuration=cfg2 disabled=no l2mtu=1600 mac-address=E6:8D:8C:AA:F9:82 master-interface=cap2 mtu=1500 name=cap2-1 radio-mac=00:00:00:00:00:00
add arp=enabled configuration=cfg1 disabled=no l2mtu=1600 mac-address=E4:8D:8C:AA:F9:81 master-interface=none mtu=1500 name=cap3 radio-mac=E4:8D:8C:AA:F9:81
add arp=enabled configuration=cfg2 disabled=no l2mtu=1600 mac-address=E6:8D:8C:AA:F9:81 master-interface=cap3 mtu=1500 name=cap3-1 radio-mac=00:00:00:00:00:00
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=<redacted> wpa2-pre-shared-key=<redacted>
add name=profile
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.77.50-192.168.77.254
add name=guest-dhcp ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN name=dhcp1
add add-arp=yes address-pool=guest-dhcp bootp-support=dynamic disabled=no interface=guest-LAN name=guest-dhcp
/ppp profile
add change-tcp-mss=yes name=OVPN-client only-one=yes use-encryption=required use-mpls=no
/interface ovpn-client
add certificate=openvpn-pepsi-client-dalakolonin cipher=aes256 connect-to=213.114.155.238 disabled=yes mac-address=02:8B:CD:45:7B:81 name=ovpn-pepsi password=<redacted> profile=OVPN-client user=risca
/caps-man manager
set ca-certificate=CAPsMAN-CA-E48D8CAAF97B certificate=CAPsMAN-E48D8CAAF97B enabled=yes require-peer-certificate=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 slave-configurations=cfg2
/interface bridge filter
# wlan3 not ready
# in/out-bridge-port matcher not possible when interface (wlan3) is not slave
add action=drop chain=forward in-interface=*A log-prefix=""
# wlan3 not ready
# in/out-bridge-port matcher not possible when interface (wlan3) is not slave
add action=drop chain=forward log-prefix="" out-interface=*A
# no interface
add action=drop chain=forward in-interface=*B log-prefix=""
# no interface
add action=drop chain=forward log-prefix="" out-interface=*B
/interface bridge port
add bridge=LAN comment=defconf interface=ether2-master
add bridge=LAN comment=defconf interface=sfp1
add bridge=LAN comment=defconf interface=wlan1
add bridge=LAN comment=defconf interface=wlan2
/interface wireless access-list
add ap-tx-limit=524288
add ap-tx-limit=524288
/interface wireless cap
set bridge=LAN certificate=CAPsMAN-E48D8CAAF97B discovery-interfaces=LAN enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.77.1/24 comment=defconf interface=LAN network=192.168.77.0
add address=192.168.0.1/24 interface=guest-LAN network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server lease
add address=192.168.77.243 client-id=1:b8:27:eb:ec:d7:83 comment="6lowpan/printer server" mac-address=B8:27:EB:EC:D7:83 server=dhcp1
add address=192.168.77.226 client-id=ff:4c:3d:5e:7b:0:1:0:1:1b:64:5e:37:60:a4:4c:3d:5e:7b disabled=yes mac-address=60:A4:4C:3D:5E:7B server=dhcp1
add address=192.168.77.215 client-id=ff:2f:34:d5:e7:0:1:0:1:1b:64:5e:37:60:a4:4c:3d:5e:7b comment=Nas2 mac-address=00:1B:2F:34:D5:E7 server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 domain=dalakolonin-guest.local gateway=192.168.0.1 netmask=24 ntp-server=192.168.0.1
add address=192.168.77.0/24 dns-server=192.168.77.1 domain=dalakolonin.local gateway=192.168.77.1 netmask=24 ntp-server=192.168.77.1
/ip dns
set allow-remote-requests=yes servers=2001:470:20::2,2001:4860:4860::4444,2001:4860:4860::8888
/ip dns static
add address=192.168.77.1 name=mikrotik
add address=192.168.77.215 name=nas2.local
add address=192.168.77.215 name=nas2
add address=192.168.77.243 name=rpi-6lowpan
/ip firewall filter
add action=accept chain=input comment="accept icmp from 66.220.2.74 (HE tunnel broker)" protocol=icmp src-address=66.220.2.74
add action=accept chain=input comment="accept ICMP, except on WAN" in-interface=!WAN log-prefix="" protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" connection-state=established,related log-prefix=""
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN log-prefix=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related log-prefix=""
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related log-prefix=""
add action=drop chain=forward comment="drop packages guest->!WAN" disabled=yes in-interface=guest-LAN out-interface=!WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=""
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN log-prefix=""
/ip firewall nat
add action=masquerade chain=srcnat log-prefix="" out-interface=WAN src-address=192.168.77.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.0.0/24
add action=src-nat chain=srcnat comment=NTP log-prefix="" protocol=udp src-port=123 to-addresses=192.168.77.1
add action=dst-nat chain=dstnat comment="nas2 plex" disabled=yes dst-port=32400 log-prefix="" protocol=tcp to-addresses=192.168.77.215 to-ports=32400
add action=dst-nat chain=dstnat comment="nas2 ssh" dst-port=13579 in-interface=WAN log-prefix="" protocol=tcp to-addresses=192.168.77.215 to-ports=22
add action=dst-nat chain=dstnat comment="nas2 grafana" dst-port=30001 in-interface=WAN log-prefix="" protocol=tcp to-addresses=192.168.77.215 to-ports=30001
add action=dst-nat chain=dstnat comment="nas2 https" dst-port=443 in-interface=WAN log-prefix="" protocol=tcp to-addresses=192.168.77.215 to-ports=443
add action=dst-nat chain=dstnat comment="nas2 smtp" dst-port=465 in-interface=WAN log-prefix="" protocol=tcp to-addresses=192.168.77.215 to-ports=465
add action=dst-nat chain=dstnat comment="nas2 imap" dst-port=993 in-interface=WAN log-prefix="" protocol=tcp to-addresses=192.168.77.215 to-ports=993
add action=dst-nat chain=dstnat comment="nas2 torrent tcp" dst-port=6881-6889,30100-30200 in-interface=WAN log-prefix="" protocol=tcp to-addresses=192.168.77.215
add action=dst-nat chain=dstnat comment="nas2 torrent udp" dst-port=6881-6889,30100-30200 in-interface=WAN log-prefix="" protocol=udp to-addresses=192.168.77.215
/ipv6 address
add address=2001:470:27:22b::2 advertise=no interface=sit1
add address=2001:470:28:22b:: interface=LAN
/ipv6 firewall address-list
add address=2001:470:28:22b:d497:e7:dfff:44d2/128 comment=nas2 list=ssh
add address=2001:470:28:22b:3cd6:45e1:27eb:e37d/128 comment=eeebox list=ssh
add address=2001:470:28:22b:96db:c9ff:fe35:2d77/128 comment="eeebox #2" list=ssh
/ipv6 firewall filter
# no interface
add action=accept chain=forward comment="ssh address list" dst-address-list=ssh dst-port=22 in-interface=*C log-prefix="" protocol=tcp
# no interface
add action=drop chain=forward in-interface=*C log-prefix=""
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:470:27:22b::1
/system clock
set time-zone-name=Europe/Stockholm
/system leds
set 1 interface=wlan2
/system ntp client
set enabled=yes primary-ntp=194.237.158.153 secondary-ntp=130.236.254.102
/system ntp server
set enabled=yes
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
add interface=wlan1
add interface=wlan2
add interface=sfp1
add
add
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
add interface=wlan1
add interface=wlan2
add interface=sfp1
add
add

EDIT: Added full export of hAP ac router

Post the full export…

Do you have the webproxy or http redirection enabled?

I’ll update the first post with a full export.

Both webproxy and http redirection are disabled.

A small update:
If I have my laptop connected to both ethernet and guest wifi, ping over wifi times out.

16:39 $ ping google.com -I wlp3s0 -w5
PING google.com (213.155.151.149) from 192.168.0.2 wlp3s0: 56(84) bytes of data.

--- google.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 4999ms

16:39 $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 84:3a:4b:05:34:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global dynamic wlp3s0
       valid_lft 580sec preferred_lft 580sec
    inet6 fe80::863a:4bff:fe05:3408/64 scope link 
       valid_lft forever preferred_lft forever
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:21:cc:d4:01:22 brd ff:ff:ff:ff:ff:ff
    inet 192.168.77.254/24 brd 192.168.77.255 scope global dynamic enp0s25
       valid_lft 306sec preferred_lft 306sec
    inet6 2001:470:28:22b:221:ccff:fed4:122/64 scope global noprefixroute dynamic 
       valid_lft 2591707sec preferred_lft 604507sec
    inet6 fe80::221:ccff:fed4:122/64 scope link 
       valid_lft forever preferred_lft forever

After I disconnect my ethernet connection, ping works again:

16:39 $ ping google.com -I wlp3s0 -w5 -c4
PING google.com (213.155.151.152) from 192.168.0.2 wlp3s0: 56(84) bytes of data.
64 bytes from 213-155-151-152.customer.teliacarrier.com (213.155.151.152): icmp_seq=1 ttl=57 time=128 ms
64 bytes from 213-155-151-152.customer.teliacarrier.com (213.155.151.152): icmp_seq=2 ttl=57 time=45.0 ms
64 bytes from 213-155-151-152.customer.teliacarrier.com (213.155.151.152): icmp_seq=3 ttl=57 time=55.5 ms
64 bytes from 213-155-151-152.customer.teliacarrier.com (213.155.151.152): icmp_seq=4 ttl=57 time=154 ms

--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4274ms
rtt min/avg/max/mdev = 45.009/95.870/154.953/46.742 ms

16:40 $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 84:3a:4b:05:34:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global dynamic wlp3s0
       valid_lft 493sec preferred_lft 493sec
    inet6 fe80::863a:4bff:fe05:3408/64 scope link 
       valid_lft forever preferred_lft forever
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:21:cc:d4:01:22 brd ff:ff:ff:ff:ff:ff

Where do you connect the laptop? To which ether interface?

Try disabling the bridge filters.

Repeat the curl test adding -v for more verbose debugging.

What IP does the laptop get?

Hello,

When I connect my laptop with cable the connection is like this:
Laptop – gigabit switch – gigabit switch – hAP ac router (ether2-master)
My laptop gets an IP in the 192.168.77.0/24 range and I can browse the Internet.

When I connect my laptop to the guest wifi I get an IP in the 192.168.0.0/24 range and I cannot browse the Internet.

If I change my CAPsMAN datapath configuration so that the guest wifi interfaces are connected to the LAN bridge, as opposed to the LAN-guest bridge, I can browse the internet again. It is only when the guest wifi interfaces are connected to the LAN-guest bridge that things stop working.

I’m currently on my phone. I will try disabling the bridge filter rules when I get home.

EDIT: grammar.

Ok, I’ve tried disabling the bridge filter rules, but I saw no difference.

However, what is extra strange is when I connect to http://www.google.com/ I get a 303 redirect to http://www.google.se/

14:23 $ curl --verbose -m5 "http://www.google.com/"
*   Trying 172.217.22.164...
* Connected to www.google.com (172.217.22.164) port 80 (#0)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Location: http://www.google.se/?gfe_rd=cr&ei=wUu4V4fGKfDk8AeC6JHQBw
< Content-Length: 258
< Date: Sat, 20 Aug 2016 12:23:29 GMT
< 
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.se/?gfe_rd=cr&ei=wUu4V4fGKfDk8AeC6JHQBw">here</A>.
</BODY></HTML>
* Connection #0 to host www.google.com left intact

14:22 $ curl --verbose -m5 "http://www.google.se/?gfe_rd=cr&ei=wUu4V4fGKfDk8AeC6JHQBw"
*   Trying 216.58.201.163...
* Connected to www.google.se (216.58.201.163) port 80 (#0)
> GET / HTTP/1.1
> Host: www.google.se
> User-Agent: curl/7.47.1
> Accept: */*
> 
* Operation timed out after 5001 milliseconds with 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 5001 milliseconds with 0 bytes received

Could it be a problem with MTU size? How can I change that?

I’ve seen it happen a few times with MTU mismatch. Ping works for small packets but browsing is very slow and Skype and some other apps completely fail to connect.

How do I determine what MTU size to use?
How do I set MTU size?
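The standard way to answer "what MTU should I use" is a path MTU probe: send ICMP echoes with the Don't Fragment bit set and binary-search the largest payload that still gets a reply; the path MTU is that payload plus 28 bytes (8-byte ICMP header + 20-byte IPv4 header). The script below is an added example, not code from this thread or from MikroTik. It assumes a Linux host with iputils `ping` (which supports `-M do` and `-s`) and a target that answers ICMP echo; the `simulated_probe` helper is a constructed stand-in so the search logic can be exercised offline. Run it as `python3 pmtu.py www.google.se` from the guest wifi and from the wired LAN and compare the two numbers.

```python
"""Path MTU probe: binary search over DF-flagged ICMP echo payload sizes."""
import subprocess
import sys
from typing import Callable

# IPv4 header (no options) + ICMP echo header; add this to the payload size
# to get the size of the packet that actually has to fit the path.
ICMP_OVERHEAD = 20 + 8
MAX_PAYLOAD = 1500 - ICMP_OVERHEAD   # largest payload that fits a 1500-byte Ethernet MTU


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with DF set (Linux iputils: 'ping -M do').

    Returns True if a reply came back, False if the probe was too large
    for some hop ("Frag needed") or simply lost.  Assumption: iputils ping
    is on PATH; other ping implementations use different flags.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 0,
                  hi: int = MAX_PAYLOAD) -> int:
    """Return the path MTU in bytes given a probe(payload) -> bool function.

    Invariant during the search: probe(lo) is True, probe(hi) is False.
    Stops when the two are adjacent, so lo is the largest passing payload.
    """
    if not probe(lo):
        raise RuntimeError("host does not answer even a minimal DF probe")
    if probe(hi):
        # Full-size frames pass: the path is not the bottleneck.
        return hi + ICMP_OVERHEAD
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo + ICMP_OVERHEAD


def tcp_mss_for(mtu: int) -> int:
    """Largest TCP MSS that fits the MTU: IPv4 header + TCP header, no options."""
    return mtu - 40


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_probe: a probe passes iff its packet fits."""
    return lambda payload: payload + ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.google.se"
    mtu = find_path_mtu(lambda n: ping_probe(target, n))
    print(f"path MTU towards {target}: {mtu} bytes "
          f"(TCP MSS should be at most {tcp_mss_for(mtu)})")
```

If the wifi path reports a smaller MTU than the wired one, the usual remedies on RouterOS are either lowering the `mtu=` of the affected interface (`/interface set <name> mtu=...`) or clamping TCP MSS on SYN packets in `/ip firewall mangle` with `action=change-mss`, which is what the `change-tcp-mss=yes` option in the thread's own PPP profile does for PPP links. A symptom that fits a blocked path MTU discovery is exactly the one in the thread: the TCP handshake (small packets) completes, and the first full-size data segment never arrives.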