Guest network - works only ping

Pokky · January 17, 2017, 1:20pm

Hello, i have problem with Mikrotik after update to new version. I have 5 Mikrotik devices with virtual AP as guest. This APs are connected with main Mikrotik through EOIP. EOPI tunel and Guest APs are in the same bridge in each devices. Until recently everything worked, but after pre-plast update i have first problem. In this case helped restart of all network elements after update. But after today’s restart, stop working altogether. I do not know, what is needed to diagnostics what log etc.

Thank you in advance for your advice[

normis · January 17, 2017, 2:14pm

what does not work? ping to where works?
is DNS configured in the client?

Pokky · January 17, 2017, 5:07pm

Ping works in 192.168.10.0/24 networks between devices and from this network to WAN a try Google DNS 8.8.8.8. Devices got DNS from DHCP. I draw picture.

Black is local network and each devices works in local_bridge
Red is guest network, which is between themselves through EOIP tunnel

EOIP is set from 10.2 to 10.1, from 10.3 to 10.1 and 10.4 to 10.1, follows the local network structure.

Local network works very good without problem. I have problem in Guest network ping is works, DHCP too, but website not.

2frogs · January 17, 2017, 5:25pm

Most likely missing masquerade rule.

ip firewall nat
add chain=src-nat src-address=192.168.10.0/24 out-interface=ether1 action=masquerade

Pokky · January 17, 2017, 6:32pm

I forgot to write, yes i have masquerade. It’s worked for Several months, but two updates back problems started. Can I Provide some logs, for better diagnostics?

2frogs · January 17, 2017, 10:38pm

If you provide an export that would be most helpful.

/export file=router1

This will create a router1.rsc file that you can download from the device and edit for redaction with a text editor.

I had a similar setup running at one time, but after loosing my main router to a lighting strike
i had issues getting it back up and going. I changed to a vlan setup that is much easier to setup and maintain.

Pokky · January 18, 2017, 9:22am

I’m worried about export and a lot of sensitive data for potential hacker. Passwords can overwrite, but public domains and IPs not.

EDIT: Will it be enough to publish only a part of the log?

2frogs · January 18, 2017, 1:18pm

Use a text editor to remove/mask any sensitive information. Then copy and paste the content to forum. You can also add hide-sensitive to the command to hide some sensitive information.

/export hide-sensitive file=router1

In Terminal you can use the [tab] button to complete commands and show you other options

Pokky · January 23, 2017, 5:19pm

I attach a file from the main (192.168.8.1) and second (192.168.8.7) routers. Thanks.
Router2Censured.rsc (6.93 KB)
RouterMainCensure.rsc (23 KB)

Pokky · January 29, 2017, 6:23pm

Could anyone advise me? Thank You.

normis · January 30, 2017, 8:32am

Thank you for the config, but please answer my questions.

Can client ping your router IP?
Can client ping 8.8.8.8?
Can client ping google.com?

Pokky · January 30, 2017, 2:47pm

Sorry, but incomprehensibly It started to work. Probably helped recent disconnection by the power source. Before that, I rebooted at least 10 times all network elements.I am confused.

Before, ping worked to main router (192.168.8.1 and 192.168.10.1), Google’s DNS Also (8.8.8., but on Google.com probably also, but I’m not sure.What I know, that client had DNS servers list from DHCP.

If you know app IP tools from Google Play (Android), so the application has not been able to get public IP, I think it was, because it was trying to contact some DNS server.