How to diagnose/troubleshoot routing?

How do I troubleshoot routing on my network?

I found oddly that some external addresses are inaccessible from a wireless connected laptop on my network if I connect via the Mikrotik router but are accessible if I connect directly to my ISP router.
Other sites can be accessed fine.

So I did a traceroute from the Mikrotik and was able to connect (below) but wasn't able to get to the site from a terminal on my laptop (bottom):

[admin@MikroTik] > /tool traceroute firebaseapp.com use-dns=yes

ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS

1 192.168.1.254 (my router from ISP) 0% 63 0.5ms 0.9 0.5 12.2 1.5
...
9 151.101.1.195 0% 62 19.5ms 20.1 19.1 24.7 1.1

But from a laptop connecting via wireless (through an AP on the network)

C:>tracert firebaseapp.com
Tracing route to firebaseapp.com [151.101.65.195]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms router [192.168.88.1] (my Mikrotik)
2 * * * Request timed out.
...

Are you mostly intending to use the Mikrotik as a wireless access point? If so, then I’d recommend just converting it into a pure layer 2 bridge (pure access point, not a wireless router).

So at the IP layer, your wireless devices will be on the same network as your wired network.

I assume that only certain sites are affected by this problem, and others work normally, which tells me that your network is properly routed / nat-ed in general.
I also assume that all of your devices (wired and wireless alike) are behind the Mikrotik - i.e. they all have 192.168.88.x IP addresses.

Therefore, I believe that almost certainly your issue is that you’ve got an overly-aggressive set of firewall rules, the most likely culprit being that you’re blocking ICMP. (because traceroute should not fail at the first hop past the Mikrotik for all sites)

Ensure that you’re not blocking all ICMP because what’s probably happening is that these unreachable sites are failing due to path-MTU issues. Normally, if a router out on the Internet somewhere must discard a “don’t fragment” IP packet due to MTU issues, it will send an ICMP message to the sender alerting them that the packet was discarded for MTU reasons, and gives the next-hop’s MTU so that the sender can adjust its path MTU for the intended destination. If your router (or any router upstream from you) discards these ICMP messages, then your PC can’t learn that it needs to send smaller packets.
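Added example, not part of the original thread: the ICMP "fragmentation needed" message described above (type 3, code 4, RFC 1191), built as a constructed packet and parsed to recover the next-hop MTU that a firewall would hide from the sender if it dropped the message. The function names and the documentation-range addresses are assumptions made for the illustration.

```python
import ipaddress
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (data padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = False) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                      0x4000 if df else 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_frag_needed(router: str, sender: str, dest: str, next_hop_mtu: int) -> bytes:
    """Constructed sample: the error a router returns for an oversized DF packet."""
    # RFC 792: the error quotes the dropped packet's IP header plus 8 payload bytes.
    quoted = ipv4_header(sender, dest, 6, 1480, df=True) + struct.pack("!HHI", 50000, 443, 1)
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    icmp = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(router, sender, 1, len(icmp)) + icmp

def parse_frag_needed(packet: bytes):
    """Return (reporting_router, original_dest, next_hop_mtu), else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                      # not IPv4 carrying ICMP
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20:
        return None                      # too short to quote an IP header
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4) or checksum(icmp) != 0:
        return None                      # other ICMP message, or corrupted
    router = str(ipaddress.IPv4Address(packet[12:16]))
    # Destination of the dropped packet: bytes 16..19 of the quoted IP header.
    original_dest = str(ipaddress.IPv4Address(icmp[8 + 16:8 + 20]))
    return router, original_dest, mtu

if __name__ == "__main__":
    # Constructed values: router 203.0.113.1 reports MTU 1400 toward 198.51.100.7.
    pkt = build_frag_needed("203.0.113.1", "192.0.2.10", "198.51.100.7", 1400)
    print(parse_frag_needed(pkt))
```

The sender keys its path-MTU cache on the quoted destination address, so a filter that drops this one message type leaves large packets to that destination silently discarded while small ones still get through.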

That was it! Overly aggressive firewall rules. I did have the (original) rule to accept ICMP but the specific IPs were blocked later in the rule set.

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

My setup is intended to be able to block certain sites or devices at certain times during the week which is why I was tweaking the firewall. I have multiple wireless APs connecting to it.

Thanks