LAN Connection Issues - no route to host

Hi All
This is my setup:
951Ui-2HnD running RouterOS 6.41. I have an ADSL modem connected to ether1 - this would be the WAN. Wireless is set up, with the other ports on the switch all part of the bridge/LAN.

Having a battle with my network at the moment. I can ping from one device to another in the bridge, but as soon as I try to run something, it says no route to host. I was testing with Netcat, listening on one device, but getting the same issue: no route to host!
Herewith some configuration settings of the router:

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.0.0.2                  1
 1 ADC  10.0.0.0/24        10.0.0.101      ether1                    0
 2 ADC  192.168.88.0/24    192.168.88.1    bridge                    0

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge
 1 D 10.0.0.101/24      10.0.0.0        ether1

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 5    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 6    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 7    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 9    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

10    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 


[admin@MikroTik] > ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

[admin@MikroTik] > interface print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1                              ether            1500  1598       2028 6C:3B:6B:A0:53:66
 1   S ether2                              ether            1500  1598       2028 6C:3B:6B:A0:53:67
 2   S ether3                              ether            1500  1598       2028 6C:3B:6B:A0:53:68
 3  RS ether4                              ether            1500  1598       2028 6C:3B:6B:A0:53:69
 4   S ether5                              ether            1500  1598       2028 6C:3B:6B:A0:53:6A
 5  RS wlan1                               wlan             1500  1600       2290 6C:3B:6B:A0:53:6B
 6  R  ;;; defconf
       bridge                              bridge           1500  1598            6C:3B:6B:A0:53:67

Not sure if I need to give other info. This is a strange one, and although I'm not that well versed with RouterOS, the networking seems OK to me, unless I'm missing something obvious.
Anyway, if anyone can help, much appreciated. Have Googled and searched forums etc., but no joy.

Thanks

Hi, some things to check:

  • is your ether1 in WAN interface list?
    that’s for masquerade to work
  • there is apparently no accept for forward from LAN to ether1. Only accept for established and related, but nothing to actually create these. Currently only IPsec is allowed in forward.
  • is ip forwarding enabled in ip settings?

Seb

Hi Seb
Thanks for responding.
Yes, ether1 is in the WAN list, see below (note: weird that I can't seem to see it in the CLI, but the picture below from the web interface seems to indicate this):

[admin@MikroTik] > interface list print detail 
Flags: * - builtin, D - dynamic 
 0 * ;;; contains all interfaces
     name="all" dynamic=no include="" exclude="" 

 1 * ;;; contains no interfaces
     name="none" dynamic=no include="" exclude="" 

 2 * ;;; contains dynamic interfaces
     name="dynamic" dynamic=no include="" exclude="" 

 3   ;;; defconf
     name="WAN" dynamic=no include="" exclude="" 

 4   ;;; defconf
     name="LAN" dynamic=no include="" exclude=""


http://imgur.com/a/WKtjH


Regarding your second point, there "should" be no need to go to ether1; that's going out to the WAN. The problem is that all devices in the bridge/LAN are not able to connect to ports on other devices in the bridge/LAN, with the no route to host message. My understanding is that everything in the LAN "should" be open and reachable within the LAN. This doesn't seem to be working for me, however.


IP forwarding is enabled, see below:

[admin@MikroTik] > ip settings print 
              ip-forward: yes
          send-redirects: yes
     accept-source-route: no
        accept-redirects: no
        secure-redirects: yes
               rp-filter: no
          tcp-syncookies: no
    max-neighbor-entries: 8192
             arp-timeout: 30s
         icmp-rate-limit: 10
          icmp-rate-mask: 0x1818
             route-cache: yes
         allow-fast-path: yes
   ipv4-fast-path-active: no
  ipv4-fast-path-packets: 0
    ipv4-fast-path-bytes: 0
   ipv4-fasttrack-active: yes
  ipv4-fasttrack-packets: 11188113
    ipv4-fasttrack-bytes: 9998221565

Have you any other suggestions? This is really messing with my mind, as to why I can't get comms within the LAN.

Thanks

:blush: :blush: :blush: :blush:

Found my issue. I had thought that the one device didn't have a firewall on, but it turns out it did…

Issue now solved.
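The "no route to host" in this thread came from a host firewall on the target device, not from the router. On Linux the kernel maps the ICMP error a firewall REJECT sends back (host unreachable / administratively prohibited) to EHOSTUNREACH, which is exactly the text Netcat printed; a plain closed port gives ECONNREFUSED and a DROP rule gives a timeout. As an added example, not code from the thread or from MikroTik, this small diagnostic probes one host:port from a LAN client and translates the connect() errno into which layer rejected the connection; the host, port and the hint wording are assumptions.

```python
import errno
import socket

# Map the errno a failed connect() returns to the most likely cause. The Linux
# kernel turns incoming ICMP "destination unreachable" messages into these
# errnos, so the wording Netcat prints already points at the responsible layer.
CONNECT_ERROR_HINTS = {
    errno.ECONNREFUSED: "refused: host answered with a TCP RST, nothing listens on that port",
    errno.EHOSTUNREACH: "no route to host: ICMP host-unreachable/prohibited came back "
                        "(typically a host firewall REJECT rule, or no ARP reply on the LAN)",
    errno.ENETUNREACH: "no route to network: the client itself has no matching route",
    errno.ETIMEDOUT: "timed out: packets were silently dropped (DROP rule or black hole)",
}


def classify_connect_error(err_no: int) -> str:
    """Return a human-readable hint for the errno of a failed connect()."""
    return CONNECT_ERROR_HINTS.get(err_no, f"unclassified socket error errno={err_no}")


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect; return 'open' or the diagnostic hint for the failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # socket.timeout carries no errno, so classify it explicitly.
        return classify_connect_error(errno.ETIMEDOUT)
    except OSError as exc:
        return classify_connect_error(exc.errno)


if __name__ == "__main__":
    import sys

    # Usage: python probe.py 192.168.88.10 8080  (assumed LAN host and Netcat port)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(f"{target_host}:{target_port} -> {probe(target_host, target_port)}")
```

If the result is the "no route to host" hint while ping works, inspect the firewall on the target device itself (for example `nft list ruleset` or `iptables -S` on a Linux host) before touching the router's forward chain.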