Clients connected to the local side of the MT cannot access the internet.
I have browsed all sorts of topics trying to figure out why I am unable to get local clients to connect to the internet.
I have even had a tech reset the MT and use a default config script, but the clients were still unable to access the internet.
In the past, a factory reset and default config script would give the local clients access to the internet. Something seems to have changed with the latest release.
What step(s) am I skipping?
Which versions are known to work, and which OS version causes the issue?
I’m not 100% sure of the version I upgraded from, but the currently installed version is the current stable release as of 1/2/20: 6.46.1
If I remote into the device via Winbox, I can ping 4.2.2.1 without specifying a source IP/interface.
However, if I source the ping from a LAN IP, I get timeouts and "destination cannot be reached" responses from my DNS server on the LAN bridge.
However, 0.0.0.0 is reachable via Ether1
An additional test shows that if I use src address 192.168.168.51 with no interface and no routing table; I can ping out to 4.2.2.1
However, as soon as I add an interface, I get timeouts.
Also, if I add DNS to my network, I get timeouts…
I’m scratching my head on this one..
mkx
January 3, 2020, 1:04pm
6
So why don’t you post the full config … execute /export hide-sensitive in the CLI, then copy-paste the output here inside a [code][/code] environment.
IP address conflict between your Modem and the MT?
Replaced IPs with simple X as /export hide-sensitive did not seem to hide everything I considered sensitive.
[admin@mmcu-parkland] > /export hide-sensitive
# jan/03/2020 11:41:47 by RouterOS 6.46.1
# software id = 4S0Q-PXRF
#
# model = 2011UiAS
# serial number = 608504A51A11
# NOTE(review): "hide-sensitive" left the software id, serial number and MAC
# addresses in this export; redact them by hand before posting publicly.
#
# LAN bridge: fixed admin MAC, IGMP snooping and VLAN filtering both enabled.
# NOTE(review): no bridge VLAN table appears in this export, so ports
# presumably stay on the default PVID - verify.
/interface bridge
add admin-mac=4C:5E:0C:F3:3B:45 auto-mac=no comment=defconf igmp-snooping=yes \
name=bridge vlan-filtering=yes
# ether1 and ether10 are labelled as the two WAN uplinks.
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1
set [ find default-name=ether10 ] comment=WAN2
# Two EoIP tunnels, both currently disabled.
# NOTE(review): both entries carry the same mac-address; give each tunnel a
# unique MAC before enabling them side by side.
/interface eoip
add allow-fast-path=no arp-timeout=10m disabled=yes local-address=X \
mac-address=02:E3:DE:6A:19:33 mtu=1500 name=flatnet-tunnel1 remote-address=\
X tunnel-id=1
add allow-fast-path=no arp-timeout=10m disabled=yes local-address=X \
mac-address=02:E3:DE:6A:19:33 name=flatnet-tunnel2 remote-address=\
X tunnel-id=2
# Switch-chip ports strip VLAN headers; ports 2-5 also set default-vlan-id=0.
/interface ethernet switch port
set 1 vlan-header=always-strip
set 2 default-vlan-id=0 vlan-header=always-strip
set 3 default-vlan-id=0 vlan-header=always-strip
set 4 default-vlan-id=0 vlan-header=always-strip
set 5 default-vlan-id=0 vlan-header=always-strip
set 10 vlan-header=always-strip
set 11 vlan-header=always-strip
# Interface lists referenced by the firewall rules: WAN, LAN and tunnel.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=tunnel
/ip ipsec policy group
add name=tunnel
# Default IPsec profile: AES-256, 20s dead-peer detection, strict proposal check.
/ip ipsec profile
set [ find default=yes ] dpd-interval=20s enc-algorithm=aes-256 lifetime=8h \
proposal-check=strict
# Default IPsec proposal: SHA-256 auth, AES-256-CBC, PFS with modp2048.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=1h pfs-group=modp2048
# Lease pool inside 172.16.51.0/24.
/ip pool
add name=dhcp ranges=172.16.51.10-172.16.51.20
# DHCP server on the bridge, handing out addresses from the pool above.
# NOTE(review): relay= is set here and a DHCP relay is also configured on the
# same bridge under /ip dhcp-relay; running both on one interface looks
# unintended - confirm which one should answer clients.
/ip dhcp-server
add add-arp=yes address-pool=dhcp allow-dual-stack-queue=no authoritative=\
after-10sec-delay disabled=no interface=bridge lease-time=4h name=defconf \
relay=192.168.168.130 src-address=192.168.168.130 use-framed-as-classless=no
# Custom log action that echoes to the console and is not remembered.
/system logging action
add name=whisper remember=no target=echo
# Bridge membership: ether2-ether9 and sfp1 are LAN ports; the ether10 entry is
# disabled (ether10 is used as WAN2).
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf disabled=yes interface=ether10
add bridge=bridge comment=defconf interface=sfp1
# NOTE(review): the EoIP tunnel is bridged into the LAN as a trusted port, so
# the remote site shares this L2 domain - confirm that end is equally trusted.
add bridge=bridge interface=flatnet-tunnel1 learn=yes trusted=yes
# NOTE(review): discovery on "all" includes the WAN ports, which advertises the
# router's identity to the upstream network; consider limiting this to LAN.
/ip neighbor discovery-settings
set discover-interface-list=all
# NOTE(review): Detect Internet runs on every interface and is allowed to
# manage the WAN/LAN lists that the firewall rules depend on; consider
# detect-interface-list=none while troubleshooting - TODO confirm impact.
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=LAN \
wan-interface-list=WAN
# Static list membership: bridge and ether2-9 in LAN, ether1 and ether10 in WAN,
# both EoIP tunnels in "tunnel".
# NOTE(review): ether2-9 are bridge ports, so listing them next to the bridge
# itself is presumably redundant - verify.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether10 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=flatnet-tunnel1 list=tunnel
add interface=flatnet-tunnel2 list=tunnel
# IP accounting is on and also counts router-local traffic.
/ip accounting
set account-local-traffic=yes enabled=yes
# Router addresses: two subnets on the bridge plus the redacted WAN1 /29.
# NOTE(review): 192.168.168.51 is shown without a prefix length; an address
# added without a mask is presumably treated as /32 - confirm it is really /24,
# otherwise the 192.168.168.0/24 hosts are not on a connected route.
/ip address
add address=192.168.168.51 interface=bridge network=192.168.168.0
add address=X/29 interface=ether1 network=X
add address=172.16.51.1/24 interface=bridge network=172.16.51.0
# WAN2 (ether10) obtains its address by DHCP.
/ip dhcp-client
add comment=defconf disabled=no interface=ether10
# Relays DHCP requests seen on the bridge to 192.168.168.130.
/ip dhcp-relay
add dhcp-server=192.168.168.130 disabled=no interface=bridge local-address=\
192.168.168.51 name=relay1
# Options handed to DHCP clients; the 192.168.168.0/24 network sends no DNS
# server (dns-none=yes).
/ip dhcp-server network
add address=172.16.51.0/24 gateway=172.16.51.1 netmask=24
add address=192.168.168.0/24 comment=defconf dns-none=yes gateway=192.168.168.51 \
netmask=24
# Router acts as a DNS resolver for clients (allow-remote-requests=yes).
# NOTE(review): the first upstream server, 172.16.51.1, is this router's own
# bridge address (see /ip address), so it would forward queries to itself -
# presumably unintended. Keep port 53 blocked from WAN in the input chain so
# this does not become an open resolver.
/ip dns
set allow-remote-requests=yes servers=172.16.51.1,8.8.8.8,4.2.2.1
/ip dns static
add address=192.168.168.51 comment=defconf name=router.lan
# Sources that the "TUNNEL" input rule accepts without further filtering.
/ip firewall address-list
add address=192.168.168.52 list="Remote Trusted"
add address=X list="Remote Trusted"
add address=X list="Remote Trusted"
# Filter rules are evaluated top to bottom; the first matching rule decides.
/ip firewall filter
# Winbox (tcp/8291) is accepted on both WAN ports for one destination address.
# NOTE(review): neither rule restricts the source, so the management port is
# reachable from any internet host; consider adding
# src-address-list="Remote Trusted" or reaching Winbox only through the tunnel.
add action=accept chain=input comment=WINBOX dst-address=X \
dst-port=8291 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-address=X dst-port=8291 \
in-interface=ether10 protocol=tcp
# Accepts every protocol and port from "Remote Trusted" sources on WAN1.
add action=accept chain=input comment=TUNNEL in-interface=ether1 \
src-address-list="Remote Trusted"
# The generic ICMP accept is disabled; ICMP is accepted per WAN port instead.
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment="WAN1 PING" in-interface=ether1 protocol=\
icmp
add action=accept chain=input comment="WAN2 PING" in-interface=ether10 protocol=\
icmp
# Forwarded traffic that matches an IPsec policy is accepted in both directions.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Stateful accept for already-tracked connections (input, then forward).
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=\
127.0.0.1
# NOTE(review): this fasttrack rule sits after the forward accept for
# established,related above, so it presumably never matches.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
# Input chain: drop invalid packets, then everything not arriving from LAN.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain: drop invalid packets and new WAN connections that were not
# dst-NATed.
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# NOTE(review): probable cause of "LAN clients cannot reach the internet".
# The ISP1 mark is applied only to connections whose nat-state is already
# srcnat, while the ether1 masquerade rule below fires only for connections
# already marked ISP1. On the first packet of a new connection neither
# condition can be true yet, so LAN traffic presumably leaves ether1 with its
# private source address and no replies come back (TX without RX). To test,
# drop connection-mark= and src-address-list="" from the ether1 masquerade rule.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-nat-state=srcnat \
new-connection-mark=ISP1 passthrough=yes
# NOTE(review): fasttrack in the mangle input chain is unusual - confirm intent.
add action=fasttrack-connection chain=input connection-mark=ISP1 in-interface=\
ether1
# Same matcher as the ISP1 rule above, so it re-marks the same connections ISP2.
add action=mark-connection chain=prerouting connection-nat-state=srcnat \
new-connection-mark=ISP2 passthrough=yes
add action=fasttrack-connection chain=input connection-mark=ISP2 in-interface=\
ether10
# Marks ESP traffic arriving on WAN interfaces as "tunnel".
add action=mark-connection chain=prerouting in-interface-list=WAN \
new-connection-mark=tunnel passthrough=yes protocol=ipsec-esp
add action=fasttrack-connection chain=input connection-mark=tunnel \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.168.52 \
out-interface=all-ethernet
# WAN1 masquerade: only for non-IPsec traffic on connections marked ISP1.
# NOTE(review): src-address-list="" is an extra matcher on this rule; confirm it
# was not left behind by accident.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
connection-mark=ISP1 ipsec-policy=out,none out-interface=ether1 \
src-address-list=""
# WAN2 masquerade is unconditional.
add action=masquerade chain=srcnat out-interface=ether10
add action=dst-nat chain=dstnat disabled=yes in-interface=flatnet-tunnel1 \
to-addresses=0.0.0.0
# FTP, IRC and H.323 connection-tracking helpers are turned off.
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
/ip ipsec policy
set 0 group=tunnel
# First entry has no dst-address and so acts as the default route via Y; the
# others are host routes with ping gateway checks (one of them disabled).
/ip route
add distance=1 gateway=Y
add check-gateway=ping disabled=yes distance=1 dst-address=X/32 \
gateway=Y
add check-gateway=ping distance=1 dst-address=X/32 gateway=\
Y
add check-gateway=ping distance=1 dst-address=192.168.168.52/32 gateway=\
flatnet-tunnel1
# NOTE(review): these rules match routing-mark=isp1 / tunnel, but no mangle
# rule in this export sets a routing mark (only connection marks), so they
# presumably never match - verify.
/ip route rule
add dst-address=0.0.0.0/0 interface=ether1 routing-mark=isp1 table=main
add dst-address=192.168.168.52/32 interface=flatnet-tunnel1 routing-mark=tunnel \
table=main
# Management services: telnet, ftp, ssh, api and api-ssl are disabled; the web
# interface stays enabled on port 8080.
# NOTE(review): no address= restriction is set on the remaining services;
# consider limiting them to the management subnets.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set enabled=yes
/ip upnp
set show-dummy-rule=no
# RIP redistributes connected routes; the neighbor and network entries are
# disabled.
/routing rip
set redistribute-connected=yes
/routing rip neighbor
add address=X disabled=yes
/routing rip network
add disabled=yes network=172.16.51.0/24
/system clock
set time-zone-name=America/Chicago
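# Router identity; matches the hostname shown in the CLI prompt of this export.
# (The pasted text had split "set name=" across two lines and fused the next
# section header onto the value; restored here.)
/system identity
set name=mmcu-parkland
# Extra log rules for the dhcp and debug topics.
# NOTE(review): the debug topic is verbose; remove it once troubleshooting is
# finished.
/system logging
add topics=dhcp
add topics=debug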
# Time sync against the public NTP pool.
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org
# Layer-2 management access (MAC telnet and MAC Winbox) is limited to
# interfaces in the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@mmcu-parkland] >
Still not sure what I’m missing here.
Looking at the Packet counts, I see a lot of transmit, but no receive..