Hello All,
I am a new owner of a MikroTik hAP ac lite.
My current setup is like this:
ether01 - Internet/Gateway
ether03 - (Z400) VMware ESXi host > multiple Linux and Windows VMs
bridge handling wireless adapters as default for other clients.
Now my problem is I cannot ping anything from the Linux VMs on the ESXi host except the internal network.
Here is some config export:
[clouded@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; main network
192.168.88.1/24 192.168.88.0 ether2-master
1 ;;; vm network
192.168.1.1/24 192.168.1.0 Z400
2 D 95.43.220.234/22 95.43.220.0 Vivacom
[clouded@MikroTik] > ip dns print
servers: 192.168.1.1,8.8.8.8,8.8.4.4
dynamic-servers: 212.39.90.42,212.39.90.43
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 5096KiB
cache-max-ttl: 1w
cache-used: 38KiB
[clouded@MikroTik] > ip dhcp-server print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 main dhcp bridge dhcp 10m
1 vm dhcp Z400 vm dhcp 10m yes
[clouded@MikroTik] >
[clouded@MikroTik] > ip dhcp-server network print
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 ;;; vm network
192.168.1.0/24 192.168.1.1 192.168.1.1 vsphere.local
8.8.8.8
1 ;;; defconf
192.168.88.0/24 192.168.88.1
Firewall Config:
[clouded@MikroTik] > ip firewall export
# apr/21/2017 20:23:45 by RouterOS 6.38.5
# software id = D7XM-FY0Z
#
/ip firewall filter
add action=accept chain=input dst-port=8291 log-prefix=winbox protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=Vivacom
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface=Vivacom
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="RDP Xeon" dst-port=3389 in-interface=Vivacom log-prefix=\
rdp_w7 protocol=tcp to-addresses=192.168.1.34 to-ports=3389
add action=dst-nat chain=dstnat comment="ESXi https" dst-port=443 in-interface=Vivacom protocol=tcp \
to-addresses=192.168.1.33 to-ports=443
add action=dst-nat chain=dstnat comment="ESXi https" dst-port=902 in-interface=Vivacom protocol=tcp \
to-addresses=192.168.1.33 to-ports=902
add action=dst-nat chain=dstnat comment="SAN ssh" dst-port=5722 in-interface=Vivacom protocol=tcp \
to-addresses=192.168.1.5 to-ports=22
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=Vivacom
I just cannot find a way to open outgoing traffic from the VMs on the ESXi host. Where am I wrong?
Could you please help me?
Thank you!
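Since the question turns on the `/ip firewall` export, here is an added example (my own, not from the poster or from MikroTik) that parses that export format and inventories what the dst-nat rules publish on the WAN interface and which source ranges are masqueraded. The `EXPORT` sample is a constructed, trimmed copy of the rules above; the interface name `Vivacom` and the addresses are taken from the post.

```python
import re
import shlex

# Constructed sample: a trimmed copy of the RouterOS export quoted in the post,
# including the trailing-backslash line wrapping that "export" produces.
EXPORT = r'''
/ip firewall filter
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=Vivacom
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="RDP Xeon" dst-port=3389 in-interface=Vivacom log-prefix=\
    rdp_w7 protocol=tcp to-addresses=192.168.1.34 to-ports=3389
add action=dst-nat chain=dstnat comment="SAN ssh" dst-port=5722 in-interface=Vivacom protocol=tcp \
    to-addresses=192.168.1.5 to-ports=22
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=Vivacom
'''

def parse_export(text):
    """Return [(section, {key: value})] for every 'add' line in a RouterOS export.
    A backslash at end of line joins the continuation (and its indent) to the rule."""
    rules, section = [], None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or export header comment
        if line.startswith("/"):
            section = line                # e.g. "/ip firewall nat"
            continue
        if line.startswith("add "):
            kv = {}
            for tok in shlex.split(line[4:]):   # shlex keeps quoted comments intact
                key, _, value = tok.partition("=")
                kv[key] = value
            rules.append((section, kv))
    return rules

def wan_exposure(rules, wan):
    """Services the dst-nat rules publish on the WAN interface:
    (protocol, public port, internal host, internal port)."""
    return [(r.get("protocol"), r.get("dst-port"), r.get("to-addresses"),
             r.get("to-ports", r.get("dst-port")))    # no to-ports => port unchanged
            for s, r in rules
            if s == "/ip firewall nat" and r.get("action") == "dst-nat"
            and r.get("in-interface") == wan]

def masqueraded_sources(rules):
    """src-address of each srcnat masquerade rule; None means any source."""
    return [r.get("src-address") for s, r in rules
            if s == "/ip firewall nat" and r.get("action") == "masquerade"]

if __name__ == "__main__":
    rules = parse_export(EXPORT)
    for proto, port, host, to_port in wan_exposure(rules, "Vivacom"):
        print(f"WAN {proto}/{port} -> {host}:{to_port}")
    print("masqueraded sources:", masqueraded_sources(rules))
```

Run it against a full `/ip firewall export` to see at a glance which internal hosts are reachable from the internet and whether each LAN subnet actually has a masquerade rule.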