Neighbour public IP doesn't work

Hello,

I want to point out at the start that I'm not the owner of any router running RouterOS. I'm writing this message on behalf of my good friend and neighbour, who bought a MikroTik RB750Gr3. He's not experienced with MikroTik routers, and neither am I, but I have a better understanding of the problem and of router configuration. That's the reason he didn't post here himself.

We both have the same ISP, are connected to the same network point and are not separated by the ISP (I confirmed that with ISP support). We also both have an external IP address from the same subnet. No matter which of us hosts some service, everyone can reach it, except that we cannot reach each other. I'm getting a timeout for any request to my neighbour, and my neighbour gets "host unreachable" with his own public IP address when trying to reach me. Besides that, he has no issues connecting to any other IP address (at least outside the ISP subnet). ISP support suggests there is something wrong with the MikroTik router's configuration, but I'm not familiar with it and none of my ideas actually worked. I'm looking for guidance here. I can only add that the route list is correct.

Thank you in advance for any help.

What method is used?
DHCP? PPPoE? etc.?
What are the two WAN addresses? And subnet? And gateway?

Do not publish your real addresses,
but use, for example, 77.99.55.xxx/yy at the start, with the true xxx/yy for all addresses

The problem sounds analogous to the hairpin NAT problem, the difference being that it’s pushed one layer out, into your ISP’s border routers. The logic might be something like “If the source IP belongs to one of our customers, the destination cannot possibly be another of our customers, but only to something out on the wider Internet, so drop it, it’s clearly bogus.”

If that’s right, only your ISP can fix this, if they even want to.

Beware that it’s against the ToS for you to be doing what you’re attempting with some ISPs, so making too many waves might get your account canceled. Check the rules before pursuing this.

Virtually every IPv4 address belongs to someone now. That one is part of Virgin Media UK's 77.99.0.0/16 range.

I recommend instead using these special RFC 5735 address ranges:

  • TEST-NET-1: 192.0.2.0/24
  • TEST-NET-2: 198.51.100.0/24
  • TEST-NET-3: 203.0.113.0/24

These are reserved for examples and will never be assigned to real uses.

Those numbers weren't random… :wink:

Thank you for the quick response.
Both routers are configured with DHCP.

Both IP addresses are xxx.xxx.xxx.xxx/22, connected to the same gateway xxx.xxx.xxx.xxx (not sure how much I should go into detail here).

Unfortunately, I was in contact with my ISP for almost an hour and they are sure there is absolutely nothing on their side blocking our connection. Also, the difference in connection responses (timeout from my side vs. "host unreachable" from my friend's side) doesn't sound like it.

OK, same gateway.

Only your ISP can unlock this for you, in two ways:

  1. change one IP to one in another block
  2. hope the ISP has a network engineer who can solve it with "two routes"…

So it's really nothing to do with the MikroTik router? Even considering the different network responses?

But if your ISP gives the same gateway to both of you, your device can't reach your friend if the ISP router always has the gateway IP.

It's hard to explain in English, because I'm Italian.

Your ISP router searches for your friend on… the same Ethernet where the gateway is… and where the local machine is.

I understand what you mean. Thank you.
I will wait one day, because maybe there will be yet another explanation. :slight_smile: If not, I will contact my ISP once more.

Sorry, but I use the same method, because this way no single IP is wasted, as IPv4s are now out of stock…

But unlike that ISP, which does not seem to me to know what it is doing,
if someone has such a problem, I solve it immediately
by putting the public IPs in two different pools… nothing easier…
(trivially it would be enough to change the two gateways and leave the same public IPs)

But… can you reach each other via IPv6???

Just an idea… one "IPv6 tunnel" and you can reach your respective LANs or whatever you want…

What is the difference in IP (don't put the real numbers) between yours?
For example, if one is 10.0.2.53 and the other is 10.0.2.72, the difference is 29.

Unfortunately, my ISP doesn't support IPv6 yet...

My bad. One IP is xxx.xxx.xxx.xxx and the other one is xxx.xxx.xxx.xxx. But still, they are both in the same subnet and connected to the same gateway.

Are your IPs static or dynamic?

The only thing I suggest is to contact your ISP to change the IP used to one in another block.

All ISP IPs in that block: 77.92.32.0/19 (77.92.32.0 … 77.92.63.255)
Your pool: 77.92.52.0 … 77.92.55.255
Ask for one IP outside that pool (if possible)…

If your ISP can assign any IP outside that pool, and the firewall allows communication between users, it's done…

Static, but assigned by DHCP.

Understood. I will contact them. They were curious what is wrong with our connections, so I assume they will be happy to try a new IP address outside the pool.

Does the ISP really not figure out what the problem is???

If you have 10.0.1.11/22 (/22!!!) and 10.0.0.1 as gateway, and the other user has 10.0.2.22/22 and the same 10.0.0.1 gateway, what happens?

If 10.0.1.11 wants to contact 10.0.2.22, the dynamic connected route 10.0.0.0/22 with distance 0 is already present in the internal routes!!!,
and that means that the router searches for the other IP not outside, like other servers,
but inside the same WAN port, as if a switch were present and the other router's WAN were directly connected, but that is not the case… and it fails.

I'll try to explain it in English - when two devices are in the same subnet on an Ethernet (or similar) interface, they normally do not use any gateway to talk to each other; instead, the sender sends an ARP request "who has IP x.x.x.x" to determine the MAC address of the destination, and if it gets a response, it sends the packet to that MAC address. In the access networks of most ISPs who use Ethernet with direct IP assignment (i.e. no PPPoE), customers in the same subnet are connected to the same "switch", but there is "port isolation" in place, preventing Ethernet frames from getting from one customer's equipment to another (intentionally). And if the ISP is big enough, the support guy you've talked to may not even know about this. If this is indeed the root cause of your issue, what might help (it did in my case) would be to add a route to your.ip.add.ress/32 via the same gateway IP given by the ISP, because a narrower destination (longer prefix) always overrides a wider one, no matter what the distance is. But in order for that to work, the same has to be configured also on your router, and as it is not a Mikrotik one, I have no idea whether it is possible or not.

There may also be a misconfiguration on one of the routers, so before you start finding out, I'd recommend you run /tool sniffer quick ip-address=your.ip.add.ress ip-protocol=icmp on your friend's Mikrotik while you're pinging his address. If nothing arrives there, chances are high that there is port isolation.

Thanks… :mrgreen:

This is not an easy one. Many things can be wrong, and you have no access, not even a view of the uplink network topology.

What the ISP says is correct, or it is not. I have had many "words" with ISP support, disagreeing with the helpdesk.
There was the risk of the subscription being terminated while trying to get to second or third level support.
It's a balancing act. Even if you have the proof in your hands, they may not agree, and see it differently.

So, being careful in the communication, try to find out what the real topology is.

What can be wrong? As @sindy already explained, it is common practice to "disable port forwarding" in a switch between clients.

But there is also the IP routing protocol, which optimises on its own, based on assumptions that may not hold;
IP routing assumes that IP traffic in the same subnet, coming in and going out through the same interface, could communicate directly without involving that router.
May be true, may be not true! (e.g. the switch port forwarding, cf. @sindy, but also the "horizon" set on routers or on bridges; the name for this is vendor dependent.)
Interfaces on an MT bridge with the same "horizon" value will not communicate. (I do use this quite often, to make the network tree-like.)
The uplink has a different horizon value, all downlink ports have the same horizon value. Nodes on the downlink ports cannot communicate with nodes on the other downlink ports. This eliminates broadcast storms, or Bonjour storms, or NBT master browser elections in Windows, etc. etc.
The clients can only communicate over the uplink router, which optimises, and e.g. sends an ICMP redirect to the clients: "don't use this way, you can go directly without me", which is actually not true.

How to find out? Name your connection A, your neighbour's on the same subnet B.
You probably can PING A from the internet. Idem ditto for B. Test it. If A cannot PING B, and B cannot PING A, then that direct communication is broken.
Well, you can check in A if you get a MAC address for B in the ARP table. You can try to send ARP requests (who has IP xxxxx?), or reverse ARP requests (what IP has yy:yy:yy:yy:yy:yy?).
If no ARP can be found, then direct communication is a problem. I would not be surprised. (Cable modem ISPs are all on the same cable, no problem there.)
You can sniff the WAN links for ICMP messages (redirects and others). Also then you could see broadcasts, and packets sent to A or B.
Let's hope there is no asymmetric flow (A->B is not the B->A path). Stateful inspection firewalls will not allow for this; they even randomise TCP packet numbers on the fly, which prevents session spoofing.

How to solve it.
As @sindy already suggested, try to get both routers with their addresses A and B to be in different subnets, at least for what A and B think the subnets are.
So give them a smaller subnet than the ISP subnet. A must see B in a different subnet, and will always use the uplink router. Idem ditto for B.
You may have to disable the DHCP client, and copy that information manually into the WAN interface of A and B. (Let's hope the gateway does not change IP addresses over time.)
You can also disable "accept-redirects (yes | no; Default: no) Whether to accept ICMP redirect messages." on A and B. But A and B must be in separate subnets, to use the gateway in the first attempt.

Proxy ARP on the gateway is in the hands of the ISP.
Static ARP in A and B, using the gateway MAC for the B and A IP addresses, is just trying to make A and B communication go over the gateway.

No luck? Quite possible.

Then the ICE (STUN and TURN) techniques may be required to reach each other. These techniques use a public IP server to initiate the connection, and gradually reduce the need for the IP server to be in the flow. STUN uses UDP hole punching to get through a firewall and resolve NAT. TURN will permanently use the cloud IP server. (And this works almost always.)
Providers known to me are "Zerotier" and "Hamachi Logmein". "Teamviewer" is similar, just as "GoToMyPC" and "VNC"; be it for defeating NAT and firewalls, their initial setup should work, until the explained 'network split' has to be crossed, where it will fail. There are alternatives… as software.

Maybe use traceroute to find the sequence of routing steps for A and for B. What is common? (probably all) Which steps work if they point to each other?
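An added example, not posted by anyone in this thread, that simulates the route lookup behind both suggested fixes: the connected /22 makes A ARP for B on the WAN port (which port isolation breaks), a /32 route via the gateway wins on prefix length regardless of distance, and a narrower WAN mask moves B out of the connected route. It goes one step further than the posts by checking that a narrowed mask still keeps the gateway reachable. The addresses (A 10.0.1.11/22, B 10.0.2.22, gateway 10.0.0.1) are the constructed ones from the illustration above; the table format is a loose imitation of /ip route print, not RouterOS's real implementation.

```python
import ipaddress

# Constructed addresses reusing the thread's illustration (RFC 1918 space):
# A = 10.0.1.11/22, B = 10.0.2.22, ISP gateway = 10.0.0.1 (the same for both).
B_HOST = "10.0.2.22"
GATEWAY = "10.0.0.1"
DIRECT = "direct"  # a connected route: ARP on the WAN port for the destination itself


def route(dst, gateway, distance):
    """One entry in the style of /ip route print (simplified, not RouterOS code)."""
    return {"dst": ipaddress.ip_network(dst), "gateway": gateway, "distance": distance}


def lookup(routes, dst):
    """Longest-prefix match: prefix length decides first, distance only breaks ties
    between equal prefixes, so a /32 at distance 1 beats the connected /22 at 0."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["dst"]]
    return max(matches, key=lambda r: (r["dst"].prefixlen, -r["distance"])) if matches else None


def next_hop(routes, dst):
    """Where A sends a packet for dst: DIRECT (ARP, which port isolation breaks),
    a gateway IP, or 'unreachable'."""
    r = lookup(routes, dst)
    return r["gateway"] if r else "unreachable"


def gateway_reachable(routes, gw):
    """A narrowed WAN mask only works if the gateway still lies in a connected route;
    otherwise the default route has no usable next hop."""
    r = lookup(routes, gw)
    return r is not None and r["gateway"] == DIRECT


# 1. What the DHCP client installs on A: connected /22 plus a default route.
dhcp_table = [route("10.0.0.0/22", DIRECT, 0), route("0.0.0.0/0", GATEWAY, 1)]
# 2. sindy's fix: an extra /32 route for B via the ISP gateway.
fix_host_route = dhcp_table + [route(B_HOST + "/32", GATEWAY, 1)]
# 3. Narrower mask: A as 10.0.1.11/23, so B is no longer "connected" but the gateway is.
fix_narrow_mask = [route("10.0.0.0/23", DIRECT, 0), route("0.0.0.0/0", GATEWAY, 1)]
# 3b. Too narrow: a /24 on A also excludes the gateway, so the default route dies.
bad_narrow_mask = [route("10.0.1.0/24", DIRECT, 0), route("0.0.0.0/0", GATEWAY, 1)]

if __name__ == "__main__":
    for name, table in [("dhcp", dhcp_table), ("/32 route", fix_host_route),
                        ("/23 mask", fix_narrow_mask), ("/24 mask", bad_narrow_mask)]:
        print(f"{name:9} A->B via {next_hop(table, B_HOST):11} "
              f"gateway reachable: {gateway_reachable(table, GATEWAY)}")
```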

Regarding the rest, I will find some time today to test as much of what you suggested as it is possible.