Niche DHCP setup, Internet can ping clients, Clients cannot ping internet

I have quite the interesting setup. I'm working on a test lab to provide /32 internet-accessible DHCP leases via a RADIUS server. Everything works except that the client (a Windows 10 machine) is unable to ping the internet.

This test lab's goal is to demonstrate the possibility of replacing our current PPPoE network with DHCP-assigned /32s in order to ease setup difficulties for our customers.

The lease provided is (for example) 91.xxx.xxx.231/32 with a default gateway of 91.xxx.xxx.228. An address on the DHCP router is made with 91.xxx.xxx.228/32 as the IP and 91.xxx.xxx.231 as its network address (the same PtP settings PPPoE uses). This makes our entire network, including the internet, able to ping the host. For the reverse, the client is solely able to ping the gateway (including IPs on the DHCP router's other interfaces, including loopback). It is not able to ping beyond this.

I've run Wireshark with the internet pinging the client, and with the client pinging the internet. Results as follows:

Client pinging internet:

As you can see the ping request is sent but no response is received.

However things get interesting in the following test, namely:

Internet pinging client

As you can see, a ping request is received and the machine sends a response back, which is received by the test tool I used (https://tools.keycdn.com/ping).

The DHCP router used is a Mikrotik RB3011. The given leases are statically routed to this machine within our network so as to exclude a dynamic routing issue.

Worth mentioning: there is no firewall set up; it's all routed. (No NATting either; all IPs are public.)

Configuration: RouterOS 7.1 (stable)
Config truncated to the relevant lines

/ip dhcp-server
# DHCP server on the customer-facing port; leases come from RADIUS (use-radius=yes)
add add-arp=yes interface=ether2 name=CST000001 use-radius=yes
/ip dhcp-server network
# /32 leases with a point-to-point gateway
add dns-server=1.1.1.1,1.0.0.1 gateway=91.xxx.xxx.228 netmask=32 ntp-server=162.159.200.1,213.239.154.12
/radius
add address=46.xxx.xxx.238 service=ppp,dhcp src-address=91.xxx.xxx.226
/ip address
# PPPoE-style PtP address: router side .228/32, "network" set to the client's .231
add address=91.xxx.xxx.228/32 interface=ether2 network=91.xxx.xxx.231
# Uplink towards the rest of our network
add address=91.xxx.xxx.226/30 interface=ether1 network=91.xxx.xxx.224
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=91.xxx.xxx.225 scope=30 suppress-hw-offload=no target-scope=10

The RADIUS server has a user for the MAC address I test with; it hands out the 91.xxx.xxx.231/32 IP.

Could anyone give some pointers?

Are you sure there's no firewall on the router that would be blocking outgoing connections from the host?

I never tried it with DHCP, only with a static config, but Windows (since Vista) supports point-to-point just fine. If you can ping the host from anywhere, and there's no NAT, then outgoing routing from the host must be OK. The same goes for the host pinging the router's addresses other than the gateway: it means that the host correctly uses the default gateway. And the only difference between these addresses and any random internet address is that the router's go to chain=input and the others to chain=forward.
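To see concretely where the input/forward split mentioned above bites, here is a set of RouterOS diagnostic commands as an added example (this is not from either poster or from the original config). It uses the thread's placeholder addresses; the rule comments and the counting rules themselves are assumptions added here purely for measurement, and the final line removes them again.

```routeros
# Added example: count traffic to and from the /32 lease in each firewall chain,
# so you can see in which chain packets stop. Addresses are the thread's placeholders.
/ip firewall filter
add chain=input action=passthrough src-address=91.xxx.xxx.231 \
    comment="count client -> router itself (pings to the gateway land here)"
add chain=forward action=passthrough src-address=91.xxx.xxx.231 \
    comment="count client -> internet (echo requests leaving via ether1)"
add chain=forward action=passthrough dst-address=91.xxx.xxx.231 \
    comment="count internet -> client (echo replies coming back in via ether1)"

# Ping from the client, then from the internet, and compare the per-rule counters
/ip firewall filter print stats

# Confirm the router has a host route for the lease on ether2 and an ARP entry for it
/ip route print detail where dst-address=91.xxx.xxx.231/32
/ip arp print where address=91.xxx.xxx.231

# Capture on the uplink and on the client port to see whether a reply arrives
# on ether1 and whether it then leaves on ether2
/tool sniffer quick interface=ether1 ip-address=91.xxx.xxx.231
/tool sniffer quick interface=ether2 ip-address=91.xxx.xxx.231

# Remove the counting rules when done
/ip firewall filter remove [find comment~"^count "]
```

The passthrough action only increments the counter and continues to the next rule, so these rules change nothing about what is accepted or dropped. A reply that is counted in the forward chain but never shows up in the ether2 capture points at routing or ARP on the client side; a reply that never reaches the forward counter points at something before it, such as a mangle or NAT rule or the uplink side.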

I did a torch on the DHCP router on its "internet" interface. It does appear to receive responses back; it's just not passing them on to the client. Next week I can set up a monitoring port to verify with Wireshark, but torch says tx 1 packet, rx 1 packet for the ICMP packet.

This is the output from /ip/firewall/export. I use this router for multiple tests; it also contains a CGNAT configuration, but all the jumps are disabled. This is just the redundant CGNAT setup I came up with. It only affects traffic in the private IP space reserved for CGNAT.

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=cgnat passthrough=yes src-address=100.64.0.0/10
/ip firewall nat
add action=jump chain=srcnat disabled=yes jump-target=CGNAT-CGNAT-A00 src-address=100.100.0.0/24
…snip you get the gist…
add action=jump chain=srcnat disabled=yes jump-target=CGNAT-CGNAT-A31 src-address=100.100.31.0/24
– All netmaps in chain CGNAT stripped because they contain our IP ranges.