No internet on Mikrotik

Hi,

I have a bit of a problem. I don't have internet on the Mikrotik: I can't ping any site, but I have a lot of servers/laptops/bridges/2 ISPs… connected, and all of them can surf without any problem. How could I debug it? What info could I paste to check it?

Thanks.

So just to confirm from your post: your servers and devices can browse the internet from behind the Mikrotik router, but you cannot ping from the Mikrotik out to the internet?

Right. All servers and devices can browse without problem, but the MK can't.

Are you able to ping an IP address from the Mikrotik, i.e. 8.8.8.8?

No, I can't ping 8.8.8.8, and DNS resolution (e.g. google.com) doesn't work either.

Maybe I forgot a route? Here are my addresses and routes:

[admin@MK] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 192.168.10.2/24 192.168.10.0 A_XXX
1 192.168.200.1/24 192.168.200.0 lan_XXX
2 192.168.11.1/24 192.168.11.0 XXXX
3 192.168.12.2/24 192.168.12.0 A_XXX:2

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 192.168.10.1 1
1 A S 0.0.0.0/0 192.168.11.1 1
2 ADC 192.168.20.0/24 192.168.20.1 XXXX 0
3 ADC 192.168.11.0/24 192.168.11.2 A_XXX 0
4 ADC 192.168.12.0/24 192.168.12.2 A_XXX:2 0
5 A S 192.168.88.0/24 192.168.200.58 1
6 ADC 192.168.200.0/24 192.168.200.1 lan_XXX 0

Thanks.

Which is your WAN IP address? Do you have multiple WAN IPs?

I'm sorry for the late reply.
I have multiple WANs (subnets with different servers), but the main one is → 192.168.10.2/24 192.168.10.0 A_XXX

2 192.168.11.1/24 192.168.11.0 XXXX



1 A S 0.0.0.0/0 192.168.11.1 1

Thanks.

Your IP address number 2 and default route number 1 are the same address. This means you are pointing default traffic back at the router. Check this config.
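
An added example, not part of the original thread: a short Python check for the misconfiguration pointed out above (a default route whose gateway is one of the router's own addresses), extended to also flag gateways that sit on no connected subnet. The listings are constructed samples modelled on the output posted in this thread; the interface names and the 10.9.9.1 route are assumptions for illustration.

```python
import ipaddress
# Constructed samples modelled on the "/ip address print" and "/ip route print"
# output in this thread; interface names and route 2 are made up for illustration.
ADDRESSES = """\
0 192.168.10.2/24 192.168.10.0 wan_a
2 192.168.11.1/24 192.168.11.0 wan_b
"""
ROUTES = """\
0 A S 0.0.0.0/0 192.168.10.1 1
1 A S 0.0.0.0/0 192.168.11.1 1
2 A S 0.0.0.0/0 10.9.9.1 1
3 ADC 192.168.11.0/24 192.168.11.1 wan_b 0
"""

def parse_addresses(text):
    """Return an ip_interface for the first CIDR token on each row."""
    found = []
    for line in text.splitlines():
        cidr = next((t for t in line.split() if "/" in t), "")
        try:
            found.append(ipaddress.ip_interface(cidr))
        except ValueError:
            continue  # header, prompt or blank line
    return found

def parse_static_routes(text):
    """Return (number, destination, gateway) for rows flagged S (static)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        idx = next((i for i, t in enumerate(tok) if "/" in t), None)
        if idx is None or idx + 1 >= len(tok) or "S" not in "".join(tok[1:idx]):
            continue
        try:
            routes.append((tok[0], ipaddress.ip_network(tok[idx]),
                           ipaddress.ip_address(tok[idx + 1])))
        except ValueError:
            continue  # gateway given as an interface name, or not a route row
    return routes

def check_default_routes(addresses, routes):
    """Flag default routes whose gateway is the router itself or off-link."""
    findings, own = [], {a.ip for a in addresses}
    for num, dst, gw in routes:
        if dst.prefixlen == 0 and gw in own:
            findings.append((num, str(gw), "gateway is the router's own address"))
        elif dst.prefixlen == 0 and not any(gw in a.network for a in addresses):
            findings.append((num, str(gw), "gateway is not on any connected subnet"))
    return findings
```

Calling `check_default_routes(parse_addresses(ADDRESSES), parse_static_routes(ROUTES))` returns one finding per suspicious default route, keyed by the route number from the listing.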

Thanks, but I can’t solve it. Checking steps:

I changed default route to this:
1 A S 0.0.0.0/0 192.168.12.1 1

I have servers running under that route and they have connection without problem.

Perhaps I didn't specify which route the MK should take?

Can you post the updated output after the changes you made earlier?

print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 192.168.10.2/24 192.168.10.0 A_XXX
1 192.168.200.1/24 192.168.200.0 lan_XXX
2 192.168.11.1/24 192.168.11.0 YYY
3 192.168.12.2/24 192.168.12.0 A_XXX:2

And routes:

print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 192.168.10.1 1
1 A S 0.0.0.0/0 192.168.12.1 1
2 ADC 192.168.11.0/24 192.168.11.1 YYY 0
3 ADC 192.168.20.0/24 192.168.20.2 A_XXX 0
4 ADC 192.168.12.0/24 192.168.12.2 A_XXX:2 0
5 A S 192.168.88.0/24 192.168.200.58 1
6 ADC 192.168.200.0/24 192.168.200.1 lan_XXXX 0

Basically the connection A_XXX or XXX: 2 are WAN connections of different ISPs. LAN goes through one WAN and the servers exit through another WAN. The router has different configured routes and physical addresses assigned to the router.
How could I tell it to leave the router for a specific one?

Thank you

When running tests you can choose the out interface and the address the traffic is coming from, for instance for ping. PCC would allow you to set controls saying what traffic goes out which WAN.

I'm sorry dgnevans, but I don't understand you. Could you explain a bit more? Thanks.

If you would like to run a ping test to, say, 8.8.8.8 from your router: from within Winbox you can select the Advanced tab. Where Src address is, you can type in the WAN IP of the interface you would like to test from, and run the test.

When you have multiple WAN ports, you can send traffic out different WAN interfaces by either using srcnat and matching the traffic using the src address out a certain interface, or you can use PCC and set up your mangle rules.
Your original question was that your router cannot ping internet sites. Is this still the case?

Thanks. I tried it with all the WANs but no luck. I can't ping from any interface. On all of them I get a timeout; however, all computers connected to those interfaces can surf without problem.

Can you post your firewall rules?

I'm sorry for the delayed reply.

Here:

/ip firewall> export 
# apr/12/2017 09:17:57 by RouterOS 6.38.5
# software id = 8ZHH-KYXY
#
/ip firewall filter
add action=accept chain=forward dst-port=25 protocol=tcp src-address=192.168.11.X
add action=drop chain=forward dst-port=25 log=yes log-prefix="[SMTPOUT]" protocol=tcp src-address=192.168.200.0/24
add action=accept chain=forward dst-address=192.168.11.X dst-port=25 protocol=tcp
add action=log chain=forward comment="Cia malware check" dst-port=8291 log=yes log-prefix="[CIAMALWARE]" protocol=tcp src-address=0.0.0.0/0
add action=log chain=forward comment="CIA malware check" log=yes log-prefix="[CIAMALWARE]" protocol=tcp src-address=0.0.0.0/0 src-port=8291
/ip firewall mangle
add action=mark-routing chain=prerouting comment="switch lan -> wan1" in-interface=lan_bridge_switch new-routing-mark=wan1route passthrough=yes
add action=mark-routing chain=prerouting comment="servers -> wan2" in-interface=wan1_servers new-routing-mark=wan2route passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat

I am thinking it's probable that I forgot some rule, no? I get a timeout with all external IPs, but I can ping internal IPs.

Thanks again.

What amazes me the most is how you got so far (connected all your servers and devices to the router) without solving the problem with the router first???
The right path towards solving this mess is to disconnect everything from the router, leaving only a link to your provider.

Set the right IP on your WAN interface, set the default route and DNS server, and then try to ping the provider's GW first, some IP address on the internet second, and some URL third!

If you fail at the first step, you don't have connectivity.
If you fail at the second step, you are missing a default route.
If you fail at the third step, you have misconfigured your DNS server.

Only after you pass all three steps can you move forward towards connecting your local network to the router.

OK?

This is a bit messed up; somehow you got all local IPs except the MK to connect to the internet, hehe. Did the ISP give you static IPs? Where did you configure them? And satman is correct: I would start by unplugging everything from the router, resetting it to default and starting fresh. Connect only the ISP and configure the IP address and static route; another thing to do is masquerade your local traffic to the internet (srcnat, using the connected ISP interface as your out interface).


Thank you all. I will try to debug it by unplugging devices… it's hard because we have many of them, but I will try.

I am missing a route I think.