Only one direction PING possible

Hello
I’m new to the Mikrotik world, and I hope I can get some help/advice here.
I managed to set up a basic LAN and WiFi network to cover a multi-storey building.
WWW access over LAN and WiFi is working on each of the routers… at least I managed to get the basic things done in a couple of days.
I have the problem that I cannot access any device, nor PING a router or device, from the direction of the main router:
Please check the attached image.
Router_3 (192.168.3.1):
I can ping any client in that router (LAN or WiFi). Also Router_2, Main Router and ISP router and 8.8.8.8 - seems all OK.
Router_2 (192.168.2.1):
I can ping any client in that router (LAN or WiFi). Also Main Router and ISP router and 8.8.8.8 - seems all OK.
I cannot PING Router_3 or any of its clients.
Main Router (192.168.1.1):
I can ping any client in that router (LAN or WiFi). Also ISP router and 8.8.8.8 - seems all OK.
I cannot PING Router_2 nor Router_3 or any of their clients.
When I check with the traceroute tool on the Main Router, it shows that when I PING Router_2 or Router_3 it sends the PING to host 192.168.0.1?

Config for main router:

# 2024-11-24 16:27:26 by RouterOS 7.16.1
# software id = 0EM7-QDKF
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HF8096CZQ1W
/interface bridge
add name=LAN-Bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec1
/interface wifi configuration
add country=Slovenia disabled=no name=cfg1 security=sec1 ssid=Home-WiFi
add country=Slovenia disabled=no name=cfg2 security=sec1 ssid=Home-Wifi_5G
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg1 configuration.mode=ap \
    disabled=no name=wifi1_5G security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] configuration=cfg1 configuration.mode=ap \
    disabled=no name=wifi2_2G security.authentication-types=wpa2-psk
/ip pool
add name=DHCP_Pool_AX3 ranges=192.168.1.50-192.168.1.254
/ip dhcp-server
add address-pool=DHCP_Pool_AX3 interface=LAN-Bridge lease-time=1d name=\
    LAN-DHCP
/interface bridge port
add bridge=LAN-Bridge interface=ether3
add bridge=LAN-Bridge interface=ether4
add bridge=LAN-Bridge interface=ether5
add bridge=LAN-Bridge interface=ether2-LAN
add bridge=LAN-Bridge interface=wifi1_5G
add bridge=LAN-Bridge interface=wifi2_2G
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
    none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1
/ip address
add address=192.168.1.1/24 interface=LAN-Bridge network=192.168.1.0
add address=192.168.0.3/24 interface=ether1-WAN network=192.168.0.0
/ip dhcp-server lease
add address=192.168.1.49 client-id=1:9c:93:4e:41:62:7 mac-address=\
    9C:93:4E:41:62:07 server=LAN-DHCP
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=ax3_LivingRoom
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes
/system ntp client servers
add address=si.pool.ntp.org
add address=pool.ntp.org

image_2024-11-24_161618621.png

I’m not sure if I understand correctly.
The ISP gave me a cable modem, which I need for the physical connection to the coax cable carrying the signal.
The ISP modem is made by Ubee - what mode should I put it in?
So the hAP ax3 should become the default gateway - how do I do that, and how do I route it to the other routers and the cable modem?

Can I get a bit more detail?

Very likely in routers 3 and 2 you have a route for 0.0.0.0/0 pointing “upstream”.

And of course in main router you have a route for 0.0.0.0/0 pointing to the ISP router:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

If (still on the main router) you run

/ip route print

you will see the above route to 192.168.0.1 marked as As (Active Static) and you should have a Dynamic route (automatically added by the RoS) marked as DAc (Dynamic Active connected) for 192.168.1.0/24 (it comes from the IP address you have on the bridge).

Now, when you try pinging router 2 at address 192.168.2.1 or router 3 at address 192.168.3.1 which route should be taken?
Not the one on the LAN side, that is only for 192.168.1.x addresses, so it takes the “catch all” one, the 0.0.0.0/0 one pointing to the ISP router at 192.168.0.1.

Check also the output of /ip route print on routers 2 and 3, but likely you have only a static “upstream” route and a dynamic one from bridge address.

Study this very basic example:
https://wiki.mikrotik.com/Manual:Simple_Static_Routing

I still have a problem - or, more precisely, a lack of knowledge and understanding.
Could you write me which ip route I should add or change to make “downstream” pinging possible - for example from Router 2 to Router 3 (then I can figure it out for Router 1 also).
The WAN and LAN-bridge confuse me…
I tried several times - but the outcome was that I needed to do a factory reset, since the router became inaccessible after my modifications…

Here are the /ip route print:

Router 1 (192.168.1.1)

#     DST-ADDRESS     GATEWAY      DISTANCE
0  As 0.0.0.0/0       192.168.1.1         1
  DAc 192.168.1.0/24  ether1-WAN          0
  DAc 192.168.2.0/24  LAN-Bridge          0

Router 2 (192.168.2.1)

    DST-ADDRESS     GATEWAY      DISTANCE
0  As 0.0.0.0/0       192.168.2.1         1
  DAc 192.168.2.0/24  ether1-WAN          0
  DAc 192.168.3.0/24  LAN-Bridge          0

Router 3 (192.168.3.1)

Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS     GATEWAY      DISTANCE
0  As 0.0.0.0/0       192.168.0.1         1
  DAc 192.168.0.0/24  ether1-WAN          0
  DAc 192.168.1.0/24  LAN-Bridge          0

You need to decide what is the purpose of AX2 devices.

The Ax3 will be your MAIN router terminating the ISP connection (you get a public IP) and create private subnets behind the router.
If you use the AX2 devices you will end up with double, triple NAT etc., and unless needed for a specific reason that should be avoided.

I would create all the subnets/vlans on the AX3 and simply use the AX2 devices as AP/Switches; it minimizes complexity and is flexible.

So you need a plan.
What connectivity do you need at each device?
vlan - for guests ( maybe two diff sets of guests ( one for kids, one for adults etc.))
vlan - for media / iot devices
vlan - for home wifi

Do you need a separate vlan for management purpose? or just use the home vlan as the trusted vlan ( this is the vlan where all the smart devices

Vlan guide ----> http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

+++++++++++++++++++++++++++++++++++++++++++++++

vlan filtering can be made simple if you do the configuration from a safe spot…

Set one port off bridge, like ether5
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0

and add interface=OffBridge5 to LAN interface list.

On the PC, plug into port 5 and change the IPv4 settings to 192.168.77.2 and you should be in!!

I’m a rookie in the field of networking… so things are not optimally configured, I know that.
I have 3 routers to cover the upper floor (AX3) + lower floor (AX2) and garage/workshop (AX2). All three are covering their area with wired and wireless devices.
Currently all devices have Internet access and CAPsMAN is driving the whole area with the same SSID - which is what I desire.

It will take me some time to understand and create a good/recommended topology - but there will be enough time to play with that in a month or so during long winter evenings…

But at this point it would be sufficient if I can access/ping routers/devices also “downstream” not just “upstream”.
I need a hint how to adjust ip routing to work also in “downstream” for current setup.

You must have somehow mixed the printout.

Let’s start with the main router (the one you posted the configuration on first post) you have on it two IP addresses assigned:

/ip address
add address=192.168.1.1/24 interface=LAN-Bridge network=192.168.1.0
add address=192.168.0.3/24 interface=ether1-WAN network=192.168.0.0

These two addresses create automagically two dynamic routes, one for network 192.168.1.0/24 (on LAN-Bridge) and one for network 192.168.0.0/24 (on ether1).
Then you have a static route:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

The result when you print the routes is the one that you posted as router3:

Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS     GATEWAY      DISTANCE
0  As 0.0.0.0/0       192.168.0.1         1
  DAc 192.168.0.0/24  ether1-WAN          0
  DAc 192.168.1.0/24  LAN-Bridge          0

The above is all the router knows:

When you ping the ISP router you ping 192.168.0.1, imagine (it is not what really happens, only for the sake of explanation) that the above three lines are read in reversed order (from the bottom up), and that they are equivalent to people standing on road corners and you are traveling along the main road:
You ask the first guy: Hey, is this the road to 192.168.0.1?
And he replies: No, I don’t know that place, try the next crossroad.
You get to the second corner and ask: Hey, is this the road to 192.168.0.1?
And the reply is: Yes, turn here on the right.

When you ping 8.8.8.8:
You ask the first guy: Hey, is this the road to 8.8.8.8?
And he replies: No, I don’t know that place, try the next crossroad.
You get to the second corner and ask: Hey, is this the road to 8.8.8.8?
And the reply is: No, I don’t know that place, try the next crossroad.
You get to the third corner and ask: Hey, is this the road to 8.8.8.8?
And the reply is: Yes, this road goes first to 192.168.0.1 and from there you can go anywhere.

When you ping the second router, 192.168.2.1:
You ask the first guy: Hey, is this the road to 192.168.2.1?
And he replies: No, I don’t know that place, try the next crossroad.
You get to the second corner and ask: Hey, is this the road to 192.168.2.1?
And the reply is: No, I don’t know that place, try the next crossroad.
You get to the third corner and ask: Hey, is this the road to 192.168.2.1?
And the reply is: Yes, this road goes first to 192.168.0.1 and from there you can go anywhere.
This latter guy is sending you to the ISP router because he believes, in good faith, that if you arrived there, there is no direct road leading to 192.168.2.1, and he was taught that through the ISP router you can arrive “anywhere” (0.0.0.0/0).

So you need a road leading to 192.168.2.1.

Try (as an experiment only) to add an address:

/ip address
add address=192.168.2.254/24 interface=LAN-Bridge network=192.168.2.0

You need to understand the basics of how routes work, essentially they “catch” the address you want to reach, and there is a “catch all” route at the end (the 0.0.0.0/0).

See, as said, this example, it basically explains the mechanism:
https://wiki.mikrotik.com/Manual:Simple_Static_Routing

This said, it would make much more sense (unless there are particular needs/exigencies) to have only one device (the Ax3) set as router, as anav said, with:
Wan 192.168.0.2/24
Lan-bridge 192.168.1.1/24

Router 2 (the leftmost Ax2) set as switch (all ports into a bridge) with:
Lan-Bridge 192.168.1.2/24

Router 3 (the rightmost Ax2) set as switch (all ports into a bridge) with:
Lan-Bridge 192.168.1.3/24

All your other devices will connect as members of the 192.168.1.0/24 network, so you have 254-3=251 ip addresses available, that should be more than enough.


If you don’t really need all ports on each router, it would be a good idea to take a port out of the bridge on each device, let’s say ether5, and assign to it the addresses 192.168.88.1, 192.168.88.2, 192.168.88.3 and configure it independently, so that you have an access port to which you can connect a laptop in case of need while you are testing various configurations (it is relatively easy to manage to lock yourself out when changing settings the first few times, particularly when attempting to implement segmentation/separation using vlans).
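
The route selection walked through in the two replies above (the 0.0.0.0/0 "catch all" and the road-corner analogy), as an added example that is not part of the original thread: a longest-prefix-match lookup over the main router's three routes, then again with the connected route that the experimental 192.168.2.254/24 address would create. The function names are illustrative, and breaking ties on distance is a simplification of what RouterOS does.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    dst: ipaddress.IPv4Network
    gateway: str      # next-hop IP, or interface name for connected routes
    distance: int

def route(dst: str, gateway: str, distance: int) -> Route:
    return Route(ipaddress.ip_network(dst), gateway, distance)

# Main router's table, copied from the /ip route print output in the thread.
MAIN_ROUTER = [
    route("0.0.0.0/0", "192.168.0.1", 1),
    route("192.168.0.0/24", "ether1-WAN", 0),
    route("192.168.1.0/24", "LAN-Bridge", 0),
]

# Connected route assumed to appear once 192.168.2.254/24 is added on
# LAN-Bridge (the experiment suggested in the thread).
EXPERIMENT = MAIN_ROUTER + [route("192.168.2.0/24", "LAN-Bridge", 0)]

def lookup(table, target: str) -> Optional[Route]:
    """Most specific matching route wins; lower distance breaks ties."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in table if addr in r.dst]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.dst.prefixlen, -r.distance))

def next_hop(table, target: str) -> Optional[str]:
    chosen = lookup(table, target)
    return chosen.gateway if chosen else None

def falls_to_default(table, subnets):
    """Subnets whose traffic is only caught by the 0.0.0.0/0 route."""
    caught = []
    for s in subnets:
        first_host = str(ipaddress.ip_network(s)[1])
        chosen = lookup(table, first_host)
        if chosen is not None and chosen.dst.prefixlen == 0:
            caught.append(s)
    return caught

if __name__ == "__main__":
    for name, table in (("as posted", MAIN_ROUTER), ("experiment", EXPERIMENT)):
        for target in ("192.168.0.1", "8.8.8.8", "192.168.2.1", "192.168.3.1"):
            print(f"{name:10} {target:12} -> {next_hop(table, target)}")
```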