PING within same network not working, but arp does

Hello people,
I have the following configuration:

# jan/26/2016 09:11:19 by RouterOS 6.29.1
# software id = U7MF-PNSQ
#
/interface bridge
add name=LAN-WAN-bridge
add name=LAN-bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-UPLINK
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN
set [ find default-name=ether8 ] name=ether8-LAN
set [ find default-name=ether9 ] name=ether9-LAN
set [ find default-name=ether10 ] name=ether10-LAN-WAN
set [ find default-name=ether11 ] name=ether11-LAN-WAN
set [ find default-name=ether12 ] name=ether12-LAN-WAN
/ip firewall layer7-protocol
add name=Facebook regexp="^.+(facebook.com).*\$"
/ip pool
add name=lan ranges=192.168.1.10-192.168.1.254
add name=lan-wan ranges=a.b.c.90-a.b.c.94
/ip dhcp-server
add address-pool=lan bootp-lease-time=lease-time bootp-support=dynamic \
    disabled=no interface=LAN-bridge name=lan
add address-pool=lan-wan bootp-lease-time=lease-time bootp-support=dynamic \
    disabled=no interface=LAN-WAN-bridge name=lan-wan
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] name=default-encryption
/interface bridge port
add bridge=LAN-bridge interface=ether2-LAN
add bridge=LAN-bridge interface=ether3-LAN
add bridge=LAN-bridge interface=ether4-LAN
add bridge=LAN-bridge interface=ether5-LAN
add bridge=LAN-bridge interface=ether6-LAN
add bridge=LAN-bridge interface=ether7-LAN
add bridge=LAN-WAN-bridge interface=ether10-LAN-WAN
add bridge=LAN-WAN-bridge interface=ether11-LAN-WAN
add bridge=LAN-WAN-bridge interface=ether12-LAN-WAN
/ip address
add address=x.y.z.21/24 comment="default configuration" interface=\
    ether1-UPLINK network=x.y.z.0
add address=192.168.1.1/24 interface=LAN-bridge network=192.168.1.0
add address=a.b.c.89/29 interface=LAN-WAN-bridge network=a.b.c.88
/ip dhcp-server network
add address=a.b.c.88/29 dns-server=8.8.8.8,8.8.4.4 gateway=a.b.c.89 \
    netmask=29
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 \
    netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add chain=forward comment="Internal - allow" connection-state=established
add chain=forward comment="Internal - allow" connection-state=related
add chain=input comment="default configuration" protocol=icmp
add chain=forward dst-address=a.b.c.88/29 protocol=icmp src-address=\
    0.0.0.0/0
add chain=input dst-address=a.b.c.88/29 protocol=tcp src-address=\
    0.0.0.0/0
add chain=forward dst-address=a.b.c.88/29 protocol=tcp src-address=\
    0.0.0.0/0
add chain=output protocol=tcp src-address=a.b.c.88/29
/ip firewall mangle
add action=passthrough chain=prerouting dst-address=a.b.c.88/29
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-UPLINK src-address=\
    !a.b.c.88/29
/ip route
add distance=1 gateway=ether1-UPLINK
add distance=1 dst-address=a.b.c.88/29 gateway=LAN-WAN-bridge
/ip route rule
add dst-address=0.0.0.0/0 interface=ether1-UPLINK routing-mark=main \
    src-address=a.b.c.88/29 table=main
add dst-address=a.b.c.88/29 interface=LAN-WAN-bridge routing-mark=main \
    src-address=0.0.0.0/0 table=main
/system clock
set time-zone-name=Europe/Bucharest
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR protected-routerboot=\
    disabled
/tool romon port
add disabled=no

I have a public subnet a.b.c.88/29 and I connect through x.y.z.21.
I can access the internet from both public subnet and private subnet. I can ping all the gateways from outside.

The problems are the following:

  1. I can’t access a.b.c.90-a.b.c.94
  • from the same LAN I can ping the gateway
  • I can’t ping other clients (I can’t even ping my client’s IP from the router - same interface)
  • ARP ping is working
  • arp -a shows only the local gateway (bridge’s gateway) - tested on Ubuntu
  • IP is shown in “IP > ARP”

P.S. The router has RouterOS 6.29.1

Can anyone help me in solving this problem? I have already googled for hours but no relevant results were found.
Cheers.

Sorry for bumping.

Does anyone have any idea?

Thank you.

You have the beginnings of some policy route statements in there, but they appear to be unused.
I recommend removing the route rules and the mangle rules.
The router will already forward packets to the correct interface for locally connected IP ranges.
(the static route: /ip route add distance=1 dst-address=a.b.c.88/29 gateway=LAN-WAN-bridge is also redundant and I’d remove it for the sake of tidiness)

Other cleanup:
/ip route add distance=1 gateway=ether1-UPLINK

change the gateway to be the IP of the default GW router on the ISP side. Right now, you’re lucky that the ISP is doing proxy-arp for you. Look in your ARP cache and you’ll see every public IP that has been visited recently. Whoops.

As far as the firewall rules - did you remove any rules while sanitizing the private information? The rules you posted won’t block anything at all because there aren’t any deny rules anywhere. Also - there’s no need to specify src-address=0.0.0.0/0 - just remove the src-address criteria entirely. It’s faster not to check this than it is to check it and allow a match against everything…

The nat rule is perfectly crafted, by the way. :wink:

If these are truly all of your firewall rules, then you should be able to get back and forth between LAN-WAN and LAN all day long.
I suspect that the policy routing rules might be what’s getting you.

Also - make sure that the ethernet interfaces aren’t members of a switch group (if your device supports hardware switching)
/int ethernet set {X} master-port=none

Thanks for reply.
My new settings are:

# jan/26/2016 22:08:43 by RouterOS 6.33.5
# software id = U7MF-PNSQ
#
/interface bridge
add name=LAN-WAN-bridge
add name=LAN-bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-UPLINK
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN
set [ find default-name=ether8 ] name=ether8-LAN
set [ find default-name=ether9 ] name=ether9-LAN
set [ find default-name=ether10 ] name=ether10-LAN-WAN
set [ find default-name=ether11 ] name=ether11-LAN-WAN
set [ find default-name=ether12 ] name=ether12-LAN-WAN
/ip firewall layer7-protocol
add name=Facebook regexp="^.+(facebook.com).*\$"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=lan ranges=192.168.1.10-192.168.1.254
add name=lan-wan ranges=a.b.c.90-a.b.c.94
/ip dhcp-server
add address-pool=lan bootp-lease-time=lease-time bootp-support=dynamic \
    disabled=no interface=LAN-bridge name=lan
add address-pool=lan-wan bootp-lease-time=lease-time bootp-support=dynamic \
    disabled=no interface=LAN-WAN-bridge name=lan-wan
/interface bridge port
add bridge=LAN-bridge interface=ether2-LAN
add bridge=LAN-bridge interface=ether3-LAN
add bridge=LAN-bridge interface=ether4-LAN
add bridge=LAN-bridge interface=ether5-LAN
add bridge=LAN-bridge interface=ether6-LAN
add bridge=LAN-bridge interface=ether7-LAN
add bridge=LAN-WAN-bridge interface=ether10-LAN-WAN
add bridge=LAN-WAN-bridge interface=ether11-LAN-WAN
add bridge=LAN-WAN-bridge interface=ether12-LAN-WAN
/ip settings
set route-cache=no
/ip address
add address=x.y.z.21/24 comment="default configuration" interface=\
    ether1-UPLINK network=x.y.z.0
add address=192.168.1.1/24 interface=LAN-bridge network=192.168.1.0
add address=a.b.c.89/29 interface=LAN-WAN-bridge network=a.b.c.88
/ip dhcp-server network
add address=a.b.c.88/29 dns-server=8.8.8.8,8.8.4.4 gateway=a.b.c.89 \
    netmask=29
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 \
    netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input src-address=198.11.247.46
add chain=forward comment="Internal - allow" connection-state=\
    established,related in-interface=LAN-WAN-bridge log=yes protocol=icmp
add chain=input comment="default configuration" in-interface=LAN-WAN-bridge \
    log=yes protocol=icmp
add chain=output log=yes out-interface=LAN-WAN-bridge protocol=icmp
add chain=forward dst-address=a.b.c.88/29 protocol=icmp
add chain=input dst-address=a.b.c.88/29 protocol=tcp
add chain=forward dst-address=a.b.c.88/29 protocol=tcp
add chain=output protocol=tcp src-address=a.b.c.88/29
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-UPLINK src-address=\
    !a.b.c.88/29
/ip route
add check-gateway=ping distance=1 gateway=x.y.z.1
/ip route rule
add disabled=yes dst-address=0.0.0.0/0 interface=ether1-UPLINK routing-mark=\
    main src-address=a.b.c.88/29 table=main
add disabled=yes dst-address=a.b.c.88/29 interface=*11 routing-mark=main \
    src-address=0.0.0.0/0 table=main

Since my last post, I even updated to v6.33.5, I saw that there were ARP fixes but sadly internal ping still doesn’t work :frowning: .

I can not really figure out why it still doesn’t work. I even tried to set up a switch between ports, but no switch chip is available on the CCR1036-12G-4S.

Again - your firewall doesn’t block anything…

But, for the rules you do have:

This:
add chain=forward comment="Internal - allow" connection-state=\
    established,related in-interface=LAN-WAN-bridge log=yes protocol=icmp

Should be this:
add chain=forward comment="Internal - allow" connection-state=established,related

This is an all-purpose rule that should pretty much be the first rule in input and in forward chains, except for any blacklist rules.

It means - “if it’s already been allowed, then continue allowing it.”
This speeds up your performance and simplifies your firewall configuration.
Any rules in the same chain after this rule will automatically be in the state=new or the state=invalid.

So - after that, you want to allow the “permissible” things based on IP, interface, protocol, etc… and finally, a rule that drops everything else by default.

I think your understanding of the chains themselves is a bit unclear (which is common).
INPUT = talking to the router itself. This doesn’t mean “as you receive a packet on an interface” - it means “a packet that is talking to the mikrotik itself.” In other networking terminology, this could be phrased as “packets bound to the control plane of the device.”
OUTPUT = from the router CPU itself - the reverse direction of INPUT. This chain is a firewall on what the Mikrotik itself is allowed to go out and do.
FORWARD = all traffic going THROUGH the router. If you want to block ingress packets that will go through the router, then specify in-interface=x. If you want to block packets as they’re being sent out an interface, having been forwarded through the router, then use out-interface=x.

So your current output chain, for instance, means this:
Allow icmp from me to anything on the LAN-WAN bridge, regardless of source or destination IP
Allow me to send TCP packets whose source IP falls in the range a.b.c.88-a.b.c.95.
–Allow everything that has not applied to one of these two conditions

This second rule is definitely not what you want because it would mute your Mikrotik except for connections from its LAN-WAN interface…
But I think you were considering OUTPUT to mean the same thing as EGRESS - like “ip access-group MyFilter out” in a Cisco context…

Try erasing your rules and use this simple firewall rule set:

/ip firewall filter
add chain=input connection-state=established,related
add chain=input protocol=icmp
add chain=input in-interface=!ether1-UPLINK
add chain=input action=drop
add chain=forward connection-state=established,related
add chain=forward protocol=icmp
add chain=forward in-interface=!ether1-UPLINK
add chain=forward action=drop

/ip firewall nat
add chain=srcnat out-interface=ether1-UPLINK src-address=!a.b.c.88/29 action=masquerade

A helpful hint while working on firewall rules is to use the chain view filter - a drop-down selector at the top-right. I use it all the time and it really helps to only see the forward chain rules while looking at my forward chain, for instance.

If you still cannot get LAN-WAN hosts to talk to LAN hosts, then it’s the firewall settings on the hosts themselves.

Finally, many people like to specify IP addresses along with the interfaces… I prefer to use strict RPF checking instead because this stops packet spoofing automatically, and you don’t need to add IP address checks to rules that only really care about security policy based on interface.

/ip settings set rp-filter=strict
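To make the first-match and implicit-accept behaviour described in this reply concrete, here is an added Python simulator (not code from the thread or from RouterOS) that evaluates a small rule list against constructed packets. The addresses are TEST-NET placeholders standing in for the sanitized x.y.z / a.b.c values, and the matcher subset (protocol, connection-state, in-interface, dst-address) is only what the thread’s rules use.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's sanitized addresses: 203.0.113.21 plays x.y.z.21
# (ether1-UPLINK), 198.51.100.88/29 plays a.b.c.88/29, 192.0.2.7 is some internet host.
ROUTER_ADDRS = {"203.0.113.21", "192.168.1.1", "198.51.100.89"}

Packet = namedtuple("Packet", "src dst protocol in_iface state")  # state: new/established/related

def rule(chain, action="accept", **match):
    """One filter rule: chain, action (RouterOS defaults to accept) and its matchers."""
    return {"chain": chain, "action": action, **match}

def chain_for(pkt):
    """input = addressed to the router, output = sent by it, forward = going through it."""
    if pkt.dst in ROUTER_ADDRS:
        return "input"
    return "output" if pkt.src in ROUTER_ADDRS else "forward"

def matches(r, pkt):
    if r.get("protocol") and r["protocol"] != pkt.protocol:
        return False
    if r.get("connection_state") and pkt.state not in r["connection_state"]:
        return False
    if r.get("in_interface"):                      # a leading "!" negates, as in RouterOS
        negate = r["in_interface"].startswith("!")
        if (pkt.in_iface == r["in_interface"].lstrip("!")) == negate:
            return False
    if r.get("dst_address") and ip_address(pkt.dst) not in ip_network(r["dst_address"]):
        return False
    return True

def verdict(rules, pkt):
    """First match in the packet's chain decides; no match falls through to RouterOS's implicit accept."""
    chain = chain_for(pkt)
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            return r["action"]
    return "accept"

# Simplified original forward chain (accept-only, so it blocks nothing) next to the
# suggested set: established/related, ICMP and non-uplink traffic allowed, then drop.
ORIGINAL = [rule("forward", connection_state={"established", "related"}),
            rule("forward", protocol="tcp", dst_address="198.51.100.88/29")]
PROPOSED = [r for c in ("input", "forward") for r in (
    rule(c, connection_state={"established", "related"}), rule(c, protocol="icmp"),
    rule(c, in_interface="!ether1-UPLINK"), rule(c, action="drop"))]
INTERNET_NEW = Packet("192.0.2.7", "192.168.1.50", "tcp", "ether1-UPLINK", "new")
LAN_TO_PUBLIC = Packet("192.168.1.50", "198.51.100.90", "tcp", "LAN-bridge", "new")
REPLY_IN = Packet("192.0.2.7", "192.168.1.50", "tcp", "ether1-UPLINK", "established")
```

With ORIGINAL, a brand-new TCP connection arriving from the uplink is accepted by fall-through; with PROPOSED it hits the final drop, while LAN-to-public and established replies still pass.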

Duh :( dumb me, I’ve forgotten the exclamation mark and blocked myself out of the router… I’ll test it tomorrow when I get to the office…

Thank you… Hope it’ll work.

Whoops. Good luck!

Sadly, still not working :frowning:. I’ve even tried to mac-ping from the same bridge and from the same ether port but no results.

This sounds like client-to-client isolation, or the firewalls running on the hosts themselves.

For the Mikrotik side -
Check the switch configuration to make sure it doesn’t have anything unusual (if your RB supports hardware switching)
Make sure the bridge ports don’t have a horizon value set.
Make sure the bridge filters don’t have any rules defined.

For the clients - make sure they’re not aggressively blocking new connections from the world.

Thank you for your support.

I’ve added admin MAC on the bridges.

A few hours later, after some leases expired, I was able to ping one PC from another.
A few retries to ping the IP from the gateway were successful. After that I rebooted the router and everything works fine.
It seems like voodoo, but I really think that adding a MAC to the bridges was the real solution.

Hmm - didn’t think of that because it usually will create a MAC address dynamically without you needing to specify one.

Glad you got it figured out - and at least your firewall rules are nice and tidy now. :slight_smile:

Yes they are… I was trying anything… those would not be my production rules :). But thanks to you, I found out that I could break the logic with all the in and forward rules at random positions.

When you say you added the “Admin MAC” to the bridge, what MAC did you use?
I’m having a very similar issue but my bridges already have an admin MAC populated and I’m wondering if I should use something different…

Pretty much anything you specify will work, but there are some considerations you want to follow if you want to be “standards-compliant”

If the 7th bit of the first octet is 1, then this means the MAC is “locally administered, i.e. made up by the admin and not assigned as a burned-in address.”
So if the first octet of the MAC address ends in 2, 3, 6, 7, a, b, e, or f, then this will mean the MAC is locally administered, and shouldn’t conflict with any normal MAC address found in ethernet devices.
Furthermore, the 8th bit should be zero, so don’t use odd-numbered values there - because those denote “multicast address”

So 02-xx-xx-xx-xx-xx should be valid and more or less unique.
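As an added illustration (not from the thread), this Python snippet checks the two bits the reply describes on any MAC string and derives a usable admin MAC from arbitrary bytes. The “ends in 2, 3, 6, 7, a, b, e, f” rule is exactly the 0x02 (locally administered) bit of the first octet being set while the 0x01 (multicast) bit is clear.

```python
def parse_mac(text):
    """Accept 02-xx-..., 02:xx:... or 02xx... forms and return the six octets as ints."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]

def classify(mac):
    """Report the two flag bits of the first octet (IEEE 802 U/L and I/G bits)."""
    first = parse_mac(mac)[0]
    return {
        "locally_administered": bool(first & 0x02),  # U/L bit: 1 = made up by the admin
        "multicast": bool(first & 0x01),             # I/G bit: 1 = group address, never usable
    }

def is_valid_admin_mac(mac):
    """Usable as a bridge admin MAC: locally administered and unicast."""
    c = classify(mac)
    return c["locally_administered"] and not c["multicast"]

def make_admin_mac(seed_bytes):
    """Force U/L=1 and I/G=0 on the first octet of any six seed bytes (constructed input)."""
    b = list(seed_bytes)
    if len(b) != 6:
        raise ValueError("need exactly six bytes")
    b[0] = (b[0] | 0x02) & ~0x01
    return "-".join(f"{x:02x}" for x in b)
```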

Hi ZeroByte,

I tried applying your suggestion to my config but I’m still having routing issues. Is there any chance you could take a look at my post and possibly help a noob out?
http://forum.mikrotik.com/t/routing-issues-between-multiple-subnets-setup-for-multiple-interfaces/109760/1