ping works, telnet/ssh/ospf doesn't

Hello everybody,

I use multiple units of RB951G and RB750GR3 for educational purposes. OS version is 6.40.5

I can access every router via telnet or ssh and the IP 192.168.88.1 on ether2.

I set up the interfaces on two routers :
R1: ether3 = 192.168.20.1/30
R2: ether4 = 192.168.20.2/30

I can ping from R1 to R2 :

[admin@R1] > /ping 192.168.20.2
SEQ HOST SIZE TTL TIME STATUS
0 192.168.20.2 56 64 0ms
1 192.168.20.2 56 64 0ms
2 192.168.20.2 56 64 0ms
sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

Now my problem: I cannot telnet nor ssh from R1 to R2. That problem arose after resetting the routers to factory-settings.
Another issue: I turned on OSPF but the routers don’t recognize each other as neighbours. Below you find the actual configuration. I tried to fix the problems for several hours, but didn’t have any success. On each router, I just can see its own link-states. It seems, as if there was no communication through the network 192.168.20.0/30. But then: why does ping work?

Any help is appreciated.

Best regards

Michael

Router R1:
[admin@R1] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    ether2-master
 1   192.168.20.1/30    192.168.20.0    ether3

[admin@R1] > routing ospf interface print
Flags: X - disabled, I - inactive, D - dynamic, P - passive
 #    INTERFACE  COST  PRIORITY  NETWORK-TYPE  AUTHENTICATION  AUTHENTICATION-KEY
 0 D  ether3     10    1         broadcast     none

[admin@R1] > /interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME           MTU   MAC-ADDRESS        ARP      MASTER-PORT  SWITCH
 0    ether1         1500  6C:3B:6B:DB:86:66  enabled  none         switch1
 1 R  ether2-master  1500  6C:3B:6B:DB:86:67  enabled  none         switch1
 2 R  ether3         1500  6C:3B:6B:DB:86:68  enabled  none         switch1
 3    ether4         1500  6C:3B:6B:DB:86:69  enabled  none         switch1
 4    ether5         1500  6C:3B:6B:DB:86:6A  enabled  none         switch1

Router R2:
[admin@R2] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge
 1   192.168.20.2/30    192.168.20.0    ether4

[admin@R2] > routing ospf interface print
Flags: X - disabled, I - inactive, D - dynamic, P - passive
 #    INTERFACE  COST  PRIORITY  NETWORK-TYPE  AUTHENTICATION  AUTHENTICATION-KEY
 0 D  ether4     10    1         broadcast     none

[admin@R2] > interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME           MTU   MAC-ADDRESS        ARP      MASTER-PORT  SWITCH
 0    ether1         1500  4C:5E:0C:B1:74:78  enabled  none         switch1
 1 RS ether2-master  1500  4C:5E:0C:B1:74:79  enabled  none         switch1
 2    ether3         1500  4C:5E:0C:B1:74:7A  enabled  none         switch1
 3 R  ether4         1500  4C:5E:0C:B1:74:7B  enabled  none         switch1
 4    ether5         1500  4C:5E:0C:B1:74:7C  enabled  none         switch1

[admin@R2] > routing ospf lsa print
AREA TYPE ID ORIGINATOR SEQUENCE-NUMBER AGE
backbone router 192.168.20.2 192.168.20.2 0x80000003 1627

Hello

Pinging will never be an issue as both share the same link.

What you shared is not enough to validate ospf. /routing ospf export is a better approach.

A simple approach for ospf is to go through the tabs in this order:

Networks (add both subsets to backbone area)
Instance
Interfaces

Then go to neighbors to validate that you can see the other router.

That should be that for ospf.

If you still can’t ssh or telnet, check in IP - SERVICES to see if they are disabled.

If nothing works, export and paste your complete config.



Hello,

thanks a lot for your suggestions.

Meanwhile I have successfully set up the usual lab-scenario for my students (http://dt.wara.de/pdf/its/netzwerkTechnik/routing/topologie.pdf) with 3 other routers running OS-versions 6.15 and 6.36.1
ospf is running fine: all routes show up in the tables.

With the routers running OS 6.40.5 I have no success:
I simplified the setup to two routers: R1-ether3----192.168.20.0/30—ether4-R2

telnet and ssh - services are running, I can telnet/ssh from any host to interface ether2 on 192.168.88.1. But from one router I cannot connect to the next one. ICMP packets are transmitted.

At least I would expect on R1 to see R2 as an OSPF-neighbour and vice versa, but there are no neighbours on any router. Both are endlessly sending HELLO-packets. log-data and configuration are attached.

How can I dump incoming frames on a router? Is there anything like tcpdump?

Best regards

Michael


01:22:08 system,info device changed by admin
01:22:11 interface,info ether4 link up (speed 1G, full duplex)
01:22:11 route,ospf,debug Starting OSPFv2 on ether4 (192.168.20.2)
01:22:11 route,ospf,debug area=backbone
01:22:11 route,ospf,debug Opening IPv4 multicast socket
01:22:11 route,ospf,debug ether4 (192.168.20.2): interface event
01:22:11 route,ospf,debug event=OSPF_IFE_UP
01:22:11 route,ospf,debug state=Down
01:22:11 route,ospf,debug State change on ether4 (192.168.20.2) from Down to Waiting
01:22:11 route,ospf,debug Originate Router LSA
01:22:11 route,ospf,debug area=backbone
01:22:11 route,ospf,debug Installing an LSA
01:22:11 route,ospf,debug lsa=Router LSA id=255.255.255.2 originator=255.255.255.2 seqnum=0x80000001
01:22:11 route,ospf,debug Flooding an LSA
01:22:11 route,ospf,debug lsa=Router LSA id=255.255.255.2 originator=255.255.255.2 seqnum=0x80000001
01:22:11 route,ospf,debug area=backbone
01:22:11 route,ospf,debug Originate Router LSA
01:22:11 route,ospf,debug area=backbone
01:22:11 route,ospf,debug Deferring LSA origination
01:22:11 route,ospf,debug type=Router LSA
01:22:11 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:22:12 route,ospf,debug Recalculating all OSPFv2 intra-area routes
01:22:12 route,ospf,debug Recalculating all inter-area routes
01:22:12 route,ospf,debug summary-area=backbone
01:22:12 route,ospf,debug Recalculating AS-external routes
01:22:16 route,ospf,debug Originate Router LSA
01:22:16 route,ospf,debug area=backbone
01:22:21 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:22:31 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:22:41 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:22:51 route,ospf,debug ether4 (192.168.20.2): interface event
01:22:51 route,ospf,debug event=OSPF_IFE_WAIT_TIMER
01:22:51 route,ospf,debug state=Waiting
01:22:51 route,ospf,debug DR elections on ether4 (192.168.20.2):
01:22:51 route,ospf,debug existing DR=0.0.0.0
01:22:51 route,ospf,debug existing BDR=0.0.0.0
01:22:51 route,ospf,debug
01:22:51 route,ospf,debug After first elections:
01:22:51 route,ospf,debug DR=192.168.20.2
01:22:51 route,ospf,debug BDR=192.168.20.2
01:22:51 route,ospf,debug
01:22:51 route,ospf,debug After second elections:
01:22:51 route,ospf,debug DR=192.168.20.2
01:22:51 route,ospf,debug BDR=0.0.0.0
01:22:51 route,ospf,debug Interface ether4 (192.168.20.2) becomes Designated Router
01:22:51 route,ospf,debug Designated Router changed
01:22:51 route,ospf,debug old=0.0.0.0
01:22:51 route,ospf,debug new=192.168.20.2
01:22:51 route,ospf,debug Originate Router LSA
01:22:51 route,ospf,debug area=backbone
01:22:51 route,ospf,debug State change on ether4 (192.168.20.2) from Waiting to Designated Router
01:22:51 route,ospf,debug Originate Router LSA
01:22:51 route,ospf,debug area=backbone
01:22:51 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:23:01 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:23:11 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:23:21 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:23:31 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:23:41 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:23:51 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:24:01 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:24:11 route,ospf,debug SEND: Hello 192.168.20.2 → 224.0.0.5 on ether4
01:24:21 route,ospf,debug SEND: Hello 192.168.20.2 → 22


[admin@R2] > export compact

# jan/02/1970 02:38:31 by RouterOS 6.40.5
# software id = Y1BB-ZA9H
# model = 951G-2HnD
# serial number = 4F4304AD953C

/interface bridge
add admin-mac=4C:5E:0C:B1:74:79 auto-mac=no comment=defconf name=bridge
add name=loopback
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-B1747D wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/routing ospf instance
set [ find default=yes ] router-id=255.255.255.2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.20.2/30 interface=ether4 network=192.168.20.0
add address=255.255.255.2 interface=loopback network=255.255.255.2
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing ospf network
add area=backbone network=192.168.20.0/30
/system identity
set name=R2
/system logging
add topics=ospf,!raw
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

just found /tool sniffer

Using a class E address works? (255.255.255.2) Is that even legal?? Never tried it myself. I stick with classes A, B and C for everything.

Is it normal that 192.168.88.1 is not participating in OSPF? It’s not advertised. Neither is your loopback. At least if your default instance advertised connected networks.

Salut Alain,

yes, those router-ids work perfectly on my setup with OS versions 6.15/6.36. But you are right, I’ll change that to class-A.

Cordialement

Michael

[admin@R1] > routing ospf neighbor print
0 instance=default router-id=255.255.255.20 address=192.168.20.2
interface=ether3 priority=1 dr-address=192.168.20.2
backup-dr-address=192.168.20.1 state="Full" state-changes=5
ls-retransmits=0 ls-requests=0 db-summaries=0 adjacency=12s

1 instance=default router-id=255.255.255.30 address=192.168.10.2
interface=ether4 priority=1 dr-address=192.168.10.2
backup-dr-address=192.168.10.1 state="Full" state-changes=6
ls-retransmits=0 ls-requests=0 db-summaries=0 adjacency=8m19s

After changing router-ids (now view from R3):

[admin@R3] /routing ospf> neighbor print
0 instance=default router-id=10.255.255.20 address=192.168.30.2
interface=ether3-slave-local priority=1 dr-address=192.168.30.2
backup-dr-address=192.168.30.1 state="Full" state-changes=5
ls-retransmits=0 ls-requests=0 db-summaries=0 adjacency=24s

1 instance=default router-id=10.255.255.10 address=192.168.10.1
interface=ether4-slave-local priority=1 dr-address=192.168.10.1
backup-dr-address=192.168.10.2 state="Full" state-changes=5
ls-retransmits=0 ls-requests=0 db-summaries=0 adjacency=18s

Hi everybody,

the problem was caused by a filter rule:

/ip firewall filter print

3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

with the initial settings the interface-list LAN only contains ‘bridge’ as a member.

to have routers with 5 separate interfaces, I always set the master-port of all ethers on all of my routers to ‘none’.
now, the individual ethers not being a member of the ‘LAN’-list, the firewall drops all non-icmp-packets entering the router through ether3, ether4,…
(ether2 is not affected, it belongs to ‘bridge’)

by adding all desired ethernet interfaces to the interface list ‘LAN’ , the problem is solved.

regards,
michael

[admin@R2] > /interface list member print
Flags: X - disabled, D - dynamic
 #   LIST  INTERFACE
 0   ;;; defconf
     LAN   bridge
 1   ;;; defconf
     WAN   ether1
 2   LAN   ether2-master
 3   LAN   ether3
 4   LAN   ether4
 5   LAN   ether5

[admin@R2] > /routing ospf neighbor print
0 instance=default router-id=10.255.255.30 address=192.168.30.1
interface=ether3 priority=1 dr-address=192.168.30.1
backup-dr-address=192.168.30.2 state="Full" state-changes=6
ls-retransmits=0 ls-requests=0 db-summaries=0 adjacency=20m19s
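
Added example (not part of the original posts, and not MikroTik code): a small Python model of the four IPv4 input rules from R2's export, showing why ping is accepted on ether4 while OSPF and SSH are dropped until the interface is in the LAN list. The packet dictionaries, the sample names and the connection state `new` for a first OSPF hello or SSH SYN are assumptions made for illustration.

```python
# Model of R2's "/ip firewall filter" input chain, in export order.
# Only the matchers used by these four defconf rules are modelled.
INPUT_CHAIN = [
    ("accept established,related,untracked", "accept",
     lambda p, lan: p["state"] in {"established", "related", "untracked"}),
    ("drop invalid", "drop",
     lambda p, lan: p["state"] == "invalid"),
    ("accept ICMP", "accept",
     lambda p, lan: p["proto"] == "icmp"),
    ("drop all not coming from LAN", "drop",
     lambda p, lan: p["in_if"] not in lan),   # in-interface-list=!LAN
]


def evaluate(packet, lan_members):
    """Return (action, rule comment) of the first rule that matches.
    A packet that reaches the end of a built-in chain is accepted."""
    for comment, action, matches in INPUT_CHAIN:
        if matches(packet, lan_members):
            return action, comment
    return "accept", "end of chain"


def pkt(proto, in_if, state="new"):
    # Assumption: the first packet of a flow is in connection state "new".
    return {"proto": proto, "in_if": in_if, "state": state}


# Constructed sample packets arriving at R2 (not captured traffic).
SAMPLES = {
    "ping on ether4": pkt("icmp", "ether4"),
    "OSPF hello on ether4": pkt("ospf", "ether4"),
    "SSH SYN on ether4": pkt("tcp", "ether4"),
    "SSH SYN on bridge": pkt("tcp", "bridge"),  # ether2-master is a bridge port
}

DEFCONF_LAN = {"bridge"}  # LAN list as in the export, before the fix
FIXED_LAN = {"bridge", "ether2-master", "ether3", "ether4", "ether5"}


def verdicts(lan_members):
    """Map each sample packet to the action the input chain takes."""
    return {name: evaluate(p, lan_members)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, lan in (("defconf", DEFCONF_LAN), ("fixed", FIXED_LAN)):
        for name, p in SAMPLES.items():
            print(label, name, *evaluate(p, lan))
```

With the fixed list, every service on the router's input chain is reachable from the inter-router links, not only OSPF, so the same model can be used to check a narrower accept rule before widening the LAN list.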