Pinging Default Gateway

I am having an issue pinging the default gateway on my network.

If I configure the interface using DHCP, I can ping the default gateway telling me that it is connected properly. If I remove DHCP and configure it manually, I can no longer ping the default gateway. When I configure a laptop with the same static IP details using the same cable as plugged into the Mikrotik, I am able to ping the default gateway. When adding the new IP address to the IP address list, I also have been changing the routing and nat information.

1.1.1.1 -> IP address of external interface
2.2.2.2 -> Broadcast IP of external interface
3.3.3.3 -> IP address of telco gateway

/ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

       DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 A S  0.0.0.0/0          1.1.1.1         3.3.3.3            1
1 ADC  10.1.1.0/24        10.1.1.253      bridge-local       0
2 DC   10.2.10.0/24       10.2.10.1       wlan1              255
3 ADC  2.2.2.2/29         1.1.1.1         ether1-gateway     0

/ip address> print
Flags: X - disabled, I - invalid, D - dynamic

   ADDRESS            NETWORK         INTERFACE
0  ;;; Inside
   10.1.1.253/24      10.1.1.0        ether6-master-local
1  ;;; Outside
   1.1.1.1/29         2.2.2.2         ether1-gateway
3  ;;; DMZ
   10.2.10.1/24       10.2.10.0       wlan1

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Nat
chain=srcnat action=src-nat to-addresses=3.3.3.3 src-address=10.1.1.0/24

1 chain=srcnat action=src-nat to-addresses=3.3.3.3 src-address=10.2.10.0/24

/ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published

     ADDRESS         MAC-ADDRESS     INTERFACE
0 D  10.1.1.136      X:X:X:X:X:X     bridge-local
1 D  192.168.0.1     Y:Y:Y:Y:Y:Y     ether1-gateway
2 D  3.3.3.3         Y:Y:Y:Y:Y:Y     ether1-gateway

Would someone be able to provide me with a little direction as to what might be the issue?

Thanks,

Dan

Change your src-nat rules

You have them set to 3.3.3.3, so packets are having their src ip changed to the gateway’s IP when it should be your ether1-gateway IP.
Then instead of src-address, change it to out-interface=ether1-gateway. After which, both rules are the same so remove 1 of them.

chain=srcnat action=src-nat to-addresses=1.1.1.1 out-interface=ether1-gateway

This says any packets leaving ether1-gateway should have their src-ip changed to your public IP.

But by default, the router would have used action=masquerade instead of action=src-nat. This would allow you to not worry about setting srcnat rules when changing your public IP.

chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway
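
The check described in the reply above, as an added example that is not part of the original thread: a small Python audit that flags src-nat rules whose to-addresses is the gateway or is not an address of the router, and rules without out-interface. It assumes rules and addresses are available as RouterOS-style key=value lines; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def parse_kv(line):
    """Turn a RouterOS 'key=value key=value' line into a dict; bare words are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def audit_srcnat(nat_lines, address_lines, default_gateway):
    """Return findings for src-nat rules that cannot work with the router's addresses."""
    ifaces = {}  # interface name -> configured IPv4 interface (one address each assumed)
    for line in address_lines:
        kv = parse_kv(line)
        ifaces[kv["interface"]] = ipaddress.ip_interface(kv["address"])
    own_ips = {i.ip for i in ifaces.values()}
    gw = ipaddress.ip_address(default_gateway)

    findings = []
    if not any(gw in i.network for i in ifaces.values()):
        findings.append(f"gateway {gw} is not on any connected subnet")
    for n, line in enumerate(nat_lines):
        kv = parse_kv(line)
        if kv.get("chain") != "srcnat" or kv.get("action") != "src-nat":
            continue  # masquerade takes the outgoing interface's address by itself
        to = ipaddress.ip_address(kv["to-addresses"])  # single address assumed
        out = kv.get("out-interface")
        if to == gw:
            findings.append(f"rule {n}: to-addresses {to} is the gateway's address")
        elif to not in own_ips:
            findings.append(f"rule {n}: to-addresses {to} is not assigned to this router")
        elif out in ifaces and ifaces[out].ip != to:
            findings.append(f"rule {n}: {to} is not the address of {out}")
        if out is None:
            findings.append(f"rule {n}: no out-interface, so traffic between "
                            "internal subnets is rewritten too")
    return findings

# Constructed sample data (RFC 5737 documentation addresses, not from the thread).
ADDRESSES = [
    "add address=10.1.1.253/24 interface=bridge-local",
    "add address=203.0.113.2/29 interface=ether1-gateway",
]
GATEWAY = "203.0.113.1"
BROKEN_NAT = ["chain=srcnat action=src-nat to-addresses=203.0.113.1 src-address=10.1.1.0/24"]
FIXED_NAT = ["chain=srcnat action=src-nat to-addresses=203.0.113.2 out-interface=ether1-gateway"]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_NAT), ("fixed", FIXED_NAT)):
        print(name, audit_srcnat(rules, ADDRESSES, GATEWAY) or "no findings")
```
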

Hi and sorry for my delayed response. I thought I subscribed to the thread, but I did not receive an email.

I tried what you suggested below, but to no avail. I also tried disabling all the NAT enabled and just using chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway, which did work for the DHCP address, but again I was still unable to ping with the static.

Do you have any more suggestions?

Thanks!

Dan Nelson

Are you using Winbox? Do pings from the router itself. In the ping dialog you can select which interface to send the ping out on. If you get a reply, then try again without selecting the interface. If no reply then issue would be something with routing.

If no reply when pinging out of your wan interface, then set up a packet capture. Go to Tools > Packet Sniffer. Set Interface to ether1-gateway, click Apply and then Start. Go back to the ping dialog and ping again. Then go back to the Packet Sniffer dialog, click Stop and click Packets. If your nat config is correct, you should see a tx line with src address of your public IP, dst Address of your default gateway (if that's where you’re pinging to). Then if it was working you’d also see an rx packet with src and dst reversed.

If you see the tx packet and src and dst are correct but no reply, then I’d think your ISP is dropping your packets because of an ARP issue. Normally a device would allow multiple IPs to exist for the same MAC address but an ISP may be more strict to prevent malicious activity.

If your laptop has already successfully worked with the static IP, then maybe your ISP won’t allow other MACs to try and use the same IP. Try setting ether1-gateway’s mac address to that of your laptop. This can only be done through command line. The command is:
/interface ethernet set ether1-gateway mac-address=XXXXXXXXXXXX
(maybe unplug the wan, set the mac, then plug the wan back in).

Hi Van,

Thank you for your reply.

When I have chain=srcnat action=src-nat to-address=1.1.1.1 src-address=10.1.1.0/24 enabled, I get the expected output in the packet sniffer that you describe below. I have lines, among others, that state:
interface → ether1-gateway
direction → tx
src address → 1.1.1.1
src port → 123
dst. address → 3.3.3.3
dst. port → 123
protocol → 2048

I will give your idea of the MAC address change soon but wanted to give you an update.

Thanks again!

Dan

I forgot to mention Pings use ICMP, so in the packet sniffer dialog go to Filter tab and set IP Protocol to 1 (icmp). ICMP doesn’t use ports, the lines that you show have port 123 which suggests that those packets weren’t part of your ping, but rather your router was trying to look up the time. Gateways probably won’t reply to time requests.
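
The distinction made in the post above, as an added example that is not part of the original thread: a Python sketch that classifies raw Ethernet frames by IP protocol (1 = ICMP, 17 = UDP, with port 123 being NTP) and lists echo requests that never received a reply. The value 2048 is the decimal form of EtherType 0x0800 (IPv4). The frames are constructed in the code; that a capture is available as raw frames, and all function names, are assumptions.

```python
import socket
import struct

def make_frame(proto, src, dst, l4):
    """Build a constructed Ethernet+IPv4 frame (zeroed MACs and checksums) for the demo."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4

def classify(frame):
    """Return (kind, src, dst, detail) for one Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:  # 0x0800 = 2048 decimal = IPv4; not yet ICMP vs UDP
        return ("non-ipv4", None, None, ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if ip[9] == 1:  # IP protocol 1 = ICMP: no ports, echo id/seq instead
        icmp_type, ident, seq = struct.unpack("!B3xHH", l4[:8])
        kind = {8: "echo-request", 0: "echo-reply"}.get(icmp_type, "icmp-other")
        return (kind, src, dst, (ident, seq))
    if ip[9] == 17:  # IP protocol 17 = UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("ntp" if 123 in (sport, dport) else "udp", src, dst, (sport, dport))
    return ("other", src, dst, ip[9])

def unanswered_pings(frames):
    """Echo requests with no echo reply carrying the same id/seq and reversed addresses."""
    pending = []
    for frame in frames:
        kind, src, dst, detail = classify(frame)
        if kind == "echo-request":
            pending.append((src, dst, detail))
        elif kind == "echo-reply" and (dst, src, detail) in pending:
            pending.remove((dst, src, detail))
    return pending

def echo(icmp_type, seq):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq)

# Constructed capture (RFC 5737 addresses): one NTP query, one answered and one unanswered ping.
ROUTER, GATEWAY = "203.0.113.2", "203.0.113.1"
CAPTURE = [
    make_frame(17, ROUTER, GATEWAY, struct.pack("!HHHH", 123, 123, 8, 0)),
    make_frame(1, ROUTER, GATEWAY, echo(8, 1)),
    make_frame(1, GATEWAY, ROUTER, echo(0, 1)),
    make_frame(1, ROUTER, GATEWAY, echo(8, 2)),
]
```
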

Hi Van,

Thank you for your information. I tried as you said and have spoken with the carrier and still have not come to a resolution. As you stated, I can see in the packet sniffer with no ports an ICMP ping, but no reply. I would lean to say that something is wrong with the carrier, but the fact that the laptop works tells me that is not the case. I have a block of 5 and tried another on the MikroTik and it has the same problem as the first.

Thanks,

Dan

Did you try changing the MAC address of the ether1-gateway?

Carrier may have associated ether1-gateway’s MAC with the DHCP address it took on.

After that, I’m out of ideas.

Hi Van,

Thank you for your reply. I have tried doing as you say to no avail. I have also tried to reset the device and use a default configuration and that did not work either.

Let me know if you think of anything else.

Thanks!

Dan Nelson

Seems like yours is correct… I set up a static IP last week and noted the steps. I blocked out the first 2 octets of my IP.

IP: x.x.135.234/30 (Subnet 255.255.255.252)
GW: x.x.135.233

From Default Config in winbox:

  • IP > DHCP Client, remove the only entry
  • IP > Addresses > Add: I plugged in my static IP with subnet: x.x.135.234/30
    I leave network unset, winbox fills it in anyway after I hit ok. It filled it in with x.x.135.232 which would be my broadcast address.

Now IP > Route should show two routes. I added a new route where dst address is 0.0.0.0/0 and gateway is x.x.135.233. The rest of the settings in the route are fine so I hit ok. Then I tested, it works.

In IP > Arp I see ether1-gateway knows the MAC address of the gateway, yours should show it too.

Hi Van,

Thank you for taking note of those steps. When I reset my unit, I had done those exact steps as well. I do see that IP in the ARP table as well, but still cannot ping.

Thanks!

Dan