PPPoE (Telekom) connected but unable to ping any internet address

Hello,

I'm using a MikroTik router connected to a Zyxel VMG3006-D70A modem to connect to Deutsche Telekom.

The PPPoE client has been configured to use the necessary VLAN ID 7. This part seems to work, as the client establishes the connection and gets an IP address. After establishing the connection, the default routes also exist. A NAT rule to masquerade outgoing traffic is also defined.

Unfortunately I am still unable to ping any internet address from the router or from any of its ports.

I've been trying to solve that for some hours now, unfortunately without luck. I still have no idea what's wrong.
If anybody could help it would be appreciated.

The current configuration (RouterOS 7.16.2) is shown below.



/interface bridge
add admin-mac=78:9A:18:A7:E8:49 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface vlan
add comment="Telekom VDSL" interface=ether1 name=VLAN7-VDSL vlan-id=7
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 comment="Telekom VDSL" disabled=no interface=VLAN7-VDSL max-mru=1492 \
    max-mtu=1492 mrru=1500 name=pppoe-t-vdsl user=
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=WTC_PRIV ranges=192.168.177.10-192.168.177.254
/ip dhcp-server
add address-pool=WTC_PRIV interface=bridge lease-time=4h name=WTC_PRIV server-address=192.168.177.1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=pppoe-t-vdsl list=WAN
/ip address
add address=192.168.177.1/24 comment=defconf interface=bridge network=192.168.177.0
add address=192.168.176.2/24 interface=ether2 network=192.168.176.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.177.250 client-id=1:c0:25:6:1b:6e:de mac-address=C0:25:06:1B:6E:DE server=WTC_PRIV
/ip dhcp-server network
add address=192.168.177.0/24 dns-server=192.168.177.1,1.1.1.2,1.0.0.2 domain=wtpriv.home.arpa gateway=192.168.177.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2,1.1.1.1,116.203.32.217,159.69.114.157
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept ospf" protocol=ospf
add action=accept chain=input comment="Allow access from LAN" in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=\
    !LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="drop everything else" log=yes log-prefix=DROP
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=192.168.177.0/24 src-address=192.168.177.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=192.168.176.0/24 gateway=ether2 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.178.0/24 gateway=192.168.176.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.200.0/24 gateway=192.168.176.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

hello,

let us try some simple steps first,

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

try to include your pppoe and vlan 7 interfaces in list=WAN.

hth.

Hello,

Adding eth1, the pppoe and the vlan7 interface to list=WAN does not change the behavior. Still unable to ping any internet address. Pinging local addresses works like a charm.

ok. let us continue with

/ip firewall filter print detail
/ip firewall nat print detail
/ip address print detail
/ip route print detail

please put those in separate code tags. it's better to see that output first rather than the config.

Here it is:

firewall filters

Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 
 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix="" 
 5    ;;; accept ospf
      chain=input action=accept protocol=ospf log=no log-prefix="" 
 6    ;;; Allow access from LAN
      chain=input action=accept in-interface-list=LAN log=no log-prefix="" 
 7    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="!LAN" 
 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 
 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 
10    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 
11    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 
12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 
13    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
14    ;;; allow port forwarding
      chain=forward action=accept connection-nat-state=dstnat log=no log-prefix="" 
15    chain=forward action=accept in-interface=bridge out-interface=pppoe-t-vdsl log=no log-prefix="" 
16    chain=forward action=accept src-address-list=local_ip_range dst-address-list=local_ip_range log=no log-prefix="" 
17    ;;; drop everything else
      chain=input action=drop log=yes log-prefix="DROP" 
18    ;;; drop everything else
      chain=forward action=drop log=yes log-prefix="drop fwd"

ip firewall nat

Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; hairpin nat
      chain=srcnat action=masquerade src-address=192.168.177.0/24 dst-address=192.168.177.0/24 log=no log-prefix="" 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none

ip addresses

Flags: D - DYNAMIC; S - SLAVE
Columns: ADDRESS, NETWORK, INTERFACE
#    ADDRESS           NETWORK        INTERFACE   
;;; defconf
0    192.168.177.1/24  192.168.177.0  bridge      
1  S 192.168.176.2/24  192.168.176.0  ether2      
2 D  79.224.52.103/32  62.155.242.73  pppoe-t-vdsl

ip route

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY        DISTANCE
  DAv 0.0.0.0/0         pppoe-t-vdsl          1
  DAc 62.155.242.73/32  pppoe-t-vdsl          0
0   s 192.168.176.0/24  ether2                1
  DAc 192.168.176.0/24  bridge                0
  DAc 192.168.177.0/24  bridge                0
1  As 192.168.178.0/24  192.168.176.1         1
2  As 192.168.200.0/24  192.168.176.1         1

chain=input action=drop in-interface-list=!LAN log=no log-prefix="!LAN"

that part: try changing its action to accept.

if it's working, then you need to track down how to secure that !LAN.

2 D  79.224.52.103/32  62.155.242.73  pppoe-t-vdsl

and that pppoe is inside vlan 7. you don't have an ip address for your vlan, hence your bridge can't reach your pppoe.

before you give vlan 7 an ip address, just try to ping your pppoe address from your lan, not from the router. if it's working, then try to traceroute to mikrotik.com and see at which point it fails.
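Two notes on this step, as an added example that is not from the original posts. First, a ping issued on the router itself leaves through the output chain, so the input-chain drop on !LAN cannot be what blocks it, and setting that rule to accept would expose every service the router listens on (WinBox, SSH, and DNS, which the posted config runs with allow-remote-requests=yes) to the PPPoE side. Second, the drop rules in the posted rule set already log, so their counters and the log answer the question without loosening anything. The commands below use the interface, gateway and address values printed in the thread; 1.1.1.1 and 8.8.8.8 as test targets are assumptions, as is the size arithmetic for the 1492-byte PPPoE MTU.

```routeros
# Added example (not part of the thread): locate where outbound traffic dies
# without touching the input chain. Interface/address values are from the
# posted config and output; 1.1.1.1 / 8.8.8.8 as targets are assumptions.

# 1. Session state and the addresses the peer handed out.
/interface pppoe-client monitor pppoe-t-vdsl once

# 2. Router-originated pings use the output chain, not input. Source them
#    from the PPPoE address so no LAN address is involved; this path needs
#    no NAT at all. Failure here points at PPPoE/VLAN/modem or the provider
#    side, not at the filter rules.
/ping address=62.155.242.73 interface=pppoe-t-vdsl count=4
/ping address=1.1.1.1 src-address=79.224.52.103 count=4

# 3. Did anything leave the PPPoE interface, and did replies come back?
/interface monitor-traffic pppoe-t-vdsl once

# 4. The drop rules already log; read them instead of disabling them.
#    Their counters must stay flat while step 2 runs. Prefixes "!LAN",
#    "DROP" and "drop fwd" are the ones in the posted rule set.
/ip firewall filter print stats where chain=input && action=drop
/ip firewall filter print stats where chain=forward && action=drop
/log print where topics~"firewall"

# 5. Same test sourced from the LAN address. Still router-originated, but
#    unlike step 2 this packet must be masqueraded on the way out: step 2
#    working and step 5 failing isolates the srcnat rule. Trace by IP, since
#    DNS is down anyway; hop 1 answering and nothing after it is the symptom
#    described in the thread.
/ping address=1.1.1.1 src-address=192.168.177.1 count=4
/tool traceroute address=8.8.8.8 src-address=192.168.177.1 count=3

# 6. MTU sanity for PPPoE (max-mtu=1492). RouterOS "size" is the whole IP
#    packet including headers, so 1492 with DF set must pass and 1493 must
#    be refused locally rather than silently lost.
/ping address=1.1.1.1 size=1492 do-not-fragment count=2
/ping address=1.1.1.1 size=1493 do-not-fragment count=2
```

Read the results in order: a failure at step 2 is outside the firewall entirely; step 2 passing with step 5 failing means no masquerade rule matched; both passing with LAN hosts still stuck means the forward chain, whose drop counters step 4 shows.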

chain=input action=drop in-interface-list=!LAN log=no log-prefix="!LAN"
that part: try changing its action to accept.

Changing the action to accept didn't change the behavior → still no ping possible (from router and LAN)

2 D 79.224.52.103/32 62.155.242.73 pppoe-t-vdsl
and that pppoe is inside vlan 7. you don't have an ip address for your vlan, hence your bridge can't reach your pppoe.

I assigned an IP address from a local subnet to VLAN7. → Now I can ping pppoe from within the router and from the LAN.
Traceroute from a LAN PC to mikrotik.com fails (because DNS is not working without internet). If I traceroute from the LAN PC to IP 8.8.8.8 instead, I get stuck on the router.

Adding eth1, pppoe and vlan7

ok. now… exclude eth1 and vlan 7 from address-list wan.

ok. now… exclude eth1 and vlan 7 from address-list wan.

now there's only pppoe left in interface-list WAN → no change at all, ping fails / traceroute gets stuck on the router

Can the router itself ping outside?
Maybe also a Telekom issue…

Edit:

/ip route
add disabled=no distance=1 dst-address=192.168.176.0/24 gateway=ether2 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.178.0/24 gateway=192.168.176.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.200.0/24 gateway=192.168.176.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

I see no default route 0.0.0.0/0 pointing to the next hop?!

Can the router itself ping outside?

No ping to internet addresses possible from router

I see no default route 0.0.0.0/0 pointing to the next hop?!

The default route gets added when pppoe is connected and points to pppoe, so that is why it is not part of the initially exported config.
ip route print on the router shows the following result:

Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY        DISTANCE
0  Xs 192.168.178.0/24  ether2                1
  DAv 0.0.0.0/0         pppoe-t-vdsl          1
  DAc 62.155.242.73/32  pppoe-t-vdsl          0
  DAc 192.168.174.0/24  ether2                0
;;; route to 176
1  As 192.168.176.0/24  192.168.174.1         1
  DAc 192.168.177.0/24  bridge                0
;;; route to 178
2  As 192.168.178.0/24  192.168.174.1         1
3  As 192.168.200.0/24  192.168.174.1         1

ok… now try to disable that hairpin

0 ;;; hairpin nat
chain=srcnat action=masquerade src-address=192.168.177.0/24 dst-address=192.168.177.0/24 log=no log-prefix=""

  1. /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=ether1 list=WAN
    add interface=pppoe-t-vdsl list=WAN

  2. Do not use the same names for different parts of the config, AND REMOVE SERVER ADDRESS, it does not belong here!!
    /ip dhcp-server
    add address-pool=WTC_PRIV interface=bridge lease-time=4h name=WTC_PRIV server-address=192.168.177.1

    so change the name of the dhcp server to:
    /ip dhcp-server
    add address-pool=WTC_PRIV interface=bridge lease-time=4h name=WTC_SERV

  3. You have given ether2 a separate IP address, and therefore either REMOVE the address for ether2, or REMOVE ether2 from the bridge and add a dhcp server, dhcp server network and IP pool for ether2. More than likely you just forgot to get rid of ether2 from the default settings. There is something amiss with this unknown subnet??

    /ip address
    add address=192.168.177.1/24 comment=defconf interface=bridge network=192.168.177.0
    add address=192.168.176.2/24 interface=ether2 network=192.168.176.0

  4. You can do one better…
    From:
    add action=accept chain=input comment="Allow access from LAN" in-interface-list=LAN
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=!LAN

    TO:
    add action=accept chain=input comment="Allow access from LAN" in-interface-list=LAN
    add action=drop chain=input comment="drop all else"

  5. Modify from this
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    add action=drop chain=input comment="drop everything else" log=yes log-prefix=DROP

    TO the clearer:
    add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
    add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
    add action=drop chain=forward comment="drop all else"

  6. Why do you have a hairpin NAT rule if you have no dst nat or port forwarding in the mix???

  7. You have three routes to NOTHING… there is only one subnet on your router, 192.168.77.0/24, where are the other three coming from???
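Putting the filter points above together, here is the complete rule set they lead to, as an added example rather than anything posted in the thread. Order matters: fasttrack and the established/related accept come before any drop, invalid is dropped before new connections are judged, and both chains end in an unconditional drop, so there is no longer an in-interface-list=!LAN rule that is tempting to flip to accept while debugging. The accept-ospf rule from the posted config is left out because that config runs no OSPF. Interface-list names are from the posted config (pppoe-t-vdsl is already a WAN member there); comments and log prefixes are assumptions.

```routeros
# Added example, not from the thread: the filter set that results from
# applying the points above to the posted config. Interface-list names are
# from the config; comments and log prefixes are assumptions.
/ip firewall filter
# --- input: the router's own services ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="loopback (CAPsMAN)"
add chain=input action=accept in-interface-list=LAN comment="management from LAN"
# final input rule: nothing else reaches WinBox/SSH/DNS on the PPPoE address
add chain=input action=drop log=yes log-prefix="input drop" comment="drop all else"

# --- forward: traffic through the router ---
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# the only two ways a new connection gets through: LAN out to WAN, or a
# port forward that a dstnat rule already rewrote
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="internet traffic"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"
add chain=forward action=drop log=yes log-prefix="fwd drop" comment="drop all else"
```

With this set, an outbound LAN connection that fails shows up once as a "fwd drop" log line with its source and destination, which is a more useful signal than the counters on a catch-all !LAN rule.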

now there's only pppoe left in interface-list wan → no change at all, ping fails/traceroute gets stuck on router

  1. ping your gateway ip (and 1.1.1.1 or 8.8.8.8) from the router with the src addr of your pppoe ip. if it succeeds, then

  2. ping your gateway ip (and 1.1.1.1 or 8.8.8.8) from the router with the src addr of your vlan 7. if it fails, then

  3. the problem is the pppoe src nat (and subsequently the lan address list to be permitted going outside) and/or the incoming traffic firewall filters.

ip firewall nat add dst addr 0/0 src addr lan out interface pppoe chain postrouting action masquerade.

remember the chain is postrouting, not output.
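The last two lines use netfilter chain names; in RouterOS the equivalent of POSTROUTING is the srcnat chain, which runs after routing for forwarded and router-originated packets alike. The block below, an added example that is not from the thread, writes the proposed rule out in RouterOS syntax and adds the connection-tracking check that tells whether any masquerade rule matched at all. The address-list name lan_nets is an assumption; interface names and subnets are from the posted config.

```routeros
# Added example, not from the thread: the rule suggested above in RouterOS
# syntax. RouterOS has no "postrouting" chain; "srcnat" is its post-routing
# hook. lan_nets is an assumed list name; subnets are from the posted config.
/ip firewall address-list
add list=lan_nets address=192.168.177.0/24 comment="bridge LAN"
add list=lan_nets address=192.168.176.0/24 comment="ether2 subnet"

/ip firewall nat
# "src lan, out pppoe, masquerade"; omitting dst-address matches any
# destination, which is what "dst addr 0/0" meant.
add chain=srcnat action=masquerade src-address-list=lan_nets \
    out-interface=pppoe-t-vdsl comment="LAN to Telekom"

# Verify rather than stack rules: the defconf masquerade with
# out-interface-list=WAN already covers this once pppoe-t-vdsl is a WAN
# member, and a second identical match is only a counter that never moves.
/interface list member print where list=WAN
/ip firewall nat print stats where chain=srcnat

# The decisive check. Start a ping from a LAN host to 1.1.1.1 (assumed
# target), then look at its connection: reply-dst-address must be the PPPoE
# address (79.224.52.103 in the posted output). If it still shows
# 192.168.177.x, no srcnat rule matched and the replies can never come home.
/ip firewall connection print where dst-address~"1.1.1.1"
```

If reply-dst-address is correct and the router's own ping sourced from the PPPoE address also fails, NAT is not the problem and the fault is on the PPPoE/VLAN or provider side, which the added diagnostics earlier in the thread narrow down.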