Router HAPAC2 behaving oddly (can't ping any client)

Lately my organization’s router has been behaving oddly. I can’t be sure if it’s the v6 to v7 upgrade or something else. I haven’t tried backing up and completely restoring the settings since it’s in a remote location.

I have a couple of VLANs. The problem is that the router cannot ping ANY of the clients in the network; every attempt times out. Internet works, and clients can talk to one another just fine. This problem crept up suddenly one day, seemingly without reason. I’ve gone through the config line by line and nothing immediately stands out.

I can’t figure out how to even begin to troubleshoot this issue. How would you suggest I start? Torch?

Thanks in advance.

Do not post the config! It’s much more fun to guess!!
I would say the clients are odd and the router is even, and thus the mismatch ???

I’ve tried to group the export in its correct categories. I have some potentially odd rules in mangle and recursive routing but even if this is not correct, as far as I know it shouldn’t impact pings from the router to client devices. Thanks


# Labels the five physical ports: ether1 and ether2 as LAN, ether3/ether4/ether5
# as "WAN 3"/"WAN1"/"WAN2". Only the comment field is set here.
/interface ethernet
set [ find default-name=ether1 ] comment=LAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="WAN 3"
set [ find default-name=ether4 ] comment="WAN1"
set [ find default-name=ether5 ] comment="WAN2"

# Declares the interface lists. WAN, LAN and DISCOVERY receive members in
# "/interface list member" below.
# NOTE(review): "discover", "mactel" and "mac-winbox" get no members in this
# export, and the /tool mac-server settings that would reference them are not
# shown, so which interfaces accept MAC-Telnet / MAC-Winbox cannot be confirmed
# from here.
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
add name=LAN
add name=DISCOVERY

# Assigns interfaces to the WAN, LAN and DISCOVERY lists. The firewall keys on
# these lists (masquerade on out-interface-list=WAN, input drop on
# in-interface-list=!LAN), so membership here is part of the security policy.
# NOTE(review): "VL1" and "VL130 Lighting" exist under /interface vlan but are
# not added to LAN.
# NOTE(review): ether1 is also the only bridge port in this export; IP firewall
# rules normally see the bridge/VLAN interface rather than the port, so its
# LAN membership probably has no effect on filtering - confirm.
# NOTE(review): zerotier1 is a member of both WAN and DISCOVERY. Neighbor
# discovery on that interface announces the router to every peer on the
# overlay network; drop it from DISCOVERY unless all overlay members are
# trusted.
/interface list member
add interface=ether5 list=WAN
add interface=ether1 list=LAN
add interface="VL103 Network Devices" list=LAN
add interface="VL105 AV" list=LAN
add interface="VL110 Office" list=LAN
add interface="VL115 HDMI Over IP" list=LAN
add interface="VL120 CCTV" list=LAN
add interface="VL125 Translation" list=LAN
add interface="VL190 GuestNoPortal" list=LAN
add interface="VL199 Guest" list=LAN
add interface=ether4 list=WAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add interface="VL191 Guest P1" list=LAN
add interface=ether3 list=WAN
add interface=ether1 list=DISCOVERY
add interface=ether2 list=DISCOVERY
add interface=zerotier1 list=DISCOVERY
add interface=wlan1 list=DISCOVERY
add interface=wlan2 list=DISCOVERY
add interface=ether2 list=LAN
add interface=bridge list=LAN
add interface=zerotier1 list=WAN

# Restricts neighbor discovery to the interfaces in the DISCOVERY list
# (ether1, ether2, zerotier1, wlan1, wlan2 per "/interface list member").
/ip neighbor discovery-settings
set discover-interface-list=DISCOVERY

# One VLAN interface per VLAN ID, all stacked on the bridge; these are the
# routed (L3) interfaces that carry the gateway addresses.
# NOTE(review): "VL1" and "VL130 Lighting" get no IP address, DHCP server or
# LAN list membership anywhere in this export; the 192.168.100.1/24 address
# sits on the bridge itself, not on VL1.
/interface vlan
add interface=bridge name=VL1 vlan-id=1
add interface=bridge name="VL103 Network Devices" vlan-id=103
add interface=bridge name="VL105 AV" vlan-id=105
add interface=bridge name="VL110 Office" vlan-id=110
add interface=bridge name="VL115 HDMI Over IP" vlan-id=115
add interface=bridge name="VL120 CCTV" vlan-id=120
add interface=bridge name="VL125 Translation" vlan-id=125
add interface=bridge name="VL130 Lighting" vlan-id=130
add interface=bridge name="VL190 GuestNoPortal" vlan-id=190
add interface=bridge name="VL191 Guest P1" vlan-id=191
add interface=bridge name="VL199 Guest" vlan-id=199


# Single VLAN-aware bridge (vlan-filtering=yes) with fast-forward disabled and
# IGMP snooping enabled.
# NOTE(review): ingress-filtering=no is set on the bridge and on ether1. With
# it disabled the bridge does not verify that the ingress port is a member of
# a frame's VLAN; enabling it is the usual hardening on a VLAN-filtering
# bridge - confirm it was switched off deliberately.
/interface bridge
add fast-forward=no igmp-snooping=yes ingress-filtering=no name=bridge vlan-filtering=yes

# ether1 is the only bridge port in this export; ether2, wlan1 and wlan2 are
# in the LAN interface list but are not bridged here.
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1

# Bridge fast path is turned off.
/interface bridge settings
set allow-fast-path=no

# Every listed VLAN is tagged on both the bridge (CPU) port and ether1, i.e.
# ether1 is a trunk. VLAN 1 has no static entry here.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=115,120,125,130,190,191,199
add bridge=bridge tagged=bridge,ether1 vlan-ids=103
add bridge=bridge tagged=bridge,ether1 vlan-ids=105
add bridge=bridge tagged=bridge,ether1 vlan-ids=110


# DHCP address pools, one per served network. The "VL199 Guest" pool spans the
# 172.16.196.0/22 guest range; all others are inside a /24.
# No pool is defined for VLAN 130.
/ip pool
add name="VL1 DMZ 100" ranges=192.168.100.100-192.168.100.199
add name="VL103 Net Dev" ranges=192.168.103.100-192.168.103.199
add name="VL105 AV" ranges=192.168.105.120-192.168.105.204
add name="VL110 Office" ranges=192.168.110.100-192.168.110.199
add name="VL115 HDMI Over IP" ranges=192.168.115.100-192.168.115.199
add name="VL120 CCTV" ranges=192.168.120.100-192.168.120.199
add name="VL125 Translation" ranges=192.168.125.100-192.168.125.199
add name="VL199 Guest" ranges=172.16.196.50-172.16.199.254
add name="VL190 GuestNoPortal" ranges=192.168.190.20-192.168.190.254
add name="VL191 Guest P1" ranges=192.168.191.20-192.168.191.254

# One DHCP server per network, each bound to its VLAN interface and pool.
# The "VL1 DMZ 100" server is bound to the bridge interface itself rather
# than to the VL1 VLAN interface.
/ip dhcp-server
add address-pool="VL1 DMZ 100" interface=bridge name="VL1 DMZ 100"
add address-pool="VL103 Net Dev" interface="VL103 Network Devices" name="VL103 Net Dev"
add address-pool="VL105 AV" interface="VL105 AV" name="VL105 AV"
add address-pool="VL110 Office" interface="VL110 Office" name="VL110 Office"
add address-pool="VL115 HDMI Over IP" interface="VL115 HDMI Over IP" name="VL115 HDMI Over IP"
add address-pool="VL120 CCTV" interface="VL120 CCTV" name="VL120 CCTV"
add address-pool="VL125 Translation" interface="VL125 Translation" name="VL125 Translation"
add address-pool="VL199 Guest" interface="VL199 Guest" name="VL199 Guest"
add address-pool="VL190 GuestNoPortal" interface="VL190 GuestNoPortal" name="VL190 GuestNoPortal"
add address-pool="VL191 Guest P1" interface="VL191 Guest P1" name="VL191 Guest P1"

# Per-network DHCP options: gateway is always the router's address in that
# subnet; most networks get a public resolver first and the router second.
# NOTE(review): the input filter in this export accepts only
# established/related/untracked, ICMP and tcp/8001, so new DNS queries to the
# router addresses listed here appear to be dropped; 192.168.100.0/24 is
# handed the router as its only resolver - confirm clients there can resolve.
# NOTE(review): dhcp-option=unifi is referenced, but its definition
# (/ip dhcp-server option) is not part of this export.
/ip dhcp-server network
add address=172.16.196.0/22 dns-server=1.1.1.1,172.16.196.1 gateway=172.16.196.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
add address=192.168.103.0/24 dhcp-option=unifi dns-server=1.1.1.1,192.168.103.1 gateway=192.168.103.1
add address=192.168.105.0/24 dns-server=1.1.1.1,192.168.105.1 gateway=192.168.105.1
add address=192.168.110.0/24 dns-server=1.1.1.1,192.168.110.1 gateway=192.168.110.1
add address=192.168.115.0/24 dns-server=1.1.1.1,192.168.115.1 gateway=192.168.115.1
add address=192.168.120.0/24 dns-server=1.1.1.1,192.168.120.1 gateway=192.168.120.1
add address=192.168.125.0/24 dhcp-option=unifi dns-server=8.8.8.8,192.168.125.1 gateway=192.168.125.1
add address=192.168.190.0/24 dns-server=1.1.1.1,192.168.190.1 gateway=192.168.190.1
add address=192.168.191.0/24 dns-server=1.1.1.1,192.168.191.1 gateway=192.168.191.1


# DHCP clients on the two WAN ports; any default route they install gets
# distance 10 (ether4) or 11 (ether5).
# NOTE(review): ether5 also carries a static 172.20.36.2/30 address under
# /ip address - confirm both addressing methods are intended on that port.
/ip dhcp-client
add default-route-distance=10 interface=ether4
add default-route-distance=11 interface=ether5

# Router (gateway) addresses: .1 in every VLAN subnet, 192.168.100.1/24 on the
# bridge itself, and a static /30 on ether5 for the WAN labelled
# "WAN - MY REPUBLIC". No address is assigned to VL1 or "VL130 Lighting".
/ip address
add address=192.168.100.1/24 interface=bridge network=192.168.100.0
add address=192.168.103.1/24 interface="VL103 Network Devices" network=192.168.103.0
add address=192.168.105.1/24 interface="VL105 AV" network=192.168.105.0
add address=192.168.110.1/24 interface="VL110 Office" network=192.168.110.0
add address=192.168.115.1/24 interface="VL115 HDMI Over IP" network=192.168.115.0
add address=192.168.120.1/24 interface="VL120 CCTV" network=192.168.120.0
add address=192.168.125.1/24 interface="VL125 Translation" network=192.168.125.0
add address=172.16.196.1/22 interface="VL199 Guest" network=172.16.196.0
add address=192.168.190.1/24 interface="VL190 GuestNoPortal" network=192.168.190.0
add address=192.168.191.1/24 interface="VL191 Guest P1" network=192.168.191.0
add address=172.20.36.2/30 comment="WAN - MY REPUBLIC" interface=ether5 network=172.20.36.0

# Caps the IPv4 neighbor (ARP) table at 8192 entries.
/ip settings
set max-neighbor-entries=8192


# Router resolver: forwards to 8.8.8.8 and two 172.17.x.x servers (presumably
# ISP-side resolvers - confirm they are reachable over the intended WAN).
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# host whose queries pass the input chain. As exported, the input filter ends
# in an unconditional drop with no accept for port 53, so nothing should reach
# the resolver; if an accept is ever added, scope it to LAN interfaces so the
# router does not become an open resolver on the WAN side.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,172.17.33.100,172.17.13.100


# Two extra routing tables, selected by the mark-routing rules in
# /ip firewall mangle.
/routing table
add fib name=routemark.wan2
add fib name=routemark.wan1

# Recursive default routes: each 0.0.0.0/0 route points at a public DNS
# address (8.8.8.8 for WAN1, 8.8.4.4 for WAN2) that is itself reached through
# a /32 host route via the real next hop. check-gateway=ping therefore makes
# failover depend on ICMP reachability of those third-party hosts.
# NOTE(review): the next hops 192.168.1.1 and 192.168.199.1 are not inside any
# subnet configured under /ip address; presumably they belong to the
# DHCP-learned WAN subnets on ether4/ether5 - verify, since an unresolvable
# next hop leaves the recursive routes inactive.
/ip route
add check-gateway=ping comment="RECURSIVE WAN1 - 3" disabled=no distance=25 \
    dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=\
    routemark.wan1 scope=30 suppress-hw-offload=no target-scope=12
add check-gateway=ping comment="RECURSIVE WAN2 - 3" disabled=no distance=26 \
    dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=\
    routemark.wan2 scope=30 suppress-hw-offload=no target-scope=12
add check-gateway=ping comment="RECURSIVE WAN1 - 2" disabled=no distance=6 \
    dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=12
add comment="RECURSIVE WAN2 - 1" disabled=no distance=51 dst-address=\
    8.8.4.4/32 gateway=192.168.199.1 pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="RECURSIVE WAN2 - 2" disabled=no distance=7 \
    dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=12
add comment="RECURSIVE WAN1 - 1" disabled=no distance=50 dst-address=\
    8.8.8.8/32 gateway=192.168.1.1 pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=11

# Enables a BFD configuration entry with no further restrictions.
# NOTE(review): no routing protocol that would use BFD appears in this export;
# confirm the entry is needed, otherwise remove it to reduce exposed services.
/routing bfd configuration
add disabled=no

# Policy-routing rules: destinations in the three RFC1918 ranges are looked up
# in the main table, where the connected VLAN subnets live.
# NOTE(review): how these rules interact with the routing marks set in
# /ip firewall mangle is not visible from this export - verify on the device.
/routing rule
add action=lookup disabled=no dst-address=172.16.0.0/12 table=main
add action=lookup disabled=no dst-address=10.0.0.0/8 table=main
add action=lookup disabled=no dst-address=192.168.0.0/16 table=main


# Source-NATs everything leaving through a WAN-list interface. The WAN list
# includes zerotier1, so traffic sent into the overlay is masqueraded as well.
# No dstnat rules appear in this export.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

# IPv4 filter rules, evaluated top to bottom within each chain. There are no
# output-chain rules, so router-originated traffic is not filtered here.
/ip firewall filter
add action=accept chain=input comment="IN defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Accepts ICMP addressed to the router on every interface, WAN included.
add action=accept chain=input comment="IN - accept ICMP from ANYWHERE" \
    in-interface-list=all protocol=icmp
# NOTE(review): tcp/8001 is accepted from any interface and any source
# address, so this management port is reachable from the WAN side. The
# /ip service entry that maps Winbox to 8001 is not in this export - confirm.
# Scoping the rule with in-interface-list=LAN or a src-address-list of
# admin/VPN addresses would limit exposure.
add action=accept chain=input comment="IN - Winbox from ANYWHERE" dst-port=8001 \
    protocol=tcp
add action=passthrough chain=input comment="----- SEPARATOR -----" disabled=yes
add action=drop chain=input comment="Input - Drop Invalid" connection-state=\
    invalid
# NOTE(review): the unconditional drop that follows catches everything this
# rule does, and also new connections from LAN interfaces. Net effect: only
# established/related/untracked, ICMP and tcp/8001 are accepted on input.
add action=drop chain=input comment="Input - Drop not from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="Input - Drop All Else"
add action=passthrough chain=input comment="----- SEPARATOR -----" disabled=yes
# NOTE(review): the rule comment mentions untracked, but connection-state
# lists only established,related.
add action=accept chain=forward comment=\
    "IN FWD - accept established,related,untracked" connection-state=\
    established,related
add action=accept chain=forward comment="IN FWD - Allow all in dstnat rule (new)" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# NOTE(review): matches on source list and out-interface only, with no
# connection-state test, and sits above the forward-chain invalid drop, so
# invalid-state packets from these sources are accepted. Placing the invalid
# drop directly after the established/related accept is the usual order.
add action=accept chain=forward comment="OUT FWD - LAN Allowed to WAN" \
    out-interface-list=WAN src-address-list="LAN Allowed Out"
add action=accept chain=forward comment="OUT FWD - VPN Clients Allowed to WAN" \
    disabled=yes out-interface-list=WAN src-address-list="VPN Pool"
add action=accept chain=forward comment="Allow All LAN to NVR" dst-address-list=\
    "Unifi NVR" src-address-list="VLAN All"
# "VLAN All" holds the three full RFC1918 ranges (see /ip firewall
# address-list), so this allows ICMP between any two private addresses routed
# by this box, guest networks included.
add action=accept chain=forward comment="Aswin - Allow Inter VLAN Ping" \
    dst-address-list="VLAN All" protocol=icmp src-address-list="VLAN All"
# NOTE(review): the next six rules all carry the comment "Aswin - Allow VL125
# Data" but each matches a different list (VL103, VL105, VL110, VL115, VL120,
# VL125) with the same list as source and destination. Same-subnet traffic is
# normally switched rather than routed, so confirm these rules ever match, and
# relabel them so an audit can tell them apart.
add action=accept chain=forward comment="Aswin - Allow VL125 Data" \
    dst-address-list="VL103 Network Devices" src-address-list=\
    "VL103 Network Devices"
add action=accept chain=forward comment="Aswin - Allow VL125 Data" \
    dst-address-list="VL105 AV" src-address-list="VL105 AV"
add action=accept chain=forward comment="Aswin - Allow VL125 Data" \
    dst-address-list="VL110 Office" src-address-list="VL110 Office"
add action=accept chain=forward comment="Aswin - Allow VL125 Data" \
    dst-address-list="VL115 HDMI Over IP" src-address-list="VL115 HDMI Over IP"
add action=accept chain=forward comment="Aswin - Allow VL125 Data" \
    dst-address-list="VL120 CCTV" src-address-list="VL120 CCTV"
add action=accept chain=forward comment="Aswin - Allow VL125 Data" \
    dst-address-list="VL125 Translation" src-address-list="VL125 Translation"
# Disabled separator; declared with chain=input although it sits among the
# forward rules.
add action=passthrough chain=input comment="----- SEPARATOR -----" disabled=yes
add action=drop chain=forward comment="IN OUT FWD defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Drop LAN to WAN Traffic" \
    out-interface-list=WAN src-address-list="!LAN Allowed Out"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Aswin - Drop Inter VLAN Traffic" \
    dst-address-list="VLAN All" src-address-list="VLAN All"
# NOTE(review): this tests the destination address of WAN-ingress packets
# against Bogons. Anti-spoofing filters normally test src-address-list, and
# new non-dstnat WAN traffic is already dropped two rules above, so this rule
# probably matches very little - confirm the intent.
add action=drop chain=forward comment="Aswin - Drop bogon list" dst-address-list=\
    Bogons in-interface-list=WAN
add action=drop chain=forward comment="FWD - Drop All Else"


# Mangle rules: per-WAN connection/routing marks for dual-WAN policy routing,
# followed by connection and packet marks consumed by /queue tree.
/ip firewall mangle
# The two ZeroTier rules below are disabled. The second one references
# routing mark routemark.ZT, for which /routing table has no entry in this
# export; that table must exist before the rule is re-enabled.
add action=mark-connection chain=input comment=\
    "Mark Input to Router from Zerotier" connection-mark=no-mark disabled=yes \
    in-interface=zerotier1 new-connection-mark=input_ZT passthrough=yes
add action=mark-routing chain=output comment=\
    "Ensure Winbox traffic leaves from Zerotier" connection-mark=input_ZT \
    disabled=yes new-routing-mark=routemark.ZT passthrough=yes
add action=accept chain=input comment="--- SEPARATOR ---" disabled=yes
# Connections first seen arriving on ether4 (WAN1) are marked so that replies
# from the LAN side are routed back out through the same WAN.
add action=mark-connection chain=forward comment="Mark WAN1 to LAN Traffic" \
    connection-mark=no-mark in-interface=ether4 new-connection-mark=\
    forward_in_wan1 passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Ensure this traffic leaves via WAN1" connection-mark=forward_in_wan1 \
    in-interface-list=LAN new-routing-mark=routemark.wan1 passthrough=yes
add action=accept chain=input comment="--- SEPARATOR ---" disabled=yes
# Same pattern for ether5 (WAN2).
add action=mark-connection chain=forward comment="Mark WAN2 to LAN Traffic" \
    connection-mark=no-mark in-interface=ether5 new-connection-mark=\
    forward_in_wan2 passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Ensure this traffic leaves via WAN2" connection-mark=forward_in_wan2 \
    in-interface-list=LAN new-routing-mark=routemark.wan2 passthrough=yes
add action=accept chain=input comment="--- SEPARATOR ---" disabled=yes
# Per-VLAN WAN selection. NOTE(review): these rules match on the ingress
# interface alone, with no destination test, so packets addressed to the
# router itself or to another local subnet also receive a WAN routing mark
# and stop mangle processing (passthrough=no). The routemark.wan1/wan2 tables
# hold only a default route in this export. Excluding local destinations
# (e.g. dst-address-type=!local plus a dst-address-list exclusion for the
# internal ranges) is the usual safeguard - verify whether this contributes
# to the symptom described in the thread.
add action=mark-routing chain=prerouting in-interface=bridge new-routing-mark=\
    routemark.wan1 passthrough=no
add action=mark-routing chain=prerouting in-interface="VL103 Network Devices" \
    new-routing-mark=routemark.wan2 passthrough=no
add action=mark-routing chain=prerouting in-interface="VL105 AV" \
    new-routing-mark=routemark.wan2 passthrough=no
add action=mark-routing chain=prerouting in-interface="VL110 Office" \
    new-routing-mark=routemark.wan2 passthrough=no
add action=mark-routing chain=prerouting in-interface="VL125 Translation" \
    new-routing-mark=routemark.wan1 passthrough=no
add action=mark-routing chain=prerouting in-interface="VL190 GuestNoPortal" \
    new-routing-mark=routemark.wan1 passthrough=no
add action=mark-routing chain=prerouting in-interface="VL191 Guest P1" \
    new-routing-mark=routemark.wan1 passthrough=no
add action=mark-routing chain=prerouting in-interface="VL199 Guest" \
    new-routing-mark=routemark.wan2 passthrough=no
# Catch-all: any remaining packet with an RFC1918 source ("VLAN All") is sent
# to routemark.wan1, regardless of ingress interface or destination.
add action=mark-routing chain=prerouting new-routing-mark=routemark.wan1 \
    passthrough=no src-address-list="VLAN All"
# QoS connection marks. These four rules have no connection-mark=no-mark or
# connection-state=new condition, so they are evaluated against every
# forwarded packet that reaches them.
add action=mark-connection chain=forward comment=\
    "Guest Network Downloads (Conn Mark)" dst-address-list="Guest Network" \
    in-interface-list=WAN new-connection-mark=hotspot.dw.con passthrough=yes
add action=mark-connection chain=forward comment=\
    "!Guest Network Downloads (Office, AV) (Conn Mark)" dst-address-list=\
    "!Guest Network" in-interface-list=WAN new-connection-mark=office.dw.con \
    passthrough=yes
add action=mark-connection chain=forward comment="Upload Priority 1 (Conn Mark)" \
    new-connection-mark=p1.up.con out-interface-list=WAN passthrough=yes \
    src-address-list="Uploads Priority 1"
add action=mark-connection chain=forward comment="Upload Priority 2 (Conn Mark)" \
    new-connection-mark=p2.up.con out-interface-list=WAN passthrough=yes \
    src-address-list="!Uploads Priority 1"
# QoS packet marks derived from the connection marks above; these are the
# marks the queue tree matches on.
add action=mark-packet chain=forward comment=\
    "Guest Network Downloads (Packet Mark)" connection-mark=hotspot.dw.con \
    new-packet-mark=hotspot.dw.pk passthrough=no
add action=mark-packet chain=forward comment=\
    "!Guest Network Downloads (Office, AV) (Packet Mark)" connection-mark=\
    office.dw.con new-packet-mark=office.dw.pk passthrough=yes
add action=mark-packet chain=forward comment=\
    "Non-Guest DL Priority 1 (Packet Mark)" dst-address-list=\
    "Download Priority 1" new-packet-mark=p1.office.dw.pk packet-mark=\
    office.dw.pk passthrough=no
add action=mark-packet chain=forward comment=\
    "Non-Guest DL Priority 2 (Packet Mark)" dst-address-list=\
    "!Download Priority 1" new-packet-mark=p2.office.dw.pk packet-mark=\
    office.dw.pk passthrough=no
add action=mark-packet chain=forward comment="Upload Priority 1" connection-mark=\
    p1.up.con new-packet-mark=p1.up.pk passthrough=no
add action=mark-packet chain=forward comment="Upload Priority 2" connection-mark=\
    p2.up.con new-packet-mark=p2.up.pk passthrough=no


# Bandwidth shaping keyed on the packet marks set in /ip firewall mangle.
# NOTE(review): the parent queue "0.1 WAN1 All Bandwidth" and the pcq-* queue
# types are referenced but not defined in this export; they must exist for
# these entries to import.
/queue tree
add comment="VL125,190,191,199 (Guest)" max-limit=20M name="1. Guest Downloads" \
    packet-mark=hotspot.dw.pk parent="0.1 WAN1 All Bandwidth" queue=\
    pcq-download-1M-Burst
add max-limit=90M name="2. Office Downloads" packet-mark=office.dw.pk parent=\
    "0.1 WAN1 All Bandwidth" priority=6 queue=pcq-download-default
add comment=VL191 max-limit=45M name="3. Priority 1 Uploads" packet-mark=p1.up.pk \
    parent="0.1 WAN1 All Bandwidth" priority=6 queue=pcq-upload-default
add comment=!VL191 max-limit=20M name="4. Priority 2 Uploads" packet-mark=\
    p2.up.pk parent="0.1 WAN1 All Bandwidth" queue=pcq-upload-default
add max-limit=80M name="2.1 Office Downloads P1" packet-mark=p1.office.dw.pk \
    parent="2. Office Downloads" priority=6 queue=pcq-download-default
add max-limit=30M name="2.2 Office Downloads P2" packet-mark=p2.office.dw.pk \
    parent="2. Office Downloads" priority=7 queue=pcq-download-5M-Burst
	
	
# Address lists referenced by the filter and mangle rules.
# NOTE(review): "VLAN All" is the whole of RFC1918, not just the subnets
# configured on this router, so every rule keyed on it also matches private
# addresses that are not local VLANs.
# NOTE(review): "LAN Allowed Out" has no entry for 192.168.115.0/24 (VL115) or
# for a VLAN 130 subnet, so the filter rule "Drop LAN to WAN Traffic" blocks
# those sources from the WAN - confirm that is intended.
# NOTE(review): "Unifi Controller" is populated from a DNS name; the router
# resolves it itself, so the list contents depend on the DNS answers it
# receives.
/ip firewall address-list
add address=192.168.100.1-192.168.100.254 list="VL001 DMZ"
add address=192.168.103.1-192.168.103.254 list="VL103 Network Devices"
add address=192.168.105.1-192.168.105.254 list="VL105 AV"
add address=192.168.110.1-192.168.110.254 list="VL110 Office"
add address=192.168.115.1-192.168.115.254 list="VL115 HDMI Over IP"
add address=192.168.125.1-192.168.125.254 list="VL125 Translation"
add address=172.16.196.1-172.16.199.254 list="VL199 Guest"
add address=192.168.120.1-192.168.120.254 list="VL120 CCTV"
# Bogons: includes the RFC1918 ranges, which are also this router's own LAN
# address space.
add address=192.168.0.0/16 comment="Bogons RFC1918" list=Bogons
add address=10.0.0.0/8 comment="Bogons RFC1918" list=Bogons
add address=172.16.0.0/12 comment="Bogons RFC1918" list=Bogons
add address=0.0.0.0/8 comment="Bogons Self-Identification [RFC 3330]" list=Bogons
add address=127.0.0.0/8 comment="Bogons Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Bogons Link Local [RFC 3330]" list=Bogons
add address=192.0.2.0/24 comment="Bogons Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="Bogons 6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="Bogons NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Bogons Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Bogons Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="Bogons Multicast" list=Bogons
add address=192.0.0.0/24 comment="Bogons RFC6890" list=Bogons
add address=100.64.0.0/10 comment="Bogons RFC6890" list=Bogons
add address=240.0.0.0/4 comment="Bogons RFC6890" list=Bogons
add address=192.168.0.0/16 comment=RFC1918 list="VLAN All"
add address=172.16.0.0/12 comment=RFC1918 list="VLAN All"
add address=10.0.0.0/8 comment=RFC1918 list="VLAN All"
# Sources permitted to reach the WAN by the forward-chain accept rule.
add address=192.168.120.1-192.168.120.254 comment="VL - 120 CCTV" list="LAN Allowed Out"
add address=192.168.103.1-192.168.103.254 comment="VL - 103 Network" list="LAN Allowed Out"
add address=192.168.105.1-192.168.105.254 comment="VL - 105 AV" list="LAN Allowed Out"
add address=192.168.110.1-192.168.110.254 comment="VL - 110 Office" list="LAN Allowed Out"
add address=192.168.125.1-192.168.125.254 comment="VL - 125 Translation" list="LAN Allowed Out"
add address=192.168.100.1-192.168.100.254 comment="VL - 001 DMZ" list="LAN Allowed Out"
add address=172.16.196.1-172.16.199.254 comment="VL - 199 Guest Portal" list="LAN Allowed Out"
add address=192.168.190.1-192.168.190.254 comment="VL - 190 Guest No Portal" list="LAN Allowed Out"
add address=192.168.120.199 comment="IP - Unifi NVR" list="Unifi NVR"
add address=192.168.100.1 list="Device - Router"
add address=192.168.190.1-192.168.190.254 list="VL190 GuestNoPortal"
add address=192.168.190.1-192.168.190.254 comment="VL - 190 Guest No Portal" list="Guest Network"
add address=172.16.196.1-172.16.199.254 comment="VL - 199 Guest Portal" list="Guest Network"
add address=unifi.igeka.biz comment="IP - Unifi Controller" list="Unifi Controller"
add address=192.168.191.1-192.168.191.254 list="VL191 Priority 1"
add address=192.168.191.1-192.168.191.254 comment="VL - 191 Guest P1" list="LAN Allowed Out"
add address=192.168.191.100-192.168.191.254 list="Uploads Priority 1"
add address=192.168.191.1-192.168.191.254 comment="VL - 191 Guest Priority 1" list="Guest Network"
add address=192.168.105.2-192.168.105.254 comment="VL - 105 AV" list="Download Priority 1"
add address=192.168.110.1-192.168.110.254 comment="VL - 110 Office" list="Download Priority 1"
add address=192.168.90.50-192.168.90.99 list="VPN Pool"
add address=192.168.120.198 comment="IP - Unifi NVR Baru (Cloudkey G2 Plus)" list="Unifi NVR"