Routing Issue

I recently purchased a dual T-1 line from a new provider. They have given me a full Class C address. Now the T-1’s come into a Paradyne box that muxes them together and this is transparently bridging to my Ethernet interface. However, no matter what I do (or what router I use for that matter) I cannot get my class C to operate. My machines drop at the gateway (which is the Mikrotik) and there are no rules created and the forward chain is set to accept. I’ve also tried a WinXP machine with IP forwarding enabled just to see if I could get my IP addresses to work.

So I complain to the company and they send someone out with a Cisco 800 router. And for some reason, this box works fine and dandy. From this box we set up a .248 subnet and pointed the next subnet to my Mikrotik router. Everything works like a charm there. Now why would this be? Is the Cisco doing something the Mikrotik isn’t to announce the subnet (they say they have it statically assigned to my WAN IP)? They say it’s not their problem because the Cisco works, yet I’ve tried 2 Mikrotiks, 1 Smoothwall (just to try something different), a Linux workstation with ip_forward enabled and a WinXP machine with IP forwarding enabled via regedit. If anyone has any suggestions, it would be greatly appreciated.

Here is the Cisco 800 config:
Current configuration : 1001 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
no aaa new-model
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 216.147.165.1 255.255.255.0
!
interface Ethernet1
ip address 216.147.160.57 255.255.255.252
duplex auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 216.147.160.58
ip http server
no ip http secure-server
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
!
scheduler max-task-time 5000
!
end

Router#

Mikrotik Config:
/ interface ethernet
set Kingston name="Kingston" mtu=1500 arp=enabled disable-running-check=yes
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps
    disabled=no
set Realtek name="Realtek" mtu=1500 arp=enabled disable-running-check=yes
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps
    disabled=no
/ interface bridge port
set Kingston bridge=none priority=128 path-cost=10
set Realtek bridge=none priority=128 path-cost=10
/ interface l2tp-server server
set enabled=no mtu=1460 mru=1460 authentication=mschap2,mschap1,chap,pap
    default-profile=default
/ interface pptp-server server
set enabled=no mtu=1460 mru=1460 authentication=mschap2,mschap1
    keepalive-timeout=30 default-profile=default
/ ip accounting
set enabled=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip address
add address=216.147.160.57/30 network=216.147.160.56 broadcast=216.147.160.59
    interface=Kingston comment="" disabled=no
add address=216.147.165.1/24 network=216.147.165.0 broadcast=216.147.165.255
    interface=Realtek comment="" disabled=no
/ ip arp
/ ip dns
set primary-dns=0.0.0.0 secondary-dns=0.0.0.0 allow-remote-requests=no
    cache-size="2048 kB" cache-max-ttl=7d
/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
/ ip firewall rule forward
add action=accept log=yes comment="" disabled=no

:there is more to this but I didn’t think it was pertinent.

Thanks All

Looks like you forgot to add a default gateway on the Mikrotik config of 216.147.160.58 (what is used on the cisco).

/ip route add gateway=a.b.c.d

The default route is present. I must not have copied all of that from the export, but it is there. The Mikrotik box can ping/traceroute out fine. I just can’t get anything behind it. It does work if I use masq, but I don’t want to do that. So I know the forwarding is working but for some reason their side isn’t seeing it or something.

Can you show us the route table from the MT and also one of your machines on the internal network?

Regards

Andrew

[admin@MikroTik] ip route> pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

      DST-ADDRESS        PREFSRC         G GATEWAY         DISTANCE INTERFACE
0 ADC 216.147.160.56/30  216.147.160.57                             Kingston
1 ADC 216.147.165.0/24   216.147.165.1                              Realtek
2 A S 0.0.0.0/0          0.0.0.0         r 216.147.160.58  1        Kingston


Win2k box

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 216.147.165.1 216.147.165.10 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
216.147.165.0 255.255.255.0 216.147.165.10 216.147.165.10 1
216.147.165.10 255.255.255.255 127.0.0.1 127.0.0.1 1
216.147.165.255 255.255.255.255 216.147.165.10 216.147.165.10 1
224.0.0.0 224.0.0.0 216.147.165.10 216.147.165.10 1
255.255.255.255 255.255.255.255 216.147.165.10 216.147.165.10 1
Default Gateway: 216.147.165.1

I can’t see any problems with the route tables.

1: Can you ping the MT from the Win2K box?

2: Can you ping the provider’s gateway from the Win2K box?

3: What happens when you traceroute to the outside world from the Win2K box?

Regards

Andrew

Win2k can ping Mikrotik fine and vice versa. W2k can only ping to the external interface of the Mikrotik, I can not get to my providers gateway address. When I traceroute from w2k, I get the first response from the mikrotik and then it just times out.

What’s really strange is I was using the packet sniffer in Mikrotik and trying to send 50000 byte pings to my class C addresses (I have only 2 up behind it at the moment). Now when I send to .1 (Mikrotik) it receives it and I see the packets/data coming in. Now if I go to .2-.254, I don’t even see traffic making it to the box. This leads me to believe it is a problem with my provider’s routing, as if I do this with my existing T-1 (different provider) to an unused IP address on another Mikrotik box that is routing my subnets, I at least see the data come in each time it is received. I just can’t figure out why it will work fine with their Cisco 800 router but no other router I have tried (I really don’t want to buy a Cisco).

That working Cisco configuration is about as basic as they get. One thing that is enabled by default is Proxy-Arp so you don’t see it in the config unless it’s specifically disallowed by a ‘no proxy-arp’ statement. Try enabling it on the MT.

Cisco devices talk to each other using CDP but this is not used for routing, only management. This is normally disabled on external interfaces.

Can you capture some packet headers on the outside interface of the MT and post them here?

Otherwise, I’d agree with you. It looks like there’s no route to your class C at the provider (Our ISP did this to us last week. Took them two days to fix it). However, this would also break the Cisco config.

Regards

Andrew

Now would this be proxy arp on both interfaces or only the wan side? I will do the packet trace when I get back to work on monday. As for the CDP, I’m not sure that would be of an issue as I believe the router I’m terminated to is a Nortel (not sure what however).

I set the proxy arp on both interfaces and now I can not access the box. Might need a reboot or something though.

Well I managed to get to the box without going into work. Anyhow, I’m not sure if my provider is just flaking out or what. Proxy ARP on the WAN interface just made internet not work. I rebooted a couple of times and nothing. So I set it back to enabled and tried again, nothing. Internet does not work at all. I figure they are either down or having some problems or whatever. What’s really weird is after trying to get internet just working (just randomly pinging to see if anything had changed) the box just started working. I could get out and everything. Then, 30 seconds later, it’s dead… So this at least tells me it’s something they have to work out on their end since it worked for a couple of seconds. I time stamped it and saved it so hopefully they can look into some logs at that given time and figure it out. Thanks for your help though.

No problem. Proxy Arp was pretty much my last guess. Then I’m out of ideas.

That CCNA comes in useful every once in a while :smiley:

Regards

Andrew

Turns out the problem was Proxy-Arp. Why would this need to be on in order to pass a static route? Anyhow, apparently I have some timing issues with the lines as well. Once again, thanks for your help.

Nik

Proxy Arp can hide a whole host of routing sins. A lot of stuff will ‘just work’ if it’s turned on. This is fine until you make a minor change to the network structure and the whole lot comes crashing down around your ears! You can then be left with a completely non-functioning network and very few clues as to where to start looking for the problem.

For this reason, it’s best avoided. I only use it where I need a box to respond to IP addresses other than its own (such as a VPN server). It’s on by default on all Cisco boxes but because it’s a default setting you don’t see it in the config.

Glad I was able to help.

Regards

Andrew
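
Added example, not part of any post in this thread: a Python check for the outside-interface packet capture requested earlier, which flags ARP requests on the WAN segment that ask for hosts in the routed /24 instead of the router's own WAN address. Seeing them means the upstream device treats the subnet as directly attached rather than forwarding it to 216.147.160.57, which is the case where only a proxy-ARP router receives the traffic. The function name is hypothetical, the input is assumed to be `tcpdump -n arp` text output, and the capture lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Matches tcpdump's text form of an ARP request (assumed input format).
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell ([^\s,]+)")

# Constructed sample capture from the WAN (Kingston) interface, not real data.
SAMPLE_CAPTURE = """\
10:15:01.100000 ARP, Request who-has 216.147.160.57 tell 216.147.160.58, length 46
10:15:02.200000 ARP, Request who-has 216.147.165.10 tell 216.147.160.58, length 46
10:15:03.300000 ARP, Request who-has 216.147.165.10 tell 216.147.160.58, length 46
10:15:04.400000 ARP, Request who-has 216.147.165.2 tell 216.147.160.58, length 46
10:15:05.500000 IP 216.147.160.58 > 216.147.160.57: ICMP echo request, id 1, seq 1, length 64
"""


def onlink_arp_targets(capture, wan_addr, routed_net):
    """Return {requester: [targets]} for ARP requests seen on the WAN segment
    that ask for hosts inside the routed subnet rather than for the router."""
    wan = ipaddress.ip_address(wan_addr)
    net = ipaddress.ip_network(routed_net)
    hits = defaultdict(set)
    for line in capture.splitlines():
        match = ARP_REQ.search(line)
        if not match:
            continue  # not an ARP request line
        try:
            target = ipaddress.ip_address(match.group(1))
            sender = ipaddress.ip_address(match.group(2))
        except ValueError:
            continue  # malformed address in the capture text
        # A routed upstream only ever needs the MAC of the next hop (wan).
        if target != wan and target in net:
            hits[str(sender)].add(target)
    return {s: [str(t) for t in sorted(ts)] for s, ts in hits.items()}


if __name__ == "__main__":
    found = onlink_arp_targets(SAMPLE_CAPTURE, "216.147.160.57", "216.147.165.0/24")
    for requester, targets in found.items():
        print(f"{requester} is ARPing on the WAN segment for: {', '.join(targets)}")
    if not found:
        print("No on-link ARP for the routed subnet; upstream is using the next hop.")
```

An empty result with traffic still failing points back at a missing route upstream; a non-empty one is evidence to hand the provider so the static route gets fixed and proxy ARP can stay off.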