Routing/NAT problem

Hello. I just bought a 450G (RouterOS 4.6) and have problems with setting it up. I have two networks - public and local. So I added address 80.249.194.158/27 to ether1 (IP 80.249.194.158, netmask 255.255.255.224) and 192.168.0.1/24 to the local network on ether2. The next thing is adding a static route 0.0.0.0/0 with gateway 80.249.194.129. After that I go to firewall->nat and add a NAT rule srcnat with out-interface=ether1 and action=masquerade. I can see outgoing connections from computers in 192.168.0.0/24 in the firewall, but they are only in SYN sent state; the only established connection is the winbox one.

Here is what /ip export says:

/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.0.1/24 broadcast=192.168.0.255 comment="" disabled=no \
    interface=ether2 network=192.168.0.0
add address=80.249.194.158/27 broadcast=80.249.194.159 comment="" disabled=no \
    interface=ether1 network=80.249.194.128
/ip dhcp-server config
set store-leases-disk=5m
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=8.8.8.8
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    ether1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip neighbor discovery
set ether1 discover=yes
set ether2 discover=yes
set ether3 discover=yes
set ether4 discover=yes
set ether5 discover=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
    0.0.0.0
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    80.249.194.129 scope=30 target-scope=10
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes

Traceroute works fine. Also I can ping from ether1, but can’t from ether2. What is wrong there?
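An added sanity check for the setup described in this post (example code, not from the thread or MikroTik): it parses a constructed excerpt of the export above and verifies what the thread ends up checking by hand: a WAN address, a default route whose gateway sits inside that WAN subnet, an enabled masquerade rule covering the WAN interface, and configured DNS servers. Section names and keys are those of RouterOS export output; the checks themselves are my own.

```python
import ipaddress
import re

# Constructed excerpt of the "/ip export" above; RouterOS wraps long lines with a trailing backslash.
EXPORT = """\
/ip address
add address=192.168.0.1/24 disabled=no interface=ether2 network=192.168.0.0
add address=80.249.194.158/27 disabled=no interface=ether1 \\
    network=80.249.194.128
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=\\
    ether1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=80.249.194.129
"""

def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} from RouterOS export text."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join wrapped lines
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and current is not None:
            # drop the verb (add/set) and collect key=value pairs, unquoting values
            kv = re.findall(r'(\S+?)=("[^"]*"|\S+)', line.partition(" ")[2])
            current.append({k: v.strip('"') for k, v in kv})
    return sections

def check_wan_routing(sections, wan="ether1"):
    """Sanity checks the thread applies by hand; an empty list means the config is consistent."""
    def on(sec):  # entries of a section that are not disabled=yes
        return [e for e in sections.get(sec, []) if e.get("disabled") != "yes"]
    findings = []
    addrs = {e["interface"]: ipaddress.ip_interface(e["address"]) for e in on("/ip address")}
    routes = [e for e in on("/ip route") if e.get("dst-address") == "0.0.0.0/0"]
    if wan not in addrs:
        findings.append(f"no address on {wan}")
    elif not routes:
        findings.append("no default route")
    elif ipaddress.ip_address(routes[0]["gateway"]) not in addrs[wan].network:
        findings.append(f"default gateway {routes[0]['gateway']} not inside {addrs[wan].network}")
    if not any(e.get("chain") == "srcnat" and e.get("action") == "masquerade"
               and e.get("out-interface") in (wan, None) for e in on("/ip firewall nat")):
        findings.append(f"no masquerade rule covering {wan}")  # a rule without out-interface matches all
    if not sections.get("/ip dns", [{}])[0].get("servers"):
        findings.append("no DNS servers configured")
    return findings
```

This configuration passes every check, which points the investigation away from the router's routing and NAT and toward what sits in front of it, as the thread eventually found.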

I don’t see a dhcp server set up. Is the 192.168.0.x network all static assignments? If you want dhcp, then
/ip dhcp-server setup
Enter ether2 as the interface, and the rest should be enter-enter-enter. If defaults are not correct, something is not set right.

I tried with and without DHCP; DHCP works fine but the problem remains. Can anyone suggest a way to find out what is causing this problem? I even tried to add a static route, for example to 8.8.8.8, with 80.249.194.129 as its gateway; it still does not work. Originally the RB450G came with a RouterOS 3 version; upgrading to the latest did not help.

I think removing the out-interface=ether1 from the NAT rule works.
Just use
/ip firewall nat add chain=srcnat action=masquerade

This has to work.

Here is more detailed information. The strangest thing is that now I can ping 8.8.8.8 from the local computer connected to the ether2 port. I changed router settings a million times; sometimes this did not work. I can post more information, just say what to do and how to diagnose it.

ipconfig /all
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 8.8.8.8
208.67.222.222
Lease Obtained. . . . . . . . . . : 27 March 2010 13:39:37
Lease Expires . . . . . . . . . . : 30 March 2010 13:39:37


ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

ping 80.249.194.158

Pinging 80.249.194.158 with 32 bytes of data:

Reply from 80.249.194.158: bytes=32 time<1ms TTL=64
Reply from 80.249.194.158: bytes=32 time<1ms TTL=64
Reply from 80.249.194.158: bytes=32 time<1ms TTL=64
Reply from 80.249.194.158: bytes=32 time<1ms TTL=64

Ping statistics for 80.249.194.158:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:

Reply from 8.8.8.8: bytes=32 time=46ms TTL=241
Reply from 8.8.8.8: bytes=32 time=47ms TTL=241
Reply from 8.8.8.8: bytes=32 time=47ms TTL=241
Reply from 8.8.8.8: bytes=32 time=46ms TTL=241

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 46ms, Maximum = 47ms, Average = 46ms

tracert 80.249.194.158

Tracing route to 80.249.194.158 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 80.249.194.158

Trace complete.

tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.0.1
2 1 ms <1 ms 4 ms 80.249.194.129
3 1 ms 1 ms 1 ms 80.249.200.65
4 3 ms 3 ms 2 ms 80.233.129.201
5 4 ms 3 ms 4 ms 194.19.254.225
6 4 ms 3 ms 3 ms 62.63.136.34
7 3 ms 4 ms 4 ms 62.63.136.126
8 46 ms 47 ms 46 ms 80.81.192.108
9 45 ms 48 ms 47 ms 209.85.255.170
10 48 ms 45 ms 46 ms 72.14.232.203
11 61 ms 46 ms 59 ms 72.14.239.174
12 49 ms 48 ms 48 ms 8.8.8.8

Trace complete.

tracert 192.168.0.1

Tracing route to 192.168.0.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.0.1

Trace complete.

http://i.imgur.com/wiO8O.png
http://i.imgur.com/jXZ5x.png
http://i.imgur.com/r4P5Y.png
http://i.imgur.com/ScQF8.png
http://i.imgur.com/fFdTz.png
http://i.imgur.com/abXBb.png

I think if you use ether2 as the ping interface, it uses that as the outbound port. There is no public gateway on that network, is there? The only ips you should be able to ping (edit: from the router) are the 192.168.0.x ips. If you can ping from a computer on the ether2 interface to a non-local public ip, then it is working correctly.

Yes, I agree with you. But what about all those SYN sent outgoing connections? Only ping works; I can't even resolve a domain name from the router. So NAT is not working properly?

No. It is normally DNS. Can you ping www.yahoo.com?

Tried this one, it did not help in my case. Maybe it is a hardware problem?

SurferTim, I can't ping yahoo.com from the computer ("Ping request could not find host yahoo.com. Please check the name and try again") or from the router (it says "invalid value for argument address").

Then it is certainly a DNS issue. That is the response you should get if the DNS is not set correctly in the router. If you could post "/ip dns print", that might help. Or the DNS settings in Winbox.

OK,

If the secondary IP in the DNS settings was issued by your ISP, use it as the primary DNS server. It may be that the 8.8.8.8 IP is not responding to DNS requests.

8.8.8.8 is Google DNS, the second one is OpenDNS. But anyway, applications such as Skype don't need DNS at all. And this does not explain why it can't complete the three-way handshake and only gets SYN sent.

Your ISP should have issued you two DNS server IPs along with your IP/netmask and gateway. I recommend you use those.

It seems that I found out what the problem is. My ISP is probably blocking internet access by MAC address. I just plugged the cable directly into my PC and it does not work :) Plugged it back into my old router and it is fine. Is there a way to change the MAC address on the RouterBoard? I think it is the case :) http://en.wikipedia.org/wiki/Unusual_software_bug#Mandelbug

It may be the modem has the MAC of your old router in its ARP table. I must power down my cable modem for a minute, then power it up with the new device up, and it will reset its ARP. At least mine does! Well, it did. Now I have a cable modem with an integral UPS. I must call my tech support and have them reset the modem. :(

I am connected directly to the ISP LAN, there is nothing to reboot. Anyway, thanks for helping. I found this post about changing the MAC: http://forum.mikrotik.com/t/how-to-change-mac-address/15778/1 . I'll try it and let you know how it goes :)

Resolved :) Changed the MAC to my old router's MAC and I am now writing this through the RouterBoard :) Thanks for the support.