[SOLVED] Ping problems in LAN with basic Home AP setup

Hi,

I just received an RB951Ui-2HnD and set it up. I have done nothing except switch it to Home AP configuration, set a wireless password and country, and connected to the wireless network with a couple computers and phones. I also did a factory reset just to be sure I had a clean configuration and installed the latest firmware. I am having trouble connecting to some devices on my LAN. For now, I have these three devices connected to the network:

A: Laptop running Slackware64-14.2 (192.168.88.250)
B: Server running Slackware64-14.2 (192.168.88.253)
C: Android phone (192.168.88.249)

The problem is that if I try to ping B from A, I get the following error:

dan@Thinkpad-T430:~$ ping 192.168.88.253
PING 192.168.88.253 (192.168.88.253) 56(84) bytes of data.
From 192.168.88.250 icmp_seq=1 Destination Host Unreachable
From 192.168.88.250 icmp_seq=2 Destination Host Unreachable
From 192.168.88.250 icmp_seq=3 Destination Host Unreachable
From 192.168.88.250 icmp_seq=4 Destination Host Unreachable
From 192.168.88.250 icmp_seq=5 Destination Host Unreachable
From 192.168.88.250 icmp_seq=6 Destination Host Unreachable
From 192.168.88.250 icmp_seq=7 Destination Host Unreachable
From 192.168.88.250 icmp_seq=8 Destination Host Unreachable
^C
--- 192.168.88.253 ping statistics ---
9 packets transmitted, 0 received, +8 errors, 100% packet loss, time 8002ms
pipe 4

The same error occurs when I try to ping B from C. However, I can ping C from A, and I can ping both from B. Additionally, once A or C is pinged from B, they can successfully ping B back again, at least for a while or until they disconnect from the network (then, upon reconnecting, the same problem appears once again). Also, all three devices appear in the ARP table on the router, and all three can ping the router, and vice versa. I had no such problems with my old Netgear router running DD-WRT that I intend for this MikroTik device to replace. I feel like the problem must be somewhere in my configuration, but I am completely new to MikroTik and don’t really know where to look. Internet searching hasn’t turned up anything fruitful yet.

Here is my router configuration. I’m hoping someone can easily spot the problem, but of course I am willing to do more digging or provide more information as needed:

[admin@MikroTik] > export compact
# jan/04/2018 21:19:38 by RouterOS 6.41
# software id = 9DPP-IEN2
#
# model = 951Ui-2HnD
# serial number = 81580743D6D4
/interface bridge
add admin-mac=64:D1:54:E7:4E:FF auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united states" disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=MikroTik-E74F03 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    [REDACTED] wpa2-pre-shared-key=[REDACTED]
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Sounds like an ARP issue: mapping from IP to MAC address on wireless. Once you ping from wired to wireless, machines remember the MAC for a while.

Please verify ARP is enabled on all interfaces in the bridge.

Yes, it is enabled. Machine B is #1 in the list below (its IP has changed since yesterday). MAC addresses have been removed:

[admin@MikroTik] /ip arp> print
Flags:
X - disabled, I - invalid, H - DHCP, D - dynamic, P - published,
C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 209.42.150.1    xx:xx:xx:xx:xx:xx ether1
 1 DC 192.168.88.10   xx:xx:xx:xx:xx:xx bridge
 2 DC 192.168.88.249  xx:xx:xx:xx:xx:xx bridge
 3 DC 192.168.88.250  xx:xx:xx:xx:xx:xx bridge

Also, FYI, all machines are on wireless.

Have you tried printing the ARP table on the wireless devices? Is there some ARP filtering along the way?

If I do arp -a on the problem machine:

router.lan (192.168.88.1) at xx:xx:xx:xx:xx:xx [ether1] on wlan0

Where xx:xx:xx:xx:xx:xx is the MAC address of the bridge. I don’t have any ARP filtering set up, at least not that I know of (that is, unless the router is doing it without my knowledge).

Assign 192.168.88.1/24 to your bridge instead of ether2 and see if that helps.

I tried that. Doesn’t make any difference.

Okay, I have made a discovery. It turns out that I can actually ping machine B, but if the ARP cache is clear on the device doing the pinging, it may take 10-20 tries (sometimes more, sometimes less) before the ping is successful. This isn’t acceptable, because I need to be able to SSH into B from my phone quickly without sitting there pinging it for a while first. Anyway, does this indicate a problem with my router configuration, or machine B’s network setup, or maybe both?

EDIT: Upon further investigation, I believe there is the same issue with another machine on the network, my wife’s MacBook. However, it requires fewer ping attempts before success; maybe 4 tries instead of 10-20+. Could I simply have a faulty router? I can’t see how this should be happening.

The problem seems to have been a WiFi power management setting enabled on machine B. I’m not sure why I didn’t have the same problem with my old router or why machine A doesn’t have this problem (it also has WiFi power management enabled), but disabling that setting seems to have fixed it.

Thx for the feedback.
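
Added example, not part of the original thread: one of the replies above suggests assigning 192.168.88.1/24 to the bridge instead of ether2. The Python sketch below checks a RouterOS "export compact" text for that pattern, an IP address placed on an interface that is also a bridge port. The function names and the sample export (with a documentation-range MAC) are constructed for illustration.

```python
import re

# Constructed sample: the relevant sections of an export like the one posted above.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=00:00:5E:00:53:01 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\\
    192.168.88.0
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the export header comments
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            # key=value pairs; values may be double-quoted and contain spaces
            pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)', line)
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections

def addresses_on_bridge_ports(text):
    """List (address, port, bridge) where an IP address sits on a bridge port."""
    s = parse_export(text)
    port_to_bridge = {p["interface"]: p.get("bridge")
                      for p in s.get("/interface bridge port", [])
                      if "interface" in p}
    return [(a["address"], a["interface"], port_to_bridge[a["interface"]])
            for a in s.get("/ip address", [])
            if a.get("interface") in port_to_bridge]

if __name__ == "__main__":
    for addr, port, bridge in addresses_on_bridge_ports(SAMPLE_EXPORT):
        print(f"{addr} is on bridge port {port}; move it to {bridge}")
```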