Static gateway unreachable !

bpita · May 27, 2011, 5:25am

Hi, after several days with this problem, with tests and more tests, I decided to see if anyone in the Mikrotik community can help me (it is probably my mistake).

I have the following configuration on a client:

Internet <—> ISP <—> RB493G <—> Private Network

The ISP configuration is:

IP x.x.x.125 / 255.255.255.248
GW x.x.x.121

The private network is:

192.168.100.0/24
IP 192.168.100.1 / 255.255.255.0

The ip route configuration is:

x.x.x.120/29 gateway=ether2
192.168.100.0/24 gateway=ether1
0.0.0.0/0 gateway=ether2 (reachable but doesn’t work)
0.0.0.0/0 gateway=x.x.x.121 (doesn’t work appears unreachable error)

What am I doing wrong or am I forgetting to set ?
In all configurations which use static IP gateway never made the state recheable, why ? If I get a ping to the gateway, how it might be unrecheable ? Someone can explain me ?

FAQ:

I put NAT masquerade in all my tests.
I get a ping to the gateway: YES !
I have tried other configurations: YES !

I tried in my office with another IP public. There I put a static gateway (in this case x.x.x.254) the results it’s the same, the gateway it’s unreachable (the ping to the gateway it’s ok), but when I put 0.0.0.0/0 gateway=ether2 it’s work !
I tried put this RB behind a Mikrotik DHCP Server (set in the ethernet 2 a DCHP client) and it works without problem, I don’t need to create any ip route.
I tried put this RB behind a Mikrotik box with an static IP (192.168.254.30/24 gw 192.168.254.1), I can ping the gateway 192.168.254.1 without problem but if I put the route 0.0.0.0/0 gateway=192.168.254.1 the gateway it’s unreachable again. If I put 0.0.0.0/0 gateway=ether2 it’s recheable but I can’t connect to internet (I put in the same cable network a Netbook with the IP 192.168.254.30 and I can use internet without problem).

The RB comes with the version 4.12, I change to 4.17 with the same problem and then with the 5.2 also.
I testing with TWO new RB493G !

Thanks, Bernardo.

bpita · May 29, 2011, 2:14pm

Hi, nobody has the same problem ? is an expected behavior that the RB tell “unreachable” when I can connect to the gateway IP from trace and ping (see image) ? is a very simple configuration, what might be wrong ?

P.D.: note that I arrive to the gateway IP via traceroute in a single hop.
P.D.: this example corresponds to a configuration with a public IP in my office which is similar to the configuration that I put in my client.

Thanks, Bernardo.
gateway unreachable.jpg

psamsig · May 29, 2011, 2:32pm

Post ‘/ip address’ configuration, it seems like you have entered something wrong, on your screen dump you have a route for 255.255.255.128, that doesn’t seem right!

bpita · May 29, 2011, 2:55pm

Hi psamsig, there is nothing wrong with the subnet … is a typical configuration with a single subnet bit. Anyway, in the configuration of my client’s ISP uses the network 190.x.x.120/255.255.255.248 where the gateway it’s in 190.x.x.121 and the problem is exactly the same, I can trace the gateway in one hop and ping no packet loss and the RB says that the gateway in unreachable (in this scenario when I put 0.0.0.0/0 gateway=ether2 has the same error unlike in my office when I put 0.0.0.0/0 gateway=ether2 it appears recheable… I need to work on my client ).

/ip  address  print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.50.2.234/24     10.50.2.0       ether1
 1   200.x.x.198/32     255.255.255.128 ether2

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  0.0.0.0/0          200.x.x.198     200.x.x.253               1
 2 ADC  10.50.2.0/24       10.50.2.234     ether1                    0
 3 A S  200.x.x.128/25                     ether2                    1
 4 ADC  255.255.255.128/32 200.x.x.198     ether2                    0

Thanks, Bernardo.

psamsig · May 29, 2011, 3:11pm

255.255.255.128 is the network mask, it is NOT what goes under network, here you should put 200.x.x.128.

bpita · May 29, 2011, 3:30pm

Hi psamsig, it’s correct, whit a network mask /25 you have only two networks:

192.168.0.0/25 with broadcast in 192.168.0.127
192.168.0.128/25 with broadcast in 192.168.0.255

so when I put network 200.x.x.128/25 it’s correct to see the other host via ether2.

Thanks, Bernardo.

psamsig · May 29, 2011, 3:43pm

Not sure if last post was an indication that you fixed the problem, or that you didn’t get my point, but in case of the latter:

bpita · May 29, 2011, 4:21pm

Hi psamsig thanks for your time, the netmask 255.255.255.128 it’s a valid netmask maybe not technically correct but it works without problems from more than 10 years.
To avoid further discuss this aspect of the problem, I changed the configuration to a public IP behind my firewall (certainly is a Mikrotik) and as you will see in the image attached the problem is the same. Why the RB gives unreachable to a gateway that it’s arrive in one hop ? that is the question !
gateway unreachable.jpg
PS: on the suggestion of another person (Carlos Funes) change to 5.4 version and moved the public IP to ether1 and the problem persist.
PS: as I said in another post, with the configuration of my client’s ISP is exactly the same.

Thanks, Bernardo.

fewi · May 29, 2011, 4:26pm

255.255.255.128 is a valid subnet mask, but it is NOT a valid network address for the IP network you’re configuring. Subnet mask does not mean network address. Your configuration is invalid.

200.x.x.198/32 is a point to point address. What you want is 200.x.x.198/25 (CIDR notation for 255.255.255.128. The network address for that subnet is 200.x.x.128 and the broadcast address is 200.x.x.255. Delete the IP, recreate it as 200.x.x.198/25 and don’t touch the network and broadcast address. The router will automatically populate them.

Maybe that’s more clear to you, and you understand what he’s been saying all along.

At a cursory glance it’s not possible to see what is wrong with the now changed address. Post the output of “/interface print detail”, “/ip route print detail”, and “/ip address print detail” and don’t edit anything out. Since you have issues with the addresses themselves editing them hides the problem. There isn’t much to posting your IPs here, unless you don’t have adequate firewalls in place.

bpita · May 29, 2011, 4:28pm

Here is the new configuration:

/ip add print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.50.2.234/24     10.50.2.0       ether9
 1   200.x.x.59/32      255.255.255.240 ether1
 
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  0.0.0.0/0          200.x.x.59      200.x.x.62                1
 2 ADC  10.50.2.0/24       10.50.2.234     ether9                    0
 3 A S  200.x.x.48/28                      ether1                    1
 4 ADC  255.255.255.240/32 200.x.x.59      ether1                    0

Bernardo.

fewi · May 29, 2011, 4:31pm

You’re still making the same mistake. Stop putting the subnet mask into the network address field. Delete the /32 IP and implement it with the correct CIDR address and don’t touch the network and broadcast address fields. If you really aren’t sure what the difference between a subnet mask and a network address is read up on TCP/IP fundamentals.

Hell, just compare the two IP addresses you have configured. Your LAN address is correct as a /24.

bpita · May 29, 2011, 4:41pm

Hi fewi, you are the man ! but I not put /32 when I add the IP I only put the IP 200.x.x.59 and then the netmask 255.255.255.240 each in his respective field… why I need to put the IP address with the netmask also if I’m completing the netmask field ?

Thanks, Bernardo.

fewi:

255.255.255.128 is a valid subnet mask, but it is NOT a valid network address for the IP network you’re configuring. Subnet mask does not mean network address. Your configuration is invalid.

200.x.x.198/32 is a point to point address. What you want is 200.x.x.198/25 (CIDR notation for 255.255.255.128. The network address for that subnet is 200.x.x.128 and the broadcast address is 200.x.x.255. Delete the IP, recreate it as 200.x.x.198/25 and don’t touch the network and broadcast address. The router will automatically populate them.

Maybe that’s more clear to you, and you understand what he’s been saying all along.

At a cursory glance it’s not possible to see what is wrong with the now changed address. Post the output of “/interface print detail”, “/ip route print detail”, and “/ip address print detail” and don’t edit anything out. Since you have issues with the addresses themselves editing them hides the problem. There isn’t much to posting your IPs here, unless you don’t have adequate firewalls in place.

fewi · May 29, 2011, 4:44pm

Because you were not filling out the netmask field, but the NETWORK ADDRESS field. Those two are not the same thing. The network address the base IP address of the entire subnet. It is NOT the subnet mask.

If you don’t give a CIDR subnet mask on the address it will default to a host address, which is /32.

All credit should go to psamsig, who pointed this out to you over two hours ago. I’m just reiterating what he said all along.

bpita · May 29, 2011, 5:01pm

Estimated psamsig and fewim, thanks for your Sunday time as I supposed it was my mistake and now it is clearer where the problem was… I do not will happen again.

Cheers, Bernardo.