Suddenly, MT is blocking some IPs

Hello Folks
We have a segment of our wireless network that is bridged. The core router is an x86 MT v3.7 that is blacklisting/blocking some IPs' access to the Internet. The MT box is running at 5-9% CPU capacity. This is not related to the MAC address, as I have replaced routers and the problem continues; the only solution is to change the CPE's or customer's router's IP. It has happened 8 times in the last three months. Rebooting the MT does not solve the problem either. BTW, this has happened to customers whose CPEs are in routing mode and in bridged mode.

The MT is working as a basic core router: no OSPF or anything fancy, no DHCP, nothing other than some basic firewall rules. The client can ping all the way to the last IP before the MT box, but can't ping the MT box. This happens to all the computers (even mine, with no firewall on my laptop) connected to the router with the blacklisted IP. None of the blacklisted IPs were new; all are long-time customers. Also, no client has been blacklisted twice, YET! When I do an IP scan it shows all the IPs with their respective MAC addresses.

Any suggestions will be greatly appreciated.

do you use address-lists in your firewall rules? how?

That is the funny thing: there is absolutely no list to allow or deny any specific IP Internet access. Access is global (i.e. 10.10.20.0/24). The MT has simple queues to throttle traffic by IP and some simple global firewall rules. All IPs are NATed. This MT has been in use for over 5 years.

We had no choice and made several changes very quickly rather than the typical one at a time. We changed providers and installed two new backhauls to bring the new bandwidth to the network. We are NATing, therefore the IP scheme was maintained. The new backhauls are Ubiquiti, if it matters, and they are set up as WDS AP > WDS station. Originally the BHs were set up in AP > station mode; the difference is that when we did an IP scan from the MT all the IPs responded, but they all showed the closest UBNT's MAC address. That has been resolved, and now all the IPs show their proper MAC address. Any and all suggestions are very welcome. Thanks

so, “/ip fi ad pr” is empty?..

anyway, you’d better upgrade…

so, “/ip fi ad pr” is empty?.. ==Yes

I have no problem upgrading the OS if this is something related to the OS version; I just didn't want to add another variable. This version had been working fine for the last 5 years and I was going by "if it ain't broken, don't fix it".

but, according to your post, it IS broken =)

3.7 is at most 3 years old :)

I agree, you should upgrade it. But before you do, check for any filter rules with anything set in the "Extra" tab, specifically things like the PSD or Nth sections; those rules could cause issues like this if not properly configured.

Edit: also look at the Limit section.
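As an added example (not something anyone in this thread posted), here is a small Python script that does the check suggested above offline: it parses the text of `/ip firewall filter export`, flags every rule that uses an "Extra" tab matcher (psd, nth, limit), every rule whose action feeds an address list, and every drop/reject rule keyed on an address list, so you can see at a glance which rules are capable of blackholing a long-time customer's IP without any static deny list. The export line format it assumes (`add chain=... action=...`, long rules wrapped with a trailing backslash) and the sample rule set are constructed for the example; they are not the poster's configuration.

```python
"""Triage a RouterOS '/ip firewall filter export' for rules that can quietly
blackhole individual hosts.

Added example for this thread, not code posted by anyone in it. It assumes the
export format of the 'add chain=... action=...' lines (long rules wrapped with
a trailing backslash) and uses a constructed rule set, not the poster's config.
"""
import re
import shlex

# Constructed sample in the style of a RouterOS 3.x export. Rule bodies, list
# names and comments are invented for this example.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \\
    address-list=scanners address-list-timeout=1d comment="port scan detect"
add chain=forward src-address-list=scanners action=drop
add chain=forward protocol=udp dst-port=53 nth=2,1 action=drop comment="nth test"
add chain=input protocol=icmp limit=5,5 action=accept
add chain=input protocol=icmp action=drop
"""

# Matchers from the WinBox "Extra" tab. They match on traffic pattern or rate,
# not on who the host is, so a loose threshold behaves like a random blacklist.
EXTRA_MATCHERS = {
    "psd": "port-scan detection (weight_threshold,delay_threshold,low_port_weight,high_port_weight)",
    "nth": "every Nth packet (every,packet; older releases also took a counter value)",
    "limit": "token-bucket rate limit (rate,burst)",
}
LIST_FEEDERS = {"add-src-to-address-list", "add-dst-to-address-list"}
DENY_ACTIONS = {"drop", "reject", "tarpit"}
FOREVER = {"0", "0s", "00:00:00"}  # address-list-timeout values meaning "never expires"


def _unwrap(text):
    """Rejoin rules that the export wrapped with a trailing backslash."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_rules(export_text):
    """Return one dict per 'add ...' line, mapping property name to value."""
    rules = []
    for line in _unwrap(export_text).splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skips the '/ip firewall filter' path line and blanks
        props = {}
        for token in shlex.split(line[len("add "):]):  # keeps comment="a b" whole
            key, _, value = token.partition("=")
            props[key] = value
        rules.append(props)
    return rules


def suspicious_rules(export_text):
    """Return [(index, rule, reasons)] for rules able to blackhole a host.

    Index is the 0-based position in the export, the same order that
    '/ip firewall filter print' lists the rules in.
    """
    findings = []
    for idx, rule in enumerate(parse_rules(export_text)):
        reasons = []
        for matcher, meaning in EXTRA_MATCHERS.items():
            if matcher in rule:
                reasons.append("%s=%s: %s" % (matcher, rule[matcher], meaning))
        action = rule.get("action")
        if action in LIST_FEEDERS:
            timeout = rule.get("address-list-timeout", "00:00:00")
            note = " (never expires)" if timeout in FOREVER else ""
            reasons.append("%s -> list %r, timeout %s%s"
                           % (action, rule.get("address-list"), timeout, note))
        for key in ("src-address-list", "dst-address-list"):
            if key in rule and action in DENY_ACTIONS:
                reasons.append("%s keyed on %s=%s: look for the blocked IP in that list"
                               % (action, key, rule[key]))
        if reasons:
            findings.append((idx, rule, reasons))
    return findings


def report(export_text):
    """Human-readable summary, one line per finding; an empty list means clean."""
    return ["rule %d chain=%s: %s" % (idx, rule.get("chain", "?"), "; ".join(reasons))
            for idx, rule, reasons in suspicious_rules(export_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

To use it against a real box, save the output of `/ip firewall filter export` to a file and pass its contents to `report()`. If it flags an `add-src-to-address-list` rule, pair that with `/ip firewall address-list print` on the router: dynamic entries carry the `D` flag, and an entry for the affected customer's IP there, with the timeout it was added with, would explain why only a change of IP clears the block.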