Traceroute problem

Hi guys, I have a little problem/question about traceroute.

We have a /23 subnet of public IPs from our ISP and I decided to split it into two smaller subnets (2 x /24), one subnet for wireless clients and another subnet for cable clients:

ISP subnet: 10.0.0.0/23
Wireless subnet: 10.0.0.0/24
Cable subnet: 10.0.1.0/24

There are 2 PPPoE servers running on a Mikrotik CCR router.

PPPoE Server 1

Interface: Bridge_Wireless (eth2 + eth3 + eth4)
Bridge_Wireless IP: 10.0.0.1/24
Profile: Wireless_Profile

/ppp profile add name=Wireless_Profile local-address=10.0.0.1 remote-address=Wireless_Pool

PPPoE Server 2

Interface: Vlan150 (all clients get an IP over PPPoE using this VLAN)
Vlan150 IP: 10.0.1.1/24
Profile: Cable_Profile

/ppp profile add name=Cable_Profile local-address=10.0.1.1 remote-address=Cable_Pool

Here is the problem:
1.- If I do a traceroute from a remote PC to a WIRELESS client (10.0.0.0/24) the result is OK, remote host is reachable. Ping works OK.
2.- If I do a traceroute from a remote PC to a CABLE client (10.0.1.0/24) the result is a timeout when packets arrive at the Mikrotik CCR, remote host is unreachable. Ping works OK.
3.- If I do a traceroute from a remote Mikrotik device to a WIRELESS client (10.0.0.0/24) the result is OK, remote host is reachable.
4.- If I do a traceroute from a remote Mikrotik device to a CABLE client (10.0.1.0/24) the result is OK, remote host is reachable.

Several CABLE clients are having issues with online games and other network services because of the problem in point 2.

Why can't Windows do a correct traceroute to CABLE clients when Mikrotik can?

What is happening? Can anyone with more experience explain it to me?

Thanks guys!

Up Up Up

Try turning on logging in all deny firewall rules: log=yes


Yours respectfully!

Hello kujo, I tried disabling all firewall rules a few days ago, without success.

Any other tip or probe?

Thanks!

Hello All,

I think I have the same issue but with a different infrastructure. I just set up a Mikrotik between an ISP router and a Fortigate firewall. The ISP router interface is 192.168.19.253 and the firewall interface IP address is 41.X.X.222 (real IP address). On my Mikrotik device, one interface IP address is 192.168.19.254 and the other one is 41.X.X.221.

Btw, the ISP routed the 41.X.X.220/30 network address to my Mikrotik device.

INTERNET========>ISP ROUTER========>MIKROTIK=======>FORTIGATE

Here is my problem.

I CAN
From Mikrotik ping 192.168.19.253
From Mikrotik ping 41.X.X.222

I can see the ICMP packet arrive at my Fortigate firewall and also see it going out from the Fortigate, and I can also see the packet arrive at the Mikrotik, but not going out from 192.168.19.254.

diagnose sniffer packet any 'host 212.X.X.229' 4
interfaces=[any]
filters=[host 212.X.X.229]
13.157237 wan1 in 212.X.X.229 -> 41.X.X.222: icmp: echo request
13.157379 wan1 out 41.X.X.222 -> 212.X.X.229: icmp: echo reply
17.911674 wan1 in 212.X.X.229 -> 41.X.X.222: icmp: echo request
17.911751 wan1 out 41.X.X.222 -> 212.X.X.229: icmp: echo reply

4 packets received by filter
0 packets dropped by kernel


I CAN'T
From Mikrotik ping 8.8.8.8
From Fortigate ping 8.8.8.8





[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 WAN-ISP 1
1 A S 41.X.X.220/30 FORTI-P2P 1
2 ADC 192.168.19.252/30 192.168.19.254 WAN-ISP 0
FORTI-P2P
[admin@MikroTik] > ip route export

# jan/02/1970 19:29:33 by RouterOS 6.42.12
# software id = M557-VL3M
#
# model = RouterBOARD 3011UiAS
# serial number = B88D0A378BFB

/ip route
add check-gateway=arp distance=1 gateway=WAN-ISP
add distance=1 dst-address=41.X.X.220/30 gateway=FORTI-P2P
[admin@MikroTik] >


[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK INTERFACE

0 192.168.19.254/30 192.168.19.252 WAN-ISP
1 41.X.X.220/30 41.X.X.220 FORTI-P2P
[admin@MikroTik] > ping 192.168.19.253
SEQ HOST SIZE TTL TIME STATUS
0 192.168.19.253 56 64 1ms
1 192.168.19.253 56 64 0ms
2 192.168.19.253 56 64 0ms
sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms

[admin@MikroTik] > ping 41.X.X.222
SEQ HOST SIZE TTL TIME STATUS
0 41.X.X.222 56 255 0ms
1 41.X.X.222 56 255 0ms
sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=WAN-ISP log=no log-prefix=""
[admin@MikroTik] > ip firewall nat export

# jan/02/1970 19:30:35 by RouterOS 6.42.12
# software id = M557-VL3M
#
# model = RouterBOARD 3011UiAS
# serial number = B88D0A378BFB

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-ISP
[admin@MikroTik] >



So why can't I ping 8.8.8.8? Could you give an opinion?

Thank You
Yours Sincerely

If I understand you right, the only problem is that you can’t ping 8.8.8.8 from your mikrotik router (but from fortigate you can)?

If that is so, then my guess is that ISP doesn’t do NAT (or even blocks private IP addresses). And running /ping src-address=41.X.X.221 address=8.8.8.8 should work …

Do not use interfaces as gateway, change this to the IP address of the gateway
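
The change suggested in the last reply, written out for the default route shown in the export above. This is an added example, not part of the original posts; it assumes 192.168.19.253 (the ISP router address given in the thread) is the next hop, and it reuses the source-address ping from the earlier reply as a check.

```routeros
# Default route as posted: the gateway is an interface name.
# On an Ethernet interface this makes the router ARP on WAN-ISP for every
# remote destination itself (for example 8.8.8.8) instead of for the ISP
# router, so it only works if the upstream router answers with proxy-ARP.
#   /ip route add check-gateway=arp distance=1 gateway=WAN-ISP

# Point the existing default route at the next-hop IP address instead.
# 192.168.19.253 is the ISP router interface named in the thread (assumed next hop).
/ip route set [find dst-address=0.0.0.0/0] gateway=192.168.19.253

# Confirm the route is active and shows the IP address as gateway.
/ip route print where dst-address=0.0.0.0/0

# Test with the default source address, then with the routed public address
# from the earlier reply. If only the second ping succeeds, the private
# 192.168.19.254 source is not being translated or forwarded upstream.
/ping 8.8.8.8 count=3
/ping 8.8.8.8 src-address=41.X.X.221 count=3
```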