Tunnel Is UP, But Host Behind IPSEC Mikrotik Unable To Ping Remote Server

denz · January 24, 2025, 4:07am

Hi guys, I have a condition here where my ipsec tunnel was already established, but my device (cisco switch - 10.205.0.132) unable to reach to zabbix server (10.202.10.13) at remote network.
My existing configuration was like this. I was using LAN-Bridge on eth port 2 connect to cisco switch to propagate several VLANs using VLAN filtering.
My local network was 10.205.0.0/24 and my remote network was 10.202.0.0/20.
From mikrotik side, I was able to ping to zabbix server at remote network. From cisco switch side, I was able to ping to another server at remote network but not to zabbix server.
When I did traceroute from both host, I could see that the traffic always stop at mikrotik device.
I did some research on google and found some suggest to create a new firewall NAT rule to allow specific source and destination right above masquarade NAT rule.
I already did, but still no luck.
I suspect perhaps there were some routes/some policy firewall need to be configured first to allow traffic between both hosts.
Very appreciate from any thoughs of you guys. Please let me know if you need more screenshots.
ping from MKT to Zabbix.jpg
ping + traceroute from Zabbix to Cisco switch.jpg
traceroute from MKT to Zabbix.jpg
ip routes.jpg
ping + traceroute from Cisco Switch to Zabbix.jpg
ip firewall.jpg
address list.jpg

panisk0 · January 24, 2025, 9:17am

http://forum.mikrotik.com/t/ipsec-tunel-3-mt/181393/1

set on route correct pref-src=

denz · January 24, 2025, 10:24am

Hello Panisk,

Thanks for replying my post.
For this ipsec site to site connection, I used Mikrotik and Fortigate.
Actually communication between local and remote networks already successful. I was able to ping to other hosts at remote site within the same subnet. Only to Zabbix server was failed (please see on attachment).
For the static route, I set the preference source to one of Mikrotik’s interface.
Could you tell me which IP should I use for the preference source pointing to remote network ?

Note : There is no firewall applied inside zabbix server as you can see from my previous post that the mikrotik was able to ping to Zabbix server (10.202.10.13).

panisk0 · January 27, 2025, 9:09am

use the address from the network you have added to /ip/ipsec/policy
probably: 10.205.0.1

log on zabbix & show me: iptables -L -n -v

next check: tcpdump icmp

I think zabbix is not responding or has the wrong route set…

denz · January 30, 2025, 3:48am

Hello Panisk,

Sorry for my late respond.
Yes, currently I used ip 10.205.0.1 for the preference source.

Here is the output of iptables :

root@vmzabbix:/home/administrator# iptables -L -n -v
Chain INPUT (policy DROP 478K packets, 82M bytes)
pkts bytes target prot opt in out source destination
1107M 161G ufw-before-logging-input all – * * 0.0.0.0/0 0.0.0.0/0
1107M 161G ufw-before-input all – * * 0.0.0.0/0 0.0.0.0/0
1218K 231M ufw-after-input all – * * 0.0.0.0/0 0.0.0.0/0
478K 82M ufw-after-logging-input all – * * 0.0.0.0/0 0.0.0.0/0
478K 82M ufw-reject-input all – * * 0.0.0.0/0 0.0.0.0/0
478K 82M ufw-track-input all – * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all – * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all – * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all – * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all – * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all – * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all – * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3575K packets, 300M bytes)
pkts bytes target prot opt in out source destination
1251M 145G ufw-before-logging-output all – * * 0.0.0.0/0 0.0.0.0/0
1251M 145G ufw-before-output all – * * 0.0.0.0/0 0.0.0.0/0
175M 12G ufw-after-output all – * * 0.0.0.0/0 0.0.0.0/0
175M 12G ufw-after-logging-output all – * * 0.0.0.0/0 0.0.0.0/0
175M 12G ufw-reject-output all – * * 0.0.0.0/0 0.0.0.0/0
175M 12G ufw-track-output all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
25036 1958K ufw-skip-to-policy-input udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
39690 9426K ufw-skip-to-policy-input udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
16151 840K ufw-skip-to-policy-input tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
16201 842K ufw-skip-to-policy-input tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
197K 65M ufw-skip-to-policy-input udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
447K 72M ufw-skip-to-policy-input all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
264K 41M LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
117M 25G ACCEPT all – lo * 0.0.0.0/0 0.0.0.0/0
972M 135G ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
567K 51M ufw-logging-deny all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
567K 51M DROP all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
571K 34M ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
3 984 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
16M 1021M ufw-not-local all – * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp – * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp – * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
16M 1021M ufw-user-input all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
117M 25G ACCEPT all – * lo 0.0.0.0/0 0.0.0.0/0
959M 108G ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
175M 12G ufw-user-output all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
152K 14M RETURN all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
133K 14M LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
16M 862M RETURN all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
134K 13M RETURN all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
699K 147M RETURN all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
741K 149M DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
152M 9131M ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
19M 2761M ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10050
15M 771M ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10051
356K 19M ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
15 780 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
32 1664 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10050
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10050
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10052

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination

Regarding tcpdump, I’ve never done that before. Could you tell me how to do that ?

panisk0 · January 30, 2025, 1:56pm

log on zabbix…

first

root@vmzabbix:/home/administrator# ip ro

root@vmzabbix:/home/administrator# ufw status numbered

&next

root@vmzabbix:/home/administrator# tcpdump icmp

…and bring it to me

TheCat12 · January 30, 2025, 2:33pm

Or, since we’re dealing with VLANs, arp=proxy-arp on the VLAN interfaces but just a wild guess

denz · January 31, 2025, 4:13am

Hi Panisk,

Here is the file you requested :

administrator@vmzabbix:~$ ip ro
default via 10.202.10.1 dev ens160 proto static
10.202.10.0/24 dev ens160 proto kernel scope link src 10.202.10.13

root@vmzabbix:/home/administrator# ufw status numbered
Status: active

To Action From

[ 1] 10050/tcp ALLOW IN Anywhere
[ 2] 10051/tcp ALLOW IN Anywhere
[ 3] 80/tcp ALLOW IN Anywhere
[ 4] 443/tcp ALLOW IN Anywhere
[ 5] 22/tcp ALLOW IN Anywhere
[ 6] 10050 ALLOW IN Anywhere
[ 7] 10052/tcp DENY IN Anywhere
[ 8] 10050/tcp (v6) ALLOW IN Anywhere (v6)
[ 9] 10051/tcp (v6) ALLOW IN Anywhere (v6)
[10] 80/tcp (v6) ALLOW IN Anywhere (v6)
[11] 443/tcp (v6) ALLOW IN Anywhere (v6)
[12] 22/tcp (v6) ALLOW IN Anywhere (v6)
[13] 10050 (v6) ALLOW IN Anywhere (v6)
[14] 10052/tcp (v6) DENY IN Anywhere (v6)

root@vmzabbix:/home/administrator# tcpdump icmp
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:04:02.226308 IP IDJAK-VMPRINT01.ptjafra.co.id > ruckus.elysyle.co.id: ICMP echo request, id 16340, seq 0, length 64
04:04:02.226618 IP ruckus.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16340, seq 0, length 64
04:04:03.227296 IP IDJAK-VMPRINT01.ptjafra.co.id > ruckus.elysyle.co.id: ICMP echo request, id 16340, seq 1, length 64
04:04:03.227582 IP ruckus.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16340, seq 1, length 64
04:04:04.226844 IP IDJAK-VMPRINT01.ptjafra.co.id > ruckus.elysyle.co.id: ICMP echo request, id 16340, seq 2, length 64
04:04:04.227141 IP ruckus.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16340, seq 2, length 64
04:04:04.363044 IP IDJKDT0001.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo request, id 43879, seq 256, length 40
04:04:04.363097 IP IDJAK-VMPRINT01.ptjafra.co.id > IDJKDT0001.elysyle.co.id: ICMP echo reply, id 43879, seq 256, length 40
04:04:08.119651 IP IDJAK-VMDNS01.ptjafra.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo request, id 12398, seq 256, length 40
04:04:08.119711 IP IDJAK-VMPRINT01.ptjafra.co.id > IDJAK-VMDNS01.ptjafra.co.id: ICMP echo reply, id 12398, seq 256, length 40
04:04:10.233876 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.205.0.4: ICMP echo request, id 16368, seq 0, length 64
04:04:11.234905 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.205.0.4: ICMP echo request, id 16368, seq 1, length 64
04:04:12.234301 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.205.0.4: ICMP echo request, id 16368, seq 2, length 64
04:04:13.239710 IP IDJAK-VMPRINT01.ptjafra.co.id > forti.elysyle.co.id: ICMP echo request, id 16385, seq 0, length 64
04:04:13.239900 IP forti.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16385, seq 0, length 64
04:04:14.240710 IP IDJAK-VMPRINT01.ptjafra.co.id > forti.elysyle.co.id: ICMP echo request, id 16385, seq 1, length 64
04:04:14.240877 IP forti.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16385, seq 1, length 64
04:04:15.240708 IP IDJAK-VMPRINT01.ptjafra.co.id > forti.elysyle.co.id: ICMP echo request, id 16385, seq 2, length 64
04:04:15.240843 IP forti.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16385, seq 2, length 64
04:04:21.246407 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.9.5: ICMP echo request, id 16429, seq 0, length 64
04:04:21.247018 IP 10.202.9.5 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16429, seq 0, length 64
04:04:22.247383 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.9.5: ICMP echo request, id 16429, seq 1, length 64
04:04:22.247965 IP 10.202.9.5 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16429, seq 1, length 64
04:04:23.247081 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.9.5: ICMP echo request, id 16429, seq 2, length 64
04:04:23.247670 IP 10.202.9.5 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16429, seq 2, length 64
04:04:23.251935 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.9.11: ICMP echo request, id 16445, seq 0, length 64
04:04:23.252608 IP 10.202.9.11 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16445, seq 0, length 64
04:04:24.252923 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.9.11: ICMP echo request, id 16445, seq 1, length 64
04:04:24.253652 IP 10.202.9.11 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16445, seq 1, length 64
04:04:25.252915 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.9.11: ICMP echo request, id 16445, seq 2, length 64
04:04:25.253604 IP 10.202.9.11 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16445, seq 2, length 64
04:04:25.258954 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.205.0.133: ICMP echo request, id 16449, seq 0, length 64
04:04:25.258983 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.205.0.132: ICMP echo request, id 16449, seq 1, length 64
04:04:26.259185 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.205.0.133: ICMP echo request, id 16449, seq 2, length 64
04:04:26.259211 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.205.0.132: ICMP echo request, id 16449, seq 3, length 64
04:04:27.259999 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.205.0.133: ICMP echo request, id 16449, seq 4, length 64
04:04:27.260032 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.205.0.132: ICMP echo request, id 16449, seq 5, length 64
04:04:28.269285 IP IDJAK-VMPRINT01.ptjafra.co.id > wlc.elysyle.co.id: ICMP echo request, id 16466, seq 0, length 64
04:04:28.269754 IP wlc.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16466, seq 0, length 64
04:04:29.270178 IP IDJAK-VMPRINT01.ptjafra.co.id > wlc.elysyle.co.id: ICMP echo request, id 16466, seq 1, length 64
04:04:29.270506 IP wlc.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16466, seq 1, length 64
04:04:30.269584 IP IDJAK-VMPRINT01.ptjafra.co.id > wlc.elysyle.co.id: ICMP echo request, id 16466, seq 2, length 64
04:04:30.269865 IP wlc.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16466, seq 2, length 64
04:04:30.274395 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.8.12: ICMP echo request, id 16477, seq 0, length 64
04:04:30.274422 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.8.11: ICMP echo request, id 16477, seq 1, length 64
04:04:30.274479 IP IDJAK-VMPRINT01.ptjafra.co.id > ruckus1.elysyle.co.id: ICMP echo request, id 16477, seq 2, length 64
04:04:30.274738 IP ruckus1.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16477, seq 2, length 64
04:04:30.275116 IP 10.202.8.12 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16477, seq 0, length 64
04:04:30.275132 IP 10.202.8.11 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16477, seq 1, length 64
04:04:31.275401 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.8.12: ICMP echo request, id 16477, seq 3, length 64
04:04:31.275425 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.8.11: ICMP echo request, id 16477, seq 4, length 64
04:04:31.275440 IP IDJAK-VMPRINT01.ptjafra.co.id > ruckus1.elysyle.co.id: ICMP echo request, id 16477, seq 5, length 64
04:04:31.275698 IP ruckus1.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16477, seq 5, length 64
04:04:31.276116 IP 10.202.8.11 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16477, seq 4, length 64
04:04:31.276160 IP 10.202.8.12 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16477, seq 3, length 64
04:04:32.275391 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.8.12: ICMP echo request, id 16477, seq 6, length 64
04:04:32.275425 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.8.11: ICMP echo request, id 16477, seq 7, length 64
04:04:32.275451 IP IDJAK-VMPRINT01.ptjafra.co.id > ruckus1.elysyle.co.id: ICMP echo request, id 16477, seq 8, length 64
04:04:32.275746 IP ruckus1.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16477, seq 8, length 64
04:04:32.276126 IP 10.202.8.12 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16477, seq 6, length 64
04:04:32.276168 IP 10.202.8.11 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16477, seq 7, length 64
04:04:32.281367 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.8.1: ICMP echo request, id 16493, seq 0, length 64
04:04:32.282987 IP 10.202.8.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16493, seq 0, length 64
04:04:33.282333 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.8.1: ICMP echo request, id 16493, seq 1, length 64
04:04:33.284022 IP 10.202.8.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16493, seq 1, length 64
04:04:34.282339 IP IDJAK-VMPRINT01.ptjafra.co.id > 10.202.8.1: ICMP echo request, id 16493, seq 2, length 64
04:04:34.283547 IP 10.202.8.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16493, seq 2, length 64
04:04:34.522865 IP IDJKDT0001.elysyle.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo request, id 54887, seq 256, length 40
04:04:34.522918 IP IDJAK-VMPRINT01.ptjafra.co.id > IDJKDT0001.elysyle.co.id: ICMP echo reply, id 54887, seq 256, length 40
04:04:35.289458 IP IDJAK-VMPRINT01.ptjafra.co.id > 106.115.150.103.ipt.iforte.net.id.115.150.103.in-addr.arpa: ICMP echo request, id 16505, seq 0, length 64
04:04:35.298693 IP 106.115.150.103.ipt.iforte.net.id.115.150.103.in-addr.arpa > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16505, seq 0, length 64
04:04:36.289866 IP IDJAK-VMPRINT01.ptjafra.co.id > 106.115.150.103.ipt.iforte.net.id.115.150.103.in-addr.arpa: ICMP echo request, id 16505, seq 1, length 64
04:04:36.298406 IP 106.115.150.103.ipt.iforte.net.id.115.150.103.in-addr.arpa > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16505, seq 1, length 64
04:04:37.290426 IP IDJAK-VMPRINT01.ptjafra.co.id > 106.115.150.103.ipt.iforte.net.id.115.150.103.in-addr.arpa: ICMP echo request, id 16505, seq 2, length 64
04:04:37.300234 IP 106.115.150.103.ipt.iforte.net.id.115.150.103.in-addr.arpa > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo reply, id 16505, seq 2, length 64
04:04:37.964657 IP IDJAK-VMDNS01.ptjafra.co.id > IDJAK-VMPRINT01.ptjafra.co.id: ICMP echo request, id 24430, seq 256, length 40
04:04:37.964704 IP IDJAK-VMPRINT01.ptjafra.co.id > IDJAK-VMDNS01.ptjafra.co.id: ICMP echo reply, id 24430, seq 256, length 40
^C
77 packets captured
77 packets received by filter
0 packets dropped by kernel

denz · January 31, 2025, 4:14am

Hi there,

Already tried, but still no luck.

panisk0 · January 31, 2025, 9:33am

0/0 icmp is accepted:

Chain ufw-before-input (1 references)
[b]571K 34M[/b] ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8

do ping on mikrotik from: 10.205.0.1 to: 10.202.10.13

on zabbix

tcpdump icmp and host 10.205.0.1

denz · February 3, 2025, 3:49am

Hi Panisk,

Below are the outputs :

[darmawad@Mikrotik CKR] > ping 10.202.10.13
SEQ HOST SIZE TTL TIME STATUS
0 10.202.10.13 56 62 8ms436us
1 10.202.10.13 56 62 8ms954us
2 10.202.10.13 56 62 8ms530us
3 10.202.10.13 56 62 6ms199us
4 10.202.10.13 56 62 11ms204us
5 10.202.10.13 56 62 8ms656us
6 10.202.10.13 56 62 13ms601us
7 10.202.10.13 56 62 13ms804us
sent=8 received=8 packet-loss=0% min-rtt=6ms199us avg-rtt=9ms923us
max-rtt=13ms804us

root@vmzabbix:/home/administrator# tcpdump icmp and host 10.205.0.1
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:43:48.292161 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 92
03:43:51.639766 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 92
03:43:51.642193 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 92
03:43:59.329665 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.98 unreachable, length 78
03:44:03.319686 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.98 unreachable, length 78
03:44:07.399701 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.99 unreachable, length 78
03:44:11.404708 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.99 unreachable, length 78
03:44:15.409747 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.100 unreachable, length 78
03:44:19.399682 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.100 unreachable, length 78
03:44:23.399750 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.101 unreachable, length 78
03:44:25.002224 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 80
03:44:27.409755 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.101 unreachable, length 78
03:44:31.409733 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.102 unreachable, length 78
03:44:35.409747 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.102 unreachable, length 78
03:44:39.482233 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.103 unreachable, length 78
03:44:43.479721 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.103 unreachable, length 78
03:44:47.479747 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.104 unreachable, length 78
03:44:48.132273 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 92
03:44:51.479749 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.104 unreachable, length 78
03:44:51.719763 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 92
03:44:51.719889 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 92
03:44:55.489786 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.105 unreachable, length 78
03:44:59.483030 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.105 unreachable, length 78
03:45:03.569747 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.106 unreachable, length 78
03:45:07.569780 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.106 unreachable, length 78
03:45:11.559824 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.107 unreachable, length 78
03:45:15.574839 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.107 unreachable, length 78
03:45:19.572302 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.108 unreachable, length 78
03:45:23.562329 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.108 unreachable, length 78
03:45:27.564817 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.109 unreachable, length 78
03:45:29.964846 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 80
03:45:31.564822 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.109 unreachable, length 78
03:45:35.642349 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.110 unreachable, length 78
03:45:39.642339 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.110 unreachable, length 78
03:45:43.652324 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.111 unreachable, length 78
03:45:47.645063 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.111 unreachable, length 78
03:45:48.604868 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 92
03:45:51.652348 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.112 unreachable, length 78
03:45:51.802354 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 92
03:45:51.802383 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.37 unreachable, length 92
03:45:55.652350 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.112 unreachable, length 78
03:45:59.644915 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.113 unreachable, length 78
03:46:03.642437 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.113 unreachable, length 78
03:46:07.724866 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.114 unreachable, length 78
03:46:11.722411 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.114 unreachable, length 78
03:46:15.722418 IP 10.205.0.1 > IDJAK-VMPRINT01.ptjafra.co.id: ICMP host 10.205.0.115 unreachable, length 78
^C
46 packets captured
46 packets received by filter
0 packets dropped by kernel