unable to get internet connection

IlyaR · August 21, 2024, 11:12am

Hello,
I’ve installed a test CHR on VPS-server.
Somehow I’m unable to get internet connection.

VPS hoster provided following settings:
IP-address:109...*
Gateway: 10.0.0.1
Netmask: 255.255.255.255

There’s only ether1 which is connected to outer world.

These are settings I’ve applied:

ip address add address=109.*.*.* netmask=255.255.255.255 interface=ether1 network=109.*.*.* disabled=no

ip firewall nat add chain=srcnat action=masquerade
ip dns set servers=8.8.8.8

ip route add dst-address=0.0.0.0/0 gateway=ether1
ip route add dst-address=10.0.0.1 gateway=ether1

default gateway (10.0.0.1) is pinging ok, however 8.8.8.8 is not pinging at all.

if I add

ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1

instead of

gateway=ether1

, then I get

no route to host

error when pinging 8.8.8.8

What am I missing here?

jaclaz · August 21, 2024, 1:03pm

Post the output of:

/ip route print

IlyaR · August 21, 2024, 1:21pm

dst-address is the same as pref-src and is public ip-address
Tried with only either rule 0, or rule 1, or both

jaclaz · August 21, 2024, 1:34pm

The “no route to host” is normal, as that route (#0 in the screenshot) is “S” but not “A”.

No idea what the problem is, but - for what it costs - I would try a route with gateway=10.0.0.1%ether1

IlyaR · August 21, 2024, 2:08pm

not sure if I really got what you mean.
What is

%

in

gateway=10.0.0.1%ether1

jaclaz · August 21, 2024, 2:27pm

Basically it means 10.0.0.1 on interface ether1, or 10.0.0.1 reachable through interface ether1.

There are two “modifiers” for gateway addresses:
https://wiki.mikrotik.com/wiki/Manual:IP/Route
gateway (IP | interface | IP%interface | IP@table[, IP | string, [..]]; Default: “”) Array of IP addresses or interface names. Specifies which host or interface packets should be sent to. Connected routes and routes with blackhole, unreachable or prohibit type do not have this property. Usually value of this property is a single IP address of a gateway that can be directly reached through one of router’s interfaces (but see nexthop lookup). ECMP routes have more than one gateway value. Value can be repeated several times.

% means “at” when referred to interface
@ means “at” when referred to routing table or VRF

IlyaR · August 21, 2024, 4:03pm

Thanks, didn’t know about this modifier.
However that didn’t help.
“no route to host”

jaclaz · August 21, 2024, 4:16pm

Post again the /ip route print output.

Maybe you can ask the VPS server provider if they have a known to be working Mikrotik setup.

The only other thing I can think of is adding a 10.0.0.x IP address to ether1.

Let’s wait if some of the more experienced members have a solution.

IlyaR · August 22, 2024, 7:27am

here’s the output.

Some more thoughts on the setup.
There was an ubuntu installed on this VPS and it was working just ok.
These settings were as follows:

~root@639930:~# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group defaul

t qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP grou

p default qlen 1000
    link/ether 52:54:*:*:*:* brd ff:ff:ff:ff:ff:ff
    inet 109.*.*.*/32 brd 109.*.*.* scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::*:*:*:*/64 scope link
       valid_lft forever preferred_lft forever
	   
ip route show
default via 10.0.0.1 dev ens3 onlink

jaclaz · August 22, 2024, 8:16am

Why is that route distance 2?
It should not matter since you have no other routes for 0.0.0.0/0, still it should normally have distance 1.
You should probably specify out-interface=ether1 in your /ip firewall nat masquerade rule. but that is also - I believe - not relevant.

IlyaR · August 22, 2024, 9:18am

Changed the route distance to 1 and specified out-interface=ether1 in /ip firewall nat masquerade rule, but yeah, that didn’t make any difference.

TheCat12 · August 22, 2024, 9:52am

Perhaps you have a typo in the ether1 address?

IlyaR · August 22, 2024, 11:48am

That would be a relief, but no - no typos in IP address. And the gateway is reachable.

IlyaR · August 22, 2024, 1:33pm

VPS hoster provided following settings for mikrotik:

/ip address add address=<IPv4>/32 network=<Gateway> broadcast=<IPv4> interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=<Gateway>
/ip dns set servers=1.1.1.1,8.8.8.8

Which appears to be mostly the same as I’ve set.

However it is working now!!!

Can someone explain the difference between my initial config and this?

jaclaz · August 22, 2024, 5:21pm

Good.

Your connection/route to 10.0.0.1/32 became ADC, the A is active (as before) but it is not anymore static, it is DC (Dynamic and Connected) and has a distance of 0 which means that the router automatically added it, and this AFAIK only happens if the DST-ADDRESS is in the same subnet as the IP address of the connected interface or however it knows somehow where to find it, I am guessing that the

network=<Gateway> broadcast=<IPv4>

part is somehow doing the latter

Look for “connected routes” here:
https://help.mikrotik.com/docs/display/ROS/IP+Routing
(of course there is nothing about this case).

I found an old reference here (from an official Mikrotik support staff)
http://forum.mikrotik.com/t/ros-on-kvm-on-hosted-server-issue-dedibox-online-net/54695/1
http://forum.mikrotik.com/t/ros-on-kvm-on-hosted-server-issue-dedibox-online-net/54695/1
so maybe it is only the “network” that does the trick.