wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Router won't route LAN to WAN! Totally stumped

Wed Sep 13, 2017 3:03 pm

Not my first time around the block with RouterOS and have successfully configured quite a few Mikrotiks for small office use, but predominantly by using WinBox and starting out with base configurations (QuickSet). In the following case, an office is issued a range of static IPs by the ISPs (WAN) and internally (LAN) it is desired to use 192.168.1.xxx.

RouterBOARD 962UiGS-5HacT2HnT running RouterOS 6.40.2

LAN: 192.168.1.xxx /24 subnet
WAN: 77.42.220.xxx /29 subnet - issued range of 5 public IP addresses starting at 77.42.220.10 with gateway at 77.42.220.9

I have configured it (in a manner that has worked before in other sites), however, for the life of me I don't understand why it is not routing for LAN devices:

my configuration (simplified):
# sep/13/2017 14:37:32 by RouterOS 6.40.2
# model = RouterBOARD 962UiGS-5HacT2HnT

/interface bridge
add name=LAN

/interface bridge port
add bridge=LAN horizon=1 interface=ether2

/ip address
add address=77.42.220.13/29 interface=ether1 network=77.42.220.8
add address=192.168.1.254/24 interface=LAN network=192.168.1.0

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24

/ip route
add distance=1 gateway=77.42.220.9

/ip pool
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.120

/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
    interface=LAN lease-time=3d name=dhcp1
    
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=\
    205.177.80.3,77.42.130.32,8.8.8.8,8.8.4.4 gateway=192.168.1.254


I can ping the WAN interface successfully (ether1) from the wider internet (as well as access other services, such as ssh, winbox, etc). I can ping the mikrotik from within the LAN. The mikrotik itself makes requests that are routing to the wider internet (using the traceroute tool)... however, within the traceroute tool, if the LAN bridge interface is chosen it fails to route. No devices on the LAN in the respective subnet get routed out. So, WTF is going on? What am I missing??

Will thoroughly appreciate anyone's input on the above configuration.
 
dgnevans
Member
Posts: 463
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Router won't route LAN to WAN! Totally stumped

Wed Sep 13, 2017 3:17 pm

What arp are you using on the bridge?
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Wed Sep 13, 2017 8:48 pm

ARP is set to enabled (which I believe is the default)
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 14, 2017 8:50 am

There's no scenario I can conceive in which this failure to route LAN devices through the WAN, with the current configuration, makes any sense! Any other thoughts??
 
Falklan
newbie
Posts: 25
Joined: Tue Aug 08, 2017 3:15 pm
Location: Louisiana

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 14, 2017 9:46 am

> /ip address
> add address=77.42.220.13/29 interface=ether1 network=77.42.220.8
> add address=192.168.1.254/24 interface=LAN network=192.168.1.0
>
> /ip dhcp-server network
> add address=192.168.1.0/24 dns-server=\
> 205.177.80.3,77.42.130.32,8.8.8.8,8.8.4.4 gateway=192.168.1.254

Is there a reason you configured the gateway address as the LAN interface?
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 14, 2017 10:24 am

Falklan - it's good practice? That's how I've always done it? In order for the mikrotik itself, sitting on the same subnet as the LAN, to be the gateway irrespective of the kind of infrastructure there is beyond it - without having to change LAN network details in the case of any WAN changes?

It's been my understanding that that is the purpose of the static route - when packets arrive at the LAN interface (192.168.1.254) that are destined outside of the LAN subnet, then they should be routed to the gateway (77.42.220.9) - accessible via ether1 -- the NATing works to masquerade those WAN-outgoing packets behind one IP, which is that assigned to the ether1 interface (77.42.220.13)

Regardless, on your tip/question I tested the 77.42.220.9 gateway on a client within the LAN, and it was successful - so that's a good thing - but it's not ideal should anything change with the WAN interface for LAN configuration to have to change on every client... even if clients obtain their TCP/IP/DNS settings via DHCP. Any thoughts??
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 14, 2017 4:13 pm

Falklan - take that back. It wasn't successful - well, not repeatable, at least. So I'm back to square one. A functioning WAN interface for the mikrotik. A functioning LAN interface. But no routing between them.
 
dgnevans
Member
Posts: 463
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 14, 2017 8:19 pm

If you ping an IP address such as your WAN gateway from your LAN computers, do you get a response?
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 14, 2017 8:46 pm

That's part of my basic set of diagnosis tests... in short

pinging the WAN (77.42.220.13)...
...From the mikrotik: setting src-address for ping of 192.168.1.254 (ie. that of the LAN-facing interface on the mikrotik) - SUCCESS
......further pinging the wider internet (by IP address and fqdn) SUCCESS

...however, from any device on the LAN (with correct tcp/ip settings) pinging mikrotik LAN interface at 192.168.1.254 SUCCESS
......whereas pinging the WAN interface at 77.42.220.13 (or beyond, by IP) FAIL
.........further all DNS resolution FAIL

The mikrotik itself is able to ping hosts on the wider internet successfully from its WAN interface numerically and by FQDN (thus, DNS resolution is working)

Thoughts?
 
Paternot
Member
Posts: 348
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 14, 2017 9:23 pm

From your config:

"/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24"

I, usually, use this:
"add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN"

And put all my WANs in this list. You can change "out-interface-list=WAN" to "out-interface=eth1"
 
ZeroByte
Forum Guru
Posts: 4036
Joined: Wed May 11, 2011 6:08 pm

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 14, 2017 9:50 pm

Why do you have horizon=1 on the bridge port configuration?
That may possibly be part of the issue.....

Plus I agree with Paternot's suggestion to use interface-based NAT decisions. Although what you did shouldn't matter one iota as far as functionality goes.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Fri Sep 15, 2017 8:57 pm

@ZeroByte and Paternot - I had tried all permutations of your suggestions to no avail. Also, unset horizon as I agree it isn't really relevant.
Regardless - I still have the same behavior - the router itself sees both WAN-going and LAN-going (from the respective interfaces) AND its LAN interface routes successfully through the WAN - but no devices in the LAN are routed beyond the mikrotik's LAN IP.

I'm all out of ideas and all ears !

Thank you all
 
Paternot
Member
Posts: 348
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Router won't route LAN to WAN! Totally stumped

Fri Sep 15, 2017 9:24 pm

There is one thing - weird as it is. Do you have "/ip settings ip-forward" set to "yes"? It is the default, but in this case...
 
ZeroByte
Forum Guru
Posts: 4036
Joined: Wed May 11, 2011 6:08 pm

Re: Router won't route LAN to WAN! Totally stumped

Fri Sep 15, 2017 10:01 pm

> There is one thing - weird as it is. Do you have "/ip settings ip-forward" set to "yes"? It is the default, but in this case...

That sounds like the culprit - it'd have the exact effects seen. I notice your post was marked with the new "accept as answer" checkbox (love that feature btw)

> I'm all out of ideas and all ears !

Did Paternot's suggestion work out for you?
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
Paternot
Member
Posts: 348
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Router won't route LAN to WAN! Totally stumped

Fri Sep 15, 2017 11:21 pm

> That sounds like the culprit - it'd have the exact effects seen. I notice your post was marked with the new "accept as answer" checkbox (love that feature btw)

Yeah, great feature indeed! :D
But it's not marked to me. He probably just hit the button by accident.
 
idlemind
Forum Veteran
Posts: 991
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Router won't route LAN to WAN! Totally stumped

Fri Sep 15, 2017 11:36 pm

> I notice your post was marked with the new "accept as answer" checkbox (love that feature btw)

We're getting fancy now.
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Sat Sep 16, 2017 8:31 pm

I haven't marked any answers yet! Must be a bug ;-)
Have yet to verify the setting of /ip settings ip-forward ... will report back as soon as I do.
Thanks
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Mon Sep 18, 2017 12:39 pm

/ip settings ip-forward is set to enabled!!
ARGHGHGHGHGHGHHGG!
I'm losing hair
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Mon Sep 18, 2017 3:06 pm

OK, here's a clue (maybe)

I've discovered that once I ping devices in the LAN (from the mikrotik) that have already been leased/assigned an IP address by the DHCP server (also from the mikrotik) -- 4 or 5 pings in are timeouts, then it starts to ping successfully - THEREAFTER the device on the LAN is finally routed properly through the mikrotik!

It doesn't matter how long the ip address has already been assigned - it won't work unless I do the above from the mikrotik.

All are various flavors of windows and internet-connected devices (printers, and so forth)

This doesn't get any crazier and for obvious reasons isn't practical for a rollout to have to ping every single device... regardless does this provide any insights??
 
ZeroByte
Forum Guru
Posts: 4036
Joined: Wed May 11, 2011 6:08 pm

Re: Router won't route LAN to WAN! Totally stumped

Mon Sep 18, 2017 4:30 pm

What's your network's internal layer2 infrastructure like?
I'd start connecting some devices directly to the Mikrotik to see if the problem persists - perhaps even with the LAN disconnected in order to rule out any strange stuff that might be happening within your broadcast domain.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Tue Sep 19, 2017 9:50 am

Interesting thought, but if that's the case then why do clients connected over Wi-Fi also experience the same issue? They're bypassing the physical infrastructure.
 
ZeroByte
Forum Guru
Posts: 4036
Joined: Wed May 11, 2011 6:08 pm

Re: Router won't route LAN to WAN! Totally stumped  [SOLVED]

Tue Sep 19, 2017 4:39 pm

I'm not saying it's a rogue DHCP server (probably isn't) but I point it out as an example of something that's attached to the network and can cause troubles of various sorts. Some box doing arp poisoning could cause strangeness as well (e.g. some box trying to do a captive portal - or even something malicious)

It's just that when the usual basic things all seem to check out, it's time to start getting serious in the troubleshooting.
Step 1 - confirm if it's the Mikrotik itself or something in the network.
Step 2 - TBD based on the answer of step 1.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: Router won't route LAN to WAN! Totally stumped

Fri Sep 22, 2017 8:58 pm

Well, just in case, can you ping internet IP's with your LAN IP as source IP?
I have bigger routing table.
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Mon Sep 25, 2017 10:56 am

@blajah - from the mikrotik, yes - that's been stable now.
@ZeroByte - taking your advice and isolating the LAN infrastructure from the mikrotik to see who ain't playing nice. As a quick update, in order to get LAN devices routing through the mikrotik - they start off with a valid address lease (from the mikrotik) but unresponsive to pinging from the mikrotik (via LAN-facing interface) - once I ping them, approx 5 timeouts later, they're back in business and working as expected. The leases are set to 5 days (to isolate for now) - give them a few hours with no activity (usually overnight when staff leaves the office), then devices maintain their DHCP lease, but they initially time out to pings at first... devices are awake and powered (no sleep/low power modes in play). I've connected one LAN device to the mikrotik directly for now, and will monitor its behavior.

Thank you all for the support and insights.
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Wed Sep 27, 2017 4:25 pm

SOLVED!!!! !%!@%$!#%@#!%!@$#@!%$!@#%!$# F$#!!$#@ B%!#%$#!
There was a legacy LAN connected device that connects a serial interface printer to ethernet (essentially a print server) - and it was statically assigned (from like a decade ago) the IP address that is assigned to the mikrotik's LAN. So, I would assume whenever I pinged LAN devices from the mikrotik they would associate the ip address to the mikrotik's MAC address, and it would work for some indefinite time until failing again. At which point of course, LAN devices would be looking for a decade-old print server dongle thingy to route them out to the wider internet! EPIC FAIL
Weird thing is though that this could easily have taken me another week to isolate if it wasn't for the office staff finally complaining that their 15 year old plotter (collecting dust) is no longer working!
I feel bad for doubting RouterOS - my faith was being tested! ;-)

Once again, thanks to all for the insights - especially ZeroByte
 
ZeroByte
Forum Guru
Posts: 4036
Joined: Wed May 11, 2011 6:08 pm

Re: Router won't route LAN to WAN! Totally stumped

Wed Sep 27, 2017 6:29 pm

No problem!

So it turned out to be essentially a form of ARP poisoning - caused by IP duplication. That's why good troubleshooting steps are essential. Start eliminating things until the problem follows one or the other test you make, helping you narrow down what it could/couldn't be.

Happy routing!
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Wed Sep 27, 2017 6:48 pm

:D
happy indeed
 
Paternot
Member
Posts: 348
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Router won't route LAN to WAN! Totally stumped

Wed Sep 27, 2017 7:15 pm

> SOLVED!!!! !%!@%$!#%@#!%!@$#@!%$!@#%!$# F$#!!$#@ B%!#%$#!
> There was a legacy LAN connected device that connects a serial interface printer to ethernet (essentially a print server) - and it was statically assigned (from like a decade ago) the IP address that is assigned to the mikrotik's LAN.

My $DEITY! That was a good one! :D
 
ZeroByte
Forum Guru
Posts: 4036
Joined: Wed May 11, 2011 6:08 pm

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 28, 2017 12:12 am

The moral of the story is: before adding a device with a statically-configured IP address, first ping the proposed address and check the ARP cache. If you get no ARP replies, then the address is free (at the moment). I got burned by this once and the device was a laptop running every commercially-available firewall software package at the time. Needless to say, it did not reply to echo requests. This is when I learned to check the ARP cache too.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
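
Added example (not part of the thread, and not MikroTik code): the duplicate-IP condition diagnosed above, and the "check ARP, not just ping" rule, expressed as a check over ARP replies. It assumes text output in the style of `tcpdump -n arp` captured on the LAN; the capture lines and MAC addresses below are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -n arp` style: two hosts answer for 192.168.1.254.
SAMPLE_CAPTURE = """\
09:00:01.100000 ARP, Request who-has 192.168.1.254 tell 192.168.1.101, length 46
09:00:01.100400 ARP, Reply 192.168.1.254 is-at 02:00:00:00:00:01, length 46
09:00:01.101900 ARP, Reply 192.168.1.254 is-at 02:00:00:00:00:02, length 46
09:00:05.200000 ARP, Request who-has 192.168.1.101 tell 192.168.1.254, length 28
09:00:05.200300 ARP, Reply 192.168.1.101 is-at 02:00:00:00:00:03, length 46
14:30:12.000000 ARP, Reply 192.168.1.254 is-at 02:00:00:00:00:02, length 46
14:30:40.000000 ARP, Reply 192.168.1.254 is-at 02:00:00:00:00:01, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>[0-9a-fA-F:]{17})\b"
)

def parse_arp_replies(capture):
    """Return (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    replies = []
    for line in capture.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies

def find_conflicts(replies):
    """Map every IP answered by more than one MAC to its claimants and owner flips."""
    macs = defaultdict(list)   # ip -> distinct MACs, first-seen order
    flips = defaultdict(int)   # ip -> how often the answering MAC changed
    last = {}
    for _ts, ip, mac in replies:
        if mac not in macs[ip]:
            macs[ip].append(mac)
        if ip in last and last[ip] != mac:
            flips[ip] += 1
        last[ip] = mac
    return {ip: {"macs": m, "flips": flips[ip]}
            for ip, m in macs.items() if len(m) > 1}

def address_is_free(replies, ip):
    """Pre-assignment check: free only if nobody answered ARP for the address."""
    return all(seen_ip != ip for _ts, seen_ip, _mac in replies)

if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_CAPTURE)
    for ip, info in find_conflicts(replies).items():
        print(f"DUPLICATE {ip}: {', '.join(info['macs'])} "
              f"({info['flips']} owner changes)")
    print("192.168.1.200 free:", address_is_free(replies, "192.168.1.200"))
```

A host that drops ICMP echo still has to answer ARP to be reachable on the segment, which is why the check keys on ARP replies rather than ping results.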
 
wissamharoun
just joined
Topic Author
Posts: 15
Joined: Wed Sep 13, 2017 1:58 pm

Re: Router won't route LAN to WAN! Totally stumped

Thu Sep 28, 2017 9:35 am

That was the issue - I did a cursory test pinging of the numbers I typically assign for a LAN and .254 came back free (admittedly I wasn't using ARP) and for the life of me I can't imagine why such a device would be in stealth mode... how else was staff supposed to know it's alive - walk over and check the long-dead LEDs??
All the same, all is good and running as expected now. Long live RouterOS!

Routers gonna route
