
 
pkrexer
just joined
Topic Author
Posts: 19
Joined: Sat May 21, 2016 4:39 pm

Can't reach google

Thu Dec 15, 2016 8:35 pm

Hey guys,

I'm just trying to narrow down what the problem might be with one of my clients. They can't reach google for some reason, but everything else works fine. If I try to ping google.com from the router, it resolves but is being redirected back to itself? This might be something simple, but I haven't seen this before.

Could this be an ISP issue?


Here are some screenshots:

Image

Image

Image

Image
 
tr00g33k
Frequent Visitor
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: Can't reach google

Thu Dec 15, 2016 9:15 pm

Please post your routing table, routing rules and mangle rules; it looks like a routing loop. But this is only to Google? Try running a traceroute to see where the packet starts to bounce between two hosts; at least it looks like that.
 
pkrexer
just joined
Topic Author
Posts: 19
Joined: Sat May 21, 2016 4:39 pm

Re: Can't reach google

Thu Dec 15, 2016 9:46 pm

The mangle rules are used for queue tree. I disabled them already just to make sure; it had no effect.


Image




Image


Here are the trace routes.

Google:
Image



Yahoo:
Image
 
tr00g33k
Frequent Visitor
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: Can't reach google

Thu Dec 15, 2016 10:01 pm

The only time that this happens is to Google? Do you maybe have some firewall rule related to Google's IP, some L7 Google firewall rule? Address list? From what I see I wouldn't say it is an ISP problem; it looks like the packet doesn't go out from the router. Could you paste the whole config, to see what it could be?

What if you try to do a traceroute from behind the router, from some host on the LAN?
 
pkrexer
just joined
Topic Author
Posts: 19
Joined: Sat May 21, 2016 4:39 pm

Re: Can't reach google

Thu Dec 15, 2016 10:34 pm

It is only google that this is happening to.

Don't have any Layer7 stuff going on or firewall rules that would be trying to redirect / block google related ip addresses.

Still at a loss.


# dec/15/2016 11:15:06 by RouterOS 6.36.4
# software id = A8XP-J0T1
#
/interface bridge
add arp=proxy-arp mtu=1500 name="HVAC Bridge"
add mtu=1500 name="Main Bridge"
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] comment="HVAC System"
set [ find default-name=ether7 ] comment="HVAC System 2"
/interface eoip
add clamp-tcp-mss=no disabled=yes !keepalive mac-address=02:07:DF:4D:3E:D9 \
    mtu=1500 name="EoIP Waara" remote-address=x.x.x.x tunnel-id=xxxx
/ip neighbor discovery
set ether6 comment="HVAC System"
set ether7 comment="HVAC System 2"
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface="Main Bridge" lease-time=30m \
    name="Main DHCP"
add address-pool=dhcp_pool1 disabled=no interface="HVAC Bridge" lease-time=3d \
    name="HVAC DHCP"
/port
set 0 name=serial0
/ppp profile
set 1 local-address=dhcp_pool1 remote-address=dhcp_pool1 use-encryption=\
    required use-mpls=yes
/queue tree
add max-limit=50M name=queue_tree_download packet-mark=download parent=global \
    queue=pcq-download-default
add max-limit=3500k name=queue_tree_upload packet-mark=upload parent=global \
    queue=pcq-upload-default
/interface bridge port
add bridge="Main Bridge" interface=ether2
add bridge="Main Bridge" interface=ether4
add bridge="Main Bridge" interface=ether5
add bridge="HVAC Bridge" interface=ether6
add bridge="HVAC Bridge" interface=ether7
add bridge="Main Bridge" interface=ether8
add bridge="Main Bridge" interface=ether9
add bridge="Main Bridge" interface=ether10
add bridge="Main Bridge" interface=ether11
add bridge="Main Bridge" interface=ether12
add bridge="Main Bridge" interface=ether13
add bridge="Main Bridge" interface=ether14
add bridge="Main Bridge" interface=ether15
add bridge="Main Bridge" interface=ether16
add bridge="Main Bridge" interface=ether17
add bridge="Main Bridge" interface=ether18
add bridge="Main Bridge" interface=ether19
add bridge="Main Bridge" interface=ether20
add bridge="Main Bridge" interface=ether21
add bridge="Main Bridge" interface=ether22
add bridge="Main Bridge" interface=ether23
add bridge="Main Bridge" interface=ether24
add bridge="Main Bridge" interface=ether3
add bridge="Main Bridge" interface="EoIP Waara"
/interface ethernet switch port
set 0 dscp-based-qos-dscp-to-dscp-mapping=no
set 1 dscp-based-qos-dscp-to-dscp-mapping=no
set 2 dscp-based-qos-dscp-to-dscp-mapping=no
set 3 dscp-based-qos-dscp-to-dscp-mapping=no
set 4 dscp-based-qos-dscp-to-dscp-mapping=no
set 5 dscp-based-qos-dscp-to-dscp-mapping=no
set 6 dscp-based-qos-dscp-to-dscp-mapping=no
set 7 dscp-based-qos-dscp-to-dscp-mapping=no
set 8 dscp-based-qos-dscp-to-dscp-mapping=no
set 9 dscp-based-qos-dscp-to-dscp-mapping=no
set 10 dscp-based-qos-dscp-to-dscp-mapping=no
set 11 dscp-based-qos-dscp-to-dscp-mapping=no
set 12 dscp-based-qos-dscp-to-dscp-mapping=no
set 13 dscp-based-qos-dscp-to-dscp-mapping=no
set 14 dscp-based-qos-dscp-to-dscp-mapping=no
set 15 dscp-based-qos-dscp-to-dscp-mapping=no
set 16 dscp-based-qos-dscp-to-dscp-mapping=no
set 17 dscp-based-qos-dscp-to-dscp-mapping=no
set 18 dscp-based-qos-dscp-to-dscp-mapping=no
set 19 dscp-based-qos-dscp-to-dscp-mapping=no
set 20 dscp-based-qos-dscp-to-dscp-mapping=no
set 21 dscp-based-qos-dscp-to-dscp-mapping=no
set 22 dscp-based-qos-dscp-to-dscp-mapping=no
set 23 dscp-based-qos-dscp-to-dscp-mapping=no
set 24 dscp-based-qos-dscp-to-dscp-mapping=no
set 25 dscp-based-qos-dscp-to-dscp-mapping=no
/interface pptp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/ip address
add address=x.x.x.122/29 comment="default configuration" interface=\
    ether1-gateway network=x.x.x.120
add address=192.168.1.250/24 interface=ether2 network=192.168.1.0
add address=192.168.10.1/24 interface="HVAC Bridge" network=192.168.10.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.10 domain=NorthSummit.local \
    gateway=192.168.1.250
add address=192.168.10.0/24 dns-server=192.168.10.1 domain=NorthSummit.local \
    gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall filter
add chain=input protocol=icmp
add chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall mangle
add action=mark-packet chain=postrouting comment="upload mark packet" \
    new-packet-mark=upload out-interface=ether1-gateway
add action=mark-packet chain=prerouting comment="download mark packet" \
    in-interface=ether1-gateway new-packet-mark=download
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=xxxx in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.1.179 to-ports=80
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=\
    192.168.1.179 to-ports=5445
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=\
    192.168.1.179 to-ports=8201
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=\
    192.168.1.179 to-ports=59012
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=\
    192.168.1.179 to-ports=59011
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=\
    192.168.1.10 to-ports=3389
add action=dst-nat chain=dstnat comment="marina wap" dst-port=xxxx protocol=\
    tcp to-addresses=192.168.1.226 to-ports=8291
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=\
    192.168.1.238 to-ports=80
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=\
    192.168.1.239 to-ports=80
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=\
    192.168.1.240 to-ports=80
add action=dst-nat chain=dstnat dst-port=xxxx protocol=tcp to-addresses=\
    192.168.1.241 to-ports=80
add action=dst-nat chain=dstnat comment="3rd floor wap" dst-port=xxxx \
    protocol=tcp to-addresses=192.168.1.220 to-ports=8291
add action=dst-nat chain=dstnat comment="3rd floor wap" dst-port=xxxx \
    protocol=tcp to-addresses=192.168.1.97 to-ports=8443
add action=dst-nat chain=dstnat comment=NVR dst-port=xxxx protocol=tcp \
    to-addresses=192.168.1.179 to-ports=80
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=x.x.x.121
/lcd
set time-interval=hour
/ppp secret
add name=hvac password=xxxxx profile=default-encryption routes=\
    "192.168.10.0/24 x.x.x.122 1" service=pptp
add name=mike password=xxxxx profile=default-encryption routes=\
    "192.168.10.0/24 x.x.x.122 1" service=pptp
/system clock
set time-zone-name=America/Detroit
/system identity
set name="CenterPointe Main"
/system leds
set 0 interface=sfp1
/system ntp client
set enabled=yes primary-ntp=129.6.15.30 secondary-ntp=64.113.32.5
/system scheduler
add interval=10m name=hairpin_update on-event=hairpin_update policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
    startup
/system script
add name=hairpin_update policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="# get t\
    he current IP address from the internet (in case of double-nat)\r\
    \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\
    path=\"/dyndns.checkip.html\"\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</body>\" -1]\r\
    \n:global currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n\r\
    \n/ip firewall nat set [find comment~\"hairpin\"] dst-address=\$currentIP"
 
Engitech
Trainer
Posts: 64
Joined: Mon Feb 13, 2012 1:59 pm
Location: Geneva - Switzerland

Re: Can't reach google

Fri Dec 16, 2016 12:45 am

/interface bridge port
add bridge="Main Bridge" interface=ether2

and

add address=192.168.1.250/24 interface=ether2 network=192.168.1.0

----->>> set ip on bridge not on ether2
 
Van9018
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Can't reach google

Fri Dec 16, 2016 2:04 am

In Winbox > New Terminal, paste this: :put [:resolve "google.com"] Does it resolve correctly? (or resolve to your ether1 IP?)
I'm guessing it resolves correctly.

You're using a bridge but IP is assigned to ether2 instead of the bridge. Although I doubt this is the issue since most other traffic works.

You also have a script referring to updating a hairpin firewall rule. But I don't see that rule in your config. Do you have one? Your ping to google is getting stuck at ether1. Something (maybe a hairpin rule) is causing the Mikrotik to decide to re-route the ping back to itself where it repeats this until the TTL value is depleted.

If you do a packet capture or torch in Mikrotik, check that the ICMP ping packet has the correct IP (which I'm betting it does) but also check the dst MAC address it has when trying to leave ether1. Dst MAC address should be that of your gateway (you can find the gateway's MAC in IP > Arp).
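
The bridge-port point raised in the two replies above can be checked mechanically against an export. This Python sketch is an added example, not part of the original thread or of MikroTik's tooling; the function names are hypothetical and the sample export is a constructed excerpt in the shape of the config posted earlier.

```python
import re
import shlex

# Constructed sample: trimmed excerpt shaped like the export posted in the thread.
SAMPLE_EXPORT = r'''/interface bridge
add arp=proxy-arp mtu=1500 name="HVAC Bridge"
add mtu=1500 name="Main Bridge"
/interface bridge port
add bridge="Main Bridge" interface=ether2
add bridge="HVAC Bridge" interface=ether6
/ip address
add address=x.x.x.122/29 comment="default configuration" interface=\
    ether1-gateway network=x.x.x.120
add address=192.168.1.250/24 interface=ether2 network=192.168.1.0
add address=192.168.10.1/24 interface="HVAC Bridge" network=192.168.10.0
'''

def parse_export(text):
    """Return a list of (section, command, params) from a RouterOS export."""
    # Join lines continued with a trailing backslash, dropping the indent.
    text = re.sub(r"\\\r?\n\s*", "", text)
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or export header comment
        if line.startswith("/"):
            section = line  # e.g. "/ip address"
            continue
        tokens = shlex.split(line)  # handles quoted names like "Main Bridge"
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((section, tokens[0], params))
    return entries

def addresses_on_bridge_ports(text):
    """Find /ip address entries bound to an interface that is a bridge port."""
    entries = parse_export(text)
    port_to_bridge = {p["interface"]: p["bridge"]
                      for s, c, p in entries
                      if s == "/interface bridge port" and c == "add"}
    return [(p["address"], p["interface"], port_to_bridge[p["interface"]])
            for s, c, p in entries
            if s == "/ip address" and c == "add"
            and p.get("interface") in port_to_bridge]

if __name__ == "__main__":
    for addr, port, bridge in addresses_on_bridge_ports(SAMPLE_EXPORT):
        print(f"{addr} is on bridge port {port}; move it to {bridge!r}")
```
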
 
pkrexer
just joined
Topic Author
Posts: 19
Joined: Sat May 21, 2016 4:39 pm

Re: Can't reach google

Fri Dec 16, 2016 6:59 pm

So after digging more into it... It's not "all of google", it's only if google resolves to a particular IP. If it resolves to 216.58.192.142, that is when it's looped back. If it resolves to something else, i.e. 216.58.216.238, it works fine and I can ping google.com


So something about 216.58.192.142 it doesn't like.


This is all I see when I try to do a torch:

Image
 
pkrexer
just joined
Topic Author
Posts: 19
Joined: Sat May 21, 2016 4:39 pm

Re: Can't reach google

Fri Dec 16, 2016 10:03 pm

Sorry for wasting your time... Modem just needed rebooted *face palm*
