- LAN-to-LAN: devices on the LAN cannot ping/reach each other
- RouterOS cannot ping LAN devices
- LAN devices can ping RouterOS
- LAN to WAN and WAN to LAN both work
I'm using the default bridge/Ethernet configuration out of the box and was surprised to see this behaviour. I only have the one default subnet (192.168.88.0/24).
Does anybody have any ideas?
Below is my configuration:
[admin@ MikroTik] > export hide-sensitive
# jul/01/2020 16:07:38 by RouterOS 6.47
#
#
# model = RB450Gx4
# Bridge = the single LAN broadcast domain (ether2..ether5 are its slave ports,
# see /interface bridge port). dhcp-snooping=yes makes the bridge drop DHCP
# *server* messages that arrive on a port not marked trusted=yes; no port in
# this export is trusted. NOTE(review): the router's own DHCP server (below)
# sits on the bridge interface itself and is presumably not subject to that
# filter -- confirm, because a snooping misfire would also leave clients
# without leases and is the second thing to check if the address fix in
# /ip address does not resolve LAN-to-LAN reachability.
/interface bridge
add admin-mac=C4:AD:34:9A:92:8B auto-mac=no comment=defconf dhcp-snooping=yes igmp-snooping=yes name=bridge
# WAN uplink: PPPoE over ether1 carries the IPv4 default route
# (add-default-route=yes). Credentials are redacted by `export hide-sensitive`.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=5 max-mru=1500 max-mtu=1460 name=pppoe-out1 service-name=##### user=#####
# Interface lists referenced by the filter rules (in-interface-list=LAN / WAN).
# Membership is declared in /interface list member further down.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# DHCP pool and server. The server listens on the *bridge* interface, so it
# expects the router's 192.168.88.1/24 address to be bound to the bridge as well.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
# Queue types: the built-in default (index 0) is switched to SFQ, and a RED
# variant is added for the bulk classes (HTTP_BIG, OTHER) so large downloads
# back off before they fill the buffers.
/queue type
set 0 kind=sfq
add kind=red name=redCustom red-avg-packet=1514
# HTB queue tree. DOWN hangs off the bridge (everything the router sends toward
# the LAN), UP off pppoe-out1 (everything sent toward the ISP); both are capped
# at 99M. Children are selected by the packet marks set in /ip firewall mangle
# and /ipv6 firewall mangle (priority 1 = served first). The UP side is a
# mirror of the DOWN side with the same marks and limits.
/queue tree
add bucket-size=0.01 max-limit=99M name=DOWN parent=bridge queue=default
add name="1. DNS" packet-mark=DNS parent=DOWN priority=1 queue=default
add limit-at=8M max-limit=10M name="2. VOIP" packet-mark=VOIP parent=DOWN priority=2 queue=default
add name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=default
add limit-at=10M max-limit=90M name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=default
add name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 queue=default
add burst-limit=100M burst-threshold=4M burst-time=5s limit-at=8M max-limit=90M name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 queue=default
add burst-limit=100M burst-threshold=4M burst-time=5s limit-at=8M max-limit=90M name="7. QUIC" packet-mark=QUIC parent=DOWN priority=6 queue=default
add name="8. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN priority=7 queue=redCustom
add name="9. OTHER" packet-mark=OTHER parent=DOWN queue=redCustom
# Upload side (toward the ISP).
add bucket-size=0.01 max-limit=99M name=UP parent=pppoe-out1 queue=default
add name="1. DNS_" packet-mark=DNS parent=UP priority=1 queue=default
add limit-at=8M max-limit=10M name="2. VOIP_" packet-mark=VOIP parent=UP priority=2 queue=default
add name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=default
add limit-at=10M max-limit=90M name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=default
add name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=default
add burst-limit=100M burst-threshold=4M burst-time=5s limit-at=8M max-limit=90M name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=default
add burst-limit=100M burst-threshold=4M burst-time=5s limit-at=8M max-limit=90M name="7. QUIC_" packet-mark=QUIC parent=UP priority=6 queue=default
add name="8. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=7 queue=redCustom
add name="9. OTHER_" packet-mark=OTHER parent=UP queue=redCustom
# ether2..ether5 are slave ports of the bridge. None is marked trusted=yes,
# which is the knob dhcp-snooping (set on the bridge above) uses to tell a
# legitimate DHCP server port from a rogue one on the LAN.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# Neighbor discovery (MNDP/CDP/LLDP) is disabled on every interface: the router
# does not announce itself to either side. Good hygiene; the trade-off is that
# it no longer shows up in neighbor lists on the LAN either.
/ip neighbor discovery-settings
set discover-interface-list=none
# NOTE(review): accept-router-advertisements is a global setting, so with =yes
# the router honours RAs arriving on the bridge (LAN) too, not just on the
# PPPoE uplink. A rogue RA from a LAN host could then push a default route or
# prefix onto the router itself. Confirm this override (the usual default is
# yes-if-forwarding-disabled -- verify) is actually needed for the uplink.
/ipv6 settings
set accept-router-advertisements=yes
# Internet-detection probes only the WAN list.
/interface detect-internet
set detect-interface-list=WAN
# LAN = the bridge; WAN = ether1 (physical) plus pppoe-out1 (logical uplink).
# Everything the firewall treats as "inside" is therefore exactly the bridge.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# NOTE(review): most likely cause of the reported symptoms. The LAN address is
# bound to ether2, but ether2 is a *slave port* of the bridge (see
# /interface bridge port), while the DHCP server and the LAN interface list both
# point at the bridge. defconf puts this address on interface=bridge. An L3
# address on a bridge slave port is not an address of the bridge segment, so the
# router has no usable address toward the LAN -- consistent with "RouterOS
# cannot ping LAN devices" in the question. Fix (then re-test LAN-to-LAN):
#   /ip address set [find where address="192.168.88.1/24"] interface=bridge
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
# IP Cloud DDNS: the router publishes its public address to MikroTik's cloud
# service every 2 minutes, i.e. it gets a public DNS name. Reachability is still
# governed by the firewall below, but disable this if the exposure is unwanted.
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
# defconf DHCP client on raw ether1; add-default-route=no so the PPPoE session
# (add-default-route=yes above) owns the default route.
/ip dhcp-client
add add-default-route=no comment=defconf disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
# LAN clients are handed the router as both gateway and DNS server.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
# Resolver. allow-remote-requests=yes makes the router answer DNS on every
# address it holds; it is not an open resolver only because the IPv4 and IPv6
# input chains below drop new connections that do not arrive from the LAN
# list -- keep those rules. No use-doh-server is set, so upstream queries to
# the listed public resolvers leave the router as plain DNS on port 53.
/ip dns
set allow-remote-requests=yes cache-size=5120KiB max-concurrent-queries=150 max-concurrent-tcp-sessions=30 servers="176.103.130.130,206.189.142.179,9.9.9.10,149.112.112.10,8.8.8.8,1.1.1.1,2a00\
    :5a60::ad2:ff,2620:fe::10,2620:fe::fe:10,2001:4860:4860::8888,2001:4860:4860::8844,2606:4700:4700::1111,2606:4700:4700::1001"
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# Private ranges; the mangle rules below use dst-address-list=!RFC1918 so only
# Internet-bound traffic is classified and queued.
/ip firewall address-list
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
# IPv4 filter (defconf layout). Input chain = traffic addressed to the router.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP is accepted from any interface, including the WAN (defconf choice: the
# router answers ping/traceroute from the Internet). No rate limit is applied.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: everything else must come from the LAN list. This is what
# keeps the resolver (allow-remote-requests=yes), the management services and
# UPnP off the WAN -- the services themselves are not address-restricted.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# NOTE(review): differs from defconf, which fasttracks with no interface match.
# With in-interface=bridge out-interface=bridge only routed flows that enter and
# leave via the bridge are fasttracked; WAN<->LAN flows stay on the normal path,
# presumably on purpose so the mangle marks (fasttracked packets bypass mangle)
# and the queue tree still see them. This rule does not explain the LAN-to-LAN
# failure: same-subnet traffic is switched by the bridge at layer 2 and never
# reaches the forward chain (no use-ip-firewall appears in this export).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related in-interface=bridge out-interface=bridge
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Unsolicited new connections from the WAN are dropped unless a dst-nat entry
# exists. UPnP (enabled below) creates such dst-nat entries on request from any
# LAN host, so this rule is only as strong as the LAN hosts are trustworthy.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# IPv4 traffic classification for the queue tree. Pattern throughout: mark the
# connection once (connection-state=new, passthrough=yes), then mark every
# packet of that connection (passthrough=no stops further mangle processing).
# prerouting handles transit traffic; the postrouting copies catch traffic the
# router itself originates (its own DNS lookups, ICMP, ACKs).
# dst-address-list=!RFC1918 keeps LAN-local traffic out of the queues.
/ip firewall mangle
# DNS: transit queries (prerouting) and the router's own upstream queries (postrouting).
add action=mark-connection chain=prerouting comment=DNS connection-state=new dst-address-list=!RFC1918 new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS dst-address-list=!RFC1918 new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=DNS passthrough=no
# VoIP (SIP + RTP range). No address-list restriction here, so LAN-local VoIP
# is marked as well. NOTE(review): tcp-flags="" on the packet-mark rule with no
# protocol= is presumably a leftover from editing and matches nothing extra.
add action=mark-connection chain=prerouting comment=VOIP new-connection-mark=VOIP passthrough=yes port=5060-5062,10000-20000 protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=VOIP passthrough=no tcp-flags=""
# Small TCP ACKs (<= 123 bytes) get their own high-priority class so uploads do
# not starve download acknowledgements. Packet marks only -- no connection mark.
add action=mark-packet chain=postrouting comment=ACK new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting dst-address-list=!RFC1918 new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
# Remaining Internet-bound UDP.
add action=mark-connection chain=prerouting comment=UDP connection-state=new dst-address-list=!RFC1918 new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP dst-address-list=!RFC1918 new-packet-mark=UDP passthrough=no
# ICMP, transit and router-originated.
add action=mark-connection chain=prerouting comment=ICMP connection-state=new dst-address-list=!RFC1918 new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP dst-address-list=!RFC1918 new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new dst-address-list=!RFC1918 new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP dst-address-list=!RFC1918 new-packet-mark=ICMP passthrough=no
# QUIC (UDP 80/443). Listed after the generic UDP rule, so a QUIC flow is
# already marked UDP by then and this rule presumably rarely fires -- verify
# with the rule counters if QUIC is expected to land in its own queue.
add action=mark-connection chain=prerouting comment=QUIC connection-state=new dst-address-list=!RFC1918 new-connection-mark=QUIC passthrough=yes port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC dst-address-list=!RFC1918 new-packet-mark=QUIC passthrough=no
# HTTP(S): new TCP 80/443 flows get HTTP; a flow that has moved more than 5 MB
# at 2M-100M is re-marked HTTP_BIG (bulk download) and demoted to the RED class.
add action=mark-connection chain=prerouting comment=HTTP connection-mark=no-mark connection-state=new dst-address-list=!RFC1918 new-connection-mark=HTTP passthrough=yes port=80,443 protocol=\
    tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 connection-mark=HTTP connection-rate=2M-100M dst-address-list=!RFC1918 new-connection-mark=HTTP_BIG passthrough=yes \
    protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG dst-address-list=!RFC1918 new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP dst-address-list=!RFC1918 new-packet-mark=HTTP passthrough=no
# NOTE(review): the connection mark name POP3 is misleading -- 995/465/587 are
# POP3S, SMTPS and SMTP submission. The packet mark is OTHER anyway, so the
# name is cosmetic.
add action=mark-connection chain=prerouting comment=OTHER connection-state=new dst-address-list=!RFC1918 new-connection-mark=POP3 passthrough=yes port=995,465,587 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=POP3 dst-address-list=!RFC1918 new-packet-mark=OTHER passthrough=no
# Anything still unmarked -> OTHER (lowest queue).
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!RFC1918 new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER dst-address-list=!RFC1918 new-packet-mark=OTHER passthrough=no
# Source NAT for everything leaving via the WAN list (defconf); IPsec-policy
# traffic is excluded by ipsec-policy=out,none.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Management services. telnet/ftp/api/api-ssl are disabled and so is ssh (the
# port change to 2200 has no effect while disabled=yes). www and winbox are
# not listed, so they keep their defaults -- presumably enabled on 80/8291 --
# and are reachable only from the LAN because of the input-chain drop above.
# Worth adding: address=192.168.88.0/24 on whichever services stay enabled,
# so a firewall edit cannot silently expose them.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes port=2200
set api disabled=yes
set api-ssl disabled=yes
# Only takes effect if ssh is re-enabled.
/ip ssh
set strong-crypto=yes
# NOTE(review): UPnP lets any host on the bridge open inbound port mappings on
# the PPPoE side with no authentication, and the forward rule "drop all from
# WAN not DSTNATed" admits the resulting dst-nat flows. Keep only if every LAN
# host is trusted; otherwise disable it, or at least audit /ip firewall nat
# for dynamically created entries.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
# The bridge takes an address from the delegated prefix; LAN hosts then get
# global addresses via RA (see /ipv6 nd). They are therefore addressable from
# the Internet -- only the forward chain below stands between them and it.
/ipv6 address
add from-pool=IPv6-Pool interface=bridge
# DHCPv6 prefix delegation on the uplink; IPv6 default route from the PPPoE peer.
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=IPv6-Pool rapid-commit=no request=prefix use-peer-dns=no
# Reserved / bogon IPv6 ranges (defconf), dropped as src and dst in the forward chain.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
# IPv6 filter (defconf layout). Input chain = traffic addressed to the router.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# All ICMPv6 is accepted from anywhere: required for ND/PMTUD, and it also
# means the router answers ping6 from the WAN.
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# DHCPv6 replies from the link-local peer on the uplink (prefix delegation above).
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# IKE/AH/ESP are accepted from any interface (defconf). Harmless while no IPsec
# peer is configured, but the IKE responder becomes Internet-facing the moment
# one is added -- restrict by src-address at that point.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Forward chain = traffic through the router (WAN<->LAN hosts).
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
# NOTE(review): IKE 500/4500, AH and ESP are forwarded from the WAN to LAN
# hosts' global addresses before the !LAN drop below, with no src restriction
# (defconf). Nothing in this export implies a LAN-side IPsec endpoint, so these
# four rules can be removed or narrowed if none exists.
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Everything else not originating from the LAN list -- i.e. unsolicited
# Internet traffic toward LAN hosts' global addresses -- is dropped here.
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# IPv6 classification, a mirror of the IPv4 mangle table with the same marks
# and queue classes. Difference to note: dst-address-list=!bad_ipv6 excludes
# only the reserved ranges, whereas the IPv4 table's !RFC1918 also excludes the
# LAN -- so LAN-local IPv6 traffic is marked and queued here, IPv4 is not.
# ICMP rules match icmpv6; the POP3 mark name is cosmetic (995/465/587 are
# POP3S/SMTPS/submission) exactly as in the IPv4 table.
/ipv6 firewall mangle
add action=mark-connection chain=prerouting comment=DNS connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS dst-address-list=!bad_ipv6 new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=DNS passthrough=no
add action=mark-connection chain=prerouting comment=VOIP new-connection-mark=VOIP passthrough=yes port=5060-5062,10000-20000 protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=VOIP passthrough=no
add action=mark-packet chain=postrouting comment=ACK new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting dst-address-list=!bad_ipv6 new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=UDP connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP dst-address-list=!bad_ipv6 new-packet-mark=UDP passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=ICMP passthrough=yes protocol=icmpv6
add action=mark-packet chain=prerouting connection-mark=ICMP dst-address-list=!bad_ipv6 new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=ICMP passthrough=yes protocol=icmpv6
add action=mark-packet chain=postrouting connection-mark=ICMP dst-address-list=!bad_ipv6 new-packet-mark=ICMP passthrough=no
# QUIC sits after the generic UDP rule, same ordering caveat as in IPv4.
add action=mark-connection chain=prerouting comment=QUIC connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=QUIC passthrough=yes port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC dst-address-list=!bad_ipv6 new-packet-mark=QUIC passthrough=no
add action=mark-connection chain=prerouting comment=HTTP connection-mark=no-mark connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=HTTP passthrough=yes port=80,443 protocol=\
    tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 connection-mark=HTTP connection-rate=2M-100M dst-address-list=!bad_ipv6 new-connection-mark=HTTP_BIG passthrough=yes \
    protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG dst-address-list=!bad_ipv6 new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP dst-address-list=!bad_ipv6 new-packet-mark=HTTP passthrough=no
add action=mark-connection chain=prerouting comment=OTHER connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=POP3 passthrough=yes port=995,465,587 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=POP3 dst-address-list=!bad_ipv6 new-packet-mark=OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!bad_ipv6 new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER dst-address-list=!bad_ipv6 new-packet-mark=OTHER passthrough=no
# Router advertisements on the bridge (the only interface LAN hosts see); the
# router's MAC is not included in the RA.
/ipv6 nd
set [ find default=yes ] advertise-mac-address=no interface=bridge ra-interval=30s-2m
# Short preferred/valid lifetimes (1h/2h) so hosts drop the prefix quickly if
# the delegated prefix changes with the PPPoE session.
/ipv6 nd prefix default
set preferred-lifetime=1h valid-lifetime=2h
/system clock
set time-zone-name=Asia/Kolkata
# A DNS debug logging rule exists but is disabled.
/system logging
add disabled=yes topics=dns
# NTP by hostname, so time sync depends on the resolver above working at boot.
# Plain NTP, no authentication -- usual for a home/SOHO setup.
/system ntp client
set enabled=yes server-dns-names=time.cloudflare.com
# RouterBOOT firmware is upgraded automatically at reboot. This covers the boot
# loader only; RouterOS package updates are not configured in this export.
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
# Bandwidth-test server disabled -- good; left on it is a DoS/amplification vector.
/tool bandwidth-server
set enabled=no
/tool graphing
set store-every=24hours
# MAC-telnet and MAC-Winbox (layer-2 management, no IP needed) are limited to
# the LAN list, i.e. the bridge. Useful fallback for reaching the router while
# the IPv4 address binding in /ip address is being corrected; keep it off the WAN.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN