dancho
Topic Author

cannot access public IP

Tue Feb 18, 2014 2:37 am

We have a new ISP that gives us one public IP. They have Cisco equipment before our MikroTik.
Now they give us address xxx.xxx.51.98/32 with gateway xxx.xxx.51.97.
Their Cisco has IP xxx.xxx.51.99.

From outside our network I can ping only the gateway but not our router. What should I do so I can access our public IP from anywhere on the internet?

Thank you.
 
efaden

Re: cannot access public IP

Tue Feb 18, 2014 2:52 am

> We have a new ISP that gives us one public IP. They have Cisco equipment before our MikroTik.
> Now they give us address xxx.xxx.51.98/32 with gateway xxx.xxx.51.97.
> Their Cisco has IP xxx.xxx.51.99.
>
> From outside our network I can ping only the gateway but not our router. What should I do so I can access our public IP from anywhere on the internet?
>
> Thank you.

Post your export? Do you have any firewall rules?... We need more info to fix your problem. Can you get to the internet from your network?... Something also seems odd about the addresses? ... your gateway is outside of your subnet (if you really have a /32 address).
 
dancho
Topic Author

Re: cannot access public IP

Tue Feb 18, 2014 4:24 am

Yes. Our network is functioning as it is supposed to, but I cannot get to our router from outside the local network.
[dsgfdg@MAIN_ROUTER] > ip firewall export
# feb/18/2014 03:09:59 by RouterOS 6.7
# software id = G604-UUFT
#
/ip firewall address-list
add address=172.16.16.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=\
bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/16 comment="Private[RFC 1918] - CLASS B" list=\
bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=\
bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=\
bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=\
bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=input comment=\
"Block all access to the winbox - except to support list" dst-port=\
8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" \
dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 \
dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=\
25,587 protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add chain=input comment="Accept to established connections" \
connection-state=established protocol=tcp
add chain=input comment="Accept to related connections" \
connection-state=related protocol=tcp
add chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 \
protocol=icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=\
icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=\
ICMP protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=\
22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=dddd \
src-address=10.10.11.0/24
add action=mark-routing chain=prerouting new-routing-mark=gggg \
src-address=10.10.9.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether5 to-addresses=\
0.0.0.0
[dsgfdg@MAIN_ROUTER] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 172.16.16.1/22 172.16.16.0 pppoe
1 xxx.xxx.51.98/32 xx.xx.51.97 ether5
2 D 192.168.101.2/24 192.168.101.0 ether2
3 D 192.168.0.100/24 192.168.0.0 ether1
[dsgfdg@MAIN_ROUTER] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 xxx.xxx.51.97 1
1 ADS 0.0.0.0/0 192.168.0.1 0
2 ADS 0.0.0.0/0 192.168.101.1 2
 
SurferTim

Re: cannot access public IP

Tue Feb 18, 2014 4:53 am

Why is your default gateway 192.168.0.1? The routes will be selected by lowest distance.
[dsgfdg@MAIN_ROUTER] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 xxx.xxx.51.97 1
1 ADS 0.0.0.0/0 192.168.0.1 0
2 ADS 0.0.0.0/0 192.168.101.1 2
 
dancho
Topic Author

Re: cannot access public IP

Tue Feb 18, 2014 5:02 am

Our IP pool is 10.10.10.0/24 and that goes through gateway 192.168.0.1

We have 10.10.9.0/24 that goes through gateway xxx.xxx.51.97
and 10.10.11.0/24 that goes through gateway 192.168.101.1

This is done by prerouting. I don't think this has something to do with my public IP? :S
 
SurferTim

Re: cannot access public IP

Tue Feb 18, 2014 5:50 am

> We have a new ISP that gives us one public IP. They have Cisco equipment before our MikroTik.
> Now they give us address xxx.xxx.51.98/32 with gateway xxx.xxx.51.97.
> Their Cisco has IP xxx.xxx.51.99.

Are you certain it is a /32 netmask? This is a bit confusing to me. My ISP gave me 8 static ips with a /27 netmask with about the same settings you have.

Are they routing that public ip to your router through another interface besides ether5? Which interface on your router connects to their Cisco router?

I recommend contacting your ISP and finding out exactly what netmask you should be using.
 
CelticComms

Re: cannot access public IP

Tue Feb 18, 2014 5:55 am

This looks odd:
1 xxx.xxx.51.98/32 xx.xx.51.97 ether5 
If you allocate a /32 then the network is the same as the address so this entry does not make sense. You also mention that the Cisco is at .99. Are they trying to use a Cisco style /31? If so Mikrotik does not support that. It doesn't look like a /30 link network because that would be .96 for network, .97 & .98 for host/gateway and .99 for broadcast.

I think you should clarify what has been provisioned with the upstream.
 
dancho
Topic Author

Re: cannot access public IP

Tue Feb 18, 2014 6:28 am

sorry guys probably they made a mess or I am a mess.. this is what I got from them and didn't even look before applying..

IP address xxx.xxx.51.98
Mask 255.255.255.252
Gateway xxx.xxx.51.97

As I can see this is wrong. This is a /30 network and the gateway should be .96, not .97 as they told me? If yes I guess their router that is right under mine is .97. If yes again then I can ping 97 but still no luck with my 98.
 
efaden

Re: cannot access public IP

Tue Feb 18, 2014 1:51 pm

> sorry guys probably they made a mess or I am a mess.. this is what I got from them and didn't even look before applying..
>
> IP address xxx.xxx.51.98
> Mask 255.255.255.252
> Gateway xxx.xxx.51.97
>
> As I can see this is wrong. This is a /30 network and the gateway should be .96, not .97 as they told me? If yes I guess their router that is right under mine is .97. If yes again then I can ping 97 but still no luck with my 98.

Those addresses at least make more sense than a /32

 
SurferTim

Re: cannot access public IP

Tue Feb 18, 2014 1:57 pm

Which interface connects to your ISP? That is the interface that needs that ip/netmask/gateway.
 
CelticComms

Re: cannot access public IP

Tue Feb 18, 2014 2:16 pm

> sorry guys probably they made a mess or I am a mess.. this is what I got from them and didn't even look before applying..
>
> IP address xxx.xxx.51.98
> Mask 255.255.255.252
> Gateway xxx.xxx.51.97
>
> As I can see this is wrong. This is a /30 network and the gateway should be .96, not .97 as they told me? If yes I guess their router that is right under mine is .97. If yes again then I can ping 97 but still no luck with my 98.

No - the gateway can't be .96 - that is the network ID. If they told you .97 for gateway then you should enter this on your interface as x.x.51.98/30. It should then show the network as x.x.51.96. In IP Routes you should have a default route to x.x.51.97.
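
The subnet arithmetic discussed up to this point in the thread can be checked mechanically. The following is an added example, not part of any post: `check_handoff` and the 203.0.113.0/24 documentation prefix (standing in for the redacted xxx.xxx.51 prefix) are assumptions made for illustration.

```python
import ipaddress


def check_handoff(address, mask, gateway):
    """Validate an ISP-supplied address/mask/gateway triple.

    `mask` may be a prefix length ("30") or a dotted mask ("255.255.255.252").
    Returns (network, problems); an empty list means the triple is consistent.
    """
    iface = ipaddress.ip_interface(f"{address}/{mask}")
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    problems = []

    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        problems.append("gateway and interface address are identical")

    # Network ID and broadcast are only reserved for /30 and shorter prefixes.
    if net.prefixlen <= 30:
        for role, ip in (("address", iface.ip), ("gateway", gw)):
            if ip == net.network_address:
                problems.append(f"{role} {ip} is the network ID of {net}")
            elif ip == net.broadcast_address:
                problems.append(f"{role} {ip} is the broadcast address of {net}")
    return str(net), problems


# Constructed sample: 203.0.113.0/24 (TEST-NET-3) replaces the redacted prefix;
# the last octets are the ones quoted in the thread.
CASES = [
    ("203.0.113.98", "32", "203.0.113.97"),               # as first configured
    ("203.0.113.98", "31", "203.0.113.97"),               # the /31 guess
    ("203.0.113.98", "255.255.255.252", "203.0.113.96"),  # gateway guessed as .96
    ("203.0.113.98", "255.255.255.252", "203.0.113.99"),  # the Cisco's .99
    ("203.0.113.98", "255.255.255.252", "203.0.113.97"),  # address/mask/gateway from the ISP
]

if __name__ == "__main__":
    for case in CASES:
        net, problems = check_handoff(*case)
        print(case, "->", net, problems or "OK")
```

Only the last case comes back clean: .98/30 with gateway .97 on network .96, which is the configuration recommended above.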
 
dancho
Topic Author

Re: cannot access public IP

Tue Feb 18, 2014 5:06 pm

>> sorry guys probably they made a mess or I am a mess.. this is what I got from them and didn't even look before applying..
>>
>> IP address xxx.xxx.51.98
>> Mask 255.255.255.252
>> Gateway xxx.xxx.51.97
>>
>> As I can see this is wrong. This is a /30 network and the gateway should be .96, not .97 as they told me? If yes I guess their router that is right under mine is .97. If yes again then I can ping 97 but still no luck with my 98.
>
> No - the gateway can't be .96 - that is the network ID. If they told you .97 for gateway then you should enter this on your interface as x.x.51.98/30. It should then show the network as x.x.51.96. In IP Routes you should have a default route to x.x.51.97.

ok I am done with all of this. still can not access my router from internet.

@SurferTim: eth5 is the interface that has this IP netmask and gateway.
 
CelticComms

Re: cannot access public IP

Tue Feb 18, 2014 6:54 pm

How are you trying to access the router? Winbox? Ping? There is a rule restricting Winbox to a support list. There doesn't seem to be a default drop on the input chain btw...

If you want the path traced from here email me.
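
The missing default drop noted in the post above can be confirmed from an export: on RouterOS, a packet that matches no rule in a built-in chain is accepted, so without a final drop every router service not explicitly blocked answers to any source once the address is reachable. The following is an added example, not part of any post; the function names and the shortened sample export are assumptions constructed for illustration.

```python
import shlex

# Constructed sample: a shortened /ip firewall filter section with the same rule
# shapes as the export posted in this thread (not the full rule set).
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=input comment=\
    "Block all access to the winbox - except to support list" dst-port=\
    8291 protocol=tcp src-address-list=!support
add chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=forward comment="Drop to bogon list" \
    dst-address-list=bogons
'''

# Properties that describe a rule but do not narrow what it matches.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_filter_rules(export_text):
    """Return the 'add' lines of the /ip firewall filter section as dicts."""
    rules, section, pending = [], None, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rule.setdefault("action", "accept")  # the export omits the default action
            rules.append(rule)
    return rules


def chain_fallthrough(rules, chain="input"):
    """Return (verdict, explicit) for a packet matching no conditional rule.

    Jump targets are not followed (assumption: jumps are conditional, as here).
    """
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if rule["action"] in ("accept", "drop", "reject") and not set(rule) - NON_MATCHERS:
            return rule["action"], True
    return "accept", False  # built-in chains accept whatever no rule matched
```

On the sample, `chain_fallthrough(parse_filter_rules(SAMPLE_EXPORT))` returns `("accept", False)`; appending an unconditional `add action=drop chain=input` rule changes it to `("drop", True)`.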
 
SurferTim

Re: cannot access public IP

Wed Feb 19, 2014 12:40 am

I didn't ask which interface you had the ip assigned to. I asked which interface is your WAN interface. Which interface connects to your ISP?
 
dancho
Topic Author

Re: cannot access public IP

Wed Feb 19, 2014 2:36 am

@CelticComms: I am trying to connect to my router via web. I can not ping my public IP from outside my network. So I can not access it. As I can see it is a very easy setup and I think the problem is not in my configuration.

@SurferTim: eth 5 connects to my ISP router and has this IP assigned.

I am waiting for an answer from my ISP to tell me if there is a problem in their CISCO. They've told me that from their router they can ping my router but can not ping it from the internet. Still if you guys have any solution I could try...
 
SurferTim

Re: cannot access public IP

Wed Feb 19, 2014 3:03 am

If your router responds to a ping from a localnet device (that is what the Cisco is to your Mikrotik) but doesn't respond to an internet device, it is usually your default (0.0.0.0/0) entry in "/ip route". Are these still your entries?
[dsgfdg@MAIN_ROUTER] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 xxx.xxx.51.97 1
1 ADS 0.0.0.0/0 192.168.0.1 0
2 ADS 0.0.0.0/0 192.168.101.1 2
Here are my routes. Note there is only one entry with the dst-address of 0.0.0.0/0. The rest have the interface network as the dst-address.
[admin@test] /ip route> pri
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 68.99.58.97 1
1 ADC 68.99.58.96/27 68.99.58.119 ether1 0
2 DC 192.168.0.0/24 192.168.0.1 wlan1 255
3 ADC 192.168.1.0/24 192.168.1.1 ether2 0
4 DC 192.168.2.0/24 192.168.2.1 ether3 255
If you didn't notice, all but one of those entries were automatically entered when I entered the ip, subnet mask, and interface in "/ip address". Only the default route is static (manually entered by me).
 
dancho
Topic Author

Re: cannot access public IP

Thu Feb 20, 2014 6:09 am

> If your router responds to a ping from a localnet device (that is what the Cisco is to your Mikrotik) but doesn't respond to an internet device, it is usually your default (0.0.0.0/0) entry in "/ip route". Are these still your entries?
> [dsgfdg@MAIN_ROUTER] > ip route print
> Flags: X - disabled, A - active, D - dynamic,
> C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
> B - blackhole, U - unreachable, P - prohibit
> # DST-ADDRESS PREF-SRC GATEWAY DISTANCE
> 0 A S 0.0.0.0/0 xxx.xxx.51.97 1
> 1 ADS 0.0.0.0/0 192.168.0.1 0
> 2 ADS 0.0.0.0/0 192.168.101.1 2

yes still those routes

> [admin@test] /ip route> pri
> Flags: X - disabled, A - active, D - dynamic,
> C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
> B - blackhole, U - unreachable, P - prohibit
> # DST-ADDRESS PREF-SRC GATEWAY DISTANCE
> 0 A S 0.0.0.0/0 68.99.58.97 1
> 1 ADC 68.99.58.96/27 68.99.58.119 ether1 0
> 2 DC 192.168.0.0/24 192.168.0.1 wlan1 255
> 3 ADC 192.168.1.0/24 192.168.1.1 ether2 0
> 4 DC 192.168.2.0/24 192.168.2.1 ether3 255
> If you didn't notice, all but one of those entries were automatically entered when I entered the ip, subnet mask, and interface in "/ip address". Only the default route is static (manually entered by me).

only 0 and 1 are those I need for me so in my router I have:

0 A S 0.0.0.0/0 xxx.xxx.51.97 1
1 ADC xxx.xxx.51.96/30 xxx.xxx.51.98 ether5 0


In a few hours I will put a Windows PC in place of the MikroTik to see if I can ping that. Will let you know what happens.
 
alexzh

Re: cannot access public IP

Sat Feb 22, 2014 12:39 pm

Do you have an internet connection through pppoe? Or normal lan? If you do not have pppoe any more, then kill this interface, and all will be working.
 
dancho
Topic Author

Re: cannot access public IP

Wed Feb 26, 2014 3:11 am

guys it is fixed now. I got it on my own the hard way.. :(

I just added a new route with distance 1 with the gateway they gave me and made the other routes distance 2 and 3. The routes I had were only for my routing mark to work. Now I have 2 routes for each gateway: one to show the router the real gateway and to let connections without a routing mark go through it, and one for the routing mark. Now I can access my router from all over the world :P It looks like this now:

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 192.168.101.1 3 <<<< routing mark
1 A S 0.0.0.0/0 xzxx.xxx.xxx.97 1 <<<< routing mark
2 A S 0.0.0.0/0 yyy.yyy.4.1 2 <<<< routing mark
3 A S 0.0.0.0/0 xxx.xxx.xxx.97 1 <<<< THIS WAS MISSING
4 DS 0.0.0.0/0 yyy.yyy.4.1 2
5 DS 0.0.0.0/0 192.168.101.1 3


Thanks for your help. You've been great!!
