Hi
I am having difficulties to connect a new Internet connection to my Mikrotik RB2011 iL-IN (software version 6.34.3). I tried everything but I am getting frustrated for not being able to put it up and running.
I have an existing Internet connection on physical port 1, and I have the LAN ports on 3, 4, 5, and 7. Everything is up and running.
We are replacing the Internet connection, so I am connecting the new connection to port 2 and setting everything to test until they remove the old connection.
Before anything I tested the new connection. I connected a cable directly from my PC to the new Internet router. It works perfectly. So, I moved on and connected the same cable between the new internet router and the Mikrotik router. I also tested the “Cable test” on Mikrotik’s Interface – general window, and it said: link ok.
The Mikrotik configuration is the same between the 2 links (except for the port and IP addresses). But if I make a traceroute to any external address, I get response when using the current (old) internet connection and timeout if I use the new one.
This is how I have its setup. Where new link and old link are different I put the old link values between brackets:
Interface – general – name: [2] WAN2 ([1] WAN1)
Interface – general – MTU: 1500
Interface – general – L2 MTU: 1598
Interface – general – ARP: enabled
Interface – general – Master port: none
Interface – general – Bandwidth: unlimited/unlimited
Interface – Ethernet – Auto-negotiation: checked
Interface – Ethernet – Tx flow control: off
Interface – Ethernet – Rx flow control: off
Interface – Ethernet – Advertise – 10M half: checked
Interface – Ethernet – Advertise – 100M half: checked
Interface – Ethernet – Advertise – 1000M half: checked
Interface – Ethernet – Advertise – 10M full: checked
Interface – Ethernet – Advertise – 100M full: checked
Interface – Ethernet – Advertise – 1000M full: checked
IP – addresses – Adress: aaa.bbb.ccc.ddd/29 (eee.fff.ggg.hhh/30)
IP – addresses – Network: aaa.bbb.ccc.ddx (eee.fff.ggg.hhy)
IP – addresses – interface: [2] WAN2 ([1] WAN1)
IP – firewall – drop input TCP port 21
IP – firewall – drop input TCP port 23
IP – firewall – accept input UDP port 500 (for both links)
IP – firewall – accept input UDP port 1701 (for both links)
IP – firewall – accept input UDP port 4500 (for both links)
IP – firewall – drop input UDP port 53 (for both links)
Outgoing route:
IP – routes – route – general – dst.address: 0.0.0.0/0
IP – routes – route – general – gateway: aaa.bbb.ccc.ddx reachable [2]WAN2 (eee.fff.ggg.hhy reachable [1]WAN1)
IP – routes – route – general – type: unicast
IP – routes – route – general – distance: 10 (1) – when I increase this last value to use the new link it stops communicating, so I must fix the problem of the new link before changing the distances
IP – routes – route – general – scope: 30
IP – routes – route – general – target scope: 10
Incoming route:
IP – routes – route – general – dst.address: aaa.bbb.ccc.ddd/29 (eee.fff.ggg.hhh/30)
IP – routes – route – general – gateway: [2]WAN2 reachable ([1]WAN1 reachable)
IP – routes – route – general – type: unicast
IP – routes – route – general – distance: 0 (0)
IP – routes – route – general – scope: 10
IP – routes – route – general – target scope: 10
IP – routes – route – general – pref source: aaa.bbb.ccc.ddd (eee.fff.ggg.hhh)
I cannot find anything that justifies that the current link can work normally and the new link is unable to even do a traceroute.
Anyone has a clue on what might be wrong?
Thank you,
Rui

I'm not sure what you mean by "incoming route", but I suggest you to add an individual (/32) route for the address you use for traceroute, indicating the gateway of the new uplink as a gateway, and then traceroute again. If it works, it means that routing was the problem. If it doesn't, post here the output of , , and after replacing the public addresses the way you did above.

I'm not sure what you mean by "incoming route", but I suggest you to add an individual (/32) route for the address you use for traceroute, indicating the gateway of the new uplink as a gateway, and then traceroute again. If it works, it means that routing was the problem. If it doesn't, post here the output of

Code: Select all

/export hide-sensitive

,

Code: Select all

/ip address print

, and

Code: Select all

/ip route print

after replacing the public addresses the way you did above.

Hi Sindy,
Thank you for your response.
When I say incoming, I mean source=0.0.0.0/0 and destination=local IP. I might be using the wrong terminology because I am not a communications expert. Sorry.
I am not sure what do you mean by using /32 for traceroute. The internet provider gave me an IP address with /30 (current link) and /29 (new link) and on the traceroute window I could not find where to enter that filter.
I don't know how to attach a file, so I am sending the output of the configuration below:


# apr/22/2018 09:01:20 by RouterOS 6.34.3
# software id = 6X1L-00W2
#
/interface ethernet
set [ find default-name=ether1 ] name="[1]WAN_FibraVivo"
set [ find default-name=ether2 ] name="[2]WAN_Fibra2"
set [ find default-name=ether3 ] name="[3]LAN_Quartos"
set [ find default-name=ether4 ] name="[4]LAN_WiFi"
set [ find default-name=ether5 ] name="[5]LAN_Admin"
set [ find default-name=ether6 ] disabled=yes name="[6]LAN_Livre"
set [ find default-name=ether7 ] name="[7]WAN_SpeedyDSL"
set [ find default-name=ether8 ] disabled=yes name="[8]LAN_Livre"
set [ find default-name=ether9 ] disabled=yes name="[9]LAN_Livre"
set [ find default-name=ether10 ] name="[10]LAN_Manutencao"
/interface vlan
add interface="[5]LAN_Admin" name=vlanAdm vlan-id=500
add interface="[3]LAN_Quartos" name=vlanQuart vlan-id=300
add interface="[4]LAN_WiFi" name=vlanWifi vlan-id=400
/ip ipsec proposal
add auth-algorithms=sha512,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,3des \
name=proposal1 pfs-group=none
/ip pool
add name=pool_WiFi ranges=192.168.0.129-192.168.0.254
add name=pool_adm_fix ranges=192.168.7.241-192.168.7.253
add name=pool_adm_var ranges=192.168.7.225-192.168.7.239
add name=pool_quartos ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=pool_adm_var disabled=no interface="[5]LAN_Admin" name=\
dhcp_adm
add address-pool=pool_WiFi disabled=no interface="[4]LAN_WiFi" name=dhcp_wifi
add address-pool=pool_quartos disabled=no interface="[3]LAN_Quartos" name=\
dhcp_quartos
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 idle-timeout=4h local-address=\
aaa.bbb.ccc.18 name=VPNTCH rate-limit="" remote-address=pool_adm_var \
use-encryption=required
add change-tcp-mss=yes dns-server=8.8.8.8 idle-timeout=4h local-address=\
ddd.eee.fff.82 name=VPNTCH2 remote-address=pool_adm_var use-encryption=\
required
/interface l2tp-server server
set authentication=mschap2 default-profile=VPNTCH enabled=yes
/ip address
add address=192.168.7.254/27 interface="[5]LAN_Admin" network=192.168.7.224
add address=aaa.bbb.ccc.18/30 interface="[1]WAN_FibraVivo" network=aaa.bbb.ccc.16
add address=192.168.15.1/29 interface="[7]WAN_SpeedyDSL" network=192.168.15.0
add address=192.168.0.1/24 interface="[4]LAN_WiFi" network=192.168.0.0
add address=192.168.1.1/24 interface="[3]LAN_Quartos" network=192.168.1.0
add address=ddd.eee.fff.82/29 interface="[2]WAN_Fibra2" network=ddd.eee.fff.80
add address=ddd.eee.fff.80/29 interface="[2]WAN_Fibra2" network=ddd.eee.fff.80
/ip arp
add address=ddd.eee.fff.81 interface="[2]WAN_Fibra2"
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface="[7]WAN_SpeedyDSL"
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.6.0/24 gateway=192.168.6.1
add address=192.168.7.224/27 gateway=192.168.7.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,200.153.0.68
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface="[1]WAN_FibraVivo" \
protocol=udp
add action=drop chain=input dst-port=53 in-interface="[7]WAN_SpeedyDSL" \
protocol=udp
add action=drop chain=input dst-port=21 protocol=tcp
add action=drop chain=input dst-port=23 protocol=tcp
add action=drop chain=forward dst-address=192.168.7.0/24 src-address=\
192.168.0.0/24
add chain=forward dst-address=0.0.0.0/0 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.7.0/24 src-address=\
192.168.1.0/24
add chain=forward dst-address=0.0.0.0/0 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=\
192.168.7.0/24
add chain=forward dst-address=0.0.0.0/0 src-address=192.168.7.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
192.168.7.0/24
add chain=forward dst-address=0.0.0.0/0 src-address=192.168.7.0/24
add chain=input connection-state=new dst-port=500 in-interface=\
"[1]WAN_FibraVivo" log=yes protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=\
"[1]WAN_FibraVivo" log=yes protocol=udp
add chain=input connection-limit=100,32 connection-state=new dst-port=1701 \
in-interface="[1]WAN_FibraVivo" limit=0,5:packet log=yes protocol=udp
add action=drop chain=input dst-port=53 in-interface="[2]WAN_Fibra2" \
protocol=udp
add chain=input connection-state=new dst-port=500 in-interface=\
"[2]WAN_Fibra2" log=yes protocol=udp
add chain=input connection-limit=100,32 connection-state=new dst-port=1701 \
in-interface="[2]WAN_Fibra2" limit=0,5:packet log=yes protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=\
"[2]WAN_Fibra2" log=yes protocol=udp
add chain=input connection-state=new dst-port=500 in-interface=\
"[7]WAN_SpeedyDSL" log=yes protocol=udp
add chain=input connection-state=new dst-port=1701 in-interface=\
"[7]WAN_SpeedyDSL" log=yes protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=\
"[7]WAN_SpeedyDSL" log=yes protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment=ADM src-address=192.168.6.0/24
add action=masquerade chain=srcnat src-address=192.168.7.224/27
add action=masquerade chain=srcnat comment=Hospedes fragment=no src-address=\
192.168.0.0/24
add action=masquerade chain=srcnat limit=1,5:packet nth=2,1 src-address=\
192.168.1.0/24
/ip ipsec peer
add address=0.0.0.0/32 enc-algorithm=aes-256,3des exchange-mode=main-l2tp \
generate-policy=port-strict hash-algorithm=sha512 secret=\
********************
/ip route
add distance=1 gateway=aaa.bbb.ccc.17
add distance=10 gateway=ddd.eee.fff.81
add distance=20 gateway="[7]WAN_SpeedyDSL"
add distance=1 dst-address=192.168.0.0/24 gateway="[4]LAN_WiFi" pref-src=\
192.168.0.1 scope=10
add distance=1 dst-address=192.168.1.0/24 gateway="[3]LAN_Quartos" pref-src=\
192.168.1.1 scope=10
add distance=10 dst-address=192.168.7.224/27 gateway="[2]WAN_Fibra2" \
pref-src=192.168.7.254 scope=10
add disabled=yes distance=1 dst-address=192.168.7.224/27 gateway=\
"[1]WAN_FibraVivo" pref-src=192.168.7.254 scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpnh password=******************** profile=VPNH service=l2tp
add name=vpnh2 password=******************** profile=VPNH2 service=l2tp
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name="Hotel"
/system routerboard settings
set protected-routerboot=disabled

Thank you,
Rui

I suppose that ping and traceroute directly to do work - if they don't, there is really something rotten.

If they do, what I had in mind was the following: choose a single remote address you are going to traceroute, such as one of Google's DNS server addresses, 8.8.4.4, and before tracerouting it, do . This adds an exceptional route for this single destination address (hence the in my previous post). If with this route in place the traceroute works, the uplink is fine and you can use it.

I suppose that ping and traceroute directly to

Code: Select all

ddd.eee.fff.81

do work - if they don't, there is really something rotten.

If they do, what I had in mind was the following: choose a single remote address you are going to traceroute, such as one of Google's DNS server addresses, 8.8.4.4, and before tracerouting it, do

Code: Select all

/ip route add dst-address=8.8.4.4/32 gateway=ddd.eee.fff.81

. This adds an exceptional route for this single destination address (hence the

Code: Select all

/32

in my previous post). If with this route in place the traceroute works, the uplink is fine and you can use it.

Hi Sindy,
Unfortunately it gives timeout before and after the route command.
But if I connect that same cable to my PC, I can navigate the Internet without any problem.
Tomorrow I will try to go to my client location and connect it to another router port and adapt all the configurations.
Do you think that if I upgrade the router firmware it can improve? or will I loose the configuration?
Thank you,
Rui

I suppose that ping and traceroute directly to

Code: Select all

ddd.eee.fff.81

do work - if they don't, there is really something rotten.

If they do, what I had in mind was the following: choose a single remote address you are going to traceroute, such as one of Google's DNS server addresses, 8.8.4.4, and before tracerouting it, do

Code: Select all

/ip route add dst-address=8.8.4.4/32 gateway=ddd.eee.fff.81

. This adds an exceptional route for this single destination address (hence the

Code: Select all

/32

in my previous post). If with this route in place the traceroute works, the uplink is fine and you can use it.

Hi Sindy,
Unfortunately it gives timeout before and after the route command.
But if I connect that same cable to my PC, I can navigate the Internet without any problem.
Tomorrow I will try to go to my client location and connect it to another router port and adapt all the configurations.
Do you think that if I upgrade the router firmware it can improve? or will I loose the configuration?
Thank you,
Rui

I found out that I can ping ddd.eee.fff.80 and ddd.eee.fff.82 but I get timeout when I ping ddd.eee.fff.81
But the provider was clear: 80 was the network, 81 the gateway, 82-86 free and 87 is the broadcast.
this means that the port is communicating, but for some reason it cannot go through address 81 to the Internet
So, now I am even more confused.

The answer we are waiting for is can you ping or traceroute to 8.8.8.8 or 8.8.4.4?

The answer we are waiting for is can you ping or traceroute to 8.8.8.8 or 8.8.4.4?

Hi CZFan,
No. I still get timeout when ping or traceroute 8.8.4.4 (when forcing to route through ddd.eee.fff.81

Ok, then we need to dig into matting, routing and fireballing, sorry, I am out for a Capone hours, it is now 2:50 in the morning and going to sleep in next 10 minutes, i am sure someone else will chip in to assist, I will be back once I get up again

I have somehow completely missed the above. Please remove the static ARP record for. 81 and the ip address. 80, keep just the ip address. 82 out of the above. Then try to ping the. 81 again etc.

Code: Select all

/ip address
...
add address=ddd.eee.fff.82/29 interface="[2]WAN_Fibra2" network=ddd.eee.fff.80
add address=ddd.eee.fff.80/29 interface="[2]WAN_Fibra2" network=ddd.eee.fff.80
/ip arp
add address=ddd.eee.fff.81 interface="[2]WAN_Fibra2"

I have somehow completely missed the above. Please remove the static ARP record for. 81 and the ip address. 80, keep just the ip address. 82 out of the above. Then try to ping the. 81 again etc.

Hi Sindy,
It seems that you nailed it. As soon as I removed the static ARP (I am not sure how it appeared there), the ping started working for that interface.
I will just make a few more tests and if no more surprises, I will considered this thread solved.

Thank you so much for your help

Rui