ROS can't reach the internet, local clients can

Posted: Wed Aug 14, 2019 3:57 pm
by Dudeplayz
Hi,
I have the problem that the MikroTik can't ping or reach any internet address. The local network is working fine and any client or server can reach the internet without problems. Only the MikroTik itself can't ping anything that is not in the local network. It also can't resolve DNS.

Here is the firewall configuration:
/ip firewall address-list
add address=192.168.55.0/24 list=WAN
add address=192.168.56.0/24 list=WAN
add address=192.168.0.130 list="Internet Drop"
/ip firewall filter
add action=log chain=input disabled=yes in-interface=E6-WAN1-Fritz!Box log=yes log-prefix=Port-Log protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 500, 1701, 4500" connection-state=new dst-port=500,1701,4500 \
    in-interface=E6-WAN1-Fritz!Box protocol=udp
add action=accept chain=input comment="VPN L2TP ESP" connection-state=new in-interface=E6-WAN1-Fritz!Box protocol=\
    ipsec-esp
add action=accept chain=input comment="VPN L2TP AH" disabled=yes protocol=ipsec-ah
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address=192.168.0.0/16
add action=drop chain=input log-prefix=Firewall-Drop-Log
add action=drop chain=forward dst-address=!192.168.0.0/16 src-address-list="Internet Drop"
add action=accept chain=forward dst-address=!192.168.0.0/16
add action=accept chain=forward connection-state=established,related
/ip firewall mangle
add action=accept chain=prerouting comment="Accept internal LAN" dst-address=192.168.0.0/16 src-address=\
    192.168.0.0/16
add action=mark-connection chain=output comment="Allow ROS -> WAN1" connection-mark=no-mark new-connection-mark=\
    WAN1-ROS passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1-ROS new-routing-mark=Main_Route passthrough=yes
add action=mark-connection chain=input comment="WAN -> MikroTik" connection-mark=no-mark in-interface=\
    E6-WAN1-Fritz!Box new-connection-mark=WAN1-ROS passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=E7-WAN2-GigaCube new-connection-mark=\
    WAN2-ROS passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1-ROS new-routing-mark=Main_Route passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2-ROS new-routing-mark=Backup_Route passthrough=yes
add action=mark-connection chain=forward comment="WAN -> LAN" connection-mark=no-mark in-interface=\
    E6-WAN1-Fritz!Box new-connection-mark=WAN1-LAN passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=E7-WAN2-GigaCube new-connection-mark=\
    WAN2-LAN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1-LAN new-routing-mark=Main_Route passthrough=yes \
    src-address=192.168.0.0/16
add action=mark-routing chain=prerouting connection-mark=WAN2-LAN new-routing-mark=Backup_Route passthrough=yes \
    src-address=192.168.0.0/16
add action=mark-connection chain=prerouting comment="LAN -> WAN" connection-mark=no-mark dst-address=\
    !192.168.0.0/16 new-connection-mark=LAN-WAN passthrough=yes
add action=mark-routing chain=prerouting comment=WAN-Load_Balancing connection-mark=LAN-WAN new-routing-mark=\
    Main_Route passthrough=yes src-address=192.168.0.0/16
add action=mark-connection chain=prerouting comment="Sticky connections" connection-mark=LAN-WAN \
    new-connection-mark=Sticky_Main passthrough=yes routing-mark=Main_Route
add action=mark-connection chain=prerouting connection-mark=LAN-WAN new-connection-mark=Sticky_Backup passthrough=\
    yes routing-mark=Backup_Route
add action=mark-routing chain=prerouting connection-mark=Sticky_Main new-routing-mark=Main_Route passthrough=yes \
    src-address=192.168.0.0/16
add action=mark-routing chain=prerouting connection-mark=Sticky_Backup new-routing-mark=Backup_Route passthrough=\
    yes src-address=192.168.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat out-interface=E6-WAN1-Fritz!Box
add action=masquerade chain=srcnat out-interface=E7-WAN2-GigaCube
I hope somebody can help. I have no idea what the reason for this is.

Best regards.

Re: ROS can't reach the internet, local clients can

Posted: Fri Aug 16, 2019 12:21 am
by CZFan
I did not study the config you posted, but I will suggest you clean up the mangle rules: you have passthrough=yes on all of them, and packets might be changed again by a following mangle rule, so the results end up not as expected.

Re: ROS can't reach the internet, local clients can

Posted: Fri Aug 23, 2019 1:14 pm
by Dudeplayz
The passthrough is wanted because the rules work together to achieve the wanted behavior.

Re: ROS can't reach the internet, local clients can

Posted: Fri Aug 23, 2019 2:01 pm
by Exiver
Can you please provide more information? Draw a network diagram and please show us the whole configuration ;)

Re: ROS can't reach the internet, local clients can

Posted: Wed Jul 01, 2020 10:20 am
by Dudeplayz
Sorry for the late reply. I could solve it by supplying a default route without a routing mark. With the routing mark, the error is still there.

Re: ROS can't reach the internet, local clients can

Posted: Wed Jul 01, 2020 10:47 am
by Zacharias
> Sorry for the late reply. I could solve it by supplying a default route without a routing mark. With the routing mark, the error is still there.

Yes, because the router had no default route for its main routing table...
You could otherwise create a mangle rule and choose/set the routing table the router must use in order to reach the internet. Thus there would be no need to create a default route without a routing mark...
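The route fix discussed in the last two posts, as an added example that is not from the thread: the per-mark routes the mangle rules rely on, plus the unmarked main-table default route the router itself needs. The gateway addresses 192.168.55.1 and 192.168.56.1 are assumed; the thread only shows the WAN subnets 192.168.55.0/24 and 192.168.56.0/24.

```routeros
# Added example, not from the thread. Gateways are assumed: the thread only
# shows the WAN subnets 192.168.55.0/24 (WAN1) and 192.168.56.0/24 (WAN2).
/ip route
# Per-mark default routes used by the mangle rules (Main_Route / Backup_Route).
# Forwarded LAN traffic is fine with these alone, because prerouting mangle
# marks it before the routing decision.
add dst-address=0.0.0.0/0 gateway=192.168.55.1 routing-mark=Main_Route \
    check-gateway=ping comment="WAN1 via Fritz!Box"
add dst-address=0.0.0.0/0 gateway=192.168.56.1 routing-mark=Backup_Route \
    check-gateway=ping comment="WAN2 via GigaCube"
# The missing piece: a default route in the main table with no routing-mark.
# Locally generated packets (ping, DNS lookups from the router) go through a
# first routing decision before the output mangle chain can assign
# Main_Route; with no matching main-table route they are discarded there.
add dst-address=0.0.0.0/0 gateway=192.168.55.1 distance=1 \
    check-gateway=ping comment="main table default, WAN1"
add dst-address=0.0.0.0/0 gateway=192.168.56.1 distance=2 \
    check-gateway=ping comment="main table fallback, WAN2"
# Checks from the router itself: routes present, reachability, and DNS.
/ip route print where dst-address=0.0.0.0/0
/ping 9.9.9.9 count=3
/put [:resolve www.mikrotik.com]
```

If the unmarked route is later removed again, the symptom from the first post (router can't ping or resolve anything off-LAN while clients work) returns even though the output-chain mangle rules are still in place.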