jasonsoscomm
just joined
Topic Author
Posts: 8
Joined: Wed Aug 21, 2019 6:03 pm

can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 12:08 am

Hello,
Mikrotik Router RB-3011
I have clients connected to Eth2 on a DHCP pool 192.168.2.100-150

I am trying to access a device via the web. The router can ping this device. But DHCP clients cannot.
The device IP 172.21.54.101

I have two addresses added to the eth0 (WAN): public IP xxx.xxx.xxx.xxx and private: 172.21.2.33

I can ssh to a Linux server with the IP of 172.21.1.34 with no problem, and it shows I am connecting from private: 172.21.2.33. No NAT rule added yet.

I thought that if I added this NAT rule the issue would be corrected:
ip firewall nat:
add action=src-nat chain=srcnat dst-address=172.21.0.0/16 log=yes to-addresses=172.21.2.33

Though I don't believe this has any effect.

Why can the router ping 172.21.54.101 but not the DHCP computer connected to the router?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 12:43 am

Does the device 172.21.54.101 have a route back to the DHCP range?
 
jasonsoscomm
just joined
Topic Author
Posts: 8
Joined: Wed Aug 21, 2019 6:03 pm

Re: can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 12:51 am

I was told I shouldn't have to add a route, but if so I need a route for all devices on 172.21.0.0/24

Would the route go on the router with DHCP clients?

Routes on the Local router:
https://www.screencast.com/t/X9AQggw1nKh
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 1:19 am

No, I meant that does the 172 device know where to send packets destined for 192 range, i.e. DHCP range?

As a test, add nat rule below and test again from DHCP client
Add chain=srcnat action=masquerade out-interface=eth01_uplink
 
jasonsoscomm
just joined
Topic Author
Posts: 8
Joined: Wed Aug 21, 2019 6:03 pm

Re: can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 2:11 am

> ip firewall nat
[jason@sosedge] /ip firewall nat> chain=srcnat action=masquerade out-interface=eth01_uplink
syntax error (line 1 column 6)
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 9:04 am

> ip firewall nat
[jason@sosedge] /ip firewall nat> chain=srcnat action=masquerade out-interface=eth01_uplink
syntax error (line 1 column 6)
[jason@sosedge] /ip firewall nat> add chain=srcnat action=masquerade out-interface=eth01_uplink
 
jasonsoscomm
just joined
Topic Author
Posts: 8
Joined: Wed Aug 21, 2019 6:03 pm

Re: can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 11:21 am

Same issue, cannot access the device.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 8:00 pm

Then, time is now to post results of "/export hide-sensitive" here, (BETWEEN CODE BRACKETS)
 
jasonsoscomm
just joined
Topic Author
Posts: 8
Joined: Wed Aug 21, 2019 6:03 pm

Re: can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 8:35 pm

Code:

# sep/06/2019 12:30:52 by RouterOS 6.42.9
# software id = CWFI-SM18
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEB09FFEF72
/interface bridge
add name=bridge_uplink
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full,1000M-full mac-address=B8:69:F4:92:28:3C name=eth01_uplink
set [ find default-name=ether2 ] advertise=100M-full,1000M-full name=eth02
set [ find default-name=ether3 ] advertise=100M-full,1000M-full name=eth03
set [ find default-name=ether4 ] advertise=100M-full,1000M-full name=eth04
set [ find default-name=ether5 ] advertise=100M-full,1000M-full name=eth05
set [ find default-name=ether6 ] advertise=100M-full,1000M-full name=eth06
set [ find default-name=ether7 ] advertise=100M-full,1000M-full name=eth07
set [ find default-name=ether8 ] advertise=100M-full,1000M-full name=eth08
set [ find default-name=ether9 ] advertise=100M-full,1000M-full name=eth09
set [ find default-name=ether10 ] advertise=100M-full,1000M-full name=eth10
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.254
add name=dhcp ranges=192.168.2.20-192.168.2.125
/ip dhcp-server
add address-pool=dhcp disabled=no interface=eth02 name=dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add name=Total target=""
add max-limit=5M/5M name=VoIP packet-marks=VoIP-Pkt parent=Total priority=1/1 target=""
add max-limit=20M/20M name="Office Computers" queue=pcq-upload-default/pcq-download-default target=192.168.2.0/24
add max-limit=20M/20M name="VPN Users" queue=pcq-upload-default/pcq-upload-default target=192.168.89.0/24
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add disabled=yes interface=eth01_uplink
add interface=eth02
add interface=eth03
add interface=eth04
add interface=eth05
add interface=eth06
add interface=eth07
add interface=eth08
add interface=eth09
add interface=eth10
/interface l2tp-server server
set enabled=yes ipsec-secret=REMOVED! use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=104.36.123.2/30 interface=eth01_uplink network=104.36.123.0
add address=192.168.2.1/24 comment=LOCAL interface=eth02 network=192.168.2.0
add address=172.21.1.33/24 comment=Service interface=eth01_uplink network=172.21.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid interface=eth01_uplink
/ip dhcp-server network
add address=192.0.0.0/8 gateway=192.168.2.1 netmask=8
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,10.50.10.7
/ip firewall mangle
add action=mark-connection chain=prerouting dst-port=4569 new-connection-mark=VoIP-Conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=VoIP-Conn new-packet-mark=VoIP-Pkt passthrough=no
add action=mark-routing chain=prerouting disabled=yes dst-address=172.21.0.0/16 new-routing-mark=shell passthrough=yes src-address=172.21.1.33
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=masquerade chain=srcnat out-interface=eth01_uplink
add action=dst-nat chain=dstnat disabled=yes dst-address=172.21.0.0/24 to-addresses=172.21.1.33
add action=src-nat chain=srcnat disabled=yes src-address=172.21.1.33 to-addresses=172.21.0.0/22
add action=src-nat chain=srcnat dst-address=172.21.0.0/16 log=yes to-addresses=172.21.2.33
add action=masquerade chain=srcnat out-interface=eth01_uplink
/ip route
add distance=1 gateway=104.36.123.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=40404
set ssh port=22222
set api disabled=yes
set api-ssl disabled=yes
/ppp l2tp-secret
add secret=REMOVED
/ppp secret
******* Removed *******
/system clock
set time-zone-name=America/Chicago
/system identity
set name=sosedge
/system routerboard settings
set silent-boot=no
/tool romon
set enabled=yes secrets=""
/tool user-manager database
set db-path=user-manager
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: can ping IP from router but clients cannot access IP

Fri Sep 06, 2019 11:00 pm

Couple of irregularities in your config, my suggestion will be for you to correct these before moving forward, e.g.

1. LAN Gateway IP address/network on router is a /24, but DHCP clients get issued a /8, routing is based on networks, no host info.
2. Instead of having 2 totally different IPs on the same interface, I will add vlans there to separate these
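
The two irregularities listed in the reply above can be checked mechanically against the posted export. This is an added example, not part of the thread; the sample lines are copied from the export, and `parse_export` and `audit` are hypothetical helper names.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: only the relevant lines of the export posted in the thread.
EXPORT = """\
/ip address
add address=104.36.123.2/30 interface=eth01_uplink network=104.36.123.0
add address=192.168.2.1/24 comment=LOCAL interface=eth02 network=192.168.2.0
add address=172.21.1.33/24 comment=Service interface=eth01_uplink network=172.21.1.0
/ip dhcp-server network
add address=192.0.0.0/8 gateway=192.168.2.1 netmask=8
"""

def parse_export(text):
    """Return {menu path: [key=value dict per 'add' line]}.
    Simplification: splits on whitespace, so quoted values with spaces are not handled."""
    sections, path = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = (tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
            sections[path].append(dict(pairs))
    return sections

def audit(text):
    """Flag DHCP networks that disagree with the gateway interface, and multi-address interfaces."""
    cfg, findings = parse_export(text), []
    ifaces = [ipaddress.ip_interface(a["address"]) for a in cfg["/ip address"]]
    for net in cfg["/ip dhcp-server network"]:
        offered = ipaddress.ip_network(net["address"])
        gw = ipaddress.ip_address(net["gateway"])
        # The router address that clients are told to use as gateway
        owner = next((i for i in ifaces if i.ip == gw), None)
        if owner is not None and owner.network != offered:
            findings.append(f"dhcp network {offered} != interface network {owner.network}")
    per_if = defaultdict(list)
    for a in cfg["/ip address"]:
        per_if[a["interface"]].append(a["address"])
    for name, addrs in per_if.items():
        if len(addrs) > 1:
            findings.append(f"{name} carries {len(addrs)} addresses: {', '.join(addrs)}")
    return findings

if __name__ == "__main__":
    for finding in audit(EXPORT):
        print(finding)
```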
