nbctcp (Topic Author)

Cisco vlan ip can't ping Internet

Fri Oct 09, 2020 3:02 am

HW INFO
-RB951
-Cisco Switch 3750

PROBLEMS:
1. Cisco VLAN IP can't ping the Internet but can ping any MikroTik VLAN IP

MIKROTIK:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.0.10.1/24 comment=WAN1 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 comment=DMZ interface=vlan20 network=10.0.20.0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/interface vlan
add interface=ether2 name=vlan10 vlan-id=10
add interface=ether2 name=vlan20 vlan-id=20
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.0.10.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.0.20.0/24

CISCO:
#sh ip interface brief
Interface    IP-Address      OK?  Method  Status  Protocol
Vlan1        192.168.88.213  YES  NVRAM   up      up
Vlan10       10.0.10.213     YES  NVRAM   up      up
Vlan20       10.0.20.213     YES  NVRAM   up      up
#sh int trunk
Port       Mode  Encapsulation  Status    Native vlan
Fa2/0/48   on    802.1q         trunking  1
Port       Vlans allowed on trunk
Fa2/0/48   1,10,20,30,40,50,60,80,90,100

STEPS TAKEN
Ping from MIKROTIK to WAN:
> ping 1.1.1.1 src-address=10.0.10.1 OK
> ping 1.1.1.1 src-address=10.0.20.1 OK

Ping from CISCO VLAN to MIKROTIK VLAN:
#ping 10.0.10.1 source 10.0.10.213 OK
#ping 10.0.20.1 source 10.0.20.213 OK
#ping 10.0.20.1 source 10.0.10.213 OK

Ping from Cisco VLAN to WAN
#ping 1.1.1.1 source 10.0.10.213 FAIL
#ping 1.1.1.1 source 10.0.20.213 FAIL

UPDATE1:
STATUS: SOLVED
This is the culprit:
> ip firewall filter export
add action=drop chain=forward comment="ALL USERS"
changed to
add action=drop chain=forward comment="ALL USERS" disabled=yes

Question:
1. Does anyone know how to debug which firewall filter rule is causing the problem if I know the source IP address?
I tried this, but it didn't list which filter was affected:
> ip firewall connection print from=[find src-address="10.0.10.105"]
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying,
F - fasttrack, s - srcnat, d - dstnat
# PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE
0 S C Fs icmp 10.0.10.105 9.9.9.9
Thanks.
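As an added illustration (not part of the post), a small Python walk of a RouterOS filter export that shows why the connection table cannot answer the question: the rule that drops a packet is decided top to bottom in the chain, so you have to replay the packet against the rules. The "ALL USERS" rule is the one from the post; the surrounding rules and the rule order are assumed for the example.

```python
import ipaddress
import shlex

# Constructed sample in "/ip firewall filter export" syntax. The "ALL USERS"
# catch-all is the rule from the post; the other rules are assumed for
# illustration, with the per-VLAN accepts placed below the catch-all.
FILTER_EXPORT = """\
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="ALL USERS"
add action=accept chain=forward comment="WAN1 to Internet" out-interface=ether1 src-address=10.0.10.0/24
add action=accept chain=forward comment="DMZ to Internet" out-interface=ether1 src-address=10.0.20.0/24
"""

NON_MATCHERS = {"action", "chain", "comment", "disabled"}  # keys that are not packet matchers

def parse_export(text):
    """Turn 'add key=value ...' lines into dicts; list order is the rule order."""
    rules = []
    for line in text.splitlines():
        if line.startswith("add "):
            # partition("=")[::2] yields (key, value); shlex keeps quoted comments whole
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def rule_matches(rule, pkt):
    """True if every matcher on the rule matches; a rule with no matchers matches everything."""
    if rule.get("disabled") == "yes":
        return False
    for key, value in rule.items():
        if key in NON_MATCHERS:
            continue
        if key in ("src-address", "dst-address"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "out-interface":
            if pkt["out-interface"] != value:
                return False
        elif key == "connection-state":
            if pkt["connection-state"] not in value.split(","):
                return False
        else:
            raise ValueError(f"matcher {key!r} not modelled; add it before trusting the result")
    return True

def first_match(rules, chain, pkt):
    """Walk the chain top to bottom; the first matching rule decides, as RouterOS does.
    Returns (index, rule), or None if the packet falls through every rule of the chain."""
    for idx, rule in enumerate(rules):
        if rule.get("chain") == chain and rule_matches(rule, pkt):
            return idx, rule
    return None

# The packet the Cisco ping sends: first packet of a new ICMP flow from vlan10 towards the WAN.
CISCO_PING = {"src-address": "10.0.10.213", "dst-address": "1.1.1.1",
              "out-interface": "ether1", "connection-state": "new"}

if __name__ == "__main__":
    rules = parse_export(FILTER_EXPORT)
    idx, rule = first_match(rules, "forward", CISCO_PING)
    print(f"rule {idx} ({rule['comment']}) -> {rule['action']}")  # rule 2 (ALL USERS) -> drop
    rules[idx]["disabled"] = "yes"                                  # the post's workaround
    idx, rule = first_match(rules, "forward", CISCO_PING)
    print(f"rule {idx} ({rule['comment']}) -> {rule['action']}")  # rule 3 (WAN1 to Internet) -> accept
```

On the router itself, `/ip firewall filter print stats` shows per-rule packet counters that climb while the failing ping runs, which is the quickest way to spot the offending rule. Note that disabling the catch-all drop removes the default-deny for the forward chain; moving the per-subnet accept rules above it keeps that posture while letting the VLANs out.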