natethelen
just joined
Topic Author
Posts: 8
Joined: Sat May 17, 2014 8:30 am

mikrotik not responding to only one host on internal network

Sat Mar 20, 2021 11:58 am

I have a 1100AHx2 with v6.48.1 of the firmware and OS (I upgraded as part of the troubleshooting which didn't help). I am having a problem where a single host on my internal network is unable to connect directly to the router intermittently. When the problem is happening that host can still connect through the router to the internet. It just can't use any services on the router like DNS (I have also tested that I can't access the router via ssh, http, or ping). Also, during the problem all other hosts have no problems connecting directly to the router and all other hosts have no problem interacting with the host having the problem.

I noticed the problem soon after I enabled a service that backs up data from the problem host to S3. Might be something to do with increased traffic (though we are heavy internet users in general and the syncing shouldn't be unusual in any way I can think of). It pretty much happens every time I start the backup.

Some things I have tried:
- upgrading the router OS (this also reboots the router)
- upgrading the router firmware
- pinging the host from router also doesn't work at the time of the problem (though the router can ping other hosts just fine)
- when I do a sniffer tool session on the router, I see the ping requests coming into the router, but the router never responds
- CPU load never seems to break 10%
- Swapped out internal network cable and changed to different ports on both router and Cisco switch (that is only device between router and problem host)
- Adding the host to a queue that limits upload to about 50% of WAN bandwidth

Other notes:
- It eventually starts working again after a while
- I do sometimes have some ping packet loss (5-10%, not total loss like problem host) from other hosts when the problem is happening
- Problem host has bonded ethernet cables between Cisco switch and host.

Does anyone have ideas as to where to look?

Thank you,
Nate
 
accarda
Member Candidate
Posts: 208
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: mikrotik not responding to only one host on internal network

Sat Mar 20, 2021 12:41 pm

I have got a similar issue, only with one of my iPads, which does not reach the router on its LAN IP.
Like in your case, the iPad can go on internet and do all the rest.
In my case I partially fixed the issue by connecting that iPad to the router's loopback address instead of the one from same LAN, and the iPad was able to connect.
In my case I'm using some terminal program on iPad to do ssh and only once, after that client app updated, I was able to connect to router via LAN's IP.
After updating iOS, same issue again and now I'm connecting to loopback's IP.

Armando
 
natethelen
just joined
Topic Author
Posts: 8
Joined: Sat May 17, 2014 8:30 am

Re: mikrotik not responding to only one host on internal network

Sat Mar 20, 2021 11:30 pm

I wiped my router and started over, adding back in only the items I was confident (or at least highly confident) were not causing the problem. I am back up and running and don't seem to have seen the problem for a while (an hour), so I *think* that it must have something to do with these firewall rules:
/ip firewall address-list
add address=192.168.22.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=log chain=input disabled=yes
add action=drop chain=input comment="Drop anything else!"
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
I am going to carefully try adding some of them above (after 24 hours) and see if I can isolate some more. Will update if I have any new information.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: mikrotik not responding to only one host on internal network

Sun Mar 21, 2021 12:37 am

You've got a mechanism to automatically black-list some addresses. It can happen that a "trusted" host lands on the list. You also have a white-list. You should allow connections from the white-list before dropping anything from the black-lists (both the static list and the auto-list).
 
natethelen
just joined
Topic Author
Posts: 8
Joined: Sat May 17, 2014 8:30 am

Re: mikrotik not responding to only one host on internal network

Thu Mar 25, 2021 6:20 pm

I agree. It HAS to be those first 2 filters that blacklist addresses for 30 minutes with a connection-limit of 30,32. My internal server must have exceeded that, and there wasn't anything first whitelisting my internal network.

Probably moving this to the top would fix it:
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
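As an added illustration of the rule-ordering point above (this is not code from the thread or from RouterOS), the following Python model walks a simplified version of the posted input chain top to bottom and shows why a white-listed LAN host that trips the Syn_Flooder rule ends up dropped in the original order but not once the support accept is moved to the top. The host address 192.168.22.50, the connection counts and the packet fields are constructed; the ICMP jump, related-state and port-scan rules are left out because they do not affect the outcome.

```python
from ipaddress import ip_address, ip_network

SUPPORT = [ip_network("192.168.22.0/24")]  # the thread's static "support" white-list
CONN_LIMIT = 30                             # connection-limit=30,32: more than 30 conns per /32

def in_support(addr):
    return any(ip_address(addr) in net for net in SUPPORT)

# Each rule: (comment, action, predicate(packet, syn_flooder_set)). Only the rules that
# matter for the symptom are modelled (simplified model, not RouterOS itself).
SYN_DETECT = ("Add Syn Flood IP to the list", "add-src-to-address-list",
              lambda p, sf: p["proto"] == "tcp" and p["syn"] and p["conns"] > CONN_LIMIT)
SYN_DROP = ("Drop to syn flood list", "drop", lambda p, sf: p["src"] in sf)
ESTABLISHED = ("Accept to established connections", "accept",
               lambda p, sf: p["state"] == "established")
SUPPORT_OK = ("Full access to SUPPORT address list", "accept", lambda p, sf: in_support(p["src"]))
DROP_ALL = ("Drop anything else!", "drop", lambda p, sf: True)

ORIGINAL_ORDER = [SYN_DETECT, SYN_DROP, ESTABLISHED, SUPPORT_OK, DROP_ALL]
WHITELIST_FIRST = [SUPPORT_OK, SYN_DETECT, SYN_DROP, ESTABLISHED, DROP_ALL]

def walk_input_chain(rules, pkt, syn_flooder):
    """First matching terminal rule wins; add-src-to-address-list is treated as
    non-terminal here: it records the source in the auto-list and the walk continues."""
    for comment, action, match in rules:
        if not match(pkt, syn_flooder):
            continue
        if action == "add-src-to-address-list":
            syn_flooder.add(pkt["src"])
            continue
        return action, comment
    return "drop", "implicit end of chain"

def simulate(rules):
    """The backup host (constructed address) opens a burst of TCP connections to the
    router, then later sends a plain DNS query. Returns (verdict, was_blacklisted)."""
    syn_flooder = set()   # address-list=Syn_Flooder with address-list-timeout=30m
    burst = {"src": "192.168.22.50", "proto": "tcp", "syn": True, "conns": 40, "state": "new"}
    walk_input_chain(rules, burst, syn_flooder)
    dns = {"src": "192.168.22.50", "proto": "udp", "syn": False, "conns": 1, "state": "new"}
    verdict, _ = walk_input_chain(rules, dns, syn_flooder)
    return verdict, "192.168.22.50" in syn_flooder

if __name__ == "__main__":
    print("original order :", simulate(ORIGINAL_ORDER))   # ('drop', True)
    print("whitelist first:", simulate(WHITELIST_FIRST))  # ('accept', False)
```

With the support accept first, the white-listed host never reaches the auto-blacklist rule at all, which is the ordering mkx describes; a real Syn_Flooder entry would otherwise persist for the configured 30 minutes, matching the "eventually starts working again" symptom.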
 
SamMacDonald
just joined
Posts: 1
Joined: Thu Mar 25, 2021 6:39 pm

Re: mikrotik not responding to only one host on internal network

Thu Mar 25, 2021 6:47 pm

Yep, similar issue :C
