kitar
just joined
Topic Author
Posts: 9
Joined: Wed Jun 19, 2013 2:54 am

Curiosity

Wed Jun 19, 2013 3:01 am

We have an RB 1100 with ROS 5.25. The config in question has 5 static addresses on ETH1, which is our external interface. Configuration is x.x.x.36 to .40/24.

At one point all addresses were pingable and worked. After a power outage, only the lowest number, .36, is usable and pingable. A downgrade was performed which yielded use of one more address, then another power failure, after which again only the lowest number address was usable. I am completely baffled. I did find that occasionally enabling then disabling the addresses will sometimes bring the addresses live again. I would love to hear thoughts on this.
 
lambert
Long time Member
Posts: 537
Joined: Fri Jul 23, 2010 1:09 am

Re: Curiosity

Wed Jun 19, 2013 7:44 am

Why things would have changed after only a reboot, I have no idea. I think we will need to see, at least:
/ip address export compact
/ip firewall export compact
 
kitar
just joined
Topic Author
Posts: 9
Joined: Wed Jun 19, 2013 2:54 am

Re: Curiosity

Wed Jun 19, 2013 2:27 pm

Let me clarify "reboot". All this started to happen after a power outage. I should have specified this.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Curiosity

Wed Jun 19, 2013 3:17 pm

Question still stands: we cannot help you if we do not know your IP configuration and your firewall, and I suspect we want to see the interface configuration.

Of course, you can obfuscate your real IP addresses, just use letters like X.X.X.50 and other subnet Y.Y.Y.51 etc. or it will be a complete mess.
 
kitar
just joined
Topic Author
Posts: 9
Joined: Wed Jun 19, 2013 2:54 am

Re: Curiosity

Thu Jun 20, 2013 4:12 am

add address=y.y.y.36/24 comment="Internet Connection" inte
add address=10.254.254.1/24 interface="LAN Bridge"
add address=y.y.y.37/24 comment="Chris Sparks" interface=e
add address=y.y.y.38/24 comment="Chris Sparks" interface=e
add address=192.168.88.2/24 interface=ether7
add address=10.254.250.1/24 comment="BH to MSWT" interface=ethe
add address=10.1.3.1/24 comment="UbiquitiOmni port12" interface
add address=192.168.3.1/24 comment="UbiquitiOmni port12" interf
add address=192.168.1.1/24 interface=ether4
add address=y.y.y.39/24 comment=Claude interface=ether1
add address=y.y.y.40/24 disabled=yes interface=ether1
add address=y.y.y.41/24 disabled=yes interface=ether1
add address=192.168.254.1/24 interface=ether11


/ip firewall nat
add action=src-nat chain=srcnat comment="Chris Sparks SRC-Nat" disabled=yes \
src-address=192.168.3.21 to-addresses=y.y.y.38
add action=dst-nat chain=dstnat disabled=yes dst-address=y.y.y.38 to-addresses=\
192.168.3.21
add action=dst-nat chain=dstnat comment=RADIUS dst-address=y.y.y.36 protocol=udp \
to-addresses=10.254.254.10 to-ports=1810-1816
add action=dst-nat chain=dstnat comment="Server DST-NAT" dst-address=y.y.y.36 \
protocol=tcp to-addresses=10.1.2.15 to-ports=3389
add action=dst-nat chain=dstnat comment="E and W Sharepoint" dst-address=\
y.y.y.39 protocol=tcp to-addresses=10.1.2.13 to-ports=80
add action=dst-nat chain=dstnat comment="Bobs Paint and Body RDP" dst-address=\
y.y.y.39 protocol=tcp to-addresses=10.1.2.15 to-ports=3389
add action=masquerade chain=srcnat comment="Masquerade all traffic" out-interface=\
ether1
add action=src-nat chain=srcnat comment="Server SRC-Nat" disabled=yes src-address=\
10.254.254.10 to-addresses=y.y.y.36
add action=src-nat chain=srcnat comment="Sharon Hoppe" disabled=yes src-address=\
10.1.2.3 to-addresses=y.y.y.38
add action=dst-nat chain=dstnat disabled=yes dst-address=y.y.y.38 to-addresses=\
10.1.2.3
add action=dst-nat chain=dstnat comment=Claude disabled=yes dst-address=y.y.y.39 \
to-addresses=10.2.0.6
add action=src-nat chain=srcnat disabled=yes src-address=10.1.2.6 to-addresses=\
y.y.y.39
 
lambert
Long time Member
Posts: 537
Joined: Fri Jul 23, 2010 1:09 am

Re: Curiosity

Thu Jun 20, 2013 8:54 am

I've reordered the IP addresses to make it easier to parse in my head.

It's unfortunate that your copy and paste truncated some of the lines, but I think we can figure out what is necessary. BTW, your configuration shows 6 IPs on ether1. There may have been a typo in your first post which said 5 IPs.
(/ip address)
  add address=y.y.y.36/24 comment="Internet Connection" inte(rface=ether1)
  add address=y.y.y.37/24 comment="Chris Sparks" interface=e(ther1)
  add address=y.y.y.38/24 comment="Chris Sparks" interface=e(ther1)
  add address=y.y.y.39/24 comment=Claude interface=ether1
  add address=y.y.y.40/24 disabled=yes interface=ether1
  add address=y.y.y.41/24 disabled=yes interface=ether1
  add address=10.254.254.1/24 interface="LAN Bridge"
  add address=192.168.88.2/24 interface=ether7
  add address=10.254.250.1/24 comment="BH to MSWT" interface=ethe
  add address=10.1.3.1/24 comment="UbiquitiOmni port12" interface
  add address=192.168.3.1/24 comment="UbiquitiOmni port12" interf
  add address=192.168.1.1/24 interface=ether4
  add address=192.168.254.1/24 interface=ether11
Personally, I would set the prefix length of y.y.y.37-41 to /32; leaving y.y.y.36 with its /24 prefix length. It may not be required on MikroTik, but it probably won't hurt. It has been required on some other systems I have used over the years.

Do you really not have any /ip firewall filter or /ip firewall mangle or /ip firewall address-list in your configuration?

I've reordered the two disabled NAT dst-nat rules to after the masquerade rule to make it easier for my brain to deal with. I also removed the line wrap.
/ip firewall nat
  add action=dst-nat chain=dstnat comment=RADIUS dst-address=y.y.y.36 protocol=udp  to-addresses=10.254.254.10 to-ports=1810-1816
  add action=dst-nat chain=dstnat comment="Server DST-NAT" dst-address=y.y.y.36 protocol=tcp to-addresses=10.1.2.15 to-ports=3389
  add action=dst-nat chain=dstnat comment="E and W Sharepoint" dst-address=y.y.y.39 protocol=tcp to-addresses=10.1.2.13 to-ports=80
  add action=dst-nat chain=dstnat comment="Bobs Paint and Body RDP" dst-address=y.y.y.39 protocol=tcp to-addresses=10.1.2.15 to-ports=3389
  add action=masquerade chain=srcnat comment="Masquerade all traffic" out-interface=ether1
(all disabled rules below here)
  add action=src-nat chain=srcnat comment="Chris Sparks SRC-Nat" disabled=yes src-address=192.168.3.21 to-addresses=y.y.y.38
  add action=dst-nat chain=dstnat disabled=yes dst-address=y.y.y.38 to-addresses=192.168.3.21
  add action=src-nat chain=srcnat comment="Server SRC-Nat" disabled=yes src-address=10.254.254.10 to-addresses=y.y.y.36
  add action=src-nat chain=srcnat comment="Sharon Hoppe" disabled=yes src-address=10.1.2.3 to-addresses=y.y.y.38
  add action=dst-nat chain=dstnat disabled=yes dst-address=y.y.y.38 to-addresses=10.1.2.3
  add action=dst-nat chain=dstnat comment=Claude disabled=yes dst-address=y.y.y.39 to-addresses=10.2.0.6
  add action=src-nat chain=srcnat disabled=yes src-address=10.1.2.6 to-addresses=y.y.y.39
From where are you pinging; from outside ether1, or from behind one of the other interfaces on the RB1100?

I don't see anything "wrong" with the config you gave us. But if you didn't give us the filter/masquerade/address-list parts, we are still blind.

Does "/system routerboard print" and / or "/system routerboard settings print" give you any blank fields or errors? My thinking is that it *might* be possible that the firmware was corrupted so didn't load and you are running on top of the backup bootloader firmware which could be really old and buggy. I don't *know* that would cause any issues. That is just me making a wild guess after not seeing a problem with the config you showed us.

Another wild idea: I also just want to confirm that the prefix length is supposed to be /24 rather than /29. It is acceptable to do it either way, but if it is supposed to be a /29, your default gateway would probably be y.y.y.33 and you would be using the five IPs from y.y.y.34-38. Having the wrong prefix length and using some of the wrong IPs might cause some issues like you are reporting. The upstream's gear might have previously been configured more ambiguously and permitted the incorrect configuration on your end.

You are probably correct, but while I am grasping at straws, I thought I would try for more than one. :D
 
kitar
just joined
Topic Author
Posts: 9
Joined: Wed Jun 19, 2013 2:54 am

Re: Curiosity

Thu Jun 20, 2013 1:55 pm

Thank you for your input, Lambert. /system routerboard print and /system routerboard settings print do not yield errors. I am pinging from the outside in; however, when 1 to 1 NAT is configured, the inet connection fails to the associated internal host as well. I am thinking firmware corruption, but as a newb to RouterOS I am not sure how to deal with that. I have tried both downgrading and upgrading the OS. In one instance, this process yielded positive results in that where an address was not functioning it started to, of course only up to when a power failure occurred again, then failed. I am aware that one can use the reset function, but does this only reset the configuration? Having said that, if it is corruption, how would one "wipe" it then reload, if you will? Thanks a bunch for your help.
 
kitar
just joined
Topic Author
Posts: 9
Joined: Wed Jun 19, 2013 2:54 am

Re: Curiosity

Thu Jun 20, 2013 2:06 pm

I should have posted this. The firmware version is 2.29. I just updated firmware to 3.07, same result.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Curiosity

Thu Jun 20, 2013 2:22 pm

Do not mix bootloader with RouterOS - the bootloader ensures that the OS works on the hardware and initializes it, and makes sure that NAND, RAM, PCIe etc. work.

RouterOS in this case is what you have to look at and your configuration.

For 1 to 1 NAT you can use addresses as you are using them already.

See examples in the manual on how 1 to 1 NAT has to be configured for it to work.

Start from a basic configuration and then add things up and check if the configuration still does what you require it to do.

BTW, if you use action src-nat, make sure that incoming traffic will be natted accordingly.
 
kitar
just joined
Topic Author
Posts: 9
Joined: Wed Jun 19, 2013 2:54 am

Re: Curiosity

Thu Jun 20, 2013 2:36 pm

Thank you for your reply, Janisk. 1 to 1 NAT was working until the address/s quit responding. Should I just try to reset the thing?
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Curiosity

Thu Jun 20, 2013 3:06 pm

Reset only helps if you are stumped by the configuration and do not see what could be wrong.

If you are not sure about some feature, it is better to try it out first on a test setup or in a simpler environment.

If this is all you have in NAT, there should not be a reason to reset the whole thing, just start from a simple configuration, like: masquerade everything, then add additional NAT rules for packet forwarding. Then attempt to add additional rules for 1 to 1 NAT.

Note that NAT rules work the same way as everywhere else in the firewall, that is, the first rule in the chain that gets the packet works with it, so make sure that specific src-nat rules are before the main masquerade rule, since you can set to what address to mask the source, while masquerade will select one of the addresses and use it.
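
The rule-ordering point above can be checked mechanically. The following is an added example, not part of the original post: a small Python lint that parses a `/ip firewall nat` export and lists src-nat rules placed below an enabled catch-all masquerade. The sample input is constructed from the srcnat rules posted earlier in this thread; the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: srcnat rules from the export posted in this thread,
# addresses kept in their obfuscated y.y.y.N form.
EXPORT = r'''/ip firewall nat
add action=src-nat chain=srcnat comment="Chris Sparks SRC-Nat" disabled=yes \
src-address=192.168.3.21 to-addresses=y.y.y.38
add action=masquerade chain=srcnat comment="Masquerade all traffic" out-interface=\
ether1
add action=src-nat chain=srcnat comment="Server SRC-Nat" disabled=yes src-address=\
10.254.254.10 to-addresses=y.y.y.36
add action=src-nat chain=srcnat comment="Sharon Hoppe" disabled=yes src-address=\
10.1.2.3 to-addresses=y.y.y.38
'''

# Matchers that narrow a rule; a masquerade with none of these is a catch-all.
NARROWING = ("src-address", "dst-address", "protocol")

def parse_rules(export):
    """Join backslash-wrapped lines and turn each 'add' line into a dict."""
    joined = re.sub(r"\\\n\s*", "", export)
    rules = []
    for line in joined.splitlines():
        if line.strip().startswith("add "):
            fields = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            fields["position"] = len(rules)
            rules.append(fields)
    return rules

def shadowed_src_nat(rules):
    """Return (position, comment, masquerade position) for each src-nat rule
    that sits below an enabled catch-all masquerade in chain srcnat.

    NAT is first-match per chain, so such a rule would never see a packet
    leaving via the masquerade's out-interface, even once re-enabled.
    """
    findings, catch_all = [], None
    for rule in rules:
        if rule.get("chain") != "srcnat":
            continue
        enabled = rule.get("disabled") != "yes"
        narrowed = any(m in rule for m in NARROWING)
        if rule.get("action") == "masquerade" and enabled and not narrowed:
            catch_all = catch_all or rule
        elif rule.get("action") == "src-nat" and catch_all:
            findings.append((rule["position"], rule.get("comment", ""),
                             catch_all["position"]))
    return findings
```
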
 
kitar
just joined
Topic Author
Posts: 9
Joined: Wed Jun 19, 2013 2:54 am

Re: Curiosity

Thu Jun 20, 2013 11:45 pm

Thanks Janisk. I am just grasping at straws. Even with 0 NAT rule and masquerade only, the addresses ping erratically, so I am not sure what to do.
 
Jorbu
just joined
Posts: 23
Joined: Sun Apr 01, 2012 4:23 am

Re: Curiosity

Sat Jun 22, 2013 12:51 am

Your ISP might've not saved their CPE router's config and it rolled back to a previous configuration after the blackout.

Are you able to disable all but one public IP and ping your ISP's gateway (through RouterOS)? Try this with all IPs and see which ones are successful.
 
kitar
just joined
Topic Author
Posts: 9
Joined: Wed Jun 19, 2013 2:54 am

Re: Curiosity

Mon Jun 24, 2013 6:09 am

The IPs work with a different MikroTik router. Possible interface errors?
