consultar
newbie
Topic Author
Posts: 26
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Can't ping gateway

Mon Jun 05, 2023 5:18 pm

Hi everyone, I'm coming to request your help once again with this issue. As the subject claims, any device in my network (in all VLANs) can ping its default gateway to MikroTik.
Everything else in the network seems to be working properly: the DHCP servers are delivering IPs accordingly to each VLAN, everybody is getting an internet connection, and the failover between both ISPs is working fine as well.

So it wouldn't really bother me, except for the fact that I'm also having problems with inter-VLAN communication, and perhaps this could be related to that, I really don't know. But I've been looking everywhere in my config and didn't find anything, and the internet is not helping me either; it's not very common. I just can't get that ping to the gateway.

If I traceroute 8.8.8.8, the first hop is in fact the gateway, so it's working (but ping isn't - it's a Linux server, so no firewall should be bothering).
(traceroute to 8.8.8.8 (8.8.8.8 ), 30 hops max, 60 byte packets
1 10.0.10.1 (10.0.10.1) 0.362 ms 0.413 ms 0.486 ms)


Any ideas on what's going on here? Any help would be much appreciated!

This is the network layout: https://lucid.app/publicSegments/view/c ... ad0eae6de0

And my config is this:
# jun/03/2023 00:11:10 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
# serial number = 763307BCEAAB
/interface bridge
add name=BridgeVLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name=vlan10-LAN vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN comment="PVE3 (Servidor CP)" frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN comment="Switch Soporte (unmanageable)" \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BridgeVLAN comment="Switch Aruba (manageable)" frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 \
    vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN
/ip address
add address=10.0.10.1/24 interface=vlan10-LAN network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
add address=192.168.99.1/24 comment="acceso secundario" interface=ether10 \
    network=192.168.99.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9
/ip firewall address-list
add address=10.0.10.0/24 comment="Resto de la red" list=a_fibercorp
add address=10.0.20.0/24 comment=VLAN-Clientes list=a_claro
add address=10.0.30.0/24 comment="Camaras" list=a_fibercorp
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow admin to config router" \
    in-interface-list=ADMIN
add action=accept chain=input comment="Allow VLAN DNS queries-UDP" dst-port=\
    53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="accept inter VLAN traffic" \
    connection-state="" in-interface-list=VLAN out-interface-list=VLAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="allow vlan10 access to other vlans" \
    in-interface=vlan10-LAN out-interface-list=VLAN
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=servidor_cp disabled=yes dst-port=\
    XXXX in-interface-list=WAN protocol=tcp to-addresses=10.0.10.101 \
    to-ports=XXXX
add action=dst-nat chain=dstnat comment=cosag dst-port=XXX \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.102 to-ports=XXXX
add action=dst-nat chain=dstnat comment=w2019 dst-port=XXXX \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.103 to-ports=XXX
add action=dst-nat chain=dstnat comment=serverX dst-port=XXX \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.20.253 to-ports=XXXX
add action=dst-nat chain=dstnat comment=Clientes-1 dst-port=XXX \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.110 to-ports=XXX
add action=dst-nat chain=dstnat comment=webserver dst-port=xxx in-interface=\
    ether1-Claro protocol=tcp to-addresses=10.0.10.201 to-ports=xxx
add action=dst-nat chain=dstnat comment="Nginx Reverse Proxy Server" \
    dst-port=XXX in-interface=ether2-Fibercorp protocol=tcp to-addresses=\
    10.0.10.230 to-ports=XXXX
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/lcd
set time-interval=hour
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
    ;\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
    teway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
    gw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
    way ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
    ;\r\
    \n}\r\
    \n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
    ] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
    \$newgw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
    ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
    \n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=zzzz@gmail.com password=\
    ntrtjatvlbgoxsuj port=zzz start-tls=yes user=zzzzz
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool romon
set enabled=yes
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Can't ping gateway

Tue Jun 06, 2023 4:28 am

It's always the possibility that the gateway is set up to not respond to pings. Some people think that's the way to go...
 
consultar
newbie
Topic Author
Posts: 26
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Can't ping gateway

Tue Jun 06, 2023 4:00 pm

It's always the possibility that the gateway is set up to not respond to pings. Some people think that's the way to go...
Thanks for the reply,
I believe this firewall rule is accepting pings, isn't it?
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Can't ping gateway

Tue Jun 06, 2023 4:28 pm

As I understand what you say your problem is, all devices on your LAN can ping the Mikrotik, but the Mikrotik can't ping the ISP gateway. My answer was based on that assumption. The firewall rule you posted relates to your client devices on your LAN being able to ping the Mikrotik. That has nothing to do with the ISP gateway responding to ping.
 
consultar
newbie
Topic Author
Posts: 26
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Re: Can't ping gateway  [SOLVED]

Tue Jun 06, 2023 5:16 pm

Problem solved!
The pinging and the inter-VLAN communication.

For anyone struggling with the same issue, it was the routing marks of the different WANs that were generating the problem.
I found this post viewtopic.php?t=133209 that helped me.

It turns out that I needed to add a couple of mangle rules at the top:
add action=accept chain=prerouting dst-address=10.0.10.0/24 passthrough=no
add action=accept chain=prerouting dst-address=10.0.20.0/24 passthrough=no
Thanks everybody! :D
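
Added example, not part of the original posts: a simplified Python model of the posted mangle rules and routing tables, showing why a source-based routing mark sends gateway pings and inter-VLAN traffic to the WAN and what the two accept rules change. It assumes the RouterOS v6 behaviour that a marked packet is looked up in its mark's table first and falls back to the main table only when nothing matches; host addresses and hop labels are constructed.

```python
import ipaddress as ip

# Constructed model of the posted config; ISP gateways are redacted on the page,
# so next hops are labelled by WAN interface only.
CONNECTED = {"10.0.10.0/24": "vlan10-LAN", "10.0.20.0/24": "vlan20-Clientes",
             "10.0.30.0/24": "vlan30-Camaras"}
ROUTER_IPS = {"10.0.10.1", "10.0.20.1", "10.0.30.1"}
# Each marked table holds only a default route, as in the posted /ip route section.
TABLES = {"a-fibercorp": {"0.0.0.0/0": "WAN via ether2-Fibercorp"},
          "a-claro": {"0.0.0.0/0": "WAN via ether1-Claro"}}
# src-address-list -> new-routing-mark, from the posted mangle and address-list sections.
MARK_RULES = [("10.0.10.0/24", "a-fibercorp"), ("10.0.20.0/24", "a-claro"),
              ("10.0.30.0/24", "a-fibercorp")]
# The two accept rules from the solution post, placed ahead of the mark-routing rules.
FIX_RULES = ["10.0.10.0/24", "10.0.20.0/24"]

def in_net(addr, net):
    return ip.ip_address(addr) in ip.ip_network(net)

def prerouting(src, dst, fixed):
    """Return the routing mark the mangle prerouting chain leaves on the packet."""
    if fixed and any(in_net(dst, n) for n in FIX_RULES):
        return None                      # action=accept: chain ends before marking
    for net, mark in MARK_RULES:
        if in_net(src, net):
            return mark                  # action=mark-routing
    return None

def lookup(table, dst):
    """Longest-prefix match in one table; None when nothing matches."""
    hits = [n for n in table if in_net(dst, n)]
    return table[max(hits, key=lambda n: ip.ip_network(n).prefixlen)] if hits else None

def route(src, dst, fixed=False):
    mark = prerouting(src, dst, fixed)
    if mark:                             # the marked table is consulted first
        hop = lookup(TABLES[mark], dst)
        if hop:
            return hop                   # its default route matches every destination
    if dst in ROUTER_IPS:                # main table: delivered to the router itself
        return "local"
    return lookup(CONNECTED, dst) or "main default"
```

In this model, traffic destined to 10.0.30.0/24 is still marked after the change, because the two posted accept rules cover only 10.0.10.0/24 and 10.0.20.0/24.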
