ajglowacki1

Host Can't Ping other Network But MikroTiks Can

Tue May 17, 2022 7:22 pm

I'm setting up a lab for our office. For some reason, hosts can't ping outside their own network, but the MikroTik devices themselves can. All MikroTik devices are running RouterOS 6.
Host is connected to ether1.
An Ubiquiti Device to ether24
MikroTik Devices to ether19 thru ether23.

Host is attempting to ping 10.50.50.0/24 network (10.50.50.1 and 10.50.50.198 specifically).
Host IP is 192.168.89.2/24 + GW 192.168.89.31

FULL CONFIG

[admin@MikroTik] > export
# may/17/2022 11:15:16 by RouterOS 6.46.1
# software id = KWDC-246G
#
# model = CRS125-24G-1S-2HnD
# serial number = 49C804C57629
# NOTE(review): 6.46.1 is an early-2020-era release and this capture is from May
# 2022; check it against the current long-term/stable release before trusting this
# box as the management-network gateway. An export omits settings still at their
# defaults (e.g. /ip service, the wireless security mode), so "not shown" below
# means "default", not "disabled".
/interface bridge
add name="MGMT Bridge"
/interface wireless
# NOTE(review): wlan1 is enabled as an AP (ssid MikroTik-92289D). The only security
# profile setting exported is supplicant-identity, so the default profile is
# presumably still at its default (no WPA) and this SSID is open - confirm with
# "/interface wireless security-profiles print", then either disable wlan1 or set
# mode=dynamic-keys with authentication-types=wpa2-psk on the profile. wlan1 is not
# a bridge port and has no address, so associated clients get no L3 path, but the
# radio is still exposed.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-92289D wireless-protocol=802.11
/interface ethernet
# Port roles are comments only; nothing below enforces them. ether19 is labelled
# MGMT here but is not a bridge port (see /interface bridge port).
set [ find default-name=ether1 ] comment="Maintenance Computer"
set [ find default-name=ether19 ] comment="MGMT 750GR 02"
set [ find default-name=ether20 ] comment="MGMT 750GR 01"
set [ find default-name=ether21 ] comment="MGMT 750GL 03"
set [ find default-name=ether22 ] comment="MGMT 750GL 02"
set [ find default-name=ether23 ] comment="MGMT 750GL 01"
set [ find default-name=ether24 ] comment="GATEWAY: DREAM MACHINE"
/interface vlan
# The management VLAN (99) is disabled, so the 192.168.99.31/24 address attached to
# it under /ip address is inactive and there is no L2 segmentation on the bridge.
add disabled=yes interface="MGMT Bridge" name="MGMT VLAN" vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Only the supplicant identity is set on the default profile; no authentication
# parameters are exported (see the wlan1 note above).
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# NOTE(review): leftover defconf server - no interface= is set and its pool/gateway
# (192.168.88.x) belong to a network this router no longer has an address in. It is
# presumably inactive; remove it rather than leave a server that would hand out an
# unreachable gateway if it were ever bound to an interface.
add address-pool=default-dhcp disabled=no name=defconf
/interface bridge port
# The maintenance host (ether1), the upstream gateway (ether24) and the managed
# routers on ether20-23 share one flat L2 domain. trusted=yes only has an effect
# when dhcp-snooping is enabled on the bridge, which this export does not show.
add bridge="MGMT Bridge" interface=ether23 trusted=yes
add bridge="MGMT Bridge" interface=ether22 trusted=yes
add bridge="MGMT Bridge" interface=ether21 trusted=yes
add bridge="MGMT Bridge" interface=ether20 trusted=yes
add bridge="MGMT Bridge" interface=ether1 trusted=yes
add bridge="MGMT Bridge" interface=ether24 trusted=yes
/ip neighbor discovery-settings
# LAN has no member interface (see /interface list member), so neighbor discovery
# is presumably off on every interface; the same applies to /tool mac-server below.
set discover-interface-list=LAN
/interface list member
# NOTE(review): the only WAN member is ether1 - the maintenance host's port - while
# the actual uplink (ether24) is in no list, and LAN has no member at all. Because
# ether1 is a bridge port, the IP firewall sees traffic leaving via "MGMT Bridge",
# not ether1, so the WAN-based masquerade rule below never matches; this is the
# root cause of the host's one-way reachability to 10.50.50.0/24.
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.99.31/24 comment="MGMT VLAN" interface="MGMT VLAN" network=\
192.168.99.0
add address=192.168.89.31/24 comment="MGMT Bridge" interface="MGMT Bridge" \
network=192.168.89.0
/ip dhcp-client
# DHCP client can not run on slave interface!
# (The line above is the export's own warning: ether24 is a bridge port, so this
# client is inactive as exported. The route listing in the thread shows a connected
# 10.50.50.0/24 route with pref-src 10.50.50.198 on "MGMT Bridge", which implies an
# address was obtained at some point - presumably the bridge membership differed
# between captures; verify with "/ip address print".)
add disabled=no interface=ether24
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# NOTE(review): remote DNS requests are accepted and there are no IPv4 input rules
# (see /ip firewall filter), so the resolver answers on every interface, including
# the uplink side. /ip service is not in the export, so the management services
# (winbox, ssh, www, api, ...) are presumably at their defaults and equally exposed.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# NOTE(review): this single rule is the entire IPv4 filter. src-address=0.0.0.0 and
# dst-address=0.0.0.0 match only the host 0.0.0.0/32, not "any", so the rule matches
# nothing useful, and with no other rules the implicit default accepts all input and
# forward traffic. The IPv6 chains below keep the defconf baseline; the IPv4 chains
# should carry the same (accept established/related, drop invalid, drop input not
# from LAN) once LAN/WAN membership has been corrected.
add action=accept chain=forward dst-address=0.0.0.0 in-interface="MGMT Bridge" \
out-interface="MGMT Bridge" src-address=0.0.0.0
/ip firewall nat
# Never matches in this layout: the egress interface seen by the firewall is the
# bridge, and the only WAN member (ether1) is itself a bridge port.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Stock defconf IPv6 rule set, untouched. The final input and forward drops key on
# in-interface-list=!LAN; with LAN empty they presumably drop from every interface,
# i.e. the IPv6 side is restrictive while the IPv4 side above is wide open.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Chicago
/tool mac-server
# Both MAC-server lists reference LAN, which currently has no member interface.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

ROUTES:

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.50.50.1 1
1 ADC 10.50.50.0/24 10.50.50.198 MGMT Bridge 0
2 ADC 192.168.89.0/24 192.168.89.31 MGMT Bridge 0
 
Sob

Re: Host Can't Ping other Network But MikroTiks Can  [SOLVED]

Wed May 18, 2022 2:52 am

You have a masquerade rule with out-interface-list=WAN and ether1 in the WAN list, but because ether1 is also a bridge port, the outgoing interface as seen by the IP firewall is "MGMT Bridge", so the masquerade never matches. If the upstream router doesn't have a route to 192.168.89.2, the host has no chance to get out (more accurately, packets can get out, but no response will come back). The config is, let's say, a bit unusual.
