everyone can reach it except we cannot reach each other
use, for example, at start 77.99.55.xxx/yy
Thank you for quick response.
What method is used?
DHCP? PPPoE? etc.?
What are the two WAN addresses? And Subnet? And Gateway?
Unfortunately, I was in contact with my ISP for almost an hour and they are sure there is absolutely nothing on their side to block our connection. Also, the difference in connection responses (timeout from my side vs "host unreachable" from friend's side) doesn't sound like it.
everyone can reach it except we cannot reach each other
The problem sounds analogous to the hairpin NAT problem, the difference being that it's pushed one layer out, into your ISP's border routers. The logic might be something like "If the source IP belongs to one of our customers, the destination cannot possibly be another of our customers, but only to something out on the wider Internet, so drop it, it's clearly bogus."
If that's right, only your ISP can fix this, if they even want to.
So it's really nothing with MikroTik router? Even considering different network responses?
ok same gateway.
only your wisp can unlock this for you, in two ways:
1) change one IP with one on another block
2) hope the ISP has a network engineer that can solve it with two routes....
I understand what you mean. Thank you.
But if your ISP gives the same gateway for both of us, your device can't reach your friend if the ISP router has every time the gateway IP
It's hard to explain in English, because I'm Italian.
Your ISP router search your friend on... the same ethernet where is the gateway... and is the local machine
Unfortunately, my ISP doesn't support IPv6 yet...
But.. can you reach each other via IPv6???
Just an idea... one "IPv6 tunnel" and you can reach your respective LAN or what you want...
My bad. One IP is xxx.xxx.xxx.xxx and the other one is xxx.xxx.xxx.xxx. But still, they are both in the same subnet and connected to the same gateway.
What is the difference of IP (not put the real numbers) between yours?
For example if one is 10.0.2.53 the other is 10.0.2.72 the difference is 29
Static, but assigned by DHCP.
Your IP are static or dynamic?
Understood. I will contact them. They were curious what is wrong with our connections, so I assume they will be happy to try new IP address outside the pool.
Ask one IP outside that pool (if possible)...
If your ISP can assign any IP outside that pool, and firewall allow communication between users, is done...
I'll try to explain it in English - when two devices are in the same subnet on an Ethernet (or similar) interface, they normally do not use any gateway to talk to each other; instead, the sender sends an ARP request "who has IP x.x.x.x" to determine the MAC address of the destination, and if it gets a response, it sends the packet to that MAC address. In access networks of most ISPs who use Ethernet with direct IP assignment (i.e. no PPPoE), customers in the same subnet are connected to the same "switch", but there is "port isolation" in place, preventing Ethernet frames from getting from one customer's equipment to another (intentionally). And if the ISP is big enough, the support guy you've talked to may not even know about this. If this is indeed the root cause of your issue, what might help (it did in my case) would be to add a route to your.ip.add.ress/32 via the same gateway IP given by the ISP, because a more narrow destination (longer prefix) always overrides a wider one, no matter what the distance is. But in order for it to work, the same has to be configured also on your router, and as it is not a Mikrotik one, I have no idea whether it is possible or not.
But if your ISP gives the same gateway for both of us, your device can't reach your friend if the ISP router has every time the gateway IP
Regarding the rest, I will find some time today to test as much of what you suggested as it is possible.
Maybe use Traceroute to find the sequence of routing steps for A and for B. What is common? (probably all) What steps work if they point to each other?
Why not proxy ARP? What if all your customers with public addresses wanted to communicate with each other? Isn't it kind of stupid (no offence) to give customers public addresses that can be used to communicate with whole world, but not with their next-door neighbours (with public addresses from same ISP)? It's something that should work by default, shouldn't it?
if someone has such a problem, I solve it immediately,
putting the Public IPs on two different pools... nothing easier...
When he opens something like https://wtfismyip.com in a browser on the LAN of his router, does it show the address the ISP has assigned him?
I have no ideas besides his public IP is misconfigured on ISP side (but as I have no experience here, I might be totally wrong).
Yes, it does.
When he opens something like https://wtfismyip.com in a browser on the LAN of his router, does it show the address the ISP has assigned him?
I have no ideas besides his public IP is misconfigured on ISP side (but as I have no experience here, I might be totally wrong).
In that case, the setting of the IP address itself is correct. So to move ahead, post an anonymized export of the configuration of the router (change the public IP address as per my automatic signature below, remove the serial number), so that I could give you the exact command line for the sniffer to see what is going on.
Yes, it does.
Here it is:
In that case, the setting of the IP address itself is correct. So to move ahead, post an anonymized export of the configuration of the router (change the public IP address as per my automatic signature below, remove the serial number), so that I could give you the exact command line for the sniffer to see what is going on.
What were the other options, Latin?
I'll try to explain it in English -
@netruitus do not use 3rd party sites for monetizing, or not.
You can add any attachment you want when you make any new post,
without the explosion of banners and advertisements, whether it makes you money or not.
I'm sorry. And thank you for correcting me.
Note: instead of pasting the export to an external web, place it here directly into the post, between [code] and [/code] tags.
The only moment we got anything from sniffer was during pinging neighbor IP address from my mobile phone. Nothing happened when I was trying to ping him from my IP address. Here is a sniffing result:
So open a command line window (e.g. using the [New Terminal] button in Winbox), make it as wide as your screen allows, and run /tool sniffer quick interface=ether1 ip-protocol=icmp in it. Then ping the public address from your home (or from another neighbor with public address) for 10 seconds; next, ping it for another 10 seconds from somewhere else (a PC connected to a mobile hotspot). Then stop the sniffing (press Ctrl-C) and paste the output of the sniffer here (edit the IP addresses before posting).
INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS
ether1 14.083 50 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 14.092 51 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX 1.1.1.1
ether1 14.629 52 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 14.64 53 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX 8.8.8.8
ether1 15.174 54 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 15.183 55 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX 1.1.1.1
ether1 15.765 56 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 15.777 57 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX 8.8.8.8
ether1 16.297 58 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 16.307 59 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX 1.1.1.1
ether1 16.429 60 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX <MY MOBILE IP>
ether1 16.429 61 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 16.865 62 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 16.877 63 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX 8.8.8.8
ether1 17.389 64 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX <MY MOBILE IP>
ether1 17.389 65 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 17.429 66 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 17.439 67 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX 1.1.1.1
ether1 17.974 68 -> XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY <NEIGHBOR IP>
ether1 17.986 69 <- YY:YY:YY:YY:YY:YY XX:XX:XX:XX:XX:XX 8.8.8.8
I have a TP-Link router on which I can set a static route, but I'm not sure if it's the same thing (screenshot from my router attached). To be honest I have no experience with routing that was suggested here. I think I will just contact my ISP hoping they will resolve this issue.
So what @Sob and @bpwl have written above relates. The issue is with your ISP, and it may be both an intention or an incompetence, hard to say. If you also had a Mikrotik router, it might work to configure two routes, one to each half of the WAN subnet, via the gateway pushed to you by the ISP via DHCP. But not knowing anything about your own router, I cannot guess whether it is possible on it as well. I mean, it has to be done at both your and your neighbor's router, otherwise the packets would go only one way.
It seems it should work, so you can try. Assuming you get 11.22.33.25/24 as your own address with gateway 11.22.33.1, you would add two routes via WAN:
I can set a static route, but I'm not sure if it's the same thing (screenshot from my router attached)
May I ask if there is any difference for mask /22? I think I understand a concept, but I don't want to misconfigure it in any way.
It seems it should work, so you can try. Assuming you get 11.22.33.25/24 as your own address with gateway 11.22.33.1, you would add two routes via WAN:
I can set a static route, but I'm not sure if it's the same thing (screenshot from my router attached)
destination 11.22.33.0 mask 255.255.255.128 gateway 11.22.33.1
destination 11.22.33.128 mask 255.255.255.128 gateway 11.22.33.1
And the same at the neighbor's Mikrotik.
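
Added example, not code from any poster in this thread: a small Python model of longest-prefix matching that shows why two half-subnet routes via the ISP gateway take precedence over the connected route, so traffic to a same-subnet neighbour goes to the gateway instead of being resolved by ARP behind port isolation. It generalizes the 11.22.33.25/24 case above to any mask; the /22 gateway 11.22.32.1 and all function names are assumptions made for illustration.

```python
import ipaddress

ON_LINK = "on-link (ARP for the destination itself)"

def halves(wan_cidr):
    """Split the connected WAN subnet of e.g. '11.22.33.25/24' into two halves."""
    net = ipaddress.ip_interface(wan_cidr).network
    return list(net.subnets(prefixlen_diff=1))

def half_routes(wan_cidr, gateway):
    """Render the two static routes in the 'destination/mask/gateway' form used above."""
    return [
        f"destination {h.network_address} mask {h.netmask} gateway {gateway}"
        for h in halves(wan_cidr)
    ]

def routing_table(wan_cidr, gateway, with_halves):
    """Default route + connected route, optionally plus the two half-subnet routes."""
    connected = ipaddress.ip_interface(wan_cidr).network
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), f"via {gateway}"),
        (connected, ON_LINK),
    ]
    if with_halves:
        table += [(h, f"via {gateway}") for h in halves(wan_cidr)]
    return table

def next_hop(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    # (WAN address, gateway, neighbour); the /22 row uses constructed values.
    cases = [
        ("11.22.33.25/24", "11.22.33.1", "11.22.33.72"),
        ("11.22.33.25/22", "11.22.32.1", "11.22.34.72"),
    ]
    for wan, gw, neighbour in cases:
        print(wan)
        for line in half_routes(wan, gw):
            print("  ", line)
        before = next_hop(routing_table(wan, gw, False), neighbour)
        after = next_hop(routing_table(wan, gw, True), neighbour)
        print(f"   {neighbour}: before = {before}; after = {after}")
```
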