sebastyan
just joined
Topic Author
Posts: 5
Joined: Thu Mar 16, 2023 4:31 pm

Router itself can not access Internet but IP-s behind him can

Thu Mar 16, 2023 6:35 pm

Hello, I have a MikroTik CCR1009-7G-1C-1S+ and the ISP assigned me x.y.185.32/28. I connect to them on two bonded interfaces using 802.3ad link aggregation. I have the IP 10.254.39.254/24 set on my bond interface, and the ISP router has 10.254.39.1, which is set as the default gateway on my MikroTik router. On another interface (on a bridge) I set the IP x.y.185.33/28, which serves as the gateway for some servers that have IPs from x.y.185.34 to x.y.34.46. Additionally, I set up another bridge with a private IP of 192.168.40.1/24 and enabled masquerading to be able to NAT some computers to the Internet.

All the server IPs from x.y.185.34 to x.y.34.46 are able to access the Internet just fine, but the MikroTik router itself cannot access the Internet. The same goes for the NATed IPs in 192.168.40.0/24: they cannot access the Internet.
If I try to traceroute from the MikroTik to 8.8.8.8 I get 100% loss and nothing in the Host tab.
What am I doing wrong? Why can all the IPs from x.y.185.34 to x.y.34.46 access the Internet while the router cannot?
Attachments: Mikrotik schematic.JPG, Traceroute.JPG
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Router itself can not access Internet but IP-s behind him can

Thu Mar 16, 2023 8:28 pm

Without knowing your configuration, we're guessing. Please export and post your router configuration. To export and paste your configuration (I'm assuming you are using WebFig or Winbox), open a terminal window and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the Files section, right-click the filename you created and select Download to download the file to your computer. It will be a text file with whatever name you saved it under and an extension of .rsc. I suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then, in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle) and paste the text from the file between the two code words in brackets.
 
sebastyan
just joined
Topic Author
Posts: 5
Joined: Thu Mar 16, 2023 4:31 pm

Re: Router itself can not access Internet but IP-s behind him can

Fri Mar 17, 2023 11:04 am

Hello, and thank you for the quick response. One important piece of information I forgot to mention is that from the Internet I can ping the IP of the MikroTik, x.y.185.33.
Attached you will find the requested config file.
Thank you.
 
elbob2002
Member Candidate
Posts: 252
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

Re: Router itself can not access Internet but IP-s behind him can

Fri Mar 17, 2023 12:29 pm

You don't seem to have a filter rule that accepts established or related traffic in the INPUT chain on your WAN interface:

add action=accept chain=input connection-state=established,related
 
Zaesch
Frequent Visitor
Posts: 66
Joined: Thu Apr 16, 2009 12:43 pm

Re: Router itself can not access Internet but IP-s behind him can

Fri Mar 17, 2023 12:30 pm

OK. If I'm seeing it correctly, your router has a default route to 10.254.39.1 and will masquerade any traffic sourced from 192.168.34.0/24, 192.168.40.0/24 or 192.168.50.0/24 to the source 10.254.39.254.
Your ISP has to masquerade your router's IP 10.254.39.254 to a public IP address. If they do not do this, you can't reach the Internet.

The public addresses x.y.185.z will be routed through the router without masquerading and therefore transported to the Internet without a problem (assuming that your ISP does not filter those addresses). I suspect that your ISP knows that these public addresses are behind your router (10.254.39.254) and has a route for them. Your router knows the public network because it is directly connected to it and will route the reply packets to your servers.

In order to give your router and the 192.168.x.x networks Internet access, it is necessary to masquerade these sources to a public IP address, or to ask your provider to do so for your 10.254.39.254 address.
 
sebastyan
just joined
Topic Author
Posts: 5
Joined: Thu Mar 16, 2023 4:31 pm

Re: Router itself can not access Internet but IP-s behind him can

Fri Mar 17, 2023 2:19 pm

Thank you, Zaesch. Can you give me an example of how to masquerade to a public IP address? I did masquerade, but it's not working; maybe I did something wrong.
It would be great to solve this without the ISP's help (I am having trouble getting support from them).
 
Zaesch
Frequent Visitor
Posts: 66
Joined: Thu Apr 16, 2009 12:43 pm

Re: Router itself can not access Internet but IP-s behind him can

Fri Mar 17, 2023 2:58 pm

You can try to overwrite the source IP addresses with the public address of your router instead of masquerading them, like this:
add chain=srcnat src-address=192.168.40.0/24 action=src-nat to-addresses=x.y.185.33
*I never did something like your setup, so everything to solve it is just guessing on my side ;-) But I'm pretty sure about my explanation of your problem.
 
Zaesch
Frequent Visitor
Posts: 66
Joined: Thu Apr 16, 2009 12:43 pm

Re: Router itself can not access Internet but IP-s behind him can

Fri Mar 17, 2023 3:02 pm

The problem with your masquerading rules is that the MikroTik will use the IP address of the interface where the packet leaves the router for masquerading. In your setup that's bond1, with a local IP address (10.254.39.254).
 
sebastyan
just joined
Topic Author
Posts: 5
Joined: Thu Mar 16, 2023 4:31 pm

Re: Router itself can not access Internet but IP-s behind him can

Fri Mar 17, 2023 3:38 pm

Thank you, Zaesch. It's still not working; I tried what you suggested. I've made a request to my ISP to NAT the IP 10.254.39.254 in order to get access to the Internet.
I am wondering if I can use one of the IPs from the /28 as a secondary IP on the router on a virtual interface (a bridge with no physical ports) and use that one to NAT the IPs from 192.168.40.0/24 through it.
 
nickshore
Long time Member
Posts: 520
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Router itself can not access Internet but IP-s behind him can

Fri Mar 17, 2023 5:22 pm

You can use one of the spare IPs from the /28: set it with /32 on the end on the WAN interface, and then use a src-nat rule to src-nat the traffic to that IP when it goes out on that interface.
 
sebastyan
just joined
Topic Author
Posts: 5
Joined: Thu Mar 16, 2023 4:31 pm

Re: Router itself can not access Internet but IP-s behind him can

Mon Mar 20, 2023 7:20 pm

Thank you, nickshore. I added a new bridge (practically a virtual interface) and added one of the IPs from the /28 block, but as you suggested with a /32 mask. When I try to ping 8.8.8.8 using that IP as the source it works, which is a step in the right direction. But when I try to use 192.168.40.0/24 or 192.168.50.0/24 it's not working. Can you help me with an example of how to make the src-nat rule?
 
Zaesch
Frequent Visitor
Posts: 66
Joined: Thu Apr 16, 2009 12:43 pm

Re: Router itself can not access Internet but IP-s behind him can

Fri Apr 28, 2023 10:11 am

Hey. Sorry for the delay. Busy times these days.

Here is the NAT rule that should work:
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.40.0/24 to-addresses=x.y.185.zzz
x.y.185.zzz is the free address from your public address space.

Basically, it overwrites the source address of every packet sourced by your LAN PC network 192.168.40.0/24 with the public address.
It is possible to refine it a bit, so that the source address is only overwritten if the packet is routed to the Internet / transported over the Bond1 interface:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=Bond1 src-address=192.168.40.0/24 to-addresses=x.y.185.zzz

*The new bridge that you configured is not needed. Delete it ;-)
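The two fixes suggested in this thread (elbob2002's established/related accept in the input chain, and Zaesch's src-nat to a public address instead of masquerade) belong together, so here is one complete RouterOS fragment that applies both and also covers the router's own traffic, which the thread never quite resolved. This is an added example written for this page, not a configuration posted by anyone in the thread. It assumes the names used above: bond1 as the WAN bond, x.y.185.33 as the router's own public address, x.y.185.zzz as a spare address from x.y.185.32/28, plus assumed bridge names bridge-servers and bridge-lan; the order of rules in the original export is unknown, so the fragment shows the intended final state rather than a patch.

```routeros
# Added example, not from the thread. Assumed names: bond1 (WAN bond to the ISP),
# bridge-servers (holds the public /28), bridge-lan (192.168.40.0/24),
# x.y.185.33 (router's public address), x.y.185.zzz (spare address from the /28).

# 1. Addresses and default route, as described in the first post.
/ip address
add address=10.254.39.254/24 interface=bond1 comment="ISP transfer net (private)"
add address=x.y.185.33/28 interface=bridge-servers comment="public /28, gateway for the servers"
add address=192.168.40.1/24 interface=bridge-lan comment="NATed LAN"

/ip route
add dst-address=0.0.0.0/0 gateway=10.254.39.1 comment="default via ISP"

# 2. Source NAT. Masquerade picks the address of the egress interface, which on bond1
#    is the private 10.254.39.254; the ISP does not NAT it, so replies never come back.
#    src-nat with an explicit public to-addresses avoids that. The ISP already routes the
#    whole /28 to 10.254.39.254 and connection tracking reverses the translation in
#    prerouting, so x.y.185.zzz does not need to be assigned to any interface.
#    These rules must sit ABOVE the old masquerade rule (place-before=0 puts a new rule
#    at the top), or the masquerade rule is disabled as shown below.
/ip firewall nat
add chain=srcnat out-interface=bond1 src-address=192.168.40.0/24 action=src-nat \
    to-addresses=x.y.185.zzz comment="LAN -> Internet via spare public address"
# Traffic originated by the router itself (ping/traceroute from the terminal, DNS, NTP,
# package updates) leaves with source 10.254.39.254; translate it to the router's public IP.
add chain=srcnat out-interface=bond1 src-address=10.254.39.254 action=src-nat \
    to-addresses=x.y.185.33 comment="router itself -> Internet"
# Disable (rather than delete) the old masquerade rule while testing:
#   /ip firewall nat disable [find action=masquerade]
# Alternative for the router's own traffic, without NAT: set the preferred source
# address on the default route.
#   /ip route set [find dst-address=0.0.0.0/0] pref-src=x.y.185.33

# 3. Input chain. Even with correct NAT, replies to the router's own connections are
#    dropped if no rule accepts established/related traffic before the drop rules.
#    This must be the first rule of the input chain, above the existing drops.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    place-before=0 comment="replies to router-originated connections"

# 4. Verify: the src-nat counters should increase and the ping should get replies.
#   /ping 8.8.8.8 count=3
#   /ip firewall nat print stats
#   /ip firewall connection print where dst-address~"8.8.8.8"
```

If the ping from the router works but hosts in 192.168.40.0/24 still fail, check the NAT counters: a zero count on the LAN src-nat rule means a masquerade rule above it is still matching first.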
