 
DarkNate
just joined
Topic Author
Posts: 23
Joined: Fri Jun 26, 2020 4:37 pm

Reachability/Ping issues on RouterOS 6.47

Wed Jul 01, 2020 1:42 pm

So after setting up my RouterBoard with many changes here and there, I realised that:
  • LAN devices cannot ping/reach each other
  • RouterOS cannot ping LAN devices
  • LAN devices can ping RouterOS
  • LAN to WAN, WAN to LAN works
All LAN devices have the internet working and no problems with port forwarding etc.

I'm using default bridge, ethernet configuration out of the box and was surprised to see this behaviour. I only have one default subnet.

Does anybody have any ideas?

Below is my configuration:
[admin@ MikroTik] > export hide-sensitive
# jul/01/2020 16:07:38 by RouterOS 6.47
# 
#
# model = RB450Gx4
# Export taken with "export hide-sensitive". The PPPoE service-name and user
# appear masked as #####, but the bridge admin-mac below is still printed in full.
# NOTE(review): hardware identifiers such as the admin MAC are worth redacting
# by hand before a config is posted publicly.
/interface bridge
# One bridge named "bridge" with a fixed admin MAC (auto-mac=no);
# DHCP snooping and IGMP snooping are both enabled on it.
add admin-mac=C4:AD:34:9A:92:8B auto-mac=no comment=defconf dhcp-snooping=yes igmp-snooping=yes name=bridge
/interface pppoe-client
# PPPoE uplink over ether1; installs the default route (add-default-route=yes).
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=5 max-mru=1500 max-mtu=1460 name=pppoe-out1 service-name=##### user=#####
/interface list
# WAN and LAN lists are referenced later by the firewall, NAT, detect-internet and mac-server sections.
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
# Address range handed out by the DHCP server defined below.
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# DHCP server is bound to the bridge interface, with 1-day leases.
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/queue type
# Item 0 is switched to SFQ (presumably the built-in "default" type -- confirm with "/queue type print").
set 0 kind=sfq
# Custom RED queue type used by the HTTP_BIG and OTHER leaves below.
add kind=red name=redCustom red-avg-packet=1514
/queue tree
# Download tree: root "DOWN" is attached to the bridge and capped at 99M.
# Each child matches a packet-mark that is set in /ip firewall mangle and /ipv6 firewall mangle.
add bucket-size=0.01 max-limit=99M name=DOWN parent=bridge queue=default
add name="1. DNS" packet-mark=DNS parent=DOWN priority=1 queue=default
add limit-at=8M max-limit=10M name="2. VOIP" packet-mark=VOIP parent=DOWN priority=2 queue=default
add name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=default
add limit-at=10M max-limit=90M name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=default
add name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 queue=default
add burst-limit=100M burst-threshold=4M burst-time=5s limit-at=8M max-limit=90M name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 queue=default
add burst-limit=100M burst-threshold=4M burst-time=5s limit-at=8M max-limit=90M name="7. QUIC" packet-mark=QUIC parent=DOWN priority=6 queue=default
add name="8. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN priority=7 queue=redCustom
# "9. OTHER" sets no priority, so it runs at the RouterOS default priority.
add name="9. OTHER" packet-mark=OTHER parent=DOWN queue=redCustom
# Upload tree: root "UP" is attached to pppoe-out1 and capped at 99M; leaves mirror the DOWN tree.
add bucket-size=0.01 max-limit=99M name=UP parent=pppoe-out1 queue=default
add name="1. DNS_" packet-mark=DNS parent=UP priority=1 queue=default
add limit-at=8M max-limit=10M name="2. VOIP_" packet-mark=VOIP parent=UP priority=2 queue=default
add name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=default
add limit-at=10M max-limit=90M name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=default
add name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=default
add burst-limit=100M burst-threshold=4M burst-time=5s limit-at=8M max-limit=90M name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=default
add burst-limit=100M burst-threshold=4M burst-time=5s limit-at=8M max-limit=90M name="7. QUIC_" packet-mark=QUIC parent=UP priority=6 queue=default
add name="8. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=7 queue=redCustom
add name="9. OTHER_" packet-mark=OTHER parent=UP queue=redCustom
/interface bridge port
# ether2-ether5 are all ports of "bridge"; ether1 is left out and carries the PPPoE uplink.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery is enabled on no interface list (discover-interface-list=none).
set discover-interface-list=none
/ipv6 settings
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=WAN
/interface list member
# LAN = bridge; WAN = ether1 and pppoe-out1. The firewall rules key off these lists.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# NOTE(review): 192.168.88.1/24 is assigned to ether2, yet ether2 is a port of "bridge"
# (see /interface bridge port above), while the DHCP server and the LAN list use "bridge".
# An address on a bridge port instead of the bridge itself is presumably related to the
# reported ping/reachability symptoms -- confirm; the actual fix is not shown on this page.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip cloud
# MikroTik cloud DDNS is on, with a 2-minute update interval.
set ddns-enabled=yes ddns-update-interval=2m
/ip dhcp-client
# DHCP client on ether1 adds no default route and ignores peer DNS/NTP; the default route comes from PPPoE.
add add-default-route=no comment=defconf disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
# LAN clients are told to use the router (192.168.88.1) as both gateway and DNS server.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
# allow-remote-requests=yes makes the router answer DNS queries from other hosts.
# No filter rule in this export mentions DNS specifically; on IPv4, queries arriving on WAN
# interfaces are only stopped by the input-chain rule "drop all not coming from LAN".
# NOTE(review): keep that drop rule (and its IPv6 counterpart) in place while this is enabled,
# otherwise the resolver becomes reachable from the internet.
/ip dns
set allow-remote-requests=yes cache-size=5120KiB max-concurrent-queries=150 max-concurrent-tcp-sessions=30 servers="176.103.130.130,206.189.142.179,9.9.9.10,149.112.112.10,8.8.8.8,1.1.1.1,2a00\
    :5a60::ad2:ff,2620:fe::10,2620:fe::fe:10,2001:4860:4860::8888,2001:4860:4860::8844,2606:4700:4700::1111,2606:4700:4700::1001"
/ip dns static
# Static A record so LAN clients can resolve router.lan to the router address.
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
# Private IPv4 ranges; the mangle rules use "!RFC1918" to skip traffic to private destinations.
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
/ip firewall filter
# Rules are evaluated top to bottom per chain; the order below is significant.
# --- input chain (traffic addressed to the router itself) ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP is accepted before the non-LAN drop, so the router also answers ICMP arriving on WAN interfaces.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: anything not matched above is dropped unless it arrived on an interface in the LAN list.
# There is no drop for traffic coming from LAN, so every enabled router service stays reachable from LAN hosts.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain (traffic routed through the router) ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# NOTE(review): fasttrack is limited to in-interface=bridge AND out-interface=bridge, so routed
# LAN<->WAN connections do not match it. Presumably this is deliberate so the mangle marks and
# queue tree still see that traffic -- confirm intent.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related in-interface=bridge out-interface=bridge
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only new connections from WAN that were not dst-NATed are dropped; the forward chain has no
# catch-all drop, so everything else (for example LAN-originated traffic) is accepted by default.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# QoS classification feeding /queue tree. Pattern: a mark-connection rule (passthrough=yes) tags the
# connection, then a mark-packet rule (passthrough=no) tags its packets and ends mangle processing
# for that packet in the chain. dst-address-list=!RFC1918 excludes private destinations.
# DNS: UDP port 53. The postrouting pair carries no dst-address-list restriction, unlike the prerouting pair.
add action=mark-connection chain=prerouting comment=DNS connection-state=new dst-address-list=!RFC1918 new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS dst-address-list=!RFC1918 new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=DNS passthrough=no
# VOIP: UDP 5060-5062 and 10000-20000; this rule has no connection-state or destination restriction.
add action=mark-connection chain=prerouting comment=VOIP new-connection-mark=VOIP passthrough=yes port=5060-5062,10000-20000 protocol=udp
# NOTE(review): tcp-flags="" on a rule for UDP-marked connections looks like a leftover -- confirm.
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=VOIP passthrough=no tcp-flags=""
# ACK: TCP packets of 0-123 bytes with the ACK flag, marked per packet without a connection mark.
add action=mark-packet chain=postrouting comment=ACK new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting dst-address-list=!RFC1918 new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
# UDP: every new UDP connection to a non-private destination. DNS and VOIP packets already left the
# chain above via passthrough=no, so they keep their own packet marks.
add action=mark-connection chain=prerouting comment=UDP connection-state=new dst-address-list=!RFC1918 new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP dst-address-list=!RFC1918 new-packet-mark=UDP passthrough=no
# ICMP to non-private destinations, marked in both prerouting and postrouting.
add action=mark-connection chain=prerouting comment=ICMP connection-state=new dst-address-list=!RFC1918 new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP dst-address-list=!RFC1918 new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new dst-address-list=!RFC1918 new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP dst-address-list=!RFC1918 new-packet-mark=ICMP passthrough=no
# QUIC: UDP 80/443. NOTE(review): the UDP mark-packet rule above uses passthrough=no, so these
# packets may never reach this packet-mark rule -- verify with the rule counters.
add action=mark-connection chain=prerouting comment=QUIC connection-state=new dst-address-list=!RFC1918 new-connection-mark=QUIC passthrough=yes port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC dst-address-list=!RFC1918 new-packet-mark=QUIC passthrough=no
# HTTP: new, still unmarked TCP 80/443 connections.
add action=mark-connection chain=prerouting comment=HTTP connection-mark=no-mark connection-state=new dst-address-list=!RFC1918 new-connection-mark=HTTP passthrough=yes port=80,443 protocol=\
    tcp
# HTTP_BIG: HTTP-marked connections past 5,000,000 bytes and running at 2M-100M are re-marked as bulk.
add action=mark-connection chain=prerouting connection-bytes=5000000-0 connection-mark=HTTP connection-rate=2M-100M dst-address-list=!RFC1918 new-connection-mark=HTTP_BIG passthrough=yes \
    protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG dst-address-list=!RFC1918 new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP dst-address-list=!RFC1918 new-packet-mark=HTTP passthrough=no
# OTHER: TCP 995/465/587 get connection-mark "POP3" but packet-mark OTHER; any remaining unmarked
# connection is marked OTHER as the catch-all.
add action=mark-connection chain=prerouting comment=OTHER connection-state=new dst-address-list=!RFC1918 new-connection-mark=POP3 passthrough=yes port=995,465,587 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=POP3 dst-address-list=!RFC1918 new-packet-mark=OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!RFC1918 new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER dst-address-list=!RFC1918 new-packet-mark=OTHER passthrough=no
/ip firewall nat
# Source NAT (masquerade) for traffic leaving via any interface in the WAN list, except IPsec-policy traffic.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
# telnet, ftp, ssh, api and api-ssl are disabled.
# NOTE(review): www, www-ssl and winbox do not appear in this export, so they are presumably at
# their defaults -- check with "/ip service print" and restrict or disable what is not needed.
set telnet disabled=yes
set ftp disabled=yes
# SSH is moved to port 2200 but is also disabled, so the port change has no effect at present.
set ssh disabled=yes port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
# UPnP is enabled with bridge as the internal and pppoe-out1 as the external interface, which lets
# LAN hosts request inbound port mappings on the WAN side.
# NOTE(review): such mappings are presumably dst-NAT entries and would then pass the forward-chain
# rule "drop all from WAN not DSTNATed" -- disable UPnP if no LAN device needs it.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ipv6 address
# LAN IPv6 address is taken from the pool filled by the DHCPv6 client below.
add from-pool=IPv6-Pool interface=bridge
/ipv6 dhcp-client
# Requests a delegated prefix over pppoe-out1 into "IPv6-Pool" and adds an IPv6 default route.
add add-default-route=yes interface=pppoe-out1 pool-name=IPv6-Pool rapid-commit=no request=prefix use-peer-dns=no
/ipv6 firewall address-list
# "bad_ipv6": special-purpose ranges, dropped as source or destination in the forward chain and
# excluded from marking in /ipv6 firewall mangle.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Rules are evaluated top to bottom per chain; the order below is significant.
# --- input chain ---
# The accepts for ICMPv6, UDP traceroute, DHCPv6 prefix delegation, IKE and IPsec AH/ESP all sit
# before the final drop, so they apply to traffic from any interface, WAN included.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# DHCPv6 client replies are accepted only from link-local sources (fe80::/10).
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final input rule: drop whatever is left unless it came in on an interface in the LAN list.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# --- forward chain ---
# LAN hosts hold global IPv6 addresses with no NAT in front of them, so the final drop in this
# chain is the only thing that blocks unsolicited inbound connections to them.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
# ICMPv6, HIP (protocol 139), IKE and IPsec AH/ESP are forwarded from any interface, WAN included.
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
# IPv6 counterpart of the IPv4 QoS marking: same mark names and the same mark-connection /
# mark-packet pairing, with dst-address-list=!bad_ipv6 in place of !RFC1918 and icmpv6 in place of icmp.
# DNS: UDP port 53; the postrouting pair has no destination-list restriction.
add action=mark-connection chain=prerouting comment=DNS connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS dst-address-list=!bad_ipv6 new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=DNS passthrough=no
# VOIP: UDP 5060-5062 and 10000-20000, with no connection-state or destination restriction.
add action=mark-connection chain=prerouting comment=VOIP new-connection-mark=VOIP passthrough=yes port=5060-5062,10000-20000 protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=VOIP passthrough=no
# ACK: TCP packets of 0-123 bytes with the ACK flag.
add action=mark-packet chain=postrouting comment=ACK new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting dst-address-list=!bad_ipv6 new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
# UDP: all remaining new UDP connections.
add action=mark-connection chain=prerouting comment=UDP connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP dst-address-list=!bad_ipv6 new-packet-mark=UDP passthrough=no
# ICMPv6, marked in both prerouting and postrouting.
add action=mark-connection chain=prerouting comment=ICMP connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=ICMP passthrough=yes protocol=icmpv6
add action=mark-packet chain=prerouting connection-mark=ICMP dst-address-list=!bad_ipv6 new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=ICMP passthrough=yes protocol=icmpv6
add action=mark-packet chain=postrouting connection-mark=ICMP dst-address-list=!bad_ipv6 new-packet-mark=ICMP passthrough=no
# QUIC: UDP 80/443.
add action=mark-connection chain=prerouting comment=QUIC connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=QUIC passthrough=yes port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC dst-address-list=!bad_ipv6 new-packet-mark=QUIC passthrough=no
# HTTP: new, still unmarked TCP 80/443 connections.
add action=mark-connection chain=prerouting comment=HTTP connection-mark=no-mark connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=HTTP passthrough=yes port=80,443 protocol=\
    tcp
# HTTP_BIG: HTTP-marked connections past 5,000,000 bytes and running at 2M-100M are re-marked as bulk.
add action=mark-connection chain=prerouting connection-bytes=5000000-0 connection-mark=HTTP connection-rate=2M-100M dst-address-list=!bad_ipv6 new-connection-mark=HTTP_BIG passthrough=yes \
    protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG dst-address-list=!bad_ipv6 new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP dst-address-list=!bad_ipv6 new-packet-mark=HTTP passthrough=no
# OTHER: TCP 995/465/587 (connection-mark "POP3") plus a catch-all for anything still unmarked.
add action=mark-connection chain=prerouting comment=OTHER connection-state=new dst-address-list=!bad_ipv6 new-connection-mark=POP3 passthrough=yes port=995,465,587 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=POP3 dst-address-list=!bad_ipv6 new-packet-mark=OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!bad_ipv6 new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER dst-address-list=!bad_ipv6 new-packet-mark=OTHER passthrough=no
/ipv6 nd
# Router advertisements are sent on the bridge every 30s-2m, without the router's MAC address option.
set [ find default=yes ] advertise-mac-address=no interface=bridge ra-interval=30s-2m
/ipv6 nd prefix default
set preferred-lifetime=1h valid-lifetime=2h
/system clock
set time-zone-name=Asia/Kolkata
/system logging
# A logging rule for the "dns" topic exists but is disabled.
add disabled=yes topics=dns
/system ntp client
set enabled=yes server-dns-names=time.cloudflare.com
/system routerboard settings
# NOTE(review): auto-upgrade=yes presumably updates the RouterBOARD firmware automatically after
# a RouterOS upgrade -- confirm that this suits your change-control process.
set auto-upgrade=yes silent-boot=yes
/tool bandwidth-server
# The bandwidth-test server is turned off.
set enabled=no
/tool graphing
set store-every=24hours
/tool mac-server
# The MAC server and MAC-Winbox are limited to interfaces in the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
DarkNate
just joined
Topic Author
Posts: 23
Joined: Fri Jun 26, 2020 4:37 pm

Re: Reachability/Ping issues on RouterOS 6.47  [SOLVED]

Wed Jul 01, 2020 6:49 pm

The problem has been solved; I posted the details of the fix in my Reddit thread: https://www.reddit.com/r/mikrotik/comme ... uteros_647

Hope it helps someone out there who may have the same issue.
