DavidGB
newbie
Topic Author
Posts: 38
Joined: Fri Sep 14, 2018 9:22 pm

Internet / VPN Problem

Mon Feb 15, 2021 2:03 pm

Hi,

I have 2 questions about my MikroTik.

Occasionally my MikroTik loses its internet connection and it comes back after a few minutes. I tried pinging 8.8.8.8 from the MikroTik terminal and it doesn't respond.
But today I've seen something strange: I've connected my office MikroTik router to mine to access some devices from my home, and at the moment I lost the internet connection "ping 8.8.8.8" didn't respond, but pings to my office devices responded correctly, so I did have an internet connection.

On another matter, I have a question about the VPN connection. My home MikroTik is the server and my office MikroTik is the client, and I have an L2TP tunnel.
I can ping the office router and that router's devices from my home router terminal, but I can't do that from my home "Administrator devices". My firewall allows administrator forward and input. Why can't I do it?

Here is my sensitive configuration:
# model = RB4011iGS+

/interface bridge
add comment=LAN_Ppal name=LAN_Ppal
/interface ethernet
set [ find default-name=ether1 ] comment=ISP
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=PC
set [ find default-name=ether5 ] comment=AP
set [ find default-name=ether6 ] comment=LM
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether1 name=MasMovil vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=deconf name=LAN
/ip pool
add name=DHCP_LAN_Ppal ranges=192.168.2.20-192.168.2.150
/ip dhcp-server
add address-pool=DHCP_LAN_Ppal disabled=no interface=LAN_Ppal name=DHCP_LAN_Ppal
/interface bridge port
add bridge=LAN_Ppal interface=ether2
add bridge=LAN_Ppal interface=ether3
add bridge=LAN_Ppal interface=ether4
add bridge=LAN_Ppal interface=ether5
add bridge=LAN_Ppal interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add interface=MasMovil list=WAN
add interface=LAN_Ppal list=LAN
/ip address
add address=192.168.2.1/24 comment=LAN_Ppal interface=LAN_Ppal network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=MasMovil
/ip dhcp-server lease
add address=192.168.2.225 client-id=1:cc:9e:a2:62:f2:cc comment="Alexa Yoga" mac-address=CC:9E:A2:62:F2:CC server=DHCP_LAN_Ppal
add address=192.168.2.222 comment="Alexa Estudio" mac-address=14:91:38:F3:DF:F0 server=DHCP_LAN_Ppal
add address=192.168.2.221 client-id=1:44:0:49:4d:e4:ab comment="Alexa Salon" mac-address=44:00:49:4D:E4:AB server=DHCP_LAN_Ppal
add address=192.168.2.224 client-id=1:5c:41:5a:93:bd:85 comment="Alexa Cocina" mac-address=5C:41:5A:93:BD:85 server=DHCP_LAN_Ppal
add address=192.168.2.13 client-id=1:44:85:0:30:1e:61 comment="PC Curro" mac-address=44:85:00:30:1E:61 server=DHCP_LAN_Ppal
add address=192.168.2.12 client-id=1:a8:9c:ed:cd:f8:12 comment="Movil David" mac-address=A8:9C:ED:CD:F8:12 server=DHCP_LAN_Ppal
add address=192.168.2.231 comment="Xiaomi Vacuum" mac-address=40:31:3C:A2:E3:3B server=DHCP_LAN_Ppal
add address=192.168.2.145 client-id=1:7c:d5:66:b8:e7:90 comment=Despertador mac-address=7C:D5:66:B8:E7:90 server=DHCP_LAN_Ppal
add address=192.168.2.232 client-id=1:e8:f2:e2:ab:ea:39 comment="TV Salon" mac-address=E8:F2:E2:AB:EA:39 server=DHCP_LAN_Ppal
add address=192.168.2.11 client-id=1:b8:ac:6f:9d:62:d6 comment="PC Estudio" mac-address=B8:AC:6F:9D:62:D6 server=DHCP_LAN_Ppal
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=100.64.0.0/10 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=192.0.0.0/24 list=Bogon
add address=192.0.2.0/24 list=Bogon
add address=192.168.0.0/16 list=Bogon
add address=198.18.0.0/15 list=Bogon
add address=198.51.100.0/24 list=Bogon
add address=203.0.113.0/24 list=Bogon
add address=240.0.0.0/4 list=Bogon
add address=192.168.2.10-192.168.2.20 list=Src_Administradores
add address=192.168.2.205 list=Src_Administradores
add address=192.168.2.20-192.168.2.255 list=Src_Red_LAN
add address=192.168.2.201 list=Dst_Servidores_Usuarios
add address=192.168.2.204 list=Dst_Servidores_Usuarios
add address=192.168.2.205 list=Dst_Servidores_Usuarios
add address=192.168.2.10-192.168.2.255 list=Dst_Red_LAN
add address=192.168.2.201 list=Src_Administradores
add address=192.168.2.202 list=Src_Administradores
add address=192.168.2.3 list=Src_Administradores
add address=10.10.1.201 list=Src_Administradores
/ip firewall filter
add action=add-src-to-address-list address-list=Src_TocToc_Temporal address-list-timeout=1m chain=input comment=TocToc dst-port=5000 protocol=tcp
add action=add-src-to-address-list address-list=Src_TocToc_LM address-list-timeout=5d chain=input comment=AccesoLM dst-port=7000 protocol=tcp src-address-list=Src_TocToc_Temporal
add action=add-src-to-address-list address-list=Src_TocToc_LM_NAS address-list-timeout=5d chain=input comment=AccesoLM_NAS dst-port=8000 protocol=tcp src-address-list=Src_TocToc_Temporal
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=L2TP dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment=L2TP protocol=ipsec-esp
add action=accept chain=input comment=L2TP protocol=ipsec-ah
add action=accept chain=input comment="defconf: accepr input from Src_Admin" src-address-list=Src_Administradores
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow services to lan users" in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="Allow services to lan users" in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input comment="drop all else" log=yes log-prefix="Prohibido input resto"
add action=accept chain=forward log=yes log-prefix=Forward src-address-list=Src_Red_LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward src-address-list=Src_Administradores
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="Prohibido forward invalido"
add action=accept chain=forward comment="allow internet from LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Prohibido forward resto"
/ip firewall nat
add action=dst-nat chain=dstnat comment=DMZ disabled=yes in-interface=ether1 to-addresses=192.168.2.202
add action=dst-nat chain=dstnat comment="CONTROL TOUCH" dst-port=2199 in-interface=MasMovil log=yes log-prefix="Conexion CT" protocol=tcp to-addresses=192.168.2.204 to-ports=2199
add action=dst-nat chain=dstnat comment="xxx Conexion Web (IMP. Dst type adress local para que funcionen las paginas con puerto 80)" dst-address-type=local dst-port=80 log=yes log-prefix=Conexion_Web protocol=tcp to-addresses=192.168.2.202 to-ports=\
    80
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 log=yes log-prefix="Conexion Web" protocol=tcp to-addresses=192.168.2.202 to-ports=443
add action=dst-nat chain=dstnat comment=MQTT_ext dst-port=41883 log=yes log-prefix="Conexion MQTT" protocol=tcp to-addresses=192.168.2.205 to-ports=1883
add action=dst-nat chain=dstnat comment=NAS dst-port=52151 log=yes log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS to-addresses=192.168.2.201 to-ports=52151
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 log=yes log-prefix="Conexion Plex" protocol=tcp to-addresses=192.168.2.201 to-ports=32400
add action=dst-nat chain=dstnat comment=LM dst-port=52200 log=yes log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS to-addresses=192.168.2.205 to-ports=80
add action=masquerade chain=srcnat comment="Para hacer LoopBack y que no se rompa la consxion si accedemos desde dentro" dst-address=192.168.2.201 dst-port=52151 out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=80 out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=443 out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.205 dst-port=80 out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.12
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 dst-address=10.10.2.0/24 gateway=10.10.1.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
add local-address=10.10.1.1 name=David profile=default-encryption remote-address=10.10.1.201
add local-address=10.10.1.1 name=Cliente_2 profile=default-encryption remote-address=10.10.1.2 service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system logging
add disabled=yes topics=firewall
/system ntp client
set primary-ntp=216.239.35.0 secondary-ntp=129.250.35.250
/system scheduler
add interval=15s name="Mikrotik Despierto" on-event="{\r\
    \n/tool fetch url=\"http://remote:AAaa1111@192.168.2.205/scada-remote\" http-data=\"m=json&r=grp&fn=write&alias=34/3/51&value=1\" http-method=post as-value output=user; \t \r\
    \n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=nov/16/2019 start-time=13:44:56
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Thanks so much!
 
tdw
Forum Veteran
Posts: 713
Joined: Sat May 05, 2018 11:55 am

Re: Internet / VPN Problem

Mon Feb 15, 2021 5:17 pm

But today I've seen something strange: I've connected my office MikroTik router to mine to access some devices from my home, and at the moment I lost the internet connection "ping 8.8.8.8" didn't respond, but pings to my office devices responded correctly, so I did have an internet connection.
Google provides DNS on 8.8.8.8, but AFAIK it is not guaranteed to respond to pings. I have seen cases where it stops responding to ping for several hours whilst still responding to DNS queries.

My home MikroTik is the server and my office MikroTik is the client, and I have an L2TP tunnel.
I can ping the office router and that router's devices from my home router terminal, but I can't do that from my home "Administrator devices". My firewall allows administrator forward and input. Why can't I do it?
You have a static route on this MikroTik to 10.10.2.0/24 via 10.10.1.2, which is the remote address in one of the VPN secrets. Do you have an equivalent static route at the remote end back to 192.168.2.0/24?
 
DavidGB
newbie
Topic Author
Posts: 38
Joined: Fri Sep 14, 2018 9:22 pm

Re: Internet / VPN Problem

Fri Feb 19, 2021 5:56 pm

Thanks!! It was the ip route (wrong IP).

On the other matter, the MikroTik not only doesn't get a response from 8.8.8.8; I have no internet connection in the LAN when this happens (many times a day).

Sent from my MI 9 via Tapatalk

 
Andrik
just joined
Posts: 3
Joined: Thu Feb 18, 2021 6:11 pm

Re: Internet / VPN Problem

Sat Feb 20, 2021 11:51 am

Glad you found the solution.
I had the same problem and I fixed my issue easily from this guide. Hope this works for you.
Last edited by Andrik on Mon Mar 01, 2021 10:11 am, edited 1 time in total.
 
DavidGB
newbie
Topic Author
Posts: 38
Joined: Fri Sep 14, 2018 9:22 pm

Re: Internet / VPN Problem

Tue Feb 23, 2021 9:53 pm

Hi! I think I've found the internet problem in my MikroTik...

I don't know why all these IPs exist in my LAN network...
(attached image: IP ARP.JPG)

Can anyone help me?
 
Cablenut9
Frequent Visitor
Posts: 74
Joined: Fri Jan 08, 2021 5:30 am

Re: Internet / VPN Problem

Tue Feb 23, 2021 9:56 pm

I have the same IP problem, do you have a device that connects and disconnects often?
 
DavidGB
newbie
Topic Author
Posts: 38
Joined: Fri Sep 14, 2018 9:22 pm

Re: Internet / VPN Problem

Tue Feb 23, 2021 11:07 pm

Yes, a few devices, not only one. I think all my network. However, I have a connection with my work MikroTik and its internal network.

Sent from my MI 9 via Tapatalk


 
nichky
Long time Member
Posts: 681
Joined: Tue Jun 23, 2015 2:35 pm

Re: Internet / VPN Problem

Wed Feb 24, 2021 6:24 am

DavidGB

/export file=conf hide-sensitive
RouterOS does not have a random function. Many has tried to make script to make random text, but all seems to be flawed.
viewtopic.php?f=9&t=160183

!) Safe Mode is your friend;
 
DavidGB
newbie
Topic Author
Posts: 38
Joined: Fri Sep 14, 2018 9:22 pm

Re: Internet / VPN Problem

Wed Feb 24, 2021 9:03 am

DavidGB

/export file=conf hide-sensitive
Hi, here is my configuration:
(attached file: conf.rsc)
Thanks Nichky!
 
nichky
Long time Member
Posts: 681
Joined: Tue Jun 23, 2015 2:35 pm

Re: Internet / VPN Problem

Wed Feb 24, 2021 10:10 am

About the drops you are experiencing: they need to be monitored in real time; it could be a layer-one issue, I don't know.
I would disable the following rule:
/ip firewall filter
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Prohibido forward resto"


About your VPN, I would disable fasttrack, and make sure you have rebooted the device:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
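The two rules quoted in this post are both about where a rule sits in the forward chain. As an added example (not code from this thread or from MikroTik), here is a small Python script that parses the forward chain of the /ip firewall filter export exactly as RouterOS writes it (including the trailing-backslash line continuations visible in the NAT section of the posted config) and checks three ordering points: whether an accept rule placed before the established/related accept logs every packet of every connection (the Src_Red_LAN rule at the top of the posted chain does), whether any ipsec-policy accept sits after the fasttrack rule (the default configuration puts them before it so that IPsec traffic is never fasttracked), and whether any rule is stranded behind an unconditional drop. The rule text is copied from the configuration posted above; the finding codes are my own naming.

```python
import shlex

# Constructed sample: the forward-chain rules of the /ip firewall filter
# export posted earlier in this thread, copied as they appear there.
FILTER_EXPORT = r'''/ip firewall filter
add action=accept chain=forward log=yes log-prefix=Forward src-address-list=Src_Red_LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward src-address-list=Src_Administradores
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="Prohibido forward invalido"
add action=accept chain=forward comment="allow internet from LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Prohibido forward resto"
'''

# Keys that say what a rule does or how it is labelled, not what it matches.
NON_MATCH_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled", "place-before"}


def join_continuations(text):
    """Re-join lines that the RouterOS export wrapped with a trailing backslash
    (the continuation is indented, so the indentation is stripped)."""
    lines, pending = [], None
    for raw in text.splitlines():
        if pending is not None:
            raw = pending + raw.lstrip()
            pending = None
        if raw.endswith("\\"):
            pending = raw[:-1]
            continue
        lines.append(raw)
    if pending is not None:
        lines.append(pending)
    return lines


def parse_rules(export_text, chain=None):
    """Turn 'add key=value ...' lines into dicts, in export order, skipping
    disabled rules. shlex handles the double-quoted values RouterOS emits."""
    rules = []
    for line in join_continuations(export_text):
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        if rule.get("disabled") == "yes":
            continue
        if chain is None or rule.get("chain") == chain:
            rules.append(rule)
    return rules


def match_keys(rule):
    """The matchers a rule carries; an empty set means it matches everything."""
    return {k for k in rule if k not in NON_MATCH_KEYS}


def audit_chain(rules):
    """Return (code, rule_index) findings about rule order in one chain."""
    findings = []
    est_idx = next((i for i, r in enumerate(rules)
                    if r.get("action") == "accept"
                    and "established" in r.get("connection-state", "")), None)
    ft_idx = next((i for i, r in enumerate(rules)
                   if r.get("action") == "fasttrack-connection"), None)
    for i, r in enumerate(rules):
        # An accept with no connection-state placed before the established/related
        # accept is evaluated for every packet of its connections and logs each one.
        if (est_idx is not None and i < est_idx and r.get("action") == "accept"
                and "connection-state" not in r and r.get("log") == "yes"):
            findings.append(("LOG_EVERY_PACKET", i))
        # Packets of a fasttracked connection skip the rest of the chain, so an
        # ipsec-policy accept placed after fasttrack can no longer keep that
        # traffic out of fasttrack; the default config puts these accepts first.
        if (ft_idx is not None and i > ft_idx and r.get("action") == "accept"
                and "ipsec-policy" in r):
            findings.append(("IPSEC_ACCEPT_AFTER_FASTTRACK", i))
        # Nothing behind an unconditional drop can ever be reached.
        if r.get("action") == "drop" and not match_keys(r) and i < len(rules) - 1:
            findings.append(("UNREACHABLE_AFTER_DROP", i + 1))
            break
    return findings


if __name__ == "__main__":
    for code, idx in audit_chain(parse_rules(FILTER_EXPORT, chain="forward")):
        print(f"{code}: rule #{idx}")
```

Run against the posted chain it reports only LOG_EVERY_PACKET for rule #0, the Src_Red_LAN accept with log=yes that sits above the established/related accept; the ipsec-policy accepts are already ahead of fasttrack, and the final drop is last. The same parser works on any other chain of an export by changing the chain argument.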
 
cdiedrich
Forum Veteran
Posts: 999
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: Internet / VPN Problem

Wed Feb 24, 2021 2:17 pm

Looks like a device with the private MAC address 00:00:5e:00:01:6F (this belongs to a VRRP interface) is doing proxy-arp.
The reply from that MAC address with IP 192.168.2.3 points to a D-Link AP. I'd check its settings.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
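Following up on the observation above, as an added example that is not from this thread or from MikroTik: a Python check over an ARP table that decodes the IANA VRRP IPv4 virtual MAC range (00:00:5E:00:01:xx, where the last octet is the VRID, per RFC 5798) and flags any MAC address that answers for several IP addresses, which is the proxy-ARP pattern described in this reply. The table is constructed: the named hosts and their MACs come from the DHCP leases posted at the top of the thread, and the entries answered by 00:00:5e:00:01:6f reproduce the reported symptom, since the attached screenshot is not available here.

```python
from collections import defaultdict

# Constructed sample ARP table (ip, mac, interface). Named hosts are taken
# from the DHCP leases posted in this thread; the 00:00:5e:00:01:6f entries
# are made up to mirror the symptom shown in the (unavailable) screenshot.
ARP_TABLE = [
    ("192.168.2.11", "B8:AC:6F:9D:62:D6", "LAN_Ppal"),   # PC Estudio
    ("192.168.2.12", "A8:9C:ED:CD:F8:12", "LAN_Ppal"),   # Movil David
    ("192.168.2.13", "44:85:00:30:1E:61", "LAN_Ppal"),   # PC Curro
    ("192.168.2.3", "00:00:5e:00:01:6f", "LAN_Ppal"),    # reported by cdiedrich
    ("192.168.2.77", "00:00:5e:00:01:6f", "LAN_Ppal"),   # constructed
    ("192.168.2.78", "00:00:5e:00:01:6f", "LAN_Ppal"),   # constructed
    ("192.168.2.79", "00:00:5e:00:01:6f", "LAN_Ppal"),   # constructed
    ("192.168.2.231", "40:31:3C:A2:E3:3B", "LAN_Ppal"),  # Xiaomi Vacuum
]

# RFC 5798 section 7.3: VRRP IPv4 virtual router MAC is 00-00-5E-00-01-{VRID}.
VRRP_IPV4_PREFIX = (0x00, 0x00, 0x5E, 0x00, 0x01)


def mac_bytes(mac):
    """Normalise 'aa:bb:cc:dd:ee:ff' (any case, ':' or '-') to a tuple of ints."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return tuple(int(p, 16) for p in parts)


def vrrp_vrid(mac):
    """Return the VRID if this is a VRRP IPv4 virtual MAC, otherwise None."""
    b = mac_bytes(mac)
    return b[5] if b[:5] == VRRP_IPV4_PREFIX else None


def ips_per_mac(arp_table):
    """Group the IP addresses each (normalised, lowercase) MAC answers for."""
    by_mac = defaultdict(list)
    for ip, mac, _iface in arp_table:
        by_mac[":".join(f"{x:02x}" for x in mac_bytes(mac))].append(ip)
    return by_mac


def find_suspicious(arp_table, max_ips=1):
    """Return findings as (code, mac, detail).

    A MAC claiming more than max_ips addresses is answering ARP for hosts that
    are not its own (proxy-ARP on a gateway or AP, or ARP spoofing); a VRRP
    virtual MAC is reported with its VRID so the owning device can be located."""
    findings = []
    for mac, ips in sorted(ips_per_mac(arp_table).items()):
        vrid = vrrp_vrid(mac)
        if vrid is not None:
            findings.append(("VRRP_VIRTUAL_MAC", mac, f"VRID {vrid}"))
        if len(ips) > max_ips:
            findings.append(("MAC_CLAIMS_MANY_IPS", mac, ", ".join(ips)))
    return findings


if __name__ == "__main__":
    for code, mac, detail in find_suspicious(ARP_TABLE):
        print(f"{code} {mac} {detail}")
```

On the constructed table it reports the one MAC both as a VRRP virtual address (VRID 111, the decimal value of 0x6f) and as answering for four IP addresses; the regular hosts each map to a single IP and produce nothing. Raising max_ips is appropriate on segments where a host legitimately holds several addresses.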
 
DavidGB
newbie
Topic Author
Posts: 38
Joined: Fri Sep 14, 2018 9:22 pm

Re: Internet / VPN Problem

Fri Feb 26, 2021 9:45 pm

Looks like a device with the private MAC address 00:00:5e:00:01:6F (this belongs to a VRRP interface) is doing proxy-arp.
The reply from that MAC address with IP 192.168.2.3 points to a D-Link AP. I'd check its settings.
-Chris
This MAC is the ISP router. Next week I'm going to change to Vodafone. I think that is the problem.

I have another question about the VPN.
I can access the "Cliente_2" VPN client from my LAN network (192.168.2.0/24) but I can't access it from my VPN network (connected to the "David" profile, "10.10.1.201"). How can I access it from this connection? Is it necessary to add an /ip route?

Thanks
