brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 12:00 am

Hi Guys, I'm experiencing a problem with my configuration, so far I've managed to:

1) Configure 2 ISPs (WAN1 & WAN2)
2) Configure a guest wifi network
3) Added a vlanXX to share internet with my Tp-link router
4) Added some mangle rules for WANs, Bridge, VLAN, and Wifi

I think in the middle of that configuration I've missed something, because when I access the MikroTik terminal and try to run "ping google.com" it says "no route to host".
I'm perfectly fine with the configuration: I have internet on the TP-Link router, the wifi connections and the MikroTik bridged ports connected to my PC, but I can't realize yet what the issue is with the net inside the MikroTik. Also, I'm connected to the MikroTik LAN 192.168.88.XX, so outside the router I can ping perfectly, but not inside.

Hope someone can help me with this, here are the configurations:

IP ROUTE PRINT:
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.10.1              2
 1 A S  0.0.0.0/0                          192.168.1.1               1
 2 ADC  10.10.10.0/24      10.10.10.1      bridge-guest              0
 3 ADC  192.168.1.0/24     192.168.1.2     ether2-WAN2               0
 4 ADC  192.168.10.0/24    192.168.10.73   ether1-WAN1               0
 5 ADC  192.168.11.0/24    192.168.11.1    bridge-tp-link-ap         0
 6 ADC  192.168.88.0/24    192.168.88.1    bridge                    0

IP ADDRESS PRINT
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                   
 1   10.10.10.1/24      10.10.10.0      bridge-guest                             
 2   192.168.11.1/24    192.168.11.0    bridge-tp-link-ap                        
 3 D 192.168.10.73/24   192.168.10.0    ether1-WAN1                              
 4 D 192.168.1.2/24     192.168.1.0     ether2-WAN2   
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 2:13 am

/export hide-sensitive file=anynameyouwish
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 7:49 pm

Hi @anav here are the specs from that export:
# dec/07/2021 16:19:13 by RouterOS 6.47.10
# software id = E1MU-####
#
# model = RB4011iGS
# serial number = F03E0FA7####
/interface bridge
add admin-mac=DC:2C:6E:3C:XX:XX auto-mac=no comment=defconf name=bridge
add name=bridge-guest
add name=bridge-tp-link-ap
/interface ethernet
set [ find default-name=ether1 ] comment="Internet Services - ISP 1" name=\
    ether1-WAN1
set [ find default-name=ether2 ] comment="Arnet / Fibertel - ISP 2" name=\
    ether2-WAN2
set [ find default-name=ether4 ] name=ether4-TpLinkAP
set [ find default-name=ether5 ] name=ether5-LAN
/interface vlan
add interface=ether4-TpLinkAP name=vlan11_tp_link_ap vlan-id=11
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-guest supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-default-security supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge secondary-channel=auto \
    security-profile=profile-default-security ssid=MT-Office-5ghz \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge security-profile=profile-default-security ssid=MT-Office-2ghz \
    wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:XX:XX:XX \
    master-interface=wlan2 multicast-buffering=disabled name=guest-wifi \
    security-profile=profile-guest ssid=MtGuestWf wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool_tp_link_ap ranges=192.168.11.21-192.168.11.250
add name=dhcp_pool2 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=bridge-guest name=\
    dhcp_wifi_guest
add address-pool=pool_tp_link_ap disabled=no interface=bridge-tp-link-ap \
    name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge comment=defconf interface=ether5-LAN
add bridge=bridge-guest interface=guest-wifi
add bridge=bridge-tp-link-ap interface=vlan11_tp_link_ap
add bridge=bridge comment=defconf interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
add address=192.168.11.1/24 interface=bridge-tp-link-ap network=192.168.11.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1-WAN1
add add-default-route=no disabled=no interface=ether2-WAN2
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.11.0/24 gateway=192.168.11.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
    10.10.10.0/24
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.10.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2-WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn \
    nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-tp-link-ap \
    new-connection-mark=WAN1_conn nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-guest new-connection-mark=\
    WAN1_conn nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN2_conn \
    nth=2,2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-tp-link-ap \
    new-connection-mark=WAN2_conn nth=2,2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-guest new-connection-mark=\
    WAN2_conn nth=2,2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge-tp-link-ap new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge-guest new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge-tp-link-ap new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge-guest new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.11.0/24 in-interface=\
    bridge-tp-link-ap
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat out-interface=ether1-WAN1
add action=accept chain=srcnat out-interface=ether2-WAN2
/ip route
add check-gateway=ping distance=2 gateway=192.168.10.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN2
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 8:12 pm

Hi there, have not yet got into the mangles but I see areas for improvement.
Took me a while, as I am a one-bridge guy and use VLANs for all my subnets; much cleaner/easier, at least for me, to understand.

In your case you seem caught in between.
You attempt to use both a VLAN and a bridge to feed the dumb access point TP-Link. Like tripping over your own feet.
Suggest dropping the idea of a VLAN, as it's not helping.

(1) Thus.....
Remove the definition of the VLAN.
DONE! The rest of the config is set which tells you that the vlan config was not quite right.

(2) Well one small change.
You also had an error in your bridge ports! A VLAN interface is not normally a bridge port (normally only ether ports and WLANs).

So you need this instead in your /interface bridge port settings:
add bridge=bridge-tp-link-ap interface=ether4-TpLinkAP


(3) Missing entries in Interface list members as well.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=bridge-guest list=LAN
add comment=defconf interface=bridge-tp-link-ap list=LAN

add comment=defconf interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN

Make those changes and see how things are!
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 8:20 pm

1. More fixes needed: SOURCE NAT

In general you can either use the default rule (the first one you have) OR split it up into each separate WAN, which your other two lines 'attempted' to do, but the format is wrong!!
Suggest the below is all you need:
add chain=srcnat action=masquerade out-interface=ether1-WAN1
add chain=srcnat action=masquerade out-interface=ether2-WAN2

2. Before I get into the mangling,
What is your requirement for WANs?
Use WAN1 as primary and WAN2 as backup if WAN1 is not available?
Some users on WAN1 all the time and some users on WAN2 all the time with the alternate WAN as a backup.
Some users on WAN1 all the time and some users on WAN2 all the time with NO alternate?
Etc etc ????????????????????
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 8:33 pm

Hi @anav I did those changes, can you take a look, the thing is that it seems that my tp-link router stopped working with those changes:

Here they are:
# dec/07/2021 17:03:28 by RouterOS 6.47.10
# software id = E1MU-####
#
# model = RB4011iGS
# serial number = F03E0FA7####
/interface bridge
add admin-mac=DC:2C:6E:XX:XX:XX auto-mac=no comment=defconf name=bridge
add name=bridge-guest
add name=bridge-tp-link-ap
/interface ethernet
set [ find default-name=ether1 ] comment="Internet Services - ISP 1" name=\
    ether1-WAN1
set [ find default-name=ether2 ] comment="Arnet / Fibertel - ISP 2" name=\
    ether2-WAN2
set [ find default-name=ether4 ] name=ether4-TpLinkAP
set [ find default-name=ether5 ] name=ether5-LAN
/interface vlan
add disabled=yes interface=ether4-TpLinkAP name=vlan11_tp_link_ap vlan-id=11
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-guest supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-default-security supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge secondary-channel=auto \
    security-profile=profile-default-security ssid=MT-Office-5ghz \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge security-profile=profile-default-security ssid=MT-Office-2ghz \
    wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:XX:XX:XX \
    master-interface=wlan2 multicast-buffering=disabled name=guest-wifi \
    security-profile=profile-guest ssid=MtGuestWf wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool_tp_link_ap ranges=192.168.11.21-192.168.11.250
add name=dhcp_pool2 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=bridge-guest name=\
    dhcp_wifi_guest
add address-pool=pool_tp_link_ap disabled=no interface=bridge-tp-link-ap \
    name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge comment=defconf interface=ether5-LAN
add bridge=bridge-guest interface=guest-wifi
add bridge=bridge-tp-link-ap interface=ether4-TpLinkAP
add bridge=bridge comment=defconf interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
add comment=defconf interface=bridge-tp-link-ap list=LAN
add comment=defconf interface=bridge-guest list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
add address=192.168.11.1/24 interface=bridge-tp-link-ap network=192.168.11.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1-WAN1
add add-default-route=no disabled=no interface=ether2-WAN2
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.11.0/24 gateway=192.168.11.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
    10.10.10.0/24
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.10.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2-WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn \
    nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-tp-link-ap \
    new-connection-mark=WAN1_conn nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-guest new-connection-mark=\
    WAN1_conn nth=2,1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN2_conn \
    nth=2,2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-tp-link-ap \
    new-connection-mark=WAN2_conn nth=2,2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-guest new-connection-mark=\
    WAN2_conn nth=2,2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge-tp-link-ap new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge-guest new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge-tp-link-ap new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge-guest new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.11.0/24 in-interface=\
    bridge-tp-link-ap
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat out-interface=ether1-WAN1
add action=accept chain=srcnat out-interface=ether2-WAN2
/ip route
add check-gateway=ping distance=2 gateway=192.168.10.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN2
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 8:38 pm

> 1. More fixes needed: SOURCE NAT
>
> In general you can either use the default rule (the first one you have) OR split it up into each separate WAN, which your other two lines 'attempted' to do, but the format is wrong!!
> Suggest the below is all you need:
> add chain=srcnat action=masquerade out-interface=ether1-WAN1
> add chain=srcnat action=masquerade out-interface=ether2-WAN2
>
> 2. Before I get into the mangling,
> What is your requirement for WANs?
> Use WAN1 as primary and WAN2 as backup if WAN1 is not available?
> Some users on WAN1 all the time and some users on WAN2 all the time with the alternate WAN as a backup.
> Some users on WAN1 all the time and some users on WAN2 all the time with NO alternate?
> Etc etc ????????????????????

1) It's ok.
2) I want to use both internet connections merged into a single one; because of that I'm using NTH. Also, if one of those fails, the other WAN continues working.
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 8:52 pm

Anyway, none of those resolved the issue with ping from the router; I cannot ping an external host like google.com:
[admin@MikroTik] > ping google.com
  SEQ HOST                                     SIZE TTL TIME  STATUS                                         
    0                                                         no route to host  
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 9:02 pm

Thus it's your NTH and mangling.
Why NTH? No one uses that to share internet.
If your intention is to use both connections at the same time, use PCC!!

Also, I told you these were WRONGly formatted (and if formatted, a duplicate of the first rule). Why are they still there?????
add action=accept chain=srcnat out-interface=ether1-WAN1
add action=accept chain=srcnat out-interface=ether2-WAN2


ALSO believe you are missing two routes. You need two standard routes in the main table, from what I understand.
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.10.1

add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN2
add check-gateway=ping distance=2 gateway=192.168.10.1 routing-mark=to_WAN1
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 9:40 pm

suggest time to upgrade to 6.49 latest stable firmware...................
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 10:29 pm

> Thus it's your NTH and mangling.
> Why NTH? No one uses that to share internet.
> If your intention is to use both connections at the same time, use PCC!!
>
> Also, I told you these were WRONGly formatted (and if formatted, a duplicate of the first rule). Why are they still there?????
> add action=accept chain=srcnat out-interface=ether1-WAN1
> add action=accept chain=srcnat out-interface=ether2-WAN2
>
> ALSO believe you are missing two routes. You need two standard routes in the main table, from what I understand.
> /ip route
> add check-gateway=ping distance=1 gateway=192.168.1.1
> add check-gateway=ping distance=2 gateway=192.168.10.1
>
> add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN2
> add check-gateway=ping distance=2 gateway=192.168.10.1 routing-mark=to_WAN1

I've removed these:
add action=accept chain=srcnat out-interface=ether1-WAN1
add action=accept chain=srcnat out-interface=ether2-WAN2

Nothing changes; I still can't access the internet from the RB4011 to upgrade. That was my intention, but I can't (I could do that by downloading the file from the site and importing it, but I don't want to do that; I want to fix the issue first).

Also, I've used PCC before too, with both the "both addresses" and "both addresses and ports" configurations, and I have the same issues that I have with NTH...
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Wed Dec 08, 2021 10:32 pm

To eliminate NTH and mangling, disable all the mangling rules and see what happens.
(Don't forget to add the routes I noted.)
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Thu Dec 09, 2021 3:26 am

> To eliminate NTH and mangling, disable all the mangling rules and see what happens.
> (Don't forget to add the routes I noted.)

I've tried what you said before (disable all mangle rules) and nothing happened; same issue, I can't ping from the MikroTik terminal. If you have a script changing all those rules, please share it with me and I'll try it; for now the changes you requested do not have an impact on that.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Thu Dec 09, 2021 4:03 am

Well, I am curious about your WAN setup then.
How is it that you have two private IPs for gateways and yet you use IP DHCP client?
I note that you have no IP addresses set up for the WAN connections.

Can you post snapshots of your IP DHCP client settings (the tabs)? (Nothing sensitive if it's all private IPs etc.)
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Thu Dec 09, 2021 5:08 am

> Well, I am curious about your WAN setup then.
> How is it that you have two private IPs for gateways and yet you use IP DHCP client?
> I note that you have no IP addresses set up for the WAN connections.
>
> Can you post snapshots of your IP DHCP client settings (the tabs)? (Nothing sensitive if it's all private IPs etc.)

Yes, sure, I'll do that tomorrow. FYI, I've also noticed that the issue with ping inside the MikroTik is related to this configuration in routes:

add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.10.1

but... if I enable that, ping starts to work, but when I test the PCC "both addresses and ports" it's using only one ISP instead of two... As soon as I disable that configuration, it starts to work again but I cannot ping.. haha
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Thu Dec 09, 2021 5:55 pm

> suggest time to upgrade to 6.49 latest stable firmware...................

I've already updated the firmware, but there are no changes in my configuration, no new behaviors, etc.
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Thu Dec 09, 2021 7:55 pm

> Well, I am curious about your WAN setup then.
> How is it that you have two private IPs for gateways and yet you use IP DHCP client?
> I note that you have no IP addresses set up for the WAN connections.
>
> Can you post snapshots of your IP DHCP client settings (the tabs)? (Nothing sensitive if it's all private IPs etc.)

Hi, here's the screenshot, is this what you mean?
Screenshot from 2021-12-09 14-54-01.png
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Thu Dec 09, 2021 9:01 pm

Nope.
Click on both entries you have under DHCP client (the one highlighted blue and the other).
This will bring up another menu.
DHCP is default tab so take a picture of that, and then select the TAB Status and take a picture of that.
Total 4 pics.
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Sat Dec 11, 2021 4:02 pm

Nope.
Click on both entries you have under DHCP client (the one highlighted blue and the other).
This will bring up another menu.
DHCP is default tab so take a picture of that, and then select the TAB Status and take a picture of that.
Total 4 pics.
Not necessary, here you have the detail mode:
detail_mode.png
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Sat Dec 11, 2021 7:41 pm

Please post your complete config again with current settings.
Will have another look to see what I can find............ as I am pretty much out of ideas.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Sat Dec 11, 2021 8:16 pm

Router itself by default uses main routing table, so if there are no routes in main routing table, guess what happens? Correct, there's no ping or any other communication between router and the world. Only exception is connected subnets that do have routes in main routing table. So those two routes suggested by @anav, that's good idea to have them. Or you can simply set add-default-route=yes in dhcp clients.

There's no reason why having these routes should break load balancing, if you do the connection and route marking correctly. But at first sight it doesn't seem to be anything wrong there.
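
Added example, not part of the post above and not MikroTik code: a small Python model of the table selection just described, built from the connected subnets and gateways shown in this thread. The routing-mark names to_WAN1 and to_WAN2, their mapping to the two gateways, and the 8.8.8.8 test destination are assumptions made for illustration.

```python
import ipaddress

# Constructed route list. Connected subnets and gateway addresses are the ones
# shown in the thread; the routing-mark names to_WAN1/to_WAN2 are assumed.
CONNECTED = [
    ("10.10.10.0/24", "bridge-guest"),
    ("192.168.1.0/24", "ether2-WAN2"),
    ("192.168.10.0/24", "ether1-WAN1"),
    ("192.168.11.0/24", "bridge-tp-link-ap"),
    ("192.168.88.0/24", "bridge"),
]
MARKED_DEFAULTS = [
    ("0.0.0.0/0", "192.168.10.1", 1, "to_WAN1"),
    ("0.0.0.0/0", "192.168.1.1", 1, "to_WAN2"),
]
MAIN_DEFAULTS = [
    ("0.0.0.0/0", "192.168.1.1", 1, "main"),
    ("0.0.0.0/0", "192.168.10.1", 2, "main"),
]

def build(with_main_defaults):
    """Build the route list, with or without default routes in the main table."""
    routes = [(d, g, 0, "main") for d, g in CONNECTED] + MARKED_DEFAULTS
    if with_main_defaults:
        routes += MAIN_DEFAULTS
    return [(ipaddress.ip_network(d), g, dist, t) for d, g, dist, t in routes]

def lookup(routes, dst, routing_mark=None):
    """Return the gateway/interface chosen for dst, or None (no route to host).

    Unmarked traffic, which includes what the router itself originates
    (ping from the terminal, DNS, NTP), searches only the main table.
    Marked traffic searches its own table first, then falls back to main.
    """
    addr = ipaddress.ip_address(dst)
    tables = [routing_mark, "main"] if routing_mark else ["main"]
    for table in tables:
        hits = [r for r in routes if r[3] == table and addr in r[0]]
        if hits:
            # Longest prefix wins; lowest distance breaks ties.
            best = min(hits, key=lambda r: (-r[0].prefixlen, r[2]))
            return best[1]
    return None
```

With only marked default routes, `lookup(build(False), "8.8.8.8")` returns `None` for router-originated traffic while marked forwarded traffic still resolves; adding the main-table defaults changes the first result and leaves the marked lookups unchanged.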
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Sun Dec 12, 2021 12:25 am

Router itself by default uses main routing table, so if there are no routes in main routing table, guess what happens? Correct, there's no ping or any other communication between router and the world. Only exception is connected subnets that do have routes in main routing table. So those two routes suggested by @anav, that's good idea to have them. Or you can simply set add-default-route=yes in dhcp clients.

There's no reason why having these routes should break load balancing, if you do the connection and route marking correctly. But at first sight it doesn't seem to be anything wrong there.
@sob, that did the trick! thanks!, also @anav I see no issues with current configuration having two WANs, Wifi configuration and external tp-link router to extend connectivity, it's working pretty well, such a nice router this RB4011 :-)

previously I'd a RB750Gr3, and this one makes it look like a toy.
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Sun Dec 12, 2021 1:51 am

There's no reason why having these routes should break load balancing, if you do the connection and route marking correctly. But at first sight it doesn't seem to be anything wrong there.
@sob I've taken a closer look but if I set that option
add-default-route=yes
in the DHCP clients I lose the ability to have both WANs working, so when I do a test using fast.com without that I'm receiving the complete bandwidth from both, but when I enable that.. the same issue arises.. I've only one WAN measured.. I don't know actually what's the issue with that.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Sun Dec 12, 2021 2:05 am

Disable this rule:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
But if it helps, and it should, because fasttracked packets bypass firewall, where you mark connections and routing, it will bring interesting question, why lack of routes in main routing table should change how it works.
 
brunex1986
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:59 am

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Sun Dec 12, 2021 2:11 am

Disable this rule:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
But if it helps, and it should, because fasttracked packets bypass firewall, where you mark connections and routing, it will bring interesting question, why lack of routes in main routing table should change how it works.
Hi @Sob, disabled but nothing changes...
Also, previously I've tried disabling all those rules, but that changes nothing in the end
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Sun Dec 12, 2021 2:57 am

That's weird, because I really don't see anything wrong. Unless somebody else does, time for some desperate attempts. What if you add (before other marking rules, and keep fasttrack disabled):
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local src-address=<address of some device you choose for testing> new-connection-mark=WAN1_conn passthrough=yes
Does the counter for this rule increase? And does that device use only WAN1? And if you change it to new-connection-mark=WAN2_conn, does it switch to WAN2 only?
