acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

mikrotik router can ping some servers, but others timeout

Tue May 17, 2022 7:21 pm

Hi everyone,

My MikroTik router is suddenly no longer able to ping or reach certain websites. We have not made any recent configuration changes; however, we suddenly can no longer reach those websites, either by ping or via the web.

Using winbox, I can ping google no problem with no timeouts, however when reaching other sites it will timeout. No one on our internal website can reach these resources either.

Below is an output of our config.

The IP we are trying to reach is 203.90.233.8, which is pingable from outside the network. The DNS server does resolve these IPs; only ping/webserver is not responding.

Thank you!


# may/18/2022 01:07:02 by RouterOS 6.48.4

/interface bridge
add name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=nuroWAN speed=10Gbps
set [ find default-name=sfp-sfpplus1 ] name=portLAN01
/interface ipip
add allow-fast-path=no ipsec-secret="password" local-address=\
    2.2.2.2 name=iptunnel remote-address=3.3.3.3
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.2.100-10.0.2.254
add name=ldapvpn ranges=192.168.10.1-192.168.10.126
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN name=dhcp1
/ppp profile
add dns-server=10.0.0.1 incoming-filter="" interface-list=LAN local-address=\
    10.0.0.1 name=ldap-vpn outgoing-filter="" remote-address=ldapvpn \
    use-encryption=required
/queue simple
add max-limit=350M/350M name=ip-tunnel target=iptunnel
/snmp community
add addresses=::/0 name=Devices
/interface bridge port
add bridge=bridge-LAN interface=portLAN01
/interface bridge settings
set use-ip-firewall=yes
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ldap-vpn enabled=yes \
    ipsec-secret= use-ipsec=required
/interface list member
add interface=nuroWAN list=WAN
add interface=bridge-LAN list=LAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.0.0.1/16 interface=portLAN01 network=10.0.0.0
add address=172.22.22.1/30 interface=tunnel network=172.22.22.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=nuroWAN
/ip dhcp-server network
add address=10.0.0.0/16 boot-file-name=ipxe.efi dns-server=10.0.0.1 gateway=\
    10.0.0.1 netmask=16 next-server=10.0.5.86 ntp-server=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=\
    dns1,dns2,8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.1-192.168.10.126 list=OutVpn
/ip firewall filter
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=nuroWAN \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=nuroWAN \
    port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=nuroWAN port=\
    22 protocol=tcp
add action=accept chain=input dst-port=500,1701,4500 in-interface=nuroWAN \
    protocol=udp
add action=drop chain=input comment="block everything else" in-interface=\
    nuroWAN
/ip firewall mangle
add action=mark-routing chain=prerouting connection-limit=100,32 \
    dst-address-type="" dst-limit=1,5,dst-address/1m40s hotspot="" limit=\
    1,5:packet new-routing-mark=VpnRoute passthrough=no psd=21,3s,3,1 \
    src-address=192.168.10.1-192.168.10.126 src-address-type="" tcp-flags=""
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!10.0.0.0/16 out-interface=\
    nuroWAN src-address=10.0.0.0/16
add action=src-nat chain=srcnat dst-address=10.0.0.1 src-address=\
    192.168.10.1-192.168.10.126 src-address-list=OutVpn to-addresses=10.0.0.1
add action=masquerade chain=srcnat out-interface=nuroWAN
add action=dst-nat chain=dstnat comment=" port 4172 tcp" dst-address=\
    1234 dst-port=4172 protocol=tcp to-addresses=10.0.5.84 \
    to-ports=4172
add action=dst-nat chain=dstnat comment=" port 4172 udp" dst-address=\
    12349 dst-port=4172 protocol=udp to-addresses=10.0.5.84 \
    to-ports=4172
add action=dst-nat chain=dstnat comment=" port 443 tcp" dst-address=\
    1234 dst-port=443 protocol=tcp to-addresses=10.0.5.84 \
    to-ports=443
add action=dst-nat chain=dstnat comment=" port 60443 tcp" \
    dst-address=1234 dst-port=60443 protocol=tcp to-addresses=\
    10.0.5.84 to-ports=60443
/ip route
add check-gateway=ping distance=1 gateway=nuroWAN routing-mark=VpnRoute
add distance=1 dst-address=10.1.0.0/16 gateway=172.22.22.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.0.0.0/16,169.254.0.0/16
set api-ssl disabled=yes
/ip traffic-flow
set cache-entries=8k enabled=yes
/ip traffic-flow target
add dst-address=10.0.5.78
/ppp aaa
set use-radius=yes
/ppp profile
set *FFFFFFFE dns-server=10.0.0.1 local-address=10.1.0.0 remote-address=*2
/ppp secret
add local-address=10.0.3.227 name=vpn password=pw
add name=vpn_test password=Temp!234 profile=default-encryption
/radius
add address=10.0.5.79 domain=domain secret=pw service=ppp \
    src-address=10.0.0.1
/snmp
set location=server_room trap-community=Devices trap-target=10.0.5.21 \
    trap-version=2
/system identity
set name=router
/tool sniffer
set filter-interface=nuroWAN filter-ip-address=10.0.3.47/32 filter-port=4172
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: mikrotik router can ping some servers, but others timeout

Tue May 17, 2022 7:45 pm

(1) Unless you need some special bridge firewall rules ( and you know what you are doing - this is an advanced feature set )
suggest stick to filter rules IP Firewall, input and forward chain etc....

(2) Be consistent with the bridge itself. If LAN01 is part of the bridge etc...........
then change this
FROM
/ip address
add address=10.0.0.1/16 interface=portLAN01 network=10.0.0.0

TO
/ip address
add address=10.0.0.1/16 interface=bridge-LAN network=10.0.0.0

(3) SECURITY RISK - do not allow winbox directly from internet............ One should VPN into the router and then access winbox........... same with SSH.
add action=accept chain=input comment="allow Winbox" in-interface=nuroWAN \
port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=nuroWAN port=\
22 protocol=tcp

(4) Do you have a main table route for the standard ISP connection?? I see the one with the route marking but typically there is also a default or standard route.
The second one I have no idea what its for?

/ip route
add check-gateway=ping distance=1 gateway=nuroWAN routing-mark=VpnRoute
add distance=1 dst-address=10.1.0.0/16 gateway=172.22.22.2
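As an added illustration of points (1) to (4) above (this is example config written for this thread, not anav's or the poster's own), here is what the relevant sections would look like on RouterOS 6.x. Interface names nuroWAN, bridge-LAN, portLAN01 and the lists WAN/LAN are taken from the poster's export; the gateway 203.0.113.1 is a documentation placeholder for the ISP gateway and the VPN subnet 192.168.10.0/25 is assumed from the ldapvpn pool.

```routeros
# Example hardening for the poster's setup (not from the thread).
# Assumed names: nuroWAN (WAN port), bridge-LAN (LAN bridge), lists WAN/LAN.
# 203.0.113.1 is a PLACEHOLDER for the ISP gateway, not a real address.

# (2) Keep the LAN address on the bridge, not on a member port.
/ip address
remove [ find interface=portLAN01 ]
add address=10.0.0.1/16 interface=bridge-LAN network=10.0.0.0

# (1) Bridge IP filtering is a niche feature; the normal setup keeps it off
# and relies on /ip firewall filter (input + forward chains).
/interface bridge settings
set use-ip-firewall=no

# (3) Management only from LAN or from the VPN pool: restrict the service
# itself (the 169.254.0.0/16 link-local entry is dropped) ...
/ip service
set winbox address=10.0.0.0/16,192.168.10.0/25
# ssh stays disabled in the export; if it is ever enabled, restrict it too:
set ssh address=10.0.0.0/16,192.168.10.0/25

# ... and never let WAN reach the services in the input chain.
# Rules are evaluated top to bottom; the final drop covers everything else.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ICMP"
add chain=input action=accept in-interface-list=LAN comment="LAN to router"
add chain=input action=accept in-interface-list=WAN protocol=udp \
    dst-port=500,1701,4500 comment="L2TP/IPsec from the internet"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp \
    comment="IPsec ESP"
add chain=input action=drop in-interface-list=WAN \
    comment="drop everything else from WAN"

# (4) The main table needs a default route. The DHCP client on nuroWAN
# normally installs one (add-default-route=yes, shown as DAS in
# /ip route print); only if it does not, add a static one:
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=203.0.113.1 check-gateway=ping
```

Check the result with /ip route print detail (the poster should see a 0.0.0.0/0 entry flagged DAS or AS) and with /ip firewall filter print; the unmarked traffic to 203.90.233.8 follows that default route, so if the main table has no 0.0.0.0/0 entry at all, nothing outside the marked VPN range can leave the router.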
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: mikrotik router can ping some servers, but others timeout

Tue May 17, 2022 7:58 pm

Thanks for the reply.
(1) Unless you need some special bridge firewall rules ( and you know what you are doing - this is an advanced feature set )
suggest stick to filter rules IP Firewall, input and forward chain etc....
I don't quite understand what you mean, could you please explain?
(2) Be consistent with the bridge itself. If LAN01 is part of the bridge etc...........
then change this
FROM
/ip address
add address=10.0.0.1/16 interface=portLAN01 network=10.0.0.0

TO
/ip address
add address=10.0.0.1/16 interface=bridge-LAN network=10.0.0.0
I changed these, thanks.
(3) SECURITY RISK - do not allow winbox directly from internet............ One should VPN into the router and then access winbox........... same with SSH.
add action=accept chain=input comment="allow Winbox" in-interface=nuroWAN \
port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=nuroWAN port=\
22 protocol=tcp
I switched these to the bridge-LAN; you are right, there is no need for anyone to connect externally.
(4) Do you have main table route for the standard ISP connection?? I see the one with the route marking but typically there is also a default or standard route.
The second one I have no idea what its for?

/ip route
add check-gateway=ping distance=1 gateway=nuroWAN routing-mark=VpnRoute
add distance=1 dst-address=10.1.0.0/16 gateway=172.22.22.2
I am not sure, how would I go about setting that up? The second one is for a connection to a second office off-site.
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: mikrotik router can ping some servers, but others timeout

Tue May 17, 2022 9:29 pm

Some more information with the traceroute tool; google, for example, is reachable no problem.

Could there be an error with the server 58.138.80.245, where the timeout begins to occur?

[@router] /tool> traceroute google.com // no problem
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 us 0% 7 1.9ms 2.6 1.8 4 0.7
2 ... 0% 7 1.5ms 1.3 0.7 1.6 0.3
3 110.232.156.165 0% 7 8.1ms 3.3 1.6 8.1 2.1
4 202.213.194.1 0% 7 1ms 3.3 0.9 15.9 5.2
5 202.213.193.59 0% 7 1.6ms 1.8 1.1 3.1 0.6
6 142.250.160.100 0% 7 3.5ms 4.9 3.2 11.3 2.7
7 142.251.61.119 0% 7 2.4ms 2.6 2 3.1 0.4
8 172.253.75.195 0% 7 2ms 2.5 2 3.1 0.4
9 172.217.175.78 0% 7 1.6ms 1.4 1 1.6 0.2

[@router] /tool> traceroute 203.90.233.8
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 us 0% 2 1.8ms 2.2 1.8 2.5 0.4
2 ... 0% 2 3.5ms 3.2 2.9 3.5 0.3
3 110.232.156.97 0% 2 1.8ms 2.1 1.8 2.3 0.3
4 202.213.193.34 0% 2 1.3ms 1.7 1.3 2.1 0.4
5 202.232.9.13 0% 2 1.2ms 1.3 1.2 1.4 0.1
6 58.138.100.197 0% 2 0.8ms 1 0.8 1.1 0.2
7 58.138.81.174 0% 2 57.1ms 57.2 57.1 57.2 0.1
8 58.138.80.245 0% 2 56.9ms 57 56.9 57 0.1
9 100% 2 timeout
10 100% 2 timeout
11 100% 2 timeout
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: mikrotik router can ping some servers, but others timeout

Tue May 17, 2022 11:28 pm

Well if this is a public IP facing router you should have at least a decent set of default firewall rules.
Most people only add the functionality of firewall directly on the bridge for very specific niche cases (not the norm).

Here are some basic examples for firewall setup. (based on allow rules and then a drop all rule at the end of the input and forward chain).
viewtopic.php?t=180838

Yes, print the IP routes detail and paste it in, and that way we can see the automated routes (DAC) and the manually inserted routes.
Just ensure no real WANIPs are showing.

Also what does this relate to ? - 169.254.0.0/16
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: mikrotik router can ping some servers, but others timeout

Tue May 17, 2022 11:46 pm

Hello anav,

Thank you for the reply, however I am not sure how it will solve the issue I am facing.

The IP address we are trying to reach is not accessible whereas we can get to other resources no problem.

Traceroute shows there is possibly an issue between our router and the destination. I'm not sure how to go about solving this; help would be appreciated!
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: mikrotik router can ping some servers, but others timeout

Sat May 21, 2022 1:11 am

Hello anav,

Thank you for the reply, however I am not sure how it will solve the issue I am facing.

The IP address we are trying to reach is not accessible whereas we can get to other resources no problem.

Traceroute shows there is possibly an issue between our router and the destination. I'm not sure how to go about solving this; help would be appreciated!
If the problem is between your ISP and the destination web site, there is nothing you can do on your router to make the website available directly. You may be able to "bypass" the problem ("e.g. take a detour around the route that has a bridge out") by using a VPN service.
