dannongruver
Joined: Thu Apr 06, 2023 5:08 am

AC3: Cannot ping WAN port (ether1) but can from bridge, lte & without interface

Thu May 04, 2023 5:27 pm

Hi. I have an AC3 v7.9 (192.168.1.2) with a cable modem/router (192.168.1.1) connected to the ether1 interface and cellular on the LTE1 interface.

It's strange, but pinging from the bridge interface, or with no interface specified, works, while pinging from ether1 does not. Ether1 is connected to a cable modem/router that has its DHCP turned off (I'm not network-smart enough to configure it in bridge mode), but the ether1 interface is successfully passing traffic through to the WAN, because the speed test shows gigabit speed, whereas LTE is much slower.

I've disabled the firewall rules and restarted, and still no luck.

Bridge:
ping 8.8.8.8 interface=bridge count=3
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 57 15ms229us
1 8.8.8.8 56 57 15ms771us
2 8.8.8.8 56 57 19ms600us
sent=3 received=3 packet-loss=0% min-rtt=15ms229us avg-rtt=16ms866us max-rtt=19ms600us

No interface:
ping 8.8.8.8 count=3
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 57 14ms921us
1 8.8.8.8 56 57 18ms659us
2 8.8.8.8 56 57 17ms418us
sent=3 received=3 packet-loss=0% min-rtt=14ms921us avg-rtt=16ms999us max-rtt=18ms659us

LTE:
ping 8.8.8.8 interface=lte1 count=3
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 112 206ms971us
1 8.8.8.8 56 112 26ms609us
2 8.8.8.8 56 112 27ms872us
sent=3 received=3 packet-loss=0% min-rtt=26ms609us avg-rtt=87ms150us max-rtt=206ms971us

PROBLEM...Ether1:
ping 8.8.8.8 interface=ether1 count=3
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 timeout
1 192.168.1.2 84 64 341ms707us host unreachable

CONFIGURATION:

# may/04/2023 09:22:55 by RouterOS 7.9
# software id = KQH9-SBIK
#
# model = RBD53GR-5HacD2HnD
# serial number = DC900D2432BE
/interface bridge
add admin-mac=xx:xx:xx...:xx auto-mac=no comment=defconf name=bridge
add name=bridge2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country="united states" distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=MikroTik-6E8028 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country="united states" distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-6E8029 \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] use-peer-dns=no
add apn=broadband default-route-distance=10 use-network-apn=yes use-peer-dns=\
no
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=broadband band=\
""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=WAN
add bridge=bridge interface=LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=ether1 list=WAN
# section header missing from the posted export; restored so the lease imports
/ip dhcp-server lease
add address=192.168.1.1 client-id=1:xxxxxxx comment="NETGEAR CAX80" \
mac-address=xxxxxx server=defconf
/ip dhcp-server network
add address=192.0.0.0/8 comment=defconf dns-server=192.168.1.2 gateway=\
192.168.1.2 netmask=8
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip dns static
add address=192.168.1.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid in-interface-list=WAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input dst-address=!192.168.1.1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment=NETGEAR_XFINITY disabled=no distance=1 \
dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=MIKROTIK_NETGEAR disabled=no distance=1 \
dst-address=128.0.0.1/32 gateway=ether1 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool e-mail
set address=smtp.gmail.com from=pipnee@gmail.com port=587 user=pipnee
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=CheckCon disabled=yes down-script="\r\
\n:log info \"Netwatch Initial Test: Xfinity Down\"\r\
\n:if ([/ping 8.8.8.8 interface=ether1 count=10] =0) do={\r\
\n:log info \"XFINITY Netwatch down\"\r\
\n/ip route set [find comment=\"MIKROTIK_NETGEAR\"] distance=111\r\
\n/ip route set [find comment=\"NETGEAR_XFINITY\"] distance=111\r\
\n/tool e-mail send to=\"8324449009@txt.att.net\" subject=\"XFINITY Down\"\
\_body=\"DOWN\" tls=starttls\r\
\n} else={\r\
\n:log info \"Tested: XFINITY Down.\"\r\
\n}\r\
\n" host=8.8.8.8 http-codes="" interval=5s test-script="" timeout=2s \
type=simple up-script="\r\
\n:local i\r\
\n:log info \"Netwatch Initial Test: Xfinity Up\"\r\
\n:do {\r\
\n:set \$i [/ping 8.8.8.8 interface=ether1 count=50]\r\
\n:log info \"Test: XFINITY Ping\"\r\
\n} while=(\$i != 50);\r\
\n:if (\$i = 50) do={\r\
\n:log info \"XFINITY Netwatch up.\"\r\
\n/ip route set [find comment=\"MIKROTIK_NETGEAR\"] distance=1\r\
\n/ip route set [find comment=\"NETGEAR_XFINITY\"] distance=1\r\
\n/tool e-mail send to=\"8324449009@txt.att.net\" subject=\"XFINITY UP\" b\
ody=\"UP\" tls=starttls\r\
\n} else={\r\
\n:log info \"Tested: XFINITY Up\"\r\
\n}"
/tool sniffer
set filter-interface=ether1
mkx
Joined: Thu Mar 03, 2016 10:23 pm

Re: AC3: Cannot ping WAN port (ether1) but can from bridge, lte & without interface

Thu May 04, 2023 10:25 pm

My guess: when you specify interface=ether1, the router doesn't perform SRC-NAT. The description of packet flow doesn't support my guess, but then (I guess again) some commands (like ping with an interface selected) may bypass some of the boxes which are normally on the packet's path.
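A way to check the guess above from the router's own console, added here as an example; it is not part of either post and not MikroTik's code. It assumes only the interface names from the exported config (ether1, bridge) and the default masquerade rule comment shown there. The posted export contains no /ip address section, so the first command shows whether ether1 has an address to source packets from at all, which is the other simple explanation for the router (192.168.1.2) itself answering "host unreachable" when the ping is bound to ether1.

```routeros
# Added diagnostic, not from the original post or from MikroTik.
# Assumes interface names ether1/bridge and the "defconf: masquerade" rule
# comment from the exported config.

# 1. Does ether1 have an address to source packets from? The posted export
#    has no /ip address section, so confirm this before anything else.
/ip address print where interface=ether1

# 2. Which route and preferred source does an unbound ping use?
/ip route print detail where dst-address=0.0.0.0/0

# 3. Record the masquerade rule counters before the test.
/ip firewall nat print stats where comment="defconf: masquerade"

# 4. Capture ICMP to 8.8.8.8 on ether1 while sending both kinds of ping.
#    In the packet list, compare the src-address column: a bound ping that
#    skips src-nat would leave ether1 with a private (192.168.x.x) source.
/tool sniffer set filter-interface=ether1 filter-ip-protocol=icmp filter-ip-address=8.8.8.8/32
/tool sniffer start
/ping 8.8.8.8 interface=ether1 count=3
/ping 8.8.8.8 count=3
/tool sniffer stop
/tool sniffer packet print

# 5. Counters again: if they move for the unbound ping but not for the
#    bound one, the NAT-bypass guess holds; if no packet for the bound ping
#    appears in the capture at all, the packet never reached ether1.
/ip firewall nat print stats where comment="defconf: masquerade"
```

Run the steps in order from a single console session; the sniffer filter replaces the one already set in the export (filter-interface=ether1), so reset it afterwards if the original capture setup is still wanted.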
