Everything else in the network seems to be working properly: the DHCP servers are handing out IPs according to each VLAN, everybody is getting an internet connection, and the failover between both ISPs is working fine as well.
So it wouldn't really bother me, except for the fact that I'm also having problems with inter-VLAN communication, and perhaps this could be related to that; I really don't know. But I've been looking everywhere in my config and didn't find anything, and the internet isn't helping me either, as it's not a very common problem. I just can't get that ping to the gateway to work.
If I traceroute 8.8.8.8, the first hop is in fact the gateway, so it's working (but ping isn't - it's a Linux server, so no firewall should be interfering).
(traceroute to 8.8.8.8 (8.8.8.8 ), 30 hops max, 60 byte packets
1 10.0.10.1 (10.0.10.1) 0.362 ms 0.413 ms 0.486 ms)
Any ideas on what's going on here? Any help would be much appreciated!
This is the network layout: https://lucid.app/publicSegments/view/c ... ad0eae6de0
And my config is this:
# jun/03/2023 00:11:10 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
# serial number = 763307BCEAAB
# Single bridge with VLAN filtering enabled; the VLAN interfaces and the
# "/interface bridge vlan" table further down both hang off it.
/interface bridge
add name=BridgeVLAN vlan-filtering=yes
# ether1/ether2 are renamed after the two ISPs. ether6-ether9 and sfp1 are
# administratively disabled; ether10 stays enabled.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
# Layer-3 interfaces for VLAN 10 (LAN), 20 (Clientes) and 30 (Camaras), all on
# the bridge.
/interface vlan
add interface=BridgeVLAN name=vlan10-LAN vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
# Interface lists referenced by the firewall, neighbor discovery and
# MAC-Winbox settings.
/interface list
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One DHCP pool per VLAN. dhcp_10 stops at .99; dhcp_20 and dhcp_30 span
# .2-.254 of their /24.
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
# One DHCP server per VLAN interface, each bound to its own pool.
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
# NOTE(review): the default community accepts queries from any source address
# (0.0.0.0/0). No "/snmp set enabled=yes" line is visible in this export, so
# SNMP may be switched off - confirm. If it is ever enabled, restrict
# addresses= to the monitoring host.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# Logging action that sends matching log entries by e-mail (address redacted
# by the author).
/system logging action
add email-to=xxx@gmail.com name=email target=email
# Policy set of the built-in "full" user group.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# Bridge ports: ether3 and ether5 are trunks that admit only tagged frames;
# ether4 is an access port with PVID 10 feeding an unmanaged switch.
# All three have ingress filtering enabled.
/interface bridge port
add bridge=BridgeVLAN comment="PVE3 (Servidor CP)" frame-types=\
admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN comment="Switch Soporte (unmanageable)" \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BridgeVLAN comment="Switch Aruba (manageable)" frame-types=\
admit-only-vlan-tagged ingress-filtering=yes interface=ether5
# Neighbor discovery is limited to interfaces in the ADMIN list.
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
# VLAN membership table. The bridge itself is tagged in every VLAN so the
# router's VLAN interfaces receive the traffic. VLAN 20 is carried on ether5
# only; VLANs 10 and 30 are carried on ether3 and ether5.
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 \
vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
# NOTE(review): vlan10-LAN is a member of both VLAN and ADMIN. Every host on
# VLAN 10, including anything plugged into the unmanaged switch on ether4, is
# therefore matched by the "Allow admin to config router" input rule and by
# the MAC-Winbox / neighbor-discovery settings. Confirm that this is intended,
# or move management to a dedicated interface such as ether10.
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN
# Router address (.1) on each VLAN interface, plus a secondary management
# subnet directly on ether10.
/ip address
add address=10.0.10.1/24 interface=vlan10-LAN network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
add address=192.168.99.1/24 comment="acceso secundario" interface=ether10 \
network=192.168.99.0
# Both WAN ports obtain their address by DHCP. The ether2 client is told not
# to install a default route; the ether1 client has no such override, so it
# presumably installs one in the main table - confirm on the device.
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
interface=ether2-Fibercorp
# Gateway handed to DHCP clients in each VLAN is the router's own address.
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
# allow-remote-requests=yes makes the router answer DNS queries from the
# network. Exposure depends entirely on the input chain: the filter rules
# admit port 53 from the VLAN list (and everything from ADMIN) and drop the
# rest, so WAN-side queries are refused only as long as those rules stay in
# place.
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9
# Source-address lists consumed by the mangle rules: VLAN 10 and VLAN 30 are
# steered to Fibercorp, VLAN 20 to Claro.
/ip firewall address-list
add address=10.0.10.0/24 comment="Resto de la red" list=a_fibercorp
add address=10.0.20.0/24 comment=VLAN-Clientes list=a_claro
add address=10.0.30.0/24 comment="Camaras" list=a_fibercorp
# Filter rules are evaluated top to bottom; the first match wins.
# Input chain (traffic addressed to the router itself): established/related,
# ICMP, anything from ADMIN interfaces, and DNS from the VLAN list are
# accepted; everything else is dropped.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP to the router is accepted from every interface, so the input chain is
# not what blocks a ping to 10.0.10.1.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow admin to config router" \
in-interface-list=ADMIN
add action=accept chain=input comment="Allow VLAN DNS queries-UDP" dst-port=\
53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
# Forward chain (traffic routed through the router).
# Fasttrack is applied only to established/related packets arriving on WAN.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# connection-state="" is an empty matcher; it appears to place no constraint
# on connection state - confirm.
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state="" in-interface-list=VLAN out-interface-list=WAN
# NOTE(review): this rule accepts traffic between any two VLAN-list
# interfaces, so Clientes (20) and Camaras (30) can open connections to the
# LAN (10) and to each other. The filter therefore enforces no segmentation
# between the VLANs, and the later "allow vlan10 access to other vlans" rule
# never adds anything because this broader rule matches first. If only
# VLAN 10 should reach the others, this is the rule to remove or narrow.
add action=accept chain=forward comment="accept inter VLAN traffic" \
connection-state="" in-interface-list=VLAN out-interface-list=VLAN
# Lets through connections that were destination-NATed (the port forwards).
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward comment="allow vlan10 access to other vlans" \
in-interface=vlan10-LAN out-interface-list=VLAN
add action=drop chain=forward comment="drop all else"
# Policy routing: packets are given a routing mark in prerouting based on
# their source address list, which selects the per-ISP routing table.
# NOTE(review): both rules match on source address only, so packets from
# these subnets that are addressed to the router itself (for example a ping
# to 10.0.10.1) or to another VLAN also receive a routing mark. The marked
# tables under "/ip route" show only ISP gateways, so such packets are
# probably sent out a WAN port instead of being delivered locally. That is a
# likely cause of both the failed gateway ping and the inter-VLAN problem.
# Consider adding dst-address-type=!local and excluding the internal subnets
# by destination (for example dst-address-list=!<LOCAL_SUBNETS_LIST>, a
# placeholder name) - verify on the device.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
"Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
src-address-list=a_claro
# Source NAT for everything leaving through a WAN interface, followed by the
# port forwards. Port numbers were redacted by the author (XXX / XXXX).
# Forwarded connections are admitted by the forward-chain rule that matches
# connection-nat-state=dstnat, so each enabled rule here exposes one internal
# service to the internet.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
# Disabled forward.
add action=dst-nat chain=dstnat comment=servidor_cp disabled=yes dst-port=\
XXXX in-interface-list=WAN protocol=tcp to-addresses=10.0.10.101 \
to-ports=XXXX
add action=dst-nat chain=dstnat comment=cosag dst-port=XXX \
in-interface-list=WAN protocol=tcp to-addresses=10.0.10.102 to-ports=XXXX
add action=dst-nat chain=dstnat comment=w2019 dst-port=XXXX \
in-interface-list=WAN protocol=tcp to-addresses=10.0.10.103 to-ports=XXX
# NOTE(review): 10.0.20.253 lies inside the dhcp_20 pool range
# (10.0.20.2-10.0.20.254). Unless the server holds a static lease, another
# client could be handed this address and receive the forwarded traffic -
# confirm.
add action=dst-nat chain=dstnat comment=serverX dst-port=XXX \
in-interface-list=WAN protocol=tcp to-addresses=10.0.20.253 to-ports=XXXX
add action=dst-nat chain=dstnat comment=Clientes-1 dst-port=XXX \
in-interface-list=WAN protocol=tcp to-addresses=10.0.10.110 to-ports=XXX
# NOTE(review): "dst-port=xxxin-interface=" has no space between the redacted
# port and the next parameter. This looks like an artifact of the manual
# redaction rather than the real configuration.
# The last two forwards are bound to a single ISP interface instead of the
# WAN list.
add action=dst-nat chain=dstnat comment=webserver dst-port=xxxin-interface=\
ether1-Claro protocol=tcp to-addresses=10.0.10.201 to-ports=xxx
add action=dst-nat chain=dstnat comment="Nginx Reverse Proxy Server" \
dst-port=XXX in-interface=ether2-Fibercorp protocol=tcp to-addresses=\
10.0.10.230 to-ports=XXXX
# Per-ISP routing tables selected by the mangle routing marks. Each table has
# a primary route (distance 1) and a backup (distance 2), both monitored with
# check-gateway=ping. Gateway addresses were redacted by the author. No
# dst-address is shown, so these are presumably default routes - confirm.
# The update_gateways script locates these routes by their comment text, so
# changing a comment here would stop the script from finding the route.
# No connected or internal-subnet routes appear in the marked tables.
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
x.x.x.x routing-mark=a-claro
# Traffic-flow accounting is enabled on the Claro uplink; no export target is
# visible in this export.
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/lcd
set time-interval=hour
# NOTE(review): the list contains "*8" where ether7 would be expected. This
# looks like a dangling reference to an item the router can no longer
# resolve by name - confirm.
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
# Log entries with topic "ups" are sent through the "email" logging action.
/system logging
add action=email topics=ups
# Runs the update_gateways script every 5 minutes.
# NOTE(review): the scheduler entry carries a broad policy set (ftp, reboot,
# password, sniff, sensitive, romon, ...). The script it runs only reads the
# DHCP client state and reads and sets routes, so a much smaller set is
# probably enough - test on the device before trimming.
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/25/2022 start-time=11:00:00
# update_gateways: keeps the static policy routes in step with the gateways
# learned by DHCP on the two WAN ports.
#   1. Reads the gateway of the DHCP client on ether1-Claro and, where it
#      differs, writes it to the routes commented "Ruta principal Claro" and
#      "Respaldo Fibercorp".
#   2. Reads the gateway of the DHCP client on ether2-Fibercorp and, where it
#      differs, writes it to the routes commented "Ruta principal Fibercorp"
#      and "Respaldo Claro".
# Routes are located by their comment text, so those comments must stay
# unchanged for the script to keep working.
# NOTE(review): the script is granted ftp, reboot, password, sniff, sensitive
# and romon in addition to read/write, although the body below only reads the
# DHCP client state and reads and sets routes. Reducing the policy limits
# what an altered script could do - test on the device before trimming.
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
;\r\
\n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
teway ];\r\
\n:if (\$newgw != \$routegw) do={\r\
\n /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
gw;\r\
\n}\r\
\n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
way ];\r\
\n:if (\$newgw != \$routegw) do={\r\
\n /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
;\r\
\n}\r\
\n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
ateway];\r\
\n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
] gateway ];\r\
\n:if (\$newgw != \$routegw) do={\r\
\n /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
\$newgw;\r\
\n}\r\
\n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
];\r\
\n:if (\$newgw != \$routegw) do={\r\
\n /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
\n}"
# UPS monitoring entry; its log topic is mailed out via "/system logging".
/system ups
add name=APC900 offline-time=10h
# Outgoing mail settings used by the e-mail logging action.
# NOTE(review): the address, port and user are masked, but the password= value
# does not look redacted. If it is the real credential, treat it as exposed:
# revoke or rotate it at the mail provider. For future posts, produce the
# export with "/export hide-sensitive" so secrets are left out.
/tool e-mail
set address=smtp.gmail.com from=zzzz@gmail.com password=\
ntrtjatvlbgoxsuj port=zzz start-tls=yes user=zzzzz
# MAC-Winbox is limited to interfaces in the ADMIN list (ether10 and
# vlan10-LAN).
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
# NOTE(review): RoMON is enabled, and no secret or per-port restriction
# appears in this export (either could be hidden or left at defaults -
# confirm). RoMON works at layer 2, so the "/ip firewall filter" input rules
# do not filter it. If it is needed, limit it to management-facing ports
# under "/tool romon port" and set a secret; otherwise disable it.
/tool romon
set enabled=yes