mrdipeosodios
just joined
Topic Author
Posts: 3
Joined: Mon Jan 29, 2024 2:29 pm

Host unreachable on only one client

Sat Feb 10, 2024 2:38 am

I have a little Raspberry Pi Zero with DietPi installed on it. With my old router it was working fine, but since I got this new one I can't seem to get it to work reliably.

From the MikroTik router I can ping the Pi, and the Pi can ping the router. The Pi can also ping the internet, but when I ping any other machine on the local network I get host unreachable, or when the machines ping it they get the same reply. The machines can be on Ethernet or WiFi, it doesn't matter: same host unreachable reply. The machines I'm pinging from/to have various OSes, Windows/Linux. And they have no issues: they can ping each other, the internet, etc., but not this specific Raspberry Pi.

I did reinstall DietPi thinking I broke something, but I get the same error, and there are no firewall rules on by default.

192.168.1.11 is the Raspberry Pi machine. Not sure why it has such a long ID...

Please help me get this machine working and figure out what's wrong, thanks in advance.
/ip export hide-sensitive   
# 2024-02-10 01:31:23 by RouterOS 7.13.4
# software id = L002-KS3F
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = XXXXXXXXXXX
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf interface="ether1 (WAN)" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.254 mac-address=54:60:09:FB:7E:D2 server=defconf
add address=192.168.1.111 client-id=1:60:45:cb:9a:a1:22 mac-address=60:45:CB:9A:A1:22 server=defconf
add address=192.168.1.69 client-id=1:0:11:32:30:4b:51 mac-address=00:11:32:30:4B:51 server=defconf
add address=192.168.1.13 client-id=1:7a:45:76:24:e2:3c comment="if\E5n" mac-address=7A:45:76:24:E2:3C server=defconf
add address=192.168.1.80 client-id=1:94:c6:91:1e:be:39 mac-address=94:C6:91:1E:BE:39 server=defconf
add address=192.168.1.123 client-id=1:4:5d:4b:4d:85:f5 comment=sonytv mac-address=04:5D:4B:4D:85:F5 server=defconf
add address=192.168.1.10 client-id=1:10:4a:7d:24:b9:ef comment=chromeos mac-address=10:4A:7D:24:B9:EF server=defconf
add address=192.168.1.11 client-id=ff:eb:11:fc:86:0:1:0:1:2d:41:b3:1c:b8:27:eb:11:fc:86 mac-address=B8:27:EB:11:FC:86 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d cache-size=8192KiB use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set rtsp disabled=no
/ip service
set telnet disabled=yes
set www-ssl disabled=no
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface="ether1 (WAN)" type=external
Last edited by mrdipeosodios on Mon Feb 12, 2024 5:59 pm, edited 2 times in total.
 
IlKa
newbie
Posts: 38
Joined: Sun Jan 03, 2021 11:42 pm

Re: Host unreachable on only one client

Sun Feb 11, 2024 5:27 am

Do the Pi and the other machines on the network see each other's MAC addresses in ARP?
On Linux, try
ip nei
On Windows
arp -a
 
mrdipeosodios
just joined
Topic Author
Posts: 3
Joined: Mon Jan 29, 2024 2:29 pm

Re: Host unreachable on only one client

Sun Feb 11, 2024 10:05 am

Hi, thanks for replying!

On a Linux machine it shows up as FAILED (new IP address is 192.168.1.12 since I cleared the DHCP lease):
sudo ip neigh
192.168.1.12 dev eth0  FAILED
(Before I ping it's empty - no mention at all, but after I ping I get the above reply: FAILED)

And on Windows it doesn't show up at all, even after trying to ping, when doing
arp -a
Last edited by mrdipeosodios on Sun Feb 11, 2024 11:17 am, edited 1 time in total.
 
mrdipeosodios
just joined
Topic Author
Posts: 3
Joined: Mon Jan 29, 2024 2:29 pm

Re: Host unreachable on only one client  [SOLVED]

Sun Feb 11, 2024 6:00 pm

I think I found the problem! There are filter rules in bridge, and when I disable these (temporarily) everything seems to work! HOWEVER, I'm unsure of what will break when I do this. What is a bridge filter really, compared to the normal firewall?

The Pi Zero is connected to wifi2 and can't connect to anything (wifi2 is 2.4 GHz).
> interface/ bridge/ filter/ print 
Flags: X - disabled, I - invalid, D - dynamic 
 0 I ;;; no interface
     chain=forward action=drop in-interface=*9 log=no log-prefix="" 

 1 I ;;; no interface
     chain=forward action=drop out-interface=*9 log=no log-prefix="" 

 2   chain=forward action=drop in-interface=wifi2 log=no log-prefix="" 

 3   chain=forward action=drop out-interface=wifi2 log=no log-prefix="" 

 4 I ;;; no interface
     chain=forward action=drop in-interface=*B log=no log-prefix="" 

 5 I ;;; no interface
     chain=forward action=drop out-interface=*B log=no log-prefix="" 

 6 I ;;; no interface
     chain=forward action=drop in-interface=*C log=no log-prefix="" 
 
 7 I ;;; no interface
     chain=forward action=drop out-interface=*C log=no log-prefix="" 
Are these default rules? How do I fix this properly? I disabled rules 2-3 that block wifi2 and it works. I can ping/connect to the device = everything seems to work, but I'm worried I've done something I don't understand, so please help! :)
Last edited by mrdipeosodios on Sun Feb 11, 2024 6:16 pm, edited 1 time in total.
 
jaclaz
Forum Guru
Posts: 2220
Joined: Tue Oct 03, 2023 4:21 pm

Re: Host unreachable on only one client

Sun Feb 11, 2024 9:08 pm

The rules #2 and #3 essentially say do not forward anything that passes through wifi2, they are not default AFAIK, and it's unlikely that they did self-generate, more probably they are remains of previous experiments/tests.

Besides, whenever you find something like *1, *2, etc (asterisk followed by a number or letter) in Mikrotik configuration it is a sort of placeholder for *something* that was there but that doesn't exist anymore or that however the Ros lost a reference to.

You don't have an interface called *9, nor *B or *C.

You should export the whole configuration, then open it in notepad or similar and search for "*" (asterisk) as likely you will have other instances of "non-referenced" items.
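
Added example, not part of the post above and not MikroTik tooling: a small Python audit of a saved RouterOS export that flags the two things found in this thread, stale "*ID" references and bridge filter rules that drop forwarded traffic on a named interface. The sample export text is constructed, and the "*" plus letters/digits pattern is an assumption based on the description above.

```python
import re
import shlex

# Constructed sample in /export format, modelled on the rules shown in this thread.
SAMPLE_EXPORT = r'''
# constructed sample, not a real device export
/interface bridge filter
add action=drop chain=forward in-interface=*9
add action=drop chain=forward out-interface=*9
add action=drop chain=forward in-interface=wifi2
add action=drop chain=forward \
    out-interface=wifi2
/ip firewall filter
add action=drop chain=input comment="drop * from WAN" in-interface-list=!LAN
'''

# Assumption: a stale reference is "*" followed by letters/digits, optionally negated.
STALE = re.compile(r'^!?\*[0-9A-Za-z]+$')

def join_continuations(text):
    """Export output wraps long lines with a trailing backslash; rejoin them."""
    return re.sub(r'\\\r?\n\s*', '', text)

def audit_export(text):
    """Return (kind, section, parameter, value) tuples for suspicious entries."""
    findings, section = [], ''
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):          # menu path, e.g. /interface bridge filter
            section = line
            continue
        # shlex keeps quoted values (comments with spaces or "*") as one token
        params = dict(t.split('=', 1) for t in shlex.split(line) if '=' in t)
        for key, value in params.items():
            if key != 'comment' and STALE.match(value):
                findings.append(('stale-reference', section, key, value))
        if (section == '/interface bridge filter'
                and params.get('chain') == 'forward'
                and params.get('action') == 'drop'):
            for key in ('in-interface', 'out-interface'):
                value = params.get(key)
                if value and not STALE.match(value):
                    findings.append(('bridge-forward-drop', section, key, value))
    return findings

if __name__ == '__main__':
    for finding in audit_export(SAMPLE_EXPORT):
        print(*finding, sep='  ')
```

Unlike a plain text search for "*", this ignores asterisks inside comments and also reports the valid wifi2 drop rules, which were the ones actually isolating the client here.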
 
mrdipeosodios
just joined
Topic Author
Posts: 3
Joined: Mon Jan 29, 2024 2:29 pm

Re: Host unreachable on only one client

Sun Feb 11, 2024 9:17 pm

I exported my settings and the result of "*" is only in the bridge filter rules! I will disable all those bridge filter rules and finally delete them in a few days.

Could it be remnants from enabling the Guest wireless network and then disabling it?
 
jaclaz
Forum Guru
Forum Guru
Posts: 2220
Joined: Tue Oct 03, 2023 4:21 pm

Re: Host unreachable on only one client

Sun Feb 11, 2024 11:20 pm

Could it be remnants from enabling the Guest wireless network and then disabling it?
Cannot say, but it is possible; the general idea of those rules seems to be that of keeping traffic in interfaces separate.

You can delete them; anyway, the two for wifi2 are those blocking the function you want, and the other ones are invalid (because of the asterisks).

You could try to redo what you did (enable, then disable the Guest network) BUT this time use SAFE mode:
https://help.mikrotik.com/docs/display/ ... Management
and see if they are recreated.
 
mrdipeosodios
just joined
Topic Author
Posts: 3
Joined: Mon Jan 29, 2024 2:29 pm

Re: Host unreachable on only one client

Sun Feb 11, 2024 11:37 pm

I guess we can confirm this, adding a guest network adds those rules! Man, this was an annoying problem to hunt down.
 
jaclaz
Forum Guru
Forum Guru
Posts: 2220
Joined: Tue Oct 03, 2023 4:21 pm

Re: Host unreachable on only one client

Mon Feb 12, 2024 12:21 am

Good to know.
It seems to me like something that you should report to Mikrotik support, even if it is not a catastrophic bug, it can - as seen in your case - create issues and make users lose time to find the cause.