yesurbius
just joined
Topic Author
Posts: 4
Joined: Mon Oct 16, 2017 8:10 am
Location: Edmonton, Canada

I can't ping router from LAN interface, but can from mgmt interface.

Mon Oct 16, 2017 8:30 am

Hi everyone. This is my first post on the forums.

I've been working for quite some time to get my router configuration working and I am coming up empty.
It has to be something small that I'm missing - but I'm not seeing it.
I have tried removing all NAT and Firewall configuration sections and I am still having the same problem.

The router is bound to 192.168.0.1 (LAN) and 192.168.88.1 (Management).

When my machine is 192.168.0.33 (Plugged into Lan Interface)
ping 192.168.0.1 will get 0-2 replies - the rest will Time Out
ping 192.168.88.1 will get 0-2 replies - the rest will Time Out

When my machine is 192.168.88.18 (Plugged into the Management Interface)
ping 192.168.0.1 works perfectly
ping 192.168.88.1 works perfectly.

I am at a complete loss.

Here is my configuration script:

# Last Updated Oct 15 2017
#
# model = 2011UiAS
#

##############################
#### ROUTER CONFIGURATION ####
##############################

/system identity
set name=PaulBlart

### Update RouterOS Software on the "bugfix" channel
/system package update
set channel=bugfix

### Setup the system clock
/system clock
set time-zone-autodetect=no time-zone-name=America/Edmonton

### Configure NTP Client
/system ntp client
set enabled=yes primary-ntp=136.159.2.1 secondary-ntp=132.205.1.1

### Configure Router Tools
/tool mac-server set [ find default=yes ] disabled=yes
/tool sniffer set filter-ip-protocol=icmp
/tool bandwidth-server set enabled=no

##################################
#### PHYSICAL INTERFACE SETUP ####
##################################

/interface ethernet
set [ find default-name=ether1 ] name=ether1 disabled=yes
set [ find default-name=ether2 ] name=ether2 disabled=yes
set [ find default-name=ether3 ] name=ether3 disabled=yes
set [ find default-name=ether4 ] name=ether4 disabled=yes
set [ find default-name=ether5 ] name=ether5 disabled=yes
set [ find default-name=ether6 ] name=ether6 disabled=yes
set [ find default-name=ether7 ] name=ether7 disabled=yes
set [ find default-name=ether8 ] name=ether8 disabled=yes
set [ find default-name=ether9 ] name=ether9 disabled=yes
set [ find default-name=ether10 ] name=ether10 disabled=yes
set [ find default-name=sfp1 ] name=sfp1 disabled=yes

# WAN Uplink to ISP Modem (Bridging Mode Enabled)
set [ find default-name=ether6 ] name=if_wan disabled=no

# Raspberry Pi
set [ find default-name=ether7 ] name=if_pi disabled=no

# Connection to switch on VLAN2 (VoIP Traffic)
set [ find default-name=ether2 ] name=if_voip disabled=no

# Connection to switch on VLAN1 (LAN Traffic)
set [ find default-name=ether8 ] name=if_lan disabled=no

# Dedicated connection specifically for Router Management
set [ find default-name=ether9 ] name=if_mgmt disabled=no

# Connect to Wireless Access Point
set [ find default-name=ether10 ] name=if_wlan disabled=no


######################
#### IP ADDRESSES ####
######################

/ip address
add address=192.168.0.1/24 interface=if_lan network=192.168.0.0
add address=192.168.0.1/24 interface=if_wlan network=192.168.0.0
add address=192.168.0.1/24 interface=if_voip network=192.168.0.0
add address=192.168.88.1/24 interface=if_mgmt network=192.168.88.0
add address=192.168.55.254/24 interface=if_pi network=192.168.55.0

#####################
#### IP SETTINGS ####
#####################

/ip settings
set allow-fast-path=no
set ip-forward=no
set route-cache=no
set secure-redirects=no
set send-redirects=no

/ip traffic-flow
set interfaces=if_wan

##########################
#### IP ADDRESS POOLS ####
##########################
/ip pool
remove [find]

# Wired LAN Address Pool
# 192.168.0.33 - 192.168.0.62 (30 Addresses)
add name=pool_lan ranges=192.168.0.32/27

# VoIP Address Pool
# 192.168.0.65 - 192.168.0.94 (30 Addresses)
add name=pool_voip ranges=192.168.0.64/27

# Wireless LAN Address Pool
# 192.168.0.97 - 192.168.0.126 (30 Addresses)
add name=pool_wlan ranges=192.168.0.96/27

# Management Address Pool
# 192.168.88.17 - 192.168.88.22 (6 Addresses)
add name=pool_mgmt ranges=192.168.88.16/29

# Raspberry Pi Address
# 192.168.55.1 - 192.168.55.1 (1 Address)
add name=pool_pi ranges=192.168.55.1/32

###################################################
#### DHCP SERVER - ROUTER GIVING OUT ADDRESSES ####
###################################################

/ip dhcp-server
add address-pool=pool_lan disabled=no interface=if_lan lease-time=3d name=dhcpd_lan
add address-pool=pool_voip disabled=no interface=if_voip lease-time=3d name=dhcpd_voip
add address-pool=pool_wlan disabled=no interface=if_wlan lease-time=1h name=dhcpd_wlan
add address-pool=pool_mgmt disabled=no interface=if_mgmt lease-time=1h name=dhcpd_mgmt
add address-pool=pool_pi disabled=no interface=if_pi lease-time=3d name=dhcpd_pi

/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.55.0/24 gateway=192.168.55.1 netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24

##############
#### UPNP ####
##############
/ip upnp set enabled=yes
/ip upnp interfaces
add interface=if_wan type=external
add interface=if_lan type=internal
add interface=if_wlan type=internal

####################
#### IP ROUTING ####
####################

/ip route add check-gateway=ping distance=1 gateway=108.181.92.1 routing-mark=wan-route

#####################
#### IP SERVICES ####
#####################
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

###################################################
#### DHCP CLIENT - OBTAINING ADDRESS FOR ROUTER ###
###################################################
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=if_wan use-peer-ntp=no use-peer-dns=yes

###########################
#### DNS CONFIGURATION ####
###########################

/ip dns set allow-remote-requests=no cache-size=512KiB max-udp-packet-size=512 cache-max-ttl=10m

#############################
#### PROXY CONFIGURATION ####
#############################

/ip proxy
set src-address=192.168.0.1
set anonymous=yes
set enabled=yes

###########################################
#### NETWORK ADDRESS TRANSLATION (NAT) ####
###########################################

/ip firewall nat
add comment="NAT LAN traffic to the internet" \
chain=srcnat action=masquerade \
out-interface=if_wan \
disabled=no

################################
#### FIREWALL CONFIGURATION ####
################################

### Address Lists

/ip firewall address-list
add address=0.0.0.0/8 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=192.168.0.0/16 list=Bogon

# Hosts banned from communicating with router
add address=5.188.10.102 list=Banlist

### Firewall Service Ports

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

########################
#### FIREWALL RULES ####
########################

/ip firewall filter

add comment="Allow forward Established and Related - FastTrack" chain=forward \
action=fasttrack-connection \
connection-state=established,related \
disabled=yes

add comment="Allow forward Established and Related" chain=forward \
action=accept \
connection-state=established,related

add comment="Allow input Established and Related" chain=input \
action=accept \
connection-state=established,related

add comment="Ban List" chain=forward \
action=drop src-address-list=Banlist

add comment="Allow input Ping" chain=input \
action=accept protocol=icmp

add comment="Drop Port_Scanners" chain=input \
action=drop in-interface=if_wan src-address-list=Port_Scanners

add comment="Drop Port_Scanners Forward" chain=forward \
action=drop in-interface=if_wan src-address-list=Port_Scanners

add comment="Drop Bogon Forward" chain=forward \
action=drop in-interface=if_wan src-address-list=Bogon

# Firewall - Build Address Lists based on negative activity detection

add comment="Port_Scanners to list" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp psd=21,3s,3,1

add comment="NMAP FIN Stealth scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg

add comment="SYN/FIN scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=fin,syn

add comment="SYN/RST scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=syn,rst

add comment="FIN/PSH/URG scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack

add comment="ALL/ALL scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg

add comment="NMAP NULL scan" chain=input \
action=add-src-to-address-list \
address-list=Port_Scanners address-list-timeout=2w \
in-interface=if_wan protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

# Drop unwanted connections

add comment="Drop forward not Dst NAT" chain=forward action=drop \
in-interface=if_wan connection-nat-state=!dstnat connection-state=new log=yes

add comment="Drop forward Invalid" chain=forward action=drop \
in-interface=if_wan connection-state=invalid

add comment="Drop input All" chain=input action=drop \
in-interface=if_wan log=yes

###############
### SCRIPTS ###
###############
/system script
add name=Configure_DHCP_Routes \
policy=reboot,read,write,policy,test \
source=":local entcounter\r\
\n:local routecounter\r\
\n:local duplicatecounter\r\
\nlocal routeupdated \"no\"\r\
\nforeach clientcounter in=[/ip dhcp-client find] do={\r\
\nlocal routingmarkname ([/ip dhcp-client get \$clientcounter interface] .\
\_\"-route\")\r\
\nlocal newroutinggateway [ip dhcp-client get \$clientcounter gateway]\r\
\nforeach routecounter in=[/ip route find where routing-mark=\$routingmark\
name] do={\r\
\n:local routinggateway [/ip route get [find routing-mark=\$routingmarknam\
e] gateway]\r\
\n\r\
\n:if ([:len \$newroutinggateway] > 0) do={\r\
\n:if (\$routinggateway != \$newroutinggateway) do={\r\
\n/ip route set \$routecounter gateway=\$newroutinggateway\r\
\n:set routeupdated \"yes\"\r\
\n}\r\
\n}\r\
\n}\r\
\n:if ([:len \$newroutinggateway] > 0) do={\r\
\n:if (\$routeupdated = \"no\") do={\r\
\n/ip route add routing-mark=\$routingmarkname gateway=\$newroutinggateway\
\_dst-address=0.0.0.0/0\r\
\n}\r\
\n}\r\
\n}"

#######################
### SCHEDULED TASKS ###
#######################

/system scheduler

add comment="Configure DHCP Routes" \
interval=1m name=Every_Minute \
on-event="/system script run Configure_DHCP_Routes" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
start-date=jan/01/1970 start-time=01:00:00

#####################
#### LCD DISPLAY ####
#####################
/lcd
set enabled=yes
set backlight-timeout=120s
set read-only-mode=yes
set time-interval=daily
set touch-screen=disabled
backlight state=on
set default-screen=stats

/lcd interface
disable numbers=[find interface!=if_wan]
display if_wan

#####################
### USER ACCOUNTS ###
#####################
/user add comment="Main Admin User" \
name=rosadmin group=full password="ChangeMe!"
/user remove numbers=[ find name="admin" ]

I would _really_ appreciate anyone that could help me solve this ping issue.

Thanks

Dan
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: I can't ping router from LAN interface, but can from mgmt interface.

Tue Oct 17, 2017 1:09 pm

Hello, there is a problem in your config:

/ip address
add address=192.168.0.1/24 interface=if_lan network=192.168.0.0
add address=192.168.0.1/24 interface=if_wlan network=192.168.0.0
add address=192.168.0.1/24 interface=if_voip network=192.168.0.0
add address=192.168.88.1/24 interface=if_mgmt network=192.168.88.0
add address=192.168.55.254/24 interface=if_pi network=192.168.55.0

You need a different address for each interface.
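
The check described in the reply above, as an added example that is not part of the original thread: a Python audit of the `/ip address` section of a RouterOS export that reports every subnet claimed by more than one interface. The function names and the trimmed sample export are assumptions made for illustration, and the check goes slightly beyond the post by also flagging prefixes that only partially overlap.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the /ip address section quoted in the reply above.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.0.1/24 interface=if_lan network=192.168.0.0
add address=192.168.0.1/24 interface=if_wlan network=192.168.0.0
add address=192.168.0.1/24 interface=if_voip network=192.168.0.0
add address=192.168.88.1/24 interface=if_mgmt network=192.168.88.0
add address=192.168.55.254/24 interface=if_pi network=192.168.55.0
/ip settings
set ip-forward=no
"""

def parse_ip_addresses(export):
    """Return (interface, IPv4Interface) pairs from the /ip address section."""
    entries, in_section = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # A new menu path starts; only "add" lines under /ip address count.
            in_section = (line == "/ip address")
            continue
        if in_section and line.startswith("add "):
            fields = dict(re.findall(r"(\S+?)=(\S+)", line))
            if "address" in fields and "interface" in fields:
                entries.append((fields["interface"],
                                ipaddress.ip_interface(fields["address"])))
    return entries

def find_conflicts(entries):
    """Map each subnet to the interfaces sharing it when there is more than one."""
    by_net = defaultdict(set)
    for iface, addr in entries:
        by_net[addr.network].add(iface)
    conflicts = {}
    for net in by_net:
        ifaces = set()
        for other, members in by_net.items():
            if other.overlaps(net):  # also catches /24 against /25, etc.
                ifaces |= members
        if len(ifaces) > 1:
            conflicts[str(net)] = sorted(ifaces)
    return conflicts

if __name__ == "__main__":
    for net, ifaces in find_conflicts(parse_ip_addresses(SAMPLE_EXPORT)).items():
        print(f"{net}: claimed by {', '.join(ifaces)}")
```

It only reads the block form of an export (a `/ip address` line followed by `add` lines), which is the form used in the configuration posted in this thread.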
 
yesurbius
just joined
Topic Author
Posts: 4
Joined: Mon Oct 16, 2017 8:10 am
Location: Edmonton, Canada

Re: I can't ping router from LAN interface, but can from mgmt interface.

Wed Oct 18, 2017 6:37 am

Thanks eVince. I did miss that but the problem persisted even when I fixed that.

By sheer luck - I stumbled on the cause of the problem. The 2011UiAS has two physical switches: Switch1 and Switch2. When one of the 192.168.0.x interfaces is on the other switch, the pings have problems. If I put all interfaces on the same physical switch it works.

I'm still not sure on WHY it causes the pings to stop.

Unrelated - but I also notice that if I disable all interfaces on a switch, it disables the switch cpu .. but if I'm connected on switch 2 it drops the WinBox connection.
