SecCon
Member Candidate
Topic Author
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Static IP not resolving Internet

Fri Jun 03, 2022 4:28 pm

I know it sounds weird.

For the last few days I have had a severe issue with a Windows Server machine that just won't take to the Internet consistently. It is a new installation on trusted and tested hardware and it worked a few days ago. At the time I was having some issues getting it to take a static IP, but managed to solve it by removing the entry from DHCP leases, adding it manually with MAC and Device ID, yet it will still not go outside my LAN. I guess it is a dangerous world after all.

I have done the usual OS troubleshooting, repairing, refreshing, clearing DNS and whatnot. There are no DNS or AD machines involved. Only the DNS from my ISP.
None of this seems to help:
ipconfig /renew /flushdns
or
netsh winsock reset
netsh int ip reset

The /ip/dhcp export reads:

# jun/03/2022 15:16:02 by RouterOS 7.2.1
# software id = Y7E5-SEZ7
# model = RB1100x4
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/ip dhcp-server lease
add address=192.168.1.5 client-id=1:8:55:31:c1:67:57 mac-address=08:55:31:C1:67:57 server=dhcp1
add address=192.168.1.30 mac-address=58:9E:C6:19:81:1D server=dhcp1
add address=192.168.1.100 mac-address=10:BF:48:89:F3:3C server=dhcp1
add address=192.168.1.40 mac-address=18:16:C9:D0:8B:B2 server=dhcp1
add address=192.168.1.62 client-id=1:00:0C:29:BE:88:60 mac-address=00:0C:29:BE:88:60 server=dhcp1
add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee mac-address=E4:35:C8:7E:37:EE server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
This is the one:
add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee mac-address=E4:35:C8:7E:37:EE server=dhcp1

If you need more info or additional export, let me know, I am at a loss. Lan drivers are OK, connectivity is excellent, hardware tests with Intel PROset done successfully. I have switched LAN port and that did not help, back and forth a couple of times, and updated the IP address and MAC accordingly...

Knowing Windows and having some experience with installations looking fine but still gone awry, I am kinda ready to wipe the drives and install the OS anew, but before wasting those 10 hours, I figured I'd ask here.

Have a nice Friday y'all.
 
Znevna
Forum Guru
Posts: 1350
Joined: Mon Sep 23, 2019 1:04 pm

Re: Static IP not resolving Internet

Fri Jun 03, 2022 4:49 pm

I'm curious what this is used for and why you are keeping it in the config:
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
For your static IP to resolve the internet (???) we'd need more info, like, ya know, the rest of the config, not only the DHCP part.
 
SecCon
Member Candidate
Topic Author
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Static IP not resolving Internet

Fri Jun 03, 2022 4:59 pm

# jun/03/2022 15:56:01 by RouterOS 7.2.1
# software id = Y7E5-SEZ7
#
# model = RB1100x4
/ip pool
add name=dhcp ranges=192.168.1.0/24
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip arp
add address=192.168.1.234 interface=bridge1 mac-address=2C:76:8A:AD:27:86
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
add address=192.168.1.16 interface=bridge1 mac-address=00:15:5D:01:EA:01
add address=192.168.1.33 interface=bridge1 mac-address=00:15:5D:01:EA:08
add address=192.168.1.35 interface=bridge1 mac-address=00:15:5D:01:EA:09
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.5 client-id=1:8:55:31:c1:67:57 mac-address=08:55:31:C1:67:57 server=dhcp1
add address=192.168.1.30 mac-address=58:9E:C6:19:81:1D server=dhcp1
add address=192.168.1.100 mac-address=10:BF:48:89:F3:3C server=dhcp1
add address=192.168.1.40 mac-address=18:16:C9:D0:8B:B2 server=dhcp1
add address=192.168.1.62 always-broadcast=yes client-id=1:00:0C:29:BE:88:60 mac-address=00:0C:29:BE:88:60 server=dhcp1
add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee mac-address=E4:35:C8:7E:37:EE server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall address-list
add address=192.168.1.2-192.168.1.245 list=allowed_to_router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes log=yes log-prefix="fast-track for established,related"
add action=accept chain=forward comment="accept forward established,related, untracked" connection-state=established,related,untracked log=yes
add action=drop chain=forward comment=invalid connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT form WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix="drop access to clients behind NAT form WAN"
add action=accept chain=input comment="default configuration, input accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allowed to router" log=yes src-address-list=allowed_to_router
add action=accept chain=input comment="icmp allowed" log=yes protocol=icmp
add action=drop chain=input comment="drop access"
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=22002 in-interface-list=WAN protocol=tcp src-address=185.189.49.215 to-addresses=192.168.1.62
add action=dst-nat chain=dstnat dst-port=22002 in-interface-list=WAN protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.62
add action=dst-nat chain=dstnat dst-port=22002 in-interface-list=WAN protocol=tcp src-address=185.189.48.4 to-addresses=192.168.1.62
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes


I think that is a relevant export from /ip.

About your question:
I don't know, it's from the initial setup that was done with Quick Set I think... no one said anything about it before, I guess it can be removed safely?
 
Znevna
Forum Guru
Posts: 1350
Joined: Mon Sep 23, 2019 1:04 pm

Re: Static IP not resolving Internet

Fri Jun 03, 2022 5:10 pm

Your firewall is a mess. I've sorted your rules by chain:
/ip firewall filter
add action=accept chain=input comment="default configuration, input accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allowed to router" log=yes src-address-list=allowed_to_router
add action=accept chain=input comment="icmp allowed" log=yes protocol=icmp
add action=drop chain=input comment="drop access"
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes log=yes log-prefix="fast-track for established,related"
add action=accept chain=forward comment="accept forward established,related, untracked" connection-state=established,related,untracked log=yes
add action=drop chain=forward comment=invalid connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT form WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix="drop access to clients behind NAT form WAN"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
And I'm guessing this rule is the cause of your problems.
Disable it.
add action=drop chain=input comment="drop access"
Don't mess with your firewall if you don't know what you're doing.
Also, this:
add action=drop chain=forward comment="drop access to clients behind NAT form WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix="drop access to clients behind NAT form WAN"
is the same as the default (last one), this:
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
And your IPsec rules are supposed to stay above the drop line.
 
SecCon
Member Candidate
Topic Author
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Static IP not resolving Internet

Fri Jun 03, 2022 5:17 pm

I am very sorry for following the recommendations, tutorials and posts here on this forum. Considering that, how do I know yours is OK, if you say others' are not?
Check my post history, I have ONLY implemented what others claim should be implemented.
 
tdw
Forum Guru
Posts: 2004
Joined: Sat May 05, 2018 11:55 am

Re: Static IP not resolving Internet

Fri Jun 03, 2022 5:31 pm

You are manually setting an ARP entry which conflicts with the DHCP lease entry:

/ip arp
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B

and
/ip dhcp-server lease
add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee mac-address=E4:35:C8:7E:37:EE server=dhcp1
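
Both findings raised so far, the static ARP entry that disagrees with the DHCP lease and the matcher-less drop placed ahead of other input-chain rules, can be checked mechanically in an export. This is an added example, not part of any post in this thread: the sample is constructed from lines quoted above, the function names are hypothetical, and it assumes one rule per line with no backslash continuations.

```python
import shlex
from collections import defaultdict

# Constructed sample: a trimmed RouterOS export built from entries quoted in this thread.
SAMPLE_EXPORT = """\
/ip arp
add address=192.168.1.234 interface=bridge1 mac-address=2C:76:8A:AD:27:86
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
/ip dhcp-server lease
add address=192.168.1.30 mac-address=58:9E:C6:19:81:1D server=dhcp1
add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee mac-address=E4:35:C8:7E:37:EE server=dhcp1
/ip firewall filter
add action=accept chain=input comment="icmp allowed" log=yes protocol=icmp
add action=drop chain=input comment="drop access"
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' line of an export."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line                      # section header, e.g. "/ip arp"
        elif line.startswith("add ") and current:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            sections[current].append(dict(pairs))
    return sections

def arp_lease_conflicts(sections):
    """Static ARP entries whose MAC differs from the static lease for the same IP."""
    leases = {e["address"]: e["mac-address"].upper()
              for e in sections["/ip dhcp-server lease"] if "address" in e and "mac-address" in e}
    hits = []
    for e in sections["/ip arp"]:
        ip, mac = e.get("address"), e.get("mac-address", "").upper()
        if ip in leases and mac and mac != leases[ip]:
            hits.append((ip, mac, leases[ip]))  # (address, ARP MAC, lease MAC)
    return hits

def shadowing_rules(sections):
    """Drop/reject rules with no matcher that precede other rules in the same chain."""
    meta = {"action", "chain", "comment", "log", "log-prefix", "disabled"}
    rules, hits = sections["/ip firewall filter"], []
    for i, r in enumerate(rules):
        unconditional = r.get("action") in ("drop", "reject") and not (set(r) - meta)
        later = [x for x in rules[i + 1:] if x.get("chain") == r.get("chain")]
        if unconditional and later:
            hits.append((r["chain"], r.get("comment", ""), len(later)))
    return hits

if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(arp_lease_conflicts(parsed), shadowing_rules(parsed))
```

Only entries that appear in an export are examined, so dynamic ARP entries and dynamic leases are outside what this check sees.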
 
Znevna
Forum Guru
Posts: 1350
Joined: Mon Sep 23, 2019 1:04 pm

Re: Static IP not resolving Internet

Fri Jun 03, 2022 5:32 pm

This is the default firewall configuration on most devices:
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall filter 
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
So you can compare it with yours.
Now I see that you don't even have the WAN/LAN lists defined.
Meh.
I didn't even catch what @tdw caught above.
Is that also from forum advice? lol
 
SecCon
Member Candidate
Topic Author
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Static IP not resolving Internet

Fri Jun 03, 2022 8:10 pm

lol
And from the documentation Wiki. Yes, I know too little about this shit to experiment. I never experiment, I am a standards and process guy and have been forever.

Regardless of which, are you saying that ONE device is losing Internet because of this? 'Cause I had no issues with any other that I am aware of.
 
SecCon
Member Candidate
Topic Author
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Static IP not resolving Internet

Fri Jun 03, 2022 8:13 pm

You are manually setting an ARP entry which conflicts with the DHCP lease entry:

/ip arp
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B

and
/ip dhcp-server lease
add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee mac-address=E4:35:C8:7E:37:EE server=dhcp1
I NEVER set that ARP manually. Only thing I did was add an entry to dhcp for static.

Removing it helped though. Thanks for pointing that out. Again, not set by me, and RoS did not detect this as a conflict.
 
Znevna
Forum Guru
Posts: 1350
Joined: Mon Sep 23, 2019 1:04 pm

Re: Static IP not resolving Internet

Fri Jun 03, 2022 8:23 pm

Ok, good luck!
 
rextended
Forum Guru
Posts: 12445
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static IP not resolving Internet

Fri Jun 03, 2022 9:06 pm

I NEVER set that ARP manually

/ip arp
add address=192.168.1.234 interface=bridge1 mac-address=2C:76:8A:AD:27:86
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
add address=192.168.1.16 interface=bridge1 mac-address=00:15:5D:01:EA:01
add address=192.168.1.33 interface=bridge1 mac-address=00:15:5D:01:EA:08
add address=192.168.1.35 interface=bridge1 mac-address=00:15:5D:01:EA:09

Ah, no? There is no script inside the export, unless you have it hidden, and on RouterOS there is not a single function that can do this automatically...
Only you may have clicked "make static" in ip/arp, probably thinking it was the "make static" button in DHCP leases instead...
 
SecCon
Member Candidate
Topic Author
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Static IP not resolving Internet

Sat Jun 04, 2022 12:54 am

If setting a static address in the IP DHCP table also goes to the ARP table, sure then I understand why it happened. As for manually setting an ARP address in Webfig > IP > ARP, no. Never done it. Nor in Terminal, nor in WinBox, just to be clear.

According to the old manual: https://wiki.mikrotik.com/wiki/Manual:IP/ARP NO explanation as to what ARP is, only some examples of what it does, and I do not understand how that text is relevant in any part except for some, to me, obscure "machine addressing" from DHCP, but all DHCP entries are using MAC, so how is that different from regular IP DHCP addressing is beyond me.
According to the new manual: it's down for maintenance.

Also made a ticket with same information to Mikrotik, ticket number SUP-83516, we have exchanged a bit of info, four days and 9 messages back and forth, but still no answer that helped me.

I got that answer here in the forum by TDW.

So I am happy that I posted, and glad that you guys are around.
 
rextended
Forum Guru
Posts: 12445
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static IP not resolving Internet

Sat Jun 04, 2022 1:04 am

If setting a static address in the IP DHCP table also goes to the ARP table, sure then I understand why it happened.
As for manually setting an ARP address in Webfig > IP > ARP, no. Never done it. Nor in Terminal, nor in WinBox, just to be clear.
I don't want to bully, but it's useless for you to insist.
Anything you export with "/export" is not dynamic,
adding DHCP leases manually or automatically does not create ANY STATIC rules in the ARP table.
The entries in the ARP table are exclusively dynamic (except if added manually or by script...)
and if the device with the static lease is turned off until the dynamic entry timeout, the ARP table does not have the respective entry.
Either you tried some weird scripts, or you put them there like I explained in my previous post.
Anyone on the forum can confirm this.
 
rextended
Forum Guru
Posts: 12445
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static IP not resolving Internet

Sat Jun 04, 2022 1:08 am

[...] According to the old manual: https://wiki.mikrotik.com/wiki/Manual:IP/ARP NO explanation as to what ARP is [...]
The manual and the help are not made to teach the A-B-C of networks.
It is better that you buy a book to understand at least the basics.
 
SecCon
Member Candidate
Topic Author
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Static IP not resolving Internet

Sat Jun 04, 2022 1:33 am


Either you tried some weird scripts, or you put them like I explained on previous post.
Anyone on the forum can confirm this.
No.

If you don't believe me, so be it, I have no way to prove you wrong that I know of. It's the first time ever, and ever is more than 30 years, that I have been accused of outright lying in a forum.

Don't worry, you won't see me again.
 
rextended
Forum Guru
Posts: 12445
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static IP not resolving Internet

Sat Jun 04, 2022 1:39 am

It seems to me that you are exaggerating a lot,
no one accused you of being a liar ...

I too am wrong and have made far more serious mistakes without realizing it.
But that doesn't mean I did it on purpose.
If I have offended you, forgive me, but I certainly did not accuse you of being a liar.
