Hi All I've been having some ping problems with the Ping Tool, I can connect a laptop to the Mikrotik Lan or WIFI interface and ping 8.8.8.8 or any other address on the internet without a problem
I can use ping tool and select the PPOE interface and it works fine but if I select the LAN interface or Wifi then I get destination unreachable, please see below config
Any help appreciated thanks in advance
# apr/14/2017 00:32:13 by RouterOS 6.38.5
# software id = 3YIQ-RPP1
#
/interface bridge
add name=LAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=xxxxx use-peer-dns=yes user=xxxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=2437 mode=ap-bridge
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys wpa2-pre-shared-key=xxxxx
/ip pool
add name=dhcp_pool0 ranges=192.168.20.2-192.168.20.40
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN name=dhcp1
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=wlan1
/ip address
add address=192.168.20.1/24 interface=LAN network=192.168.20.0
add address=192.168.20.2/24 interface=ether2 network=192.168.20.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.20.0/24 list=Trusted
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Packetts to Firewall" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid Packetts on Forward" connection-state=invalid
add action=accept chain=input comment="Accept Connections from Trusted zones to firewall" src-address-list=Trusted
add action=accept chain=input comment="Allow Winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow SSH To Firewall" dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow Established connections to Firewall" connection-state=established
add action=accept chain=input comment="Allow Related connections to Firewall" connection-state=related
add action=drop chain=input comment="Drop Everything Else" connection-state="" log=yes log-prefix="Firewall Drop"
add action=accept chain=forward comment="Allow New connections from Lan" connection-state=new in-interface=LAN src-address-list=Trusted
add action=accept chain=forward comment="Allow Related established connections to Lan" connection-state=established
add action=accept chain=forward comment="Allow Related connections to Lan" connection-state=related
add action=drop chain=forward comment="Drop everything else" connection-state="" log=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=pppoe-out1 src-address=192.168.20.0/24
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes server-dns-names=0.uk.pool.ntp.org
Re: Ping Problems
Code: Select all
add address=192.168.20.2/24 interface=ether2 network=192.168.20.0You shouldn't have an IP assigned to an interface that is part of a bridge, just assign it to the Bridge "LAN" like you do before it. Also, don't have two IP's for the same subnet on different interfaces.
Re: RE: Re: Ping Problems
First things first.This is wrong in two different ways.Code: Select alladd address=192.168.20.2/24 interface=ether2 network=192.168.20.0
You shouldn't have an IP assigned to an interface that is part of a bridge, just assign it to the Bridge "LAN" like you do before it. Also, don't have two IP's for the same subnet on different interfaces.
You have a :bridge on wlan1 & ether2 and no ip for the bridge only ether 2.
You have a dhcp client on ether1 and a pppoe-client on ether1.
What interface is on dhcp server?
What are you actually trying to do on your setup?
Would help to know
Your setup is not right
Sent from my SM-G900F using Tapatalk
Re: RE: Re: RE: Re: Ping Problems
To answer your question.
You will be able to get internet "ping to google dns " from behind your pppoe-client because your nat rule hides your your local IP's behind your Public IP(PPoE IP) your traffic is natted to your public ip which gets internet.
When you ping using lan or wlan interface you actually send a echo request to nothing then it stops before the nat rule.
Understand ? I did not explain it in the best proffesional way but hope you understand what im trying to say.
Sent from my SM-G900F using Tapatalk
You will be able to get internet "ping to google dns " from behind your pppoe-client because your nat rule hides your your local IP's behind your Public IP(PPoE IP) your traffic is natted to your public ip which gets internet.
When you ping using lan or wlan interface you actually send a echo request to nothing then it stops before the nat rule.
Understand ? I did not explain it in the best proffesional way but hope you understand what im trying to say.
Sent from my SM-G900F using Tapatalk
Re: Ping Problems
Thanks for the advice everyone I've cleaned up my config as you can see below, According to Amolis there is no way I can ping the internet using the LAN interface, it dose make seance what hes saying, in other words when the ping tool uses the LAN interface to ping the outside world it's not applying the NAT rules, is there any work around for this so I can use the LAN interface to ping the outside world as this would be handy for trouble shooting.
/interface bridge
add name=LAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=XXXXX use-peer-dns=yes user=XXXX
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=2437 mode=ap-bridge
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys wpa2-pre-shared-key=XXX
/ip pool
add name=dhcp_pool0 ranges=192.168.20.2-192.168.20.40
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN name=dhcp1
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=wlan1
/ip address
add address=192.168.20.1/24 interface=LAN network=192.168.20.0
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.20.0/24 list=Trusted
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Packetts to Firewall" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid Packetts on Forward" connection-state=invalid
add action=accept chain=input comment="Accept Connections from Trusted zones to firewall" src-address-list=Trusted
add action=accept chain=input comment="Allow Winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow SSH To Firewall" dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow Established connections to Firewall" connection-state=established
add action=accept chain=input comment="Allow Related connections to Firewall" connection-state=related
add action=drop chain=input comment="Drop Everything Else" connection-state="" log=yes log-prefix="Firewall Drop"
add action=accept chain=forward comment="Allow New connections from Lan" connection-state=new in-interface=LAN src-address-list=Trusted
add action=accept chain=forward comment="Allow Related established connections to Lan" connection-state=established
add action=accept chain=forward comment="Allow Related connections to Lan" connection-state=related
add action=drop chain=forward comment="Drop everything else" connection-state="" log=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=pppoe-out1 src-address=192.168.20.0/24
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes server-dns-names=0.uk.pool.ntp.org
To answer your question.
You will be able to get internet "ping to google dns " from behind your pppoe-client because your nat rule hides your your local IP's behind your Public IP(PPoE IP) your traffic is natted to your public ip which gets internet.
When you ping using lan or wlan interface you actually send a echo request to nothing then it stops before the nat rule.
Understand ? I did not explain it in the best proffesional way but hope you understand what im trying to say.
Sent from my SM-G900F using Tapatalk
/interface bridge
add name=LAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=XXXXX use-peer-dns=yes user=XXXX
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=2437 mode=ap-bridge
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys wpa2-pre-shared-key=XXX
/ip pool
add name=dhcp_pool0 ranges=192.168.20.2-192.168.20.40
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN name=dhcp1
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=wlan1
/ip address
add address=192.168.20.1/24 interface=LAN network=192.168.20.0
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.20.0/24 list=Trusted
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Packetts to Firewall" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid Packetts on Forward" connection-state=invalid
add action=accept chain=input comment="Accept Connections from Trusted zones to firewall" src-address-list=Trusted
add action=accept chain=input comment="Allow Winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow SSH To Firewall" dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow Established connections to Firewall" connection-state=established
add action=accept chain=input comment="Allow Related connections to Firewall" connection-state=related
add action=drop chain=input comment="Drop Everything Else" connection-state="" log=yes log-prefix="Firewall Drop"
add action=accept chain=forward comment="Allow New connections from Lan" connection-state=new in-interface=LAN src-address-list=Trusted
add action=accept chain=forward comment="Allow Related established connections to Lan" connection-state=established
add action=accept chain=forward comment="Allow Related connections to Lan" connection-state=related
add action=drop chain=forward comment="Drop everything else" connection-state="" log=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=pppoe-out1 src-address=192.168.20.0/24
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes server-dns-names=0.uk.pool.ntp.org
Re: Ping Problems
If I understand correctly, you're using the Ping tool from the router, out the LAN Bridge (which has no default gateway) to try and ping yahoo, google and such? That's not going to go anywhere, just the L2 segment of your LAN and WLAN and none of the devices on them are going to respond to a ping of an IP that isn't theirs.