That is the export of the entire firewall on that router. There are no forward, 
NAT or mangle rules, therefore there shouldn't be anything keeping the data 
from getting to/from anything, let alone blocking all but one IP address in the 
IP range.

It's a /29 block; the IP is x.x.x.x/29 on the router interface to the switch, and 
/29 in the OSPF network as well.

This is why I'm completely stumped; everything looks fine. We're going to roll 
that router back tonight to 7.1.5, the "long term" version, to see if that does 
anything.

-- 
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE

Total Highspeed Internet Solutions
1091 W. Kathryn Street
Nixa, MO 65714
(417) 851-1107 x. 9002
www.totalhighspeed.com

This institution is an equal opportunity provider and employer.
Esta institución es un proveedor de servicios con igualdad de oportunidades.

----- Original Message -----
> From: "Josh Luthman" <j...@imaginenetworksllc.com>
> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
> Sent: Wednesday, May 4, 2022 11:39:22 AM
> Subject: Re: [AFMUG] Weird IP issue

> Input/output aren't relevant for forward traffic.
> 
> Are your subnets right everywhere?
> 
> On Wed, May 4, 2022 at 12:20 PM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> 
> 
> Very minimal, really just basic input rules, nothing that would block the IP
> addresses from getting through. No NAT or Mangle rules on this router.
> 
> /ip firewall filter
> add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
> connection-state=established,related
> add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
> add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
> add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
> udp
> add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
> add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> 2000-3000 protocol=tcp
> add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> 2000-3000 protocol=udp
> add action=accept chain=input dst-port=5678 protocol=tcp
> add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
> THIS_ADMIN
> add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
> add action=drop chain=input comment="DROP ALL OTHER INPUT"
> 
> ----- Original Message -----
>> From: "Josh Luthman" <j...@imaginenetworksllc.com>
>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>> Sent: Wednesday, May 4, 2022 11:12:55 AM
>> Subject: Re: [AFMUG] Weird IP issue
> 
>> Firewall filter rules?
>> 
>> Double check the gateway and subnet on the server.
>> 
>> On Wed, May 4, 2022 at 11:17 AM Christopher Tyler <ch...@totalhighspeed.net> wrote:
>> 
>> 
>> We have one of the new Mikrotik CCR2216-1G-12XS-2XQ routers running RouterOS
>> 7.2.1 with a Mikrotik switch (running 6.44.3) hanging off of it. I have two
>> servers on that switch, both in the same public IP block. I can ping both
>> servers from the router, and they can ping each other. One server is globally
>> reachable and the other is not reachable other than from the router or switch
>> itself. I plugged in my laptop and assigned it an IP in that same range and
>> cannot reach it externally either. The router is using OSPF and I can see the
>> route for that IP block from both sides of the router, but traceroutes/pings
>> to anything other than the server that is working stop at the router. No VLANs
>> or special configuration between the router and the switch, just basic IP, all
>> ports on the switch are bridged. Forwarded ports (dstnat) don't appear to
>> work from the router either.
>> 
>> I'm stumped, so I figured I would ask if anyone else has seen anything like
>> this and has a solution, or am I looking at a possible RouterOS 7 issue?
>> 

-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
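
The two checks raised in the thread (whether any filter rule sits in the forward chain, and whether subnets and gateways agree everywhere), as an added example that is not part of the original messages. The rules are a subset of the export quoted above; the addresses are constructed from a documentation range and the function names are this example's own.

```python
import ipaddress
import shlex

# Part of the export quoted in the thread, with the mail client's line wraps rejoined.
EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
    THIS_ADMIN
add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
add action=drop chain=input comment="DROP ALL OTHER INPUT"
'''

ROUTER_IF = "203.0.113.9/29"  # constructed sample addressing, not the thread's block
HOSTS = {  # name: (configured address/prefix, configured gateway)
    "server-a": ("203.0.113.10/29", "203.0.113.9"),
    "server-b": ("203.0.113.11/28", "203.0.113.9"),
    "laptop": ("203.0.113.12/29", "203.0.113.1"),
}

def parse_export(text):
    """Return one {key: value} dict per 'add' line, joining backslash continuations."""
    rules, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return rules

def transit_rules(rules):
    """Only the forward chain filters routed traffic; input/output cover the router itself."""
    return [r for r in rules if r.get("chain") == "forward"]

def subnet_mismatches(router_if, hosts):
    """List hosts whose prefix or gateway disagrees with the router interface."""
    iface = ipaddress.ip_interface(router_if)
    problems = []
    for name, (addr, gateway) in hosts.items():
        if ipaddress.ip_interface(addr).network != iface.network:
            problems.append((name, "network differs from router interface"))
        if ipaddress.ip_address(gateway) != iface.ip:
            problems.append((name, "gateway is not the router address"))
    return problems

print(transit_rules(parse_export(EXPORT)), subnet_mismatches(ROUTER_IF, HOSTS))
```
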
