If it's not something obvious with routing or firewall, my next step would
be to look at torch and/or packet captures to narrow it down.

On Wed, May 4, 2022 at 3:34 PM <dmmoff...@gmail.com> wrote:

> Fair enough, but traffic through the router would be forward chain.  Input
> chain only affects traffic destined for the router itself.
> I agree it's an easy thing to check.
>
> -----Original Message-----
> From: AF <af-boun...@af.afmug.com> On Behalf Of Larry Smith
> Sent: Wednesday, May 04, 2022 4:17 PM
> To: AnimalFarm Microwave Users Group <af@af.afmug.com>
> Subject: Re: [AFMUG] Weird IP issue
>
>
> Yes, but it ends with an INPUT "drop all" entry.
> Agree it does not "appear" to be anything in the firewall, but only takes
> a few seconds to test and prove one way or the other.
>
> --
> Larry Smith
> lesm...@ecsis.net
>
> On Wed May 4 2022 14:58, Christopher Tyler wrote:
> > That is the export of the entire firewall on that router, there are no
> > forward, nat or mangle rules, therefore there shouldn't be anything
> > keeping the data from getting to/from anything, let alone blocking all
> > but one IP address in the IP range.
> >
> > It's a /29 block, ip is x.x.x.x/29 on the router interface to the
> > switch, /29 in OSPF network as well.
> >
> > This is why I'm completely stumped, everything looks fine. We're going
> > to roll that router back tonight to 7.1.5 the "long term" version to
> > see if that does anything.
> >
> > --
> > Christopher Tyler
> > Senior Network Engineer
> > MTCRE/MTCNA/MTCTCE/MTCWE
> >
> > Total Highspeed Internet Solutions
> > 1091 W. Kathryn Street
> > Nixa, MO 65714
> > (417) 851-1107 x. 9002
> > www.totalhighspeed.com
> >
> > This institution is an equal opportunity provider and employer.
> >
> > ----- Original Message -----
> >
> > > From: "Josh Luthman" <j...@imaginenetworksllc.com>
> > > To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
> > > Sent: Wednesday, May 4, 2022 11:39:22 AM
> > > Subject: Re: [AFMUG] Weird IP issue
> > >
> > > Input/output aren't relevant for forward traffic.
> > >
> > > Are your subnets right everywhere?
> > >
> > > On Wed, May 4, 2022 at 12:20 PM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> > >
> > >
> > > Very minimal, really just basic input rules, nothing that would
> > > block the IP addresses from getting through. No NAT or Mangle rules on
> > > this router.
> > >
> > > /ip firewall filter
> > > add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
> > > connection-state=established,related
> > > add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
> > > add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
> > > add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=udp
> > > add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
> > > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=2000-3000 protocol=tcp
> > > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=2000-3000 protocol=udp
> > > add action=accept chain=input dst-port=5678 protocol=tcp
> > > add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=THIS_ADMIN
> > > add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
> > > add action=drop chain=input comment="DROP ALL OTHER INPUT"
> > >
> > > ----- Original Message -----
> > >
> > >> From: "Josh Luthman" <j...@imaginenetworksllc.com>
> > >> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
> > >> Sent: Wednesday, May 4, 2022 11:12:55 AM
> > >> Subject: Re: [AFMUG] Weird IP issue
> > >>
> > >> Firewall filter rules?
> > >>
> > >> Double check the gateway and subnet on the server.
> > >>
> > >> On Wed, May 4, 2022 at 11:17 AM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> > >>
> > >>
> > >> We have one of the new Mikrotik CCR2216-1G-12XS-2XQ routers running
> > >> RouterOS 7.2.1 with a Mikrotik switch (running 6.44.3) hanging off
> > >> of it. I have two servers on that switch both in the same
> > >> public IP block. I can ping both servers from the router, and they
> > >> can ping each other. One server is globally reachable and the other
> > >> is not reachable other than from the router or switch itself. I
> > >> plugged in my laptop and assigned it an IP in that same range and
> > >> cannot reach it externally either. The router is using OSPF and I
> > >> can see the route for that IP block from both sides of the router,
> > >> but traceroutes/pings to anything other than the server that is
> > >> working stop at the router. No vlans or special configuration
> > >> between the router and the switch, just basic IP, all ports on the
> > >> switch are bridged. Forwarded ports (dstnat) don't appear to work
> > >> from the router either.
> > >>
> > >> I'm stumped, so I figured I would ask if anyone else has seen
> > >> anything like this and have a solution, or am I looking at a
> > >> possible RouterOS 7 issue?
> > >>
> > >> --
> > >> AF mailing list
> > >> AF@af.afmug.com
> > >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
