Confirmed that firewall is not the issue, disabled the rules, no change. I don't know why, but I didn't even think of torch/packet capture, brain-fart I guess. If the downgrade doesn't fix it I'll look at that next.
-- Christopher Tyler Senior Network Engineer MTCRE/MTCNA/MTCTCE/MTCWE Total Highspeed Internet Solutions 1091 W. Kathryn Street Nixa, MO 65714 (417) 851-1107 x. 9002 www.totalhighspeed.com This institution is an equal opportunity provider and employer. Esta institución es un proveedor de servicios con igualdad de oportunidades. ----- Original Message ----- > From: "castarritt" <castarr...@gmail.com> > To: "AnimalFarm Microwave Users Group" <af@af.afmug.com> > Sent: Wednesday, May 4, 2022 3:51:18 PM > Subject: Re: [AFMUG] Weird IP issue > If it's not something obvious with routing or firewall, my next step would be > to > look at torch and/or packet captures to narrow it down. > > On Wed, May 4, 2022 at 3:34 PM < [ mailto:dmmoff...@gmail.com | > dmmoff...@gmail.com ] > wrote: > > > Fair enough, but traffic through the router would be forward chain. Input > chain > only affects traffic destined for the router itself. > I agree it's an easy thing to check. > > -----Original Message----- > From: AF < [ mailto:af-boun...@af.afmug.com | af-boun...@af.afmug.com ] > On > Behalf Of Larry Smith > Sent: Wednesday, May 04, 2022 4:17 PM > To: AnimalFarm Microwave Users Group < [ mailto:af@af.afmug.com | > af@af.afmug.com ] > > Subject: Re: [AFMUG] Weird IP issue > > > Yes, but it ends with an INPUT "drop all" entry. > Agree it does not "appear" to be anything in the firewall, but only takes a > few > seconds to test and prove one way or the other. > > -- > Larry Smith > [ mailto:lesm...@ecsis.net | lesm...@ecsis.net ] > > On Wed May 4 2022 14:58, Christopher Tyler wrote: >> That is the export of the entire firewall on that router, there are no >> forward, nat or mangle rules, therefore there shouldn't be anything >> keeping the data from getting to/from anything, let alone blocking all >> but one IP address in the IP range. >> >> It's a /29 block, ip is x.x.x.x/29 on the router interface to the >> switch, >> /29 in OSPF network as well. >> >> This is why I'm completely stumped, everything looks fine. We're going >> to roll that router back tonight to 7.1.5 the "long term" version to >> see if that does anything. >> >> -- >> Christopher Tyler >> Senior Network Engineer >> MTCRE/MTCNA/MTCTCE/MTCWE >> >> Total Highspeed Internet Solutions >> 1091 W. Kathryn Street >> Nixa, MO 65714 >> (417) 851-1107 x. 9002 >> [ http://www.totalhighspeed.com/ | www.totalhighspeed.com ] >> >> This institution is an equal opportunity provider and employer. >> Esta institución es un proveedor de servicios con igualdad de >> oportunidades. >> >> ----- Original Message ----- >> >> > From: "Josh Luthman" < [ mailto:j...@imaginenetworksllc.com | >> > j...@imaginenetworksllc.com ] > >> > To: "AnimalFarm Microwave Users Group" < [ mailto:af@af.afmug.com | >> > af@af.afmug.com ] > >> > Sent: Wednesday, May 4, 2022 11:39:22 AM >> > Subject: Re: [AFMUG] Weird IP issue >> > >> > Input/output aren't relevant for forward traffic. >> > >> > Are your subnets right everywhere? >> > >> > On Wed, May 4, 2022 at 12:20 PM Christopher Tyler < [ >> > mailto: [ mailto:ch...@totalhighspeed.net | ch...@totalhighspeed.net ] | [ >> > mailto:ch...@totalhighspeed.net | ch...@totalhighspeed.net ] ] > wrote: >> > >> > >> > Very minimal, really just basic input rules, nothing that would >> > block the IP addresses from getting through. No NAT or Mangle rules on this >> > router. >> > >> > /ip firewall filter >> > add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \ >> > connection-state=established,related >> > add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf >> > add action=accept chain=input comment="ACCEPT ICMP (ping)" >> > protocol=icmp add action=accept chain=input comment="ACCEPT SNMP" >> > dst-port=160-161 protocol=\ udp add action=accept chain=input >> > comment="ACCEPT DHCP" dst-port=67 protocol=udp add action=accept >> > chain=input comment="Allow MTIK Bandwidth Test" dst-port=\ 2000-3000 >> > protocol=tcp add action=accept chain=input comment="Allow MTIK >> > Bandwidth Test" >> > dst-port=\ 2000-3000 protocol=udp >> > add action=accept chain=input dst-port=5678 protocol=tcp add >> > action=accept chain=input comment="ACCEPT THIS Mgmt" >> > src-address-list=\ THIS_ADMIN >> > add action=accept chain=output comment="ACCEPT ALL OUTBOUND" >> > add action=drop chain=input comment="DROP ALL OTHER INPUT" >> > >> > >> > -- >> > Christopher Tyler >> > Senior Network Engineer >> > MTCRE/MTCNA/MTCTCE/MTCWE >> > >> > Total Highspeed Internet Solutions >> > 1091 W. Kathryn Street >> > Nixa, MO 65714 >> > (417) 851-1107 x. 9002 >> > [ [ http://www.totalhighspeed.com/ | http://www.totalhighspeed.com/ ] | [ >> > http://www.totalhighspeed.com/ | www.totalhighspeed.com ] ] >> > >> > This institution is an equal opportunity provider and employer. >> > Esta institución es un proveedor de servicios con igualdad de >> > oportunidades. >> > >> > ----- Original Message ----- >> > >> >> From: "Josh Luthman" < [ mailto: [ mailto:j...@imaginenetworksllc.com | >> >> j...@imaginenetworksllc.com ] | >> >> [ mailto:j...@imaginenetworksllc.com | j...@imaginenetworksllc.com ] ] > >> >> To: "AnimalFarm Microwave Users Group" < [ mailto: [ >> >> mailto:af@af.afmug.com | >> >> af@af.afmug.com ] | >> >> [ mailto:af@af.afmug.com | af@af.afmug.com ] ] > >> >> Sent: Wednesday, May 4, 2022 11:12:55 AM >> >> Subject: Re: [AFMUG] Weird IP issue >> >> >> >> Firewall filter rules? >> >> >> >> Double check the gateway and subnet on the server. >> >> >> >> On Wed, May 4, 2022 at 11:17 AM Christopher Tyler < [ >> >> mailto: [ mailto: [ mailto:ch...@totalhighspeed.net | >> >> ch...@totalhighspeed.net ] >> >> | >> >> [ mailto:ch...@totalhighspeed.net | ch...@totalhighspeed.net ] ] | [ >> >> mailto: [ >> >> mailto:ch...@totalhighspeed.net | ch...@totalhighspeed.net ] | >> >> [ mailto:ch...@totalhighspeed.net | ch...@totalhighspeed.net ] ] ] > >> >> wrote: >> >> >> >> >> >> We have one of the new Mikrotik CCR2216-1G-12XS-2XQ routers running >> >> RouterOS 7.2.1 with a Mikrotik switch (running 6.44.3) hanging off >> >> of it. I have two servers on that switch both in the the same >> >> public IP block. I can ping both servers from the router, and they >> >> can ping each other. One server is globally reachable and the other >> >> is not reachable other than from the router or switch itself. I >> >> plugged in my laptop and assigned it an IP in that same range and >> >> cannot reach it extrenally either. The router is using OSPF and I >> >> can see the route for that IP block from both sides of the router, >> >> but traceroutes/pings to anything other than the server that is >> >> working stop at the router. No vlans or special configuration >> >> between the router and the switch, just basic IP, all ports on the >> >> switch are bridged. Forwarded ports (dstnat) don't appear to work from the >> >> router either. >> >> >> >> I'm stumped, so I figured I would ask if anyone else has seen >> >> anything like this and have a solution, or am I looking at a >> >> possible RouterOS 7 issue? >> >> >> >> -- >> >> Christopher Tyler >> >> Senior Network Engineer >> >> MTCRE/MTCNA/MTCTCE/MTCWE >> >> >> >> Total Highspeed Internet Solutions >> >> 1091 W. Kathryn Street >> >> Nixa, MO 65714 >> >> (417) 851-1107 x. 9002 >> >> [ [ [ http://www.totalhighspeed.com/ | http://www.totalhighspeed.com/ ] | >> >> [ >> >> http://www.totalhighspeed.com/ | http://www.totalhighspeed.com/ ] >> >> ] | [ [ http://www.totalhighspeed.com/ | http://www.totalhighspeed.com/ ] >> >> | [ >> >> http://www.totalhighspeed.com/ | www.totalhighspeed.com ] ] ] >> >> >> >> This institution is an equal opportunity provider and employer. >> >> Esta institución es un proveedor de servicios con igualdad de >> >> oportunidades. >> >> >> >> -- >> >> AF mailing list >> >> [ mailto: [ mailto: [ mailto:AF@af.afmug.com | AF@af.afmug.com ] | [ >> >> mailto:AF@af.afmug.com | AF@af.afmug.com ] ] | [ >> >> mailto: [ mailto:AF@af.afmug.com | AF@af.afmug.com ] | [ >> >> mailto:AF@af.afmug.com >> >> | AF@af.afmug.com ] ] ] [ [ >> >> [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | >> >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] | >> >> [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | >> >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] ] | [ >> >> [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | >> >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] | >> >> [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | >> >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] ] ] >> >> >> >> -- >> >> AF mailing list >> >> [ mailto: [ mailto:AF@af.afmug.com | AF@af.afmug.com ] | [ >> >> mailto:AF@af.afmug.com | AF@af.afmug.com ] ] [ >> >> [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | >> >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] | >> >> [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | >> >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] ] >> > >> > -- >> > AF mailing list >> > [ mailto: [ mailto:AF@af.afmug.com | AF@af.afmug.com ] | [ >> > mailto:AF@af.afmug.com | AF@af.afmug.com ] ] [ >> > [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | >> > http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] | >> > [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | >> > http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] ] >> > >> > -- >> > AF mailing list >> > [ mailto:AF@af.afmug.com | AF@af.afmug.com ] >> > [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | >> > http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] > > -- > AF mailing list > [ mailto:AF@af.afmug.com | AF@af.afmug.com ] > [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | > http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] > > > -- > AF mailing list > [ mailto:AF@af.afmug.com | AF@af.afmug.com ] > [ http://af.afmug.com/mailman/listinfo/af_af.afmug.com | > http://af.afmug.com/mailman/listinfo/af_af.afmug.com ] > > -- > AF mailing list > AF@af.afmug.com > http://af.afmug.com/mailman/listinfo/af_af.afmug.com -- AF mailing list AF@af.afmug.com http://af.afmug.com/mailman/listinfo/af_af.afmug.com
