Re: [AFMUG] Weird IP issue
Did you reset to defaults to start? Bunch of MT config stuff hidden away from factory...

On 5/4/22 14:57, Christopher Tyler wrote:
> Confirmed that firewall is not the issue, disabled the rules, no change.
> I don't know why, but I didn't even think of torch/packet capture, brain-fart I guess. If the downgrade doesn't fix it I'll look at that next.
Re: [AFMUG] Weird IP issue
Confirmed that firewall is not the issue, disabled the rules, no change.
I don't know why, but I didn't even think of torch/packet capture, brain-fart I guess. If the downgrade doesn't fix it I'll look at that next.

--
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE

Total Highspeed Internet Solutions
1091 W. Kathryn Street
Nixa, MO 65714
(417) 851-1107 x. 9002
www.totalhighspeed.com

This institution is an equal opportunity provider and employer.
Esta institución es un proveedor de servicios con igualdad de oportunidades.

- Original Message -
> From: "castarritt"
> To: "AnimalFarm Microwave Users Group"
> Sent: Wednesday, May 4, 2022 3:51:18 PM
> Subject: Re: [AFMUG] Weird IP issue

> If it's not something obvious with routing or firewall, my next step would be
> to look at torch and/or packet captures to narrow it down.
>
> On Wed, May 4, 2022 at 3:34 PM <dmmoff...@gmail.com> wrote:
>
> Fair enough, but traffic through the router would be forward chain. Input chain
> only affects traffic destined for the router itself.
> I agree it's an easy thing to check.
>
> -Original Message-
> From: AF <af-boun...@af.afmug.com> On Behalf Of Larry Smith
> Sent: Wednesday, May 04, 2022 4:17 PM
> To: AnimalFarm Microwave Users Group <af@af.afmug.com>
> Subject: Re: [AFMUG] Weird IP issue
>
> Yes, but it ends with an INPUT "drop all" entry.
> Agree it does not "appear" to be anything in the firewall, but only takes a few
> seconds to test and prove one way or the other.
>
> --
> Larry Smith
> lesm...@ecsis.net
>
> On Wed May 4 2022 14:58, Christopher Tyler wrote:
>> That is the export of the entire firewall on that router, there are no
>> forward, nat or mangle rules, therefore there shouldn't be anything
>> keeping the data from getting to/from anything, let alone blocking all
>> but one IP address in the IP range.
>>
>> It's a /29 block, ip is x.x.x.x/29 on the router interface to the
>> switch, /29 in OSPF network as well.
>>
>> This is why I'm completely stumped, everything looks fine. We're going
>> to roll that router back tonight to 7.1.5 the "long term" version to
>> see if that does anything.
>>
>> --
>> Christopher Tyler
>> Senior Network Engineer
>> MTCRE/MTCNA/MTCTCE/MTCWE
>>
>> Total Highspeed Internet Solutions
>> 1091 W. Kathryn Street
>> Nixa, MO 65714
>> (417) 851-1107 x. 9002
>> www.totalhighspeed.com
>>
>> This institution is an equal opportunity provider and employer.
>> Esta institución es un proveedor de servicios con igualdad de
>> oportunidades.
>>
>> - Original Message -
>>
>> > From: "Josh Luthman" <j...@imaginenetworksllc.com>
>> > To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>> > Sent: Wednesday, May 4, 2022 11:39:22 AM
>> > Subject: Re: [AFMUG] Weird IP issue
>> >
>> > Input/output aren't relevant for forward traffic.
>> >
>> > Are your subnets right everywhere?
>> >
>> > On Wed, May 4, 2022 at 12:20 PM Christopher Tyler <ch...@totalhighspeed.net> wrote:
>> >
>> > Very minimal, really just basic input rules, nothing that would
>> > block the IP addresses from getting through. No NAT or Mangle rules on this
>> > router.
>> >
>> > /ip firewall filter
>> > add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
>> >     connection-state=established,related
>> > add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
>> > add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
>> > add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
>> >     udp
>> > add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
>> > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
>> >     2000-3000 protocol=tcp
>> > add action=accept chain=input comment="Allow MTIK Bandwidth Test"
>> >
Re: [AFMUG] Weird IP issue
If it's not something obvious with routing or firewall, my next step would be to look at torch and/or packet captures to narrow it down.

On Wed, May 4, 2022 at 3:34 PM wrote:
> Fair enough, but traffic through the router would be forward chain. Input
> chain only affects traffic destined for the router itself.
> I agree it's an easy thing to check.
>
> -Original Message-
> From: AF On Behalf Of Larry Smith
> Sent: Wednesday, May 04, 2022 4:17 PM
> To: AnimalFarm Microwave Users Group
> Subject: Re: [AFMUG] Weird IP issue
>
> Yes, but it ends with an INPUT "drop all" entry.
> Agree it does not "appear" to be anything in the firewall, but only takes
> a few seconds to test and prove one way or the other.
>
> --
> Larry Smith
> lesm...@ecsis.net
>
> On Wed May 4 2022 14:58, Christopher Tyler wrote:
> > That is the export of the entire firewall on that router, there are no
> > forward, nat or mangle rules, therefore there shouldn't be anything
> > keeping the data from getting to/from anything, let alone blocking all
> > but one IP address in the IP range.
> >
> > It's a /29 block, ip is x.x.x.x/29 on the router interface to the
> > switch, /29 in OSPF network as well.
> >
> > This is why I'm completely stumped, everything looks fine. We're going
> > to roll that router back tonight to 7.1.5 the "long term" version to
> > see if that does anything.
> >
> > --
> > Christopher Tyler
> > Senior Network Engineer
> > MTCRE/MTCNA/MTCTCE/MTCWE
> >
> > Total Highspeed Internet Solutions
> > 1091 W. Kathryn Street
> > Nixa, MO 65714
> > (417) 851-1107 x. 9002
> > www.totalhighspeed.com
> >
> > This institution is an equal opportunity provider and employer.
> > Esta institución es un proveedor de servicios con igualdad de
> > oportunidades.
> >
> > - Original Message -
> >
> > > From: "Josh Luthman"
> > > To: "AnimalFarm Microwave Users Group"
> > > Sent: Wednesday, May 4, 2022 11:39:22 AM
> > > Subject: Re: [AFMUG] Weird IP issue
> > >
> > > Input/output aren't relevant for forward traffic.
> > >
> > > Are your subnets right everywhere?
> > >
> > > On Wed, May 4, 2022 at 12:20 PM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> > >
> > > Very minimal, really just basic input rules, nothing that would
> > > block the IP addresses from getting through. No NAT or Mangle rules on
> > > this router.
> > >
> > > /ip firewall filter
> > > add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
> > >     connection-state=established,related
> > > add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
> > > add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
> > > add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
> > >     udp
> > > add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
> > > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> > >     2000-3000 protocol=tcp
> > > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> > >     2000-3000 protocol=udp
> > > add action=accept chain=input dst-port=5678 protocol=tcp
> > > add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
> > >     THIS_ADMIN
> > > add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
> > > add action=drop chain=input comment="DROP ALL OTHER INPUT"
> > >
> > > --
> > > Christopher Tyler
> > > Senior Network Engineer
> > > MTCRE/MTCNA/MTCTCE/MTCWE
> > >
> > > Total Highspeed Internet Solutions
> > > 1091 W. Kathryn Street
> > > Nixa, MO 65714
> > > (417) 851-1107 x. 9002
> > > www.totalhighspeed.com
> > >
> > > This institution is an equal opportunity provider and employer.
> > > Esta institución es un proveedor de servicios con igualdad de
> > > oportunidades.
> > >
> > > - Original Message -
> > >
> > >> From: "Josh Luthman" <j...@imaginenetworksllc.com>
> > >> To: "AnimalFarm Microwave Users Group&
Re: [AFMUG] Weird IP issue
Fair enough, but traffic through the router would be forward chain. Input chain only affects traffic destined for the router itself.
I agree it's an easy thing to check.

-Original Message-
From: AF On Behalf Of Larry Smith
Sent: Wednesday, May 04, 2022 4:17 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Weird IP issue

Yes, but it ends with an INPUT "drop all" entry.
Agree it does not "appear" to be anything in the firewall, but only takes a few seconds to test and prove one way or the other.

--
Larry Smith
lesm...@ecsis.net

On Wed May 4 2022 14:58, Christopher Tyler wrote:
> That is the export of the entire firewall on that router, there are no
> forward, nat or mangle rules, therefore there shouldn't be anything
> keeping the data from getting to/from anything, let alone blocking all
> but one IP address in the IP range.
>
> It's a /29 block, ip is x.x.x.x/29 on the router interface to the
> switch, /29 in OSPF network as well.
>
> This is why I'm completely stumped, everything looks fine. We're going
> to roll that router back tonight to 7.1.5 the "long term" version to
> see if that does anything.
>
> --
> Christopher Tyler
> Senior Network Engineer
> MTCRE/MTCNA/MTCTCE/MTCWE
>
> Total Highspeed Internet Solutions
> 1091 W. Kathryn Street
> Nixa, MO 65714
> (417) 851-1107 x. 9002
> www.totalhighspeed.com
>
> This institution is an equal opportunity provider and employer.
> Esta institución es un proveedor de servicios con igualdad de
> oportunidades.
>
> - Original Message -
>
> > From: "Josh Luthman"
> > To: "AnimalFarm Microwave Users Group"
> > Sent: Wednesday, May 4, 2022 11:39:22 AM
> > Subject: Re: [AFMUG] Weird IP issue
> >
> > Input/output aren't relevant for forward traffic.
> >
> > Are your subnets right everywhere?
> >
> > On Wed, May 4, 2022 at 12:20 PM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> >
> > Very minimal, really just basic input rules, nothing that would
> > block the IP addresses from getting through. No NAT or Mangle rules on this
> > router.
> >
> > /ip firewall filter
> > add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
> >     connection-state=established,related
> > add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
> > add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
> > add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
> >     udp
> > add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
> > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> >     2000-3000 protocol=tcp
> > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> >     2000-3000 protocol=udp
> > add action=accept chain=input dst-port=5678 protocol=tcp
> > add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
> >     THIS_ADMIN
> > add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
> > add action=drop chain=input comment="DROP ALL OTHER INPUT"
> >
> > --
> > Christopher Tyler
> > Senior Network Engineer
> > MTCRE/MTCNA/MTCTCE/MTCWE
> >
> > Total Highspeed Internet Solutions
> > 1091 W. Kathryn Street
> > Nixa, MO 65714
> > (417) 851-1107 x. 9002
> > www.totalhighspeed.com
> >
> > This institution is an equal opportunity provider and employer.
> > Esta institución es un proveedor de servicios con igualdad de
> > oportunidades.
> >
> > - Original Message -
> >
> >> From: "Josh Luthman" <j...@imaginenetworksllc.com>
> >> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
> >> Sent: Wednesday, May 4, 2022 11:12:55 AM
> >> Subject: Re: [AFMUG] Weird IP issue
> >>
> >> Firewall filter rules?
> >>
> >> Double check the gateway and subnet on the server.
> >>
> >> On Wed, May 4, 2022 at 11:17 AM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> >>
> >> We have one of the ne
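
Added example, not part of the original thread or written by any of its participants: the input-versus-forward point from the message above, checked by parsing the posted export and evaluating sample packets against it. The rule text is re-typed from the thread with its line breaks restored; the evaluator is a simplified model that assumes RouterOS accepts a packet when no rule in the chain matches, and it covers only the matchers these rules use.

```python
import shlex
from collections import Counter

# Rule set as posted in the thread, re-typed with its line breaks restored.
EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
    udp
add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
    2000-3000 protocol=tcp
add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
    2000-3000 protocol=udp
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
    THIS_ADMIN
add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
add action=drop chain=input comment="DROP ALL OTHER INPUT"
'''


def logical_lines(export):
    """Join export lines that end in a backslash with the line that follows."""
    lines, pending = [], ""
    for raw in export.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            pending += piece[:-1]  # may break mid-value, e.g. "protocol=" + "udp"
            continue
        lines.append(pending + piece)
        pending = ""
    return [line for line in lines if line]


def parse_filter_rules(export):
    """Return the 'add' entries under /ip firewall filter as dicts, in order."""
    rules, in_filter = [], False
    for line in logical_lines(export):
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def chain_counts(rules):
    """Number of rules per chain; a chain that is absent counts as 0."""
    return Counter(rule["chain"] for rule in rules)


def _port_in(spec, port):
    """True if port falls inside a spec such as '67' or '2000-3000'."""
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, chain, protocol, dst_port=None, state="new", src_lists=()):
    """First-match evaluation of one packet; returns (action, rule comment).

    Simplified model: only the matchers used by the posted rules are handled.
    Assumption: a packet that matches nothing in its chain is accepted.
    """
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if "protocol" in rule and rule["protocol"] != protocol:
            continue
        if "dst-port" in rule and (
            dst_port is None or not _port_in(rule["dst-port"], dst_port)
        ):
            continue
        if "connection-state" in rule and state not in rule["connection-state"].split(","):
            continue
        if "src-address-list" in rule and rule["src-address-list"] not in src_lists:
            continue
        return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched (chain default)"


if __name__ == "__main__":
    parsed = parse_filter_rules(EXPORT)
    print("rules per chain:", dict(chain_counts(parsed)))
    # Transit traffic to a server behind the router is judged in the forward chain.
    print("forward icmp  ->", evaluate(parsed, "forward", "icmp"))
    # Traffic addressed to the router itself is judged in the input chain.
    print("input tcp/22  ->", evaluate(parsed, "input", "tcp", dst_port=22))
    print("input icmp    ->", evaluate(parsed, "input", "icmp"))
```
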
Re: [AFMUG] Weird IP issue
Yes, but it ends with an INPUT "drop all" entry.
Agree it does not "appear" to be anything in the firewall, but only takes a few seconds to test and prove one way or the other.

--
Larry Smith
lesm...@ecsis.net

On Wed May 4 2022 14:58, Christopher Tyler wrote:
> That is the export of the entire firewall on that router, there are no
> forward, nat or mangle rules, therefore there shouldn't be anything keeping
> the data from getting to/from anything, let alone blocking all but one IP
> address in the IP range.
>
> It's a /29 block, ip is x.x.x.x/29 on the router interface to the switch,
> /29 in OSPF network as well.
>
> This is why I'm completely stumped, everything looks fine. We're going to
> roll that router back tonight to 7.1.5 the "long term" version to see if
> that does anything.
>
> --
> Christopher Tyler
> Senior Network Engineer
> MTCRE/MTCNA/MTCTCE/MTCWE
>
> Total Highspeed Internet Solutions
> 1091 W. Kathryn Street
> Nixa, MO 65714
> (417) 851-1107 x. 9002
> www.totalhighspeed.com
>
> This institution is an equal opportunity provider and employer.
> Esta institución es un proveedor de servicios con igualdad de
> oportunidades.
>
> - Original Message -
>
> > From: "Josh Luthman"
> > To: "AnimalFarm Microwave Users Group"
> > Sent: Wednesday, May 4, 2022 11:39:22 AM
> > Subject: Re: [AFMUG] Weird IP issue
> >
> > Input/output aren't relevant for forward traffic.
> >
> > Are your subnets right everywhere?
> >
> > On Wed, May 4, 2022 at 12:20 PM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> >
> > Very minimal, really just basic input rules, nothing that would block the
> > IP addresses from getting through. No NAT or Mangle rules on this router.
> >
> > /ip firewall filter
> > add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
> >     connection-state=established,related
> > add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
> > add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
> > add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
> >     udp
> > add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
> > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> >     2000-3000 protocol=tcp
> > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> >     2000-3000 protocol=udp
> > add action=accept chain=input dst-port=5678 protocol=tcp
> > add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
> >     THIS_ADMIN
> > add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
> > add action=drop chain=input comment="DROP ALL OTHER INPUT"
> >
> > --
> > Christopher Tyler
> > Senior Network Engineer
> > MTCRE/MTCNA/MTCTCE/MTCWE
> >
> > Total Highspeed Internet Solutions
> > 1091 W. Kathryn Street
> > Nixa, MO 65714
> > (417) 851-1107 x. 9002
> > www.totalhighspeed.com
> >
> > This institution is an equal opportunity provider and employer.
> > Esta institución es un proveedor de servicios con igualdad de
> > oportunidades.
> >
> > - Original Message -
> >
> >> From: "Josh Luthman" <j...@imaginenetworksllc.com>
> >> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
> >> Sent: Wednesday, May 4, 2022 11:12:55 AM
> >> Subject: Re: [AFMUG] Weird IP issue
> >>
> >> Firewall filter rules?
> >>
> >> Double check the gateway and subnet on the server.
> >>
> >> On Wed, May 4, 2022 at 11:17 AM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> >>
> >> We have one of the new Mikrotik CCR2216-1G-12XS-2XQ routers running
> >> RouterOS 7.2.1 with a Mikrotik switch (running 6.44.3) hanging off of
> >> it. I have two servers on that switch both in the same public IP
> >> block. I can ping both servers from the router, and they can ping each
> >> other. One server is globally reachable and the other is not reachable
> >> other tha
Re: [AFMUG] Weird IP issue
When I connected my laptop, I had internet, which is also weird since it was unreachable by ping. But yes I statically assigned the IP to the laptop with the correct IP, gateway and subnet.

--
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE

Total Highspeed Internet Solutions
1091 W. Kathryn Street
Nixa, MO 65714
(417) 851-1107 x. 9002
www.totalhighspeed.com

This institution is an equal opportunity provider and employer.
Esta institución es un proveedor de servicios con igualdad de oportunidades.

- Original Message -
> From: "AnimalFarm Microwave Users Group"
> To: "AnimalFarm Microwave Users Group"
> Cc: "David Sovereen"
> Sent: Wednesday, May 4, 2022 3:04:42 PM
> Subject: Re: [AFMUG] Weird IP issue

> Does the server without connectivity have a working default gateway?
>
> Dave
>
>> On May 4, 2022, at 4:00 PM, Christopher Tyler wrote:
>>
>> Rebooted both the router and the switch, no joy, issue persists.
>>
>> --
>> Christopher Tyler
>> Senior Network Engineer
>> MTCRE/MTCNA/MTCTCE/MTCWE
>>
>> Total Highspeed Internet Solutions
>> 1091 W. Kathryn Street
>> Nixa, MO 65714
>> (417) 851-1107 x. 9002
>> www.totalhighspeed.com
>>
>> This institution is an equal opportunity provider and employer.
>> Esta institución es un proveedor de servicios con igualdad de oportunidades.
>>
>> - Original Message -
>>> From: "Adam Moffett"
>>> To: "AnimalFarm Microwave Users Group"
>>> Sent: Wednesday, May 4, 2022 2:50:13 PM
>>> Subject: Re: [AFMUG] Weird IP issue
>>
>>> If this is a Mikrotik switch, reboot it before you waste a lot of time.
>>>
>>> I've seen weird stuff too many times. I had a CRS317 the other day where we
>>> got 98% packet loss to one specific host. Watching the switch hosts table it
>>> seemed like it kept changing its mind as to which interface that MAC address
>>> was on. Reboot cleared it right up.
>>>
>>> -Adam
>>>
>>> -Original Message-
>>> From: AF On Behalf Of Larry Smith
>>> Sent: Wednesday, May 04, 2022 12:50 PM
>>> To: AnimalFarm Microwave Users Group
>>> Subject: Re: [AFMUG] Weird IP issue
>>>
>>> To verify that, drop the firewall and then test again.
>>> If it's firewall related it will start working.
>>>
>>> --
>>> Larry Smith
>>> lesm...@ecsis.net
>>>
>>> On Wed May 4 2022 11:18, Christopher Tyler wrote:
>>>> Very minimal, really just basic input rules, nothing that would block
>>>> the IP addresses from getting through. No NAT or Mangle rules on this
>>>> router.
>>>>
>>>> /ip firewall filter
>>>> add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
>>>>     connection-state=established,related
>>>> add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
>>>> add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
>>>> add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
>>>>     udp
>>>> add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
>>>> add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
>>>>     2000-3000 protocol=tcp
>>>> add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
>>>>     2000-3000 protocol=udp
>>>> add action=accept chain=input dst-port=5678 protocol=tcp
>>>> add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
>>>>     THIS_ADMIN
>>>> add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
>>>> add action=drop chain=input comment="DROP ALL OTHER INPUT"
>>>>
>>>> --
>>>> Christopher Tyler
>>>> Senior Network Engineer
>>>> MTCRE/MTCNA/MTCTCE/MTCWE
>>>>
>>>> Total Highspeed Internet Solutions
>>>> 1091 W. Kathryn Street
>>>> Nixa, MO 65714
>>>> (417) 851-1107 x. 9002
>>>> www.totalhighspeed.com
>>>>
>>>> This institution is an equal opportunity provider and employer.
>>>> Esta institución es un proveedor de servicios con igualdad de
>>>> oportunidades.
>>>>
>>>> - O
Re: [AFMUG] Weird IP issue
Yup, x.x.x.x/29 in the same range.

--
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE

Total Highspeed Internet Solutions
1091 W. Kathryn Street
Nixa, MO 65714
(417) 851-1107 x. 9002
www.totalhighspeed.com

This institution is an equal opportunity provider and employer.
Esta institución es un proveedor de servicios con igualdad de oportunidades.

- Original Message -
> From: "Josh Luthman"
> To: "AnimalFarm Microwave Users Group"
> Sent: Wednesday, May 4, 2022 3:01:47 PM
> Subject: Re: [AFMUG] Weird IP issue

>>It's a /29 block, ip is x.x.x.x/29 on the router interface to the switch, /29 in
>>OSPF network as well.
>
> And the servers/laptop?
>
> On Wed, May 4, 2022 at 4:00 PM Christopher Tyler <ch...@totalhighspeed.net> wrote:
>
> That is the export of the entire firewall on that router, there are no forward,
> nat or mangle rules, therefore there shouldn't be anything keeping the data
> from getting to/from anything, let alone blocking all but one IP address in the
> IP range.
>
> It's a /29 block, ip is x.x.x.x/29 on the router interface to the switch, /29 in
> OSPF network as well.
>
> This is why I'm completely stumped, everything looks fine. We're going to roll
> that router back tonight to 7.1.5 the "long term" version to see if that does
> anything.
>
> --
> Christopher Tyler
> Senior Network Engineer
> MTCRE/MTCNA/MTCTCE/MTCWE
>
> Total Highspeed Internet Solutions
> 1091 W. Kathryn Street
> Nixa, MO 65714
> (417) 851-1107 x. 9002
> www.totalhighspeed.com
>
> This institution is an equal opportunity provider and employer.
> Esta institución es un proveedor de servicios con igualdad de oportunidades.
>
> - Original Message -
>> From: "Josh Luthman" <j...@imaginenetworksllc.com>
>> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
>> Sent: Wednesday, May 4, 2022 11:39:22 AM
>> Subject: Re: [AFMUG] Weird IP issue
>
>> Input/output aren't relevant for forward traffic.
>>
>> Are your subnets right everywhere?
>>
>> On Wed, May 4, 2022 at 12:20 PM Christopher Tyler <ch...@totalhighspeed.net> wrote:
>>
>> Very minimal, really just basic input rules, nothing that would block the IP
>> addresses from getting through. No NAT or Mangle rules on this router.
>>
>> /ip firewall filter
>> add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
>>     connection-state=established,related
>> add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
>> add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
>> add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
>>     udp
>> add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
>> add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
>>     2000-3000 protocol=tcp
>> add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
>>     2000-3000 protocol=udp
>> add action=accept chain=input dst-port=5678 protocol=tcp
>> add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
>>     THIS_ADMIN
>> add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
>> add action=drop chain=input comment="DROP ALL OTHER INPUT"
>>
>> --
>> Christopher Tyler
>> Senior Network Engineer
>> MTCRE/MTCNA/MTCTCE/MTCWE
>>
>> Total Highspeed Internet Solutions
>> 1091 W. Kathryn Street
>> Nixa, MO 65714
>> (417) 851-1107 x. 9002
>> www.totalhighspeed.com
>>
>> This institution is an equal opportunity provider and employer.
>> Esta institución es un proveedor de servicios con igualdad de oportunidades.
>>
>> - Original Message -
>>> From: "Josh Luthman" <j...@imaginenetworksllc.com>
>>> To: "AnimalFarm Microwave Users Group" <af@af.a
Re: [AFMUG] Weird IP issue
Does the server without connectivity have a working default gateway?

Dave

> On May 4, 2022, at 4:00 PM, Christopher Tyler wrote:
>
> Rebooted both the router and the switch, no joy, issue persists.
>
> --
> Christopher Tyler
> Senior Network Engineer
> MTCRE/MTCNA/MTCTCE/MTCWE
>
> Total Highspeed Internet Solutions
> 1091 W. Kathryn Street
> Nixa, MO 65714
> (417) 851-1107 x. 9002
> www.totalhighspeed.com
>
> This institution is an equal opportunity provider and employer.
> Esta institución es un proveedor de servicios con igualdad de oportunidades.
>
> - Original Message -
>> From: "Adam Moffett"
>> To: "AnimalFarm Microwave Users Group"
>> Sent: Wednesday, May 4, 2022 2:50:13 PM
>> Subject: Re: [AFMUG] Weird IP issue
>
>> If this is a Mikrotik switch, reboot it before you waste a lot of time.
>>
>> I've seen weird stuff too many times. I had a CRS317 the other day where we
>> got 98% packet loss to one specific host. Watching the switch hosts table it
>> seemed like it kept changing its mind as to which interface that MAC address
>> was on. Reboot cleared it right up.
>>
>> -Adam
>>
>> -Original Message-
>> From: AF On Behalf Of Larry Smith
>> Sent: Wednesday, May 04, 2022 12:50 PM
>> To: AnimalFarm Microwave Users Group
>> Subject: Re: [AFMUG] Weird IP issue
>>
>> To verify that, drop the firewall and then test again.
>> If it's firewall related it will start working.
>>
>> --
>> Larry Smith
>> lesm...@ecsis.net
>>
>> On Wed May 4 2022 11:18, Christopher Tyler wrote:
>>> Very minimal, really just basic input rules, nothing that would block
>>> the IP addresses from getting through. No NAT or Mangle rules on this
>>> router.
>>>
>>> /ip firewall filter
>>> add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
>>>     connection-state=established,related
>>> add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
>>> add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
>>> add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
>>>     udp
>>> add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
>>> add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
>>>     2000-3000 protocol=tcp
>>> add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
>>>     2000-3000 protocol=udp
>>> add action=accept chain=input dst-port=5678 protocol=tcp
>>> add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
>>>     THIS_ADMIN
>>> add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
>>> add action=drop chain=input comment="DROP ALL OTHER INPUT"
>>>
>>> --
>>> Christopher Tyler
>>> Senior Network Engineer
>>> MTCRE/MTCNA/MTCTCE/MTCWE
>>>
>>> Total Highspeed Internet Solutions
>>> 1091 W. Kathryn Street
>>> Nixa, MO 65714
>>> (417) 851-1107 x. 9002
>>> www.totalhighspeed.com
>>>
>>> This institution is an equal opportunity provider and employer.
>>> Esta institución es un proveedor de servicios con igualdad de
>>> oportunidades.
>>>
>>> - Original Message -
>>>
>>>> From: "Josh Luthman"
>>>> To: "AnimalFarm Microwave Users Group"
>>>> Sent: Wednesday, May 4, 2022 11:12:55 AM
>>>> Subject: Re: [AFMUG] Weird IP issue
>>>>
>>>> Firewall filter rules?
>>>>
>>>> Double check the gateway and subnet on the server.
>>>>
>>>> On Wed, May 4, 2022 at 11:17 AM Christopher Tyler <ch...@totalhighspeed.net> wrote:
>>>>
>>>> We have one of the new Mikrotik CCR2216-1G-12XS-2XQ routers running
>>>> RouterOS 7.2.1 with a Mikrotik switch (running 6.44.3) hanging off of it.
>>>> I have two servers on that switch both in the same public IP
>>>> block. I can ping both servers from the router, and they can ping
>>>> each other. One server is globally reachable and the other is not
>>>> reachable other than from the router or switch itself. I plugged in
>>>> my laptop and assigned it an IP in that same range and canno
Re: [AFMUG] Weird IP issue
>It's a /29 block, ip is x.x.x.x/29 on the router interface to the switch, /29 in OSPF network as well.

And the servers/laptop?

On Wed, May 4, 2022 at 4:00 PM Christopher Tyler wrote:
> That is the export of the entire firewall on that router, there are no
> forward, nat or mangle rules, therefore there shouldn't be anything keeping
> the data from getting to/from anything, let alone blocking all but one IP
> address in the IP range.
>
> It's a /29 block, ip is x.x.x.x/29 on the router interface to the switch,
> /29 in OSPF network as well.
>
> This is why I'm completely stumped, everything looks fine. We're going to
> roll that router back tonight to 7.1.5 the "long term" version to see if
> that does anything.
>
> --
> Christopher Tyler
> Senior Network Engineer
> MTCRE/MTCNA/MTCTCE/MTCWE
>
> Total Highspeed Internet Solutions
> 1091 W. Kathryn Street
> Nixa, MO 65714
> (417) 851-1107 x. 9002
> www.totalhighspeed.com
>
> This institution is an equal opportunity provider and employer.
> Esta institución es un proveedor de servicios con igualdad de
> oportunidades.
>
> - Original Message -
> > From: "Josh Luthman"
> > To: "AnimalFarm Microwave Users Group"
> > Sent: Wednesday, May 4, 2022 11:39:22 AM
> > Subject: Re: [AFMUG] Weird IP issue
>
> > Input/output aren't relevant for forward traffic.
> >
> > Are your subnets right everywhere?
> >
> > On Wed, May 4, 2022 at 12:20 PM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> >
> > Very minimal, really just basic input rules, nothing that would block the IP
> > addresses from getting through. No NAT or Mangle rules on this router.
> >
> > /ip firewall filter
> > add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
> >     connection-state=established,related
> > add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
> > add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
> > add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
> >     udp
> > add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
> > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> >     2000-3000 protocol=tcp
> > add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
> >     2000-3000 protocol=udp
> > add action=accept chain=input dst-port=5678 protocol=tcp
> > add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
> >     THIS_ADMIN
> > add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
> > add action=drop chain=input comment="DROP ALL OTHER INPUT"
> >
> > --
> > Christopher Tyler
> > Senior Network Engineer
> > MTCRE/MTCNA/MTCTCE/MTCWE
> >
> > Total Highspeed Internet Solutions
> > 1091 W. Kathryn Street
> > Nixa, MO 65714
> > (417) 851-1107 x. 9002
> > www.totalhighspeed.com
> >
> > This institution is an equal opportunity provider and employer.
> > Esta institución es un proveedor de servicios con igualdad de oportunidades.
> >
> > - Original Message -
> >> From: "Josh Luthman" <j...@imaginenetworksllc.com>
> >> To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
> >> Sent: Wednesday, May 4, 2022 11:12:55 AM
> >> Subject: Re: [AFMUG] Weird IP issue
> >
> >> Firewall filter rules?
> >>
> >> Double check the gateway and subnet on the server.
> >>
> >> On Wed, May 4, 2022 at 11:17 AM Christopher Tyler <ch...@totalhighspeed.net> wrote:
> >>
> >> We have one of the new Mikrotik CCR2216-1G-12XS-2XQ routers running RouterOS
> >> 7.2.1 with a Mikrotik switch (running 6.44.3) hanging off of it. I have two
> >> servers on that switch both in the same public IP block. I can ping both
> >> servers from the router, and they can ping each other. One server is globally
> >> reachable and the other is not reachable other than from the router or switch
> >> itself. I plugged in my laptop and assigned it a
Re: [AFMUG] Weird IP issue
Rebooted both the router and the switch, no joy, issue persists.

-- 
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE

----- Original Message -----
> From: "Adam Moffett"
> To: "AnimalFarm Microwave Users Group"
> Sent: Wednesday, May 4, 2022 2:50:13 PM
> Subject: Re: [AFMUG] Weird IP issue

> If this is a Mikrotik switch, reboot it before you waste a lot of time.
>
> I've seen weird stuff too many times. I had a CRS317 the other day where we got 98% packet loss to one specific host. Watching the switch hosts table it seemed like it kept changing its mind as to which interface that MAC address was on. Reboot cleared it right up.
>
> -Adam
Re: [AFMUG] Weird IP issue
That is the export of the entire firewall on that router, there are no forward, nat or mangle rules, therefore there shouldn't be anything keeping the data from getting to/from anything, let alone blocking all but one IP address in the IP range.

It's a /29 block, ip is x.x.x.x/29 on the router interface to the switch, /29 in OSPF network as well.

This is why I'm completely stumped, everything looks fine. We're going to roll that router back tonight to 7.1.5 the "long term" version to see if that does anything.

-- 
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE

----- Original Message -----
> From: "Josh Luthman"
> To: "AnimalFarm Microwave Users Group"
> Sent: Wednesday, May 4, 2022 11:39:22 AM
> Subject: Re: [AFMUG] Weird IP issue

> Input/output aren't relevant for forward traffic.
>
> Are your subnets right everywhere?
Re: [AFMUG] Weird IP issue
If this is a Mikrotik switch, reboot it before you waste a lot of time.

I've seen weird stuff too many times. I had a CRS317 the other day where we got 98% packet loss to one specific host. Watching the switch hosts table it seemed like it kept changing its mind as to which interface that MAC address was on. Reboot cleared it right up.

-Adam

-----Original Message-----
From: AF On Behalf Of Larry Smith
Sent: Wednesday, May 04, 2022 12:50 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Weird IP issue

To verify that, drop the firewall and then test again.
If it's firewall related it will start working.

-- 
Larry Smith
lesm...@ecsis.net
Re: [AFMUG] Weird IP issue
To verify that, drop the firewall and then test again.
If it's firewall related it will start working.

-- 
Larry Smith
lesm...@ecsis.net

On Wed May 4 2022 11:18, Christopher Tyler wrote:
> Very minimal, really just basic input rules, nothing that would block the IP addresses from getting through. No NAT or Mangle rules on this router.
Re: [AFMUG] Weird IP issue
Input/output aren't relevant for forward traffic.

Are your subnets right everywhere?

On Wed, May 4, 2022 at 12:20 PM Christopher Tyler wrote:
> Very minimal, really just basic input rules, nothing that would block the IP addresses from getting through. No NAT or Mangle rules on this router.
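The chain logic behind this reply, as an added example that is not part of the thread: it parses the filter export posted in this thread and reports which chain a packet traverses and which rule decides it. The function names, the 192.0.2.0/29 and 198.51.100.7 addresses and the sample packets are constructed for illustration, and only the matchers that appear in the export are modelled.

```python
import collections
import ipaddress
import re
import shlex

# The filter export posted in this thread, copied as posted.
EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
    udp
add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
    2000-3000 protocol=tcp
add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
    2000-3000 protocol=udp
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
    THIS_ADMIN
add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
add action=drop chain=input comment="DROP ALL OTHER INPUT"
'''

# Constructed sample addressing: the thread masks the real block as x.x.x.x/29.
ROUTER_ADDRS = {ipaddress.ip_address("192.0.2.1")}
TRANSIT = {"src": "198.51.100.7", "dst": "192.0.2.3", "protocol": "tcp", "dst_port": 443}
TO_ROUTER = {"src": "198.51.100.7", "dst": "192.0.2.1", "protocol": "tcp", "dst_port": 22}
PING_ROUTER = {"src": "198.51.100.7", "dst": "192.0.2.1", "protocol": "icmp"}


def parse_export(text):
    """Parse an '/ip firewall filter' export into a list of rule dicts."""
    joined = re.sub(r"\\\n\s*", "", text)  # undo RouterOS backslash line wraps
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            pairs = (tok.partition("=") for tok in shlex.split(line[4:]))
            rules.append({key: value for key, _, value in pairs})
    return rules


def chains_used(rules):
    """Count rules per chain; a chain missing from the result has no rules."""
    return dict(collections.Counter(rule["chain"] for rule in rules))


def chain_for(pkt, router_addrs):
    """input = addressed to the router, output = sent by it, else forward."""
    if ipaddress.ip_address(pkt["dst"]) in router_addrs:
        return "input"
    if ipaddress.ip_address(pkt["src"]) in router_addrs:
        return "output"
    return "forward"


def port_in(spec, port):
    """Match a port against a RouterOS spec such as '67' or '2000-3000'."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def rule_matches(rule, pkt, address_lists):
    """Check every matcher on the rule; only the matchers in EXPORT are modelled."""
    for key, value in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        if key == "protocol":
            ok = pkt["protocol"] == value
        elif key == "dst-port":
            ok = pkt.get("dst_port") is not None and port_in(value, pkt["dst_port"])
        elif key == "connection-state":
            ok = pkt.get("state", "new") in value.split(",")
        elif key == "src-address-list":
            ok = ipaddress.ip_address(pkt["src"]) in address_lists.get(value, set())
        else:
            raise ValueError(f"matcher not modelled here: {key}")
        if not ok:
            return False
    return True


def verdict(rules, pkt, router_addrs, address_lists=None):
    """Return (chain, action, comment) of the first matching rule in the packet's chain."""
    chain = chain_for(pkt, router_addrs)
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt, address_lists or {}):
            return chain, rule["action"], rule.get("comment", "")
    # RouterOS accepts a packet that reaches the end of a chain unmatched.
    return chain, "accept", "(no rule matched: default accept)"


if __name__ == "__main__":
    rules = parse_export(EXPORT)
    print(chains_used(rules))
    for pkt in (TRANSIT, TO_ROUTER, PING_ROUTER):
        print(pkt["dst"], pkt["protocol"], verdict(rules, pkt, ROUTER_ADDRS))
```

With this export a forwarded packet to a host in the /29 matches no rule and is accepted by default, so the ruleset neither blocks nor protects the servers behind the router.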
Re: [AFMUG] Weird IP issue
Very minimal, really just basic input rules, nothing that would block the IP addresses from getting through. No NAT or Mangle rules on this router.

/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED/RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ACCEPT OSPF" protocol=ospf
add action=accept chain=input comment="ACCEPT ICMP (ping)" protocol=icmp
add action=accept chain=input comment="ACCEPT SNMP" dst-port=160-161 protocol=\
    udp
add action=accept chain=input comment="ACCEPT DHCP" dst-port=67 protocol=udp
add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
    2000-3000 protocol=tcp
add action=accept chain=input comment="Allow MTIK Bandwidth Test" dst-port=\
    2000-3000 protocol=udp
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input comment="ACCEPT THIS Mgmt" src-address-list=\
    THIS_ADMIN
add action=accept chain=output comment="ACCEPT ALL OUTBOUND"
add action=drop chain=input comment="DROP ALL OTHER INPUT"

-- 
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE

----- Original Message -----
> From: "Josh Luthman"
> To: "AnimalFarm Microwave Users Group"
> Sent: Wednesday, May 4, 2022 11:12:55 AM
> Subject: Re: [AFMUG] Weird IP issue

> Firewall filter rules?
>
> Double check the gateway and subnet on the server.
Re: [AFMUG] Weird IP issue
Firewall filter rules?

Double check the gateway and subnet on the server.

On Wed, May 4, 2022 at 11:17 AM Christopher Tyler wrote:
> We have one of the new Mikrotik CCR2216-1G-12XS-2XQ routers running RouterOS 7.2.1 with a Mikrotik switch (running 6.44.3) hanging off of it. I have two servers on that switch both in the same public IP block. I can ping both servers from the router, and they can ping each other. One server is globally reachable and the other is not reachable other than from the router or switch itself. I plugged in my laptop and assigned it an IP in that same range and cannot reach it externally either. The router is using OSPF and I can see the route for that IP block from both sides of the router, but traceroutes/pings to anything other than the server that is working stop at the router. No vlans or special configuration between the router and the switch, just basic IP, all ports on the switch are bridged. Forwarded ports (dstnat) don't appear to work from the router either.
>
> I'm stumped, so I figured I would ask if anyone else has seen anything like this and has a solution, or am I looking at a possible RouterOS 7 issue?
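One way to run the gateway and subnet check suggested above, as an added example that is not part of the thread: it audits a host's address, mask and default gateway against the router interface and models where the host sends its replies. The addresses (192.0.2.0/29 standing in for the masked x.x.x.x/29, 198.51.100.7 as an outside client) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample addressing: the thread masks the real block as x.x.x.x/29.
ROUTER_IF = ipaddress.ip_interface("192.0.2.1/29")
OUTSIDE = "198.51.100.7"  # constructed external client


def audit_host(router_if, host_cidr, gateway):
    """List configuration problems for one host behind the router interface."""
    host_if = ipaddress.ip_interface(host_cidr)
    net = router_if.network
    findings = []
    if host_if.ip not in net:
        findings.append(f"address {host_if.ip} is outside {net}")
    elif host_if.ip in (net.network_address, net.broadcast_address):
        findings.append(f"address {host_if.ip} is the network or broadcast address")
    elif host_if.ip == router_if.ip:
        findings.append(f"address {host_if.ip} duplicates the router")
    if host_if.network != net:
        findings.append(
            f"mask mismatch: host /{host_if.network.prefixlen}, router /{net.prefixlen}")
    if gateway is None:
        findings.append("no default gateway")
    elif ipaddress.ip_address(gateway) != router_if.ip:
        findings.append(f"gateway {gateway} is not the router ({router_if.ip})")
    return findings


def return_path(host_cidr, gateway, peer):
    """Where the host sends a reply to peer: 'on-link', 'via <gateway>' or 'no route'."""
    host_if = ipaddress.ip_interface(host_cidr)
    if ipaddress.ip_address(peer) in host_if.network:
        return "on-link"
    # A gateway is only usable if the host sees it on its own connected subnet.
    if gateway is None or ipaddress.ip_address(gateway) not in host_if.network:
        return "no route"
    return f"via {gateway}"


def reachability(router_if, host_cidr, gateway, outside=OUTSIDE):
    """Predict whether the host's replies get back to the router and to an outside client."""
    return {
        "replies_to_router": return_path(host_cidr, gateway, router_if.ip) == "on-link",
        "replies_to_outside": return_path(host_cidr, gateway, outside) == f"via {router_if.ip}",
    }


if __name__ == "__main__":
    for cidr, gw in [("192.0.2.2/29", "192.0.2.1"), ("192.0.2.3/29", "192.0.2.6"),
                     ("192.0.2.4/29", None), ("192.0.2.5/30", "192.0.2.1")]:
        print(cidr, gw, audit_host(ROUTER_IF, cidr, gw), reachability(ROUTER_IF, cidr, gw))
```

A host with a missing or wrong default gateway still answers the router and its on-link neighbours while its replies to outside clients are lost, which is why the check is worth running on a host that is pingable only from the router.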
[AFMUG] Weird IP issue
We have one of the new Mikrotik CCR2216-1G-12XS-2XQ routers running RouterOS 7.2.1 with a Mikrotik switch (running 6.44.3) hanging off of it. I have two servers on that switch both in the same public IP block. I can ping both servers from the router, and they can ping each other. One server is globally reachable and the other is not reachable other than from the router or switch itself. I plugged in my laptop and assigned it an IP in that same range and cannot reach it externally either. The router is using OSPF and I can see the route for that IP block from both sides of the router, but traceroutes/pings to anything other than the server that is working stop at the router. No vlans or special configuration between the router and the switch, just basic IP, all ports on the switch are bridged. Forwarded ports (dstnat) don't appear to work from the router either.

I'm stumped, so I figured I would ask if anyone else has seen anything like this and has a solution, or am I looking at a possible RouterOS 7 issue?

-- 
Christopher Tyler
Senior Network Engineer
MTCRE/MTCNA/MTCTCE/MTCWE