Re: [MT-AU Public] Network Routing Issues
Windows firewall on the workstation perhaps?

________________________________
From: Christopher Hawker <chris@thesysadmin.dev>
Sent: Thursday, 3 February 2022 19:05
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] Network Routing Issues

Hi Dave,

That was my thought too, however I've placed a rule at the top #1 that allows ICMP from any IP on any zone to reach any other IP on any other zone, same result.

________________________________
From: Public <public-bounces@talk.mikrotik.com.au> on behalf of Dave Browning <dave@dlbnetworks.com>
Sent: Thursday, February 3, 2022 6:39 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Network Routing Issues

Given you can get one way, it’ll be a firewall issue. I reckon you are being “Sophos’d” and it’s simply blocking inbound ICMP.

On 3 Feb 2022, at 5:32 pm, Christopher Hawker <chris@thesysadmin.dev> wrote:
Hello all,
I'm trying to work on a setup using 2 x CHRs at separate locations, with an EoIP tunnel between them. The tunnel itself works, and I am able to route across it.
At the A-side is a workstation (192.168.0.1) with a Sophos router as the default gateway (192.168.0.254) and the A-side CHR is the tunnel gateway (192.168.0.253). At the Z-side, there is the single CHR (172.16.100.254) which is acting as the default gateway and a Windows server (172.16.100.1) behind it. I have BGP configured between the two sites over the tunnel and this works as expected. Sessions are up and routes have propagated.
192.168.0.1 is able to ping and can traceroute to 172.16.100.1 and results are returned; however, 172.16.100.1 cannot ping/traceroute to 192.168.0.1, which has me puzzled. I did some more digging, and the traceroute to 192.168.0.1 shows that the last hop before timeout is 192.168.0.253.
I apologise for my poor explanation; however I hope it makes sense to someone. Would anyone be able to shed some light on why it may be doing this, or what I am missing?
Thanks,
CH

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

Redirects?

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Michael Junek
Sent: Thursday, 3 February 2022 6:30 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Network Routing Issues

Windows firewall on the workstation perhaps?

Unfortunately that’s not it either. Turned off the firewall on both ends to be 100% sure.

CH

Sent from my iPhone

On 3 Feb 2022, at 7:37 pm, Tim Warnock <timoid@timoid.org> wrote:
Redirects?

As in like ip->settings and disable redirects

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Christopher Hawker
Sent: Thursday, 3 February 2022 6:42 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Network Routing Issues

Unfortunately that’s not it either. Turned off the firewall on both ends to be 100% sure.

CH

Hi,

Is your EOIP tunnel marked as a LAN at the 192.168.0.253 end (assuming near default firewall rules in MT)?

Regards
Roger
----------------------------
Roger Plant

In A-side:
Try adding a static route from 192.168.0.1 to 192.168.100.0 network and 192.168.0.253 as route. (need admin permission on workstation)

    route -p add 192.168.100.0 mask 255.255.255.0 192.168.0.253

In Z-side:
Put a firewall rule to open all incoming and outgoing traffic to 192.168.0.0/24 network and put those 2 rules on top.

Regards,
Avinash Perera
Data Centre Engineer
avinash@ozisp.com.au
www.ozisp.com.au

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Tim Warnock
Sent: Thursday, 3 February 2022 7:44 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Network Routing Issues

As in like ip->settings and disable redirects

participants (5)
- avinash@ozisp.com.au
- Christopher Hawker
- Michael Junek
- Roger Plant
- Tim Warnock