I have the new network permitted in my ingress and egress ACLs for our outbound interface. I've also tried using a smaller subnet of IPs from a different pool that we've been using for years. And I briefly disabled the ACLs altogether to test.
And when I attach this network direct to the riverstone, everything works. That's why I thought it was an internal routing misconfiguration.

-Paul

On Feb 11, 2010, at 9:47 AM, Data Technology wrote:

> Could it be a firewall rule?
>
>
> Paul Gerstenberger wrote:
>> Same story, I disabled OSPF on both devices (but both are still on the
>> 10.0.4.0 network) put this route in the riverstone:
>>
>> ip add route yyy.yyy.yyyy.0/24 gateway 10.0.4.3
>>
>> and this in the mikrotik:
>>
>> ip route add dst-address=0.0.0.0/0 gateway=10.0.4.1 (pretty sure, I
>> did it from WinBox)
>>
>> Again, I can ping out to all local resources off the riverstone, but I time
>> out when trying to get outside, but I can ping into those publics from an
>> external network.
>>
>> MacBook-Pro:~ pgerst$ traceroute 4.2.2.1
>> traceroute to 4.2.2.1 (4.2.2.1), 64 hops max, 52 byte packets
>>  1  yyy.yyy.yyy.1 (yyy.yyy.yyy.1)  0.673 ms  0.132 ms  0.165 ms
>>  2  10.0.4.1 (10.0.4.1)  0.406 ms  0.365 ms  0.358 ms
>>  3  * * *
>>
>> -Paul
>>
>> On Feb 11, 2010, at 3:57 AM, Bret Clark wrote:
>>
>>
>>> Paul Gerstenberger wrote:
>>>
>>>> There are a number of blackhole routes and ACL lines for unallocated IPs,
>>>> that's why it's so long. Probably overkill.
>>>>
>>>> I'm not running NAT on the mikrotik, but I'm planning on doing so with some
>>>> of these IPs.
>>>>
>>>> [ad...@mikrotik] > /routing ospf export
>>>> # feb/11/2010 05:34:32 by RouterOS 4.5
>>>> # software id = QQQQ-QQQQ
>>>> #
>>>> /routing ospf instance
>>>> set default comment="" disabled=no distribute-default=never
>>>> in-filter=ospf-in metric-bgp=20 \
>>>> metric-connected=20 metric-default=1 metric-other-ospf=auto
>>>> metric-rip=20 metric-static=20 \
>>>> name=default out-filter=ospf-out redistribute-bgp=no
>>>> redistribute-connected=as-type-1 \
>>>> redistribute-other-ospf=no redistribute-rip=no redistribute-static=no
>>>> router-id=10.0.4.3
>>>> /routing ospf area
>>>> set backbone area-id=0.0.0.0 comment="" disabled=no instance=default
>>>> name=backbone type=default
>>>> /routing ospf interface
>>>> add authentication=none authentication-key="" authentication-key-id=1
>>>> comment="" cost=10 \
>>>> dead-interval=40s disabled=no hello-interval=10s instance-id=0
>>>> interface=ether1-gateway \
>>>> network-type=broadcast passive=no priority=1 retransmit-interval=5s
>>>> transmit-delay=1s \
>>>> use-bfd=no
>>>> /routing ospf network
>>>> add area=backbone comment="" disabled=no network=10.0.4.0/27
>>>>
>>>>
>>>>
>>>> Here are the relevant routes:
>>>>
>>>> RS-1# ip show routes
>>>>
>>>> Destination          Gateway             Owner     Netif
>>>> -----------          -------             -----     -----
>>>> default              ZZZ.ZZZ.ZZZ.25      Static    HREC-EIA
>>>> 10.0.4.0/27          directly connected  -         WISP-201
>>>> YYY.YYY.YYY.0/24     10.0.4.3            OSPF_ASE  WISP-201
>>>> XXX.XXX.XXX.24/30    directly connected  -         HREC-EIA
>>>>
>>>> [ad...@mikrotik] > ip route print
>>>>
>>>> Flags: X - disabled, A - active, D - dynamic,
>>>> C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
>>>> B - blackhole, U - unreachable, P - prohibit
>>>>
>>>>  #      DST-ADDRESS         PREF-SRC        GATEWAY         DISTANCE
>>>>  0 ADo  0.0.0.0/0                           10.0.4.1        110
>>>>  2 ADC  10.0.4.0/27         10.0.4.3        ether1-gateway  0
>>>> 30 ADC  yyy.yyy.yyy.0/24    zzz.zzz.zzz.1   ether2-local    0
>>>>
>>>> 44 ADo  xxx.xxx.xxx.24/30                   10.0.4.1        110
>>>>
>>>> -Paul
>>>>
>>>>
>>> Strange...everything looks right to me. Routing tables are as I would
>>> expect. You don't happen to have any ACL's being applied to the
>>> interface that the Mikrotik is attached to? What happens if you
>>> eliminate using OSPF for now and just setup the configuration using
>>> static routes? Does it work then?
>>>
>>>
>>> --------------------------------------------------------------------------------
>>> WISPA Wants You! Join today!
>>> http://signup.wispa.org/
>>> --------------------------------------------------------------------------------
>>>
>>> WISPA Wireless List: [email protected]
>>>
>>> Subscribe/Unsubscribe:
>>> http://lists.wispa.org/mailman/listinfo/wireless
>>>
>>> Archives: http://lists.wispa.org/pipermail/wireless/
