MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Can ping IP's/Websites, but no internet.

Sun May 08, 2022 12:10 am

I absolutely desperately need to solve this issue, so I'm going to try this again now that I've narrowed down my problem a bit.

RBM11G + Quectel RM502Q-AE + Tmobile

This modem was working since December, but stopped working a few weeks ago. After it stopped working, I could still ping IP's from PC, but not addresses. I could ping both in winbox. I've since tweaked my configuration and can now ping both from my PC, but I still have no internet. This isn't isolated to my PC, but my asus router and all devices. Winbox even times out when searching for updates, so I assume the modem itself lacks the internet as well.

My configuration tweak was removing the DNS servers I had originally set, 8.8.8.8/8.8.4.4. Another tweak that was recommended was setting the DNS to 192.168.88.1 and turning "allow remote requests" on.

Configuration:

EDIT: Sorry, I wasn't aware export didn't do the full configuration. Here's the full export verbose configuration.
# may/08/2022 19:34:15 by RouterOS 7.2.2
#
# model = RBM11G
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1596 loop-protect=default loop-protect-disable-time=\
    5m loop-protect-send-interval=5s mac-address=48:8F:5A:C6:E8:42 mtu=1500 name=ether1 orig-mac-address=48:8F:5A:C6:E8:42 rx-flow-control=\
    off speed=1Gbps tx-flow-control=off
/interface ethernet switch
set 0 !cpu-flow-control l3-hw-offloading=no mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 !egress-rate !ingress-rate
set 1 !egress-rate !ingress-rate
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
add exclude="" include="" name=WAN
add exclude="" include="" name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=fast.t-mobile.com authentication=none default-route-distance=2 ip-type=auto name=default \
    use-network-apn=no use-peer-dns=yes
/interface lte
set [ find ] allow-roaming=no apn-profiles=default band="" disabled=no !modem-init mtu=1472 name=lte1 network-mode=3g,lte,5g nr-band=""
/queue interface
set lte1 queue=no-queue
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m \
    interim-update=0s management-protection=disabled mode=none mschapv2-username="" name=default radius-called-format=mac:ssid \
    radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=\
    XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none \
    static-sta-private-algo=none static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=flash/hotspot html-directory-override="" http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d \
    name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default \
    pfs-group=modp1024
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=yes disabled=no interface=ether1 lease-script="" lease-time=10m name=dhcp1 use-radius=no
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none stop-bits=1
set 1 baud-rate=auto data-bits=8 flow-control=none name=usb2 parity=none stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default \
    use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up=\
    "" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
    use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=\
    none write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
    syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy,!dude \
    skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy,!dude \
    skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!dude \
    skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=static lldp-med-net-policy-vlan=disabled protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=4096
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface list member
add disabled=no interface=lte1 list=WAN
add disabled=no interface=ether1 list=LAN
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 mac-address=\
    FE:F2:D3:CA:07:92 max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp require-client-certificate=no tls-version=any
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=\
    1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" caps-man-names="" certificate=none discovery-interfaces="" \
    enabled=no interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no \
    streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip address
add address=192.168.88.1/24 comment=defconf disabled=no interface=ether1 network=192.168.88.0
/ip cloud
set ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dhcp-server network
add address=192.168.88.0/24 caps-manager="" dhcp-option="" dns-server="" gateway=192.168.88.1 !next-server ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
    max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:65 out-interface=lte1 passthrough=yes
add action=change-ttl chain=prerouting in-interface=lte1 new-ttl=set:65 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1 !to-addresses !to-ports
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any vrf=main
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/flash/pub disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=64k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 \
    sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=\
    yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes \
    nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes \
    src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no dns="" hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=\
    unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/snmp
set contact="" enabled=no engine-id="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1
/system clock
set time-zone-autodetect=no time-zone-name=US/Central
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system identity
set name="MikroTik Modem"
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=unicast servers=""
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
/system resource irq rps
set ether1 disabled=no
/system resource usb settings
set authorization=no
/system routerboard settings
set auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=bootp disable-pci=no force-backup-booter=no protected-routerboot=\
    disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set address=0.0.0.0 from=<> port=25 tls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-interface="" filter-ip-address="" filter-ip-protocol="" \
    filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" filter-size="" \
    filter-stream=no memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

ip dns> print results:
                      servers: 
              dynamic-servers: 192.0.0.1,fd00:976a::9,fd00:976a::10
               use-doh-server: 
              verify-doh-cert: no
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 47KiB

Ping & NSlookup results:
C:\Users\#########>ping google.com

Pinging google.com [142.250.190.14] with 32 bytes of data:
Reply from 142.250.190.14: bytes=32 time=101ms TTL=64
Reply from 142.250.190.14: bytes=32 time=32ms TTL=64
Reply from 142.250.190.14: bytes=32 time=42ms TTL=64
Reply from 142.250.190.14: bytes=32 time=48ms TTL=64

Ping statistics for 142.250.190.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 101ms, Average = 55ms

C:\Users\#########>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=124ms TTL=64
Reply from 8.8.8.8: bytes=32 time=44ms TTL=64
Reply from 8.8.8.8: bytes=32 time=40ms TTL=64
Reply from 8.8.8.8: bytes=32 time=39ms TTL=64

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 39ms, Maximum = 124ms, Average = 61ms

C:\Users\#########>nslookup
Default Server:  UnKnown
Address:  192.168.88.1

> google.com
Server:  UnKnown
Address:  192.168.88.1

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4009:817::200e
          142.250.190.14
Last edited by MobiusToad on Mon May 09, 2022 3:41 am, edited 4 times in total.
 
holvoetn
Forum Guru
Posts: 1814
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 9:42 am

Is that the full config ?

Why the mangle rule for lte ?
I don't have it on my SXT lte device so I'm curious ?
 
Jotne
Forum Guru
Posts: 3150
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 10:42 am

> Is that the full config ?
Can not be. Missing DHCP/Bridge/interface config +++
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 11:32 am

You are using the DNS of a device, most likely a modem: 192.0.0.1,fd00:976a::9,fd00:976a::10.... These IPv6 DNS servers seem indeed to be used by t-mobile.

If t-mobile is blocking DNS requests made to other DNS servers then you could experience what you describe.

See: https://www.reddit.com/r/tmobile/commen ... hijacking/

Why do some ask always for the full config while reading the given info, give a clue where to begin looking!
 
holvoetn
Forum Guru
Posts: 1814
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 12:33 pm

Ping works from Mikrotik device so DNS is working, but only partially since it doesn't work from lan.
Hence the (logical) request to see the rest of the config.

Quick test could also be to manually set dns to 8.8.8.8 or 1.1.1.1 or whatever you like.
If that works, then that wrong dns was the problem.
If it doesn't, something else is wrong.
And then the full config needs to be shown.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 12:50 pm

Ping in Winbox is using the DNS of the device you are using to run Winbox.

If you want to test from the router then use :resolve in terminal.
:put [:resolve "www.mikrotik.com"]
 
holvoetn
Forum Guru
Posts: 1814
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 12:58 pm

> Ping in Winbox is using the DNS of the device you are using to run Winbox.
This would be hard to believe... winbox is nothing more than a kind of telnet session.
Whatever you do there, is ON that device.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 1:04 pm

Nope, not for DNS in Winbox. Address-list excluded that resolves inside the router.
 
holvoetn
Forum Guru
Posts: 1814
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 1:07 pm

I still don't believe that's true.
Have had plenty of situations where ping worked from winbox but not from local cmd window.
So that does not make sense if your statement would be true.

What about webfig then ?
Or plain ssh ?

I need more info to be convinced of that statement.
 
holvoetn
Forum Guru
Posts: 1814
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 1:20 pm

Other argument
Winbox can work ONLY having MAC access.
How would DNS be possible then ??
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 1:40 pm

> dynamic-servers: 192.0.0.1,fd00:976a::9,fd00:976a::10

Where are you getting 192.0.0.1 from? That's a special-purpose IANA address, not something you should be using on a private LAN, nor for use by T-Mobile.

I suspect you could solve your problem simply by configuring the DHCP client on the router to "use-peer-dns=yes". That will allow the router's DHCP server to offer 192.168.88.1 as the DNS to local clients as you've got it configured now, acting as a DNS cache for T-Mobile's DNS.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 1:48 pm

> > dynamic-servers: 192.0.0.1,fd00:976a::9,fd00:976a::10
>
> Where are you getting 192.0.0.1 from? That's a special-purpose IANA address, not something you should be using on a private LAN, nor for use by T-Mobile.
>
> I suspect you could solve your problem simply by configuring the DHCP client on the router to "use-peer-dns=yes". That will allow the router's DHCP server to offer 192.168.88.1 as the DNS to local clients as you've got it configured now, acting as a DNS cache for T-Mobile's DNS.

I already answered that earlier. T-mobile can do in their network what they want. Outside their network that is different.
Last edited by msatter on Sun May 08, 2022 1:56 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 1:54 pm

> I still don't believe that's true.
> Have had plenty of situations where ping worked from winbox but not from local cmd window.
> So that does not make sense if your statement would be true.
>
> What about webfig then ?
> Or plain ssh ?
>
> I need more info to be convinced of that statement.

I am writing about Winbox ping in Tools and not of ping in Terminal. In Terminal it uses the DNS server defined in the router.
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 1:57 pm

> > Where are you getting 192.0.0.1 from?
> I already answered that earlier.

Not to my satisfaction.

FC00::/7 is a private IPv6 space, likely used by T-Mobile for CGNAT. I don't see that the same explanation applies to 192.0.0.0/24; the equivalent in IPv4 land is 100.64.0.0/10.

My wild guess is it's a typo for 192.168.0.1, the user's LTE modem IP.

If your point is that T-Mobile's DNS plays games with advertising and such, that still doesn't address my point, since using a broken IPv4 DNS IP doesn't solve that problem, either. The OP said they previously used Google's DNS to get around that, but if T-Mobile is blocking common third-party DNS, the solution is DoH or similar.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 2:11 pm

If you look at the DNS printout you see that they are dynamic-servers. There is no user input possible there.

That is not my point. My point is that t-mobile can control what you can visit (resolved) or not, like the EU/Dutch government is doing in the Netherlands forcing ISP's to filter their DNS.

T-mobile can enforce that you use their DNS. You can then switch your router in War-mode by using DoH or use a VPN to have your freedom back.
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 2:14 pm

> If you look at the DNS printout you see that is dynamic-servers. There is no user input possible there.

The answer to my initial question then is, "T-Mobile is misusing 192.0.0.1". If so, that sucks.

Thanks for clarifying.
 
rextended
Forum Guru
Posts: 9479
Joined: Tue Feb 25, 2014 12:49 pm
Location: 🇮🇹, my 💔 is in 🇺🇦

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 4:03 pm

@holvoetn
> Other argument
> Winbox can work ONLY having MAC access.
> How would DNS be possible then ??

Winbox uses the DNS of the Windows machine (simulated or not) where it is used.
No matter if the device is connected by MAC or by IP.
Try it yourself by setting on Windows a non-routerboard IP and removing the DNS IP from the routerboard.

To force RouterOS to resolve a DNS name using a specific server, just:
:put [:resolve www.mikrotik.com server=1.1.1.1]
 
rextended
Forum Guru
Posts: 9479
Joined: Tue Feb 25, 2014 12:49 pm
Location: 🇮🇹, my 💔 is in 🇺🇦

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 4:09 pm

@holvoetn
> Why the mangle rule for lte ?

This is one hack for tethering when that is not allowed by the provider.
Usually, if the provider notices it, then it will no longer make the connection work, until you change IMEI or MAC...
Some providers directly block MikroTik IMEIs for this...
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 7:09 pm

I updated the main post with the full configuration. Sorry about that, I wasn't aware of export verbose.

> Is that the full config ?
>
> Why the mangle rule for lte ?
> I don't have it on my SXT lte device so I'm curious ?

Mangle is so that tmobile treats it as phone data (unlimited) instead of hotspot/tethering (a measly 40GB/month for their best package, after which it is capped at 600kbps). I have tried with and without the mangle rules, so those aren't causing the problem. Again, this config (minus the recent changes to DNS) worked fine for months and a few times for several hours in the days following my internet loss.

> Ping works from Mikrotik device so DNS is working, but only partially since it doesn't work from lan.
> Hence the (logical) request to see the rest of the config.
>
> Quick test could also be to manually set dns to 8.8.8.8 or 1.1.1.1 or whatever you like.
> If that works, then that wrong dns was the problem.
> If it doesn't, something else is wrong.
> And then the full config needs to be shown.

I started out with 8.8.8.8/8.8.4.4 and it worked fine for months, and I recently tried the current configuration, having no DNS servers, and using the IPv4 servers that were in use by my phone to no avail. I had a couple periods for several hours the days following my internet outage where the internet worked with my old configuration, but nothing since. I could ping ip's, but I couldn't ping urls until after I removed my old dns servers.
Last edited by MobiusToad on Sun May 08, 2022 11:38 pm, edited 2 times in total.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Sun May 08, 2022 10:10 pm

I have no idea if this helps:

> :put [:resolve www.mikrotik.com server=1.1.1.1]
failure: dns server failure
> :put [:resolve www.mikrotik.com server=8.8.8.8]
failure: dns server failure
> :put [:resolve www.mikrotik.com]
159.148.147.196
> :put [:resolve www.mikrotik.com server=208.54.80.113]
failure: dns server failure
> :put [:resolve www.mikrotik.com server=fd00:976a::10]
159.148.147.196

The only tested server that works is the IPv6 dynamic server from tmobile, which I'm assuming the serverless option also used. The 208.54.80.113 server is an IPv4 server that ipleak says my phone is using.
 
rextended
Forum Guru
Posts: 9479
Joined: Tue Feb 25, 2014 12:49 pm
Location: 🇮🇹, my 💔 is in 🇺🇦

Re: Can ping IP's/Websites, but no internet.

Mon May 09, 2022 12:49 am

You already have the solution:
viewtopic.php?t=185775#p931830
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Mon May 09, 2022 1:59 am

You already have the solution:
viewtopic.php?t=185775#p931830

I see a suggestion on what the problem might be, but I don't see an actual fix? I've been trying to use T-Mobile's DNS servers for a few days now, which is why I can ping addresses now vs when I was using 8.8.8.8, but I still have no internet.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Tue May 10, 2022 6:57 am

Bump

I still have no internet, but I mostly took the day off because it's my birthday (unfortunately I didn't get my internet back as a present :( ). I did try to setup DoH on the routerboard yesterday night, and assuming I did it correctly, it didn't solve my issue. I also tried it through firefox a little while ago, and verified that it was working through the cloudflare dns test, and it didn't solve my issue either (I made sure it was working correctly while I was tethered first). I did forget to mention that I do have a VPN, but I haven't been able to connect with it either.
 
Buckeye
Long time Member
Posts: 557
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Can ping IP's/Websites, but no internet.

Tue May 10, 2022 7:57 am

dynamic-servers: 192.0.0.1,fd00:976a::9,fd00:976a::10

Where are you getting 192.0.0.1 from? That's a special-purpose IANA address, not something you should be using on a private LAN, nor for use by T-Mobile.

I suspect you could solve your problem simply by configuring the DHCP client on the router to "use-peer-dns=yes". That will allow the router's DHCP server to offer 192.168.88.1 as the DNS to local clients as you've got it configured now, acting as a DNS cache for T-Mobile's DNS.
Until this discussion, I was unaware of rfc6333 which discusses 192.0.0.0/29 and Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion.

I skimmed the rfc, but I can't say I understand it. But it is possible that T-Mobile is following the standard.
Last edited by Buckeye on Wed May 11, 2022 12:28 am, edited 1 time in total.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Tue May 10, 2022 10:31 pm

Tried a few different IPv6 DNS's today with no luck. I was able to ping with them, but still no internet. Tried searching for solutions for a few hours and found nothing. I'm coming down with the flu that my family has had the last week, so I doubt I'll be messing around with it unless somebody gives me something new to try.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Tue May 10, 2022 10:45 pm

Hi, me again. Seen this being done so many times and you can't do anything about it other than taking a different ISP.

Normal DNS goes over port 53 TCP/UDP. T-mobile has complete control over those ports and any other DNS resolvers you try to contact are dropped or redirected.

As written earlier, you can switch over to DoH by putting your router in 'War' mode. T-mobile could see that you have your knife out, cutting your way out of their control.

Yes, they can block that too by filtering on IP address, but then it is certainly time to seek another ISP or emigrate to a more free country. ;-)
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 12:41 am

Hi, me again. Seen this being done so many times and you can't do anything about it other than taking a different ISP.

Normal DNS goes over port 53 TCP/UDP. T-mobile has complete control over those ports and any other DNS resolvers you try to contact are dropped or redirected.

As written earlier, you can switch over to DoH by putting your router in 'War' mode. T-mobile could see that you have your knife out, cutting your way out of their control.

Yes, they can block that too by filtering on IP address, but then it is certainly time to seek another ISP or emigrate to a more free country. ;-)

What is war mode? I'm having a hard time finding any reference to this in my search results. I have an ASUS router, BTW.

No winking required. I'd gladly emigrate if it were easier/cheaper to do so and the Netherlands would definitely be in my top five.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 1:53 am

The Netherlands is a less free country than the USA so you are down to four. Luckily, Musk is in your country yanking on the steering wheel to get back to the middle of the road now. When you are back in the middle the other countries will line up also.

I am really AGAINST DoH in general and DoT instead would please me. DoH should only be used in countries where the people are oppressed and can't have free gathering of information in another way.

DoH circumvents the control, but the information gathering firms (Big Tech) jumped the queue and love to offer their DoH services. So I am twice against DoH. Sad sad world.

I use the authoritative DNS servers to resolve, but that way is sadly also closed for you by T-Mobile. The provider I use over here is named Freedom because there your choice is answered, even though they have to obey the decrees from the EU.
Sky UK did/does give back some IP addresses from authoritative DNS servers to frustrate resolving. That is also evil.

DoH was added to RouterOS a while ago; not seeing DoT there as well looks skewed to me.

Then, it is perfectly fine to use DoH when your ISP restricts your freedom of choice for the DNS provider.

ps. 4.4.4.4/8.8.8.8 is Google (Alphabet) and they are EVIL. They removed the text 'don't be evil' from their corporate code of conduct in 2015.

War mode: https://help.mikrotik.com/docs/display/ ... HTTPS(DoH)

Please enter cloudflare-dns.com with address 1.1.1.1 in the static DNS of your MikroTik router, in case T-Mobile also blocks that in their DNS. The domain name is important for checking the certificate used for DoH.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 3:52 am

The Netherlands is a less free country than the USA so you are down to four. Luckily, Musk is in your country yanking on the steering wheel to get back to the middle of the road now. When you are back in the middle the other countries will line up also.

I am really AGAINST DoH in general and DoT instead would please me. DoH should only be used in countries where the people are oppressed and can't have free gathering of information in another way.

DoH circumvents the control, but the information gathering firms (Big Tech) jumped the queue and love to offer their DoH services. So I am twice against DoH. Sad sad world.

I use the authoritative DNS servers to resolve, but that way is sadly also closed for you by T-Mobile. The provider I use over here is named Freedom because there your choice is answered, even though they have to obey the decrees from the EU.
Sky UK did/does give back some IP addresses from authoritative DNS servers to frustrate resolving. That is also evil.

DoH was added to RouterOS a while ago; not seeing DoT there as well looks skewed to me.

Then, it is perfectly fine to use DoH when your ISP restricts your freedom of choice for the DNS provider.

ps. 4.4.4.4/8.8.8.8 is Google (Alphabet) and they are EVIL. They removed the text 'don't be evil' from their corporate code of conduct in 2015.

War mode: https://help.mikrotik.com/docs/display/ ... HTTPS(DoH)

Please enter cloudflare-dns.com with address 1.1.1.1 in the static DNS of your MikroTik router, in case T-Mobile also blocks that in their DNS. The domain name is important for checking the certificate used for DoH.

I guess we have completely different ideas of what freedom is, what direction the US is actually headed in, where the so-called center currently is, and where it's actually been/is drifting. I disagree about Musk, but I'm no fan of google at all.

> ping google.com
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: could not get answer from dns server

Log: DoH server connection error: Idle timeout - connecting


Unless I'm doing something wrong (I left the passphrase empty, and tried with and without verify on), DoH isn't working.
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 6:27 am

rfc6333 which discusses 192.0.0.0/29 and Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion.

I skimmed the rfc, but I can't say I understand it.

I've now skimmed the RFC, too, and if I do understand it, it explains the OP's problems perfectly. The money quote is §6.4, which I paraphrase as "…a DS-Lite node…will perform DNS resolution over IPv6, [not over the 192.0.0.1 address]." The key fact from this is that 192.0.0.1 isn't a DNS server address at all!

As far as I can tell, RouterOS doesn't implement RFC 6333, nor the related RFC 6334, a companion for DHCPv6 that tells the CPE (the OP's RBM11G in this case) that it needs to shift into RFC 6333 behavior on this network.

Until MikroTik gets around to implementing these DS-Lite protocols, the only option I see for getting your clients working on that network is to disable IPv4 on each client. DS-Lite isn't traditional dual-stack; it requires the CPE to do the B4/AFTR stuff the RFC talks about to get IPv4 over IPv6 in such a network. Since RouterOS currently can't do that, any attempt to use IPv4 on that network will fail.

The implications for doing so may not be terrible, if your Internet usage is typical. One of the upsides of all this cloud-everything consolidation is that the vast bulk of Internet sites and services are available over IPv6 these days. (That's by popularity, not by IP address. There's a long tail effect here.) This includes sites you think of as independent because they're hosted on one of the big clouds. Even tiny one-person part-time blogs are likely to be on WordPress, SquareSpace, etc.

Within those restrictions, I believe you can solve this problem with:

/ip dhcp-client
add interface=lte1 use-peer-dns=no
/ip dns
set servers=fd00:976a::9,fd00:976a::10

That is, we're deliberately dropping the 192.0.0.1 address from that list to force RouterOS to use the IPv6 DNS addresses. Those should give IPv6 AAAA records back, which then makes your client access each site over IPv6.

You might be able to use IPv6-only DNS schemes like CloudFlare's instead, but that's pure speculation. I recommend getting things working with T-Mobile's DNS before getting tricky.

The reason I say you need to make your clients ignore IPv4 is that so much of what you do online these days is via a web browser, and all of the major browser vendors skip traditional DNS entirely by default these days. (Details: Chrome; Safari; Firefox.) If your browser thinks it can do IPv4, it won't force these services to return IPv6 addresses, so the connection will fail because the CPE can't do that cute B4/AFTR dance on the browser's behalf.

So, one more big wish for the RouterOS v7 list! Let's hope they get around to implementing it before IPv4 goes away entirely, currently scheduled for 2088.
Last edited by tangent on Wed May 11, 2022 7:06 am, edited 3 times in total.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 6:58 am

rfc6333 which discusses 192.0.0.0/29 and Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion.

I skimmed the rfc, but I can't say I understand it.

I've now skimmed the RFC, too, and if I do understand it, it explains the OP's problems perfectly. The money quote is §6.4, which I paraphrase as "…a DS-Lite node…will perform DNS resolution over IPv6, [not over the 192.0.0.1 address]." The key fact from this is that 192.0.0.1 isn't a DNS server address at all!

As far as I can tell, RouterOS doesn't implement RFC 6333, nor the related RFC 6334, a companion for DHCPv6 that tells the CPE (the OP's RBM11G in this case) that it needs to shift into RFC 6333 behavior on this network.

Until MikroTik get around to implementing these protocols, the only option forward I see on that network is to disable IPv4 on your clients, since you need the CPE to do the B4/AFTR stuff the RFC talks about to get IPv4 over IPv6 in such a network. It isn't traditional dual-stack, so RouterOS can't get IPv4 to work any other way.

The implications for doing so may not be terrible, if your Internet usage is typical. One of the upsides of all this cloud-everything consolidation is that the vast bulk of Internet sites and services are available over IPv6 these days. This includes sites you think of as independent because they're hosted on one of the big clouds. Even tiny one-person part-time blogs are likely to be on WordPress, SquareSpace, etc.

Within those restrictions, I believe you can solve this problem with:

/ip dhcp-client
add interface=lte1 use-peer-dns=no
/ip dns
set servers=fd00:976a::9,fd00:976a::10

That is, we're deliberately dropping the 192.0.0.1 address from that list to force RouterOS to use the IPv6 DNS addresses. Those should give IPv6 AAAA records back, which then makes your client access each site over IPv6.

You might be able to use IPv6-only DNS schemes like CloudFlare's instead, but that's pure speculation. I recommend getting things working with T-Mobile's DNS before getting tricky.

The reason I say you need to make your clients ignore IPv4 is that so much of what you do online these days is via a web browser, and all of the major browser vendors skip traditional DNS entirely by default these days. (Details: Chrome; Safari; Firefox.) If your browser thinks it can do IPv4, it won't force these services to return IPv6 addresses, so the connection will fail because the CPE can't do that cute B4/AFTR dance on the browser's behalf.

So, one more big wish for the RouterOS list!

/ip/dhcp-client> add interface=lte1 use-peer-dns=no
input does not match any value of interface

I don't seem to be able to pick lte1 as an interface, only ether1.

BTW, I really appreciate the solid attempt and time you and anyone else is putting into this.
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 7:02 am

I don't know how LTE on RouterOS works. Maybe it has implicit DHCP?

Try the DNS server override. If it works, it should keep working until you restart the router or the DHCP lease expires.

By the way, you really don't have to quote the entire message. It's up above for everyone to see. Quoting is so you can refer to an element of a longer post, or to make it clear who you're replying to. A sentence or two usually suffices.
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 7:25 am

A useful test for whether any of this is working is to visit these two URLs in succession:

http://[2620:12e:1000::a00:f]
http://v6.testmyipv6.com/

The first one may change after I post this: it's the current raw IPv6 address for that site.

If the first works but the second doesn't, I'm right that you have IPv6 support, but your DNSv6 isn't working right.

If both work but something else doesn't, we can debug it from there.
 
Jotne
Forum Guru
Posts: 3150
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 8:05 am

I am really AGAINST DoH in general and DoT instead would please me. DoH should only be used in countries where the people are oppressed and can't have free gathering of information in another way.
After https was introduced, DNS was the easiest way for an ISP to log what you do. I am living in a free country and have no restriction on the internet, but I still like to choose who should see my DNS requests. That I can do with DoH. Why is DoT better than DoH? Isn't the goal the same, just a different approach?
Last edited by Jotne on Wed May 11, 2022 9:23 am, edited 1 time in total.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 8:21 am

I added those two servers and tried the two links. I got nothing from either of them.

Command Prompt Ping Results:
>ping v6.testmyipv6.com
Ping request could not find host v6.testmyipv6.com. Please check the name and try again.

>ping 2620:12e:1000::a00:f

Pinging 2620:12e:1000::a00:f with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2620:12e:1000::a00:f:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Can't ping the tmobile IPv6 address either.

Mikrotik Terminal Ping Results:
> ping v6.testmyipv6.com
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    failure: dns name exists, but no appropriate record
> ping 2620:12e:1000::a00:f
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                      
    0 2620:12e:1000::a00:f                       56  53 156ms2us   echo reply         

Can't ping the tmobile IPv6 address either, results in a timeout.

I can turn off "use peer dns" in the LTE APN settings, which causes the three dynamic servers to vanish, but the results are the same.
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 10:16 am

> ping 2620:12e:1000::a00:f
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                      
    0 2620:12e:1000::a00:f                       56  53 156ms2us   echo reply         

That looks like partial success to me.

I went poking into the LTE interface settings in WinBox, and even though I don't have an LTE modem, it let me see that you might have two settings still wrong, if your updated config in the top post is still valid:

1. IP type should be IPv6 until you get IPv4 tunneling working, not "auto".
2. IPv6 Interface should be set. I hesitate to guess "lte1" again, but there is likely only going to be one choice on the drop-down in WinBox.

I can turn off "use peer dns" in the LTE APN settings

Yes, that looks good. Use manual IPv6 DNS servers of some kind (not necessarily T-Mobile's) until you get IPv4 tunneling working.

Since posting the above, I've learned that T-Mobile started doing IPv6-only in 2013 via RFC 6877, which is a different scheme entirely. Maybe what happened to you earlier this year is that your local segment of T-Mobile switched to DS-Lite?
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 12:14 pm

I am really AGAINST DoH in general and DoT instead would please me. DoH should only be used in countries where the people are oppressed and can't have free gathering of information in another way.
After https was introduced, DNS was the easiest way for an ISP to log what you do. I am living in a free country and have no restriction on the internet, but I still like to choose who should see my DNS requests. That I can do with DoH. Why is DoT better than DoH? Isn't the goal the same, just a different approach?
DoH and DoT are not the same. DoT is an encrypted version of DNS resolve requests. In the Netherlands, the Dutch government enforces an EU decree that all ISPs filter certain results.

DoH is there to circumvent control in the upstream for DNS cached resolve.

Your ISP can log your resolve requests, so choose your ISP carefully. DoT encrypts traffic so that third parties can't see your traffic. You can choose another DNS provider than that of your ISP, if the ISP allows that. If not, use DoH, which is built to go to WAR.

And here we go bring in the EU: https://nitter.net/moritzkoerner/statu ... 0721438721 the document is in English
Last edited by msatter on Wed May 11, 2022 2:14 pm, edited 2 times in total.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 1:51 pm

On DS-Lite (rfc6333 and rfc6334) there is a topic, and the needed information can be read out from V7.

viewtopic.php?p=762286

https://help.mikrotik.com/docs/display/ROS/DHCP
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 2:21 pm

the needed information can be read out

Reading between the lines in that thread and RFC 6334, it looks like the DHCP option sets a variable called “tunnel-endpoint-name” which you can then plug into scripts like @tdw’s in this thread.

I believe the variable’s value goes where he’s got the m-online.net tunnel endpoint now.

Putting all this supposition together and testing it would be within my scope if I had a copy of the OP’s hardware and a T-mobile network subscription to run it against, but I don’t.

Until then, I still believe you can use their network in IPv6-only mode without this IPIP refinement.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 7:14 pm

Ok, "use peer dns" is off, IP is set to IPv6, and interface is set to lte1 (I can choose between ether1, lte1, and none). I tried the two addresses again with no success.

Command Prompt Results:
>ping mikrotik.com

Pinging mikrotik.com [159.148.147.196] with 32 bytes of data:
Reply from 192.168.88.1: Destination net unreachable. // I was sometimes getting 1-2 of this result per ping command
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 159.148.147.196:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

>ping 2620:12e:1000::a00:f

Pinging 2620:12e:1000::a00:f with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2620:12e:1000::a00:f:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\MobiusToad>ping v6.testmyipv6.com
Ping request could not find host v6.testmyipv6.com. Please check the name and try again.

>ping 2606:4700:4700::1111 // Cloudflare DNS

Pinging 2606:4700:4700::1111 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2606:4700:4700::1111:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

>ping fd00:976a::9 // Tmobile DNS

Pinging fd00:976a::9 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for fd00:976a::9:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Mikrotik Terminal Results:
> ping mikrotik.com count=5
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                      
    0                                                              no route to host                                                            
    1                                                              no route to host                                                            
    2                                                              no route to host                                                            
    3                                                              no route to host                                                            
    4                                                              no route to host                                                            
    sent=5 received=0 packet-loss=100% 

> ping 2620:12e:1000::a00:f count=5
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                      
    0 2620:12e:1000::a00:f                       56  53 508ms469us echo reply                                                                  
    1 2620:12e:1000::a00:f                       56  53 82ms413us  echo reply                                                                  
    2 2620:12e:1000::a00:f                       56  53 131ms957us echo reply                                                                  
    3 2620:12e:1000::a00:f                       56  53 90ms506us  echo reply                                                                  
    4 2620:12e:1000::a00:f                       56  53 96ms531us  echo reply                                                                  
    sent=5 received=5 packet-loss=0% min-rtt=82ms413us avg-rtt=181ms975us max-rtt=508ms469us 

> ping v6.testmyipv6.com count=5
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    failure: dns name exists, but no appropriate record
> ping 2606:4700:4700::1111 count=5 // Cloudflare DNS
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                      
    0 2606:4700:4700::1111                       56  56 35ms43us   echo reply                                                                  
    1 2606:4700:4700::1111                       56  56 52ms181us  echo reply                                                                  
    2 2606:4700:4700::1111                       56  56 51ms136us  echo reply                                                                  
    3 2606:4700:4700::1111                       56  56 43ms547us  echo reply                                                                  
    4 2606:4700:4700::1111                       56  56 45ms778us  echo reply                                                                  
    sent=5 received=5 packet-loss=0% min-rtt=35ms43us avg-rtt=45ms537us max-rtt=52ms181us 

> ping fd00:976a::9 count=5 // Tmobile DNS
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                      
    0 fd00:976a::9                                                 timeout                                                                     
    1 fd00:976a::9                                                 timeout                                                                     
    2 fd00:976a::9                                                 timeout                                                                     
    3 fd00:976a::9                                                 timeout                                                                     
    4 fd00:976a::9                                                 timeout                                                                     
    sent=5 received=0 packet-loss=100% 
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 8:07 pm

So Mikrotik.com has IPv6 and IPv4. When you ping the IPv4 address, you do not get an answer. This is because, as has become clear by now, you have DS-Lite and MikroTik does not support that. This only allows IPv6 traffic and you are not able to use IPv4 at all. Was I wrong that T-Mobile blocks any external DNS servers? Try this:
nslookup mikrotik.com 2001:4860:4860::8888
This will show whether Google DNS is reachable or not, or whether T-Mobile intercepts and answers for Google:
Server: yyyyyyyyyy
Address: xxxxxxxxxxxxx

Non-authoritative answer:
Name: mikrotik.com
Addresses: 2a02:610:7501:1000::2
159.148.147.196


If xxxxxxxxxxxx is 2001:4860:4860::8888 then Google was allowed by t-mobile to answer
if xxxxxxxxxxxx is fd00:976a::9 or fd00:976a::10 then t-mobile answered instead.
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 8:53 pm

>ping mikrotik.com
Pinging mikrotik.com [159.148.147.196] with 32 bytes of data:

Just because you ask a DNS server for an address over IPv6 doesn't mean you'll get an IPv6 address back. Here, it gave you an IPv4 address, which we know won't work under DS-Lite until you get the IPIP tunnel working per the tdw postings in the other thread I linked, combined with the DHCPv6 RFC 6334 results.

I don't see a way to force the matter in RouterOS short of disabling IPv4 entirely, and I don't even know how to do that for certain.

The CLI tools for the various desktop operating systems are generally more powerful, and therefore can force an IPv6 address lookup, even when IPv4 is enabled. Example:

C:\> nslookup
> set type=aaaa
> server 2606:4700:4700::64
Default server: 2606:4700:4700::64
Address: 2606:4700:4700::64#53
> mikrotik.com
Server:		2606:4700:4700::64
Address:	2606:4700:4700::64#53

Non-authoritative answer:
mikrotik.com	has AAAA address 2a02:610:7501:1000::2

The nslookup tool is installed by default on Windows. The key is the "set type=aaaa" command, forcing an IPv6 address record (AAAA) lookup. The default is "a", being IPv4 address (A) record lookup.

This pattern repeats in other areas, such as in the "-6" flag to the Windows implementation of ping, to force an ICMPv6 ping packet instead of the default IPv4.

>ping 2620:12e:1000::a00:f

Pinging 2620:12e:1000::a00:f with 32 bytes of data:
PING: transmit failed. General failure.

I'm not sure what's up with that. I can ping it from here, but I'm doing it with "ping6", the standard Linux/BSD/macOS tool for this, roughly equivalent to Windows' "ping -6". You need a tool that can be forced to speak IPv6 as long as IPv4 is known-broken in your setup.

ping fd00:976a::9 // Tmobile DNS

This one I can't help you with because fc00::/7 is the IPv6 equivalent of RFC 1918 private LAN addressing. (That scope includes fd00::/8.) If that address is a valid DNS server, it's only available on your local T-Mobile subnet.

It's possible that it is a real DNS server, but it isn't pingable. It's not a nice thing to do, but in this wide crazy world, there are network operators that do a lot of not-nice things.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 9:30 pm

nslookup results for msatter:
>nslookup mikrotik.com 2001:4860:4860::8888
Server:  UnKnown
Address:  2001:4860:4860::8888

*** UnKnown can't find mikrotik.com: No response from server

Ping -6 and nslookup results for tangent:
>ping -6 mikrotik.com
Ping request could not find host mikrotik.com. Please check the name and try again.

>ping -6 2620:12e:1000::a00:f

Pinging 2620:12e:1000::a00:f with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2620:12e:1000::a00:f:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

ping -6 v6.testmyipv6.com
Ping request could not find host v6.testmyipv6.com. Please check the name and try again.

>ping -6 2606:4700:4700::1111

Pinging 2606:4700:4700::1111 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2606:4700:4700::1111:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

>ping -6 fd00:976a::9

Pinging fd00:976a::9 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for fd00:976a::9:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
	
>nslookup
Default Server:  UnKnown
Address:  192.168.88.1

> set type=aaaa
> server 2606:4700:4700::64
Default Server:  dns64.cloudflare-dns.com
Address:  2606:4700:4700::64

> mikrotik.com
Server:  dns64.cloudflare-dns.com
Address:  2606:4700:4700::64

*** dns64.cloudflare-dns.com can't find mikrotik.com: No response from server

BTW, I'm trying to keep up, but I'm somewhat incapacitated due to the flu (covid test was negative).
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 11:18 pm

So no answer. Then try directly from RouterOS and the command in terminal is:

:put [:resolve mikrotik.com server=2001:4860:4860::8888]

and then

:put [:resolve mikrotik.com server=fd00:976a::9]

I wish you and your family the best of health and that flu will be over soon.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 11:29 pm

Here you go:
> :put [:resolve mikrotik.com server=2001:4860:4860::8888] 
159.148.147.196
> :put [:resolve mikrotik.com server=fd00:976a::9] 
159.148.147.196

And thanks for the well wishes.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Wed May 11, 2022 11:52 pm

Thanks, it is not what I expected so the next one should certainly not work:
:put [:resolve mikrotik.com server=8.8.8.8]
If it works then the DNS resolver of the router answers the resolve request.

Also clear DNS cache: IP DNS Cache and then click flush.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Thu May 12, 2022 12:52 am

Cleared DNS cache, and correct, it doesn't work.
> :put [:resolve mikrotik.com server=8.8.8.8]
failure: dns server failure
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Thu May 12, 2022 10:42 am

Can you do the same flushing with this again:

:put [:resolve mikrotik.com server=2001:4860:4860::8888]

If so, then you can use another DNS resolver than the one of t-mobile.

Then you still lack the conversion of IPv4 traffic to DS-lite so over the LTE you only can use IPv6.

I don't know much about DS-lite.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Thu May 12, 2022 5:25 pm

> :put [:resolve mikrotik.com server=2001:4860:4860::8888]
159.148.147.196
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Thu May 12, 2022 5:38 pm

> :put [:resolve mikrotik.com server=2001:4860:4860::8888]
159.148.147.196

I don't see the point of proceeding with RouterOS commands that can't force IPv6 AAAA lookups and such. You're just confusing yourselves with all this IPv4 admixture.

As for the "Ping -6 and nslookup results for tangent" above, that's total failure, but I wonder if you have an IPv6 network set up on the Windows box, and if the RouterOS box is a member of it. What are the IPs? What's the Windows box's IPv6 gateway? etc.

MobiusToad, realize that you have the itch, the hardware, and the network. I don't think any of your respondents in this thread have any one element matching that, much less all three elements together. At some point, I think you're going to have to carry this ball over the line.

Even if — wild thought — you bought one or even some of us the gear you're using and subscribed us to T-Mobile, the very fact that we're in different parts of the world might be enough to prevent us from properly advising you beyond a certain point. National-scale networks are complex; a solution that works in one region may well fail in another.

There's no substitute for knowing what you're doing.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Fri May 13, 2022 10:38 am

The only thing I was interested in was whether there was the choice to use a third-party DNS.

The DNS of the router does not prefer IPv4 or IPv6, but you could create a DNS resolver that only returns IPv6.

Or, even better, DNS64 addresses if they are IPv4-resolved ones.

https://github.com/NLnetLabs/unbound/bl ... ADME.DNS64

DNS64 Module Options

The dns64 module must be configured in the module-config: “dns64 validator iterator” directive and be compiled into the daemon to be enabled. These settings go in the server: section.

dns64-prefix: <IPv6 prefix>

This sets the DNS64 prefix to use to synthesize AAAA records with. It must be /96 or shorter. The default prefix is 64:ff9b::/96.

dns64-synthall: <yes or no>

Debug option, default no. If enabled, synthesize all AAAA records despite the presence of actual AAAA records.

dns64-ignore-aaaa: <name>

List domain for which the AAAA records are ignored and the A record is used by dns64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given.

Testing:
:put [:resolve mikrotik.com server=2001:4860:4860::6464]
:put [:resolve mikrotik.com server=2001:4860:4860::64]
https://developers.google.com/speed/pub ... docs/dns64

If Moses can not go to the mountain, then the mountain has to go to Moses.
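
To make the dns64-prefix option quoted above concrete, here is an added example (not from the thread, Unbound or MikroTik) of how a DNS64 resolver builds an AAAA answer from an A record, and how to tell that kind of answer apart from the other addresses seen in this thread. It goes beyond the default /96 case and follows the RFC 6052 layout for all six defined prefix lengths; the function names are assumptions of this example.

```python
import ipaddress

# Default DNS64 prefix named in the Unbound text quoted above.
WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")
ULA = ipaddress.IPv6Network("fc00::/7")        # unique local range, includes fd00::/8
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)     # the only lengths RFC 6052 defines


def _check_prefix(prefix):
    """Validate a translation prefix and return it as an IPv6Network."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    if net.network_address.packed[8] != 0:
        raise ValueError("bits 64-71 of the prefix must be zero")
    return net


def synthesize(ipv4, prefix=WELL_KNOWN):
    """Embed an IPv4 address in the prefix, as DNS64 does for A-only names."""
    net = _check_prefix(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for byte in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # octet 8 (bits 64-71) is reserved and stays zero
            pos += 1
        out[pos] = byte
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract(ipv6, prefix=WELL_KNOWN):
    """Recover the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    net = _check_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    raw, pos, v4 = addr.packed, net.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if pos == 8:          # skip the reserved octet, mirroring synthesize()
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))


def classify(answer, prefix=WELL_KNOWN):
    """Label one address returned by a resolver."""
    addr = ipaddress.ip_address(answer)
    if addr.version == 4:
        return "A record (IPv4)"
    embedded = extract(addr, prefix)
    if embedded is not None:
        return f"DNS64-synthesized AAAA for {embedded}"
    if addr in ULA:
        return "AAAA in fc00::/7 (unique local, not globally routable)"
    return "native AAAA"


if __name__ == "__main__":
    # Addresses taken from the command output posted in this thread, plus the
    # address a DNS64 resolver would synthesize for the A record seen there.
    for answer in ("159.148.147.196", "2a02:610:7501:1000::2", "fd00:976a::9",
                   str(synthesize("159.148.147.196"))):
        print(f"{answer:28} {classify(answer)}")
```
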
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Fri May 13, 2022 11:32 am

DUH....is DS-lite just a DNS server returning adapted IPv4 addresses in a special IPv6 format. The NAT is on the side of the ISP and that takes care of the converting and connecting to the IPv4 only device and return traffic on the IPv6 address of the client.

If it is only the DNS rewriting the addresses then it should not be too difficult for Mikrotik to implement that. The drawback is that the IPv4 firewall becomes useless and confuses the user because they think I am using an IPv4 address. Then it gets complicated when the IPv4 is handled as IPv6 address but still gets handled by the IPv4 firewall...a kind of split horizon....too many different options.

DS-lite looks simple but when is an IPv4 address an IPv4 address and when is it a special IPv6 address. If you put a check on the WAN and only the WAN that it is a DS-lite connection then check it for any plain IPv4 addresses and convert those to a special IPv6 address. Routing, VPN etc. can still work as before and only if the traffic reaches the WAN the IPv4 addresses, source and destination are exchanged for IPv6 ones. When traffic returns the opposite is done. Then it should be transparent for RouterOS.

Then you indeed can't ping any plain written IPv4 addresses because the IPv4 stack is missing its own lane to the ISP. You can ping domain names because those are rewritten by the DNS server of the ISP here to a special IPv6 format.

How about DNSSEC then? The DNS provider can check and set the DS flag but a check on the client side should fail if the target does not also have an IPv6 address.

https://blog.apnic.net/2016/06/09/lets- ... 64-dnssec/
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Fri May 13, 2022 8:36 pm

As for the "Ping -6 and nslookup results for tangent" above, that's total failure, but I wonder if you have an IPv6 network set up on the Windows box, and if the RouterOS box is a member of it. What are the IPs? What's the Windows box's IPv6 gateway? etc.

Stock W10pro network settings, just reinstalled a little over a week ago when my nvme drive decided to die on me. IPv6 seems to be activated for each adapter and each lists both IPv4 and IPv6 addresses. Though I knew of it and the reason it exists, I haven't dealt with IPv6 until now, and I am doing research, but I'm not quite sure how to tell if the routerboard "is a member of it".

Even if — wild thought — you bought one or even some of us the gear you're using and subscribed us to T-Mobile, the very fact that we're in different parts of the world might be enough to prevent us from properly advising you beyond a certain point. National-scale networks are complex; a solution that works in one region may well fail in another.

I wish I could afford that, but the setup wasn't cheap and things are tight right now due to "inflation" (some for legitimate reasons, most of it not so much) and a bad string of medical-related downtimes and expenses (sure wish we had universal healthcare), and now the flu getting us and a car having problems. The most I could possibly offer right now is maybe a small bounty for a working configuration.

MobiusToad, realize that you have the itch, the hardware, and the network. I don't think any of your respondents in this thread have any one element matching that, much less all three elements together. At some point, I think you're going to have to carry this ball over the line.

There's no substitute for knowing what you're doing.

I've always built my own PC's, I'm a self taught programmer, and I've even done some php/java/sql web development in the past, so I normally have the same viewpoint. I had planned on simply getting more knowledgeable as I slowly expanded the network to include a Mikrotik PoE router, switch, and some access points. If I had plenty of time on my hands I could probably reach that point, but I'm pretty busy and have the family getting very impatient with the internet situation, including myself, and outside of pure luck don't see myself getting it working in a reasonable time frame without help, especially if people far more experienced in Mikrotik and networking here don't have the solution.
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Fri May 13, 2022 9:19 pm

I'm not quite sure how to tell if the routerboard "is a member of it".

Same way you do with IPv4: look at the addresses on both sides and look at the subnet masks. If both hosts aren't part of the same IPv6 subnet and the RouterOS box isn't set as the Windows box's IPv6 gateway, then it's no wonder you can't ping through the router.

The most I could possibly offer right now is maybe a small bounty…

It was a hypothetical put out to show that even if you did everything within reason to help us, a solution we made here for our local piece of the world-wide T-Mobile network might not apply to the network you have there.

I'm pretty busy and have the family getting very impatient with the internet situation

Then I recommend one of two paths:

1. Change ISPs. It's rare for an ISP to pose the difficulties you're seeing. The only reason to put up with it is if they're offering you something compelling, and you have the skills to use their oddball setup. I'm pretty sure you lack those skills, and you complain of lack of time to acquire them.

2. Buy an off-the-shelf commodity solution known to work with your local network. Surely T-Mobile would be happy to sell you such a thing. Why are you trying to avoid buying and using their first-party offering? I assume there is a good answer to that question, so let me add a follow-on question: Did you expect a third-party lash-up to work without effort and expertise?
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Fri May 13, 2022 9:21 pm

reply to msatter:
> :put [:resolve mikrotik.com server=2001:4860:4860::6464]
159.148.147.196                                                                                          
> :put [:resolve mikrotik.com server=2001:4860:4860::64]
159.148.147.196
Thanks for the info. I'll definitely look further into that once my head stops feeling like it's going to explode. Even if I end up copy/pasting something from the forum that gets everything working, I'd still like to fully understand said solution.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Fri May 13, 2022 11:17 pm

Same way you do with IPv4: look at the addresses on both sides and look at the subnet masks. If both hosts aren't part of the same IPv6 subnet and the RouterOS box isn't set as the Windows box's IPv6 gateway, then it's no wonder you can't ping through the router.


Sorry, my brain isn't working today. My adapter says no network access under IPv6 Connectivity and no IPv6 default gateway in details. I assume the reason Windows hasn't filled those in itself is because the routerboard isn't supplying those details to Windows. I'll try and look through all the IPv6 documentation when my head stops feeling like it's going to explode.

1. Change ISPs. It's rare for an ISP to pose the difficulties you're seeing. The only reason to put up with it is if they're offering you something compelling, and you have the skills to use their oddball setup. I'm pretty sure you lack those skills, and you complain of lack of time to acquire them.

That oddball setup didn't exist when I got it. I switched to tmobile from tracfone because I needed to move to a full data family plan and tmobile seemed like it was the best option. My only other option is possibly AT&T and/or getting on the starlink waiting list and probably not getting it until 2023.

2. Buy an off-the-shelf commodity solution known to work with your local network. Surely T-Mobile would be happy to sell you such a thing. Why are you trying to avoid buying and using their first-party offering? I assume there is a good answer to that question, so let me add a follow-on question: Did you expect a third-party lash-up to work without effort and expertise?

The answer to that question is that tmobile (or any other service) wasn't offering home internet to this address or any proxy address I could use at the time of us moving, plus most people disliked the modem they were using, and so I needed to go the modem+phone sim card route in order to get the internet. I wanted a PoE modem located outdoors next to an outdoor antenna for the best possible connection I could muster. I couldn't find an off the shelf option available, all were outdated (no 5G capability or lacking bands) or were indoor wireless router combos (if I can't get this setup working, I might have to purchase one and configure/mod it for my purposes if one of those is a working option). And in my defense, I was able to get the modem up and running properly before moving and it did work well for a few months.
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Fri May 13, 2022 11:28 pm

My adapter says no network access under IPv6 Connectivity and no IPv6 default gateway in details. I assume the reason Windows hasn't filled those in itself is because the routerboard isn't supplying those details to Windows. I'll try and look through all the IPv6 documentation when my head stops feeling like it's going to explode.

You have no v6 configuration on the LAN side at all. You need a static IP for the router and a DHCPv6 server at minimum.
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.

Sun May 15, 2022 2:51 am

Still feeling like crap from the flu, but I did make a bit of progress today. I messed around a bit with the DHCP servers, made no progress, and decided to reset my RBM11G configuration and start from scratch. I did my basic configuration, minus DHCP servers and IP Pools. I did the usual srcnat masquerade rules under IPv4 NAT, and IPv6 NAT (don't know if this is needed), the TTL mangle rules (doesn't seem to exist under IPv6...), added cloudflare IPv6 DNS addresses, and then went to mess with the APN settings. Under APN, I set it to IPv6 and then changed the IPv6 interface to ether1 (vs lte1)... and under windows the adapter did pick up the RBM11G as the default IPv6 gateway and I now have IPv6-only internet at the moment. Definitely not the correct configuration yet, but at the very least it gives me some much needed hope and verifies the speculation of what my issue is.

Unrelated WTF, for a few minutes I lost said internet because it decided to pick up a tower 2000 miles away in the British Virgin Islands :? . Saw the red "no roaming allowed" text on my LTE interface and did a cellmapper search for the tower I was connected to. How on earth is that possible?
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can ping IP's/Websites, but no internet.

Sun May 15, 2022 3:07 am

I now have IPv6-only internet at the moment

Hallelujah!

Now you just need to wrap your head around the IPIP and DHCPv6 stuff from the other threads to get IPv4 working.

And when you’re done, you can sell preconfigured T-Mobile routers to your social circle.

IPv6 NAT (don't know if this is needed)

It shouldn't be. Your router's DHCPv6 client should be set for "request=address,prefix". The prefix request should yield a big fat /64 or similar, giving you enough IPs for an Internet’s worth of Internets in your house.

Should be enough. 😉
 
MobiusToad
newbie
Topic Author
Posts: 28
Joined: Tue Dec 07, 2021 9:09 pm
Location: Missouri, USA

Re: Can ping IP's/Websites, but no internet.  [SOLVED]

Mon May 16, 2022 6:07 am

Soooo... I got IPv4 working. Just an idea that suddenly popped into my head. Apparently it was as simple as changing IP type to IPv4 in APN settings. My original configuration was set to auto, and I guess my internet had stopped working because auto had simply started choosing IPv6 instead of IPv4.

I'm terribly sorry to all those that helped me that it was such a face-palmingly simple fix. At the very least I learned quite a bit through this process...

I still plan on getting IPv6 working at some point to get rid of the whole double NAT on game consoles issue, but only after the TTL firewall mangle rules are implemented for IPv6.
 
msatter
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Can ping IP's/Websites, but no internet.

Mon May 23, 2022 8:40 pm

DoH and DoT are not the same. DoT is an encrypted version of DNS resolve requests. In the Netherlands, the Dutch government enforces an EU decree that all ISPs filter certain results.

The Dutch coalition FOIC is making news with requesting a ruling by the European court

FOIC, a coalition of internet service providers and internet and press freedom organisations, requests a ruling on the blockade of RT and Sputnik

A coalition of internet service providers, as well as internet and press freedom organisations, will petition the European court to rule on the legality of the EU-wide blockade of Russian state channels RT and Sputnik (and others). On May 24, FOIC will file a petition with the European Court in Luxembourg.

Read on: https://www.bit.nl/FOIC-goes-to-court
 
nsaldanh
just joined
Posts: 12
Joined: Mon Aug 13, 2018 1:27 am

Re: Can ping IP's/Websites, but no internet.

Sun Oct 16, 2022 11:10 pm

Soooo... I got IPv4 working. Just an idea that suddenly popped into my head. Apparently it was as simple as changing IP type to IPv4 in APN settings. My original configuration was set to auto, and I guess my internet had stopped working because auto had simply started choosing IPv6 instead of IPv4.

Hello,

I have a Mikrotik Chateau 5G. It has a Quectel RG502Q-EA modem. I'm trying to use T-Mobile but no matter what I do I can't get an IPV4 address. I do get an IPV6 address, but since it's a /64 address it's of limited use to me.

APN used: Fast.t-mobile.com

Could you please post your config if possible?

Thanks very much!
