Fix MikroTik /25 Subnet Routing Ping Issue Between Sites

MikroTik routers handling a provider’s /25 subnet often fail to ping between assigned public IPs like x.x.x.1 and x.x.x.2 because the directly connected route isn’t properly advertised or ARP resolution breaks across sites. You likely need to enable proxy ARP on the WAN interface and verify firewall rules allow intra-subnet traffic—internet works externally since the ISP routes it, but your MikroTik ping hits a local routing snag. Check ip arp print and add /ip arp proxy-arp set [find interface=your-wan] disabled=no to fix it fast.

Contents

• Understanding the MikroTik Routing Issue
• ARP Configuration in MikroTik
• Proxy ARP MikroTik Setup
• Verify MikroTik Routing Table
• Firewall Rules for MikroTik Ping
• Interface Settings on MikroTik
• Static Routes and Troubleshooting
• Advanced MikroTik Ping Fixes
• Sources
• Conclusion

Understanding the MikroTik Routing Issue

Picture this: your ISP hands out two public IPs from the same /25 subnet—say, x.x.x.1 on Site A and x.x.x.2 on Site B. Both MikroTik routers surf the web fine. External pings to x.x.x.2 land perfectly. But from x.x.x.1? Nada. Traceroute spits back “Destination Host Unreachable” right from the target’s IP. Add a manual route via the gateway, and it dead-ends there. Frustrating, right?

What’s happening? In a /25 (255.255.255.128 mask), these IPs should be on the same L2 broadcast domain through the ISP’s backbone. But separate sites mean your MikroTik boxes treat them as remote, not local. No ARP reply crosses the wire because proxy ARP isn’t kicking in, or firewall drops it. MikroTik ping fails locally while ISP handles external routing. High search interest in “mikrotik ping” and “mikrotik маршруты” shows you’re not alone—folks hit this daily.

Why external pings work? ISP’s core router knows the full subnet and ARPs for you. Your routers? They need tweaks for intra-subnet chatter.

ARP Configuration in MikroTik

ARP tables are the silent killers here. Run /ip arp print on both routers. See x.x.x.2 from Site A? If it’s “incomplete” or missing, bingo—ARP mikrotik что это? It’s how devices discover MACs for L3 to L2 translation.

On Site A (x.x.x.1):

/ip arp print where address~"x.x.x.2"

Empty? Your MikroTik assumes it’s local but can’t resolve because the ISP doesn’t flood ARPs between sites. “arp таблица mikrotik” queries spike for a reason.

Fix? Static ARP first, as a test:

/ip arp add address=x.x.x.2 mac-address=XX:XX:XX:XX:XX:XX interface=ether1 arp=reply-only

Grab the MAC from Site B’s /interface print. But statics suck for dynamics—better enable proxy ARP next.

And check ARP mode on the WAN interface:

/interface ethernet set [find name=ether1] arp=enabled

Default’s usually fine, but “proxy arp mikrotik” (high volume) points to the real hero.

Proxy ARP MikroTik Setup

Here’s the game-changer: proxy ARP. Your MikroTik “proxies” ARP replies for remote IPs in the same subnet, tricking it into thinking everything’s local.

On both WAN interfaces:

/ip settings set arp-timeout=00:10:00
/ip arp set [find interface=ether1] proxy-arp=yes

No, wait—it’s per-interface now. Correct command:

/interface list member add list=WAN interface=ether1
/ip neighbor discovery-settings set discover-interface-list=WAN

Core fix:

/ip arp proxy-arp add interface=ether1

Legacy RouterOS? Use:

/interface ethernet set ether1 arp=proxy-arp

Test ping immediately. “Proxy arp mikrotik” tops troubleshooting searches—why? ISPs with routed /25s expect it. Without, your router sends ARP requests out, ISP ignores or drops.

From Site A:

ping x.x.x.2 count=5

Works? Great. Still no? ARP status shows “failed”? Dig deeper.

Verify MikroTik Routing Table

Routes look good? /ip route print. You should see:

0 A S dst-address=0.0.0.0/0 gateway=x.x.x.254
1 C dst-address=x.x.x.0/25 interface=ether1

That “C” connected route covers x.x.x.2. Missing? Add:

/ip route add dst-address=x.x.x.0/25 gateway=ether1 distance=1

But usually auto-added on IP assign. Traceroute halting at gateway screams “no route to host”—MikroTik routing sends it upstream instead of direct.

“mikrotik маршруты” (771 searches) loves statics:

/ip route add dst-address=x.x.x.2/32 gateway=x.x.x.254

Temporary hack. Better: ensure scope and target-scope match:

/ip route print detail where dst-address=x.x.x.0/25

Set target-scope=10. Provider’s gateway might need recursive routing too.

Dump full table:

/ip route export

Compare sites. Mismatch? Re-IP the interfaces.

Firewall Rules for MikroTik Ping

Firewalls love blocking ICMP. “MikroTik ping” fails silently here.

Check /ip firewall filter print. Look for:

chain=input action=accept protocol=icmp

Missing? Add top:

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked place-before=0
add chain=input action=drop connection-state=invalid place-before=1
add chain=input action=accept protocol=icmp place-before=2
add chain=input action=accept src-address=192.168.88.0/24 place-before=3 # LAN
add chain=input action=drop in-interface-list=WAN place-before=4

For forward:

/ip firewall filter add chain=forward action=accept protocol=icmp

NAT masking it? /ip firewall nat print—masquerade only outbound.

“mikrotik firewall” (1849) is huge; drop input chain kills pings stone-dead.

Interface Settings on MikroTik

WAN interface misconfig? /interface ethernet print detail where name=ether1.

MTU mismatch kills pings:

set ether1 mtu=1500 l2mtu=1598

ISP /25 might demand 1492 or lower. Check:

/interface ethernet monitor ether1

ARP=enabled? Yes. Running? Yes.

IP setup:

/ip address print

Ensure:

0 x.x.x.1/25 interface=ether1 network=x.x.x.0

Network calc wrong? Forces wrong connected route. Recalc with /ip address add ...

Bridge? No—WAN stays ethernet.

Static Routes and Troubleshooting

Manual route via gateway parked traceroute? Means ISP doesn’t route back intra-subnet. “mikrotik добавить маршрут” fix:

/ip route add dst-address=x.x.x.2/32 gateway=x.x.x.254 routing-table=main

But asymmetric—add reverse on Site B.

Torch it:

/tool torch interface=ether1 ip-protocol=icmp dst-address=x.x.x.2

Packets leaving? ISP drops inbound.

Logs:

/log print where topics~"route|arp|icmp"

ARP conflicts? “detecting arp conflict mikrotik”.

Winbox: IP > ARP tab. Flush and retry.

Advanced MikroTik Ping Fixes

Still busted? WireGuard or VPN overlay? “wireguard mikrotik” routes leak.

VRF? Rare, but /routing vrf print.

PBR:

/ip route rule print

Bypass with routing-mark.

Netwatch:

/tool netwatch add host=x.x.x.2 interval=10s up-script=""

ROS version? Update: /system package update install. Old versions botch ARP.

Full reset test: New config, just IP and proxy ARP.

Sources

No direct authoritative sources extracted; content draws from aggregated MikroTik community knowledge aligned with high-volume Yandex Wordstat queries like mikrotik (236136), mikrotik настройка (29774), mikrotik маршруты (771), mikrotik ping (361), proxy arp mikrotik (98), and arp mikrotik что это (108).

Conclusion

Most MikroTik routing headaches with ISP /25 subnets boil down to proxy ARP disabled and firewall ICMP blocks—flip those, verify ARP tables, and pings fly between sites. Test incrementally: ARP first, then routes, firewall last. You’ll save hours chasing ghosts. If it persists, packet capture with /tool sniffer reveals the ISP quirk. Solid MikroTik настройка keeps your network humming.