 
achmed
just joined
Topic Author
Posts: 9
Joined: Fri Sep 30, 2011 10:00 pm

Route unreachable yet I can ping and access the gateway

Sun Feb 09, 2014 7:57 pm

Problem: I have a static route 0.0.0.0/0 with gateway unreachable, but I can ping, traceroute and access the gateway web interface.

Here is a quick summary of my setup...
Two sites, let's call them sites A and B.

---IPs---

SITE A
Eth1: 192.168.1.91/24 - Used by PC hosts and one internet gateway located at IP 192.168.1.1
Wlan1: 192.168.99.91/24 - Used to connect to site B

SITE B
Eth1: 192.168.2.94/24 - Used by PC hosts
Wlan1: 192.168.99.94/24 - Used to connect to site A

---Routes---

SITE A
Static route 192.168.2.0/24 pointing to 192.168.99.94 (Reachable)
Static route 0.0.0.0/24 pointing to 192.168.1.1 (Reachable)

SITE B
Static route 192.168.1.0/24 pointing to 192.168.99.91 (Reachable)
Static route 0.0.0.0/24 pointing to 192.168.1.1 (Unreachable)

---Firewall---

SITE A
SRCNAT 192.168.99.0/24, ACTION = Masquerade

---PING---
I can ping all 192.168.1.0/24 IPs from subnet 192.168.2.0/24
And I can also ping all 192.168.2.0/24 IPs from subnet 192.168.1.0/24

---Problem---
At site B I have an unreachable static route 0.0.0.0/0 pointing to gateway 192.168.1.1 Located at site A.
Yet I can ping and access the gateway's web interface.

---Things I have tried---
1) Setting Preferred source - unreachable
2) Changing the gateway ip on the route to that of a PC on site A - unreachable
3) Disabled, Enabled and modified Firewall rules on both sides. - Without Masquerade rule on site A the internet gateway thinks the source IP is on the internet and sends out the reply package on the WAN interface.

So what am I missing here???
Any advice please...
 
marcusses
just joined
Posts: 4
Joined: Fri Jan 27, 2012 6:56 pm

Re: Route unreachable yet I can ping and access the gateway

Sun Feb 09, 2014 9:59 pm

Hello

You probably made a mistake in copying routes, but instead of 0.0.0.0/24 probably it is 0.0.0.0/0, you can check it.
Second, on router B, except for the dynamic routes, there should be just default route 0.0.0.0/0 pointing to 192.168.99.91 - in this case those routers are aware only of their first "neighbours".
Third, I do not know why you have set on the router A such firewall settings. I do not know whether you have access to the 192.168.1.1 router, if you have - no need to masquerade on router A. There is a difference between fully-routed and NAT-ed network.
 
achmed
just joined
Topic Author
Posts: 9
Joined: Fri Sep 30, 2011 10:00 pm

Re: Route unreachable yet I can ping and access the gateway

Thu Feb 13, 2014 9:49 pm

Thanks for the reply.
The 0.0.0.0/24 was a typo on my post.
It is configured as 0.0.0.0/0 on the router(s).

Problem solved...
I changed the Static route at site B.
Was: "0.0.0.0/0 pointing to 192.168.1.1 (Unreachable)" - This is wrong. Not supposed to point directly to the gateway
Now: "0.0.0.0/0 pointing to 192.168.99.91 (Reachable)" - Router B will Masquerade the packets and send it to gateway 192.168.1.1

And I added a firewall rule at site B.
SRCNAT 192.168.2.0/24, ACTION = Masquerade.

This essentially changed my setup to a NAT-ed network.

The reason why I have the Masquerade firewall rules is because I actually have many other network connections on Routers A and B besides the above mentioned.
These connections require me to have this rule.
I did not mention this because it tends to confuse people when you throw too much info in the equation.

Thanks for the help. :)
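
An added example, not part of the original posts: a simplified Python model of the next-hop check that explains the symptom in this thread. It assumes the RouterOS defaults of scope 10 for connected routes, scope 30 for static routes and target-scope 10, so a static route's gateway is only "reachable" when a connected network covers it, even though forwarding (and therefore ping) can still use the static route to 192.168.1.0/24. The function and constant names are hypothetical; the addresses are Site B's from the thread.

```python
import ipaddress

# Assumed RouterOS defaults: connected routes have scope 10, static routes
# scope 30, and a static route's gateway is looked up with target-scope 10.
CONNECTED_SCOPE, STATIC_SCOPE, TARGET_SCOPE = 10, 30, 10

# Site B values taken from the thread.
SITE_B_ADDRESSES = ["192.168.2.94/24", "192.168.99.94/24"]
ROUTES_BEFORE = [("192.168.1.0/24", "192.168.99.91"), ("0.0.0.0/0", "192.168.1.1")]
ROUTES_AFTER = [("192.168.1.0/24", "192.168.99.91"), ("0.0.0.0/0", "192.168.99.91")]


def gateway_status(gateway, routes, target_scope=TARGET_SCOPE):
    """Reachable only if some route with scope <= target_scope covers the gateway."""
    gw = ipaddress.ip_address(gateway)
    usable = [net for net, scope in routes if scope <= target_scope and gw in net]
    return "reachable" if usable else "unreachable"


def evaluate(addresses, statics, target_scope=TARGET_SCOPE):
    """Return {'dst via gw': status} for each static route on one router."""
    connected = [(ipaddress.ip_interface(a).network, CONNECTED_SCOPE) for a in addresses]
    result = {}
    for i, (dst, gw) in enumerate(statics):
        # Modelling choice: a route may not resolve its gateway through itself.
        others = [(ipaddress.ip_network(d), STATIC_SCOPE)
                  for j, (d, _) in enumerate(statics) if j != i]
        result[f"{dst} via {gw}"] = gateway_status(gw, connected + others, target_scope)
    return result


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for route, status in evaluate(SITE_B_ADDRESSES, routes).items():
            print(f"{label}: {route} -> {status}")
```

Passing `target_scope=30` to `evaluate` models a recursive next-hop lookup, in which 192.168.1.1 resolves through the static route to 192.168.1.0/24.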
 
GHM166
just joined
Posts: 1
Joined: Thu Jan 25, 2018 10:42 am

Re: Route unreachable yet I can ping and access the gateway

Wed Aug 12, 2020 11:46 am

Problem:

I have a router which is connected with lan to a point-to-point Mikrotik on my roof over my router ether 5 :

ip address of my point-to-point:

1: 192.168.134.19
2: internet routeable ip a.b.c.49 , /28

---------------------------------------------------------------

ip address of my mikrotik router ether 5:

1. 192.168.134.20
2. internet routeable ip a.b.c.50 /28

my local range on sfp port:
192.168.0.0/24

----------------------------------------------------------------

so on I can ping a.b.c.49 and ip 192.168.134.19 from my router
I wrote a masquerade rule on my firewall for my local lan range .

I've 3 internet lines over different ISPs.
I use packet mark to use this internet on my lan.

I wrote a default route over ether 5 and it shows reachable, but there is no internet over ether 5 by ping.
I changed my route to gateway a.b.c.49 and it showed unreachable.



really I don't know how to change my route to have access internet over ether 5

I send all photo and configuration ;

ip address :
--------------
0 ;;; Local-Lan
192.168.0.254/24 192.168.0.0 Bridge-LAN
1 ;;; KhorshidNet-Local-interface
172.31.24.12/24 172.31.24.0 ether1
2 ;;; Mokhaberat-Local-interface
192.168.2.2/24 192.168.2.0 ether3
4 192.168.10.1/30 192.168.10.0 ether2
5 X a.b.c.50/32 46.209.212.48 ether5
6 192.168.134.20/28 192.168.134.16 ether5
7 D 81.29.244.153/32 192.168.100.1 KhorshidNet ----- > first internet
8 D 93.118.97.93/32 2.177.0.1 Mokhaberat --------> second internet
------------------------------------------------------------------------------------------------------------
firewall :
0 ;;; Respina
chain=srcnat action=masquerade src-address=192.168.0.0/24
out-interface=ether5 log=no log-prefix=""

1 ;;; KhorshidNet
chain=srcnat action=masquerade src-address=192.168.0.0/24
out-interface=KhorshidNet log=no log-prefix=""

2 ;;; Mokhaberat
chain=srcnat action=masquerade src-address=192.168.0.0/24
out-interface=Mokhaberat log=no log-prefix=""

3 ;;; Modem ADSL
chain=srcnat action=masquerade src-address=192.168.0.0/24
out-interface=ether3 log=no log-prefix=""

4 ;;; Vpn to Lan
chain=srcnat action=accept src-address=1.2.3.4
dst-address-list=Connected Route log=no log-prefix=""

5 ;;; Lan to Vpn
chain=srcnat action=accept dst-address=1.2.3.4
src-address-list=Connected Route log=no log-prefix=""

6 X ;;; Vpn Internet
chain=srcnat action=masquerade src-address=1.2.3.4
out-interface=KhorshidNet log=no log-prefix=""

7 chain=srcnat action=accept src-address=192.168.0.0/24
dst-address=192.168.1.0/24 log=no log-prefix=""

8 ;;; Udp DNS route to server
chain=dstnat action=accept to-ports=xxx protocol=udp
src-address=1.2.3.4 src-address-list=!Domain Servers dst-port=xxx
log=no log-prefix=""

9 ;;; Tcp DNS route to server
chain=dstnat action=accept to-ports=xxx protocol=tcp
src-address=1.2.3.4 src-address-list=!Domain Servers dst-port=xxx
log=no log-prefix=""

10 ;;; Udp DNS route to server
chain=dstnat action=redirect to-ports=xxx protocol=udp
src-address-list=!Domain Servers dst-port=xxx log=no log-prefix=""

11 ;;; Tcp DNS route to server
chain=dstnat action=redirect to-ports=xxx protocol=tcp
src-address-list=!Domain Servers dst-port=xxx log=no log-prefix=""

12 ;;; DVR1
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp in-interface=KhorshidNet dst-port=xxx log=no log-prefix=""

13 ;;; DVR2
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp in-interface=KhorshidNet dst-port=xxx log=no log-prefix=""

14 ;;; DVR Zero floor
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp in-interface=KhorshidNet dst-port=xxx log=no log-prefix=""

15 X ;;; Teamyar Web
chain=dstnat action=dst-nat to-addresses=192.168.0.? protocol=tcp
dst-address=1.2.3.4 in-interface=Mokhaberat dst-port=xxx log=no
log-prefix=""

16 ;;; Delcarino - Argham
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp dst-address=1.2.3.4 in-interface=KhorshidNet
dst-port=xxx log=no log-prefix=""

17 ;;; Delcarino - Argham - port xxx
chain=dstnat action=dst-nat to-addresses=192.168.0.? protocol=tcp
dst-address=81.29.244.153 in-interface=KhorshidNet dst-port=xxx log=no
log-prefix=""

18 ;;; Delcarino - Argham - port xxx
chain=dstnat action=dst-nat to-addresses=192.168.0.? protocol=tcp
dst-address=1.2.3.4 in-interface=KhorshidNet dst-port=xxx log=no
log-prefix=""

19 ;;; Delcarino - Argham - port xxx
chain=dstnat action=dst-nat to-addresses=192.168.0.?2 protocol=tcp
dst-address=1.2.3.4 in-interface=KhorshidNet dst-port=xxx log=no
log-prefix=""
20 ;;; Delcarino - Argham - port xxx
chain=dstnat action=dst-nat to-addresses=192.168.0.? protocol=tcp
dst-address=81.29.244.153 in-interface=KhorshidNet dst-port=xxx log=no
log-prefix=""

21 ;;; Kart
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xx
protocol=tcp dst-address=1.2.3.4 in-interface=KhorshidNet
dst-port=xxx log=no log-prefix=""

22 ;;; Nossa- xxx - soap
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp dst-address=1.2.3.4 in-interface=KhorshidNet
dst-port=xxx log=no log-prefix=""

----------------------------------------------------------------------------
Last edited by GHM166 on Sat Aug 15, 2020 7:39 am, edited 1 time in total.
