Hi
I have the following problem
I’m doing tests on a RouterBOARD 751 and I noticed this problem.
751
wan 12.32.121.170/28
gw 12.32.121.161
lan 192.168.0.0/24
If I place a host on the WAN side, in the same subnet as the router's WAN address, with this configuration:
12.32.121.169/28
gw 12.32.121.170
I can surf the internet …
That is not correct, because I am outside the LAN …
thanks
What is the print-out of your config and the gateway and public IP assigned by your ISP?
# RouterOS configuration export: bridge, wireless AP and wireless security profile.
# NOTE(review): long commands appear wrapped without a continuation character in
# this paste; a line that does not start with "/", "add" or "set" presumably
# continues the command on the line above it.
/interface bridge
add l2mtu=1598 name=bridge1
/interface wireless
# wlan1 runs as an access point (mode=ap-bridge) with SSID "Sistel".
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no
frequency=2452 frequency-mode=regulatory-domain l2mtu=2290 mode=ap-bridge
ssid=Sistel wireless-protocol=802.11
/ip neighbor discovery
# Neighbor discovery is turned off on wlan1 only; other interfaces are not listed here.
set wlan1 discover=no
/interface wireless security-profiles
# NOTE(review): authentication-types lists only wpa-psk, so the
# wpa2-pre-shared-key set below is presumably not in use, and TKIP is allowed in
# both the unicast and group cipher lists. Prefer wpa2-psk with aes-ccm only,
# unless legacy clients require otherwise.
# The pre-shared keys are masked with asterisks in this paste.
set [ find default=yes ] authentication-types=wpa-psk eap-methods=“”
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=***********
wpa2-pre-shared-key=*************
# LAN-side services: DHCP pool and server, bridge membership, IP addressing, DNS.
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip pool
# Address range handed out to LAN clients.
add name=dhcp ranges=192.168.0.209-192.168.0.242
/ip dhcp-server
# The DHCP server is bound to bridge1.
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp2
/system logging action
# Small log buffers: 100 lines in memory, 100 lines per disk file.
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
# bridge1 members: ether3, wlan1, ether4, ether5. ether1 and ether2 are not bridged.
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
# NOTE(review): the LAN address is assigned to ether3, which is a member port of
# bridge1, while the DHCP server is bound to bridge1. Addresses normally belong
# on the bridge interface itself; confirm this is intentional.
add address=192.168.0.1/24 interface=ether3 network=192.168.0.0
# ether1 carries two addresses from the same /28; ether2 carries two /20 networks.
add address=12.32.121.170/28 interface=ether1 network=12.32.121.160
add address=192.168.23.24/20 interface=ether2 network=192.168.16.0
add address=12.32.121.165/28 interface=ether1 network=12.32.121.160
add address=10.168.23.24/20 interface=ether2 network=10.168.16.0
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall connection tracking
# Connection tracking is required by the connection-state matches in the filter rules.
set enabled=yes
# Packet filter for traffic to the router (chain=input) and through it (chain=forward).
# Rules are evaluated top to bottom within each chain and the first match decides.
# A rule written without action= uses the default action, accept.
/ip firewall filter
# Drops all ICMP addressed to the router itself. No in-interface is given, so this
# applies on every interface, the LAN included.
add action=drop chain=input protocol=icmp
# Accept forwarded traffic from specific remote sources. The same addresses appear
# as src-address in the dst-nat rules for UDP 5060. The second rule is disabled.
add chain=forward src-address=91.157.82.213
add chain=forward disabled=yes src-address=88.113.37.160
add chain=forward src-address=81.30.2.205
add chain=forward src-address=109.238.17.166
# Drop UDP 5060 aimed at the router itself when it arrives on ether1.
add action=drop chain=input dst-port=5060 in-interface=ether1 protocol=udp
# Accept return traffic for connections the router already tracks.
add chain=input connection-state=related
add chain=input connection-state=established
# NOTE(review): this rule accepts every NEW forwarded connection, whatever
# interface it arrived on. It sits above the ether1 forward drop at the end of the
# list, so that drop never sees new connections entering on ether1. A host in the
# ether1 subnet that uses this router as its gateway is therefore routed through
# it. Scoping this rule (for example in-interface=!ether1) would leave the final
# drop effective; check the intended ether2 traffic before changing it.
add chain=forward connection-state=new
add chain=forward connection-state=established
add chain=forward connection-state=related
# Final drops for anything from ether1 that no earlier rule accepted. There is no
# equivalent final drop for the other interfaces.
add action=drop chain=input in-interface=ether1
add action=drop chain=forward in-interface=ether1
# Mangle rules used only for logging, followed by destination and source NAT.
/ip firewall mangle
# NOTE(review): the tcp-flags value "!,ack" looks truncated in this paste; confirm
# against the router.
add action=log chain=forward protocol=tcp tcp-flags=!,ack
# Logs every forwarded UDP packet. This fills the small log buffers set under
# /system logging action quickly.
add action=log chain=forward protocol=udp
/ip firewall nat
# Four dst-nat rules forward UDP 5060 arriving on ether1 to 192.168.0.252, each
# limited to one remote src-address. The comments suggest these are VoIP providers;
# that is not confirmed by the page. Keeping src-address on each rule keeps the
# port closed to other sources.
add action=dst-nat chain=dstnat comment=Tracenet dst-port=5060 in-interface=
ether1 protocol=udp src-address=81.30.2.205 to-addresses=192.168.0.252
to-ports=5060
add action=dst-nat chain=dstnat comment=“Finland old” dst-port=5060
in-interface=ether1 protocol=udp src-address=88.113.37.160 to-addresses=
192.168.0.252 to-ports=5060
add action=dst-nat chain=dstnat comment=Digitel dst-port=5060 in-interface=
ether1 protocol=udp src-address=109.238.17.166 to-addresses=192.168.0.252
to-ports=5060
add action=dst-nat chain=dstnat comment=Finland dst-port=5060 in-interface=
ether1 protocol=udp src-address=91.157.82.213 to-addresses=192.168.0.252
to-ports=5060
# NOTE(review): to-addresses=88.32.121.165 does not match any address configured
# under /ip address in this export, where ether1 has 12.32.121.165. This may be a
# redaction inconsistency in the paste; confirm.
add action=src-nat chain=srcnat comment=“Centralino nat uscita”
out-interface=ether1 src-address=192.168.0.252 to-addresses=88.32.121.165
# LAN traffic towards the two /20 networks on ether2 is masqueraded.
add action=masquerade chain=srcnat dst-address=10.168.16.0/20 out-interface=
ether2 src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.16.0/20 out-interface=
ether2 src-address=192.168.0.0/24
# Source NAT towards ether1 is limited to the LAN range by src-address. A NAT rule
# on ether1 without a source match would also translate traffic forwarded from
# any other source.
add action=src-nat chain=srcnat out-interface=ether1 src-address=
192.168.0.0/24 to-addresses=12.32.121.170
# Routing, management services, UPnP, SNMP, system settings and MAC-layer management.
/ip route
# No dst-address is given on the first route; presumably it is the default route
# (0.0.0.0/0) via the ISP gateway.
add distance=1 gateway=12.32.121.161
add distance=1 dst-address=192.168.16.0/20 gateway=192.168.16.1
/ip service
# telnet, ftp, ssh and api are disabled.
# NOTE(review): www and winbox are not listed, so they are presumably still at
# their defaults. Confirm, and restrict them to management addresses if enabled.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip upnp
# NOTE(review): UPnP is enabled with ether1 as the external interface, so internal
# clients can request inbound port mappings on the WAN side on their own. Disable
# it unless it is needed.
set enabled=yes
/ip upnp interfaces
add interface=wlan1 type=internal
add interface=ether1 type=external
/snmp
# NOTE(review): SNMP is enabled and the trap community is "public". The community
# entries themselves are not shown in this export; confirm that a non-default
# community with an address restriction is configured.
set enabled=yes trap-community=public
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=“Classe 0”
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=193.204.114.232 secondary-ntp=
193.204.114.233
/tool e-mail
set address=213.82.109.139 from=<classe0@sistel.it>
/tool mac-server
# The default MAC-server entry is disabled, then MAC-layer access is enabled per
# interface on wlan1 and ether2-ether5. ether1 is not listed.
# NOTE(review): this includes the wireless interface and ether2; limit the list to
# the ports actually used for management.
set [ find default=yes ] disabled=yes
add interface=wlan1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
/tool mac-server mac-winbox
# Same interface list as above, for MAC WinBox access.
set [ find default=yes ] disabled=yes
add interface=wlan1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
First you need to remove the routes you have and add this:
ip route add dst-address=0.0.0.0/0 gateway=12.32.121.161 distance=1
Then remove your masquerade rules and the source nat rule for 12.32.121.170 and add:
add action=masquerade chain=srcnat out-interface=ether1
And remove address 12.32.121.165, unless you have two public IPs?
This will get your internet working at least with source addresses 91.157.82.213, 81.30.2.205, and 109.238.17.166 going by what you have for firewall rules.