Hi to all,
I cannot figure out how to fix this:
I have a Telecom Italia router with IP 192.168.1.1 and 2 mikrotiks connected through eth1-wan to the Telecom router. The mikrotik-1 has 192.168.1.10 on the eth1-wan interface and the mikrotik-2 has 192.168.1.20 on the eth1-wan interface. Then all the other ports are bridged with assigned networks 192.168.10.0/24 for mikrotik-1 and 192.168.20.0/24 for mikrotik-2. I have added a masquerade rule on both mikrotiks and DHCP server preferences. So everything works and I can access internet, winbox, and the Telecom Italia interface from both networks, but I can’t access from mikrotik-1 the WAN interface of mikrotik-2 and vice versa. Any suggestions? I need this because I need to manage the mikrotik-2 interface using the mikrotik-1 LAN due to the physical distance between the 2 networks. Many thanks
Did you adjust firewall settings on mikrotik-2? Default firewall does not allow any connectivity initiated from WAN interface and connections from mikrotik-1 are considered WAN connections by mikrotik-2 …
For the moment the firewall table is empty except for the NAT masquerade rule. Do I have to add an accept rule?
romon…
No, there’s implicit “accept all” at the end of (now empty) firewall rule list.
Which kind of administration tool are you trying to use (winbox, webfig, ssh, …) and are you trying to connect using IP address (supposedly 192.168.1.20)?
You might want to check /ip services on mikrotik-2 to verify that selected management method is enabled.
You may also want to verify that the WAN interfaces of both mikrotiks have the same subnet mask set. As you don’t have any firewall, mikrotik-2 should reply to pings. You can try pinging it from mikrotik-1 using the command /tool ping-speed 192.168.1.20; after a few seconds it should display some non-zero throughput.
I’m trying through winbox and web interface and they are all enabled, because if I connect directly to the Telecom Italia router I can access 192.168.1.20 and 192.168.1.10 from web interface or winbox with no problems. But I cannot do this if I’m connected to the mikrotik-1 router.
Yes, the subnet is the same: 192.168.1.10/24 network 192.168.1.0 for mikrotik-1 and 192.168.1.20/24 network 192.168.1.0 for mikrotik-2.
Next thing to check: that NAT rule on mikrotik-1 … what exactly does it look like?
Masquerade srcnat, nothing more. If I disable this rule nothing changes, except that obviously I cannot navigate the internet.
But what exactly does the masquerade look like?
If you didn’t have masquerade enabled, then you’d have to add routes to reach local LANs on the other router.
E.g.
# mikrotik-1:
/ip route
add dst-address=192.168.20.0/24 gateway=192.168.1.20
#
# mikrotik-2:
/ip route
add dst-address=192.168.10.0/24 gateway=192.168.1.10
Or, if you only want to access mikrotik-2 from the mt-1 LAN, you have to add a route on mikrotik-2 so that it knows how to send replies.
If your masquerade is complete, this should not be necessary as all connections from the mt-1 LAN would appear to originate from 192.168.1.10 and mikrotik-2 knows how to send replies there.
– I am assuming that you have a default route (default gateway) as the Italia Telecom router, probably something like 0.0.0.0/0 ====> 192.168.1.1
– Therefore if you are connected to the Italia Telecom Router, you can connect to both Mikrotiks, since they are all on the same subnet of 192.168.1.0/24
– But if you are connected to either of the Mikrotiks, you cannot connect to the other, because you must route from 192.168.10.0 to 192.168.20.0 and vice versa.
– You need to add static routes on each Mikrotik to the other mikrotik subnet. For example, on Mikrotik with address in range 192.168.10.0, add a route that routes all traffic to the 192.168.20.0 network to the gateway of 192.168.1.20. On the Mikrotik with address 192.168.20.0, add a route that routes all traffic to 192.168.10.0 to gateway 192.168.1.10
EDIT: mkx said it better than me, we must have been typing at exactly the same time …
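The reply-path reasoning from the thread, as an added example that is not part of any post: a longest-prefix-match lookup over mikrotik-2's routing table shows where its replies to a mikrotik-1 LAN client go with and without masquerade or the static route. The default route via 192.168.1.1 and the client address 192.168.10.50 are assumptions.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: return the gateway for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

# mikrotik-2 routing table as described in the thread.
# The default route via the Telecom router is an assumption.
MT2_ROUTES = [
    ("192.168.1.0/24", "connected"),   # eth1-wan, 192.168.1.20/24
    ("192.168.20.0/24", "connected"),  # bridged LAN
    ("0.0.0.0/0", "192.168.1.1"),      # default gateway (assumed)
]
# Same table plus the static route suggested for mikrotik-2.
MT2_WITH_STATIC = MT2_ROUTES + [("192.168.10.0/24", "192.168.1.10")]

def reply_path(routes, client_src, masquerade):
    """Return (source address mikrotik-2 sees, next hop for its reply).

    With masquerade on mikrotik-1's eth1-wan, the client's LAN address is
    rewritten to 192.168.1.10 before the packet reaches mikrotik-2.
    """
    seen_src = "192.168.1.10" if masquerade else client_src
    return seen_src, next_hop(routes, seen_src)

if __name__ == "__main__":
    client = "192.168.10.50"  # constructed sample host on mikrotik-1's LAN
    cases = [
        ("masquerade, no static route", MT2_ROUTES, True),
        ("no masquerade, no static route", MT2_ROUTES, False),
        ("no masquerade, static route", MT2_WITH_STATIC, False),
    ]
    for label, table, masq in cases:
        src, hop = reply_path(table, client, masq)
        print(f"{label}: mikrotik-2 sees {src}, replies via {hop}")
```

In the second case the reply leaves via the default gateway 192.168.1.1 instead of going straight back to 192.168.1.10, which is the asymmetric path the static route removes.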