I'm new to Mikrotik. Before moving this new machine into production I'm testing and creating certain rules so I can migrate without any issues and with less downtime.
WAN = 172.16.188.253 /21
LAN = 172.16.144.1 /20
I have some machines which are on the WAN subnet. Actually the WAN is my old LAN, so I picked one IP as WAN for my new Mikrotik for internet purposes and to access those old LAN machines during configuration.
When I ping from the Mikrotik to 172.16.188.22 I get a reply from the machine. But when I ping from a client behind the LAN interface of the Mikrotik I get a timeout.
Client-IP : 172.16.144.6
Route Print Table
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 A S  0.0.0.0/0                          172.16.188.254         1
 1 ADC  172.16.144.0/21    172.16.144.1    ether4                 0
 2 ADC  172.16.188.0/21    172.16.188.241  ether2                 0
 3 A S  255.255.248.0/32                   172.16.188.254         1  <== it is a gateway of WAN-IP
I want to access the 172.16.188.22 machine from behind my LAN, but the client is unable to access that machine on the WAN subnet. I cannot even ping the WAN IP address from behind the LAN.
The 3rd one is useless, it has no impact on routing. Client 6 has a proper gateway and can access the internet and network resources, but it cannot access a machine which is on the WAN interface subnet. Client 6 cannot even ping the WAN interface IP address.
I thought you meant 172.16.188.253 as the exact address, but maybe you mean “WAN interface IP address” as any other address connected to WAN? If that’s the case, you also need either a route to 172.16.144.1/20 on those devices (will work for communication established both ways), or srcnat on the router (allows connections to be established from LAN to WAN).
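An added example, not part of the original posts: a small Python model of where the host 172.16.188.22 sends its echo reply, showing why the router's own ping is answered while the LAN client's is not, and how each of the two fixes named in the reply above changes that. The host's route table and its default gateway (172.16.188.254) are assumptions, as is the old gateway having no route back to the new LAN; the prefixes follow the /21 and /20 masks from the first post.

```python
import ipaddress

# Addresses from the thread; the host's own route table is an assumption.
ROUTER_WAN = "172.16.188.253"    # Mikrotik address on the old LAN
OLD_GATEWAY = "172.16.188.254"   # assumed default gateway of 172.16.188.22
LAN_NET = ipaddress.ip_network("172.16.144.0/20")
WAN_NET = ipaddress.ip_network("172.16.188.22/21", strict=False)

def next_hop(routes, dst):
    """Longest-prefix match; 'on-link' means direct delivery on the segment."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def host_routes(with_lan_route=False):
    """Constructed route table of the host 172.16.188.22."""
    routes = [(WAN_NET, "on-link"),
              (ipaddress.ip_network("0.0.0.0/0"), OLD_GATEWAY)]
    if with_lan_route:
        # Fix 1: static route to the new LAN via the Mikrotik.
        routes.append((LAN_NET, ROUTER_WAN))
    return routes

def ping(source, routes, srcnat=False):
    """Return (next hop of the echo reply, whether the pinger receives it)."""
    # Fix 2: srcnat on the router rewrites the source to its WAN address.
    seen_src = ROUTER_WAN if srcnat else source
    hop = next_hop(routes, seen_src)
    # The reply gets back only if it is handed to the Mikrotik, either
    # directly (on-link to its WAN address) or as the gateway for the LAN.
    ok = hop == ROUTER_WAN or (hop == "on-link" and seen_src == ROUTER_WAN)
    return hop, ok

if __name__ == "__main__":
    cases = [
        ("router itself", ROUTER_WAN, host_routes(), False),
        ("client, no fix", "172.16.144.6", host_routes(), False),
        ("client, host route", "172.16.144.6", host_routes(True), False),
        ("client, srcnat", "172.16.144.6", host_routes(), True),
    ]
    for label, src, routes, nat in cases:
        hop, ok = ping(src, routes, nat)
        print(f"{label:20} reply via {hop:15} -> {'reply' if ok else 'timeout'}")
```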
The way you describe it, it is a routing issue on the host 172.16.188.22 which can respond to pings from 172.16.188.253 itself because both are in the same subnet, but it sends its responses to pings coming from 172.16.144.6 to its default gateway which is probably not your Mikrotik at 172.16.188.253.
Or, as you say 172.16.144.6 doesn’t get responses to ping even from the Mikrotik itself, there may be some firewall rules on your Mikrotik which prevent devices in 172.16.144.0/24 from accessing the Mikrotik itself and/or anything in 172.168.188.0/24. There are separate rule chains in /ip firewall filter for packets to/from Mikrotik itself and for packets transiting through Mikrotik. See my automatic signature for further steps.
Other than that, /tool sniffer helps you a lot to visualize what is going on. So you can use
/tool sniffer set filter-interface=ether2 filter-ip-protocol=icmp
/tool sniffer start
/tool sniffer packet print detail interval=1s
to see whether the pings coming from 172.16.144.6 via ether4 are being sent out via ether2 and whether any responses are coming back.
If you can see the requests but not the responses, the issue is outside the Mikrotik; if you don’t see the requests, you have to find out whether firewall rules on Mikrotik itself are responsible or whether the 172.16.144.6 doesn’t send the requests the right way, so do