Hi
My mikrotik has an address of 192.168.2.1 and hands out DHCP over ports 2 - 4.
On port 5 I have an address of 192.168.1.21 which is connected to another subnet 192.168.1.0
I am able to ping each and every host on 192.168.1.0 through winbox on the mikrotik.
I CAN'T ping any of the hosts on the 192.168.1.0 subnet from any host on the 192.168.2.0 subnet.
So obviously the mikrotik is not letting the communication through.
I have included my export below and hope someone can help.
Thanks
# may/27/2014 20:14:59 by RouterOS 6.12
# software id = JMB0-NPVK
#
# Export of the router that owns 192.168.2.1: ether2 (with ether3/ether4 slaved
# to it) is the 192.168.2.0/24 LAN, "ether5 Macweb" holds 192.168.1.21/24 on the
# neighbouring subnet, and the WAN is the PPPoE client pppoe-out1 on ether1.
/interface wireless
set [ find default-name=wlan1 ] l2mtu=2290 mode=ap-bridge ssid=macweb \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] name="ether5 Macweb"
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
# allow= still lists pap, which sends the PPPoE password in cleartext to the
# access concentrator; narrow the list if the ISP accepts chap/mschap2.
# NOTE(review): user= is the real ISP account name, posted unmasked - worth
# redacting before sharing an export.
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
default-route-distance=1 dial-on-demand=no disabled=no interface=ether1 \
keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=disabled name=\
pppoe-out1 profile=default service-name="" use-peer-dns=yes user=\
mylesmacaulay@afrihost.co.za
/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=192.168.1.21/24 interface="ether5 Macweb" network=192.168.1.0
/ip dhcp-server lease
add address=192.168.2.51 client-id=1:50:e5:49:c1:2b:d8 mac-address=\
50:E5:49:C1:2B:D8 server=dhcp1
add address=192.168.2.54 client-id=1:10:fe:ed:6:32:39 mac-address=\
10:FE:ED:06:32:39 server=dhcp1
add address=192.168.2.53 client-id=1:b8:27:eb:59:35:70 mac-address=\
B8:27:EB:59:35:70 server=dhcp1
add address=192.168.2.52 mac-address=00:50:8D:B5:39:19 server=dhcp1
# This DHCP network entry hands out a gateway but no dns-server.
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24
# The first upstream resolver listed is this router's own ether2 address.
/ip dns
set servers=192.168.2.1,8.8.8.8
# Input chain only: accept ICMP, established and related, then drop whatever
# arrives with in-interface=ether1.
# NOTE(review): the internet side is pppoe-out1 (see the nat rules below), and
# packets from the PPPoE session are presumably matched as
# in-interface=pppoe-out1, not ether1 - confirm that this drop rule actually
# covers WAN input; if not, router services are reachable from the internet.
# There are no forward-chain rules, so forwarded traffic is not filtered here.
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1
# Marks every connection "Other" and every packet "Other Traffic" in prerouting;
# no queue consuming these marks appears in this export.
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=Other
add action=mark-packet chain=prerouting connection-mark=Other \
new-packet-mark="Other Traffic" passthrough=no
# srcnat: masquerade everything leaving via pppoe-out1.
# dstnat: TCP 9990/9991/9992 on the WAN are forwarded to 192.168.2.51 ports
# 8080/8989/8082 with no src-address restriction, so those services are
# reachable from any internet host.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 to-addresses=\
0.0.0.0
add action=dst-nat chain=dstnat dst-port=9990 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.2.51 to-ports=8080
add action=dst-nat chain=dstnat dst-port=9991 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.2.51 to-ports=8989
add action=dst-nat chain=dstnat dst-port=9992 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.2.51 to-ports=8082
# This last srcnat rule has no matcher and no action= in the export
# (presumably the default action, accept - confirm); it does no translation.
add chain=srcnat to-addresses=0.0.0.0
# Host route for 192.168.1.40 via 192.168.1.1; the connected 192.168.1.0/24
# network on "ether5 Macweb" already contains that address.
/ip route
add distance=1 dst-address=192.168.1.40/32 gateway=192.168.1.1
# UPnP is enabled with ether2 internal and pppoe-out1 external: hosts on ether2
# can ask the router to open inbound port mappings without authenticating.
/ip upnp
set allow-disable-external-interface=no enabled=yes
/ip upnp interfaces
add interface=ether2 type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=Africa/Johannesburg
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=205.196.146.72 secondary-ntp=\
108.61.73.243
# The default MAC-telnet / MAC-Winbox entries are disabled and the services are
# re-added per interface; the list includes "ether5 Macweb" (the link to the
# 192.168.1.0 segment) and wlan1, so layer-2 management is offered there too.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface="ether5 Macweb"
add interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface="ether5 Macweb"
add interface=wlan1
When I check the config, I see these errors:
-
You have not set a DNS server on dhcp server / network
-
You cannot define the router itself as the DNS server of the router.
I now check the rest of the export…
What is this route for?
/ip route
add distance=1 dst-address=192.168.1.40/32 gateway=192.168.1.1
If you put 192.168.1.1/24 on ether5, the system automatically adds a 192.168.1.0/24 route through ether5.
Remove the last rule in firewall nat:
/ip firewall nat
[…]
add chain=srcnat to-addresses=0.0.0.0
I'm finished.
REMEMBER: YOU CANNOT PING BETWEEN THE TWO SUBNETS UNLESS YOU ADD A 192.168.2.0/24 → 192.168.1.21 ROUTE ON THE 192.168.1.1 ROUTER…
Alternatively, you can add a src-nat masquerade rule from ether2 to ether5, but then the 192.168.1.0/24 devices do not see the true source IP, only 192.168.1.21 as the source of the ping,
and 192.168.1.0/24 devices cannot directly ping 192.168.2.0/24 devices.
Thank you very much for your replies. I have done every step you mention but still can't ping. I have connected directly to the other subnet so I could get the config from the mikrotik on 192.168.1.0
Here is mikrotik of 192.168.1.0
# may/27/2014 20:47:51 by RouterOS 6.9
# software id = VZXF-BS2S
#
# Export of the router that owns 192.168.1.1: ether2-master-local (with
# ether3-5 slaved to it) is the 192.168.1.0/24 LAN and the WAN is the PPPoE
# client pppoe-out1 on ether1-gateway.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master-local lease-time=\
10m name=default
# allow= still lists pap, which sends the PPPoE password in cleartext to the
# access concentrator; narrow the list if the ISP accepts chap/mschap2.
# password= and user= appear masked with asterisks in this posting.
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
default-route-distance=1 dial-on-demand=no disabled=no interface=\
ether1-gateway keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=\
disabled name=pppoe-out1 password=******** profile=default service-name=\
"" use-peer-dns=yes user=*********@afrihost.co.za
/queue simple
add name=Gareth target=192.168.1.39/32
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.1.0
# A DHCP client is still configured on ether1-gateway alongside the PPPoE
# client that runs over the same port.
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server lease
add address=192.168.1.123 client-id=1:0:e0:4c:3:c:7c mac-address=\
00:E0:4C:03:0C:7C server=default
# LAN clients receive 192.168.1.1 as both gateway and DNS server.
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=\
192.168.1.1 gateway=192.168.1.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS queries sent to it.
# NOTE(review): whether that is limited to the LAN depends on the input filter
# below actually covering the WAN - see the note there; a resolver reachable
# from the internet can be abused as an open resolver.
/ip dns
set allow-remote-requests=yes
# Static name "router" points at 192.168.88.1, which is not an address
# configured anywhere in this export.
/ip dns static
add address=192.168.88.1 name=router
# Input: accept ICMP, established and related, then drop whatever arrives with
# in-interface=ether1-gateway.
# NOTE(review): the internet side is pppoe-out1 (see the nat rules below), and
# packets from the PPPoE session are presumably matched as
# in-interface=pppoe-out1, not ether1-gateway - confirm that this drop rule
# actually covers WAN input.
# Forward: accept established and related, drop invalid; nothing drops new
# forwarded connections, so they fall through to the default accept.
# NOTE(review): LAN hosts use 192.168.1.1 as gateway while 192.168.1.21 sits on
# the same segment, so this router presumably forwards only one direction of
# 192.168.2.0/24 <-> 192.168.1.0/24 flows; connection tracking may then class
# that traffic as invalid and the last rule would drop it - confirm.
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
add chain=forward comment="default configuration" connection-state=\
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
# srcnat: masquerade everything leaving via pppoe-out1.
# dstnat: TCP 10000-10001 on the WAN are forwarded to 192.168.1.45 with no
# src-address restriction, so that host is reachable from any internet host.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=10000-10001 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.1.45 to-ports=10000-10001
# Return route to the 192.168.2.0/24 subnet via 192.168.1.21.
/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.1.21
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=Africa/Johannesburg
/system ntp client
set enabled=yes mode=unicast primary-ntp=205.196.146.72 secondary-ntp=\
108.61.73.243
# The default MAC-telnet / MAC-Winbox entries are disabled and the services are
# re-added on the four LAN ports only.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
And here is the new export of 192.168.2.0 after your suggestions.
# may/27/2014 20:53:14 by RouterOS 6.12
# software id = JMB0-NPVK
#
# Second export of the router that owns 192.168.2.1: ether2 (with ether3/ether4
# slaved to it) is the 192.168.2.0/24 LAN, "ether5 Macweb" holds 192.168.1.21/24
# on the neighbouring subnet, and the WAN is the PPPoE client pppoe-out1 on
# ether1. This export contains no /ip dns or /ip route section.
/interface wireless
set [ find default-name=wlan1 ] l2mtu=2290 mode=ap-bridge ssid=macweb \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] name="ether5 Macweb"
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
# allow= still lists pap, which sends the PPPoE password in cleartext to the
# access concentrator; narrow the list if the ISP accepts chap/mschap2.
# NOTE(review): user= is the real ISP account name, posted unmasked - worth
# redacting before sharing an export.
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
default-route-distance=1 dial-on-demand=no disabled=no interface=ether1 \
keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=disabled name=\
pppoe-out1 profile=default service-name="" use-peer-dns=yes user=\
mylesmacaulay@afrihost.co.za
/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=192.168.1.21/24 interface="ether5 Macweb" network=192.168.1.0
/ip dhcp-server lease
add address=192.168.2.51 client-id=1:50:e5:49:c1:2b:d8 mac-address=\
50:E5:49:C1:2B:D8 server=dhcp1
add address=192.168.2.54 client-id=1:10:fe:ed:6:32:39 mac-address=\
10:FE:ED:06:32:39 server=dhcp1
add address=192.168.2.53 client-id=1:b8:27:eb:59:35:70 mac-address=\
B8:27:EB:59:35:70 server=dhcp1
add address=192.168.2.52 mac-address=00:50:8D:B5:39:19 server=dhcp1
# This DHCP network entry hands out a gateway but no dns-server.
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24
# Input chain only: accept ICMP, established and related, then drop whatever
# arrives with in-interface=ether1.
# NOTE(review): the internet side is pppoe-out1 (see the nat rules below), and
# packets from the PPPoE session are presumably matched as
# in-interface=pppoe-out1, not ether1 - confirm that this drop rule actually
# covers WAN input; if not, router services are reachable from the internet.
# There are no forward-chain rules, so forwarded traffic is not filtered here.
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1
# Marks every connection "Other" and every packet "Other Traffic" in prerouting;
# no queue consuming these marks appears in this export.
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=Other
add action=mark-packet chain=prerouting connection-mark=Other \
new-packet-mark="Other Traffic" passthrough=no
# srcnat: masquerade everything leaving via pppoe-out1.
# dstnat: TCP 9990/9991/9992 on the WAN are forwarded to 192.168.2.51 ports
# 8080/8989/8082 with no src-address restriction, so those services are
# reachable from any internet host.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 to-addresses=\
0.0.0.0
add action=dst-nat chain=dstnat dst-port=9990 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.2.51 to-ports=8080
add action=dst-nat chain=dstnat dst-port=9991 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.2.51 to-ports=8989
add action=dst-nat chain=dstnat dst-port=9992 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.2.51 to-ports=8082
# UPnP is enabled with ether2 internal and pppoe-out1 external: hosts on ether2
# can ask the router to open inbound port mappings without authenticating.
/ip upnp
set allow-disable-external-interface=no enabled=yes
/ip upnp interfaces
add interface=ether2 type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=Africa/Johannesburg
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=205.196.146.72 secondary-ntp=\
108.61.73.243
# The default MAC-telnet / MAC-Winbox entries are disabled and the services are
# re-added per interface; the list includes "ether5 Macweb" (the link to the
# 192.168.1.0 segment) and wlan1, so layer-2 management is offered there too.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface="ether5 Macweb"
add interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface="ether5 Macweb"
add interface=wlan1
Thanks again for your help.
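The 192.168.2.1 board is OK; now I will check the other one.
On the 192.168.1.1 routerboard, try disabling the last firewall rule as a test (that router may see only one direction of the traffic between the two subnets and treat it as invalid), and turn it back on once you have the answer: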
add action=drop chain=forward comment="default configuration" connection-state=invalid
All the other parameters look OK to me on both boards…
P.S.: are you sure 192.168.1.21 is free and assigned only on RB 192.168.2.1?
P.P.S.: I just noticed: 6.9 is unstable, use 6.13 on both boards…
Hi
Thanks!!! I have got it working now! It turned out to be firmware 6.9 on the other subnet. Have upgraded and it worked straight away.
I really appreciate your help! I have been going mad trying to get this to work.