Can't Access static device from other subnets

Hi Everyone,

Hoping someone can help me out here as I have been struggling and going round in circles as I read up and try to figure it out, so any help would be much appreciated.

I use 4 WANs (eth5, 6, 7, 8) and 1 LAN (eth1, which has 4 pools: 192.168.10.x, 11.x, 12.x and 13.x).

Stations log in via PPPoE and get assigned an IP from 10, 11, 12 or 13 depending on the WAN they are assigned to. The problem I have is that only stations within the same subnet can contact each other, so 10.x cannot contact 11.x, 12.x etc. I want to set up a NAS on 10.10 so everyone on 10, 11, 12 and 13 can access it. When I use ping from the router itself I can ping all pools.

Most of my code below:

/interface bridge
add admin-mac=E4:8D:8=4C:0F:A1:A1 auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-lan speed=100Mbps
set [ find default-name=ether7 ] name=ether7-wan3 speed=100Mbps
set [ find default-name=ether8 ] name=ether8-wan4 speed=100Mbps

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether5-wan1 name=pppoe-wan1 user=A7@XXX.com
add add-default-route=yes disabled=no interface=ether6-wan2 name=pppoe-wan2 user=A6@XXX.com
add add-default-route=yes disabled=no interface=ether7-wan3 name=pppoe-wan3 user=A4@XXX.com
add add-default-route=yes disabled=no interface=ether8-wan4 name=pppoe-wan4 user=A5@XXX.com

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
add hotspot-address=192.168.10.1 name=hsprof1

/ip pool
add name=pool1-wan1 ranges=192.168.10.30-192.168.10.254
add name=pool2-wan2 ranges=192.168.11.5-192.168.11.254
add name=pool3-wan3 ranges=192.168.12.5-192.168.12.254
add name=pool4-wan4 ranges=192.168.13.5-192.168.13.254
add name=pool5-wan5 ranges=192.168.14.5-192.168.14.254

/ip dhcp-server
add address-pool=pool1-wan1 authoritative=after-2sec-delay disabled=no
interface=bridge1 lease-time=23h59m59s name=dhcp1

/ppp profile
add dns-server=8.8.8.8 local-address=192.168.10.1 name=profile1-ppp remote-address=pool1-wan1

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether1-lan

/interface pppoe-server server
add authentication=chap default-profile=profile1-ppp disabled=no interface=
bridge1 max-mru=1400 max-mtu=1400 mrru=1600 service-name=service1

/interface pptp-server server
set default-profile=profile1-ppp enabled=yes
/ip address
add address=113.79.50.139 interface=ether5-wan1 network=113.79.120.139
add address=113.79.50.124 interface=ether6-wan2 network=113.79.120.124
add address=113.79.50.0 interface=ether7-wan3 network=113.79.120.0
add address=113.79.50.1 interface=ether8-wan4 network=113.79.120.1
add address=192.168.6.21 interface=ether4-wan5 network=192.168.6.0
add address=192.168.10.1/24 comment=lan interface=bridge1 network=192.168.10.0

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1

/ip dns
set allow-remote-requests=yes cache-size=5000KiB servers=221.132.112.8,8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting comment="wan 2 routing" new-routing-mark=wan2 passthrough=yes src-address=192.168.11.0/24
add action=mark-routing chain=prerouting comment="wan 3 routing" new-routing-mark=wan3 passthrough=yes src-address=192.168.12.0/24
add action=mark-routing chain=prerouting comment="wan 4 routing" new-routing-mark=wan4 passthrough=yes src-address=192.168.13.0/24
add action=mark-routing chain=prerouting comment="wan 5 routing" new-routing-mark=wan5 passthrough=yes src-address=192.168.14.0/24
add action=mark-connection chain=input in-interface=ether5-wan1
new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether6-wan2
new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether7-wan3
new-connection-mark=WAN3_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether8-wan4
new-connection-mark=WAN4_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether4-wan5
new-connection-mark=WAN5_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn
new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn
new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn
new-routing-mark=to_WAN3 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN4_conn
new-routing-mark=to_WAN4 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN5_conn
new-routing-mark=to_WAN5 passthrough=yes
add action=accept chain=prerouting dst-address=113.79.120.139 in-interface=bridge1
add action=accept chain=prerouting dst-address=113.79.120.124 in-interface=bridge1
add action=accept chain=prerouting dst-address=113.79.120.0 in-interface=bridge1
add action=accept chain=prerouting dst-address=113.79.120.1 in-interface=bridge1
add action=accept chain=prerouting dst-address=192.168.6.0/24 in-interface=bridge1
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=bridge1 new-connection-mark=WAN1_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:5/0
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=bridge1 new-connection-mark=WAN2_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:5/1
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=bridge1 new-connection-mark=WAN3_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:5/2
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=bridge1 new-connection-mark=WAN4_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:5/3
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=bridge1 new-connection-mark=WAN5_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:5/4
add action=mark-routing chain=prerouting connection-mark=WAN1_conn
in-interface=bridge1 new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn
in-interface=bridge1 new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn
in-interface=bridge1 new-routing-mark=to_WAN3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN4_conn
in-interface=bridge1 new-routing-mark=to_WAN4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN5_conn
in-interface=bridge1 new-routing-mark=to_WAN5 passthrough=yes
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu
passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=ether5-wan1
add action=masquerade chain=srcnat out-interface=ether6-wan2
add action=masquerade chain=srcnat out-interface=ether7-wan3
add action=masquerade chain=srcnat out-interface=ether8-wan4
add action=masquerade chain=srcnat out-interface=ether4-wan5
add action=masquerade chain=srcnat comment="masquerade wan 1" src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="masquerade wan 2" src-address=192.168.13.0/24
add action=masquerade chain=srcnat comment="masquerade wan 3" src-address=192.168.12.0/24
add action=masquerade chain=srcnat comment="masquerade wan 4" src-address=192.168.11.0/24
add action=masquerade chain=srcnat comment="masquerade wan 5" src-address=192.168.14.0/24
add action=masquerade chain=srcnat out-interface=pppoe-wan2
add action=masquerade chain=srcnat out-interface=pppoe-wan3
add action=masquerade chain=srcnat out-interface=pppoe-wan4
add action=masquerade chain=srcnat out-interface=pppoe-wan1
/ip route
add comment="wan 2 ppp routing" distance=1 gateway=pppoe-wan2 routing-mark=wan2
add comment="wan 3 ppp routing" distance=1 gateway=pppoe-wan3 routing-mark=wan3
add comment="wan 4 ppp routing" distance=1 gateway=pppoe-wan4 routing-mark=wan4
add comment="wan 5 ppp routing" distance=1 gateway=192.168.6.1 routing-mark=wan5
add check-gateway=ping distance=1 gateway=pppoe-wan1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=pppoe-wan2 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=pppoe-wan3 routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway=pppoe-wan4 routing-mark=to_WAN4
add check-gateway=ping distance=1 gateway=192.168.6.1 routing-mark=to_WAN5
add check-gateway=ping distance=1 gateway=pppoe-wan1
add check-gateway=ping distance=2 gateway=pppoe-wan2
add check-gateway=ping distance=3 gateway=pppoe-wan3
add check-gateway=ping distance=4 gateway=pppoe-wan4
add check-gateway=ping distance=5 gateway=192.168.6.1

It is obvious since:

add action=mark-routing chain=prerouting comment="wan 2 routing" \
new-routing-mark=wan2 passthrough=yes src-address=192.168.11.0/24

this will change the main routing table for the source address 192.168.11.0/24 and will instead use the routing table wan2… So when you ping e.g. 192.168.12.x, this goes out through the WAN interface…
So I am not really sure that you can indeed ping the other subnets… In the above code add (and for the rest of the subnets 12, 13, 14 etc.):

dst-address-type=!local

And let me know :smiley:

Zacharias,

Thanks for your reply. I added dst-address-type=!local to the 11 subnet and it made no difference. I am currently on 192.168.10.34 and tried to ping from Windows to 192.168.11.2 but it just timed out. But if I use ping from the MikroTik / Tools then I can ping all subnets. Anything else I could try? I appreciate your help.

Yes, because the MikroTik itself will use the output chain, which is just fine…
Please, just for testing, disable all your mangle rules and let me know the result… I might have missed something… it's late here right now :laughing:

Or you can add accept rules on top of the mangle rules for src-address .10.0/24, .11.0/24, .12.0/24 etc… just to make sure…

Zacharias,

I disabled the following mangle rule and it worked; I was able to ping it from the 192.168.10 network.

add action=mark-routing chain=prerouting comment="wan 2 routing" new-routing-mark=wan2 passthrough=yes src-address=192.168.11.0/24

Could you give me an example of the code to add for the accept mangle rules on src-address to get it working with the above mangle rule enabled? Do I still need to add dst-address-type=!local to the above mangle rule?

Again thanks for your work last night when it was late and my brain was half fried.

OK, so I was right after all… I am not sure why in a previous post you told me that adding !local did not work for you.
You must change the mangle rules at the top as follows:

add action=mark-routing chain=prerouting comment="wan 2 routing" dst-address-type=!local \
new-routing-mark=wan2 passthrough=yes src-address=192.168.10.0/24
add action=mark-routing chain=prerouting comment="wan 2 routing" dst-address-type=!local \
new-routing-mark=wan2 passthrough=yes src-address=192.168.11.0/24
add action=mark-routing chain=prerouting comment="wan 2 routing" dst-address-type=!local \
new-routing-mark=wan2 passthrough=yes src-address=192.168.12.0/24
add action=mark-routing chain=prerouting comment="wan 2 routing" dst-address-type=!local \
new-routing-mark=wan2 passthrough=yes src-address=192.168.13.0/24
add action=mark-routing chain=prerouting comment="wan 2 routing" dst-address-type=!local \
new-routing-mark=wan2 passthrough=yes src-address=192.168.14.0/24

I will try that now, but just before I do, I assume that it shouldn't be wan2 for all, and that it should be wan1, 2, 3, 4, 5 like I changed below? Just want to make sure I get it right.

add action=mark-routing chain=prerouting comment="wan 1 routing" dst-address-type=!local new-routing-mark=wan1 passthrough=yes src-address=192.168.10.0/24
add action=mark-routing chain=prerouting comment="wan 2 routing" dst-address-type=!local new-routing-mark=wan2 passthrough=yes src-address=192.168.11.0/24
add action=mark-routing chain=prerouting comment="wan 2 routing" dst-address-type=!local new-routing-mark=wan3 passthrough=yes src-address=192.168.12.0/24
add action=mark-routing chain=prerouting comment="wan 3 routing" dst-address-type=!local new-routing-mark=wan4 passthrough=yes src-address=192.168.13.0/24
add action=mark-routing chain=prerouting comment="wan 4 routing" dst-address-type=!local new-routing-mark=wan5 passthrough=yes src-address=192.168.14.0/24

Zacharias,

Yes, that worked, and I can ping all subnets now. I guess it didn't work last night because there was no mangle rule for WAN1, so from your latest post I created one. Thanks for your support.

I think I celebrated too soon!
When I am on the 192.168.10 network I can ping everything on the 10, 11, 12, etc. networks.
But as soon as I move myself onto the 192.168.11, 12 or 13 network then I can only ping 192.168.10.1, which is the router address; it does not even let me ping addresses within the same network, e.g. 192.168.11.30 can't ping 192.168.11.35.

Any ideas?

I'll look at your mangles again…
Sorry, but your mangles with the change we made seem to be OK… You could disable them all just to test in case I missed something…
Other than that, I do not see your firewall… you might be blocking something there…

When I put myself onto the 192.168.11 network and disable that wan2 mangle rule then I am able to ping all the subnets. Once I enable it again the only address I can ping is 192.168.10.1.

WAN2 mangle rule:
add action=mark-routing chain=prerouting comment="wan 2 routing" dst-address-type=!local new-routing-mark=wan2 passthrough=yes src-address=192.168.11.0/24

So at the moment the 10 network is working perfectly, but 11, 12 and 13 only work when I disable the mangle rule.

I deselected 'Invert' in the address type for the 11 mangle rule and it seems to ping 10 OK; it will only ping the 12 and 13 networks if Invert is selected on those mangle rules, as when I deselected Invert it would not ping the 12 or 13 network. Does this make any sense?

Zacharias,

My conclusions so far:

(1) If all mangle rules are disabled then all subnets can ping each other (192.168.10, 11, 12 and 13).

(2) If all mangle rules are enabled with dst-address-type=!local (e.g. below) then 192.168.10 can ping 11, 12, etc. but 192.168.11, 12 etc. cannot ping any subnet until I change the invert to
dst-address-type=local; that will allow me to ping other subnets, but other subnets then cannot ping me.

/ip firewall mangle
add action=mark-routing chain=prerouting comment="wan 1 routing" dst-address-type=!local new-routing-mark=wan1 passthrough=yes src-address=192.168.10.0/24
add action=mark-routing chain=prerouting comment="wan 2 routing" dst-address-type=!local new-routing-mark=wan2 passthrough=yes src-address=192.168.11.0/24
add action=mark-routing chain=prerouting comment="wan 3 routing" dst-address-type=!local new-routing-mark=wan3 passthrough=yes src-address=192.168.12.0/24

I am not bothered about 11, 12 and 13 pinging each other; I just want 192.168.10 to ping every subnet and every subnet to be able to ping 192.168.10. Or is there any easy way to allow one specific address, 192.168.10.10, to be public to all subnets, as that is the address of my NAS drive, so everyone has access?

I have no problem allowing you access to my MikroTik and paying you for your time, as I seem to be missing something and going round in circles.

I just saw your whole config and under /ip address I only see the subnet 192.168.10.0/24… where are all the other subnets?
That is why !local was not working as it should…

Sorry, I have 4 pools created and each of these is assigned one of the 4 WANs, so pool 192.168.11.xx will get WAN 2.

Should I have created 4 subnets like below ?

/ip address
add address=192.168.10.1/24 comment=lan interface=bridge1 network=192.168.10.0
add address=192.168.11.1/24 comment=lan interface=bridge1 network=192.168.11.0
add address=192.168.12.1/24 comment=lan interface=bridge1 network=192.168.12.0
add address=192.168.13.1/24 comment=lan interface=bridge1 network=192.168.13.0

Again I would like to pay you for your time, and if you can see an easier way for all pools (10,11,12,13) to access my NAS drive on 192.169.10.10

In case you mean that:
WAN1 Router has the address 192.168.11.1
WAN2 Router has the address 192.168.12.1
WAN3 Router has the address 192.168.13.1
WAN4 Router has the address 192.168.14.1

And their pools are 11.0/24, 12.0/24, 13.0/24 and 14.0/24…

Then on your MikroTik router you must create IP addresses as follows:
For the ethernet interface that the WAN1 router is connected to, assign the address 192.168.11.2/24
For the ethernet interface that the WAN2 router is connected to, assign the address 192.168.12.2/24
For the ethernet interface that the WAN3 router is connected to, assign the address 192.168.13.2/24
For the ethernet interface that the WAN4 router is connected to, assign the address 192.168.14.2/24

Then the first four mangle rules we edited earlier: change them to exactly this, or better, delete them and create new ones as follows:

add chain=prerouting dst-address=192.168.11.0/24 action=accept in-interface=bridge1
add chain=prerouting dst-address=192.168.12.0/24 action=accept in-interface=bridge1
add chain=prerouting dst-address=192.168.13.0/24 action=accept in-interface=bridge1
add chain=prerouting dst-address=192.168.14.0/24 action=accept in-interface=bridge1

My 4 WAN routers are bridged and use /interface pppoe-client to authenticate. I have the 4 WAN routers specified in /ip address, so it's the different pools that are the IP ranges 11, 12, 13.

/ip address
add address=113.79.50.139 interface=ether5-wan1 network=113.79.50.139
add address=113.79.50.124 interface=ether6-wan2 network=113.79.50.124
add address=113.79.50.0 interface=ether7-wan3 network=113.79.50.0
add address=113.79.50.1 interface=ether8-wan4 network=113.79.50.1
add address=192.168.10.1/24 comment=lan interface=bridge1 network=192.168.10.0

Is there anything simple that I can do to let 192.168.10.10 be visible to everything inside the MikroTik? I am sorry for confusing you, as I am slowly trying to learn the MikroTik and not explaining things well.

I still do not understand where those pools are located… you should provide a diagram with your network topology…

Hope this makes sense to you: https://ibb.co/fpTXg8N

So from this diagram I want e.g. 192.168.11.232 to communicate with 192.168.10.35 and vice versa. At the moment 10.35 can communicate with 11.232, but I cannot ping from 11.232 back to 10.35; I can only ping 10.1, which is the MikroTik. I plan to have a NAS drive on 192.168.10.10 which everyone can access, so should I be looking at some other method? Thanks again for your help.

For each subnet you want to communicate with another, create an accept rule on top…
E.g. if you want 192.168.11.0/24 to communicate with 192.168.12.0/24, bypassing the mangle rules, create an accept rule with src-address 192.168.11.0/24 and dst-address 192.168.12.0/24, action accept…
Do the same for each communication you want to allow…
Since all the subnets except 192.168.10.0/24 are not on your router, they are not considered local, thus we can't use the local attribute…
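The following is an added model, not code from the thread or from RouterOS, of the prerouting mangle behaviour Zacharias describes above: a src-address mark-routing rule sends inter-subnet traffic into the wanN table (whose only route is the WAN default), dst-address-type=!local cannot help because only 192.168.10.1 is an address of the router, and accept rules placed before the mark-routing rules let LAN-to-LAN packets fall through to the main table. The rule sets, subnets and routing tables are constructed from the configuration posted in the thread; the accept rules are simplified to a dst-address match only.

```python
import ipaddress

# Constructed model of the thread's setup (not the router's real state):
# the router owns only 192.168.10.1, so that is the only address that
# dst-address-type=local can match; 11.x/12.x/13.x are PPPoE pool addresses.
ROUTER_LOCAL = {"192.168.10.1"}
LAN_SUBNETS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in (10, 11, 12, 13)]
# The per-mark tables from the thread each hold only a default route via a WAN.
MARKED_TABLES = {f"wan{n}": f"pppoe-wan{n}" for n in (1, 2, 3, 4)}


def matches(rule, src, dst):
    """True when every matcher present on a mangle rule hits the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if "src-address" in rule and src not in ipaddress.ip_network(rule["src-address"]):
        return False
    if "dst-address" in rule and dst not in ipaddress.ip_network(rule["dst-address"]):
        return False
    if "dst-address-type" in rule:
        is_local = str(dst) in ROUTER_LOCAL
        if (rule["dst-address-type"] == "local") != is_local:  # "!local" inverts
            return False
    return True


def prerouting_mark(rules, src, dst):
    """Walk the prerouting chain top to bottom: accept ends evaluation,
    mark-routing sets the mark and (passthrough=yes) keeps going."""
    mark = None
    for rule in rules:
        if not matches(rule, src, dst):
            continue
        if rule["action"] == "accept":
            break
        if rule["action"] == "mark-routing":
            mark = rule["new-routing-mark"]
    return mark


def egress(rules, src, dst):
    """Route lookup as the thread describes it: a marked packet resolves in
    its wanN table and leaves via the WAN; an unmarked one uses main, where
    the connected/PPPoE-session routes deliver it to the other subnet."""
    mark = prerouting_mark(rules, src, dst)
    if mark is not None:
        return MARKED_TABLES[mark]
    if any(ipaddress.ip_address(dst) in net for net in LAN_SUBNETS):
        return "connected"
    return "pppoe-wan1"  # main-table default route (distance 1)


def src_rule(n, **extra):
    return {"action": "mark-routing", "src-address": f"192.168.{9 + n}.0/24",
            "new-routing-mark": f"wan{n}", **extra}


ORIGINAL = [src_rule(n) for n in (1, 2, 3, 4)]                       # first posted rules
NOT_LOCAL = [src_rule(n, **{"dst-address-type": "!local"}) for n in (1, 2, 3, 4)]
# Zacharias's last suggestion: accept inter-subnet traffic before any marking.
ACCEPT_FIRST = [{"action": "accept", "dst-address": str(n)} for n in LAN_SUBNETS] + ORIGINAL
```

Calling egress(NOT_LOCAL, "192.168.11.30", "192.168.12.5") still returns the WAN, while the same packet under ACCEPT_FIRST returns "connected" and Internet-bound traffic from 11.x keeps its wan2 mark.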