cvv
September 6, 2010, 7:28pm
1
Greetings
I have 2 LAN and 2 WAN interfaces with failover scripts. Everything works fine except that I can’t ping from LAN 1 (172.16.1.2) to LAN 2 (172.16.2.2). I can ping either network from the router, but can’t make it pass through.
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S ;;; Default Route
0.0.0.0/0 pppoe-out1 1
1 S ;;; Backup Route
0.0.0.0/0 192.168.1.100 192.168.1.1 2
2 ADC 1.1.1.0/30 1.1.1.1 Loopback1 0
3 ADC 10.198.128.0/17 10.198.150.41 satnet 0
4 A S 92.255.86.24/32 cvv 1
5 A S ;;; Test Route
98.137.149.56/32 pppoe-out1 1
6 S ;;; Bogus loopback route for pppoe test
98.137.149.56/32 Loopback1 100
7 ADC 172.16.1.0/24 172.16.1.1 cvv 0
8 ADC 172.16.2.0/24 172.16.2.1 natasha 0
9 ADC 192.168.0.2/32 92.255.86.24 pppoe-out1 0
10 ADC 192.168.1.0/24 192.168.1.100 dlink-2540u 0
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 172.16.1.1/24 172.16.1.0 172.16.1.255 cvv
1 192.168.1.100/24 192.168.1.0 192.168.1.0 dlink-2540u
2 172.16.2.1/24 172.16.2.0 172.16.2.255 natasha
3 1.1.1.1/30 1.1.1.0 1.1.1.3 Loopback1
4 D 10.198.150.41/17 10.198.128.0 10.198.255.255 satnet
5 D 92.255.86.24/32 192.168.0.2 0.0.0.0 pppoe-out1
Letni
September 6, 2010, 7:47pm
2
When this has happened to me in the past I did not have the default gateway set right on one/both the clients.
On device 172.16.1.2 make sure the default gateway is 172.16.1.1
On device 172.16.2.2 make sure the default gateway is 172.16.2.1
-Louis
cvv
September 6, 2010, 8:07pm
3
Thanks for your reply.
Default gateway on both devices is set as you’ve suggested.
Letni
September 6, 2010, 8:11pm
4
From 172.16.1.2
ping 172.16.1.1. What are the results?
ping 172.16.2.1. What are the results?
ping 172.16.2.2 What are the results?
What does a trace route show?
I am going to assume that you do not have any firewall rules that may be interfering since you did not include them before?
-Louis
fewi
September 6, 2010, 8:12pm
5
Post the output of “/ip firewall export”
On a side note, the IP address you’re using on the loopback interface has recently been assigned by the IANA.
cvv
September 6, 2010, 8:22pm
6
Letni:
From 172.16.1.2
ping 172.16.1.1. What are the results?
ping 172.16.2.1. What are the results?
ping 172.16.2.2 What are the results?
What does a trace route show?
I am going to assume that you do not have any firewall rules that may be interfering since you did not include them before?
-Louis
Pinging 1.1 is OK, for it’s the router address for 1.2.
Pinging 2.1 or 2.2 fails.
I have only set some NAT rules in the firewall; here they are:
[admin@MikroTik] > /ip firewall export
# sep/07/2010 00:17:58 by RouterOS 4.3
# software id = KV57-VKPA
#
/ip firewall address-list
add address=93.186.226.130 comment="" disabled=no list=vkontakte
add address=93.186.227.124 comment="" disabled=no list=vkontakte
add address=93.186.227.125 comment="" disabled=no list=vkontakte
add address=93.186.227.126 comment="" disabled=no list=vkontakte
add address=93.186.227.129 comment="" disabled=no list=vkontakte
add address=93.186.227.130 comment="" disabled=no list=vkontakte
add address=93.186.228.129 comment="" disabled=no list=vkontakte
add address=93.186.228.130 comment="" disabled=no list=vkontakte
add address=93.186.229.2 comment="" disabled=no list=vkontakte
add address=93.186.229.3 comment="" disabled=no list=vkontakte
add address=93.186.229.129 comment="" disabled=no list=vkontakte
add address=93.186.229.130 comment="" disabled=no list=vkontakte
add address=93.186.231.218 comment="" disabled=no list=vkontakte
add address=93.186.231.219 comment="" disabled=no list=vkontakte
add address=93.186.231.220 comment="" disabled=no list=vkontakte
add address=93.186.231.221 comment="" disabled=no list=vkontakte
add address=93.186.231.222 comment="" disabled=no list=vkontakte
add address=93.186.225.211 comment="" disabled=no list=vkontakte
add address=93.186.225.212 comment="" disabled=no list=vkontakte
add address=93.186.226.4 comment="" disabled=no list=vkontakte
add address=93.186.226.5 comment="" disabled=no list=vkontakte
add address=10.198.129.101 comment="" disabled=no list=blocked
add address=93.186.227.123 comment="" disabled=no list=vkontakte
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=reject chain=forward comment="" disabled=yes dst-address-list=vkontakte protocol=tcp reject-with=\
icmp-admin-prohibited
add action=drop chain=forward comment="" disabled=yes src-address-list=blocked
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=209.131.36.159 new-routing-mark=\
to-pppoe passthrough=no
add action=mark-connection chain=prerouting comment="p2p conn" disabled=no new-connection-mark=p2p_conn p2p=\
all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="p2p packet" connection-mark=p2p_conn disabled=no \
new-packet-mark=p2p passthrough=no
add action=mark-connection chain=prerouting comment="http conn" disabled=no dst-port=80 new-connection-mark=\
http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="http packet" connection-mark=http_conn disabled=no \
new-packet-mark=http passthrough=no
add action=mark-connection chain=prerouting comment="other conn" disabled=no new-connection-mark=other_conn \
passthrough=yes
add action=mark-packet chain=prerouting comment="other packet" connection-mark=other_conn disabled=no \
new-packet-mark=other passthrough=yes
add action=mark-connection chain=prerouting comment="smart conn" disabled=no dst-address=82.204.220.34 \
new-connection-mark=smart_conn passthrough=yes
add action=mark-connection chain=prerouting comment="smart conn" disabled=no dst-address=213.247.232.238 \
new-connection-mark=smart_conn passthrough=yes
add action=mark-packet chain=prerouting comment="smart packet" connection-mark=smart_conn disabled=no \
new-packet-mark=smart passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=dlink-2540u
add action=src-nat chain=srcnat comment="" disabled=no out-interface=pppoe-out1 src-address=172.16.1.2 \
to-addresses=92.255.86.24
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=92.255.86.24 in-interface=pppoe-out1 \
to-addresses=172.16.1.2
add action=masquerade chain=srcnat comment="For local satnet site" disabled=no out-interface=satnet
add action=masquerade chain=srcnat comment="" disabled=no out-interface=pppoe-out1 src-address=172.16.2.2
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
Letni
September 6, 2010, 8:43pm
7
Since you are not getting a response from 2.1 then your NAT rules are causing the issue.
If you disable them then it should work as expected OR
Option 2 is to add a couple more rules like
/ip firewall nat add chain=srcnat action=accept src-address=172.16.1.0/24 dst-address=172.16.2.0/24
/ip firewall nat add chain=srcnat action=accept src-address=172.16.2.0/24 dst-address=172.16.1.0/24
Make sure these are before your NAT rules.
-Louis
cvv
September 6, 2010, 8:54pm
8
Well, I’ve just disabled them all, doesn’t help
I’ve disabled all the previous rules and added yours, no change
cvv
September 9, 2010, 12:38am
9
Any other suggestions what to look at?
cvv
September 22, 2010, 8:58pm
10
I’ve found the solution, finally.
Silly me!
On the Windows-based computer 172.16.1.2, the network mask was set occasionally to 255.255.0.0 (by default) instead of 255.255.255.0.
That was the issue.
Letni
September 22, 2010, 9:59pm
11
Traceroute results would have shown that sooner.
Glad you found your answer.
-Louis
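The cause found in post 10, worked through as an added example (not code from any poster in the thread): a host decides from its own mask whether a destination is on-link, so with 255.255.0.0 the host 172.16.1.2 treats 172.16.2.x as local and never hands the packet to the router. The function names are hypothetical, the router interface addresses come from the `/ip address print` output above, and the example assumes the router does not proxy-ARP on the `cvv` interface.

```python
import ipaddress

# Router interfaces taken from the "/ip address print" output in the thread.
ROUTER_IFACES = {
    "cvv": ipaddress.ip_interface("172.16.1.1/24"),
    "natasha": ipaddress.ip_interface("172.16.2.1/24"),
}


def next_hop(host_ip, host_mask, gateway, dst):
    """Return ("on-link", dst) or ("gateway", gateway), as a host's IP stack decides."""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    dst = ipaddress.ip_address(dst)
    if dst in iface.network:
        # Host ARPs for dst on its own segment; the router never sees the packet.
        return ("on-link", str(dst))
    return ("gateway", gateway)


def mask_mismatch(host_ip, host_mask):
    """Compare a host's mask with the router interface that serves its address.

    Returns (router_interface, expected_prefixlen, actual_prefixlen) when they
    differ, or None when they agree or no router interface covers the host.
    """
    host = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    for name, rif in ROUTER_IFACES.items():
        if host.ip in rif.network:
            if host.network.prefixlen != rif.network.prefixlen:
                return (name, rif.network.prefixlen, host.network.prefixlen)
            return None
    return None


def ping_plan(host_ip, host_mask, gateway, targets):
    """Map each target to the next-hop decision the host would make."""
    return {t: next_hop(host_ip, host_mask, gateway, t) for t in targets}


if __name__ == "__main__":
    targets = ["172.16.1.1", "172.16.2.1", "172.16.2.2"]
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(mask, mask_mismatch("172.16.1.2", mask))
        for dst, hop in ping_plan("172.16.1.2", mask, "172.16.1.1", targets).items():
            print(f"  {dst:<12} -> {hop[0]} via {hop[1]}")
```

With the /16 mask no probe is ever handed to 172.16.1.1, which matches the three ping results reported in post 6 and is why a traceroute from the host shows no first hop at the router.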