Can't ping between subnets

I have multiple subnets on one router. I am unable to get traffic between them. Traffic between them and the default gateway seems to be fine individually, but for instance, I can’t ping between 10.0.1.155 and 10.1.0.244, in either direction.

I have three LANs, essentially: 10.0.1.0/24, 10.1.0.0/24, and 10.0.3.0/24. The 10.0.3.0/24 is for VPN connections. Is it a route, or a NAT rule I need, or am I completely off base?

/ip route
add distance=1 gateway=69.174.129.201

/ip address
add address=10.0.1.1/24 comment=defconf interface=bridge1-lan network=10.0.1.0
add address=10.1.0.1/24 interface=bridge2-NoPawn network=10.1.0.0
add address=69.174.129.202/30 interface="ether1 Gateway-2-Metro" network=69.174.129.200

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.0.1.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.1.0.0/24
add action=masquerade chain=srcnat src-address=10.0.3.0/24

Unless you block them with your Firewall Filter, you should be able to reach each subnet from your hosts…
Or you have not properly configured Mangles / Policy Route Rules…

The point is you're guessing again, Zach.
For the op, post your config, snippets are useless.

/export hide-sensitive file=anynameyouwish

I have no mangle rules or policy routes, so that’s not the problem.

Here is the entire configuration. I only posted what I posted because I don’t see anywhere else that I might need to change things, and my experience is an entire config is often ignored here.

/interface bridge
add name=bridge1-lan
add name=bridge2-NoPawn
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
set [ find default-name=ether1 ] name="ether1 Gateway-2-Metro"
set [ find default-name=ether2 ] name=ether2-Front-PCs
set [ find default-name=ether3 ] name=ether3-server1
set [ find default-name=ether4 ] name=ether4-NoPawn
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] name=ether7-switch
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/ip dhcp-server option
add code=1 name=option1 value="s'10.0.1.174'"
/ip pool
add name=dhcp ranges=10.0.1.150-10.0.1.254
add name=vpn-pool ranges=10.0.3.1-10.0.3.254
add name=dhcp_pool3 ranges=10.1.0.2-10.1.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1-lan name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=bridge2-NoPawn name=dhcp2
/ppp profile
add bridge=bridge1-lan change-tcp-mss=yes dns-server=10.0.1.100,8.8.8.8 local-address=vpn-pool name=VPN-profile only-one=yes \
    remote-address=vpn-pool use-encryption=yes
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
add access=own-routers,own-users,own-profiles,own-limits,config-payment-gw backup-allowed=yes disabled=no login=MikroTik \
    paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=owner signup-allowed=no time-zone=-00:00
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1-lan interface=ether2-Front-PCs
add bridge=bridge1-lan interface=ether3-server1 trusted=yes
add bridge=bridge2-NoPawn interface=ether4-NoPawn
add bridge=bridge1-lan interface=ether6
add bridge=bridge1-lan interface=ether7-switch
add bridge=bridge1-lan interface=sfp-sfpplus1
add bridge=bridge1-lan interface=combo1
add bridge=bridge2-NoPawn interface=ether5
/interface list member
add interface="ether1 Gateway-2-Metro" list=WAN
add interface=bridge1-lan list=LAN
/interface pptp-server server
set authentication=chap,mschap1,mschap2 default-profile=VPN-profile enabled=yes
/ip address
add address=10.0.1.1/24 comment=defconf interface=bridge1-lan network=10.0.1.0
add address=10.1.0.1/24 interface=bridge2-NoPawn network=10.1.0.0
add address=69.174.129.202/30 interface="ether1 Gateway-2-Metro" network=69.174.129.200
/ip arp
add address=10.1.0.246 interface=bridge2-NoPawn mac-address=C0:74:AD:0C:32:3A
add address=10.1.0.244 interface=bridge2-NoPawn mac-address=6C:71:D9:8F:AB:AB
/ip dhcp-client
add interface="ether1 Gateway-2-Metro"
/ip dhcp-server lease
add address=10.1.0.246 client-id=1:c0:74:ad:c:32:3a mac-address=C0:74:AD:0C:32:3A server=dhcp2
/ip dhcp-server network
add address=10.0.1.0/24 dhcp-option=*6,*3 gateway=10.0.1.1 netmask=24 next-server=10.0.1.55
add address=10.1.0.0/24 gateway=10.1.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=10.0.0.0/8 list=support
/ip firewall filter
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=drop chain=forward dst-port=68 protocol=udp src-address=!10.0.1.1 src-port=67
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR \
    SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment=\
    "Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=\
    2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN HAIRPIN NAT" dst-address=10.0.1.0/24 out-interface="ether1 Gateway-2-Metro" \
    src-address=10.0.1.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.0.1.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.1.0.0/24
add action=masquerade chain=srcnat src-address=10.0.3.0/24
/ip route
add distance=1 gateway=69.174.129.201
/ip service
set telnet address=10.0.1.0/24,10.0.3.0/24
set ftp address=10.0.1.0/24,10.0.3.0/24
set www address=10.0.1.0/24,10.0.3.0/24
set ssh address=10.0.1.0/24,10.0.3.0/24
set api address=10.0.1.0/24,10.0.3.0/24
set api-ssl address=10.0.1.0/24,10.0.3.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp secret
add name=staff profile=VPN-profile service=pptp
add name=george profile=VPN-profile service=pptp
/snmp
set enabled=yes
/system clock
set time-zone-name=America/Indiana/Indianapolis
/tool sniffer
set filter-direction=rx filter-ip-address=10.0.1.55/32 filter-stream=yes streaming-enabled=yes streaming-server=10.0.1.174
/tool user-manager database
set db-path=user-manager
/tool user-manager router
add coa-port=1700 customer=MikroTik disabled=no ip-address=10.0.1.1 log=auth-fail name=router1 use-coa=no
/tool user-manager user
add customer=MikroTik disabled=no ip-address=192.168.2.5 ipv6-dns=:: shared-users=1 username=F0:9F:C2:91:90:02 wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""

Personally I think your firewall rules are a complete mess and resetting those to defaults and getting your basic network needs working should be the priority.
Then if you want to still add in the crap, then you will be doing so from a working status.

For example (you have so many overkill fear rules and yet you allow full access to the router on UDP ???)
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp

For example
You are missing so many basic forward rules it's not funny.

Summary: Reset FW rules to default and then we can work on issues.
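Added example (mine, not from anyone in the thread): a Python check over the export format posted above that flags the two DNS accept rules called out here, because nothing in them limits the source, and re-emits one confined to the LAN interface list. The list name LAN is taken from the posted config; the export lines parsed are a constructed excerpt of it.

```python
import re
import shlex

# Constructed excerpt of the export posted in this thread: only the rules these checks look at.
EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=drop chain=input comment=\
    "Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
'''
# Matchers that confine a rule to a source; an accept without any of them also matches packets from WAN.
SOURCE_KEYS = {"in-interface", "in-interface-list", "src-address", "src-address-list"}

def parse_filter_rules(export):
    """Return the 'add' rules of /ip firewall filter as dicts (export line continuations joined)."""
    text = re.sub(r"\\\n\s*", "", export)       # a trailing backslash continues the line
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            tokens = shlex.split(line)[1:]      # shlex keeps quoted comment values intact
            rules.append(dict(tok.split("=", 1) for tok in tokens))
    return rules

def open_input_accepts(rules, port="53"):
    """Comments of input-chain accept rules for `port` that no source matcher restricts."""
    return [r.get("comment", "") for r in rules
            if r["chain"] == "input" and r["action"] == "accept"
            and port in (r.get("port"), r.get("dst-port"))
            and not SOURCE_KEYS & r.keys()]

def forward_has_catch_all_drop(rules):
    """True if the last forward-chain rule is a drop with no match conditions at all."""
    fwd = [r for r in rules if r["chain"] == "forward"]
    return bool(fwd) and fwd[-1]["action"] == "drop" and not (fwd[-1].keys() - {"chain", "action", "comment"})

def restrict_to_lan(rule):
    """Re-emit a rule as an export line confined to the LAN interface list (assumes the list is named LAN)."""
    fixed = dict(rule, **{"in-interface-list": "LAN"})
    return "add " + " ".join(f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in sorted(fixed.items()))
```

On the posted config the LAN list only contains bridge1-lan, so bridge2-NoPawn and the VPN would need adding to that list before the re-emitted rule serves them.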

Well, OP never mentioned which device type he’s using. If it’s from the pro-line (CCR, CRS3xx, RB1xxx), then it comes with empty default config and OP can’t really revert to default config.

But then configuring those devices requires pro-admin who knows his job …

The problem persists even if I disable all the filter rules. I considered removing them from the config so we wouldn’t be having this discussion. That’s the first place I tested.

As for what router this is, it’s a CCR1009-7g-1c-1s+

As mkx stated, if you don't know what you are doing, you can postulate, suggest, and make assumptions till you're blue in the face.
FW rules actually have functionality in them to ensure the router is working correctly.

There’s not much in forward chain. Icmp could be affected (but echo request and reply is allowed) and tcp 25 or 587 could be blocked if there’s too many connections. But everything else is wide open. So I’d first check firewall on target devices, if it’s allowed there.

I just did more tests, and for some reason almost everything is working now. I have one virtual machine on the server that should have multiple IP addresses on it, and is having trouble receiving traffic from different subnets, but only in one direction. At this point, it’s got to be with that single machine.

I don’t think I have changed anything since posting this, so I’m unsure what happened.

The point is you're guessing again, Zach.

@anav i really try not to guess… :laughing:
However i just mentioned some basics that could lead to such a problem, nothing more nothing less…
Since no extra configuration is needed for 2 or more Subnets to communicate through the same Routing device when they are directly Configured on it…

I figured it out. My FreePBX server was causing the problem. I’m not exactly sure how, but it must have been causing a conflict with traffic somehow. When I put it on a bridge with only a single subnet, everything works fine.