Can't ping between two specific LANs

Hi
The router is RB3011UiAS Ver 7.1.3
There are multiple LANs on ports 4,5 and 6
Hosts on the LANs on ports 4 and 5 can ping each other, but hosts on the LAN on port 6 are not reachable from LAN4 and LAN5.
A specific host on LAN6 has a static IP, with the MT router as its gateway. It has internet access through the MT router, and the MT router can ping that host.
In the connections table, I see a C beside the ping connection.
It seems that packets can’t be forwarded from the port 6 LAN.
The router config is not complicated, and there is no difference between the LAN5 and LAN6 config.


This is the config:
# RouterOS export as pasted in the forum post (RB3011UiAS, RouterOS 7.1.3). Long
# lines are wrapped as posted and the quotes are typographic, so this text will
# not import verbatim. Lines starting with '#' are review notes; the
# configuration lines themselves are unchanged.
/interface pptp-server
add comment=“Emertat PPTP In” name=pptp-in-emertat user=emertat
/interface bridge
# Four separate bridges; protocol-mode=none means no spanning-tree on any of them.
add comment=“General Bridge” name=bridge-General protocol-mode=none
add comment=“Software Bridge” name=bridge-Software protocol-mode=none
add comment=“VPN Bridge” name=bridge-VPN protocol-mode=none
add comment=“Voip Bridge” name=bridge-Voip protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=“Mena LAN” name=ether1-Mena
set [ find default-name=ether2 ] comment=“TCT LAN” name=ether2-TCT
set [ find default-name=ether3 ] comment=“Pars LAN” name=ether3-Pars
set [ find default-name=ether4 ] comment=“Software LAN” name=ether4-Software
set [ find default-name=ether5 ] comment=“General LAN” name=ether5-General
set [ find default-name=ether6 ] comment=“Voip LAN” name=ether6-Voip
set [ find default-name=ether7 ] comment=“TCT Voip VLAN” name=ether7-TCT3703
set [ find default-name=ether8 ] comment=“Fiber Modem Port4” name=
ether8-Fiber4
set [ find default-name=sfp1 ] comment=“Fiber Module” disabled=yes name=sfp
/interface l2tp-server
add comment=“WAN L2TP In” name=L2TP-In user=Vahid
/interface eoip
# Remote address redacted by the poster (x.x.x.x); the tunnel is bridged into
# bridge-VPN below.
add mac-address=02:3D:8F:42:63:3E mtu=1500 name=eoip-GermanVPS
remote-address=x.x.x.x tunnel-id=80
/interface pppoe-client
# Three PPPoE uplinks (Mena, Pars, TCT); these are the WAN list members.
add comment=“Mena PPPOE” disabled=no interface=ether1-Mena keepalive-timeout=
60 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-Mena user=lan-emertat
add comment=“Pars PPPOE” disabled=no interface=ether3-Pars keepalive-timeout=
60 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-Pars user=2188647505
add comment=“TCT PPPOE” disabled=no interface=ether2-TCT keepalive-timeout=60
name=pppoe-TCT user=2199119970@tct8
/interface list
add name=VPN
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=150 name=“Cisco Option” value=“‘192.168.0.6’”
add code=66 name=“TFTP Server” value=“‘192.168.0.6’”
add code=2 name=“Time Offset” value=0x3138
add code=46 name=“WINS/NBT Node Type” value=0x08
/ip ipsec profile
# Default IPsec profile/proposal, used by the L2TP server below (use-ipsec=yes).
# 3des and modp1024 are legacy choices; current guidance prefers AES and a
# larger DH group.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=L2TP-VPN ranges=192.168.77.11-192.168.77.249
add name=Local-VPN-Pool ranges=192.168.75.11-192.168.75.249
add name=dhcp-General ranges=192.168.0.41-192.168.0.199
add name=dhcp-Software ranges=192.168.5.41-192.168.5.249
add name=dhcp-VPN-Bridge ranges=192.168.80.11-192.168.80.249
/ip dhcp-server
# DHCP runs on bridge-VPN, bridge-Software and bridge-General only; there is no
# DHCP server on bridge-Voip (its host is statically addressed, per the post).
add address-pool=dhcp-VPN-Bridge interface=bridge-VPN lease-time=1h name=
VPN-Bridge
add address-pool=dhcp-Software authoritative=after-2sec-delay interface=
bridge-Software lease-time=3d name=dhcp-Software
add address-pool=dhcp-General authoritative=after-2sec-delay interface=
bridge-General lease-time=3d name=dhcp-General
/port
set 0 name=serial0
/ppp profile
set *0 use-ipv6=default
add comment=“WAN In L2TP” dns-server=192.168.77.1 local-address=192.168.77.1
name=L2TP remote-address=L2TP-VPN use-compression=yes use-encryption=yes
use-ipv6=default
add comment=“Emertat Internal VPN” dns-server=8.8.8.8,1.1.1.1 local-address=
192.168.75.1 name=PPTP remote-address=Local-VPN-Pool use-compression=yes
use-encryption=yes use-ipv6=default
/routing table
# One routing table per uplink plus one for the VPN tunnel; the mangle rules
# below select them by routing mark.
add disabled=no fib name=Mena
add disabled=no fib name=Pars
add disabled=no fib name=TCT
add disabled=no fib name=VPN
/interface bridge port
# ether6-Voip and ether7-TCT3703 are both ports of bridge-Voip, which carries the
# 10.198.20.4/30 address below (usable hosts: .5 on the router, .6 for one host).
add bridge=bridge-VPN interface=eoip-GermanVPS
add bridge=bridge-General interface=ether5-General trusted=yes
add bridge=bridge-Software interface=ether4-Software
add bridge=bridge-VPN interface=ether8-Fiber4
add bridge=bridge-Voip interface=ether6-Voip
add bridge=bridge-Voip interface=ether7-TCT3703
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
# Hardening note: accepting ICMP redirects and source-routed IPv4 packets lets a
# remote sender influence the router's forwarding path; both are normally left
# off unless something specifically depends on them.
set accept-redirects=yes accept-source-route=yes
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
# detect-internet runs on every interface (all), WAN and VPN ones included.
set detect-interface-list=all
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=L2TP enabled=
yes use-ipsec=yes
/interface list member
# bridge-Voip itself is not a LAN list member (only its port ether6-Voip is),
# unlike bridge-General and bridge-Software. The input rules below use the LAN
# list only for PPTP (gre and tcp/1723); ICMP and DNS are matched on !WAN, so
# this asymmetry does not affect ping or DNS from that bridge.
add interface=L2TP-In list=VPN
add interface=bridge-VPN list=VPN
add interface=eoip-GermanVPS list=VPN
add interface=pptp-in-emertat list=VPN
add interface=bridge-General list=LAN
add interface=bridge-Software list=LAN
add interface=ether4-Software list=LAN
add interface=ether5-General list=LAN
add interface=pppoe-Mena list=WAN
add interface=pppoe-Pars list=WAN
add interface=pppoe-TCT list=WAN
add interface=ether6-Voip list=LAN
add interface=ether8-Fiber4 list=VPN
/interface pptp-server server
# PPTP server enabled with the PPTP profile. PPTP is a legacy VPN protocol whose
# authentication is widely regarded as weak; the L2TP/IPsec server above is the
# stronger alternative already configured here.
set default-profile=PPTP enabled=yes
/ip address
add address=192.168.0.5/24 interface=bridge-General network=192.168.0.0
add address=192.168.5.5/24 interface=bridge-Software network=192.168.5.0
add address=192.168.80.2/24 interface=bridge-VPN network=192.168.80.0
# /30 on the VoIP bridge: .4 network, .5 router, .6 the one host, .7 broadcast.
add address=10.198.20.5/30 interface=bridge-Voip network=10.198.20.4
/ip dhcp-server lease
add address=192.168.0.18 client-id=1:c8:fe:30:ff:d7:32 comment=Citex
mac-address=C8:FE:30:FF:D7:32 server=dhcp-General
add address=192.168.0.100 client-id=1:48:5b:39:51:9d:dc comment=
“Alizadeh-NB LAN” mac-address=48:5B:39:51:9D:DC server=dhcp-General
add address=192.168.0.110 client-id=1:8c:73:6e:b7:d7:71 comment=
“Sadatfar-NB LAN” mac-address=8C:73:6E:B7:D7:71 server=dhcp-General
add address=192.168.0.111 client-id=1:0:26:b9:a7:f1:d5 comment=
“Pakdaman-NB LAN” mac-address=00:26:B9:A7:F1:D5 server=dhcp-General
add address=192.168.0.200 client-id=1:28:d2:44:42:aa:15 comment=
“Zarrabi-NB LAN” mac-address=28:D2:44:42:AA:15 server=dhcp-General
/ip dhcp-server network
add address=192.168.0.0/24 comment=“General LAN DHCP” dhcp-option=
“Time Offset,WINS/NBT Node Type” dns-server=192.168.0.2 domain=emertat.
gateway=192.168.0.5 netmask=24 ntp-server=192.168.0.2 wins-server=
192.168.0.2
add address=192.168.5.0/24 comment=“Software LAN DHCP” dns-server=192.168.5.5
gateway=192.168.5.5 netmask=24
# NOTE(review): domain=1.1.1.1 sets the DNS domain name handed to clients, not a
# second resolver; presumably meant as part of dns-server — confirm.
add address=192.168.80.0/24 comment=“VPN Bridge DHCP” dns-server=8.8.8.8
domain=1.1.1.1 gateway=192.168.80.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver; the input chain below
# accepts udp/53 only from non-WAN interfaces, so it is not an open resolver
# toward the internet.
set allow-remote-requests=yes servers=185.51.200.2,178.22.122.100
/ip firewall address-list
add address=192.168.0.0/24 comment=“General LAN Network” list=
“General LAN Network”
add address=x.x.x.x comment=“German VPS” list=“German VPS”
add address=192.168.5.0/24 comment=“Software LAN Network” list=
“Software LAN Network”
add address=192.168.0.15 comment=Software-Server list=Software-Server
add address=192.168.5.2 list=Software-Server
add address=192.168.80.0/24 comment=“VPN Bridge Network” list=
“VPN Bridge Network”
add address=192.168.0.100 comment=“Alizadeh-NB LAN” disabled=yes list=VIP
add address=192.168.0.200 comment=“Zarrabi-NB LAN” disabled=yes list=VIP
add address=192.168.0.110 comment=“Sadatfar-NB LAN” list=VIP
add address=192.168.0.111 comment=“Pakdaman-NB LAN” disabled=yes list=VIP
# PBX contains 10.198.20.6 — the single host behind bridge-Voip — plus
# 192.168.0.6. The “Issabel NAT” mangle rule below marks everything sourced from
# this list.
add address=10.198.20.6 comment=“Voip Center” list=PBX
add address=192.168.0.6 list=PBX
/ip firewall filter
# Input chain: explicit accepts followed by a final drop. Two exposure points
# worth noting: the Winbox rule has no in-interface restriction, so tcp/7353 is
# also accepted on the WAN PPPoE interfaces, and “German VPS Incoming” accepts
# every protocol and port from that address. The forward chain has only the two
# drop rules and no final drop, so anything else that has a route (including
# WAN-originated traffic) is forwarded.
add action=accept chain=input comment=Winbox dst-port=7353 protocol=tcp
add action=accept chain=input comment=“L2TP In” dst-port=4500,500,1701
in-interface-list=WAN protocol=udp
add action=accept chain=input comment=ICMP in-interface-list=!WAN protocol=
icmp
add action=accept chain=input comment=“DNS Server” dst-port=53
in-interface-list=!WAN protocol=udp
add action=accept chain=input comment=Webfig dst-port=80 in-interface=
bridge-General protocol=tcp
add action=accept chain=input comment=PPTP in-interface-list=LAN protocol=gre
add action=accept chain=input dst-port=1723 in-interface-list=LAN protocol=
tcp
add action=accept chain=input comment=“German VPS Incoming” src-address-list=
“German VPS”
add action=accept chain=input comment=“Established, Untracked, Related Allow”
connection-state=established,related,untracked
add action=accept chain=output comment=“Default Output”
# Only forward-chain drops: Software -> General, and invalid connections.
add action=drop chain=forward comment=“Drop Between Software and General”
in-interface=bridge-Software out-interface=bridge-General
add action=drop chain=forward comment=“Invalid Forward Drop”
connection-state=invalid
add action=drop chain=input comment=“Default Input Drop”
/ip firewall mangle
# Connections dst-natted in via each uplink are marked so their replies leave
# through the same uplink (routing mark set in prerouting from the connection
# mark).
add action=mark-connection chain=forward comment=“Mena In DesNAT Connection”
connection-nat-state=dstnat in-interface=pppoe-Mena new-connection-mark=
MenaIn passthrough=yes
add action=mark-connection chain=forward comment=“Pars In DesNAT Connection”
connection-nat-state=dstnat in-interface=pppoe-Pars new-connection-mark=
ParsIn passthrough=yes
add action=mark-connection chain=forward comment=“TCT In DesNAT Connection”
connection-nat-state=dstnat in-interface=pppoe-TCT new-connection-mark=
TCTIn passthrough=yes
add action=mark-routing chain=prerouting comment=
“Mena In Connection Preroute” connection-mark=MenaIn new-routing-mark=
Mena passthrough=no
add action=mark-routing chain=prerouting comment=
“Pars In Connection Preroute” connection-mark=ParsIn new-routing-mark=
Pars passthrough=no
add action=mark-routing chain=prerouting comment=“TCT In Connection Preroute”
connection-mark=TCTIn new-routing-mark=TCT passthrough=no
# Per-source uplink selection; all passthrough=no, so the first matching rule
# decides and the later, broader “General Bridge” / “Software Bridge” rules only
# catch what was not matched above them.
add action=mark-routing chain=prerouting comment=“Server1 & 2”
new-routing-mark=Mena passthrough=no src-address=192.168.0.1-192.168.0.2
add action=mark-routing chain=prerouting comment=Server3 new-routing-mark=TCT
passthrough=no src-address=192.168.0.3
add action=mark-routing chain=prerouting comment=“Software Server”
new-routing-mark=TCT passthrough=no src-address-list=Software-Server
# Applies routing-mark TCT to every packet sourced from the PBX list, which
# includes the 10.198.20.6 VoIP host. Table TCT holds only a default route via
# pppoe-TCT; whether the lookup-only-in-table rules under /routing rule take
# precedence over this mark for LAN destinations depends on the RouterOS
# version — worth verifying when troubleshooting reachability between
# bridge-Voip and the other LANs.
add action=mark-routing chain=prerouting comment=“Issabel NAT”
new-routing-mark=TCT passthrough=no src-address-list=PBX
add action=mark-routing chain=prerouting comment=“VClient Marking”
new-routing-mark=Mena passthrough=no src-address=192.168.0.25
add action=mark-routing chain=prerouting comment=“VIP Marking”
new-routing-mark=TCT passthrough=no src-address-list=VIP
add action=mark-routing chain=prerouting comment=“General Bridge”
new-routing-mark=Pars passthrough=no src-address-list=
“General LAN Network”
add action=mark-routing chain=prerouting comment=“Software Bridge”
new-routing-mark=TCT passthrough=no src-address-list=
“Software LAN Network”
add action=mark-routing chain=prerouting comment=“PPTP Emertat Route”
new-routing-mark=VPN passthrough=no src-address=
192.168.75.11-192.168.75.249
add action=mark-routing chain=prerouting comment=“L2TP Emertat Route”
new-routing-mark=TCT passthrough=no src-address=
192.168.77.11-192.168.77.249
/ip firewall nat
# Port forwards. “VClient RDP” has no in-interface or dst-address match, so
# tcp/3399 arriving on any interface (LAN included) is rewritten to
# 192.168.0.25:3389; the other dst-nat rules are pinned to a specific uplink.
# RDP (3389) reachable from the internet is a common target — worth confirming
# these exposures are intended.
add action=dst-nat chain=dstnat comment=“VClient RDP” dst-port=3399 protocol=
tcp to-addresses=192.168.0.25 to-ports=3389
add action=dst-nat chain=dstnat comment=“Server2 SQL” dst-port=1444
in-interface=pppoe-Mena protocol=tcp to-addresses=192.168.0.2 to-ports=
1433
add action=dst-nat chain=dstnat comment=DVRs dst-port=6036 in-interface=
pppoe-Mena protocol=tcp to-addresses=192.168.0.21
add action=dst-nat chain=dstnat dst-port=6036 in-interface=pppoe-TCT
protocol=tcp to-addresses=192.168.0.22
add action=dst-nat chain=dstnat comment=“Issabel IAX” dst-port=6265
in-interface=pppoe-Mena protocol=udp to-addresses=10.198.20.6 to-ports=
4569
add action=dst-nat chain=dstnat comment=“Server3 RDP” dst-port=8978
in-interface=pppoe-Mena protocol=tcp to-addresses=192.168.0.3 to-ports=
3389
add action=dst-nat chain=dstnat comment=“Alizadeh-NB RDP” disabled=yes
dst-port=33100 protocol=tcp to-addresses=192.168.0.100 to-ports=3389
# Masquerade per uplink.
add action=masquerade chain=srcnat comment=“TCT NAT” out-interface=pppoe-TCT
add action=masquerade chain=srcnat comment=“Pars NAT” out-interface=
pppoe-Pars
add action=masquerade chain=srcnat comment=“Mena NAT” out-interface=
pppoe-Mena
/ip firewall service-port
# SIP connection-tracking helper disabled (usual for a PBX behind NAT).
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Each WAN/VPN table holds only a default route; the connected LAN prefixes live
# in main, which is why the routing rules below force main for local
# destinations.
add comment=“German VPS Marked” disabled=no dst-address=0.0.0.0/0 gateway=
192.168.80.1 routing-table=VPN suppress-hw-offload=no
add comment=“TCT Marked Route” disabled=no distance=1 dst-address=0.0.0.0/0
gateway=pppoe-TCT pref-src=“” routing-table=TCT scope=30
suppress-hw-offload=no target-scope=10
add comment=“Mena Marked Route” disabled=no dst-address=0.0.0.0/0 gateway=
pppoe-Mena routing-table=Mena suppress-hw-offload=no
add comment=“Pars Marked Route” disabled=no distance=1 dst-address=0.0.0.0/0
gateway=pppoe-Pars pref-src=“” routing-table=Pars scope=30
suppress-hw-offload=no target-scope=10
add comment=“Router Default Gateway” disabled=no distance=1 dst-address=
0.0.0.0/0 gateway=pppoe-Mena pref-src=77.237.74.108 routing-table=main
scope=30 suppress-hw-offload=no target-scope=10
/ip service
# telnet/ftp/ssh/api/api-ssl disabled and Winbox moved to 7353. www is not
# listed, so it keeps its default and is reachable only where the Webfig filter
# rule accepts tcp/80 (in-interface=bridge-General).
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=7353
set api-ssl disabled=yes
/lcd interface
set ether1-Mena disabled=yes
set ether2-TCT disabled=yes
set ether3-Pars disabled=yes
set sfp disabled=yes
set ether6-Voip disabled=yes
set ether7-TCT3703 disabled=yes
set ether8-Fiber4 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
add interface=pppoe-Mena
add interface=pppoe-Pars
add interface=pppoe-TCT
/lcd interface pages
set 0 interfaces=
ether4-Software,ether5-General,pppoe-Mena,pppoe-TCT,pppoe-Pars
/ppp secret
add comment=“Shekarpour VPN User” name=Vahid profile=L2TP service=l2tp
add comment=“Emertat Internal VPN” name=emertat profile=PPTP service=pptp
/routing rule
# lookup-only-in-table main for each local prefix (General, Software, VPN
# bridge, L2TP pool and the VoIP /30), intended so that marked traffic to a LAN
# destination still resolves via main rather than the uplink table.
add action=lookup-only-in-table comment=“German VPS” disabled=no dst-address=
5.9.219.69/32 table=TCT
add action=lookup-only-in-table comment=“General Bridge” disabled=no
dst-address=192.168.0.0/24 table=main
add action=lookup-only-in-table comment=“Software Bridge” disabled=no
dst-address=192.168.5.0/24 table=main
add action=lookup-only-in-table comment=“German VPS eoip Tunnel” disabled=no
dst-address=192.168.80.0/24 table=main
add action=lookup-only-in-table comment=“L2TP In” disabled=no dst-address=
192.168.77.0/24 table=main
add action=lookup-only-in-table comment=“Voip Bridge” disabled=no
dst-address=10.198.20.4/30 table=main
/system clock
set time-zone-name=Asia/Tehran
/system identity
set name=“Emertat 1001N”
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=192.168.0.2
add address=20.101.57.9

It seems that nobody will help me. Even a small point is appreciated.

Sure, but I work with VLANs and one bridge. All those bridges and mangling, sorry, that's worse than frogs in my bed…
It's a tad too complex for me to spot any obvious errors.

Personally I think your firewall rules are a disorganized mess, but if it works it works.
This is the only forward-chain block I could see:
add action=drop chain=forward comment=“Drop Between Software and General”
in-interface=bridge-Software out-interface=bridge-General

If I understand your config right, it seems that you don’t have multiple LANs on one port; you have some LANs on multiple ports.

/interface bridge port
add bridge=bridge-VPN interface=eoip-GermanVPS
add bridge=bridge-General interface=ether5-General trusted=yes
add bridge=bridge-Software interface=ether4-Software
add bridge=bridge-VPN interface=ether8-Fiber4
add bridge=bridge-Voip interface=ether6-Voip
add bridge=bridge-Voip interface=ether7-TCT3703

ether6 and ether7 are in the bridge “bridge-Voip”, and the bridge has the IP “10.198.20.5/30”.

/ip address
add address=192.168.0.5/24 interface=bridge-General network=192.168.0.0
add address=192.168.5.5/24 interface=bridge-Software network=192.168.5.0
add address=192.168.80.2/24 interface=bridge-VPN network=192.168.80.0
add address=10.198.20.5/30 interface=bridge-Voip network=10.198.20.4

As far as I know, a 10.198.20.4/30 has only 2 usable IP addresses:
10.198.20.5 <- the bridge, and
10.198.20.6 <- one other host.
.4 is the network address and .7 the broadcast address.
Do you have a problem with your netmask? Can you ping 10.198.20.5 from “Software LAN” or “General LAN”?
And 404Network is right about your firewall: there are only 2 forward rules,
one that drops invalid traffic and one that drops traffic from “bridge-Software” to “bridge-General”.

/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=7353 protocol=tcp
add action=accept chain=input comment="L2TP In" dst-port=4500,500,1701 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=ICMP in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment="DNS Server" dst-port=53 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment=Webfig dst-port=80 in-interface=bridge-General protocol=tcp
add action=accept chain=input comment=PPTP in-interface-list=LAN protocol=gre
add action=accept chain=input dst-port=1723 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="German VPS Incoming" src-address-list="German VPS"
add action=accept chain=input comment="Established, Untracked, Related Allow" connection-state=established,related,untracked
add action=accept chain=output comment="Default Output"
add action=drop chain=forward comment="Drop Between Software and General" in-interface=bridge-Software out-interface=	
add action=drop chain=forward comment="Invalid Forward Drop" connection-state=invalid
add action=drop chain=input comment="Default Input Drop"
/ip firewall mangle

So nothing from port 4 or 5 should be blocked. (And nothing from the other bridges, the VLANs or the internet …).

And if you hover with your mouse over the entry in the first column of the firewall connection table, you get a popup like this:
popup.PNG
For a successful ping you need SC; if you only get a C, then the router didn’t get reply packets, or the packets can’t be matched to the request.

Thanks for your lovely response.
Exactly. I have one host behind bridge-Voip with IP 10.198.20.6. It’s visible from the router and the router is visible from the host, but bridge-General and bridge-Software hosts can’t see the specified host, and the host can’t see them either.
I see only a C beside the connection. I tried disabling all the filter rules and even the mangle rules, but it didn’t help. I tried other IP addressing for the host and the VoIP bridge with a /24 subnet, but that didn’t help either.

Thanks for your response. I have three WANs, eight LANs and some complicated routing. It works well. But you’re right, it’s somewhat weird!

Three WANs is fine; I would just have one bridge, and that bridge would not be involved in DHCP etc.
It would be all VLANs instead of LANs.

Just to make sure…
A while ago I came across some devices that were only reachable from the same network, because they were configured/built that way.
A few of these devices had an option to change this behavior, others did not.
I had to google for a while to find the information.

I think perhaps you can do a traceroute or tracert in both directions to make sure that there isn’t something funny in the routing.
As far as I can see, I would expect 2 entries (the IP of your router and the IP of your target host) in the list if it is successful, or the IP of your router followed by lines without IP addresses where all times are ‘*’.
If you find other IP addresses, or the address of your router a couple of times, I would expect a routing problem.
If possible I would recommend the test in both directions, because sometimes the way back is the problem.

You can also make a packet capture (tools packet-sniffer) on your router while pinging. If you use the option to write it to a file like ‘dump.pcap’, you can open and analyze it with Wireshark.

I did the trace. From the router, the first hop is the host. From the host, the first hop is the router, and the following hops show only a * sign. If I trace the router from the host, the first hop is the router and there is nothing more.
Port 6 is on the second switch chip of the router. Could that be causing the problem?
How should I use the packet sniffer?