Can't ping different Network in Policy Routing

Hello,
I just configured policy routing for 2 of my uplinks from different ISPs. Both are running well, but I cannot ping one network from the other one. Below is my route list

ip route> rule print
Flags: X - disabled, I - inactive
0 src-address=1XX.10X.38.32/28 routing-mark=FiberNet action=lookup table=FiberNet

ip route> print

DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 1XX.10X.38.20/30 1XX.10X.38.22 Wan
1 ADC 1XX.10X.38.32/28 1XX.10X.38.33 Lan
3 ADC 2YY.14Y.58.80/30 2YY.14Y.58.82 Wan
4 ADC 2YY.14Y.58.96/27 2YY.14Y.58.97 Lan
5 A S ;;; added by setup
0.0.0.0/0 r 2YY.14Y.58.81 Wan
6 A S ;;; added by setup
0.0.0.0/0 r 1XX.10X.38.21 Wan

ip firewall mangle> print

chain=prerouting src-address=1XX.10X.38.32/28 action=mark-routing new-routing-mark=FiberNet passthrough=yes

From network 2YY.14Y.58.96/27 I cannot ping 1XX.10X.38.32/28, and vice versa.

Any solutions, please?

Rafiq…

Could you post your firewall rules ?

MT allows ping on different lines.

I think you must have made some firewall rule that stops it. (Maybe an ICMP drop.)

No firewall rule drops ICMP or any useful port; from each network (2YY.14Y.58.96/27 & 1XX.10X.38.32/28) everything is running well and fine. Both networks can reach out and are reachable from outside, but they are not accessible to each other. They (the networks) live together and share the same room (interface & machine), but it seems they are divorced (no route).

Can anyone please help me make their (the networks') relations good?

:sunglasses:

Rafiq..

Do a traceroute from your computers, one computer from each segment, and post the results here.

For example, on a computer from the range 1XX.10X.38.32/28:

tracert 2YY.14Y.58.100 -d

From network 1XX.10X.38.32/28:
tracert 2YY.14Y.58.100 -d

Tracing route to 202.148.58.102 over a maximum of 30

1 <1 ms <1 ms <1 ms 1XX.10X.38.33
2 <1 ms <1 ms <1 ms 1XX.10X.38.21
3 1 ms <1 ms <1 ms 1XX.10X.38.1
4 3 ms 2 ms 1 ms 1XX.10X.32.18

And then it gets IPs from the 1XX.10X.38.32/28 block's ISP and goes into a routing loop.

And from 2YY.14Y.58.100:

traceroute 1XX.10X.38.42

traceroute to 1XX.10X.38.42 (1XX.10X.38.42), 30 hops max, 38 byte packets
1 2YY.14Y.58.97 (202.148.58.97) 0.205 ms 0.151 ms 0.149 ms
2 * * *
3 * * *


Rafiq…

I think it is in a loop, and you can use Spanning Tree Protocol to break such a loop.


Regards

Avijit

I think that you have to exclude traffic between these subnets from the policy-routing rules; then communication should work. It should be something like 'ip firewall mangle add src-address=local_subnet_1 dst-address=local_subnet_2 action=accept passthrough=no'.
Place this rule before the mark-routing rules.

Dear sergejs,
I just put in the following mangle rule, but things remain the same. I also tried the prerouting chain.
ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward src-address=2YY.14Y.58.96/27 dst-address=1XX.10X.38.32/28 action=accept

Rafiq…
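To make the behaviour in this thread concrete (the opening post's mangle rule, sergejs's accept-before-mark suggestion, and the forward-chain accept rule tried just above), here is an added Python model of the RouterOS decision sequence: prerouting mangle sets the routing-mark, then the route lookup happens in the marked table. It is illustrative code written for this page, not RouterOS and not anything the poster ran. Assumptions: the masked ISP ranges (1XX.10X.38.x, 2YY.14Y.58.x) are replaced with RFC 5737 documentation prefixes of the same lengths and host offsets, and the FiberNet table, which the thread never prints, is assumed to hold a single default route via the ISP A gateway (consistent with hop 2 of the posted tracert). Fallback to main when a marked table has no match is modelled but not exercised.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Stand-in addresses (assumption): the post masks the real ISP ranges as
# 1XX.10X.38.x and 2YY.14Y.58.x, so RFC 5737 documentation prefixes with the
# same lengths and host offsets are used here instead.
ISP_A_WAN = "198.51.100.20/30"   # for 1XX.10X.38.20/30
ISP_A_GW  = "198.51.100.21"      # for 1XX.10X.38.21 (FiberNet gateway)
ISP_A_LAN = "198.51.100.32/28"   # for 1XX.10X.38.32/28 (the marked subnet)
ISP_B_WAN = "203.0.113.80/30"    # for 2YY.14Y.58.80/30
ISP_B_GW  = "203.0.113.81"       # for 2YY.14Y.58.81
ISP_B_LAN = "203.0.113.96/27"    # for 2YY.14Y.58.96/27
HOST_A, HOST_B = "198.51.100.42", "203.0.113.100"   # for ...38.42 and ...58.100

@dataclass
class Route:
    dst: str
    iface: str
    gateway: Optional[str] = None   # None: directly connected
    distance: int = 0
    table: str = "main"

ROUTES = [
    Route(ISP_A_WAN, "Wan"), Route(ISP_A_LAN, "Lan"),
    Route(ISP_B_WAN, "Wan"), Route(ISP_B_LAN, "Lan"),
    Route("0.0.0.0/0", "Wan", ISP_B_GW, 1),
    Route("0.0.0.0/0", "Wan", ISP_A_GW, 2),
    # Assumption: the thread never prints the FiberNet table; a lone default
    # route via the ISP A gateway is assumed (it matches hop 2 of the tracert).
    Route("0.0.0.0/0", "Wan", ISP_A_GW, 1, table="FiberNet"),
]

@dataclass
class Mangle:
    chain: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    action: str = "accept"        # "accept" or "mark-routing"
    mark: Optional[str] = None
    passthrough: bool = True

def routing_mark(src, dst, rules):
    """Routing-mark a packet src->dst carries into the routing decision.
    Only chain=prerouting rules run before routing; forward-chain rules are
    skipped because they execute after the route has already been chosen.
    accept stops the chain; mark-routing stops it only with passthrough=no."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = None
    for r in rules:
        if r.chain != "prerouting":
            continue
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.action == "accept":
            break
        if r.action == "mark-routing":
            mark = r.mark
            if not r.passthrough:
                break
    return mark

def lookup(dst, table):
    """Longest-prefix match in `table`, ties broken by lowest distance.
    Falls back to main when the marked table has no match (RouterOS
    action=lookup behaviour; not exercised with the tables above)."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in ROUTES if r.table == table and d in ipaddress.ip_network(r.dst)]
    if not hits:
        return lookup(dst, "main") if table != "main" else None
    return max(hits, key=lambda r: (ipaddress.ip_network(r.dst).prefixlen, -r.distance))

def decide(src, dst, rules):
    """(routing-mark, egress interface, next hop) for one packet."""
    mark = routing_mark(src, dst, rules)
    r = lookup(dst, mark or "main")
    return mark, r.iface, r.gateway

# The opening post: every packet sourced from the FiberNet subnet is marked.
ORIGINAL = [Mangle("prerouting", src=ISP_A_LAN, action="mark-routing",
                   mark="FiberNet", passthrough=True)]
# The later attempt: accept in chain=forward, which runs after routing.
FORWARD_ACCEPT = [Mangle("forward", src=ISP_B_LAN, dst=ISP_A_LAN)] + ORIGINAL
# sergejs's suggestion: exempt subnet-to-subnet traffic before the mark rule.
FIXED = [Mangle("prerouting", src=ISP_A_LAN, dst=ISP_B_LAN),
         Mangle("prerouting", src=ISP_B_LAN, dst=ISP_A_LAN)] + ORIGINAL

def demo(rules):
    return {"A->B": decide(HOST_A, HOST_B, rules),
            "B->A": decide(HOST_B, HOST_A, rules),
            "A->internet": decide(HOST_A, "192.0.2.1", rules)}

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("forward accept", FORWARD_ACCEPT),
                        ("fixed", FIXED)]:
        print(name, demo(rules))
```

With the original rule set, a packet from the marked subnet to the other LAN carries routing-mark FiberNet, so the lookup is done in the FiberNet table, which has no connected route for the neighbouring /27 and sends it to the ISP A gateway: exactly hop 2 in the posted tracert. The reverse direction is unmarked and delivered directly on Lan, but the replies from the marked subnet leave via the WAN, which is why the traceroute from 2YY.14Y.58.100 shows the router and then nothing. The forward-chain accept rule changes nothing because the routing decision has already been made by the time that chain runs. An accept rule for subnet-to-subnet traffic placed in chain=prerouting above the mark-routing rule leaves those packets unmarked, so the main table's connected route wins, while traffic to the Internet from the marked subnet is still sent via FiberNet.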

Dear Abab

Try disabling these two records in your routing table:

0.0.0.0/0 r 2YY.14Y.58.81 Wan 
0.0.0.0/0 r 1XX.10X.38.21 Wan

After that, try tracert again and let me know.

Dear sariao,
These two

0.0.0.0/0 r 2YY.14Y.58.81 Wan
0.0.0.0/0 r 1XX.10X.38.21 Wan

are my network's default gateways. Disabling those takes my network down from outside!!

Any other solutions, please?

Rafiq…

I know these are your default gateways, man. Disable them, do the trace and submit the results; after that you can re-enable them! Plus, submit your routing table with details and submit your NAT rules if you have any.

Dear sariao,
It is a fully running system and it is not possible to stop it. Please, any other solutions?

Thanks for your reply.

Rafiq…

Fine, then post your routing table with full details, and your NAT and filter rules.