Can't ping host on other subnet, only other subnet's gateway.

Greetings

I’m having an issue with subnetting on my MikroTik router.

I am attempting to have two subnets communicate with each other. This is something I’ve done many times before without issue, however tonight stuff just isn’t working. :frowning:

Router has 5 ports…

Ext1 = WAN
Int1 = Office1 LAN (10.1.20.1/24)
Int2 and 3 = Empty
Int4 = Office2 LAN (10.66.89.1/24)

I am able to ping from a host on Office1 to the gateway on Office2 and that’s it. I cannot ping anything on Office2 other than the gateway, can’t ping any hosts on Office2.

IP / Interface / Route settings: http://i.imgur.com/g4Nmg.png

When I use the ping utility within MikroTik I cannot ping either gateway from the other…

Ping from Int1 to 10.66.89.1 on Int4: http://i.imgur.com/b6iPy.png

Ping from Int4 to 10.1.20.1 on Int1: http://i.imgur.com/f57xg.png

Using the same utility, I can NOT ping from Int1 to 8.8.8.8 (Google’s DNS)

I also can NOT ping from Int4 to 8.8.8.8 (Google’s DNS)

Here is a screenshot of this. The result is the same when selecting either interface.

http://i.imgur.com/sIo94.png

The only interface which can ping it is Ext1 as that’s the WAN.

Hosts in the Office1 subnet have FULL internet access, DNS, can ping Google’s DNS, everything is dandy. For whatever reason the router can’t though… :confused:

Please post /ip firewall export

/ip firewall address-list
add address=24.38.66.235 comment="VHS Main IP" disabled=no list=VHSAdmin
add address=24.190.238.7 comment="Andrew Home" disabled=no list=VHSAdmin
add address=24.38.66.244 disabled=no list=VHSAdmin
add address=24.228.141.237 disabled=no list=VHSAdmin
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input \
    comment=" Only accept administrative packets from addresses in the address list VHSAdmin." \
    disabled=no dst-port=8291,8728,22 protocol=tcp src-address-list=VHSAdmin
add action=drop chain=input disabled=no dst-port=21,22,23,80,443,8291 \
    protocol=tcp
add action=accept chain=input comment="Allow Winbox from internal network." \
    disabled=no dst-port=8291 protocol=tcp src-address=10.1.20.0/24
add action=drop chain=input \
    comment="Drop all packets sent to router on port 8291." disabled=no \
    dst-port=8291 protocol=tcp
add action=drop chain=input \
    comment="Drop and packets which can’t be classified as ESTABLISHED, RELATED, NEW." \
    connection-state=invalid disabled=no
add action=accept chain=input \
    comment="If the packet is part of an established connection, accept it." \
    connection-state=established disabled=no
add action=accept chain=input comment="L2TP Ports" disabled=no \
    dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="L2TP ESP" disabled=no protocol=ipsec-esp
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Out Main IP" disabled=no \
    out-interface=Ext1
add action=accept chain=srcnat disabled=no dst-address=192.168.1.0/24 \
    src-address=10.1.20.0/24
add action=dst-nat chain=dstnat comment="FWD FNet(14426) to Jargon" disabled=no \
    dst-port=14426 protocol=udp to-addresses=10.1.20.69 to-ports=14426
add action=dst-nat chain=dstnat \
    comment="FWD RDP(3389) to Jarogon, Translate to 3390." disabled=no \
    dst-address=24.38.66.235 dst-port=3390 protocol=tcp \
    src-address-list=VHSAdmin to-addresses=10.1.20.69 to-ports=3389
add action=dst-nat chain=dstnat comment="FWD SMTP(25) to Exchange svr." \
    disabled=no dst-address=24.38.66.235 dst-port=25 protocol=tcp \
    to-addresses=10.1.20.102 to-ports=25
add action=dst-nat chain=dstnat comment="FWD HTTP(80) to Exchange svr" \
    disabled=no dst-address=24.38.66.235 dst-port=80 protocol=tcp \
    to-addresses=10.1.20.102 to-ports=80
add action=dst-nat chain=dstnat comment="FWD HTTPS(443) to Exchange svr" \
    disabled=no dst-address=24.38.66.235 dst-port=443 protocol=tcp \
    to-addresses=10.1.20.102 to-ports=443
add action=dst-nat chain=dstnat \
    comment="FWD HTTP(80) to Exchange svr and translate port to 81." \
    disabled=no dst-address=24.38.66.236 dst-port=80 protocol=tcp \
    to-addresses=10.1.20.105 to-ports=81
add action=dst-nat chain=dstnat \
    comment="FWD HTTPS(443) to Exchange svr and translate port to 444." \
    disabled=no dst-address=24.38.66.236 dst-port=443 protocol=tcp \
    to-addresses=10.1.20.105 to-ports=444
add action=src-nat chain=srcnat comment="Multi-Tennant Autodiscover Redirect" \
    disabled=no src-address=10.1.20.105 to-addresses=24.38.66.236
add action=dst-nat chain=dstnat comment="FWD RDP(3389) to vCenter svr." \
    disabled=no dst-address=24.38.66.235 dst-port=3389 protocol=tcp \
    to-addresses=10.1.20.3 to-ports=3389

I don’t see anything right off that would not allow traffic from one subnet to the other. What are you trying to ping from one subnet to another?
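
To make the reasoning in the reply above concrete, here is an added example (not part of the original thread) that walks the two pings through the posted filter rules in export order. It is a simplified first-match model in Python: `matches` and `evaluate` are hypothetical helper names, connection state is reduced to a single label, and NAT is left out.

```python
import ipaddress

# Constructed from the export posted above; only fields the rules match on are kept.
ROUTER_ADDRS = {"10.1.20.1", "10.66.89.1"}  # Int1 and Int4 gateways
ADDRESS_LISTS = {"VHSAdmin": {"24.38.66.235", "24.190.238.7",
                              "24.38.66.244", "24.228.141.237"}}
FILTER_RULES = [  # in export order; every rule on the page is chain=input
    {"chain": "input", "action": "accept", "protocol": "tcp",
     "dst_ports": {8291, 8728, 22}, "src_list": "VHSAdmin"},
    {"chain": "input", "action": "drop", "protocol": "tcp",
     "dst_ports": {21, 22, 23, 80, 443, 8291}},
    {"chain": "input", "action": "accept", "protocol": "tcp",
     "dst_ports": {8291}, "src_net": "10.1.20.0/24"},
    {"chain": "input", "action": "drop", "protocol": "tcp", "dst_ports": {8291}},
    {"chain": "input", "action": "drop", "state": "invalid"},
    {"chain": "input", "action": "accept", "state": "established"},
    {"chain": "input", "action": "accept", "protocol": "udp",
     "dst_ports": {500, 1701, 4500}},
    {"chain": "input", "action": "accept", "protocol": "ipsec-esp"},
]

def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst_ports" in rule and pkt["dst_port"] not in rule["dst_ports"]:
        return False
    if "src_list" in rule and pkt["src"] not in ADDRESS_LISTS[rule["src_list"]]:
        return False
    if "src_net" in rule and (ipaddress.ip_address(pkt["src"])
                              not in ipaddress.ip_network(rule["src_net"])):
        return False
    return rule.get("state", pkt["state"]) == pkt["state"]

def evaluate(src, dst, protocol, dst_port=None, state="new"):
    """Return (chain, verdict, rule number) for a packet arriving at the router."""
    # Traffic addressed to the router itself hits input; routed traffic hits forward.
    chain = "input" if dst in ROUTER_ADDRS else "forward"
    pkt = {"chain": chain, "src": src, "protocol": protocol,
           "dst_port": dst_port, "state": state}
    for number, rule in enumerate(FILTER_RULES, 1):
        if matches(rule, pkt):
            return chain, rule["action"], number
    return chain, "accept", None  # no match: RouterOS accepts by default

if __name__ == "__main__":
    print(evaluate("10.1.20.3", "10.66.89.1", "icmp"))    # ping the Office2 gateway
    print(evaluate("10.1.20.3", "10.66.89.200", "icmp"))  # ping the Office2 host
```

Both pings come back accepted with no matching rule: the host-to-host ping is routed traffic in the forward chain, where the export has no rules at all, so the filter is not what blocks 10.66.89.200. The same model shows TCP 8291 from 10.1.20.3 to 10.1.20.1 being dropped by rule 2 before the internal Winbox accept in rule 3 is reached.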

Yes, this is very odd.

I am RDP’d into a host on the Office1 network. The host has an IP of 10.1.20.3

I am trying to ping a host in Office2 which has an IP of 10.66.89.200.

I can ping the 10.66.89.1 gateway but not the 10.66.89.200 host.

Do you have Windows Firewall disabled? Windows Firewall blocks icmp automatically, therefore you would not be able to ping the machine.

Yes, it’s disabled on the service level.
RDP is definitely enabled on that box and I can’t connect.

If you don’t mind export your whole config. I don’t have a whole lot going on and I will put it on a router and see what is going on.

Sorry for the late reply.

Here you go

http://www.2shared.com/file/qxS_ia6b/HalpConfigrsc.html?

Do you have your network settings correct on the machines you are working with? I put your configuration on a 450G we have lying around and everything worked great. We were able to communicate between the two networks. The only change I made was to change your CPU from 100MHz to 680MHz. What RB are you using that you are running on 100MHz?

http://i.imgur.com/AwfcS.png

Here is a screen of the resources tab.

Thank you for taking the time and extra effort to look at this. I’m baffled :confused:

Here is what was in the export you gave me.

/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
    100MHz silent-boot=no

But after I removed that, your configuration worked just fine. It may have worked with it, but it was slow so I removed it. You possibly have the IP, Gateway, or Subnet Mask set up wrong on the computers.

I’m not sure why. It reads as 680MHz. I will correct the configuration in about 45 mins and report back.

When I came into the office today I refreshed each host’s IP settings and all was well.

Unfortunately I’ve begun a lot of file transfers before changing that CPU setting. I have yet to restart the router and see if it makes a difference. Now that I’m here again and working, I do notice that it is a bit slow. :confused:

I’m glad it is working for you. Did you confirm it is running at 100MHz?

No, it reads 680 just like my screenshot says.

I’ve rebooted now and it still reads 680.

I’m doing a file transfer across it to my SAN, speed is only around 20mbps, usually I get 100 or so.

Am very busy today so I can’t look into it too much. It might be the switch here in this office and not the MTK, though its CPU is at 90%