Central rOS can't ping any other net of connected rOS except

Central rOS is connected to the ISP (public IP) and has 4 more NICs, of which 2 are connected to other rOS routers that have 3/4 NICs each for creating more LANs. VLSM of 172.17.0.0 was used for all networks.
All NICs/nets of R0 can be pinged from any net of R1 & R2. 172.17.4.130 (behind R2) can ping 172.17.5.5, 172.17.5.1, 192.168.0.1 or even host 192.168.0.199 of R0. However, R0 can only ping 172.17.5.2 of R1 & 172.17.5.6 of R2, i.e. a host (say 192.168.0.199) behind R0 can’t ping 172.17.4.1 or 172.17.2.1 … 172.17.2.2. For R2: 172.17.4.130 (NIC of R2) … 172.17.4.131 (host).

SNAT masquerade was done on all routers. Internet is available on all sites’ nets. While all of the central router’s NICs/nets can be pinged from all networks of the two routers, the central router can’t ping any network, gateway or (XP) host of those two locations’ rOS except the WAN. Only the central router has a basic firewall filter. Tried disabling all rules to test; didn’t help.

How to solve this problem, anyone?

When you say there’s source NAT on all routers, do you mean that the networks behind R1 are NAT’d to 172.17.5.2 when being put on the wire towards R0?

If so, R0 probably doesn’t have a route to the networks behind R1 and cannot initiate pings to them. It can reply to pings from them because due to the src NAT it believes the ping request is actually coming from 172.17.5.2, which it can reach because of the directly connected network.

It is bad design to NAT on every router. Only R0 should source NAT traffic out to the Internet. Either implement a dynamic routing protocol, or set static routes to all networks on R0. Since R1 and R2 are stubs they just need a default route to R0.

If those guesses are wrong, please post the firewall filter and NAT rules, routing table and IP address list from each router (/ip firewall export, /ip route print, /ip address print).

Kindly let me know if the following info serves the purpose…

For R0:

[admin@R0] > / ip address print
0 203.ABC.D.22/28 203.ABC.D.16 203.ABC.D.31 ISP
1 192.168.0.1/24 192.168.0.0 192.168.0.255 local
2 172.17.5.5/30 172.17.5.4 172.17.5.7 ToR2
3 172.17.5.1/30 172.17.5.0 172.17.5.3 ToR1
4 172.17.4.193/26 172.17.4.192 172.17.4.255 Servers

[admin@R0] > /ip firewall nat print
0 chain=srcnat action=masquerade src-address=192.168.0.0/24
1 chain=srcnat action=masquerade src-address=172.17.5.0/30
2 chain=srcnat action=masquerade src-address=172.17.5.4/3

[admin@R0] > /ip route print

0 A S 0.0.0.0/0 203.ABC.D.30 1
1 ADC 172.17.4.192/26 172.17.4.193 Servers 0
2 ADC 172.17.5.0/30 172.17.5.1 ToR1 0
3 ADC 172.17.5.4/30 172.17.5.5 ToR2 0
4 ADC 192.168.0.0/24 192.168.0.1 local 0
5 ADC 203.ABC.D.16/28 203.ABC.D.22 ISP 0

[admin@R0] > /ip firewall filter print

0 chain=input action=accept connection-state=related
1 chain=input action=accept connection-state=established
4 chain=input action=accept src-address=192.168.0.0/24
5 chain=forward action=accept src-address=172.17.5.0/30
6 chain=forward action=accept src-address=172.17.5.4/30
9 chain=input action=accept protocol=tcp src-address=172.17.0.0/16 dst-port=22
10 chain=input action=accept protocol=udp dst-port=53
11 chain=input action=accept protocol=tcp src-address=172.17.0.0/16 dst-port=8291
56 chain=input action=drop
chain=forward action=drop dst-address=69.10.232.100

For R1:

[admin@R1] > / ip address print

0 172.17.5.2/30 172.17.5.0 172.17.5.3 ToR0
1 172.17.4.1/26 172.17.4.0 172.17.4.63 restricted
2 172.17.2.1/24 172.17.2.0 172.17.2.255 non-restricted

[admin@R1] > /ip firewall nat print

0 chain=srcnat action=masquerade src-address=172.17.2.0/24
1 chain=srcnat action=masquerade src-address=172.17.4.0/26

[admin@R1] > /ip route print

0 A S 0.0.0.0/0 reachable 172.17.5.1 1 ToR0
1 ADC 172.17.2.0/24 172.17.2.1 0 non-restricted
2 ADC 172.17.4.0/26 172.17.4.1 0 restricted
3 ADC 172.17.5.0/30 172.17.5.2 0 ToR0

For R2:

[admin@R2] > / ip address print

0 172.17.5.6/30 172.17.5.4 172.17.5.7 ToR0
1 192.168.110.254/24 192.168.110.0 192.168.110.255 Accounts
2 172.17.3.1/24 172.17.3.0 172.17.3.255 Local
3 172.17.4.129/26 172.17.4.128 172.17.4.191 Admin

[admin@R2] > /ip firewall nat print

0 chain=srcnat action=masquerade src-address=172.17.3.0/24
1 chain=srcnat action=masquerade src-address=172.17.4.128/26
2 chain=srcnat action=masquerade src-address=192.168.110.0/24

[admin@R2] > /ip route print

0 A S 0.0.0.0/0 172.17.5.5 1
1 ADC 172.17.3.0/24 172.17.3.1 Local 0
2 ADC 172.17.4.128/26 172.17.4.129 Admin 0
3 ADC 172.17.5.4/30 172.17.5.6 ToR0 0
4 ADC 192.168.110.0/24 192.168.110.254 Accounts 0

Remove all masquerade rules on all routers, on R0 implement a new one with out-interface=ISP as the only qualifier. On R0 add routes for all networks behind R1 and R2 with a gateway address of their respective /30 addresses.

And permit in your R0 firewall filter rules everything that you need to, such as ICMP from the networks behind R1 and R2.
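To see why the replies above diagnose a missing route rather than a firewall problem, here is an added Python model (not from the thread and not RouterOS code) of R0's longest-prefix lookup using the tables posted: before the static routes a ping to 172.17.2.1 matches only the default route towards the ISP, after them it resolves to 172.17.5.2, while R2's masquerade makes a stub host's request look like it came from 172.17.5.6, so R0's reply always has a route. The ISP prefix 203.0.113.x is a constructed placeholder for the anonymised 203.ABC.D.x on the page.

```python
from ipaddress import ip_address, ip_network

# R0's routing table as posted in the thread. The ISP prefix is anonymised on the page
# (203.ABC.D.x); 203.0.113.x below is a constructed placeholder standing in for it.
R0_ROUTES = {
    "0.0.0.0/0": "203.0.113.30",   # default route towards the ISP
    "172.17.4.192/26": "Servers",  # directly connected: "gateway" is the interface
    "172.17.5.0/30": "ToR1",
    "172.17.5.4/30": "ToR2",
    "192.168.0.0/24": "local",
    "203.0.113.16/28": "ISP",
}

# Static routes the reply recommends: each network behind a stub router is reached
# via that router's own address on the /30 it shares with R0.
STATIC_FIX = {
    "172.17.4.0/26": "172.17.5.2",     # R1 'restricted'
    "172.17.2.0/24": "172.17.5.2",     # R1 'non-restricted'
    "172.17.3.0/24": "172.17.5.6",     # R2 'Local'
    "172.17.4.128/26": "172.17.5.6",   # R2 'Admin'
    "192.168.110.0/24": "172.17.5.6",  # R2 'Accounts'
}

# R2's masquerade rules as posted, and R2's address on the /30 towards R0.
R2_MASQ_NETS = ["172.17.3.0/24", "172.17.4.128/26", "192.168.110.0/24"]
R2_TO_R0 = "172.17.5.6"


def lookup(routes, dst):
    """Longest-prefix match over a {prefix: gateway} table; returns (prefix, gateway)."""
    addr = ip_address(dst)
    best = None
    for prefix, gateway in routes.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return str(best[0]), best[1]


def masquerade(src, egress_ip, masq_nets):
    """Source NAT as on R1/R2: a source matching a masquerade rule leaves as egress_ip."""
    return egress_ip if any(ip_address(src) in ip_network(n) for n in masq_nets) else src


def r0_reply_route(stub_host):
    """Route R0 uses for its echo reply to a host behind R2: the request arrived
    masqueraded as 172.17.5.6, which sits on R0's directly connected /30."""
    return lookup(R0_ROUTES, masquerade(stub_host, R2_TO_R0, R2_MASQ_NETS))
```

Without the static routes, R0's echo request to any stub network leaves via the ISP default route (and is masqueraded there), which is exactly the one-directional symptom described in the opening post.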

As you suggested, I'll check disabling all masquerade on R0, R1 and R2 and adding the following on R0:

/ip firewall nat add chain=srcnat action=masquerade out-interface=ISP

Instead of adding static routes, earlier I had tried RIP on all routers to add the networks behind them, as it is necessary to be able to get to the network(s) behind R1 from the network(s) behind R2 … not only from R0; but it didn’t work.

Thanks.

While making static routes to the networks behind the two stub routers allowed pinging those networks/hosts or accessing hosts from hosts of the networks behind the central router and vice versa, I feel it would be wise to do RIP on all 3 and advertise the networks behind them. Don’t know why it didn’t work when I tried last time (as my routers were configured as stated before).

Ironic! Having a single masquerade on the out-interface of the central router didn’t allow networks behind the stub networks to ping or access hosts of the networks behind the central router.

Being able to do these two implementations would be smart.