Forward traffic to another router

Hi,

I have the following topology:
[topology image: Capture.JPG]
I would like to forward all traffic with destination 192.168.2.0/24 to the pfSense Router. All other traffic can find their way out from the ISP Router.
I tried with a static route, FW policy, etc., but nothing seems to work. The current stage of this project is:

  • I can ping from the node with IP 192.168.2.10 to the node with IP 192.168.1.10
  • I can ping 192.168.2.1 from the MikroTik ether4
  • I cannot ping from the node with IP 192.168.1.10 to 192.168.2.0/24
  • When I traceroute from the node with IP 192.168.1.10, the traffic stops at the interface 192.168.1.1 (ether2)

I am not familiar with MikroTik; what am I missing here?

Hey. Paste your IPv4 route list here, please :)

Does your pfSense server have a default route?

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.10.254            1
 1 ADC  10.10.10.0/24      10.10.10.1      ether3                    0
 2 ADC  192.168.1.0/24     192.168.1.1     ether2                    0
 3 ADC  192.168.2.0/24     192.168.2.41    ether4                    0
 4 ADC  192.168.10.0/24    192.168.10.248  ether1                    0
 5 ADC  192.168.10.10/32   192.168.10.10   ether1                    0

No, pfSense does not. But I don't see any traffic coming into it and being denied. The traffic does not come out from ether2.
pfSense, though, is able to communicate with the node 192.168.1.10 because they are directly connected.
My guess is something blocks the traffic from 192.168.1.0/24 from reaching interface ether4.

I don't understand how you directly connect 1.10 and 1."something" on the server's second interface, because your router doesn't have any 1.0 IP address on the ether4 interface. And a second note: a server in the 2.0 network cannot interact with 1.0 without a route (a specific or a default one). You need to fix this.

What does a traceroute from 192.168.2.10 towards 192.168.1.0/24 look like?

I guess hosts in 192.168.2.0/24 should use pfSense 192.168.2.1 as their default gateway (or else pfSense has no function there). And pfSense should have appropriate IP address of Mikrotik as its default gateway. And that appropriate IP address should not be from 192.168.2.0/24 to avoid routing triangle.

The mentioned routing triangle is this: when e.g. 192.168.2.10 sends a packet towards 192.168.1.10, it should use 192.168.2.1 as gateway. pfSense receives the packet, does its magic and pushes the packet to its gateway (Mikrotik at 192.168.2.41). Then MT pushes it out from ether2. 192.168.1.10 replies with a packet, sending it to its gateway (Mikrotik at 192.168.1.1); MT figures that destination 192.168.2.10 is directly accessible via interface ether4 and delivers it to 192.168.2.10, bypassing pfSense. Which might make pfSense upset (or not, depending on its configuration … but in the long term it should).

So think about how packets need to be pushed around and create appropriate routes … either for subnets or default.
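The routing triangle described above, as an added example (not code from the thread, MikroTik or pfSense): a small Python model of the devices' route tables, built from the route list posted earlier, that follows a packet from 192.168.2.10 to 192.168.1.10 and the reply back. It covers the topology as posted, the same topology with a static route for 192.168.2.0/24 added on the MikroTik, and an assumed fix in which pfSense's uplink is 10.10.10.2 on the ether3 subnet (that address, and ether3 being the link to pfSense, are assumptions, not stated in the thread).

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match, then lowest distance (connected 0 beats static 1, as in RouterOS)."""
    hits = [(ipaddress.ip_network(p), gw, d) for p, gw, d in routes if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2])) if hits else None

def path(devices, start, dst, max_hops=8):  # device names a packet to dst traverses from 'start'
    hops = [start]
    for _ in range(max_hops):
        dev = devices[hops[-1]]
        if dst in dev["addrs"]:
            return hops
        route = lookup(dev["routes"], dst)
        target = (route[1] or dst) if route else None  # via gateway, deliver on-link, or no route
        nxt = next((n for n, d in devices.items() if target in d["addrs"]), None)
        if nxt is None:
            return hops + ["(unreachable)"]
        hops.append(nxt)
    return hops

def symmetric(devices, a, a_ip, b, b_ip):  # reply retraces the request path -> no routing triangle
    return path(devices, a, b_ip) == list(reversed(path(devices, b, a_ip)))

def topology(mode):
    """Constructed model. 'posted': pfSense WAN 192.168.2.1, gateway 192.168.2.41 on ether4 (the thread).
    'static': 'posted' plus a static route 192.168.2.0/24 via 192.168.2.1 on the MikroTik (assumed form of the one tried).
    'transit': ether4 out of 192.168.2.0/24, pfSense uplink 10.10.10.2 on the ether3 subnet (assumed)."""
    mt_addrs = {"192.168.1.1", "10.10.10.1", "192.168.10.248"}
    mt_routes = [("0.0.0.0/0", "192.168.10.254", 1), ("10.10.10.0/24", None, 0), ("192.168.1.0/24", None, 0), ("192.168.10.0/24", None, 0)]
    pf_addrs, pf_routes = {"192.168.2.1"}, [("192.168.2.0/24", None, 0)]
    if mode == "transit":
        pf_addrs.add("10.10.10.2")
        pf_routes += [("10.10.10.0/24", None, 0), ("0.0.0.0/0", "10.10.10.1", 1)]
        mt_routes.append(("192.168.2.0/24", "10.10.10.2", 1))  # static route via pfSense, now the only match
    else:
        pf_routes.append(("0.0.0.0/0", "192.168.2.41", 1))
        mt_addrs.add("192.168.2.41")
        mt_routes.append(("192.168.2.0/24", None, 0))  # connected route, distance 0
        if mode == "static":
            mt_routes.append(("192.168.2.0/24", "192.168.2.1", 1))  # same prefix, loses to distance 0
    return {"node2": {"addrs": {"192.168.2.10"}, "routes": [("192.168.2.0/24", None, 0), ("0.0.0.0/0", "192.168.2.1", 1)]},
            "pfsense": {"addrs": pf_addrs, "routes": pf_routes},
            "mikrotik": {"addrs": mt_addrs, "routes": mt_routes},
            "node1": {"addrs": {"192.168.1.10"}, "routes": [("192.168.1.0/24", None, 0), ("0.0.0.0/0", "192.168.1.1", 1)]}}

if __name__ == "__main__":
    for mode in ("posted", "static", "transit"):
        print(mode, path(topology(mode), "node2", "192.168.1.10"), path(topology(mode), "node1", "192.168.2.10"))
```

In the 'posted' and 'static' cases the reply goes node1 -> mikrotik -> node2 and never touches pfSense, because the connected 192.168.2.0/24 on ether4 wins over any static route for the same prefix; only the 'transit' case gives a symmetric path through pfSense.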