Help connecting 2 Mikrotiks WAN to WAN

Hello.

First of all… I’m not a native English speaker, so forgive me for any errors with the language.

I want to configure a VPN with MikroTik routers using IPSEC/L2TP. But before that I’m testing connecting two MikroTik routers (RB2011UAS-2HND-IN) without any VPN tunnel created.
The idea is to connect the two MikroTiks with one cable from eth1 to eth1, and in each router connect the LAN cable to Eth2 and make a bridge with the rest of the ports. Then ping from one router to the LAN of the other.


The configuration I made is:

  • First I made a bridge with Eth2 + Eth6 (because this MikroTik has 2 switches).
  • Then I added slaves to Eth2 (3-4-5) and Eth6 (7-8-9). I didn’t configure port 10, just in case I lose connection to the router.
  • Configured IP - Addresses.
    R1: WAN: 192.168.90.1 LAN: 192.168.88.1
    R2: WAN: 192.168.99.1 LAN: 192.168.80.1
    In R2:

(Since the test is only with two MikroTiks connected to each other, I guess it is not a problem to use 192.168… on the WAN. I also didn’t configure Firewall or NAT.)

Something like this:

Then, just for convenience, I created a DHCP server.

The problem I think is in the configuration of IP routes.

I have it like this now, and I’m able to ping from each router to the WAN of the other, but when I try to ping the LAN of the other it says timeout.

R1:

R2:

(One strange thing here is that when I write the WAN IP (192.168.99.1 for example) as the gateway for 0.0.0.0/0, it says unreachable, but when I select the gateway by name it works.)

Ping from R1 to WAN of R2:

Ping from R1 to LAN of R2:

I don’t really understand either why number 2 has a “special” ping to that IP.

I would appreciate any help.

Thanks and greetings.

I assume that on both routers you’ve already configured the respective name (identity)? E.g. identity “R1” and “R2”. You can do this either via WebFig or WinBox using System → Identity. The identity is reflected on the command line, making it easier to identify the router a command was executed on.

Now, use the terminal to execute the following statements on both routers and post the output:

interface print detail
ip address print
ip route print
ip firewall filter print

The following two commands will remove all ip filter and nat rules, eliminating the firewall as a possible cause while testing your setup:

ip firewall filter remove [find]
ip firewall nat remove [find]

As far as I can tell you’ve just misconfigured the WAN subnet whereby R1 is using 192.168.90.0/24 while R2 uses 192.168.99.0/24.

These are two separate subnets which can’t communicate with each other w/o having another router in between.

To solve your issue it should be sufficient to place R1 on the WAN subnet of R2:

R1 - ether1 - 192.168.99.1/24
R2 - ether1 - 192.168.99.2/24

Once you’ve done that they should be able to see and ping each other.

However to allow LAN@R1 to communicate with LAN@R2 and vice versa you’d still have to configure static routes or a dynamic routing protocol like OSPF.

Hope this helps.
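The addressing and static routes described in the answer above, written out as RouterOS commands. This is an added example, not part of the original posts; it assumes /24 masks on both LANs (the thread does not state them), that ether1 is the inter-router link on both sides, and that you are connected through a port other than ether1.

```routeros
# --- R1 --- (constructed example; /24 LAN masks are an assumption)
# Drop the old 192.168.90.x address so ether1 sits in R2's WAN subnet
/ip address remove [find interface=ether1]
/ip address add address=192.168.99.1/24 interface=ether1 comment="link to R2"
# R2's LAN is not directly connected: reach it via R2's ether1 address
/ip route add dst-address=192.168.80.0/24 gateway=192.168.99.2 comment="LAN behind R2"

# --- R2 ---
/ip address remove [find interface=ether1]
/ip address add address=192.168.99.2/24 interface=ether1 comment="link to R1"
# Return path: without this, replies to hosts in R1's LAN have no route back
/ip route add dst-address=192.168.88.0/24 gateway=192.168.99.1 comment="LAN behind R1"

# --- verify on R1 ---
# The route should be listed as active
/ip route print where dst-address=192.168.80.0/24
# Sourced from the link address: works even if R2 has no route to R1's LAN
/ping 192.168.80.1 count=3
# Sourced from R1's LAN address: only succeeds when R2's return route exists
/ping 192.168.80.1 src-address=192.168.88.1 count=3
```

The last ping is the meaningful LAN-to-LAN check, because it exercises the static route on both routers rather than only the directly connected link.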

Thank you very much for your answer.

Indeed, that was it. I’ve changed both WAN IPs and put them in the same subnet, and now it works perfectly.

I also succeeded in creating IPSec and IPSec + L2TP tunnels.

Thanks again.

solved.