I am using one mikrotik router. Two hosts connected to it. I have attached the connection image. Its a simple basic connection.
Host 1 connected to Point B of Mikrotik Router .
Host 2 connected to Point D of Mikrotik Router .
Host 1 IP : 192.168.12.4
Host 2 IP : 192.168.110.4
IP of Router point B , where host 1 is connected to : 192.168.12.6
IP of Router point D , where host 2 is connected to : 192.168.110.3
No firewall policies , no routing rules , nothing..!!
Previously I was not able to ping from Router point B to Host 2 .
After When i add the below policy in router , the ping is working ..!!
Added the below policy in router :
ip firewall nat add chain=srcnat action=masquerade
After this policy B to C and D to A is pingable.
Still host1 to host2 is not pingable..!!
some more info:
I initiated a ping from host1 to host 2 and looked at the arp table of router.
i could see in ether 1 (ie,point B) , ip of host1 only and like that i could see in ether 2 (ie,point D) , ip of host2 only.
So the expected is like in the arp table of ether 1 ,the ip of point D shoud also be there , right?
So the packet is not forwarded from point B to D. Am i correct here.
Kindly help me on this.
Do i need to add any policy.
a) Some small typo somewhere.
b) Firewall on hosts blocking pings from non-local subnets.
For start, ping both addresses on router (192.168.12.6 and 192.168.110.3) from both host1 and host2. All four combinations must work. It will tell you if routing is correct. And since it will be initiated by host, it won’t be blocked by its firewall (unless you have some really unusual config).
You dont need nat or static routes !!! Just add in firewall filter 2 rules:
/ip fi fi
add chain=forward src-address=192.168.12.0/24 dst-address=192.168.110.0/24 action=accept
add chain=forward src-address=192.168.110.0/24 dst-address=192.168.12.0/2 action=accept
Thanks for the response.
I removed the masquerade policy as you mentioned.
From Host1 , ping to point-B is working whereas ping to Point-D is not working .
Then try pings from router:
/ping src-address=192.168.12.6 address=192.168.12.4 -- Its working
/ping src-address=192.168.12.6 address=192.168.110.4 -- not working
/ping src-address=192.168.110.3 address=192.168.12.4 --not working
/ping src-address=192.168.110.3 address=192.168.110.4 --working
Please help me on this.
With the masquerade policy , ping from POint B to Point C is working and Ping from POint D to point A is working.
Without that , these pings are also not working.
I used tools->Torch and monitored both the interfaces.
I could see like when ping from Host 1 to Point D is done , I done the torch command on ether2 (ie, point D) nothing is showing in TX-PACKET and RX-PACKET field.
Thanks for the help.
Please help me on this
I tried to ping from Host 1 to Point D . I took the tool torch on the interfaces of router .
I could see like the ping is reaching point B and D but no response from Host 2.
Sorry, I missed your replies before. So to sum up the progress (or lack of progress) so far, you can only ping addresses from same subnet. That of course must work, otherwise something would be horribly broken. But you have zero success between the two subnets. With masquerade it doesn’t count, because that changes addresses to same subnet.
To clear one misconception:
I could see like when ping from Host 1 to Point D is done , I done the torch command on ether2 (ie, point D) nothing is showing in TX-PACKET and RX-PACKET field.
There’s no point watching ether2 (with address D), because Host1 is connected to ether1 (with address B). All communication between Host1 and router (no matter if address B or D) will only happen on ether1.
So far it looks like there’s something wrong with routes on hosts. You have the routes written correctly in image, but check again if it’s really what you added.
When you ping D from Host1, you must see incoming packets to D on ether1 (where B address is).
When you ping B from Host2, you must see incoming packets to B on ether2 (where D address is).
Thanks for the reply.
When I ping D from Host1 , I could see incoming packets on ether 1 .
ie , I pinged from Host 1 to PointD , i took the packet sniffer tool on ether 1 , in the source address filed i could see both the address of Host1 and PointD . But the ping is not successfull.
Like that when i ping from Host1 to Host2 , i took the packet sniffer on ether1 and ether2 , I could see the ip of Host1 in both the interfaces.
In host1 , I have added route as :
sudo route add default gw 192.168.12.6 dev eth0
In host2 , I have added route as :
sudo route add default gw 192.168.110.3 dev eth0
Thanks for the reply.
I have attached the same for your reference.
Please note that currently the IPs have been changed to :
Host1 IP = Point A = 192.168.197.2
Host2 IP = Point C = 192.168.66.10
Point B = Router ether 1 = 192.168.197.5
Point D = Router ether 2 = 192.168.66.4
Hi ,
I did this : /ping src-address=192.168.12.6 address=192.168.110.4
i took the tool sniffer on ether 2 , i could observe like 192.168.12.6 has reached ether 2 , no other packets.
I initiated ping from Host 1 to pint D . i took the tool sniffer on ether1 , i could observe both the ips of Host1 and pointD .
Since the ping is not successful , seems like the packet is forwarded to Host1 from point B.
Please help
Thanks for the reply.
I have attached the same for your reference.
Please note that currently the IPs have been changed to :
Host1 IP = Point A = 192.168.197.2
Host2 IP = Point C = 192.168.66.10
Point B = Router ether 1 = 192.168.197.5
Point D = Router ether 2 = 192.168.66.4
I understood what am struggling is like ,with the basic thing .
But to be honest am not able to make it up.
I am hiding nothing , because I need to have a solution for this.
I tried with a fresh reload but still not working.
So the config is pretty much empty. You have two interfaces with different subnet on each, inactive dhcp client (judging by previous screenshot of /ip address print), and firewall filter rules explicitly allowing traffic between these subnets (which are unnecessary in this case and you can remove them, because no rules mean everything allowed). Clearly, you can’t do anything here.
It must be something on hosts, try “iptables -L” to see firewall rules there.
