Host unreachable from one direction

pentorion · August 26, 2022, 7:20pm

Hello mikrotik forum

A router is in cpe mode and is connected wirelessly to a router which is in ap mode.
Both of them have a computer connected to their local network.
I can ping successfully from the computer that is connected to the cpe router the computer that is connected to the ap router.
But I can’t ping from the other way around. I get a “destination net unreachable” error. It seems that I can’t ping the local network behind the cpe router.
In the cpe router I have one NAT rule which is:
action=masquerade
chain=srcnat
src. ddress=192.168.1.0/24
out.interface=wlan1

In the ap router there is the default’s configuration masquerade rule.
I’m pretty sure that I have to add a dstnat rule, so in the cpe router i tried:
action=dstnat
to-addresses=192.168.1.0/24
chain=dstnat
dst. ddress=(the IP of the wlan)
out.interface=wlan1

but with no luck.
Do I have to add a NAT rule in both routers? and what rule?

Sob · August 26, 2022, 10:09pm

You probably need route on AP:

/ip route
add dst-address=192.168.1.0/24 gateway=<whatever address CPE has on its port connected to AP>

And once you do that, whole masquerade may not be needed anymore. Dstnat rule could be another solution, but it would go to only single address behind CPE and you’d be connecting to CPE’s address. Feel free to share more details, to help decide what you really need.

pentorion · August 26, 2022, 10:35pm

You probably need route on AP:
/ip route
add dst-address=192.168.1.0/24 gateway=<whatever address CPE has on its port connected to AP>
And once you do that, whole masquerade may not be needed anymore. Dstnat rule could be another solution, but it would go to only single address behind CPE and you’d be connecting to CPE’s address. Feel free to share more details, to help decide what you really need.

OK I put the rule you suggested in ip → routes on AP. I get “almost” the same error. Before your suggestion I sent 4 ping packets (with destination the computer behind the CPE) and I got the same message 4 times: “Reply from 62.169.255.54: Destination net unreachable.”
Now I get “Reply from xxx.xx.xx.x (the IP address of the NIC of my computer I send the ping packets): Destination host unreachable”, and the respones of the other 3 packets are exactly the same as before I apply your suggestion. I don’t know if it’s noteworthy.

Some details:
There was already another route in the list (of the AP) which is dst-address=xxx.xx.xx.0/24 which is the address of the local network on my AP, and gateway=bridge. Should I keep it?
Actually there will be only a single address behind CPE which I want to communicate with the computer behind the AP.

Sob · August 27, 2022, 4:37pm

I think it will need significantly more details, what’s this whole thing, how is everything configured, etc.

anav · August 27, 2022, 4:42pm

@S0b, When will you ever learn to ask for such information first?
( Můžete přivést osla k vodě, ale nemůžete ho přimět pít )