No routing to external network

Hello,
I have a problem with routing for one of my networks on mikrotik RB750GL. There are three networks:
10.54.10.0/24 - bridge network on mikrotik named bridge10
10.54.250.0/24 - bridge network on mikrotik named bridge250
10.53.0.0/16 - the network that I want to access
Interface ether2 is in the bridge10 network and it is connected to Cisco ASA, which is a firewall to the third network.
Interfaces ether3, 4 and 5 are in bridge250.

From bridge10, any device is routed and successfully connects with any device on the 10.53.0.0 network. The problem is with bridge250: no device has a connection to 10.53.0.0.
The firewall on the Cisco ASA enables both networks, bridge10 and bridge250.
The problem is with routing on the MikroTik. A traceroute from a device on the bridge250 network ends on its own gateway 10.54.250.1, but a ping to the Cisco ASA interface 10.54.10.1 is successful. (Interface ether2 has IP 10.54.10.2.) Also, a ping from the ASA to devices in bridge250 is successful.
Any ideas to solve this, please?
Thank you

Get rid of the Crisco device and get a real firewall…
Seriously, without seeing the config on the MT it's hard to guess.

/export hide-sensitive file=yourconfig17jun

Sorry, but the Cisco device is not the problem. Packets do not even reach its interface, and the log on the Cisco device does not show any activity from bridge250. The problem is on the MikroTik: it does not route from bridge250 to the external network through bridge10.

As @anav suggested: post full config of RB and you’ll get some quality advice. Until then we’ll just bitch around.

Hi, here is my configuration. I repeat, devices from the bridge10 network can access 10.53.0.0/16, but from the bridge250 network it is not working. Thanks for help.

model = 750GL

serial number = 3B0502770449

/interface bridge
add name=bridge10
add name=bridge250
/interface vlan
add interface=ether3 name=vlan10 vlan-id=10
add interface=ether4 name=vlan10 vlan-id=10
add interface=ether5 name=vlan10 vlan-id=10
/ip dhcp-server
add address-pool=dhcp_pool10-net-quest disabled=no interface=bridge10-net-quest name=dhcp10
add address-pool=dhcp_pool250 disabled=no interface=bridge250-ap-mng name=dhcp250
/interface bridge port
add bridge=bridge250 interface=ether3
add bridge=bridge250 interface=ether4
add bridge=bridge250 interface=ether5
add bridge=bridge10 interface=vlan10
add bridge=bridge10 interface=vlan10
add bridge=bridge10 interface=vlan10
add bridge=bridge10 interface=ether2
/ip address
add address=10.54.10.2/24 comment=net-quest interface=bridge10 network=10.54.10.0
add address=195.168.8.62/29 interface=ether1 network=195.168.8.56
add address=10.54.250.1/24 interface=bridge250 network=10.54.250.0
/ip dhcp-server network
add address=10.54.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.54.10.1
add address=10.54.250.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.54.250.1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway out-interface-list=WAN
/ip route
0 A S 0.0.0.0/0 195.168.8.57 1
1 A S 10.53.0.0/16 10.54.10.2 bridge10 1
2 ADC 10.54.10.0/24 10.54.10.2 bridge10 0
3 ADC 10.54.250.0/24 10.54.250.1 bridge250 0
4 ADC 195.168.8.56/29 195.168.8.62 ether1-gateway 0

Why people insist on not showing their firewall rules is beyond me, as it's often key as to why some items are blocked, you know, as in filter rules.
Shall we assume you have no filter rules??

Can one assume ether ports 2,3,4,5 connect to ports on the Cisco???
I am assuming the bridge10 traffic works because you have identified vlan10 on the Cisco.
Since you are not using a VLAN on the bridge250 network, I am not sure how ports 3,4,5 connected to the Cisco will be integrated into the switch?

As for the setup, it's not working because it's misconfigured (the word chaos comes to mind... okay, maybe not that bad lol).

Try this, cleaned up a bit...

model = 750GL

serial number = 3B0502770449

/interface bridge
add name=bridge10
add name=bridge250
/interface vlan
add interface=bridge10 name=vlan10 vlan-id=10

/ip dhcp-server
add address-pool=dhcp_pool10-net-quest disabled=no interface=vlan10 name=dhcp10
add address-pool=dhcp_pool250 disabled=no interface=bridge250-ap-mng name=dhcp250
/interface bridge port
add bridge=bridge250 interface=ether3
add bridge=bridge250 interface=ether4
add bridge=bridge250 interface=ether5
add bridge=bridge10 interface=ether2
/ip address
add address=10.54.10.2/24 comment=net-quest interface=vlan10 network=10.54.10.0
add address=195.168.8.62/29 interface=ether1 network=195.168.8.56
add address=10.54.250.1/24 interface=bridge250 network=10.54.250.0
/ip dhcp-server network
add address=10.54.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.54.10.1
add address=10.54.250.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.54.250.1

I changed the configuration as you said, but it's not working. When I connect a device to bridge10, I don't get an IP address from the DHCP server. And believe it or not, there is no firewall rule on the MikroTik. We have firewall rules on the other devices, so the firewall configuration on the MikroTik is only this:
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway out-interface-list=WAN

I think your route towards the “unreachable” network is wrong:

/ip route
0 A S 0.0.0.0/0 195.168.8.57 1
1 A S 10.53.0.0/16 10.54.10.2 bridge10 1
2 ADC 10.54.10.0/24 10.54.10.2 bridge10 0
3 ADC 10.54.250.0/24 10.54.250.1 bridge250 0
4 ADC 195.168.8.56/29 195.168.8.62 ether1-gateway 0

The marked route should have gateway set to Cisco’s address in the 10.54.10.0/24 subnet (probably 10.54.10.1) … not the interface (bridge10).

It makes me wonder how routing for 10.54.10.0/24 can work … Ah, spotted: clients in subnet 10.54.10.0/24 are using Cisco directly as their gateway anyways (as per DHCP gateway setting).
Another question is this: does Cisco use RB as gateway for reaching 10.54.250.0/24?

Another problem is use of same name for all of your vlan interfaces with vlan-id=10 … you should use different names so that it would be clear as to which interface=vlan10 you’re referring to.

The whole bridge / VLAN setup is a slight mess and not according to the current dogma of using a single bridge per device. It’s not clear whether ether3,4,5 are indeed hybrid ports (untagged on bridge250 and tagged on bridge10); I’ll assume they are. So your setup would translate to something like

/interface bridge
add name=bridge
/interface bridge port
add interface=ether2 bridge=bridge pvid=10
add interface=ether3 bridge=bridge
add interface=ether4 bridge=bridge
add interface=ether5 bridge=bridge
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,ether5 untagged=ether2 vlan-ids=10

For L3 config, you’d then use

  • “interface” bridge where you’re currently using “bridge250”
  • interface vlan10 where you’re currently using “bridge10”

When things are fine for untagged (currently bridge250), you should enable vlan-filtering (enable safe mode before enabling it … disable safe mode afterwards if you still have admin access to the device):

/interface bridge
set [ find name=bridge ] vlan-filtering=yes
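Putting the two points above together (the gateway of the 10.53.0.0/16 route, and the single-bridge VLAN layout), here is a complete RouterOS fragment as an added example; it is not from the original thread and not either poster's own config. It keeps the addresses posted in the thread and assumes that the ASA's address on the 10.54.10.0/24 side is 10.54.10.1 (taken from the DHCP gateway setting) and that ether3-5 carry VLAN 10 tagged towards the APs while staying untagged for the 10.54.250.0/24 side.

```routeros
# Added example (not from the thread). Assumptions: ASA is 10.54.10.1,
# ether3-5 are hybrid ports (untagged = 10.54.250.0/24, tagged vlan 10 = 10.54.10.0/24).
/interface bridge
add name=bridge

/interface bridge port
# ether2 goes to the ASA untagged; pvid=10 puts its untagged frames into VLAN 10
add bridge=bridge interface=ether2 pvid=10
# ether3-5 keep the default pvid=1 for the untagged 10.54.250.0/24 side
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/interface bridge vlan
# VLAN 10: tagged to the CPU (bridge) and the AP ports, untagged towards the ASA
add bridge=bridge tagged=bridge,ether3,ether4,ether5 untagged=ether2 vlan-ids=10

/interface vlan
# L3 interface for VLAN 10 sits on the bridge, not on a physical port
add interface=bridge name=vlan10 vlan-id=10

/ip address
add address=10.54.10.2/24 comment=net-quest interface=vlan10 network=10.54.10.0
add address=10.54.250.1/24 interface=bridge network=10.54.250.0
add address=195.168.8.62/29 interface=ether1 network=195.168.8.56

/ip dhcp-server
add address-pool=dhcp_pool10-net-quest disabled=no interface=vlan10 name=dhcp10
add address-pool=dhcp_pool250 disabled=no interface=bridge name=dhcp250

/ip dhcp-server network
add address=10.54.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.54.10.1
add address=10.54.250.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.54.250.1

/ip route
# Wrong (as posted): gateway=10.54.10.2 is the router's own address, so the
# router treats 10.53.0.0/16 as directly attached and ARPs for hosts it can never reach.
# Right: the next hop is the ASA's address on the shared subnet.
add dst-address=10.53.0.0/16 gateway=10.54.10.1

# Only after the untagged side works, and with safe mode on:
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
```

Two things to check after applying it. First, the ASA needs a return route for 10.54.250.0/24 pointing at 10.54.10.2 (on an ASA that is a line such as "route inside 10.54.250.0 255.255.255.0 10.54.10.2", where "inside" is whatever the ASA calls the interface facing the RB; the interface name is an assumption), otherwise packets reach 10.53.x.x but replies are dropped at the ASA. Second, test from the router with the bridge250 address as source, e.g. "/ping <host in 10.53.0.0/16> src-address=10.54.250.1", so you exercise the same path a bridge250 client uses. Note that with no filter rules on the RB, as posted, the ASA's policy is the only thing deciding what 10.54.250.0/24 can reach, and the RB's own management services are reachable from all three networks; a minimal input-chain filter is worth adding once routing works.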

My boss changed the task: now I need to have the devices (APs) and the wireless clients that are connected to them in the same network. I put interfaces ether3,4,5 into the bridge10 network, and I can forget about the bridge250 network.
So, my APs are in bridge10, and they get an IP from the DHCP on the MikroTik. I see them, but when I ping them, sometimes I get 5 replies, then 6 timeouts, and so on over and over again.
Another problem is with distributing this network. If an AP is in bridge10, which is also VLAN10 distributed to the wireless clients, they can connect but have no internet access. Somewhere there is a mismatch between VLAN10 and bridge10, which are in the same network. How do I configure it to work properly? Thanks