Not able to ping different subnet

shahenjit · August 29, 2018, 2:00pm

Hello,

New to Mikrotik and been trying to figure out this for a while and nothing worked. I have 2 different subnets running. One subnet is 10.10.0.0/24(ether10) and the other is 192.168.0.0/24(ether5). Both have different ISP’s running. I am trying to ping 192.168.0.x from 10.0.0.x and it does not ping. I need to do this so that people in the office can access the file server which in 192.168.0.10. Below is my export. Any help will be appreciated. Thanks!

/interface ethernet
set [ find default-name=ether7 ] master-port=ether10
set [ find default-name=ether8 ] master-port=ether10
/ip pool
add name=dhcp-pool ranges=192.168.0.10-192.168.0.254
add name=airtel-dhcp ranges=10.0.0.10-10.0.0.254
add name=pool1 ranges=10.10.0.10-10.10.0.254
add name=pool2 ranges=10.20.0.10-10.20.0.254
add name=pool3 ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp-pool disabled=no interface=ether5 name=dhcp
add address-pool=airtel-dhcp interface=ether7 name=airteldhcp
add address-pool=airtel-dhcp disabled=no interface=ether10 name=Unifi
# DHCP server can not run on slave interface!
add address-pool=pool1 disabled=no interface=ether1 name=airtel2
add address-pool=pool1 interface=ether2 name=server1
/interface bridge port
add bridge=bridge1 interface=ether1
/ip address
add address=203.110.84.178/29 interface=ether4 network=203.110.84.176
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=10.0.0.1/24 interface=ether7 network=10.0.0.0
add address=10.0.0.1/24 interface=ether10 network=10.0.0.0
add address=10.10.0.1/24 interface=ether1 network=10.10.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether6
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether2
add default-route-distance=0 disabled=no interface=ether3
/ip dhcp-server lease
add address=10.0.0.201 client-id=\
    ff:40:56:63:a2:0:2:0:0:ab:11:68:e8:aa:59:c6:87:60:ee mac-address=\
    C4:E9:84:01:D0:27 server=Unifi
add address=192.168.0.10 client-id=\
    ff:cb:39:a:c7:0:2:0:0:ab:11:68:e8:aa:59:c6:87:60:ee mac-address=\
    B8:97:5A:62:39:E1 server=dhcp
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=192.168.0.1 gateway=10.0.0.1
add address=10.10.0.0/24 dns-server=192.168.0.1 gateway=10.10.0.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,192.168.0.1
/ip dns static
add address=192.168.0.10 name=files.periscope.com
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=DellDsl passthrough=\
    no src-address=192.168.0.0/24
add action=mark-routing chain=prerouting new-routing-mark=airtel passthrough=\
    yes src-address=10.0.0.0/24
add action=accept chain=prerouting dst-address=192.168.0.1 src-address=\
    192.168.0.0/24
add action=accept chain=prerouting dst-address=10.0.0.1 src-address=10.0.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether4
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.0.16 \
    out-interface=all-ethernet protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=203.110.84.178 dst-address-list="" \
    dst-port=3999 in-interface=ether4 protocol=tcp to-addresses=192.168.0.16 \
    to-ports=3999
add action=dst-nat chain=dstnat dst-port=554 in-interface=ether4 protocol=tcp \
    to-addresses=192.168.0.16 to-ports=554
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether4 protocol=tcp \
    to-addresses=192.168.0.16 to-ports=443
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether4 protocol=tcp \
    to-addresses=192.168.0.16 to-ports=8000
add action=masquerade chain=srcnat out-interface=ether6
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
/ip route
add distance=1 gateway=203.110.84.177 routing-mark=DellDsl
add distance=1 gateway=172.16.16.16 routing-mark=airtel
add disabled=yes distance=1 gateway=203.110.84.177
add disabled=yes distance=1 dst-address=0.0.0.0/32 gateway=172.16.16.16
/lcd
set backlight-timeout=never
/lcd interface
set sfp1 disabled=yes
set ether1 disabled=yes
set ether3 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes

sindy · August 29, 2018, 2:20pm

The point is that once you assign a routing mark using /ip firewall mangle rules, it applies to all packets, including those towards connected subnets, and there is no route to the connected subnets with either of the routing marks you assign.

Your current /ip firewall mangle rules are a bit messy - the third rule never matches because the first rule fully shadows it (passthrough=no, same source address like the third rule, no other conditions), and the fourth rule effectively does nothing (the routing mark is assigned by the second rule and the fourth rule doesn’t constitute an exception from the second one as it doesn’t precede it).

So one of several possibilities is to use _/ip route rule_s to neutralize the routing marks previously assigned by the /ip firewall mangle rules:

/ip route rule
add dst-address=192.168.0.0/24 action=lookup-only-in-table table=main
add dst-address=10.10.0.0/24 action=lookup-only-in-table table=main

Another way to do the same is to prevent the routing marks from being assigned by adding proper mangle rules at proper position in the chain:

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.0.0/24
add action=accept chain=prerouting dst-address=10.10.0.0/24
add action=mark-routing chain=prerouting new-routing-mark=DellDsl passthrough=no src-address=192.168.0.0/24
add action=mark-routing chain=prerouting new-routing-mark=airtel passthrough=yes src-address=10.0.0.0/24

In both cases you may remove the last two /ip firewall mangle rules in your current configuration as they are useless.