Hi all. My first question here. If I missed some info, please point that out to me.
So I have a MikroTik 450G router, 3 WANs and 1 LAN network.
LAN is 192.168.1.0/24
WAN 1 is static IP x.x.x.x
WAN 2 addr is y.y.y.y
It’s obtained by DHCP but is always static because we’re a pretty important client; they just can’t give us a bridged connection and have PPPoE. Oh well…
WAN 3 is at the moment another MikroTik which resides inside the LAN scope; 192.168.1.253 is its address. That will soon change, and we will have only its external IP via a separate cable, but this is the situation for now.
OK, among the many problems I’m solving as I go, there is one thing torturing me.
I cannot ping, let’s say, 192.168.1.10 in the LAN from any interface but its own. I’m talking about the ping tool inside RouterOS, of course.
I think that is the reason behind my not being able to dst-nat Radmin ports through WAN 1 or WAN 2 to my computer, which is also in the LAN. I see packets enter WAN 1; dst-nat picks them up but doesn’t know what to do with them. They stay there until expiring and that’s it. So I figured they can’t actually enter the LAN. Tried to ping anything in the LAN from the WANs and got Connection Timeout.
No, it’s not like that. I obviously explained that one badly.
A few weeks ago, we only had one WAN. It was on the MikroTik 500 which belongs to our ISP and is on the antenna on the roof. They set one interface to be 192.168.1.253, so everyone in the LAN could access it easily as the gateway. Their public IP is on another interface, I think eth3 (not that it matters in this case).
So now we got ourselves a 450G and connected two ISPs to it, as well as our local LAN, which currently contains our old WAN in the form of a local IP address. And that one works. I just point what I need to .253 and it’s OK. We will ask them to remove that local IP and give us just direct access to the public IP, but before that I need everything up and running on my 450G, and flawlessly. We have several servers that must be accessible from outside at every given moment (allowed downtime is less than 10 min a month, so no time for experimenting) and there is some MAC binding involved, etc., etc.
So I tried at first to dst-nat my Radmin just to test things out for the real deal, and… failed.
edit: I tried to set dst-nat for both new ISPs (WAN 1 and WAN 2). Neither worked.
Hope I was a bit clearer this time in my explanation. Thanks for taking an interest in my topic, jager.
I think I got it now, but a simple drawing will remove any doubts.
Well, 192.168.1.0/24 is your local LAN. Your gateway that is masqueraded to the internet is 192.168.1.253.
This works OK if it is your only gateway to the internet. You should either change your LAN to 192.168.2.0/24, or change the 192.168.1.253 to something else if you have access to that device. All the WANs should come straight to your 750G and then you can do whatever you wish (load balancing, etc.)
Please attach a simple drawing so we can be sure about your network.
For a start, if you can, change the WAN3 IP address to, let’s say, 192.168.10.x. You need any subnet other than those you are currently using for the other WANs or the LAN.
Or, if you don’t have access to that device, you will need to change your LAN’s subnet. This means all computers in the local LAN will need to change IP.
Seems to me like a default route problem. Do the hosts on 192.168.1.0/24 use .253 as their default gateway? If yes, that is your problem. They receive a packet from a source address outside their broadcast domain. While it enters the network through the RouterBOARD, the clients don’t have specific routes back, so they send the packet to .253. That router is also going to source-NAT the reply, and while the packet might make it back across the Internet, it will come back with a different source IP and the host that originally initiated the connection will discard the packet.
There really isn’t a good solution to this other than making the RouterBOARD the gateway for the LAN. For the time being you can still point the RouterBOARD’s default route back out through .253, but at least it could continue the connections it originated via directly connected networks.
I can’t change anything in the LAN. My servers are in the same LAN and there are a lot of complicated bindings involved. They have to stay in 192.168.1.0/24. The same applies to .253. It is their default gateway, but…
@both:
Everything I’m testing is from my own computer, and my default gateway is .205.
OK, I disconnected myself completely from the LAN and made my own LAN, 10.0.0.0/24. My address is .2; eth5 on the router is .1.
So now there’s only WAN1, WAN2 and me.
Everything is still the same. Radmin packets are entering, but not reaching me.
Do you want me to print some of the configuration, and what?
I can’t change anything in the LAN. My servers are in the same LAN and there are a lot of complicated bindings involved. They have to stay in 192.168.1.0/24. The same applies to .253. It is their default gateway.
Worst case scenario
But if your LAN is on 192.168.1.0/24 and the gateway of the clients in that LAN is 192.168.1.253, no traffic is forwarded by your router on 192.168.1.205. The clients (your servers) are simply talking directly to their gateway (.253) and do not even know about the presence of your router.
You must be able to make some changes to your configuration to get things as you would like them to be. There is no other way, sorry.
As I said, I successfully moved myself to a new LAN, 10.10.10.0/24, and thus eliminated WAN3 and the whole 192.168.1.0/24 LAN.
Good news is, NAT is finally working. Everything went exactly as jager and fewi expected.
The only thing I’m still wondering is how to make it possible to ping myself from the WAN interfaces. I remember reading some other guy’s topic with a fairly similar situation to mine, and fewi told him that with that (mine also) configuration he wouldn’t be able to do that.
What do I have to do in order to enable pinging clients in the LAN from the WAN interfaces?
Thanks for this so far. Karma for all, definitely.
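A small added illustration, not part of anyone’s post, of the asymmetric path fewi describes above and jager restates (the server answers via .253, which masquerades the reply): it models the RB450G’s dst-nat, the server’s default-gateway choice and the .253 box’s masquerade, then checks whether the client recognises the reply. The external addresses and the Radmin port 4899 are assumed stand-ins; 192.168.1.10, .205 and .253 come from the thread.

```python
# Added model of the thread's topology (not MikroTik code). Public/client
# addresses and the Radmin port are constructed stand-ins, as noted below.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int

CLIENT = "192.0.2.5"            # constructed: external Radmin client
RB_WAN1 = "203.0.113.10"        # constructed: stand-in for WAN 1's x.x.x.x
RB_LAN = "192.168.1.205"        # RB450G's LAN address (from the thread)
ISP_GW_LAN = "192.168.1.253"    # ISP's MikroTik, the servers' default gateway
ISP_GW_PUB = "198.51.100.1"     # constructed: public side of the .253 box
SERVER = "192.168.1.10"         # LAN host from the thread
RADMIN = 4899                   # assumed Radmin port

def rb_dstnat(pkt, conntrack):
    """RB450G: dst-nat the Radmin port on WAN 1 to the server and record the flow."""
    if pkt.dst == RB_WAN1 and pkt.dport == RADMIN:
        conntrack[(pkt.src, pkt.sport)] = pkt.dst   # remember original destination
        return Pkt(pkt.src, SERVER, pkt.sport, pkt.dport)
    return pkt

def rb_unnat(pkt, conntrack):
    """RB450G: a reply matching a tracked flow gets its original source restored."""
    orig = conntrack.get((pkt.dst, pkt.dport))
    return Pkt(orig, pkt.dst, pkt.sport, pkt.dport) if orig else pkt

def isp_masquerade(pkt):
    """The .253 box knows nothing of the RB450G's flow; it just masquerades."""
    return Pkt(ISP_GW_PUB, pkt.dst, pkt.sport, pkt.dport)

def server_reply(req, default_gw):
    """Server has no specific route back, so the reply goes to its default gateway."""
    return default_gw, Pkt(SERVER, req.src, req.dport, req.sport)

def reply_seen_by_client(server_gw):
    """Push one request/reply through the topology; return the reply the client sees."""
    conntrack = {}
    req = Pkt(CLIENT, RB_WAN1, 40000, RADMIN)
    gw, reply = server_reply(rb_dstnat(req, conntrack), server_gw)
    return rb_unnat(reply, conntrack) if gw == RB_LAN else isp_masquerade(reply)

def client_accepts(reply):
    """The client only matches replies from the address and port it sent to."""
    return (reply.src, reply.sport) == (RB_WAN1, RADMIN)
```

Calling reply_seen_by_client(ISP_GW_LAN) yields a reply sourced from the .253 box’s public address, which client_accepts rejects; with RB_LAN as the server’s gateway the dst-nat is reversed and the reply is accepted.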
Got a link to that? I don’t immediately see why it wouldn’t work in your scenario.
Also post the output of “/ip address print detail”, “/ip route print detail”, “/interface print detail”, “/ip firewall export”, and the result of an attempted ping.
I’ll find the topic as soon as I get to the office. ’Till then, here are the prints.
In the firewall export, there are a lot of rules that are made but not in use. That is for the future setup and was required of me to make at the time.
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 X 192.168.1.205/24 192.168.1.0 192.168.1.255 BETA LAN (eth1)
1 X 192.168.2.2/24 192.168.2.0 192.168.2.255 ABSOLUT (eth3)
2 *.108.*.14/30 *.108.*.12 *.108.*.15 VERAT (eth4)
3 D *.148.*.145/22 *.148.*.0 *.148.*.255 SBB (eth2)
4 10.0.0.1/24 10.0.0.0 10.0.0.255 ether5
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 X S 0.0.0.0/0 VERAT (eth4) 1
1 X S 0.0.0.0/0 ABSOLUT (eth3) 1
2 X S 0.0.0.0/0 192.168.1.253 1
3 X S 0.0.0.0/0 62.108.98.13 1
4 X S 0.0.0.0/0 62.108.98.13 1
5 X S 0.0.0.0/0 SBB (eth2) 1
6 A S 0.0.0.0/0 62.108.98.13 1
7 X S 0.0.0.0/0 62.108.98.13 1
8 ADC 10.0.0.0/24 10.0.0.1 ether5 0
9 ADC *.108.*.12/30 *.108.*.14 VERAT (eth4) 0
10 ADC *.148.*.0/22 *.148.*.145 SBB (eth2) 0
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="BETA LAN (eth1)" type="ether" mtu=1500 l2mtu=1524
1 R name="SBB (eth2)" type="ether" mtu=1500 l2mtu=1524
2 X name="ABSOLUT (eth3)" type="ether" mtu=1500 l2mtu=1524
3 R name="VERAT (eth4)" type="ether" mtu=1500 l2mtu=1524
4 R name="ether5" type="ether" mtu=1500 l2mtu=1524
I don’t see anything in that which prevents ICMP from a WAN interface to a host on 10.0.0.0/24. What kind of host is it? What does its routing table look like, and could a firewall on the host simply be blocking ICMP?
I too think there isn’t anything. 10.0.0.0/24 is the new LAN I created. It’s on eth5 on my RB450G. I am the only client in that LAN and my address is .2. So I’m pinging myself. The firewall is set to let ICMP pass.
Aren’t there any static router between interfaces involved?
It would be logical to me that every interface can access every other, but then again I may very well be wrong. I still can’t ping a computer that is on 192.168.2.2/24 (eth2) from 10.0.0.2/24 on the eth5 interface.
I misspelled routes as router in my last post. Sorry about that. Well, as I said, the two networks are on two interfaces, on the same RB450G router.
The default routes are to their own interfaces with the interface IP as preferred source. Or I didn’t understand your question correctly.
Those aren’t static, they are connected (C). The router can route between those two networks. I’m either missing something obvious in the firewall export you posted earlier, or you have a host firewall issue that has nothing to do with the router. Start analyzing traffic on the hosts with a tool such as Wireshark to see what packets arrive at and leave the interfaces.