Hi
I'm a very newbie on networking and routing, so I apologise for my question:

I have 3 subnets:
192.168.5.0/24 eth6-Sec
192.168.1.0/24 eth2-LAN
192.168.20.0/24 eth3-Prod

with 192.168.200.250 as gateway.

Now: I would like to let all subnets ping each other, and then write the firewall policies.
As default I understood that Mikrotik RouterOS lets all the subnets ping each other, it's a router, but in my case happens something of strange:

eth2-LAN can ping everything
eth6-Sec and eth3-Prod can ping each other, but both can't ping eth2-LAN
All the subnets can reach the gateway. I can't understand why!

Please help me!

I paste my configuration:

jan/02/1970 01:40:42 by RouterOS 6.5

software id = EY0F-RYXQ

/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=eth1
set [ find default-name=ether2 ] name=eth2-LAN
set [ find default-name=ether3 ] name=eth3-Prod
set [ find default-name=ether4 ] disabled=yes name=eth4-
set [ find default-name=ether5 ] disabled=yes name=eth5-
set [ find default-name=ether6 ] name=eth6-Sec
set [ find default-name=ether7 ] disabled=yes name=eth7-IPCop
set [ find default-name=ether8 ] disabled=yes name=eth8-
set [ find default-name=ether9 ] name=eth9-Internet
set [ find default-name=ether10 ] disabled=yes name=eth10-
set [ find default-name=sfp1 ] disabled=yes
/ip neighbor discovery
set eth1 discover=no
/ip dhcp-server
add name=default
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/port
set 0 name=serial0
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.5.241/24 interface=eth6-Sec network=192.168.5.0
add address=192.168.1.241/24 interface=eth2-LAN network=192.168.1.0
add address=192.168.20.241/24 interface=eth3-Prod network=192.168.20.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=eth9-Internet
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=eth9-Internet
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth9-Internet
/ip route
add distance=1 gateway=192.168.200.250
/lcd interface
set sfp1 interface=sfp1
set eth1 interface=eth1
set eth2-LAN interface=eth2-LAN
set eth3-Prod interface=eth3-Prod
set eth4- interface=eth4-
set eth5- interface=eth5-
set eth6-Sec interface=eth6-Sec
set eth7-IPCop interface=eth7-IPCop
set eth8- interface=eth8-
set eth9-Internet interface=eth9-Internet
set eth10- interface=eth10-
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=eth2-LAN
add interface=eth3-Prod
add interface=eth4-
add interface=eth5-
add interface=eth6-Sec
add interface=eth7-IPCop
add interface=eth8-
add interface=eth9-Internet
add interface=sfp1
add
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=eth2-LAN
add interface=eth3-Prod
add interface=eth4-
add interface=eth5-
add interface=eth6-Sec
add interface=eth7-IPCop
add interface=eth8-
add interface=eth9-Internet
add interface=sfp1

Yes, by default all networks can access each other. Actually, if you want them NOT to access each other within the router, you have to specifically block them in the router firewall settings.

Make sure your devices (laptops or whatever) have the proper gateway set and that their own firewalls are not blocking anything.

This. Is this RB2011 the default GW for all 3 of these LANs, or is there some other device that’s the default GW?
If some other device is the GW, then on each of the LANs, the default gw router for each LAN will need to create static routes that use .241 as the gateway to reach the other two LANs.

If the config you posted is completely un-doctored in the ip firewall section, then this will allow all LANs to communicate with each other exactly as you want.

Basically if a device doesn’t know to use your RB2011 as the gateway to reach the other 2 lans, then it doesn’t matter how much permission they have in the 2011, or how correct the 2011’s configuration is.