Hello, I’m trying to connect 2 LANs through a MikroTik in order to apply firewall rules, but something strange is happening.
Starting from scratch:
PC: 172.30.0.1/24 GW 172.30.0.254 DNS 172.30.0.254 (Mikrotik GW)
Mikrotik:
Address List
ether1 - LAN - 172.30.0.254/24
ether2 - RLAN - 219.7.221.252/24
Route List
219.0.0.0/8 GW 219.7.221.254 “Reachable ether2”
Filter Rules
Forward accept
At this point, if I ping (e.g. 219.100.0.1) from the MikroTik console, I already get an answer, but if I ping from the PC I don’t get an answer; if I run a trace, it goes to the MikroTik and doesn’t go any further.
If I change to:
NAT
srcnat - masquerade
I can already ping the PC, and the tracert also advances to the destination, but I cannot establish connections, e.g. RDP.
I’ve been trying to solve this for days; what could I be missing?
Thank you for your help
Since you only gave a few details, the most obvious issue is your 219 subnet on the router is /24, and it is trying to communicate with devices outside that subnet IP range. Other than that, you did not give enough details. Export and post your config. If there are more devices involved, a network drawing would be helpful.
Maybe you can try a VLAN config
LAN: Bridge
Make sure there is no other LAN on the Interface list
Make 2 VLANs with separate VLAN ID
Mount each VLAN to its own ether port on the Interface option box
Add both VLANs to the main bridge as ports
Configure whatever is connected to each ether port with the VLAN ID you used on that ether port of the router
Make sure in addresses that the Bridge has an IP address and is the main IP for the router
After you set up all the VLAN IDs respectively on the ether ports that are connected to each other
You can remove ether1 and ether2 as ports of the Bridge, just remember if you remove ether1 and ether2 before you set up the VLAN IDs you are going to lose contact with the router
LAN: Bridge
VLAN1: Interface - ether1 / VLAN ID - 500 <— add this VLAN and/or VLAN ID to whatever port/device connects to ether1
VLAN2: Interface - ether2 / VLAN ID - 501 <— add this VLAN and/or VLAN ID to whatever port/device connects to ether2
Bridge Ports: VLAN1 and VLAN2, remove ether1 and ether2 after everything has a VLAN and/or VLAN IDs
Addresses: Whatever IP/IPs to the Bridge
It sounds to me like you are trying to connect 2 separate and isolated networks together that are each running their own Bridge. That can cause you to set up DHCP clients across the bridges. Even if they are connected, the bunch of bridges is not reading each other’s routing tables.
With this configuration, from within the MikroTik I can ping the 219 network, but from the PC it dies in the MikroTik.
With tracert, it leaves the PC to the MK and dies there.
I’ll assume the network subnets are real even if IP addresses aren’t. So … there are two potential problems:
Does router 219.7.221.254 have a static route towards 128.136.0.0/16 via 219.7.221.252?
Does router 219.7.221.254 run a stateful firewall? You are possibly creating a routing triangle between the mikrotik, devices in 219.7.221.0/24 and said router, where packets from 128.136.0.0/16 towards that /24 subnet will be sent directly from the mikrotik to the devices, while return packets might go via router 219.7.221.254 (if devices don’t use the mikrotik directly as first hop on the way back) … stateful firewalls burp if they don’t see all packets of a connection traveling in both directions
The same consideration applies to the side of 128.136.0.0/16.
Neither of these problems applies to the mikrotik itself, as it will (by default) use its own address “closest” to the destination address when establishing a connection.
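To make the return-route reasoning above concrete, here is an added simulation (not from the thread or from RouterOS) of the thread’s topology: PC 172.30.0.1 behind the MikroTik (ether2 219.7.221.252), the 219.0.0.0/8 route via 219.7.221.254, and a host 219.100.0.1 beyond that router. The far router’s routing table is an assumption; the model shows why the PC’s echo request goes out but the reply dies without either srcnat masquerade or a route back to 172.30.0.0/24 on 219.7.221.254.

```python
import ipaddress

# Constructed model of the topology described in the thread (not RouterOS code).
MIKROTIK_ROUTES = [("172.30.0.0/24", None), ("219.7.221.0/24", None),
                   ("219.0.0.0/8", "219.7.221.254")]
# Hypothetical table for router 219.7.221.254: it knows its own /24 and the
# 219.100.0.0/16 side, but nothing about the PC's 172.30.0.0/24 subnet.
FAR_ROUTES = [("219.7.221.0/24", None), ("219.100.0.0/16", None)]
MT_ETHER2 = "219.7.221.252"


def lookup(routes, dst):
    """Longest-prefix match. Returns the matching prefix, or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p, _ in routes if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def ping(src, dst, masquerade=False, far_return_route=None):
    """Simulate one echo request/reply from the PC.

    Returns 'reply' when the answer reaches the PC, otherwise a string naming
    where and why the packet was lost.  far_return_route is an optional prefix
    the far router is assumed to route back via the MikroTik's ether2 address.
    """
    far_routes = FAR_ROUTES + ([(far_return_route, MT_ETHER2)] if far_return_route else [])
    # Forward direction: the MikroTik needs a route (here 219.0.0.0/8).
    if lookup(MIKROTIK_ROUTES, dst) is None:
        return "request dropped at MikroTik: no route"
    # srcnat masquerade rewrites the source to the ether2 address on the way out.
    visible_src = MT_ETHER2 if masquerade else src
    if lookup(far_routes, dst) is None:
        return "request dropped at 219.7.221.254: no route"
    # Reply direction: the host answers whatever source address it saw, and the
    # far router must know how to reach it.
    if lookup(far_routes, visible_src) is None:
        return f"reply dropped at 219.7.221.254: no route to {visible_src}"
    # With masquerade the MikroTik's connection-tracking entry restores the PC's
    # address; without it the reply is already addressed to the PC.
    return "reply"
```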
So in other words, there is a router attached to all the computers on one subnet and another router attached to all the computers on the other subnet, and you want to add a third router in between to get the LANs to see each other for some purposes not clearly defined.
In other words, your network diagram and explanation are incomplete. Where is the internet for both LANs coming from?
If the answer is through the mikrotik as the MT has ether1 going to ISP1 and ether2 going to ISP 2, then all makes sense for firewall rules and routing etc…