Request for kind help on an issue with routing

First of all, hello everyone, I am new to this community :slight_smile: I should say up front that it's my first time using this routing software; I tried as much as I could with the wiki and this forum, but sometimes it is all too simple or too messy.

Now to this issue. This is my network:

The main goal of this architecture was that the network 172.16.7.0/24 must go through the first router (MikroTik OS 4.16) with 2 interfaces, VDH (172.16.7.254/24) and QDH (192.168.100.251/24), reach 192.168.100.0/24, and also be able to reach the internet via the other router (which I don't have access to).
The 192.168.100.0/24 net shouldn't reach the 172.16.7.0/24.
With my tests I could only achieve pinging the 192.168.100.0/24 net from 172.16.7.0/24, but when I try a tracert 8.8.8.8 from one of the hosts on 172.16.7.0/24 I get:

172.16.7.251 1st hop
192.168.100.254 2nd hop
then all timeouts

(from the 192.168.100.0/24 net the tracert command completes without problems)

I'm really struggling to get this right :frowning:

Here are the details of my current configuration (sorry for the inevitable mess of rules/chains), at least I tried :slight_smile:

[SysAdmin@MikroTik] > ip address print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=172.16.7.254/24 network=172.16.7.0 broadcast=172.16.7.255 
     interface=VDH actual-interface=VDH 

 1   address=192.168.100.251/24 network=192.168.100.0 broadcast=192.168.100.255 
     interface=QDH actual-interface=QDH 


[SysAdmin@MikroTik] > ip firewall nat print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade src-address=172.16.7.0/24 out-interface=QDH


[SysAdmin@MikroTik] > ip firewall mangle print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=mark-routing new-routing-mark=mark_vdh_from_qdh 
     passthrough=no src-address=172.16.7.0/24 


[SysAdmin@MikroTik] > ip route print detail 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.100.254 
        gateway-status=192.168.100.254 reachable QDH distance=1 scope=30 
        target-scope=10 routing-mark=mark_vdh_from_qdh 

 1 X S  dst-address=0.0.0.0/0 gateway=192.168.100.254 
        gateway-status=192.168.100.254 inactive distance=1 scope=30 
        target-scope=10 

 2 ADC  dst-address=172.16.7.0/24 pref-src=172.16.7.254 gateway=VDH 
        gateway-status=VDH reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.100.0/24 pref-src=192.168.100.251 gateway=QDH 
        gateway-status=QDH reachable distance=0 scope=10 


So, in brief, with this configuration I can't resolve internet IPs and thus can't access the internet... I really don't know what the problem is here.

If anyone can be of any help it will be much appreciated,
thank you.

Bye
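To make the interplay between the mangle rule, the routing mark and the disabled unmarked default route in the configuration above easier to reason about, here is an added example (not part of the original post or of RouterOS) that models the route selection as a small simulator. It assumes the usual policy-routing model: a packet carrying a routing mark is looked up in that mark's table first and falls back to the main table, an unmarked packet uses only the main table, and disabled routes (flag X) are skipped. The route entries mirror the `/ip route print` output in the post; the packets fed through it are constructed samples.

```python
"""Policy-routing lookup simulator (added example, not from the forum post).

Assumed model: marked packets consult the routing-mark table first, then the
main table; unmarked packets consult only the main table; disabled routes are
ignored.  Traffic the router originates itself never passes the prerouting
chain, so the post's prerouting mangle rule cannot mark it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: str
    gateway: str
    mark: Optional[str] = None   # routing-mark table this route belongs to
    disabled: bool = False       # 'X' flag in /ip route print


# Mirrors the four entries shown by '/ip route print detail' in the post.
ROUTES = [
    Route("0.0.0.0/0", "192.168.100.254", mark="mark_vdh_from_qdh"),
    Route("0.0.0.0/0", "192.168.100.254", disabled=True),
    Route("172.16.7.0/24", "VDH"),
    Route("192.168.100.0/24", "QDH"),
]

MANGLE_SRC = ip_network("172.16.7.0/24")     # src-address of the mangle rule
MANGLE_MARK = "mark_vdh_from_qdh"


def mangle_mark(src: str, chain: str) -> Optional[str]:
    """Apply the post's single mangle rule: chain=prerouting, src 172.16.7.0/24."""
    if chain == "prerouting" and ip_address(src) in MANGLE_SRC:
        return MANGLE_MARK
    return None


def lookup(routes, dst: str, mark: Optional[str] = None) -> Optional[Route]:
    """Longest-prefix match, marked table first (if any mark), then main."""
    target = ip_address(dst)

    def best(table_mark: Optional[str]) -> Optional[Route]:
        candidates = [
            r for r in routes
            if not r.disabled and r.mark == table_mark
            and target in ip_network(r.dst)
        ]
        return max(candidates, key=lambda r: ip_network(r.dst).prefixlen,
                   default=None)

    if mark is not None:
        hit = best(mark)
        if hit is not None:
            return hit
    return best(None)


def route_packet(routes, src: str, dst: str, chain: str) -> Optional[str]:
    """Return the chosen gateway/interface, or None when no route applies.

    chain is 'prerouting' for forwarded traffic and 'output' for packets the
    router generates itself (e.g. '/ping 8.8.8.8' run on the router).
    """
    hit = lookup(routes, dst, mangle_mark(src, chain))
    return hit.gateway if hit else None


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    print(route_packet(ROUTES, "172.16.7.10", "8.8.8.8", "prerouting"))
    print(route_packet(ROUTES, "192.168.100.251", "8.8.8.8", "output"))
    print(route_packet(ROUTES, "192.168.100.20", "8.8.8.8", "prerouting"))
```

Under this model a LAN host on 172.16.7.0/24 is marked and takes the marked default route, but a ping run on the router itself carries no mark and finds no active unmarked default route, so it cannot leave at all; enabling the second (unmarked) default route is what gives router-originated traffic, and any unmarked forwarded traffic, a path out.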

I am not sure what you are trying to do with the mangle rules, but in the meantime try using Torch on the QDH interface while pinging (say) 8.8.8.8 from the 172 subnet. Are you seeing those ping attempts? Have they been masqueraded to appear from the 192 address? (If not, the other router would have no idea where to return the replies to.)

Also look and see if you are getting both RX and TX traffic on the QDH interface for the ping traffic.

Hi celticcomms,
thank you for your reply. Now I don't know what the Torch utility does, I mean I don't know how to fully comprehend that info (the values keep changing, so I tried to take a decent screenshot of those values).

Keep in mind that from my host (where I did the ping) all the messages are "timeout" (ping 8.8.8.8).

I am not sure what you are trying to do with the mangle rules

This config is done with the bits and pieces that I got here and there (wiki, forum; I took the parts from a post about redirecting a certain kind of HTTP traffic), so if there is a simpler way to do it, please tell me.

thanks again

You might get a clearer picture if you check the options and set the timeout to (say) 30 seconds rather than 3.

Are there other hosts on the 192.168.100.0/24 network? Can they all ping 8.8.8.8 OK? Can they still do it if you disconnect the routerboard from that network and temporarily give the other host the .251 number?

Yes, I did put 30 sec and the result is the same. The packet from 8.8.8.8 seems to come back and point to my router's 192.168.100.251 interface, since I can see Tx, but the Rx counter stays at 0.

Yes, on the 192.168.100.0/24 there are other hosts; there is a switch between the 2 routers, and they can ping and do a tracert to 8.8.8.8 without any problems (this network always existed and worked; only the MikroTik + 172.16.7.0/24 is new).

From the torch screenshot, you can see that 8.8.8.8 is replying to 192.168.100.251.
Have you tried to ping the mentioned address from the router itself?

/ping 8.8.8.8

We are seeing tx traffic from 192.168.100.251 to 8.8.8.8 with no rx replies.

Are you sure that the other router has the same view of the subnet size as your config? Is .251 free? Did you try isolating the routerboard and using .251 on one of the other hosts?

hi,

With the ping command from the router itself I get a timeout message, and I'm sure that 192.168.100.251 is the only one on the network (I unplugged the router and pinged it).

Maybe I am missing some more configuration for routing the packet once it gets to the QDH interface of the router and thus goes into the VDH?

Now I have reduced my config to 2 simple rules:

  • one masquerade in NAT for the 172.16.7.0/24 that should go out from the QDH interface (192.168.100.0/24)
  • I route 0.0.0.0/24 with the default gateway of the other router on the QDH, 192.168.100.254/24

But the problem is still there :frowning:

Resolved, guys, I'm really a nab... in the DNS part of WinBox I discovered that the "Settings" button has what I need to set a damn DNS for every net... I was only adding it to the list below.

Thank you all for your help +karma :slight_smile:
Thanks again,
Fred