Route between Subnets

Hi
I have a

        DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          vpn.Anonine.net           1
 1 ADS  0.0.0.0/0                          82.196.108.1              1
 2 ADC  82.196.108.0/23    82.196.108.172  WAN                       0
 3 ADC  188.126.80.0/32    188.126.94.233  vpn.Anonine.net           0
 4 ADC  192.168.88.0/26    192.168.88.1    LAN2-master               0
 5 ADC  192.168.88.64/26   192.168.88.64   LAN3                      0

But my problem is that IP on lan2 can't talk to IP on lan3 and vice versa.

Any example code how I can fix this??

By default a router would route between all directly connected networks. That’s what routers do, after all.

If you can’t route between directly connected networks there are three common possibilities:

  • you are explicitly blocking that traffic via the IP firewall filter in the ‘forward’ chain
  • hosts on the two networks are not configured correctly to use the router as their default gateway, so the router isn’t being given any packets to route
  • hosts on the two networks are implementing host firewalls, and while traffic is routing just fine (i.e., the router is doing its job) the host firewalls are throwing away the packets.

Now, another thing that is throwing me off is that one interface is called “LAN2-master”, while the other is called “LAN3”. “master” often refers to master ports for switch chips when RouterOS is involved. Is that the case? Can you post the output of “/interface ethernet print detail” if you don’t know how to check yourself? Please wrap any future output in code tags to keep things legible.

/interface ethernet print
Flags: X - disabled, R - running, S - slave 
 #    NAME              MTU MAC-ADDRESS       ARP        MASTER-PORT           SWITCH          
 0 R  WAN              1500 00:0C:42:AD:1B:7A enabled    none                  switch1         
 1 R  LAN2-master      1500 00:0C:42:AD:1B:7B proxy-arp  none                  switch1         
 2 R  LAN3             1500 00:0C:42:AD:1B:7C proxy-arp  none                  switch1         
 3  S LAN4-slave       1500 00:0C:42:AD:1B:7D enabled    LAN2-master           switch1         
 4  S LAN5-slave       1500 00:0C:42:AD:1B:7E enabled    LAN2-master           switch1

Can I provide any more information to help you to help me? :stuck_out_tongue:

Switching is fine. That leaves the other three options I mentioned. Have you ruled out the firewall on the router, the firewall on the hosts, and the host configuration for default gateways? You can post your firewall rules here to have them looked over via “/ip firewall export”.

Can hosts on LAN2 and LAN3 get to the Internet? How are you testing connectivity between LAN2 and LAN3 - what exact test are you running, what are you expecting the test to result in, and what result are you getting instead?

The thing is that if I put the cable into LAN5 everything works, I can ping the hosts and so on.

/ip firewall filter
add action=log chain=input comment="Accept established connections" connection-state=established disabled=yes log-prefix="Accept established connections"
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=log chain=input comment="Drop invalid connections" connection-state=invalid disabled=no log-prefix="Drop invalid connections"
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=log chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 log-prefix="Allow limited pings" protocol=icmp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
add action=drop chain=forward comment="drop invalid connections DELETE" connection-state=invalid disabled=no
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
add action=accept chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
add action=drop chain=forward comment="Blocks SSH" disabled=yes dst-port=22 protocol=tcp
add action=accept chain=input comment="SSH for secure shell" disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment=winbox disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment=web disabled=no dst-port=80 protocol=tcp
add action=log chain=input comment="From our private LAN" disabled=no log-prefix="From LAN" src-address=192.168.88.0/24
add action=accept chain=input comment="From our private LAN" disabled=no src-address=192.168.88.0/24
add action=log chain=input comment="From our private LAN" disabled=no log-prefix="From LAN" src-address=192.168.88.64/26
add action=accept chain=input comment="From our private LAN" disabled=no src-address=192.168.88.64/26

add action=log chain=input comment="Log everything else" disabled=no log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else" disabled=no



/ip route> print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          vpn.Anonine.net           1
 1 ADS  0.0.0.0/0                          82.196.xx.xx             1
 2 ADC  82.196.xx.xx/23    82.196.xx.x  WAN                       0
 3 ADC  188.126.80.0/32    188.126.xx.xx  vpn.Anonine.net           0
 4 ADC  192.168.88.0/26    192.168.88.1    LAN2-master               0
 5 ADC  192.168.88.64/26   192.168.88.64   LAN3                      0

And thanks for answering.

lan2 can connect to internet. lan3 only gets an IP but nothing more.

Then it’s a problem with network connectivity on LAN3 in general. The firewall on the router also wouldn’t be blocking things.

How do hosts on LAN3 receive IP addressing? Statically, or via DHCP? If via DHCP please post the output of “/ip address print detail”, “/ip pool print detail”, and “/ip dhcp-server export”.

Also, just to be thorough, add the output of “/ip firewall nat export”.

 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.88.1/26    192.168.88.0    LAN2-master
 1 D 82.196.108.172/23  82.196.108.0    WAN
 2 D 188.126.94.233/32  188.126.80.0    vpn.Anonine.net
 3   ;;; default configuration
     192.168.88.64/26   192.168.88.64   LAN3



 0   chain=srcnat action=masquerade src-address=192.168.88.0/24 

 1 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=WAN

I should have noticed this from your routing table - at a closer look your IP address for LAN3 is 192.168.88.64/26 - that isn’t valid. 192.168.88.64 is the network address for that network. Your IP address on the router would have to be .65 (or any other non-network, non-broadcast IP address on that network). You didn’t post your DHCP details so I take it you’re not using DHCP, but make sure you’re handing out that IP address as the default gateway if you are.
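
The check described in the reply above, as an added example that is not part of the original thread: a Python script that parses `/ip address print` rows and flags any interface whose address is the network or broadcast address of its subnet. The sample input is constructed from the addresses posted in the thread, and the name `audit_addresses` is hypothetical.

```python
import ipaddress
import re

# Constructed sample: the "/ip address print" rows from the thread, whitespace-trimmed.
SAMPLE = """\
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.88.1/26    192.168.88.0    LAN2-master
 1 D 82.196.108.172/23  82.196.108.0    WAN
 2 D 188.126.94.233/32  188.126.80.0    vpn.Anonine.net
 3   ;;; default configuration
     192.168.88.64/26   192.168.88.64   LAN3
"""

# ADDRESS/prefix, then the NETWORK column, then the INTERFACE name at end of line.
ROW = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+\S+\s+(\S+)\s*$")


def audit_addresses(text):
    """Return (interface, address, problem, suggested_address) for each bad row."""
    findings = []
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue  # header or ";;;" comment line
        iface = ipaddress.ip_interface(m.group(1))
        net = iface.network
        if net.prefixlen >= 31:
            continue  # /31 and /32 (point-to-point) reserve no network/broadcast address
        if iface.ip == net.network_address:
            problem = "network address"
        elif iface.ip == net.broadcast_address:
            problem = "broadcast address"
        else:
            continue
        # Suggest the first usable host address in the same subnet.
        first_host = next(net.hosts())
        findings.append(
            (m.group(2), str(iface), problem, f"{first_host}/{net.prefixlen}")
        )
    return findings


if __name__ == "__main__":
    for name, addr, problem, fix in audit_addresses(SAMPLE):
        print(f"{name}: {addr} is the {problem} of its subnet; use e.g. {fix}")
```
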

I changed it to 65 and now I can ping from lan2 to lan3 but not from lan3 to lan2.
What can that be?

Something is wrong with the hosts. Obviously traffic can be routed both ways: pinging is an ICMP echo request from LAN2 to LAN3, and then an ICMP echo reply from LAN3 to LAN2. Traffic must therefore be routed correctly.