route to another MK

Probably really messed this up, but it seems like there should be a way to make this work.
I wish to note right now that I am having to fix this remotely so a complete reset is not an option.

I have a main MK router (MK1), which is the router to the Internet and firewall. It hosts DHCP for internal 192.168.1.0/24. Its IP is 192.168.1.1
Another MK router (MK2) has a client IP of 192.168.1.154. But it too hosts DHCP for 192.168.88.0/24. It is connected to ETH10 on MK1.
Of course all clients on the 88.0 network can access the 1.0 network no problem. But not vice versa.
It seems to me there should be a way to route traffic from the 1.0 network over to the 88.0 network. But so far I have not figured it out.

There is effectively pretty much no firewall on MK2 since it’s not necessary. However, just to be certain that that wasn’t an issue, I added a firewall rule to allow all traffic from 1.0 to 88.0, just as I have on MK1.

I’ve seen setups on the web where there is a completely different subnet between the 2 MKs. But I don’t think that’ll be an option considering that I’m having to remote in.
Any advice that solves the issue would be greatly appreciated.

Here's the routing tables. You see I created the 4th one, but it doesn't work....

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

2 ADC 192.168.1.0/24 192.168.1.1 bridge 0
3 ADC 192.168.23.0/24 192.168.23.1 bridge-guests 0
4 AS 192.168.88.0/24 192.168.1.154 2

On MK1, it is a simple route:

/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.1.154

On MK2, you will need to exclude 192.168.1.0/24 from the default src-nat rule (using dst-address=!192.168.1.0/24 or an address list) or disable the src-nat rule on MK2 and let MK1 handle all for both (the default src-nat rule on MK1 will work for both.)

Edit: I see you already have half of it! :wink:

2frogs! Thank you so much for the reply.
On MK2 the NAT config is:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

But you’re saying it should be:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade dst-address=!192.168.1.0/24 out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
[admin@MikroTik] /ip firewall nat>

Doesn’t seem to work…

I then tried disabling src-nat, but that also isn’t working…

Wait I’m just masquerading… I should be doing something else, no?

Ok I changed it to:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none

1 chain=srcnat action=accept dst-address=!192.168.1.0/24 log=no log-prefix=""

Still not working.

Do you still have the default filter rules on MK2? The last one for chain=forward is to drop everything not dst-nat, so you would need to disable it or add an accept above it for the other network.

/ip firewall filter
add chain=forward src-address=192.168.1.0/24 action=accept

If you are still having issues, from terminal do /export hide-sensitive filename=myexport. You can download the myexport.rsc from each and use your favorite text editor to remove any other sensitive/personal information and post them in the code wrapper.
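The changes 2frogs describes, gathered into one place as an added example (not a config posted by either participant) using the addresses from this thread; ether1 as the WAN-list member on MK2 and the rule comments used for placement are assumptions:

```routeros
# MK1 (192.168.1.1): static route so 192.168.1.0/24 hosts reach 192.168.88.0/24 via MK2
/ip route
add dst-address=192.168.88.0/24 gateway=192.168.1.154 distance=1 comment="to MK2 LAN"

# MK2 (192.168.1.154 on its WAN side, DHCP server for 192.168.88.0/24 on its bridge)
# 1) Keep masquerade for Internet-bound traffic only. Traffic toward 192.168.1.0/24
#    is left un-NATed so MK1's firewall sees the real 192.168.88.x source and
#    the MK1 route above gives a symmetric return path.
/ip firewall nat
set [ find comment="defconf: masquerade" ] dst-address=!192.168.1.0/24

# 2) The default forward chain ends with "drop all from WAN not DSTNATed".
#    Connections from 192.168.1.0/24 arrive on MK2's WAN-list interface
#    (ether1, assumed) and are not dst-nated, so they need an explicit accept
#    placed ABOVE that drop rule. Scope it to the 88.0 destination instead of
#    accepting anything the 1.0 network sends.
/ip firewall filter
add chain=forward action=accept src-address=192.168.1.0/24 \
    dst-address=192.168.88.0/24 in-interface-list=WAN \
    comment="allow MK1 LAN into MK2 LAN" \
    place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]

# For comparison, a rule with a typo in the destination network never matches,
# and the packet falls through to the drop rule:
# add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24

# Verify: the accept rule's counters should increase while a 1.0 host
# connects to an 88.0 host.
/ip firewall filter print stats where comment="allow MK1 LAN into MK2 LAN"
```

If the counters stay at zero, check with /ip firewall filter print that the accept rule actually sits above the "drop all from WAN not DSTNATed" rule and that the incoming interface really is in the WAN list.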

Here are the rules. You see the 3rd rule I would have hoped allowed anything from the other network.

Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; winbox http
chain=input action=accept protocol=tcp src-address=192.168.1.0/24 dst-port=80 log=no log-prefix=""

3 chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 log=no log-prefix=""

4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

6 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

You are routing to 192.168.88.0/24, but that filter rule is for traffic destined to 192.168.2.0/24. So which one are you trying to reach?

I’ll delete the 88.0 dst. But yeah, that’s exactly what I need to reach from 1.0 network.

OMG! I had 2.0 in there. Now I see. I’m an idiot…

OK, I think it’s starting to work!
Thank you SO MUCH TWOFROGS!!!

How many times did I look at the rules and the 2 never set off an alarm!!!