Route unreachable yet I can ping and access the gateway

Problem: I have a static route 0.0.0.0/0 with gateway unreachable, but I can ping, traceroute and access the gateway web interface.

Here is a quick summary of my setup…
Two sites, let's call them sites A and B.

—IPs—

SITE A
Eth1: 192.168.1.91/24 - Used by PC hosts and one internet gateway located at IP 192.168.1.1
Wlan1: 192.168.99.91/24 - Used to connect to site B

SITE B
Eth1: 192.168.2.94/24 - Used by PC hosts
Wlan1: 192.168.99.94/24 - Used to connect to site A

—Routes—

SITE A
Static route 192.168.2.0/24 pointing to 192.168.99.94 (Reachable)
Static route 0.0.0.0/24 pointing to 192.168.1.1 (Reachable)

SITE B
Static route 192.168.1.0/24 pointing to 192.168.99.91 (Reachable)
Static route 0.0.0.0/24 pointing to 192.168.1.1 (Unreachable)

—Firewall—

SITE A
SRCNAT 192.168.99.0/24, ACTION = Masquerade

—PING—
I can ping all 192.168.1.0/24 IPs from subnet 192.168.2.0/24
And I can also ping all 192.168.2.0/24 IPs from subnet 192.168.1.0/24

—Problem—
At site B I have an unreachable static route 0.0.0.0/0 pointing to gateway 192.168.1.1 Located at site A.
Yet I can ping and access the gateway's web interface.

—Things I have tried—

  1. Setting Preferred source - unreachable
  2. Changing the gateway ip on the route to that of a PC on site A - unreachable
  3. Disabled, enabled and modified firewall rules on both sides. - Without the Masquerade rule on site A the internet gateway thinks the source IP is on the internet and sends out the reply packet on the WAN interface.

So what am I missing here???
Any advice please…

Hello

You probably made a mistake in copying the routes: instead of 0.0.0.0/24 it is probably 0.0.0.0/0; you can check it.
Second, on router B, except for the dynamic routes, there should be just a default route 0.0.0.0/0 pointing to 192.168.99.91 - in this case those routers are aware only of their first “neighbours”.
Third, I do not know why you have set such firewall settings on router A. I do not know whether you have access to the 192.168.1.1 router; if you have, there is no need to masquerade on router A. There is a difference between a fully-routed and a NAT-ed network.

Thanks for the reply.
The 0.0.0.0/24 was a typo on my post.
It is configured as 0.0.0.0/0 on the router(s).

Problem solved…
I changed the Static route at site B.
Was: “0.0.0.0/0 pointing to 192.168.1.1 (Unreachable)” - This is wrong. Not supposed to point directly to the gateway
Now: “0.0.0.0/0 pointing to 192.168.99.91 (Reachable)” - Router B will Masquerade the packets and send them to gateway 192.168.1.1

And I added a firewall rule at site B.
SRCNAT 192.168.2.0/24, ACTION = Masquerade.

This essentially changed my setup to a NAT-ed network.

The reason why I have the Masquerade firewall rules is because I actually have many other network connections on Routers A and B besides the above mentioned.
These connections require me to have this rule.
I did not mention this because it tends to confuse people when you throw too much info into the equation.

Thanks for the help. :slight_smile:
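
The behaviour resolved in this thread, as an added example that is not part of the original posts: a simplified model of router B in which a static route is active only when its gateway lies in a directly connected subnet (recursive next-hop resolution is ignored). The interface addresses and routes are the ones from the first post; the destination 203.0.113.10 is a constructed sample address standing in for an internet host.

```python
import ipaddress

# Router B as described in the thread: interface addresses and static routes.
INTERFACES = {"eth1": "192.168.2.94/24", "wlan1": "192.168.99.94/24"}
STATIC_ROUTES = [
    ("192.168.1.0/24", "192.168.99.91"),   # shown as reachable
    ("0.0.0.0/0", "192.168.1.1"),          # shown as unreachable
]

def connected_networks(interfaces):
    """Map each interface name to the subnet it is directly attached to."""
    return {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}

def on_link_interface(gateway, interfaces):
    """Interface whose connected subnet contains the gateway, else None."""
    gw = ipaddress.ip_address(gateway)
    for name, net in connected_networks(interfaces).items():
        if gw in net:
            return name
    return None

def active_routes(interfaces, static_routes):
    """Connected routes plus the static routes whose gateway is on-link."""
    table = [(net, None, n) for n, net in connected_networks(interfaces).items()]
    for dst, gw in static_routes:
        ifname = on_link_interface(gw, interfaces)
        if ifname is not None:
            table.append((ipaddress.ip_network(dst), gw, ifname))
    return table

def lookup(dest, interfaces, static_routes):
    """Longest-prefix match over active routes: (gateway, interface) or None."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in active_routes(interfaces, static_routes) if addr in r[0]]
    if not hits:
        return None
    _, gw, ifname = max(hits, key=lambda r: r[0].prefixlen)
    return (gw, ifname)

if __name__ == "__main__":
    for dst, gw in STATIC_ROUTES:
        print(f"{dst} via {gw}:", on_link_interface(gw, INTERFACES) or "unreachable")
    # 192.168.1.1 is still a valid destination through the 192.168.1.0/24 route.
    print("to 192.168.1.1:", lookup("192.168.1.1", INTERFACES, STATIC_ROUTES))
    fixed = [STATIC_ROUTES[0], ("0.0.0.0/0", "192.168.99.91")]
    print("to 203.0.113.10 before:", lookup("203.0.113.10", INTERFACES, STATIC_ROUTES))
    print("to 203.0.113.10 after: ", lookup("203.0.113.10", INTERFACES, fixed))
```

Pinging 192.168.1.1 works because it is forwarded as a destination through 192.168.99.91, while the same address cannot serve as a next hop because router B has no interface in 192.168.1.0/24.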

Problem:

I have a router which is connected by LAN, over my router's ether 5, to a point-to-point Mikrotik on my roof:

IP addresses of my point-to-point:

  1. 192.168.134.19
  2. internet routable IP a.b.c.49 /28


IP addresses of my Mikrotik router's ether 5:

  1. 192.168.134.20
  2. internet routable IP a.b.c.50 /28

my local range on sfp port:
192.168.0.0/24


So I can ping a.b.c.49 and IP 192.168.134.19 from my router.
I wrote a masquerade rule on my firewall for my local LAN range.

I have 3 internet lines over different ISPs.
I use packet marks to use these internet lines on my LAN.

I wrote a default route over ether 5 and it shows reachable, but there is no internet over ether 5 when I ping.
I changed my route's gateway to a.b.c.49 and it showed unreachable.



I really don’t know how to change my route to have internet access over ether 5.

I am sending all the photos and configuration:

ip address :

0 ;;; Local-Lan
192.168.0.254/24 192.168.0.0 Bridge-LAN
1 ;;; KhorshidNet-Local-interface
172.31.24.12/24 172.31.24.0 ether1
2 ;;; Mokhaberat-Local-interface
192.168.2.2/24 192.168.2.0 ether3
4 192.168.10.1/30 192.168.10.0 ether2
5 X a.b.c.50/32 46.209.212.48 ether5
6 192.168.134.20/28 192.168.134.16 ether5
7 D 81.29.244.153/32 192.168.100.1 KhorshidNet ----- > first internet
8 D 93.118.97.93/32 2.177.0.1 Mokhaberat --------> second internet

firewall :
0 ;;; Respina
chain=srcnat action=masquerade src-address=192.168.0.0/24
out-interface=ether5 log=no log-prefix=“”

1 ;;; KhorshidNet
chain=srcnat action=masquerade src-address=192.168.0.0/24
out-interface=KhorshidNet log=no log-prefix=“”

2 ;;; Mokhaberat
chain=srcnat action=masquerade src-address=192.168.0.0/24
out-interface=Mokhaberat log=no log-prefix=“”

3 ;;; Modem ADSL
chain=srcnat action=masquerade src-address=192.168.0.0/24
out-interface=ether3 log=no log-prefix=“”

4 ;;; Vpn to Lan
chain=srcnat action=accept src-address=1.2.3.4
dst-address-list=Connected Route log=no log-prefix=“”

5 ;;; Lan to Vpn
chain=srcnat action=accept dst-address=1.2.3.4
src-address-list=Connected Route log=no log-prefix=“”

6 X ;;; Vpn Internet
chain=srcnat action=masquerade src-address=1.2.3.4
out-interface=KhorshidNet log=no log-prefix=“”

7 chain=srcnat action=accept src-address=192.168.0.0/24
dst-address=192.168.1.0/24 log=no log-prefix=“”

8 ;;; Udp DNS route to server
chain=dstnat action=accept to-ports=xxx protocol=udp
src-address=1.2.3.4 src-address-list=!Domain Servers dst-port=xxx
log=no log-prefix=“”

9 ;;; Tcp DNS route to server
chain=dstnat action=accept to-ports=xxx protocol=tcp
src-address=1.2.3.4 src-address-list=!Domain Servers dst-port=xxx
log=no log-prefix=“”

10 ;;; Udp DNS route to server
chain=dstnat action=redirect to-ports=xxx protocol=udp
src-address-list=!Domain Servers dst-port=xxx log=no log-prefix=“”

11 ;;; Tcp DNS route to server
chain=dstnat action=redirect to-ports=xxx protocol=tcp
src-address-list=!Domain Servers dst-port=xxx log=no log-prefix=“”

12 ;;; DVR1
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp in-interface=KhorshidNet dst-port=xxx log=no log-prefix=“”

13 ;;; DVR2
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp in-interface=KhorshidNet dst-port=xxx log=no log-prefix=“”

14 ;;; DVR Zero floor
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp in-interface=KhorshidNet dst-port=xxx log=no log-prefix=“”

15 X ;;; Teamyar Web
chain=dstnat action=dst-nat to-addresses=192.168.0.? protocol=tcp
dst-address=1.2.3.4 in-interface=Mokhaberat dst-port=xxx log=no
log-prefix=“”

16 ;;; Delcarino - Argham
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp dst-address=1.2.3.4 in-interface=KhorshidNet
dst-port=xxx log=no log-prefix=“”

17 ;;; Delcarino - Argham - port xxx
chain=dstnat action=dst-nat to-addresses=192.168.0.? protocol=tcp
dst-address=81.29.244.153 in-interface=KhorshidNet dst-port=xxx log=no
log-prefix=“”

18 ;;; Delcarino - Argham - port xxx
chain=dstnat action=dst-nat to-addresses=192.168.0.? protocol=tcp
dst-address=1.2.3.4 in-interface=KhorshidNet dst-port=xxx log=no
log-prefix=“”

19 ;;; Delcarino - Argham - port xxx
chain=dstnat action=dst-nat to-addresses=192.168.0.?2 protocol=tcp
dst-address=1.2.3.4 in-interface=KhorshidNet dst-port=xxx log=no
log-prefix=“”
20 ;;; Delcarino - Argham - port xxx
chain=dstnat action=dst-nat to-addresses=192.168.0.? protocol=tcp
dst-address=81.29.244.153 in-interface=KhorshidNet dst-port=xxx log=no
log-prefix=“”

21 ;;; Kart
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xx
protocol=tcp dst-address=1.2.3.4 in-interface=KhorshidNet
dst-port=xxx log=no log-prefix=“”

22 ;;; Nossa- xxx - soap
chain=dstnat action=dst-nat to-addresses=192.168.0.? to-ports=xxx
protocol=tcp dst-address=1.2.3.4 in-interface=KhorshidNet
dst-port=xxx log=no log-prefix=“”