Routing and redirect from same network

Hello! I have a problem and can’t find a solution … probably asking the wrong questions ;(

I need to add new isolated networks for external servers communicating over a different WAN, but still provide communication with selected hosts from the existing internal network.
I can’t replace the existing Linksys router, but I added a route to my new network behind the mikrotik.
(attached image: Mikrotik routing problem.jpg)
I got filter rules and NAT sorted, but I have a more basic problem with routing.
My workstations have their default route pointing to the Linksys, 192.168.2.110.
In the Linksys I added a route to 10.64.128.0 MASK 255.255.248.0 through 192.168.2.111,
but it does not work unless I ping 192.168.2.110 from my mikrotik 192.168.2.111
or add a route to my 10.64.128.x network on a specific workstation.

If I ping 10.64.128.2 from 192.168.2.4, most of the time I can see with Torch the ping packets arriving at bridge port eth2 but not at the bridge.

I tested /ip settings with the RP filter set to loose, but with no effect.
What am I doing wrong?

You’ve lost me at this line:

I can’t correlate your explanation with the network chart.

Other than that: if the Linksys works like a decent router, it reacts to packets originating from 192.168.2.0/24 and targeting 10.64.128.0/22 with an ICMP redirect sent to the original sender. If the original sender is using an over-configured firewall, it can drop this ICMP packet and keep bothering the Linksys. IMHO the Linksys is supposed to forward all packets to the RB, but then Linksys could implement that differently.
It is weird that the Linksys only forwards packets to the RB if the RB pings it … as if the RB was pushing itself into the Linksys’ ARP table while the Linksys was not able to find the RB’s MAC address on its own (perhaps there’s a bug where the Linksys won’t do an ARP request if it has to forward a packet to a better router or something?).

Will it help if you connect mikrotik directly to linksys, not via the switch?
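Added example, not from the thread or from either router: a small forwarding model built from the topology described above (Linksys on 192.168.2.110/24, its static route to 10.64.128.0 mask 255.255.248.0, i.e. /21, via 192.168.2.111). It shows the classic condition under which a router emits an ICMP redirect, which is why a workstation that drops redirects (a common hardening setting, since accepting them allows traffic steering on the LAN) keeps sending every packet through the Linksys. The ISP gateway address and interface names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str]  # None means directly connected

# Constructed routing table of the Linksys as described in the thread.
# 203.0.113.1 is a placeholder for the real ISP gateway.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan", "203.0.113.1"),
    Route(ipaddress.ip_network("192.168.2.0/24"), "lan", None),
    # The route added on the Linksys: 10.64.128.0 mask 255.255.248.0 via the MikroTik.
    Route(ipaddress.ip_network("10.64.128.0/21"), "lan", "192.168.2.111"),
]
# Subnets attached to each router interface (placeholder WAN subnet).
IFACE_NETS = {
    "lan": ipaddress.ip_network("192.168.2.0/24"),
    "wan": ipaddress.ip_network("203.0.113.0/24"),
}

def lookup(dst: str) -> Route:
    """Longest-prefix match over ROUTES (the default route always matches)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for r in ROUTES:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def forward(src: str, dst: str) -> Tuple[str, str, bool]:
    """Return (next_hop, out_iface, redirect) for a packet received by the router.

    redirect is True under the RFC 1812 condition: the packet leaves on the
    same interface it arrived on and the next hop is on the sender's subnet,
    so the router tells the sender to use that next hop directly. A host that
    drops the redirect keeps routing through this router for every packet.
    """
    src_ip = ipaddress.ip_address(src)
    in_iface = next((i for i, n in IFACE_NETS.items() if src_ip in n), "wan")
    r = lookup(dst)
    next_hop = r.gateway or dst  # directly connected: deliver to dst itself
    redirect = (r.iface == in_iface
                and r.gateway is not None
                and ipaddress.ip_address(r.gateway) in IFACE_NETS[in_iface])
    return next_hop, r.iface, redirect
```

A workstation pinging 10.64.128.2 hits the redirect case, while its Internet traffic does not; this is the behaviour the reply above attributes to a "decent router".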

eth2 is a port of bridge-g on the mikrotik,
but now I can’t see it.

No.
Still the same symptoms.

Torch can’t see packets on which bridge, bridge-g or bridge-s?

BTW, if eth2 is the only member of bridge-g, you can eliminate bridge-g and set IP address directly on eth2 port.

I do not know how to check the Linksys ARP table.
I can only check routes:
(attached image: routing.JPG)

There are also wifi interfaces in bridge-g.
I will try removing the bridge for a test, but I can’t do it today.

So, once again:

  1. you create a route on linksys
  2. it doesn’t work - devices on 192.168.2.0/24 can’t reach devices in 10.64.128.0/22.
    3a) you ping 192.168.2.110 from 192.168.2.111: the route starts working and devices on 192.168.2.0/24 can reach devices in 10.64.128.0/22 - everything works as it should?
    3b) you add a route to 10.64.128.0/22 on one device from 192.168.2.0/24, try to ping 10.64.128.0/22 and then all devices gain access to 10.64.128.0/22? or just that one device with the route?
  3. how you return to step 2, when everything is not working again?

How does 192.168.2.111 get its address: from DHCP on 192.168.2.110, or do you assign it manually?

  1. yes
  2. yes
    3a) yes, when the ping is performed everything works as it should.
    The ping takes about 5 timeouts before receiving replies, and while it is running (and a few seconds after) devices from 192.168.2.0/24 can communicate with 10.64.128/22.
    3b) only the device with the route configured.
  3. I don’t understand the question.
    If you are asking how to return to the state where 192.168.2.0/24 can not communicate with 10.64.128/22, then I just stop pinging.

How does 192.168.2.111 get its address: from DHCP on 192.168.2.110, or do you assign it manually?

It is assigned manually, as for most devices in that network.

One more interesting observation:
if I ping 192.168.2.111 from 129.168.2.110 it receives replies, but 192.168.2.0/24 still can’t communicate with 10.64.128/22.

P.S. sorry for the delay, I had to get out of the building before the alarm armed itself.

In your Linksys config for the route I see that you chose “3 (DMZ)”.
Is it possible that the Linksys applies some different firewall behaviour to this route because of that?
For example opening/closing ports automatically?
Are DMZ settings configured anywhere else?

“DMZ” is a name I have given to the route.
Rule 1 is for 192.168.0.0/24
Rule 2 is for 192.168.20.0/24
Rule 3 is for 10.64.128.0/16
On the Linksys there is only one forwarded port (9xxx) configured.
Just NAT for 192.168.2/24 and 3 routes.
The DMZ function is disabled.

I can ping any machine in the 192.168.2.0/24 network from the other routes - 192.168.0.0 and 192.168.20.0

What does the route to 192.168.2.0/24 on the mikrotik look like?

/ip> route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          91.xxx.xxx.xxx            1
 1 X S  0.0.0.0/0          91.xxx.xxx.xxx  91.xxx.xxx.xxx            1
 2 ADC  10.64.128.0/24     10.64.128.1     vlan128                   0
 3 ADC  10.64.130.0/24     10.64.130.1     vlan130                   0
 4 ADC  10.64.131.0/24     10.64.131.1     vlan131                   0
 5 ADC  91.xxx.xxx.xxx/28  91.xxx.xxx.xxx  ether1                    0
 6 A S  192.168.0.0/24     192.168.2.111   192.168.2.110             1
 7 ADC  192.168.2.0/24     192.168.2.111   bridge-geo                0

I don’t see anything wrong except the distance for №6 - why not 0?
But that’s unrelated to the current problem.

Do you have any specific rules in your firewall?
Post your /ip firewall export here.

Can’t think of anything else that can be a problem on mikrotik’s side.

I have many specific rules in /ip firewall:
in nat there are a few dst-nat rules for trusted networks, and a few others for anybody;
in filter I have rules blocking almost everything from WAN and my DMZ except 10.64.128.0/24,
but for tests I place Allow filters for INPUT, FORWARD and OUTPUT before them.
In other cases I had problems with FastTrack, so I disabled it for the tests in /IP settings.

# aug/24/2018 22:15:00 by RouterOS 6.42.7
# model = RBD52G-5HacD2HnD

/ip firewall address-list
add address=foo.bar.com comment=#WEBEWID list=\
    NET-Ext-Trusted
add address=xxx.xxx.xxx.x48 comment="#WEBEWID Geodezja" list=NET-Ext-Trusted
add address=xxx.yyy.zzz.10 comment=firma list=NET-Ext-Trusted
add address=some.network.com comment="#Knock: Allow some.network.com" list=\
    ALLOWED_EXTERNAL_HOSTS
add address=xxx.xxx.xxx.x46 comment="#WEBEWID Geodezja WebEwid OLD" list=\
    NET-Ext-Trusted
add address=xxx.yyy.zzz.57 comment="#ZSIP HyperView" list=NET-Ext-Trusted
add address=some.network.com comment="#Knock: Allow some.network.com" list=\
    NET-Ext-Trusted
add address=xxx.yyy.zzz.10 comment=firma list=ALLOWED_EXTERNAL_HOSTS
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=log chain=forward comment=#WEBEWID disabled=yes protocol=icmp
add action=accept chain=input comment="#TEST: ALLOW ALL INPUT" disabled=yes
add action=accept chain=forward comment="#TEST: ALLOW ALL FORWARD" disabled=\
    yes
add action=accept chain=output comment="#TEST: ALLOW ALL OUTPUT" disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept DNS from DMZ" \
    dst-port=53 in-interface-list=DMZ_LAN protocol=udp
add action=add-src-to-address-list address-list=PORTKNOCK_STAGE_1 \
    address-list-timeout=20s chain=input comment=#Knock connection-state=new \
    dst-port=15000 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=PORTKNOCK_STAGE_2 \
    address-list-timeout=20s chain=input comment=#Knock connection-state=new \
    dst-port=1500 in-interface-list=WAN protocol=tcp src-address-list=\
    PORTKNOCK_STAGE_1
add action=add-src-to-address-list address-list=ALLOWED_EXTERNAL_HOSTS \
    address-list-timeout=15m chain=input comment=#Knock connection-state=new \
    dst-port=9999 in-interface-list=WAN protocol=tcp src-address-list=\
    PORTKNOCK_STAGE_2
add action=accept chain=input comment="#Knock: allow without knocking" \
    disabled=yes dst-port=10000,2222,8000 protocol=tcp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="#Knock: Allow input if knocked" \
    connection-state=new in-interface-list=WAN src-address-list=\
    ALLOWED_EXTERNAL_HOSTS
add action=accept chain=input comment="Port Knocking Secured" disabled=yes \
    src-address-list=Knocking-secure
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Accept LAN forwarding" \
    in-interface-list=LAN out-interface-list=LAN
add action=accept chain=forward comment=#WEBEWID dst-address=192.168.2.7 \
    src-address=10.64.130.2
add action=accept chain=forward comment=#WEBEWID dst-address=10.64.130.2 \
    src-address=192.168.2.7
add action=accept chain=forward comment="#ZSIP #ISDP_WS #ISDP_WN" \
    dst-address=192.168.2.7 src-address=10.64.131.0/30
add action=accept chain=forward comment="#ZSIP #ISDP_WS #ISDP_WN" \
    dst-address=10.64.131.0/30 src-address=192.168.2.7
add action=accept chain=forward comment=#MGMT dst-address=192.168.2.0/24 \
    src-address=10.64.128.2
add action=accept chain=forward comment=#MGMT dst-address=10.64.128.2 \
    src-address=192.168.2.0/24
add action=accept chain=forward comment=#MGMT disabled=yes dst-address=\
    192.168.2.0/24 src-address=10.64.130.2
add action=accept chain=forward comment=#MGMT disabled=yes dst-address=\
    10.64.130.2 src-address=192.168.2.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="#Knock: allow without knocking" \
    disabled=yes dst-port=80,443 protocol=tcp
add action=accept chain=forward comment=\
    "#WebEwid: Allow acces to www; \r\
    \n#Knock: allow without knocking" dst-port=80,443 out-interface=vlan130 \
    protocol=tcp
add action=accept chain=forward comment=\
    "#ZSIP: Allow acces to www; \r\
    \n#Knock: allow without knocking" dst-port=80,443 out-interface=vlan131 \
    protocol=tcp
add action=accept chain=forward comment=\
    "#ISDP_WS: Allow acces to OpenVPN; \r\
    \n#Knock: allow without knocking" dst-port=1194 out-interface=vlan131 \
    protocol=udp
add action=accept chain=forward comment="ALLOW trusted networks" \
    src-address-list=NET-Ext-Trusted
add action=accept chain=forward comment="#Knock: Allow forward if knocked" \
    connection-state=new src-address-list=ALLOWED_EXTERNAL_HOSTS
add action=accept chain=forward comment="#TEST: drop all forward from WAN" \
    disabled=yes in-interface-list=WAN log=yes
add action=drop chain=forward comment="#Knock: drop all forward from WAN" \
    in-interface-list=WAN
add action=drop chain=forward comment="#Knock: drop all forward from DMZ" \
    in-interface-list=DMZ_LAN
add action=drop chain=forward comment="#Knock: drop all forward all Other" \
    disabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="#WEBEWID Management" dst-address=\
    xxx.xxx.xxx.x51 dst-port=22 protocol=tcp src-address-list=NET-Ext-Trusted \
    to-addresses=10.64.130.2
add action=dst-nat chain=dstnat comment=\
    "#WEBEWID Ext_WebEwid -> (vlan130) Int_WebEwid" dst-address=xxx.xxx.xxx.x51 \
    dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=\
    10.64.130.2
add action=dst-nat chain=dstnat comment="#ZSIP RDP" dst-address=xxx.xxx.xxx.x47 \
    dst-port=3389 protocol=tcp src-address-list=NET-Ext-Trusted to-addresses=\
    10.64.131.2
add action=dst-nat chain=dstnat comment=\
    "#ZSIP Ext_ZSIP -> (vlan131) Int_ZSIP" dst-address=xxx.xxx.xxx.x47 \
    dst-port=80,443 in-interface-list=WAN protocol=tcp src-address-list=\
    NET-Ext-Trusted to-addresses=10.64.131.2
add action=dst-nat chain=dstnat comment="#ISDP_WN RDP" dst-address=\
    xxx.xxx.xxx.x49 dst-port=3389 protocol=tcp src-address-list=NET-Ext-Trusted \
    to-addresses=10.64.131.3
add action=dst-nat chain=dstnat comment=\
    "#ISDP_WN Ext_ISDP -> (vlan131) Int_ISDP_WN" dst-address=xxx.xxx.xxx.x49 \
    dst-port=80,443 in-interface-list=WAN protocol=tcp src-address-list=\
    NET-Ext-Trusted to-addresses=10.64.131.3
add action=dst-nat chain=dstnat comment=\
    "#ISDP_WS Ext_ISDP -> (vlan131)  Int_ISDP_W_Stary" dst-address=\
    xxx.xxx.xxx.x49 dst-port=1194 in-interface-list=WAN protocol=udp \
    to-addresses=10.64.131.4
add action=src-nat chain=srcnat comment=\
    "#FIXME! #WEBEWID Int_WebEwid -> Ext_WebEwid (vlan130)" disabled=yes log=\
    yes out-interface-list=!LAN src-address=10.64.130.0/24 to-addresses=\
    xxx.xxx.xxx.x51
add action=src-nat chain=srcnat comment="src-nat because static IP (others)" \
    disabled=yes ipsec-policy=out,none out-interface-list=WAN to-addresses=\
    xxx.xxx.xxx.x47
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

And /interface

# aug/25/2018 12:48:19 by RouterOS 6.42.7
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=B8:69:F4:09:6B:B6 auto-mac=no comment=defconf name=bridge-geo
add fast-forward=no name=bridge-servers
add disabled=yes fast-forward=no name=bridge-wlan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=SPO_GK_01 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=SPO_GK_01 wireless-protocol=802.11
/interface vlan
add interface=bridge-servers name=vlan128 vlan-id=128
add interface=bridge-servers name=vlan130 vlan-id=130
add interface=bridge-servers name=vlan131 vlan-id=131
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=LAN name=DMZ_LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=*** \
    wpa2-pre-shared-key=***
/interface bridge filter
add action=log chain=input disabled=yes in-interface=ether2 ip-protocol=icmp \
    mac-protocol=ip
/interface bridge port
add bridge=bridge-geo comment=defconf interface=ether2
add bridge=bridge-geo comment=defconf disabled=yes interface=ether3
add bridge=bridge-geo comment=defconf disabled=yes interface=ether4
add bridge=bridge-geo comment=defconf disabled=yes interface=ether5
add bridge=bridge-geo comment=defconf interface=wlan1
add bridge=bridge-geo comment=defconf interface=wlan2
add bridge=bridge-servers interface=ether3
add bridge=bridge-servers interface=ether5
add bridge=bridge-servers interface=ether4
/interface list member
add comment=defconf interface=bridge-geo list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge-wlan list=LAN
add interface=vlan128 list=DMZ_LAN
add interface=vlan130 list=DMZ_LAN
add comment=defconf disabled=yes interface=ether2 list=LAN
add interface=vlan131 list=DMZ_LAN
add interface=bridge-servers list=LAN
/interface pptp-server server
set default-profile=Geo_as_local enabled=yes

I didn’t spot any potential problems,
especially if you allow everything in the firewall during the tests.

I can suggest you take any other mikrotik router and try to simulate the situation:
first placing it instead of the Linksys, with your first mikrotik in place and configured as it is now;
and second, in place of your current mikrotik, with a simplified configuration.