Routing error between networks

Good morning! I am experiencing a routing problem between two private networks, which I will explain:

Context:
1.- Edge firewall: it is a Mikrotik CCR1009 model.

a.- On this Mikrotik, there are Firewall rules such as Filter, NAT, Mangle, and RAW (specifically to rule out the problem I have).

b.- Under this, there are Mikrotik routers for different services, for example, Mikrotik A with subnets (networks a and b) and Mikrotik B (... x, y, z) connected to various Internet service nodes.

2.- Most of the Mikrotiks are updated to firmware 7.2x.

Symptom:

1.- When performing a trace from Mikrotik A with network a (10.10.20.2/30) to network y (10.250.220.1/28), THERE ARE NO PROBLEMS.
2.- However, from Mikrotik A with network b (192.168.233.0/24) to network y (10.250.220.1/28), IT DOES NOT REACH. It stops at the Firewall (Mikrotik CCR1009).
3.- Performing the trace in the reverse direction according to the previous step obviously does not succeed and stops at the CCR1009 Firewall.

4.- We created a RAW rule to avoid any conflict that might occur with the other firewall rules, and the log generates these results. See image_1, image_2.

What could be the problem?


Anything in the configurations you did not post (not even the single RAW rule you used; you shared only a couple of log entries it produced).

Is this a sort of quiz or is it an actual problem you are having and that you are asking some assistance for solving?

If the second, post the configurations of the devices involved, instructions here:

Depending on the particular setup, there might be a routing triangle between those 3 routers: a packet from network a passes router A, then the main router, then router B, and then goes towards target network x. If the packet in the reverse direction skips the main router (because router B somehow knows that router A is the gateway towards subnet a), then the firewall (the connection tracking machinery in particular) on the main router gets out of sync because some packets are bypassing it.

One test to see if this is indeed the problem would be to add a raw firewall rule with action "notrack" for traffic between the subnets off routers A and B (and have a firewall filter rule which allows untracked packets as one of the early rules). A more permanent (and "cheaper" for the CPUs on the routers) solution would be to add appropriate routes on routers A and B.

If you actually want to force traffic between those subnets through the main router for some reason, then you'll have to look into the routing settings on all 3 routers ... or actually have the connections between the main router and each of routers A and B in a different L2/L3 subnet so that a direct path between router A and router B won't be available.
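As an added illustration of the two approaches in the reply above (not configuration from the poster or from mkx), here is what the diagnostic "notrack" test and the permanent route fix look like in RouterOS CLI syntax. The subnets are the ones given in the thread (192.168.233.0/24 and 10.10.20.0/30 behind router A, 10.250.0.0/16 behind router B); the address-list names and the gateway addresses 10.0.0.2 and 10.0.0.3 are assumed placeholders for this example and must be replaced with the real next-hop addresses of routers A and B on the shared segment.

```routeros
# --- Main router (CCR1009): diagnostic bypass of connection tracking ---
# Address lists for the two sides of the suspected routing triangle.
# Subnets are taken from the thread; list names are assumed for this example.
/ip firewall address-list
add list=site-a address=192.168.233.0/24 comment="network b behind router A"
add list=site-a address=10.10.20.0/30 comment="network a behind router A"
add list=site-b address=10.250.0.0/16 comment="networks behind router B"

# RAW runs before connection tracking. Marking both directions as untracked means an
# asymmetric return path can no longer leave the tracker with half-seen connections.
/ip firewall raw
add chain=prerouting src-address-list=site-a dst-address-list=site-b action=notrack \
    comment="site-a -> site-b: bypass conntrack (diagnostic)"
add chain=prerouting src-address-list=site-b dst-address-list=site-a action=notrack \
    comment="site-b -> site-a: bypass conntrack (diagnostic)"

# Untracked packets must be accepted before any rule that drops connection-state=invalid
# or only allows established/related traffic; place-before=0 puts the rule at the top.
/ip firewall filter
add chain=forward connection-state=untracked action=accept place-before=0 \
    comment="allow untracked inter-site traffic (diagnostic)"

# --- Permanent fix: routers A and B route to each other directly ---
# Gateway addresses below are assumed values for this example.
# On router A:
/ip route
add dst-address=10.250.0.0/16 gateway=10.0.0.3 comment="networks behind router B (gateway assumed)"

# On router B:
/ip route
add dst-address=192.168.233.0/24 gateway=10.0.0.2 comment="network b behind router A (gateway assumed)"
add dst-address=10.10.20.0/30 gateway=10.0.0.2 comment="network a behind router A (gateway assumed)"
```

The RAW rules are only a test: while they are in place the inter-site traffic is no longer subject to stateful filtering on the main router, so remove them once the routes on routers A and B are confirmed to work. If the return path is indeed bypassing the CCR1009, the "connection-state:invalid" entries in the RAW log should stop appearing as soon as the notrack rules are active.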

Hi mkx, thanks for replying. Here's some more information from the RAW rule log:

error_10.250.222.0 prerouting: in:sfp-sfpplus1 out:(unknown 0), connection-state:invalid src-mac 04:f4:1c:4c:ed:95, proto ICMP (type 8, code 0), 192.168.233.19->10.250.222.161, len 84

I also have another network on the 233.19 network, and it works fine. This only happens between 192.168.233.0/24 and 10.250.0.0/16