Routing from Wan to Lan

Kermit999 · November 17, 2016, 6:00pm

Hi,

i want to allow routing from the Wan to the Lan network.

i have a private network 10.0.3.0/24 on the Wan side
and a private network 10.0.0.0/24 on the Lan side
there ist no NAT

The Firewall has just a one accept all rule. (I know this is not best practise, i am solviing one problem at a time)

I can acces internet through the router.
I can acces the wan network from the lan network.

I can not acces the lan network from the lan network. I can not see anthing thats different from the other direction. What the concept behind this ?
I have found some infos on how to make this work, but they always include ip masquerading. I just want simple routing.

Thanks for any information.

Sob · November 17, 2016, 6:55pm

Router is made to route, so if you don’t block anything using firewall, it will route any packet it receives. But router can’t control everything. If you have two connected subnets, devices in both must know where to find the other one. The simplest way is when all have same router as default gateway. But it’s also possible that some need to have different default gateway. In such case you must add static route to other subnet to either each device or to their default gateway.

Paternot · November 17, 2016, 7:05pm

I believe you wanted to say “I can not access the lan network from the WAN network.”

The machines at WAN network will use another router as their default gateway. This router doesn’t know how to reach the LAN - so this will not work. Machines from LAN know how to reach WAN, so everything works.

There are two simple solutions:

Include a static route ate the default gateway, used by the WAN machines, pointing to the LAN, through the LAN’s default gateway. Or,
Include this static route on the DHCP server of the WAN.

Both these options assume you have control over the WAN gateway. If this isn’t true You can still solve this. Just insert a static route, in each WAN machine, pointing to LAN trough its gateway.

Kermit999 · November 18, 2016, 5:56am

My Intenet gateway is a FritzBox 7490 with ip 10.0.3.1/24. I had already added a static route there :
Network Mask Gateway
10.0.0.0 255.255.255.0 10.0.3.2

Here is a traceroute from the wan network ip 10.0.3.163:

Routenverfolgung zu 10.0.0.101 über maximal 30 Hops
1 1 ms 1 ms <1 ms 10.0.3.1 ← Defaul Gateway / Frittzbox
2 2 ms 1 ms 1 ms 10.0.0.101 ← Lan Port of the Mikrotik, works ok
Ablaufverfolgung beendet.

Routenverfolgung zu 10.0.0.21 über maximal 30 Hops ← 10.0.0.21 is a computer on the Lan
1 1 ms <1 ms 1 ms 10.0.3.1 ← default gateway / Fritzbox
2 2 ms 1 ms 1 ms 10.0.3.2 ← Wan-Port of the Microtik. Why Wanport here and lan port above ??
3 * * * Timeout

So it seems to hang in the Microtik
A Ping in the microtik to 10.0.0.21 works.

Kermit999 · November 18, 2016, 3:13pm

This is driving me nuts.
I have nearly the same setup now on a different mikrotik and this one does no routing at all with nat diasbled.

I start with default config, adjust ip, everything works.
I disable Nat, no routing at all.
Why oh why ? Is there any point in the config besides ip/firewall/filter rules needed to make him route a packet, given that the router itself can ping any ip ?
Is there supposed to be any rule in ip/firewall/nat ?

To be clear i understand this right : NAT ist only needed to get several computer in the net with a single public ip. If the router has no public ip, Nat should be disabled.

ErfanDL · November 18, 2016, 3:30pm

Using vpn server

Sent from my C6833 using Tapatalk

Sob · November 18, 2016, 3:53pm

I find it best to start with blank config (/system reset-configuration no-defaults=yes), rather than removing stuff from default config. It makes sure that you don’t leave anything behind by accident. If you try it, just remember that you’ll first have to connect to router using MAC address with WinBox, because it won’t have any IP address initially.

But first make sure that it’s not just another case of “device replies to pings only from same subnet” problem with 10.0.0.21 (e.g. Windows do that by default).

Kermit999 · November 18, 2016, 4:20pm

Ok, i have now startet with a clean empty config, no defaults.

Set the ip addresses and dhcp. No routing happens.

Then I add a NAT roule :
0 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=“”
And routing works. I can ping both subnets from lan side but not from wan side, probably because of nat.
But i do not want/need nat or masquerading.
So how do i get it to route ?

Kermit999 · November 18, 2016, 5:00pm

Ok, so the problen in this case was the missing static route in the default gateway of the wan network.

Now i have nat disabled and can acces the internet and the wan network from the lan network.

But i still can’t acces the lan network from the wan network.

ErfanDL · November 18, 2016, 5:49pm

Withou vpn you can’t do it

Sob · November 18, 2016, 5:54pm

Try simple test. Start Torch on router’s wan interface, or add logging rule to prerouting. Limit it to some unique random port. Then try to connect from device in wan network to :. Two things can happen:

a) You’ll see incoming syn packet.
b) You won’t see anything.

If it’s a), then routing is fine from wan and it must be something on your router or device behind it. You can use the same way to see if packets correctly pass through router and leave to lan. If it’s b), then the problem is in wan, where for some reason packets are not routed correctly to your router.

Paternot · November 18, 2016, 6:39pm

Not quite. NAT is needed when you want to force a subnet to access everything from that point on using a single IP. Usually we use it to save public IP addresses - but this isn’t a requirement.

I, for example, have an OpenVpn server wich does NAT from the clients to the intranet. Legacy issues. All IPs, including VPN ones, are from the 10.x range.

Paternot · November 18, 2016, 7:12pm

Are You sure there is no routing? Run a sniffer at the client. Ping the client. Do You see the ping request arriving? The situation You describe is, usually, solved with a static route. Either given trough DHCP or explicitly declared on the client.

To be clear:

INTERNET <-----> ROUTER1 <-----> NETWORK1 <-----> ROUTER2 <-------> NETWORK2 <-----> CLIENT2

Router1 has internet access. Easy, since it has the public IP
Router2 has internet access. Easy, since Router1 has a public IP, is doing NAT and is the default gateway to Router2. Also, as Router2 WAN interface uses the intranet of Router1, it knows how to reach it.
Fun starts with Client2.

Case 1: Router2 does NAT. This is easy. Everything from Router2 on will answer to its WAN - that sits on Network1. This is the same case as the second line - Router2 using internet.
Case 2: Router2 does NOT do NAT. And this is your problem. Router1 does not know how to reach Network2. So you insert a static route. Now it does know where Network2 is, and how to get there. But this does not change the clients at Network1: they still doesn’t know how to reach Network2. When you ping one of them, from Network2, the client will send the answer to its default gateway: Router1. This is no good.

That is why we need a specific route at the client, stating that Router2 is the gateway to the Network2.

Kermit999 · November 21, 2016, 3:53pm

So i finally got it all working.
Thanks to everyone for your input.

In the end there have been only small mistakes. One problem was that windows firewall blocks ping requests, and windows tends to switch the firewall back on if it feels it needs to.

Basically its all very simple, once the penny drops. Looking back i can’s say what has been so difficult.