Routing issue from Internal network

I’ve set a few of these things up, but this one has got me scratching my head a bit…

Got an ADSL Router living on 192.168.1.254 (non bridged, as I need it for IPTV - but that is another topic), giving out a small DHCP range of 192.168.1.1-10

MikroTik 5.2’s IP Addresses:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; Green Address range
     172.16.1.1/24      172.16.1.0      GREEN
 1   ;;; Billion Router - G/W 192.168.1.254
     192.168.1.11/24    192.168.1.0     RED
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.254      1
 1 ADC  172.16.1.0/24      172.16.1.1      GREEN              0
 2 ADC  192.168.1.0/24     192.168.1.11    RED                0

Now from MikroTik I can Traceroute to my ISP’s DNS servers, but not from the 172.16.1.x network.

I know it is something simple, but it eludes me at the minute!

/ip firewall export

At a wild guess, though, the ADSL router can’t handle IPs that aren’t directly connected, so you have to double NAT - first to 192.168.1.11, and then again on the ADSL router.

#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] /ip firewall>

Yeah, I know I double NAT’d but that requires further investigation from my ISP as to options.

Router quite happily does double NATing; it doesn’t really care - I know this because my previous configuration was a Smoothwall firewall/router that was configured the same way.

Pretty much still stumped on this though, because it should just work.

If that is the entirety of the output of “/ip firewall export” then you’re not doing NAT on the Mikrotik router at all. If the ADSL router can only handle directly connected networks that might be the issue. I have never used SmoothWall and don’t know if it would NAT by default. Try this:

/ip firewall nat add chain=srcnat out-interface=RED action=masquerade

If NAT isn’t required, does the ADSL router have a route to 172.16.1.0/24 via 192.168.1.11? If it does not, it won’t know how to send traffic back. NAT would of course solve that issue in a non-elegant way.
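Added example, not part of this thread: the masquerade rule suggested in the reply above, scoped to the GREEN prefix, plus a minimal stateful filter so the new path only works outbound, and the commands to confirm NAT is actually happening. It assumes the interface names and addresses from the first post (GREEN = 172.16.1.0/24, RED = 192.168.1.11 towards 192.168.1.254) and RouterOS 5.x console syntax.

```routeros
# NAT: rewrite traffic leaving RED so the ADSL router only ever sees 192.168.1.11.
# Restricted to the GREEN prefix so nothing else is masqueraded by accident.
/ip firewall nat
add chain=srcnat src-address=172.16.1.0/24 out-interface=RED action=masquerade \
    comment="GREEN -> ADSL router (double NAT)"

# Minimal stateful filter: replies come back, new connections only go GREEN -> RED.
# Interface names GREEN/RED are the ones from the address list in the first post.
/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input in-interface=RED action=drop comment="no management from the WAN side"
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=GREEN out-interface=RED action=accept
add chain=forward in-interface=RED connection-state=new action=drop

# Verify: the srcnat counters should climb while a 172.16.1.x host traces out,
# and the connection table should list 172.16.1.x sources heading out of RED.
/ip firewall nat print stats
/ip firewall connection print
```

If the ADSL router can take a static route for 172.16.1.0/24 via 192.168.1.11 instead, the nat rule can be removed and the filter rules stay as they are.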

Hey thanks for that! Up and running.

Going to look for firewall rules.

Hopefully, I can get my IPTV Fetch TV going through this as well and run the router back in bridged mode and get MikroTik to do the PPP.