I’m fairly new to the Mikrotik family, but am loving it thus far. I would very much appreciate any assistance!
Device: RB2011UiAS (latest firmware)
Port 1: WAN to Internet
Port 2: Direct Connect to Desktop - Subnet 192.168.12.0/24
Port 3: Connection to TP-Link Access Point - Subnet 192.168.14.0/24
Port 4: Connection to TP-Link Access Point - Subnet 192.168.14.0/24
Internal Wireless - Subnet 192.168.13.0/24
2 Bridges, one for direct connections to lan segment and another for the 2 Access Points (sub 14.x)
Here’s the problem:
I am unable to route between the subnets (devices not being detected), cannot ping gateways of other subnets, cannot ping devices on other subnets, and cannot ping devices within the same subnet.
DHCP Server is configured for each subnet, all IP addresses and DHCP networks added, IP Pools created, IP routes are displaying with the dynamic routes (tried adding static but still failed).
I have tried messing with src/dst natting, mangle but with no success.
I have removed all filter rules to ensure it was a firewall rule blocking traffic.
I attempted to setup OSPF, but that too failed to cooperate (one thing to note is it never populated the gateway address, always stayed at 0.0.0.0 for all of the OSPF routes)
I have gone through every setting more times than I can count and have spent weeks searching the forums and trying various suggestions found but still having issues.
Attached is my config, please note that I have redacted some private data and cleaned up firewall config to shorten file (removed configs that are not causing issues).
Well, that is a bit unhelpful towards the newbie, isn’t it?
Hint: you should not put the addresses on the ethernet ports, but on the bridge you have put them in.
Whenever an ethernet port, VLAN, etc is member of a bridge, all IP network level configuration for it is done on the bridge level, not on the port level.
I have corrected IP Address conflicts within the IP Address table and ensured the appropriate interfaces are associated with the proper bridge. I tested with multiple static IP Routes to set routing paths but am still unable to route traffic from Subnet 12.x to Subnet 14.x. I disabled all rules in my firewall to ensure that was not the problem, still unable to route traffic with firewall rules disabled. Would someone be able to provide next steps for troubleshooting as I’m at a complete loss?
Attachment: MTConfExport-06262017.txt (5.26 KB)
Still no progress made on the routing issue between the subnets, however I did notice that the ARP table is not seeing the default gateways for each subnet. So 192.168.14.1 and 192.168.12.1, which are assigned to both bridges via the IP Address section, are not showing up within the ARP table. I’m going to try and dig down this rabbit hole, any assistance would be most appreciated!
~Side note, during my research I noticed this exact topic has been discussed many times (not within mikrotik forum, but Internet queries) so you may be able to help not one but many!
I recommend starting with the basics and working up from there.
Firewall NAT rules - you only need one:
out-interface=ether1 action=masquerade
You don’t want to have NAT internally between your various LAN segments. If you want to block communications of various types for various reasons, that’s fine, but don’t think of NAT as the mechanism that blocks/allows this. That’s the filter table’s job.
For now, make your filter rules simple:
INPUT chain:
allow connection-state=established,related
allow protocol=icmp
allow in-interface=!ether1
drop
FORWARD chain:
fasttrack-connection connection-state=established,related
allow connection-state=established,related
drop in-interface=ether1
no mangle rules
This is a very basic firewall that will allow anything outbound and block anything new inbound from the Internet side.
Then every device should be able to ping its own default gw (192.168.x.1 in your schema), as well as the Mikrotik’s IP addresses in other LAN segments, and on the Internet as a whole.
Remember that as a router, Mikrotiks WANT to forward IP between LAN interfaces. You have to tell them NOT to do it. Thus, if you cannot make connections between LAN segments, then the problem is going to lie in the firewalls running on the individual hosts, especially if hosts on all 3 of your LAN segments can reach the Internet.
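The two pieces of advice in this thread (put the addresses on the bridges, not on the member ports; one masquerade rule and a short filter) written out as a RouterOS configuration. This is an added example, not the original poster's export and not a reply from the thread. Interface and bridge names (ether1 to ether4, wlan1, bridge-lan, bridge-ap) are assumptions; the thread only describes the port roles. It assumes the internal wireless is left out of both bridges, as the post lists it separately.

```routeros
# Added example, not from the thread. Names of interfaces and bridges are assumed.

# Bridges: ether2 alone, ether3 and ether4 (the two APs) together.
# Once a port is a bridge member, all IP configuration belongs on the bridge.
/interface bridge
add name=bridge-lan
add name=bridge-ap
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-ap interface=ether3
add bridge=bridge-ap interface=ether4

# Gateway addresses on the bridges (and on the unbridged internal wireless).
# Any address still attached to ether2/ether3/ether4 should be removed.
/ip address
add address=192.168.12.1/24 interface=bridge-lan
add address=192.168.14.1/24 interface=bridge-ap
add address=192.168.13.1/24 interface=wlan1

# NAT: exactly one rule, and only for traffic leaving on the WAN port.
# No NAT between the LAN segments; filtering between them is the filter table's job.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Minimal filter. Order matters: fasttrack must come before the generic
# established/related accept, and fasttracked packets skip mangle and queues,
# so drop the fasttrack rule if you later need per-connection shaping.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept
add chain=input in-interface=!ether1 action=accept
add chain=input action=drop
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 action=drop

# Checks. The connected routes for each /24 should appear as dynamic routes
# on the bridge (or wlan) interface, not on a physical port. The router's
# own addresses are not ARP-table entries; what you expect in /ip arp are
# the LAN hosts that have exchanged traffic with the router.
/ip address print
/interface bridge port print
/ip route print where dynamic
/ip arp print
```

With this in place, a host on 192.168.12.0/24 should ping 192.168.12.1, then 192.168.14.1, then a host on 192.168.14.0/24. If the first two work and the third does not, the blocking is on the destination host's own firewall, as the previous reply notes.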