[SOLVED] Default route to Internet

Hello,

I have a router (RB2011UiAS-RM) that has static IP and DNS addresses and is able to connect to the Internet without any issues (ping tests).

I tried to use the default network (192.168.88.0) with a laptop to communicate with the other network and I wasn’t able to. I tried configurations of scope and target scope unsuccessfully.

I attach the network flow.

Any suggestions?

edit [solved] post #10

Do you have srcnat active for the WAN interface?

Hi,

Can you post your NAT rules?

You can do this using the terminal with the command:

ip firewall nat print

If you’re not sure how to use the terminal, then take a screenshot of the NAT config page: IP > Firewall > NAT.

Make sure you obscure any public IP info!

You need a masquerade rule, and it is advisable to have the DHCP server provide all necessary IP settings to the LAN-connected devices.

/ip firewall nat add src-address=192.168.88.0/24 action=masquerade out-interface=ether3 chain=srcnat

Meaning: packets coming into the router with a source address in 192.168.88.0/24 will be source-NATed with the masquerade technique (meaning they will use the address of the outgoing interface), ether3.

Thanks for the reply!

I currently have this config:

[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                      
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    bridge-local                                                                                                                   
 1   200.200.200.88/24  200.200.200.0   ether3                                                                                                                         
[admin@MikroTik] > /interface print where running 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE         MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 2  RS ether3                              ether       1500  1598       4074 4C:5E:0C:43:91:95
 4  RS ether5                              ether       1500  1598       4074 4C:5E:0C:43:91:97
11  R  bridge-local                        bridge      1500  1598            4C:5E:0C:43:91:94
[admin@MikroTik] > /ip dns static print 
Flags: D - dynamic, X - disabled, R - regexp 
 #     NAME                                                     ADDRESS                                                                                    TTL         
 0     router                                                   192.168.88.1                                                                               1d          
[admin@MikroTik] > /ip dns print 
                servers: 200.200.200.250
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 38KiB
[admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway 

 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway 

 2   chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=ether3

And from the router I’m able to do this:

[admin@MikroTik] > ping www.lufthansa.com
HOST                                     SIZE TTL TIME  STATUS                                                                                                         
172.229.169.118                            56  53 99ms 
172.229.169.118                            56  53 99ms 
172.229.169.118                            56  53 98ms

But from my laptop I got this:

# ping www.lufthansa.com
PING e2929.g.akamaiedge.net (172.229.169.118) 56(84) bytes of data.
From router (192.168.88.1): icmp_seq=2 Redirect Host(New nexthop: 200.200.200.250)
From router (192.168.88.1): icmp_seq=4 Redirect Host(New nexthop: 200.200.200.250)
From router (192.168.88.1): icmp_seq=6 Redirect Host(New nexthop: 200.200.200.250)



# nslookup www.lufthansa.com
Server:		192.168.88.1
Address:	192.168.88.1#53

Non-authoritative answer:
www.lufthansa.com	canonical name = lufthansa.com.edgekey.net.
lufthansa.com.edgekey.net	canonical name = lufthansa.com.edgekey.net.globalredir.akadns.net.
lufthansa.com.edgekey.net.globalredir.akadns.net	canonical name = e2929.g.akamaiedge.net.
Name:	e2929.g.akamaiedge.net
Address: 172.229.169.118

The browser on the laptop doesn’t navigate, so currently it’s more related to a laptop misconfiguration than the router, right?

This looks like your routing is set up wrong. Can you please post the output from the following command?

ip route print

Also, you have too many masquerade rules, you should only have the

chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=ether3

one, the others need to be removed.

My ip route print is:

[admin@MikroTik] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          200.200.200.250           1
 1 ADC  192.168.88.0/24    192.168.88.1    bridge-local              0
 2 ADC  200.200.200.0/24   200.200.200.88  bridge-local              0

About /ip firewall nat: when I deleted 0 and 1, I didn’t even get the Redirect Host message when I pinged.

I think part of the issue is that your public interface and private interface are on the same bridge.

Remove ether3 from bridge-local.
Then remove the public IP from bridge-local and add it to just ether3.

OK, now I have this:

[admin@MikroTik] /ip firewall nat> /ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.88.0/24    192.168.88.1    ether5                    0
 1 ADC  200.200.200.0/24   200.200.200.88  ether3                    0

[admin@MikroTik] /ip firewall nat> /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway 

 1 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway 

 2   chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=ether3

Note: 0 and 1 are disabled in NAT.

With this config I’m still unable to see 200.200.200.0/24 from 192.168.88.0/24.

Any suggestions?

Update:

With the above configuration, and even with rules 0 and 1 enabled, I am able to ping 200.200.200.0/24 from 192.168.88.0/24, so it seems that the problem was that both interfaces were on the same bridge.

Despite the above, I am not able to ping 8.8.8.8, so currently I can only connect to the router’s gateway and not beyond.

Solved: routing rule was needed.

So, my config is:

[admin@MikroTik] /ip route> print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          200.200.200.250           1
 1 ADC  192.168.88.0/24    192.168.88.1    ether5                    0
 2 ADC  200.200.200.0/24   200.200.200.88  ether3                    0



[admin@MikroTik] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway 

 1 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway 

 2   chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=ether3

Not sure if disabling 0 and 1 is needed.

[admin@MikroTik] /ip route> /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                      
 0 X ;;; default configuration
     192.168.88.1/24    192.168.88.0    bridge-local                                                                                                                   
 1   200.200.200.88/24  200.200.200.0   ether3                                                                                                                         
 2   192.168.88.1/24    192.168.88.0    ether5

Thanks for your help!
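
The three routing tables posted in this thread can be told apart mechanically. The script below is an added example, not part of any post: it parses /ip route print rows (sample tables constructed from the posted output; the names parse_routes and diagnose are illustrative) and flags the two faults the thread worked through, LAN and WAN subnets attached to one interface and a missing default route.

```python
# Constructed from the three "/ip route print" tables posted in the thread.
BEFORE = """\
 0 A S  0.0.0.0/0                          200.200.200.250           1
 1 ADC  192.168.88.0/24    192.168.88.1    bridge-local              0
 2 ADC  200.200.200.0/24   200.200.200.88  bridge-local              0
"""
UNBRIDGED = """\
 0 ADC  192.168.88.0/24    192.168.88.1    ether5                    0
 1 ADC  200.200.200.0/24   200.200.200.88  ether3                    0
"""
FIXED = """\
 0 A S  0.0.0.0/0                          200.200.200.250           1
 1 ADC  192.168.88.0/24    192.168.88.1    ether5                    0
 2 ADC  200.200.200.0/24   200.200.200.88  ether3                    0
"""


def parse_routes(text):
    """Return active routes as dicts; header and flag-legend lines are skipped."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        i = next((k for k, t in enumerate(tok) if "/" in t), None)
        if not tok or not tok[0].isdigit() or i is None:
            continue
        flags, rest = "".join(tok[1:i]), tok[i + 1:]  # rest: [pref-src] gateway distance
        if "A" in flags and "X" not in flags and len(rest) >= 2:
            routes.append({"flags": flags, "dst": tok[i], "gateway": rest[-2]})
    return routes


def diagnose(text):
    """Flag the two faults seen in the thread: shared bridge, missing default route."""
    routes, findings, by_iface = parse_routes(text), [], {}
    for r in routes:
        if "C" in r["flags"]:  # connected route: the gateway column holds the interface
            by_iface.setdefault(r["gateway"], []).append(r["dst"])
    for iface, nets in by_iface.items():
        if len(nets) > 1:  # LAN and WAN subnets share one layer-2 interface
            findings.append(f"shared-interface:{iface}:{','.join(nets)}")
    if not any(r["dst"] == "0.0.0.0/0" for r in routes):
        findings.append("no-default-route")
    return findings


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("unbridged", UNBRIDGED), ("fixed", FIXED)):
        print(name, diagnose(table) or "ok")
```
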