[Solved] Route between different subnets managed by RouterOS

RouterOS Beginner Basics
1

After familiarising myself with RouterOS, I’ve been happily using it for last few years with no particular issues and impressive uptime.

Recently I have got another box and decided to split home network into different subnets:

  • Subnet A: 192.168.2.1/24
  • Subnet B: 192.168.3.1/24
  • Subnet C: 192.168.4.1/24

Here I am, with two RB951s running the latest stable RouterOS: one is connected to upstream that has WAN access, while another is supposed to route traffic between Groups B and C.

For the sake of this post, let’s call 1st RB “Alpha” and 2nd one “Beta”. I have added respective static routes to both and setup src-nat.
However, I can’t ping anything past Alpha from Beta’s side.

On Beta:

/ip route add comment="Route all to uplink" distance=1 gateway=e5_uplink
/ip address add address=192.168.4.1/24 comment="New subnet for physical terminals" interface=terminals network=192.168.4.0
/ip address add address=192.168.2.10/24 interface=e5_uplink network=192.168.2.0
/ip firewall nat add action=masquerade chain=srcnat comment="SrcNat to Uplink" out-interface=e5_uplink

I have checked Firewall rules, there seems to be nothing that would prevent packets from passing through (at least nothing that affects counters numbers).

I have no issues with Alpha whatsoever: router functionality, wireless AP, DHCP server - all work fine.
Clients connected to Alpha either via Wireless interface or via Ethernet cable all work they should.
Problem is that I can’t make Beta to NAT / interoperate with Alpha.

2

Please, be more clear about your network layout: where is subnet B: 192.168.3.1/24 connected? Alpha or Beta?
And post config exports for both devices.

3

Concise explanation:

Config export from Beta (has leftovers from Alpha… which is where it was initially copied from)

# aug/24/2019 by RouterOS 6.44.5
# model = 951G-2HnD
/interface ethernet set [ find default-name=ether1 ] comment="p1" name=e1_p
/interface ethernet set [ find default-name=ether2 ] comment=p2 name=e2_p
/interface ethernet set [ find default-name=ether3 ] comment=p3 name=e3_p
/interface ethernet set [ find default-name=ether4 ] comment="Reserved port" name=e4_p
/interface ethernet set [ find default-name=ether5 ] comment="Link to another RB951" loop-protect=on name=e5_uplink
/interface bridge add name=terminals protocol-mode=none
/interface list add name=WAN
/interface list add name=LAN
/ip pool add name=dhcp ranges=255.255.255.0
/system logging action add name=null remote=127.0.0.1 target=remote
/interface bridge filter add action=drop chain=forward comment="Drop ipv6 packets" mac-protocol=ipv6
/interface bridge port add bridge=terminals comment=p2 interface=e2_p
/interface bridge port add bridge=terminals comment=p3 interface=e3_p
/interface bridge port add bridge=terminals comment="Reserved port" interface=e4_p
/interface bridge port add bridge=terminals comment="p1" interface=e1_p
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings set discover-interface-list=none
/ip settings set rp-filter=strict secure-redirects=no send-redirects=no
/interface ethernet switch host add drop=yes mac-address=00:15:5D:BB:50:13 ports=e2_p share-vlan-learned=no switch=switch1 vlan-id=1
/interface list member add interface=e5_uplink list=WAN
/interface list member add interface=terminals list=LAN
/ip address add address=192.168.4.1/24 comment="New subnet for physical terminals" interface=terminals network=192.168.4.0
/ip address add address=192.168.2.10/24 interface=e5_uplink network=192.168.2.0
/ip cloud set update-time=no
/ip dhcp-client add dhcp-options=hostname,clientid interface=e1_p
/ip dns set allow-remote-requests=yes cache-size=65535KiB servers=192.168.2.2
/ip dns static add address=127.0.0.1 name=moon.mt.lv
/ip dns static add address=127.0.0.1 name=mimas.mt.lv
/ip dns static add address=127.0.0.1 name=mikrotik.com
/ip firewall address-list add address=0.0.0.0/8 list=LANs
/ip firewall address-list add address=10.0.0.0/8 list=LANs
/ip firewall address-list add address=100.64.0.0/10 list=LANs
/ip firewall address-list add address=127.0.0.0/8 list=LANs
/ip firewall address-list add address=169.254.0.0/16 list=LANs
/ip firewall address-list add address=172.16.0.0/12 list=LANs
/ip firewall address-list add address=192.0.0.0/24 list=LANs
/ip firewall address-list add address=192.0.2.0/24 list=LANs
/ip firewall address-list add address=192.168.0.0/16 list=LANs
/ip firewall address-list add address=192.88.99.0/24 list=LANs
/ip firewall address-list add address=198.18.0.0/15 list=LANs
/ip firewall address-list add address=198.51.100.0/24 list=LANs
/ip firewall address-list add address=203.0.113.0/24 list=LANs
/ip firewall address-list add address=224.0.0.0/4 list=LANs
/ip firewall address-list add address=240.0.0.0/4 list=LANs
/ip firewall address-list add address=192.168.4.0/24 list=Terminals
/ip firewall address-list add address=192.168.3.0/24 list=WLAN
/ip firewall address-list add address=192.168.5.0/24 list=VMs
/ip firewall filter add action=drop chain=input comment="Drop non-established outside of LAN" connection-state=!established disabled=yes in-interface-list=!LAN
/ip firewall filter add action=accept chain=input comment="established or related" connection-state=established,related disabled=yes
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related disabled=yes
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid disabled=yes log-prefix=invalid
/ip firewall filter add action=drop chain=forward comment="Packets which don't have unicast source IP address" disabled=yes src-address-type=!unicast
/ip firewall filter add action=drop chain=forward comment="Drop incoming packets that are not NATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=e5_uplink log-prefix=!NAT
/ip firewall filter add action=drop chain=forward comment="Drop packets from WAN which don't have public IP" disabled=yes in-interface=e5_uplink log-prefix=!PUBLIC src-address=!192.168.1.1 src-address-list=LANs
/ip firewall filter add action=drop chain=forward comment="Drop packets from LAN which don't have LAN IP" disabled=yes in-interface=terminals src-address=!192.168.2.0/24
/ip firewall filter add action=reject chain=forward comment="Reject forwarding LAN networks to WAN" disabled=yes dst-address=!192.168.1.1 dst-address-list=LANs log-prefix=LAN-to-WAN out-interface=e1_p reject-with=icmp-net-prohibited
/ip firewall filter add action=drop chain=forward comment="Drop all multicast" disabled=yes dst-address-type=multicast
/ip firewall filter add action=drop chain=forward comment="Drop broadcast" disabled=yes dst-address-type=broadcast src-address-type="" tcp-flags=""
/ip firewall filter add action=drop chain=forward comment="Drop LLMNR" disabled=yes port=5355 protocol=udp
/ip firewall filter add action=drop chain=forward comment="Drop mDNS" disabled=yes port=5353 protocol=udp
/ip firewall filter add action=drop chain=forward comment="Drop NETBIOS" disabled=yes port=137 protocol=udp
/ip firewall filter add action=accept chain=forward comment="Established, Related" connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=forward comment="Allow new connections from LAN to WAN" connection-state=new disabled=yes out-interface=e5_uplink src-address-list=Terminals
/ip firewall filter add action=accept chain=forward comment="Allow DNS from WLAN" connection-mark=dns connection-state=new disabled=yes dst-address=192.168.2.2 in-interface=terminals
/ip firewall filter add action=drop chain=forward comment="Drop rest of Forwards" disabled=yes log-prefix=FWD:
/ip firewall filter add action=drop chain=output comment="Drop invalid outgoing" connection-state=invalid disabled=yes
/ip firewall filter add action=accept chain=output comment="Established or related outgoing" connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=output comment="Allow outgoing HTTPs and DNS" disabled=yes dst-port=80,443,53 protocol=tcp
/ip firewall filter add action=accept chain=output comment="Allow DNS and NTP" disabled=yes dst-port=123,53 protocol=udp
/ip firewall filter add action=accept chain=output comment="Allow ICMP" disabled=yes dst-address-list=LANs protocol=icmp src-address-list=""
/ip firewall filter add action=drop chain=output comment="Drop rest of outgoing" disabled=yes log=yes log-prefix=RB951_OUT
/ip firewall mangle add action=mark-connection chain=forward comment="Mark DNS connections for further usage in Firewall" dst-address=192.168.2.2 new-connection-mark=dns passthrough=yes port=53 protocol=udp src-address=192.168.2.0/24
/ip firewall mangle add action=mark-connection chain=forward dst-address=192.168.2.2 new-connection-mark=dns passthrough=yes port=53 protocol=tcp src-address=192.168.2.0/24
/ip firewall mangle add action=set-priority chain=postrouting comment="Set priority for WMM" disabled=yes new-priority=from-dscp-high-3-bits passthrough=yes
/ip firewall nat add action=masquerade chain=srcnat comment="SrcNat to WAN" out-interface=e5_uplink
/ip firewall nat add action=dst-nat chain=dstnat comment="Force DNS to xxx" dst-port=53 protocol=udp src-address=!192.168.2.2 src-address-list=Localnet to-addresses=192.168.2.2 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=!192.168.2.2 src-address-list=Localnet to-addresses=192.168.2.2 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=192.168.2.8 to-addresses=192.168.2.1 to-ports=53
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc ports=7000
/ip firewall service-port set h323 disabled=yes ports=7000
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip route add comment="Route all to uplink" distance=1 gateway=e5_uplink
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh address=192.168.4.8/32
/ip service set api disabled=yes
/ip service set winbox address=192.168.4.8/32
/ip service set api-ssl disabled=yes
/ip smb set allow-guests=no interfaces=e1_p
/ip smb shares set [ find default=yes ] disabled=yes
/ip ssh set forwarding-enabled=remote strong-crypto=yes
/system logging set 0 disabled=yes
/system logging add topics=firewall
/system ntp client set enabled=yes primary-ntp=192.168.1.1
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

Config export from Alpha:

# oct/27/2019 by RouterOS 6.44.5
# model = 951G-2HnD
/interface ethernet set [ find default-name=ether1 ] name=e1_wan
/interface ethernet set [ find default-name=ether2 ] name=e2_switch
/interface ethernet set [ find default-name=ether3 ] name=e3_apu
/interface ethernet set [ find default-name=ether4 ] name=e4_vpn
/interface ethernet set [ find default-name=ether5 ] name=e5_printer
/interface bridge add name=bridge1 protocol-mode=none
/interface wireless set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-onlyn country=mycountry default-authentication=no default-forwarding=no disabled=no disconnect-timeout=5s distance=indoors frame-lifetime=100 frequency=auto hw-protection-mode=rts-cts hw-protection-threshold=512 installation=indoor keepalive-frames=disabled mode=ap-bridge multicast-helper=disabled name=wlan_main radio-name=SSID ssid=SSID tx-power=15 tx-power-mode=all-rates-fixed wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface wireless nstreme set wlan_main enable-polling=no
/interface list add name=WAN
/interface list add name=LAN
/interface list add name=WLAN
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys supplicant-identity=Canberra
/ip pool add name=dhcp ranges=255.255.255.0
/ip dhcp-server add add-arp=yes address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/system logging action add name=null remote=127.0.0.1 target=remote
/interface bridge filter add action=drop chain=forward comment="Drop ipv6 packets" mac-protocol=ipv6
/interface bridge port add bridge=bridge1 interface=e2_switch
/interface bridge port add bridge=bridge1 interface=e3_apu
/interface bridge port add bridge=bridge1 interface=e4_vpn
/interface bridge port add bridge=bridge1 interface=e5_printer
/interface bridge port add bridge=bridge1 interface=wlan_main
/interface bridge settings set use-ip-firewall=yes
/ip neighbor discovery-settings set discover-interface-list=none
/ip settings set rp-filter=strict secure-redirects=no send-redirects=no
/interface list member add interface=e1_wan list=WAN
/interface list member add interface=bridge1 list=LAN
/interface list member add interface=wlan_main list=WLAN
/ip address add address=192.168.1.2/24 interface=e1_wan network=192.168.1.0
/ip address add address=192.168.2.1/24 interface=e2_switch network=192.168.2.0
/ip address add address=192.168.4.2/24 interface=e2_switch network=192.168.4.0
/ip cloud set update-time=no
/ip dhcp-client add dhcp-options=hostname,clientid interface=e1_wan
# Leases here...
/ip dhcp-server network add address=192.168.2.0/24 dns-server=192.168.2.2 gateway=192.168.2.1 netmask=24 ntp-server=192.168.2.1
/ip dns set allow-remote-requests=yes cache-size=65535KiB servers=192.168.2.2
/ip dns static add address=127.0.0.1 name=moon.mt.lv
/ip dns static add address=127.0.0.1 name=mimas.mt.lv
/ip dns static add address=127.0.0.1 name=mikrotik.com
/ip firewall address-list add address=0.0.0.0/8 list=LANs
/ip firewall address-list add address=10.0.0.0/8 list=LANs
/ip firewall address-list add address=100.64.0.0/10 list=LANs
/ip firewall address-list add address=127.0.0.0/8 list=LANs
/ip firewall address-list add address=169.254.0.0/16 list=LANs
/ip firewall address-list add address=172.16.0.0/12 list=LANs
/ip firewall address-list add address=192.0.0.0/24 list=LANs
/ip firewall address-list add address=192.0.2.0/24 list=LANs
/ip firewall address-list add address=192.168.0.0/16 list=LANs
/ip firewall address-list add address=192.88.99.0/24 list=LANs
/ip firewall address-list add address=198.18.0.0/15 list=LANs
/ip firewall address-list add address=198.51.100.0/24 list=LANs
/ip firewall address-list add address=203.0.113.0/24 list=LANs
/ip firewall address-list add address=224.0.0.0/4 list=LANs
/ip firewall address-list add address=240.0.0.0/4 list=LANs
/ip firewall address-list add address=192.168.2.0/24 list=Localnet
/ip firewall address-list add address=192.168.2.4 list=Printing
/ip firewall address-list add address=192.168.2.7 list=Printing
/ip firewall address-list add address=192.168.2.8 list=Printing
/ip firewall address-list add address=192.168.2.107 disabled=yes list=Printing
/ip firewall filter add action=drop chain=input comment="Drop everything not from LAN" connection-state=!established in-interface-list=!LAN log-prefix=LTE-to-LAN
/ip firewall filter add action=accept chain=input comment="established or related" connection-state=established,related
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="Drop all multicast" dst-address-type=multicast log-prefix=MULTICAST
/ip firewall filter add action=drop chain=forward comment="Packets which don't have unicast source IP address" log=yes log-prefix=NONUNICAST src-address-type=!unicast
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=INVALID
/ip firewall filter add action=drop chain=forward comment="Drop broadcast" dst-address-type=broadcast src-address-type="" tcp-flags=""
/ip firewall filter add action=drop chain=forward comment="Reject forwarding LAN networks to WAN" dst-address=!192.168.1.1 dst-address-list=LANs log-prefix=LAN-to-WAN out-interface=e1_wan
/ip firewall filter add action=drop chain=forward comment="Drop packets from WAN which don't have public IP" in-interface=e1_wan log-prefix=!PUBLIC src-address=!192.168.1.1 src-address-list=LANs
/ip firewall filter add action=drop chain=forward comment="Drop packets from LAN which don't have LAN IP" in-interface=bridge1 src-address=!192.168.0.0/16
/ip firewall filter add action=drop chain=forward comment="Drop mDNS" port=5353 protocol=udp
/ip firewall filter add action=drop chain=forward comment="Drop LLMNR" port=5355 protocol=udp
/ip firewall filter add action=drop chain=forward comment="Drop NETBIOS" port=137 protocol=udp
/ip firewall filter add action=drop chain=forward comment="Drop incoming packets that are not NATed" connection-nat-state=!dstnat connection-state=new in-interface=e1_wan log-prefix=!NAT
/ip firewall filter add action=drop chain=forward comment="New connections from Printer to WAN" dst-address=!192.168.0.0/16 log=yes log-prefix="!!_PRINTER_!! " src-address=192.168.2.6
/ip firewall filter add action=drop chain=forward comment="Any connections to printer not from \"printing\" clients" connection-state="" dst-address=192.168.2.6 src-address-list=!Printing
/ip firewall filter add action=accept chain=forward comment="Established, Related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="Allow new connections from LAN to WAN" connection-state=new out-interface=e1_wan src-address=192.168.0.0/16
/ip firewall filter add action=accept chain=forward comment="Allow DNS from WLAN" connection-mark=dns connection-state=new dst-address=192.168.2.2 in-interface=bridge1
/ip firewall filter add action=accept chain=forward comment="Allow connection from iPad only to Calibre server" disabled=yes dst-address=192.168.2.8 dst-port=8080 protocol=tcp src-address=192.168.2.101
/ip firewall filter add action=accept chain=forward comment="Allow from 8770 to iPad" disabled=yes dst-address=192.168.2.100 dst-port=8080,80,443 protocol=tcp src-address=192.168.2.8
/ip firewall filter add action=drop chain=forward comment="Drop rest of Forwards" log-prefix=FWD:
/ip firewall filter add action=drop chain=output comment="Drop invalid outgoing" connection-state=invalid
/ip firewall filter add action=accept chain=output comment="Established or related outgoing" connection-state=established,related
/ip firewall filter add action=accept chain=output comment="Allow DNS and NTP" dst-port=123,53 protocol=udp
/ip firewall filter add action=accept chain=output comment="Allow outgoing HTTPs and DNS" dst-port=80,443,53 protocol=tcp
/ip firewall filter add action=drop chain=output comment="Drop rest of outgoing" log=yes log-prefix=RB951_OUT protocol=!icmp
/ip firewall mangle add action=mark-connection chain=forward comment="Mark DNS connections for further usage in Firewall" dst-address=192.168.2.2 new-connection-mark=dns passthrough=yes port=53 protocol=udp src-address=192.168.0.0/16
/ip firewall mangle add action=mark-connection chain=forward dst-address=192.168.2.2 new-connection-mark=dns passthrough=yes port=53 protocol=tcp src-address=192.168.0.0/16
/ip firewall mangle add action=set-priority chain=postrouting comment="Set priority for WMM" disabled=yes new-priority=from-dscp-high-3-bits passthrough=yes
/ip firewall nat add action=masquerade chain=srcnat comment="SrcNat to WAN" out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment="Force DNS to XXX" dst-port=53 protocol=udp src-address=!192.168.2.2 src-address-list=Localnet to-addresses=192.168.2.2 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=!192.168.2.2 src-address-list=Localnet to-addresses=192.168.2.2 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward YYY to Mikrotik proxy" disabled=yes dst-port=80,443 protocol=tcp src-address=192.168.2.8 to-addresses=192.168.2.1 to-ports=8080
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=192.168.2.8 to-addresses=192.168.2.1 to-ports=53
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc ports=7000
/ip firewall service-port set h323 disabled=yes ports=7000
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip proxy set anonymous=yes enabled=yes max-cache-object-size=10000KiB max-cache-size=50000KiB max-fresh-time=1d
/ip proxy access add dst-host=mp.microsoft.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=*.mp.microsoft.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=wustat.windows.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=ntservicepack.microsoft.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=*.windowsupdate.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=windowsupdate.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=*.download.microsoft.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=download.microsoft.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=*.download.windowsupdate.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=download.windowsupdate.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=*.update.microsoft.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add dst-host=update.microsoft.com dst-port=80,443 src-address=192.168.2.0/24
/ip proxy access add action=deny dst-host=*
/ip route add distance=1 gateway=192.168.1.1
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh address=192.168.2.4/32
/ip service set api disabled=yes
/ip service set winbox address=192.168.2.4/32
/ip service set api-ssl disabled=yes
/ip smb set allow-guests=no interfaces=e1_wan
/ip smb shares set [ find default=yes ] disabled=yes
/ip ssh set forwarding-enabled=remote strong-crypto=yes
/system identity set name=Alpha
/system logging set 0 disabled=yes
/system logging add topics=firewall
/system ntp client set enabled=yes primary-ntp=192.168.1.1
/system package update set channel=long-term
/tool bandwidth-server set enabled=no
/tool graphing resource add allow-address=192.168.2.8/32
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

Both are edited only to remove sensitive information.

4

To be honest i haven’t read the whole post… But as i can see from your diagram, i guess you cant reach subnet 4.1 right?

This is normal to happen…!

Two directly connected routers know each other… that is why 1.1 and 2.1 can communicate with each other… so 1.1 knows 2.1, 2.1 knows 4.1 BUT 1.1 does not know where 4.1 is… you need a route for that…!

5

You need to make your nat rule more specific so it does not nat traffic internal to your network.
E.g. add the extra check dst-address=!192.168.0.0/16

6
  1. Why you have this on Alpha?
/ip address add address=192.168.4.2/24 interface=e2_switch network=192.168.4.0
  1. Why you need so complex firewall on Beta?
  2. You definitely don’t need NAT on Beta.
  3. I can’t see where DHCP-server for 192.168.4.0/24 is at all?
7

It seems you need to decide something first, or at least state it clearly: what device will be responsible for filtering between .2.X and .4.X: Alpha or Beta?

8

I can’t reach outside of 192.168.2.1 from 192.168.4.1.

For example, from Beta (192.168.2.4) this works:

ping 192.168.2.1

…and this fails on timeout:

ping 62.105.39.3

When you are saying “it needs a route for that”, could you please elaborate as to where?
4.1 knows how to reach 2.1, 2.1 has the path to 1.1 and, consequently, to the outer world… Surely I am missing something here.



Tried it, made no difference.



  1. Great question… Added during furious “i’ll make this damn thingy work!” rage.
  2. Leftovers from Alpha (where this firewall config serves its purpose).
  3. Err… Ok. What about suggestion from Zacharias above?
  4. DHCP is irrelevant, all LAN-connected devices have static IPs set. Please feel free to correct me if it is in fact relevant here.
9

For example, from Beta (192.168.2.4) this works:
ping 192.168.2.1
…and this fails on timeout:
ping 62.105.39.3

Who is 62.105.39.3 ?
Whom are you trying to ping and from where ???

10

Sorry, let me rephrase. From BETA (192.168.4.1), I can ping ALPHA (192.168.2.1). There is a static route added to the former, so it knows where to toss a packet.
However, I am unable to ping past it. Example above was an entirely random IP from the Internet.

11

There is a static route added to the former, so it knows where to toss a packet.

You dont need a static route for that but anyways…

Ok so you dont have internet on your last router right?
Is there a default gateway route on your last router?
Export the routes of your last router…

12
  1. Delete all leftovers. No way somebody here will want to try to understand wether they are interacting with something or not, if they are not needed at all. I definitely don’t want to.
  2. What is the network interconnecting the two routers: please add to you scheme what address are on that link on both sides (or at least what port are used).
  3. You are talking about static routes, but I don’t see any on Alpha.
13

OK, I have completely reset the router and after configuring it from scratch everything “magically” works. Pretty much the same configuration shrugs

Perhaps irrelevant, but I have noticed that firmware was rather ancient v3.33 while the device was running RouterOS v6.44. Upgraded before resetting the config.

Thanks all :slight_smile: