Static route between 2 routers, 2 networks

Hi everyone,

I am trying to set up a static route so that 2 LANs can communicate.
Right now, PC2 and R2 are able to reach PC1 and R1.
But PC1 is unable to reach PC2 and R2.
And R1 is able to reach R2, but cannot reach PC2.
In addition, I have set up QoS for both networks.
Even though I switched it off, nothing changed.

Thank you for the advice.

R1
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=aaa.bbb.ccc.127/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.128/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.129/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.130/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.131/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.132/24 interface=ether1 network=aaa.bbb.ccc.0
add address=172.16.1.1/30 interface=ether6 network=172.16.1.0
/ip firewall mangle
add action=accept chain=prerouting comment="Mark Connection & Routing" dst-address=192.168.10.0/24 in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether6 new-connection-mark=LAN_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=192.168.11.0/24 dst-address-type=!local in-interface=bridge new-connection-mark=LAN_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=LAN_conn dst-address=192.168.11.0/24 in-interface=bridge new-routing-mark=to_LAN passthrough=no
add action=mark-routing chain=output connection-mark=LAN_conn new-routing-mark=to_LAN passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=pppoe1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=pppoe1_conn passthrough=yes src-address-list=IP_topppoe1
add action=mark-routing chain=prerouting connection-mark=pppoe1_conn in-interface=bridge new-routing-mark=to_pppoe1 passthrough=no src-address-list=IP_topppoe1
add action=mark-routing chain=output connection-mark=pppoe1_conn new-routing-mark=to_pppoe1 passthrough=no
add action=mark-packet chain=forward comment="QoS Full Speed" dst-address-list=QoS-Full in-interface=pppoe-out1 new-packet-mark=QoS-FullSpeedDown passthrough=no
add action=mark-packet chain=forward dst-address-list=QoS-Full in-interface=pppoe-out2 new-packet-mark=QoS-FullSpeedDown passthrough=no
add action=mark-packet chain=forward new-packet-mark=QoS-FullSpeedUp out-interface=pppoe-out1 passthrough=no src-address-list=QoS-Full
add action=mark-packet chain=forward new-packet-mark=QoS-FullSpeedUp out-interface=pppoe-out2 passthrough=no src-address-list=QoS-Full
add action=mark-packet chain=forward comment="QoS limit" dst-address-list=QoS-limit in-interface=pppoe-out1 new-packet-mark=QoS-LimitDown75 passthrough=no
add action=mark-packet chain=forward new-packet-mark=QoS-LimitUp30 out-interface=pppoe-out1 passthrough=no src-address-list=QoS-limit
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. pppoe traffic" out-interface=pppoe-out1 src-address-list=IP_topppoe1
add action=masquerade chain=srcnat out-interface=pppoe-out2 src-address-list=IP_topppoe12
add action=masquerade chain=srcnat comment="NAT Loopback 192" dst-address=192.168.10.0/24 out-interface=bridge src-address=192.168.10.0/24
/ip route
add distance=10 gateway=pppoe-out1 routing-mark=to_pppoe1
add distance=1 dst-address=192.168.11.0/24 gateway=172.16.1.2 routing-mark=to_LAN
add distance=5 gateway=aaa.bbb.ccc.254
add distance=10 gateway=pppoe-out1
add distance=1 dst-address=192.168.11.0/24 gateway=172.16.1.2
R2
/ip address
add address=192.168.11.1/24 interface=bridge network=192.168.11.0
add address=172.16.1.2/30 interface=ether6 network=172.16.1.0
add address=aaa.bbb.ccc.16/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.17/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.18/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.52/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.53/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.54/24 interface=ether1 network=aaa.bbb.ccc.0
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1
/ip firewall mangle
add action=accept chain=prerouting comment="Mark Connection & Routing" dst-address=192.168.11.0/24 in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether6 new-connection-mark=LAN_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=192.168.10.0/24 dst-address-type=!local in-interface=bridge new-connection-mark=LAN_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=LAN_conn dst-address=192.168.10.0/24 in-interface=bridge new-routing-mark=to_LAN passthrough=no
add action=mark-routing chain=output connection-mark=LAN_conn new-routing-mark=to_LAN passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=pppoe1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=pppoe1_conn passthrough=yes src-address-list=IP_topppoe1
add action=mark-routing chain=prerouting connection-mark=pppoe1_conn in-interface=bridge new-routing-mark=to_pppoe1 passthrough=no src-address-list=IP_topppoe1
add action=mark-routing chain=output connection-mark=pppoe1_conn new-routing-mark=to_pppoe1 passthrough=no
add action=mark-packet chain=forward comment="QoS Full Speed" dst-address-list=QoS-Full in-interface=pppoe-out1 new-packet-mark=QoS-FullSpeedDown passthrough=no
add action=mark-packet chain=forward new-packet-mark=QoS-FullSpeedUp out-interface=pppoe-out1 passthrough=no src-address-list=QoS-Full
add action=mark-packet chain=forward comment="QoS limit" dst-address-list=QoS-limit in-interface=pppoe-out1 new-packet-mark=QoS-LimitDown75 passthrough=no
add action=mark-packet chain=forward new-packet-mark=QoS-LimitUp30 out-interface=pppoe-out1 passthrough=no src-address-list=QoS-limit
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. pppoe traffic" out-interface=pppoe-out1 src-address-list=IP_topppoe1
add action=masquerade chain=srcnat comment="NAT Loopback 192" dst-address=192.168.11.0/24 out-interface=bridge src-address=192.168.11.0/24
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=172.16.1.1 routing-mark=to_LAN
add distance=10 gateway=pppoe-out1 routing-mark=to_pppoe1
add distance=5 gateway=aaa.bbb.ccc.254
add distance=10 gateway=pppoe-out1
add distance=1 dst-address=192.168.10.0/24 gateway=172.16.1.1
[image attachment: LanToLan.jpg]

Hi

You have two relevant routes on each router: one without a mark and one with a mark. So, whether it's marked or not, routing should work.
Although the whole connection / routing marking for “to_LAN” looks unnecessary to me (in current context) → one route entry WITHOUT mark should have been enough.

You’ll need to check your firewall settings next I think.
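To make the point of the reply above concrete (a marked route is redundant when the main table already carries the same prefix), here is an added example that is not part of the thread and not MikroTik code. It models RouterOS route selection: look up the table named by the packet's routing mark, fall back to the main table when that table has no matching route (the v6 behaviour, assumed here), take the longest prefix, and break ties on the lower distance. The route lines are copied from R1's export; the table name "main" and the function names are the example's own.

```python
"""Model of how RouterOS chooses a gateway when routing marks are in play.
Added example for this thread, not MikroTik code. Assumes the v6 behaviour:
the table named by the packet's routing mark is searched first and, if it has
no matching route, the lookup falls back to the main table. Longest prefix
wins; equal prefixes are decided by the lower distance."""
import ipaddress
import shlex

# Constructed from R1's /ip route export in the thread (wrapped lines joined).
# Connected routes (192.168.10.0/24 on bridge, 172.16.1.0/30 on ether6) are
# dynamic and therefore absent from an export; the model only covers what the
# export shows, so LAN-local destinations would fall through to the default.
R1_ROUTES = """
add distance=10 gateway=pppoe-out1 routing-mark=to_pppoe1
add distance=1 dst-address=192.168.11.0/24 gateway=172.16.1.2 routing-mark=to_LAN
add distance=5 gateway=aaa.bbb.ccc.254
add distance=10 gateway=pppoe-out1
add distance=1 dst-address=192.168.11.0/24 gateway=172.16.1.2
"""


def parse_routes(text):
    """Turn 'add key=value ...' lines into route dicts. A missing dst-address
    means 0.0.0.0/0; a missing routing-mark means the main table."""
    routes = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        kv = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
        routes.append({
            "dst": ipaddress.ip_network(kv.get("dst-address", "0.0.0.0/0")),
            "gateway": kv["gateway"],  # kept as text: interface name or address
            "distance": int(kv.get("distance", "1")),
            "table": kv.get("routing-mark", "main"),
        })
    return routes


def lookup(routes, table, dst):
    """Best route for dst inside one table, or None if nothing there matches."""
    candidates = [r for r in routes if r["table"] == table and dst in r["dst"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["dst"].prefixlen, -r["distance"]))
    return best["gateway"]


def select_gateway(routes, dst, routing_mark=None):
    """Gateway a packet to dst would use: marked table first, then main."""
    dst = ipaddress.ip_address(dst)
    if routing_mark is not None:
        gw = lookup(routes, routing_mark, dst)
        if gw is not None:
            return gw
    return lookup(routes, "main", dst)


def without_table(routes, table):
    """The route list with every entry of one table removed, e.g. the
    to_LAN route the poster later disabled."""
    return [r for r in routes if r["table"] != table]


if __name__ == "__main__":
    routes = parse_routes(R1_ROUTES)
    print("PC1 -> PC2, marked to_LAN:  ", select_gateway(routes, "192.168.11.20", "to_LAN"))
    print("same, to_LAN route removed: ", select_gateway(without_table(routes, "to_LAN"), "192.168.11.20", "to_LAN"))
    print("internet, no mark:          ", select_gateway(routes, "8.8.8.8"))
    print("internet, marked to_pppoe1: ", select_gateway(routes, "8.8.8.8", "to_pppoe1"))
```

Running it shows the marked and unmarked lookups for 192.168.11.20 both land on 172.16.1.2, and that removing the to_LAN route changes nothing because the main table carries the same /24. The same script applied to R2's export gives 172.16.1.1 for the reverse direction, so the forwarding tables alone do not explain the one-way failure the poster sees.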

Thanks for your reply.
I have disabled "to_LAN" in the route list, but if I disable the whole connection / routing marking in mangle, PC2 is unable to reach R1 and PC1.

Here is /ip firewall filter; it is the same on both routers.
/ip firewall filter
add action=drop chain=input dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login5
add action=add-src-to-address-list address-list=ros_login5 address-list-timeout=none-static chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login4
add action=add-src-to-address-list address-list=ros_login4 address-list-timeout=3m chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login3
add action=add-src-to-address-list address-list=ros_login3 address-list-timeout=3m chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login2
add action=add-src-to-address-list address-list=ros_login2 address-list-timeout=3m chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login1
add action=add-src-to-address-list address-list=ros_login1 address-list-timeout=3m chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=!LanIP
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=21,22,23,25,80,110,443 protocol=tcp
add action=accept chain=forward dst-port=80,443 in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-port=80,443 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input in-interface=pppoe-out1
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid

My reply might not be very constructive, but nevertheless: your routing is overly complicated and your firewall rule set is not safe at all.

My suggestion: reset the router to default (if it's a SOHO unit; otherwise apply the default firewall filter rule set of SOHO routers) and add a simple static route for the other LAN. Adjust the firewall filter rules as needed to get connectivity between both LANs (by default that will be blocked, as the ether6 port won't be a member of either the LAN or the WAN interface list).

After you get that working, add whatever you really need (e.g. QoS). Don't over-complicate the setup unless you really need something set up.

Thanks for your reply.

I got your point. It is a good idea.
But I will keep trying until I find time to follow your advice. :)

Your firewall is allowing everything that is not explicitly blocked. So that should be fine.

add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid

Are the firewalls the same on both routers?
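Both the "not safe at all" reply and the "allowing everything that is not explicitly blocked" reply above come down to two properties of the posted rule set, and they are easy to check mechanically. The following is an added example, not part of the thread and not MikroTik tooling: a small audit over the posted /ip firewall filter export that reports whether each chain ends in a catch-all drop (RouterOS accepts any packet no rule matched) and which TCP ports the input chain accepts from any source before the rules that drop WAN-sourced traffic. The WAN interface names (ether1, pppoe-out1, pppoe-out2) are taken from the posted config; the hardened rule set is a constructed contrast, not the real RouterOS default.

```python
"""Audit a pasted RouterOS /ip firewall filter export for two exposures:
chains with no final catch-all drop (RouterOS accepts whatever no rule
matched), and input-chain accepts for TCP service ports that match before
any rule dropping traffic arriving on a WAN interface.
Added example for this thread; not MikroTik code."""
import shlex

# Assumed WAN-facing interfaces, read off the posted configuration.
WAN_INTERFACES = {"ether1", "pppoe-out1", "pppoe-out2"}
# Keys that do not narrow what a rule matches.
NON_MATCHER_KEYS = {"chain", "action", "comment", "disabled", "log", "log-prefix"}

# Constructed: the filter the poster shared (export line-wraps joined).
POSTED_FILTER = """
add action=drop chain=input dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login5
add action=add-src-to-address-list address-list=ros_login5 address-list-timeout=none-static chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login4
add action=add-src-to-address-list address-list=ros_login4 address-list-timeout=3m chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login3
add action=add-src-to-address-list address-list=ros_login3 address-list-timeout=3m chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login2
add action=add-src-to-address-list address-list=ros_login2 address-list-timeout=3m chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=ros_login1
add action=add-src-to-address-list address-list=ros_login1 address-list-timeout=3m chain=input connection-state=new dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp src-address-list=!LanIP
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=21,22,23,25,80,110,443 protocol=tcp
add action=accept chain=forward dst-port=80,443 in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-port=80,443 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input in-interface=pppoe-out1
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
"""

# Constructed contrast: allow-list style with a catch-all drop per chain
# (illustrative only; not the RouterOS default rule set).
HARDENED_FILTER = """
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop everything else aimed at the router"
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface-list=LAN
add action=drop chain=forward comment="drop everything else"
"""


def parse_rules(text):
    """'add key=value ...' lines to dicts, in evaluation order; shlex keeps quoted comments intact."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def chain_rules(rules, chain):
    return [r for r in rules if r.get("chain") == chain]


def ends_with_catch_all_drop(rules, chain):
    """True only if the chain's last rule is a drop with no matcher at all."""
    c = chain_rules(rules, chain)
    return bool(c) and c[-1].get("action") == "drop" and not (set(c[-1]) - NON_MATCHER_KEYS)


def is_wan_drop(rule):
    return rule.get("action") == "drop" and (
        rule.get("in-interface") in WAN_INTERFACES or rule.get("in-interface-list") == "WAN")


def ports_accepted_before_wan_drop(rules, chain="input"):
    """dst-port values accepted with no source or interface restriction, evaluated
    before the first rule that drops WAN-sourced traffic (so reachable from the WAN)."""
    c = chain_rules(rules, chain)
    cutoff = next((i for i, r in enumerate(c) if is_wan_drop(r)), len(c))
    restricting = {"src-address", "src-address-list", "in-interface", "in-interface-list"}
    return [r["dst-port"] for r in c[:cutoff]
            if r.get("action") == "accept" and "dst-port" in r and not restricting & set(r)]


def audit(text):
    rules = parse_rules(text)
    return {
        "input_catch_all_drop": ends_with_catch_all_drop(rules, "input"),
        "forward_catch_all_drop": ends_with_catch_all_drop(rules, "forward"),
        "input_ports_open_to_wan": ports_accepted_before_wan_drop(rules),
    }


if __name__ == "__main__":
    print("posted:  ", audit(POSTED_FILTER))
    print("hardened:", audit(HARDENED_FILTER))
```

On the posted rules the audit reports no catch-all drop in either chain and the accept for ports 21,22,23,25,80,110,443 sitting ahead of the WAN drops, which is exactly why the replies call the set unsafe while also noting that it cannot be what blocks PC1 from reaching PC2: anything the rules do not name is let through. The same checks on the hardened contrast return catch-all drops and an empty port list.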

Yes.
I have tried disabling all the rules in the filter; the result is the same.

Are the default gateways set on both PCs?

Try pinging one hop further at a time, from both ends, to discover where the "connection breaks".