Static Routes across different LANs

Network scenario:
Internet -> VDSL modem (LAN 192.168.6.1, DHCP server on) -> RB750GL (WAN 192.168.6.15 static, LAN 192.168.1.1, DHCP server on).

I set a static route on the VDSL modem:
Destination: 192.168.1.0
Netmask: 255.255.255.0
Gateway: 192.168.6.15

But I cannot access static or DHCP clients (e.g. 192.168.1.50), only the main router 192.168.1.1.

Where am I going wrong?

When you say “access”, do you mean with just ping, or other services (HTTP, UNC, etc.)?

If just ping… check any firewall filters on the RB.

If other services, your issue may be NAT. With NAT enabled, when your devices reply back, they get src-nat-ed to the router IP, which the other end in turn treats as an invalid connection (since it was expecting the actual IP). You need to tweak the NAT rule so that it does masquerade/src-nat only if the dst-address is not in the 192.168.6.0/24 subnet.

I mean access via Winbox through port 8291.

NAT is done only on the RB750, which translates 192.168.6.0 to 192.168.1.0.

All other devices are bridged and transparent.

Should I tell the RB750 to do src-nat only if addresses are not in 192.168.6.0/24?

Sure.

Post

/ip firewall nat export

if you don’t manage to get it working.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway

I assume 192.168.6.15 is set on ether1-gateway with no other IP address assigned to it.

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade other networks" \
out-interface=ether1-gateway src-address=!192.168.6.0/24
/ip address print
 0   192.168.1.1/24     192.168.1.0     ether2-master-local                                   
 1   192.168.6.15/24    192.168.6.0     ether1-gateway

Thanks, but it does not work. I can’t understand why.

I’m trying to access from the 192.168.6.0/24 LAN; maybe the problem is DHCP?

What does not work? 192.168.1.x hosts not being able to reach the Internet? Or pings from the VDSL to LAN IPs?

I’d check the VDSL modem NAT to make sure it masquerades both the .1.0 and .6.0 networks (or 192.168.0.0/16) and disable NAT on the MikroTik if you want to be able to ping from other .6.0/24 hosts (I guess there are more apart from the VDSL itself?).

 0    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 1    chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix="" 

 2    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

 4    ;;; default configuration
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 5    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 6    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 7    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""

Could anyone help me?

I suspect that your traffic between 192.168.1.0/24 and 192.168.6.0/24 is being blocked by rule #3. If you want bilateral communication, you need to create a filter rule that explicitly ALLOWS communication between those two subnets.

The easiest thing to do would be to create an address list with both subnets. Then, create a filter rule above your drop rule (currently #3), specifying the address list you created in both the src and dest address lists. Change action to accept and in-interface to ether1.

Alternatively, you could disable all the firewall rules altogether if you don’t need any additional protection - such as if your VDSL router is already firewalling internet traffic for you and you don’t want to hinder any type of communication between 192.168.6.0/24 and 192.168.1.0/24. This would essentially put your RB750 in router-only mode.

Lastly, make sure that any client devices on either LAN have firewall rules to allow traffic to 192.168.6.0/24 or 192.168.1.0/24. Sometimes the built-in firewall (especially on Windows machines) will block traffic outside its local subnet.

Thank you so much, you solved my problem!
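Added example, not part of the thread: a simplified Python model of the filter rules posted above, evaluated first-match for new Winbox (TCP 8291) connections. It assumes traffic addressed to one of the router's own IPs is handled by the input chain and everything else by forward; the dictionary field names and the sample packets are constructed for illustration.

```python
# Simplified first-match model of the /ip firewall filter rules posted above.
# Assumption: every action is treated as terminating, which is enough for the
# new connections evaluated here; RouterOS accepts a packet that matches no rule.
ROUTER_ADDRS = {"192.168.1.1", "192.168.6.15"}   # from /ip address print
EST = {"established", "related"}

# (number, chain, match conditions, action), transcribed from the thread
RULES = [
    (0, "input", {"protocol": "icmp"}, "accept"),
    (1, "input", {"protocol": "tcp", "dst_port": 8291}, "accept"),
    (2, "input", {"state": EST}, "accept"),
    (3, "input", {"in_interface": "ether1-gateway"}, "drop"),
    (4, "forward", {"state": EST}, "fasttrack-connection"),
    (5, "forward", {"state": EST}, "accept"),
    (6, "forward", {"state": {"invalid"}}, "drop"),
    (7, "forward", {"state": {"new"}, "dstnat": False,
                    "in_interface": "ether1-gateway"}, "drop"),
]

def chain_for(dst):
    """Traffic to one of the router's own addresses is 'input', the rest 'forward'."""
    return "input" if dst in ROUTER_ADDRS else "forward"

def evaluate(pkt):
    """Return (rule number or None, action) for the first rule matching pkt."""
    chain = chain_for(pkt["dst"])
    for num, rule_chain, cond, action in RULES:
        if rule_chain != chain:
            continue
        if all(pkt[k] in v if isinstance(v, set) else pkt[k] == v
               for k, v in cond.items()):
            return num, action
    return None, "accept"

def winbox(dst, in_interface):
    """Constructed sample: a new TCP connection to port 8291 (not dst-natted)."""
    return {"dst": dst, "protocol": "tcp", "dst_port": 8291, "state": "new",
            "dstnat": False, "in_interface": in_interface}

if __name__ == "__main__":
    for dst, iface in [("192.168.1.1", "ether1-gateway"),
                       ("192.168.1.50", "ether1-gateway"),
                       ("192.168.6.1", "ether2-master-local")]:
        print(dst, iface, evaluate(winbox(dst, iface)))
```

In this model the connection to 192.168.1.1 is accepted by input rule 1, while the same connection to 192.168.1.50 entering on ether1-gateway is dropped by forward rule 7, so an accept rule for the two subnets has to sit above the drop rule in the chain the traffic actually traverses.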