Static Routing (can't ping)

Hello!

I would like to do a static route for 2 MikroTik routers
and tried to look for an answer here with no luck :frowning:

MK1
2 Wan Load Balance (192.168.1.2 , 192.168.2.2)
eth2: 192.168.88.1

MK2
eth0: 192.168.88.2
eth1: 192.168.100.1

I am able to ping from MK2 to MK1.
Internet is OK from MK2,
but I fail to ping from MK1 to MK2.
From WinBox (MK1 and MK2) I am able to ping/tracert all IPs within 192.168.100.x or 192.168.88.x,
but from MK1's PC, I couldn't ping at all.
From MK2's PC, I am able to ping MK1 and have internet access.

What did I set wrong here?

Thanks in advance.

MK1 route
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.1               1
 1 A S  0.0.0.0/0                          192.168.2.1               1
 2 A S  0.0.0.0/0                          192.168.1.1               1
 3  DS  0.0.0.0/0                          192.168.1.1               1
 4  DS  0.0.0.0/0                          192.168.2.1               1
 5   S  0.0.0.0/0                          192.168.2.1               2
 6 ADC  192.168.1.0/24     192.168.1.2     WAN1                      0
 7 ADC  192.168.2.0/24     192.168.2.2     WAN2                      0
 8 ADC  192.168.88.0/24    192.168.88.1    Local                     0
 9 A S  ;;; route 2F
        192.168.100.0/22                   192.168.88.2              1



MK2 route
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.88.1              1
 1 A S  192.168.88.0/22                    192.168.88.1              1
 2 ADC  192.168.88.0/24    192.168.88.2    ether1-gateway            0
 3 ADC  192.168.100.0/24   192.168.100.1   ether2-master-l...        0

In one place you have /22, in another /24. What are the details of the IP addresses added?

All I can say: double-check your configuration.

Still new to networking.
I have no idea what I am doing with /22 and /24.
I copied from an example of static routing but couldn't get it to work.

Could you please explain in detail the settings I should cross-check?

Thanks.

Btw, these are my addresses from both MKs.
I changed the route to /24 now, but it is still the same.

MK 1
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    Local                                    
 1 D 192.168.2.2/24     192.168.2.0     WAN2                                     
 2 D 192.168.1.2/24     192.168.1.0     WAN1



MK 2
 #   ADDRESS            NETWORK         INTERFACE                              
 0   ;;; default configuration
     192.168.100.1/24   192.168.100.0   ether2-master-local                    
 1 D 192.168.88.2/24    192.168.88.0    ether1-gateway

Do you have anything in “/ip firewall nat” or “/ip firewall filter” that might stop that?
Add: If you are going to route the network, there should be no NATs except in the core router (MK1).

Hello!
There is only the default rule in NAT and firewall.
I just tried to disable all but still could not ping :frowning:

Thanks!

MTK2  Firewall
0 X ;;; default configuration
     chain=input action=accept protocol=icmp 

 1 X ;;; default configuration
     chain=input action=accept connection-state=established 

 2 X ;;; default configuration
     chain=input action=accept connection-state=related 

 3 X ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway



MTK2 NAT
0 X ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=ether1-gateway

How about NAT and firewall rules in MK1? Anything there?

MTK 1 is doing some filtering for Facebook, YouTube and QoS.

MTK1  firewall filter
 0   chain=forward action=drop src-address=192.168.88.119 
 1   chain=forward action=accept src-address-list=admin_user_dl_list 
     layer7-protocol=web-facebook 
 2   chain=forward action=accept src-address-list=sp_user_dl_list 
     layer7-protocol=web-facebook 
 3   chain=forward action=accept src-address=192.168.88.124 
     layer7-protocol=web-facebook 
 4   chain=forward action=accept src-address-list=admin_user_dl_list 
     layer7-protocol=web-youtube 
 5   chain=forward action=accept src-address-list=sp_user_dl_list 
     layer7-protocol=web-youtube 
 6   ;;; facebook
     chain=forward action=drop src-address=192.168.88.2-192.168.88.255 
     layer7-protocol=web-facebook 
 7   ;;; youtube
     chain=forward action=drop src-address=192.168.88.2-192.168.88.255 
     layer7-protocol=web-youtube 
 8   ;;; yahoo msg
     chain=forward action=drop src-address=192.168.88.2-192.168.88.255 
     layer7-protocol=yahoo msger 
 9 X ;;; google plus
     chain=forward action=drop protocol=tcp 
     src-address=192.168.88.2-192.168.88.255 dst-port=80 
     content=plus.google.com 
10 X ;;; google plus
     chain=forward action=drop protocol=tcp 
     src-address=192.168.88.2-192.168.88.255 dst-port=443 
     content=plus.google.com 

11 X chain=forward action=drop src-address=192.168.88.2-192.168.88.255 
     layer7-protocol=qq 
12   ;;; default configuration
     chain=input action=accept protocol=icmp 
13   ;;; default configuration
     chain=input action=accept connection-state=established 
14   ;;; default configuration
     chain=input action=accept connection-state=related 
15 X ;;; VPN
     chain=input action=accept protocol=tcp dst-port=1723 
16 X ;;; VPN
     chain=forward action=accept protocol=gre 
17   ;;; default configuration
     chain=input action=drop in-interface=WAN1 
18   ;;; default configuration
     chain=input action=drop in-interface=WAN2



MTK 1  NAT
1   chain=srcnat action=masquerade out-interface=WAN1 

 2   chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=WAN2 

 3   ;;; VPN internet passthrough
     chain=srcnat action=masquerade src-address=192.168.10.0/24 

 4   ;;; port forwarding
     chain=dstnat action=dst-nat to-addresses=192.168.88.53 to-ports=47494 
     protocol=tcp dst-port=47494 

 5   chain=dstnat action=dst-nat to-addresses=192.168.88.53 to-ports=43634 
     protocol=udp dst-port=43634

Why is this here? Which device is assigned that address?

0   chain=forward action=drop src-address=192.168.88.119

What is the ip of the computer on MK1 (192.168.88.x) that can’t ping? It may make it easier to troubleshoot if I knew that.

MTK1's PCs
can't ping anything, actually.

I tried 192.168.100.1 to 192.168.100.50 (which are all valid, of course, in MTK 2).
Meanwhile, MTK2 can ping all and has internet access. :confused:

Thank you for trying to help!

Can you ping 192.168.88.1 from those same computers? How about 192.168.88.2?

PC1: 192.168.88.53
able to ping 192.168.88.1, 192.168.88.2
fails to ping 192.168.100.1 - 192.168.100.50

PC2: 192.168.100.254
(gateway: 192.168.100.1, DNS: 192.168.88.1)
able to ping 192.168.88.1, 192.168.88.2
able to ping 192.168.100.1 - 192.168.100.50

What method are you using for load balancing? I suspect you are using PCC, which means you are using routing marks to route the traffic.
If that is the case, on the first router, you should add a rule which does not process the traffic from LAN1 to LAN2 through the PCC rules:

/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address=192.168.100.0/24 action=accept

This rule should sit above the others.
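
Added illustration, not part of the original posts: a small Python model of why routing marks on MK1 send PC1's pings to 192.168.100.x out a WAN gateway, and why the accept rule only helps when it sits first. The routing-mark names, the per-mark table layout and the parity-based stand-in for the PCC hash are assumptions; the addresses and gateways are the ones posted in the thread.

```python
import ipaddress

# Constructed model of MK1. Mark names (to_WAN1/to_WAN2) are assumed;
# networks and gateways are taken from the thread.
TABLES = {
    "main": [("192.168.88.0/24", "Local"),
             ("192.168.100.0/24", "192.168.88.2"),
             ("0.0.0.0/0", "192.168.1.1")],
    "to_WAN1": [("0.0.0.0/0", "192.168.1.1")],
    "to_WAN2": [("0.0.0.0/0", "192.168.2.1")],
}
MARKS = ["to_WAN1", "to_WAN2"]

# Prerouting mangle rules: an assumed PCC rule and the bypass rule from the post.
PCC_RULE = {"src": "192.168.88.0/24", "dst": None, "action": "pcc"}
BYPASS_RULE = {"src": "192.168.88.0/24", "dst": "192.168.100.0/24",
               "action": "accept"}


def matches(rule, src, dst):
    ok_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
    ok_dst = (rule["dst"] is None or
              ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"]))
    return ok_src and ok_dst


def mangle(rules, src, dst):
    """Walk the rules in order; return the routing mark, or None if unmarked."""
    for rule in rules:
        if not matches(rule, src, dst):
            continue
        if rule["action"] == "accept":
            return None  # processing stops here, the packet stays unmarked
        # Simplified stand-in for the PCC hash: spread address pairs over 2 WANs.
        pair = int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))
        return MARKS[pair % 2]
    return None


def lookup(table, dst):
    """Longest-prefix match inside one routing table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in TABLES[table]
            if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def next_hop(rules, src, dst):
    mark = mangle(rules, src, dst)
    # A marked packet is looked up in its own table first; main is the fallback.
    return (mark and lookup(mark, dst)) or lookup("main", dst)
```

In this model the marked tables hold only a default route, so a marked packet for 192.168.100.0/24 never reaches the static route to 192.168.88.2 in the main table.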

You are right!!

Thank you!! I could ping now!