I feel dumb for asking this since it would seem simple enough. I have a small LAN that I was brought into that is an existing /24 network with IP addresses used up all over this space that I cannot change at this time to make subnetting easier. We are joining a new small dept to this LAN as a subnet by adding another router into the mix. Routers R1 and R2 are both MikroTik RB532's running ROS 3.10.
The R1 router is configured to use NAT (src-nat / masquerade).
R1 has ether1 going to the internet, ether2 going to a switch which goes to R2
The R2 router: I am trying to avoid double-natting. It has no firewall rules and no nat rules.
R2 has ether1 going to ether2 on R1 via the switch, and ether2 going to the new LAN subnet
A small pdf drawing is attached of the setup if it helps visualize. subnet.pdf (59.2 KB)
I have static routes for R1 to the LAN on R2 and vice versa.
I can ping internally across subnets, but I cannot ping anything public from R2
I am lacking something here, can this be done or am I an idiot? I appreciate any help anyone can give on getting this type of scenario to work. Thanks for your time,
On R1, changed the outgoing interface to be ether1 for the masquerade nat rule.
Logged into R2 and tried to ping 64.233.167.104 (google) and still got a no route to host.
From R2 I can ping 192.168.1.1
From a pc behind R2 on the 10.10.10.0 LAN, I can ping 192.168.1.1 also, but nothing public (which I assumed)
So R2 traffic can get to the LAN default gateway on R1, but cannot get out past there. This doesn’t make any sense to me at all as to why. To me, the R2 traffic should look like it’s coming from 192.168.1.3 since it is directly connected and on the same subnet, so what is the problem. Apparently my lack of knowledge is one part of the equation…
Thanks for the help thus far, please keep the ideas coming.
Haven’t talked IP addresses yet.
R1 ether2 interface should be assigned 192.168.1.1/24
R2 ether1 interface should be assigned 192.168.1.3/24
R2 ether2 interface should be assigned 10.10.10.1/24
And the part about looking like 192.168.1.3, no. Unless you srcnat or masquerade R2, then all maintain their original IP address to R1 ether2. Between R1 ether2 and R1 ether1, they will be masqueraded. To the world, they will appear as the IP of R1 ether1. You are ok there. There is a gateway route in R1 for the 10.10.10.0/24 net. That would be the only set it would not know how to find.
I don’t know about yours, but I think I spotted the challenge jlxl has.
It appears the default gateway route on R1 is not correct. That first line should be
0 A S 0.0.0.0/0 r x.x.x.x 1 ether1
The “0” after the gateway IP should be a “1”. That “0” indicates a local interface. The default gateway should show a “1” under distance.
The gateway IP should be the one your ISP gave you with your IP/netmask and DNS servers. Ensure you did not assign the gateway IP to ether1 too.
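As an added illustration of the addressing and routes discussed in the replies above (this is not configuration posted by anyone in the thread), here is the RouterOS CLI for both routers. It assumes the ISP gateway is the placeholder x.x.x.x, that R1 masquerades only on ether1, and that R2 needs a plain default route pointing at R1 and no NAT of its own, so the 10.10.10.0/24 hosts reach R1 with their original addresses.

```routeros
# ---- R1: internet router (masquerades once, on ether1) ----
/ip address add address=192.168.1.1/24 interface=ether2
# ISP-facing address goes on ether1; x.x.x.x below is the ISP's
# gateway (placeholder), never the address assigned to ether1 itself.
/ip route add dst-address=0.0.0.0/0 gateway=x.x.x.x distance=1
# Return route for the new subnet behind R2, via R2's ether1 address.
/ip route add dst-address=10.10.10.0/24 gateway=192.168.1.3
# Single NAT rule, matched on the internet interface only.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# ---- R2: inter-subnet router (no NAT, no firewall) ----
/ip address add address=192.168.1.3/24 interface=ether1
/ip address add address=10.10.10.1/24 interface=ether2
# Everything not local on R2 is handed to R1; without this route
# R2 itself reports "no route to host" for public addresses.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1

# ---- check on R1 ----
# The default route must show as an active static route with
# distance 1 and gateway x.x.x.x, not as a connected ("0") entry.
/ip route print
```

The 10.10.10.0/24 route on R1 and the default route on R2 are the two entries that turn one-way pings into working internet access for the new subnet.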