Unable to get simple subnet routing to work.

I have a single router, port 1 is nat’d to the internet. Port 2 is address 192.168.88.1/24, and port 3 is address 192.168.2.1/24.

All hosts on each subnet have a default route set to the .1 address in their subnet, i.e. host 192.168.88.23 has a default gateway of 192.168.88.1.

All hosts can access the internet correctly, and hosts in 88.1 can ping IP 192.168.2.1, but not any other host in the 2.x subnet, and vice versa is the same.

I am pretty confident that, without any additional static routes, 88.x hosts should be able to access 2.x hosts as they are on the same router, and Mikrotik rules forward by default.

What am I missing, why can these two subnets not see each other?

I have reset the router config to nothing, and just created the essential addresses and masquerade rule, nothing else. So no rules are blocking the traffic.

I set up the same config in a GNS3 simulator, and it worked as expected.

Did the default security settings in RouterOS change?

Can you post your config?

export hide-sensitive

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-CBN password=\
    ********* user=*******
/ip address
add address=192.168.2.1/24 interface=ether5 network=192.168.2.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-CBN

Your pared-back configuration requires me to ask something you could’ve shown straightforwardly: are these three ports still bridged together, as they presumably are in the default configuration for whatever device you’re using?

The full (but sanitized) configuration would’ve answered both questions.

As I wrote in my original post, I reset the configuration to nothing, then entered just these commands, so there is no bridging.

What makes you think they should be able to see each other?

By my understanding, subnets on different ports on the same router can see each other. As I recall, the default rules on a Mikrotik are to forward packets between these ports/subnets.

Are you saying they should not by default be able to see each other? If so, what routes do I set up so they can see each other?

What does “/ip/route/print” say?

 
 0 ADS  0.0.0.0/0                          pppoe-CBN                 1
 1 ADC  *.*.*.*/32   *.*.*.*  pppoe-CBN                 0
 2 ADC  192.168.2.0/24     192.168.2.1     ether5                0
 3 ADC  192.168.88.0/24    192.168.88.1    ether2              0

That output shows that “simple subnet routing” does work as you expect. All those dynamic routes (“D”) are what you were expecting RouterOS to add for you.

(Incidentally, you can drop the “network=192.168.88.0” type stuff from your “/ip/address/add” commands. It’s implicit from the host IP and the mask.)

These clients of yours…they wouldn’t happen to be Windows boxes, would they? It blocks ping by default, for the past few major releases. Unblocking instructions.

Ok, so I am not going mad. The subnet routing should work with that simple configuration.

One of the test hosts is a Windows, but I am also testing with a Mac and a Raspberry Pi running the latest Pi OS.

So, now I am at a loss. The router seems ok, the router config seems ok. Will look at unblocking ping on the Windows system, but that does not explain the Mac and Pi.

Thanks for your help. Back to the drawing board.

I would next look at routing on the clients, presumably learned via DHCP. The ping packet may get to the client from the router; that doesn’t tell you that the client then knows how to get the reply back to the router.

The command varies: “ip route” on modern Linux, “netstat -r” on BSDish OSes, “route print” on Windows… They’re all functionally equivalent to the RouterOS command above.
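
The client-side check suggested in the last reply, as an added example that is not part of the original thread: it parses Linux `ip route` output and uses longest-prefix match to show which route a client would use to answer a peer on the other subnet. The sample table, the client address 192.168.2.50, the `eth0` device name and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed `ip route` output for a hypothetical Linux client 192.168.2.50.
# The /16 on-link route is an invented misconfiguration, not the thread's diagnosis.
SAMPLE_IP_ROUTE = """\
default via 192.168.2.1 dev eth0
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.2.50
"""

def parse_ip_route(text):
    """Parse `ip route` lines into (network, gateway or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types not handled here, e.g. "unreachable ..."
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, gw, dev))
    return routes

def reply_route(routes, peer):
    """Longest-prefix match: the route the client would use to answer `peer`."""
    addr = ipaddress.ip_address(peer)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def check_reply(routes, peer, router):
    """Report whether the client's reply to `peer` is handed to `router`."""
    best = reply_route(routes, peer)
    if best is None:
        return "no route: client cannot reply"
    net, gw, dev = best
    if gw == router:
        return f"ok: via {router} on {dev}"
    if gw is None:
        return f"bypasses router: {net} treated as on-link on {dev}"
    return f"bypasses router: via {gw} on {dev}"

if __name__ == "__main__":
    table = parse_ip_route(SAMPLE_IP_ROUTE)
    for peer in ("8.8.8.8", "192.168.88.23"):
        print(peer, "->", check_reply(table, peer, "192.168.2.1"))
```

With this constructed table the internet destination goes through the router while the 192.168.88.x peer is treated as on-link, which would match the symptom of working internet access but no cross-subnet replies.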