Hi. I am rather new to Microtic and i guess i have a very simple question.. But i didnt manage to cope with it by myself...
I got two networks:
1. WAN: 10.1.200.0/24
2. LAN: 10.1.0.0/17
I want Microtic to route everything from LAN to WAN and from WAN to LAN. I dont need NAT, Firewals, etc. Just a simple routing and DHCP + WiFi access point in LAN network
I configured the main router in WAN to have 10.1.200.1 interface and pass all the packets, destinated to 10.1.0.0/17 to address 10.1.200.2 and configured Microtic using the 'WISP AP' preset:
---
Internet

Port: Eth1
Address Acquisition: static
IP Address: 10.1.200.2
Netmask: 255.255.255.0 (/24)
Gateway: 10.1.200.1
Firewall Router: false

Local Network

IP Address: 10.1.100.1
Netmask: 255.255.128.0 (/17)
DHCP Server: true
DHCP Server range: 10.1.100.100-10.1.100.254
NAT: false
---

Now all computers in LAN network can access WAN without problems, but WAN clients cant access anything from LAN except the LAN-address of the Microtic itself.
So from client on WAN i can ping 10.1.200.2 and 10.1.100.1 (Microtic addresses), but i cant ping client with 10.1.100.10 address, which is perfectly accessible from the LAN network.
Tracert shows, that packets reach Microtic, but dont go any further.

I have RB2011UiAS-2HnD-IN board with preinstalled RouterOS.

So, what am i missing?

but WAN clients cant access anything from LAN except the LAN-address of the Microtic itself.

this is perfectly normal as they don't know where to forward traffic with dst-address to 10.1.100.0/17 network and traffic heading to this network will be dropped.

WAN clients will have a gateway, their gateway needs a static route, that says: for traffic with destination IP range of 10.1.100.0/17, should be forwarded to 10.1.200.2
so it's the wan network you need to change.

WAN clients will have a gateway, their gateway needs a static route, that says: for traffic with destination IP range of 10.1.100.0/17, should be forwarded to 10.1.200.2
so it's the wan network you need to change.

As I said, I have a WAN gateway with such settings. When I start tracert from computer in WAN, i can see, that package with destination 10.1.100.10 succefully reach Microtic (10.1.200.2), but then it is lost. It looks like Microtic has some firewall enabled, but I have disabled firewall in preset configuration as well as the rule 'drop all from WAN not DSTNATed' in IP->Firewall window (it was added by default I guess)

sorry missed that bit. that was before my morning coffee...

can you see the packets coming from WAN on your Mikrotik ?
use to catch the traffic.

also I assume you can ping any IP on 10.1.200.0/24 from the LAN side of Mikrotik?
Not sure what NAT: false means in your post but you need masquerade on ether face for LAN traffic to reach WAN. otherwise return traffic will not be able to make it back to 10.1.200.0/24

If routing is properly setup, you will not need NATing (src nat / masquerade). I suspect the clients in the LAN side is Windows clients and the default Windows firewall config will block connections originating from outside their local network

sorry missed that bit. that was before my morning coffee...

can you see the packets coming from WAN on your Mikrotik ?
use

Code: Select all

add chain=forward action=log src-address=10.1.200.0/24

to catch the traffic.

also I assume you can ping any IP on 10.1.200.0/24 from the LAN side of Mikrotik?
Not sure what NAT: false means in your post but you need masquerade on ether face for LAN traffic to reach WAN. otherwise return traffic will not be able to make it back to 10.1.200.0/24

Ye, checked the logs and found my mistake. It was incorrect setting of the gateway on Microtic's clients. Sorry, my stupid mistake... Everything works fine now.

glad you have found the issue. In most cases it's something simple but it's the process of fault finding that matters.

Greetings!

I'm facing the same problem but the difference is a firewall is enabled and NAT too. I can ping and access everything from LAN to WAN but can only ping and access Mikrotik IP address from WAN side.

Here is my setup:
USG:
Internet: 192.168.100.3/24
LAN : 20.10.10.0/24
VLAN : 192.168.1.0/24
VLAN : 192.168.9.0/24------------------------->Mikrotik:
.......................................................................Internet: 192.168.9.135/24
......................................................................Lan: 192.168.1.0/24
......................................................................VLAN: 10.13.10.0/28
..................................................................... VLAN: 10.10.10.0/25

You might be wondering what's with the IP's but I'm in the situation where I can't change cause it will cause bigger problems. So for the meantime, I want to try to solve this first.
The thing is, I want to access the VLAN 10.13.10.0/28 from the USG side(WAN). When I try to ping it: REQUEST TIME OUT

I tried tracert from WAN side and here is the result:
Can somebody please point me what could be missing?
Your help would be really much appreciated, Thank you so much.

Can somebody please point me what could be missing?

You're missing a route on USG. I don't know the syntax, but on ROS it would be something like:

I'll just dismiss the fact that 13.0.0.0/8 is a public routable address block and in principle you can't use it locally (unless you actually got subnet of it assigned to you from ARIN).

@ mkx,

Thanks! I can now access them.

And your right, it should be 10.13.10.0/28. Thanks again for pointing it out