Solaris
Member Candidate
Topic Author
Posts: 111
Joined: Thu Apr 29, 2010 5:05 pm

Routing between 2 subnet

Thu Sep 24, 2015 5:42 pm

I have the following setup:
ether1 = 10.8.8.0/24
ether2 = 10.9.9.0/24


ip route:
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          42.80.80.1                1
 1 ADC  10.8.8.0/24        10.8.8.1        ether1                    0
 2 ADC  10.9.9.0/24        10.9.9.1        ether2                    0
 3 ADC  42.80.80.1/32      42.80.80.233    Internet                  0
 

ip firewall nat:
 0    ;;; Bonding to internet!
      chain=srcnat action=masquerade out-interface=Internet log=no 
      log-prefix="" 

 1  D chain=dstnat action=dst-nat to-addresses=10.9.9.254 to-ports=63495 
      protocol=tcp dst-address=42.80.80.47 dst-port=63495 log=no 
      log-prefix="" 

 2  D chain=dstnat action=dst-nat to-addresses=10.9.9.254 to-ports=63495 
      protocol=udp dst-address=42.80.80.47 dst-port=63495 log=no 
      log-prefix="" 

 3  D chain=dstnat action=dst-nat to-addresses=10.9.9.254 to-ports=6881 
      protocol=udp dst-address=42.80.80.47 dst-port=6881 log=no log-prefix="" 

 4  D chain=dstnat action=dst-nat to-addresses=10.9.9.254 to-ports=6881 
      protocol=tcp dst-address=42.80.80.47 dst-port=6881 log=no log-prefix="" 

 5  D chain=dstnat action=dst-nat to-addresses=10.9.9.254 to-ports=49302 
      protocol=tcp dst-address=42.80.80.47 dst-port=49302 log=no 
      log-prefix="" 
ether1 is able to ping into ether2, but the problem is that ether2 cannot ping into ether1; Internet access on both is fine. How do I allow inter-connection between ether1 and ether2?

I have tried the following rule:
/ip route
add dst-address=10.8.8.0/24 gateway=ether2
But ether2 is still not able to ping ether1.
 
Solaris
Member Candidate
Topic Author
Posts: 111
Joined: Thu Apr 29, 2010 5:05 pm

Re: Routing between 2 subnet

Sat Sep 26, 2015 1:16 pm

Anyone? I have a feeling it's something easy, but I still cannot quite figure out the problem.
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Routing between 2 subnet

Sat Sep 26, 2015 5:25 pm

Hi,

Please post the output of:
/ip address print

Also, can you describe your issue in more detail? Do you mean users on the ether2 LAN cannot ping the LAN users on ether1?

regards,
 
Solaris
Member Candidate
Topic Author
Posts: 111
Joined: Thu Apr 29, 2010 5:05 pm

Re: Routing between 2 subnet

Sat Sep 26, 2015 7:34 pm

Yes, a client on ether2 cannot ping/access a client on ether1. The client on ether1 has been purposely enabled to accept ICMP by default, so it's not a firewall issue on the ether1 client.

Here it is:
/ip address
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   10.8.8.1/24        10.8.8.0        ether1                                   
 1   10.9.9.1/24        10.9.9.0        ether2                                   
 2 D 40.111.222.33/32   40.111.222.1     Internet
 
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Routing between 2 subnet

Sun Sep 27, 2015 7:43 am

So can you try to ping from any ether2 LAN client to 10.9.9.1 (your gateway), as well as to 10.8.8.1 (the ether1 network)?

Also, what is your client OS on both sides ether1 and ether2?

regards,
 
Solaris
Member Candidate
Topic Author
Posts: 111
Joined: Thu Apr 29, 2010 5:05 pm

Re: Routing between 2 subnet

Sun Sep 27, 2015 11:12 am

Pinging from a client in 10.9.9.0/24 to 10.9.9.1 succeeds, the same with the 10.8.8.1 gateway; strangely, a ping to a client in ether1 fails with a request timed out error.

The ether2 client was Windows 8.1 64-bit Pro, the ether1 client was Windows 10 64-bit Enterprise.

Finally found out that the Windows firewall on Windows 10 looks like it is blocking ICMP by default! Fixed by either disabling the Windows firewall or adding ICMP rules.

Now I can ping from the ether2 client to the ether1 client! Thanks descartes, but now the problem is getting weird: even though I can ping, I cannot access an FTP server hosted on one of the clients in ether1! The error from the FTP client on ether2 is just "connection reset by peer". My FTP server on ether1 is running on port 5420.

Do you have any idea why the ether2 client cannot access the FTP server on ether1? Are there any firewall rules that I should add?
 
Solaris
Member Candidate
Topic Author
Posts: 111
Joined: Thu Apr 29, 2010 5:05 pm

Re: Routing between 2 subnet

Sun Sep 27, 2015 11:22 am

After adding the following rules, I can now access the FTP server! I just posted them here in case someone needs them:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether1
@descartes
Is this the proper way to NAT 2 different subnets?
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Routing between 2 subnet

Sun Sep 27, 2015 2:42 pm

Hi,

Great, good to hear that you can ping each other.

Yes, Windows by default will not reply to ICMP from another subnet; this is what I was getting at.
We need to investigate the FTP more.

On the NAT masquerading, this is the correct way (there is no other way I can think of).

However, please note that there are times when you want to have full IP access to each other on both LANs; for example, some protocols do not work well in a NAT scenario (e.g. SIP), and so doing NAT (masq) might not be a good idea. We do NAT/masq when we want to block, protect, or even preserve IP addresses, just like we normally do with a router or Internet gateway.

regards,
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: Routing between 2 subnet

Sun Sep 27, 2015 7:20 pm

After adding the following rules, I can now access the FTP server! I just posted them here in case someone needs them:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether1
@descartes
Is this the proper way to NAT 2 different subnets?
Sure, you're now NAT'ing between the subnets, but your original question was routing between the subnets. If you want to simply route, delete those two masquerade statements. While your FTP may work now, your SMB/CIFS traffic will now be broken.
 
Solaris
Member Candidate
Topic Author
Posts: 111
Joined: Thu Apr 29, 2010 5:05 pm

Re: Routing between 2 subnet

Sun Sep 27, 2015 9:29 pm

@descartes @JJCinAZ
So how am I able to properly make these 2 subnets communicate with each other in any protocol other than ICMP, without breaking any protocol of course?
I am also noticing that the FTP server detected the IP of the client on ether2 as 10.8.8.1, which is the ether1 gateway. How do I route and preserve the IP of the ether2 client on ether1?
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Routing between 2 subnet

Mon Sep 28, 2015 8:49 am

I think this is the point that we are making: if you take 2 subnets and NAT (masquerade) them on both sides, all we see is the IP addresses of each gateway (10.8.8.1 or 10.9.9.1). And we have to do DNAT in order, for example, to make your FTP work.

In normal routing, especially when we manage both subnets, we should allow all traffic to pass freely without any translation. In the default mode, routers do not do any translation (DNAT, SNAT, etc.) between subnets, or network interfaces in this case. Unless there is a specific reason (e.g. security or otherwise), we would normally allow all the traffic to go through.

With no firewall rules to worry about, we then just move forward to work on other issues, which are normally on the application layer, like FTP, Windows shares (SMB), printing, etc.

regards,
 
Solaris
Member Candidate
Topic Author
Posts: 111
Joined: Thu Apr 29, 2010 5:05 pm

Re: Routing between 2 subnet

Mon Sep 28, 2015 10:53 am

Thanks for the explanation, but I still couldn't figure out how to make the translation between subnets. The DNAT you mentioned is destination NAT? I have now modified the rules as follows:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.9.9.0/24 out-interface=\
    ether2 src-address=10.8.8.0/24
add action=masquerade chain=srcnat dst-address=10.8.8.0/24 out-interface=\
    ether1 src-address=10.9.9.0/24
add action=dst-nat chain=dstnat disabled=yes src-address=10.9.9.0/24 \
    to-addresses=10.8.8.0/24
add action=src-nat chain=srcnat disabled=yes src-address=10.8.8.0/24 \
    to-addresses=10.9.9.0/24
But those rules broke everything: I couldn't access the Internet, and the LAN inter-connection broke. Would you please give an example of your explanation, in my case, as MikroTik rules?

Strangely, without any masquerade rules for the LAN, iperf on port 5201 works flawlessly, while FTP on port 5420 broke. What I want to do is expose all available 65534 ports, both TCP and UDP, for both LANs so that both of them can inter-communicate.
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: Routing between 2 subnet

Mon Sep 28, 2015 2:31 pm

You just need one NAT rule:
/ip firewall nat
add chain=srcnat out-interface=Internet action=masquerade
Disable all the rules in the Forward chain on firewall filters:
/ip firewall filter
:foreach i in=[find where chain=forward] do={disable $i}
If you can't communicate between the subnets, then you have issues with host configurations on the subnets (e.g. bad network masks, bad default gateways, extraneous routes, etc.).

If you can communicate between subnets, then you can add back forward filter rules until you see what breaks.
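As an added example (not code from any poster in this thread), a small Python check that parses a RouterOS `/ip firewall nat export` in the backslash-continued form shown earlier in the thread and flags every enabled srcnat rule that translates traffic leaving through anything other than the Internet interface, which is exactly what made the FTP server see 10.8.8.1 instead of the real client. The sample export is constructed from this thread's rules, and the assumption that `Internet` is the only WAN interface is mine.

```python
import re
from typing import Dict, List

# Constructed sample (example input, not a real export): the NAT rules from the
# thread's double-masquerade attempt plus the single Internet-facing rule.
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=srcnat out-interface=Internet action=masquerade
add action=masquerade chain=srcnat dst-address=10.9.9.0/24 out-interface=\\
    ether2 src-address=10.8.8.0/24
add action=masquerade chain=srcnat dst-address=10.8.8.0/24 out-interface=\\
    ether1 src-address=10.9.9.0/24
add action=src-nat chain=srcnat disabled=yes src-address=10.8.8.0/24 \\
    to-addresses=10.9.9.0/24
"""

# Assumption: "Internet" is the only interface that should ever masquerade.
WAN_INTERFACES = {"Internet"}

def parse_export(text: str) -> List[Dict[str, str]]:
    """Join RouterOS backslash-continued lines, then split each 'add' line
    into a key=value dict (quoted values keep their quotes)."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return rules

def find_lan_nat(rules, wan=WAN_INTERFACES) -> List[str]:
    """Return the out-interface ("(any)" if unset) of every enabled srcnat
    masquerade/src-nat rule not pinned to a WAN interface. Such a rule rewrites
    the client address on inter-LAN traffic, so a LAN server sees the router
    (10.8.8.1 in the thread) instead of the real client and SMB/SIP break."""
    findings = []
    for r in rules:
        if (r.get("chain") != "srcnat" or r.get("action") not in ("masquerade", "src-nat")
                or r.get("disabled") == "yes"):
            continue
        oif = r.get("out-interface", "(any)")
        if oif not in wan:
            findings.append(oif)
    return findings

if __name__ == "__main__":
    for oif in find_lan_nat(parse_export(SAMPLE_EXPORT)):
        print(f"srcnat rule translates inter-LAN traffic via out-interface={oif}")
```

Run it against a real `/ip firewall nat export` and an empty result means only the WAN rule remains, which is the single-rule setup recommended above.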
 
Solaris
Member Candidate
Topic Author
Posts: 111
Joined: Thu Apr 29, 2010 5:05 pm

Re: Routing between 2 subnet

Mon Sep 28, 2015 3:55 pm

@JJCinAZ
Thanks, but in my firewall filter there are no rules for the forward chain, only rules to block port scanners/nmap.
I have just re-checked my LAN setup; both of them (ether1 and ether2) are fine, with no erroneous gateway/DNS server, and all of the routes are only the default ones generated by MikroTik.

The current problem is that I can ping/iperf from each of them but cannot access an FTP server on the ether1 client from the ether2 client, unless I also masquerade ether1 and ether2, which is not a proper solution because the detected client IP would be the gateway's. So I need a way for them to inter-communicate while preserving their IPs.

I am pulling my hair out over why iperf works fine without masquerading both LANs.

Edit:
Duh, found out it's a software issue! After diving into my FTP server log, I had forgotten to include the IP in the allow list in my FTP server! My mistake on my end, I apologize. The FTP client wasn't outputting the correct log, only "connection reset by peer" rather than an IP restriction log, hence it made me think that the connection wasn't going through and jump straight to thinking it's a routing/MikroTik issue.

Thanks go to descartes and JJCinAZ, who patiently walked through my problems. I hope everything goes really well for you both. Can't thank you enough.
 
TomosRider
Member Candidate
Posts: 209
Joined: Thu Nov 20, 2014 1:51 pm

Re: Routing between 2 subnet

Mon Sep 28, 2015 4:58 pm

It would be nice if you rewarded their time with some karma points... just sayin'.
 
descartes
just joined
Posts: 21
Joined: Sun Sep 20, 2015 3:04 pm

Re: Routing between 2 subnet

Mon Sep 28, 2015 5:00 pm

:D Good to hear that it is finally working...
