Community discussions

MikroTik App
 
wassy83
newbie
Topic Author
Posts: 39
Joined: Fri Jul 21, 2017 5:41 pm

access different subnet from wan interface

Thu Sep 27, 2018 11:15 pm

hi to all,
I cannot figure out how to fix this:
I have a telecom Italia router with ip 192.168.1.1 and 2 mikrotiks connected trough eth1-wan to the Telecom router. the mikrotik-1 have 192.168.1.10 on the eth1-wan interface and the mikrotik-2 have 192.168.1.20 on the eth1-wan interface. then all the other ports are bridged with assigned networks 192.168.10.0/24 for mikrotik-1 and 192.168.20.0/24 for mikrotik-2. I have added a masquerade rule on both mikrotiks and dhcp server preferences. so everything works and I can access internet, winbox, and the telefom italia interface from both networks.. but I can't access from mikrotik-1 the wan interface of mikrotik-2 and viceversa. any suggestions? I need this because I need to manage the mikrotik-2 interface using the mikrotik-1 lan due the phisical distance beetween the 2 networks. many thanks
 
mkx
Forum Guru
Forum Guru
Posts: 4988
Joined: Thu Mar 03, 2016 10:23 pm

Re: access different subnet from wan interface

Thu Sep 27, 2018 11:26 pm

Did you adjust firewall settings on mikrotik-2? Default firewall does not allow any connectivity initiated from WAN interface and connections from mikrotik-1 are considered WAN connections by mikrotik-2 ...
BR,
Metod
 
wassy83
newbie
Topic Author
Posts: 39
Joined: Fri Jul 21, 2017 5:41 pm

Re: access different subnet from wan interface

Thu Sep 27, 2018 11:30 pm

for the moment firewall table is empty except for the nat masquerade rule, may I have to add an accept rule?
 
adialupoaie
just joined
Posts: 1
Joined: Wed Apr 16, 2014 9:53 am

Re: access different subnet from wan interface

Thu Sep 27, 2018 11:42 pm

romon......
 
mkx
Forum Guru
Forum Guru
Posts: 4988
Joined: Thu Mar 03, 2016 10:23 pm

Re: access different subnet from wan interface

Thu Sep 27, 2018 11:43 pm

No, there's implicit "accept all" at the end of (now empty) firewall rule list.

Which kind of administration tool are you trying to use (winbox, webfig, ssh, ...) and are you trying to connect using IP address (supposedly 192.168.1.20)?
You might want to check /ip services on mikrotik-2 to verify that selected management method is enabled.

You may also want to verify that WAN interfaces of both mikrotiks have set same subnet mask. As you don't have any firewall, mikrotik-2 should reply to ping-s. You can try pinging it from mikrotik-1 using command /tool ping-speed 192.168.1.20, after a few seconds ut should display some non-zero throughput.
BR,
Metod
 
wassy83
newbie
Topic Author
Posts: 39
Joined: Fri Jul 21, 2017 5:41 pm

Re: access different subnet from wan interface

Thu Sep 27, 2018 11:49 pm

I m trying trough wimbox and web interface and they are all enabled, cause if I connect directly to the telecom italia router I can access 192.168.1.20 amd 192.168.1.10 from web interface or winbox with no problems. but I cannot do this if I'm connected to mikrotik-1 router
 
wassy83
newbie
Topic Author
Posts: 39
Joined: Fri Jul 21, 2017 5:41 pm

Re: access different subnet from wan interface

Thu Sep 27, 2018 11:57 pm

yes subnet is the same 192.168.1.10/24 network 192.168.1.0 for mikrotik-1 and 192.168.1.20/24 network 192.168.1.0 for mikrotik-2
 
mkx
Forum Guru
Forum Guru
Posts: 4988
Joined: Thu Mar 03, 2016 10:23 pm

Re: access different subnet from wan interface

Fri Sep 28, 2018 12:08 am

Next thing to check: that NAT rule on mikrotik-1 ... how exactly does it look like?
BR,
Metod
 
wassy83
newbie
Topic Author
Posts: 39
Joined: Fri Jul 21, 2017 5:41 pm

Re: access different subnet from wan interface

Fri Sep 28, 2018 12:42 am

masquerade srcnat nothing more, if I disable thia rule nothing changes except that obviously I cannot navigate internet
 
mkx
Forum Guru
Forum Guru
Posts: 4988
Joined: Thu Mar 03, 2016 10:23 pm

Re: access different subnet from wan interface

Fri Sep 28, 2018 3:31 pm

But how exactly does masquerade look like?

If you didn't have masquerade enabled, then you'd gave to add routes to reach local lans on the other router.

E.g.
#mikrotik-1:
/ip route
add dst-address=192.168.20.0/24 gateway=192.168.1.20
#
# mikrotik-2:
/ip route
add dst-address=192.168.10.1/24 gateway=192.168.1.10
Or, if you only want to access mikrotik-2 from mt-1 LAN, you have to add route on mikrotik-2 so that it knows how to send replies.

If your masqueeade us complete, this should not be necessary as all connections from mt-1 LAN would appear to originate from 192.168.1.10 and mikrotik-2 knows how to send replies there.
Last edited by mkx on Fri Sep 28, 2018 3:32 pm, edited 1 time in total.
BR,
Metod
 
stoser
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 21, 2016 12:04 am

Re: access different subnet from wan interface

Fri Sep 28, 2018 3:32 pm

I have a telecom Italia router with ip 192.168.1.1 and 2 mikrotiks connected trough eth1-wan to the Telecom router. the mikrotik-1 have 192.168.1.10 on the eth1-wan interface and the mikrotik-2 have 192.168.1.20 on the eth1-wan interface. then all the other ports are bridged with assigned networks 192.168.10.0/24 for mikrotik-1 and 192.168.20.0/24 for mikrotik-2.
-- I am assuming that you have a default route (default gateway) as the Italia Telecom router, probably something like 0.0.0.0/0 ====> 192.168.1.1
-- Therefore if you are connected to the Italia Telecom Router, you can connect to both Mikrotiks, since they are all on the same subnet of 192.168.1.0/24
-- But if you are connected to either of the Mikrotiks, you cannot connect to the other, because you must route from 192.168.10.0 to 192.168.20.0 and vice versa.
-- You need to add static routes on each Mikrotik to the other mikrotik subnet. For example, on Mikrotik with address in range 192.168.10.0, add a route that routes all traffic to the 192.168.20.0 network to the gateway of 192.168.1.20. On the Mikrotik with address 192.168.20.0, add a route that routes all traffic to 192.168.10.0 to gateway 192.168.1.10

EDIT: mkx said it better than me, we must have been typing at exactly the same time ...

Who is online

Users browsing this forum: tdw and 63 guests