01101110110110
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Apr 12, 2012 8:19 pm

Accessing subnets behind mikrotik

Fri Apr 27, 2012 1:03 am

My MK server has 3 interfaces (LAN, WAN1, WAN2) and I do load balancing on both WANs; however, I can't access either WAN subnet to get to the router's config page.

LAN = 192.168.0.0/24
WAN1 = 192.168.1.0/24 (router's ip is 192.168.1.98, MK's interface is 99)
WAN2 = 192.168.2.0/24 (router's ip is 192.168.2.98, MK's interface is 99)
Both routers are configured in bridge mode and I have 2 additional PPPoE interfaces:
TEdata1 from wan1
TEdata2 from wan2

Here is my NAT table. I tried masquerading everything, but that doesn't seem to have helped. Can anyone tell me what I need to change in order to get it to work?
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    TEdata1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    TEdata2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=LAN
Last edited by 01101110110110 on Sun May 13, 2012 5:00 pm, edited 1 time in total.
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Accessing subnet behind mikrotik

Fri Apr 27, 2012 3:04 am

I have my LAN setup as 192.168.0.0/24, my wan (2 routers) setup in the 192.168.1.0/24 range, with the mikrotik server having one interface in each. I'd like to be able to access the routers (config page) from my LAN without using bridge mode. I have an ip firewall masquerade rule for 192.168.0.0/24 only, while the server can ping both lines. I'd also like to get ping commands from my LAN to work while accessing the routers.

Any ideas ?

This is just basic networking. You need to put a src-nat masquerade rule for data going to 192.168.1.0/24, and make sure the mikrotik itself has a /24 address for both interfaces. At that point, it will work if you have the gateways on all your devices set properly.
 
01101110110110
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Apr 12, 2012 8:19 pm

Re: Accessing subnet behind mikrotik

Fri Apr 27, 2012 10:03 am

This is what I have:
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   192.168.0.99/24    192.168.0.0     192.168.0.255   LAN
 1   192.168.1.99/24   192.168.1.0     192.168.1.255   WAN1                  
 2   192.168.2.99/24   192.168.2.0     192.168.2.255   WAN2
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade src-address=192.168.0.0/24 
     out-interface=WAN 
 1   chain=srcnat action=masquerade src-address=192.168.1.0/24 
I still can't get my PC on 192.168.0.0/24 to ping/access my router at 192.168.1.97. I can get internet from it through the mikrotik router, but I'm blind to that subnet.
Last edited by 01101110110110 on Sun May 13, 2012 7:01 pm, edited 1 time in total.
 
01101110110110
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Apr 12, 2012 8:19 pm

Re: Accessing subnet behind mikrotik

Sun Apr 29, 2012 8:09 pm

If it's really a simple problem, why can't I get a quick solution? Please, someone help.
 
01101110110110
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Apr 12, 2012 8:19 pm

Re: Accessing subnets behind mikrotik

Sun May 13, 2012 5:01 pm

I've updated the first post to reflect changes in the network, help still required.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Accessing subnets behind mikrotik

Mon May 14, 2012 6:56 pm

Try posting the current routing table and firewall rules. In an earlier post there was a masquerade rule with an out interface of "wan" rather than "wan1" or "wan2", so a clean overview of the current status would help.

You should not have to masquerade the traffic out of the LAN connection, and doing so can be dangerous, so I suggest removing that entry.
 
01101110110110
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Apr 12, 2012 8:19 pm

Re: Accessing subnets behind mikrotik

Tue May 15, 2012 1:05 am

Yes, I had posted that when I only had one operational line. Now I have 3 ethernet interfaces: LAN, WAN1, WAN2. The last 2 each connect to a single router in bridge mode. There are 2 more PPPoE interfaces called TEdata1(4mb) & TEdata2(2mb). I've removed the LAN masquerade rule; below is all the data you've requested.
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    TEdata1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    TEdata2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2
/ip route
add check-gateway=ping comment="" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=TEdata2
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=TEdata2 routing-mark=to_WAN2
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=TEdata1
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=TEdata1 routing-mark=to_WAN1
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    WAN2 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    WAN1 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN1_conn \
    disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN2_conn \
    disabled=no new-routing-mark=to_WAN2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_conn \
    disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn \
    disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    192.168.1.0/24 in-interface=LAN
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    192.168.2.0/24 in-interface=LAN
/ip address
add address=192.168.0.99/24 broadcast=192.168.0.255 comment="" disabled=no \
    interface=LAN network=192.168.0.0
add address=192.168.1.99/24 broadcast=192.168.1.255 comment="" disabled=no \
    interface=WAN2 network=192.168.1.0
add address=192.168.2.99/24 broadcast=192.168.2.255 comment="" disabled=no \
    interface=WAN1 network=192.168.2.0
 
nickshore
Long time Member
Posts: 521
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Accessing subnets behind mikrotik

Tue May 15, 2012 1:37 pm

Your modem on 192.168.1.97 won't have a route to send reply packets to 192.168.0.x

So you need to NAT packets destined to the modem

Add a rule like:

add action=src-nat chain=srcnat dst-address=192.168.1.97 out-interface=WAN1 to-addresses=192.168.1.99


Hope that helps
Nick.
 
01101110110110
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Apr 12, 2012 8:19 pm

Re: Accessing subnets behind mikrotik

Tue May 15, 2012 7:13 pm

Doesn't seem to work. Wouldn't IP routes be sufficient though ? Apparently dynamic routes aren't exported, but here they are. Each interface created one of those
 8 ADC  192.168.0.0/24     192.168.0.99                           0        LAN 
 9 ADC  192.168.1.0/24     192.168.1.99                           0        WAN2
10 ADC  192.168.2.0/24     192.168.2.99                           0        WAN1
The nat rules don't seem to work either, do I need to reboot or something ? Below are the 2 rules I added
add action=src-nat chain=srcnat dst-address=192.168.1.98 out-interface=WAN2 to-addresses=192.168.1.99
add action=src-nat chain=srcnat dst-address=192.168.2.98 out-interface=WAN1 to-addresses=192.168.2.99
p.s: both routers are 192.168.x.98 in either subnet
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Accessing subnets behind mikrotik

Wed May 16, 2012 9:58 pm

If you are masquerading the traffic headed out of the WAN interfaces then they should be able to communicate with the bridge mode modems just as any other external host.

I suggest that you do this:

Insert a bridge between one of the modems and the router. Attach a PC and set to another address on the relevant subnet. Check that the PC can communicate with both the modem and router on the expected addresses. I suspect that there is something wrong with the underlying assumptions.
 
01101110110110
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Apr 12, 2012 8:19 pm

Re: Accessing subnets behind mikrotik

Thu May 17, 2012 2:30 am

Insert a bridge between one of the modems and the router. Attach a PC and set to another address on the relevant subnet. Check that the PC can communicate with both the modem and router on the expected addresses. I suspect that there is something wrong with the underlying assumptions.
That is how I'm forced to access the config pages atm, but unfortunately that results in the internet being disconnected from the rest of the network until I disable the bridge. I don't understand why it doesn't work. When I had a single line I also had this issue (when I started this topic); I don't recall what I did and got it working. But now that I've implemented load balancing with a 2nd line I can't get it to work anymore. I can ping both subnets from the MK server, and when bridged I can access the routers too; the problem seems to be in the NAT'ing/routing part.
 
nickshore
Long time Member
Posts: 521
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Accessing subnets behind mikrotik

Thu May 17, 2012 4:26 pm

Are your mangle rules catching the traffic and routing it incorrectly ?

Maybe add some mangle rules specifically to mark routes to the correct wan interface just in case.

Nick.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Accessing subnets behind mikrotik

Thu May 17, 2012 4:40 pm

Run traceroute from a PC on the LAN to the DSL modem's IP and see how far it is getting. The last IP that reports should give a good clue as to what is wrong.
 
01101110110110
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Apr 12, 2012 8:19 pm

Re: Accessing subnets behind mikrotik

Fri May 18, 2012 12:11 pm

Run traceroute from a PC on the LAN to the DSL modem's IP and see how far it is getting. The last IP that reports should give a good clue as to what is wrong.
Can't seem to get any IPs; it keeps going without getting a reading on any hop. However, if I traceroute a website, the first hop is unknown and all the other hops appear, starting with my ISP at 2nd. I'm guessing the first one is my router which I'm unable to access.
Are your mangle rules catching the traffic and routing it incorrectly ?
I tried disabling the mangle rules, no reply either.
 
ConnectiviaSrl
just joined
Posts: 7
Joined: Sat May 19, 2012 11:04 am
Location: Naples Area / Italy

Re: Accessing subnets behind mikrotik

Tue May 22, 2012 12:46 am

Hi there

The problem in your configuration is the order in which the mangling rules are processed.
Please move the accept rules up to the beginning of the prerouting chain:
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    192.168.1.0/24 in-interface=LAN
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    192.168.2.0/24 in-interface=LAN
so that they will be the first to be processed.

Looking forward to good news from you.
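
The rule-ordering point in the post above, as an added example that is not part of the original thread: a small Python model of a top-down walk through mangle prerouting, run on rules condensed from the export posted earlier. The function names and the `pcc_hash` parameter (standing in for RouterOS's per-connection-classifier hash) are assumptions of this sketch, and only the matchers used in the thread are modeled. A routing mark matters here because the marked routing tables in the thread hold only a default route via the PPPoE interfaces.

```python
import ipaddress, re, shlex

LOCAL = {"192.168.0.99", "192.168.1.99", "192.168.2.99"}  # router's own IPs, per the thread

def parse_rules(export):
    """Parse RouterOS 'add key=value ...' export lines into a list of dicts."""
    text = re.sub(r"\\\n\s*", "", export)  # join '\' line continuations
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:])
            for line in text.splitlines() if line.strip().startswith("add ")]

def matches(rule, pkt, conn_mark, pcc_hash):
    """Evaluate only the matchers that appear in the thread's mangle rules."""
    for key, val in (("in-interface", pkt["in"]), ("connection-mark", conn_mark)):
        if rule.get(key, val) != val:
            return False
    net = ipaddress.ip_network(rule.get("dst-address", "0.0.0.0/0"), strict=False)
    if ipaddress.ip_address(pkt["dst"]) not in net:
        return False
    if rule.get("dst-address-type") == "!local" and pkt["dst"] in LOCAL:
        return False
    if "per-connection-classifier" in rule:  # e.g. both-addresses-and-ports:3/0
        denom, rem = rule["per-connection-classifier"].split(":")[1].split("/")
        return pcc_hash % int(denom) == int(rem)
    return True

def prerouting_marks(rules, pkt, pcc_hash=0):
    """Walk mangle prerouting top-down; return (connection mark, routing mark)."""
    conn_mark = route_mark = None
    for r in (r for r in rules if r["chain"] == "prerouting"):
        if not matches(r, pkt, conn_mark, pcc_hash):
            continue
        conn_mark = r.get("new-connection-mark", conn_mark)
        route_mark = r.get("new-routing-mark", route_mark)
        if r["action"] == "accept" or r.get("passthrough") == "no":
            break  # accept, or a mark with passthrough=no, ends the chain walk
    return conn_mark, route_mark

# Condensed from the thread's export (comment/disabled fields dropped).
PCC = r"""
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN \
    new-routing-mark=to_WAN1 passthrough=yes
"""
ACCEPT = "add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=LAN\n"
pkt = {"in": "LAN", "dst": "192.168.1.98"}  # LAN PC opening the modem's config page
original = prerouting_marks(parse_rules(PCC + ACCEPT), pkt)   # accept rule last
reordered = prerouting_marks(parse_rules(ACCEPT + PCC), pkt)  # accept rule first
print("accept last:", original, "| accept first:", reordered)
```

With the accept rule last, the packet to the modem leaves prerouting carrying a routing mark; with it first, the packet is unmarked and follows the main table's connected route, while traffic to other destinations is still classified.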
 
01101110110110
Frequent Visitor
Topic Author
Posts: 81
Joined: Thu Apr 12, 2012 8:19 pm

Re: Accessing subnets behind mikrotik

Thu May 24, 2012 4:42 pm

Sorry for the late response. I've changed it as requested; no change. Here are my current mangle/nat tables.

/ip firewall mangle
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    192.168.1.0/24 in-interface=LAN
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    192.168.2.0/24 in-interface=LAN
add action=mark-connection chain=prerouting comment="" connection-state=new \
    disabled=no in-interface=LAN new-connection-mark=payment_reminderM \
    passthrough=no src-address-list=payment_reminder
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
    192.168.1.99 new-routing-mark=test passthrough=no src-address=\
    192.168.0.0/24
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    WAN2 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    WAN1 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN1_conn \
    disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN2_conn \
    disabled=no new-routing-mark=to_WAN2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn \
    passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn \
    passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn \
    passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_conn \
    disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn \
    disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no dst-address=\
    192.168.2.98 out-interface=WAN1 to-addresses=192.168.2.99
add action=src-nat chain=srcnat comment="" disabled=no dst-address=\
    192.168.1.98 out-interface=WAN2 to-addresses=192.168.1.99
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    TEdata1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    TEdata2
