tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Route to 192.168.x.x Network - Not Routing?

Fri Jul 20, 2012 3:56 pm

Greetings,

I'm new to the Mikrotik world and trying to get my arms around the RouterOS from both the GUI and CLI side. But I have a specific problem/question. I cannot figure out why traffic is not being routed to a specific IP block/interface. The network is there, the route is there. I can confirm that the IP on the target network is pingable from the other side back to the IP on the Mikrotik. From the Mikrotik using the ping tool, I can ping 192.168.1.185 using a src IP of 10.9.10.1. Setting the interface (eth3) to DHCP, it pulls DHCP. However, I cannot ping any other IP on the 192.168.1.0/24 network. Eth3 plugs into a switchport access port vlan 192. Plugging laptop directly into switchport, I can ping any IP on the 192.168.1.0/24 network. So I am stumped as to why the traffic destined for the 192.168.1.0/24 network is not routing. Any help you folks can lend would be mucho appreciated.

tonyd

Very basic network config:

No vlans, tunnels, etc.

Interfaces:
        Name    Type      L2 MTU  Tx         Rx         Tx Packet (p/s)  Rx Packet (p/s)  Tx Drops  Rx Drops  Tx Errors  Rx Errors
D   R   ether1  Ethernet  1526    47.9 kbps  34.5 kbps  28               38               0         0         0          0
D   R   ether2  Ethernet  1522    33.0 kbps  28.3 kbps  34               28               0         0         0          0
D   R   ether3  Ethernet  1522    0 bps      0 bps      0                0                0         0         0          0

IP -> Addresses
        Address           Network        Interface
;;; Private NOC Internal
-D      10.9.10.1/23      10.9.10.0      ether2
-D      10.22.10.0/24     10.22.10.0     ether2
-   D   192.168.1.185/24  192.168.1.0    ether3
;;; default configuration
-E  X   192.168.88.1/24   192.168.88.0   ether1
;;; mtr.noc to cr1.esedo
-D      216.22.22.198/30  216.22.22.196  ether1
;;; Internal NOC Network Publics
-D      216.22.23.1/29    216.22.23.0    ether2

IP -> Routes
         Dst. Address      Gateway                         Distance  Routing Mark  Pref. Source
-D  AS   0.0.0.0/0         216.22.22.197 reachable ether1  1
-   DAC  10.9.10.0/23      ether2 reachable                                        10.9.10.1
-   DAC  10.22.10.0/24     ether2 reachable                                        10.22.10.0
-   DAC  192.168.1.0/24    ether3 reachable                                        192.168.1.185
-   DAC  216.22.22.196/30  ether1 reachable                                        216.22.22.198
-   DAC  216.22.23.200/29  ether2 reachable                                        216.22.23.0
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Route to 192.168.x.x Network - Not Routing?

Tue Jul 24, 2012 7:14 pm

Remember not just to ask "does my source IP have a route to the target" but also "does the target IP have a route back to my source".

e.g. if you can ping the router's own IP on that subnet but nothing else on the subnet then look carefully at the reverse routing - not to mention ICMP filters etc. etc. ......
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route to 192.168.x.x Network - Not Routing?

Wed Jul 25, 2012 2:34 am

Thanks CelticComms...

I believe the answer is that it does. From the Mikrotik's perspective; shown in the "Routes" list; both ways. Eth3 is simply connected to an access port on a vlan that is part of the 192.168.1.0/24 network. Question, is the reason I can ping ip addresses on the 192.168.1.0 network from the Mikrotik when "Not Using A Src IP" because it's using the assigned IP to that interface, i.e. eth3/192.168.1.185? However, when I use a "src" address, that being the gateway address on eth2/10.9.10.0/23 network, it fails because it doesn't have a route back? From my workstation on the 192.168.1.0/24 network I can ping 10.1.10.1.

Thank you again =)

root@tonyd-WorkStation:/home/tonyd# ifconfig
eth0      Link encap:Ethernet  HWaddr b8:ac:6f:84:f9:b3  
          inet addr:192.168.1.200  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::baac:6fff:fe84:f9b3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17011912 errors:0 dropped:168 overruns:0 frame:0
          TX packets:13298240 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14644293780 (14.6 GB)  TX bytes:1807564101 (1.8 GB)
          Interrupt:17 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:112811 errors:0 dropped:0 overruns:0 frame:0
          TX packets:112811 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:9927499 (9.9 MB)  TX bytes:9927499 (9.9 MB)

root@tonyd-WorkStation:/home/tonyd# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
link-local      *               255.255.0.0     U         0 0          0 eth0
default         pfsense.cor.com 0.0.0.0         UG        0 0          0 eth0
root@tonyd-WorkStation:/home/tonyd# traceroute 10.9.10.1
traceroute to 10.9.10.1 (10.9.10.1), 30 hops max, 60 byte packets
 1  pfsense.cor.company.net (192.168.1.55)  0.221 ms  0.220 ms  0.218 ms
 2  10.9.10.1 (10.9.10.1)  1.780 ms  1.838 ms  1.911 ms
root@tonyd-WorkStation:/home/tonyd# ping 10.9.10.1
PING 10.9.10.1 (10.9.10.1) 56(84) bytes of data.
64 bytes from 10.9.10.1: icmp_req=1 ttl=64 time=1.65 ms
64 bytes from 10.9.10.1: icmp_req=2 ttl=64 time=1.85 ms
64 bytes from 10.9.10.1: icmp_req=3 ttl=64 time=2.72 ms
64 bytes from 10.9.10.1: icmp_req=4 ttl=64 time=1.67 ms
64 bytes from 10.9.10.1: icmp_req=5 ttl=64 time=1.75 ms
64 bytes from 10.9.10.1: icmp_req=6 ttl=64 time=1.88 ms
^C
--- 10.9.10.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 1.653/1.923/2.728/0.371 ms
From the Mikrotik ->
Screenshot-2.png
Using a src IP on eth2 (10.9.10.0/23 Network on eth2)
Screenshot-3.png
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Route to 192.168.x.x Network - Not Routing?

Wed Jul 25, 2012 2:15 pm

Do you have any forwarding rules in /ip firewall?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Route to 192.168.x.x Network - Not Routing?

Wed Jul 25, 2012 2:31 pm

Why is this traceroute using 192.168.1.55 as the gateway? I thought it was supposed to go through 192.168.1.1.
root@tonyd-WorkStation:/home/tonyd# traceroute 10.9.10.1
traceroute to 10.9.10.1 (10.9.10.1), 30 hops max, 60 byte packets
1 pfsense.cor.company.net (192.168.1.55) 0.221 ms 0.220 ms 0.218 ms
2 10.9.10.1 (10.9.10.1) 1.780 ms 1.838 ms 1.911 ms
edit: My bad. The router ip on that localnet is 192.168.1.185. Isn't that supposed to be the gateway?
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route to 192.168.x.x Network - Not Routing?

Wed Jul 25, 2012 5:48 pm

@CelticComms - No IP/Firewall rules. I am NAT'ing the 10.9.10.0/23 network. The default GW for 0.0.0.0/0 is 216.22.22.197

@SurferTim - You're correct, it is the GW for the 10.9.10.0/23 network. I use Zentyal as my internal Gateway/Firewall. Its gateway to the world is 192.168.1.55. With respect to the 10.9.10.0/23 network, it's reachable at 192.168.1.185. It's a little strange I know. Basically, I acquired another local competitor ISP. They use Mikrotik; my network is Cisco exclusive. I have a direct microwave link into their core. So I defined a vlan to extend my internal to that core. I placed eth3 on that vlan, i.e. 192.168.1.0/24 network. My plan is to reconfigure that office's network but due to deadlines to migrate their entire topology away from IP blocks that did not come with purchase (ARIN Non-portal) I tried to make it as simple as possible. I simply wanted to route at their end at the Mikrotik between the two networks.

Thanks guys =)

tonyd
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Route to 192.168.x.x Network - Not Routing?

Wed Jul 25, 2012 7:23 pm

Perhaps a diagram would help.... This smells like a routing problem.
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route to 192.168.x.x Network - Not Routing?

Wed Jul 25, 2012 7:32 pm

I'll put something together.... =)
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Route to 192.168.x.x Network - Not Routing?

Wed Jul 25, 2012 8:17 pm

Meantime you may want to have a look at the ether2 interface using Torch while you ping. It may show replies arriving which are not being processed which would be a good clue.
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route to 192.168.x.x Network - Not Routing?

Wed Jul 25, 2012 10:21 pm

Please find the attached PDF Visio drawing. It's stripped down to just the key elements relative. I can ping the Mikrotik's Interoffice GW IP from the 192.168.1.0/24 network as mentioned. So I have a route back to the remote 10.9.10.0/23 network. The problem is I can't ping from the 10.9.10.0/23 network to the 192.168.1.0/24 network. Again, no firewall rules, filters, acls, etc. on the Mikrotik. I have attached a config.

Thanks =)

tonyd
[admin@sedo NOC] > export 
# jul/25/2012 12:05:47 by RouterOS 5.18
# software id = HRUR-CIN5
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:DF:64:CC mtu=1500 name=\
    ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1522 mac-address=\
    00:0C:42:DF:64:CD master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1522 mac-address=\
    00:0C:42:DF:64:CE master-port=none mtu=1500 name=ether3 speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough group-ciphers="" group-key-update=5m \
    interim-update=0s management-protection=disabled management-protection-key="" mode=none name=default \
    radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=\
    none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none \
    static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key=""
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=dhcp_pool1 ranges=10.22.10.2-10.22.10.254
add name=dhcp_pool2 ranges=216.22.22.201-216.22.22.205
/ip dhcp-server
add address-pool=dhcp_pool2 authoritative=after-2sec-delay bootp-support=static disabled=no interface=ether2 lease-time=6h \
    name=dhcp1
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none stop-bits=1
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default remote-ipv6-prefix-pool=none use-compression=default \
    use-encryption=default use-ipv6=yes use-mpls=default use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default remote-ipv6-prefix-pool=none use-compression=default \
    use-encryption=yes use-ipv6=yes use-mpls=default use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 \
    red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no ignore-as-path-len=no name=default out-filter="" \
    redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=ospf-in metric-bgp=auto metric-connected=20 \
    metric-default=1 metric-other-ospf=auto metric-rip=20 metric-static=20 name=default out-filter=ospf-out \
    redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=backbone type=default
/routing ospf-v3 instance
set [ find default=yes ] disabled=no distribute-default=never metric-bgp=auto metric-connected=20 metric-default=1 \
    metric-other-ospf=auto metric-rip=20 metric-static=20 name=default redistribute-bgp=no redistribute-connected=no \
    redistribute-other-ospf=no redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing ospf-v3 area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" authentication-protocol=MD5 encryption-password="" \
    encryption-protocol=DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=:: remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
    target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy \
    skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,!ftp,!policy \
    skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=\
    default
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=\
    disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 \
    mac-address=FE:F4:3B:08:98:56 max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 \
    max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 \
    max-mru=1500 max-mtu=1500 mrru=disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=\
    300 frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no \
    streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes interface=ether1 network=192.168.88.0
add address=216.22.23.198/30 comment="mtr.noc to cr1.esedo" disabled=no interface=ether1 network=216.22.23.196
add address=216.22.22.206/29 comment="Internal NOC Network Publics" disabled=no interface=ether2 network=216.22.22.200
add address=10.9.10.1/23 comment="Private NOC Internal" disabled=no interface=ether2 network=10.9.10.0
add address=10.22.10.0/24 disabled=yes interface=ether2 network=10.22.10.0
add address=192.168.1.185/24 disabled=no interface=ether3 network=192.168.1.0
/ip dhcp-client
add add-default-route=yes default-route-distance=0 disabled=yes host-name=mr1.noc interface=ether3 use-peer-dns=yes \
    use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=10.22.10.0/24 dhcp-option="" dns-server=216.22.2.83,216.22.2.84 gateway=10.22.10.1 ntp-server="" wins-server=\
    ""
add address=216.22.22.200/29 dhcp-option="" dns-server=216.22.2.83,216.22.2.84 gateway=216.22.22.206 ntp-server="" \
    wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=""
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=src-nat chain=srcnat disabled=no src-address=10.9.10.0/23 to-addresses=216.22.23.198
add action=dst-nat chain=dstnat disabled=no dst-address=216.22.22.201 dst-port=3389 protocol=tcp to-addresses=10.9.10.7 \
    to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=216.22.22.202 dst-port=3389 protocol=tcp to-addresses=10.9.10.8 \
    to-ports=3389
add action=src-nat chain=srcnat disabled=no src-address=10.22.10.0/24 to-addresses=216.22.23.198
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=\
    8080 serialize-connections=no src-address=0.0.0.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=216.22.23.197 scope=30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=\
    30m reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no lsr-id=0.0.0.0 path-vector-limit=255 \
    transport-address=0.0.0.0 use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=5
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m gateway-selection=no-gateway origination-interval=5s \
    preferred-gateway=0.0.0.0 timeout=1m ttl=50
/routing pim
set switch-to-spt=yes switch-to-spt-bytes=0 switch-to-spt-interval=1m40s
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 \
    metric-static=1 redistribute-bgp=no redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/routing ripng
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 \
    metric-static=1 redistribute-bgp=no redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    timeout-timer=3m update-timer=30s
/snmp
set contact="Jeff Dissinger" enabled=yes engine-id="" location="eSedona NOC" trap-community=public trap-generators="" \
    trap-target="" trap-version=1
/system clock
set time-zone-name=America/Phoenix
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=-07:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system gps
set channel=0 enabled=no set-system-time=no
/system health
set fan-mode=auto use-fan=main
/system identity
set name="eSedona NOC"
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=204.235.61.9 secondary-ntp=164.107.116.179
/system ntp server
set broadcast=no broadcast-addresses="" enabled=no manycast=yes multicast=no
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=680MHz \
    enable-jumper-reset=yes enter-setup-on=any-key force-backup-booter=no silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=ether1 store-on-disk=yes
/tool mac-server
set [ find default=yes ] disabled=no interface=all
/tool mac-server mac-winbox
set [ find default=yes ] disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol="" filter-mac-address="" filter-mac-protocol=\
    "" filter-port="" filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes only-headers=no \
    streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin parent=admin password="" paypal-accept-pending=no paypal-allowed=no \
    paypal-secure-response=no permissions=owner signup-allowed=no time-zone=-00:00
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no

 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Route to 192.168.x.x Network - Not Routing?

Thu Jul 26, 2012 1:48 pm

"I use Zentyal as my internal Gateway/Firewall. Its gateway to the world is 192.168.1.55."
If the Zentyal is the gateway for the 192.168.1.x network, then I suspect the routing problem is there, not in the Mikrotik. When your computer sends the request for that ip, the request does not go to the Mikrotik. It is sent to the Zentyal.

Also, any request sent from a non-localnet ip to that network, the response will be returned to the Zentyal, not the Mikrotik, even if the request came from the Mikrotik.
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route to 192.168.x.x Network - Not Routing?

Thu Jul 26, 2012 3:58 pm

EDIT: Small typo on my diagram. The ip on eth2 of the Mikrotik is 10.9.10.1, not 10.1.10.9.


@SurferTim - But vlan 192 does not traverse the Zentyal Firewall at all. Technically, eth3 is plugged directly into the 192.168.1.0 network by means of vlan 192. And since eth3 is on the same subnet, the last hop for traffic coming from the 10.9.10.0 network would be the eth3 interface, not the Zentyal's GW address of 192.168.1.55. Once it exits the eth3 interface destined for the 192.168.1.0 network, it becomes layer 2 because it's directly connected.

I believe the problem to be at the Mikrotik shown by this traceroute from the Mikrotik eth2 10.9.10.1 network to the 192.168.1.200 (why host IP 0.0.0.0 when there is a route in the IP/Routes showing a route to the 192.168.1.0 network on interface eth3?):

Thank you =)
Screenshot.png
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Route to 192.168.x.x Network - Not Routing?

Thu Jul 26, 2012 4:22 pm

I removed the dstnat stuff here.
/ip firewall nat
add action=src-nat chain=srcnat disabled=no src-address=10.9.10.0/23 to-addresses=216.22.23.198
add action=src-nat chain=srcnat disabled=no src-address=10.22.10.0/24 to-addresses=216.22.23.198
Maybe these are doing something strange on that 192.168.1.x net?

I use a srcnat or masquerade on an out-interface only if I plan on routing those ip networks internally. I don't know if that is your problem, because I avoid that situation. This will srcnat only when the packet goes out ether1.
/ip firewall nat
add action=src-nat chain=srcnat to-addresses=216.22.23.198 out-interface=ether1
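
Added example (not part of the original post, and not MikroTik code): a simplified model of srcnat rule matching that shows which source address a packet from 10.9.10.7 to 192.168.1.200 carries when it leaves ether3 under each rule set quoted in this thread. It assumes first-match-wins evaluation and handles only the src-address, dst-address and out-interface matchers; the function names and the test address 198.51.100.10 are constructed for illustration.

```python
import ipaddress
import shlex

# Rules quoted in the thread (RouterOS export syntax).
ORIGINAL = """
add action=src-nat chain=srcnat disabled=no src-address=10.9.10.0/23 to-addresses=216.22.23.198
add action=src-nat chain=srcnat disabled=no src-address=10.22.10.0/24 to-addresses=216.22.23.198
"""
SCOPED = """
add action=src-nat chain=srcnat to-addresses=216.22.23.198 out-interface=ether1
"""
# The scoped rule followed by the rule tonyd later reported as his workaround.
WORKAROUND = SCOPED + """
add action=src-nat chain=srcnat disabled=no dst-address=192.168.1.0/24 to-addresses=192.168.1.185
"""


def parse_rules(export_text):
    """Turn 'add key=value ...' export lines into dicts, skipping disabled rules."""
    rules = []
    for line in export_text.strip().splitlines():
        words = shlex.split(line)
        if not words or words[0] != "add":
            continue
        rule = dict(word.split("=", 1) for word in words[1:] if "=" in word)
        if rule.get("disabled", "no") == "no":
            rules.append(rule)
    return rules


def _in_net(address, prefix):
    return ipaddress.ip_address(address) in ipaddress.ip_network(prefix, strict=False)


def rule_matches(rule, src, dst, out_interface):
    """A matcher that is absent from the rule places no restriction on the packet."""
    if rule.get("chain") != "srcnat":
        return False
    if "src-address" in rule and not _in_net(src, rule["src-address"]):
        return False
    if "dst-address" in rule and not _in_net(dst, rule["dst-address"]):
        return False
    if "out-interface" in rule and rule["out-interface"] != out_interface:
        return False
    return True


def source_on_wire(export_text, src, dst, out_interface):
    """Source address the packet carries after the srcnat chain (first match wins)."""
    for rule in parse_rules(export_text):
        if rule_matches(rule, src, dst, out_interface):
            return rule["to-addresses"] if rule.get("action") == "src-nat" else src
    return src


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("scoped", SCOPED), ("workaround", WORKAROUND)):
        lan = source_on_wire(rules, "10.9.10.7", "192.168.1.200", "ether3")
        wan = source_on_wire(rules, "10.9.10.7", "198.51.100.10", "ether1")
        print(f"{name:10}  to 192.168.1.200 via ether3: {lan:15}  to Internet via ether1: {wan}")
```

With the unscoped rules the 192.168.1.200 host sees the public address as the source; with the out-interface rule it sees 10.9.10.7 unchanged, so replies depend on that host's route back to the 10.9.10.0/23 network.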
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Route to 192.168.x.x Network - Not Routing?

Thu Jul 26, 2012 5:40 pm

I suggest *not* using the ping facility with set src address to debug this. Get a session on one of the workstations on the 10.9.10.0 network and run trace route from there. Why? Because traffic starting on the router itself doesn't follow exactly the same rule application sequence as traffic entering on an ether interface - could be adding confusion to a confusing situation.

This should be possible to find on a Teamviewer session if you want to try.
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route to 192.168.x.x Network - Not Routing?

Fri Jul 27, 2012 12:42 am

Still no worky...

Thanks guys

@SurferTim - Made the suggested change to the NAT config on the 10.9.10.0 network
/ip firewall nat
add action=src-nat chain=srcnat disabled=no out-interface=ether1 to-addresses=216.19.25.198
@CelticComms -

From a pc on the 10.9.10.0 network (10.9.10.7) traceroute:
C:\Users\Brandon\tracert 192.168.1.200

Tracing route to 192.168.1.200 over a maximum of 30 hops

 1     <1 ms   <1 ms   <1 ms    10.9.10.1
 2	*	*	*	Request timed out.
 3	*	*	*	Request timed out.
 4	*	*	*	Request timed out.
 5	*	*	*	Request timed out.
 6	*	*	*	Request timed out.
 7	*	*	*	Request timed out.
 8	*	*	*	Request timed out.
 9	*	*	*	Request timed out.
10	*	*	*	Request timed out.
11	*	*	*	Request timed out.
12	*	*	*	Request timed out.
13	*	*	*	Request timed out.
14	*	*	*	Request timed out.
15	*	*	*	Request timed out.
16	*	*	*	Request timed out.
17	*	*	*	Request timed out.
18	*	*	*	Request timed out.
19	*	*	*	Request timed out.
20	*	*	*	Request timed out.
21	*	*	*	Request timed out.
22	*	*	*	Request timed out.
23	*	*	*	Request timed out.
24	*	*	*	Request timed out.
25	*	*	*	Request timed out.
26	*	*	*	Request timed out.
27	*	*	*	Request timed out.
28	*	*	*	Request timed out.
29	*	*	*	Request timed out.
30	*	*	*	Request timed out.

Trace complete.
And again
tonyd@WorkStation:# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr b8:ac:6f:84:f9:b3  
          inet addr:192.168.1.200  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::baac:6fff:fe84:f9b3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21636888 errors:0 dropped:184 overruns:0 frame:0
          TX packets:16535781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:19844334142 (19.8 GB)  TX bytes:2179612699 (2.1 GB)
          Interrupt:17 

tonyd@WorkStation:# ping 10.9.10.1
PING 10.9.10.1 (10.9.10.1) 56(84) bytes of data.
64 bytes from 10.9.10.1: icmp_req=1 ttl=64 time=1.82 ms
64 bytes from 10.9.10.1: icmp_req=2 ttl=64 time=1.78 ms
64 bytes from 10.9.10.1: icmp_req=3 ttl=64 time=2.80 ms
^C
--- 10.9.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.782/2.138/2.808/0.474 ms
tonyd@WorkStation:# traceroute 10.9.10.1
traceroute to 10.9.10.1 (10.9.10.1), 30 hops max, 60 byte packets
 1  10.9.10.1 (10.9.10.1)  1.940 ms  1.994 ms  2.068 ms
tonyd@WorkStation:# 
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Route to 192.168.x.x Network - Not Routing?

Fri Jul 27, 2012 2:54 pm

Can you ping 192.168.1.185 from the 10.9.10.0 network?

What does the workstation at 192.168.1.200 show as the ARP entry for 10.9.10.1? That trace route looks odd.
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route to 192.168.x.x Network - Not Routing?

Mon Jul 30, 2012 12:04 am

I cannot ping 192.168.1.185 from the 10.9.10.0/23 Network

ARP from 192.168.1.200 host
root@WorkStation:/home/tonyd# arp 10.9.10.1
10.9.10.1 (10.9.10.1) -- no entry

root@WorkStation:/home/tonyd# arp 192.168.1.185
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.185            ether   00:0c:42:df:64:ce   C                     eth0
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route to 192.168.x.x Network - Not Routing? - SOLVED

Tue Jul 31, 2012 10:05 pm

SOLVED: But don't understand why I had to configure this way to get it to work...

I had to NAT the 192.168.1.0/24 Network

I wish to thank you for your assistance. And if you can shed some light on why I had to NAT this private to private it would be appreciated.

tonyd
add action=src-nat chain=srcnat disabled=no dst-address=192.168.1.0/24 to-addresses=192.168.1.185
 
CelticComms
Forum Guru
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Route to 192.168.x.x Network - Not Routing?

Wed Aug 01, 2012 6:31 pm

If I remember your overall system correctly I reckon this confirms that there is a routing issue - probably on the return path from 192.168.1.0/24 to the 10 network.

By NATing the traffic exiting 192.168.1.185 the return path is to 192.168.1.185 rather than directly to the 10 network.

btw - for that type of source NAT entry you can use action "Masquerade" and it will automatically use the (only) IP on that interface.
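
Added example (not part of the original post): a small longest-prefix-match model of the hosts in this thread, comparing the request path with the reply path with and without source NAT to 192.168.1.185. The routing tables are reconstructed from the outputs and statements posted above (workstation default gateway 192.168.1.55, the gateway's route to 10.9.10.0/23 via 192.168.1.185, the Mikrotik's connected routes); the node names, the PC's default gateway of 10.9.10.1 and the function names are assumptions, and the model says nothing about what each hop does with the packets it sees.

```python
import ipaddress

# (prefix, next hop); a next hop of None means the prefix is directly connected.
TABLES = {
    "pc":          [("10.9.10.0/23", None), ("0.0.0.0/0", "10.9.10.1")],
    "mikrotik":    [("10.9.10.0/23", None), ("192.168.1.0/24", None),
                    ("0.0.0.0/0", "216.22.22.197")],
    "workstation": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.55")],
    "gateway":     [("192.168.1.0/24", None), ("10.9.10.0/23", "192.168.1.185")],
}

# Which node owns which address.
OWNER = {
    "10.9.10.7": "pc",
    "10.9.10.1": "mikrotik",
    "192.168.1.185": "mikrotik",
    "192.168.1.200": "workstation",
    "192.168.1.55": "gateway",
}


def next_hop(node, dst):
    """Longest-prefix match in the node's table; returns the address to send to."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in TABLES[node]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None
    return best[1] or dst  # connected prefix: deliver straight to the destination


def path(src, dst, max_hops=8):
    """List of nodes a packet visits from the owner of src to the owner of dst."""
    node = OWNER[src]
    hops = [node]
    while OWNER.get(dst) != node and len(hops) < max_hops:
        node = OWNER.get(next_hop(node, dst))
        if node is None:  # no route, or the next hop is outside this model
            hops.append("unreachable")
            break
        hops.append(node)
    return hops


def round_trip(client, server, nat_source=None):
    """Request and reply paths; nat_source is the address the server sees, if NATed."""
    forward = path(client, server)
    reply = path(server, nat_source or client)
    if nat_source:
        # The NAT box restores the original destination and forwards the reply.
        reply += path(nat_source, client)[1:]
    return {"forward": forward, "reply": reply, "symmetric": reply == forward[::-1]}


if __name__ == "__main__":
    print("routed:", round_trip("10.9.10.7", "192.168.1.200"))
    print("NATed: ", round_trip("10.9.10.7", "192.168.1.200", nat_source="192.168.1.185"))
```

Without NAT the reply leaves the workstation through its default gateway and only then reaches the Mikrotik, so the gateway sees one direction of the flow; with NAT the reply is addressed to an on-link address and goes straight back to 192.168.1.185.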
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route to 192.168.x.x Network - Not Routing?

Wed Aug 01, 2012 7:11 pm

I hear you, but don't see where there is an issue with the return path. I can traceroute to the 10.9.10.1 network and the path is via the 192.168.1.185 interface. So the route from the 10.9.10.0 to the 192.168.1.0 and back would follow the same path.
It hits my 192.168.1.0 gateway. The gateway has a route to the 10.9.10.0 network that points to 192.168.1.185 and voilà, reaches its target.
traceroute to 10.9.10.1 (10.9.10.1), 30 hops max, 60 byte packets
1 pfsense.cor.company.net (192.168.1.55) 0.210 ms 0.206 ms 0.214 ms
2 10.9.10.1 (10.9.10.1) 9.977 ms 9.978 ms 9.974 ms

As I mentioned in my opening post, I'm new to Mikrotik, but have years of experience with Cisco, and with it, I have no problems. The situation, however, is that the Mikrotik must be used.

While I have this working, hack... I would like to understand why it's not working how it should using simple static routes.

tonyd
