mickeylm
newbie
Topic Author
Posts: 32
Joined: Sun Dec 23, 2012 7:28 pm
Location: Germany

Reaching only one PC in other subnet

Sun Dec 30, 2012 11:50 pm

This is my configuration:
RB750
------ether1 => WAN 198.168.1.2
------ether2 => LAN(1) 198.168.149.1
------ether3 => LAN(2) 10.10.10.1

LAN(1) on ether2 getting internet via ether1.
LAN(2) on ether3 getting internet via ether1.
LAN(1) on ether2 and LAN(2) on ether3 can't reach each other.

But I want only one PC on LAN(1) (ether2) to be able to reach one PC on LAN(2) (ether3).
The IP 192.168.149.112 should reach the IP 10.10.10.5.

What do I have to do here to get this working?

Thanks a lot for help, best regards, Mike.
 
mixig
Member
Posts: 315
Joined: Thu Oct 27, 2011 2:19 pm

Re: Reaching only one PC in other subnet

Mon Dec 31, 2012 11:57 am

LAN1 and LAN2 don't have communication with each other (I assume the firewall is blocking that traffic); add these rules before the rule that is blocking LAN1 and LAN2:

/ip firewall filter
add action=accept chain=forward comment="" disabled=no dst-address=10.10.10.5 src-address=192.168.149.112
add action=accept chain=forward comment="" disabled=no dst-address=192.168.149.112 src-address=10.10.10.5
 
mickeylm
newbie
Topic Author
Posts: 32
Joined: Sun Dec 23, 2012 7:28 pm
Location: Germany

Re: Reaching only one PC in other subnet

Mon Dec 31, 2012 3:31 pm

I'm very sorry,
but unfortunately this doesn't work for me.
Maybe there is a problem with a missing route?
Is there any other solution to reach the IP 10.10.10.5 from 192.168.149.112?
At least I need access to the WLAN AP on port 80 to administer the AP via its web interface.
Thanks, and best regards, Mike.
 
jager
Trainer
Posts: 295
Joined: Mon Oct 31, 2005 2:44 am
Location: Germany

Re: Reaching only one PC in other subnet

Mon Dec 31, 2012 3:49 pm

Make sure that the default gateway for the device with IP 192.168.149.112 is 198.168.149.1 and that the gateway for device using IP 10.10.10.5 is 10.10.10.1.
 
mickeylm
newbie
Topic Author
Posts: 32
Joined: Sun Dec 23, 2012 7:28 pm
Location: Germany

Re: Reaching only one PC in other subnet

Mon Dec 31, 2012 4:00 pm

Yes, these devices are configured with the gateway as you mentioned,
but it doesn't work with the forward-filter described above.
Thanks, and best regards Mike.
 
jager
Trainer
Posts: 295
Joined: Mon Oct 31, 2005 2:44 am
Location: Germany

Re: Reaching only one PC in other subnet

Mon Dec 31, 2012 4:52 pm

Can you please execute /ip firewall nat export and post the result here? I think you have misconfigured the masquerade.
 
mickeylm
newbie
Topic Author
Posts: 32
Joined: Sun Dec 23, 2012 7:28 pm
Location: Germany

Re: Reaching only one PC in other subnet

Mon Dec 31, 2012 5:40 pm

Here is my export of ip firewall nat:

add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes \
to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=\
ether1-WAN-gateway
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=\
10.10.10.0/24
add action=dst-nat chain=dstnat comment=VPN-Forwarding disabled=no dst-address=192.168.1.2 protocol=\
gre to-addresses=192.168.149.100
add action=dst-nat chain=dstnat comment=VPN-Forwarding disabled=no dst-address=192.168.1.2 dst-port=\
1723 protocol=tcp to-addresses=192.168.149.100
add action=src-nat chain=srcnat disabled=yes protocol=gre src-address=192.168.149.1 to-addresses=\
192.168.1.15
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=192.168.149.1 to-addresses=\
192.168.1.15 to-ports=0-65535
add action=masquerade chain=srcnat disabled=no src-address=192.168.10.0/24
add action=dst-nat chain=dstnat comment=FTP-Forwarding disabled=no dst-address=192.168.1.2 dst-port=21 \
protocol=tcp to-addresses=192.168.149.112
add action=dst-nat chain=dstnat comment=HTTP-Forwarding disabled=no dst-address=192.168.1.2 dst-port=\
80 protocol=tcp to-addresses=192.168.149.112
add action=dst-nat chain=dstnat comment=HTTPS-Forwarding disabled=no dst-address=192.168.1.2 dst-port=\
443 protocol=tcp to-addresses=192.168.149.112
add action=dst-nat chain=dstnat comment=HTTP-to-Squid-Proxy-Forwarding disabled=yes dst-address=\
192.168.1.2 dst-port=80 protocol=tcp to-addresses=192.168.149.112 to-ports=3128
 
jager
Trainer
Posts: 295
Joined: Mon Oct 31, 2005 2:44 am
Location: Germany

Re: Reaching only one PC in other subnet

Mon Dec 31, 2012 6:36 pm

Instead of masquerading everything, set it by source IP address! This may help :)
 
mickeylm
newbie
Topic Author
Posts: 32
Joined: Sun Dec 23, 2012 7:28 pm
Location: Germany

Re: Reaching only one PC in other subnet

Mon Dec 31, 2012 6:53 pm

I'm afraid I don't know what you mean exactly.
Could you please explain exactly what I have to do here?
Thanks, and best regards, Mike.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Reaching only one PC in other subnet

Tue Jan 01, 2013 7:29 pm

If clients on those 2 LANs have their default gateway set to the Mikrotik device, then by default the Mikrotik would be able to route traffic between the two LANs. The NAT tables are interesting but not sufficient information, so please upload the output from /export compact so that we can see all the relevant entries.
 
mickeylm
newbie
Topic Author
Posts: 32
Joined: Sun Dec 23, 2012 7:28 pm
Location: Germany

Re: Reaching only one PC in other subnet

Tue Jan 01, 2013 9:16 pm

Ok, here is the output you want ...:

/interface ethernet
set 0 name=ether1-WAN-gateway speed=1Gbps
set 1 disabled=yes name=ether2-master-local
set 2 name=ether3-WLAN-hotspot speed=1Gbps
set 3 arp=proxy-arp name=ether4-LAN-office speed=1Gbps
set 4 disabled=yes name=ether5-LAN-dmz speed=1Gbps
/interface pptp-server
add disabled=yes name=pptp-server user=admin
/ip hotspot profile
set [ find default=yes ] login-by=http-chap
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dmz-dhcp ranges=192.168.2.10-192.168.2.254
add name=hotspot-dhcp ranges=10.10.10.11-10.10.10.254
add name=PPTP-dhcp ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=ether2-master-local name=default
add address-pool=dmz-dhcp disabled=no interface=ether5-LAN-dmz name=dmz-server
add address-pool=hotspot-dhcp disabled=no interface=ether3-WLAN-hotspot lease-time=1h name=\
hotspot-server
/ip hotspot
add address-pool=hotspot-dhcp disabled=no interface=ether3-WLAN-hotspot name=hotspot1
/ppp profile
set 0 dns-server=192.168.149.100 wins-server=192.168.149.100
add dns-server=192.168.149.100 local-address=PPTP-dhcp name="Profile 256k" remote-address=PPTP-dhcp \
wins-server=102.168.149.100
/interface pppoe-server server
add authentication=chap,mschap1,mschap2 default-profile="Profile 256k" interface=ether1-WAN-gateway \
service-name=PPTP
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes interface=ether2-master-local
add address=192.168.2.1/24 comment="dmz address" interface=ether5-LAN-dmz
add address=192.168.149.1/24 comment="office address" interface=ether4-LAN-office
add address=10.10.10.1/24 comment="hotspot network" interface=ether3-WLAN-hotspot
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-WAN-gateway
/ip dhcp-server network
add address=10.10.10.0/24 comment="hotspot network" gateway=10.10.10.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=\
192.168.88.1
add address=192.168.149.0/24 dns-server=192.168.149.1 gateway=192.168.149.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=forward comment="Forward to WLAN-AP" disabled=yes dst-address=10.10.10.5 src-address=\
192.168.149.112
add chain=forward comment="Forward to WLAN-AP" disabled=yes dst-address=192.168.149.112 src-address=\
10.10.10.5
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="VPN configuration" dst-port=1723 protocol=tcp
add chain=input comment="VPN configuration" protocol=gre
add action=drop chain=input comment="default configuration" in-interface=ether1-WAN-gateway
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes \
to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-WAN-gateway
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.10.10.0/24
add action=dst-nat chain=dstnat comment=VPN-Forwarding dst-address=192.168.1.2 protocol=gre \
to-addresses=192.168.149.100
add action=dst-nat chain=dstnat comment=VPN-Forwarding dst-address=192.168.1.2 dst-port=1723 protocol=\
tcp to-addresses=192.168.149.100
add action=src-nat chain=srcnat disabled=yes protocol=gre src-address=192.168.149.1 to-addresses=\
192.168.1.15
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=192.168.149.1 to-addresses=\
192.168.1.15 to-ports=0-65535
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=dst-nat chain=dstnat comment=FTP-Forwarding dst-address=192.168.1.2 dst-port=21 protocol=\
tcp to-addresses=192.168.149.112
add action=dst-nat chain=dstnat comment=HTTP-Forwarding dst-address=192.168.1.2 dst-port=80 protocol=\
tcp to-addresses=192.168.149.112
add action=dst-nat chain=dstnat comment=HTTPS-Forwarding dst-address=192.168.1.2 dst-port=443 \
protocol=tcp to-addresses=192.168.149.112
add action=dst-nat chain=dstnat comment=HTTP-to-Squid-Proxy-Forwarding disabled=yes dst-address=\
192.168.1.2 dst-port=80 protocol=tcp to-addresses=192.168.149.112 to-ports=3128
/ip hotspot user
add name=master password=master
/ip neighbor discovery
set ether1-WAN-gateway disabled=yes
set ether2-master-local disabled=no
set ether5-LAN-dmz disabled=no
/ppp secret
add disabled=yes local-address=192.168.149.11 name=User1 password=********** remote-address=\
192.168.149.12
add disabled=yes local-address=192.168.149.13 name=User2 password=********** remote-address=\
192.168.149.14
add disabled=yes local-address=192.168.149.15 name=User3 password=********** remote-address=\
192.168.149.16
/system logging
add action=disk disabled=yes prefix=fwl topics=!firewall
add action=disk prefix=hotspot topics=!hotspot
/tool mac-server
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-WLAN-hotspot
add disabled=no interface=ether4-LAN-office
add disabled=no interface=ether5-LAN-dmz
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-WLAN-hotspot
add interface=ether4-LAN-office
add interface=ether5-LAN-dmz
/tool sniffer
set filter-direction=any interface=ether1-WAN-gateway


I hope this helps to find a working solution.
Thanks and best regards, Mike.
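
An added example, not part of the thread and not MikroTik's own code: a small Python replay of how RouterOS walks a firewall chain, fed with the rule lines posted above. It covers two points made in the thread: mixig's advice that the accept rules have to sit before whatever rule blocks LAN1/LAN2 (RouterOS applies the first matching rule in a chain), and CelticComms' reading that the posted export has no effective forward rules (the two "Forward to WLAN-AP" rules are disabled=yes, so the forward chain accepts by default). The inter-LAN drop rule, the packet descriptions and the sample rule text are constructed here for illustration; only the matchers actually used in the thread (src/dst address, protocol, in/out interface) are modelled.

```python
"""
First-match replay of RouterOS firewall rules as they appear in /export.

RouterOS walks a chain top to bottom and applies the first rule that matches;
a chain in which nothing matches accepts. This parses 'add ...' lines (with
the backslash continuations /export emits) and replays that walk for a packet.
"""
import ipaddress
import shlex

# Constructed sample: the forward-chain lines from the posted /export compact.
POSTED_FILTER_EXPORT = r'''
add chain=forward comment="Forward to WLAN-AP" disabled=yes dst-address=10.10.10.5 src-address=\
192.168.149.112
add chain=forward comment="Forward to WLAN-AP" disabled=yes dst-address=192.168.149.112 src-address=\
10.10.10.5
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
'''
# Constructed sample: the three masquerade lines from the posted NAT export.
POSTED_NAT_EXPORT = r'''
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-WAN-gateway
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.10.10.0/24
add action=masquerade chain=srcnat src-address=192.168.10.0/24
'''
# Hypothetical inter-LAN drop (assumed, NOT in the posted export), used only to
# show why the two accept rules must be placed before a blocking rule.
HYPOTHETICAL_DROP = ('add action=drop chain=forward comment="block LAN1<->LAN2" '
                     'src-address=192.168.149.0/24 dst-address=10.10.10.0/24')
ENABLED_ACCEPTS = '''add chain=forward dst-address=10.10.10.5 src-address=192.168.149.112
add chain=forward dst-address=192.168.149.112 src-address=10.10.10.5'''

# The two directions of the traffic discussed in the thread (constructed).
OFFICE_TO_AP = {"src": "192.168.149.112", "dst": "10.10.10.5", "protocol": "tcp",
                "in_interface": "ether4-LAN-office", "out_interface": "ether3-WLAN-hotspot"}
AP_TO_OFFICE = {"src": "10.10.10.5", "dst": "192.168.149.112", "protocol": "tcp",
                "in_interface": "ether3-WLAN-hotspot", "out_interface": "ether4-LAN-office"}

# Only these matchers are modelled; a rule using any other matcher raises
# instead of silently over-matching.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "to-addresses", "to-ports"}
MATCHERS = {"src-address", "dst-address", "protocol", "in-interface", "out-interface"}


def parse_export(text):
    """Join backslash-continued lines and turn each 'add ...' line into a dict."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {"action": "accept", "disabled": "no"}   # RouterOS defaults
        for token in shlex.split(line[4:]):             # handles comment="..."
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _addr_matches(spec, addr):
    """spec is a host or CIDR network; an absent spec matches anything."""
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, chain, packet):
    """Return the first enabled rule in `chain` that matches `packet`, or None."""
    for rule in rules:
        if rule.get("chain") != chain or rule["disabled"] == "yes":
            continue
        unknown = set(rule) - NON_MATCHERS - MATCHERS
        if unknown:
            raise NotImplementedError(f"matcher(s) not modelled: {sorted(unknown)}")
        if (_addr_matches(rule.get("src-address"), packet["src"])
                and _addr_matches(rule.get("dst-address"), packet["dst"])
                and rule.get("protocol", packet.get("protocol")) == packet.get("protocol")
                and rule.get("in-interface", packet.get("in_interface")) == packet.get("in_interface")
                and rule.get("out-interface", packet.get("out_interface")) == packet.get("out_interface")):
            return rule
    return None


def verdict(rules, chain, packet):
    """Action of the first matching rule; RouterOS accepts when nothing matches."""
    rule = first_match(rules, chain, packet)
    return rule["action"] if rule else "accept"


def demo():
    """Replay the thread's situations: rule order in forward, and which srcnat rule fires."""
    nat = parse_export(POSTED_NAT_EXPORT)
    return {
        # As posted: both accept rules are disabled and nothing in forward drops.
        "as_posted": verdict(parse_export(POSTED_FILTER_EXPORT), "forward", OFFICE_TO_AP),
        # Accepts placed before the hypothetical drop: traffic passes.
        "accept_before_drop": verdict(parse_export(ENABLED_ACCEPTS + "\n" + HYPOTHETICAL_DROP),
                                      "forward", OFFICE_TO_AP),
        # Same rules with the drop first: the accepts are never reached.
        "accept_after_drop": verdict(parse_export(HYPOTHETICAL_DROP + "\n" + ENABLED_ACCEPTS),
                                     "forward", OFFICE_TO_AP),
        # A connection the office PC opens to the AP matches no srcnat rule at all.
        "srcnat_office_to_ap": first_match(nat, "srcnat", OFFICE_TO_AP),
        # A connection the AP opens to the office hits the interface-less hotspot
        # masquerade, so its source becomes the router's office-side address.
        "srcnat_ap_to_office": first_match(nat, "srcnat", AP_TO_OFFICE)["comment"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats when reading the result: the replay only sees the static rules that /export prints, while a configured hotspot adds dynamic hs-* chains that /export does not list, so an "accept" here does not rule out a drop on the hotspot side; and the srcnat replay shows why CelticComms asked about the "masquerade hotspot network" rule, which has no out-interface and therefore rewrites anything from 10.10.10.0/24 towards any interface, not just the WAN.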
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Reaching only one PC in other subnet

Tue Jan 01, 2013 10:45 pm

It looks as if you have no effective forwarding filters, which would mean that all forwarding is allowed. Hopefully there is a firewall between ether1 and the internet; otherwise you may want to establish forwarding rules!

If barred routing is not the problem then perhaps the various masquerade / NAT rules are causing issues. There are some rules which look suspiciously odd.

Can you try a trace route from 192.168.149.112 to both 10.10.10.5 and 10.10.10.1 and post the output(s).
 
mickeylm
newbie
Topic Author
Posts: 32
Joined: Sun Dec 23, 2012 7:28 pm
Location: Germany

Re: Reaching only one PC in other subnet

Tue Jan 01, 2013 11:50 pm

Yes, there is a firewall between ether1 and internet, and it is enabled.

Here are the output(s) and results of my trace route:

C:>tracert 10.10.10.5

Tracing route to 10.10.10.5 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.149.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.

C:>tracert 10.10.10.1

Tracing route to 10.10.10.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.10.10.1

Trace complete.


Thanks and best regards, Mike.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Reaching only one PC in other subnet

Wed Jan 02, 2013 12:36 am

What is the intent of this rule - and does the ping to 10.10.10.5 work if you disable the rule?
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.10.10.0/24
 
mickeylm
newbie
Topic Author
Posts: 32
Joined: Sun Dec 23, 2012 7:28 pm
Location: Germany

Re: Reaching only one PC in other subnet

Wed Jan 02, 2013 1:12 am

After disabling the rule "masquerade hotspot network", a ping to 10.10.10.5 failed too.
This rule was created fully automatically while creating the "hotspot".
I have no idea what this rule is supposed to do :o
Thanks and best regards, Mike.
 
mickeylm
newbie
Topic Author
Posts: 32
Joined: Sun Dec 23, 2012 7:28 pm
Location: Germany

Re: Reaching only one PC in other subnet

Thu Jan 03, 2013 1:17 pm

Does anybody have a goal-oriented idea?
Best regards, Mike.
