Community discussions

MikroTik App
 
mndeto
just joined
Topic Author
Posts: 1
Joined: Sat Sep 03, 2016 1:47 pm

ICMP Blocked in LAN

Sat Sep 03, 2016 5:50 pm

Hey

I recently configured a Mikrotik RB951Ui-2HND on my network. I use a Load Balancing Router to aggregate my links the i pass the link to a 172.16.0.0 network which serves as a WAN link for the Mikrotik which serves as the gateway for my 10.0.0.0/16 Network. I am able to ping all hosts on the 172.16.0.0 network but i cannot get any host on the 172.16.0.0 network to ping a host on the 10.0.0.0 network. II can only ping the gateway 10.0.0.1. I have checked my firewall rules and the only rule there is the masquerade for the WAN. what could be blocking the pings to the 10.0.0.0 network hosts.

I figured it must have somthing to do with the router since i can ping its gateway. Please help
 
pe1chl
Forum Guru
Forum Guru
Posts: 7176
Joined: Mon Jun 08, 2015 12:09 pm

Re: ICMP Blocked in LAN

Sat Sep 03, 2016 6:50 pm

When you want to do pure routing and want it to work both ways you must remove the masquerade
entry. It is for NAT routers, which of course work only one way (as NAT routers always do).
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1226
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: ICMP Blocked in LAN

Sat Sep 03, 2016 10:03 pm

Do your host on the 172.16.0.0 network have proper routes installed, telling them to reach the 10.0.0.0 network via a certain 172.16.0.x IP ?
Enable proxy ARP on your MT wan interface?
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: ICMP Blocked in LAN

Fri Sep 09, 2016 4:59 pm

This sounds like the filter rules > forward chain is your problem.
Or else it's a policy routing issue.

Filters:
10.0.0.1 is reached via the input chain since it's one of the router's IP addresses, and that's why that one address works.
Traffic from 172.16.x.x for the rest of 10.0.x.x will go through the FORWARD chain instead.

The default firewall configuration in Mikrotik basically allows LAN -> WAN but denies all others - when you add a second LAN network, the firewall probably doesn't know that this is also a LAN.
In general, whatever rule allows 10.0.x.x to go out should either...
a) be duplicated and also allow 172.16.x.x
b) if it matches using the src IP addresses, then modify the rule to use an address-list and put 10.0.0.0/16 and 172.16.0.0/16 in your address list.
c) if it matches using the in-interface, then modify it to use in-interface-list and put the two LAN interfaces into an address list (call the list "LAN-interfaces" or something obvious like that)
I like option C the best because you can change IP address ranges w/o needing to modify your firewall anymore, and if you add/move/change which interfaces are "lan" interfaces, then you just add/remove/change them in the interface list.

If it's policy-routing related, then you need to make sure that 10.0.0.0/16 and 172.16.0.0/16 are exempted from policy routing:
/ip route rule add action=lookup-only-in-table table=main dst-address=10.0.0.0/16
/ip route rule add action=lookup-only-in-table table=main dst-address=172.16.0.0/16
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
MATU
just joined
Posts: 13
Joined: Thu Apr 03, 2014 11:01 am

Re: ICMP Blocked in LAN

Fri Oct 30, 2020 5:55 am

This sounds like the filter rules > forward chain is your problem.
Or else it's a policy routing issue.

Filters:
10.0.0.1 is reached via the input chain since it's one of the router's IP addresses, and that's why that one address works.
Traffic from 172.16.x.x for the rest of 10.0.x.x will go through the FORWARD chain instead.

The default firewall configuration in Mikrotik basically allows LAN -> WAN but denies all others - when you add a second LAN network, the firewall probably doesn't know that this is also a LAN.
In general, whatever rule allows 10.0.x.x to go out should either...
a) be duplicated and also allow 172.16.x.x
b) if it matches using the src IP addresses, then modify the rule to use an address-list and put 10.0.0.0/16 and 172.16.0.0/16 in your address list.
c) if it matches using the in-interface, then modify it to use in-interface-list and put the two LAN interfaces into an address list (call the list "LAN-interfaces" or something obvious like that)
I like option C the best because you can change IP address ranges w/o needing to modify your firewall anymore, and if you add/move/change which interfaces are "lan" interfaces, then you just add/remove/change them in the interface list.

If it's policy-routing related, then you need to make sure that 10.0.0.0/16 and 172.16.0.0/16 are exempted from policy routing:
/ip route rule add action=lookup-only-in-table table=main dst-address=10.0.0.0/16
/ip route rule add action=lookup-only-in-table table=main dst-address=172.16.0.0/16
Boss!!
Works for me after suffering for so long!

Who is online

Users browsing this forum: No registered users and 22 guests