Hello!

I'm facing a problem and can't find a solution on the web.
I have a Mikrotik hap ac with latest firmware and updates. I configured seven networks (10.1.1.0/24 - 10.1.7.0/24), five of them access internet over VPN, two of them over eth1 and everything works fine. But there's one thing..
I can access all router's webinterfaces (10.1.1.1 - 10.1.7.1) from any network, but i can't ping them. I can't even ping e.g. router 10.1.1.1 from 10.1.1.0/24 network and so on. But i can access the webinterface, I can even access the webinterface of e.g. router 10.1.2.1 from 10.1.1.0/24 and so on.
I have a Raspberry Pi Owncloud-Server on 10.1.7.2 and can't access it via LAN - I can access it in 10.1.7.0/24 network only.
How is it possible that I can access all router's webinterfaces only but can't ping them and even can't access own devices in LAN? Is it because i use VPN on 10.1.1.0/24 and 10.1.7.0/24?
I tried traceroute but it never finishes. I tried ping 10.1.7.2 from the router with my Bridge interface from 10.1.1.0/24 network, but 100% loss. When i ping from router without a specific interface it's 0% loss.

Next thing is - but I think the reason of the problem is the same - I can't access the Owncloud-Server over internet as well.
The Cloud-Server listens on 10.1.7.2:80 and :443. I use the public IP of the router and forward port 4600 to 10.1.7.2:80 (4700 to 10.1.7.2:443).
Log:
dstnat: in:Bridge out:(unknown 0), src-mac ***, proto TCP (SYN), 10.1.1.195:46968->*public-router-ip*:4600, len 60

It seems the router doesn't know it's subnetworks, but all LAN devices get an IP from the router's DHCP servers. This seems just so weird to me..

Does anyone know what's the problem? I would really appreciate any tips! If you need logs of specific things please tell me.
Thanks!

RouterOS gives you many options how to make great things and also how to break something. Since you seem to have more than just basic config, without showing it, it could be endless guessing game. So I'd suggest to run "/export hide-sensitive" in Terminal and post the output.

RouterOS gives you many options how to make great things and also how to break something. Since you seem to have more than just basic config, without showing it, it could be endless guessing game. So I'd suggest to run "/export hide-sensitive" in Terminal and post the output.

Yes, it is a great device but I had to learn all these things on my own. I think that's why it's not working
Thanks for your offer! Here is the output and sorry for the names^^

[deleted sensitive info]

Those names are maybe a little distracting, but interesting.

I can explain why routing between LANs doesn't work. If you mark routing for packet, router will look where to send it only in given routing table, and yours have only default route and nothing for LANs. You can fix it with this: To connect to server using public address, read about hairpin NAT.

One thing I'm not sure about is ping. You don't block it with firewall, and I don't see anything else.

Those names are maybe a little distracting, but interesting.

I can explain why routing between LANs doesn't work. If you mark routing for packet, router will look where to send it only in given routing table, and yours have only default route and nothing for LANs. You can fix it with this:

Code: Select all

/ip route rule
add action=lookup-only-in-table dst-address=10.1.1.0/24 table=main
add action=lookup-only-in-table dst-address=10.1.2.0/24 table=main
...

To connect to server using public address, read about hairpin NAT.

One thing I'm not sure about is ping. You don't block it with firewall, and I don't see anything else.

oooooomg thank you sooooooooo much DDDDDDDDD The routing between LANs is working now and even the ping problem is solved, thank you!
I will look Hairpin NAT up, thanks for that hint!

Those names are maybe a little distracting, but interesting.

I can explain why routing between LANs doesn't work. If you mark routing for packet, router will look where to send it only in given routing table, and yours have only default route and nothing for LANs. You can fix it with this:

Code: Select all

/ip route rule
add action=lookup-only-in-table dst-address=10.1.1.0/24 table=main
add action=lookup-only-in-table dst-address=10.1.2.0/24 table=main
...

To connect to server using public address, read about hairpin NAT.

One thing I'm not sure about is ping. You don't block it with firewall, and I don't see anything else.

Just wanted to say, I already had the dstNAT rules enabled, but i didn't know that it's called Hairpin NAT. So external access is working too I spent the whole weekend trying to figure this out and now everything works like a charm, thank you so much

Added srcnat rule is the main hairpin NAT part. But I had another look and you don't need it when connecting to 10.1.7.2 using public address from 10.1.1.x, because that's two different networks and it works by default. But you'd need if if connecting from same 10.1.7.0/24 where the server is.

Btw, you know that you have no isolation between LANs, right? Not now and not before, at least not intentionally, not counting the routing mistake. Maybe you don't mind, just saying..

Added srcnat rule is the main hairpin NAT part. But I had another look and you don't need it when connecting to 10.1.7.2 using public address from 10.1.1.x, because that's two different networks and it works by default. But you'd need if if connecting from same 10.1.7.0/24 where the server is.

Btw, you know that you have no isolation between LANs, right? Not now and not before, at least not intentionally, not counting the routing mistake. Maybe you don't mind, just saying..

I just realised that it's not working on 10.1.7.0/24, so I'm already reading about Hairpin NAT^^

Do you mean firewall rules that block access between LANs e.g. 10.1.1.0/24 to 10.1.2.0/24? I made those rules but cut them out on my config because it looked confusing.

I mean that you have seven LANs and any of them can access anything in other six. It's not necessarily wrong, a "cosmetic" separation might be ok for you, depends on your requirements.