fjabakhanji
just joined
Topic Author
Posts: 16
Joined: Fri Jan 31, 2014 9:43 pm

Static Route problem

Fri Jul 08, 2016 5:45 pm

I have two networks, 192.168.1.x (Gateway: 192.168.1.1 - RouterOS) and 192.168.21.x (Gateway: 192.168.21.1 - Cyberoam). I need to make them available to each other. They are physically apart. I set up a WiFi link and put a RouterOS in between. I set up the RouterOS (in between) to route traffic. I assigned IP addresses to the in-between RouterOS: 192.168.1.5 and 192.168.21.3. Then, I set up a static route on the Cyberoam to route 192.168.1.x traffic thru 192.168.21.3, and did the same thing on the 192.168.1.1 RouterOS. When I traceroute on the 192.168.21.x network to 192.168.1.x, it reaches 192.168.21.3 and gets lost (does not continue). However, when I traceroute on the 192.168.1.1 network to 192.168.21.x, the route does not reach 192.168.1.5 and instead it goes out to the internet thru 192.168.1.1.
The gateway 192.168.1.1 RouterOS is working to combine three WANs (failover - one of them is a USB 3G adaptor) and three LAN networks. It also works as a DHCP server.

Any suggestions why the gateway RouterOS 192.168.1.1 does not route properly to 192.168.21.x?

BR

Fawaz
 
noib
Member Candidate
Posts: 291
Joined: Fri Jan 25, 2013 6:04 pm
Location: France

Re: Static Route problem

Fri Jul 08, 2016 5:50 pm

You have multiple WANs on 192.168.1.1. If you are using firewall marking (like PCC), have you checked to NOT mark packets going to 192.168.21.x? If they are marked by the load balancer, they will be routed via one of your WANs, and that is exactly what you are describing.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Static Route problem

Fri Jul 08, 2016 6:13 pm

The easiest fix is using a route rule:

/ip route rule add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main
 
fjabakhanji
just joined
Topic Author
Posts: 16
Joined: Fri Jan 31, 2014 9:43 pm

Re: Static Route problem

Thu Jul 21, 2016 10:53 pm

> You have multiple WANs on 192.168.1.1. If you are using firewall marking (like PCC), have you checked to NOT mark packets going to 192.168.21.x? If they are marked by the load balancer, they will be routed via one of your WANs, and that is exactly what you are describing.

Thanks for your reply. Actually, I was away for some time, so sorry for not getting back to you.
In fact, I don't have routing mark rules for the network 192.168.21.x. But I have done the routing for the LAN network to the corresponding WAN route via routing mark rules.
I also disabled all mark rules and the failover so that all LANs are routed thru the same WAN, but this time the trace stopped at the gateway.
Actually, one more detail is that I don't use PPPoE. However, I route the traffic to the corresponding WAN router, and the WAN interface of the MikroTik is a DHCP client.
Any other suggestions?
Thanks
 
fjabakhanji
just joined
Topic Author
Posts: 16
Joined: Fri Jan 31, 2014 9:43 pm

Re: Static Route problem

Thu Jul 21, 2016 10:55 pm

> The easiest fix is using a route rule:
>
> /ip route rule add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main

Thanks for your reply. Actually, I did that also but it did not work.
Please let me know if you have another idea to try.
BR
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Static Route problem

Thu Jul 21, 2016 11:24 pm

With the route rules in place, make sure that your firewall filter rules in the forward chain allow such communications.
 
fjabakhanji
just joined
Topic Author
Posts: 16
Joined: Fri Jan 31, 2014 9:43 pm

Re: Static Route problem

Thu Aug 18, 2016 1:22 pm

> With the route rules in place, make sure that your firewall filter rules in the forward chain allow such communications.

Thanks for your help.

Actually, after testing and troubleshooting, it seems that I am doing routes in a wrong way.
Every route I have added is set to 0.0.0.0/0 in the destination address. I guess this overrides other routes, including those for private addresses.

I guess I need to exclude the ranges of other routes when I set up the private IP routes. That's why it doesn't route to 192.168.21.0/24 in my case.

I also tried to exclude the private IP address routes in the WAN route, or even assign a range of IPs in the destination address of the route, but it did not accept it.

For example, 0.0.0.0/0 includes all IP addresses.
I need to exclude 192.168.21.0/24
Then, instead of 0.0.0.0/0 in the destination address, I need to enter the ranges:
0.0.0.0 – 192.167.255.255 & 192.169.0.0 – 255.255.255.255 either in one route or two.

Am I right with my conclusion?
How can I do it?

Thanks a lot.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Static Route problem

Thu Aug 18, 2016 11:20 pm

The first rule of routing is the most specific route wins.

So, if you have three routes which match a destination:
0.0.0.0/0 -> ether1
192.168.0.0/16 -> ether2
192.168.3.12/32 -> pppoe14

Packets for 192.168.3.13 will go to ether2, but packets for 192.168.3.12 will go to pppoe14
Packets for 193.168.1.1 will go to ether1 (default GW)

Now - with policy routing, there is one more thing to consider - the route must also have the same routing mark as the packet.
Let's say that the first two routes above are in the main routing table, and the third (/32) route is in a routing table called "special"
If a packet comes along for 192.168.3.12 and it does NOT have a routing mark, then this packet will go to ether2, which is the most specific matching route in the main routing table.
If a packet comes along for 192.168.3.12 and it has "special" as a routing mark, then it will go to pppoe14.

What the IP route rules do (in my previous example) is instruct the router to ignore routing marks whenever the destination IP is within certain ranges.
All that does is ignore routing marks. It does not override the general rule of routing: most specific route wins.
So if you have 0.0.0.0/0 -> ether1 and 192.168.14.0/24 -> ether3, then this is the "exception" behavior that you're looking for. You don't need to (and in fact should not) break the 0.0.0.0/0 route up into chunks.
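
The lookup behaviour described in the post above, as an added example (a simplified model, not RouterOS code and not part of the original post). It uses the post's example routes plus a constructed model of the thread's problem; the names `wan1`, `wan2` and `to_WAN2` are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    dst: str             # destination prefix
    gateway: str         # next hop or outgoing interface
    table: str = "main"  # routing table (routing mark) the route belongs to

def best_route(routes, table, dst_ip):
    """Most specific (longest-prefix) route for dst_ip within one table."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes
               if r.table == table and ip in ipaddress.ip_network(r.dst)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.dst).prefixlen,
               default=None)

def lookup(routes, rules, dst_ip, routing_mark=None):
    """Return the gateway chosen for a packet, or None if unroutable.

    rules is an ordered list of (dst_prefix, table) pairs modelling
    'action=lookup-only-in-table': the first match pins the lookup to
    that table, whatever routing mark the packet carries.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule_dst, table in rules:
        if ip in ipaddress.ip_network(rule_dst):
            route = best_route(routes, table, dst_ip)
            return route.gateway if route else None
    # No rule matched: try the table named by the routing mark, then main.
    tables = ([routing_mark] if routing_mark else []) + ["main"]
    for table in tables:
        route = best_route(routes, table, dst_ip)
        if route:
            return route.gateway
    return None

# The post's example: two routes in main, the /32 in table "special".
EXAMPLE = [Route("0.0.0.0/0", "ether1"), Route("192.168.0.0/16", "ether2"),
           Route("192.168.3.12/32", "pppoe14", "special")]

# Constructed model of the thread's problem; gateway and table names assumed.
SITE = [Route("0.0.0.0/0", "wan1"), Route("192.168.21.0/24", "192.168.1.5"),
        Route("0.0.0.0/0", "wan2", "to_WAN2")]
RULE = [("192.168.0.0/16", "main")]

if __name__ == "__main__":
    print(lookup(EXAMPLE, [], "192.168.3.12"))             # unmarked packet
    print(lookup(EXAMPLE, [], "192.168.3.12", "special"))  # marked packet
    print(lookup(SITE, [], "192.168.21.10", "to_WAN2"))    # leaves via a WAN
    print(lookup(SITE, RULE, "192.168.21.10", "to_WAN2"))  # stays internal
```

Without the rule, a marked packet for 192.168.21.10 matches the default route in the marked table and leaves through a WAN link; with the rule, the lookup is pinned to main, where the /24 route wins.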
 
fjabakhanji
just joined
Topic Author
Posts: 16
Joined: Fri Jan 31, 2014 9:43 pm

Re: Static Route problem

Sat Sep 03, 2016 5:39 pm

Thanks a lot for your detailed explanation.

Actually, I understood more about routing.

I did the necessary amendments (although we did before) and tested the scenario with respect to the Routing Mark rules. However, there is still something wrong.

In order to understand our routing table better, I attached a screenshot.

Please, let me know if you need more details.

Thanks in advance.

BR
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Static Route problem

Sat Sep 03, 2016 7:10 pm

Do you have any routing rules installed too? If so, post them here.
Instead of a screenshot, though, do an export and paste them into your reply in a code block.

/ip route rule export compact

e.g.:

/ip route rule
add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main

Again, I think your table is way more complicated than it needs to be.
If you only include my one example routing rule from this post, then that should fix everything for you.

The idea is simple - you only want to use policy routing for traffic that is going out to the Internet (0.0.0.0/0 routes) - anything specific to your internal network doesn't need policy - it just needs to go where it should. Therefore, this one routing rule will instruct the router to ignore policy for all 192.168.x.x addresses, and get that behavior.
 
zainamjed90
just joined
Posts: 9
Joined: Mon Aug 02, 2021 12:41 pm

Re: Static Route problem

Sun Sep 05, 2021 1:04 pm

Currently I am facing the same issue. I have multiple sites on which I have done static routing with the MikroTik router, but when I do the PBR for 2 WANs, the far end cannot reach 172.13.2.1/24 and 172.13.3.1/24; the only accessible IP series is 172.13.1.1/24. If PBR works then static routing stops; if static routing works, PBR stops working.

# sep/05/2021 14:56:04 by RouterOS 6.48.4

/interface ethernet
set [ find default-name=ether1 ] comment="Nayatel WAN" l2mtu=1596 \
    mac-address=48:8F:5A:A3:EA:2F
set [ find default-name=ether2 ] comment=LAN l2mtu=1596 mac-address=\
    48:8F:5A:A3:EA:30
set [ find default-name=ether3 ] comment="Nayatel CIR" l2mtu=1596 \
    mac-address=48:8F:5A:A3:EA:31
set [ find default-name=ether4 ] l2mtu=1596 mac-address=48:8F:5A:A3:EA:32
set [ find default-name=ether5 ] l2mtu=1596 mac-address=48:8F:5A:A3:EA:33
set [ find default-name=ether6 ] comment="NEXLINK DATA LINK HO"
set [ find default-name=ether7 ] comment="NEXLINK DATA LINK FIEDMIC"
set [ find default-name=ether8 ] comment="Wireless Air Fiber"
set [ find default-name=ether10 ] comment="FIEDMIC TOWER"
/interface vlan
add interface=ether8 name="GATWALA Data Link" vlan-id=90
add interface=ether6 name="Headoffice to Server Room Nexlink" vlan-id=50
add interface=ether8 name="OILMILL Data Link" vlan-id=80
add interface=ether7 name="SERVER ROOM TO FIEDMIC" vlan-id=40
add interface=ether8 name="SERVER ROOM TO HO" vlan-id=30
/interface ethernet switch port
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=test
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/system logging action
set 1 disk-file-name=flash/log
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=WAN
/ip address
add address=103.55.X.X comment="NAYATEL CIR" interface=ether3 network=\
    103.55.X.X
add address=203.X.X.X comment="SERVER ROOM PC" interface=ether3 \
    network=203.X.X.X
add address=203.X.X.X interface=ether3 network=203.99.X.X
add address=203.X.X.X interface=ether3 network=203.99.X.X
add address=192.169.10.10/30 comment="FIEDMIC WIRELESS LINK" interface=\
    ether10 network=192.169.10.8
add address=192.169.10.13/30 comment="WIRELESS LINK HEADOFFICE" interface=\
    "SERVER ROOM TO HO" network=192.169.10.12
add address=203.X.X.X/29 comment="MIKROTIK ACCESS" interface=ether3 \
    network=203.X.X.X
add address=172.13.1.1/16 comment="SERVER ROOM LAN" interface=ether2 network=\
    172.13.0.0
add address=192.167.10.10/30 comment="data link nexlink to fiedmic" \
    interface="SERVER ROOM TO FIEDMIC" network=192.167.10.8
add address=192.166.10.13/30 comment="Gatwala Data Link" interface=\
    "GATWALA Data Link" network=192.166.10.12
add address=192.161.10.13/30 comment="Oil Mill Data Link" interface=\
    "OILMILL Data Link" network=192.161.10.12
add address=192.167.10.13/30 comment="DATA LINK NEXLINK TO HO" interface=\
    "Headoffice to Server Room Nexlink" network=192.167.10.12
add address=172.30.1.10/30 interface=ether1 network=172.30.1.8
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=172.13.22.11 list="Shared Users"
add address=172.13.3.1 list="Shared Users"
add address=172.13.3.4 list=CIR-Users
add address=172.13.3.2 list=CIR-Users
add address=172.13.3.5 list=CIR-Users
add address=172.13.4.1 list=CIR-Users
add address=172.13.4.2 list="Shared Users"
add address=172.13.2.4 list="Shared Users"
add address=172.13.2.1 list="Shared Users"
add address=172.13.2.2 list="Shared Users"
add address=172.13.2.3 list="Shared Users"
add address=172.13.2.5 list="Shared Users"
/ip firewall filter
add action=accept chain=input dst-port=8219 in-interface=ether3 protocol=tcp
add action=accept chain=input dst-port=81 in-interface=ether3 port="" \
    protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting dst-address=172.12.0.0/16
add action=accept chain=prerouting dst-address=172.13.0.0/16
add action=accept chain=prerouting dst-address=172.14.0.0/16
add action=accept chain=prerouting dst-address=172.15.0.0/16
add action=accept chain=prerouting dst-address=172.16.0.0/16
add action=mark-connection chain=input in-interface=ether1 \
    new-connection-mark=Shared-Nayatel passthrough=yes
add action=mark-connection chain=input in-interface=ether3 \
    new-connection-mark=CIR-Nayatel passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CIR-Nayatel \
    in-interface=ether2 new-routing-mark=TO_CIR-Nayatel passthrough=yes \
    src-address-list=CIR-Users
add action=mark-routing chain=prerouting connection-mark=Shared-Nayatel \
    in-interface=ether2 new-routing-mark=TO_Shared-Nayatel passthrough=yes \
    src-address-list="Shared Users"
add action=mark-routing chain=output connection-mark=CIR-Nayatel \
    new-routing-mark=TO_CIR-Nayatel passthrough=yes
add action=mark-routing chain=output connection-mark=Shared-Nayatel \
    new-routing-mark=TO_Shared-Nayatel passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.13.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether3
add action=src-nat chain=srcnat disabled=yes src-address=172.13.3.2 \
    to-addresses=203.X.X.X
add action=src-nat chain=srcnat disabled=yes src-address=172.13.3.12 \
    to-addresses=203.X.X.X
add action=src-nat chain=srcnat disabled=yes log=yes src-address=172.13.4.1 \
    to-addresses=203.X.X.X
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=3389 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=3389
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=8100 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=8100
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=1433 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=1433
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=44503 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=44053
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=3389 \
    protocol=tcp to-addresses=172.13.3.12 to-ports=3389
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=3389 \
    protocol=tcp to-addresses=172.13.4.1 to-ports=3389
add action=dst-nat chain=dstnat dst-address=203.X.X.X dst-port=40000 \
    protocol=tcp to-addresses=172.13.3.2 to-ports=40000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes ports=5060,5061,1720,2493
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=103.X.X.X routing-mark=TO_CIR-Nayatel
add distance=1 gateway=172.30.1.9 routing-mark=TO_Shared-Nayatel
add check-gateway=ping distance=1 gateway=103.X.X.X
add check-gateway=ping distance=2 gateway=172.30.1.9
add comment=Fiedmic distance=30 dst-address=172.12.0.0/16 gateway=\
    192.169.10.9
add comment="Fiedmic PC" disabled=yes distance=30 dst-address=172.12.2.0/24 \
    gateway=192.169.10.9
add comment="Fiedmic IP Phones" disabled=yes distance=30 dst-address=\
    172.12.5.0/24 gateway=192.169.10.9
add comment="Fiedmic Camera " disabled=yes distance=30 dst-address=\
    172.12.6.0/24 gateway=192.169.10.9
add comment="FIEDMIC Attedence Machine" disabled=yes distance=30 dst-address=\
    172.12.9.0/24 gateway=192.169.10.9
add distance=30 dst-address=172.14.1.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.2.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.4.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.5.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.6.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.9.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.14.10.0/24 gateway=192.169.10.14
add distance=30 dst-address=172.15.0.0/16 gateway=192.169.10.14
add check-gateway=ping distance=30 dst-address=172.16.0.0/16 gateway=\
    192.166.10.14
add distance=30 dst-address=192.161.10.12/30 gateway="OILMILL Data Link" \
    scope=10
add distance=30 dst-address=192.167.10.8/30 gateway="SERVER ROOM TO FIEDMIC" \
    scope=10
add distance=30 dst-address=192.167.10.12/30 gateway=\
    "Headoffice to Server Room Nexlink" scope=10
add distance=30 dst-address=192.169.10.8/30 gateway=ether10 scope=10
add distance=30 dst-address=192.169.10.12/30 gateway="SERVER ROOM TO HO" \
    scope=10
/ip route rule
add action=lookup-only-in-table dst-address=172.12.0.0/16 table=main
add action=lookup-only-in-table dst-address=172.15.0.0/16 table=main
add action=lookup-only-in-table dst-address=172.16.0.0/16 table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=81
set ssh disabled=yes
set api disabled=yes
set winbox port=8219
set api-ssl disabled=yes
/ip traffic-flow
set cache-entries=64k enabled=yes
/system clock
set time-zone-name=Asia/Karachi
/system identity
set name="Server ROOM Internet "
