I am using one mikrotik router. Two hosts connected to it.
mikrotik router point A - 192.168.12.6
mikrotik router point B - 192.168.110.3

Host 1 connected to Point A - 192.168.12.4
Host 2 connected to Point B - 192.168.110.4

have added route in Host 1 as :
ip route add 192.168.110.0/24 via 192.168.12.6

have added route in Host 2 as :
ip route add 192.168.12.0/24 via 192.168.110.3

Added the below policy in router :
ip firewall nat add chain=srcnat action=masquerade

I cant ping from host1 to host2?

pls help..

Firstly, do not masquerade between internal networks in your router. Masquerade/SrcNat is only needed for access to the public Internet, or for cases where you need to reach some network that you do not control, and it has no routing information on how to reach your actual IP addressing.

Since you control both networks, you do not need this.

Questions:
Do you have any kind of policy routing on your router? (mangle rules with action=mark-routing / or rules in the IP > Route > Rules section)
If no, then make sure that the firewall filter rules allow communication between the interfaces.
(easy check would be to add two rules to the beginning of the forward chain which simply accept all packets in-interface=PointA and another one which accepts in-interface=PointB
If your filter rules are not the problem, then make sure that interfaces (point A and point B) are not members of the same bridge / do not share a HW switch master (if you're using firmware version < 6.41)

If all of your router's interfaces are stand-alone (not bridged or switched together) then the router will forward traffic between them except where forbidden by the firewall filter rules. You've obviously set the correct routing in your test hosts. It sounds like this router is not the actual default GW router for your network in general, which means that you'd need to add special routing to every host on both sides of the router.

Hi

1. Do the two routers know about each other? Can you ping the other end from both sides from within the routers?
2. Are these the main routers on the respective networks?

Thanks for the quick response.
Expecting a fast response for this also.

Am only using one router. One mikrotik router with two interface. Two hosts are connected to it. I have specified the IP's.

Please find my reply inline:
?? Firstly, do not masquerade between internal networks in your router
My connection is like Host 1 connected to Point B of Router . Host 1 IP = 192.168.12.4 , IP of Router Point B = 192.168.12.6
Host 2 connected to Point D of Router . Host 2 IP = 192.168.110.4 , IP of Router Point D = 192.168.110.3

Previously I was not able to ping from Router point B to Host 2 . I tried the below command in router :
ping src-address=192.168.12.6 190.168.110.4
Not pingable.

After When i add the below policy in router , the ping is working ..
Added the below policy in router :
ip firewall nat add chain=srcnat action=masquerade

So that y i added the policy.

??Do you have any kind of policy routing on your router? (mangle rules with action=mark-routing / or rules in the IP > Route > Rules section)
No . Nothing

??If no, then make sure that the firewall filter rules allow communication between the interfaces.
(easy check would be to add two rules to the beginning of the forward chain which simply accept all packets in-interface=PointA and another one which accepts in-interface=PointB
If your filter rules are not the problem, then make sure that interfaces (point A and point B) are not members of the same bridge / do not share a HW switch master (if you're using firmware version < 6.41)

I will try adding policy.
Meanwhile could you please help me with the commands.
Also Please note that I have not added any bridge. Is there any need of bridging the interface ??
I have attached my connection image. Its a simple connection.
Could you please help me with the commands to forward packet inside router when i ping from host 1 to host2 .

Firstly, do not masquerade between internal networks in your router. Masquerade/SrcNat is only needed for access to the public Internet, or for cases where you need to reach some network that you do not control, and it has no routing information on how to reach your actual IP addressing.

Since you control both networks, you do not need this.

Questions:
Do you have any kind of policy routing on your router? (mangle rules with action=mark-routing / or rules in the IP > Route > Rules section)
If no, then make sure that the firewall filter rules allow communication between the interfaces.
(easy check would be to add two rules to the beginning of the forward chain which simply accept all packets in-interface=PointA and another one which accepts in-interface=PointB
If your filter rules are not the problem, then make sure that interfaces (point A and point B) are not members of the same bridge / do not share a HW switch master (if you're using firmware version < 6.41)

If all of your router's interfaces are stand-alone (not bridged or switched together) then the router will forward traffic between them except where forbidden by the firewall filter rules. You've obviously set the correct routing in your test hosts. It sounds like this router is not the actual default GW router for your network in general, which means that you'd need to add special routing to every host on both sides of the router.

I have posted the reply in the thread with the connection image. Kindly look and respond. Hoping for your earliest replies.
Thanks in advance,

Hi

1. Do the two routers know about each other? Can you ping the other end from both sides from within the routers?
2. Are these the main routers on the respective networks?

I am using only one router .
I have attached all the details with the conection image.
Please look and help me to proceed.

Delete firewall masq rule and disable firewalls on host 1 and 2. Is there an arp records in MikroTik router from these hosts? What traceroute says you?

Delete firewall masq rule and disable firewalls on host 1 and 2. Is there an arp records in MikroTik router from these hosts? What traceroute says you?

when i ping from host 1 to host 2 , in arp table of router i could see the ips of both the hosts..
when i traceroute from host1 , (traceroute 192.168.110.3 )
it is reaching only 192.168.12.6 .
Seems like packet forward is not happening inside router.

Meanwhile i will chek whether firewall is enabled in host and will disbale it if it is enabled.
Thanks for the reply.
Kindly respond with ur observations.

Delete firewall masq rule and disable firewalls on host 1 and 2. Is there an arp records in MikroTik router from these hosts? What traceroute says you?

when i ping from host 1 to host 2 , in arp table of router i could see the ips of both the hosts..
when i traceroute from host1 , (traceroute 192.168.110.3 )
it is reaching only 192.168.12.6 .
Seems like packet forward is not happening inside router.

Meanwhile i will chek whether firewall is enabled in host and will disbale it if it is enabled.
Thanks for the reply.
Kindly respond with ur observations.

Simply create the accept action for your traffic flow with forward chain and you will see, does it forwarded or not. If yes, problem on the host side. If not, problem is router firewall or first host firewall.

Delete firewall masq rule and disable firewalls on host 1 and 2. Is there an arp records in MikroTik router from these hosts? What traceroute says you?

when i ping from host 1 to host 2 , in arp table of router i could see the ips of both the hosts..
when i traceroute from host1 , (traceroute 192.168.110.3 )
it is reaching only 192.168.12.6 .
Seems like packet forward is not happening inside router.

Meanwhile i will chek whether firewall is enabled in host and will disbale it if it is enabled.
Thanks for the reply.
Kindly respond with ur observations.

Simply create the accept action for your traffic flow with forward chain and you will see, does it forwarded or not. If yes, problem on the host side. If not, problem is router firewall or first host firewall.

Please correct me if am wrong with the commands:
ip firewall filter add chain=forward action=accept in-interface=ether1
ip firewall filter add chain=forward action=accept in-interface=ether2
(ether1 and ether2 are the two interfaces of the Router)
I have added this . still not working.

Thanks for the reply.
Kindly respond with ur observations.

Delete firewall masq rule and disable firewalls on host 1 and 2. Is there an arp records in MikroTik router from these hosts? What traceroute says you?

when i ping from host 1 to host 2 , in arp table of router i could see the ips of both the hosts..
when i traceroute from host1 , (traceroute 192.168.110.3 )
it is reaching only 192.168.12.6 .
Seems like packet forward is not happening inside router.

Meanwhile i will chek whether firewall is enabled in host and will disbale it if it is enabled.
Thanks for the reply.
Kindly respond with ur observations.

Simply create the accept action for your traffic flow with forward chain and you will see, does it forwarded or not. If yes, problem on the host side. If not, problem is router firewall or first host firewall.

Please correct me if am wrong with the commands:
ip firewall filter add chain=forward action=accept in-interface=ether1
ip firewall filter add chain=forward action=accept in-interface=ether2
(ether1 and ether2 are the two interfaces of the Router)
I have added this . still not working.

Thanks for the reply.
Kindly respond with ur observations.

Don't select the interfaces, assign only source and destination IP. There must be only one rule.

Delete firewall masq rule and disable firewalls on host 1 and 2. Is there an arp records in MikroTik router from these hosts? What traceroute says you?

when i ping from host 1 to host 2 , in arp table of router i could see the ips of both the hosts..
when i traceroute from host1 , (traceroute 192.168.110.3 )
it is reaching only 192.168.12.6 .
Seems like packet forward is not happening inside router.

Meanwhile i will chek whether firewall is enabled in host and will disbale it if it is enabled.
Thanks for the reply.
Kindly respond with ur observations.

Simply create the accept action for your traffic flow with forward chain and you will see, does it forwarded or not. If yes, problem on the host side. If not, problem is router firewall or first host firewall.

Please correct me if am wrong with the commands:
ip firewall filter add chain=forward action=accept in-interface=ether1
ip firewall filter add chain=forward action=accept in-interface=ether2
(ether1 and ether2 are the two interfaces of the Router)
I have added this . still not working.

Thanks for the reply.
Kindly respond with ur observations.

Don't select the interfaces, assign only source and destination IP. There must be only one rule.

Thanks for the response.
So if am right , what you are saying is to add firewall policy only , right?
ip firewall filter add chain=forward action=accept src-address=192.168.12.6 dst-address=192.168.110.3
ip firewall filter add chain=forward action=accept src-address=192.168.110.3 dst-address=192.168.12.6

Is this fair?

when i ping from host 1 to host 2 , in arp table of router i could see the ips of both the hosts..
when i traceroute from host1 , (traceroute 192.168.110.3 )
it is reaching only 192.168.12.6 .
Seems like packet forward is not happening inside router.

Meanwhile i will chek whether firewall is enabled in host and will disbale it if it is enabled.
Thanks for the reply.
Kindly respond with ur observations.

Simply create the accept action for your traffic flow with forward chain and you will see, does it forwarded or not. If yes, problem on the host side. If not, problem is router firewall or first host firewall.

Please correct me if am wrong with the commands:
ip firewall filter add chain=forward action=accept in-interface=ether1
ip firewall filter add chain=forward action=accept in-interface=ether2
(ether1 and ether2 are the two interfaces of the Router)
I have added this . still not working.

Thanks for the reply.
Kindly respond with ur observations.

Don't select the interfaces, assign only source and destination IP. There must be only one rule.

Thanks for the response.
So if am right , what you are saying is to add firewall policy only , right?
ip firewall filter add chain=forward action=accept src-address=192.168.12.6 dst-address=192.168.110.3
ip firewall filter add chain=forward action=accept src-address=192.168.110.3 dst-address=192.168.12.6

Is this fair?

Yes, with these rules you can matching traffic in both directions.

Simply create the accept action for your traffic flow with forward chain and you will see, does it forwarded or not. If yes, problem on the host side. If not, problem is router firewall or first host firewall.

Please correct me if am wrong with the commands:
ip firewall filter add chain=forward action=accept in-interface=ether1
ip firewall filter add chain=forward action=accept in-interface=ether2
(ether1 and ether2 are the two interfaces of the Router)
I have added this . still not working.

Thanks for the reply.
Kindly respond with ur observations.

Don't select the interfaces, assign only source and destination IP. There must be only one rule.

Thanks for the response.
So if am right , what you are saying is to add firewall policy only , right?
ip firewall filter add chain=forward action=accept src-address=192.168.12.6 dst-address=192.168.110.3
ip firewall filter add chain=forward action=accept src-address=192.168.110.3 dst-address=192.168.12.6

Is this fair?

Yes, with these rules you can matching traffic in both directions.

I added the same firewall rule in the router.
Still i cant ping from host 1 to host2 .

Please correct me if am wrong with the commands:
ip firewall filter add chain=forward action=accept in-interface=ether1
ip firewall filter add chain=forward action=accept in-interface=ether2
(ether1 and ether2 are the two interfaces of the Router)
I have added this . still not working.

Thanks for the reply.
Kindly respond with ur observations.

Don't select the interfaces, assign only source and destination IP. There must be only one rule.

Thanks for the response.
So if am right , what you are saying is to add firewall policy only , right?
ip firewall filter add chain=forward action=accept src-address=192.168.12.6 dst-address=192.168.110.3
ip firewall filter add chain=forward action=accept src-address=192.168.110.3 dst-address=192.168.12.6

Is this fair?

Yes, with these rules you can matching traffic in both directions.

I added the same firewall rule in the router.
Still i cant ping from host 1 to host2 .

On which rule counters are ticking?

Don't select the interfaces, assign only source and destination IP. There must be only one rule.

Thanks for the response.
So if am right , what you are saying is to add firewall policy only , right?
ip firewall filter add chain=forward action=accept src-address=192.168.12.6 dst-address=192.168.110.3
ip firewall filter add chain=forward action=accept src-address=192.168.110.3 dst-address=192.168.12.6

Is this fair?

Yes, with these rules you can matching traffic in both directions.

I added the same firewall rule in the router.
Still i cant ping from host 1 to host2 .

On which rule counters are ticking?

when i ping from host1 to host2 and viceversa , i could see like both the counters in host1 and host 2 are incrementing.
Seems like packet inflow is happening but partially.
Still some missing is there.

So, answer is obvious. Some software blocks icmp requests or replies. Turn off your firewalls and so on o pc 1 and 2.

(Please look at the image attached for better understanding)
I Pinged from host1 to host2, ie from point A to point C.
I captured the packet at Point B(ie, router point 1) , I could see the source ip of Host1 and host2 there..
where as in the packet capture of pointD , i could see the ip of host2 and point D only.
What may be the problem , now??

So, answer is obvious. Some software blocks icmp requests or replies. Turn off your firewalls and so on o pc 1 and 2.

Could you please help me with the commands to forward packet between the router interfaces ..??

Thanks in advance,

So, answer is obvious. Some software blocks icmp requests or replies. Turn off your firewalls and so on o pc 1 and 2.

Could you please help me with the commands to forward packet between the router interfaces ..??

Thanks in advance,

The packets are forwarded. Point D drop it for some reason I do not know.

So, answer is obvious. Some software blocks icmp requests or replies. Turn off your firewalls and so on o pc 1 and 2.

Could you please help me with the commands to forward packet between the router interfaces ..??

Thanks in advance,

The packets are forwarded. Point D drop it for some reason I do not know.

Thanks for the response . One doubt.
When a packet reaches point B , it should be forwarded to point D.
For that i need to add route as below:
ip route add dst-address=192.168.110.0/24 src-address=192.168.12.6 gateway=192.168.110.3
ip route add dst-address=192.168.12.0/24 src-address=192.168.110.3 gateway=192.168.12.6

when am adding these , the gateway shows as unreachable.

What may be the reason. What can be done.

So, answer is obvious. Some software blocks icmp requests or replies. Turn off your firewalls and so on o pc 1 and 2.

Could you please help me with the commands to forward packet between the router interfaces ..??

Thanks in advance,

The packets are forwarded. Point D drop it for some reason I do not know.

Thanks for the response . One doubt.
When a packet reaches point B , it should be forwarded to point D.
For that i need to add route as below:
ip route add dst-address=192.168.110.0/24 src-address=192.168.12.6 gateway=192.168.110.3
ip route add dst-address=192.168.12.0/24 src-address=192.168.110.3 gateway=192.168.12.6

when am adding these , the gateway shows as unreachable.

What may be the reason. What can be done.

Did you even looked in routing table? IP - Routes - Routing List

Connected networks do not need routes, they are already known because they are on router. Write extra routes needs for networks which are not on your router only.

So, answer is obvious. Some software blocks icmp requests or replies. Turn off your firewalls and so on o pc 1 and 2.

Could you please help me with the commands to forward packet between the router interfaces ..??

Thanks in advance,

The packets are forwarded. Point D drop it for some reason I do not know.

Thanks for the response . One doubt.
When a packet reaches point B , it should be forwarded to point D.
For that i need to add route as below:
ip route add dst-address=192.168.110.0/24 src-address=192.168.12.6 gateway=192.168.110.3
ip route add dst-address=192.168.12.0/24 src-address=192.168.110.3 gateway=192.168.12.6

when am adding these , the gateway shows as unreachable.

What may be the reason. What can be done.

Did you even looked in routing table? IP - Routes - Routing List

Connected networks do not need routes, they are already known because they are on router. Write extra routes needs for networks which are not on your router only.

Thanks for the reply.
When I ping D from Host1 , I could see incoming packets on ether 1 .
ie , I pinged from Host 1 to PointD , i took the packet sniffer tool on ether 1 , in the source address filed i could see both the address of Host1 and PointD . But the ping is not successfull.