mtnewtimer
just joined
Topic Author
Posts: 5
Joined: Thu Jan 10, 2019 9:46 pm

Connecting another router to my MT

Thu Jan 10, 2019 9:51 pm

Hey Guys

I've got a routing problem that has been perplexing me for months, wonder if anyone can help. I am a relative MT newbie.

About my MT and network environment:

- RB2011L
- Running 6.43 (Stable)
- Eth 9 is LAN with networks 192.168.1.0 - 192.168.6.0
- Eth6 is WAN to ISP
- Eth1 has a non-external but routable IP of xxx.xxx.xxx.233/29 and is ethernet connected to an ASUS RT87U wireless router (see below)

The purpose of the RT87U is it does OVPN with a VPN service over UDP.

- The RT87U has a static WAN address of xxx.xxx.xxx.234 (incremental to the above) and does NAT for the 192.168.7.0 network. Note the xxx.xxx.xxx.233 address on eth1 on the MT serves as the Gateway for the ASUS router.

The problem:

Pinging the 192.168.1.0 network from a client that is connected to the ASUS router i.e. (192.168.7.xxx), works without issue due to static routing on the ASUS router and a firewall rule on the MT allowing the xxx.xxx.xxx.234 address into my MT LAN.

However, Pinging from the 192.168.1.0 network to any client on the ASUS Router does not work

Things I have tried:

- Obviously a static route entry in my MT:
a) xxx.xxx.xxx.232/29 GW:Eth1 pref source xxx.xxx.xxx.233
b) 192.168.7.0/24 GW:Eth1 no pref source

Pings I have tried to narrow down the problem:

- MT can ping xxx.xxx.xxx.234 (ASUS Router WAN Side)
- MT Cannot Ping xxx.xxx.xxx.233 eth1 port or gateway for Asus router
- MT can ping 192.168.7.0

Client on 192.168.1.0:

- Can Ping xxx.xxx.xxx.233 which is the MT eth1
- Cannot ping xxx.xxx.xxx.234
- Cannot ping 192.168.7.1

All firewalls have been disabled on the ASUS router


I hope this makes sense and would really appreciate any help

Thanks
 
bramwittendorp
Frequent Visitor
Posts: 95
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: Connecting another router to my MT

Fri Jan 11, 2019 8:48 pm

Are you sure the traffic isn't being blocked by the MikroTik? Maybe you could post the output of your firewall config here? (/ip firewall export).

Another issue I can think of is NAT, where traffic isn't being forwarded to the correct host.

Maybe perform a traceroute as well, to identify where traffic flow stops?
Bram - MikroTik enthusiast - MTCNA / MTCRE / MTCWE / MTCIPv6E
Don't be shy, share your /export hide-sensitive and make sure to read this.
 
sebastia
Forum Guru
Posts: 1282
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Connecting another router to my MT

Fri Jan 11, 2019 9:12 pm

Hey

Few questions:
* "MT allowing the xxx.xxx.xxx.234 address into my MT LAN": does the asus do nat for traffic to Lan?
* "MT Cannot Ping xxx.xxx.xxx.233 eth1 port or gateway for Asus router": that's pinging itself, no?
 
mtnewtimer
just joined
Topic Author
Posts: 5
Joined: Thu Jan 10, 2019 9:46 pm

Re: Connecting another router to my MT

Sat Jan 12, 2019 11:54 am

Thanks guys

I am away for the weekend and will be back with my routers on Monday however to answer your questions:

- yes the Asus is doing NAT for its traffic to LAN. When I get back I’ll try to disable

- the MT can ping xxx.xxx.xxx.234 which is the WAN address of the asus, but cannot ping itself xxx.xxx.xxx.233 (eth1).

Thanks all
 
sebastia
Forum Guru
Posts: 1282
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Connecting another router to my MT

Sat Jan 12, 2019 1:51 pm

hey

Theoretically it should be doable, but not sure what's possible configuration-wise on Asus. MT can do "anything"

* Asus needs to know how to reach 192.168.1 & 192.168.6
This means additional route entries for both networks pointing to ip of MT (xxx.xxx.xxx.233)
you need to disable NAT for these destination networks

* MT needs to know how to reach 192.168.7
this means additional route entry pointing to ip of Asus (xxx.xxx.xxx.234)
you need to disable NAT for this destination network if applicable

* adjust firewall rules on both
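
The MikroTik side of the steps listed above, written out as RouterOS v6 commands. This is an added example, not part of the original post or the poster's configuration; 198.51.100.233 and 198.51.100.234 are placeholders for the redacted xxx.xxx.xxx.233 and xxx.xxx.xxx.234, and the /24 mask on 192.168.1.0 and the interface name ether1 are assumptions.

```routeros
# Added example. Placeholders: 198.51.100.233 = MT ether1, 198.51.100.234 = Asus WAN.
# Repeat the 192.168.1.0/24 lines for each further LAN subnet that needs access.

# 1. Route to the Asus LAN. The gateway is the Asus WAN address (a next-hop IP),
#    not the interface name: on Ethernet the router must ARP for a next hop.
/ip route add dst-address=192.168.7.0/24 gateway=198.51.100.234 \
    comment="Asus LAN via Asus WAN IP"

# 2. Exempt LAN-to-Asus-LAN traffic from source NAT ("if applicable").
#    After adding, move this rule above any masquerade rule in the srcnat chain.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
    dst-address=192.168.7.0/24 action=accept comment="no NAT towards Asus LAN"

# 3. Forward filter rules scoped to the two subnets rather than a blanket allow.
#    New rules are appended, so move them above any drop rule in the forward chain.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="return traffic"
/ip firewall filter add chain=forward src-address=192.168.1.0/24 \
    dst-address=192.168.7.0/24 out-interface=ether1 action=accept \
    comment="LAN to Asus LAN"
/ip firewall filter add chain=forward src-address=192.168.7.0/24 \
    dst-address=192.168.1.0/24 in-interface=ether1 action=accept \
    comment="Asus LAN to LAN"

# 4. Check that the route is active and see where the path stops.
/ip route print where dst-address=192.168.7.0/24
/tool traceroute 192.168.7.1
```

The Asus side still needs its own routes back to the MikroTik and a NAT exemption for these destinations; whether its firmware exposes that is not established in the thread.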
 
mtnewtimer
just joined
Topic Author
Posts: 5
Joined: Thu Jan 10, 2019 9:46 pm

Re: Connecting another router to my MT

Sat Jan 12, 2019 3:55 pm

Thank you, I have a feeling that disabling NAT on the Asus will work and I will confirm possibly tomorrow. Having said that, if I disable NAT on the Asus this means I will have to allocate each client a “public” IP from my 233/29 range, correct?

If so I don’t have many, is there a way round this?
 
mkx
Forum Guru
Posts: 1812
Joined: Thu Mar 03, 2016 10:23 pm

Re: Connecting another router to my MT

Sat Jan 12, 2019 5:38 pm

What you need to do on Asus largely depends on what's between MT and Asus. If there's lots of routers that might have their own idea about what to do with passing packets, then you have to create a tunnel between Asus and MT. If the connection between Asus and MT is really transparent, then simply routing should do, no need for NATing anything on Asus.

The bottom line is this: if a device (i.e. Asus) performs NAT for whole subnet (i.e. it's not 1:1 NAT), then it is not possible to connect individual hosts in that subnet directly (i.e. using their "real" addresses), the only possibility is to establish port-forwarding.
BR,
Metod
 
sebastia
Forum Guru
Posts: 1282
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Connecting another router to my MT

Sat Jan 12, 2019 11:38 pm

Hence my "but not sure what's possible configuration-wise on Asus". Best solution would be if you could disable NAT if destination network is .1. or .6., and otherwise do nat.
 
mtnewtimer
just joined
Topic Author
Posts: 5
Joined: Thu Jan 10, 2019 9:46 pm

Re: Connecting another router to my MT

Tue Jan 15, 2019 1:52 pm

Thank you guys, I am back now. I've disabled NAT on the Asus and I would have thought that it should force me to give a different DHCP range rather than 192.168.7.0 but it didn't.

Just to confirm and a silly question I know, but if I am disabling NAT then I have to allocate routable "external IPs" correct? Which in my case would be xxx.xxx.xxx.235 - 238
