Community discussions

MikroTik App
 
karadvlpr
just joined
Topic Author
Posts: 2
Joined: Wed Sep 11, 2024 12:38 pm

Not Access with Static Route [PLEASE HELP]

Thu Sep 12, 2024 3:38 pm

Hi,
I have small business. You can see the basic topology at below. ISP put the these mikrotik to connect two site each other.

Image

I can access to FWA from FWB but can't access to FWB from FWA. I'm sharing each route table, pings and traceroutes at below.
Everything seems right to me except MikrotikB 192.168.1.1 pref-source. Is it necessary. What Should I do?

Mikrotik A:
Image
-
Image

MikrotikB:
Image
-
Image
 
jaclaz
Forum Guru
Forum Guru
Posts: 1621
Joined: Tue Oct 03, 2023 4:21 pm

Re: Not Access with Static Route [PLEASE HELP]  [SOLVED]

Thu Sep 12, 2024 4:36 pm

I think you inverted the screenshots or inverted the scheme/drawing addresses.

One router has 1 static route and two Dynamic/Automatic one:
AS 0.0.0.0/0 gateway=172.16.0.1 <- this sets the interface with ip address 172.16.0.1 as the gateway for ALL outbound traffic
DAC172.16.0.0/30 gateway=? <- this is automatically generated because of a /30 link between 172.16.0.1 and 172.16.0.2.
DAC 192.168.1.0/24 gateway=bridge <- this is automatically generated for all the /24 subnet connected to the bridge.

When you try pinging 192.168.88.2 on this the route used is the 0.0.0.0/0 one, and goes through 172.16.0.1.
This means that these routes belong to "Mikrotik B" ( the router that is NOT directly connected to the Public IP) and that to the bridge of this device it is connected the Firewall with address 192.168.1.2

The other router has 5 routes, which I cannot really understand, maybe you exaggerated when anonymizing them, anyway the one taken is clearly the
AS 192.168.1.0/24 gateway=172.16.0.2

So, the "outer" interface of the "Mikrotik B" (the router that is NOT directly connected to the Public IP) 172.16.0.2 is reached fine, but this router does not forward the packet to its bridge interface and thus cannot reach 192.168.1.2.

It seems like the issue is not with routes, but rather with firewall settings and/or interface list categorization of the interfaces.

Possibly on the Mikrotik A (the one connected to the Public IP) the sfp is connected to the internet and categorized as WAN, while both the bridge and the interface with address 172.16.0.1 are categorized as LAN, so the firewall rules allow incoming traffic on 172.16.0.1 to reach the bridge with address 192.168.88.1 and then the Firewall with address 192.168.88.2.
On the other one MikrotikB (the one NOT connected directly to the Public IP) the interface with address 172.16.0.2 is categorized as WAN and the bridge with address 192.168.0.1 is LAN, so the default or "normal" firewall rules will prevent incoming traffic through 172.16.0.2 to reach the bridge.

But there could be other reasons, no real way to know without the full configuration of both devices, you should follow the instructions in this post:
viewtopic.php?t=203686#p1051720
and post them.
 
karadvlpr
just joined
Topic Author
Posts: 2
Joined: Wed Sep 11, 2024 12:38 pm

Re: Not Access with Static Route [PLEASE HELP]

Fri Sep 13, 2024 12:18 pm

Thank you jaclaz. I checked and saw firewall filters after your informations.
There is the config which drop all connections incoming from WAN interface.
;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
I created a rule against that to allow my ipsec and ping packets. :D
I think you inverted the screenshots or inverted the scheme/drawing addresses.

One router has 1 static route and two Dynamic/Automatic one:
AS 0.0.0.0/0 gateway=172.16.0.1 <- this sets the interface with ip address 172.16.0.1 as the gateway for ALL outbound traffic
DAC172.16.0.0/30 gateway=? <- this is automatically generated because of a /30 link between 172.16.0.1 and 172.16.0.2.
DAC 192.168.1.0/24 gateway=bridge <- this is automatically generated for all the /24 subnet connected to the bridge.

When you try pinging 192.168.88.2 on this the route used is the 0.0.0.0/0 one, and goes through 172.16.0.1.
This means that these routes belong to "Mikrotik B" ( the router that is NOT directly connected to the Public IP) and that to the bridge of this device it is connected the Firewall with address 192.168.1.2

The other router has 5 routes, which I cannot really understand, maybe you exaggerated when anonymizing them, anyway the one taken is clearly the
AS 192.168.1.0/24 gateway=172.16.0.2

So, the "outer" interface of the "Mikrotik B" (the router that is NOT directly connected to the Public IP) 172.16.0.2 is reached fine, but this router does not forward the packet to its bridge interface and thus cannot reach 192.168.1.2.

It seems like the issue is not with routes, but rather with firewall settings and/or interface list categorization of the interfaces.

Possibly on the Mikrotik A (the one connected to the Public IP) the sfp is connected to the internet and categorized as WAN, while both the bridge and the interface with address 172.16.0.1 are categorized as LAN, so the firewall rules allow incoming traffic on 172.16.0.1 to reach the bridge with address 192.168.88.1 and then the Firewall with address 192.168.88.2.
On the other one MikrotikB (the one NOT connected directly to the Public IP) the interface with address 172.16.0.2 is categorized as WAN and the bridge with address 192.168.0.1 is LAN, so the default or "normal" firewall rules will prevent incoming traffic through 172.16.0.2 to reach the bridge.

But there could be other reasons, no real way to know without the full configuration of both devices, you should follow the instructions in this post:
viewtopic.php?t=203686#p1051720
and post them.

Who is online

Users browsing this forum: No registered users and 6 guests