PedroC
just joined
Topic Author
Posts: 6
Joined: Wed Sep 14, 2022 2:01 pm

Ping network from other networks

Wed Sep 14, 2022 7:53 pm

I have the following network:

Router Teltonika 4G (192.168.16.1) < Internet > Router Teltonika 4G (192.168.20.1) < ethernet > Router Mikrotik (192.168.180.1)

I successfully connected both Teltonikas by an IPsec VPN. I can ping network 16 from network 20 and vice versa. I can also ping networks 16 and 20 from network 180. However, I can't ping network 180 from networks 16 and 20. I talked with a technician and he said this is related to the firewall, so I should disable or enable some rules. I still don't have success. Is the firewall related to my problem? Or do I need to create new routes? Also, should the Mikrotik be connected to IPsec?

Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ping network from other networks

Wed Sep 14, 2022 10:53 pm

Even if your issue is caused by a firewall, you should add some "accept" firewall rules rather than disabling some "drop" ones. Stay away from any further advice from that "technician" if IT security is your concern.

Having said that, it depends on how the "IPsec" tunnel between the Teltonika devices is set up and what the rest of the configuration of all three routers looks like. If bare IPsec, with traffic selectors, is configured, it may only accept packets between the .16. and .20. networks, and the Mikrotik router may src-nat the traffic from the .180. network to its own address in .20. But when a packet for .180. arrives at the .16. Teltonika, that router may not know that it should send the packet down the IPsec tunnel (a policy or a route may be missing), or the firewall on that Teltonika may not permit connections to .180. to be initiated from elsewhere, or the firewall on the .20. Teltonika may block this, or the firewall on the Mikrotik may be the reason...

In other words, post the configurations of all three devices if you want useful advice. Do not use screenshots, at least for the Mikrotik; see my automatic signature below on how to obtain a configuration export in textual form. Screenshots carry a much smaller amount of information per pixel, cannot be searched, etc. I'm not familiar with the OpenWRT version running on Teltonika, but even there you should find everything in textual form in /etc/config, so you can post those files, of course with any usernames, passwords, and public IPs obfuscated before posting.
 
PedroC
just joined
Topic Author
Posts: 6
Joined: Wed Sep 14, 2022 2:01 pm

Re: Ping network from other networks

Thu Sep 15, 2022 11:57 am

Thank you for your help. Attached is the Mikrotik .rsc file.
 
PedroC
just joined
Topic Author
Posts: 6
Joined: Wed Sep 14, 2022 2:01 pm

Re: Ping network from other networks

Thu Sep 15, 2022 7:26 pm

I have other news: I'm able to ping the 180 network gateway (180.1) from network 20 but can't ping the devices inside the 180 network. However, I can ping networks 20 and 16 from one of the devices in network 180. Anyway, I'm also experiencing "Destination host unreachable" when I ping network 180 from network 16.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ping network from other networks

Thu Sep 15, 2022 8:39 pm

> I'm able to ping 180 network gateway (180.1) from network 20
This indicates that the .20. has a route to .180. via the address in .20. that it assigns to the Mikrotik's DHCP client attached to ether1.

> but can't ping the devices inside 180 network.
This, together with the above, suggests that the firewall filter on the Mikrotik itself accepts pings to the Mikrotik's own IP addresses (chain input):
action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
but doesn't accept ping requests to devices behind the Mikrotik (chain forward). This is normal in the default SOHO configuration, where incoming requests received at the WAN are not expected to be forwarded to the LAN side.

So the next step is to explain what the final topology and setup should be. We can either convert the Mikrotik into a regular "LAN-only" router that is not directly connected to the internet and plays no firewalling role, i.e. firewalling is provided by the Teltonika; in that case, you can remove the NAT rules and the firewall filter rules, at least in chain forward. Or you want it to act as a firewall for the devices in .180., and then you have to modify the firewall filter rules accordingly rather than removing them. By removing the NAT, you'll lose even the possibility to initiate connections from .180. to .16. until you fix the next problem.

> Anyway, I'm also experiencing Destination host unreachable when I ping network 180 from network 16.
If this also includes .180.1, all the possibilities I've suggested before remain valid. It may be missing routes, it may be a missing IPsec policy, it may be a firewall on either Teltonika.

So either post the configuration files from both Teltonikas (naming them in such a way that the original file name is extended with the site distinguisher such as .16 and .20) here, or ask at some Teltonika or OpenWRT forum (where guys will ask for those configuration files too).
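As an added example, not taken from any post in this thread, this is the shape sindy's "add accept rules rather than disabling drop rules" advice takes on the Mikrotik: a chain forward rule that lets pings from the two remote sites reach hosts in .180., plus a srcnat exception so that traffic towards those sites keeps its real .180. source instead of being masqueraded. It assumes all three LANs are /24, ether1 is the port facing the .20 Teltonika, and the RouterOS default ("defconf") firewall is the starting point.

```routeros
# Added example (not from the thread). Assumptions: /24 networks, ether1 faces
# the .20 Teltonika, RouterOS default firewall ("defconf" rules) already present.
/ip firewall address-list
add list=vpn-remote-lans address=192.168.16.0/24 comment="site .16 LAN"
add list=vpn-remote-lans address=192.168.20.0/24 comment="site .20 LAN"

/ip firewall filter
# The default input rule is what made 192.168.180.1 answer pings while the
# hosts behind it did not: it covers the router's own addresses only.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Forward rule for hosts behind the router: only ICMP, only from the two known
# remote LANs, only arriving on the port towards the .20 Teltonika.
# place-before puts it above the first default drop rule in chain forward, so
# the drop rules stay enabled and keep protecting against everything else.
add action=accept chain=forward comment="accept ICMP from VPN sites to .180 LAN" \
    in-interface=ether1 protocol=icmp \
    src-address-list=vpn-remote-lans dst-address=192.168.180.0/24 \
    place-before=[:pick [find chain=forward action=drop] 0]

/ip firewall nat
# Do not masquerade .180 -> remote-site traffic, so replies and inbound pings
# are routed to the real 192.168.180.0/24 instead of to the router's .20 address.
# Internet-bound traffic still hits the default masquerade rule below this one.
add action=accept chain=srcnat comment="no NAT towards VPN sites" \
    src-address=192.168.180.0/24 dst-address-list=vpn-remote-lans \
    place-before=[:pick [find chain=srcnat action=masquerade] 0]
```

The NAT exception only works once the .20 Teltonika has a route to 192.168.180.0/24 via the Mikrotik's .20 address and the IPsec policies cover the .180. network, which is exactly the "next problem" sindy refers to above.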
 
PedroC
just joined
Topic Author
Posts: 6
Joined: Wed Sep 14, 2022 2:01 pm

Re: Ping network from other networks

Mon Sep 19, 2022 12:07 pm

Here is the firewall configuration of network 16
 
PedroC
just joined
Topic Author
Posts: 6
Joined: Wed Sep 14, 2022 2:01 pm

Re: Ping network from other networks

Mon Sep 19, 2022 12:20 pm

Here is the firewall of the network 20
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ping network from other networks

Mon Sep 19, 2022 1:32 pm

That's only the static part of the firewalls; on the .20., there is a reference to an import of rules that are dynamically created by the IPsec process. And the IPsec configuration itself is missing, so I don't know what the policies are. So post the IPsec configurations too (but obfuscate the keys and any other authentication tokens before posting!), and also the contents of /tmp/ipsec/firewall.sh at .20.
 
PedroC
just joined
Topic Author
Posts: 6
Joined: Wed Sep 14, 2022 2:01 pm

Re: Ping network from other networks

Tue Sep 20, 2022 1:09 pm

I was able to solve the issue. In the Mikrotik I disabled two firewall rules that were dropping frames from LAN and WAN. On Teltonika 20 I had to create routes and activate a firewall rule (passthrough).
Now I can ping every network from any network.
