boneyard21
just joined
Topic Author
Posts: 7
Joined: Tue Jun 04, 2019 8:56 am

Static route between 2 routers,2 networks

Fri Jun 14, 2019 6:57 am

Hi everyone,

I am trying to set up a static route so that 2 LANs can communicate.
Now, PC2 and R2 are able to reach PC1 and R1.
But PC1 is unable to reach PC2 and R2.
And R1 is able to reach R2, but not PC2.
In addition, I have set up QoS for both networks.
Even though I turned it off, nothing changed.

Thank you for the advice.

R1

/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=aaa.bbb.ccc.127/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.128/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.129/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.130/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.131/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.132/24 interface=ether1 network=aaa.bbb.ccc.0
add address=172.16.1.1/30 interface=ether6 network=172.16.1.0
/ip firewall mangle
add action=accept chain=prerouting comment="Mark Connection & Routing" \
dst-address=192.168.10.0/24 in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether6 new-connection-mark=LAN_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=192.168.11.0/24 dst-address-type=!local in-interface=bridge \
new-connection-mark=LAN_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=LAN_conn \
dst-address=192.168.11.0/24 in-interface=bridge new-routing-mark=to_LAN \
passthrough=no
add action=mark-routing chain=output connection-mark=LAN_conn \
new-routing-mark=to_LAN passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=pppoe-out1 new-connection-mark=pppoe1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=bridge new-connection-mark=\
pppoe1_conn passthrough=yes src-address-list=IP_topppoe1
add action=mark-routing chain=prerouting connection-mark=pppoe1_conn \
in-interface=bridge new-routing-mark=to_pppoe1 passthrough=no \
src-address-list=IP_topppoe1
add action=mark-routing chain=output connection-mark=pppoe1_conn \
new-routing-mark=to_pppoe1 passthrough=no
add action=mark-packet chain=forward comment="QoS Full Speed" \
dst-address-list=QoS-Full in-interface=pppoe-out1 new-packet-mark=\
QoS-FullSpeedDown passthrough=no
add action=mark-packet chain=forward dst-address-list=QoS-Full in-interface=\
pppoe-out2 new-packet-mark=QoS-FullSpeedDown passthrough=no
add action=mark-packet chain=forward new-packet-mark=QoS-FullSpeedUp \
out-interface=pppoe-out1 passthrough=no src-address-list=QoS-Full
add action=mark-packet chain=forward new-packet-mark=QoS-FullSpeedUp \
out-interface=pppoe-out2 passthrough=no src-address-list=QoS-Full
add action=mark-packet chain=forward comment="QoS limit" dst-address-list=\
QoS-limit in-interface=pppoe-out1 new-packet-mark=QoS-LimitDown75 \
passthrough=no
add action=mark-packet chain=forward new-packet-mark=QoS-LimitUp30 \
out-interface=pppoe-out1 passthrough=no src-address-list=QoS-limit
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. pppoe traffic" \
out-interface=pppoe-out1 src-address-list=IP_topppoe1
add action=masquerade chain=srcnat out-interface=pppoe-out2 src-address-list=\
IP_topppoe12
add action=masquerade chain=srcnat comment="NAT Loopback 192" dst-address=\
192.168.10.0/24 out-interface=bridge src-address=192.168.10.0/24
/ip route
add distance=10 gateway=pppoe-out1 routing-mark=to_pppoe1
add distance=1 dst-address=192.168.11.0/24 gateway=172.16.1.2 routing-mark=\
to_LAN
add distance=5 gateway=aaa.bbb.ccc.254
add distance=10 gateway=pppoe-out1
add distance=1 dst-address=192.168.11.0/24 gateway=172.16.1.2

R2

/ip address
add address=192.168.11.1/24 interface=bridge network=192.168.11.0
add address=172.16.1.2/30 interface=ether6 network=172.16.1.0
add address=aaa.bbb.ccc.16/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.17/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.18/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.52/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.53/24 interface=ether1 network=aaa.bbb.ccc.0
add address=aaa.bbb.ccc.54/24 interface=ether1 network=aaa.bbb.ccc.0
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1
/ip firewall mangle
add action=accept chain=prerouting comment="Mark Connection & Routing" \
dst-address=192.168.11.0/24 in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether6 new-connection-mark=LAN_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=192.168.10.0/24 dst-address-type=!local in-interface=bridge \
new-connection-mark=LAN_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=LAN_conn \
dst-address=192.168.10.0/24 in-interface=bridge new-routing-mark=to_LAN \
passthrough=no
add action=mark-routing chain=output connection-mark=LAN_conn \
new-routing-mark=to_LAN passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=pppoe-out1 new-connection-mark=pppoe1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=bridge new-connection-mark=\
pppoe1_conn passthrough=yes src-address-list=IP_topppoe1
add action=mark-routing chain=prerouting connection-mark=pppoe1_conn \
in-interface=bridge new-routing-mark=to_pppoe1 passthrough=no \
src-address-list=IP_topppoe1
add action=mark-routing chain=output connection-mark=pppoe1_conn \
new-routing-mark=to_pppoe1 passthrough=no
add action=mark-packet chain=forward comment="QoS Full Speed" \
dst-address-list=QoS-Full in-interface=pppoe-out1 new-packet-mark=\
QoS-FullSpeedDown passthrough=no
add action=mark-packet chain=forward new-packet-mark=QoS-FullSpeedUp \
out-interface=pppoe-out1 passthrough=no src-address-list=QoS-Full
add action=mark-packet chain=forward comment="QoS limit" dst-address-list=\
QoS-limit in-interface=pppoe-out1 new-packet-mark=QoS-LimitDown75 \
passthrough=no
add action=mark-packet chain=forward new-packet-mark=QoS-LimitUp30 \
out-interface=pppoe-out1 passthrough=no src-address-list=QoS-limit
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. pppoe traffic" \
out-interface=pppoe-out1 src-address-list=IP_topppoe1
add action=masquerade chain=srcnat comment="NAT Loopback 192" dst-address=\
192.168.11.0/24 out-interface=bridge src-address=192.168.11.0/24
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=172.16.1.1 routing-mark=\
to_LAN
add distance=10 gateway=pppoe-out1 routing-mark=to_pppoe1
add distance=5 gateway=aaa.bbb.ccc.254
add distance=10 gateway=pppoe-out1
add distance=1 dst-address=192.168.10.0/24 gateway=172.16.1.1

 
sebastia
Forum Guru
Posts: 1480
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Static route between 2 routers,2 networks

Fri Jun 14, 2019 10:56 am

Hi

You have two relevant routes on each router: one without mark and one with mark. So, whether it's marked or not, routing should work.
Although the whole connection / routing marking for "to_LAN" looks unnecessary to me (in the current context) -> one route entry WITHOUT a mark should have been enough.

You'll need to check your firewall settings next I think.
 
boneyard21
just joined
Topic Author
Posts: 7
Joined: Tue Jun 04, 2019 8:56 am

Re: Static route between 2 routers,2 networks

Fri Jun 14, 2019 11:25 am

Hi

> You have two relevant routes on each router: one without mark and one with mark. So, whether it's marked or not, routing should work.
> Although the whole connection / routing marking for "to_LAN" looks unnecessary to me (in the current context) -> one route entry WITHOUT a mark should have been enough.
>
> You'll need to check your firewall settings next I think.
Thanks for your reply.
I have disabled "to_LAN" from the route list, but if I disable the whole connection / routing marking in mangle, PC2 is unable to reach R1 and PC1.

Here is /ip firewall filter; it is the same on both routers.

/ip firewall filter
add action=drop chain=input dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp \
src-address-list=ros_login5
add action=add-src-to-address-list address-list=ros_login5 \
address-list-timeout=none-static chain=input connection-state=new \
dst-port=21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp \
src-address-list=ros_login4
add action=add-src-to-address-list address-list=ros_login4 \
address-list-timeout=3m chain=input connection-state=new dst-port=\
21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp \
src-address-list=ros_login3
add action=add-src-to-address-list address-list=ros_login3 \
address-list-timeout=3m chain=input connection-state=new dst-port=\
21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp \
src-address-list=ros_login2
add action=add-src-to-address-list address-list=ros_login2 \
address-list-timeout=3m chain=input connection-state=new dst-port=\
21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp \
src-address-list=ros_login1
add action=add-src-to-address-list address-list=ros_login1 \
address-list-timeout=3m chain=input connection-state=new dst-port=\
21,22,23,80,1723,5000-5004,8291,9999,33391-33400 protocol=tcp \
src-address-list=!LanIP
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=21,22,23,25,80,110,443 protocol=tcp
add action=accept chain=forward dst-port=80,443 in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-port=80,443 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input in-interface=pppoe-out1
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
 
mkx
Forum Guru
Posts: 2252
Joined: Thu Mar 03, 2016 10:23 pm

Re: Static route between 2 routers,2 networks

Fri Jun 14, 2019 12:03 pm

My reply might not be very constructive, but nevertheless: your routing is overly complicated and your firewall rule set is not safe at all.

My suggestion: reset the router to default (if it's a SOHO unit; otherwise apply the default firewall filter rule set of SOHO routers) and add a simple static route for the other LAN. Adjust the firewall filter rules as needed to have connectivity between both LANs (by default that will be blocked, as the ether6 port won't be a member of either the LAN or the WAN interface list).

After you get that working, add whatever you really need (e.g. QoS ... don't over-complicate the setup unless you really need something set up).
BR,
Metod
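A minimal R1 configuration along the lines mkx describes, as an added example that is not from the thread or from either router's posted export: the LAN, link and ether1 addresses and the interface names are the ones posted above (kept to one public address), while the interface-list names WAN/LAN/SITE, the per-subnet forward rules and the restriction of router management to the LAN and the link subnet are assumptions. R2 mirrors it with 192.168.11.0/24, 172.16.1.2/30 and a route to 192.168.10.0/24 via 172.16.1.1.

```routeros
# Added example, not from the thread: minimal R1 following mkx's advice.
# Interface-list names and the forward/input policy are assumptions.
/interface list
add name=WAN
add name=LAN
add name=SITE
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
add interface=ether6 list=SITE
/ip address
add address=192.168.10.1/24 interface=bridge
add address=172.16.1.1/30 interface=ether6
add address=aaa.bbb.ccc.127/24 interface=ether1
/ip route
# one plain static route is enough; no connection or routing marks needed
add dst-address=192.168.11.0/24 gateway=172.16.1.2
add distance=5 gateway=aaa.bbb.ccc.254
/ip firewall filter
# input: management only from the LAN and the inter-router link subnet
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN
add chain=input action=accept in-interface-list=SITE src-address=172.16.1.0/30
add chain=input action=drop comment="drop all other input"
# forward: established/related first, then only the flows we want
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=SITE \
    src-address=192.168.10.0/24 dst-address=192.168.11.0/24
add chain=forward action=accept in-interface-list=SITE out-interface-list=LAN \
    src-address=192.168.11.0/24 dst-address=192.168.10.0/24
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop comment="drop everything else, incl. new from WAN"
/ip firewall nat
# NAT only towards the WAN; the site link stays un-NATed so routes stay symmetric
add chain=srcnat action=masquerade out-interface-list=WAN
```

The block deliberately leaves out the default fasttrack rule, because fasttracked connections bypass the mangle packet marks the posted QoS rules depend on. Once it works, verify the path hop by hop (192.168.10.1, 172.16.1.1, 172.16.1.2, 192.168.11.1 from PC1, and the reverse from PC2) before layering the marking back on.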
 
boneyard21
just joined
Topic Author
Posts: 7
Joined: Tue Jun 04, 2019 8:56 am

Re: Static route between 2 routers,2 networks

Fri Jun 14, 2019 12:24 pm

> My reply might not be very constructive, but nevertheless: your routing is overly complicated and your firewall rule set is not safe at all.
>
> My suggestion: reset the router to default (if it's a SOHO unit; otherwise apply the default firewall filter rule set of SOHO routers) and add a simple static route for the other LAN. Adjust the firewall filter rules as needed to have connectivity between both LANs (by default that will be blocked, as the ether6 port won't be a member of either the LAN or the WAN interface list).
>
> After you get that working, add whatever you really need (e.g. QoS ... don't over-complicate the setup unless you really need something set up).
Thanks for your reply.

I got your point. It is a good idea.
But I will keep trying until I find the time to do as you advise. :)
 
sebastia
Forum Guru
Posts: 1480
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Static route between 2 routers,2 networks

Fri Jun 14, 2019 12:39 pm

Your firewall is allowing everything that is not explicitly blocked. So that should be fine.
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
Are the firewalls the same on both routers?
 
boneyard21
just joined
Topic Author
Posts: 7
Joined: Tue Jun 04, 2019 8:56 am

Re: Static route between 2 routers,2 networks

Fri Jun 14, 2019 12:50 pm

> Your firewall is allowing everything that is not explicitly blocked. So that should be fine.
> add action=accept chain=forward connection-state=established
> add action=accept chain=forward connection-state=related
> add action=drop chain=forward connection-state=invalid
> Are the firewalls the same on both routers?
Yes.
I have tried disabling all the rules in the filter; the result is the same.
 
sebastia
Forum Guru
Posts: 1480
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Static route between 2 routers,2 networks

Fri Jun 14, 2019 2:24 pm

Are the default gateways set on both PCs?

Try pinging one hop further at a time, from both ends, to discover where the "connection breaks".
