Hi,

I have a routed PTP (also using OSPF) setup that is as such :

site one:
Mikrotik router - 10.100.0.1/29
Ubiquiti radio - 10.100.0.2/29 - AP default gateway 10.100.0.1

site two:
Ubiquiti radio - 10.100.0.3/29 - Slave default gateway 10.100.0.1
Mikrotik router - 10.100.0.4/29

IP/routes creates a DAC that routes the subnet of 10.100.0.0/29 to the correct ethernet port on each router.

When I access the radios from upstream of site one, no problem. When I access the link from downstream of site two, I can not access either radio.
Both routers see both radios in neighbors. Both routers can ping both radios.

What am I missing, please.

Thanks.

What is client IP address when ping from downstream, suspect that radio does not have route to client ip hence sending the packet upstream via gateway instead of back to client device

Hi,

Thanks for answering.

This is a PTP shot to bring internet from one location to the next...client upstream and downstreem are on different subnets, even from each other...but both Mikrotiks are routed for all subnets involved...or so I thought. Internet is working at both ends, and all else seems ok...only problem with managing the radios in that subnet from downstream, past the slave end.

I just can't find where the packets are not being directed, properly.

Do the Mikrotiks have drop forward invalid firewall rules (included in the default configuration), and if so does the packet counter increase when you try to access from downstream of site two?

Hi,

Both routers have the drop invalid...couldn't count the traffic I may have been doing, as client is also causing counters, but I disabled slave end with no difference. Disabled master end and was able to access radios. What does this mean that I will change? The drop invalid is right, and needed, i believe.

Hi,

I think I have a fix, if it's right. I created an accept forward rule using the radio link's subnet before the drop invalid rule, and now can get in to manage this link.

Is there a problem that can be fixed, otherwise or is this the right way?

Thanks.

There are some cases where perfectly legitimate traffic is flagged as invalid - often where differing interfaces are used for ingress and egress, or following triangular routes as in your case. If you follow the path of packets during a conversation from PC to radio the routing is:
PC -> downstream tik -> radio
PC <- downstream tik <- upstream tik <- radio

The connection tracking on the upstream tik only sees the return traffic so the connection traffic state machine considers the traffic to be invalid. Depending on what role tik router has in your network solutions are to disable connection tracking (which disables stateful firewall functionality), or to add allow forward invalid firewall rules for specific traffic as you have done.

Hi,

Not wanting to disable the firewall, I will leave the allow forward subnet, as is.

Thanks for the insight.