I have to configure a connection to a stove as in the diagram...
From the RB5009 I can ping 192.168.120.150 (the mAP's IP in the stove network) and 192.168.0.110 (the mAP's IP in the LAN network).
From the mAP I can ping the RB (192.168.0.1) and the stove (192.168.120.1).
But from RB5009 I can't ping the stove (192.168.120.1)
(the stove acts as a dhcp server for the clients that connect to it)
Can anyone tell me where the error is?
Thanks
mAP CONFIG:
# BR-LAN is the mAP's LAN side: ether1 plus the locally broadcast backup SSID
# (see /interface bridge port below).
/interface bridge
add name=BR-LAN
# Interface list consumed by neighbor discovery (set further down).
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Profile used to join the stove's SSID: WPA2-PSK, but TKIP is the only group
# and unicast cipher. TKIP is a deprecated, weak cipher -- presumably forced by
# the stove's AP. NOTE(review): check whether the stove also accepts aes-ccm.
add authentication-types=wpa2-psk group-ciphers=tkip mode=dynamic-keys name=\
mcz supplicant-identity="" unicast-ciphers=tkip
# Profile for the backup SSID "MCZ-Bak"; ciphers left at their defaults.
add authentication-types=wpa2-psk mode=dynamic-keys name=bak \
supplicant-identity=""
/interface wireless
# wlan1: client (station-pseudobridge) of the stove's SSID "MCZ". It is not a
# BR-LAN port and carries its own address (192.168.120.150/24 under /ip address),
# so the mAP routes between the stove network and the LAN instead of bridging.
# NOTE(review): since wlan1 is routed, plain mode=station would do the same job.
set [ find default-name=wlan1 ] arp=local-proxy-arp country=italy disabled=no \
distance=indoors frequency=2417 installation=indoor mode=\
station-pseudobridge security-profile=mcz ssid=MCZ \
wireless-protocol=802.11
# wlan2: virtual AP "MCZ-Bak" on top of wlan1, bridged into BR-LAN. Anyone who
# joins it lands directly on 192.168.0.0/24 -- the subnet the RB's input chain
# treats as fully trusted (net_casa) -- so its PSK deserves the same strength
# as the main LAN Wi-Fi.
add keepalive-frames=disabled mac-address=7A:9A:18:AD:FF:5B master-interface=\
wlan1 multicast-buffering=disabled name=wlan2 security-profile=bak ssid=\
MCZ-Bak wds-cost-range=1 wds-default-cost=1 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=BR-LAN interface=ether1
add bridge=BR-LAN interface=wlan2
# Neighbor discovery runs on the LAN list, which (below) also contains wlan1,
# so discovery frames are sent into the stove's wireless network as well.
# Removing wlan1 from the list keeps that side quiet.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=ether1 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
# Two networks on one box: the mAP routes between 192.168.0.0/24 (LAN) and
# 192.168.120.0/24 (stove). There is no /ip firewall section in this export at
# all -- no input filtering and, for the reported symptom, no NAT. The RB's
# route sends 192.168.120.0/24 here, but the stove's reply to 192.168.0.1 needs
# a route back to 192.168.0.0/24 on the stove, which nothing in this setup
# provides (the stove is a closed box acting as its own DHCP server). The usual
# fix is to masquerade toward the stove so it only ever sees 192.168.120.150:
#   /ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade
# NOTE(review): inferred from the two exports; confirm the stove really has no
# route/gateway toward the LAN before relying on this.
/ip address
add address=192.168.0.110/24 interface=BR-LAN network=192.168.0.0
add address=192.168.120.150/24 interface=wlan1 network=192.168.120.0
# relay1 forwards DHCP from BR-LAN to the RB, which already serves that subnet
# directly; relay2 forwards DHCP from wlan1 to the stove, which is itself the
# DHCP server on that segment. NOTE(review): both look redundant and relay2 may
# only produce duplicate offers -- verify and consider removing them.
/ip dhcp-relay
add dhcp-server=192.168.0.1 disabled=no interface=BR-LAN name=relay1
add dhcp-server=192.168.120.1 disabled=no interface=wlan1 name=relay2
# The default route is present but disabled: the mAP has no path off-link, so
# the NTP pool hosts listed below are unreachable (and no /ip dns servers appear
# in this export to resolve them). Harmless, but dead configuration.
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/system identity
set name="Mcz AP"
/system note
set show-at-login=no
/system ntp client servers
add address=0.it.pool.ntp.org
add address=1.it.pool.ntp.org
add address=2.it.pool.ntp.org
add address=3.it.pool.ntp.org
# ---- Second export: the main router (system identity "RB" further down) ----
# Bind mounts from the USB disk into the pi-hole container (see /container).
/container mounts
add dst=/opt/list name=list_pihole src=/usb1-part1/container_pihole/list
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/container_pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
/usb1-part1/container_pihole/dnsmasq
add dst=/etc/cron.d name=crono_pihole src=/usb1-part1/container_pihole/crono
# USB disk with a single partition hosting the container root and mounts.
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset="1 048 576" \
partition-size="500 104 200 704" type=partition
/interface bridge
# Main LAN bridge with VLAN filtering on: every port/VLAN pair must be listed
# under /interface bridge vlan. priority 0x6000 is below the default 0x8000,
# so this bridge tends to win the STP root election.
add comment=Capsman name=BR-Capsman port-cost-mode=short priority=0x6000 \
vlan-filtering=yes
# Separate bridge holding only the pi-hole container's veth, keeping the
# container off the LAN's layer 2.
add comment=PiHole name=BR-PiHole port-cost-mode=short
/interface veth
# Container side of the pi-hole link; the gateway is the bridge address
# 192.168.55.1/25 assigned under /ip address.
add address=192.168.55.55/25 gateway=192.168.55.1 gateway6="" name=veth1
/interface vlan
# Per-network VLAN interfaces on BR-Capsman (mtu 1480 -- presumably chosen for
# the PPPoE uplink).
add comment=Casa interface=BR-Capsman mtu=1480 name=100-Casa vlan-id=100
add comment=Mamma interface=BR-Capsman mtu=1480 name=200-Mamma vlan-id=200
add comment=Guests interface=BR-Capsman mtu=1480 name=300-Guest vlan-id=300
add comment=Domus interface=BR-Capsman mtu=1480 name=400-Domus vlan-id=400
# Control VLAN kept in the config but disabled (its pool, DHCP server and
# address are disabled as well).
add comment=Control disabled=yes interface=BR-Capsman mtu=1480 name=\
900-Control vlan-id=900
# ISP VLAN 999 on ether1, carrying the PPPoE session.
add comment=WAN interface=ether1 mtu=1480 name=provider-vlan vlan-id=999
/interface pppoe-client
add add-default-route=yes disabled=no interface=provider-vlan name=\
provider-pppoe
# WAN/LAN drive the firewall and NAT rules; TRUSTED is only used for neighbor
# discovery.
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface wifi channel
add band=2ghz-g disabled=no frequency=2437 name=silent width=20/40mhz-Ce
add band=2ghz-g disabled=no name=guest
add band=5ghz-ax disabled=no frequency=5200 name=wlan5_ghz skip-dfs-channels=\
all width=20/40/80mhz
# Fixed 2.4 GHz channels 1/6/11, assigned per AP location below.
add band=2ghz-ax disabled=no frequency=2437 name=wlan2_channel6_main width=\
20/40mhz
add band=2ghz-ax disabled=no frequency=2412 name=wlan2_channel1
add band=2ghz-ax disabled=no frequency=2462 name=wlan2_channel11
/interface wifi datapath
# Each datapath tags client traffic into its VLAN on BR-Capsman. Wifi_Domus has
# no vlan-id, so Domus clients land untagged on the bridge itself
# (192.168.240.0/24, served by Domus_dhcp on interface=BR-Capsman).
add bridge=BR-Capsman disabled=no name=Wifi_Mamma vlan-id=200
add bridge=BR-Capsman disabled=no name=Wifi_Guest vlan-id=300
add bridge=BR-Capsman disabled=no name=Wifi_Casa vlan-id=100
add bridge=BR-Capsman disabled=no name=Wifi_Domus
add bridge=BR-Capsman disabled=yes name=capmandp vlan-id=900
/interface wifi security
# All profiles are WPA2-PSK only; "home" and "guest" pin the group cipher to
# CCMP, "silent" and "service" use the default. No WPA3 or management-frame
# protection is configured -- NOTE(review): worth enabling where the clients
# support it, especially on "home", which lands on the trusted Casa subnet.
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp name=home
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp name=\
guest
add authentication-types=wpa2-psk disabled=no name=silent
add authentication-types=wpa2-psk disabled=no name=service
/interface wifi configuration
# "guest" is disabled=yes; the guest slave interfaces provisioned from it below
# are therefore presumably not on air (the exporter marks them "# SSID not set").
add antenna-gain=2 country=Italy datapath=Wifi_Guest disabled=yes name=guest \
security=guest ssid=Clochard
# Hidden SSID on the Mamma VLAN. Hiding an SSID is not a security control: the
# name is still visible in probe and association frames.
add country=Italy datapath=Wifi_Mamma disabled=no hide-ssid=yes mode=ap name=\
silent security=silent ssid=silent
# One "LimitService2G" configuration per AP location, differing only in the
# fixed channel; all of them land on the untagged Domus network.
add channel=wlan2_channel11 country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=studio_2ghz security=service ssid=\
LimitService2G
add channel=wlan2_channel1 country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=centro_2ghz security=service ssid=\
LimitService2G
add channel=wlan2_channel6_main country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=server_2ghz security=service ssid=\
LimitService2G
add channel=wlan2_channel11 country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=taverna_2ghz security=service ssid=\
LimitService2G
add channel=wlan2_channel1 country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=esterno_2ghz security=service ssid=\
LimitService2G
# Main household SSID "HyperLimitless" on VLAN 100 (2.4 GHz here, 5 GHz below).
add antenna-gain=2 country=Italy datapath=Wifi_Casa disabled=no mode=ap name=\
home2G security=home ssid=HyperLimitless
# 5 GHz service SSID (untagged Domus) and 5 GHz household SSID (VLAN 100).
add country=Italy datapath=Wifi_Domus disabled=no hide-ssid=no mode=ap name=\
service5G security=service ssid=LimitService5G
add channel=wlan5_ghz country=Italy datapath=Wifi_Casa disabled=no mode=ap \
name=home5G security=home ssid=HyperLimitless
/interface wifi
# CAPsMAN-created interfaces: physical radios are identified by radio-mac,
# virtual slaves by mac-address + master-interface.
# 5 GHz radios: master "service5G" (untagged Domus) plus slave "home5G" (VLAN 100).
add configuration=service5G disabled=no name=wifi1 radio-mac=\
48:A9:8A:0E:03:51
add configuration=home5G disabled=no mac-address=4A:A9:8A:0E:03:51 \
master-interface=wifi1 name=wifi2
add configuration=service5G disabled=no name=wifi3 radio-mac=\
48:A9:8A:BC:A5:24
add configuration=home5G disabled=no mac-address=4A:A9:8A:BC:A5:24 \
master-interface=wifi3 name=wifi4
add configuration=service5G disabled=no name=wifi5 radio-mac=\
48:A9:8A:0E:06:A8
add configuration=home5G disabled=no mac-address=4A:A9:8A:0E:06:A8 \
master-interface=wifi5 name=wifi6
add configuration=service5G disabled=no name=wifi7 radio-mac=\
48:A9:8A:0E:09:5D
add configuration=home5G disabled=no mac-address=4A:A9:8A:0E:09:5D \
master-interface=wifi7 name=wifi8
add configuration=service5G disabled=no name=wifi9 radio-mac=\
48:A9:8A:0E:06:47
add configuration=home5G disabled=no mac-address=4A:A9:8A:0E:06:47 \
master-interface=wifi9 name=wifi10
# 2.4 GHz radios: one "LimitService2G" master per location, with slaves "guest"
# (whose configuration is disabled -- hence the exporter's "# SSID not set"
# remarks) and "home2G".
add configuration=centro_2ghz disabled=no name=wifi11 radio-mac=\
48:A9:8A:0E:06:A9
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:A9 \
master-interface=wifi11 name=wifi12
add configuration=home2G disabled=no mac-address=4A:A9:8A:0E:06:AA \
master-interface=wifi11 name=wifi13
add configuration=esterno_2ghz disabled=no name=wifi14 radio-mac=\
48:A9:8A:0E:09:5E
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:09:5E \
master-interface=wifi14 name=wifi15
add configuration=home2G disabled=no mac-address=4A:A9:8A:0E:09:5F \
master-interface=wifi14 name=wifi16
add configuration=taverna_2ghz disabled=no name=wifi17 radio-mac=\
48:A9:8A:0E:06:48
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:48 \
master-interface=wifi17 name=wifi18
add configuration=home2G disabled=no mac-address=4A:A9:8A:0E:06:49 \
master-interface=wifi17 name=wifi19
add configuration=studio_2ghz disabled=no name=wifi20 radio-mac=\
48:A9:8A:0E:03:52
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:03:52 \
master-interface=wifi20 name=wifi21
add configuration=home2G disabled=no mac-address=4A:A9:8A:0E:03:53 \
master-interface=wifi20 name=wifi22
add configuration=server_2ghz disabled=no name=wifi23 radio-mac=\
48:A9:8A:BC:A5:25
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:BC:A5:25 \
master-interface=wifi23 name=wifi24
add configuration=home2G disabled=no mac-address=4A:A9:8A:BC:A5:26 \
master-interface=wifi23 name=wifi25
# The "server" radio additionally carries the hidden "silent" SSID (Mamma VLAN).
add configuration=silent disabled=no mac-address=4A:A9:8A:BC:A5:27 \
master-interface=wifi23 name=wifi26
# Placeholder kid-control entry, disabled; no effect.
/ip kid-control
add disabled=yes fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d \
thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=\
0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
# DHCP pools. MammaPool (10.255.255.x) is not on the 200-Mamma interface's own
# subnet (10.255.254.0/24) -- it is handed out through a relay, see Mamma_dchp.
# ControlPool is only referenced by the disabled Control_dhcp.
/ip pool
add name=MammaPool ranges=10.255.255.100-10.255.255.200
add name=GuestsPool ranges=172.16.0.2-172.16.15.254
add name=DomusPool ranges=192.168.240.100-192.168.240.200
add name=CasaPool ranges=192.168.0.100-192.168.0.200
add name=ControlPool ranges=10.10.0.100-10.10.0.200
/ip dhcp-server
# Casa_dhcp (VLAN 100, 192.168.0.0/24). The embedded lease-script keeps
# /ip dns static in sync with leases: on every lease event it removes the
# entries tagged with its comment marker for that address/name, and when the
# lease is bound it re-adds "<host>.lan" plus the bare "<host>"
# (dnsAlwaysNonfqdn=1) with a 15-minute TTL. The host name is read from the
# lease's admin-set comment (leaseClientHostnameSource="comment"), not from the
# client-advertised hostname, so clients cannot choose their own DNS names.
# The identical script is pasted again in Domus_dhcp with dnsDomain="domus";
# NOTE(review): a single /system script run from both servers would keep the
# two copies from drifting apart.
add add-arp=yes address-pool=CasaPool interface=100-Casa lease-script="# When \
\"1\" all DNS entries with IP address of DHCP lease are removed\r\
\n:local dnsRemoveAllByIp \"1\"\r\
\n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
\n:local dnsRemoveAllByName \"1\"\r\
\n# When \"1\" addition and removal of DNS entries is always done also for\
\_non-FQDN hostname\r\
\n:local dnsAlwaysNonfqdn \"1\"\r\
\n# DNS domain to add after DHCP client hostname\r\
\n:local dnsDomain \"lan\"\r\
\n# DNS TTL to set for DNS entries\r\
\n:local dnsTtl \"00:15:00\"\r\
\n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
\_lease attribute, like \"host-name\" or \"comment\"\r\
\n:local leaseClientHostnameSource \"comment\"\r\
\n\r\
\n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
ostnameSource\"\r\
\n:local leaseClientHostname\r\
\n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
\n :set leaseClientHostname \$\"lease-hostname\"\r\
\n} else={\r\
\n :set leaseClientHostname ([:pick \\\r\
\n [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
\n 0]->\"\$leaseClientHostnameSource\")\r\
\n}\r\
\n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
\n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
\n:if ([:len [\$dnsDomain]] > 0) do={\r\
\n :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
\n :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
\n :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
ameShort\"\r\
\n }\r\
\n}\r\
\n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\"]\r\
\n}\r\
\n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
\n :if (\$dnsRemoveAllByName = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
\" and name=\"\$h\"]\r\
\n }\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
\n :if (\$leaseBound = \"1\") do={\r\
\n :delay 1\r\
\n /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
\" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
\n }\r\
\n}" lease-time=1d name=Casa_dhcp
# Mamma_dchp (name as exported) serves the off-link pool 10.255.255.0/24 through
# a relay at 10.255.254.2 while the 200-Mamma interface itself is
# 10.255.254.1/24; the matching static route via 10.255.254.2 is under
# /ip route. Its clients get 8.8.8.8 as DNS (see /ip dhcp-server network) and
# the subnet is on the "excluded" list, i.e. it bypasses pi-hole entirely.
add add-arp=yes address-pool=MammaPool bootp-support=none interface=200-Mamma \
lease-time=1d name=Mamma_dchp relay=10.255.254.2 server-address=\
10.255.254.1
# Guest VLAN: 12-hour leases from 172.16.0.0/20.
add add-arp=yes address-pool=GuestsPool interface=300-Guest lease-time=12h \
name=Guests_dhcp
# Domus_dhcp serves the untagged side of BR-Capsman (192.168.240.0/24); same
# lease-script as Casa_dhcp with dnsDomain="domus".
add add-arp=yes address-pool=DomusPool interface=BR-Capsman lease-script="# Wh\
en \"1\" all DNS entries with IP address of DHCP lease are removed\r\
\n:local dnsRemoveAllByIp \"1\"\r\
\n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
\n:local dnsRemoveAllByName \"1\"\r\
\n# When \"1\" addition and removal of DNS entries is always done also for\
\_non-FQDN hostname\r\
\n:local dnsAlwaysNonfqdn \"1\"\r\
\n# DNS domain to add after DHCP client hostname\r\
\n:local dnsDomain \"domus\"\r\
\n# DNS TTL to set for DNS entries\r\
\n:local dnsTtl \"00:15:00\"\r\
\n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
\_lease attribute, like \"host-name\" or \"comment\"\r\
\n:local leaseClientHostnameSource \"comment\"\r\
\n\r\
\n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
ostnameSource\"\r\
\n:local leaseClientHostname\r\
\n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
\n :set leaseClientHostname \$\"lease-hostname\"\r\
\n} else={\r\
\n :set leaseClientHostname ([:pick \\\r\
\n [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
\n 0]->\"\$leaseClientHostnameSource\")\r\
\n}\r\
\n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
\n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
\n:if ([:len [\$dnsDomain]] > 0) do={\r\
\n :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
\n :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
\n :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
ameShort\"\r\
\n }\r\
\n}\r\
\n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\"]\r\
\n}\r\
\n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
\n :if (\$dnsRemoveAllByName = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
\" and name=\"\$h\"]\r\
\n }\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
\n :if (\$leaseBound = \"1\") do={\r\
\n :delay 1\r\
\n /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
\" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
\n }\r\
\n}" lease-time=1d name=Domus_dhcp
# Control network server, disabled together with its VLAN and address.
add add-arp=yes address-pool=ControlPool disabled=yes interface=BR-Capsman \
lease-time=2w1d name=Control_dhcp
/container
# pi-hole container on veth1 with the four bind mounts above; its root
# filesystem lives on the USB disk and it starts automatically at boot.
add envlist=pihole_envs interface=veth1 mounts=\
list_pihole,etc_pihole,dnsmasq_pihole,crono_pihole root-dir=\
usb1-part1/pihole start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Rome
# NOTE(review): this is the pi-hole admin web password, stored and exported in
# clear text. It is part of the configuration as posted publicly, so treat it
# as disclosed and change it.
add key=WEBPASSWORD name=pihole_envs value="PiholePass"
# NOTE(review): runs the DNS process as root inside the container; keep only
# if the image actually requires it.
add key=DNSMASQ_USER name=pihole_envs value=root
add key=FTLCONF_LOCAL_IPV4 name=pihole_envs value=192.168.55.55
/interface bridge port
# Trunk ports on BR-Capsman: the SFP+ uplink is tagged for every VLAN in the
# table below; ether8 has no entry in /interface bridge vlan, so it presumably
# carries only the bridge's untagged/pvid network (Domus) -- NOTE(review):
# verify that is intended.
add bridge=BR-Capsman interface=sfp-sfpplus1 internal-path-cost=10 path-cost=\
10
add bridge=BR-Capsman interface=ether8 internal-path-cost=10 path-cost=10
# The container's veth is the only port on BR-PiHole.
add bridge=BR-PiHole interface=veth1 internal-path-cost=10 path-cost=10
# Neighbor discovery only on the TRUSTED list (Casa and Domus VLANs), so the
# router does not announce itself on WAN, guest or Mamma.
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
# IPv6 fully off (the IPv6 filter further down also drops everything).
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
# VLAN table: each VLAN is tagged on the SFP+ trunk and on the bridge itself
# (the CPU side, which is what the 100-/200-/300-/400- VLAN interfaces use).
add bridge=BR-Capsman comment="Mamma VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=200
add bridge=BR-Capsman comment="Guest VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=300
add bridge=BR-Capsman comment="Domus VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=400
add bridge=BR-Capsman comment="Casa VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=100
# The next line is an exporter-generated remark, left untouched; it only
# precedes the disabled Control VLAN entry.
# BR-Capsman not a bridge port
add bridge=BR-Capsman comment="Control VLAN" disabled=yes tagged=\
BR-Capsman,sfp-sfpplus1 vlan-ids=900
/interface list member
# WAN = PPPoE session plus its carrier VLAN; LAN = all user VLANs and both
# bridges. 400-Domus is in LAN and TRUSTED but has no /ip address of its own in
# this export (Domus addressing sits on BR-Capsman untagged) -- NOTE(review):
# possibly a leftover.
add interface=provider-pppoe list=WAN
add interface=100-Casa list=LAN
add interface=provider-vlan list=WAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=400-Domus list=LAN
add interface=100-Casa list=TRUSTED
add interface=400-Domus list=TRUSTED
add disabled=yes interface=900-Control list=LAN
add interface=BR-Capsman list=LAN
add interface=BR-PiHole list=LAN
/interface wifi access-list
# Single accept entry matching the Apple OUI 18:34:51 (mask covers the first
# three octets only). An accept-only entry does not by itself restrict other
# clients -- NOTE(review): confirm what this is meant to achieve.
add action=accept comment="Apple Device" disabled=no mac-address=\
18:34:51:00:00:00 mac-address-mask=FF:FF:FF:00:00:00
/interface wifi capsman
# CAPsMAN listens on BR-Capsman. With require-peer-certificate=no any device
# that can reach this bridge at layer 2 may register as a CAP and receive the
# provisioned configurations, security settings included. NOTE(review):
# consider certificate-based CAP authentication unless every port on
# BR-Capsman is physically trusted.
set enabled=yes interfaces=BR-Capsman package-path="" \
require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
# One rule per radio MAC: 5 GHz radios get service5G + home5G, 2.4 GHz radios
# get their location's LimitService2G master plus guest/home2G slaves (the
# "server" radio also gets "silent").
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:BC:A5:24 slave-configurations=home5G
add action=create-enabled disabled=no master-configuration=studio_2ghz \
name-format="" radio-mac=48:A9:8A:0E:03:52 slave-configurations=\
guest,home2G
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:0E:06:47 slave-configurations=home5G
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:0E:09:5D slave-configurations=home5G
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:0E:06:A8 slave-configurations=home5G
add action=create-enabled disabled=no master-configuration=esterno_2ghz \
name-format="" radio-mac=48:A9:8A:0E:09:5E slave-configurations=\
guest,home2G
add action=create-enabled disabled=no master-configuration=server_2ghz \
name-format="" radio-mac=48:A9:8A:BC:A5:25 slave-configurations=\
guest,home2G,silent
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:0E:03:51 slave-configurations=home5G \
supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=centro_2ghz \
name-format="" radio-mac=48:A9:8A:0E:06:A9 slave-configurations=\
guest,home2G
add action=create-enabled disabled=no master-configuration=taverna_2ghz \
name-format="" radio-mac=48:A9:8A:0E:06:48 slave-configurations=\
guest,home2G
/ip address
# Router addresses: one per user VLAN, Domus on the bridge itself, the pi-hole
# link on BR-PiHole; the Control address is disabled.
add address=192.168.0.1/24 interface=100-Casa network=192.168.0.0
add address=172.16.0.1/20 interface=300-Guest network=172.16.0.0
add address=10.255.254.1/24 interface=200-Mamma network=10.255.254.0
add address=192.168.240.1/24 interface=BR-Capsman network=192.168.240.0
add address=192.168.55.1/25 interface=BR-PiHole network=192.168.55.0
add address=10.10.0.1/24 disabled=yes interface=BR-Capsman network=10.10.0.0
/ip dhcp-server lease
# Static lease for the stove-side mAP. The mAP's own export assigns
# 192.168.0.110 statically and shows no DHCP client, so this lease is
# presumably never used.
add address=192.168.0.110 client-id=1:78:9a:18:ad:ff:59 comment=MCZ-AP \
mac-address=78:9A:18:AD:FF:59 server=Casa_dhcp
/ip dhcp-server network
# DNS handed to clients per network: Control none, Mamma Google, Guest the
# Cloudflare family-filter resolvers, Casa and Domus the pi-hole container.
add address=10.10.0.0/24 dns-none=yes gateway=10.10.0.1 netmask=24
add address=10.255.255.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.255.1 \
netmask=24
add address=172.16.0.0/20 dns-server=1.1.1.3,1.0.0.3 gateway=172.16.0.1 \
netmask=20
add address=192.168.0.0/24 dns-server=192.168.55.55 gateway=192.168.0.1 \
netmask=24
add address=192.168.240.0/24 dns-server=192.168.55.55 gateway=192.168.240.1 \
netmask=24
/ip dns
# Router's own resolver: DoH to 1.1.1.1 with certificate verification, and it
# answers LAN queries (allow-remote-requests=yes). It is not an open resolver
# toward the Internet because the input chain accepts port 53 only from the
# LAN list and drops everything else.
set allow-remote-requests=yes cache-max-ttl=1m servers=1.1.1.1,1.0.0.1 \
use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns static
# Pins cloudflare-dns.com to fixed addresses. The DoH URL above uses the IP
# directly, so these entries are presumably left over from a hostname-based
# DoH URL; harmless.
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
# net_*    : per-subnet source lists used by the filter rules
# excluded : sources NOT redirected to pi-hole by the dstnat rules
# filtered : sources whose DoH/DoT attempts are dropped in the forward chain
# DNS-DOH  : resolver addresses blocked for "filtered" sources (only Google and
#            Cloudflare today; the scheduler that would extend it is disabled)
add address=192.168.0.0/24 comment="Casa NET" list=net_casa
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.55.55 comment="Excluded from PiHole" list=excluded
add address=192.168.240.0/24 comment="Domus NET" list=net_domus
add address=10.10.0.0/24 comment="Excluded from PiHole" list=excluded
add address=192.168.240.10 comment="Excluded from PiHole" list=excluded
add address=192.168.0.0/24 comment="Filtered from PiHole" list=filtered
add address=192.168.240.0/24 comment="Filtered from PiHole" list=filtered
add address=10.10.0.0/24 comment="Control NET" list=net_control
add address=192.168.0.10 comment="Excluded from PiHole" list=excluded
add address=8.8.4.4 list=DNS-DOH
add address=8.8.8.8 list=DNS-DOH
add address=1.1.1.1 list=DNS-DOH
add address=1.0.0.1 list=DNS-DOH
/ip firewall filter
# ---- input: traffic to the router itself ----
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The Casa subnet gets unrestricted access to every router service. That
# subnet also contains whatever joins the mAP's bridged "MCZ-Bak" SSID, so the
# PSK of that SSID effectively guards the router's management plane.
add action=accept chain=input comment=\
"ONLY allow trusted subnet full access to router services" \
src-address-list=net_casa
# DNS (router resolver / pi-hole redirect) and NTP (local NTP server below)
# from any LAN interface.
add action=accept chain=input comment=PiHole dst-port=53,123 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment=PiHole dst-port=53 in-interface-list=\
LAN protocol=tcp
# Everything else to the router -- including all of WAN -- is dropped.
add action=drop chain=input comment="DROP ALL ELSE"
# ---- forward: traffic through the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Fasttrack sits before the generic accept, so established flows skip the rest
# of the chain; the DoH/DoT drops below still see each new connection's first
# packet, which is neither established nor related.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Stop "filtered" subnets from bypassing pi-hole with encrypted DNS: known DoH
# resolver addresses (DNS-DOH list) and DoT on 853/tcp+udp.
add action=drop chain=forward comment="block internal DOH" dst-address-list=\
DNS-DOH src-address-list=filtered
add action=drop chain=forward comment="BLOCK DOT" port=853 protocol=tcp \
src-address-list=filtered
add action=drop chain=forward comment="BLOCK DOT" port=853 protocol=udp \
src-address-list=filtered
# LAN -> WAN for everyone except the Control subnet.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN src-address-list=!net_control
# Inter-VLAN access is only granted from Casa outward: Domus, Control, the
# Mamma AP and the stove.
add action=accept chain=forward comment="allow access to ALL DomusNET" \
dst-address-list=net_domus src-address-list=net_casa
add action=accept chain=forward comment="allow access to ALL ControlNET" \
dst-address-list=net_control src-address-list=net_casa
add action=accept chain=forward comment="allow access to AP Mamma" \
dst-address=10.255.254.2 src-address-list=net_casa
# LAN-side counterpart of the 192.168.120.0/24 route: Casa clients may talk to
# the stove through the mAP (the router's own pings are output-chain traffic
# and are not affected by this chain).
add action=accept chain=forward comment="allow access to MCZ" dst-address=\
192.168.120.1 src-address-list=net_casa
# Every LAN network may reach pi-hole (also needed for the dstnat redirect).
add action=accept chain=forward comment="allow access to PiHOLE" dst-address=\
192.168.55.55 in-interface-list=LAN
# Accepts any dst-natted connection: the DNS redirect to pi-hole, and
# presumably also inbound mappings created by UPnP (enabled below for Casa and
# Domus), so any device on those VLANs can expose itself to the Internet.
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="DROP ALL ELSE"
/ip firewall nat
# Outbound masquerade on the PPPoE uplink.
add action=masquerade chain=srcnat out-interface-list=WAN
# Transparent DNS: every LAN query to port 53 from a source not on "excluded"
# is redirected to pi-hole, whatever resolver the client configured.
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
LAN protocol=udp src-address-list=!excluded to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.55.55
/ip firewall service-port
# FTP/H.323/PPTP connection-tracking helpers disabled: less ALG attack surface.
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip route
# Return route for the relayed Mamma pool (10.255.255.0/24) via the Mamma AP.
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
routing-table=main suppress-hw-offload=no
# Forward path to the stove network through the mAP. Whether replies come back
# depends on the mAP/stove side: the mAP export contains no NAT and the stove
# has no known route to 192.168.0.0/24.
add disabled=no distance=1 dst-address=192.168.120.0/24 gateway=192.168.0.110 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip upnp interfaces
# UPnP lets any host on 100-Casa or 400-Domus open inbound ports on the WAN
# side without touching this configuration, and the forward chain accepts
# dst-natted connections. NOTE(review): real exposure; disable unless something
# on those VLANs genuinely needs it.
add interface=provider-pppoe type=external
add interface=100-Casa type=internal
add interface=400-Domus type=internal
add interface=provider-vlan type=external
/ipv6 firewall address-list
# Default-config bogon list; unused while IPv6 is disabled and the filter
# below drops everything.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Belt and braces: IPv6 is already disabled in /ipv6 settings.
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=RB
/system logging
# Default logging rule #2 disabled; the rest are disabled debug/echo entries,
# some duplicated (two identical dhcp echo rules, "info" listed twice in the
# last one). Cleanup candidate, no effect while disabled.
set 2 disabled=yes
add action=echo disabled=yes topics=dhcp
add action=echo disabled=yes topics=dhcp
add disabled=yes topics=wireless
add action=echo disabled=yes topics=wireless
add action=remote disabled=yes topics=wireless
add disabled=yes prefix=dhcp topics=debug
add disabled=yes prefix=wireless topics=debug
add disabled=yes topics=wireless,debug,error,info,info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
# Serves NTP to the LAN (matched by the udp/123 input rule), advertising
# stratum 1 from its own clock even when not synchronised (use-local-clock=yes).
/system ntp server
set enabled=yes local-clock-stratum=1 manycast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/system scheduler
# "DOH Update" -- currently disabled; would run every 3w4d from 2024-02-25 at
# 02:00. Downloads public-dns.info's list of public resolvers in 64512-byte
# ranged fetches, dumps it to check.txt, then adds every line that starts with
# an IPv4-looking pattern to the DNS-DOH address-list -- the list the forward
# chain uses to drop DNS traffic from the "filtered" subnets.
# NOTE(review), worth fixing before re-enabling:
#  - plain http:// with no integrity check: whoever can alter that download
#    decides which destinations Casa/Domus clients are cut off from. Use
#    https:// and cap the accepted size.
#  - the line that would clear the list first is commented out, so every run
#    re-adds existing entries; RouterOS rejects a duplicate address-list add
#    and, with no :do/on-error around it, that presumably stops the script.
#  - :find returns nil once no "\n" remains; the while=($lineEnd < $contentLen)
#    test should be checked against the last line of the file.
#  - the policy list grants policy and sniff, which nothing in the script
#    appears to use; trim it to what fetch and address-list need.
# The identical body exists again as /system script "dot_address" below; the
# scheduler could simply run that script instead of carrying its own copy.
add disabled=yes interval=3w4d name="DOH Update" on-event=":global thefile \"\
\"\r\
\n{\r\
\n :local url http://public-dns.info/nameservers-all.txt ;\r\
\n :local filesize ([/tool fetch url=\$url as-value output=none]->\"d\
ownloaded\")\r\
\n :local maxsize 64512 ; # is the maximum supported readable size o\
f a block from a file\r\
\n :local start 0\r\
\n :local end (\$maxsize - 1)\r\
\n :local partnumber (\$filesize / (\$maxsize / 1024))\r\
\n :local reminder (\$filesize % (\$maxsize / 1024))\r\
\n :if (\$reminder > 0) do={ :set partnumber (\$partnumber + 1) }\r\
\n :for x from=1 to=\$partnumber step=1 do={\r\
\n :set thefile (\$thefile . ([/tool fetch url=\$url http-header-f\
ield=\"Range: bytes=\$start-\$end\" as-value output=user]->\"data\"))\r\
\n :set start (\$start + \$maxsize)\r\
\n :set end (\$end + \$maxsize)\r\
\n }\r\
\n}\r\
\n#:log info \"thefile=\$thefile\"\r\
\n#/file remove [find where name=\"check.txt\"];\r\
\n:execute \":put \\\$thefile\" file=check.txt;\r\
\n\r\
\n:global content value=\$thefile;\r\
\n:local contentLen value=[:len \$content];\r\
\n:local lineEnd value=0;\r\
\n:local line value=\"\";\r\
\n:local lastEnd value=0;\r\
\n:local addressListName;\r\
\n:set addressListName \"DNS-DOH\";\r\
\n\r\
\n:if (\$thefile != null) do={\r\
\n :log info \"There are some New DNS\"\r\
\n #/ip firewall address-list remove [/ip firewall address-list find list\
=\$addressListName]\r\
\n :do {\r\
\n :set lineEnd [:find \$content \"\\n\" \$lastEnd ] ;\r\
\n :set line [:pick \$content \$lastEnd \$lineEnd] ;\r\
\n :set lastEnd ( \$lineEnd + 1 ) ;\r\
\n :local entry [:pick \$line 0 \$lineEnd ]\r\
\n :if (\$entry~\"^[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]\
{1,3}\") do={\r\
\n :if ( [:len \$entry ] > 0 ) do={\r\
\n #:log info \"entry=\$entry\"\r\
\n /ip firewall address-list add list=\$addressListName add\
ress=\$entry;\r\
\n }\r\
\n } \r\
\n } while=(\$lineEnd < \$contentLen);\r\
\n } else={\r\
\n :log info \"There no DNS in list\"\r\
\n} " policy=ftp,read,write,policy,test,sniff start-date=2024-02-25 \
start-time=02:00:00
/system script
# "dot_address": the same body as the "DOH Update" scheduler above, with the
# same caveats (plain-HTTP source with no integrity check, list never cleared
# before re-adding, last-line handling of the :find loop, over-broad policy
# list). dont-require-permissions=no keeps the caller's permission check in
# place. Keep this one copy and have the scheduler run it.
add dont-require-permissions=no name=dot_address owner=RouterOS policy=\
ftp,read,write,policy,test,sniff source=":global thefile \"\"\r\
\n{\r\
\n :local url http://public-dns.info/nameservers-all.txt ;\r\
\n :local filesize ([/tool fetch url=\$url as-value output=none]->\"d\
ownloaded\")\r\
\n :local maxsize 64512 ; # is the maximum supported readable size o\
f a block from a file\r\
\n :local start 0\r\
\n :local end (\$maxsize - 1)\r\
\n :local partnumber (\$filesize / (\$maxsize / 1024))\r\
\n :local reminder (\$filesize % (\$maxsize / 1024))\r\
\n :if (\$reminder > 0) do={ :set partnumber (\$partnumber + 1) }\r\
\n :for x from=1 to=\$partnumber step=1 do={\r\
\n :set thefile (\$thefile . ([/tool fetch url=\$url http-header-f\
ield=\"Range: bytes=\$start-\$end\" as-value output=user]->\"data\"))\r\
\n :set start (\$start + \$maxsize)\r\
\n :set end (\$end + \$maxsize)\r\
\n }\r\
\n}\r\
\n#:log info \"thefile=\$thefile\"\r\
\n#/file remove [find where name=\"check.txt\"];\r\
\n:execute \":put \\\$thefile\" file=check.txt;\r\
\n\r\
\n:global content value=\$thefile;\r\
\n:local contentLen value=[:len \$content];\r\
\n:local lineEnd value=0;\r\
\n:local line value=\"\";\r\
\n:local lastEnd value=0;\r\
\n:local addressListName;\r\
\n:set addressListName \"DNS-DOH\";\r\
\n\r\
\n:if (\$thefile != null) do={\r\
\n :log info \"There are some New DNS\"\r\
\n #/ip firewall address-list remove [/ip firewall address-list find list\
=\$addressListName]\r\
\n :do {\r\
\n :set lineEnd [:find \$content \"\\n\" \$lastEnd ] ;\r\
\n :set line [:pick \$content \$lastEnd \$lineEnd] ;\r\
\n :set lastEnd ( \$lineEnd + 1 ) ;\r\
\n :local entry [:pick \$line 0 \$lineEnd ]\r\
\n :if (\$entry~\"^[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]\
{1,3}\") do={\r\
\n :if ( [:len \$entry ] > 0 ) do={\r\
\n #:log info \"entry=\$entry\"\r\
\n /ip firewall address-list add list=\$addressListName add\
ress=\$entry;\r\
\n }\r\
\n } \r\
\n } while=(\$lineEnd < \$contentLen);\r\
\n } else={\r\
\n :log info \"There no DNS in list\"\r\
\n} "