Community discussions

MikroTik App
  4. RouterOS
  5. General

Subnet Routing Config Trouble

Post Reply
 
jlxl
just joined
Topic Author
Posts: 24
Joined: Fri Jun 01, 2007 7:25 pm

Subnet Routing Config Trouble

Wed Jul 16, 2008 11:20 pm

I feel dumb for asking this since it would seem simple enough. I have a small LAN that I was brought into that is an existing /24 network with ip addresses used up all over this space that I cannot change at this time to make subnetting easier. We are joining a new small dept to this LAN as a subnet by adding another router into the mix. Routes R1 and R2 are both mikrotik RB532's running ROS 3.10.

The R1 router is configured to use NAT (src-nat / masquerade).
R1 has ether1 going to the internet, ether2 going to a switch which goes to R2
The R2 router: I am trying to avoid double-natting. It has no firewall rules and no nat rules.
R2 has ether1 going to ether2 on R1 via the switch, and ether2 going to the new LAN subnet

A small pdf drawing is attached of the setup if it helps visualize.
subnet.pdf

I have static routes for R1 to the LAN on R2 and vice versa.
I can ping internally across subnets, but I cannot ping anything public from R2

R1 Routes
Code: Select all
 #      DST-ADDRESS        PREF-SRC        GATEWAY-STATE GATEWAY                 DISTANCE INTERFACE       
 0 ADS  0.0.0.0/0                          reachable     XX.XX.XX.1             0        ether1          
 1 A S  10.10.10.0/24                      reachable     192.168.1.3             1        ether2          
 2 ADC  XX.XX.XX.0/24     XX.XX.XX.XXX                                         0        ether1          
 3 ADC  192.168.1.0/24     192.168.1.1                                           0        ether2


R2 Routes
Code: Select all
 #      DST-ADDRESS        PREF-SRC        GATEWAY-STATE GATEWAY            DISTANCE INTERFACE   
 0 A S  0.0.0.0/32                         reachable     192.168.1.1        1        ether1      
 1 ADC  10.10.10.0/24     10.10.10.1                                       0        ether2  
 2 ADC  192.168.1.0/24     192.168.1.3                                      0        ether1
I am lacking something here, can this be done or am I an idiot? I appreciate any help anyone can give on getting this type of scenario to work. Thanks for your time,
You do not have the required permissions to view the files attached to this post.
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Subnet Routing Config Trouble

Thu Jul 17, 2008 1:32 am

In R1, what do you have in
/ip firewall filter
Anything there that would stop R2? It would be a forward rule maybe?
Top
 
jlxl
just joined
Topic Author
Posts: 24
Joined: Fri Jun 01, 2007 7:25 pm

Re: Subnet Routing Config Trouble

Thu Jul 17, 2008 3:28 am

This is the Firewall for router R1:
Code: Select all
[admin@CLYCLPTEST] > ip firewall filter pr
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Drop Public Broadcast Traffic
     chain=input action=drop dst-address-type=broadcast,multicast in-interface=ether1 

 1 X ;;; Disable Open Proxy
     chain=input action=drop src-address=0.0.0.0/0 in-interface=ether1 dst-port=8080 protocol=tcp 

 2   ;;; Allow Known Public Addresses
     chain=input action=accept src-address-list=Allow 

 3   ;;; Allow Established Connections
     chain=input action=accept connection-state=established 

 4   ;;; Allow Related Connections
     chain=input action=accept connection-state=related 

 5   ;;; Drop Invalid Connections
     chain=input action=drop connection-state=invalid 

 6   ;;; Allow Pings on all Interfaces
     chain=input action=accept protocol=icmp limit=5,5 

 7   ;;; Allow Lan
     chain=input action=accept in-interface=ether2 

 8   ;;; Allow Remote SSH
     chain=input action=accept in-interface=ether1 dst-port=22 protocol=tcp 

 9   ;;; Drop Everything Else
     chain=input action=drop 

10   ;;; Limit Single User Connections
     chain=forward action=drop protocol=tcp connection-limit=50,32 

11   ;;; Block Spamming
     chain=forward action=drop src-address-list=spammer dst-port=25 protocol=tcp 

12   ;;; Add Spam IP Addresses to a Block List
     chain=forward action=add-src-to-address-list address-list=spammer address-list-timeout=0s dst-port=25 protocol=tcp connection-limit=30,32 limit=50,5
Code: Select all
[admin@CLYCLPTEST] > ip firewall nat pr detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; NAT
     chain=srcnat action=masquerade 

 1 X ;;; Proxy
     chain=dstnat action=redirect to-ports=8080 dst-port=80 protocol=tcp
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Subnet Routing Config Trouble

Thu Jul 17, 2008 4:28 am

On your nat rules, the masquerade rule should have an interface entry
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
Top
 
jlxl
just joined
Topic Author
Posts: 24
Joined: Fri Jun 01, 2007 7:25 pm

Re: Subnet Routing Config Trouble

Thu Jul 17, 2008 5:12 am

On R1, changed the outgoing interface to be ether1 for the masquerade nat rule.

Logged into R2 and tried to ping 64.233.167.104 (google) and still got a no route to host.
From R2 I can ping 192.168.1.1
From a pc behind R2 on the 10.10.10.0 LAN, I can ping 192.168.1.1 also, but nothing public (which I assumed)

So R2 traffic can get to the LAN default gateway on R1, but cannot get out past there. This doesn't make any sense to me at all as to why. To me, the R2 traffic should look like it's coming from 192.168.1.3 since it is directly connected and on the same subnet, so what is the problem. Apparently my lack of knowledge is one part of the equation....


Thanks for the help thus far, please keep the ideas coming.
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Subnet Routing Config Trouble

Fri Jul 18, 2008 12:08 am

Haven't talked IP addreses yet.
R1 ether2 interface should be assigned 192.168.1.1/24
R2 ether1 interface should be assigned 192.168.1.3/24
R2 ether2 interface should be assigned 10.10.10.1/24

And the part about looking like 192.168.1.3, no. Unless you srcnat or masquerade R2, then all maintain their original IP address to R1 ether2. Between R1 ether2 and R1 ether 1, they will be masqueraded. To the world, they will appear as the IP of R1 ether1. You are ok there. There is a gateway route in R1 for the 10.10.10.0/24 net. That would be the only set it would not know how to find.
Top
 
fearthewopr
just joined
Posts: 4
Joined: Thu Feb 16, 2006 11:18 pm

Re: Subnet Routing Config Trouble

Thu Aug 07, 2008 10:01 pm

any update to this? i having a very similar problem.
Top
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Subnet Routing Config Trouble

Thu Aug 07, 2008 10:53 pm

I don't know about yours, but I think I spotted the challenge jlxl has.
It appears the default gateway route on R1 is not correct. That first line should be
0 A S 0.0.0.0/0 r x.x.x.x 1 ether1
The "0" after the gateway IP should be a "1". That "0" indicates a local interface. The default gateway should show a "1" under distance.
The gateway IP should be the one your ISP gave you with your IP/netmask and dns servers. Insure you did not assign the gateway IP to ether1 too.
Top
Post Reply

Who is online

Users browsing this forum: baragoon, junbr0, Tommy88 and 22 guests
  4. RouterOS
  5. General