Hey
I recently configured a Mikrotik RB951Ui-2HND on my network. I use a Load Balancing Router to aggregate my links the i pass the link to a 172.16.0.0 network which serves as a WAN link for the Mikrotik which serves as the gateway for my 10.0.0.0/16 Network. I am able to ping all hosts on the 172.16.0.0 network but i cannot get any host on the 172.16.0.0 network to ping a host on the 10.0.0.0 network. II can only ping the gateway 10.0.0.1. I have checked my firewall rules and the only rule there is the masquerade for the WAN. what could be blocking the pings to the 10.0.0.0 network hosts.
I figured it must have somthing to do with the router since i can ping its gateway. Please help
Re: ICMP Blocked in LAN
When you want to do pure routing and want it to work both ways you must remove the masquerade
entry. It is for NAT routers, which of course work only one way (as NAT routers always do).
entry. It is for NAT routers, which of course work only one way (as NAT routers always do).
Re: ICMP Blocked in LAN
Do your host on the 172.16.0.0 network have proper routes installed, telling them to reach the 10.0.0.0 network via a certain 172.16.0.x IP ?
Enable proxy ARP on your MT wan interface?
Enable proxy ARP on your MT wan interface?
Re: ICMP Blocked in LAN
This sounds like the filter rules > forward chain is your problem.
Or else it's a policy routing issue.
Filters:
10.0.0.1 is reached via the input chain since it's one of the router's IP addresses, and that's why that one address works.
Traffic from 172.16.x.x for the rest of 10.0.x.x will go through the FORWARD chain instead.
The default firewall configuration in Mikrotik basically allows LAN -> WAN but denies all others - when you add a second LAN network, the firewall probably doesn't know that this is also a LAN.
In general, whatever rule allows 10.0.x.x to go out should either...
a) be duplicated and also allow 172.16.x.x
b) if it matches using the src IP addresses, then modify the rule to use an address-list and put 10.0.0.0/16 and 172.16.0.0/16 in your address list.
c) if it matches using the in-interface, then modify it to use in-interface-list and put the two LAN interfaces into an address list (call the list "LAN-interfaces" or something obvious like that)
I like option C the best because you can change IP address ranges w/o needing to modify your firewall anymore, and if you add/move/change which interfaces are "lan" interfaces, then you just add/remove/change them in the interface list.
If it's policy-routing related, then you need to make sure that 10.0.0.0/16 and 172.16.0.0/16 are exempted from policy routing:
/ip route rule add action=lookup-only-in-table table=main dst-address=10.0.0.0/16
/ip route rule add action=lookup-only-in-table table=main dst-address=172.16.0.0/16
Or else it's a policy routing issue.
Filters:
10.0.0.1 is reached via the input chain since it's one of the router's IP addresses, and that's why that one address works.
Traffic from 172.16.x.x for the rest of 10.0.x.x will go through the FORWARD chain instead.
The default firewall configuration in Mikrotik basically allows LAN -> WAN but denies all others - when you add a second LAN network, the firewall probably doesn't know that this is also a LAN.
In general, whatever rule allows 10.0.x.x to go out should either...
a) be duplicated and also allow 172.16.x.x
b) if it matches using the src IP addresses, then modify the rule to use an address-list and put 10.0.0.0/16 and 172.16.0.0/16 in your address list.
c) if it matches using the in-interface, then modify it to use in-interface-list and put the two LAN interfaces into an address list (call the list "LAN-interfaces" or something obvious like that)
I like option C the best because you can change IP address ranges w/o needing to modify your firewall anymore, and if you add/move/change which interfaces are "lan" interfaces, then you just add/remove/change them in the interface list.
If it's policy-routing related, then you need to make sure that 10.0.0.0/16 and 172.16.0.0/16 are exempted from policy routing:
/ip route rule add action=lookup-only-in-table table=main dst-address=10.0.0.0/16
/ip route rule add action=lookup-only-in-table table=main dst-address=172.16.0.0/16
Re: ICMP Blocked in LAN
Boss!!This sounds like the filter rules > forward chain is your problem.
Or else it's a policy routing issue.
Filters:
10.0.0.1 is reached via the input chain since it's one of the router's IP addresses, and that's why that one address works.
Traffic from 172.16.x.x for the rest of 10.0.x.x will go through the FORWARD chain instead.
The default firewall configuration in Mikrotik basically allows LAN -> WAN but denies all others - when you add a second LAN network, the firewall probably doesn't know that this is also a LAN.
In general, whatever rule allows 10.0.x.x to go out should either...
a) be duplicated and also allow 172.16.x.x
b) if it matches using the src IP addresses, then modify the rule to use an address-list and put 10.0.0.0/16 and 172.16.0.0/16 in your address list.
c) if it matches using the in-interface, then modify it to use in-interface-list and put the two LAN interfaces into an address list (call the list "LAN-interfaces" or something obvious like that)
I like option C the best because you can change IP address ranges w/o needing to modify your firewall anymore, and if you add/move/change which interfaces are "lan" interfaces, then you just add/remove/change them in the interface list.
If it's policy-routing related, then you need to make sure that 10.0.0.0/16 and 172.16.0.0/16 are exempted from policy routing:
/ip route rule add action=lookup-only-in-table table=main dst-address=10.0.0.0/16
/ip route rule add action=lookup-only-in-table table=main dst-address=172.16.0.0/16
Works for me after suffering for so long!