[SOLVED] Default route to Internet

Posted: Mon Nov 02, 2015 10:44 pm
by downther0ad
Hello,

I have a router (RB2011UiAS-RM) that has static IP and DNS addresses and is able to connect to the Internet without any issues (ping tests).

I tried to use the default network (192.168.88.0) with a laptop to communicate with the other network, and I wasn't able to. I tried configurations of scope and target scope unsuccessfully.

I attach network flow.

Any suggestions?

**edit [solved] post #10**

Re: Default route to Internet

Posted: Tue Nov 03, 2015 11:19 am
by pukkita
Do you have srcnat active for the WAN interface?

Re: Default route to Internet

Posted: Tue Nov 03, 2015 11:41 am
by tslytsly
Hi,

Can you post your NAT rules?

You can do this using the terminal with the command:
ip firewall nat print
If you're not sure how to use the terminal then take a screen shot of the NAT config page: IP > Firewall > NAT.

Make sure you obscure any public IP info!

Posted: Tue Nov 03, 2015 12:20 pm
by jarda
You need a masquerade rule, and it is advisable to have the DHCP server provide all necessary IP settings to the LAN-connected devices.

Re: Default route to Internet

Posted: Tue Nov 03, 2015 1:25 pm
by OlofL
```
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=ether3 action=masquerade
```

Meaning: packets coming in to the router with an address in 192.168.88.0/24 will be source-NATed with the masquerade technique (meaning it will use the address of the outgoing interface), ether3.

Re: Default route to Internet

Posted: Tue Nov 03, 2015 4:34 pm
by downther0ad
Thanks for the reply!

I currently have this conf:
```
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    bridge-local
 1   200.200.200.88/24  200.200.200.0   ether3
[admin@MikroTik] > /interface print where running
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE         MTU L2MTU  MAX-L2MTU MAC-ADDRESS
 2  RS ether3                              ether       1500  1598       4074 4C:5E:0C:43:91:95
 4  RS ether5                              ether       1500  1598       4074 4C:5E:0C:43:91:97
11  R  bridge-local                        bridge      1500  1598            4C:5E:0C:43:91:94
[admin@MikroTik] > /ip dns static print
Flags: D - dynamic, X - disabled, R - regexp
 #     NAME                                                     ADDRESS                                                                                    TTL
 0     router                                                   192.168.88.1                                                                               1d
[admin@MikroTik] > /ip dns print
                servers: 200.200.200.250
        dynamic-servers:
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 38KiB
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway

 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

 2   chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=ether3
```
and from the router I'm able to do this:
```
[admin@MikroTik] > ping www.lufthansa.com
HOST                                     SIZE TTL TIME  STATUS
172.229.169.118                            56  53 99ms
172.229.169.118                            56  53 99ms
172.229.169.118                            56  53 98ms
```
but from my laptop I got this:
```
# ping www.lufthansa.com
PING e2929.g.akamaiedge.net (172.229.169.118) 56(84) bytes of data.
From router (192.168.88.1): icmp_seq=2 Redirect Host(New nexthop: 200.200.200.250)
From router (192.168.88.1): icmp_seq=4 Redirect Host(New nexthop: 200.200.200.250)
From router (192.168.88.1): icmp_seq=6 Redirect Host(New nexthop: 200.200.200.250)
# nslookup www.lufthansa.com
Server:		192.168.88.1
Address:	192.168.88.1#53

Non-authoritative answer:
www.lufthansa.com	canonical name = lufthansa.com.edgekey.net.
lufthansa.com.edgekey.net	canonical name = lufthansa.com.edgekey.net.globalredir.akadns.net.
lufthansa.com.edgekey.net.globalredir.akadns.net	canonical name = e2929.g.akamaiedge.net.
Name:	e2929.g.akamaiedge.net
Address: 172.229.169.118
```

The browser on the laptop doesn't navigate, so currently it's more related to a laptop misconfiguration than to the router, right?

Re: Default route to Internet

Posted: Fri Nov 06, 2015 10:24 am
by tslytsly
This looks like your routing is set up wrong. Can you please post the output from `ip route print`?

Also, you have too many masquerade rules. You should only have the `chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=ether3` one; the others need to be removed.

Re: Default route to Internet

Posted: Fri Nov 06, 2015 6:26 pm
by downther0ad
My `ip route print` is:

```
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          200.200.200.250           1
 1 ADC  192.168.88.0/24    192.168.88.1    bridge-local              0
 2 ADC  200.200.200.0/24   200.200.200.88  bridge-local              0
```

About `/ip firewall nat`: when I deleted 0 and 1, I didn't even get the Redirect Host message when pinging.

Re: Default route to Internet

Posted: Sat Nov 07, 2015 11:29 am
by tslytsly
I think part of the issue is that your public interface and private interface are on the same bridge.

Remove ether3 from bridge-local.
Then remove the public IP from bridge-local and add it to just ether3.

Re: Default route to Internet

Posted: Tue Nov 10, 2015 5:44 pm
by downther0ad
OK, now I have this:

```
[admin@MikroTik] /ip firewall nat> /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.88.0/24    192.168.88.1    ether5                    0
 1 ADC  200.200.200.0/24   200.200.200.88  ether3                    0

[admin@MikroTik] /ip firewall nat> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway

 1 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway

 2   chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=ether3
```

Note that 0 and 1 are disabled in NAT.

With this conf I'm still unable to see 200.200.200.0/24 from 192.168.88.0/24.

Any suggestions?

**update**

With the above configuration, and even with rules 0 and 1 enabled, I am able to ping 200.200.200.0/24 from 192.168.88.0/24, so it seems that the problem was that both interfaces were on the same bridge.

Despite the above, I am not able to ping 8.8.8.8, so currently I can only connect to the router's gateway and not beyond.

[SOLVED] Re: Default route to Internet

Posted: Tue Nov 10, 2015 10:41 pm
by downther0ad
**solved** routing rule was needed

So, my config is:

```
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          200.200.200.250           1
 1 ADC  192.168.88.0/24    192.168.88.1    ether5                    0
 2 ADC  200.200.200.0/24   200.200.200.88  ether3                    0
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway

 1 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway

 2   chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=ether3
```

Not sure if disabling 0 and 1 is needed.

```
[admin@MikroTik] /ip route> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0 X ;;; default configuration
     192.168.88.1/24    192.168.88.0    bridge-local
 1   200.200.200.88/24  200.200.200.0   ether3
 2   192.168.88.1/24    192.168.88.0    ether5
```

Thanks for your help!
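
Added example, not part of any post in the thread: a simplified Python model of the router's forwarding decision, run over the three route tables posted above, showing why the bridged setup produced "Redirect Host", why the split setup without a default route reached only the gateway, and why the final table works. The laptop address `192.168.88.10`, the function names, and the rule "redirect when a packet would leave on the interface it arrived on" are assumptions of this model, not RouterOS code.

```python
import ipaddress

# Route tables transcribed from the thread's `/ip route print` outputs as
# (destination, gateway or None if connected, interface or None if via gateway).
BRIDGED = [("0.0.0.0/0", "200.200.200.250", None),
           ("192.168.88.0/24", None, "bridge-local"),
           ("200.200.200.0/24", None, "bridge-local")]
SPLIT_NO_DEFAULT = [("192.168.88.0/24", None, "ether5"),
                    ("200.200.200.0/24", None, "ether3")]
SOLVED = [("0.0.0.0/0", "200.200.200.250", None)] + SPLIT_NO_DEFAULT
NAT_RULE = ("192.168.88.0/24", "ether3")  # rule 2: src-address, out-interface


def lookup(routes, ip):
    """Longest-prefix match; returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(net), gw, ifc) for net, gw, ifc in routes
            if addr in ipaddress.ip_network(net)]
    if not hits:
        return None
    _, gw, ifc = max(hits, key=lambda h: h[0].prefixlen)
    return gw, ifc


def egress(routes, ip):
    """Outgoing interface for ip; a gateway is resolved via connected routes."""
    hit = lookup(routes, ip)
    if hit is None:
        return None
    gw, ifc = hit
    if ifc is not None:
        return ifc
    connected = [r for r in routes if r[1] is None]
    via = lookup(connected, gw)
    return via[1] if via else None


def forward(routes, src, dst):
    """Simplified model of what the router does with a packet from src to dst."""
    ingress, out = egress(routes, src), egress(routes, dst)
    if out is None:
        return "no route"
    if out == ingress:  # leaves where it arrived: router tells host to go direct
        return "icmp redirect"
    nat = ipaddress.ip_address(src) in ipaddress.ip_network(NAT_RULE[0]) \
        and out == NAT_RULE[1]
    return f"forward {ingress}->{out}" + (" masquerade" if nat else "")


LAPTOP = "192.168.88.10"  # constructed LAN host address, not from the thread
```
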