Probably really messed this up, but it seems like there should be a way to make this work.
I wish to note right now that I am having to fix this remotely so a complete reset is not an option.
I have a main MK router (MK1), which is the router to the Internet and firewall. It hosts DHCP for internal 192.168.1.0/24. It's IP is 192.168.1.1
Another MK router (MK2) has a client IP of 192.168.1.154. But it too hosts DHCP for 192.168.88.0/24. It is connected to ETH10 on MK1.
Of course all client on the 88.0 network can access the 1.0 network no problem. But not visa versa.
It seems to me there should be a way to route traffic from the 1.0 network over to the 88.0 network. But so far I have not figured it out.
There is effectively pretty much no firewall on MK2 since it's not necessary. However, just to be certain that that wasn't an issue, I added a firewall rule to allow all traffic from 1.0 to 88.0, just as I have on MK1.
I've seen set ups on the web where there is a completely different subnet between the 2 MK's. But I don't think that'll be an option considering that I'm having to remote in.
Any advice that solves the issue would be greatly appreciated.
Re: route to another MK
Here's the routing tables. You see I created the 4th one, but, it no work....
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
2 ADC 192.168.1.0/24 192.168.1.1 bridge 0
3 ADC 192.168.23.0/24 192.168.23.1 bridge-guests 0
4 AS 192.168.88.0/24 192.168.1.154 2
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
2 ADC 192.168.1.0/24 192.168.1.1 bridge 0
3 ADC 192.168.23.0/24 192.168.23.1 bridge-guests 0
4 AS 192.168.88.0/24 192.168.1.154 2
Re: route to another MK
On MK1, it is a simple route:
On MK2, you will need to exclude 192.168.1.0/24 from the default src-nat rule (using dst-address=!192.168.1.0/24 or address list) or disable the scr-nat rule on MK2 and let MK1 handle all for both (the default src-nat rule on MK1 will work for both.)
Edit: I see you already have half of it!
Code: Select all
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.1.154Edit: I see you already have half of it!
Re: route to another MK
2frogs! Thank you so much for the reply.
On MK2 the NAT config is:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
But you're saying it should be:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade dst-address=!192.168.1.0/24 out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
[admin@MikroTik] /ip firewall nat>
Doesn't seem to work.....
On MK2 the NAT config is:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
But you're saying it should be:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade dst-address=!192.168.1.0/24 out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
[admin@MikroTik] /ip firewall nat>
Doesn't seem to work.....
Re: route to another MK
I then tried disabling src-nat, but that also isn't working....
Wait I'm just masquerading..... I should be doing something else, no?
Ok I changed it to:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
1 chain=srcnat action=accept dst-address=!192.168.1.0/24 log=no log-prefix=""
Still not working.
Wait I'm just masquerading..... I should be doing something else, no?
Ok I changed it to:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
1 chain=srcnat action=accept dst-address=!192.168.1.0/24 log=no log-prefix=""
Still not working.
Re: route to another MK
Do you still have the default filter rules on MK2? The last one for chain=forward is to drop every thing not dst-nat, so you would need to disable it or add an accept above it for the other network.
If you are still having issues, from terminal do /export hide-sensitive filename=myexport. You can download the myexport.rsc from each and use your favorite text editor to remove any other sensitve/personal information and post them in the code wrapper.
Code: Select all
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 action=acceptRe: route to another MK
Here are the rules. You see the 3rd rule I would have hoped allowed anything from the other network.
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; winbox http
chain=input action=accept protocol=tcp src-address=192.168.1.0/24 dst-port=80 log=no log-prefix=""
3 chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 log=no log-prefix=""
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; winbox http
chain=input action=accept protocol=tcp src-address=192.168.1.0/24 dst-port=80 log=no log-prefix=""
3 chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 log=no log-prefix=""
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Re: route to another MK
You are routing to 192.168.88.0/24, but that filter rule is for traffic destined to 192.168.2.0/24. So which one are you trying to reach?
Re: route to another MK
I'll delete the 88.0 dst. But yeah, that's exactly what I need to reach from 1.0 network.
OMG! I had 2.0 in there. Now I see. I'm an idiot.....
OMG! I had 2.0 in there. Now I see. I'm an idiot.....
Re: route to another MK
OK, I think it's starting to work!
Thank you SO MUCH TWOFROGS!!!!!!!
How many times did I look at the rules and the 2 never set off an alarm!!!!
Thank you SO MUCH TWOFROGS!!!!!!!
How many times did I look at the rules and the 2 never set off an alarm!!!!