IP segment on a router after Mikrotik doesn't work
Posted: Mon Jun 02, 2014 4:32 pm
Good day all,
I have a question; hopefully I can get some answers.
I set up a basic working unit with an RB2011 (version 6.13), and I have another router (Windows RRAS, a VM, for my lab usage only) behind the MikroTik with a different IP segment.
I already have a static route added to the RB2011. While I can ping the other segment from the MikroTik segment, I cannot do the same from the other side: I can only ping the MikroTik router itself but not the MikroTik segment. However, ONLY 1 IP can get through, which I had no idea about.
10.0.1.0/24 is the mikrotik segment
10.1.0.0/16 is the lab segment
After some checking, I noticed that the filter rules are blocking it, as I have 1 rule that drops INVALID and another 1 that drops everything (lowest).
Disabling either one doesn't work; however, disabling both works.
And even after some testing, I found that I need to add a filter rule on top of all the forward rules, even before the INVALID one, with Destination Address set to the 10.1.0.0/16 segment only; then it works.
Questions:
1) While I already found the workaround, I am not sure if this is the correct way to do it. Can anyone here please tell me why packets from other IP segments are considered INVALID?
2) I have other IP segments, which are the PPTP server IP range and 1 remote IP range (tunneled into the PPTP server), that I set up last time and put in between the INVALID and DROP everything rules, and it works. Why?
3) Please suggest a better way if there is any. (If I put the lab segment into an address list, would that help?)
Below are the filter rules for reference (forward chain only):
7 chain=forward action=accept dst-address=10.1.0.0/16
8 ;;; Disallow weird packets
chain=forward action=drop connection-state=invalid in-interface=br.local
9 ;;; Allow LAN access to router and Internet
chain=forward action=accept connection-state=new
10 ;;; Allow connections that originated from LAN
chain=forward action=accept connection-state=established
11 ;;; Allow connections that originated from LAN
chain=forward action=accept connection-state=related
12 ;;; Allow NAT ports TCP - pppoe.unifi
chain=forward action=accept protocol=tcp in-interface=pppoe.unifi dst-port=443,3389,5000,5080,6690,7331,8080,9443,16883,27950,27952,27960,27965
13 ;;; Allow NAT ports UDP - pppoe.unifi
chain=forward action=accept protocol=udp in-interface=pppoe.unifi dst-port=27950,27952,27960,27965
14 X ;;; DMZ ports - pptp.vpnplant
chain=forward action=accept in-interface=pptp.vpnplant
15 ;;; DMZ ports - pptp.purevpn-my
chain=forward action=accept in-interface=pptp.purevpn-my
16 ;;; PPTP Server - Tunnels IP Range
chain=forward action=accept src-address=172.16.1.0/24
17 chain=forward action=accept src-address=10.0.10.0/24
18 ;;; Disallow anything from anywhere on any interface
chain=forward action=drop
Thank you very much in advance!
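Added example (not from the original post or from RouterOS itself): a toy first-match model of the forward chain above with a minimal connection tracker, showing why a reply that enters br.local without the router ever having seen the matching request (the request went straight from the RRAS router to the LAN host on the same segment) is classified INVALID and hits rule 8, why the rule-7 workaround only works ahead of rule 8, and why the symmetric PPTP flows pass as new/established. Interface name "pptp-server" and host addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Forward chain as posted (rule numbers from the post), without the rule-7 workaround.
BASE_RULES = [
    ("8", "drop", {"state": "invalid", "in_if": "br.local"}),
    ("9", "accept", {"state": "new"}),
    ("10", "accept", {"state": "established"}),
    ("11", "accept", {"state": "related"}),
    ("16", "accept", {"src": "172.16.1.0/24"}),
    ("17", "accept", {"src": "10.0.10.0/24"}),
    ("18", "drop", {}),
]
WORKAROUND = ("7", "accept", {"dst": "10.1.0.0/16"})  # the poster's rule 7

def conntrack_state(seen, pkt):
    """Toy tracker: a request opens a flow; a reply with no tracked flow is INVALID."""
    key = frozenset((pkt["src"], pkt["dst"]))
    if pkt["reply"]:
        return "established" if key in seen else "invalid"
    if key in seen:
        return "established"
    seen.add(key)
    return "new"

def matches(cond, pkt, state):
    checks = {
        "state": lambda v: v == state,
        "in_if": lambda v: v == pkt["in_if"],
        "out_if": lambda v: v == pkt["out_if"],
        "src": lambda v: ip_address(pkt["src"]) in ip_network(v),
        "dst": lambda v: ip_address(pkt["dst"]) in ip_network(v),
    }
    return all(checks[k](v) for k, v in cond.items())

def forward(rules, seen, pkt):
    """First matching rule wins; RouterOS accepts when nothing in the chain matches."""
    state = conntrack_state(seen, pkt)
    for num, action, cond in rules:
        if matches(cond, pkt, state):
            return (num, action, state)
    return ("policy", "accept", state)

# Constructed packets. Lab host 10.1.0.5 pings 10.0.1.20: the request reaches 10.0.1.20
# directly from the RRAS router (same L2 segment), so the MikroTik only ever sees the
# reply, which 10.0.1.20 sends to its default gateway and which is forwarded back out
# br.local toward the RRAS router.
REPLY_ONLY = [{"src": "10.0.1.20", "dst": "10.1.0.5", "in_if": "br.local", "out_if": "br.local", "reply": True}]
# Symmetric case: both directions of a flow to the PPTP tunnel range cross the router.
SYMMETRIC = [{"src": "10.0.1.20", "dst": "172.16.1.5", "in_if": "br.local", "out_if": "pptp-server", "reply": False},
             {"src": "172.16.1.5", "dst": "10.0.1.20", "in_if": "pptp-server", "out_if": "br.local", "reply": True}]

def run(rules, packets):
    seen = set()
    return [forward(rules, seen, p) for p in packets]
```

The model also shows why a narrower fix is possible: only hairpin forwards (in_if and out_if both br.local) need an accept ahead of rule 8, or the 10.0.1.0/24 hosts can be given a route to 10.1.0.0/16 via the RRAS router so the MikroTik sees neither direction of that traffic.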