RB750 GRRRR

Subways81

Hi All,

I don't know what I'm missing, hopefully someone here can help.

I have a MikroTik RB750
ether 1 connects to my ADSL
ether 2 connects to my house - 192.168.1.0/24
ether 5 connects to my neighbour - 192.168.2.0/24

We can both access the internet, we can both ping both default gateways (i.e. 192.168.1.1 and 192.168.2.1) but for the life of me I cannot get either side to be able to ping devices on the opposite side (hope this makes sense).

I have disabled firewalls on all PCs, hoping this was the issue, but it didn't help.

Also, tracert from say 192.168.1.5 to 192.168.2.5 will end at 192.168.1.1, I thought it would at least get to 192.168.2.1 since I can ping that gateway.

The default routes are there, only ether 1 is masqueraded and I have rate limited ether 5 to 1mbps
----------------------------------------------------------------
> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=Interwebs

1 I chain=srcnat action=masquerade out-interface=FNBConnect

----------------------------------------------------------------
> ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
----------------------------------------------------------------
> ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 xxx.xxx.x.x 1
1 ADC xxx.xxx.x.x/32 xxx.xxx.xx.xxx Interwebs 0
2 ADC 192.168.1.0/24 192.168.1.1 ether2-Our-House 0
3 ADC 192.168.2.0/24 192.168.2.1 ether5-Neighbour 0
4 ADC 192.168.3.0/24 192.168.3.1 ether3 0


Any ideas?
 
Just add one masquerade rule - chain=srcnat action=masquerade out

Is the RB750 the gateway for both PCs in the different subnets, in each individual range?
 
By "opposite sides" do you imply that devices from the 192.168.1.0/24 subnet cannot contact/ping 192.168.2.0/24 devices, and vice versa?

Only IP Firewall Filter (forward) rules should apply there, besides basic routing.

Secondly, make sure that you don't have any interfaces set to SLAVE mode!
 
Just add one masquerade rule - chain=srcnat action=masquerade out

Is the RB750 the gateway for both PCs in the different subnets, in each individual range?

I was under the impression that I would need 2 masquerade rules as I have 2 PPPoE connections; only one is active at a time, but this way it makes it simple to switch back and forth.

By "opposite sides" do you imply that devices from the 192.168.1.0/24 subnet cannot contact/ping 192.168.2.0/24 devices, and vice versa?

Only IP Firewall Filter (forward) rules should apply there, besides basic routing.

Secondly, make sure that you don't have any interfaces set to SLAVE mode!

You are correct, devices from 192.168.1.0/24 cannot ping devices on 192.168.2.0/24 BUT devices from both sides CAN ping both 192.168.1.1 and 192.168.2.1

As far as I can see it should be working. Currently I have no active filters.

No interfaces in Slave or Master roles, factory switch config was completely removed.
 
I'd leave the masquerade rules as 2 separate rules, because that's how I also have mine for like 4 connections.

If the 192.168.1.0/24 devices cannot ping 192.168.2.0/24, then make sure that both devices' IP address configurations are correct.
e.g. IP address = 192.168.1.x/24, subnet mask = 255.255.255.0, default gateway = 192.168.1.x for the 192.168.1.0/24 one
and IP address = 192.168.2.x/24, subnet mask = 255.255.255.0, default gateway = 192.168.2.x for the 192.168.2.0/24 one

If their IP addresses are correct and you still cannot ping each other, then all I can think of is that you have those interfaces bridged or in a master/slave configuration!

Also ensure that the Switch > Ports are all configured to use VLAN fallback, and that the Switch doesn't have "Switch All Ports" option selected.

If none of the above made any difference, then run the following: /export hide-sensitive
and then you can Email it to me or someone else to have a look at.

Lastly, make sure that you have the latest version of ROS 5 installed. v6 may also work I'd guess?
 
I'd leave the masquerade rules as 2 separate rules, because that's how I also have mine for like 4 connections.

If the 192.168.1.0/24 devices cannot ping 192.168.2.0/24, then make sure that both devices' IP address configurations are correct.
e.g. IP address = 192.168.1.x/24, subnet mask = 255.255.255.0, default gateway = 192.168.1.x for the 192.168.1.0/24 one
and IP address = 192.168.2.x/24, subnet mask = 255.255.255.0, default gateway = 192.168.2.x for the 192.168.2.0/24 one

All IP settings are correct, and issued by the relevant DHCP scopes on the RB750.

If their IP addresses are correct and you still cannot ping each other, then all I can think of is that you have those interfaces bridged or in a master/slave configuration!
No bridged interfaces and no Master or Slave ports

Also ensure that the Switch > Ports are all configured to use VLAN fallback, and that the Switch doesn't have "Switch All Ports" option selected.

All ports are configured with VLAN Fallback, "Switch All Ports" is not checked.

If none of the above made any difference, then run the following: /export hide-sensitive
and then you can Email it to me or someone else to have a look at.

Lastly, make sure that you have the latest version of ROS 5 installed. v6 may also work I'd guess?

Running on version 5.24.

I'll run the export and forward it to you, thanks for the help Pada, really appreciate it.
 
Sorted, added another Masquerade, this time on ether 2. Can ping from the 192.168.2.0/24 to 1.0/24 networks now.
 
That's exactly what the
chain=srcnat action=masquerade
would have done in any case
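The rule sets discussed in this thread, modelled as an added example (not code from any poster and not RouterOS itself): it shows which source address a host on the far LAN sees for each srcnat rule set, for both directions between 192.168.1.5 and 192.168.2.5. Assumptions: 203.0.113.10 is a constructed placeholder for the masked Interwebs address, only the out-interface matcher is modelled, and the invalid FNBConnect rule and connection tracking are left out.

```python
import ipaddress

# Connected routes and router addresses from the thread's "ip route print".
# The Interwebs address is masked on the page; 203.0.113.10 is a constructed placeholder.
INTERFACES = {
    "ether2-Our-House": ("192.168.1.0/24", "192.168.1.1"),
    "ether5-Neighbour": ("192.168.2.0/24", "192.168.2.1"),
    "ether3": ("192.168.3.0/24", "192.168.3.1"),
    "Interwebs": ("0.0.0.0/0", "203.0.113.10"),
}

# srcnat rule sets; out_interface=None means the rule has no out-interface matcher.
ORIGINAL = [{"action": "masquerade", "out_interface": "Interwebs"}]
WITH_ETHER2 = ORIGINAL + [{"action": "masquerade", "out_interface": "ether2-Our-House"}]
CATCH_ALL = [{"action": "masquerade", "out_interface": None}]


def egress_interface(dst):
    """Longest-prefix match of dst against the route table."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net).prefixlen, name)
               for name, (net, _) in INTERFACES.items()
               if addr in ipaddress.ip_network(net)]
    return max(matches)[1]


def source_seen_by(src, dst, rules):
    """Source address the destination host sees after srcnat."""
    out = egress_interface(dst)
    for rule in rules:
        if rule["out_interface"] in (None, out):
            return INTERFACES[out][1]  # masquerade: router's address on the egress interface
    return src  # no rule matched: routed with the original source


def report():
    """Seen-source address for both directions under each rule set."""
    flows = [("192.168.2.5", "192.168.1.5"), ("192.168.1.5", "192.168.2.5")]
    sets = {"original": ORIGINAL, "with-ether2": WITH_ETHER2, "catch-all": CATCH_ALL}
    return {(name, src, dst): source_seen_by(src, dst, rules)
            for name, rules in sets.items() for src, dst in flows}


if __name__ == "__main__":
    for (name, src, dst), seen in report().items():
        print(f"{name:12} {src} -> {dst}: destination sees {seen}")
```

Whenever a masquerade rule matches LAN-to-LAN traffic, the receiving hosts and their logs see the router's address rather than the real peer, so per-host attribution between the two households is only available on the router.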
 