I have two local networks and a public one connected to my Mikrotik via VLAN. I want the local networks to see each other without any NAT. So I have the following config on my Mikrotik. But the local networks can't see each other.

```
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=172.16.16.1/24 interface=vlan3 network=172.16.16.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=!192.168.1.0/24 src-address=192.168.2.0/24
```
Hassan
  • Are the provided rules the complete set of FW rules? Have you tried removing the masquerade rules completely just as a test? – eKKiM Jan 28 '21 at 15:40
  • Do the computers in the LAN networks have the Mikrotik as gateway? Or do they have routes installed to the other LAN network via the Mikrotik? – Benoit PHILIPPON Jan 29 '21 at 08:26
  • @eKKiM Yes. It is all of them. I need masquerade rules for connecting local networks to public network. – Hassan Jan 29 '21 at 19:42
  • @BenoitPHILIPPON Yes. All computers in LAN networks have the mikrotik as gateway. – Hassan Jan 29 '21 at 19:43
  • Can the computers ping each other (temporarily disable the firewall on the computers to be sure that ping is not blocked)? If not, what is the result of a "tracert -d"? – Benoit PHILIPPON Jan 30 '21 at 09:37
  • @BenoitPHILIPPON No, they can't. Also tracert failed like this (ping from 192.168.1.2 to 192.168.2.2): 1 1 ms 1 ms <1 ms 192.168.2.1 2 * * * Request timed out. – Hassan Feb 01 '21 at 17:32
  • Can computers on the same network ping each other, i.e. 192.168.2.3 can ping 2.2? – Benoit PHILIPPON Feb 02 '21 at 07:18
  • @BenoitPHILIPPON, Yes, they can. Even if I remove dst-address in masquerade rules, everything works fine. – Hassan Feb 03 '21 at 11:04
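
The two srcnat rules from the question, evaluated against a few flows, as an added example (not code from the original post or its comments). It shows which source address the destination host receives with the rules as posted and with dst-address removed, the variant reported above as working. The function names, the hosts 172.16.16.10 and 203.0.113.10, and the assumption that non-connected destinations leave through vlan3 are constructed for this example.

```python
import ipaddress

# Router addresses copied from the question's /ip address section.
ROUTER_ADDR = {
    "vlan1": ipaddress.ip_interface("192.168.1.1/24"),
    "vlan2": ipaddress.ip_interface("192.168.2.1/24"),
    "vlan3": ipaddress.ip_interface("172.16.16.1/24"),
}
DEFAULT_OUT = "vlan3"  # assumption: non-connected destinations leave via the public VLAN

# srcnat masquerade rules as (src-address, negated dst-address or None).
RULES_AS_POSTED = [("192.168.1.0/24", "192.168.2.0/24"),
                   ("192.168.2.0/24", "192.168.1.0/24")]
RULES_NO_DST = [("192.168.1.0/24", None), ("192.168.2.0/24", None)]


def out_interface(dst):
    """Egress interface: the connected network holding dst, else DEFAULT_OUT."""
    for name, iface in ROUTER_ADDR.items():
        if dst in iface.network:
            return name
    return DEFAULT_OUT


def source_seen_by_destination(src, dst, rules):
    """Return the source IP the destination host receives for a new connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, not_dst_net in rules:
        if s not in ipaddress.ip_network(src_net):
            continue  # src-address does not match
        if not_dst_net and d in ipaddress.ip_network(not_dst_net):
            continue  # dst-address=!net excludes this destination
        # masquerade rewrites the source to the router's address on the egress interface
        return str(ROUTER_ADDR[out_interface(d)].ip)
    return src  # no srcnat rule matched: packet is routed with its original source


if __name__ == "__main__":
    # Constructed sample flows; 192.168.1.2 and 192.168.2.2 are the hosts named in the comments.
    flows = [("192.168.1.2", "192.168.2.2"), ("192.168.2.2", "192.168.1.2"),
             ("192.168.1.2", "172.16.16.10"), ("192.168.1.2", "203.0.113.10")]
    for label, rules in (("as posted", RULES_AS_POSTED), ("no dst-address", RULES_NO_DST)):
        for src, dst in flows:
            seen = source_seen_by_destination(src, dst, rules)
            print(f"{label:15} {src} -> {dst}: arrives from {seen}")
```

With the rules as posted, 192.168.2.2 receives the ping from 192.168.1.2 itself; with dst-address removed it receives it from 192.168.2.1, an address on its own subnet. That source address is the only difference between the two cases at the destination host, so it is the thing to compare there, for example in a packet capture or the host firewall's scope settings.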

0 Answers