MIKROTIK - Two LANs connected with switch

Question

I have a very simple network. I have two LAN networks (192.168.2.0/24 and 192.168.3.0/24) connected via a router at each site and the routers are connected via a switch.

http://postimg.org/image/3y1uysszn/

The routers are MIKROTIK, the switch is some of the shelf equipment. I've set up all the routes, removed all the firewalls but I still can't ping from one PC to another. The strange thing is that when I use MIKROTIKs IP Scan tool, it finds all of the equipment, but when I try to ping lets say from PC at site 2, I can't get further than 172.30.2.222.

If I disable the bridge between LAN and WAN at site 2, I can (from the PC at site 2) ping to LAN IP: 192.168.3.50, which is at site 3. At the same time I can't ping to LAN IP: 192.168.2.1 from PC at site 3. If I reenable the bridge at site 2, I again can't get any further than 172.30.2.222 from site 2.

Does anyone have an idea what I am doing wrong? Is the PING somehow disabled in mikrotik routers?

Configuration:

[admin@ENG. SITE 3] >> /ip address export 
/ip address 
add address=192.168.3.1/24 comment="default configuration" interface=\ 
"ETH. 2 LAN" network=192.168.3.0 
add address=172.30.2.222/24 interface="ETH. 1 WAN" network=172.30.2.0 

[admin@ENG. SITE 3] >> ip route export 
/ip route 
add distance=1 gateway=172.30.2.221 add distance=1 dst-address=172.30.2.0/32 gateway="ETH. 1 WAN" 
add distance=1 dst-address=192.168.2.0/24 gateway="ETH. 1 WAN"

[admin@ENG. SITE 3] >> ip firewall export 
/ip firewall filter 
add chain=input comment="default configuration" disabled=yes protocol=icmp
add chain=input comment="default configuration" connection-state=established \ 
disabled=yes 
add chain=input comment="default configuration" connection-state=related \ 
disabled=yes 
add action=drop chain=input comment="default configuration" disabled=yes \ 
in-interface="ETH. 1 WAN"
add chain=forward comment="default configuration" connection-state=established \ 
disabled=yes 
add chain=forward comment="default configuration" connection-state=related \ 
disabled=yes 
add action=drop chain=forward comment="default configuration" connection-state=\ 
invalid disabled=yes 

/ip firewall nat 
add action=masquerade chain=srcnat comment="default configuration" \ 
out-interface="ETH. 1 WAN" 

[admin@ENG. SITE 2] > ip address export 
/ip address 
add address=192.168.2.1/24 comment="default configuration" interface "ETH. 2 LAN" network=192.168.2.0 
add address=172.30.2.221/24 interface="ETH. 1 WAN" network=172.30.221.0

[admin@ENG. SITE 2] > ip route export 
/ip route 
add disabled=yes distance=1 gateway=172.30.2.222 
add distance=1 dst-address=192.168.3.0/24 gateway="ETH. 1 WAN" 

[admin@ENG. SITE 2] > ip firewall export 
/ip firewall filter 
add chain=forward comment="default configuration" connection-state=e disabled=yes 
add chain=forward comment="default configuration" connection-state=r disabled=yes 
add action=drop chain=forward comment="default configuration" connec invalid disabled=yes 
/ip firewall nat 
add action=masquerade chain=srcnat comment="default configuration" \ 
out-interface="ETH. 1 WAN"

Please post your configuration. `/ip address export` `/ip route export` `/ip firewall export` — Cha0s, Jul 27 '15 at 18:23
What do you mean `If I disable the bridge between LAN and WAN at site 2`? Do you have the routers in bridged mode? If so, why? — joeqwerty, Jul 27 '15 at 19:00
First setting for SITE 2: http://postimg.org/image/76ew41ds1/ Second setting for SITE 3: http://postimg.org/image/4d28tn0rp/ Yes there is a bridge between WAN and LAN on each router. Did I make a mistake? Shouldn't there be a bridge? BR and thank you! — Gregor, Jul 28 '15 at 06:55
The whole config is kind of a mess. The static routes are wrong, the bridge is unnecessary. Please post the exports I asked so I can fix them for you and post a proper answer. — Cha0s, Jul 28 '15 at 10:48
[admin@ENG. SITE 3] >> /ip address export # jan/03/1970 02:59:39 by RouterOS 6.18 # software id = KTNN-I561 #/ip address add address=192.168.3.1/24 comment="default configuration" interface=\ "ETH. 2 LAN" network=192.168.3.0 add address=172.30.2.222/24 interface="ETH. 1 WAN" network=172.30.2.0 [admin@ENG. SITE 3] >> ip route export # jan/03/1970 03:00:08 by RouterOS 6.18 # software id = KTNN-I561 # /ip route add distance=1 gateway=172.30.2.221 add distance=1 dst-address=172.30.2.0/32 gateway="ETH. 1 WAN" add distance=1 dst-address=192.168.2.0/24 gateway="ETH. 1 WAN — Gregor, Jul 28 '15 at 13:58
[admin@ENG. SITE 3] >> ip firewall export # jan/03/1970 03:00:18 by RouterOS 6.18 # software id = KTNN-I561 # /ip firewall filter add chain=input comment="default configuration" disabled=yes protocol=icmp add chain=input comment="default configuration" connection-state=established \ disabled=yes add chain=input comment="default configuration" connection-state=related \ disabled=yes add action=drop chain=input comment="default configuration" disabled=yes \ in-interface="ETH. 1 WAN" — Gregor, Jul 28 '15 at 14:01
add chain=forward comment="default configuration" connection-state=established \ disabled=yes add chain=forward comment="default configuration" connection-state=related \ disabled=yes add action=drop chain=forward comment="default configuration" connection-state=\ invalid disabled=yes /ip firewall nat add action=masquerade chain=srcnat comment="default configuration" \ out-interface="ETH. 1 WAN" [admin@ENG. SITE 3] >> [admin@ENG. SITE 3] >> — Gregor, Jul 28 '15 at 14:02
[admin@ENG. SITE 2] > ip address export # jan/02/1970 00:03:27 by RouterOS 6.18 # software id = EGZ3-Z21P # /ip address add address=192.168.2.1/24 comment="default configuration" interface "ETH. 2 LAN" network=192.168.2.0 add address=172.30.2.221/24 interface="ETH. 1 WAN" network=172.30.2. — Gregor, Jul 28 '15 at 14:09
[admin@ENG. SITE 2] > ip route export # jan/02/1970 00:03:35 by RouterOS 6.18 # software id = EGZ3-Z21P # /ip route add disabled=yes distance=1 gateway=172.30.2.222 add distance=1 dst-address=192.168.3.0/24 gateway="ETH. 1 WAN" [admin@ENG. SITE 2] > ip firewall export # jan/02/1970 00:03:40 by RouterOS 6.18 # software id = EGZ3-Z21P — Gregor, Jul 28 '15 at 14:09
# /ip firewall filter add chain=forward comment="default configuration" connection-state=e disabled=yes add chain=forward comment="default configuration" connection-state=r disabled=yes add action=drop chain=forward comment="default configuration" connec invalid disabled=yes /ip firewall nat add action=masquerade chain=srcnat comment="default configuration" \ out-interface="ETH. 1 WAN" — Gregor, Jul 28 '15 at 14:09

score 0 · Accepted Answer · answered Jul 28 '15 at 15:02

0

Your static routes are invalid.

You need to delete all your static routes from both sites and add the following routes on each router:

Run on SITE2:
/ip route add dst-address=192.168.3.0/24 gateway=172.30.2.222

Run on SITE3:
/ip route add dst-address=192.168.2.0/24 gateway=172.30.2.221

Also the bridges are unnecessary so delete them too.
You sould also delete the masquerade rule in Firewall > NAT. You don't need that since you have static routes between the routers and both networks can reach each other.

The rest of the firewall rules look OK so enabling them shouldn't interfere.

answered Jul 28 '15 at 15:02

Cha0s

2,432
2
15
26

Perfect. Thank you. You've helped a lot!What if I wish to ping devices in the same LAN (lets say I have several layer 3 devices at SITE2). Do I need to use a bridge? – Gregor Jul 28 '15 at 18:00
You mean to bridge several ethernet ports on the mikrotik at site 2 so those ports act as a switch? You simply create the bridge, add the ethernet ports (not the 'wan' port) and you change the interface on the IP address 192.168.2.1/24 to the bridge instead of the ethernet port. – Cha0s Jul 28 '15 at 18:27
Yes I wish to bridge several ports (ports 2,3,4) so they can share UDP packets between them. At the same time, I have to be able to ping from SITE 2 to SITE 3. What about the setting with the master port for each port? I cant add several ports to a bridge, it says Port (SOMETHING) is already slave. – Gregor Jul 28 '15 at 19:12
Actually yes, that's a better solution (wire speed switching). Assuming `ETH. 2 LAN` is port 2, then on ports 3 and 4 you set the master port to `ETH. 2 LAN` and those 3 ports should work as a switch. You don't need to change the IP's interface I mentioned before with the bridge. – Cha0s Jul 28 '15 at 19:46
OK thanks. Unfortunately I have another problem. I have the following cofigurations on SITE (http://freetexthost.com/4d3spjypji) 1 and SITE 2 (http://freetexthost.com/qb2rz61gzj). I can ping anywhere including PC 192.168.2.30 from SITE 1, but I can't ping to the PC at SITE 1 (192.168.1.24) from SITE 2. Othervise I can ping from SITE 2 to internal LAN on SITE 1 (192.168.1.1). I really appreciate your help Cha0s!!! – Gregor Jul 28 '15 at 19:54
It was a windows firewall problem. I've left it ON on my work computer and it was causing problems. That's why I could ping my home computer (windows firewall turned off from start). Thank you for the help Cha0s. Best regards! – Gregor Jul 28 '15 at 20:35
How can I enable UDP port forwarding to a device on LAN SITE 1 (IP: 192.168.1.11, Port: 50011)? – Gregor Jul 29 '15 at 06:56
Better create a new question for this since it's a different issue :) – Cha0s Aug 03 '15 at 17:20

MIKROTIK - Two LANs connected with switch

1 Answers1