Answer the question
In order to leave comments, you need to log in
D
D
Dmitry Dobryshin2021-02-27 18:40:36
Dmitry Dobryshin, 2021-02-27 18:40:36
What is wrong with Mikrotik routing?
There is a network:
A Mikrotik router through which there is access to the Internet and everything that is directly connected to it gets this access. Network 192.168.10.0/24 And the second microtic, on which several networks are organized (192.168.1.0/24, 192.168.11.0/24, 192.168.99.0/24, 10.254.0.0/16). The second Mikrotik is connected to the first one, and received from it the IP address 192.168.10.49.
Why this is done, do not ask. The contractor with whom we concluded the contract instead of using the network of the first Mikrotik installed additional equipment and now, having only remote access through the first Mikrotik, I am trying to revive the contractor's network.
Route configuration of the first Mikrotik:
. Dst. Address Gateway Distance Pref. Source
AS 0.0.0.0/0 10.2.0.1 reachable ether1 1
DAC 10.2.0.0./19 ether1 reacable 0 10.2.7.136
AS 192.168.1.0/24 192.168.0.49 reachable bridge 1
DAC 192.168.10.0/24 bridge reachable 0 192.168.10.1
AS 192.168.11.0/24 192.168.0.49 reachable bridge 1
AS 192.168.99.0/24 192.168.0.49 reachable bridge 1Routing of the second Mikrotik:
. Dst. Address Gateway Distance Pref. Source
DS 0.0.0.0/0 192.168.10.1 unreachable 1
DAC 10.254.0.0/16 vlan102 reachable 0 10.254.0.1
DAC 192.168.1.0/24 vlan100 reachable 0 192.168.1.1
AS 192.168.10.0/24 ether6 reachable 1
DAC 192.168.11.0/24 vlan101 reacable 0 192.168.11.1
DAC 192.168.99.0/24 vlan99 reachable 0 192.168.99.1So, the question is - why does the first route through GW 192.168.10.1 ( DS 0.0.0.0/0 192.168.10.1 unreachable 1 ), which is obtained automatically and not available for change, not work? At the same time, from the terminal of the second Mikrotik, all the equipment of the network 192.168.10.0/24 is pinged, including 192.168.10.1. All members of the networks of the second Mikrotik from the network of the first Mikrotik are also available. What did I miss?
Oh yes. NAT.
First Mikrotik:
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN
ipsec-policy=out,none
Second Mikrotik:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether6 log=no log-prefix=""
1 chain=srcnat action=src-nat to-addresses=192.168.1.1
src-address=192.168.99.0/24 dst-address=192.168.1.0/24 log=no
log-prefix=""
2 chain=srcnat action=src-nat to-addresses=192.168.1.1
src-address=192.168.11.0 /24 dst-address=192.168.1.0/24 log=no
log-prefix=""
Upd. I need to release all the subnets of the second Mikrotik to the Internet. That is, make the DS route 0.0.0.0/0 192.168.10.1 active . Unfortunately, it is impossible to demolish vlans because of the equipment already configured on them and functioning well among themselves.
2 answer(s)
@Fenrir89
The second rule will not work, it will be more precise (I thought about dst nat), but why if it came from there anyway why change something, only spend resources on processing packets
And why are they for the internal network at all, in theory, masquerading is not needed
F
Fenrir89, 2021-02-27 @Fenrir89
Routing in Mikrotik takes matches by the smallest mask, so the /0 route has the lowest priority,
and everything flies to nat
1 chain=srcnat action=src-nat to-addresses=192.168.1.1
src-address=192.168.99.0/24 dst-address=192.168.1.0/24 log=no
log-prefix=""
2 chain=srcnat action=src -nat to-addresses=192.168.1.1
src-address=192.168.11.0/24 dst-address=192.168.1.0/24 log=no
log-prefix=""
The second rule will not work, it will be more precise (I thought about dst nat), but why if it came from there anyway why change something, only spend resources on processing packets
And why are they for the internal network at all, in theory, masquerading is not needed
Similar questions
D
delongeroman2020-12-13 23:52:39
How to correctly calculate the ethernet network configuration?
0Reply
D
E
P
D
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question