[Mikrotik] basic routing

Ty Featherling tyfeatherling at gmail.com
Wed Jun 13 18:15:50 CDT 2012


I started out that way. Adding the publics is the only thing that has fixed
it. I went ahead and deleted the NAT rule altogether but it made no
difference. I will reset the config and re-setup tomorrow to see if that
helps.

-Ty

On Wed, Jun 13, 2012 at 6:11 PM, Scott Reed <sreed at nwwnet.net> wrote:

> And either delete or enable/disable the NAT rule to see if it has a
> problem.
>
>
> On 6/13/2012 7:04 PM, Jeromie Reeves wrote:
>
>> No, it should not be required. I run my entire network on privates and
>> only put publics where I need them. You have something fishy with the
>> config. Do you have 10.100.0.1 on the upstream router? If so, get rid of
>> the 207.235.20.16 IP and keep the 10.100.0.2 then default route over
>> those for 0.0.0.0/0 and 207.235.23.0/26. Should work fine. If not, you
>> still have something wrong in the config. I find it best to delete the
>> default config even if disabled.
>>
>> On Wed, Jun 13, 2012 at 2:15 PM, Ty Featherling <tyfeatherling at gmail.com> wrote:
>>
>>> Ok I got it finally. I have 10.100.0.2 AND 207.235.20.16 on ether1. I have
>>> 207.235.23.1/26 on ether2. I have default route to 207.235.20.1 (edge). I
>>> have return route from edge for 207.235.23.0/26 to 10.100.0.2. My laptop
>>> with 207.235.23.3 connected to RB ether2 can get online now.
>>>
>>> Is a public necessary on the outbound interface of the RB in order to get
>>> online? I take it that it is and that is why it hasn't worked til now.
>>>
>>> -Ty
>>>
>>> On Wed, Jun 13, 2012 at 3:44 PM, Ty Featherling <tyfeatherling at gmail.com> wrote:
>>>
>>>> That is what I thought but when I look I see:
>>>>
>>>> /ip firewall nat
>>>> add action=masquerade chain=srcnat comment="default configuration"
>>>> disabled=yes out-interface=\
>>>>     ether1-gateway
>>>>
>>>> Is it just a bug and is somehow stuck in NAT even though disabled?
>>>>
>>>> Another example - when I ping from my machine behind the router the
>>>> failure is "Reply from 10.100.0.2: Destination host unreachable."
>>>>
>>>> -Ty
>>>>
>>>>
>>>> On Wed, Jun 13, 2012 at 1:59 PM, Scott Reed <sreed at nwwnet.net> wrote:
>>>>
>>>>> The router with address 10.100.0.2 is doing NAT. That is the only way I
>>>>> can see that you can have that address as the source on your outbound
>>>>> traffic.
>>>>>
>>>>>
>>>>> On 6/13/2012 2:43 PM, Ty Featherling wrote:
>>>>>
>>>>>> Okay, after putting out fires for a few days I am back at looking at this
>>>>>> issue. What I have found is that traffic from me on the 207.235.23.0/26
>>>>>> subnet is leaving ether1 on the RB like it should but as a result is
>>>>>> leaving AS 10.100.0.2. Since that is a private address it is not routable
>>>>>> beyond my edge. That makes sense. I replaced the private ips between the
>>>>>> two routers with public addresses and while I do have connectivity with
>>>>>> the world that way, it is only because I am routed as the new public IP
>>>>>> assigned to the RB's ether1. NAT is NOT enabled. Can anyone verify my
>>>>>> thinking or explain what SHOULD be happening here?
>>>>>>
>>>>>> -Ty
>>>>>>
>>>>>> On Wed, Jun 6, 2012 at 9:02 PM, Ty Featherling <tyfeatherling at gmail.com> wrote:
>>>>>>
>>>>>>> After checking routes that was the first thing I checked. I'm still
>>>>>>> baffled.
>>>>>>>
>>>>>>> -Ty
>>>>>>> On Jun 6, 2012 8:34 PM, "Blake Covarrubias" <blake at beamspeed.com> wrote:
>>>>>>>
>>>>>>>> /ip firewall nat, to be precise. Otherwise, no.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Blake Covarrubias
>>>>>>>>
>>>>>>>> On Jun 6, 2012, at 4:31 PM, Ty Featherling wrote:
>>>>>>>>
>>>>>>>>> Would it be somewhere other than ip firewall?
>>>>>>>>>
>>>>>>>>> -Ty
>>>>>>>>> On Jun 6, 2012 5:44 PM, "Butch Evans" <butche at butchevans.com> wrote:
>>>>>>>>>
>>>>>>>>>> On Wed, 2012-06-06 at 11:50 -0500, Ty Featherling wrote:
>>>>>>>>>>
>>>>>>>>>>> I am trying to route my first tower with mikrotik. I have a private /30
>>>>>>>>>>> setup between my edge router and ether1 of the RB. I have a private /24
>>>>>>>>>>> setup for an ap and its cpe on ether2. I have a subnet of public
>>>>>>>>>>> addresses to use for clients of this AP and the gateway for those is set
>>>>>>>>>>> as an address on ether2 as well. Default route is the gateway for ether1
>>>>>>>>>>> which is our edge router. There is a route on the edge router routing
>>>>>>>>>>> that subnet of publics back to the ether1 address of the RB. This all
>>>>>>>>>>> sounds right to me.
>>>>>>>>>>
>>>>>>>>>> This all sounds correct to me. From a connected device on the lan side
>>>>>>>>>> (the 207.235.23.0/26 block), you are able to ping everything inside your
>>>>>>>>>> network, but not beyond that? I'd double-check to ensure there is NOT a
>>>>>>>>>> NAT rule in place on the MT that is causing this issue.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> ********************************************************************
>>>>>>>>>> * Butch Evans                 * Professional Network Consultation  *
>>>>>>>>>> * http://www.butchevans.com/  * Network Engineering                *
>>>>>>>>>> * http://store.wispgear.net/  * Wired or Wireless Networks         *
>>>>>>>>>> * http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!    *
>>>>>>>>>> *          NOTE THE NEW PHONE NUMBER: 702-537-0979                 *
>>>>>>>>>> ********************************************************************
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Mikrotik mailing list
>>>>>>>>>> Mikrotik at mail.butchevans.com
>>>>>>>>>> http://www.butchevans.com/mailman/listinfo/mikrotik
>>>>>>>>>>
>>>>>>>>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
>>>>>>>>>> RouterOS
>>>>>>>>>>
>>>>> --
>>>>> Scott Reed
>>>>> Owner
>>>>> NewWays Networking, LLC
>>>>> Wireless Networking
>>>>> Network Design, Installation and Administration
>>>>>
>>>>> Mikrotik Advanced Certified
>>>>>
>>>>> www.nwwnet.net
>>>>> (765) 855-1060
>>>>> (765) 439-4253
>>>>> (855) 231-6239
>>>>>
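The forwarding behaviour debated in this thread, as an added example that is not part of any poster's message: a small Python model of the two route tables that shows which source address leaves the RB with and without a masquerade rule, and whether replies can come back. The edge address 10.100.0.1, the destination 8.8.8.8 and the function names are assumptions made for the illustration, and the edge is assumed not to NAT.

```python
import ipaddress

# Addresses from the thread. 10.100.0.1 as the edge's end of the /30 is an
# assumption (it is the address Jeromie asks about).
RB_ETHER1 = ipaddress.ip_address("10.100.0.2")
EDGE = ipaddress.ip_address("10.100.0.1")
CLIENT = ipaddress.ip_address("207.235.23.3")
CLIENT_NET = ipaddress.ip_network("207.235.23.0/26")
LINK_NET = ipaddress.ip_network("10.100.0.0/30")

RB_ROUTES = [  # (prefix, next hop); "ether1"/"ether2" mean directly connected
    (ipaddress.ip_network("0.0.0.0/0"), EDGE),
    (LINK_NET, "ether1"),
    (CLIENT_NET, "ether2"),
]
EDGE_ROUTES = [(LINK_NET, "connected"), (CLIENT_NET, RB_ETHER1)]


def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or None if no route."""
    hits = [(net, hop) for net, hop in routes if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def trace(dst, masquerade, edge_routes=EDGE_ROUTES):
    """Follow one packet from CLIENT to dst and its reply (hypothetical model)."""
    dst = ipaddress.ip_address(dst)
    if lookup(RB_ROUTES, dst) != EDGE:
        return {"src_on_wire": CLIENT, "ok": False,
                "why": "destination is not reached via the edge"}
    # Plain routing leaves the source alone; srcnat/masquerade on ether1
    # rewrites it to the address of the outgoing interface.
    src = RB_ETHER1 if masquerade else CLIENT
    if src.is_private:  # edge is assumed not to NAT
        return {"src_on_wire": src, "ok": False,
                "why": "RFC 1918 source is not routable beyond the edge"}
    if lookup(edge_routes, src) != RB_ETHER1:
        return {"src_on_wire": src, "ok": False,
                "why": "edge has no return route to the client subnet"}
    return {"src_on_wire": src, "ok": True, "why": "routed both ways"}


if __name__ == "__main__":
    # 8.8.8.8 is a constructed sample destination.
    print(trace("8.8.8.8", masquerade=False))
    print(trace("8.8.8.8", masquerade=True))
    print(trace("8.8.8.8", masquerade=False, edge_routes=[(LINK_NET, "connected")]))
```
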