bryandj23 join:2002-08-15 Bay City, MI
Mikrotik Noob - Gotta be missing something.
Hi all. I'm getting things set up for a new wisp venture, and I've reached a point where I'm stumped, and I believe Mikrotik is to blame (or my lack of Mikrotik knowledge). Here's my setup:
(Internet)
    |
    |
 Pfsense -- LAN -- 192.168.200.1/24 - Office LAN
    |
   OPT
    |---- 10.0.0.1/16 --- switch --- laptop (10.0.0.35)
                            |
                         mikrotik 10.0.0.10
The laptop also contains a wireless card, which is getting a 192.168.200.101 address via AP connected to LAN.
I've configured rules in PFsense to allow anything back and forth between LAN and OPT.
Now, the laptop can ping anything along 192.168.200.0/24, using either wired (10.0.0.35) or wireless (192.168). It CANNOT ping the mikrotik at 10.0.0.10.
Using winbox, I can ping 10.0.0.1 from the mikrotik, but CANNOT ping anything along 192.168.200.0/24. The fact that I can ping either pfsense interface on the laptop via either subnet makes me believe it's something in the tik.
Add to this: Can't access Mikrotik (via ping or winbox) on the laptop when the laptop is connected wireless and has a 192.168.200.0/24 address. Once I hard wire the laptop to the switch, and give myself a 10.0.0.35 address, it works like a charm.
Could something in mikrotik be preventing me from pinging and using winbox from a network outside of the mikrotik's eth interface?
Thanks much in advance!
PS: Funny part - pfsense logs show that pings are going through from LAN to OPT... after playing with it for two hours, I figured I needed a break.
Inssomniak Premium join:2005-04-06 Cayuga, ON
Probably silly question, but is the default gateway configured properly on the Mikrotik and your 192.168 network?
bryandj23 join:2002-08-15 Bay City, MI
reply to bryandj23
The MikroTik does have its default route set to 10.0.0.1.
Should I need to define the 192.168.200.0/24 route on the Mikrotik, even though 10.0.0.1 knows how to reach the 192.168.200.0 network (both interfaces are on the same Pfsense box)?
Inssomniak Premium join:2005-04-06 Cayuga, ON
said by bryandj23: The MikroTik does have its default route set to 10.0.0.1. Should I need to define the 192.168.200.0/24 route on the Mikrotik, even though 10.0.0.1 knows how to reach the 192.168.200.0 network (both interfaces are on the same Pfsense box)?
I don't know much of anything about pfsense; I'm thinking then a firewall between OPT and LAN?
livewireless join:2006-11-03 La Jolla, CA
reply to bryandj23
All I can say is you're in the right forum. I've had questions for support at MT and have not had any luck getting clear answers back from them. I think they've oversold and have 2 guys on support patrol. I wish I'd not purchased their product, even though it's solid if you want to climb the learning curve. Pisses me off; I just bought a license and can't get responses from them.
bryandj23 join:2002-08-15 Bay City, MI
Yeah. In a sense I'd rather stick with what I know, but then again, with all the features that are available in Mikrotik, I might as well just get down and dirty with it.
That's why I think I'm missing something completely stupid; Mikrotik is so picky (not necessarily a bad thing), where I'm probably used to things being automatically configured "behind the scenes" on other platforms, that I'm just not quite getting the Mikrotik right.
bryandj23 join:2002-08-15 Bay City, MI
reply to Inssomniak
I had thought maybe the pfsense box was causing the issue; however, within its logs I see that traffic is passing from LAN to OPT, so it leaves me a bit puzzled as to where my issue REALLY is.
I may also consider just running our core "wireless" network on a router separate from our core "office" network. The original idea was to use one router, so that we could access APs from the office. Also, since some of our servers (web, radius, dns) sit on the office network, I figured this way would be easier to go.
Having them each on their own router would probably alleviate this issue; then all I'd need are static routes between the two routers.
Inssomniak Premium join:2005-04-06 Cayuga, ON
said by bryandj23: I had thought maybe the pfsense box was causing the issue; however, within its logs I see that traffic is passing from LAN to OPT, so it leaves me a bit puzzled as to where my issue REALLY is. I may also consider just running our core "wireless" network on a router separate from our core "office" network. The original idea was to use one router, so that we could access APs from the office. Also, since some of our servers (web, radius, dns) sit on the office network, I figured this way would be easier to go. Having them each on their own router would probably alleviate this issue; then all I'd need are static routes between the two routers.
Well... All I can say is a mikrotik device that is without any firewall rules is a wide open device. If the routes exist, you can use winbox anywhere.
pfSense logs can indicate the traffic routing between the LAN and the OPT port; is a firewall rule further down the chain dropping it?
bryandj23 join:2002-08-15 Bay City, MI
Yeah, I'm aware it's wide open. Since we're still in the testing phase, I'm trying to get the basic networking down before going back to lock things up.
I've read a pointer regarding outbound NAT in pfsense, but I don't think that should apply as of yet, since we don't have our WAN connection installed yet (that comes tomorrow, actually), and I'm only trying to route between LAN and OPT.
I'd think that my firewall rules in pfsense (basically saying to allow anything in from LAN to OPT and vice versa) would cover it.
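The "wide open device" point above and the plan to "lock things up" later are worth making concrete. The following is an added example of a minimal RouterOS input-chain lockdown; it is not configuration from the thread or from anyone in it. It assumes management should be allowed only from the office LAN 192.168.200.0/24 and the wired 10.0.0.0/16 segment shown in the original diagram, and that WinBox (TCP 8291) and SSH (TCP 22) are the only management services wanted.

```routeros
# Added example (not from the thread): lock down the router's own management
# plane once the routing works. Everything here matches on source address,
# so no interface names are assumed. Management sources assumed:
# office LAN 192.168.200.0/24 and the wired 10.0.0.0/16 segment behind pfSense OPT.

# Name the trusted management sources once; every rule below refers to the list.
/ip firewall address-list
add list=mgmt address=192.168.200.0/24 comment="office LAN (servers, admins)"
add list=mgmt address=10.0.0.0/16 comment="wired segment behind pfSense OPT"

# The input chain is traffic addressed to the router itself (WinBox, SSH, ping).
# Order matters: the final drop catches everything the accepts above did not.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router already has"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept \
    comment="keep ping working for troubleshooting"
add chain=input src-address-list=mgmt protocol=tcp dst-port=8291 action=accept \
    comment="WinBox only from management networks"
add chain=input src-address-list=mgmt protocol=tcp dst-port=22 action=accept \
    comment="SSH only from management networks"
add chain=input action=drop comment="everything else aimed at the router"

# Bind the services themselves to the same sources and switch off unused ones,
# so a later mistake in the filter does not silently re-expose them.
/ip service
set winbox address=192.168.200.0/24,10.0.0.0/16
set ssh address=192.168.200.0/24,10.0.0.0/16
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# Verify: which services still listen, and whether the drop rule is counting hits.
/ip service print
/ip firewall filter print stats where chain=input
```

Apply this from a session in Safe Mode (the Safe Mode button in WinBox, or Ctrl-X in the terminal): if the address list does not match the network you are connecting from, the final drop cuts off your own session and Safe Mode rolls the changes back when the connection is lost. Note that none of this touches the forward chain, so traffic routed through the box between OPT and the office LAN is unaffected; that is the right separation while the routing itself is still being debugged.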
Inssomniak Premium join:2005-04-06 Cayuga, ON
Hmm, I'm out of suggestions, although I'm sure the problem lies with the pfsense rather than the Mikrotik. I'm not familiar with it, so unless I'm in front of one I can't say for sure.
Maybe it's trying to NAT the traffic before it even knows where it's going yet?
You could try disabling all NAT and see what happens.
bryandj23 join:2002-08-15 Bay City, MI
reply to bryandj23
Thanks Inssomniak. I appreciate it.
bryandj23 join:2002-08-15 Bay City, MI
reply to bryandj23
Ok, I still think my Mikrotik is the issue; here's why.
I've made some changes to my firewall rules on pfsense. On my laptop, I get a 192.168.200.101 address.
I plug another laptop (lap2) into the switch that is part of the 10.0.0.0/16 network.
From my laptop, I can ping lap2, which is at 10.0.0.5. I cannot ping the Mikrotik at 10.0.0.10.
If I plug my laptop into the 10.0/16 switch, I can ping the Mikrotik.
So... is it possible that the Mikrotik is saying "Hey, I'm getting a ping request, but it's from 192.168.200.101, which isn't part of my network, so screw them"?
Actually, while typing that, I'm wondering if the Mikrotik needs to know the route to the 192.168.200/24 network; but then again, if its default route points to a gateway that contains both networks (pfsense), then pfsense should be doing its job.
Sorry if I'm going around in circles here. I appreciate any help or advice!
bryandj23 join:2002-08-15 Bay City, MI
reply to bryandj23
Got it!
For some reason the Mikrotik set its interfaces for /32 rather than /24.
Local part is working. Now I just gotta get internet to respond on that interface.
spectrumhead join:2009-05-03
reply to bryandj23
Yes, if you type just an IP address without CIDR notation, it automatically does /32, as far as I know.
Happy that you found your solution.
Inssomniak Premium join:2005-04-06 Cayuga, ON
said by spectrumhead: Yes, if you type just an IP address without CIDR notation, it automatically does /32, as far as I know. Happy that you found your solution.
Yes, this is correct; it assumes /32 if you don't type it on or add the network/broadcast.
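The last three posts identify the actual cause: an address entered without a prefix length is stored as a /32. The following is an added example, not configuration from the thread or from any of the posters, showing the bare form beside the corrected one and the commands that reveal the problem on a running box. It assumes the MikroTik's wired interface is ether1, and it uses a /16 prefix because the original diagram shows the pfSense OPT side as 10.0.0.1/16 (the router's mask has to match the segment it sits on, whatever that is).

```routeros
# Added example (not from the thread). Assumptions: wired interface is ether1;
# the segment is 10.0.0.0/16 with pfSense OPT at 10.0.0.1, as in the diagram.

# What a bare address does: RouterOS stores it as a host address, 10.0.0.10/32.
# No connected route for 10.0.0.0/16 is created, so the router has no on-link
# route of its own to the other hosts on the segment (10.0.0.1, 10.0.0.35).
# Shown commented out so this file does not reproduce the mistake:
#   /ip address add address=10.0.0.10 interface=ether1

# Option A: an existing box that behaves the way the thread describes.
# Find host-only entries, then fix the mask in place (keeps the entry id).
/ip address print where address~"/32"
/ip address set [find address="10.0.0.10/32"] address=10.0.0.10/16

# Option B: a fresh configuration, written with the prefix length from the start.
# (Use A or B, not both; B would add a second copy of the same address.)
#   /ip address add address=10.0.0.10/16 interface=ether1 comment="towards pfSense OPT"
#   /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1

# Verify. The address entry must show network 10.0.0.0 (not 10.0.0.10);
# the route list must contain a dynamic connected (DAC) route for 10.0.0.0/16;
# and the default route via 10.0.0.1 must be active, not flagged unreachable.
/ip address print
/ip route print

# Source the test from the router's own address so the reply path back
# through pfSense, not just the outbound hop, is what gets exercised.
/ping 192.168.200.1 src-address=10.0.0.10 count=3
```

The `print where address~"/32"` check is the quick way to audit every interface at once; a /32 on a point-to-point link is legitimate, but on an Ethernet segment with other hosts it is almost always this typing mistake.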