Overlapping Subnets between 2 RUTX12 IPsec VPN

And traceroute 192.168.42.85 from 192.168.42.140

RUTX12-1 (192.168.42.1/25):

ip -4 route show:

default via 172.16.4.1 dev eth1 proto static src 172.16.4.111 metric 1
default dev qmimux1 proto static scope link src xx.xx.xx.xx metric 2
default dev qmimux0 proto static scope link src xx.xx.xx.xx metric 3
10.10.0.0/24 dev br-LAN_B proto static scope link metric 6
10.19.0.0/21 dev br-lan proto static scope link metric 4
xx.xx.xx.xx dev qmimux1 proto static scope link metric 2
xx.xx.xx.x dev qmimux0 proto static scope link metric 3
172.16.0.0/24 dev br-LAN_K proto static scope link metric 7
172.16.4.0/24 dev eth1 proto static scope link metric 1
192.168.42.0/25 dev br-ifLan2 proto kernel scope link src 192.168.42.1

ip -4 rule show:

0: from all lookup local
100: from all lookup 100
220: from all lookup 220
1001: from all iif eth1 lookup 1
1002: from all iif qmimux1 lookup 2
1003: from all iif qmimux0 lookup 3
2001: from all fwmark 0x100/0x3f00 lookup 1
2002: from all fwmark 0x200/0x3f00 lookup 2
2003: from all fwmark 0x300/0x3f00 lookup 3
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
3001: from all fwmark 0x100/0x3f00 unreachable
3002: from all fwmark 0x200/0x3f00 unreachable
3003: from all fwmark 0x300/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default

iptables-save | grep -i ipsec:

-A zone_wan_postrouting -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT
-A PREROUTING -d 192.168.42.128/25 -m comment --comment "mwan3 exception for ipsec" -j ACCEPT
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A OUTPUT -d 192.168.42.128/25 -m comment --comment "mwan3 exception for ipsec" -j ACCEPT
-A FORWARD -s 192.168.42.128/25 -d 192.168.42.0/25 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.42.0/25 -d 192.168.42.128/25 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m comment --comment "!fw3: IPsec bypass for offloading" -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m comment --comment "!fw3: IPsec bypass for offloading" -m policy --dir out --pol ipsec -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m policy --dir in --pol ipsec -m comment --comment "!fw3: Allow-IPsec-Forward" -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "!fw3: Allow-IPsec-ESP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: Allow-IPsec-NAT-T" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-IPsec-IKE" -j ACCEPT

iptables -n -L | grep -i ipsec:

ACCEPT all -- 192.168.42.128/25 192.168.42.0/25 policy match dir in pol ipsec reqid 1 proto 50
ACCEPT all -- 192.168.42.0/25 192.168.42.128/25 policy match dir out pol ipsec reqid 1 proto 50
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: IPsec bypass for offloading */ policy match dir in pol ipsec
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: IPsec bypass for offloading */ policy match dir out pol ipsec
zone_lan_dest_ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPSec-ESP */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec /* !fw3: Allow-IPsec-Forward */
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPsec-ESP */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 /* !fw3: Allow-IPsec-NAT-T */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 /* !fw3: Allow-IPsec-IKE */

ip -4 route show table 220:

192.168.42.128/25 via 172.16.4.1 dev eth1 proto static src 192.168.42.1

RUTX12-2 (192.168.42.128/25):

ip -4 route show:

default dev qmimux0 proto static scope link src xx.xx.xx.xx
default dev qmimux0 proto static scope link src xx.xx.xx.xx metric 3
10.10.0.0/24 dev br-LAN_B proto static scope link src 10.10.0.1 metric 5
10.19.0.0/21 dev br-lan proto static scope link src 10.19.6.1 metric 7
xx.xx.xx.xx dev qmimux0 proto static scope link src xx.xx.xx.xx metric 3
172.16.0.0/24 dev br-LAN_K proto static scope link src 172.16.0.1 metric 4
192.168.42.128/25 dev br-ifLan1 proto kernel scope link src 192.168.42.129

ip -4 rule show:

0: from all lookup local
100: from all lookup 100
220: from all lookup 220
1003: from all iif qmimux0 lookup 3
2003: from all fwmark 0x300/0x3f00 lookup 3
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
3003: from all fwmark 0x300/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default

iptables-save | grep -i ipsec:

-A zone_wan_postrouting -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT
-A PREROUTING -d 192.168.42.0/25 -m comment --comment "mwan3 exception for ipsec" -j ACCEPT
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A OUTPUT -d 192.168.42.0/25 -m comment --comment "mwan3 exception for ipsec" -j ACCEPT
-A FORWARD -s 192.168.42.0/25 -d 192.168.42.128/25 -i qmimux0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.42.128/25 -d 192.168.42.0/25 -o qmimux0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m comment --comment "!fw3: IPsec bypass for offloading" -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m comment --comment "!fw3: IPsec bypass for offloading" -m policy --dir out --pol ipsec -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m policy --dir in --pol ipsec -m comment --comment "!fw3: Allow-IPsec-Forward" -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "!fw3: Allow-IPsec-ESP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: Allow-IPsec-NAT-T" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-IPsec-IKE" -j ACCEPT

iptables -n -L | grep -i ipsec:

ACCEPT all -- 192.168.42.0/25 192.168.42.128/25 policy match dir in pol ipsec reqid 1 proto 50
ACCEPT all -- 192.168.42.128/25 192.168.42.0/25 policy match dir out pol ipsec reqid 1 proto 50
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: IPsec bypass for offloading */ policy match dir in pol ipsec
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: IPsec bypass for offloading */ policy match dir out pol ipsec
zone_lan_dest_ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPSec-ESP */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec /* !fw3: Allow-IPsec-Forward */
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPsec-ESP */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 /* !fw3: Allow-IPsec-NAT-T */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 /* !fw3: Allow-IPsec-IKE */

ip -4 route show table 220:

192.168.42.0/25 via xx.xx.x.xx dev qmimux0 proto static src 192.168.42.129

To explain the setup further:

  1. RUTX12-1 is behind a Mikrotik router and is online via WAN
  2. RUTX12-2 (client on location) is online via LTE

I think the routing tables look wrong to me. On RUTX12-2, table 220 wants to connect via 192.168.42.0/25 to our external Mikrotik IP. Since both routers can see and ping everything, the error must be somewhere here.

PS C:\WINDOWS\system32> .\TRACERT.EXE 192.168.42.85

Tracing route to 192.168.42.85 over a maximum of 30 hops

  1  General failure.

Trace complete.

Sorry, it's in German and from a Windows client, but it stops with an error.

I’ll be somewhat busy today; I’ll test a similar config and keep you updated.

Are you sure that 192.168.42.85 replies to pings? Have you tested from 192.168.42.1? From 192.168.42.129?
The routes look correct, or I have missed something.
From 192.168.42.140, can you ping 192.168.42.1?

I finally solved the problem by adding a gateway to my Windows client. It could only be the client's fault, since the routers spoke to everyone.

Thank you for your input on this matter.
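Added worked example (not part of the forum thread, and not Teltonika's or strongSwan's code): a small model of the Linux policy-routing lookup, fed with the `ip -4 rule show` and `ip -4 route show` output that RUTX12-2 posted above, to show why the split /25 routing was fine on the routers and why the client failed. It walks the rules in priority order exactly as the kernel does, so the route for 192.168.42.0/25 in table 220 (priority 220) wins over `main` (priority 32766); it then resolves the same destination, 192.168.42.85, in a constructed client table with and without a default gateway. Assumptions: the LTE addresses are masked as `xx.xx.x.xx` on the page and are replaced here by the documentation addresses 203.0.113.1 (next hop) and 203.0.113.2 (own LTE address); the Windows client tables are constructed from the thread's description (client 192.168.42.140 in 192.168.42.128/25, gateway 192.168.42.129) and written in `ip route` syntax so the same parser handles them; tables `local`, `100`, `3` and `default` are modelled as empty because none of their entries can match 192.168.42.85.

```python
"""Policy-routing walkthrough for the overlapping /25 IPsec setup (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied from the RUTX12-2 post; xx.xx.x.xx replaced by TEST-NET-3 addresses (assumption).
RUTX12_2_MAIN = """
default dev qmimux0 proto static scope link src 203.0.113.2
default dev qmimux0 proto static scope link src 203.0.113.2 metric 3
10.10.0.0/24 dev br-LAN_B proto static scope link src 10.10.0.1 metric 5
10.19.0.0/21 dev br-lan proto static scope link src 10.19.6.1 metric 7
203.0.113.1 dev qmimux0 proto static scope link src 203.0.113.2 metric 3
172.16.0.0/24 dev br-LAN_K proto static scope link src 172.16.0.1 metric 4
192.168.42.128/25 dev br-ifLan1 proto kernel scope link src 192.168.42.129
"""
RUTX12_2_TABLE_220 = "192.168.42.0/25 via 203.0.113.1 dev qmimux0 proto static src 192.168.42.129"
RUTX12_2_RULES = """
0: from all lookup local
100: from all lookup 100
220: from all lookup 220
1003: from all iif qmimux0 lookup 3
2003: from all fwmark 0x300/0x3f00 lookup 3
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
3003: from all fwmark 0x300/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
"""
# Constructed client tables (the thread's Windows client, in ip-route syntax).
CLIENT_NO_GW = "192.168.42.128/25 dev eth0 proto kernel scope link src 192.168.42.140"
CLIENT_WITH_GW = "default via 192.168.42.129 dev eth0\n" + CLIENT_NO_GW


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]
    metric: int


def parse_routes(text: str) -> list:
    """Parse the subset of `ip -4 route show` syntax used in the thread
    (default/prefix, via, dev, metric; other keywords are ignored)."""
    routes = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks:
            continue
        prefix = ipaddress.ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0], strict=False)
        dev = via = None
        metric = 0
        for i in range(1, len(toks) - 1):
            if toks[i] == "via":
                via = toks[i + 1]
            elif toks[i] == "dev":
                dev = toks[i + 1]
            elif toks[i] == "metric":
                metric = int(toks[i + 1])
        routes.append(Route(prefix, dev, via, metric))
    return routes


def parse_rules(text: str) -> list:
    """Parse `PRIO: from all [iif DEV] [fwmark M/MASK] lookup T|blackhole|unreachable`."""
    rules = []
    for line in text.strip().splitlines():
        prio, _, rest = line.partition(":")
        toks = rest.split()
        iif = fwmark = action = None
        for i, t in enumerate(toks):
            if t == "iif":
                iif = toks[i + 1]
            elif t == "fwmark":
                mark, _, mask = toks[i + 1].partition("/")
                fwmark = (int(mark, 16), int(mask, 16) if mask else 0xFFFFFFFF)
            elif t == "lookup":
                action = toks[i + 1]
            elif t in ("blackhole", "unreachable"):
                action = t
        rules.append((int(prio), iif, fwmark, action))
    return sorted(rules, key=lambda r: r[0])


def lookup(table: list, dst: str) -> Optional[Route]:
    """Longest-prefix match within one table; lowest metric wins on equal prefix length."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in table if addr in r.prefix]
    return min(cands, key=lambda r: (-r.prefix.prefixlen, r.metric)) if cands else None


def rpdb_lookup(rules: list, tables: dict, dst: str, iif: str = None, fwmark: int = 0):
    """Walk the rules in priority order; the first matching rule whose table
    holds a route for dst decides. Returns (priority, table_or_action, route) or None."""
    for prio, rule_iif, rule_mark, action in rules:
        if rule_iif is not None and rule_iif != iif:
            continue
        if rule_mark is not None and (fwmark & rule_mark[1]) != rule_mark[0]:
            continue
        if action in ("blackhole", "unreachable"):
            return (prio, action, None)
        route = lookup(tables.get(action, []), dst)  # tables not modelled are empty
        if route is not None:
            return (prio, action, route)
    return None


def walkthrough() -> dict:
    """Resolve 192.168.42.85 from the RUTX12-2 LAN side and from the client."""
    rules = parse_rules(RUTX12_2_RULES)
    tables = {"main": parse_routes(RUTX12_2_MAIN), "220": parse_routes(RUTX12_2_TABLE_220)}
    return {
        # Table 220 (installed for the IPsec peer) is consulted before main and wins.
        "router": rpdb_lookup(rules, tables, "192.168.42.85", iif="br-ifLan1"),
        # Without table 220 the packet would fall through to the bare default route.
        "router_without_220": rpdb_lookup(rules, {"main": tables["main"]}, "192.168.42.85", iif="br-ifLan1"),
        # The client without a gateway has no route at all for the other /25.
        "client_no_gw": lookup(parse_routes(CLIENT_NO_GW), "192.168.42.85"),
        "client_with_gw": lookup(parse_routes(CLIENT_WITH_GW), "192.168.42.85"),
        "client_same_half": lookup(parse_routes(CLIENT_NO_GW), "192.168.42.129"),
    }


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name}: {result}")
```

The `client_no_gw` result is `None`: with only the on-link 192.168.42.128/25 route, a host in that half has no entry covering 192.168.42.85, which is the "General failure" the tracert output shows, while 192.168.42.129 on the same half still resolves on-link. Once a default gateway of 192.168.42.129 is present the packet reaches RUTX12-2, where rule 220 sends it via table 220 toward the IPsec peer. The `router_without_220` case is the caveat worth keeping in mind when auditing such a setup: if that table entry ever disappears, traffic for the far /25 is not dropped but follows the plain default route out the LTE interface.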
