cmorgan
just joined
Topic Author
Posts: 7
Joined: Tue Sep 01, 2015 11:23 am

Bit of routing advice needed.

Tue Sep 01, 2015 12:03 pm

If someone has time, I need a bit of advice as I'm having some problems with routing.

In brief, I have 2 networks connected together using a GRE tunnel (using RB750's at either end). The network on one end uses that same RB750 endpoint as the gateway to the WAN. The network on the other end uses a separate gateway for traffic. This gateway (172.16.1.3) is configured to route all traffic destined for the other network (10.1.0.0/16) to the next hop IP of the RB750 (172.16.1.1).

Here is a little diagram I made...
vpn-issue.png
That's all well and good and I can see that traffic going down the GRE tunnel using Torch, but I believe the problem comes with the return traffic. E.g.: I can RDP to a server on the other network when the gateway of the client is set to the RB750, but I can't RDP to that same server when the gateway is set to the main gateway (172.16.1.3). The same is true when RDPing from the 10.1.0.0/16 network to the other (it will only work if 172.16.1.1 is set as the gateway).

Does anyone have any ideas? I will be very grateful if you do!

Thanks
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: Bit of routing advice needed.

Tue Sep 01, 2015 11:56 pm

Hi there.
Let me first confirm if I get your scenario correct:
Host with IP 172.16.1.10 can establish an RDP session to the server with IP 10.1.0.1 only if its default gateway is set to 172.16.1.1?
And your issue is that when the default gateway on the same host is 172.16.1.3, you cannot establish an RDP session?

If I'm correct, in this case the default route on the client (172.16.1.10) is pointing to 172.16.1.3 and that router is not aware of the 10.1.0.0 network, so the session cannot be established. There are 2 ways in front of you:
1. Create a static route on the client PC (172.16.1.10):
route add 10.0.0.0 mask 255.0.0.0 172.16.1.1 metric 1
(assuming it's Windows)
This will allow only this host to get to the 10.0.0.0 network (and this is not the preferred solution).
2. Add the same static route on your firewall & gateway; in this case all hosts from network 172.16.1.0 will be able to get to the 10.1.0.0 network (this is the preferred solution).
From network 10.1.0.0 you should be able to access network 172.16.0.0 without any problems, and without configuring anything.
 
cmorgan
just joined
Topic Author
Posts: 7
Joined: Tue Sep 01, 2015 11:23 am

Re: Bit of routing advice needed.

Wed Sep 02, 2015 11:44 am

Hi blajah, thanks for replying.

The gateway on 172.16.1.3 already has a route published for 10.1.0.1 which is to send the traffic over to 172.16.1.1.
route1.PNG
Hopefully this helps,
Cheers
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: Bit of routing advice needed.

Wed Sep 02, 2015 7:33 pm

Can you show me a trace from PC to server?
Edit
What's the default route on 172.16.1.1?
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: Bit of routing advice needed.

Wed Sep 02, 2015 8:25 pm

Since you have two gateways in the same subnet, I'm curious, is your firewall allowing ICMP redirects?
 
cmorgan
just joined
Topic Author
Posts: 7
Joined: Tue Sep 01, 2015 11:23 am

Re: Bit of routing advice needed.

Mon Sep 07, 2015 2:26 pm

> Can you show me a trace from PC to server?
> Edit
> What's the default route on 172.16.1.1?

Dst= 0.0.0.0/0
Gateway= 172.16.1.3 (which WinBox is showing as reachable via ether1-lan)

As for ICMP redirects, I am not sure. Will it make a difference if they are allowed?
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: Bit of routing advice needed.

Thu Sep 10, 2015 8:13 am

Hi,

Yes, redirects will make a change. Can you post a traceroute from PC to server?
 
cmorgan
just joined
Topic Author
Posts: 7
Joined: Tue Sep 01, 2015 11:23 am

Re: Bit of routing advice needed.

Thu Sep 10, 2015 4:35 pm

> Hi,
>
> Yes, redirects will make a change. Can you post a traceroute from PC to server?

I will post one as soon as I can. The other site is having an internet outage at the moment!
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Bit of routing advice needed.

Thu Sep 10, 2015 8:35 pm

You need a static route on the PPTP-Server. When dst-address=172.16.0.0/16 then route down pptp-interface.

Otherwise when a host on the 10.1.0.0 network replies to 172.16.0.0, the packet gets routed out the WAN instead of VPN. When you set your default gateway to 172.16.1.1, then packets will make it to 172.16.1.1 and get routed properly from there.

However, for a PPTP-Server, the PPTP interface is dynamic and is only present when there is a connection, so you can't route on it... So you have to create a static PPTP-Server interface, and for the 'user' field, specify the username that the 172.16 network is using. Now you can route on that static PPTP-Server interface.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Bit of routing advice needed.

Fri Sep 11, 2015 1:14 am

> This gateway (172.16.1.3) is configured to route all traffic destined for the other network (10.1.0.0/16) to the next hop IP of the RB750 (172.16.1.1).

Can you verify that it's actually routing it like this? If you try to ping server from client (with 172.16.1.3 as gw), and you check what happens on the right RB (172.16.1.1), you should see packets going from 172.16.1.10 to 10.1.0.1, entering through LAN interface and leaving out through tunnel. Is it so?

Left side (10.x) network is ok, it does not care about remote gateway being one or the other, in both cases packet from 172.16.1.10 to 10.1.0.1 comes from tunnel and the reply goes back the same way. There's no difference here.
 
cmorgan
just joined
Topic Author
Posts: 7
Joined: Tue Sep 01, 2015 11:23 am

Re: Bit of routing advice needed.

Fri Sep 11, 2015 1:33 pm

Right sorted out the internet issue so I can run some tests.

First up is the IP settings of the client I'm testing with. (172.16.1.3 as gw)
1.PNG
Next up is a traceroute from the above machine to 10.1.0.1 (which is a domain controller, aptly named DC1) which resolves ok.
2.PNG
Finally, here is Torch (from 172.16.1.1) showing a ping from my machine routing correctly down the GRE tunnel. (For the record, the ping completes ok).
3.PNG
Again, I can't thank you all enough for your help so far!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Bit of routing advice needed.

Fri Sep 11, 2015 7:04 pm

It looks to me like it's working as it should. Do you mean to say that RDP still does not work from 172.16.150.55 to 10.1.0.1? Because it seems to work from 172.16.1.34 to 10.1.0.1 (the other two entries in torch screenshot show traffic to RDP port going both ways).
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: Bit of routing advice needed.

Fri Sep 11, 2015 9:11 pm

Just to make this clear, ping is ok, RDP is not? Are there any firewall rules on 192.168.1.1 which could produce this behavior?
 
cmorgan
just joined
Topic Author
Posts: 7
Joined: Tue Sep 01, 2015 11:23 am

Re: Bit of routing advice needed.

Mon Sep 21, 2015 10:29 am

Hi Guys, had the week off work so I am catching up on everything today!
> It looks to me like it's working as it should. Do you mean to say that RDP still does not work from 172.16.150.55 to 10.1.0.1? Because it seems to work from 172.16.1.34 to 10.1.0.1 (the other two entries in torch screenshot show traffic to RDP port going both ways).

Yes, RDP (or WinBox as well for that matter) does not work from 172.16.150.55 unless the gateway is set to 172.16.1.1.

It is very, very confusing as to why it's not working.
> Just to make this clear, ping is ok, RDP is not? Are there any firewall rules on 192.168.1.1 which could produce this behavior?

Also, yes. Ping is OK, RDP is not OK. There are no firewall rules on either RB750 except...
4.PNG
Initially opened it up to see if this was the issue.
As for 172.16.1.3, when the firewall was installed they configured the routing and rules to treat 10.1.0.0/16 as part of the trusted LAN zone.

EDIT: As an attempted 'hail mary' to try and fix it, I have lowered the MTU on both ends of the GRE tunnel from 1476 (or around that) to 1200. This has not worked.
 
cmorgan
just joined
Topic Author
Posts: 7
Joined: Tue Sep 01, 2015 11:23 am

Re: Bit of routing advice needed.

Thu Oct 29, 2015 11:40 am

I have fixed this in the end but it won't be ideal for everyone.
I added a fixed route to all the machines that needed to communicate over the link (around 6) so it wasn't a massive task.
E.g., for Windows: route add 10.1.0.0 MASK 255.255.0.0 172.16.1.1

I thought I should post my fix just in case somebody comes across a similar issue in the future.
Cheers for everyone's input.
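
Added example (not written by any poster in this thread): a small longest-prefix-match path tracer over the routes the thread describes, showing which routers see the request and which see the reply for each client configuration. The 172.16.0.0/16 LAN mask and the name `tunnel-peer` for the left-hand RB750 are assumptions; the thread never confirms why TCP fails, but a path where 172.16.1.3 sees only one direction is a common reason for a stateful firewall to drop the flow.

```python
import ipaddress

# Constructed from the thread's description; the /16 LAN mask and the
# "tunnel-peer" name are assumptions, not values taken from the posts.
LAN = ipaddress.ip_network("172.16.0.0/16")
REMOTE = ipaddress.ip_network("10.1.0.0/16")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
FIREWALL = "172.16.1.3"

# Per-router tables: (prefix, next hop). "direct" means on-link delivery.
ROUTES = {
    "172.16.1.3": [(LAN, "direct"), (REMOTE, "172.16.1.1"), (DEFAULT, "wan")],
    "172.16.1.1": [(LAN, "direct"), (REMOTE, "tunnel-peer"), (DEFAULT, "172.16.1.3")],
    "tunnel-peer": [(REMOTE, "direct"), (LAN, "172.16.1.1"), (DEFAULT, "wan")],
}

def next_hop(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def host_table(own_net, gateway, extra=()):
    """End-host table: on-link network, default gateway, optional static routes."""
    return [(own_net, "direct"), (DEFAULT, gateway), *extra]

def trace(src_table, dst):
    """List the routers a packet crosses on its way from a host to dst."""
    path, hop = [], next_hop(src_table, dst)
    while hop not in ("direct", "wan"):
        path.append(hop)
        hop = next_hop(ROUTES[hop], dst)
    return path

def symmetric_at_firewall(client_table, client, server):
    """True when 172.16.1.3 sees both directions of the flow, or neither."""
    fwd = trace(client_table, server)
    rev = trace(host_table(REMOTE, "tunnel-peer"), client)
    return (FIREWALL in fwd) == (FIREWALL in rev), fwd, rev

if __name__ == "__main__":
    cases = {
        "gw 172.16.1.3": host_table(LAN, "172.16.1.3"),
        "gw 172.16.1.1": host_table(LAN, "172.16.1.1"),
        "gw .3 + static route": host_table(LAN, "172.16.1.3", [(REMOTE, "172.16.1.1")]),
    }
    for name, table in cases.items():
        print(name, symmetric_at_firewall(table, "172.16.150.55", "10.1.0.1"))
```

Only the first case is asymmetric: the request crosses 172.16.1.3 but the reply is delivered on-link by 172.16.1.1, which is the situation the per-host static route removes.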