Accessing 2 separate businesses on same ISP, same subnet, blocked.

We are an MSP and exclusively use Mikrotik equipment for our internal network as well as client sites. We have a CRS in our office as our main router and a 2011 series at this specific client location. We are in a Verizon FIOS area and they use a /24 netmask. This client happens to only be a couple blocks away from us so their IP block got provisioned on the same subnet as ours. Because of this we have issues with them accessing our services, such as off site backup.

Their router is very basic. Minus our normal set of rules and some queues for them it is pretty much out of the box with quick setup. I have tried disabling all firewall, mangle, and nat rules other than the default masq. and the problem is the same.

Our end is a little more custom so I suspect if there is anything wrong, it is on our end. Our primary ISP and IP is on a different subnet from them and we and they can talk just fine via that IP. But the block we have that is on the same subnet as them is our failover connection. So during testing when we fail over, they can’t connect to us and I can’t ping them.

Is this a setup issue? Or an expected problem since Verizon uses a /24 netmask?

If info is needed, what is the best way to export a config to post? Is there any command to mask sensitive info, or is that manual? I have never run into an issue I wasn't able to work through, so I'm not sure of the easiest way to post configs securely.

When you are in the same subnet as your destination, there must be a link at the L2 level. You will have to find out if that is really there. When you ping the other address, do you get a valid ARP entry in the ARP table with their IP and MAC address listed? If so, it is likely some setup issue at either end. If not, the network is not transparent at L2 for this communication, and either the /24 netmask is not correct or they did not think that clients in the same subnet would ever want to communicate and have chosen a configuration where that is impossible or difficult, just to make it easier for them to manage.

So it sounds like, although you're in the same IP subnet, you don't actually have a real L2 path between each other; it's probably VLAN-per-customer, and the routes are /32s pointed at Q-in-Q interfaces. As a result, your ARP requests for the "other side" go unheard.

If that’s the case, you’re doing everything right, and I’m not sure that you can fix it on your side…

On the provider’s side, “ip local proxy arp” on their customer vlan interfaces would fix it (assuming Cisco.)

You miiiiiiight be able to get it to work if on each side you put a static MAC entry in for the other side’s IP but using the MAC address of the provider’s default gateway. Maybe.
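The ARP check described in the first reply and the static-entry workaround from the last one, as an added RouterOS script that is not from any poster in this thread. The peer address 203.0.113.45, the WAN interface ether1 and the gateway 203.0.113.1 are assumed placeholder values.

```routeros
# Added example, not from the thread. Checks whether a same-subnet peer
# answers ARP on the WAN interface; if it does not, pins a static ARP entry
# for the peer using the ISP gateway's MAC so traffic is handed to the ISP.
# Assumed placeholder values: adjust to the real peer, interface and gateway.
:local peer "203.0.113.45"
:local wan "ether1"
:local gw "203.0.113.1"

# Ping a few times so the router actually sends ARP requests for the peer
:local replies [/ping $peer count=3 interface=$wan]

# A usable entry has a MAC address; an unanswered request leaves it empty
:local entry [/ip arp find where address=$peer interface=$wan]
:local peerMac ""
:if ([:len $entry] > 0) do={
  :set peerMac [/ip arp get ($entry->0) mac-address]
}

:if ([:len $peerMac] > 0) do={
  :put ("L2 path OK: " . $peer . " is at " . $peerMac . ", replies=" . $replies)
} else={
  :put ("No ARP reply from " . $peer . ": provider is not transparent at L2")
  # Workaround: resolve the peer to the gateway's MAC instead
  :local gwEntry [/ip arp find where address=$gw interface=$wan]
  :if ([:len $gwEntry] > 0) do={
    :local gwMac [/ip arp get ($gwEntry->0) mac-address]
    /ip arp add address=$peer mac-address=$gwMac interface=$wan comment="peer pinned via ISP gateway"
    :put ("Added static ARP: " . $peer . " -> " . $gwMac)
  } else={
    :put ("Gateway " . $gw . " has no ARP entry either; check the WAN link first")
  }
}
```

Run it on the failover (same-subnet) router and re-check with `/ip arp print where address=203.0.113.45`; remove the static entry if the provider later fixes L2 reachability, or the peer's real MAC will never be learned.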