Hello guys, I made an account here because I tried everything and looked everywhere but nothing worked for me.
First, I’m quite a noob with network and english is not my first language, so please forgive me for any mistake on this post.
The scenario:
I have a bridge interface between two ports, ether2 and ether3 (ether1 is the connection to the internet).
This bridge has 4 subnet’s, Subnet A 10.0.0.0/26, Subnet B 10.0.0.64/26, Subnet C 10.0.0.128/26, and Subnet D 10.0.0.192/26.
The Firewall has all the defaults settings plus a few rules to drop packets like this:
drop A → B
drop B → A
drop A → D
drop D → A
drop B → D
And has the rules to allow like that:
allow A → C
allow C → A
In terms of static routes, the default is applied, meaning:
The problem:
For some reason, I can’t get to ping from a host on A to C or C to A, however I can ping from A to 10.0.0.64(gateway) and I from C to 10.0.0.0(gateway), what should I do to be able to ping from A to C and vice versa?
*I feel like is important to mention that all subnets have access to the internet and that access is working properly, and when I try to ping from A to C the rule on the firewall to allow the packets to go to C is incremented.
[quote=jujuol post_id=992714 time=1679988381 user_id=214740]
I haven’t seen anyone who can go directly from A to C and vice versa.
[/quote]
So, how can I separate devices in groups and still have then communicate with each other, because you see I can’t have A and B talking, but I need C host’s to be accessible by both.
Easy,
One bridge ( no dhcp on bridge )
All vlans with interface bridge
Forward chain last rule add action=drop chain=forward.
++++++++++++++++++++++++++++++++++++++++++
Then
rules above last rule are simple → only what you allow
allow all vlans to internet
allow A to C
allow C to A
NO rules required for static routes as they are all created automatically by vlan structure.
+++++++++++++++++++++++++++++++++++++++++++++
In terms of pinging subnets, means little in terms of security/traffic flow.
Each gateway IP is part of the router and is thus usually pingable however no data can flow between vlans.
I’ll give it a try as soon as I can.
But, can you explain to me why with only subnets I can’t make this work? Like, in my head having two different subnets and a router with static routes for both should be able to direct the traffic.
You can only use one subnet assigned to a bridge is my understanding. Once you want more then vlans is the way!
Alternatively you dont need a bridge and can assigne each etherport a subnet.
Its clean and simple to use vlans.
PS. I also find it very confusing to use /26 and all IP addresses seem like they are in the same subnet LOL.
Stick to /24 and it will work for sure… no need to get cute
Multiple subnets on an interface (a.k.a. multinetting) is perfectly valid, but not common.
Packets may be blocked by the firewall forward drop invalid rule as the packet is leaving the same interface it entered, or the devices you are pinging may not be responding - in particular Windows does not reply to pings from outside the local subnet.
Probably you broken all, setting 10.0.0.> 0 > (and > 64> ) as gateway of one address reserved for subnetting…
I didn’t set it, it was by default as I added the subnets…
And describing the configuration as a novella, instead of showing it as it is without fictionalizing it, doesn’t help…
And no need to be an ass, just ask for the config files.
I made it like that so anyone who wants to help can do it without the need to study a config file, just telling me what the issues could be and let me do the work of research.
Since it’s you asking for help, it’s you who has to worry about showing it, not the others begging you to ask for it.
The issue is: you do not have correctly configured the device… easy guess…
Probably if you had posted the configuration directly (since you already knew what I meant), I or anyone else on the forum could have already found the cause.
But of course, any OP STORY is pure conjecture, hearsay and usually wrong and the only thing that really counts is evidence aka the config.
Even harder is getting the true requirements. If I read one more time I cant ping between subnets, i will reply, THEN GO MARRY THE FUCKING SUBNETS, pinging has nothing to do with users and their data. Pinging is a tool NOT a requirement
Dude, I have to work, I don’t have access to my router 24/7. The config is on the post now.
Since it’s you asking for help, it’s you who has to worry about showing it, not the others begging you to ask for it.
It is not begging, is just having a proper human interaction like “hey, post the config” instead of this condescending crap
And describing the configuration as a novella, instead of showing it as it is without fictionalizing it, doesn’t help…
The issue is: you do not have correctly configured the device… easy guess…
Despite the sarcasm, that’s actually useful, one of my inner question was if it was possible to make that communication between subnets (I don’t work with infrastructure, my knowledge is from classes decades ago), I don’t expect anyone to work for me for free, I just want insights or ideas.
For whoever wants to give insight, I’ll be thankful, but I won’t idolize anyone.
The requirements are pretty much what I said, I want hosts on the first subnet to communicate freely with hosts on the third, nothing more than that.
When I said ping, it was because I tried to see subnet C hosts from a host on A (both with win10, and by “see” I mean see shared folders) and I could not, the ping in this case, also did not work.
one dhcp client enabled but without interface:
/ip dhcp-client
add disabled=no
add disabled=no interface=ether1-TorresTelecom
one nat wit the same problem (yes, is disabled, i can see…)
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=*6
add action=masquerade chain=srcnat out-interface=ether1-TorresTelecom
The info on both are damaged, that can cause unexpected behaviours…
Your Admin pool is one /28, the IP is one /29 and on the DHCP server network is one /30…
/ip pool
add name=pool-Admin ranges=10.10.10.2-10.10.10.6
/ip address
add address=10.10.10.1/29 comment=AdminNet interface=ether4-Admin network=10.10.10.0
/ip dhcp-server network
add address=10.10.10.0/30 comment=AdminNet dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1
This network is not being used either, is kind of a backup network for a single machine in case I screw up the configs so much that I can't get access using the other ones, I'll remove it.
Routes are completely useless, just adding the IP to the bridge cause the creation of the corrected and needed routes.
/ip route
add distance=1 dst-address=10.0.0.0/26 gateway=bridge-ArchNet
add distance=1 dst-address=10.0.0.128/26 gateway=10.0.0.129
Yeah, I had 4, I tried some pretty weird things back then.
The pools I actually use, don't know if I am supposed though, like I use on the dhcp server to make machines that are supposed to be on each subnet get any IP from that pool.
