CCR-1036-8G-2S+ routing configuration problem

Hello.

I am a new user of a MikroTik router. We have bought the device CCR-1036-8G-2S+.

INFO:
I have connected the router from ether1 to an Ethernet wall socket, where a DHCP server runs.

I want to use ether2, ether3 and ether4 like a switch to the Ethernet wall socket. And it works fine.
For that I have configured ethernet_bridge as a bridge for ether1, ether2, ether3 and ether4 with a DHCP client.
The router gets its DHCP configuration correctly and is accessible via the assigned IP address. The assigned IP is from subnet 192.168.6.0/24.

As the next step, I have created local_bridge for ether5, ether6, ether7, ether8, sfp-sfpplus1 and sfp-sfpplus2 with a DHCP server for subnet 192.168.1.0/24.

When I connect a notebook via Ethernet cable to the ether8 port, an IP address is assigned. I am able to open the router web interface, ping the notebook itself, ping the gateway (router) and ping the router IP on subnet 192.168.6.0/24.

“ip address print” gives:

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.1.1/24     192.168.1.0     ether5
 1 D 192.168.6.105/24   192.168.6.0     ethernet_bridge

“ip route print” gives:

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.6.1               1
 1 ADC  192.168.1.0/24     192.168.1.1     local_bridge              0
 2 ADC  192.168.6.0/24     192.168.6.105   ethernet_bridge           0

PROBLEM:
From a computer on ether2, ether3 or ether4, I am able to access the internet and the company network, but from a computer on a port of local_bridge, I am not able to access the internet or the company network. I am not able to ping the DNS server assigned by the DHCP client. I am able to ping the router from the PC, but a ping from the router web ping tool gets no answer from the PC IP address (same for ping sources ethernet_bridge, local_bridge, ether8).

NOTE:
With another low-cost router, an easy configuration as a switch only, or with one Ethernet input and a local network, works fine.

ASK:
Please, is there somebody able to help me with the configuration of the router?

CONFIGURATION:
My configuration printed as text is below:

# jan/04/1970 21:02:43 by RouterOS 6.38.5
# software id = C7GH-7FWN
#
/interface bridge
add name=ethernet_bridge
add name=local_bridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=local_bridge name=local_dhcp
/interface bridge port
add bridge=ethernet_bridge interface=ether2
add bridge=ethernet_bridge interface=ether3
add bridge=ethernet_bridge interface=ether4
add bridge=local_bridge interface=ether5
add bridge=local_bridge interface=ether6
add bridge=local_bridge interface=ether7
add bridge=local_bridge interface=ether8
add bridge=local_bridge interface=sfp-sfpplus1
add bridge=local_bridge interface=sfp-sfpplus2
add bridge=ethernet_bridge interface=ether1
/interface bridge settings
set allow-fast-path=no
/ip address
add address=192.168.1.1/24 interface=ether5 network=192.168.1.0
/ip dhcp-client
add dhcp-options=clientid,clientid disabled=no interface=ethernet_bridge
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/system identity
set name="MikroTik router"

Start by changing

/ip address
add address=192.168.1.1/24 interface=ether5 network=192.168.1.0

to

/ip address
add address=192.168.1.1/24 interface=local_bridge network=192.168.1.0

When you create a bridge and add ports to it, it’s the bridge itself which should be assigned IPs, DHCP server/clients, etc. In summary: you should forget about individual interfaces making up the bridge and work with the bridge itself.

PROBLEM:
From a computer on ether2, ether3 or ether4, I am able to access the internet and the company network, but from a computer on a port of local_bridge, I am not able to access the internet or the company network. I am not able to ping the DNS server assigned by the DHCP client. I am able to ping the router from the PC, but a ping from the router web ping tool gets no answer from the PC IP address (same for ping sources ethernet_bridge, local_bridge, ether8).

Did you set a route on your internet router (192.168.6.1) to 192.168.1.0/24 via 192.168.6.105?

For routing between two routers to work, both of them need proper routes towards each other.

What’s happening now is that the CCR routes everything not addressed to 192.168.1.0/24 to your internet router, 192.168.6.1. But your internet router receives traffic from the 192.168.1.0/24 range, which, unless it has a specific route towards it, it will route via its default gateway, which most probably is its next hop towards the Internet, thus not being able to “reply” to the 192.168.1.0/24 host.

Hi pukkita.

I have tried this in the past:

/ip address
add address=192.168.1.1/24 interface=local_bridge network=192.168.1.0

And it looked like connectivity loss with no access to the router.
Now it looks better. After the change, I can still ping the router. But I still cannot ping my PC from the router.

Did you set a route on your internet router (192.168.6.1) to 192.168.1.0/24 via 192.168.6.105?

For routing between two routers to work, both of them need proper routes towards each other.

What’s happening now is that the CCR routes everything not addressed to 192.168.1.0/24 to your internet router, 192.168.6.1. But your internet router receives traffic from the 192.168.1.0/24 range, which, unless it has a specific route towards it, it will route via its default gateway, which most probably is its next hop towards the Internet, thus not being able to “reply” to the 192.168.1.0/24 host.

I am going to try it, but it will take some time. I do not have direct access to our internet router.
But it is a little confusing for me that these two DHCP configurations worked fine with the low-cost router via the same internet router a short time (days) ago.

For now, Thanks for your quick reply.

Most probably the low-cost router is masquerading whatever leaves its WAN interface as coming out from 192.168.6.105.

Because of this, the internet router thinks it is talking with 192.168.6.105, which it knows how to reach, and not the original 192.168.1.0/24 range IP address, which it doesn’t.

If you don’t have access to the Internet router, you can do the same in the meanwhile until you can configure it, i.e. making the CCR change the source address of everything going out ethernet_bridge as if it were requested by the CCR itself and not its 192.168.1.0/24 connected hosts.

To achieve that:

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24 out-interface=ethernet_bridge

Bear in mind you’ll be doing NAT two times to reach the internet (double NAT). Best practice is keeping NAT to the minimum and absolutely required; this will keep you running until you can set proper routing.
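
The return-path problem discussed in this thread, modelled as an added example (not part of any post above): a longest-prefix route lookup run on both routers shows why replies to 192.168.1.0/24 are lost, and why either the static route or the masquerade rule brings them back. The upstream router's table, its "ISP" next hop and the addresses 192.168.1.100 and 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# CCR routes are copied from the thread's route print. The upstream router's
# table is an assumption: the thread never shows it, and "ISP" is a placeholder.
CCR = [("0.0.0.0/0", "192.168.6.1"),
       ("192.168.1.0/24", "connected"),
       ("192.168.6.0/24", "connected")]
UPSTREAM = [("0.0.0.0/0", "ISP"),
            ("192.168.6.0/24", "connected")]
RETURN_ROUTE = ("192.168.1.0/24", "192.168.6.105")  # route asked about in the thread
CCR_WAN_IP = "192.168.6.105"


def lookup(table, dst):
    """Longest-prefix match: return the next hop chosen for dst."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(net), hop) for net, hop in table]
    matches = [(net, hop) for net, hop in nets if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_path(client, upstream_table, masquerade=False):
    """Return (source seen upstream, reply next hop, reply reaches the CCR)."""
    # With masquerade the CCR rewrites the source to its own WAN address.
    seen_src = CCR_WAN_IP if masquerade else client
    hop = lookup(upstream_table, seen_src)
    # The reply comes back only if it is sent to the CCR: directly to its own
    # address on the shared segment, or with the CCR as the gateway.
    reaches_ccr = hop == CCR_WAN_IP or (hop == "connected" and seen_src == CCR_WAN_IP)
    return seen_src, hop, reaches_ccr


if __name__ == "__main__":
    pc = "192.168.1.100"  # constructed client address from the DHCP pool
    print("CCR sends internet traffic to", lookup(CCR, "203.0.113.10"))
    print("no return route:", reply_path(pc, UPSTREAM))
    print("static route   :", reply_path(pc, UPSTREAM + [RETURN_ROUTE]))
    print("masquerade     :", reply_path(pc, UPSTREAM, masquerade=True))
```

With masquerade the upstream router only ever sees 192.168.6.105 as the source, so its logs and any address-based access rules no longer distinguish individual 192.168.1.0/24 hosts; the static route keeps the original client addresses visible.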