Hi
I'm currently running ROS 5.7 on both my RB411UAHR and RB711G, which are connected via a switch to my local network. I have a wireless interface on my RB711G that connects to a WUG (wireless user group). This WUG operates on the 172.18.0.0/16 subnet with static IP allocations. I have been allocated a /29 subnet to use for nodes on my network. Seeing that I have more than 6 nodes, I've created loopback interfaces on the RB711G (which connects to the WUG) that src-nat and dst-nat all traffic on specific WUG IPs to IPs in my local network that I choose. I.e.: 5 of my local network nodes will have dedicated WUG IPs (as seen from the WUG side) and the other nodes will simply masquerade behind the RB711G WUG IP.
The RB411UAHR runs my internal network. On it, a wireless interface connects to my ISP. I also have a hotspot running on this board. My local network is on the 192.168.0.0/24 subnet.
I have thus set up the routing and NAT so that the 172.18.0.0/16 range is reachable to all local network nodes. I also added walled-garden IP rules to allow 172.18.0.0/16 traffic to unauthenticated clients. But to my surprise, the hotspot somehow seems to interfere with this. If clients (on the local network) are unauthenticated, they can't seem to access (ping, http, etc.) the 172.18.0.0/16 subnet. But from the two RBs this subnet is reachable via many testing methods. Only once the hotspot is disabled are the clients able to reach the WUG subnet. If they are authenticated, on the other hand, they seem to be able to ping some addresses within the WUG subnet some of the time. But the majority of the time the response is a time-out. This is mostly the case with the network nodes that have 'dedicated' WUG IPs. In fact, I did most of the testing on my own PC (a dedicated WUG IP node) and the above-mentioned problems were all encountered. It is quite important that the hotspot still be active, but that nodes, and especially dedicated WUG nodes, have access to the WUG subnet.
Is the way I approached the 'loopback' setup correct?
Can anyone please guide me as to where I went wrong in this or any config?
Setup on RB411UAHR:
[Jeandre@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.0.100/24 192.168.0.0 Local-Interface-Bridge
1 D X.X.X.X/32 X.X.X.X VodaCom_3G
[Jeandre@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 X S 0.0.0.0/0 192.168.0.1 3
1 A S 0.0.0.0/0 VodaCom_3G 2
2 ADC X.X.X.X X.X.X.X VodaCom_3G 0
3 A S 172.16.0.0/16 192.168.0.1 1
4 A S ;;; Route to CTWUG
172.18.0.0/16 192.168.0.101 1
5 ADC 192.168.0.0/24 192.168.0.100 Local-Interface... 0
[Jeandre@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Masquerade for VodaCom_3G Network - Translate private ip range to public ip address
chain=srcnat action=masquerade out-interface=VodaCom_3G
1 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
[Jeandre@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; Media-Center-Upload
chain=forward action=passthrough src-address-list=Media-Center dst-address-list=Local
1 X ;;; Media-Center-Download
chain=forward action=passthrough src-address-list=Local dst-address-list=Media-Center
2 X ;;; Jeandre-Upload
chain=forward action=passthrough src-address-list=Jeandre dst-address-list=Local
3 X ;;; Jeandre-Download
chain=forward action=passthrough src-address-list=Local dst-address-list=Jeandre
4 X ;;; Calvin-Upload
chain=forward action=passthrough src-address-list=Calvin dst-address-list=Local
5 X ;;; Calvin-Download
chain=forward action=passthrough src-address-list=Local dst-address-list=Calvin
6 X ;;; Elizabeth-Upload
chain=forward action=passthrough src-address-list=Elizabeth dst-address-list=Local
7 X ;;; Elizabeth-Download
chain=forward action=passthrough src-address-list=Local dst-address-list=Elizabeth
8 X ;;; Anthony-Upload
chain=forward action=passthrough src-address-list=Anthony dst-address-list=Local
9 X ;;; Anthony-Download
chain=forward action=passthrough src-address-list=Local dst-address-list=Anthony
10 X ;;; PlayStation-Upload
chain=forward action=passthrough src-address-list=PlayStation dst-address-list=Local
11 X ;;; PlayStation-Download
chain=forward action=passthrough src-address-list=Local dst-address-list=PlayStation
12 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
13 X ;;; VPN-Up#vpn-ul@54345133%7059774
chain=forward action=accept out-interface=(unknown)
14 X ;;; VPN-Down#vpn-dl@49095379%9514034
chain=forward action=accept in-interface=(unknown)
[Jeandre@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=prerouting action=mark-routing new-routing-mark=JeandreUCom passthrough=yes src-address-list=Jeandre dst-address-list=!Local
1 X ;;; VPN_UL#vpn@134842126%25187326
chain=forward action=accept out-interface=JeandresSTBviaVCom
2 X ;;; VPN_DL#vpn@179443019%41857469
chain=forward action=accept in-interface=JeandresSTBviaVCom
3 X ;;; CLIENT_UL#jeandre@0%0
chain=forward action=accept src-address-list=Jeandre out-interface=VodaCom_3G
4 X ;;; CLIENT_DL#jeandre@0%0
chain=forward action=accept dst-address-list=Jeandre in-interface=VodaCom_3G
5 X ;;; CLIENT_UL#lizzie@0%0
chain=forward action=accept src-address-list=Elizabeth out-interface=VodaCom_3G
6 X ;;; CLIENT_DL#lizzie@0%0
chain=forward action=accept dst-address-list=Elizabeth in-interface=VodaCom_3G
7 X ;;; CLIENT_UL#calvin@0%0
chain=forward action=accept src-address-list=Calvin out-interface=VodaCom_3G
8 X ;;; CLIENT_DL#calvin@0%0
chain=forward action=accept dst-address-list=Calvin in-interface=VodaCom_3G
9 X ;;; CLIENT_UL#tony@0%0
chain=forward action=accept src-address-list=Anthony out-interface=VodaCom_3G
10 X ;;; CLIENT_DL#tony@0%0
chain=forward action=accept dst-address-list=Anthony in-interface=VodaCom_3G
11 X ;;; CLIENT_UL#mediacenter@0%0
chain=forward action=accept src-address-list=Media-Center out-interface=VodaCom_3G
12 X ;;; CLIENT_DL#mediacenter@0%0
chain=forward action=accept dst-address-list=Media-Center in-interface=VodaCom_3G
13 X ;;; CLIENT_UL#playstation@0%0
chain=forward action=accept src-address-list=PlayStation out-interface=VodaCom_3G
14 X ;;; CLIENT_DL#playstation@0%0
chain=forward action=accept dst-address-list=PlayStation in-interface=VodaCom_3G
15 X ;;; CLIENT_UL#ipad@0%0
chain=forward action=accept src-address-list=iPad out-interface=VodaCom_3G
16 X ;;; CLIENT_DL#ipad@0%0
chain=forward action=accept dst-address-list=iPad in-interface=VodaCom_3G
17 X ;;; CLIENT_UL#guest@0%0
chain=forward action=accept src-address-list=Guest out-interface=VodaCom_3G
18 X ;;; CLIENT_DL#guest@0%0
chain=forward action=accept dst-address-list=Guest in-interface=VodaCom_3G
19 X ;;; STAT - Keep Disabled#95@00%1&0!day?0
chain=prerouting action=accept
[Jeandre@MikroTik] > interface bridge print
Flags: X - disabled, R - running
0 R ;;; Bridge Interface - To bridge lan and wifi to one network and ip range
name="Local-Interface-Bridge" mtu=1500 l2mtu=1526 arp=enabled mac-address=00:00:5E:80:00:01 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:0C:42:49:04:6C max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
[Jeandre@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 EtherNet_1 Local-Interface-Bridge 0x80 10 none
1 Marshal_Network_Wifi Local-Interface-Bridge 0x80 10 none
2 EoIP-JeandreSTB Local-Interface-Bridge 0x80 10 none
3 CTWUG-AP Local-Interface-Bridge 0x80 10 none
[Jeandre@MikroTik] > ip dhcp-server network print
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 ;;; Network setup to allocate default gateway and dns server to clients
192.168.0.0/24 192.168.0.100
[Jeandre@MikroTik] > ip dhcp-server print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 Marshall_Network_DHCP Local-Interface-Bridge Marshall_Network_Pool 3d yes
[Jeandre@MikroTik] > ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 Marshall-Network HP Local-Interface-Bridge Marshall-Network SP none
[Jeandre@MikroTik] > ip hotspot profile print
Flags: * - default
0 * name="Marshall-Network SP" hotspot-address=192.168.2.5 dns-name="hotspot.marshallnetwork" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=mac,http-chap mac-auth-password="" split-user-domain=no use-radius=no
[Jeandre@MikroTik] > ip hotspot user profile print
Flags: * - default
0 * name="Marshall-Network UP" idle-timeout=20m keepalive-timeout=5m status-autorefresh=1m shared-users=unlimited transparent-proxy=no
[Jeandre@MikroTik] > ip hotspot walled-garden ip print
Flags: X - disabled, I - invalid
# SERVER PROTOCOL DST-HOST DST-ADDRESS DST-PORT ACTION
0 ;;; Access for users to access the internal network - Bypass usage counters
Marshall-Network HP 192.168.0.0/24 accept
1 ;;; Access for users to access CTWUG - Bypass usage counters
Marshall-Network HP 172.18.0.0/16 accept
2 ;;; Bypass for UCom Network
Marshall-Network HP 172.16.0.0/16 accept
3 X ;;; Access for users to access CTWUG - Bypass usage counters
172.18.55.1 accept
4 X ;;; Access for users to access CTWUG - Bypass usage counters
172.18.13.246 accept
[Jeandre@MikroTik] > ip hotspot walled-garden print
Flags: X - disabled, D - dynamic
# SERVER METHOD DST-HOST DST-PORT PATH ACTION HITS
0 D ;;; Access for users to access the internal network - Bypass usage counters
Marshal... allow 0
1 D ;;; Access for users to access CTWUG - Bypass usage counters
Marshal... allow 0
2 D ;;; Bypass for UCom Network
Marshal... allow 0
3 X ;;; place hotspot rules here
allow 0
[Jeandre@MikroTik] >
Setup on RB711G:
[Jeandre@ZioN_CPT] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.0.101/24 192.168.0.0 Ethernet
1 172.18.50.37/32 172.18.50.37 RB433-Loopback
2 172.18.50.33/32 172.18.50.33 Gene-Loopback
3 172.18.50.34/32 172.18.50.34 Jacques-Loopback
4 172.18.50.35/32 172.18.50.35 Jeandre-Loopback
5 172.18.50.36/32 172.18.50.36 MediaCenter-Loopback
6 172.18.50.38/32 172.18.50.254 CTWUG-Pluto
[Jeandre@ZioN_CPT] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 172.18.0.0/16 172.18.50.254 1
1 ADC 172.18.50.33/32 172.18.50.33 Gene-Loopback 0
2 ADC 172.18.50.34/32 172.18.50.34 Jacques-Loopback 0
3 ADC 172.18.50.35/32 172.18.50.35 Jeandre-Loopback 0
4 ADC 172.18.50.36/32 172.18.50.36 MediaCenter-Loo... 0
5 ADC 172.18.50.37/32 172.18.50.37 RB433-Loopback 0
6 ADC 172.18.50.254/32 172.18.50.38 CTWUG-Pluto 0
7 ADC 192.168.0.0/24 192.168.0.101 Ethernet 0
[Jeandre@ZioN_CPT] > interface bridge print
Flags: X - disabled, R - running
0 R name="Jeandre-Loopback" mtu=1500 l2mtu=65535 arp=enabled
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
1 R name="Gene-Loopback" mtu=1500 l2mtu=65535 arp=enabled
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
2 R name="Jacques-Loopback" mtu=1500 l2mtu=65535 arp=enabled
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
3 R name="MediaCenter-Loopback" mtu=1500 l2mtu=65535 arp=enabled
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
4 R name="RB433-Loopback" mtu=1500 l2mtu=65535 arp=enabled
mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
[Jeandre@ZioN_CPT] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=drop dst-address-list=!WUG-Range in-interface=CTWUG-Pluto
[Jeandre@ZioN_CPT] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Jeandre - Out
chain=srcnat action=src-nat to-addresses=172.18.50.35 src-address=192.168.0.110 dst-address=172.18.0.0/16
1 ;;; Media Center - Out
chain=srcnat action=src-nat to-addresses=172.18.50.36 src-address=192.168.0.150 dst-address=172.18.0.0/16
2 ;;; Gene - Out
chain=srcnat action=src-nat to-addresses=172.18.50.33 src-address=192.168.0.210 dst-address=172.18.0.0/16
3 ;;; Jacques - Out
chain=srcnat action=src-nat to-addresses=172.18.50.34 src-address=192.168.0.220 dst-address=172.18.0.0/16
4 ;;; Marshall-Network RB - Out
chain=srcnat action=src-nat to-addresses=172.18.50.37 src-address=192.168.0.100 dst-address=172.18.0.0/16
5 ;;; Gene - In
chain=dstnat action=dst-nat to-addresses=192.168.0.210 src-address=172.18.0.0/16 dst-address=172.18.50.33
6 ;;; Jacques - In
chain=dstnat action=dst-nat to-addresses=192.168.0.220 src-address=172.18.0.0/16 dst-address=172.18.50.34
7 ;;; Jeandre - In
chain=dstnat action=dst-nat to-addresses=192.168.0.110 src-address=172.18.0.0/16 dst-address=172.18.50.35
8 ;;; Media Center - In
chain=dstnat action=dst-nat to-addresses=192.168.0.150 src-address=172.18.0.0/16 dst-address=172.18.50.36
9 ;;; Marshall-Network RB - In
chain=dstnat action=dst-nat to-addresses=192.168.0.100 src-address=172.18.0.0/16 dst-address=172.18.50.37
10 ;;; All Others Masq
chain=srcnat action=masquerade src-address-list=!Internal-WUG-IPs out-interface=CTWUG-Pluto
[Jeandre@ZioN_CPT] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
[Jeandre@ZioN_CPT] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R Ethernet ether 1500 1600 4076
1 R CTWUG-Pluto wlan 1500 2290
2 R Jeandre-Loopback bridge 1500 65535
3 R Gene-Loopback bridge 1500 65535
4 R Jacques-Loopback bridge 1500 65535
5 R MediaCenter-Loopback bridge 1500 65535
6 R RB433-Loopback bridge 1500 65535
[Jeandre@ZioN_CPT] >
As I mentioned above, once nodes are authenticated they are able to ping addresses within the WUG subnet some of the time, and some of the time they can't. But they generally can't seem to receive data, i.e.: http pages on the WUG subnet can't load, and software such as chat clients can't connect.
This is the first time I have encountered such varying network behaviour. I can't seem to see where I went wrong. Perhaps a fresh set of eyes could do the trick.
Thanks so much
Kind Regards
ZioN
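As an added illustration (not part of the original post, and not RouterOS code), here is a small Python model of the first-match NAT evaluation that the RB711G's `ip firewall nat` table performs. It rebuilds the eleven rules printed above, traces a dedicated-IP host, a masqueraded host and a reply from the WUG through the `srcnat` and `dstnat` chains, and includes a check for LAN hosts that are excluded from the masquerade rule but have no 1:1 `src-nat` rule of their own, since such hosts would leave the router with an unroutable 192.168.0.x source. The contents of the `Internal-WUG-IPs` address list are not shown on the page, so the set used here is an assumption (the five statically mapped LAN hosts); the `CTWUG-Pluto` address comes from the `ip address print` output. Connection tracking is not modelled.

```python
"""First-match model of a RouterOS-style NAT table (hypothetical, not RouterOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: Optional[str] = None  # interface the packet would leave on (None for inbound)


@dataclass(frozen=True)
class NatRule:
    chain: str                              # "srcnat" or "dstnat"
    action: str                             # "src-nat", "dst-nat" or "masquerade"
    comment: str = ""
    to_addresses: Optional[str] = None
    src_address: Optional[str] = None       # host or CIDR
    dst_address: Optional[str] = None       # host or CIDR
    src_address_list: Optional[str] = None  # "!name" negates the list
    out_interface: Optional[str] = None


# Interface address used by masquerade; taken from the RB711G 'ip address print'.
IFACE_ADDR = {"CTWUG-Pluto": "172.18.50.38"}

# ASSUMPTION: the page never prints this list; assumed to hold the five mapped LAN hosts.
ADDRESS_LISTS = {
    "Internal-WUG-IPs": {"192.168.0.110", "192.168.0.150", "192.168.0.210",
                         "192.168.0.220", "192.168.0.100"},
}


def _in_net(addr: str, spec: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _list_match(addr: str, spec: str) -> bool:
    negate = spec.startswith("!")
    member = addr in ADDRESS_LISTS.get(spec.lstrip("!"), set())
    return member != negate


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """Every matcher present on the rule must hit; absent matchers match anything."""
    if rule.src_address and not _in_net(pkt.src, rule.src_address):
        return False
    if rule.dst_address and not _in_net(pkt.dst, rule.dst_address):
        return False
    if rule.src_address_list and not _list_match(pkt.src, rule.src_address_list):
        return False
    if rule.out_interface and pkt.out_iface != rule.out_interface:
        return False
    return True


def apply_chain(rules, chain: str, pkt: Packet):
    """The first matching rule in the chain rewrites the packet; returns (packet, comment)."""
    for r in rules:
        if r.chain != chain or not rule_matches(r, pkt):
            continue
        if r.action == "src-nat":
            return Packet(r.to_addresses, pkt.dst, pkt.out_iface), r.comment
        if r.action == "masquerade":
            return Packet(IFACE_ADDR[pkt.out_iface], pkt.dst, pkt.out_iface), r.comment
        if r.action == "dst-nat":
            return Packet(pkt.src, r.to_addresses, pkt.out_iface), r.comment
    return pkt, None  # no rule hit: the packet passes untranslated


# The RB711G rules as printed: (comment prefix, LAN host, dedicated WUG address).
_MAP = [("Jeandre", "192.168.0.110", "172.18.50.35"),
        ("Media Center", "192.168.0.150", "172.18.50.36"),
        ("Gene", "192.168.0.210", "172.18.50.33"),
        ("Jacques", "192.168.0.220", "172.18.50.34"),
        ("Marshall-Network RB", "192.168.0.100", "172.18.50.37")]
RB711G_NAT = [NatRule("srcnat", "src-nat", f"{n} - Out", to_addresses=w,
                      src_address=l, dst_address="172.18.0.0/16") for n, l, w in _MAP]
RB711G_NAT += [NatRule("dstnat", "dst-nat", f"{n} - In", to_addresses=l,
                       src_address="172.18.0.0/16", dst_address=w) for n, l, w in _MAP]
RB711G_NAT.append(NatRule("srcnat", "masquerade", "All Others Masq",
                          src_address_list="!Internal-WUG-IPs", out_interface="CTWUG-Pluto"))


def untranslated_hosts(rules, excluded_from_masq) -> list:
    """LAN hosts kept out of masquerade that no src-nat rule covers: their traffic
    would reach the WUG with a private 192.168.0.x source and never get a reply."""
    covered = {r.src_address for r in rules if r.chain == "srcnat" and r.action == "src-nat"}
    return sorted(set(excluded_from_masq) - covered)


if __name__ == "__main__":
    for chain, pkt in [("srcnat", Packet("192.168.0.110", "172.18.13.246", "CTWUG-Pluto")),
                       ("srcnat", Packet("192.168.0.50", "172.18.13.246", "CTWUG-Pluto")),
                       ("dstnat", Packet("172.18.55.1", "172.18.50.35"))]:
        print(chain, pkt, "->", apply_chain(RB711G_NAT, chain, pkt))
    print("uncovered:", untranslated_hosts(RB711G_NAT, ADDRESS_LISTS["Internal-WUG-IPs"]))
```

The coverage check is the part worth keeping around: any host added to the exclusion list without a matching 1:1 rule silently falls through both chains, which is exactly the kind of gap that produces "works for some hosts, times out for others".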