Hello,
I made a thread some time earlier (http://forum.mikrotik.com/t/problem-with-vlan-routing/137753/1), but it seems I was out of my depth.
So I have simplified the configuration, stripped those unused “public” VLANs and set up a testing environment.
Switch1, ether1 [S1E1] is the uplink to the Zyxel DHCP, which gives out 10.10.30.x/24 addresses
Switch1, ether3 [S1E3] is the only port in bridgePublic and is connected to [S3E1]
Switch3, ether2 [S3E2] is connected to the Synology, from where I test connectivity
On Switch1 all ports except ether3 are in bridge LAN
On Switch3 ports ether1-8 are bridged to bridgePublic
There is a DHCP server on Switch1, which gives out 10.10.32.x/24 addresses through bridgePublic with address 10.10.32.1/24 (the only port is S1E3)
So far I am getting 10.10.32.249/24 on S3E3, as expected, and I can ping 10.10.32.1
But when I set up a masquerade rule on S1
No need to begin a new post… we could continue there…
Well, since no one knows how your VLANs are configured, it is difficult to predict the problem…
Obviously it is not the Masquerade rule that does not work but something inside your VLANs…
You could export your configs with hide-sensitive and post it inside code tags…
Hello, I’ve stripped those VLANs to narrow the problem.
The only ones that are there are those in bridgeLAN, and they function normally - getting addresses, communicating with the outside world, the whole shebang.
Can you draw a diagram of your network? It seems very confusing at the moment as it’s not clear to me what devices you have, and if they are acting as switches or routers.
“Masquerade not functioning” meaning: I can’t get from the 10.10.32.x/24 subnet anywhere past Switch1, addresses aren’t NATed; the rule itself, if I log it, doesn’t get triggered
I can ping from NAS eth3 as far as 10.10.30.198 but not 10.10.30.1
Switch 1 does not need any Masquerade Rule to Ping 1.1.1.1 or any Public Address !!!
When switch 1 tries to reach 1.1.1.1 it will send the traffic to its default gateway 10.10.30.1 through ether 1 with IP 10.10.30.198. So 10.10.30.198 → 10.10.30.1.. Then the ISPs Router will nat the connection, reach 1.1.1.1 and when the reply comes back it will unNAT the connection and send it back to 10.10.30.198 with src address 1.1.1.1… So switch 1 will get a reply from the address it expected, so everything is fine…
This does not of course happen when we try to reach 1.1.1.1 or 10.10.30.1 from switch 2. There we need the masquerade rule, because our ISP’s router does not know how to reach switch 2… (You could instead add a route on your ISP for the subnet 10.10.32.0/24 with Gateway 10.10.30.198)
Check the above cases and check your whole configuration again…
I think you’re not getting what I’m saying:
Of course switch1 can ping everything, no problem there.
Switch3 on the other hand…
“There we need the masquerade rule, because our ISP’s router does not know how to reach switch 2”, it’s switch 3, but that’s just semantics
The rule is there
Agree with Zach. There is only one device you should be calling a switch. The first device is the primary router, the second device is acting as a router and the third device is acting purely as a switch.
Personally I would ditch the Zyxel unit, as I do not see what it adds to the mix, other than making your life difficult.
Also you seem to be concerned with traffic coming from the ISP getting back to the third device, that is destination NAT.
@Zach “There we need the masquerade rule, because our ISP’s router does not know how to reach switch 2… (You could instead add a route on your ISP for the subnet 10.10.32.0./24 with Gateway 10.10.30.198)” Do you mean the options are:
(1) On Secondary Router, create a routing from 10.10.32.1 to 10.30.1.198? or
(2) On Secondary Router create a masquerade rule
add chain=srcnat action=src-nat src-address=10.10.32.0/24 to-address=10.10.30.198 out-interface=bridgeLAN
@anav,
(1) That is not needed anyway, so no…
(2) Also, even if you don’t specify the “to-address=10.10.30.198”, the masquerade will see that the out interface is 10.10.30.198, so that will be the address we will be masqueraded to anyway…
What I said is a little different… That even if we do not use masquerade at all we can still reach the internet, but we must first let the ISP’s router know where we are, or better where we are… Case 1, Secondary Router with no masquerade or src-nat: ping 1.1.1.1 results in:
1. The secondary router will send the traffic to the ISP’s router through 10.10.30.198, the ISP will perform NAT on its side and reach 1.1.1.1; when the reply comes back from 1.1.1.1, the ISP’s router will perform reverse NAT (unNAT the connection), and the secondary router will receive its answer from 1.1.1.1 as it should. So success !!!
Case 2, Switch 10.10.32.3 with no masquerade or src-nat && Secondary Router with no masquerade or src-nat: ping 1.1.1.1 from the switch results in:
The switch must have a default route to 10.10.32.1, our secondary router, so it will send all the unknown traffic there… So after the switch sends the traffic to the secondary router, the secondary router will send this unknown traffic to our ISP’s router through its default route… So our ISP’s router will receive a packet from 10.10.32.3, our switch, with destination address 1.1.1.1. The ISP’s router will NAT the connection, reach the destination 1.1.1.1, perform reverse NAT again as soon as it gets the reply from 1.1.1.1, and it will try to reach 10.10.32.3 so that it sends the answer back from 1.1.1.1… But where is 10.10.32.3? The ISP’s router has no clue…! So our switch will never get a response! But if we add a route on the ISP’s router for the subnet 10.10.32.0/24 with gateway 10.10.30.198, now the ISP’s router knows how to reach 10.10.32.3 and it will successfully send the answer from 1.1.1.1. So success again !!!
So in both cases we could reach the Internet without any masquerade rule… I tried to explain it in simple words…
Of course the easiest is to just add a masquerade rule on the secondary router and everything should/must work. If it doesn’t, something is wrong on the secondary router, or the switch, or anywhere else…
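The return-path argument above (Case 1, Case 2 with a static route on the ISP, and Case 2 with masquerade on the secondary router), as an added simulation that is not from the thread or any MikroTik code: each hop does a longest-prefix route lookup and keeps a tiny NAT table, and a ping only “succeeds” if the reply can be routed back to the original sender. The public address 203.0.113.5 and the next-hop labels are constructed for the model.

```python
import ipaddress as ipa

# Constructed model of the thread's path: Switch3 host (10.10.32.3) -> Switch1, the
# secondary router (10.10.32.1 inside, 10.10.30.198 toward the Zyxel) -> Zyxel ISP
# router (10.10.30.1, NATs to a made-up public address) -> 1.1.1.1. Hypothetical code.
DST, PUBLIC = "1.1.1.1", "203.0.113.5"
SECONDARY_ROUTES = [(ipa.ip_network("10.10.32.0/24"), "direct"),
                    (ipa.ip_network("10.10.30.0/24"), "direct"),
                    (ipa.ip_network("0.0.0.0/0"), "10.10.30.1")]
ISP_ROUTES = [(ipa.ip_network("10.10.30.0/24"), "direct"),
              (ipa.ip_network("0.0.0.0/0"), "upstream")]

def route(table, dst):
    """Longest-prefix match over (network, next_hop) pairs; None when nothing matches."""
    hits = [r for r in table if ipa.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

class Router:
    """Minimal router: a routing table plus an optional src-nat (masquerade) rule.
    The NAT table is keyed on (translated src, dst) only; real conntrack also uses ports."""
    def __init__(self, routes, snat=None):
        self.routes, self.snat, self.nat_table = routes, snat, {}
    def forward_out(self, src, dst):
        if self.snat and ipa.ip_address(src) in self.snat[0]:
            self.nat_table[(self.snat[1], dst)] = src   # remember who gets the reply
            src = self.snat[1]
        return src, route(self.routes, dst)
    def forward_back(self, src, dst):
        dst = self.nat_table.get((dst, src), dst)       # un-NAT if the reply matches an entry
        return dst, route(self.routes, dst)

def ping(src, isp_extra_routes=(), secondary_masquerade=False):
    """True if an echo request from src to 1.1.1.1 gets its reply all the way back to src."""
    snat = (ipa.ip_network("10.10.32.0/24"), "10.10.30.198") if secondary_masquerade else None
    secondary = Router(SECONDARY_ROUTES, snat)
    isp = Router(ISP_ROUTES + list(isp_extra_routes), (ipa.ip_network("10.0.0.0/8"), PUBLIC))
    s = src                                     # Case 1: Switch1 itself is the sender
    if ipa.ip_address(src) in ipa.ip_network("10.10.32.0/24"):
        s, _ = secondary.forward_out(src, DST)  # Case 2: the packet first crosses Switch1
    pub, _ = isp.forward_out(s, DST)            # the Zyxel NATs it; 1.1.1.1 answers to pub
    back, nh = isp.forward_back(DST, pub)       # un-NAT on the Zyxel, then a route lookup
    if nh in (None, "upstream"):
        return False   # no route for 10.10.32.0/24: reply leaks out the default route, lost
    back, _ = secondary.forward_back(DST, back)  # reply reaches Switch1, which un-NATs if needed
    return back == src

STATIC = [(ipa.ip_network("10.10.32.0/24"), "10.10.30.198")]   # the route proposed for the ISP
```

ping("10.10.30.198") returns True and ping("10.10.32.3") returns False; passing isp_extra_routes=STATIC or secondary_masquerade=True makes the second case True, which is exactly the distinction drawn in the post.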
ip route add distance=1 dst-address=10.10.32.0/24 gateway=10.10.30.198
on Switch1 (Secondary router)
Tomorrow, and see what I see, although we’re planning to isolate the 10.10.30.x and 10.10.32.x sites in the future
Removing the Zyxel is planned, but for now it’s a no-go, there is a standing outsourcing contract.
What boggles me most is that I have, as I posted, a pair of MikroTiks in another part of the network set up fairly the same, and they work!
Will post configs tomorrow for you to examine
@crucker what I’ve suggested are working methods !!!
(1) Obviously there are more things going wrong with your configuration then!!!
(2) You don’t read my suggestions carefully… That route must be added to your ISP, not to the MikroTik !!!
“What boggles me most is that I have, as I posted, a pair of MikroTiks in another part of the network set up fairly the same, and they work!”
The fact that one works and a different one doesn’t does not mean anything…
Reset the secondary router totally to no configuration… set an address on ether1, 10.10.30.198/24, create a default route to 10.10.30.1. Open a terminal and see that you can ping 1.1.1.1
So, for (2): sorry, I misread, but as I said, I can’t touch the ISP router (Zyxel)
As for a total reset, I was saving that for last.
I’ll try, but there MUST be a bridge with other ports, not a naked ether1. I’m just saying this up front, so I don’t get scolded when there isn’t one.
The first attempt I can do is Friday morning (holiday), so there won’t be updates until then.
If anyone else has any ideas, you are welcome to post.
@Zacharis
“The fact that one Works and a different one doesn’t does not mean anything…”
A bit non-deterministic, isn’t it?
No…
Each MikroTik can have a totally different configuration. So it does not say anything to me.
Also I do not understand why you can’t add a route on your ISP’s router…
The reason I said only ether1 is so that you see it actually works… So please just keep your config to only the absolute basics… This will help you, not me…
I know how it works… If you keep adding and adding things that you don’t know what they do, most probably you will not make this simple setup work!
The whole setup is screwy.
Now that I think I understand it better here is what I suggest.
Only use the DHCP from the Zyxel as the WAN IP for the second device and not for any devices on device 2.
Thus S1E1 is a “WAN” input.
The second device will act fully as a router.
Then in the second device you only need to create ONE bridge with two (or more) VLANs:
vlanA, is for the local devices on that switch/router
vlanB is for the third device switch only
Much better because on the second device you can create as many vlans as you wish and pass them down to the third device (purely acting as a switch) not just vlan B, if required.
@anav
Hello, your post has very little usable information. Is it possible for you to at least use the terminology of the opening post [Zyxel, Switch1, Switch3]?
And, if it is not obvious:
I cannot mess with Zyxel
I need the 10.10.30.x/24 network on Switch1 - there are devices with static addresses
10.10.32.x/24 won’t be necessary only on Switch3 - it should be a VLAN for guest devices. I’ve stripped the VLANs and made it just a subnet on physical ports so it can be tuned without any fuss.
I suspect you need to read up on configuring MT switches; you can do it two ways.
Use SwOS, which is not always intuitive, or use RouterOS with hardware offloading.
For an example, check out the last code block in this post…
viewtopic.php?f=2&t=158824&p=780499#p780499
This is your post from last thread. Are you trying to help or just throwing ideas without any connection?