Multiple NICs in RouterOS

I’m having a very strange issue and maybe someone can shed some light on this.
I’m running v2.9.8 on a PC based router with 2 NICs:

  • NIC 1 is configured with IP 10.10.4.100/23
  • NIC 2 is configured with IP 192.168.100.1/24

Both NICs are connected to a switch and I also have my laptop connected to the switch with an IP of 10.10.4.102. I can connect to the PC router with WinBox on NIC 1 ONLY when both network cables are plugged into the PC router. If I disconnect the network cable from NIC 2 (192.168.100.1), I can no longer connect to the router using WinBox through NIC 1 (10.10.4.100) which is on the same LAN as my laptop.

Why is this? Shouldn’t the interfaces be independent of each other? Can someone please give me a heads up on this…I’m going crazy. Maybe I’ve missed a step…

Thank You!!!

Might want to check your subnet mask on the notebook; a /23 should be 255.255.254.0.

OK..I rebooted the router and everything seems to be working. Now another question…I’ve set up my static route (i.e. 0.0.0.0/0 GW 10.10.4.1) to point to the IP of an edge router (10.10.4.1), I then set my laptop up with a GW of 192.168.122.1. Shouldn’t the PC router send all traffic out the interface on the network as the edge router (in this case 10.10.4.100) based on the static route?

Thanks again…

You have to masquerade the LAN, and why do you use MT if you’re pointing to another router??

Regards..

And you have set a static route in the edge router too??? :wink:

OK…I’ve put some diagrams together to help clarify what I’m trying to accomplish.
This diagram http://206.123.216.126/current.gif shows how we currently are doing NAT on a Cisco 3640 at a tower node. The tower node is linked via a Mikrotik 5GHz PTP at approx. 20 miles. The opposite end of the tower node serves wireless customers via numerous Trango AP’s. The customer routers (i.e. Linksys, D-Link) are configured with an IP such as 10.10.4.10 and a gateway of 10.10.4.1. These are then NAT’ed by the Cisco 3640 at the main tower node for any outbound Internet requests.

Here is my proposed configuration: http://206.123.216.126/proposed.gif. What I’m trying to accomplish with a PC based MikroTik router is network segmentation so that the customer gateway is moved closer to the AP. This way we can obviously minimize any issues (i.e. virus activity) at each subsequent AP. In other words, utilize the MikroTik routing functionality behind each AP BEFORE it’s sent through the PTP link and NAT’ed by the Cisco 3640.

I want to KEEP the NAT functionality on the 3640 BUT take some pressure of packet filtering off of the 3640 and focus it towards the MikroTik PC based routers.

Please see the above posts as to how I’m trying to configure the PC Based router. I seem to be having trouble with the fact that if I configure both NICs in the PC based router with IPs such as 10.10.4.100 and 10.10.4.111 (for test purposes) and create a default route of 0.0.0.0/0 GW 10.10.4.1, and I then configure my laptop with an IP like 10.10.4.10, I can NOT for the life of me get traffic to hit the 3640. Is this because the interfaces can NOT have IP’s on the same subnet?

Any HELP would be GREATLY appreciated!!!

I’m not sure I understand. Could this have anything to do with the little Linux peculiarity of answering ARP for all its active IP addresses regardless of which interface the ARP query came in on? And if you have disable-running-check=no then when you unplug a cable the IP address on the corresponding ethernet NIC would become inactive and thus unavailable?

confused :frowning:

Even since you provided the pictures, I still do not have a clue where the gateway with the IP address 192.168.122.1 is.

Disregard the GW IP of 192.168.122.1. This was for test purposes to see if I could get RouterOS to work with IP’s on different subnets. Sorry for the confusion.

The pictures show how it REALLY is/should be configured. The PC based router has 2 NICs and the IPs would be as follows (in my mind at least):

  • NIC 1 = 10.10.4.1
  • NIC 2 = 10.10.4.101

NIC 1 would be connected to a switch along with the Trango AP’s, and NIC 2 would be connected to the MikroTik PTP backhaul. Then per the default route, RouterOS would send all traffic out NIC 2 (10.10.4.101) AND because this interface is on the same LAN as 10.10.4.100, which would be Cisco 3640 per my proposed diagram, all traffic would ultimately be routed to the 3640 for NAT.

Currently the IP of 10.10.4.1 exists on the 3640 BUT I want it to exist on the PC based router which would make that the GW for the already configured customer routers.

Does that make sense?

Any ideas?

sten:

How do you get 'round disable-running-check=no in RouterOS?

Thanks!

I’ll try to generalize this a bit.
I have two NICs in the PC based router, and they are assigned IP addresses on the same network/mask (which I know is invalid…but must happen). One is connected to a LAN switch and the other to a MikroTik PTP. Which interface needs to have proxy-arp enabled so that the configuration is valid?

I really don’t understand what you believe you will accomplish with this scheme, but…

IPs from within the same subnet CANNOT be used on distinct interfaces, the router will not have any way to determine the proper egress interface. Proxy arp will not get around that. Not only is it a bad idea, it simply won’t work without some byzantine hackery.

Nevertheless, here are a couple of byzantine hacks you could try if you are determined to set it up similar to what you describe… (not recommended)

You could split the subnet on the MT (i.e. if it is a /23 cut it into 2 /24s), and use one on each interface, and enable proxy arp on both interfaces. Then, so long as you keep the machines on either side within the appropriate /24, and configure them with a /23 netmask, they should be able to reach you. This is about the closest sort of semi-functional setup I can imagine to what you describe.

Another bad, but perhaps semi-workable, way would be to setup /32 addresses on the MT for every device on the two networks, assigned to the appropriate interface, and enable proxy arp on each interface.

But, rather than trying to come up with a bizarre way to re-invent the wheel, why not set things up “right”.

If you want to segment the network, then you should do it the normal routing way; as small as the setup appears to be, static routes would probably be easiest. If you don’t want to setup static routes on your routers, then explore OSPF, or even RIP.

If you only want to filter, then bridge the interfaces, and use the firewall.

Both of the above could probably be easily done on the MTs doing the radio link, without much extra load. If your main router is a 3640, and it is doing NAT (a very costly operation on Ciscos, especially small ones like the 3600 series), then I suspect you don’t move enough traffic to strain the procs on your existing MTs.

I don’t mean to sound condescending, and I wish you success. But with such an apparently simple network, I don’t understand why you are trying such an unusual approach.

Good luck,
–Eric
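
The point made in the reply above, as an added example that is not part of the thread and is not RouterOS code: a small Python check that flags interfaces whose connected subnets overlap and shows which interface a destination would leave by, first for the same-subnet layout and then for the /23 split into two /24s. The /23 mask on both NICs and the 10.10.5.x addresses are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def connected(addrs):
    """Map interface name -> directly connected network for its address/mask."""
    return {name: ipaddress.ip_interface(a).network for name, a in addrs.items()}

def overlapping_interfaces(addrs):
    """Pairs of interfaces whose connected networks overlap (a misconfiguration)."""
    nets = connected(addrs)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def egress_candidates(addrs, dst):
    """Longest-prefix match over connected routes only.
    More than one name returned means the egress interface is ambiguous."""
    ip = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, name)
            for name, net in connected(addrs).items() if ip in net]
    if not hits:
        return []
    best = max(plen for plen, _ in hits)
    return sorted(name for plen, name in hits if plen == best)

def split_in_two(cidr):
    """Cut a network into its two halves, e.g. a /23 into two /24s."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(prefixlen_diff=1)]

# Layout from the thread; the /23 mask on both NICs is an assumption.
SAME_SUBNET = {"nic1": "10.10.4.1/23", "nic2": "10.10.4.101/23"}
# Split layout; the nic2 address 10.10.5.1 is constructed for illustration.
SPLIT = {"nic1": "10.10.4.1/24", "nic2": "10.10.5.1/24"}

if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(SAME_SUBNET))
    print("egress for 10.10.4.10:", egress_candidates(SAME_SUBNET, "10.10.4.10"))
    print("halves of the /23:", split_in_two("10.10.4.0/23"))
    print("split, 10.10.4.10:", egress_candidates(SPLIT, "10.10.4.10"))
    print("split, 10.10.5.100:", egress_candidates(SPLIT, "10.10.5.100"))
```

The check models connected routes only; the proxy-arp setting and the /23 netmask on the hosts that the split scheme also relies on are outside what it tests.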