Now it won't route!

Hi.

I mentioned here:

http://forum.mikrotik.com/t/how-do-you-slave-a-mikrotik-to-an-access-point/81792/1

about my problems with trying to get a MikroTik wireless router to work. Now that, as I mentioned, I got it to connect, it doesn’t want to route. Or, at least, it only routes in one direction.

The network setup:
Downstairs computers are hooked by wire to central wireless router/Ethernet hub thingy (D-Link).
Upstairs is a single computer hooked to the MikroTik via Ethernet.
Downstairs machines have dynamically assigned IP addresses from the D-Link device.
MikroTik’s IP is 192.168.88.1 on the Ethernet side, 192.168.0.254 on the wireless side. Upstairs machine is at 192.168.88.2.
D-Link is at 192.168.0.1. All clients, both wired and wireless, connected to it are on 192.168.0.x network.

The problem:
Now, I can connect to the 192.168.88.2 machine from the downstairs machines, but I cannot connect to the downstairs network from that machine! What is going on?

The tests:
The effects of a PING launched on the upstairs machine (trying to ping the D-Link):

PING 192.168.0.1 (192.168.0.1): 56 data bytes

----192.168.0.1 PING Statistics----
4 packets transmitted, 0 packets received, 100.0% packet loss

That’s it – nothing. I tried “ping -v” for “verbose”, zip. This is a really old turn-of-the-century SGI IRIX machine that I wanted to use for its sound hardware (got this box off eBay back in 2008 for $100 or something around that – used to be $20,000 or more new!). The point of the wireless network is to transfer sound recordings from the machine to downstairs.

Now PING from a downstairs machine (running Debian GNU/Linux) works OK:

PING 192.168.88.2 (192.168.88.2) 56(84) bytes of data.
64 bytes from 192.168.88.2: icmp_req=1 ttl=254 time=1.17 ms
64 bytes from 192.168.88.2: icmp_req=2 ttl=254 time=0.855 ms
64 bytes from 192.168.88.2: icmp_req=3 ttl=254 time=0.852 ms
64 bytes from 192.168.88.2: icmp_req=4 ttl=254 time=0.865 ms
^C
--- 192.168.88.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.852/0.935/1.171/0.140 ms

I can even ssh into the IRIX machine with “ssh 192.168.88.2”.

Traceroute from the SGI, trying to go to the D-Link:

traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
 1  router (192.168.88.1)  1 ms  0 ms  0 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *

(I aborted it after 15)

Traceroute on the MikroTik using source addy 192.168.88.2, destination 192.168.0.1:

[admin@SOUTH] /tool> traceroute 192.168.0.1 src-address 192.168.88.2
 # ADDRESS                                 RT1   RT2   RT3   STATUS            
 1 0.0.0.0                                 0ms   0ms   0ms                     
 2 0.0.0.0                                 0ms   0ms   0ms                     
 3 0.0.0.0                                 0ms   0ms   0ms                     
 4 0.0.0.0                                 0ms   0ms   0ms

traceroute going the other way doesn’t seem to work either despite that I can connect in that direction – odd? Or am I just not using traceroute correctly?:

[admin@SOUTH] /tool> traceroute 192.168.88.2 src-address 192.168.0.1
 # ADDRESS                                 RT1   RT2   RT3   STATUS            
 1 0.0.0.0                                 0ms   0ms   0ms                     
 2 0.0.0.0                                 0ms   0ms   0ms                     
 3 0.0.0.0                                 0ms   0ms   0ms                     
 4 0.0.0.0                                 0ms   0ms   0ms

The routing table:

[admin@SOUTH] /tool> /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.0.1               1
 1 ADC  192.168.0.0/24     192.168.0.254   wlan1                     0
 2 X S  192.168.0.0/24                     192.168.0.1               1
 3 ADC  192.168.88.0/24    192.168.88.1    ether1                    0

(I added routes #0 and #2 – with #0 alone it doesn’t work either, doesn’t matter if #2 is enabled or not)

Firewall has NO rules in it.

What could be going on? (And in case you ask – YES there is a route set up on the SGI: default route is to gateway 192.168.88.1, i.e. the MikroTik. I experimented with adding other routes as well with no luck.)

Any ideas?

Also, in case you were wondering, the SGI does have a default route with gateway 192.168.88.1 (the MikroTik router).

Don’t you have NAT in the D-Link? Switch it off. If there is no specific reason for having more subnets, use only one bridged network.

NAT cannot be turned off completely, apparently, with this D-Link. With regards to the MikroTik, is it possible to make it work with subnets? (I don’t want to mess around with bridge – I can easily screw up the Ethernet on the device with that and then I have to disassemble it to access its serial port and it’s just a big hassle)

Are you using the MikroTik as the link from the D-Link AP to the upstairs PC? Ubiquiti calls this station mode on their wireless gear, basically the same as a USB wifi adapter.

I’m no MikroTik expert but I think you need the MT bridged from the wlan to the lan so the upstairs PC is on the same network as the D-Link.

Steve Gibson at grc.com recommends what you have to isolate a guest wifi AP from being able to see a private network.

You can use more subnets and route between them. Doing NAT in an inner network doesn’t make sense. I don’t understand why you need to disassemble the MikroTik device.

Yes, I am trying to use the MikroTik to route with subnets – that’s just it, it’s not, or, well, it’s only going in one direction. The MikroTik can “see” the other computers attached to the D-Link as it can ping them. Why can’t it route something sent out from the SGI to the D-Link network, i.e. from the 192.168.88.x network connected to the MikroTik ethernet to the 192.168.0.x wireless+Ethernet network managed by the D-Link AP, despite having a default route that goes right to the D-Link at 192.168.0.1?

And as for NAT – tell that to D-Link! Apparently, you cannot turn it off “completely” on this router. But I’m not sure if the NAT is really acting on the local network anyways or is just used when connecting to the Internet (that is, the NAT is only between the local network and the Internet, not between different parts of the local network). From the manual:

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCAQFjAA&url=http%3A%2F%2Fwww.dlink.com%2F-%2Fmedia%2FConsumer_Products%2FDIR%2FDIR%2520655%2FManuels%2FDIR655B1manual070312v23pdf.pdf&ei=l9dWVKTCN5azyASgyYDoDw&usg=AFQjCNF3seJvzogLtIf8zqq6s1JmVlAidw&sig2=zl7WcIRiIgDZ19jxOo8dgg&bvm=bv.78677474,d.aWw
“In addition, this Xtreme N™ Router utilizes dual active firewalls (SPI and NAT) to prevent potential attacks from across the Internet.”

It looks like the NAT is only used to secure the Internet connection, and doesn’t have anything to do with the local network. And the problem I’m having is related to the local network.

As for why I need to keep disassembling it – well, that’s because of the enclosure it is in. It’s apparently this:

http://www.titanwirelessonline.com/Laird-DCE-7-Outdoor-Enclosure-p/en-al2c.htm

and there is no serial port hole on that thing.

Unfortunately this is not a D-Link support forum. I suggest disconnecting the D-Link router from the network and using a switch instead, or flashing OpenWrt or DD-WRT onto it to be able to set bridging mode.

I tried it using a computer as the wireless AP and it still will not route. So I think I can eliminate the D-Link as the problem. I really think the MikroTik is the problem. What could be wrong with it? Why would I need bridge mode if I consider it OK to use subnets? (From what I can tell, bridge makes them “look like” one network)

Shouldn’t one be able to do this with RouterOS? Why should I need to mess around with OpenWrt?

Please post your config:

export compact

It is difficult to know where the problem lies without a config.

Here it is. The SSID is “FrostburgGateway” now because I have it set to connect directly to my downstairs computer (its WLAN interface has IP 192.168.1.1, running a wireless subnet 192.168.1.x), not to the D-Link, right now. Passwords are censored, of course:

# jan/01/1970 16:00:44 by RouterOS 5.26
# software id = LPA6-P2MA
#
/interface wireless
set 0 band=2ghz-b/g country="united states" disabled=no frequency=2427 l2mtu=\
    2290 mode=station-pseudobridge ssid=FrostburgGateway wireless-protocol=\
    802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=NoctiNet \
    unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key="*CENSORED*" \
    wpa2-pre-shared-key="*CENSORED*"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1
add address=192.168.1.254/24 interface=wlan1
/ip dhcp-client
add interface=wlan1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip neighbor discovery
set wlan1 disabled=yes
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=SOUTH
/tool sniffer
set file-name=test

Any idea?

So, to understand, you are using a RB411 with the only purpose of connecting a machine to the rest of the network.
You either configure the 411 in bridge transparent mode, which is the logical choice since the machine needs to be part of the network, or you configure 411 as router and it will route the two networks.

Now, on your config there is a bit of confusion. You have set wireless in station-pseudobridge, but that doesn’t seem to be the right one when you are trying to route two networks. The option here should be wireless set in station mode.
Then, on your first post you say that the IP of wireless is 192.168.0.254, but on your posted config it is 192.168.1.254. Also, you have a dhcp client on the wireless interface, you either assign a dynamic IP on the wireless (with dhcp client) or you assign it manually. If you use both it can cause problems.

Yes, you are right as to the purpose. Perhaps the bridge would be better, but I want to try router first (switching to quickset bridge mode causes the Ethernet to crash, requiring serial access, which, as I explained earlier, is a hassle).

The IP thing I explained earlier. 192.168.0.x is the wireless network managed by the D-Link. This is what I want to connect to. 192.168.1.x is a test network managed by my main computer. I changed to 192.168.1.x to try and eliminate the D-Link as the cause of the problems.

I’ll try pure station mode and see what that does, later.

Just tried going from station-pseudobridge to station. Did not help.

(I also removed the DHCP now but it was disabled. Anyways…)

UPDATE: I think I have found the solution.

The problem was really simple: it worked one way, but not the other. Actually, it may have been working both ways all along, even when it was set to the D-Link, but I was trying to ping the D-Link and wasn’t receiving a response. Why?

Simple: there was no reverse route going backwards from the downstairs D-Link back up to the MikroTik! Adding a reverse route on my downstairs machine lets it ping the downstairs machine, and so we now have bidirectional connectivity. Or, perhaps it was the other way around (I added a reverse route on the MikroTik while fussing and playing with it – not sure if that did anything) But the D-Link cannot be set to reverse route, because it only permits WAN routes for some reason. That’s a D-Link problem.

And the same goes when I had it connected at 192.168.1.x to my downstairs machine directly. Adding a reverse route going from 192.168.1.x network to 192.168.88.x through 192.168.1.254 (the MikroTik) on the downstairs machine enabled bidirectional connectivity.

I think the best option here would be to make it into a bridge, thereby allowing the SGI to transparently appear on the wireless network and dispensing with the need for a route on the D-Link. I’ll see how that goes…

I’ve just finished the bridge configuration. It works great now.

Thanks for your help!
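
The missing return route described in the update above, modelled as an added example that is not part of the original thread: each host forwards by longest-prefix match, so the echo request from the SGI arrives but the reply follows the downstairs machine's default route until the 192.168.88.0/24 route via the MikroTik is added. The host labels, the downstairs machine's wired 192.168.0.0/24 side and its default route via 192.168.0.1 are assumptions; the other addresses are the ones from the test network in the thread.

```python
import ipaddress

def routes(*entries):
    return [(ipaddress.ip_network(p), ipaddress.ip_address(g) if g else None)
            for p, g in entries]

def build_hosts(with_return_route):
    # Constructed (prefix, next hop) tables; None = directly connected.
    # The downstairs wired side and its default route are assumptions.
    downstairs = [("192.168.1.0/24", None), ("192.168.0.0/24", None),
                  ("0.0.0.0/0", "192.168.0.1")]
    if with_return_route:
        downstairs.append(("192.168.88.0/24", "192.168.1.254"))  # the fix
    return {
        "sgi": (["192.168.88.2"],
                routes(("192.168.88.0/24", None), ("0.0.0.0/0", "192.168.88.1"))),
        "mikrotik": (["192.168.88.1", "192.168.1.254"],
                     routes(("192.168.88.0/24", None), ("192.168.1.0/24", None),
                            ("0.0.0.0/0", "192.168.1.1"))),
        "downstairs": (["192.168.1.1"], routes(*downstairs)),
    }

def owner(hosts, addr):
    return next((n for n, (addrs, _) in hosts.items() if str(addr) in addrs), None)

def next_hop(table, dst):
    # Longest-prefix match, as an IP stack does for every packet it sends.
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return None
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return dst if gw is None else gw

def trace(hosts, src, dst, max_hops=8):
    # Follow one packet hop by hop; returns (path, delivered).
    dst = ipaddress.ip_address(dst)
    here = owner(hosts, src)
    path = [here]
    for _ in range(max_hops):
        if owner(hosts, dst) == here:
            return path, True
        hop = next_hop(hosts[here][1], dst)
        here = owner(hosts, hop)
        if here is None:
            return path + [f"lost via {hop}"], False
        path.append(here)
    return path, False

def ping(hosts, src, dst):
    # An echo needs both legs: request src->dst, then reply dst->src.
    request = trace(hosts, src, dst)
    return request, (trace(hosts, dst, src) if request[1] else ([], False))
```

Calling `ping(build_hosts(False), "192.168.88.2", "192.168.1.1")` shows the request delivered and the reply lost at the downstairs machine's default gateway; with `build_hosts(True)` both legs complete.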