Only able to reach WebFig from some IPs

Hey!

The desired outcome is to have the device act as a switch and serve WebFig on 10.31.157.3/28 on the mgmt vlan 433.

I’m partially successful in reaching the device, but only from some IPs. 10.31.157.1 can connect to WebFig, but 10.31.157.21 (which actually is a NAT-ing router, but that shouldn’t matter) cannot. Any device behind the 10.31.157.21 router is unable to access the switch at 10.31.157.3.

What makes this weird to me is that packets are received at 10.31.157.3, but connections are not being established and ICMP packets are not replied to. At the same time the firewall is empty.


/export hide-sensitive compact
# jan/02/1970 06:15:51 by RouterOS 6.49.15
# software id = 2WEN-LN8I
#
# model = RB960PGS-PB
# serial number = HGK09WAVN56
/interface bridge
add admin-mac=D4:01:C3:D3:CD:8A auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=bridge.433 vlan-id=433
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set ip-forward=no send-redirects=no
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=1-4094
/interface list member
add interface=bridge list=LAN
add interface=bridge.433 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.31.157.3/25 interface=bridge.433 network=10.31.157.0
/ip firewall filter
add action=accept chain=input
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=0.0.0.0/0
set www-ssl address=0.0.0.0/0 certificate=local disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=both strong-crypto=yes
/system identity
set name=gub37-switch-s
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=bridge.433 filter-ip-address=10.31.157.21/32 filter-ip-protocol=tcp



/tool sniffer
set filter-interface=bridge.433 filter-ip-address=10.31.157.21/32 filter-ip-protocol=tcp
> /tool sniffer quick
INTERFACE  TIME  NUM DIR SRC-MAC           DST-MAC           VLAN SRC-ADDRESS        DST-ADDRESS             PROTOCOL SIZE CPU FP
bridge.433 3.382   1 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35646 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 3.632   2 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35648 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 4.41    3 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35646 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 4.666   4 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35648 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 5.434   5 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35646 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 5.691   6 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35648 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 6.459   7 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35646 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 6.714   8 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35648 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 7.482   9 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35646 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 7.737  10 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35648 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 8.508  11 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35646 10.31.157.3:443 (https) ip:tcp     74   0 no
bridge.433 8.762  12 <-  32:AD:4E:19:7B:95 D4:01:C3:D3:CD:8A      10.31.157.21:35648 10.31.157.3:443 (https) ip:tcp     74   0 no



/ip firewall connection> print
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 # PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT  ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS  ORIG-BYTES  REPL-BYTES
 0 SAC  tcp 10.31.157.1:44238  10.31.157.3:443  established 23h59m59s  5.1kbps 14.2kbps 21 20 6 833 12 103
 1 SAC  tcp 10.31.157.1:44288  10.31.157.3:443  close  4s  0bps  0bps 10 10 1 865 2 245
 2 SAC  tcp 10.31.157.1:44280  10.31.157.3:443  established 23h59m59s  9.3kbps 6.0kbps 48 57 17 090 20 397
 3 SAC  tcp 10.31.157.1:44264  10.31.157.3:443  close  3s  0bps  0bps 12 11 2 605 1 434
 4 SAC  tcp 10.31.157.1:60352  10.31.157.3:22   established 23h59m59s  8.8kbps 23.5kbps 895 814 57 041 244 208
 5 SAC  tcp 10.31.157.1:44248  10.31.157.3:443  close  3s  0bps  0bps 12 13 3 059 3 178
 6 S C  tcp 10.31.157.21:46242 10.31.157.3:443  syn-recv 4s  0bps 480bps 1 4  60  240
 7 S C  tcp 10.31.157.21:46254 10.31.157.3:443  syn-recv 4s  0bps 480bps 1 4  60  240

Here for example, connections 6 and 7 are not being established properly. It's like the SYN is received but an ACK is never sent out.

My arithmetic says that 172.31.157.21/28 is outside of subnet 172.31.157.3/28 (which spans between .0 and .15, the first address being the network address and the last being the broadcast address).

Config says your device uses /25 netmask (which covers both mentioned addresses), but is the same netmask used on both devices (or rather on all devices members of management subnet)?

Ok, this makes some amount of sense as an explanation for what I'm seeing. I'm not quite sure how to resolve my issue though. I was fiddling about and changing the /28 to a /25 for testing purposes, but I wasn't seeing any difference.



# IP allocations
mgmt:  10.31.157.0/28
dhcp: 10.31.157.16/28

Let me explain the topology a bit better.

ap -> switch -> router1 -> router2 -> laptop

ap: 10.31.157.5/28 vlan433
switch: 10.31.157.3/28 vlan433
router1: 10.31.157.1/28 vlan433 & 10.31.157.17/28
router2: 10.31.157.21/28
laptop: 19.168.0.150/24

So router2 gets its IP through DHCP from router1, inside the DHCP range IPs.

From the laptop I can reach the AP, and everything works OK, but I can't connect to the switch. On the AP I'm seeing this traffic.

ap # tcpdump -ni eth0.433
10:37:36.650697 IP 10.31.157.5.22 > 10.31.157.21.47054: Flags [P.], seq 32548676:32548864, ack 19621, win 1360
10:37:36.679607 IP 10.31.157.5.22 > 10.31.157.21.47054: Flags [P.], seq 32548676:32548864, ack 19621, win 1360
10:37:36.709710 IP 10.31.157.21.47054 > 10.31.157.5.22: Flags [.], ack 32548864, win 13170
10:37:36.759920 IP 10.31.157.5.22 > 10.31.157.21.47054: Flags [P.], seq 32548864:32549076, ack 19621, win 1360
10:37:36.760126 IP 10.31.157.5.22 > 10.31.157.21.47054: Flags [P.], seq 32549076:32549500, ack 19621, win 1360

Based on the fact that router1 has 2 quite similar IP addresses I'd say that /28 is indeed the correct netmask. But: your laptop is in a completely different subnet than the switch … and the switch is missing any route which would allow it to communicate outside its IP subnet (e.g. setting a default route via GW 10.31.157.1 would probably do the trick).

There already is a route in there (plus the default route for the default IP)

/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.31.157.0/25     10.31.157.3     bridge.433                0

I got the advice to compare with another operational Mikrotik device, and there was a missing route. With the below routing table it works!

/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          10.31.157.1               1
 1 ADC  10.31.157.0/28     10.31.157.3     bridge.433                0

Thanks for the help, I thoroughly appreciate it <3
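The subnet arithmetic from the earlier reply and the missing-default-route diagnosis can be reproduced with a small route-lookup model. This is an added example, not code from the thread or from RouterOS; the addresses and prefixes are the thread's, while the list of hosts assumed to actually sit on the vlan 433 segment (router1 and the AP) is an assumption drawn from the described topology.

```python
import ipaddress

# Constructed model of the switch in the thread: its own address on
# bridge.433, the hosts that are really on the management L2 segment, and
# static routes as (prefix, gateway) tuples. Connected route is derived.

def reply_path(switch_addr, on_segment, static_routes, dst):
    """Decide how the switch would send a reply (e.g. a SYN-ACK) to dst.

    Returns 'direct' if dst is covered by the connected route and is really
    on the segment, 'via <gw>' if a static route (such as a default route)
    hands it to a gateway that is on the segment, or 'unreachable'.
    """
    iface = ipaddress.ip_interface(switch_addr)
    dst = ipaddress.ip_address(dst)
    routes = [(iface.network, None)] + [
        (ipaddress.ip_network(p), ipaddress.ip_address(g)) for p, g in static_routes
    ]
    # Longest-prefix match, as the routing table lookup does.
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return "unreachable"  # no route at all: nothing leaves the box
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    nexthop = dst if gw is None else gw
    # The next hop must answer ARP on the segment; a host that a too-wide
    # mask claims is "on-link" but actually sits behind a router never will.
    if str(nexthop) in on_segment:
        return "direct" if gw is None else f"via {gw}"
    return "unreachable"

ON_SEGMENT = {"10.31.157.1", "10.31.157.5"}  # router1 and the AP (assumed)

def thread_scenarios():
    """The four situations discussed in the thread, as (name -> outcome)."""
    return {
        # /25 mask, no default route: .21 looks on-link, but ARP for it fails
        "slash25_no_default": reply_path("10.31.157.3/25", ON_SEGMENT, [], "10.31.157.21"),
        # /28 mask, no default route: .21 is outside the subnet, no route at all
        "slash28_no_default": reply_path("10.31.157.3/28", ON_SEGMENT, [], "10.31.157.21"),
        # /28 mask plus the default route that fixed it
        "slash28_default": reply_path("10.31.157.3/28", ON_SEGMENT,
                                      [("0.0.0.0/0", "10.31.157.1")], "10.31.157.21"),
        # router1 itself always worked: same /28 and directly on the segment
        "router1": reply_path("10.31.157.3/28", ON_SEGMENT, [], "10.31.157.1"),
    }
```

The two failing cases show why widening the mask to /25 changed nothing: with either mask, the switch has no usable next hop for 10.31.157.21 until a route points it at router1.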