Real DMZ on second IP range

bbrelih · August 29, 2021, 10:01am

Hi All,

I have WAN on ether1-gw with IP adress 176.76.242.175 and DMZ on bridge-dmz with different IP range 176.76.240.16/28.
I add IP adress 176.76.240.17/28 to address list for DMZ GW.
The route is added automatically to the route list (176.76.240.16/28, bridge-dmz, Pref.source 176.76.240.17).
I have two servers with static ip addresses in the IP range 176.76.240.16/28: 176.76.240.22 (server1) and 176.76.240.23 (server2) with GW 176.76.240.17.

When I try to ping from server1 to server2, I occasionally get an error:
From 176.76.240.17: icmp_seq=2103 Redirect Host (New nexthop: 176.76.240.22)

Anyone can explain to me where I am making a mistake.
Is the DMZ network and route set up correctly

BB

mkx · August 29, 2021, 10:17am

Since server1 and server2 are in the same IP subnet, they should communicate directly without any gateway. So first step would be to check IP settings (address, subnet mask) on both servers to verify they match intended use (error message shows that router is involved in at least some of ping exchange but it shouldn’t be).
Another thing would be to verify arp settings on router …

If you don’t get it working, post full text export of router configuration.

bbrelih · September 17, 2021, 5:22am

DMZ IP range 176.76.240.16/28 is on external IP addresses. It still doesn’t work.

BB

mkx · September 17, 2021, 5:43am

First off: are the two servers supposed to communicate with each other a) through firewall or b) are they allowed to communicate directly?

If it’s b), then they should be able to communicate even if they are connected to a dumb switch. Hence you should check if they have proper IP settings, specially the network mask (it should either be /28 or 255.255.255.240). Again: getting that next hop message indicates that server1 communicates with server2 via router. And that doesn’t have anything to do with router configuration.

If it’s a), then you’ll have to to redesign DMZ config a bit because in this case router should be handling all the traffic without issuing next hop ICMP packets … which again is result of using subnet mask, but in this case on the router.

anav · September 17, 2021, 11:32am

mkx stop guessing, its driving me crazy…
OP provide network diagram and the config
/export hide-sensitive file=anynameyouwish

mkx · September 17, 2021, 11:44am

Let me guess: you never liked guesswork?

rextended · September 17, 2021, 12:50pm

Someone needs a script for guessing???

mkx · September 17, 2021, 2:36pm

I guess we need a script for guessing indeed

@anav, feeling dizzy yet?

anav · September 17, 2021, 3:55pm

No actually I was doing something way more fun than reading your guesses LOL (taking care of my grand daughter)!
I still smell like baby poop.

mkx · September 17, 2021, 6:13pm

Oh the joys of (great)parenthood …

bbrelih · September 18, 2021, 2:19pm

mkx: Can I send you router configuration privately?

BB

anav · September 18, 2021, 4:36pm

MKX charges per character… the forum is free LOL
We like dirty laundry!!

bbrelih · September 18, 2021, 6:55pm

Here is my configuration (without firewall):

# sep/18/2021 15:27:30 by RouterOS 6.48.4
# software id = JXXW-XVN1
#
# model = 1100
# serial number = 2C6100147CF6E

/interface bridge
add fast-forward=no name=bridge-dmz
add name=bridge-dmz-interno
add name=bridge-gostje
add name=bridge-management
add name=bridge-trunk
add name=bridge-uporabniki
add name=loopback_ospf

/interface ethernet
set [ find default-name=ether1 ] name=ether1--t2-optika
set [ find default-name=ether2 ] name=ether2-b1-trunk
set [ find default-name=ether3 ] name=ether3-b1-trunk
set [ find default-name=ether4 ] name=ether4-b2-trunk
set [ find default-name=ether5 ] name=ether5-b2-trunk
set [ find default-name=ether6 ] name=ether6-gostje
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] name=ether8-uporabniki
set [ find default-name=ether10 ] name=ether10-telekom-optika
set [ find default-name=ether11 ] name=ether11-dmz
set [ find default-name=ether12 ] disabled=yes name=ether12-dmz
set [ find default-name=ether13 ] name=ether13-management

/interface bonding
add name=bonding1-trunk slaves=ether2-b1-trunk,ether3-b1-trunk transmit-hash-policy=layer-2-and-3
add name=bonding2-trunk slaves=ether4-b2-trunk,ether5-b2-trunk transmit-hash-policy=layer-2-and-3
	
/interface vlan
add interface=bridge-trunk name=vlan20-uporabniki vlan-id=20
add interface=bridge-trunk name=vlan41-dmz-interno vlan-id=41
add interface=bridge-trunk name=vlan80-gostje vlan-id=80
add interface=bridge-trunk name=vlan200-management vlan-id=200

/ip dhcp-server option
add code=46 name=netbios-node-type_PNode value="'2'"

/ip pool
add name=pool-manage ranges=172.100.200.100-172.100.200.120
add name=pool-gostje ranges=172.100.80.150-172.100.80.180
add name=pool-uporabniki ranges=172.100.20.200-172.100.20.240
add name=pool-dmz-interno ranges=172.100.41.200-172.100.41.210

/ip dhcp-server
add address-pool=pool-gostje authoritative=after-2sec-delay disabled=no \
    interface=bridge-gostje lease-time=2h name=gostje
add address-pool=pool-manage authoritative=after-2sec-delay disabled=no \
    interface=bridge-management lease-time=3d10m name=management
add address-pool=pool-uporabniki authoritative=after-2sec-delay disabled=no \
    interface=bridge-uporabniki lease-time=2d name=uporabniki
add address-pool=pool-dmz-interno authoritative=after-2sec-delay disabled=no \
    interface=bridge-dmz-interno lease-time=2d name=dmz-interno

/routing ospf instance
set [ find default=yes ] distribute-default=always-as-type-1 \
    redistribute-static=as-type-1 router-id=10.255.1.1

/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"

/interface bridge port
add bridge=bridge-management interface=vlan200-management
add bridge=bridge-trunk interface=bonding1-trunk
add bridge=bridge-trunk interface=bonding2-trunk
add bridge=bridge-uporabniki interface=vlan20-uporabniki
add bridge=bridge-uporabniki interface=ether8-uporabniki
add bridge=bridge-gostje interface=vlan80-gostje
add bridge=bridge-gostje interface=ether6-gostje
add bridge=bridge-management interface=ether13-management
add bridge=bridge-dmz-interno interface=vlan41-dmz-interno
add bridge=bridge-dmz interface=ether11-dmz
add bridge=bridge-dmz interface=ether12-dmz multicast-router=disabled

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/ip address
add address=10.255.1.1/24 interface=loopback_ospf network=10.255.1.0
add address=172.100.20.1/25 interface=bridge-uporabniki network=172.100.20.0
add address=172.100.20.129/25 interface=bridge-uporabniki network=172.100.20.128
add address=172.100.80.1/24 interface=bridge-gostje network=172.100.80.0
add address=172.100.200.1/24 interface=bridge-management network=172.100.200.0
add address=172.100.41.1/24 interface=bridge-dmz-interno network=172.100.41.0
add address=89.121.174.117/16 comment="T2 optika" interface=ether1--t2-optika network=89.121.0.0
add address=176.76.242.178/30 comment="Telekom optika" interface=ether10-telekom-optika network=176.76.242.176
add address=176.76.240.17/28 comment="Telekom optika dmz Gateway - public_ip" interface=bridge-dmz network=176.76.240.16

/ip dhcp-server network
add address=172.100.20.0/25 comment="ICT - uporabniki (NetBIOS over TCP/IP (\
    code 46) node type 2 (Peer2Peer) - PNode )" dhcp-option=\
    netbios-node-type_PNode dns-server=\
    172.100.20.101,172.100.20.106,172.91.20.104 domain=ict.users gateway=\
    172.100.20.1 netmask=25 wins-server=\
    172.100.20.101,172.100.20.106,172.91.20.104
add address=172.100.20.128/25 comment="ICT - uporabniki gostje" dns-server=\
    193.189.160.13,193.189.160.23,84.255.209.79,84.255.210.79 domain=\
    ict.guest gateway=172.100.20.129 netmask=25
add address=172.100.41.0/24 comment="ICT - dmz - interno" dhcp-option=\
    netbios-node-type_PNode dns-server=\
    172.100.20.101,172.100.20.106,172.91.20.104 domain=ict.dmz-interno \
    gateway=172.100.41.1 netmask=24 wins-server=\
    172.100.20.101,172.100.20.106,172.91.20.104
add address=172.100.80.0/24 comment="ICT - gostje" dns-server=\
    8.8.8.8,84.255.209.79,84.255.210.79 domain=ict.guest gateway=\
    172.100.80.1 netmask=24
add address=172.100.200.0/24 comment="ICT - management" dhcp-option=\
    netbios-node-type_PNode dns-server=\
    172.100.20.101,172.100.20.106,172.91.20.104 domain=ict.manage gateway=\
    172.100.200.1 netmask=24 wins-server=\
    172.100.20.101,172.100.20.106,172.91.20.104

/ip dns
set servers="193.189.160.13,193.189.160.23,84.255.209.79,84.255.210.79,8.8.8.8"

/routing filter
add action=discard chain=ospf-in prefix=10.99.21.0/25
add action=discard chain=ospf-out prefix=10.99.21.0/25

/routing ospf network
add area=backbone network=172.100.20.0/25
add area=backbone network=172.100.200.0/24

mkx · September 18, 2021, 7:35pm

So you have ether11 and ether12 bridged for the DMZ in question (and ether12 is actually disabled). I don’t see error which would force servers to communicate via gateway. Since router isn’t running DHCP server for that subnet I assume servers have IP settings configured manually. So I’m asking you (again) to tripple check settings on servers.
Since both servers are (obviously) connected to same router port (ether11), what is the topology of network between router and servers? Are servers virtual machines running off same hypervisor?

BTW, you’re using various 172.100.x.y subnets. I’m sure you’re aware these are not RFC 1918 addresses for private use. They are registered to Charter Communications Inc.

bbrelih · September 19, 2021, 6:54am

Ether12 is temporarily disabled. The router does not use DHCP for this subnet. The servers have manually configured IP settings.

The servers are virtualized and run on the same hypervisor.
The Hyperv server, where virtual systems run, is connected via a switch to the router’s ether11 interface.

DMZ subnet 176.76.240.16/28 is with an external provider (Telekom) - external IP addresses of Telekom.

mkx · September 19, 2021, 8:24am

So did you check network settings on virtual servers? Check network settings on vswitch as well, it should allow connectivity between vhosts.