Routing between hotspot running on vlan to regular subnet

undecided · July 20, 2014, 10:38am

Guys, having some trouble routing, I have a vlan(ether1) on subnet 10.12.1.0/22 which runs my hotspot, I then have subnet 172.16.0.0/16 for my private customers running directly on ether1. From my hotspot subnet I can ping my 172.16.1.254(gateway address) on the physcial interface but cannot ping anything else on the 172.16.0.0/16 subnet. I don’t have any forwarding rules blocking it..any idea? Do I need to create a mangle rule to mark packets from the 10.12.1.0 subnet destined for the 172.16.0.0 subnet?

See my filter/nat/mangle and route rules.

/ip firewall print
1 chain=input action=accept protocol=icmp in-interface=ether1
2 chain=input action=accept protocol=icmp in-interface=hotspot
3 chain=input action=accept connection-state=established in-interface=cyta6
4 chain=input action=accept connection-state=related in-interface=cyta6
5 chain=input action=accept connection-state=established in-interface=cyta7
6 chain=input action=accept connection-state=related in-interface=cyta7
7 chain=input action=accept connection-state=established in-interface=cyta8
8 chain=input action=accept connection-state=related in-interface=cyta8
9 chain=input action=accept connection-state=established in-interface=cyta9
10 chain=input action=accept connection-state=related in-interface=cyta9
11 ;;; drop invalid packets
chain=input action=drop connection-state=invalid
12 ;;; detect and drop port scan connections
chain=input action=drop protocol=tcp psd=21,3s,3,1
13 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list
connection-limit=3,32
14 ;;; detect DoS attack
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1w1d connection-limit=10,32

Ip firewall Mangle

0 chain=prerouting action=accept dst-address=1.1.1.1/29 in-interface=ether1
1 chain=prerouting action=accept dst-address=1.1.1.1/29 in-interface=hotspot
2 chain=prerouting action=accept dst-address=2.2.2.2/30 in-interface=ether1
3 chain=prerouting action=accept dst-address=2.2.2.2/30 in-interface=hotspot
4 chain=prerouting action=accept dst-address=3.3.3.3/30 in-interface=ether1
5 chain=prerouting action=accept dst-address=3.3.3.3/30 in-interface=hotspot
6 chain=prerouting action=accept dst-address=4.4.4.4/30 in-interface=ether1
7 chain=prerouting action=accept dst-address=4.4.4.4/30 in-interface=hotspot
8 chain=prerouting action=mark-connection new-connection-mark=cyta6_conn passthrough=yes in-interface=cyta6
connection-mark=no-mark
9 chain=prerouting action=mark-connection new-connection-mark=cyta7_conn passthrough=yes in-interface=cyta7
connection-mark=no-mark
10 chain=prerouting action=mark-connection new-connection-mark=cyta8_conn passthrough=yes in-interface=cyta8
connection-mark=no-mark
11 chain=prerouting action=mark-connection new-connection-mark=cyta9_conn passthrough=yes in-interface=cyta9
connection-mark=no-mark
12 chain=prerouting action=mark-connection new-connection-mark=cyta6_conn passthrough=yes dst-address-type=!local
hotspot=“” in-interface=ether1 connection-mark=no-mark per-connection-classifier=src-address:4/0
13 chain=prerouting action=mark-connection new-connection-mark=cyta7_conn passthrough=yes dst-address-type=!local
hotspot=“” in-interface=ether1 connection-mark=no-mark per-connection-classifier=src-address:4/1
14 chain=prerouting action=mark-connection new-connection-mark=cyta8_conn passthrough=yes dst-address-type=!local
hotspot=“” in-interface=ether1 connection-mark=no-mark per-connection-classifier=src-address:4/2
15 chain=prerouting action=mark-connection new-connection-mark=cyta9_conn passthrough=yes dst-address-type=!local
hotspot=“” in-interface=ether1 connection-mark=no-mark per-connection-classifier=src-address:4/3
16 chain=prerouting action=mark-routing new-routing-mark=to_cyta6 passthrough=yes in-interface=ether1
connection-mark=cyta6_conn
17 chain=prerouting action=mark-routing new-routing-mark=to_cyta7 passthrough=yes in-interface=ether1
connection-mark=cyta7_conn
18 chain=prerouting action=mark-routing new-routing-mark=to_cyta8 passthrough=yes in-interface=ether1
connection-mark=cyta8_conn
19 chain=prerouting action=mark-routing new-routing-mark=to_cyta9 passthrough=yes in-interface=ether1
connection-mark=cyta9_conn
20 chain=prerouting action=mark-connection new-connection-mark=cyta6_conn passthrough=yes dst-address-type=!local
hotspot=auth in-interface=hotspot connection-mark=no-mark per-connection-classifier=src-address:4/0
21 chain=prerouting action=mark-connection new-connection-mark=cyta7_conn passthrough=yes dst-address-type=!local
hotspot=auth in-interface=hotspot connection-mark=no-mark per-connection-classifier=src-address:4/1
22 chain=prerouting action=mark-connection new-connection-mark=cyta8_conn passthrough=yes dst-address-type=!local
hotspot=auth in-interface=hotspot connection-mark=no-mark per-connection-classifier=src-address:4/2
23 chain=prerouting action=mark-connection new-connection-mark=cyta9_conn passthrough=yes dst-address-type=!local
hotspot=auth in-interface=hotspot connection-mark=no-mark per-connection-classifier=src-address:4/3
24 chain=prerouting action=mark-routing new-routing-mark=to_cyta6 passthrough=yes in-interface=hotspot
connection-mark=cyta6_conn
25 chain=prerouting action=mark-routing new-routing-mark=to_cyta7 passthrough=yes in-interface=hotspot
connection-mark=cyta7_conn
26 chain=prerouting action=mark-routing new-routing-mark=to_cyta8 passthrough=yes in-interface=hotspot
connection-mark=cyta8_conn
27 chain=prerouting action=mark-routing new-routing-mark=to_cyta9 passthrough=yes in-interface=hotspot
connection-mark=cyta9_conn
28 chain=output action=mark-routing new-routing-mark=to_cyta6 passthrough=yes hotspot=“” connection-mark=cyta6_conn
29 chain=output action=mark-routing new-routing-mark=to_cyta7 passthrough=yes hotspot=“” connection-mark=cyta7_conn
30 chain=output action=mark-routing new-routing-mark=to_cyta8 passthrough=yes hotspot=“” connection-mark=cyta8_conn
31 chain=output action=mark-routing new-routing-mark=to_cyta9 passthrough=yes hotspot=“” connection-mark=cyta9_conn

/ip firewall nat print
1 chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth
85 chain=srcnat action=src-nat to-addresses=1.1.1.1 out-interface=cyta6
86 chain=srcnat action=masquerade to-addresses=2.2.2.2 out-interface=cyta7
87 chain=srcnat action=masquerade out-interface=cyta8
88 chain=srcnat action=masquerade out-interface=cyta9

/ip route print

0 A S 0.0.0.0/0 1.1.1.1 1
1 A S 0.0.0.0/0 2.2.2.2 1
2 A S 0.0.0.0/0 3.3.3.3 1
3 A S 0.0.0.0/0 4.4.4.4 1
4 A S 0.0.0.0/0 1.1.1.1 1
5 S 0.0.0.0/0 2.2.2.2 2
6 S 0.0.0.0/0 3.3.3.3 3
7 S 0.0.0.0/0 4.4.4.4 4
8 ADC 10.1.12.0/22 10.1.12.254 hotspot 0
9 ADC 1.1.1.1/29 1.1.1.2 cyta6 0
10 ADC 2.2.2.2/30 2.2.2.3 cyta7 0
11 ADC 3.3.3.3/30 3.3.3.4 cyta8 0
12 ADC 172.16.0.0/16 172.16.1.254 ether1 0
ether1
13 ADC 4.4.4.4/30 4.4.4.5 cyta9 0

undecided · July 30, 2014, 3:21pm

Anyone with anything I can try? or point me in a particular direction with this? thanks

skillful · July 30, 2014, 11:13pm

Yes.
Since you are using PCC and policy routing, you need to exclude packets destined for the 172.16.0.0/16 network from the 10.12.0.0/22 network from being policy routed outside your network.

Add these two mangle rules and place them above the PCC rules.

/ip firewall mangle
add action=mark-packet chain=prerouting dst-address=10.12.0.0/22 new-packet-mark=local passthrough=no src-address=172.16.0.0/16
add action=mark-packet chain=prerouting dst-address=172.16.0.0/16 new-packet-mark=local passthrough=no src-address=10.12.0.0/22

undecided · July 31, 2014, 3:38pm

Thats great. Thank for your help its much appreciated!