Routing between subnets does not work

Hi,

my network has problems with routing from one subnet to the others. The infrastructure consists of my router (RouterBOARD 750G r2) and a switch (Planet GSW-2404SF).
There are 6 subnets defined on the router:

  • 192.168.10.0/24 on ether2-master-local # Servers
  • 192.168.20.0/24 on ether3-slave-local # Wired clients
  • 192.168.30.0/24 on ether4-slave-local # WIFI
  • 192.168.40.0/24 on ether5-slave-local # Guests
  • 192.168.50.0/24 on ether2-master-local # VPN Clients
  • 192.168.88.0/24 on ether2-master-local # unused

The VLANs are:
VLAN id 1: on interface ether2-master-local
VLAN id 2: on interface ether3-slave-local
VLAN id 3: on interface ether4-slave-local
VLAN id 4: on interface ether5-slave-local

Interface ether1-gateway is connected to the ISP modem.

The switch has ports 1-4 connected to ether2-master-local, ether3-slave-local, ether4-slave-local and ether5-slave-local. The switch has those ports configured as “UnTag”.
My servers S1 and S2 are connected to the switch ports 6 and 9; they are marked as “Tag” on the switch and these ports are allowed to participate (send and receive packets) in VLANs 1-4. S1 and S2 have VMs that have up to 4 virtual network cards in the subnets:
192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 and 192.168.40.0/24. On one of these servers DHCP and DNS are installed and reachable via 192.168.10.116, 192.168.20.116, 192.168.30.116 and 192.168.40.116. And this is where the problems occur. Since a VPN client is on the same router port as the servers, the subnets 192.168.10.0/24 and 192.168.50.0/24 can both ping 192.168.10.116 successfully. But a client on one router port cannot ping another client on another router port, so 192.168.10.116 is not able to ping 192.168.20.117, 192.168.30.117 or 192.168.40.117 (my secondary DNS).

The config of my router is below. There are forwarding rules that imho should enable routing between the subnets, but this is where I am not sure, since I am not an expert.
Does anybody know why this does not work?

[admin@MorchlRouter02] > /export hide-sensitive 
# jan/17/2020 07:42:06 by RouterOS 6.28
# software id = NVLB-VW5R
#
# NOTE(review): 6.28 is a long-superseded RouterOS release train; check for an
# upgrade before spending more time on the routing problem.
/interface bridge
add mtu=1500 name=bridge-insecure protocol-mode=none
# NOTE(review): bridge-local is disabled=yes, so the four ports added under
# /interface bridge port below are presumably not bridging anything at the
# moment — confirm on the live device.
add admin-mac=D4:CA:6D:2F:68:BB auto-mac=no disabled=yes mtu=1500 name=bridge-local
/interface ethernet
# The names still carry "master"/"slave", but no master-port setting appears in
# this export; whether ether3-5 are switched to ether2 in hardware has to be
# verified on the device, since the /ip address entries below assume they are
# separate L3 interfaces.
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface ethernet switch port
# Switch-chip ports 1-4 are left in vlan-mode=fallback; no switch-chip VLAN
# table entries appear anywhere in this export.
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 4 vlan-mode=fallback
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr,aes-256-ctr lifetime=8h pfs-group=none
# NOTE(review): morchl-proposal still offers md5/sha1 authentication and
# 3des/blowfish encryption, so a peer can negotiate down to them. Restrict it
# to sha256 (or stronger) and AES unless a legacy client really needs the rest.
add auth-algorithms=md5,sha1,sha256,sha512 enc-algorithms=3des,aes-128-cbc,aes-192-cbc,aes-256-cbc,blowfish,twofish,aes-128-ctr,aes-192-ctr,aes-256-ctr name=morchl-proposal pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=morchl-vpn ranges=192.168.50.10-192.168.50.99
/ip dhcp-server
# NOTE(review): this DHCP server is bound to ether1-gateway, the ISP-facing
# interface (the same one that obtains its own lease via dhcp-client below).
# Presumably meant for the VPN pool — confirm it is intended to listen on the
# WAN port at all.
add address-pool=morchl-vpn disabled=no interface=ether1-gateway name=server1
/ip ipsec mode-config
add address-pool=morchl-vpn name=vpndhcp
/ppp profile
add change-tcp-mss=yes dns-server=192.168.10.116 local-address=192.168.50.1 name=morchl-l2tp remote-address=morchl-vpn use-encryption=required use-mpls=no
set 2 local-address=192.168.89.1 remote-address=vpn
/snmp community
# NOTE(review): community "morchl" has write-access=yes and is accepted from
# any source (addresses=0.0.0.0/0). The input chain below additionally accepts
# udp dst-port 161 arriving on ether1-gateway, so SNMP write access is
# reachable from the ISP side. Limit addresses= to the management subnet and
# drop write-access unless something actually uses it.
add addresses=0.0.0.0/0 name=morchl write-access=yes
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface l2tp-server server
set authentication=mschap2 default-profile=morchl-l2tp enabled=yes use-ipsec=yes
/interface pptp-server server
# NOTE(review): PPTP is enabled; its MS-CHAPv2/MPPE protection is considered
# broken. Disable it unless a legacy client depends on it — L2TP/IPsec is
# already available above.
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2-master-local network=192.168.88.0
add address=192.168.10.1/24 interface=ether2-master-local network=192.168.10.0
add address=192.168.20.1/24 interface=ether3-slave-local network=192.168.20.0
add address=192.168.30.1/24 interface=ether4-slave-local network=192.168.30.0
add address=192.168.40.1/24 interface=ether5-slave-local network=192.168.40.0
# Presumably the VPN-side address; the morchl-l2tp profile above already sets
# local-address=192.168.50.1, so check whether this /32 on ether1-gateway is
# still needed.
add address=192.168.50.1/32 interface=ether1-gateway network=192.168.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-relay
# Each LAN subnet relays DHCP to the .116 host that sits in that same subnet.
add dhcp-server=192.168.10.116 disabled=no interface=ether2-master-local local-address=192.168.10.1 name=relay1
add dhcp-server=192.168.20.116 disabled=no interface=ether3-slave-local local-address=192.168.20.1 name=relay2
add dhcp-server=192.168.30.116 disabled=no interface=ether4-slave-local local-address=192.168.30.1 name=relay3
add dhcp-server=192.168.40.116 disabled=no interface=ether5-slave-local local-address=192.168.40.1 name=relay4
/ip dhcp-server network
add address=192.168.50.1/32 dns-server=192.168.10.116 domain=morchl.home gateway=192.168.50.1
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.116
/ip dns static
add address=192.168.40.1 disabled=yes name=router
/ip firewall filter
# Rule order: input accepts, then the WAN input drop; forward accepts, then the
# invalid / new-from-WAN drops. Neither chain ends in an explicit drop, so a
# forward packet that reaches the end of the chain is accepted by the chain
# default. Inter-subnet traffic is therefore not blocked here, and the four
# per-interface accept rules are redundant with that default — they only
# let LAN-sourced packets skip the connection-state=invalid drop by matching
# first.
add chain=input comment="default configuration" icmp-options=0 log=yes log-prefix="ICMP Log" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
# udp/500+4500 = IKE/NAT-T, 1701 = L2TP, 161 = SNMP (see the community note above).
add chain=input comment=MORCHL-VPN connection-state=new dst-port=500,1701,4500,161 in-interface=ether1-gateway protocol=udp
add chain=input in-interface=ether1-gateway protocol=ipsec-esp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward connection-state=established,related
add chain=forward in-interface=ether2-master-local
add chain=forward in-interface=ether3-slave-local
add chain=forward in-interface=ether4-slave-local
add chain=forward in-interface=ether5-slave-local
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp to-addresses=192.168.10.113
# Masquerades the "vpn" pool (192.168.89.0/24) handed out by ppp profile 2 above.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip ipsec peer
# Same legacy-algorithm remark as for the proposal: 3des and blowfish are
# still offered for the IKE exchange here.
add dh-group=modp2048 enc-algorithm=3des,aes-128,aes-192,aes-256,blowfish exchange-mode=main-l2tp generate-policy=port-override mode-config=vpndhcp
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=morchl-proposal src-address=0.0.0.0/0 template=yes
/ppp secret
add name=thisissecret profile=morchl-l2tp service=l2tp
/romon port
add disabled=no
/routing rip
set redistribute-ospf=yes
/snmp
set enabled=yes trap-community=thisissecret trap-generators=interfaces trap-interfaces=all trap-target=192.168.10.119 trap-version=3
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=MorchlRouter02
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool sniffer
set streaming-server=255.255.255.255

First of all, the subnets are configured on slave interfaces! All the interfaces are slaves of the bridge!

So you mean that I should remove the bridge (or at least disable it)?

Edit:
The bridge was now removed, the interfaces were renamed to omit the “master” or “slave” part and the two unused subnets 192.168.88.0/24, 192.168.89.0/24 were also removed:

[admin@MorchlRouter02] > /export hide-sensitive 
# jan/23/2020 06:23:10 by RouterOS 6.28
# software id = NVLB-VW5R
#
# NOTE(review): still RouterOS 6.28, a long-superseded release train; an
# upgrade is worth doing independently of the routing problem.
/interface ethernet
# Renamed from the earlier "master"/"slave" names. The export shows no
# master-port setting, but whether ether3-5 are still switched together with
# ether2 in hardware should be verified on the device, since the /ip address
# entries below treat them as separate L3 interfaces.
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-local
set [ find default-name=ether3 ] name=ether3-local
set [ find default-name=ether4 ] name=ether4-local
set [ find default-name=ether5 ] name=ether5-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface ethernet switch port
# Switch-chip ports 1-4 left in vlan-mode=fallback; no switch-chip VLAN table
# entries appear in this export.
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 4 vlan-mode=fallback
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr,aes-256-ctr lifetime=8h pfs-group=none
# NOTE(review): morchl-proposal still offers md5/sha1 authentication and
# 3des/blowfish encryption, so a peer can negotiate down to them. Restrict it
# to sha256 (or stronger) and AES unless a legacy client really needs the rest.
add auth-algorithms=md5,sha1,sha256,sha512 enc-algorithms=3des,aes-128-cbc,aes-192-cbc,aes-256-cbc,blowfish,twofish,aes-128-ctr,aes-192-ctr,aes-256-ctr name=morchl-proposal pfs-group=modp2048
/ip pool
# Only the VPN pool remains; the "vpn" (192.168.89.x) and default-dhcp pools
# from the first export are gone.
add name=morchl-vpn ranges=192.168.50.10-192.168.50.99
/ip dhcp-server
# NOTE(review): this DHCP server is bound to ether1-gateway, the ISP-facing
# interface (the same one that obtains its own lease via dhcp-client below).
# Presumably meant for the VPN pool — confirm it is intended to listen on the
# WAN port at all.
add address-pool=morchl-vpn disabled=no interface=ether1-gateway name=server1
/ip ipsec mode-config
add address-pool=morchl-vpn name=vpndhcp
/ppp profile
add change-tcp-mss=yes dns-server=192.168.10.116 local-address=192.168.50.1 name=morchl-l2tp remote-address=morchl-vpn use-encryption=required use-mpls=no
/routing ospf instance
set [ find default=yes ] disabled=yes
/snmp community
# NOTE(review): community "morchl" has write-access=yes and is accepted from
# any source (addresses=0.0.0.0/0). The input chain below additionally accepts
# udp dst-port 161 arriving on ether1-gateway, so SNMP write access is
# reachable from the ISP side. Limit addresses= to the management subnet and
# drop write-access unless something actually uses it.
add addresses=0.0.0.0/0 name=morchl write-access=yes
/interface bridge settings
# Left over from the removed bridge; harmless while no bridge exists.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface l2tp-server server
set authentication=mschap2 default-profile=morchl-l2tp enabled=yes use-ipsec=yes
/interface pptp-server server
# NOTE(review): PPTP is enabled; its MS-CHAPv2/MPPE protection is considered
# broken. Disable it unless a legacy client depends on it — L2TP/IPsec is
# already available above.
set default-profile=default enabled=yes
/interface sstp-server server
set enabled=yes
/ip address
# NOTE(review): the post says 192.168.88.0/24 was removed, but the address is
# still present here.
add address=192.168.88.1/24 comment="default configuration" interface=ether2-local network=192.168.88.0
add address=192.168.10.1/24 interface=ether2-local network=192.168.10.0
add address=192.168.20.1/24 interface=ether3-local network=192.168.20.0
add address=192.168.30.1/24 interface=ether4-local network=192.168.30.0
add address=192.168.40.1/24 interface=ether5-local network=192.168.40.0
# Presumably the VPN-side address; the morchl-l2tp profile above already sets
# local-address=192.168.50.1, so check whether this /32 on ether1-gateway is
# still needed.
add address=192.168.50.1/32 interface=ether1-gateway network=192.168.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-relay
# Each LAN subnet relays DHCP to the .116 host that sits in that same subnet.
# NOTE(review): the .116 hosts are described as VMs with a NIC in every one of
# these subnets. A ping from 192.168.10.116 to a 192.168.20.x address may well
# leave through the VM's own 192.168.20.0/24 NIC and never traverse this
# router at all — confirm the actual path (traceroute from a single-homed
# client) before changing router rules.
add dhcp-server=192.168.10.116 disabled=no interface=ether2-local local-address=192.168.10.1 name=relay1
add dhcp-server=192.168.20.116 disabled=no interface=ether3-local local-address=192.168.20.1 name=relay2
add dhcp-server=192.168.30.116 disabled=no interface=ether4-local local-address=192.168.30.1 name=relay3
add dhcp-server=192.168.40.116 disabled=no interface=ether5-local local-address=192.168.40.1 name=relay4
/ip dhcp-server network
add address=192.168.50.1/32 dns-server=192.168.10.116 domain=morchl.home gateway=192.168.50.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.116
/ip dns static
add address=192.168.40.1 disabled=yes name=router
/ip firewall filter
# NOTE(review): this first rule accepts ether5-local traffic only when it is
# headed for 192.168.40.0/24 itself, but nothing later drops the rest of
# ether5's traffic — the forward chain still falls through to its default
# accept (only invalid and new-from-WAN are dropped). So the rule neither
# restricts the guest subnet nor explains the missing cross-subnet
# reachability; the same applies to the three per-interface accepts below.
add chain=forward dst-address=192.168.40.0/24 in-interface=ether5-local
add chain=input comment="default configuration" icmp-options=0 log=yes log-prefix="ICMP Log" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
# udp/500+4500 = IKE/NAT-T, 1701 = L2TP, 161 = SNMP (see the community note above).
add chain=input comment=MORCHL-VPN connection-state=new dst-port=500,1701,4500,161 in-interface=ether1-gateway protocol=udp
add chain=input in-interface=ether1-gateway protocol=ipsec-esp
add chain=forward connection-state=established,related
add chain=forward in-interface=ether2-local
add chain=forward in-interface=ether3-local
add chain=forward in-interface=ether4-local
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp to-addresses=192.168.10.113
# NOTE(review): 192.168.89.0/24 no longer exists in this config (the "vpn"
# pool and ppp profile 2 were removed), so this rule matches nothing and can go.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip ipsec peer
# Same legacy-algorithm remark as for the proposal: 3des and blowfish are
# still offered for the IKE exchange here.
add dh-group=modp2048 enc-algorithm=3des,aes-128,aes-192,aes-256,blowfish exchange-mode=main-l2tp generate-policy=port-override mode-config=vpndhcp
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=morchl-proposal src-address=0.0.0.0/0 template=yes
/ppp secret
add name=thisissecret profile=morchl-l2tp service=l2tp
/romon port
add disabled=no
/routing rip
set redistribute-ospf=yes
/snmp
set enabled=yes trap-community=thisissecret trap-generators=interfaces trap-interfaces=all trap-target=192.168.10.119 trap-version=3
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=MorchlRouter02
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-local
add interface=ether3-local
add interface=ether4-local
add interface=ether5-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-local
add interface=ether3-local
add interface=ether4-local
add interface=ether5-local
/tool sniffer
set streaming-server=255.255.255.255

Can anyone help? Routing still does not allow pinging 192.168.10.116 from the interfaces ether3-local, ether4-local or ether5-local.