Routing issue

settecplus · September 2, 2022, 10:06am

I have I’m not able to solve it so I’m asking for help.

Consider a local office with two WAN connections.
One RB1100AHx with local IP 10.10.0.1/24 is connecting via L2TP/ipsec and through OSPF to remote locations on network 10.10.0.0/16. Another router (RB450) with local IP 192.168.1.1/24 provides internet to local PCs. Allowing those PCs to access the 10.10.0.0/x network should be an easy task but I don’t seem to be able to route packets to remote locations.
RB1100 bridge1 has IP 10.10.0.1/24 and 192.168.1.10/24, and bridge1 is in OSPF backbone, the Zabbix server located at 10.10.0.5 can in fact access remote locations via this bridge.
All PC under RB450 network can now access the RB1100AHx router, but they stop there and cannot reach any remote location.

Any suggestion?

mkx · September 2, 2022, 11:20am

Two things to check:

does RB450 know it has to forward packets targeting 10.10.0.0/16 (or multiple /24 subnets) via gateway 192.168.1.10?
does IPsec configuration on RB1100 allow forwarding traffic from 192.168.1.0/24 towards remote locations?

And last, but not least: do machines on remote locations allow connections from “alien” subnets? Windows firewall with default configuration doesn’t.

anav · September 2, 2022, 12:27pm

Your diagrams and stated architectures make little sense to me.
for example how can the RB1011 have two bridge1s ???

Which devices provides dhcp for the 192.168.1.0/24 network?

settecplus · September 2, 2022, 2:54pm

Thank you for the suggestion. RB450 has a static route to allow forwarding packets targeting 10.10.0.0/16. I need to double check the ipsec part but if I recall correctly it is ok.

you are correct, this is an after thought. Networks were developed separately and were intended to be kept separate in the beginning, it would make more sense just use the RB1100 for everything.
my fault, it has not two bridge1 but it has two addresses assigned to bridge1
the RB450

settecplus · September 6, 2022, 7:19am

This is not an issue because they are just aiming for routers and linux embedded devices.

I still can’t find a solution, firewall is not blocking anything yet I can’t seem to pass after the RB1100 router.

StubArea51 · September 6, 2022, 8:16am

If you post the output of

/ip route print

for each router, that would help narrow down where the problem is.

settecplus · September 6, 2022, 2:38pm

I made a few progresses but I have not solved it yet.
I assigned an IP in the range of addresses of RB1100AHx to bridge1 on RB450

/ip address
add address=10.10.0.3/24 interface=bridge1 network=10.10.0.0

ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          1.2.3.1		1
 1 A S  10.10.0.0/16                       10.10.0.1		1
 2 ADC  10.10.0.0/24		10.10.0.3	bridge1		0
 3 ADC  1.2.3.4/29		1.2.3.4		ether1-WAN	0
 4 ADC  192.168.1.0/24		192.168.1.1	bridge1		0

In this way RB450G can ping remote routers through RB1100AHx, but I stil cannot reach remotes from local PC connected to RB450G. 10.10.0.0/24 is allowed to forward chain.

RB1100AHx routes are complicated by OSPF, but since the RB450G itself is now able to reach remotes, this should not be the problem…

  ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          1.2.3.1		1
 1 ADC  10.0.0.0/32        10.0.0.0        br0 - loopback		0
 2 ADo  10.0.0.30/32                        10.255.255.222          110
 3 ADo  10.0.0.40/32                        10.255.255.230          110
 5 ADC  10.10.0.0/24       10.10.0.1       br1 - LAN                 0
6 ADo  10.10.30.0/24                       10.255.255.222          110
7 ADo  10.10.4.0/24                       10.255.255.230          110
...
xx ADC  1.2.3.4/29	1.2.3.5		ether1		0
xy A S  192.168.1.0/24	10.10.0.1	10.10.0.3                 1

StubArea51 · September 7, 2022, 1:36pm

Extending the subnet of one site to another isn’t really the best way to fix this and will cause long term issues.

If the 1100 is learning OSPF routes, that means there is another router (or more) involved. Can you post the /ip/route/print output of the routers that are the L3 gw for 10.10.30.0/24 and 10.10.40.0/24? If they aren’t MikroTik devices, then whatever command shows the routing table would be helpful.