My question is, currently I can ping and SSH to the cambium station from the hap but I cannot ping or ssh to the cambium from a device on the bridge1 network.
I checked the IP routes and it shows dynamic routes for each network on the correct gateway’s. IE to reach 169.254.1.0/30 > ether 5 reachable 192.168.1.0/24 > bridge 1 reachable. Which is why I guess I can ping and ssh from the router to the Cambium.
How come when a request from a device on the 192.168.1.0/24 network doesn’t get routed to the 196.254.1.0/30 network? I’m sure it’s simple routing 101 but I’m lost.
Thanks for the informative link. So I tried something else and set the cambium with a LAN address of 192.168.0.2/30 with the router 192.168.0.1/30, basically swapped out the subsets.
Again I can ping from the router but not from devices on the LAN network of 192.168.1.0/24. dynamic routes show that anything going to 192.168.0.0/30 goes to eth5.
I also tried something else which worked that was I put another hap in place of the cambium and matched the above network settings. Again I could ping/ssh from the router but not from devices connected to it, so I added a default route to the new hap back to the main router and bingo my devices on the main lan could ping/ssh into the new hap.
So how come the cambium won’t return traffic out of the interface that is connected and configured?
Just in case anyone was interested. Networking 101. For a device to send traffic it needs a place to send it. The backdoor network details for Cambium don’t have a gateway set, so it doesn’t know where to send traffic outside of it’s subnet.
If you haven’t figured out yet, the solution allowing you to access the Cambium configuration from other subnets is to use a srcnat rule on the Mikrotik: chain=srcnat action=src-nat out-interface=ether5 dst-address=169.254.1.1 to-addresses=169.254.1.2
The rule must be placed in such a way that it was not shadowed by other srcnat rules (placing it at the very top of the list should be safe).
What it does is that it makes a connection coming from anywhere seem to the Cambium as coming from the Mikrotik, so it doesn’t need any route/gateway to respond.