[SOLVED] Cannot ping/access device on secondary subnet!

Hello everybody.
I’m trying to access the web interface of a TP-Link behind a Mikrotik (RouterBoard750) connected on Ether5. The Mikrotik is connected to the LAN on Ether3. There is also an OpenVPN interface that I plan to use to access the web interface after deployment.

If I connect the TP-Link back-to-back with my computer, I can access it via 192.168.1.254:80 (I can also ping that IP).

Ether3 has one real IP Assigned (X.X.X.X)

I have assigned 2 IP addresses on Ether5: 192.168.27.1/24 (hotspot pool) and 192.168.1.1/32 (so that I can access the TP-Link).

I am able to access the Mikrotik via Winbox on X.X.X.X. But when I try to ping 192.168.1.254 through Winbox’s ping, I get no response (timeout). (I can ping 192.168.1.1 from Winbox.)
But at the same time, the hotspot is working perfectly!

What am I doing wrong?

Here is the ip address print

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                      
 0   X.X.X.X/25   X.X.X.0     ether3                                                         
 1   192.168.27.1/24    192.168.27.0    ether5                                                         
 2 D 10.8.0.6/32        10.8.0.1        ovpn-out1                                                      
 3   192.168.1.1/32     192.168.1.0     ether5

and the ip route print

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          87.243.72.1               1
 1 ADC  10.8.0.1/32        10.8.0.6        ovpn-out1                 0
 2 ADS  Y.Y.Y.Y/32                    10.8.0.1                  1
 3 ADC  X.X.X.0/25     X.X.X.X   ether3                    0
 4 ADC  192.168.1.0/32     192.168.1.1     ether5                    0
 5 ADC  192.168.27.0/24    192.168.27.1    ether5                    0

You have 192.168.1.1/32 assigned to Ether5. It should be 192.168.1.1/24 assuming that you are using a class C network.

Thanks for your reply,
That was my initial configuration, but I’ve read somewhere in the forums that a secondary IP should be on /32. Nevertheless, that does not work either.

Are your filter rules allowing the ICMP responses on Ether5?

I am able to ping 192.168.1.1, so I think there is no issue there.
I am also able to ping any IP/host via Ether3 and I do not have any firewall ICMP rules for ether3.

But in any case I’ve just tried to add both srcnat and dstnat ICMP allow for ether5, still no reply :frowning:

You need the /24 address otherwise the static IP on that interface will not create a suitable routing entry indicating that other 192.168.1 hosts are available via that interface.

I suggest that you upload the current config via /export compact.

If you want me to look directly email or GTalk to CelticRouters@gmail.com .
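The routing point made in the reply above, as an added example that is not part of the original thread: a simplified longest-prefix-match model of how the connected route derived from each interface address decides where 192.168.1.254 is sent. The address list is constructed from the thread's `ip address print`; `198.51.100.10/25` is a placeholder for the redacted X.X.X.X, and the default route leaving via ether3 is an assumption.

```python
import ipaddress

# Constructed from the thread's "ip address print": (address/prefix, network, interface).
# X.X.X.X is redacted on the page; 198.51.100.10/25 is a placeholder for it.
ADDRESSES_32 = [
    ("198.51.100.10/25", "198.51.100.0", "ether3"),
    ("192.168.27.1/24", "192.168.27.0", "ether5"),
    ("192.168.1.1/32", "192.168.1.0", "ether5"),
]
# Same list with the secondary address changed to /24, as suggested in the replies.
ADDRESSES_24 = ADDRESSES_32[:2] + [("192.168.1.1/24", "192.168.1.0", "ether5")]

# Assumption: the static default route leaves via the uplink interface ether3.
DEFAULT_ROUTE = (ipaddress.ip_network("0.0.0.0/0"), "ether3", "static")


def connected_routes(addresses):
    """Derive one connected route per address: <network field>/<prefix length>."""
    routes = []
    for addr, network, iface in addresses:
        prefixlen = ipaddress.ip_interface(addr).network.prefixlen
        net = ipaddress.ip_network(f"{network}/{prefixlen}")
        routes.append((net, iface, "connected"))
    return routes


def lookup(dst, addresses):
    """Longest-prefix match over the connected routes plus the default route."""
    dst = ipaddress.ip_address(dst)
    table = connected_routes(addresses) + [DEFAULT_ROUTE]
    matches = [route for route in table if dst in route[0]]
    net, iface, kind = max(matches, key=lambda route: route[0].prefixlen)
    return str(net), iface, kind


if __name__ == "__main__":
    for label, addrs in (("/32", ADDRESSES_32), ("/24", ADDRESSES_24)):
        print(label, "->", lookup("192.168.1.254", addrs))
```

This models route selection only; the hotspot layer on ether5, which the thread's eventual fix addresses, is not represented.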

I’ve uploaded the configuration file.

Due to security issues and the applied firewall on the entire company network, external network access to the Mikrotik has been disallowed by our security team, so I am unable to give you direct access to it. I’m sorry.

Thank you for your help
backup_dump.rsc (17.9 KB)

Try a Trace Route from the router to the 192.168.1.254 address. Which address reports host unreachable?

[admin@MikroTik] /tool> traceroute 192.168.1.254
 # ADDRESS                                 RT1   RT2   RT3   STATUS       
 1 0.0.0.0                                 0ms   0ms   0ms                
 2 0.0.0.0                                 0ms   0ms   0ms

and goes on forever…

[admin@MikroTik] > ping 192.168.1.254
HOST                                     SIZE TTL TIME  STATUS                    
192.168.1.254                                           timeout                   
192.168.1.254                                           timeout

You should see entries from 192.168.1.1 showing host unreachable if it was being routed correctly.

Try temporarily disabling the other address on the interface and double check that your routing table has an entry showing 192.168.1.0/24 available via that interface.

I’ve disabled the 192.168.27.1/24 (hotspot pool) from that interface, and its route has been disabled too. 192.168.1.0/24 is the only route on ether5 and still the same output on ping and traceroute. No change.

Amazingly enough, I finally found a solution after reading numerous topics.

/ip hotspot ip-binding
add address=192.168.1.254 disabled=no mac-address=B0:48:7A:AA:65:82 server=server1 \
    to-address=192.168.1.254 type=bypassed

I had already tried it once before, but I did not enter the mac-address (due to laziness, I guess).
But everything is OK now.

Thanks CelticComms for your assistance.