Testing Cross Route communication

I’m trying to test cross route communication for personal exploration.

Devices:

  • Router: Mikrotik Rb2011
  • Windows PC (8.1) - 192.168.88.169
  • Aruba vpn gateway - 192.168.99.199

  • Port 1: WAN port to Fios internet
  • Port 2: connected to WinPC
  • Port 3: connected to Aruba gateway (interface IP 192.168.99.1/24)
  • Ports 2-5, 7-10 and the wlan interface are bridged (192.168.88.1/24)

This LAN bridge has an IP of 192.168.88.1. I also have a DHCP server on this bridge.

The usual gateway setting, 192.168.88.1, for this DHCP server as well.

I’ve configured the RB2011 port 6 to be on its own (not a part of a switch group or bridge of any kind). Gave the port its own IP address and DHCP server with a subnet of 192.168.99.1/24 (the primary LAN bridge network is on 192.168.88.1/24).

Since I have created the IP for the .99 network, I already have a DAC route setup. I can ping the router obviously at 192.168.99.1 from my pc on the primary LAN. I can see in the lease table the device on the .99 network. I can ping the device (an aruba gateway) from the router.

However, when I try to ping the Aruba from my PC, I get no response. I have turned off my Windows firewall (for testing) as well as any filter rules. If I set up a NAT rule (srcnat - masquerade) to the .99 network, I can ping from my PC.
Any particular reason why I can’t ping across route without a masquerade?

Your PC has an address from the 192.168.88.0/24 network but the Aruba is in the 192.168.99.0/24 network.
When the Aruba receives a non-masqueraded packet it checks the src address and sees 192.168.99.xxx. It does not know what to do with it so it sends it to the Aruba’s GW to send it back to the source device. It does not know that it should be sent to the port from which it was received, as it does not know that 192.168.88.0/24 is “behind” 192.168.99.1. If the Aruba had a static route set for 192.168.88.0/24 to be sent to 192.168.99.1 as GW then there is a chance for the PC to receive a response from the Aruba.
Masquerade makes the PC appear as having the 192.168.99.1 address, so the Aruba knows that it is the same subnet and it can answer to the port from which it received the packet. The packet flows back to 192.168.99.1 and the router unmasquerades this “related” packet for the original sender and sends it to the PC.

I’m confused… so pardon me if I’m asking anything less than smart.

Say this was 2 routers instead of just the one…

PC1 - R1 ↔ R2 - PC2

If I set up static cross routes on each router, I can get this to work as expected. (Pc’s behind each router can communicate/ping one another).

Is masquerade the ‘right’ way to communicate back and forth on the same router?

I’m trying to simulate a PC1 - R1 - PC2 scenario where their broadcast domains are separate but they can still communicate without the need for VLANs.

Is there a better way?

Thank you for the information so far.

There are no “less smart or more smart” questions. There is knowledge we just do not know yet. :slight_smile:

The role of a router is to pass packets from one LAN to another… of course applying filter rules can also be a router’s job, but as the name states it ROUTES packets. Filters are a usable addition to the basic routing job.
A router should have a routing table which lets it decide where particular packets should go according to the destination address. If it does not know what to do then it sends them to its gateway, which is supposed to know more about the “unknown” address. If the GW does not know what to do then it sends them to the next “level up” and then this next router decides what to do… you will see it as “hops” in the result of traceroute.

Back to … I have added some numbers :

PC1 —192.168.99.0/24 — (192.168.99.254)R1 (10.1.1.1) <---- 10.1.1.0/24 -----> (10.1.1.2)R2(192.168.88.254) – 192.168.88.0/24 — PC2

R1 knows LAN subnet for PC1 and R2 knows LAN subnet of PC2
If you manually inform R1 that PC2 subnet belongs to R2

/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=10.1.1.2

then R1 will send packets for the 88 LAN sent from PC1 directly to R2. If such a packet arrives at R2 then it is sent to PC2.
The response from PC2 goes to … the default GW defined for the LAN card of PC2. Why? 192.168.99.0/24 is not known to PC2 so it sends it to its GW, which is supposed to be smarter and know what to do with this packet.
R2 sends it to … if there is no information that 192.168.99.0/24 is behind R1 then R2 sends it to its default GW, which should know what to do.
That is why you should have a default route set if you have no direct route set.

/ip route
add distance=1 gateway=IP_of_default_GW

Without it unknown packets will “die” in the “last” router on the path.

When you masquerade packets then the source address is hidden with the router address and the routing is simpler as less knowledge about routers is needed.

If subnets are located in the same router then routing table is automagically populated with dynamic information coming from address and masks and therefore routing is done internally and only unknown subnets need to be inserted into routing table.
The biggest trick is to inform all routers where particular subnet is located. It is job for RIP, BGP and administrators.

It is a short story about routing. It does not cover all problems but it will enlighten you a bit.
Please do not blame me if there is some inexactness. It is not official manual :slight_smile:

Thank you for taking the time to go over static routing.

As you can tell, I have set up the multiple subnets on one router for my test.
I still don’t know why I can’t cross communicate/ping through the subnets.

Guess I’ll test with 2 PC’s instead of the Aruba. I’ve been banging my head on the desk for 3 days with this.



Set it on both routers. R1 needs to know what is behind R2 and R2 needs to know what is behind R1.
The Aruba’s default GW is not your router, so if you do not masquerade the local subnet in the router then the Aruba does not know what to do and sends it “up” to its GW which probably, if it has a public IP, kills packets coming from private subnets to prevent the public Internet from being flooded with “wild” packets.
You need to configure your router to send the Aruba packets whose source will be known to the Aruba’s routing table and can be sent back, or configure static routing in the Aruba.
As I think you have no access to the Aruba, the easiest way is to masquerade packets on your router so the Aruba sees them with the router’s address which is in the same LAN segment as the Aruba’s LAN, so the Aruba responds to these packets on the LAN port and then your router makes magic and sends them to the originator.

Voila.
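As an added example (not code from any poster in this thread), here is a small Python model of the routing-table walk the two explanations above describe: a longest-prefix-match lookup at every hop, a packet that dies where no route or default matches, and srcnat masquerade with a connection-tracking entry so the reply finds its way back. The topology and addresses are the thread’s (R1/R2 joined by 10.1.1.0/24, the RB2011 with 192.168.88.1 and 192.168.99.1); the .10 host addresses, the Aruba’s default gateway 192.168.99.254, and all function names are assumptions made for this example. It covers the static-route case and the masquerade case, and goes one step beyond the thread by also modelling the original single-router setup with the Aruba.

```python
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class Node:
    name: str
    ifaces: list                                   # interface addresses, e.g. "192.168.99.254/24"
    routes: dict = field(default_factory=dict)     # static routes: "dst prefix" -> "gateway"
    srcnat: dict = field(default_factory=dict)     # masquerade: "dst prefix" -> address src is rewritten to
    conntrack: dict = field(default_factory=dict)  # (translated src, dst) -> original src

    def owns(self, ip):
        return any(ipaddress.ip_interface(i).ip == ip for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match over connected networks (from the interface addresses)
        and static routes. Returns the next hop, or None when nothing matches."""
        table = [(ipaddress.ip_interface(i).network, None) for i in self.ifaces]
        table += [(Net(p), ipaddress.ip_address(gw)) for p, gw in self.routes.items()]
        matches = [(n, gw) for n, gw in table if dst in n]
        if not matches:
            return None
        net, gw = max(matches, key=lambda m: m[0].prefixlen)
        return dst if gw is None else gw           # connected: deliver directly, else via the gateway


def node_at(nodes, ip):
    return next((n for n in nodes if n.owns(ip)), None)


def trace(nodes, src, dst, max_hops=8):
    """Walk one packet hop by hop. Returns (path, source address as the receiver saw it);
    the path ends in 'delivered' or 'dropped'. ARP, TTL and filter rules are ignored."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cur, path = node_at(nodes, src), []
    while cur is not None and len(path) < max_hops:
        path.append(cur.name)
        if cur.owns(dst):
            original = cur.conntrack.get((dst, src))
            if original is None:
                return path + ["delivered"], str(src)
            dst = original                         # reply to a masqueraded flow: restore the real destination
        else:
            for prefix, nat_addr in cur.srcnat.items():
                if dst in Net(prefix):             # masquerade: hide the sender behind the router's own address
                    nat_ip = ipaddress.ip_address(nat_addr)
                    cur.conntrack[(nat_ip, dst)] = src
                    src = nat_ip
        nh = cur.lookup(dst)
        cur = node_at(nodes, nh) if nh is not None else None   # a gateway nobody here owns is "upstream"
    return path + ["dropped"], str(src)            # no route and no default: the packet dies here


def two_routers(r1_routes, r2_routes=None, r1_srcnat=None):
    """PC1 - R1 <-10.1.1.0/24-> R2 - PC2 as drawn in the thread; the .10 host addresses are constructed."""
    nodes = [
        Node("PC1", ["192.168.99.10/24"], {"0.0.0.0/0": "192.168.99.254"}),
        Node("R1", ["192.168.99.254/24", "10.1.1.1/24"], r1_routes, r1_srcnat or {}),
        Node("R2", ["10.1.1.2/24", "192.168.88.254/24"], r2_routes or {}),
        Node("PC2", ["192.168.88.10/24"], {"0.0.0.0/0": "192.168.88.254"}),
    ]
    fwd, seen_src = trace(nodes, "192.168.99.10", "192.168.88.10")
    reply, _ = trace(nodes, "192.168.88.10", seen_src)     # PC2 answers whatever source it saw
    return fwd, reply


TO_88_VIA_R2 = {"192.168.88.0/24": "10.1.1.2"}   # the thread's "/ip route add dst-address=192.168.88.0/24 gateway=10.1.1.2"
TO_99_VIA_R1 = {"192.168.99.0/24": "10.1.1.1"}   # the matching route R2 needs for the way back


def one_way_route():          # only R1 knows where the 88 LAN is: the reply dies in R2
    return two_routers(TO_88_VIA_R2)


def routes_both_sides():      # both routers know what is behind the other
    return two_routers(TO_88_VIA_R2, TO_99_VIA_R1)


def masquerade_instead():     # R1 hides PC1 behind 10.1.1.1, so R2 needs no route back
    return two_routers(TO_88_VIA_R2, None, {"192.168.88.0/24": "10.1.1.1"})


def single_router(masquerade):
    """The original poster's setup: one RB2011 carrying both subnets. The Aruba's default
    gateway (192.168.99.254, a constructed address) is not the router, as the last reply notes."""
    nodes = [
        Node("PC", ["192.168.88.169/24"], {"0.0.0.0/0": "192.168.88.1"}),
        Node("RB2011", ["192.168.88.1/24", "192.168.99.1/24"], {},
             {"192.168.99.0/24": "192.168.99.1"} if masquerade else {}),
        Node("Aruba", ["192.168.99.199/24"], {"0.0.0.0/0": "192.168.99.254"}),
    ]
    fwd, seen_src = trace(nodes, "192.168.88.169", "192.168.99.199")
    reply, _ = trace(nodes, "192.168.99.199", seen_src)
    return fwd, reply


if __name__ == "__main__":
    for label, result in [("one route", one_way_route()), ("routes both sides", routes_both_sides()),
                          ("masquerade", masquerade_instead()),
                          ("RB2011, no srcnat", single_router(False)), ("RB2011, srcnat", single_router(True))]:
        print(f"{label:20} request {result[0]}  reply {result[1]}")
```

Running it shows the point of both replies: with a route on only one side the request gets through but the answer is dropped at R2 (or, in the single-router case, leaves the Aruba towards a gateway that is not the RB2011), while either a static route on the far side or a srcnat rule on the near side makes the reply path complete.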

Tested this between 2 pc’s on different subnets (with firewall off) and it worked as expected.

Thank you!

I’ll pay it forward!