Routerboard “A” ip address = 192.168.0.1/24
Routerboard “B” ip address = 10.0.0.1/24
Windows client ip address = 192.168.0.100 plus 10.0.0.100 on the same NIC, default GW = 192.168.0.1
All hardware connected to the same switch
Destination network 10.10.10.0/24 is reachable through 10.0.0.1 routerboard
Windows machine asks routerboard “A” to reach the 10.10.10.0 network: is it possible for routerboard “A” to tell the Windows machine to use routerboard “B” as the gateway for that subnet? How?
This is to avoid setting up a static route on the Windows machine.
I’d add a 192.168.0.x/24 address to router B. From there, add a static route in Router A stating that 10.10.10.0/24 is reachable via Router B’s 192.168.0.x address.
So let’s say you put 192.168.0.2/24 on Router B, the static route on Router A would be:
dynamic routing, including the hosts (this is the original case for RIP, by the way) - yuck
routers handle it for the hosts - requires a common network between the routers.
So using option 3, router A will forward packets for 10.x.x.x/n to router B, but it will also send an ICMP redirect message to your workstations, so they will start sending packets directly to router B for that destination… this gets cached for a little while, and during that time, packets aren’t getting “bounced off of router A” anymore, either.
Both routers need to have addresses in a common network between them so they can reach each other. Even if they’re on the same layer 2 broadcast (i.e. same switch, on switches that are connected, on the same VLAN, etc), they won’t actually look for each other there because according to layer 3 (IP), they are not on the same network and will therefore need to use a gateway to reach each other.
This doesn’t mean that A or B need to have dual IP addresses on your LAN. You could actually plug a network cable directly between the routers, put a 10.255.255.0/30 network on that link, and add static routes that go across this link instead of back out the LAN interface to the other router.
The local networks 192.168.1.0 and 192.168.100.0 are wired to the same switch, and the Windows/Linux machines, which I cannot modify, have both subnets configured on the same NIC.
As 192.168.1.1 is the default gateway, how can I add a route without adding a static one on the machines, as asked previously?
I just tried to set up a “clone” in the laboratory with 3 routerboards to simulate the two tunnels, the one with two eth ports connected to a switch together with a PC with dual IP subnets; it doesn’t work:
As the default GW is configured to 192.168.1.1, from the PC I can ping the 192.168.2.0 network but not the 192.168.101.0 one.
If I configure a static route on the PC to 192.168.101.0 through 192.168.100.1 it works, but I cannot add it in the real environment.
Any hint?
I’ve added a static route 192.168.101.0/24 through Eth2 (not its IP address), Pref. Source 192.168.100.1.
It works, but it’s simple routing, as the secondary IP address of the PC NIC is not involved (in fact it works as well if I delete the second IP address from the PC NIC), nor is the routerboard Eth2 IP address. Practically, checking IP > Firewall > Connections, the source address is always 192.168.10.1 (primary PC IP address) regardless of which remote network is reached.
If I add the static route on pc, the secondary address of pc is used to reach remote 192.168.101.0 network.
I really don’t know if this is the correct way to operate…
Yes, it would be simpler, but they asked me to keep the two networks as separated as possible (also physically) for future splitting of the customer PCs (despite the fact that for now they are connected together at L2), probably onto two different switches…
If there is no alternative solution I’ll go temporarily for a single routerboard NIC with two addresses…
Putting the second IP address on a second interface and plugging the second interface into the same switch will not break anything - so long as the ethernet switch ports aren’t bridged / switched at layer 2.
No routing needs to be played with for this.
IP will naturally find the right way to go between the networks.
You may need to modify or duplicate some rules in the firewall for this - but you’ll never need to open the ip > routes menu.
Just checked with both addresses on the same routerboard ethernet port as well as the two addresses on two different routerboard ethernet ports:
it seems I do need to add a static route (unless I’m wrong about something).
I still have to add 192.168.101.0/24 through Eth1, Pref. Source 192.168.100.1 to have it working.
Instead, the remote 192.168.2.0 is reachable with no routes from 192.168.1.0 (the one that has the default gateway configured on the PC)…
Are you using routing marks?
The standard behavior is to create a local route for connected networks.
So for example, in my router:
/ip address add address=1.1.1.1/24 interface=ether1
/ip address add address=2.2.2.1/24 interface=ether2
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 1.1.1.0/24 1.1.1.1 ether1 0
1 ADC 2.2.2.0/24 2.2.2.1 ether2 0
ADC = Active, Dynamic, Connect.
You should see such routes every time you put an IP address onto an interface and the interface is up (running).
If you’re not seeing these at all, then there’s something terribly wrong.
If you’re seeing them without the A flag -
You should always see these ADC routes for every IP interface you have, except when the interface is down because it’s admin down / not connected to anything.
Seems like we might have some confusion on the IPSec side of things. IPSec != Routing.
When you configure your IPSec policies, you’re generally tunneling two subnets. Only the subnets defined in the IPSec policy are going to be able to communicate to each other.
192.168.1.0/24 will be able to communicate with 192.168.2.0/24 via your IPSec policy, however 192.168.1.0/24 will not be able to directly communicate with 192.168.101.0/24. This is because the source IPs won’t match the policy. When routing, the router isn’t going to change the source IP address unless you utilize NAT or some other means to change it.
In this scenario, if you have a PC that needs to be able to talk to all 4 subnets, it’s going to need the two local subnets assigned to it and it’s going to need a static route to know how to get to each remote subnet.
In other words, PC1 has 192.168.1.5 and 192.168.100.5 assigned to its NIC. Default gateway is 192.168.1.1. It will be able to communicate with 192.168.1.0/24, 192.168.100.0/24 and 192.168.2.0/24 natively because of local IP addresses. It will be able to communicate with 192.168.2.0/24 because the default gateway is the 192.168.1.0/24 network and that’s going to match your IPSec policy.
In order to communicate with 192.168.101.0/24, you’ll need a static route either on the PC or you’ll have to utilize NAT, because the 192.168.1.0/24 network won’t match the IPSec policy for the 192.168.101.0/24 policy.
The other way to simplify this would be to create an IPSec encrypted IPIP tunnel between your two routers (local network and remote network) and run a routing protocol between them. You’d then use firewall rules to control access. This might be the better path to take as it’s easier to implement if you have PCs that need to talk to multiple subnets.
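To make the selector point concrete, here is an added RouterOS-style sketch of Router A (example configuration, not from the thread or from any poster). It assumes RouterOS 6.43 or later syntax, an IPsec peer already defined under the name peer-B, and documentation WAN addresses 198.51.100.1 (Router A) and 203.0.113.1 (Router B); it shows the two existing subnet-pair policies, the extra "cross" policy, and the src-nat alternative.

```routeros
# Added example, not configuration from the thread. Assumed: RouterOS 6.43+ syntax,
# an existing IPsec peer named peer-B, Router A WAN = 198.51.100.1, Router B WAN = 203.0.113.1.
# The two policies the thread describes (A<->C and B<->D). A policy is selected on the
# packet's own source/destination, so 192.168.1.x -> 192.168.101.x matches neither of them.
/ip ipsec policy
add peer=peer-B tunnel=yes action=encrypt level=require proposal=default \
    src-address=192.168.1.0/24   dst-address=192.168.2.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1
add peer=peer-B tunnel=yes action=encrypt level=require proposal=default \
    src-address=192.168.100.0/24 dst-address=192.168.101.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1

# Option 1: one more policy per "cross" pair (here A->D); Router B needs the mirror
# image with src/dst swapped, otherwise its side rejects the traffic as not matching.
add peer=peer-B tunnel=yes action=encrypt level=require proposal=default \
    src-address=192.168.1.0/24   dst-address=192.168.101.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1

# Option 2: src-nat instead of new policies. srcnat runs before the IPsec policy lookup,
# so packets from 192.168.1.0/24 to 192.168.101.0/24 leave with source 192.168.100.1 and
# match the second policy above; replies to 192.168.100.1 match Router B's reverse policy.
# Put this rule above any general masquerade rule. Side effect: every PC on 192.168.1.0/24
# appears to the .101 servers as the single address 192.168.100.1.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=192.168.100.1 \
    src-address=192.168.1.0/24 dst-address=192.168.101.0/24 \
    comment="make 1.0/24 -> 101.0/24 traffic match the 100<->101 IPsec policy"
```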
Yes, I realized this just before reading your answer.
In fact I need an IPsec policy for each subnet “cross-connection”.
Now I have two policies:
A---------C
|
B---------D
but I need two more if I want A—D and B—C (and the related firewall accept rules, I suppose)
As you can see I’m not expert here…
So this brings me back to my first question:
With a single default gateway configured, PC1 (192.168.1.5) asks 192.168.1.1 “how do I reach 192.168.101.0?”
I thought there was a way to give back an answer like “use your secondary address 192.168.100.5 and go through 192.168.100.1” (thus using the other tunnel)…
This is what happens with a static route on the PC…
The other relevant thing in this scenario: it seems the machines (servers, NAS) on the 192.168.101.0 network will accept connections only from the 192.168.100.0 network, so no routing/NAT should be possible.
If there is no way, I’ll keep both tunnels separated and push the PC maintainers to add static routes…
I don’t think you can do it with just static routes on the router because of the IPSec involvement. You’d either need additional IPSec policies as you stated, static routes on the PCs, or SRC-NAT rules to masquerade traffic.
On the communication issue with servers/devices on the .101.0/24 subnet - if these are Windows machines, check Windows firewall. You may need to explicitly allow the additional subnets in a firewall rule. If not Windows, there may be some ACL settings you can adjust to allow other subnets access.
And no worries - I’m not an expert either. I’ve just learned some via trial by fire and by asking questions.
With static routes on the PCs all is working OK; now I have a new problem:
How can I reach an HTTP server located in the 10.0.0.0 network from PC1?
PC1 can ping the 192.168.101.200 DSL router, but I cannot add a static route on the PC (“gateway is not on the same network” answer).
If I set a static route on Routerboard A :
You’ll need to add the 10.0.0.0/24 destination to your IPSec policy on both RouterA and RouterB.
Furthermore, the router for 10.0.0.0/24 will need routes pointing back to DSL router and DSL router will need static routes for 192.168.1.0/24 and 192.168.100.0/24.
You’re reaching the point where you need to just make a tunnel between Router A and Router B (I recommend GRE) and then put a /30 on that tunnel with e.g. 192.168.255.1/30 = router A and 192.168.255.2/30 = router B.
Change the IPSec policy to select only for protocol = GRE with src/dst = router A and router B’s wan addresses.
(only make IPsec look for the tunnel packets)
Now you’ll be able to add/remove routes across the tunnel all day long w/o modifying the IPSec policy.
You might even consider slapping OSPF onto your routers so that routing is taken care of as well.
Make your life easier, man!
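The route-based design recommended above, written out as an added RouterOS example (not configuration from the thread or any poster). It assumes RouterOS 6.3x or later (the ipsec-secret parameter on /interface gre, which creates the GRE-only IPsec peer and policy for you), documentation WAN addresses 198.51.100.1 for Router A and 203.0.113.1 for Router B, the /30 from the post above, and that the old subnet-pair IPsec policies are removed first so they cannot catch the tunnel traffic.

```routeros
# Added example, not configuration from the thread. Assumed: RouterOS 6.3x+,
# Router A WAN = 198.51.100.1, Router B WAN = 203.0.113.1, old subnet-pair policies removed.
# The dynamically created policy selects only protocol=gre between the two WAN addresses,
# so routes can be added or removed freely without touching IPsec.

# ----- Router A -----
/interface gre add name=gre-to-B local-address=198.51.100.1 remote-address=203.0.113.1 \
    ipsec-secret="REPLACE-WITH-STRONG-PSK" comment="GRE over IPsec to Router B"
/ip address add address=192.168.255.1/30 interface=gre-to-B
# Everything behind Router B, including the DSL router's 10.0.0.0/24, goes through the tunnel.
/ip route add dst-address=192.168.2.0/24   gateway=192.168.255.2
/ip route add dst-address=192.168.101.0/24 gateway=192.168.255.2
/ip route add dst-address=10.0.0.0/24      gateway=192.168.255.2

# ----- Router B -----
/interface gre add name=gre-to-A local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="REPLACE-WITH-STRONG-PSK" comment="GRE over IPsec to Router A"
/ip address add address=192.168.255.2/30 interface=gre-to-A
/ip route add dst-address=192.168.1.0/24   gateway=192.168.255.1
/ip route add dst-address=192.168.100.0/24 gateway=192.168.255.1
# 10.0.0.0/24 sits behind the DSL router at 192.168.101.200; that router still needs
# its own return routes for 192.168.1.0/24 and 192.168.100.0/24 via Router B.
/ip route add dst-address=10.0.0.0/24      gateway=192.168.101.200

# With routing separated from IPsec, reachability policy moves into the firewall.
# Router B example: only 192.168.100.0/24 may reach the .101 servers, 192.168.1.0/24 may
# reach 192.168.2.0/24 and the DSL side, everything else arriving from the tunnel is dropped.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=gre-to-A \
    src-address=192.168.100.0/24 dst-address=192.168.101.0/24
add chain=forward action=accept in-interface=gre-to-A \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24
add chain=forward action=accept in-interface=gre-to-A \
    src-address=192.168.1.0/24 dst-address=10.0.0.0/24
add chain=forward action=drop in-interface=gre-to-A comment="deny anything else from the tunnel"
```

Once the tunnel carries all inter-site traffic, OSPF on gre-to-A/gre-to-B can replace the static routes, as the last post suggests.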