I have the router configured to serve addresses via DHCP. I have a Linux server which, when given an address via DHCP, works; that is, I can SSH into the server without problems from my Windows 11 PC.
However, if I give the server a static IP address of 192.168.3.2, I cannot SSH into the server from Windows 11. My DHCP address pool is 192.168.88.1/24. I'll be attaching the router configuration at the end of this message.
The strange thing is that I can connect via SSH to the server from a Raspberry Pi running on the DHCP segment.
What is happening here?
Note:
When I say cannot, I mean that I am prompted for a password when I connect. I enter the password and eventually the system disconnects.
I did do a cable test across all ports and they are fine.
Which SSH client on the Windows machine are you using? Certain clients prompt for a password even before they initiate the connection attempt; others prompt for a password during the SSH connection handshake.
By all means do post the configuration of your router, and also describe which interfaces are used to connect your Windows and Linux machines.
I've no idea when the Windows OpenSSH client asks for a password, so I can't tell when the connection actually fails. Based on the configuration you provided, I'm guessing it's asking for the password before starting the connection and that the connection never actually establishes.
One of the errors (the ROS configuration checker tolerates it, but there were reports of weird problems, and fixing it helped) is this:
Since ether3 is a port member of the bridge, the incriminated IP address should also be set on the bridge. If you expressly want to have the 192.168.3.0/24 subnet on ether3 only, then remove ether3 from the bridge.
BTW, is this a typo or do you actually have it exactly as in your export?
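The following is an added illustration of the bridge-port mistake described in the post above, written in RouterOS CLI syntax; it is not taken from the OP's export. It assumes the export has ether3 as a member of `bridge` while also carrying `192.168.3.1/24`, and that the firewall uses the default `LAN` interface list.

```routeros
# Added example, not from the original export. Assumed starting state:
# ether3 is a bridge port AND carries its own IP address. RouterOS accepts
# this but the bridge owns the port's traffic, so the address on the slave
# port is not where packets are actually handled.
/interface bridge port print where interface=ether3
/ip address print where interface=ether3

# Fix 1: keep ether3 in the bridge and move the address to the bridge.
# Both subnets then share one L2 domain; they are separated only by
# addressing, not by the port. RouterOS binds at most one DHCP server to an
# interface, so the second subnet on the bridge gets no DHCP server of its
# own (hosts in it keep static addresses).
/ip address set [ find address="192.168.3.1/24" ] interface=bridge

# Fix 2 (instead of Fix 1): take ether3 out of the bridge so that
# 192.168.3.0/24 really lives on ether3 only. Hosts on it then reach the
# rest of the LAN through routing and the forward chain.
/interface bridge port remove [ find interface=ether3 ]
/ip address set [ find address="192.168.3.1/24" ] interface=ether3
# ether3 is no longer covered by the bridge's LAN-list membership, so add it
# or the default "drop everything not from LAN" input rule will also drop
# DHCP/DNS requests and SSH to the router from that port.
/interface list member add list=LAN interface=ether3

# Verify: the address should now sit on exactly one interface, and that
# interface must not be a bridge slave.
/ip address print
/interface bridge port print
```

Either fix leaves one consistent picture: an IP subnet is bound to the interface that terminates its frames, which is the bridge for bridged ports and the port itself only once it is no longer bridged.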
Both subnets are on the bridge, the bridge is in the LAN list, there's nothing in the firewall blocking this traffic; it should work. If SSH doesn't work, start with ping, to make sure routing is OK. Then there's always the packet sniffer, if you want to know exactly what's happening.
Q1. Do you need 'B' in the WiFi settings (band=2ghz-b/g/n)? If not, it is preferred to have band=2ghz-g/n.
Q2. As alluded to, there is something funny configured on your bridge... The commonly used idea of using your bridge to give out DHCP across all the ports is quite useful and standard. In this typical setup one IP address is allotted to the bridge (and pool/DHCP server etc.) and none directly to the interfaces.
Apparently there is nothing technically wrong in the setup below, but WHY have you done it so? Why have you elected to give the bridge multiple addresses, and why did you elect to give ether3 its own address?
The answers may help to point out a better way of achieving desired requirements/functionality.
Overall, at least in the basic firewall rules you have, there should be nothing preventing access to SSH within the LAN.
The two items that are suspect for me are:
1 = The unusual bridge set-up (the likely culprit)
2 = The extra fluffy FW rules used (but only if one can positively rule out anything else; it would simply be a matter of disabling all raw rules and any rules not in the default basic set)
PL] No copy paste, that was exactly how the rule was. I am surprised the router accepted it. I have fixed that rule now. Thanks for flagging it.
I am happy if all the systems can talk to each other. I have done the segmentation for administrative convenience.
I disabled ingress filtering on ether3. SSH is still a problem.
What happens is that when I do
ssh pranav@192.168.3.2
I am asked for my password.
I type the password and then hit the enter key.
Nothing happens and eventually, I get a client loop disconnect.
Segregated for admin convenience is a non-answer; it says nothing! It's not a reason and does not describe the underlying motive.
Requirements can be stated as:
What functionality do you need the USER to have or not have?
What services should the user access or not access?
What traffic flow should the user have or not have?
Now replace the word user with ADMIN, and in this case:
I need to separate/segment ports for the purpose of ... ??
I need to split up the single subnet to do ... ??
If you do not need VLANs, which it appears you do not, and you wish to separate/control/monitor ports, why not simply:
subnet1 - ether2 subnet, pool and settings based on 192.168.88.0/24
subnet2 - ether3 subnet, pool and settings based on 192.168.30.0/24
subnet3 - ether4 subnet, pool and settings based on 192.168.40.0/24
This would be a logical approach, or one approach, if one wanted to SEGMENT something; however, without clarity of purpose the config is guesswork.
What is this network actually? I see ether2-3-4-5 connected to the bridge. This is one L2 broadcast domain. All devices will talk to each other over IP if in the same subnet. They will not use any of the router settings. Only ether1 will pass through the firewall and do NAT and routing.
Giving ether2 and ether3 their own IP address is, as explained, not actually going to happen. Slave interfaces do not accept IP addresses. (And if they do, then the outcome is unexpected, as it is actually used by the bridge.)
So this is a single L2 LAN with independent subnets. If you want two devices in separate subnets to talk to each other, they must use the router. You can enter the router as the gateway. (This happens with DHCP; don't forget it when using a static IP address.) But it will not work as expected. For a Cisco router I know that a "split horizon" is needed. I have not seen the equivalent in RouterOS.
What happens is that a router that has to forward the packet through the same interface as the one it came in on (the "bridge" in this case) will send an ICMP redirect to the sender, telling the device not to come to this router again, but to go directly to the next hop. The sender, if it accepts redirects, will avoid the router for the next packets and fail.
From what I see of the network, ether2 and ether3 should not be on the bridge! Then routing and firewall filtering will happen and continue as expected. Setting an IP on ether2 and ether3 is correct then.
EDIT: in /ip settings there is an option to disable "Send Redirects". [Like a Cisco "split horizon" but for all interfaces.] But I don't think this is the setup you need.
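An added check for the redirect behaviour described in the post above, in RouterOS CLI; it is not from the thread. It assumes both subnets sit on `bridge`, that the Windows host is `192.168.88.50` (a hypothetical address) and that the server is `192.168.3.2`.

```routeros
# Added example, not from the thread. Capture ICMP between the router and the
# Windows client while an SSH attempt to 192.168.3.2 is made. With both
# subnets on the bridge the router forwards the client's first packet back
# out of the bridge and sends the client an ICMP redirect (type 5); that
# packet is what this filter is meant to catch.
/tool sniffer set filter-interface=bridge filter-ip-protocol=icmp \
    filter-ip-address=192.168.88.50 file-name=redirect-test.pcap
/tool sniffer start
# ... now run "ssh pranav@192.168.3.2" from the Windows host ...
/tool sniffer stop
/tool sniffer packet print
# Open redirect-test.pcap in Wireshark and filter on "icmp.type == 5" to see
# which gateway the router told the client to use instead of itself.

# "Quick and dirty" workaround: stop the router from sending redirects at all,
# so every packet between the two subnets keeps passing through the router
# (and through the forward chain).
/ip settings set send-redirects=no
/ip settings print

# Caveat: this only changes what the router says from now on. A client that
# already cached a redirect keeps that host route until it expires. The clean
# fix is still to give 192.168.3.0/24 its own port or VLAN.
```

If the capture shows no redirect at all, the redirect theory is ruled out for this client and the next thing to compare is the Linux server's own default gateway, since its replies to 192.168.88.x also have to leave its subnet.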
I have a general LAN at 192.168.88.1/24 which has devices like my desktop, my mobile phone, an Amazon Fire Stick etc.
I have some IP cameras in the house. I have given them their own network segment at 192.168.2.1. I did this in case I had to make any specific firewall rules to allow access to the cameras from a VPN. As of now, this has not happened.
I have a NAS box and a Linux server. I wanted to give them their own segment. This is because I was experimenting with networking as a part of a home lab.
In essence:
I want to keep the cameras separate.
I need to have fixed IP addresses for the server and NAS box. If a DHCP lease is a simpler way of doing this, I am happy to ditch subnetting.
Suggesting:
create three subnets (properly) (each has IP address, pool, DHCP server etc.)
192.168.88.0/24 - for house LAN
192.168.20.0/24 - for camera LAN
192.168.30.0/24 - for NAS LAN
Decide which port they need to come out of on the Router.
If you have a LAN that you want on more than one port make that selection your bridge selection.
So that the bridge gets the IP pool, address, server etc, and not the associated ports.
In this way, at layer two, you are separating the subnets appropriately.
One will still need firewall rules to ensure the router does not route between LAN segments.
Finally, any dhcp assigned lease can be turned into a static fixed lease very very easily, not to worry about that!
If the NAS and server (sharing the same subnet range) are on one Ethernet port, then detach that Ethernet port from the bridge and give it the required subnet IP address.
Using DHCP or not makes no difference, but don't forget to set the default IP route gateway, and the DNS server, if done statically. A "static lease" for DHCP exists also. (*)
Be aware that broadcast discovery does not work over a router.
If everything is mixed up (e.g. server and NAS on different Ethernet ports, with some cameras on random Ethernet ports), then using the router with "Send Redirects" disabled is a quick and dirty solution.
Quick because it will work, dirty because there is no real separation of the subnets. The clean solution then is to use VLANs, but then the devices must be VLAN aware (no problem for the server, and probably not for the NAS); cameras, however, could be more limited.
(*) To ditch subnetting: let the server acquire a DHCP address. Go to "DHCP Server / Leases", select the server lease, click "Make Static". Edit the address to the value you want to have. The server will always get that address.
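The following is an added, complete RouterOS configuration for the three-subnet layout suggested two posts up (house, camera and NAS LANs, each with its own address, pool and DHCP server, plus the firewall rules that keep the router from forwarding between segments) together with the static-lease approach in the post above. It is example code, not the OP's export. Assumptions: ether3 carries the NAS/server LAN and ether4 the camera LAN (both detached from the bridge), the house LAN stays on the bridge, the default firewall with `LAN` and `WAN` interface lists is in place, and the MAC addresses are placeholders.

```routeros
# Added example, not from the thread. Assumed port layout:
#   bridge (ether2, ether5, wlan)  -> 192.168.88.0/24  house LAN
#   ether3 (out of the bridge)     -> 192.168.30.0/24  NAS/server LAN
#   ether4 (out of the bridge)     -> 192.168.20.0/24  camera LAN
/interface bridge port remove [ find interface=ether3 ]
/interface bridge port remove [ find interface=ether4 ]

# One address per L2 segment, on the interface that terminates it.
/ip address
add address=192.168.88.1/24 interface=bridge comment="house LAN"
add address=192.168.30.1/24 interface=ether3 comment="NAS LAN"
add address=192.168.20.1/24 interface=ether4 comment="camera LAN"

/ip pool
add name=pool-house ranges=192.168.88.10-192.168.88.254
add name=pool-nas   ranges=192.168.30.10-192.168.30.254
add name=pool-cam   ranges=192.168.20.10-192.168.20.254

# One DHCP server per interface (RouterOS allows only one per interface).
/ip dhcp-server
add name=dhcp-house interface=bridge address-pool=pool-house disabled=no
add name=dhcp-nas   interface=ether3 address-pool=pool-nas   disabled=no
add name=dhcp-cam   interface=ether4 address-pool=pool-cam   disabled=no

# Gateway and DNS handed out with each lease; the router answers DNS only if
# /ip dns allow-remote-requests=yes (set in the default configuration).
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# Every routed LAN interface must be in the LAN list, otherwise the default
# "drop all not coming from LAN" input rule blocks DHCP, DNS and SSH to the
# router from that port.
/interface list member
add list=LAN interface=ether3
add list=LAN interface=ether4

# Fixed addresses for the server and NAS as static leases. MACs are
# placeholders; replace them with the real ones.
/ip dhcp-server lease
add server=dhcp-nas address=192.168.30.2 mac-address=AA:AA:AA:AA:AA:02 \
    comment="linux server"
add server=dhcp-nas address=192.168.30.3 mac-address=AA:AA:AA:AA:AA:03 \
    comment="NAS"
# Alternatively, convert a lease the device already holds instead of typing
# its MAC, then edit the address:
#   /ip dhcp-server lease make-static [ find address=192.168.30.57 ]
#   /ip dhcp-server lease set [ find address=192.168.30.57 ] address=192.168.30.2

# Forward-chain policy. "add" appends after the default rules, whose first
# rule already accepts established/related traffic, so replies to connections
# opened from the house LAN still pass. The default set has no final drop in
# the forward chain, so LAN-to-LAN forwarding is allowed unless dropped here:
# the camera LAN may not open connections to any other LAN segment.
/ip firewall filter
add chain=forward action=drop in-interface=ether4 out-interface-list=!WAN \
    comment="cameras: no new connections toward other LAN segments"

# Verify the result.
/ip address print
/ip dhcp-server print
/ip firewall filter print chain=forward
```

With this layout a host in 192.168.88.0/24 reaches 192.168.30.2 through the router and the forward chain, never via the bridge, so the redirect problem discussed earlier cannot arise; the cost is that anything relying on broadcast discovery (mDNS, SMB browsing) no longer crosses between the house LAN and the NAS LAN.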
I am going to retain the camera segment. The problem there is that the ports are mixed with other stuff. However, I am happy to remove that port from the bridge and get routing rules in place.
I’ll put the server and NAS on static DHCP leases.
Again: it's not a problem to have multiple IP addresses (and subnets) configured on the same interface, in your case on the bridge interface. The problem is the IP subnet configured on ether3. Given your mixture of devices connected to the same physical port of the router, and that you don't seem to be bothered about the non-existent IP subnet separation on lower layers, you really should change this:
Hi,
<snip /ip address set [ find address="192.168.3.1/24" ] interface=bridge
Or you already did it but you still have the problem described in your initial
PL] I did this, so the segment 192.168.3.1/24 is now on the bridge interface. However, the problem is the same.
using the router with "Send Redirects" disabled is a quick and dirty solution.
because:
What happens is that a router that has to forward the packet through the same interface as the one it came in on (the "bridge" in this case) will send an ICMP redirect to the sender, telling the device not to come to this router again, but to go directly to the next hop. The sender, if it accepts redirects, will avoid the router for the next packets and fail.
So MKX, now you may start to appreciate my usual advice (in the past), when more green, to zoom right away to using VLANs. A simple non-VLAN setup has turned into a quagmire of mucky muck. However, I have learned that it's more important to let you guys get dirty and perhaps help the OP learn a bit more about subnets and non-VLAN bridge setups than to whisk the OP into happy land right away!
I don't know how IP routing in MT works, and how some clients react to redirects.
A more detailed and more correct wording…
"The subnet is used to determine what hosts are "assumed to be on link". If a host wants to communicate with a host outside its subnet then (assuming there is nothing special in the host's routing table) it will try and send the packet to its default gateway.
If the default gateway knows about all the subnets and is prepared to send packets back out on the same interface they came in through, then communication will work fine. Otherwise things are going to break."
It's about having multiple subnets on one LAN or not. Whether one splits multiple subnets over multiple Ethernet ports or over multiple VLANs, it is the same avoidance of multiple subnets on one L2.
Using VLANs requires at least one edge port per VLAN if client devices are not VLAN aware. In that case, with just one router, the same split-up happens if the Ethernet port is taken off the bridge.
The OP only mentioned a hAP ac2. Device interconnection is unknown. More edge ports could be created with a VLAN-aware switch.