matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Two independent LANs to see their peers

Tue Feb 21, 2017 11:38 pm

Hi

I have two different LANs, with two independent DHCP servers, DNS and WANs. Generally they are just two separate networks as shown on the pic.
Now small description.

LAN A
Router/Gateway: RB hEX
A wlan1 - working as AP (RB912)

LAN B
Router/Gateway (RB433 with 2 radio cards)
WAN on ether1
B wlan1: AP
B wlan2: free to use as a client

Distance between A wlan1 and B wlan is about 40 meters.

Instead of configuring EoIP and putting whole traffic through even encrypted tunnel, I would prefer to connect both networks by using existing access point and client.

How to configure that in the easiest way?

Thanks
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Fri Feb 24, 2017 2:41 pm

90 views and no reply...

Maybe my description is too short. OK, so here is some more.

LAN A
RB750Gr3 - Router/Gateway (bridge 10.10.10.1 / WAN: IP from ISP)
ether1 - WAN
ether2-master (ether3, ether4 & ether5 slave) - LAN
ether3 - connected to RB912 (working as AP)

LAN B
RB433 - Router/Gateway (LAN: 192.168.83.1 / WAN: IP from ISP)
ether1 - WAN
wlan1 - AP for LAN
wlan2 - free to use

I was thinking about assigning a different IP to one of the free ether ports on RB750Gr3 and somehow making a link with wlan2 on RB433. However, I still want this AP to be accessible for other devices, as it is used when I am in the garden.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Fri Feb 24, 2017 5:50 pm

Most simple way: Make sure that wlan2 on RB433 is independent interface (not part of bridge) and connect it as client to RB912 AP. Add DHCP client to it, and assuming RB912 is a simple transparent AP, you'll get 192.168.83.x/24 address on RB433's wlan2. RB433 will know automatically where 192.168.83.0/24 is, because it's part of it. Tell hEX about the other network and that's it:
/ip route add dst-address=10.10.10.0/24 gateway=192.168.83.x
If you control both networks, it's perfectly ok. In case you'd need to have some filtering between them (not allow unlimited communication between all hosts), you can easily do it on RB433. If those were two independent networks with two admins who don't necessarily have complete trust in each other and want to have complete control over filtering at their side, it could use some changes.
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Sat Feb 25, 2017 12:58 pm

From which DHCP wlan2 should get the IP address? Assuming that:
* wlan2 from RB433 is connected to RB912 AP
* DHCP client is running on wlan2,
on 10.10.10.0/24 network (which RB912 is part of), I can see DHCP offered IP, but nothing is assigned. Anyway, if it would assign, that would be address from 10.10.10.0/24 not from 192.168.83.0/24 I believe...

I have control on both networks. It's mine and my parents' houses.

Sent from iPhone using Tapatalk
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Sun Feb 26, 2017 8:55 pm

So I am getting closer, but still it's not what I would like to have.

I established radio connection (btw, the highest CCQ I can reach is 70-80% - any ideas how to get better quality connection?) between RB912 AP and RB433 wlan2 client. I assigned the IP address manually to wlan2: 10.10.10.254. Automatically RB433 made a new route:
1 ADC  10.10.10.0/24      10.10.10.254    wlan2                     0
Peers in 192.168.83.0/24 network can access peers in 10.10.10.0/24 network. There is a reply on ping from a 192.168.83.2 device
XS2.ar2316.v4.0.4974.110823.1727# ping 10.10.10.7
PING 10.10.10.7 (10.10.10.7): 56 data bytes
64 bytes from 10.10.10.7: icmp_seq=1 ttl=63 time=3.9 ms
64 bytes from 10.10.10.7: icmp_seq=2 ttl=63 time=2.9 ms
64 bytes from 10.10.10.7: icmp_seq=3 ttl=63 time=3.4 ms
64 bytes from 10.10.10.7: icmp_seq=4 ttl=63 time=3.0 ms
64 bytes from 10.10.10.7: icmp_seq=5 ttl=63 time=3.4 ms
64 bytes from 10.10.10.7: icmp_seq=6 ttl=63 time=3.5 ms
I added a route on RB750Gr3:
4 A S  192.168.83.0/24                    10.10.10.254              1
Now, devices in 192.168.83.0/24 reply on ping from 10.10.10.0/24 network
root@(none):~# ping 192.168.83.2
PING 192.168.83.2 (192.168.83.2): 56 data bytes
64 bytes from 192.168.83.2: seq=0 ttl=63 time=3.688 ms
64 bytes from 192.168.83.2: seq=1 ttl=63 time=2.813 ms
64 bytes from 192.168.83.2: seq=2 ttl=63 time=5.478 ms
64 bytes from 192.168.83.2: seq=3 ttl=63 time=2.770 ms
^C
--- 192.168.83.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 2.770/3.687/5.478 ms
Everything seems to be fine, but when I try to open the web interface of 192.168.83.2 from, for example, 10.10.10.13 (basically any device in 10.10.10.0/24 network), it takes much, much more time than if, for example, I were logged in via VPN directly to RB433.

Is there anything else I can do to speed up connection?

A small update:
seems like I can access only few peers in 192.168.83.0/24 from 10.10.10.0/24...
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Sun Feb 26, 2017 9:20 pm

Does RB912 have the routes to the necessary networks on it as well?
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Sun Feb 26, 2017 11:46 pm

No, it does not have. What routes should it have? It is a part of 10.10.10.0/24 network (10.10.10.2) ether1 and wlan1 bridged connected with 10.10.10.1 on its ether5 (slave to ether2-master).
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Mon Feb 27, 2017 8:52 am

Can you change Wlan2 to a station on the rb433 and test. I was going to suggest that you put route to 192 network on the RB912. But as it is just acting as an AP this should not be required.
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Mon Feb 27, 2017 3:39 pm

wlan2 interface is already working as a station (client) of RB912 AP. I don't want to change RB912 into station mode if you wanted to ask that. I am using it as an AP when I am outside home, in the garden.
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Mon Feb 27, 2017 4:04 pm

No, I don't want you to change 912 to a station. Station is used as the client to connect to another AP.
Can you run a traceroute from each of your routers to the other router via the LAN port and post the results?
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Mon Feb 27, 2017 8:06 pm

Traceroute from my laptop 10.10.10.13:
>tracert 192.168.83.2

Tracing route to 192.168.83.2 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  10.10.10.1
  2     2 ms     1 ms     1 ms  10.10.10.254
  3     3 ms     6 ms     3 ms  192.168.83.2
Traceroute from 192.168.83.2:
XS2.ar2316.v4.0.4974.110823.1727# traceroute 10.10.10.7
traceroute to 10.10.10.7 (10.10.10.7), 30 hops max, 40 byte packets
 1  192.168.83.1 (192.168.83.1)  2.22 ms  1.809 ms  1.695 ms
 2  10.10.10.7 (10.10.10.7)  3.973 ms  4.13 ms  3.735 ms
Strange things are happening. Just after making the traceroute I cannot ping the same host at all, or it has packets lost:
XS2.ar2316.v4.0.4974.110823.1727# ping 10.10.10.7
PING 10.10.10.7 (10.10.10.7): 56 data bytes
64 bytes from 10.10.10.7: icmp_seq=2 ttl=63 time=2.9 ms
64 bytes from 10.10.10.7: icmp_seq=3 ttl=63 time=2.8 ms
64 bytes from 10.10.10.7: icmp_seq=4 ttl=63 time=2.8 ms
64 bytes from 10.10.10.7: icmp_seq=5 ttl=63 time=3.0 ms

--- 10.10.10.7 ping statistics ---
6 packets transmitted, 4 packets received, 33% packet loss
round-trip min/avg/max = 2.8/2.8/3.0 ms
After that what I wrote here, I could reach anything from 10.10.10.0/24 from 192.168.83.2 device...
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Mon Feb 27, 2017 10:37 pm

Are you running any firewall rules on your routers that are preventing inter-LAN communications?
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Mon Feb 27, 2017 11:31 pm

dgnevans wrote:
Are you running any firewall rules on your routers that are preventing inter-LAN communications?

No internal rules on any of routers. Just simple NAT on incoming traffic from both WANs.


Sent from iPhone using Tapatalk
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Tue Feb 28, 2017 12:10 am

Maybe you have bad connection (you already wrote about low CCQ), that could explain packet loss. What signal levels do you see?
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Tue Feb 28, 2017 1:03 am

Well, it's not 100%, but have seen much worse connections working more flawlessly..
[admin@station1] > /interface wireless monitor wlan2 
status: connected-to-ess
channel: 2422/20/g
wireless-protocol: 802.11
tx-rate: 54Mbps
rx-rate: 36Mbps
ssid: MikroTikSSID
bssid: 6C:3B:6B:3D:D1:CC
radio-name: 6C3B6B3DD1CC
signal-strength: -80dBm
signal-strength-ch0: -80dBm
tx-signal-strength: -59dBm
tx-signal-strength-ch0: -59dBm
tx-signal-strength-ch1: -98dBm
noise-floor: -93dBm
signal-to-noise: 13dB
tx-ccq: 87%
rx-ccq: 68%
p-throughput: 29355
overall-tx-ccq: 87%
authenticated-clients: 1
current-distance: 1
wds-link: no
bridge: no
nstreme: no
framing-mode: none
routeros-version: 6.38.3
last-ip: 10.10.10.1
802.1x-port-enabled: yes
authentication-type: wpa2-psk
encryption: aes-ccm
group-encryption: aes-ccm
management-protection: no
The only thing that comes to my mind is that this AP works very nicely with my iPhone when I am like 300-400 m away from it. The AP is located on the roof of a 2-storey house and the station is at half of the height. The AP antenna is 9 dBi with a small base ground. Maybe it's just "too good" for that short distance???

But...

I left a ping process for a while from AP to station, and the result was 0% loss.
sent=1148 received=1148 packet-loss=0% min-rtt=0ms avg-rtt=2ms max-rtt=115ms
EDIT
OK, so I have checked ping from RB433 (bridge: ether1+wlan1 = 192.168.83.1/24 and wlan2=10.10.10.254/24) to 10.10.10.0/24 and all devices are replying with no loss, but there was no reply when I tried to ping from 192.168.83.2. Configuring masquerade on wlan2 resolved that problem. Now all devices from 10.10.10.0/24 reply IMMEDIATELY WITH NO LAG when accessed from 192.168.83.2.

Still, communication in the other side is complicated, and of course I need it much more than what I achieved. :)

Maybe setting up an EoIP or something similar would be a better idea? :P
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Tue Feb 28, 2017 8:12 am

What it sounds like is your traffic is being natted on the one router. Can you post your NAT rules from each router?
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Tue Feb 28, 2017 11:05 am

Here they are...
RB750Gr3
[admin@RB750Gr3] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 1    ;;; Maskarada WAN
      chain=srcnat action=masquerade out-interface=lte1 log=no log-prefix="" 

 2    ;;; QNAP WWW server
      chain=dstnat action=dst-nat to-addresses=10.10.10.6 to-ports=80 protocol=tcp in-interface=lte1 dst-port=80 log=no log-prefix="" 

 3    ;;; QNAP Asterisk
      chain=dstnat action=dst-nat to-addresses=10.10.10.6 to-ports=5060 protocol=udp in-interface=lte1 dst-port=5060 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.10.10.6 to-ports=5060 protocol=tcp in-interface=lte1 dst-port=5060 log=no log-prefix="" 

 5    ;;; futro OSCam
      chain=dstnat action=dst-nat to-addresses=10.10.10.5 to-ports=2502 protocol=tcp in-interface=lte1 dst-port=2502 log=no log-prefix="" 

 6    ;;; Vu+ Duo2 web interface
      chain=dstnat action=dst-nat to-addresses=10.10.10.7 to-ports=80 protocol=tcp in-interface=lte1 dst-port=50180 log=no log-prefix="" 
RB433
[admin@RB433] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Masquarade WAN
      chain=srcnat action=masquerade out-interface=PPPoE log=no log-prefix="" 

 1    ;;; Masquarade wlan2
      chain=srcnat action=masquerade out-interface=wlan2 log=no log-prefix="" 

 2    ;;; Modem access
      chain=srcnat action=src-nat to-addresses=192.168.1.254 dst-address=192.168.1.1 out-interface=ether1 log=no 
      log-prefix="" 

 3    ;;; stb web interface
      chain=dstnat action=dst-nat to-addresses=192.168.83.10 to-ports=80 protocol=tcp in-interface=PPPoE 
      dst-port=50180 log=no log-prefix="" 
Do you want to see filter rules too? Anyway, on RB750Gr3 there are only default rules for fasttrack and on RB433 drop rules for ftp and ssh brute force.

In my opinion the problem is that on RB433 wlan2 behaves like WAN to 10.10.10.0/24, while on the other side RB912 (access point) is connected to ether5 of RB750Gr3, which is bridged. I am thinking about unslaving the ether5 port, assigning a different address either from 192.168.83.0/24 or completely different but from the same pool as wlan2 of RB433 and RB912 (wlan2 and RB912 will be changed too then), and configuring masquerade and a route, and then ether5 will become a new WAN.
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Tue Feb 28, 2017 1:02 pm

Can you post the export of your 912? There is no reason to masquerade the traffic between the two networks as long as you have routes on each router so they know where to send traffic.
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Tue Feb 28, 2017 2:31 pm

Sorry, I am a newbie... :P What do you want me to export? :D

EDIT
OK, I did export to file, and here it is what I got:
# feb/28/2017 13:33:13 by RouterOS 6.38.3
# software id = R2DT-MMRW
#
/interface bridge
add admin-mac=6C:3B:6B:3D:D1:CB auto-mac=no name=bridge-LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name="WPA WPA2" \
    supplicant-identity="" wpa-pre-shared-key=b3nt0nit wpa2-pre-shared-key=\
    b3nt0nit
/interface wireless
# managed by CAPsMAN
# channel: 2422/20-Ce/gn(0dBm), SSID: kaczkowo-dach, CAPsMAN forwarding
set [ find default-name=wlan1 ] antenna-gain=20 band=2ghz-g/n channel-width=\
    20/40mhz-Ce country=poland frequency=auto mode=ap-bridge rx-chains=0,1 \
    security-profile="WPA WPA2" ssid=kaczkowo-dach tx-chains=0,1 wps-mode=\
    disabled
/interface wireless nstreme
# managed by CAPsMAN
# channel: 2422/20-Ce/gn(0dBm), SSID: kaczkowo-dach, CAPsMAN forwarding
set wlan1 enable-polling=no
/interface bridge port
add bridge=bridge-LAN interface=ether1
/interface wireless cap
# 
set bridge=bridge-LAN caps-man-addresses=10.10.10.1 certificate=request \
    discovery-interfaces=bridge-LAN enabled=yes interfaces=wlan1 \
    lock-to-caps-man=yes
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=bridge-LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=dach-AP
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=10.10.10.1 secondary-ntp=80.50.231.226
/system routerboard settings
set init-delay=0s
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Tue Feb 28, 2017 4:15 pm

Thanks
Maybe remove your security keys from that export.
Can you confirm that the lan port on the 912 and the wireless port on the 912 are bridged?
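
An added example (not part of the thread and not MikroTik code) of scrubbing a RouterOS export before posting it, as the reply above suggests. It joins backslash-continued lines first, because in the export above the value of wpa2-pre-shared-key sits on the line after its key name. The sample export and its key values are constructed; `password` and `secret` in the key list are an assumed extension.

```python
import re

# Property names treated as secrets. The two WPA keys appear in the export
# above; "password" and "secret" are an assumed extension, adjust as needed.
SENSITIVE_KEYS = ("wpa-pre-shared-key", "wpa2-pre-shared-key", "password", "secret")

# key=value, where the value is either a quoted string or a bare token.
SECRET_RE = re.compile(
    r'(?<![\w-])(' + "|".join(map(re.escape, SENSITIVE_KEYS)) + r')=("(?:[^"\\]|\\.)*"|\S+)'
)

# Constructed sample in the layout of a RouterOS 6 export (keys are fake).
SAMPLE_EXPORT = r'''/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name="WPA WPA2" \
    supplicant-identity="" wpa-pre-shared-key=EXAMPLE-KEY-1 wpa2-pre-shared-key=\
    EXAMPLE-KEY-2
/system identity
set name=dach-AP
'''


def join_continuations(text):
    """Merge each line ending in a backslash with the line that follows it."""
    logical, pending, continuing = [], "", False
    for raw in text.splitlines():
        # Continuation lines are indented in the export; drop that indent.
        piece = raw.lstrip() if continuing else raw
        if piece.endswith("\\"):
            pending += piece[:-1]
            continuing = True
            continue
        logical.append(pending + piece)
        pending, continuing = "", False
    if continuing:  # file ended on a dangling backslash
        logical.append(pending)
    return logical


def redact_export(text):
    """Return (sanitized_text, number_of_values_redacted)."""
    count = 0

    def replace(match):
        nonlocal count
        count += 1
        return match.group(1) + "=<REDACTED>"

    lines = [SECRET_RE.sub(replace, line) for line in join_continuations(text)]
    return "\n".join(lines) + "\n", count


if __name__ == "__main__":
    sanitized, n = redact_export(SAMPLE_EXPORT)
    print(sanitized)
    print(f"redacted {n} value(s)")
```

On RouterOS 6, `/export hide-sensitive` omits such values at the source; the script covers text that has already been exported.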
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Mon Mar 06, 2017 12:57 am

Thanks for the advice, haven't checked exactly what it exported :)

Well... wlan is managed by CAPsMAN on RB750Gr3, and there is no physically wlan port in bridge on RB912.

I have added wlan to bridge and it didn't change anything.
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Mon Mar 06, 2017 8:46 am

The things I am seeing, and I might be reading this wrong: RB912 is acting as a router instead of an AP (wireless-bridge). To resolve this you would need to remove DHCP from the bridge. Bridge the wireless and Ethernet port that connects to the switch and main router. On wlan2 you would need to remove the NAT statement from within firewall nat; I would also set up a static IP on this interface, wlan2.
Lastly, you would need to make sure there are static routes pointing between the two locations. Then this should all work. Currently you are natting traffic and have multiple routers in between; each would need to have routes loaded, which can be done, but NAT needs to be removed.
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Mon Mar 06, 2017 1:17 pm

DHCP server is configured on RB750Gr3 and works fine for all devices connecting via any AP I have at home (3 of them actually). They get the IP address from 10.10.10.0/24 network and there is no problem with the communication within LAN. RB912 has no DHCP server at all. It has a configured bridge, but until yesterday night there was only 1 ether port assigned to the bridge. I have added wlan too, but there is no difference in working.
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Mon Mar 06, 2017 6:48 pm

Ok, I hope I have it now. You have RB750GR3 LAN A ------ RB912 AP WLAN1 ----- RB433 WLAN2 STATION ------ RB433 LAN B
From my understanding, and if I am wrong correct me: RB750 GR3 10.10.10.1 connects to RB912 and gives out DHCP. WLAN 2 on RB433 connects as a station to RB912.
If so, instead of having a DHCP address on RB433 interface wlan2, I would configure a static IP on the 10.10.10.0/24. I would then exclude this from the DHCP on RB750. Let's say 10.10.10.254/24. I would then create an IP route on RB750 GR3:
add distance=1 dst-address=192.168.83.0/24 gateway=10.10.10.254
Depending on your firewall rules, you may need to add the following to each router at the top of your forward rules. This would allow forward traffic between the 2 LANs.
add action=accept chain=forward comment="LAN Traffic" dst-address=10.10.10.0/24 src-address=192.168.83.0/24
add action=accept chain=forward comment="LAN Traffic" dst-address=192.168.83.0/24 src-address=10.10.10.0/24
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Tue Mar 07, 2017 1:02 pm

dgnevans wrote:
Ok, I hope I have it now. You have RB750GR3 LAN A ------ RB912 AP WLAN1 ----- RB433 WLAN2 STATION ------ RB433 LAN B
From my understanding, and if I am wrong correct me: RB750 GR3 10.10.10.1 connects to RB912 and gives out DHCP. WLAN 2 on RB433 connects as a station to RB912.
If so, instead of having a DHCP address on RB433 interface wlan2, I would configure a static IP on the 10.10.10.0/24. I would then exclude this from the DHCP on RB750. Let's say 10.10.10.254/24. I would then create an IP route on RB750 GR3:
add distance=1 dst-address=192.168.83.0/24 gateway=10.10.10.254

This is what I already have since few posts ;)

dgnevans wrote:
Depending on your firewall rules, you may need to add the following to each router at the top of your forward rules. This would allow forward traffic between the 2 LANs.
add action=accept chain=forward comment="LAN Traffic" dst-address=10.10.10.0/24 src-address=192.168.83.0/24
add action=accept chain=forward comment="LAN Traffic" dst-address=192.168.83.0/24 src-address=10.10.10.0/24

And it seems this is what I was missing! :D
Some peers are replying on ping, but I can't access them via web interface. However, I need to go there and check if they reply locally. Anyway, those which I was able to log in to slowly now give access immediately! :)

Thanks for that!
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Tue Mar 07, 2017 2:45 pm

Hmmm... Seems it's not the end :D

I have just figured out that if I don't access the 192.168.83.0/24 network too often, then none of the peers there reply. After I log in to RB433 and start pinging any host at 10.10.10.0/24, I can easily access the devices at 192.168.83.0/24 from 10.10.10.0/24... It's like the wireless connection between RB433 and RB912 is not kept alive (both devices are showing they are linked)...
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Tue Mar 07, 2017 4:30 pm

You could try changing from station on RB433 wlan2 to station-pseudobridge and see if that has an effect. Alternatively, you could set up netwatch to ping a device on the other side to see if that keeps the link alive.
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Tue Mar 07, 2017 6:05 pm

Thanks for your reply again.
I have set pseudobridge. Now will observe how it works.
Anyway, it looks promising :)
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Thu Mar 09, 2017 10:14 pm

Sorry for a little off topic, but if the connection between these subnets works fine now, is it much to do to make RB433 as a failover gateway for 10.10.10.0/24 and RB750Gr3 for 192.168.83.0/24?
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Thu Mar 09, 2017 10:43 pm

It depends on what firewall rules you have etc. etc. If the firewall rules allow both vlans out the connection, it can be as simple as setting a second route 0.0.0.0/0 through the opposing router with a distance of 2. You can then set up check gateway on the default route. You could also configure OSPF and share the default route. There are a number of options available.
 
matiaszon
Member
Topic Author
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Fri Mar 10, 2017 1:53 am

I made a quick test by disabling the DHCP client on ether1 (RB750Gr3), so it lost its IP from the ISP, and defined a new gateway through 10.10.10.254 (wlan2 on RB433), created masquerade, and guess what... It works! ;)

However, I am not that sure if there is any masquerade on bridge-LAN (RB750Gr3) needed. Maybe some properly done rule on the firewall would be more than enough? And I believe a script and some watchdog is needed to switch the gateway automatically...

Edit:
Just found this video, and checked applied to my settings, and... it works! What I did:
  • removed out-interface from masquerade and now it looks like this:
          chain=srcnat action=masquerade log=no log-prefix="" 
    
  • added new route through 10.10.10.254 with HIGHER DISTANCE (in the movie it is set up 10 but I did 5)
  • set up DNS manually, otherwise it won't get dynamically, and won't work
And it works in one way... :)
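
An added example (not from the thread's participants): a parser for `/ip firewall nat print` output in the layout shown earlier that flags enabled masquerade rules with no out-interface, or with one that is not a WAN uplink, the two cases that came up in this thread. Behind such a rule the other LAN sees the router's address instead of the real source, so per-host filtering and logs there lose that information. The sample output is constructed (modelled on the RB433 listing plus a hypothetical disabled rule), and the set of WAN interfaces is an assumption supplied by the caller.

```python
import re

# " 3 X  chain=..." -> rule number, optional flags (X/I/D), rest of the line
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(?:([XID]+)\s+)?(.*)$")
PAIR_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

# Constructed sample in the layout of the listings above.
SAMPLE_NAT_PRINT = '''Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; Masquarade WAN
      chain=srcnat action=masquerade out-interface=PPPoE log=no log-prefix=""

 1    ;;; Masquarade wlan2
      chain=srcnat action=masquerade out-interface=wlan2 log=no log-prefix=""

 2 X  ;;; disabled test rule
      chain=srcnat action=masquerade log=no log-prefix=""

 3    chain=srcnat action=masquerade log=no log-prefix=""

 4    ;;; stb web interface
      chain=dstnat action=dst-nat to-addresses=192.168.83.10 to-ports=80 protocol=tcp in-interface=PPPoE
      dst-port=50180 log=no log-prefix=""
'''


def parse_nat_print(text):
    """Turn the printed listing into a list of rule dicts."""
    rules, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ENTRY_RE.match(line)
        if m:  # a new numbered entry starts here
            cur = {"id": int(m.group(1)), "flags": m.group(2) or "",
                   "comment": "", "props": {}}
            rules.append(cur)
            body = m.group(3)
        elif cur is not None:  # wrapped continuation of the current entry
            body = line.strip()
        else:
            continue
        if body.startswith(";;;"):
            cur["comment"] = body[3:].strip()
            continue
        for key, value in PAIR_RE.findall(body):
            cur["props"][key] = value.strip('"')
    return rules


def audit_masquerade(rules, wan_interfaces):
    """Return (rule id, reason) for enabled masquerade rules that reach past the WAN."""
    findings = []
    for rule in rules:
        props = rule["props"]
        if "X" in rule["flags"]:
            continue  # disabled rules do not affect traffic
        if props.get("chain") != "srcnat" or props.get("action") != "masquerade":
            continue
        out_if = props.get("out-interface")
        if out_if is None:
            findings.append((rule["id"], "no out-interface: LAN-to-LAN traffic is rewritten too"))
        elif out_if not in wan_interfaces:
            findings.append((rule["id"], f"out-interface={out_if} is not a WAN uplink"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_masquerade(parse_nat_print(SAMPLE_NAT_PRINT), {"PPPoE"}):
        print(f"rule {rule_id}: {reason}")
```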
