bbrelih
just joined
Topic Author
Posts: 6
Joined: Sat Jan 06, 2018 12:53 pm

Real DMZ on second IP range

Sun Aug 29, 2021 1:01 pm

Hi All,

I have WAN on ether1-gw with IP address 176.76.242.175 and DMZ on bridge-dmz with different IP range 176.76.240.16/28.
I add IP address 176.76.240.17/28 to address list for DMZ GW.
The route is added automatically to the route list (176.76.240.16/28, bridge-dmz, Pref.source 176.76.240.17).
I have two servers with static ip addresses in the IP range 176.76.240.16/28: 176.76.240.22 (server1) and 176.76.240.23 (server2) with GW 176.76.240.17.

When I try to ping from server1 to server2, I occasionally get an error:
From 176.76.240.17: icmp_seq=2103 Redirect Host (New nexthop: 176.76.240.22)

Can anyone explain to me where I am making a mistake?
Is the DMZ network and route set up correctly?

BB
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Real DMZ on second IP range

Sun Aug 29, 2021 1:17 pm

Since server1 and server2 are in the same IP subnet, they should communicate directly without any gateway. So first step would be to check IP settings (address, subnet mask) on both servers to verify they match intended use (error message shows that router is involved in at least some of ping exchange but it shouldn't be).
Another thing would be to verify ARP settings on router ...

If you don't get it working, post full text export of router configuration.
 
bbrelih
just joined
Topic Author
Posts: 6
Joined: Sat Jan 06, 2018 12:53 pm

Re: Real DMZ on second IP range

Fri Sep 17, 2021 8:22 am

DMZ IP range 176.76.240.16/28 is on external IP addresses. It still doesn't work.

BB
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Real DMZ on second IP range

Fri Sep 17, 2021 8:43 am

First off: are the two servers supposed to communicate with each other a) through firewall or b) are they allowed to communicate directly?

If it's b), then they should be able to communicate even if they are connected to a dumb switch. Hence you should check if they have proper IP settings, especially the network mask (it should either be /28 or 255.255.255.240). Again: getting that next hop message indicates that server1 communicates with server2 via router. And that doesn't have anything to do with router configuration.

If it's a), then you'll have to redesign DMZ config a bit because in this case router should be handling all the traffic without issuing next hop ICMP packets ... which again is result of using subnet mask, but in this case on the router.
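To make the reasoning in the reply above concrete, here is an added example (not code from the thread or from MikroTik) that models both decisions: the host's on-link check and the router's ICMP "Redirect Host" rule. The router table is built from the addresses posted in the thread; the default route out ether10 and the /32 mask on server1 are assumptions used to show the broken case.

```python
import ipaddress

# Router's routing table, modelled on this thread (constructed for the example):
# connected /28 on bridge-dmz, plus an ASSUMED default route out ether10.
ROUTES = [
    (ipaddress.ip_network("176.76.240.16/28"), "bridge-dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "ether10-telekom-optika"),  # assumed
]

def host_next_hop(addr_with_mask, dst, gateway):
    """What a host does: an on-link destination is reached directly (via ARP);
    anything outside its own subnet is handed to the configured gateway."""
    iface = ipaddress.ip_interface(addr_with_mask)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    return gateway

def router_egress(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    d = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in ROUTES if d in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def router_redirect(ingress, src, dst):
    """Return the ICMP Redirect Host text a router sends back, or None.
    A redirect is only sent when the packet would leave on the same interface
    it arrived on AND the sender is directly attached to that link."""
    egress = router_egress(dst)
    if egress is None or egress != ingress:
        return None
    link = next(net for net, iface in ROUTES if iface == egress)
    if ipaddress.ip_address(src) in link:
        return f"Redirect Host (New nexthop: {dst})"
    return None

def simulate_ping(server1_cfg, dst, gateway="176.76.240.17"):
    """Walk one ping from server1 (address/mask as configured on the host)
    through the host decision and, if needed, the router decision."""
    src = str(ipaddress.ip_interface(server1_cfg).ip)
    if host_next_hop(server1_cfg, dst, gateway) == "direct":
        return "direct"  # the router never sees this packet
    return router_redirect("bridge-dmz", src, dst) or "forwarded"

if __name__ == "__main__":
    print(simulate_ping("176.76.240.22/28", "176.76.240.23"))  # correct mask
    print(simulate_ping("176.76.240.22/32", "176.76.240.23"))  # assumed bad mask
    print(simulate_ping("176.76.240.22/28", "8.8.8.8"))        # off-link, no redirect
```

With the correct /28 the router is not involved at all; with a too-narrow mask the host sends the packet to 176.76.240.17, which forwards it out the same bridge and answers with the redirect seen in the first post.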
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Real DMZ on second IP range

Fri Sep 17, 2021 2:32 pm

mkx stop guessing, it's driving me crazy..........
OP provide network diagram and the config
/export hide-sensitive file=anynameyouwish
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Real DMZ on second IP range

Fri Sep 17, 2021 2:44 pm

mkx stop guessing, it's driving me crazy..........

Let me guess: you never liked guesswork? :-P
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Real DMZ on second IP range

Fri Sep 17, 2021 3:50 pm

Someone needs a script for guessing???
:lol: :lol: :lol:
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Real DMZ on second IP range

Fri Sep 17, 2021 5:36 pm

I guess we need a script for guessing indeed :wink:

@anav, feeling dizzy yet?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Real DMZ on second IP range

Fri Sep 17, 2021 6:55 pm

No actually I was doing something way more fun than reading your guesses LOL (taking care of my grand daughter)!
I still smell like baby poop. :-)
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Real DMZ on second IP range

Fri Sep 17, 2021 9:13 pm

Oh the joys of (great)parenthood ...
 
bbrelih
just joined
Topic Author
Posts: 6
Joined: Sat Jan 06, 2018 12:53 pm

Re: Real DMZ on second IP range

Sat Sep 18, 2021 5:19 pm

mkx: Can I send you router configuration privately?

BB
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Real DMZ on second IP range

Sat Sep 18, 2021 7:36 pm

MKX charges per character.................. the forum is free LOL
We like dirty laundry!!
 
bbrelih
just joined
Topic Author
Posts: 6
Joined: Sat Jan 06, 2018 12:53 pm

Re: Real DMZ on second IP range

Sat Sep 18, 2021 9:55 pm

Here is my configuration (without firewall):
# sep/18/2021 15:27:30 by RouterOS 6.48.4
# software id = JXXW-XVN1
#
# model = 1100
# serial number = 2C6100147CF6E

/interface bridge
add fast-forward=no name=bridge-dmz
add name=bridge-dmz-interno
add name=bridge-gostje
add name=bridge-management
add name=bridge-trunk
add name=bridge-uporabniki
add name=loopback_ospf

/interface ethernet
set [ find default-name=ether1 ] name=ether1--t2-optika
set [ find default-name=ether2 ] name=ether2-b1-trunk
set [ find default-name=ether3 ] name=ether3-b1-trunk
set [ find default-name=ether4 ] name=ether4-b2-trunk
set [ find default-name=ether5 ] name=ether5-b2-trunk
set [ find default-name=ether6 ] name=ether6-gostje
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] name=ether8-uporabniki
set [ find default-name=ether10 ] name=ether10-telekom-optika
set [ find default-name=ether11 ] name=ether11-dmz
set [ find default-name=ether12 ] disabled=yes name=ether12-dmz
set [ find default-name=ether13 ] name=ether13-management

/interface bonding
add name=bonding1-trunk slaves=ether2-b1-trunk,ether3-b1-trunk transmit-hash-policy=layer-2-and-3
add name=bonding2-trunk slaves=ether4-b2-trunk,ether5-b2-trunk transmit-hash-policy=layer-2-and-3
	
/interface vlan
add interface=bridge-trunk name=vlan20-uporabniki vlan-id=20
add interface=bridge-trunk name=vlan41-dmz-interno vlan-id=41
add interface=bridge-trunk name=vlan80-gostje vlan-id=80
add interface=bridge-trunk name=vlan200-management vlan-id=200

/ip dhcp-server option
add code=46 name=netbios-node-type_PNode value="'2'"

/ip pool
add name=pool-manage ranges=172.100.200.100-172.100.200.120
add name=pool-gostje ranges=172.100.80.150-172.100.80.180
add name=pool-uporabniki ranges=172.100.20.200-172.100.20.240
add name=pool-dmz-interno ranges=172.100.41.200-172.100.41.210

/ip dhcp-server
add address-pool=pool-gostje authoritative=after-2sec-delay disabled=no \
    interface=bridge-gostje lease-time=2h name=gostje
add address-pool=pool-manage authoritative=after-2sec-delay disabled=no \
    interface=bridge-management lease-time=3d10m name=management
add address-pool=pool-uporabniki authoritative=after-2sec-delay disabled=no \
    interface=bridge-uporabniki lease-time=2d name=uporabniki
add address-pool=pool-dmz-interno authoritative=after-2sec-delay disabled=no \
    interface=bridge-dmz-interno lease-time=2d name=dmz-interno

/routing ospf instance
set [ find default=yes ] distribute-default=always-as-type-1 \
    redistribute-static=as-type-1 router-id=10.255.1.1

/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"

/interface bridge port
add bridge=bridge-management interface=vlan200-management
add bridge=bridge-trunk interface=bonding1-trunk
add bridge=bridge-trunk interface=bonding2-trunk
add bridge=bridge-uporabniki interface=vlan20-uporabniki
add bridge=bridge-uporabniki interface=ether8-uporabniki
add bridge=bridge-gostje interface=vlan80-gostje
add bridge=bridge-gostje interface=ether6-gostje
add bridge=bridge-management interface=ether13-management
add bridge=bridge-dmz-interno interface=vlan41-dmz-interno
add bridge=bridge-dmz interface=ether11-dmz
add bridge=bridge-dmz interface=ether12-dmz multicast-router=disabled

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/ip address
add address=10.255.1.1/24 interface=loopback_ospf network=10.255.1.0
add address=172.100.20.1/25 interface=bridge-uporabniki network=172.100.20.0
add address=172.100.20.129/25 interface=bridge-uporabniki network=172.100.20.128
add address=172.100.80.1/24 interface=bridge-gostje network=172.100.80.0
add address=172.100.200.1/24 interface=bridge-management network=172.100.200.0
add address=172.100.41.1/24 interface=bridge-dmz-interno network=172.100.41.0
add address=89.121.174.117/16 comment="T2 optika" interface=ether1--t2-optika network=89.121.0.0
add address=176.76.242.178/30 comment="Telekom optika" interface=ether10-telekom-optika network=176.76.242.176
add address=176.76.240.17/28 comment="Telekom optika dmz Gateway - public_ip" interface=bridge-dmz network=176.76.240.16

/ip dhcp-server network
add address=172.100.20.0/25 comment="ICT - uporabniki (NetBIOS over TCP/IP (\
    code 46) node type 2 (Peer2Peer) - PNode )" dhcp-option=\
    netbios-node-type_PNode dns-server=\
    172.100.20.101,172.100.20.106,172.91.20.104 domain=ict.users gateway=\
    172.100.20.1 netmask=25 wins-server=\
    172.100.20.101,172.100.20.106,172.91.20.104
add address=172.100.20.128/25 comment="ICT - uporabniki gostje" dns-server=\
    193.189.160.13,193.189.160.23,84.255.209.79,84.255.210.79 domain=\
    ict.guest gateway=172.100.20.129 netmask=25
add address=172.100.41.0/24 comment="ICT - dmz - interno" dhcp-option=\
    netbios-node-type_PNode dns-server=\
    172.100.20.101,172.100.20.106,172.91.20.104 domain=ict.dmz-interno \
    gateway=172.100.41.1 netmask=24 wins-server=\
    172.100.20.101,172.100.20.106,172.91.20.104
add address=172.100.80.0/24 comment="ICT - gostje" dns-server=\
    8.8.8.8,84.255.209.79,84.255.210.79 domain=ict.guest gateway=\
    172.100.80.1 netmask=24
add address=172.100.200.0/24 comment="ICT - management" dhcp-option=\
    netbios-node-type_PNode dns-server=\
    172.100.20.101,172.100.20.106,172.91.20.104 domain=ict.manage gateway=\
    172.100.200.1 netmask=24 wins-server=\
    172.100.20.101,172.100.20.106,172.91.20.104

/ip dns
set servers="193.189.160.13,193.189.160.23,84.255.209.79,84.255.210.79,8.8.8.8"

/routing filter
add action=discard chain=ospf-in prefix=10.99.21.0/25
add action=discard chain=ospf-out prefix=10.99.21.0/25

/routing ospf network
add area=backbone network=172.100.20.0/25
add area=backbone network=172.100.200.0/24

 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Real DMZ on second IP range

Sat Sep 18, 2021 10:35 pm

So you have ether11 and ether12 bridged for the DMZ in question (and ether12 is actually disabled). I don't see error which would force servers to communicate via gateway. Since router isn't running DHCP server for that subnet I assume servers have IP settings configured manually. So I'm asking you (again) to triple check settings on servers.
Since both servers are (obviously) connected to same router port (ether11), what is the topology of network between router and servers? Are servers virtual machines running off same hypervisor?

BTW, you're using various 172.100.x.y subnets. I'm sure you're aware these are not RFC 1918 addresses for private use. They are registered to Charter Communications Inc.
 
bbrelih
just joined
Topic Author
Posts: 6
Joined: Sat Jan 06, 2018 12:53 pm

Re: Real DMZ on second IP range

Sun Sep 19, 2021 9:54 am

Ether12 is temporarily disabled. The router does not use DHCP for this subnet. The servers have manually configured IP settings.

The servers are virtualized and run on the same hypervisor.
The Hyper-V server, where virtual systems run, is connected via a switch to the router's ether11 interface.

DMZ subnet 176.76.240.16/28 is with an external provider (Telekom) - external IP addresses of Telekom.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Real DMZ on second IP range

Sun Sep 19, 2021 11:24 am

So did you check network settings on virtual servers? Check network settings on vswitch as well, it should allow connectivity between vhosts.