Community discussions

MUM Europe 2020
 
knut
just joined
Topic Author
Posts: 13
Joined: Tue May 18, 2010 12:50 pm

CRS125 does not route between subnets

Mon Mar 09, 2015 11:59 pm

I just got a new CRS125-24G-1S-RM, which i want to use for replacing my RB2011 + external lan switch
I have tried to configure the CRS in a similar way as the RB2011, and all interfaces, including lan, dmz, wan (isp) and sstp connection from a remote site are working perfectly on their own, but I am unable to route between them, and there is no internet connectivity, but the router gets public address and correct DNS from the isp.
After several hours of fault-finding, I reset the CRS to factory defaults and started over with a minimal configuration:

interfaces:
lan: ports 9..24 (ether-9-master-lan, ether-10..24-slave-lan)
dmz ports 3..8 (ether-3-master-lan-ether-4..8-slave-lan)
sfp port disabled

ip addresses:
lan: 192.168.10.1/24 network: 192.168.10.0 interface: ether-9-master-lan
dmz: 192.168.20.1/24 network: 192.168.20.0 interface: ether-3-master-dmz

dhcp servers are handing out addresses for both networks, including default GW
lan gw: 192.168.10.1
dmz gw: 192.168.20.1

No firewall is configured (yet!)

ip routelist shows two dynamic routes:
DAC 192.168.10.0/24 ether-9-master-lan reachable, pref source: 192.168.10.1
DAC 192.168.20.0/24 ether-3-master-dmz reachable, pref source: 192.168.20.1

tools ping can ping both interfaces (192.168.10.1 and 192.168.20.1)
tools ping can ping both pc's (192.168.10.199 and 192.168.20.199)
both pc's can ping both router interfaces (192.168.10.1 and 192.168.20.1)
pc1 cannot ping pc2 and pc2 cannot ping pc1.

CRS is running routeros 6.27.

I have configured at least 6 other mikrotiks, and never had this problem.
Are there any special settings for the CRS125 that I have missed?

Help anyone?!?
 
edgars
just joined
Posts: 10
Joined: Tue Feb 10, 2015 1:22 am
Location: London, UK

Tue Mar 10, 2015 4:50 am

Silly guess but check " ip settings print " if "ip-forward" is set to yes.
 
knut
just joined
Topic Author
Posts: 13
Joined: Tue May 18, 2010 12:50 pm

Re: CRS125 does not route between subnets

Tue Mar 10, 2015 10:04 am

Thanks for the reply!

/ip settings print
ip-forward: yes
send-redirects: yes
accept-source-route: no
accept-redirects: no
secure-redirects: yes
rp-filter: no
tcp-syncookies: no
max-arp-entries: 8192
arp-timeout: 30s
icmp-rate-limit: 10
icmp-rate-mask: 0x1818
allow-fast-path: yes

These are exactly the same settings as my working RB2011
Thanks anyway..

Knut
 
mpreissner
Member
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: CRS125 does not route between subnets

Tue Mar 10, 2015 12:40 pm

Did you set the switch groups up as VLANs? Add the IP addresses to the VLAN interfaces? Add the CPU to the VLANs?
Michael Preissner
CISSP, CCSP, CEH, PMP
 
knut
just joined
Topic Author
Posts: 13
Joined: Tue May 18, 2010 12:50 pm

Re: CRS125 does not route between subnets

Tue Mar 10, 2015 1:20 pm

Hi,
No VLANs, just plain old physical LANs

Everything is configured in the same way as my long time functioning RB2011, but no routing between lan segments.
Note that router can ping both PCs and BOTH PCs can ping BOTH router interfaces. Also Torch can see icmp packets from PC1 and PC2 on both router interfaces.
Please also note that the router dynamically add valid, reachable routes to both LANs
-knut
 
Rudios
Forum Veteran
Forum Veteran
Posts: 966
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: CRS125 does not route between subnets

Tue Mar 10, 2015 1:32 pm

I vote for firewall issue on the PC's itself.
If 1 of the PC's can ping both IP addresses of the CRS, routing is ok.
Testing setup with: 2 x RB750UP | 2 x RB750GL | 1 x RB951G-2HnD | 1 x RB2011UiAS-IN
 
knut
just joined
Topic Author
Posts: 13
Joined: Tue May 18, 2010 12:50 pm

Re: CRS125 does not route between subnets

Tue Mar 10, 2015 2:00 pm

Both PCs have firewall turned off, please also note that the router (tools/ping) can ping both PCs, and tools/ipscan finds both PCs
-knut
 
edgars
just joined
Posts: 10
Joined: Tue Feb 10, 2015 1:22 am
Location: London, UK

Tue Mar 10, 2015 2:17 pm

Try to ssh from one PC to another to check TCP connectivity. Try manual ipconfig. Try different host pcs. Was curious and recreated same thing you got with my crs125 ros6.27 and Linux hosts - works perfect.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: CRS125 does not route between subnets

Tue Mar 10, 2015 2:41 pm

And the filter table > forwarding chain is empty in IP Firewall?

I just want to mention this as "food for thought" that the ability to ping to LAN2 from a host on LAN1 is governed by the input chain and not the forward chain and that pings between the CCR itself and any connected hosts is goverened by input / output chains, while host<>host is governed by forwarding chain..... It sounds like you already understand these basics, but sometimes a basic thing gets overlooked by accident.

If you're 100% positive that hosts are fine, forwarding rules are fine, ip forwarding is enabled, etc then it starts to sound like the hardware itself might have a problem.

Can you do a packet capture on a host in one LAN while trying to ping it from a host in the other? Do you even see the packets arriving at the target host?
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
knut
just joined
Topic Author
Posts: 13
Joined: Tue May 18, 2010 12:50 pm

Re: CRS125 does not route between subnets

Tue Mar 10, 2015 3:19 pm

Thank you all for your replies and suggestions.
Just to repeat some of the facts, the thread is getting long...

No firewall is configured (yet!) in router, it is totally open, and yes, I know about chains...

ip routelist shows two dynamic routes:
DAC 192.168.10.0/24 ether-9-master-lan reachable, pref source: 192.168.10.1
DAC 192.168.20.0/24 ether-3-master-dmz reachable, pref source: 192.168.20.1

tools ping can ping both interfaces (192.168.10.1 and 192.168.20.1)
tools ping can ping both pc's (192.168.10.199 and 192.168.20.199)
pc1 can ping both router interfaces (192.168.10.1 and 192.168.20.1)
pc2 can ping both router interfaces (192.168.10.1 and 192.168.20.1)
pc1 cannot ping pc2
pc2 cannot ping pc1.

tools torch can see icmp packets from pc1 on both router interfaces, and icmp packets from pc2 on both router interfaces.

In my initial complete config, including ISP on ehter1, sstp tunnel from remote site, firewall etc, all interfaces was up (including isp and sstp), but there was no connectivity either to internet or between lan's

I own and have configured 2xRB450G, 2xRB433, 1xRB750, 3xRB2011 and 2xSXT, and never have had any problems before.

For me it seems that the routing engine (CPU) does not receive packets, or that routing in some way is turned off.
I will check more things when I get home in the afternoon, including flushing arp-caches, rebooting everything and having a beer...

Meanwhile, I appreciate all suggestions from you.

-knut
 
User avatar
TrollMan
Member Candidate
Member Candidate
Posts: 168
Joined: Mon Apr 04, 2011 9:25 pm

Tue Mar 10, 2015 3:44 pm

Are you using routing marks? Yesterday I was adding another subnet and could not get it to work. But by not adding routing marks and traffic between subnets it works
 
knut
just joined
Topic Author
Posts: 13
Joined: Tue May 18, 2010 12:50 pm

Re: CRS125 does not route between subnets

Tue Mar 10, 2015 3:49 pm

no routing marks
 
inquiery
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Mon Oct 27, 2014 3:49 pm

Re: CRS125 does not route between subnets

Tue Mar 10, 2015 10:15 pm

I have been experiencing the same issue.
I use routing mark, but only for some specific traffic (pppoe related).

I have 2 subnets configured on the CRS125, but on the same port, port-13, and port-13 is the master port for ports-14..24. Lets say i have

192.168.1.0/24 on ether13 (router address is 192.168.1.1)
192.168.2.0/24 on ether13 (router address is 192.168.2.1)

And in the other hand, I have a separated subnet configures on wlan1

10.254.0.0/24 on wlan1 (router address is 10.254.0.1)


on my routing list, I have the 2 dynamic routes related to both subnets on ether13 and another for wlan1.
When I connect to wlan1 with a notebook for example, I can ping the CRS (on IP 10.0.0.1), I can ping 192.168.1.1 and 192.168.2.1, except I can't ping remote devices on any subnet.

Sometimes I can ping devices on one of those subnets, for example, I can ping a computer with address 192.168.1.10 connected on any port from ether13..ether24, but not any remote address from the subnet 192.168.2.0/24.

The only difference I could see between those subnets is that on the route list, I have some pppoe dynamic routes that goes in the middle of the routes, like this.

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          y.y.y.y                   1
 4  DC  10.254.0.0/24      10.254.0.1      wlan1                   255
 5 ADC  192.168.1.0/24     192.168.1.1     ether13                   0 <--- I can reach remote addres on this subnet
 6 ADC  x.x.x.x/32         10.x.x.x        <pppoe-xxxxxxxxxxx        0
 7 ADC  x.x.x.x/32         10.x.x.x        <pppoe-xxxxxxxxxxx        0
 8 ADC  x.x.x.x/32         10.x.x.x        <pppoe-xxxxxxxxxxx        0
19 ADC  192.168.2.0/24     192.168.2.1     ether13                   0 <-- but not on this
I think that, in my case, the dyanamic routes related to pppoe clientes are somehow getting in the way of my ability to reach 192.168.2.0/24 subnet, and since I can't confifure the order of the route list, I can't see a way to test that theory.

I'll be following this thread, and if I found out anything new, i'll post back here also.
 
TroyQ
newbie
Posts: 49
Joined: Thu Oct 20, 2016 10:02 pm

Re: CRS125 does not route between subnets

Thu Dec 15, 2016 4:03 pm

did you ever get this resolved? i now am stuck with the same problem

Who is online

Users browsing this forum: No registered users and 36 guests