kiwirock30
just joined
Topic Author
Posts: 13
Joined: Mon Nov 12, 2012 4:02 am

Asymmetric Routing

Tue Jan 15, 2019 8:44 am

Hi guys, I'm pulling my hair out as to why Mikrotik won't do this:

Two routers addressed as follows:
Router 1 172.24.24.24/24 ether 6
10.0.0.1/24 ether 8
Router 2 172.24.24.62/24 ether 1
10.0.0.2/24 ether 3
172.24.62.254/24 wlan1
Router 1 has a static route for 172.24.62.0/24 via 10.0.0.2.

Router 2 has a default route set to 172.24.24.24 back to Router one's ether 6 port.

This is because there are separate links between these routers that I want to split upstream and downstream traffic across.

The problem is wifi clients in 172.24.62.0/24 can not connect to the Internet. Router 1 is putting an entry in the ARP table without a MAC address for wifi client 172.24.62.240 etc... and saying it's on port Ether 1. Why? It shouldn't be making ARP entries not connected directly to it, full stop, right? That's router 2's business not router 1's. Is this a bug in v6.43.4?

I think this is why it's not working. If I change the static route on Router 1 to 172.24.24.62 (Router 2) all works well. As soon as I change the static route for the wifi subnet to go to 10.0.0.2 via Ether 8 on Router 1 to Ether 3 on Router 2, traffic stops.

I just can't see why this won't work. I think the issue is why Router 1 is trying to make an ARP entry for an IP that doesn't belong to it at all. The IP is attached to a wifi client via Router 2's wlan1 interface.

Any ideas, apart from pulling the Mikrotiks out and installing dumb IP forwarding routers in the form of another router or machine?

Cheers,
Gavin.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Asymmetric Routing

Tue Jan 15, 2019 9:26 am

Hello,

A router will in some cases try to use ARP to resolve a remote IP if gateway for one of the routes is incorrectly set to an interface instead of an IP address. Double check your routes and make sure you don't have a route where gateway is incorrectly set to an interface name instead of an IP.
 
kiwirock30
just joined
Topic Author
Posts: 13
Joined: Mon Nov 12, 2012 4:02 am

Re: Asymmetric Routing

Tue Jan 15, 2019 10:00 am

Thanks for the reply. I've just checked again, the static route 172.24.62.0/24 on Router 1 is set to gateway 'IP address' 10.0.0.2. Reachable via ether 8.

So it should be working. The IP on Router 2 is 10.0.0.2/24 and the Router 1 IP is 10.0.0.1/24 both can ping each other.

Traffic should be reaching 172.24.24.24/24 on Router 1 ether 6 then should return out ether 8 to ether 3 on Router 2 @ 10.0.0.2. But it won't. The moment I change the static route 172.24.62.0/24 on Router 1 to 172.24.24.62 everything works.

So I can't see why Router 1 is attempting an ARP lookup for an IP not on any of its ports. But it's creating a macless entry and assigning it to the port the traffic came from. I think this is why it won't hop to 10.0.0.2 out Ether 8.

There is no firewall or nat on Router 2 either. The only nat is set on a pppoe outbound interface on Router 1. Local traffic and the second router are not touched. The only difference I can see is this pesky ARP entry that keeps coming back and associating to the source port it came from.

Otherwise this asymmetric route setup should be working. Router 1 is an rb2011ilsin, Router 2 an rb951ui2hnd. Both have the same firmware.

If I change the default route on Router 2 to gateway IP 10.0.0.1 it works. So that link is all good. But I want traffic from Router 2 to go to router 1 via 172.24.24.24 and come back on 10.0.0.2.

Hmmm. I would have thought while slightly unusual to setup asymmetrically, the Mikrotiks should be able to do this. It's just a matter of setting the static route for 172.24.62.0/24 to gateway IP 10.0.0.2.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Asymmetric Routing

Tue Jan 15, 2019 10:10 am

> Hmmm. I would have thought while slightly unusual to setup asymmetrically, the Mikrotiks should be able to do this. It's just a matter of setting the static route for 172.24.62.0/24 to gateway IP 10.0.0.2.

MikroTik does asymmetric routing and it is allowed by default. If it is not working, then you have manually done something to forbid asymmetric routing such as enabling reverse path filtering in IP->Settings, or you have something else screwed up.

The ARP entries appearing for remote routes does NOT happen out of the box. Are you absolutely positive that you have checked every single route under ip->route on both routers and not one route has the gateway set to the interface instead of the IP? You say you checked the route for that subnet 172.24.62.0/24 but as I said this problem can happen when *any* route on the device has the gateway set to the interface instead of the next hop IP.

ex. if you have a default route 0.0.0.0/0 set for next hop of an interface (ex. ether1) instead of an IP then the router will start trying to ARP every IP on the planet.

The only time you should have an interface name used as the gateway is for ppp interfaces like a pppoe client.
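
A check for the condition described in this reply, as an added example that is not part of the original post: it scans a `/ip route export` for routes whose gateway is an interface name rather than a next-hop IP. The export text is constructed, and `is_ip`, `interface_gateways` and the `ppp_interfaces` parameter are hypothetical names.

```python
import ipaddress
import shlex

# Constructed sample in the style of a RouterOS v6 "/ip route export".
SAMPLE_EXPORT = """\
# constructed sample, not taken from the thread
/ip route
add distance=1 gateway=pppoe-out1
add comment="return path" distance=1 dst-address=172.24.62.0/24 \\
    gateway=10.0.0.2
add distance=1 dst-address=192.168.88.0/24 gateway=ether1
add distance=1 dst-address=10.9.0.0/16 gateway=10.0.0.2%ether8,ether6
/ip dns
set allow-remote-requests=yes
"""


def is_ip(token):
    """True if token is an IP address, optionally written as ip%interface."""
    try:
        ipaddress.ip_address(token.split("%", 1)[0])
        return True
    except ValueError:
        return False


def interface_gateways(export_text, ppp_interfaces=()):
    """Return (dst-address, gateway) pairs whose gateway is an interface name.

    ppp_interfaces is a tuple of point-to-point interfaces (e.g. a PPPoE client)
    where an interface gateway is expected; the caller supplies it (assumption).
    """
    # Export wraps long commands with a trailing backslash; join them first.
    text = export_text.replace("\\\n", " ")
    findings, menu = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif menu == "/ip route" and line.startswith("add "):
            fields = dict(f.split("=", 1) for f in shlex.split(line)[1:] if "=" in f)
            dst = fields.get("dst-address", "0.0.0.0/0")  # omitted means default route
            for gw in fields.get("gateway", "").split(","):
                if gw and not is_ip(gw) and gw not in ppp_interfaces:
                    findings.append((dst, gw))
    return findings
```

Running it against the export of every router in the path covers the "any route on the device" case, since one interface-gateway route anywhere is enough to trigger the ARP behaviour described.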
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Asymmetric Routing

Tue Jan 15, 2019 10:58 am

Another thing to check - did you perhaps once have that 172.24.62.0/24 subnet set up directly on router1 and removed the IP but haven't rebooted since? Sometimes there can be strange issues caused by route caching when the cache isn't cleared properly.
 
kiwirock30
just joined
Topic Author
Posts: 13
Joined: Mon Nov 12, 2012 4:02 am

Re: Asymmetric Routing

Tue Jan 15, 2019 11:23 am

This was only ever assigned to Router 2's wlan1 interface that I know of, as the IP reflects the frequency used on that device. Router 1 has only ever had static routes to the other router's wlan subnets.

RP filtering is set to no. I even checked DHCP for trying to add arp entries. That is also off. I went to check any bridge settings and there's none. Only routed ports have been used. Even disabled the few firewall filter rules and nat on Router 1 pppoe interface and still no go.

I just tried to reverse the traffic flow by leaving Router 1 route for 172.24.62.0/24 nexthop 172.24.24.62. Then change default route on 2 to 10.0.0.1. This had success. Clients on Router 2 wlan now work. So I'm stumped as to why in reverse this wasn't working. I've tried again the original way... same - unsuccessful. Rebooted, still no success.

It must be a corrupt config. The ARP attempt doesn't happen when I try it the successful way around on the other interface (link). So it has to be something corrupt on Router 1, I think. I checked for any policy routing on Router 1. Only 3 very specific IP addresses to be unreachable (so no Internet) but on a different subnet from another.. Router 3 AP.

I will try a config reset later on Router 1. For the time being it's working in the opposite traffic flow.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Asymmetric Routing

Tue Jan 15, 2019 11:28 am

> I will try a config reset later on Router 1. For the time being it's working in the opposite traffic flow.

Can you run /ip route export and paste the results? And the same for /ip route print?
 
kiwirock30
just joined
Topic Author
Posts: 13
Joined: Mon Nov 12, 2012 4:02 am

Re: Asymmetric Routing

Tue Jan 15, 2019 12:44 pm

I think I've finally tracked it down and apologise for wasting time. You were right it must be something else screwy and it was just not to do directly with routes.

I was using hostnames on the Internet when nothing was working. And pinging each router using IP from each router fine.

It appears to be something with Mikrotik's internal DNS server. I attempted to do the same thing with Router 3 and Router 1. The moment I set Router 1's return path to Router 3 over another port (using IP as next hop same as before) Internet stopped on Router 3 clients.

The IP used for DNS is on Router 1 on the ether 1 interface. It's getting requests for these on this port still even with my configuration but it's not replying via an alternate route so clients were all throwing a spat.

It's either confused as to which source IP it should be using, or was ignoring switching the firewall filters off (they were turned off in my testing but not removed) - or there's something else up with the DNS forwarder.

I know the DNS forwarder in Mikrotik accepts connections normally from different ports on the router as long as the source has a route to at least a port on the router the DNS resides on. But why it fails when sending back replies via an alternate route outside the IP assigned by DHCP for DNS I'm not sure. The interface IP in question on Router 1 that is assigned as DNS is also constantly up so I didn't figure this would be an issue.

But I'm very relieved I can isolate what was going on or not going on to be more precise. I overthought the problem since I was making more complex routing changes and completely forgot about DNS. I would not have thought this would throw the DNS forwarder into disarray but this was the cause it seems.

I will be installing a separate DNS forwarder on a machine instead or another Mikrotik router just for DNS caching (I think I have an older 750gl I can use for this). This will solve this. So if you set up asymmetric routes but use that router as a DNS forwarder as well, this is where things fall apart taking alternate routes back. Why, I don't know but I can easily reproduce this.

Cheers for the input and hearing me thinking out loud over this. Again my apologies for taking up time but this may be an interesting issue for others to watch out for with DNS on a Mikrotik Router.

Gavin.
