kiwitinker
just joined
Topic Author
Posts: 2
Joined: Sun Nov 24, 2019 11:25 am

Routing mystery

Sun Nov 24, 2019 11:47 am

Hi there,
I have been trying to solve the following issue:
My network routing is OSPF based and works as expected. Now for a 'test' I need to have a single CPE use a different gateway. There are two wireless hops and an Ethernet switch between them. To complicate matters: the gateway has a fixed IP address on its Ethernet side (192.168.1.254) while all the rest of the network uses a 10.x.x.x scheme. Normally I also use an l2tp tunnel between the CPE and its AP for data accounting, but we can lose this for the test if it helps.
Ideally I want automatic failover (to the current gateway of the 10.x.x.x network) should the new (test) gateway become unresponsive. The CPE does have a fixed IP address, so my guess is I need to set up some special routing in the mikrotik box that directly (via ethernet switch) connects to the new gateway, but so far I can not really get my head around the issue. Of course this is in a real life *live* network with other CPEs hanging off the same APs ....

Any pointer welcome!
Cheers
PS If this is successful I might want to add more CPEs to use the new gateway - think of it as load balancing - in a strange way.
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing mystery

Tue Nov 26, 2019 11:35 pm

I'm not sure I understand you right. There is no problem to have several IP subnets in the same L2 network. So you can add 192.168.x.y/24 to an interface of another device connected to the same L2 network, or even as another address to the same interface on which you have the 10.a.b.c/m one, and that's it for both directions, except that you cannot use a dhcp server for both subnets simultaneously unless it would use static leases for individual client-ids.

I don't get the idea of a backup at all. The client device would have to have two routes configured, one via the 10.a.b.c gateway and another one via the 192.168.x.y one, and check the availability of both gateways by periodically pinging them, as the client's physical interface would be common for both. This is something a normal client PC cannot do, that's why VRRP has been invented, where even the MAC address migrates along with the IP address between the routers, so that the client devices wouldn't see any change at all when a new physical router becomes active.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
kiwitinker
just joined
Topic Author
Posts: 2
Joined: Sun Nov 24, 2019 11:25 am

Re: Routing mystery

Wed Nov 27, 2019 12:27 am

Hi Sindy,
Probably my bad in describing what I have/want. I'll try again: I want one CPE to be using a different gateway to the Internet.
I am aware of being able to have multiple IP addresses linked to an interface and yes that would be a way of achieving this, but what I am trying to avoid is to create two separate IP schemes. Ideally I would 'mark' packages at the CPE end which then get routed to the second gateway instead of going to the original - but routing marks only live inside the router. It does not have to be an automatic fail over either, though I might be able to achieve this with route cost/distance later.
As far as I know there is no easy way for a router to know where a package is originating from (interfaces are NATed and they travel through other interim routers). If that could be determined, then a src-nat rule in the router marked X would be able to send this particular packet to the gateway. Here is a part of the network topography: [image of the network topology]
The CPE is marked with a red oval. Normally traffic is routed through the PtP link, but I want this particular one to go through the Gateway.
This is a test and other CPE may follow, hence my wish to keep config changes to a minimum.
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing mystery

Sun Dec 01, 2019 8:20 pm

So if I get you right, you want traffic from a CPE somewhere deep in your network to be handled in a specific way on some border router. But the choice of this handling should be made already at the CPE itself and you are looking for a way to convey the information about the choice to the border element across the network path. For some reason, you cannot use the WAN IP address of the CPE as a basis to choose the handling on the border router itself (although you haven't mentioned any NAT on the intermediate elements on the path between the CPE and the border router).

The most straightforward, and most ugly, way is to misuse the DSCP field of the IP header to convey the information. In this case, you would use the mangle rules on the CPE to set the DSCP field of the packet rather than to assign a routing-mark to it.

Anything else requires some kind of tunneling. You can use a point-to-point tunnel from each such CPE to the border element (which means you'll have a dedicated virtual interface for each CPE at the border element) or, if your network is or can be made L2-transparent, you may use a network-wide VLAN where the CPEs would attach a /32 IP address to the corresponding /interface vlan and set its network parameter to an IP address which would be put up on the corresponding /interface vlan on the border element. In either case, the return path (from the border router to the CPE) can be the basic one, but in such case you must not use any restrictive rules in stateful firewalls on the intermediate elements (as these would see only one direction of each connection and block most traffic as invalid). With PtP tunnels, you could use the tunnels also as the backward routes to the CPEs but it would be a configuration nightmare.

With the VLAN approach you might be able to use the VLAN also for response traffic if you set the IP address at the border element side with a mask spanning all the CPE WAN addresses, put the VLAN interface into a VRF, and set arp=local-proxy-arp at the CPE's /interface vlan. This way, you could make the border router use the VLAN as a return path (using connection-mark and routing-mark matching the VRF one), as the CPEs would respond to the ARP requests received at the VLAN interface regarding an IP address assigned to another interface. But that's a speculation, I have never tested anything this wild.
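The DSCP variant from the answer above, written out as RouterOS v6 CLI for both ends, as an added example that is not part of the original post. Interface names (ether-lan, ether-backhaul, ether-gw), the DSCP value 40, the routing-mark name and the 192.168.1.1/24 border address are assumptions; 192.168.1.254 is the test gateway from the question. The marked route carries check-gateway=ping so that, if the test gateway stops answering, the route goes inactive and the lookup falls back to the main (OSPF) table, which is the failover the question asked for.

```routeros
# --- CPE (deep in the network): tag the LAN clients' traffic with a DSCP value
/ip firewall mangle
add chain=prerouting in-interface=ether-lan action=change-dscp new-dscp=40 \
    passthrough=yes comment="mark traffic that should leave via the test gateway"

# --- Border router (the box next to the 192.168.1.254 gateway)
/ip address
add address=192.168.1.1/24 interface=ether-gw comment="assumed address facing the test gateway"

/ip firewall mangle
# 1) only trust the tag on the backhaul interface, then turn it into a routing-mark
add chain=prerouting in-interface=ether-backhaul dscp=40 action=mark-routing \
    new-routing-mark=via-test-gw passthrough=yes
# 2) clear the tag again so the value does not leak to the upstream provider
add chain=prerouting in-interface=ether-backhaul dscp=40 action=change-dscp new-dscp=0

/ip route
# marked table: default via the test gateway, monitored by ping;
# when it goes down, packets with routing-mark via-test-gw use the main table (RouterOS v6 behaviour)
add dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-mark=via-test-gw \
    check-gateway=ping distance=1 comment="test gateway, falls back to OSPF default when unreachable"

/ip firewall nat
# the 192.168.1.0/24 side does not know the 10.x.x.x network, so masquerade on the way out
add chain=srcnat out-interface=ether-gw action=masquerade
```

The return path is unchanged (replies arrive via OSPF and the normal default), so, as the answer notes, stateful firewalls on intermediate hops must not drop the one-directional flows they see.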
