rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Bridge "Distance" vs Static Route

Tue Aug 24, 2021 4:48 pm

Hi All

I'm finally at a point where I want to burn my many bridges and go the full routing route. The idea is to create all the server bindings and routes beforehand and then change the remote side to no longer connect to the bridge (saving me from LOTS of driving). The issue is the bridge's dynamic route "Distance" is 0 whereas my static route's "Distance" is 1, so it essentially becomes unavailable until I kill the bridge, which leaves me with considerable downtime.

Is there no way to alter the routing preference?

Thanks,
R
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge "Distance" vs Static Route

Tue Aug 24, 2021 5:39 pm

You cannot manipulate the distance parameter of routes to "connected networks" that have been added dynamically, but you can prevent the L2 tunnel from interconnecting the bridges without driving to the remote site. Just copy the /ppp profile row you use for the remote client with a different name, unset the bridge value in the copy, and then set profile to the name of the copy on the /ppp secret row representing that remote device. The L3 tunnel will come up but the L2 one won't, as the landing bridge must be specified at both ends for it to come up. This works for all PPP-based protocols - I'm not sure about OpenVPN, but OpenVPN doesn't allow per-client choice between ip and ethernet anyway.

If it doesn't work, you just set the profile back to the original name and it comes back as it was before.
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Bridge "Distance" vs Static Route

Wed Aug 25, 2021 1:03 pm

Thanks sindy

Seems I was having a blonde day yesterday and did sort of the same thing but just half-assed :roll:

Due to my OVPN setup being ethernet I'm configuring a secondary SSTP connection to the main router (which in essence does the same thing as your secondary profile), but I messed up the routing on the remote side. Luckily I tested it on the closest site :lol:
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Bridge "Distance" vs Static Route

Thu Sep 02, 2021 5:30 pm

Ok, I'm having a rather strange "intermittent" issue with the routing. So I have a few incoming VPN connections and thus far I've tested a few. Some work (I can ping the router and the device behind the router) while others don't work (I can ping the router but not the device behind it, even though the remote router can ping the device connected to it). I've confirmed that the settings between the routers are exactly the same. Changed the VPN profile on the main router so the connection no longer settles on a bridge and created static routes to the remote router's IP and the device connected to it. On the remote router I remove the ether 1 port from the bridge and change the profile (no bridge) and then set the static routes for the IP ranges it should communicate with.

I know this is a bit of a vague question, but what could be causing this?

Thanks,
R
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Bridge "Distance" vs Static Route

Thu Sep 02, 2021 8:04 pm

Oh and just to make it really interesting, then I get connections where I can ping the router and the device behind it from one server but when I use another identical server on the same network it is only able to ping the router and NOT the device behind it.

When doing a tracert the one server shows the complete path but the other stops at the remote router ... which makes no sense at all.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge "Distance" vs Static Route

Thu Sep 02, 2021 8:14 pm

If the settings of the routers are "exactly the same", it should exclude a firewall issue.
So the next possibility is that the IP address assigned by the SSTP to the client fits into the subnet used at the affected router's LAN?
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Bridge "Distance" vs Static Route

Tue Sep 21, 2021 10:33 am

> If the settings of the routers are "exactly the same", it should exclude a firewall issue.
> So the next possibility is that the IP address assigned by the SSTP to the client fits into the subnet used at the affected router's LAN?

Hi sindy

Sorry, struggling to find time to dig further into this. Been playing around the last few days with the "exactly the same" in mind as that might have been a little over exaggerated.

So I have 3 types of routers in the field, wAP, wAP ac and LtAP and with varying firmwares (none lower than 6.45.9, which for the LtAP is the highest it can go without the SIM card becoming inoperable).
So far the wAP and LtAP seem to work as expected. Once their SSTP connections are established and with the correct routing set I can ping both router and secondary device/s from anywhere on the network (main router, server 1, server 2 and my laptop which is VPN'ed to main router).
The wAP however is the problem child. I can ping the router from any device on the network but only certain devices on the main network can ping the secondary device/s (i.e. router can, server 1 can't, server 2 can and my VPN'ed laptop can).

I have reconfigured the firewall on all the tested devices so far and they are 100% the same now. Only variances are the firmware but one of the routers running on the latest exhibits the same issue in any way so doubt it's firmware related.

As for the SSTP connection, it uses an IP pool/range that is not used anywhere else on the network.

Any ideas?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge "Distance" vs Static Route

Tue Sep 21, 2021 10:28 pm

> 6.45.9, which for the LtAP is the highest it can go without the SIM card becoming inoperable

That's already weird alone. I'm running 6.47.10 in an LtAP and LTE works fine, so maybe some at-chat needs to be adjusted for the special needs of your MNO? Or maybe the LTE modem itself needs to get upgraded to make friends with newer RouterOS than 6.45.9. Oh, and don't try to upgrade the LTE modem while running anything older than 6.47 (or maybe one of the last 6.46.x, I don't remember where the last fix of the upgrade procedure was added); I broke my LTE modem that way last summer and had to RMA the whole LtAP-LTE kit.

> Any ideas?

The only idea is sniffing on the problematic devices, to see how far the request gets (and whether it makes it to the remote router at all) and whether a response ever comes from the "secondary device". Maybe server1 has a different routing table than server2? Or the secondary device has some route to server1's address that doesn't use the adjacent Mikrotik as a gateway? Sniffing will tell you which device has not forwarded the packet, and then we may concentrate on the configuration of that device.
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Bridge "Distance" vs Static Route

Wed Sep 22, 2021 2:16 pm

Just tried converting another LtAP (considering all the last ones worked) and it's showing the same weirdness as the wAP now. I can ping the secondary device from my VPN'd laptop but neither server 1 nor 2 can ping it. I ran the packet sniffer for both scenarios (on the remote LTE router) and with the laptop test I can see the ICMP packets coming in and getting a reply. With the servers it comes in but there is never a response from the secondary device (tracert confirms this as it does hit the remote router but with no replies afterwards). The servers do not have any static routes that could mess with things, they simply have a gateway set which is a bridge on the main router.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge "Distance" vs Static Route

Wed Sep 22, 2021 5:22 pm

So if I read you right, assuming that the secondary device is connected to ether1 of the LtAP, you can see the packets from server1 or server2 arrive via sstp-out1 and leave via ether1, but no responses come back via ether1 from the secondary device? Or you can see the ping packet only arrive at the remote router (so sniffed at the SSTP interface) but not at ether1?
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Bridge "Distance" vs Static Route

Mon Sep 27, 2021 12:44 pm

The first one, I could see them leaving ether1.

So I just tested another 3 sites and they are all working 100% and the only thing I changed was adding ether1 into the LAN Interface list (assuming this would be related to the drop all !LAN rule).

And then #4 does exactly the same as the original problem, even with the above change.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge "Distance" vs Static Route

Mon Sep 27, 2021 1:28 pm

Adding ether1 to interface list LAN should only change the behaviour if you didn't have the default "accept established" rule in the firewall. But if this was the reason, you would still see the response at ether1, the firewall would just not allow it to get further. So if you can see the request on ether1 but not the response, either something is wrong with routing at the connected device - maybe it has no default route so it is only able to respond to requests coming from the same subnet, or something may be wrong with the Mikrotik's response to the device's ARP request. If the device gets its IP configuration from the Mikrotik via DHCP, check the /ip dhcp-server network row for the presence (and correctness) of the gateway item.
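
Added example (not part of the thread, and not MikroTik code): a Python sketch of the two configuration checks suggested in the replies above, namely whether each `/ip dhcp-server network` row carries a gateway that lies inside its own subnet, and whether a tunnel-assigned address falls into a LAN subnet. The export text and all addresses are constructed, the function names are hypothetical, and the parser assumes each `add` row sits on one unwrapped line.

```python
import ipaddress
import shlex

# Constructed sample in RouterOS "export" style; every address is invented.
SAMPLE_EXPORT = """\
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 dns-server=192.168.89.1
add address=192.168.90.0/24 gateway=192.168.88.1
"""

def parse_rows(export_text, menu):
    """Return the key=value pairs of every 'add' row under one menu path."""
    rows, current = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line                      # a new menu section starts
        elif current == menu and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:])
            rows.append({p[0]: p[1] for p in pairs if len(p) == 2})
    return rows

def check_dhcp_gateways(export_text):
    """Map each problematic DHCP network to a description of the problem."""
    findings = {}
    for row in parse_rows(export_text, "/ip dhcp-server network"):
        net = ipaddress.ip_network(row["address"], strict=False)
        gateways = [g for g in row.get("gateway", "").split(",") if g]
        outside = [g for g in gateways if ipaddress.ip_address(g) not in net]
        if not gateways:
            # Without a gateway the client can only answer its own subnet.
            findings[str(net)] = "no gateway handed out"
        elif outside:
            findings[str(net)] = "gateway outside subnet: " + ",".join(outside)
    return findings

def tunnel_address_overlaps(tunnel_ip, lan_subnets):
    """Return the LAN subnets that contain the tunnel-assigned address."""
    addr = ipaddress.ip_address(tunnel_ip)
    return [s for s in lan_subnets
            if addr in ipaddress.ip_network(s, strict=False)]

if __name__ == "__main__":
    for net, problem in check_dhcp_gateways(SAMPLE_EXPORT).items():
        print(net, "->", problem)
    print(tunnel_address_overlaps("192.168.88.250", ["192.168.88.0/24"]))
```
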
