taylorc
Member Candidate
Topic Author
Posts: 102
Joined: Mon Aug 21, 2006 3:42 am

Routing problem

Thu Feb 17, 2011 3:52 am

Ok.... Connect a 433's Ether1 port to a switch. Now connect two PCs to the switch.

Set up the 433 with Internet access, NATting, the usual.

Now assign two IP addresses to the 433's Ether1:

192.168.1.1/24
192.168.5.1/24

Assign 192.168.1.2/24 to the first PC with .1 as the gateway.
Assign 192.168.5.2/24 to the first PC with .1 as the gateway.

Both PCs can reach the Internet, no problem. They can also both ping 192.168.1.1 and 192.168.5.1.

The problem is that the PC with the IP of 192.168.1.2 cannot ping the PC with the IP address of 192.168.5.2.

Please fix!!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Routing problem

Thu Feb 17, 2011 4:19 am

Works out of the box for me on an RB750G running 4.16. Have you verified that it works in older versions and is only broken in the beta?

Post the output of "/ip address print detail", "/ip route print detail", "/interface print", and "/ip firewall export".

Also check that host firewalls are off, or permitting ICMP - stupid as it sounds, half of the time that ping doesn't work the packets are going to the host fine and the host itself drops them. If I had ten bucks for every time I've done that I'd be retired.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Routing problem

Thu Feb 17, 2011 4:45 am

I actually tried it out on an RB433 on the latest beta.
The router - upgraded to 5.0rc9, system config reset. Only IP addresses were added.
[admin@MikroTik] > /sys reso print
                   uptime: 9m26s
                  version: "5.0rc9"
              free-memory: 51072KiB
             total-memory: 62200KiB
                      cpu: "MIPS 24Kc V7.4"
                cpu-count: 1
            cpu-frequency: 300MHz
                 cpu-load: 1%
           free-hdd-space: 33052KiB
          total-hdd-space: 61440KiB
  write-sect-since-reboot: 1858
         write-sect-total: 210822
               bad-blocks: 0%
        architecture-name: "mipsbe"
               board-name: "RB433"
                 platform: "MikroTik"
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   192.168.1.1/24     192.168.1.0     ether1                                 
 1   192.168.5.1/24     192.168.5.0     ether1                                 
[admin@MikroTik] > /ip route print  
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.1.0/24     192.168.1.1     ether1             0       
 1 ADC  192.168.5.0/24     192.168.5.1     ether1             0       
[admin@MikroTik] > /interface print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                        TYPE             MTU   L2MTU
 0  R  ether1                                      ether            1500  1526 
 1     ether2                                      ether            1500  1522 
 2     ether3                                      ether            1500  1522 
 3  X  wlan1                                       wlan             1500 
[admin@MikroTik] > 
Hooked up two laptops as 192.168.1.2 and 192.168.5.2. Pinged 192.168.1.2 from 192.168.5.2. Here is a packet capture from 192.168.1.2:
sh-3.2# ifconfig en0 | grep "inet[^6]"
       inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
sh-3.2# tcpdump -n -c 4 -i en0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:40:46.678655 IP 192.168.5.2 > 192.168.1.2: ICMP echo request, id 1, seq 15, length 40
18:40:46.678721 IP 192.168.1.2 > 192.168.5.2: ICMP echo reply, id 1, seq 15, length 40
18:40:46.678892 IP 192.168.1.1 > 192.168.1.2: ICMP redirect 192.168.5.2 to host 192.168.5.2, length 68
18:40:47.691046 IP 192.168.5.2 > 192.168.1.2: ICMP echo request, id 1, seq 16, length 40
4 packets captured
9 packets received by filter
0 packets dropped by kernel
sh-3.2#
Ping was successful on 192.168.5.2, of course.
 
taylorc
Member Candidate
Topic Author
Posts: 102
Joined: Mon Aug 21, 2006 3:42 am

Re: Routing problem

Thu Feb 17, 2011 4:48 am

I appreciate the prompt replies.

This was actually handed to me by a coworker - I'll get an export of the config and see what's up.
 
taylorc
Member Candidate
Topic Author
Posts: 102
Joined: Mon Aug 21, 2006 3:42 am

Re: Routing problem

Thu Feb 17, 2011 5:40 am

Turns out there is a catch.

Hotspot is configured on the interface with a source address specifying one of the networks. Even when the hotspot is disabled it seems to block the routing.

I have a MikroTik set up to stand in for one of the computers - 192.168.5.2. I get this strange error when trying to ping:

192.168.5.1 92 byte redirect host (5:1) time=11 ms
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Routing problem

Thu Feb 17, 2011 6:45 am

When the Hotspot is disabled all the NAT and filter rules dynamically created should go away. You can confirm that by "print all" - when all Hotspots are disabled there should be no dynamic rules shown. If it still doesn't work you've got a different problem as it works for me on a clean 4.x and 5.x.
Hotspots work entirely by merit of filter and NAT rules. Off the top of my head I don't see why any of them would prevent what you're trying from working, unless you've got any IP pools configured, as Universal NAT can break end to end connectivity. I'll try and check tomorrow - no promises, though.

The redirect is normal on any Linux kernel (and, in fact, many routers). Redirects on some platforms are sent whenever a packet is hairpinned back out the same interface. The host will ignore it as the host it is being redirected to isn't in its routing table. If you want to prevent them, filter them in the output chain.

Secondary IP addresses are downright ugly, anyway.
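
The redirect handling described in the post above, as an added example that is not part of the original thread: it parses `tcpdump -n` lines in the format shown in the captures here and applies the two discard checks from RFC 1122 section 3.2.2.2 (the redirect must come from the host's current first-hop gateway, and the new gateway must be on-link). The first three capture lines are from the thread; the last two lines and all function names are constructed for illustration.

```python
import ipaddress
import re

# Matches redirect lines as printed by `tcpdump -n`, e.g.
# "IP 192.168.1.1 > 192.168.1.2: ICMP redirect 192.168.5.2 to host 192.168.5.2"
REDIRECT_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP redirect "
    r"(?P<target>[\d.]+) to (?:host|net) (?P<new_gw>[\d.]+)"
)

CAPTURE = [
    # From the capture in this thread
    "18:40:46.678655 IP 192.168.5.2 > 192.168.1.2: ICMP echo request, id 1, seq 15, length 40",
    "18:40:46.678721 IP 192.168.1.2 > 192.168.5.2: ICMP echo reply, id 1, seq 15, length 40",
    "18:40:46.678892 IP 192.168.1.1 > 192.168.1.2: ICMP redirect 192.168.5.2 to host 192.168.5.2, length 68",
    # Constructed: redirect from the real gateway to an on-link next hop
    "18:40:48.000000 IP 192.168.1.1 > 192.168.1.2: ICMP redirect 10.0.0.5 to host 192.168.1.254, length 68",
    # Constructed: redirect sent by a host that is not the gateway
    "18:40:49.000000 IP 192.168.1.77 > 192.168.1.2: ICMP redirect 10.0.0.5 to host 192.168.1.66, length 68",
]

def parse_redirects(lines):
    """Return one dict of ip_address objects per redirect line; skip the rest."""
    found = []
    for line in lines:
        m = REDIRECT_RE.search(line)
        if m:
            found.append({k: ipaddress.ip_address(v) for k, v in m.groupdict().items()})
    return found

def verdict(redirect, host_iface, first_hop):
    """Apply the RFC 1122 3.2.2.2 discard checks from the receiving host's view."""
    if redirect["src"] != first_hop:
        return "discard: sender is not the first-hop gateway"
    if redirect["new_gw"] not in host_iface.network:
        return "discard: new gateway is off-link"
    return "accept"

def audit(lines, host_cidr, first_hop):
    """Return (sender, new gateway, verdict) for every redirect in the capture."""
    iface = ipaddress.ip_interface(host_cidr)
    gw = ipaddress.ip_address(first_hop)
    return [(str(r["src"]), str(r["new_gw"]), verdict(r, iface, gw))
            for r in parse_redirects(lines)]

if __name__ == "__main__":
    for row in audit(CAPTURE, "192.168.1.2/24", "192.168.1.1"):
        print(*row, sep="  ")
```

The redirect captured in the thread falls in the off-link case: the host at 192.168.1.2/24 is told to use 192.168.5.2, which is outside its connected subnet.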
 
taylorc
Member Candidate
Topic Author
Posts: 102
Joined: Mon Aug 21, 2006 3:42 am

Re: Routing problem

Thu Feb 17, 2011 9:57 pm

I agree that secondary addresses are ugly... But we need a network for the wireless devices that both allows users to log in and allows management of the radios if the router is not working. Usually in our setup the customers get a 192.168.x.x and the devices get a 10.x.x.x.

The 10-nets are routed centrally for remote management, but their internet access is blocked.

I'm open for suggestions if anyone knows a better way.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Routing problem

Thu Feb 17, 2011 10:06 pm

Without knowing more about the exact network layout it sounds like VLANs would be a good idea - a management VLAN, and a customer data VLAN.

Still, though - did you test further? Do all the dynamic filter/NAT rules disappear when you turn off all the Hotspot instances? They do for me on 4.16, I can't test that on a 5.x right now, though. Once those rules are gone the Hotspot can't interfere anymore. Does routing work at that point? If no, it's not the Hotspot at fault.
[admin@DNC-RB1100-Instant] > :put [:len [/ip fire fil find dynamic]]
16
[admin@DNC-RB1100-Instant] > :put [:len [/ip fire nat find dynamic]]   
16
[admin@DNC-RB1100-Instant] > /ip hot {dis [f]}                      
[admin@DNC-RB1100-Instant] > :put [:len [/ip fire fil find dynamic]]
0
[admin@DNC-RB1100-Instant] > :put [:len [/ip fire nat find dynamic]]
0
[admin@DNC-RB1100-Instant] > /ip hot {en [f]}                         
[admin@DNC-RB1100-Instant] >
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Routing problem

Fri Feb 18, 2011 5:45 am

I can't recreate your issue even with a Hotspot added to the scenario.

Similar setup to yesterday. I changed the inside 192.168.1.1/24 network to 192.168.2.1/24 as this is at home where I'm putting the 433 on my network that already is 192.168.1.0/24. Add a DHCP client to ether2 as the WAN interface, enable the caching DNS resolver for the Hotspot to work.
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                                TYPE             MTU   L2MTU
 0  R  ether1                                              ether            1500  1526 
 1  R  ether2                                              ether            1500  1522 
 2     ether3                                              ether            1500  1522 
 3  X  wlan1                                               wlan             1500 

[admin@MikroTik] > /ip dhcp-client print
Flags: X - disabled, I - invalid 
 #   INTERFACE          USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS           
 0   ether2             yes          yes               bound         192.168.1.251/24  

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                      
 0   192.168.2.1/24     192.168.2.0     ether1                                         
 1   192.168.5.1/24     192.168.5.0     ether1                                         
 2 D 192.168.1.251/24   192.168.1.0     ether2                                         

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1        1       
 1 ADC  192.168.1.0/24     192.168.1.251   ether2             0       
 2 ADC  192.168.2.0/24     192.168.2.1     ether1             0       
 3 ADC  192.168.5.0/24     192.168.5.1     ether1             0       

[admin@MikroTik] > /ip dns print
                servers: 8.8.8.8,8.8.4.4
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 33KiB
[admin@MikroTik] > 
And a minimalist Hotspot with a test user:
[admin@MikroTik] > /ip hotspot export
# jan/01/2002 01:10:16 by RouterOS 5.0rc9
# software id = 17IE-V2WQ
#
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=\
    default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot
add disabled=no idle-timeout=5m interface=ether1 keepalive-timeout=none name=hotspot1 \
    profile=default
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=\
    unlimited status-autorefresh=1m transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add disabled=no name=test password=test profile=default
[admin@MikroTik] > 
And some basic NAT out the ether2 interface, plus showing there are no firewall filters other than the dynamics:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   chain=srcnat action=masquerade out-interface=ether2 
[admin@MikroTik] > /ip firewall filter print                  
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 
[admin@MikroTik] > 
The users are logged in:
[admin@MikroTik] >/ip hotspot active print
Flags: R - radius, B - blocked 
 #    USER                  ADDRESS         UPTIME       SESSION-TIME-LEFT IDLE-TIMEOUT
 0    test                  192.168.2.2     4m11s       
 1    test                  192.168.5.2     2m47s       
[admin@MikroTik] >
And ping works between them. Here is a tcpdump from the .2.2 machine. Redirects, but as discussed above you'll have to filter those manually or ignore them as they are expected.
sh-3.2# tcpdump -c 8 -n -i en0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:35:43.259587 IP 192.168.5.2 > 192.168.2.2: ICMP echo request, id 1, seq 12, length 40
19:35:43.259646 IP 192.168.2.2 > 192.168.5.2: ICMP echo reply, id 1, seq 12, length 40
19:35:43.259998 IP 192.168.2.1 > 192.168.2.2: ICMP redirect 192.168.5.2 to host 192.168.5.2, length 68
19:35:44.271145 IP 192.168.5.2 > 192.168.2.2: ICMP echo request, id 1, seq 13, length 40
19:35:44.271218 IP 192.168.2.2 > 192.168.5.2: ICMP echo reply, id 1, seq 13, length 40
19:35:44.271549 IP 192.168.2.1 > 192.168.2.2: ICMP redirect 192.168.5.2 to host 192.168.5.2, length 68
19:35:45.285556 IP 192.168.5.2 > 192.168.2.2: ICMP echo request, id 1, seq 14, length 40
19:35:45.285625 IP 192.168.2.2 > 192.168.5.2: ICMP echo reply, id 1, seq 14, length 40
8 packets captured
19 packets received by filter
0 packets dropped by kernel
sh-3.2# ifconfig en0 | grep "inet[^6]"
       inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
sh-3.2#
You have something explicitly blocking this if it isn't working, because it works out of the box. Post your config, I guess.
