ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Two routerboards on the same physical lan and two addresses on client nic

Mon Apr 20, 2015 5:34 pm

Routerboard "A" ip address = 192.168.0.1/24
Routerboard "B" ip address = 10.0.0.1/24
Windows client ip address = 192.168.0.100 plus 10.0.0.100 on same nic, default GW = 192.168.0.1
All hardware connected to the same switch

Destination network 10.10.10.0/24 is reachable through 10.0.0.1 routerboard

The Windows machine asks routerboard "A" to reach the 10.10.10.0 network: is it possible for routerboard "A" to tell the Windows machine to use routerboard "B" as the gateway for that subnet? How?
This is to avoid setting up a static route on the Windows machine.

Thank you
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Two routerboards on the same physical lan and two addresses on client nic

Mon Apr 20, 2015 5:40 pm

Via a static route, yes.

I'd add a 192.168.0.x/24 address to router B. From there, add a static route in Router A stating that 10.10.10.0/24 is reachable via Router B's 192.168.0.x address.

So let's say you put 192.168.0.2/24 on Router B, the static route on Router A would be:

/ip route add dst-address=10.10.10.0/24 gateway=192.168.0.2
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Mon Apr 20, 2015 5:47 pm

Thank you for answering,

Is it necessary to add the 192.168 class to routerboard "B"?
Is it because the static route needs to be on the same class?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Mon Apr 20, 2015 6:01 pm

Nutshell - your options are:
1) static routes in every host
2) dynamic routing, including the hosts (this is the original case for RIP, by the way) - yuck
3) routers handle it for the hosts - requires a common network between the routers.

So using option 3, router A will forward packets for 10.x.x.x/n to router B, but it will also send an ICMP redirect message to your workstations, so they will start sending packets directly to router B for that destination... this gets cached for a little while, and during that time, packets aren't getting "bounced off of router A" anymore, either.

Both routers need to have addresses in a common network between them so they can reach each other. Even if they're on the same layer 2 broadcast (i.e. same switch, on switches that are connected, on the same VLAN, etc), they won't actually look for each other there because according to layer 3 (IP), they are not on the same network and will therefore need to use a gateway to reach each other.

This doesn't mean that A or B need to be dual-IP-addressed on your LAN. You could actually plug a network cable directly between the routers, put a 10.255.255.0/30 network on that link, and put static routes that go across this link instead of back out the LAN interface to the other router.
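The redirect behaviour described in option 3 can be checked with a small model of router A's forwarding decision. This is an added example, not code from the thread or from MikroTik: it uses the thread's addresses (192.168.0.1/24 on A, 192.168.0.2 on B, 10.10.10.0/24 behind B, the 10.255.255.0/30 router-to-router link) with assumed interface names ether1/ether2 and a constructed sample packet, and it simplifies the RFC 1812 redirect rule to "same in/out interface and sender on the same subnet as the next hop".

```python
# Added example (not from the forum thread or RouterOS): a toy model of when a
# router forwards a packet and also emits an ICMP Redirect. Simplified rule
# (RFC 1812 s.5.2.7.2): the packet leaves by the interface it arrived on, and the
# sender sits on the same subnet as the next hop, so it could go direct.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, IPv4Interface, ip_address, ip_network, ip_interface
from typing import Optional


@dataclass
class Route:
    prefix: IPv4Network
    iface: str                         # outgoing interface (assumed names ether1/ether2)
    gateway: Optional[IPv4Address] = None   # None for a connected (ADC) route


@dataclass
class Router:
    addresses: dict                    # iface -> IPv4Interface
    routes: tuple

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the table; None when nothing covers dst."""
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward(self, src, dst, in_iface):
        """Return (out_iface, next_hop, redirect_sent) for a transit packet."""
        src, dst = ip_address(src), ip_address(dst)
        r = self.lookup(dst)
        if r is None:
            return (None, None, False)
        next_hop = r.gateway if r.gateway is not None else dst
        link = self.addresses[in_iface].network
        # Redirect only if we bounce the packet back out the ingress interface
        # and the sender could have reached the next hop on that link itself.
        redirect = r.iface == in_iface and src in link and next_hop in link
        return (r.iface, next_hop, redirect)


def router_a_shared_lan() -> Router:
    """Option 3 as posted: router B also holds 192.168.0.2 on the shared LAN."""
    lan = ip_interface("192.168.0.1/24")
    return Router(
        addresses={"ether1": lan},
        routes=(
            Route(lan.network, "ether1"),                                            # ADC route
            Route(ip_network("10.10.10.0/24"), "ether1", ip_address("192.168.0.2")),  # static via B
        ),
    )


def router_a_with_link() -> Router:
    """Variant from the post: a dedicated cable between A and B carrying 10.255.255.0/30."""
    lan = ip_interface("192.168.0.1/24")
    link = ip_interface("10.255.255.1/30")
    return Router(
        addresses={"ether1": lan, "ether2": link},
        routes=(
            Route(lan.network, "ether1"),
            Route(link.network, "ether2"),
            Route(ip_network("10.10.10.0/24"), "ether2", ip_address("10.255.255.2")),
        ),
    )


if __name__ == "__main__":
    pkt = ("192.168.0.100", "10.10.10.7", "ether1")   # constructed: PC -> host behind B, via A
    print(router_a_shared_lan().forward(*pkt))        # ('ether1', 192.168.0.2, True)
    print(router_a_with_link().forward(*pkt))         # ('ether2', 10.255.255.2, False)
```

The second topology shows the trade-off ZeroByte is pointing at: with the dedicated link, A forwards over ether2 and never sends a redirect, so every packet keeps transiting A. The shared-LAN variant only works if the workstations honour redirects; hosts hardened to ignore ICMP redirects (a common setting, since redirects are also a route-hijacking vector on a LAN) will keep sending through A.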
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Mon Apr 20, 2015 6:31 pm

Yeah, the cable between routers option works great! (The double IP address works as well.) Thank you.
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Mon Apr 20, 2015 6:47 pm

This reminds me of another scenario I'll have to manage:

What if routerboard A and B were the same machine??

Practically, I have eth1=192.168.1.1 and eth2=192.168.100.1 on a single routerboard; each of these is IPSEC tunneled to one of two remote sites:

192.168.1.0/24----192.168.1.1-------------ipsec------------------192.168.2.0/24
192.168.100.0/24----192.168.100.1----- ipsec------------------192.168.101.0/24

The local networks 192.168.1.0 and 192.168.100.0 are wired to the same switch, and the Windows/Linux machines, which I cannot modify, have both subnets configured on the same NIC.

As 192.168.1.1 is the default gateway, how can I add a route without adding the static one on the machines, like I asked previously?
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Two routerboards on the same physical lan and two addresses on client nic

Mon Apr 20, 2015 7:15 pm

> This reminds me of another scenario I'll have to manage:
>
> What if routerboard A and B were the same machine??
>
> Practically, I have eth1=192.168.1.1 and eth2=192.168.100.1 on a single routerboard; each of these is IPSEC tunneled to one of two remote sites:
>
> 192.168.1.0/24----192.168.1.1-------------ipsec------------------192.168.2.0/24
> 192.168.100.0/24----192.168.100.1----- ipsec------------------192.168.101.0/24
>
> The local networks 192.168.1.0 and 192.168.100.0 are wired to the same switch, and the Windows/Linux machines, which I cannot modify, have both subnets configured on the same NIC.
>
> As 192.168.1.1 is the default gateway, how can I add a route without adding the static one on the machines, like I asked previously?

In this scenario you wouldn't need any additional configuration because the single router has a route to each destination already.
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 2:07 am

Just tried to set up a "clone" in the laboratory with 3 routerboards to simulate the two tunnels, the one with two eth ports connected to a switch along with a PC with dual IP subnets; it doesn't work:
As the default gw is configured to 192.168.1.1, from the PC I can ping the 192.168.2.0 network but not the 192.168.101.0 one.
If I configure a static route on the PC to 192.168.101.0 through 192.168.100.1 it works, but I cannot add it in the real environment.
Any hint??
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 4:46 pm

Some progress

I've added a static route 192.168.101.0/24 through Eth2 (not its IP address), Pref. Source 192.168.100.1.

It works, but it's simple routing, as the secondary IP address of the PC NIC is not involved (in fact it works as well if I delete the second IP address from the PC NIC), nor is the routerboard Eth2 IP address. Practically, checking IP > Firewall > Connections, the source address is always 192.168.10.1 (primary PC IP address) regardless of which remote network is reached.
If I add the static route on the PC, the secondary address of the PC is used to reach the remote 192.168.101.0 network.

I really don't know if this is the correct way to operate.....
Last edited by ik3umt on Tue Apr 21, 2015 4:58 pm, edited 1 time in total.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 4:57 pm

no no no - you're making this entirely more complicated than it needs to be.

If the two networks are running on the same switch, then whichever port on the Mikrotik is the lan port, just put two IP addresses on it.

Done.
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 5:07 pm

> no no no - you're making this entirely more complicated than it needs to be.
>
> If the two networks are running on the same switch, then whichever port on the Mikrotik is the lan port, just put two IP addresses on it.
>
> Done.

Yes, it would be simpler, but they asked me to keep the two networks as separated as possible (also physically) for future splitting of customer PCs (despite that for now they are connected together at L2), probably onto two different switches....

If there is no alternative solution I'll go temporarily for a single routerboard NIC with two addresses....
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 5:15 pm

> Yes, it would be simpler, but they asked me to keep the two networks as separated as possible (also physically) for future splitting of customer PCs (despite that for now they are connected together at L2), probably onto two different switches....
>
> If there is no alternative solution I'll go temporarily for a single routerboard NIC with two addresses....

Putting the second IP address on a second interface and plugging the second interface into the same switch will not break anything - so long as the ethernet switch ports aren't bridged / switched at layer 2.
No routing needs to be played with for this.
IP will naturally find the right way to go between the networks.

You may need to modify or duplicate some rules in the firewall for this - but you'll never need to open the ip > routes menu.
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 5:59 pm


> No routing needs to be played with for this.
> IP will naturally find the right way to go between the networks.
>
> You may need to modify or duplicate some rules in the firewall for this - but you'll never need to open the ip > routes menu.

Just checked with both addresses on the same routerboard ethernet as well as two addresses each on a different routerboard ethernet:
it seems I do need to add a static route (unless I'm wrong about something).

I still have to add 192.168.101.0/24 through Eth1, Pref. Source 192.168.100.1 to have it working.

Instead, the remote 192.168.2.0 is reachable with no routes from 192.168.1.0 (the one that has the default gateway configured in the PC)......
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 6:24 pm

Are you using routing marks?
The standard behavior is to create a local route for connected networks.
So for example, in my router:
/ip address add address=1.1.1.1/24 interface=ether1
/ip address add address=2.2.2.1/24 interface=ether2
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  1.1.1.0/24         1.1.1.1         ether1                    0
 1 ADC  2.2.2.0/24         2.2.2.1         ether2                    0
ADC = Active, Dynamic, Connect.
You should see such routes every time you put an IP address onto an interface, and the interface is up. (running)
If you're not seeing these at all, then there's something terribly wrong.
If you're seeing them without the A flag -

You should always see these ADC routes for every IP interface you have, except when the interface is down because it's admin down / not connected to anything.
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 6:30 pm

Seems like we might have some confusion on the IPSec side of things. IPSec != Routing.

When you configure your IPSec policies, you're generally tunneling two subnets. Only the subnets defined in the IPSec policy are going to be able to communicate to each other.

192.168.1.0/24 will be able to communicate with 192.168.2.0/24 via your IPSec policy, however 192.168.1.0/24 will not be able to directly communicate with 192.168.101.0/24. This is because the source IPs won't match the policy. When routing, the router isn't going to change the source IP address unless you utilize NAT or some other means to change it.

In this scenario, if you have a PC that needs to be able to talk to all 4 subnets, it's going to need the two local subnets assigned to it and it's going to need a static route to know how to get to each remote subnet.

In other words, PC1 has 192.168.1.5 and 192.168.100.5 assigned to its NIC. Default gateway is 192.168.1.1. It will be able to communicate with 192.168.1.0/24, 192.168.100.0/24 and 192.168.2.0/24 natively because of local IP addresses. It will be able to communicate with 192.168.2.0/24 because the default gateway is the 192.168.1.0/24 network and that's going to match your IPSec policy.

In order to communicate with 192.168.101.0/24, you'll need a static route either on the PC or you'll have to utilize NAT, because the 192.168.1.0/24 network won't match the IPSec policy for the 192.168.101.0/24 policy.

The other way to simplify this would be to create an IPSec encrypted IPIP tunnel between your two routers (local network and remote network) and run a routing protocol between them. You'd then use firewall rules to control access. This might be the better path to take as it's easier to implement if you have PCs that need to talk to multiple subnets.
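The point that "IPSec != Routing" can be made concrete by modelling the two decisions separately: which source address the PC picks for a destination, and whether a (src, dst) pair is covered by a policy selector. The following is an added example, not code from the thread or from MikroTik. It takes PC1's addresses 192.168.1.5 / 192.168.100.5 and default gateway 192.168.1.1 from rmmccann's post, the two policy selectors from ik3umt's description of the tunnels, and assumes a simplified host rule (source address = the host address on the same subnet as the chosen gateway); the `srcnat` parameter models the SRC-NAT alternative rmmccann mentions and is an assumption about where the rewrite happens, not a RouterOS API.

```python
# Added example (not from the forum thread or RouterOS). Two independent steps:
#   1. the host picks a route and therefore a source address,
#   2. the router matches the packet's (src, dst) against IPsec policy selectors.
# A destination can be routable yet fall outside every selector, which is the
# failure the thread is seeing for 192.168.101.0/24.
from ipaddress import ip_address, ip_network

# PC1 as described in the thread: two addresses on one NIC, one default gateway.
PC1_ADDRESSES = {
    ip_network("192.168.1.0/24"): ip_address("192.168.1.5"),
    ip_network("192.168.100.0/24"): ip_address("192.168.100.5"),
}
DEFAULT_GW = ip_address("192.168.1.1")

# Policy selectors (src, dst) on the single router, per ik3umt's tunnel layout.
IPSEC_POLICIES = (
    (ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")),
    (ip_network("192.168.100.0/24"), ip_network("192.168.101.0/24")),
)


def host_source_address(dst, static_routes=()):
    """Source address PC1 would use for dst (simplified host behaviour).

    static_routes: iterable of (prefix, gateway) as strings or ipaddress objects.
    Connected subnets win, then the most specific static route, then the default
    gateway; the source is the host address that shares a subnet with the gateway.
    """
    dst = ip_address(dst)
    for net, addr in PC1_ADDRESSES.items():
        if dst in net:
            return addr
    gw, best_len = DEFAULT_GW, -1
    for prefix, gateway in static_routes:
        prefix = ip_network(prefix)
        if dst in prefix and prefix.prefixlen > best_len:
            gw, best_len = ip_address(gateway), prefix.prefixlen
    for net, addr in PC1_ADDRESSES.items():
        if gw in net:
            return addr
    raise ValueError(f"gateway {gw} is not on a connected subnet")


def matching_policy(src, dst):
    """The (src, dst) selector covering this packet, or None if no policy matches."""
    src, dst = ip_address(src), ip_address(dst)
    for psrc, pdst in IPSEC_POLICIES:
        if src in psrc and dst in pdst:
            return (psrc, pdst)
    return None


def reachable_over_ipsec(dst, static_routes=(), srcnat=None):
    """Return (source address used, matching policy or None).

    srcnat, if given, is (dst_prefix, new_src): the router rewrites the source of
    packets to dst_prefix before policy matching (assumed order; models the
    SRC-NAT option from the thread).
    """
    src = host_source_address(dst, static_routes)
    if srcnat is not None and ip_address(dst) in ip_network(srcnat[0]):
        src = ip_address(srcnat[1])
    return src, matching_policy(src, dst)


if __name__ == "__main__":
    # Default gateway only: 192.168.2.x is covered, 192.168.101.x is not.
    print(reachable_over_ipsec("192.168.2.10"))       # (192.168.1.5, policy 1)
    print(reachable_over_ipsec("192.168.101.10"))     # (192.168.1.5, None)
    # The static route the thread ends up needing on the PC:
    print(reachable_over_ipsec("192.168.101.10", [("192.168.101.0/24", "192.168.100.1")]))
    # The NAT alternative: rewrite the source so it falls inside selector 2.
    print(reachable_over_ipsec("192.168.101.10", srcnat=("192.168.101.0/24", "192.168.100.1")))
```

The second call is the case from the thread: the packet is routed fine, but with source 192.168.1.5 it matches no selector and leaves in the clear (or is dropped by the firewall), which is also why the router's own static routes cannot fix it. With a GRE tunnel protected by one policy on the outer GRE packets, the selector no longer depends on inner subnets at all, which is the simplification suggested later in the thread.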
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 7:02 pm

Yes, I realized this just before reading your answer.
In fact I need an IPSEC policy for each subnet "cross-connection".

Now I have two policies:

A---------C
|
B---------D

but I need two more if I want A---D and B---C (and relative firewall accept rules I suppose)

As you can see I'm not expert here... :(

So this brings me back to my first question:
With a single default gateway configured, PC1 (192.168.1.5) asks 192.168.1.1 "how to reach 192.168.101.0?"
I thought there was a way to give back an answer like "use your secondary address 192.168.100.5 and go through 192.168.100.1" (thus using the other tunnel)....
This is what happens with a static route on the PC......

The other relevant thing in this scenario: it seems the machines (servers, NAS) on the 192.168.101.0 network will accept connections only from the 192.168.100.0 network, so no routing/NAT should be possible.

If there is no way, I'll keep both tunnels separated and push the PC maintainers to add static routes...
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Two routerboards on the same physical lan and two addresses on client nic

Tue Apr 21, 2015 7:33 pm

I don't think you can do it with just static routes on the router because of the IPSec involvement. You'd either need additional IPSec policies as you stated, static routes on the PCs, or SRC-NAT rules to masquerade traffic.

On the communication issue with servers/devices on the .101.0/24 subnet - if these are Windows machines, check Windows firewall. You may need to explicitly allow the additional subnets in a firewall rule. If not Windows, there may be some ACL settings you can adjust to allow other subnets access.

And no worries - I'm not an expert either. I've just learned some via trial by fire and by asking questions. :D
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Wed Apr 22, 2015 5:31 pm

I've drawn a diagram to make things easier..
[Image: network diagram]

With static routes on the PCs all is working OK; now I meet a new problem:
How can I reach an HTTP server located in the 10.0.0.0 network from PC1???

PC1 can ping the 192.168.101.200 DSL router, but I cannot add a static route on the PC ("gateway is not on the same network" answer).
If I set a static route on Routerboard A:

/ip route add dst-address=10.0.0.0/24 gateway=192.168.101.200

I get 192.168.101.200 unreachable (even though I can ping 192.168.101.200 with source IP 192.168.100.1 from the routerboard A console).

any (further) help please ?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Wed Apr 22, 2015 6:01 pm

You'll need to add the 10.0.0.0/24 destination to your IPSec policy on both RouterA and RouterB.
Furthermore, the router for 10.0.0.0/24 will need routes pointing back to DSL router and DSL router will need static routes for 192.168.1.0/24 and 192.168.100.0/24.

You're reaching the point where you need to just make a tunnel between Router A and Router B (I recommend GRE) and then put a /30 on that tunnel with eg: 192.168.255.1/30 = router A, and 192.168.255.2/30 = router B.
Change the IPSec policy to select only for protocol = GRE with src/dst = router A and router B's wan addresses.
(only make IPsec look for the tunnel packets)

Now you'll be able to add/remove routes across the tunnel all day long w/o modifying the IPSec policy.
You might even consider slapping OSPF onto your routers so that routing is taken care of as well.
Make your life easier, man!
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Wed Apr 22, 2015 6:12 pm

Thanks,
I was reading about different types of tunnels just now....

So, with just simple IPSEC, is a new policy needed for every new subnet I need to manage??

Then you suggest the use of GRE over IPSEC, so a tunnel interface is added and I can manage all my routes on it, isn't it?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Wed Apr 22, 2015 6:18 pm

> Thanks,
> I was reading about different types of tunnels just now....
>
> So, with just simple IPSEC, is a new policy needed for every new subnet I need to manage??
>
> Then you suggest the use of GRE over IPSEC, so a tunnel interface is added and I can manage all my routes on it, isn't it?

Yes to all points. It sounds like you understand what's going on.
You'll find that to be so much easier to manage.

Simple IPSec is just a set of rules to scramble packets with a specific set of source/destination pairs. The scrambled packet is then forwarded to a pre-determined address, where the packet is de-scrambled and continues to be forwarded. There is no "IPSec" interface - that was the thing that completely confused me about IPSec for quite a long time. (and continues to annoy me to this day)
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Wed Apr 22, 2015 7:25 pm

Yeah....up and running easily with GRE over IPsec....
But I suppose I need a manual static route for any subnet to be managed through the other end of the tunnel (at least I had to do so...)
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Two routerboards on the same physical lan and two addresses on client nic

Wed Apr 22, 2015 10:37 pm

> Yeah....up and running easily with GRE over IPsec....
> But I suppose I need a manual static route for any subnet to be managed through the other end of the tunnel (at least I had to do so...)

GRE is just the tunnel. You either do like you did with static routes from there, or use a routing protocol like RIP or OSPF.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Wed Apr 22, 2015 11:21 pm

And if you use RIP, then go sit in the corner until you're sorry for what you've done!
:lol:

j/k RIP does have its place - a very unique, limited, specialized place....
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Two routerboards on the same physical lan and two addresses on client nic

Thu Apr 23, 2015 4:40 am

> And if you use RIP, then go sit in the corner until you're sorry for what you've done!
> :lol:
>
> j/k RIP does have its place - a very unique, limited, specialized place....

Haha. I use it internally because my network isn't big enough nor has enough routers for me to justify OSPF. It was dead simple to implement and with some carefully planned route prefixes, works perfectly for my needs (which was just a means of redistributing static routes).
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Thu Apr 23, 2015 5:21 am

> Haha. I use it internally because my network isn't big enough nor has enough routers for me to justify OSPF. It was dead simple to implement and with some carefully planned route prefixes, works perfectly for my needs (which was just a means of redistributing static routes).

Yep. RIP is just fine on networks that are fairly small and fairly stable.
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Thu Apr 23, 2015 12:39 pm

Just implemented RIP.....amazing....

Another problem (I hope the last one..)

[Image: network diagram]

The DSL router has a static route 192.168.1.0/24 via 192.168.2.1.
From the Routerboard A terminal, I can ping the 20.0.0.0 network.
From PC1 I CANNOT ping the 20.0.0.0 network, despite the 20.0.0.0 route being in the route list (gw 10.0.0.2 reachable gre-tunnel1), learned via RIP.

I have to manually add a static route 10.0.0.0/30 via 192.168.2.1 into the DSL router to allow PC1 to ping the 20.0.0.0 network.
Is there a way to avoid this?? (The real DSL router is managed by the ISP, who doesn't want to modify the config.)
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Thu Apr 23, 2015 3:29 pm

> I have to manually add a static route 10.0.0.0/30 via 192.168.2.1 into the DSL router to allow PC1 to ping the 20.0.0.0 network.
> Is there a way to avoid this?? (The real DSL router is managed by the ISP, who doesn't want to modify the config.)

The DSL router needs to participate in RIP also.
The reason you can ping from the terminal of A, but not PC1, is that when you ping from A, the source IP will be the interface the pings leave the router by - which is 10.0.0.1, and as you stated, you've added a route for that. The DSL router needs a static route to PC1 - I'm not sure if the diagram has a typo - 192.168.5.1? Shouldn't that be 192.168.1.5?

Either/or - the DSL router needs to know that PC1's IP lies beyond router B.
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Two routerboards on the same physical lan and two addresses on client nic

Thu Apr 23, 2015 3:35 pm

Just contacted the ISP; they say RIPv2 should be enabled.
This is OK, as I just tried to enable RIP in my dummy DSL router and all is reachable now!!!
(Yes, the PC1 address is 192.168.1.5... :wink: )

Thank you
