slimprize
Member Candidate
Topic Author
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 6:03 am

Hi all,

I am running the following router.
routerboard: yes
board-name: hAP ac^2
model: RBD52G-5HacD2HnD

firmware-type: ipq4000L
factory-firmware: 6.44
current-firmware: 7.1.1
upgrade-firmware: 7.1.1

I have the router configured to serve addresses via dhcp. I have a linux server which, when given an address via dhcp, works; that is, I can ssh into the server without problems from my windows 11 pc.

However, if I give the server a static ip address of 192.168.3.2, I cannot ssh into the server from windows 11. My dhcp address pool is 192.168.88.1/24. I'll be attaching the router configuration at the end of this message.
The strange thing is that I can connect via ssh to the server from a raspberry pi running on the dhcp segment.

What is happening here?
Note:
When I say cannot I mean that I am prompted for a password when I connect. I enter the password and eventually the system disconnects.

I did do a cable test across all ports and they are fine.

Pranav
 
mkx
Forum Guru
Posts: 11485
Joined: Thu Mar 03, 2016 10:23 pm

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 8:29 am

Which ssh client on windows machine are you using? Certain clients prompt for password even before they initiate connection attempt, others prompt for password during ssh connection handshake.

By all means do post configuration of your router, also describe which interfaces are used to connect your windows and linux machines.
 
slimprize
Member Candidate
Topic Author
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 8:48 am

Hi,

I am using the windows 11 open ssh client. I have also tried putty with the same results.

See the attachment for the configuration. If it does not come through this time, I'll post the configuration in my message.

The windows client is in the 192.168.88.1/24 range and the linux server is in the 192.168.3.1/24 range.
Pranav
rconfig.rsc
 
mkx
Forum Guru
Posts: 11485
Joined: Thu Mar 03, 2016 10:23 pm

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 12:07 pm

I've no idea when windows openssh client asks for password so I can't tell when the connection actually fails. Based on configuration you provided I'm guessing it's asking about password before starting the connection and that connection never actually establishes.

One of the errors (ROS configuration checker tolerates it, but there were reports of weird problems, and fixing it helped) is this:
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
...
/ip address
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
Since ether3 is port member of bridge, also the incriminated IP address should be set on bridge. If you expressly want to have 192.168.3.0/24 subnet on ether3 only, then remove ether3 from bridge.


BTW, is this a typo or do you actually have it exactly as in your export?
/ip firewall nat
add chain="chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 to-address=192.168.881 comment=Make Mikrotik preferred dns server"
This rule should be marked as invalid (to-address is missing a dot).
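
The two configuration errors described in the post above can be checked mechanically. This Python linter is an added example, not part of the original thread and not a MikroTik tool: it flags an IP address assigned to a bridge member port, a property whose quoted value swallowed the rest of the rule, and an address that does not parse. The sample export is constructed from the lines quoted in this thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in RouterOS export style, assembled from lines quoted in
# this thread (the poster's full rconfig.rsc is not available on the page).
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\\
    192.168.88.0
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
/ip firewall nat
add chain="chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 to-address=192.168.881 comment=Make Mikrotik preferred dns server"
"""

# key=value, where the value is either a quoted string or a run of non-spaces
PROP = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
ADDRESS_KEYS = {"address", "network", "to-address"}  # keys that appear in this thread


def parse_export(text):
    """Return [(menu, props)] for every 'add' line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines continued with a backslash
    menu, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            props = {k: v.strip('"') for k, v in PROP.findall(line)}
            entries.append((menu, props))
    return entries


def valid_ip(value):
    """True if value parses as an IPv4/IPv6 address, with or without a prefix."""
    try:
        ipaddress.ip_interface(value)
        return True
    except ValueError:
        return False


def lint(text):
    """Return findings as (kind, menu, detail) tuples."""
    entries = parse_export(text)
    slave_ports = {p["interface"] for m, p in entries
                   if m == "/interface bridge port" and "interface" in p}
    findings = []
    for menu, props in entries:
        checked = dict(props)
        for key, value in props.items():
            # A value that itself contains key=value pairs means the rest of
            # the rule was pasted inside one quoted property.
            inner = PROP.findall(value) if key != "comment" else []
            if inner:
                findings.append(("embedded-properties", menu, key))
                checked.update((k, v.strip('"')) for k, v in inner)
        for key in sorted(ADDRESS_KEYS & checked.keys()):
            if not valid_ip(checked[key]):
                findings.append(("invalid-address", menu, f"{key}={checked[key]}"))
        # Address on a bridge member port: the case described in the post above
        if menu == "/ip address" and checked.get("interface") in slave_ports:
            findings.append(("address-on-bridge-port", menu, checked["interface"]))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```
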
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 2:20 pm

Both subnets are on bridge, the bridge is in LAN list, there's nothing in firewall blocking this traffic, it should work. If ssh doesn't work, start with ping, to make sure routing is ok. Then there's always packet sniffer, if you want to know exactly what's happening.
 
anav
Forum Guru
Posts: 19177
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 2:50 pm

Q1. Do you need "B" on wifi settings - band=2ghz-b/g/n? If not, it is preferred to have band=2ghz-g/n

Q2. As alluded to, there is something funny configured on your bridge....... The commonly used idea of using your bridge to give out DHCP across all the ports is quite useful and standard. In this typical setup one IP address is allotted to the bridge (and pool/dhcp server etc.) and none directly to the interfaces.
Apparently there is nothing technically wrong in the setup below, but WHY have you done it so? Why have you elected to give the bridge multiple addresses and why did you elect to give ether3 its own address??
The answers may help to point out a better way of achieving desired requirements/functionality.

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0

add address=192.168.2.1/24 interface=bridge network=192.168.2.0
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.1.2/24 disabled=yes interface=ether1 network=192.168.1.0 {remove not required}
add address=192.168.5.6/24 interface=bridge network=192.168.5.0


Overall, at least in the basic firewall rules you have, there should be nothing preventing access to use SSH within the LAN.
The two items that are suspect for me are
1 = The unusual bridge set-up - the likely culprit
2 = The extra fluffy FW rules used - (but only if one can positively rule out anything else - and would simply be a matter of disabling all raw rules and any rules not default in the basic set)
 
slimprize
Member Candidate
Topic Author
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 3:13 pm

Hi,
<snip /ip firewall nat
add chain="chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 to-address=192.168.881 comment=Make Mikrotik preferred dns server"

PL] No copy paste, that was exactly how the rule was. I am surprised the router accepted it. I have fixed that rule now. Thanks for flagging it.

I am happy if all the systems can talk to each other. I have done the segmentation for administrative convenience.

I disabled ingress filtering on ether 3. The ssh still is a problem.

What happens is that when I do
ssh pranav@192.168.3.2
I am asked for my password.
I type the password and then hit the enter key.
Nothing happens and eventually, I get a client loop disconnect.

Pranav
 
anav
Forum Guru
Posts: 19177
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 4:06 pm

Segregated for admin convenience is a non-answer, it says nothing! It's not a reason and doesn't describe the underlying motive.

Requirements can be stated as:
What functionality do you need the USER to have or not have
What services should the user access or not access
What traffic flow should the user have or not have.

Now replace the word user with ADMIN and in this case
I need to separate/segment ports for the purpose of ............. ??
I need to split up the single subnet to do............. ??

If you do not need vlans, which it appears not, and you wish to separate/control/monitor ports, why not simply
subnet1 - ether2 subnet, pool and settings based on 192.168.88.1.0//24
subnet2 - ether3 subnet, pool and settings based on 192.168.30.0/24
subnet3 - ether4 subnet, pool and settings based on 192.168.40.0/24

This would be a logical or one approach if one wanted to SEGMENT something, however without clarity of purpose the config is guesswork.
 
bpwl
Forum Guru
Posts: 2985
Joined: Mon Apr 08, 2019 1:16 am

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 4:25 pm

What is this network actually? I see ether 2-3-4-5 connected to the bridge. This is one L2 broadcast domain. All devices will talk to each other over IP if in the same subnet. They will not use any of the router settings. Only ether1 will pass through firewall and do NAT and routing.

Giving ether2 and 3 their own IP address is, as explained, not actually going to happen. Slave interfaces do not accept IP addresses. (And if they do, then the outcome is unexpected, as it is actually used by the bridge)

So this is a single L2 LAN with independent subnets. If you want 2 devices in separate subnets to talk to each other they must use the router. You can enter the router as gateway. (Happens with DHCP, don't forget it when using static IP address). But it will not work as expected. For a Cisco router I know that a "split horizon" is needed. I have not seen the equivalent in RouterOS.

What happens is that a router that has to forward the packet through the same interface as where it came from (the "bridge" in this case) will send an ICMP-redirect to the sender, telling the device to not come to this router again, but go directly to the next hop. The sender, if accepting redirects, will avoid the router for the next packets and fail.

To what I see from the network ether2 and ether3 should not be on the bridge! Then routing and firewall filtering will happen and continue as expected. Setting IP on ether2 and ether3 is correct then.

EDIT: in /IP settings there is an option to disable "Send Redirects". [Like a Cisco "split horizon" but for all interfaces.] But I don't think this is the setup you need.
 
slimprize
Member Candidate
Topic Author
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 6:51 pm

Hi all,

Thanks for your comments and questions.

In terms of the purpose of my setup:
1. I have a general lan at 192.168.88.1/24 which has devices like my desktop, my mobile phone, an amazon fire stick etc.
2. I have some IP cameras in the house. I have given them their own network segment at 192.168.2.1. I did this in the event that I had to make any specific firewall rules to allow access to the cameras from a VPN. As of now, this has not happened.
3. I have a NAS box and a Linux server. I wanted to give them their own segment. This is because I was experimenting with networking as a part of a home lab.

In essence:
1. I want to keep the cameras separate.
2. I need to have fixed IP addresses for the server and NAS box. If a dhcp lease is a simpler way of doing this, I am happy to ditch subnetting.

Pranav
 
anav
Forum Guru
Posts: 19177
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 7:10 pm

Suggesting
create three subnets (properly) (each has IP address, pool, dhcp server etc.....)
192.168.88./24 - for house LAN
192.168.20.0/24 - for camera LAN
192.168.30.0/24 - for NAS LAN

Decide which port they need to come out of on the Router.
If you have a LAN that you want on more than one port make that selection your bridge selection.
So that the bridge gets the IP pool, address, server etc, and not the associated ports.

In this way at layer two you are separating the subnets appropriately.
One will still need via firewall rules to ensure the router will not route between lan segments.
Finally, any dhcp assigned lease can be turned into a static fixed lease very very easily, not to worry about that!
 
bpwl
Forum Guru
Posts: 2985
Joined: Mon Apr 08, 2019 1:16 am

Re: Unable to ssh to my server when I use a static ip address

Thu Jan 27, 2022 7:12 pm

If the NAS and server (sharing the same subnet range) are on one ethernet port , then detach that ethernet from the bridge, and give it the required subnet IP address.
Using DHCP or not makes no difference, but don't forget to set default ip route Gateway, and DNS server if done static. "static lease" for DHCP exists also.(*)
Be aware that broadcast discovery does not work over a router.

If everything is mixed up (e.g. server and NAS on different ethernet ports, with some cameras on random ethernet ports), then using the router with "Send Redirects" disabled is a quick and dirty solution.
Quick because it will work, dirty because there is no real separation of the subnets. Clean solution then is to use VLAN, but then the devices must be VLAN aware (no problem for the server, and probably not for the NAS), cameras however could be more limited.

(*) To ditch subnetting. Let the server acquire a DHCP address. Go to "DHCP server/ Leases", select the server lease, Click "Make Static". Edit the address to a value you want to have. The server will always get that address.
 
slimprize
Member Candidate
Topic Author
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 1:58 am

Hi all,

Many thanks for your suggestions and comments.
1. I am going to retain the camera segment. The problem there is that the ports are mixed with other stuff. However, I am happy to remove that port from the bridge and get routing rules in place.
2. I'll put the server and NAS on static DHCP leases.

Pranav
 
mkx
Forum Guru
Posts: 11485
Joined: Thu Mar 03, 2016 10:23 pm

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 12:04 pm

Again: it's not a problem to have multiple IP addresses (and subnets) configured on same interface, in your case on bridge interface. The problem is the IP subnet configured on ether3. Given your mixture of devices connected to same physical port of router and that you don't seem to be bothered about non-existing IP subnet separation on lower layers, then you really should change this:

/ip address
add address=192.168.3.1/24 interface=ether3bridge network=192.168.3.0
e.g. run this command:
/ip address set [ find address="192.168.3.1/24" ] interface=bridge

Or you already did it but you still have problem described in your initial post?
 
slimprize
Member Candidate
Topic Author
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 1:04 pm

Hi,
<snip /ip address set [ find address="192.168.3.1/24" ] interface=bridge

Or you already did it but you still have problem described in your initial
PL] I did this so the segment 192.168.3.1/24 is now on the bridge interface. However, the problem is the same.

Pranav
 
bpwl
Forum Guru
Posts: 2985
Joined: Mon Apr 08, 2019 1:16 am

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 1:37 pm

For inter-subnet communication on the same LAN
using the router with "Send Redirects" disabled is a quick and dirty solution.
because:
What happens is that a router that has to forward the packet through the same interface as where it came from (the "bridge" in this case) will send an ICMP-redirect to the sender, telling the device to not come to this router again, but go directly to the next hop. The sender, if accepting redirects, will avoid the router for the next packets and fail.
 
anav
Forum Guru
Posts: 19177
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 1:45 pm

So MKX now you may start to appreciate my usual advice (past), when more green, to zoom right away to use vlans. A simple non vlan setup has turned into a quagmire of mucky muck. However I have learned that it's more important to let you guys get dirty and perhaps help the op learn a bit more on subnets and non-vlan bridge setups, than to whisk the OP into happy land right away! :-)
 
anav
Forum Guru
Posts: 19177
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 1:46 pm

edit: damn duplicate.
Last edited by anav on Fri Jan 28, 2022 5:22 pm, edited 2 times in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 4:32 pm

Redirect shouldn't cause this, because target will be outside of device's subnet, so it will still be reachable only via default gateway.
 
bpwl
Forum Guru
Posts: 2985
Joined: Mon Apr 08, 2019 1:16 am

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 6:25 pm

I don't know how the IP route in MT works, and how some clients react to redirects.

A more detailed and more correct wording.....

"The subnet is used to determine what hosts are "assumed to be on link". If a host wants to communicate with a host outside its subnet then (assuming there is nothing special in the host's routing table) it will try and send the packet to its default gateway.

If the default gateway knows about all the subnets and is prepared to send packets back out on the same interface they came in through then communication will work fine. Otherwise things are going to break.

When the default gateway notices that it is sending a packet back out the way it came in it may send ICMP redirect packets to inform the host that it can send the packet by a more direct route. The sending host may or may not take notice of said redirect."
Source: https://networkengineering.stackexchang ... e-same-lan

It's about having multiple subnets on one LAN or not. If one splits multiple subnets over multiple ethernet ports or over multiple VLAN's is the same avoidance of multiple subnets on one L2.
Using VLANs requires at least one edge port per VLAN, if client devices are not VLAN aware. In that case with just one router the same splitup happens if the ethernet port is taken off the bridge.
OP only mentioned a hAP ac2. Device interconnection is unknown. More edge ports could be created with a VLAN aware switch.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 7:11 pm

It's basically correct, but router doesn't really know what subnet the connected device uses. For example, extreme case, device can have just point to point address (in RouterOS terms: /ip address add interface=xx address=192.168.88.20/32 network=192.168.88.1), so the only directly reachable address is 192.168.88.1. But router can have 192.168.88.1/24, so much bigger network. And it will work, they can communicate with each other. But if 192.168.88.20 tries to contact 192.168.88.140, for router it will be the same subnet, so it will send redirect. But device will ignore it, because it has no idea where to look for 192.168.88.140.

And same here, as router sees it, packet from 192.168.88.x to 192.168.3.x will have same incoming and outgoing interface, so it will send redirect. But if source device has only 192.168.88.x/24, it doesn't know where 192.168.3.x is, it still has to use default gateway to reach it.
 
mkx
Forum Guru
Posts: 11485
Joined: Thu Mar 03, 2016 10:23 pm

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 9:18 pm

To add to two previous posts: ICMP redirect comes handy when there are multiple routers on the same subnet as normal devices, connecting to different other networks. Main router will have a number of static routes. Client devices will normally have single default route configured, so when a client sends packet targeting network connected via one of "auxiliary" routers, main router will send packet to the correct "auxiliary" router and ICMP redirect to the client device. In this case better gateway will be in same IP subnet as client and client will be able to send subsequent packets directly to "auxiliary" router. If it has accept-redirects (or similar setting) enabled.
 
bpwl
Forum Guru
Posts: 2985
Joined: Mon Apr 08, 2019 1:16 am

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 9:25 pm

OK I have to cleanup something here, don't want to get @mkx and @Sob nervous .... a little test to see how this is implemented in ROS.

Setup:
hAP ac Lite : LAN network 192.168.85.0/24. Is router and DHCP server. Bridge is LAN and holds ether ports 1-4 (5 is unused WAN here)
in port 2 (on bridge)- PC Gets IP address 192.168.85.95 via DHCP. Gateway and DNS set to 192.168.85.1 by DHCP
in port 3 (on bridge)- mAP Lite as device. Has IP 192.168.86.1, route in mAP for 192.168.85.0/24 is added and set via 192.168.86.2 ! (note: mAP had a default route via WLAN to internet!)

On hAP ether3 manual IP address 192.168.86.2 is added. (I know, it should be added to "bridge", just checking my previous statement that the bridge is picking this up as extra IP address for the bridge anyway, wrong way of doing it, but so common)

Redirect packet is seen! Redirects to different subnet. However it should not be there (??) as a redirect should only be sent when the next hop is in the same subnet.
Klembord-3.jpg
Klembord-2.jpg
Redirect is still seen after disabling redirect in IP/settings (but not after reboot so far)

Check with WinBox (why not). WinBox sees both devices via MAC.
hAP reachable via 192.168.85.1
mAP reachable via 192.168.86.1 (waw)
"Tracert" on PC shows the path with 192.168.85.1 as first hop.

Ether3 taken off bridge: mAP is now not visible via MAC. Reachable via 192.168.86.1 as expected (after adding ether3 to the LAN interface list, as the default MT firewall was loaded)

Experiment conclusion:
- MT router allows sending packet through same interface where it came from
- redirect is sent as enabled, but it redirects to different subnet (?)
- Windows 10 PC not disturbed by the redirect and continues

Conclusions: all setups work (on/off bridge). Cannot reproduce OP's problem with W10 PC and Routerboard in separate subnet on same L2,
and .... Cisco split-horizon is indeed actually for avoiding router loops
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Unable to ssh to my server when I use a static ip address

Fri Jan 28, 2022 9:53 pm

It seems that for RouterOS it's just:

- if incoming and outgoing interface is the same => send redirect

It may seem wrong, but not necessarily. As I wrote, router can't really know what subnet (mask) source device has, or if it has two or more. So it sends redirect and device must decide if it's able to reach the new nexthop directly or not.
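
The redirect behaviour discussed in the posts above (the "same interface in and out" rule, the /32 point-to-point host, and the auxiliary-router case) can be walked through with a small model. This is an added example, not part of the original thread and not RouterOS or operating-system code: the router rule is the one described in this post, the host rule (follow a redirect only if the new next hop is on-link) is the one described earlier in the thread, and real hosts may behave differently. The addresses 192.168.88.50, 192.168.88.254 and 10.0.0.0/24 are constructed for the example.

```python
import ipaddress


class Router:
    """Router with connected subnets and optional static routes (simplified)."""

    def __init__(self, addresses, routes=()):
        # addresses: [(interface, "ip/prefix")]; routes: [("net/prefix", gateway, interface)]
        self.connected = [(name, ipaddress.ip_interface(a).network) for name, a in addresses]
        self.routes = [(ipaddress.ip_network(n), ipaddress.ip_address(gw), name)
                       for n, gw, name in routes]

    def next_hop(self, dst):
        for name, net in self.connected:
            if dst in net:
                return dst, name      # directly connected: next hop is the target
        for net, gw, name in self.routes:
            if dst in net:
                return gw, name
        return None, None

    def redirect_for(self, in_iface, dst):
        """Redirect target, or None. Rule: incoming == outgoing interface."""
        hop, out_iface = self.next_hop(ipaddress.ip_address(dst))
        return hop if hop is not None and out_iface == in_iface else None


class Host:
    """Host with one address and a default gateway that is always reachable."""

    def __init__(self, address, gateway):
        self.net = ipaddress.ip_interface(address).network
        self.gateway = ipaddress.ip_address(gateway)

    def next_hop_after(self, redirect):
        # Follow the redirect only if the suggested next hop is on-link.
        on_link = redirect is not None and (redirect in self.net or redirect == self.gateway)
        return str(redirect if on_link else self.gateway)


def scenarios():
    """Return {label: (redirect sent by router, next hop the host then uses)}."""
    shared = Router([("bridge", "192.168.88.1/24"), ("bridge", "192.168.3.1/24")])
    split = Router([("bridge", "192.168.88.1/24"), ("ether3", "192.168.3.1/24")])
    multi = Router([("bridge", "192.168.88.1/24")],
                   routes=[("10.0.0.0/24", "192.168.88.254", "bridge")])
    pc = Host("192.168.88.50/24", "192.168.88.1")
    ptp = Host("192.168.88.20/32", "192.168.88.1")
    cases = [
        ("two subnets on bridge", shared, pc, "192.168.3.2"),
        ("ether3 off bridge", split, pc, "192.168.3.2"),
        ("/32 point-to-point host", shared, ptp, "192.168.88.140"),
        ("auxiliary router on LAN", multi, pc, "10.0.0.5"),
    ]
    results = {}
    for label, router, host, dst in cases:
        redirect = router.redirect_for("bridge", dst)
        results[label] = (str(redirect) if redirect else None,
                          host.next_hop_after(redirect))
    return results


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: redirect={outcome[0]} host_next_hop={outcome[1]}")
```
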
 
slimprize
Member Candidate
Topic Author
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Unable to ssh to my server when I use a static ip address

Sat Jan 29, 2022 2:08 am

Hi all,

I do not have any vlan aware switches hence have not set them up. As for other devices on the network, let me describe the setup.
1. There is a DSL modem router which is operating in bridge mode. This is a device given to me by my internet service provider. It has a fiber cable coming in. This is connected to ether1. I connect to my ISP via pppoe.
2. Ports ether 2 through ether 5 have the client devices. Wireless is also enabled.
3. On ether 4, there is a netgear router connected which is setup as a wireless access point. That router has the amazon firestick and a bunch of other client devices like mobile phones.
5. We have a power over ethernet 16 port switch connected to that netgear router mentioned in point 4. This switch has the IP cameras.
6. I have 2 more layer 2 switches connected to the primary mikrotik router, one switch is used to connect the NAS box and 2 raspberry pi devices.
7. There is another mikrotik router which again is being used as a wireless access point in my bedroom which connects to one of these switches.

So yes, my bridge could be a mess but I doubt that is the source of my problem with my Linux server not letting me connect via SSH when it has a static IP address.

If the problem is not with my networking setup, it could be something with Linux but I cannot think what.

Pranav
 
bpwl
Forum Guru
Posts: 2985
Joined: Mon Apr 08, 2019 1:16 am

Re: Unable to ssh to my server when I use a static ip address

Sat Jan 29, 2022 2:02 pm

- are all gateways (routes) defined correctly when setting manual IP addresses? Gateway IP in same subnet.
- disconnected ethernet ports from the bridge need also to be in the LAN interface list, just as the bridge is. (/interface list member)
 
slimprize
Member Candidate
Topic Author
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: Unable to ssh to my server when I use a static ip address

Sun Jan 30, 2022 12:10 pm

Hi,

The gateways are defined correctly. However, so far, I have not removed any ports from the bridge.

Pranav
 
mkx
Forum Guru
Posts: 11485
Joined: Thu Mar 03, 2016 10:23 pm

Re: Unable to ssh to my server when I use a static ip address

Sun Jan 30, 2022 2:24 pm

Do you have any firewall running on linux host? Do verify, some distributions come with firewall enabled by default. If yes, review firewall settings. If not, run wireshark on server and verify that ssh connection attempts do arrive at server and see how the connection handshake proceeds. I know that ssh payload is encrypted, but the TCP layer should still tell you some. Also verify sshd config, it is possible to limit connections in that configuration.
