settecplus
newbie
Topic Author
Posts: 28
Joined: Tue Oct 30, 2012 12:03 pm

Routing issue

Fri Sep 02, 2022 1:06 pm

I have an issue I'm not able to solve, so I'm asking for help.

Consider a local office with two WAN connections.
One RB1100AHx with local IP 10.10.0.1/24 is connecting via L2TP/IPsec and through OSPF to remote locations on network 10.10.0.0/16. Another router (RB450) with local IP 192.168.1.1/24 provides internet to local PCs. Allowing those PCs to access the 10.10.0.0/x network should be an easy task, but I don't seem to be able to route packets to remote locations.
RB1100 bridge1 has IP 10.10.0.1/24 and 192.168.1.10/24, and bridge1 is in the OSPF backbone; the Zabbix server located at 10.10.0.5 can in fact access remote locations via this bridge.
All PCs under the RB450 network can now access the RB1100AHx router, but they stop there and cannot reach any remote location.

Any suggestion?
network.jpg
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing issue

Fri Sep 02, 2022 2:20 pm

Two things to check:
  • does RB450 know it has to forward packets targeting 10.10.0.0/16 (or multiple /24 subnets) via gateway 192.168.1.10?
  • does IPsec configuration on RB1100 allow forwarding traffic from 192.168.1.0/24 towards remote locations?

And last, but not least: do machines on remote locations allow connections from "alien" subnets? Windows firewall with default configuration doesn't.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing issue

Fri Sep 02, 2022 3:27 pm

Your diagrams and stated architectures make little sense to me.
For example, how can the RB1011 have two bridge1s ???

Which device provides DHCP for the 192.168.1.0/24 network?
 
settecplus
newbie
Topic Author
Posts: 28
Joined: Tue Oct 30, 2012 12:03 pm

Re: Routing issue

Fri Sep 02, 2022 5:54 pm

>   • does RB450 know it has to forward packets targeting 10.10.0.0/16 (or multiple /24 subnets) via gateway 192.168.1.10?
>   • does IPsec configuration on RB1100 allow forwarding traffic from 192.168.1.0/24 towards remote locations?

Thank you for the suggestion. RB450 has a static route to allow forwarding packets targeting 10.10.0.0/16. I need to double check the IPsec part, but if I recall correctly it is OK.


> Your diagrams and stated architectures make little sense to me.
> For example, how can the RB1011 have two bridge1s ???
>
> Which device provides DHCP for the 192.168.1.0/24 network?

1) You are correct, this is an afterthought. The networks were developed separately and were intended to be kept separate in the beginning; it would make more sense to just use the RB1100 for everything.
2) My fault, it does not have two bridge1s, but it has two addresses assigned to bridge1.
3) The RB450.
 
settecplus
newbie
Topic Author
Posts: 28
Joined: Tue Oct 30, 2012 12:03 pm

Re: Routing issue

Tue Sep 06, 2022 10:19 am

> And last, but not least: do machines on remote locations allow connections from "alien" subnets? Windows firewall with default configuration doesn't.

This is not an issue because they are just aiming for routers and Linux embedded devices.

I still can't find a solution; the firewall is not blocking anything, yet I can't seem to get past the RB1100 router.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: Routing issue

Tue Sep 06, 2022 11:16 am

If you post the output of

/ip route print

for each router, that would help narrow down where the problem is.
 
settecplus
newbie
Topic Author
Posts: 28
Joined: Tue Oct 30, 2012 12:03 pm

Re: Routing issue

Tue Sep 06, 2022 5:38 pm

I made some progress but I have not solved it yet.
I assigned an IP in the range of addresses of RB1100AHx to bridge1 on RB450:
/ip address
add address=10.10.0.3/24 interface=bridge1 network=10.10.0.0

ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          1.2.3.1            1
 1 A S  10.10.0.0/16                       10.10.0.1          1
 2 ADC  10.10.0.0/24       10.10.0.3       bridge1            0
 3 ADC  1.2.3.4/29         1.2.3.4         ether1-WAN         0
 4 ADC  192.168.1.0/24     192.168.1.1     bridge1            0

In this way RB450G can ping remote routers through RB1100AHx, but I still cannot reach remotes from a local PC connected to RB450G. 10.10.0.0/24 is allowed in the forward chain.

RB1100AHx routes are complicated by OSPF, but since the RB450G itself is now able to reach remotes, this should not be the problem...
ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          1.2.3.1            1
 1 ADC  10.0.0.0/32        10.0.0.0        br0 - loopback     0
 2 ADo  10.0.0.30/32                       10.255.255.222     110
 3 ADo  10.0.0.40/32                       10.255.255.230     110
 5 ADC  10.10.0.0/24       10.10.0.1       br1 - LAN          0
 6 ADo  10.10.30.0/24                      10.255.255.222     110
 7 ADo  10.10.4.0/24                       10.255.255.230     110
...
xx ADC  1.2.3.4/29         1.2.3.5         ether1             0
xy A S  192.168.1.0/24     10.10.0.1       10.10.0.3          1
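
An added illustration, not part of any poster's message: a longest-prefix-match lookup over the two route tables posted above, showing which gateway each router selects for a destination. The RB1100 table is only the partial excerpt from the post; the test destinations and all Python names are constructed for this example.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Route tables as posted in the thread (RB1100 is the partial excerpt shown there).
RB450 = """
 0 A S  0.0.0.0/0                      1.2.3.1      1
 1 A S  10.10.0.0/16                   10.10.0.1    1
 2 ADC  10.10.0.0/24     10.10.0.3     bridge1      0
 3 ADC  1.2.3.4/29       1.2.3.4       ether1-WAN   0
 4 ADC  192.168.1.0/24   192.168.1.1   bridge1      0
"""
RB1100 = """
 0 A S  0.0.0.0/0                      1.2.3.1          1
 5 ADC  10.10.0.0/24     10.10.0.1     br1 - LAN        0
 6 ADo  10.10.30.0/24                  10.255.255.222   110
 7 ADo  10.10.4.0/24                   10.255.255.230   110
xy A S  192.168.1.0/24   10.10.0.1     10.10.0.3        1
"""

class Route(NamedTuple):
    flags: str
    dst: ipaddress.IPv4Network
    gateway: str
    distance: int

# index, flags (may contain a space, e.g. "A S"), DST, PREF-SRC/GATEWAY, DISTANCE
LINE = re.compile(r"^\s*\S+\s+([A-Za-z ]+?)\s+(\d+(?:\.\d+){3}/\d+)\s+(.+?)\s+(\d+)\s*$")

def parse_routes(text: str) -> list[Route]:
    routes = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, "..." or blank line
        flags, dst, middle, distance = m.groups()
        parts = middle.split(None, 1)
        # With two fields the first is PREF-SRC; the gateway may contain spaces.
        gateway = parts[1] if len(parts) == 2 else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        routes.append(Route(flags.replace(" ", ""), net, gateway, int(distance)))
    return routes

def lookup(routes: list[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match over active routes; lower distance breaks ties."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if "A" in r.flags and ip in r.dst]
    return max(hits, key=lambda r: (r.dst.prefixlen, -r.distance), default=None)
```

The lookup covers only the two routers whose tables appear in the thread; the routing tables of the remote routers are not on the page.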
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: Routing issue

Wed Sep 07, 2022 4:36 pm

Extending the subnet of one site to another isn't really the best way to fix this and will cause long term issues.

If the 1100 is learning OSPF routes, that means there is another router (or more) involved. Can you post the /ip/route/print output of the routers that are the L3 gw for 10.10.30.0/24 and 10.10.40.0/24? If they aren't MikroTik devices, then whatever command shows the routing table would be helpful.
