rodrigolnl
just joined
Topic Author
Posts: 15
Joined: Sat Mar 25, 2023 4:02 pm

Can't ping between subnets on the same bridge

Sat Mar 25, 2023 5:23 pm

Hello guys, I made an account here because I tried everything and looked everywhere but nothing worked for me.

First, I'm quite a noob with networking and English is not my first language, so please forgive me for any mistakes in this post.

The scenario:
I have a bridge interface between two ports, ether2 and ether3 (ether1 is the connection to the internet).
This bridge has 4 subnets: Subnet A 10.0.0.0/26, Subnet B 10.0.0.64/26, Subnet C 10.0.0.128/26, and Subnet D 10.0.0.192/26.
The firewall has all the default settings plus a few rules to drop packets, like this:
  • drop A -> B
  • drop B -> A
  • drop A -> D
  • drop D -> A
  • drop B -> D
And has the rules to allow like that:
  • allow A -> C
  • allow C -> A

In terms of static routes, the defaults are applied, meaning:
  • dst address: 10.0.0.0/26, gateway: bridge, pref source: 10.0.0.1
  • dst address: 10.0.0.64/26, gateway: bridge, pref source: 10.0.0.65
  • dst address: 10.0.0.128/26, gateway: bridge, pref source: 10.0.0.129
  • dst address: 10.0.0.192/26, gateway: bridge, pref source: 10.0.0.193
Plus I added, just to be sure:
  • dst address: 10.0.0.0/26, gateway: bridge
  • dst address: 10.0.0.128/26, gateway: bridge

The problem:
For some reason, I can't ping from a host on A to C or from C to A; however, I can ping from A to 10.0.0.64 (gateway) and from C to 10.0.0.0 (gateway). What should I do to be able to ping from A to C and vice versa?

*I feel it is important to mention that all subnets have access to the internet and that access is working properly, and that when I try to ping from A to C, the firewall rule that allows the packets to go to C is incremented.

**Edited with the config file attached:
config.rsc
 
rodrigolnl

Wed Mar 29, 2023 6:19 pm

I haven't seen anyone who can go directly from A to C and vice versa.
So, how can I separate devices into groups and still have them communicate with each other? Because, you see, I can't have A and B talking, but I need C hosts to be accessible by both.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't ping between subnets on the same bridge

Wed Mar 29, 2023 6:48 pm

Easy:
One bridge (no DHCP on the bridge).
All VLANs with interface bridge.
Forward chain last rule:
add action=drop chain=forward
++++++++++++++++++++++++++++++++++++++++++

Then the rules above the last rule are simple --> only what you allow:
allow all VLANs to the internet
allow A to C
allow C to A

NO rules required for static routes, as they are all created automatically by the VLAN structure.

+++++++++++++++++++++++++++++++++++++++++++++

In terms of pinging subnets: it means little in terms of security/traffic flow.
Each gateway IP is part of the router and is thus usually pingable; however, no data can flow between VLANs.
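The layout anav describes, written out as an added RouterOS example (this is not code from the thread or from anav, and not the poster's config). The subnets are the ones from the thread; everything else is an assumption: the bridge is named "bridge", the VLAN IDs are 10/20/30/40 as vlanA..vlanD, ether2 and ether3 are untagged access ports for A and C, and ether1 is the WAN port. The established,related accept at the top of the forward chain is part of the RouterOS default firewall and is what lets a single accept per initiating direction cover the replies.

```routeros
# Added example, not from the thread: one bridge, four VLANs, default-drop forward chain.
# ASSUMED names/IDs: bridge "bridge", VLAN 10/20/30/40 = vlanA..vlanD, ether2/ether3 as
# untagged access ports for A and C, ether1 as WAN. Subnets are the ones from the thread.

/interface bridge
add name=bridge vlan-filtering=no comment="vlan-filtering is switched on last, see bottom"

/interface bridge port
# pvid puts untagged frames arriving on the port into that VLAN
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=30

/interface bridge vlan
# the bridge itself is a tagged member so the router can own an IP in every VLAN
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=30
add bridge=bridge tagged=bridge vlan-ids=40

/interface vlan
add interface=bridge name=vlanA vlan-id=10
add interface=bridge name=vlanB vlan-id=20
add interface=bridge name=vlanC vlan-id=30
add interface=bridge name=vlanD vlan-id=40

/ip address
# one gateway per VLAN interface (nothing on the bridge itself);
# the connected routes for each /26 are created automatically, no static routes needed
add address=10.0.0.1/26   interface=vlanA comment=A
add address=10.0.0.65/26  interface=vlanB comment=B
add address=10.0.0.129/26 interface=vlanC comment=C
add address=10.0.0.193/26 interface=vlanD comment=D

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=vlanA  list=LAN
add interface=vlanB  list=LAN
add interface=vlanC  list=LAN
add interface=vlanD  list=LAN

/ip firewall filter
# replies to connections already accepted below; without this every flow would need
# an accept rule in both directions
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop   connection-state=invalid
# every VLAN may open connections to the internet
add chain=forward action=accept connection-state=new in-interface-list=LAN out-interface-list=WAN
# the only inter-VLAN flows wanted: each rule admits connections *initiated* from in-interface.
# The C->A rule is only needed if C hosts must open connections towards A hosts;
# replies to A->C connections are already covered by the established,related rule.
add chain=forward action=accept connection-state=new in-interface=vlanA out-interface=vlanC
add chain=forward action=accept connection-state=new in-interface=vlanC out-interface=vlanA
# last rule: everything not explicitly accepted above (A<->B, A<->D, B<->D, ...) is dropped
add chain=forward action=drop comment="default deny between VLANs"

/interface bridge
# do this last, and from a port/VLAN you will still be able to reach afterwards:
# once filtering is on, a VLAN not tagged to the bridge no longer reaches the router
set bridge vlan-filtering=yes
```

DHCP then runs one server per VLAN interface (vlanA, vlanB, ...) instead of on the bridge, each with its own pool and network entry. The order in the forward chain is what gives the security property: anything not matched by an accept above the final drop, including traffic between two hosts in different VLANs on the same physical port, is discarded.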
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can't ping between subnets on the same bridge

Wed Mar 29, 2023 6:56 pm

rodrigolnl wrote:
however I can ping from A to 10.0.0.64 (gateway) and from C to 10.0.0.0 (gateway)
Probably you broke everything by setting 10.0.0.0 (and .64), an address reserved for subnetting, as the gateway...

And describing the configuration as a novella, instead of showing it as it is without fictionalizing it, doesn't help...
 
rodrigolnl

Wed Mar 29, 2023 6:57 pm

(quoting anav's reply above)
I'll give it a try as soon as I can.
But can you explain to me why, with only subnets, I can't make this work? Like, in my head, having two different subnets and a router with static routes for both should be enough to direct the traffic.
 
anav

Wed Mar 29, 2023 7:15 pm

1. You can only use one subnet assigned to a bridge, is my understanding. Once you want more, then VLANs are the way!

2. Alternatively you don't need a bridge and can assign each ether port a subnet.

It's clean and simple to use VLANs.

PS. I also find it very confusing to use /26; all the IP addresses look like they are in the same subnet LOL.
Stick to /24 and it will work for sure.......... no need to get cute.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Can't ping between subnets on the same bridge

Wed Mar 29, 2023 7:30 pm

Multiple subnets on an interface (a.k.a. multinetting) is perfectly valid, but not common.

Packets may be blocked by the firewall's forward "drop invalid" rule, as the packet is leaving the same interface it entered, or the devices you are pinging may not be responding; in particular, Windows does not reply to pings from outside the local subnet.
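tdw names two different failure modes (the router dropping the packet vs. the target host not answering), and they are told apart from the router side. The following RouterOS commands are an added example, not from the thread; the host addresses 10.0.0.10 (in A) and 10.0.0.130 (in C) are constructed for illustration, the gateway addresses are the thread's.

```routeros
# Added example, not from the thread: is the router dropping it, or is the host silent?
# ASSUMED: 10.0.0.10 is a host in A pinging 10.0.0.130 in C; 10.0.0.1 / 10.0.0.129 are
# the A / C gateway addresses from the thread; the bridge is named "bridge".

# 1. Which forward rule matched? Zero the counters, run the ping from the host, then read them.
#    A counter climbing on a drop rule (e.g. the "drop invalid" rule) means the router dropped
#    it; a counter climbing on an accept rule means it was forwarded and the answer is missing.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=forward

# 2. Is there a connection-tracking entry, and did a reply ever come back?
#    An entry without the S (seen-reply) flag means the echo request went out but nothing
#    returned; no entry at all means it never got past the firewall.
/ip firewall connection print detail where protocol=icmp dst-address~"10.0.0.130"

# 3. Watch the wire: with multinetting, request and reply both traverse the same bridge,
#    so you should see the request leave and (if the host answers) the reply arrive.
/tool sniffer quick interface=bridge ip-protocol=icmp ip-address=10.0.0.130 duration=10

# 4. Ping from the router itself. Sourced from the C gateway the host sees an on-subnet
#    source; sourced from the A gateway it sees an off-subnet source, which is exactly
#    what a host firewall scoped to "local subnet" will ignore. Reply to the first but not
#    the second points at the host, not the router.
/ping 10.0.0.130 src-address=10.0.0.129 count=3
/ping 10.0.0.130 src-address=10.0.0.1 count=3
```

If step 4 shows the host answering only on-subnet sources, the fix is on the Windows side: the built-in inbound "File and Printer Sharing (Echo Request - ICMPv4-In)" rule in the Private profile is scoped to the local subnet by default, so the remote address scope must be widened to the other /26 (or the rule duplicated) before cross-subnet pings and shares can work.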
 
rodrigolnl

Wed Mar 29, 2023 8:12 pm

rextended wrote:
Probably you broke everything by setting 10.0.0.0 (and .64), an address reserved for subnetting, as the gateway...
I didn't set it; it was there by default as I added the subnets...

rextended wrote:
And describing the configuration as a novella, instead of showing it as it is without fictionalizing it, doesn't help...
And no need to be an ass, just ask for the config files.
I made it like that so anyone who wants to help can do so without needing to study a config file, just telling me what the issues could be and letting me do the research work.
 
rodrigolnl

Wed Mar 29, 2023 8:16 pm

(quoting anav's reply above)
I'll definitely try it with VLANs; it's just that when I first configured it, I was having a difficult time setting the VLANs up properly.
 
rodrigolnl

Wed Mar 29, 2023 8:18 pm

(quoting tdw's reply above)
I think you may be onto something. I was using two Windows hosts; I'll try on Linux. And I'll look more into my firewall rules. Thank you.
 
rextended

Thu Mar 30, 2023 1:10 am

3 posts and no config....

rextended wrote:
And describing the configuration as a novella, instead of showing it as it is without fictionalizing it, doesn't help...

rodrigolnl wrote:
And no need to be an ass, just ask for the config files.
Since it's you asking for help, it's you who has to worry about showing it, not the others begging you to ask for it.

rodrigolnl wrote:
just telling me what the issues could be and letting me do the research work.
The issue is: you have not configured the device correctly... easy guess...

Probably if you had posted the configuration directly (since you already knew what I meant),
I or anyone else on the forum could have already found the cause.
 
anav

Thu Mar 30, 2023 1:18 am

But of course, any OP STORY is pure conjecture, hearsay and usually wrong, and the only thing that really counts is evidence, aka the config.
Even harder is getting the true requirements. If I read "I can't ping between subnets" one more time, I will reply: THEN GO MARRY THE FUCKING SUBNETS. Pinging has nothing to do with users and their data. Pinging is a tool, NOT a requirement.
 
rodrigolnl

Thu Mar 30, 2023 1:48 am

rextended wrote:
3 posts and no config....
Dude, I have to work, I don't have access to my router 24/7. The config is on the post now.

rextended wrote:
Since it's you asking for help, it's you who has to worry about showing it, not the others begging you to ask for it.
It is not begging; it is just having a proper human interaction, like "hey, post the config", instead of this condescending crap:
And describing the configuration as a novella, instead of showing it as it is without fictionalizing it, doesn't help...

rextended wrote:
The issue is: you have not configured the device correctly... easy guess...
Despite the sarcasm, that's actually useful. One of my inner questions was whether it was possible to make that communication between subnets work at all (I don't work with infrastructure; my knowledge is from classes decades ago). I don't expect anyone to work for me for free, I just want insights or ideas.


For whoever wants to give insight, I'll be thankful, but I won't idolize anyone.
 
rodrigolnl

Thu Mar 30, 2023 1:54 am

(quoting anav's reply above)
The requirements are pretty much what I said: I want hosts on the first subnet to communicate freely with hosts on the third, nothing more than that.
When I said ping, it was because I tried to see subnet C hosts from a host on A (both with Win10, and by "see" I mean see shared folders) and I could not; the ping in this case also did not work.
 
rextended

Thu Mar 30, 2023 2:08 am

You have two broken things in your config:

one DHCP client enabled but without an interface:
/ip dhcp-client
add disabled=no
add disabled=no interface=ether1-TorresTelecom

one NAT rule with the same problem (yes, it is disabled, I can see...):
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=*6
add action=masquerade chain=srcnat out-interface=ether1-TorresTelecom
 
rodrigolnl

Thu Mar 30, 2023 2:11 am

(quoting rextended's reply above)

I'm reading the rest...
The DHCP client was for a previous second internet connection that is disabled for the time being; Winbox is showing it as "stopped" to me.
 
rextended

Thu Mar 30, 2023 2:13 am

The info on both is damaged; that can cause unexpected behaviour....


Your Admin pool is a /28, the IP is a /29 and the DHCP server network is a /30....
/ip pool
add name=pool-Admin ranges=10.10.10.2-10.10.10.6
/ip address
add address=10.10.10.1/29 comment=AdminNet interface=ether4-Admin network=10.10.10.0
/ip dhcp-server network
add address=10.10.10.0/30 comment=AdminNet dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1
 
rodrigolnl

Thu Mar 30, 2023 2:19 am

(quoting rextended's reply above)


I'm reading the rest...
This network is not being used either; it is kind of a backup network for a single machine, in case I screw up the configs so much that I can't get access using the other ones. I'll remove it.
 
rextended

Thu Mar 30, 2023 2:22 am

Since you have only one DHCP server, all this is useless. Probably you had 4 DHCP servers in the past?

/ip dhcp-server network
add address=10.0.0.0/26 comment=RodrigoNet dns-server=8.8.8.8,8.8.4.4 gateway=10.0.0.1
add address=10.0.0.64/26 comment=JonathaNet dns-server=8.8.8.8,8.8.4.4 gateway=10.0.0.65
add address=10.0.0.128/26 comment=SharedNet dns-server=8.8.8.8,8.8.4.4 gateway=10.0.0.129

/ip pool
add name=pool-RodrigoNet ranges=10.0.0.2-10.0.0.62
add name=pool-JonathaNet ranges=10.0.0.66-10.0.0.126
add name=pool-SharedNet ranges=10.0.0.130-10.0.0.190


The routes are completely useless; just adding the IP to the bridge causes the creation of the correct and needed routes.
/ip route
add distance=1 dst-address=10.0.0.0/26 gateway=bridge-ArchNet
add distance=1 dst-address=10.0.0.128/26 gateway=10.0.0.129
 
rodrigolnl

Thu Mar 30, 2023 2:28 am

(quoting rextended's reply above)


I'm reading the rest

Yeah, I had 4; I tried some pretty weird things back then.
The pools I actually use, though I don't know if I am supposed to: I use them on the DHCP server to make the machines that are supposed to be on each subnet get an IP from that pool.
Sem título.jpg
 
rextended

Thu Mar 30, 2023 2:32 am

The networks and the pools in my previous post are completely unused.

Do the devices in those IP ranges all have fixed IPs?
They must have as gateway the corresponding IP (and the correct subnet mask) for each subnet.


Now I'm reading the firewall part; no more notes on the other config, if you did not remove some routing or other IP settings from the export.
 
rextended

Thu Mar 30, 2023 2:34 am

/ip firewall filter
add action=accept chain=input comment=Loopback dst-address=10.0.0.1

????

Loopback is 127.0.0.1, no matter what your config is at any point on your router.
 
rodrigolnl

Thu Mar 30, 2023 2:37 am

(quoting rextended's reply above)
They have fixed IPs; I'll send a full image of my leases. But in short, I set my DHCP server to serve GuestNet addresses, and for the devices that I know and want in a specific network I go into "leases" and set them to a different pool, or to a static IP from that subnet if I need it.
Sem título.jpg
 
rextended

Thu Mar 30, 2023 2:45 am

Ok, now it is clear.


From your firewall rules:
Drop B<-A
Accept C<-A
Drop D<-A
Drop A<-B
Accept C<-B
Drop D<-B
Drop A<-D
Drop C<-D
Drop B<-D
Accept A<-C
Accept B<-C
Drop D<-C
So what is actually allowed is A<->C and B<->C.
 
rodrigolnl

Thu Mar 30, 2023 2:52 am

But I already have independent rules for A->C and C->A; how do I make a bidirectional rule? I thought I needed one rule for sending and another for receiving.
 
rextended

Thu Mar 30, 2023 2:56 am

I have reported what is possible; you already have 2 rules for each pair: X<-Y and Y<-X (you can't use fewer).

What IP do you get from LTE or the DHCP client?
Some IP in the 10.0.0.0/8 range...?



I do not see any reason (except the firewall on the Win10 machines) that prevents correctly configured devices from communicating.
Whether configured with VLANs or this way, on Windows you can't see PCs that are not in the same IP pool, regardless of the router config.
To see shares you must use something like \\10.0.0.55\ as the path in Explorer, not the machine name or "Network" in Explorer,
and the machine must be set as "private network", not "public" or "business" (I do not know the precise names in English),
because non-private profiles block ping and network shares; on "business" the shares are by default allowed only on the local subnet.

It's late; I'll read what you or others write tomorrow.
 
rodrigolnl

Thu Mar 30, 2023 3:14 am

The provider IP is in 192.168.0.0/24 (a private IP).
Later I'll try some Linux devices and also see how the Windows firewalls are set on those machines; honestly, it skipped my mind that the Windows firewall could be acting differently from what I'm used to, since the hosts are technically in different networks.