hsd75
just joined
Topic Author
Posts: 8
Joined: Sun Jul 29, 2018 11:54 pm

issue with 2 IP on one interface

Sat Dec 03, 2022 10:40 am

Hello,

I need help to understand.
On one interface, I have a DHCP address given by the ISP and a fixed IP to access the administration of the box (ONT).
[attachment: ping.png]
here the route table
[attachment: ping 2.PNG]
and when I ping from my interface, in some case, I obtain this result.
[attachment: ping 1.PNG]
Can anyone think of a way to do this?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: issue with 2 IP on one interface

Sat Dec 03, 2022 12:59 pm

Most probably it's your SRC-NAT settings. The default config has a construct something like this:
add chain=srcnat action=masquerade out-interface-list=WAN

Which works fine if the WAN interface has only one IP address set. In your case (with two IP addresses) you have to create a different SRC-NAT rule:
add chain=srcnat action=src-nat to-addresses=<IP given by ONT> out-interface=vlan-internet

There's a gotcha: as the IP address is given by DHCP, it can change. This problem can only be overcome if actual internet is passed via a different interface than management. Your diagram mentions vlan-internet ... does management work via the same tagged VLAN or via something else? Does the ONT have multiple "LAN" interfaces (in this case you could connect two ports, on the router use them individually, one with DHCP client for internet and the other with static IP address for management). There are many possibilities, which one is feasible depends on details.

Edit: yet another possibility: routes are set in a way that allows default route via management IP address. So we do need more details, preferably post textual export of router's config ... complete one.
 
hsd75
just joined
Topic Author
Posts: 8
Joined: Sun Jul 29, 2018 11:54 pm

Re: issue with 2 IP on one interface

Sun Dec 04, 2022 10:33 am

Thanks for your answer but unfortunately, it doesn't work.
In fact my problem only appears when the priority of the default route (vlan-internet) changes. I put this mechanism to have 4G fail-over. If I can't ping the IP 8.8.4.4 through the vlan-internet interface, I increase the priority of the vlan-internet route to be higher than that of my 4G connection.
Everything works perfectly if I remove the 192.168.4.1 address on the vlan-internet interface. No possibility to use 2 ports and I want to access the ONT box to retrieve the metrics.
Below is my configuration. Thanks for any help.
/interface bridge
add name=bridge
add name=bridge-guest
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(17dBm), SSID: xxxx, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: xxxx, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=ether1 name=vlan-internet vlan-id=100
/caps-man datapath
add arp=enabled bridge=bridge client-to-client-forwarding=yes l2mtu=1600 \
    local-forwarding=yes mtu=1500 name=datapath-xxxx
add arp=disabled bridge=bridge-guest l2mtu=1600 mtu=1500 name=datapath-GUEST
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-xxxx
add authentication-types=wpa2-psk encryption=aes-ccm name=security-GUEST
/caps-man configuration
add country=france datapath=datapath-xxxx mode=ap name=cfg-xxxx security=\
    security-xxxx ssid=xxxx
add country=france datapath=datapath-GUEST name=cfg-GUEST security=\
    security-GUEST ssid=xxxx_Guest
/caps-man interface
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
    mac-address=2C:C8:1B:59:A0:A8 master-interface=none mtu=0 name=\
    xxxx-cap-couloir-2.4GHz radio-mac=2C:C8:1B:59:A0:A8 radio-name=\
    2CC81B59A0A8
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
    mac-address=2C:C8:1B:59:A0:A9 master-interface=none mtu=0 name=\
    xxxx-cap-couloir-5GHz radio-mac=2C:C8:1B:59:A0:A9 radio-name=2CC81B59A0A9
add configuration=cfg-GUEST disabled=no l2mtu=1600 mac-address=\
    2E:C8:1B:59:A0:A8 master-interface=xxxx-cap-couloir-2.4GHz mtu=0 name=\
    xxxx-cap-couloir-guest-2.4GHz radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
    mac-address=18:FD:74:60:83:B5 master-interface=none mtu=0 name=\
    xxxx-cap-ext-2.4GHz radio-mac=18:FD:74:60:83:B5 radio-name=18FD746083B5
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
    mac-address=18:FD:74:60:83:B6 master-interface=none mtu=0 name=\
    xxxx-cap-ext-5GHz radio-mac=18:FD:74:60:83:B6 radio-name=18FD746083B6
add configuration=cfg-GUEST disabled=no l2mtu=1600 mac-address=\
    1A:FD:74:60:83:B5 master-interface=xxxx-cap-ext-2.4GHz mtu=0 name=\
    xxxx-cap-ext-guest-2.4GHz radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
    mac-address=2C:C8:1B:59:A0:88 master-interface=none mtu=0 name=\
    xxxx-cap-garage-2.4GHz radio-mac=2C:C8:1B:59:A0:88 radio-name=\
    2CC81B59A088
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
    mac-address=2C:C8:1B:59:A0:89 master-interface=none mtu=0 name=\
    xxxx-cap-garage-5GHz radio-mac=2C:C8:1B:59:A0:89 radio-name=2CC81B59A089
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] apn=orange authentication=pap \
    default-route-distance=10 ip-type=ipv4 name=Orange use-network-apn=no \
    use-peer-dns=no user=orange
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=vendor-class-identifier value="'neufbox_NB6V_xxxxxxxx'"
/ip ipsec peer
add address=v.xxxx.xxx exchange-mode=ike2 name="peer vpn.ike2.xxxx"
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 name="profile vpn.ike2.xxxx"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=8h pfs-group=none
/ip pool
add name=dhcp-pool-xxxx ranges=192.168.10.50-192.168.10.100
add name=dhcp-pool-guest ranges=192.168.12.50-192.168.12.100
/ip dhcp-server
add add-arp=yes address-pool=dhcp-pool-xxxx interface=bridge name=dhcp-srv-xxxx
add address-pool=dhcp-pool-guest interface=bridge-guest name=dhcp-srv-guest
/routing table
add disabled=no fib name=ONT
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=\
    xxxx-cap-ext-5GHz signal-range=-120..-70 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=\
    xxxx-cap-ext-2.4GHz signal-range=-120..-70 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
    suggest-same-version
/caps-man provisioning
add action=create-enabled master-configuration=cfg-xxxx
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1
add bridge=bridge ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=bridge list=LAN
add interface=lte1 list=WAN
add interface=vlan-internet list=WAN
add interface=ether1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=192.168.10.1 certificate=request \
    enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.12.1/24 interface=bridge-guest network=192.168.12.0
add address=192.168.4.1/24 comment=ipont interface=vlan-internet network=\
    192.168.4.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add add-default-route=no comment=isp1 dhcp-options=\
    hostname,clientid,vendor-class-identifier interface=vlan-internet script="\
    #set the gateway on the special failover route on each IP change\r\
    \n# /system scheduler set VERIFY-FTTH disabled=yes\r\
    \n#:delay 5s\r\
    \n:global gw [/ip route get [find vrf-interface=vlan-internet] value-name=\
    gateway];\r\
    \n/ip\" route set [find comment=\"isp1\"] gateway=\$gw;\r\
    \n#/system scheduler set VERIFY-FTTH disabled=no\r\
    \n /ip cloud force-update" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.10.0/24 caps-manager=192.168.10.1 dns-server=\
    192.168.10.1,1.1.1.1 domain=xxxx.local gateway=192.168.10.1 netmask=24 \
    ntp-server=192.168.10.1
add address=192.168.12.0/24 dns-server=1.1.1.1,1.0.0.1 domain=guest.local \
    gateway=192.168.12.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=87.225.75.208 list=block
add address=185.189.112.96 list=block
add address=95.70.58.91 list=block
add address=95.70.87.131 list=block
add address=92.37.143.160 list=block
add address=27.0.0.0/8 list=block
add address=185.104.184.106 list=block
add address=92.37.236.194 list=block
add address=192.168.1.0/24 comment="LAN Network" list=ournetwork
add address=95.70.121.30 list=block
add address=185.104.184.143 list=block
add address=95.70.57.104 list=block
add address=27.122.14.81 list=block
add address=173.245.48.0/20 list=cloudflare
add address=103.21.244.0/22 list=cloudflare
add address=103.22.200.0/22 list=cloudflare
add address=103.31.4.0/22 list=cloudflare
add address=141.101.64.0/18 list=cloudflare
add address=108.162.192.0/18 list=cloudflare
add address=190.93.240.0/20 list=cloudflare
add address=188.114.96.0/20 list=cloudflare
add address=197.234.240.0/22 list=cloudflare
add address=198.41.128.0/17 list=cloudflare
add address=162.158.0.0/15 list=cloudflare
add address=104.16.0.0/13 list=cloudflare
add address=172.64.0.0/13 list=cloudflare
add address=131.0.72.0/22 list=cloudflare
add address=104.24.0.0/14 list=cloudflare
add address=23.88.41.31 list=BetterUptime
add address=3.220.166.35 list=BetterUptime
add address=45.33.100.21 list=BetterUptime
add address=45.56.78.139 list=BetterUptime
add address=45.79.47.102 list=BetterUptime
add address=168.119.96.54 list=BetterUptime
add address=168.119.90.223 list=BetterUptime
add address=168.119.96.203 list=BetterUptime
add address=54.243.207.163 list=BetterUptime
add address=74.207.228.249 list=BetterUptime
add address=95.216.117.142 list=BetterUptime
add address=139.162.109.252 list=BetterUptime
add address=172.104.109.161 list=BetterUptime
add address=172.105.173.108 list=BetterUptime
add address=172.105.190.118 list=BetterUptime
add address=172.105.206.169 list=BetterUptime
add address=116.202.157.36 list=BetterUptime
add address=116.202.33.182 list=BetterUptime
add address=172.105.169.250 list=BetterUptime
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="CAP to CAPsMAN" dst-port=5246,5247 \
    in-interface-list=!WAN protocol=udp
add action=accept chain=input disabled=yes log-prefix="nn  " src-address=\
    10.0.88.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.10.0/24 \
    log-prefix="nn  " src-address=10.0.88.0/24
add action=accept chain=input src-address=10.0.88.0/24
add action=accept chain=input comment=";;;conf for router from other site" \
    src-address=192.168.1.0/24
add action=accept chain=input src-address=192.168.100.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.10.0/24
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=\
    192.168.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=xxxx.xxx.xxxx generate-policy=\
    port-strict mode-config=request-only my-id=user-fqdn:xxxx@xxxx.xxx peer=\
    "peer vpn.ike2.xxxx" remote-id=fqdn:v.xxxx.xxx
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=10.0.88.0/24
add dst-address=192.168.1.0/24 level=unique peer="peer vpn.ike2.xxxx" \
    src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.100.0/24 level=unique peer="peer vpn.ike2.xxxx" \
    src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.1.0/24 level=unique peer="peer vpn.ike2.xxxx" \
    src-address=192.168.4.0/24 tunnel=yes
/ip route
add comment=isp1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    vlan-internet pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="betteruptime heartbeat" disabled=no distance=1 dst-address=\
    172.66.41.22/32 gateway=lte1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.66.42.234/32 gateway=lte1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/snmp
set contact=sd@xxxx.xxx enabled=yes location=xxxx trap-version=2
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=xxxx-ROUTER01
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.239.35.8
add address=time.google.com
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
add address=137.74.194.70
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=3m name=BETTERUPTIME-HEARTBEAT on-event=BETTERUPTIME-HEARTBEAT \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=00:00:00
add interval=15s name=FAILOVER-4G on-event=FAILOVER-4G policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=00:00:00
/system script
add dont-require-permissions=no name=FAILOVER-4G owner=root policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    main link test script\r\
    \n:global mode;\r\
    \n\r\
    \n:local number1 \"+33xxxxxxxxx\";\r\
    \n:local iptest1 \"8.8.4.4\";\r\
    \n:local date;\r\
    \n:local time;\r\
    \n:set date [/system clock get date];\r\
    \n:set time [/system clock get time];\r\
    \n\r\
    \n:local MSGUP \"\$date \$time Liaison FTTH OK!\";\r\
    \n:local MSGDOWN \"\$date \$time Liaison FTTH DOWN!\";\r\
    \n\r\
    \n:local result [/ping \$iptest1 count=4 interface=vlan-internet interval=\
    2];\r\
    \n\r\
    \n:if (\$result > 1  && \$mode != \"SFR\")   do={\r\
    \n            /ip route set [find comment=\"isp1\"] distance=1;\r\
    \n\t\t\t:set mode \"SFR\";\r\
    \n\t\t\t/ip address disable [find comment=\"ipont\"];\r\
    \n            :delay 10;\r\
    \n            /ip address enable [find comment=\"ipont\"];\r\
    \n\t\t\t/tool sms send port=lte1 phone-number=\$number1 message=\$MSGUP;\r\
    \n\t\t\t/log warning \"Good: Liaison FTTH UP\";\r\
    \n}\r\
    \n:if (\$result = 0 && \$mode != \"4G\")  do={\r\
    \n\t\t\t/ip route set [find comment=\"isp1\"] distance=100;\r\
    \n\t\t\t:set mode \"4G\";\r\
    \n\t\t\t/tool sms send port=lte1 phone-number=\$number1 message=\$MSGDOWN;\
    \r\
    \n\t\t\t/log error \"ERROR: Liaison FTTH DOWN\";\r\
    \n}"
add dont-require-permissions=no name=BETTERUPTIME-HEARTBEAT owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/tool fetch url=\"https://betteruptime.com/api/v1/heartbeat/xxxxxxxxxxx\" keep-result=no"
/tool sms
set port=lte1 receive-enabled=yes
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: issue with 2 IP on one interface

Sun Dec 04, 2022 6:43 pm

First thing: I'd disable all of "detect internet" crap ... it's known to occasionally cause problems.

Next: you created vlan interface off ether1 ... and later added ether1 as bridge port. This is not right. Do you actually have to add ether1 as bridge port?

I'm still sceptical if you can get this working with internet address and ONT management on same (logical) interface, in your case it's vlan-internet. Do you have to use tagged VLAN to access ONT management?
 
hsd75
just joined
Topic Author
Posts: 8
Joined: Sun Jul 29, 2018 11:54 pm

Re: issue with 2 IP on one interface

Mon Dec 05, 2022 1:42 am

I disabled internet detection.
For the ether on the bridge, you're right. I need to review this. I'm doing it later because I'm not on site and I don't want to lose access (I'm using a VPN).
Below is the diagram of my implementation.
My problem is that I only have one cable between the two buildings and the router and the fiber are not in the same.
The ONT does not directly give an internet address but in 10.xxx.xxx.xxx.
[attachment: site.png]
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: issue with 2 IP on one interface

Mon Dec 05, 2022 2:52 pm

OK. So what's the VLAN status of the port on Switch2 connecting to the ONT? I guess it's untagged.

As I wrote before: when the "main" IP address is dynamic, it's hard to make src-nat "sticky". So I'm really hoping that disabling detect-internet does the trick. If it doesn't, please check (in depth) the running values of /ip address and /ip route (use the print detail command, which shows running values, not the configured ones) to check the actual state of the router when it's not working according to requirements.
 
hsd75
just joined
Topic Author
Posts: 8
Joined: Sun Jul 29, 2018 11:54 pm

Re: issue with 2 IP on one interface

Sat Dec 17, 2022 11:18 am

Hello,

Well, here I am. I turned "detect internet" off but it didn't change anything.
Here is a more detailed diagram to understand what I did.
It works except for the problem I exposed. It's true, I'm not sure I did this correctly. Thanks in advance for your insight.
[attachment: network1.drawio.png]
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: issue with 2 IP on one interface

Sat Dec 17, 2022 4:47 pm

I don't know why exactly you're seeing default route to misbehave the way you explained. I still think you should do the route troubleshooting I mentioned previously.

And I still think that the way you're using ether1 (half way between stand-alone interface and bridge port) is wrong and could cause the problems you're seeing. I suggest you redesign the router to work with a single VLAN-enabled bridge. And my personal belief is that when starting to go with VLANs, all network infrastructure should be VLAN-only (meaning all switch-switch traffic, switch-AP and router-switch traffic should be tagged), only ports connecting end devices should be untagged (access) ports. It makes things simpler to configure because no "VLAN" needs special treatment.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: issue with 2 IP on one interface

Sat Dec 17, 2022 4:59 pm

While reading your previous posts another question popped in my mind: the default route, is it set by DHCP client?
It seems odd to see it using interface as gateway, I've always seen it set upstream router's IP address as gateway. I can imagine that when gateway is set to interface and interface has multiple IP addresses set, auto-selection may select wrong source address because there's no other hint to help it make better guess. If gateway is set to IP address, then router will know to select source IP address matching destination best.

[edit] I see that dhcp-client has "add-default-route=no" ... I guess it explains why the default route seems odd. Try letting the DHCP client set the default route and only fiddle with priority values for the LTE fall-back.
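Pulling together mkx's two suggestions (the explicit src-nat with to-addresses from the first reply, and a default route whose gateway is the ISP's IP rather than the interface from this one) as an added example; this is not code from the thread or from MikroTik. The rule comments "isp1-srcnat" and "ont-mgmt-srcnat" are assumed names; the script relies on the $bound, $"lease-address" and $"gateway-address" variables RouterOS passes to a dhcp-client script, and keeps the thread's comment=isp1 route and comment=ipont address as they are.

```routeros
# Added example, not from the thread. Two parts:
#  1. src-nat rules with explicit to-addresses, so masquerade never has to pick
#     between the ISP lease and the management address 192.168.4.1 on vlan-internet
#  2. a dhcp-client script that rewrites the ISP rule and the isp1 route on every lease
# Rule comments "isp1-srcnat" / "ont-mgmt-srcnat" are assumed names.

/ip firewall nat
# Internet traffic leaving vlan-internet: placeholder to-addresses, overwritten by
# the script below on the first bound event. ipsec-policy=out,none keeps traffic
# that matches an IPsec policy out of this rule, as the defconf masquerade does.
add chain=srcnat action=src-nat comment="isp1-srcnat" \
    out-interface=vlan-internet ipsec-policy=out,none \
    to-addresses=0.0.0.0 place-before=0
# Traffic to the ONT management subnet keeps the management address as source.
# Added second with place-before=0, so it lands ABOVE isp1-srcnat and matches first.
add chain=srcnat action=src-nat comment="ont-mgmt-srcnat" \
    dst-address=192.168.4.0/24 out-interface=vlan-internet \
    to-addresses=192.168.4.1 place-before=0

# Body for the dhcp-client "script" field of the vlan-internet client
# (the field the thread's export shows as script="...").
:if ($bound = 1) do={
    # Lease obtained or renewed: pin SNAT to the address the ISP handed out
    /ip firewall nat set [ find comment="isp1-srcnat" ] \
        to-addresses=$"lease-address"
    # Point the failover-managed route at the ISP gateway IP rather than at the
    # interface, so source-address selection is unambiguous. FAILOVER-4G still
    # only changes this route's distance.
    /ip route set [ find comment="isp1" ] gateway=$"gateway-address"
    /log info ("isp1 lease " . $"lease-address" . " via " . $"gateway-address")
} else={
    # Lease lost: leave rule and route alone; the FAILOVER-4G scheduler raises
    # the route's distance when its ping test fails.
    /log warning "isp1 lease released or expired"
}

# One-off after installing the script, so it runs once against the current lease:
# /ip dhcp-client release [ find interface=vlan-internet ]
```

Check the result with /ip firewall nat print and /ip route print detail after a renewal: to-addresses should equal the lease address and the isp1 gateway should be an IP, not vlan-internet.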
