SweetSunday
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Routing mystery.

Tue Apr 17, 2007 2:05 am

Here's a puzzle, to me. I tried to divide traffic leaving the CPE into internal network traffic (anything 10.0.0.0/16 - unaccounted) and external traffic (everything else, accounted by RADIUS) to the internet, but everything is going out over the PPPoE connection. This is the configuration:

[admin@Brian] > interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R pppoe-out1 pppoe-out 0 0 1480
2 R wlan1 wlan 0 0 1500

[admin@Brian] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.3.2.1/24 10.3.2.0 10.3.2.255 ether1
1 10.0.3.2/32 10.0.3.0 10.0.3.255 wlan1
2 D 10.100.3.2/32 10.100.3.1 0.0.0.0 pppoe-out1

[admin@Brian] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=pppoe-out1 dst-address=0.0.0.0/0 action=masquerade

1 chain=srcnat out-interface=wlan1 dst-address=10.0.0.0/8 action=masquerade

[admin@Brian] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 ADC 10.0.3.0/32 10.0.3.2 wlan1
1 S 10.0.0.0/16 u 10.0.3.2
2 ADC 10.3.2.0/24 10.3.2.1 ether1
3 ADC 10.100.3.1/32 10.100.3.2 pppoe-out1
4 AD 0.0.0.0/0 r 10.100.3.1 1 pppoe-out1
[admin@Brian] >

Attempting to set up a route 10.0.0.0/16 > 10.0.3.2 creates an 'unknown interface' report in Winbox.

Can anyone see the error of my ways 'cos I'm damned if I can?
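The routing table and NAT rules from the post above, replayed as an added example (not part of the original post): a longest-prefix match over only the routes flagged A shows which interface and which masquerade rule a destination ends up on. The helper names and the what-if table with the /16 active on wlan1 are assumptions for illustration.

```python
import ipaddress

# Constructed from the 'ip route print' output in the post above.
# Tuple: (destination, has the A flag, interface).
ROUTES_AS_POSTED = [
    ("10.0.3.0/32",   True,  "wlan1"),       # ADC
    ("10.0.0.0/16",   False, None),          # S only, gateway state 'u', no interface
    ("10.3.2.0/24",   True,  "ether1"),      # ADC
    ("10.100.3.1/32", True,  "pppoe-out1"),  # ADC
    ("0.0.0.0/0",     True,  "pppoe-out1"),  # AD
]
# Hypothetical what-if (assumption): the same table with the /16 active on wlan1.
ROUTES_WHAT_IF = [r if r[0] != "10.0.0.0/16" else ("10.0.0.0/16", True, "wlan1")
                  for r in ROUTES_AS_POSTED]

# (out-interface, dst-address) of the two srcnat masquerade rules, in rule order.
NAT_RULES = [("pppoe-out1", "0.0.0.0/0"), ("wlan1", "10.0.0.0/8")]


def lookup(routes, dst):
    """Longest-prefix match over active routes; returns (prefix, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, active, iface in routes:
        net = ipaddress.ip_network(prefix)
        if active and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else (None, None)


def nat_rule_for(out_iface, dst):
    """Number of the first masquerade rule matching egress interface and destination."""
    addr = ipaddress.ip_address(dst)
    for number, (iface, net) in enumerate(NAT_RULES):
        if iface == out_iface and addr in ipaddress.ip_network(net):
            return number
    return None


def trace(routes, dst):
    """(matched prefix, egress interface, NAT rule number) for one destination."""
    prefix, iface = lookup(routes, dst)
    return prefix, iface, nat_rule_for(iface, dst)


def leaks(routes, internal, expected_iface, probes):
    """Probe addresses inside 'internal' that do not leave via expected_iface."""
    net = ipaddress.ip_network(internal)
    return [p for p in probes
            if ipaddress.ip_address(p) in net and lookup(routes, p)[1] != expected_iface]


if __name__ == "__main__":
    for dst in ("10.0.1.30", "10.0.2.1", "192.0.2.10"):  # constructed probe addresses
        print(dst, trace(ROUTES_AS_POSTED, dst), trace(ROUTES_WHAT_IF, dst))
```

With the table as posted, every 10.0.x.x probe outside the connected entries falls through to 0.0.0.0/0 on pppoe-out1 and is masqueraded by rule 0, which matches the symptom described.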
 
Diganet
Member
Posts: 342
Joined: Sun Oct 30, 2005 9:30 pm
Location: Denmark

Tue Apr 17, 2007 7:40 am

Try Beta3. It supports interface based routing.

/Henrik
 
SweetSunday
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Tue Apr 17, 2007 7:43 am

Thanks, but at the moment I'd rather find out why this isn't working.
 
mneumark
Member
Posts: 370
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA

Tue Apr 17, 2007 7:48 am

SweetSunday,

It looks like you have overlapping routes...

0 ADC 10.0.3.0/32 10.0.3.2 wlan1
1 S 10.0.0.0/16 u 10.0.3.2

Check out the above. 10.0.0.0/16 is part of 10.0.3.0/32 also.

Matt
 
SweetSunday
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Tue Apr 17, 2007 1:35 pm

OK, it gets worse. Much worse.

That 10.0.3.0 only had a /32 network id in terminal. In Winbox it had no netmask, just the 10.0.3.0 network and 10.0.3.255 broadcast definitions.

So I gave it a /24 in Winbox which put it right in Terminal too, and IP route accepted 10.0.0.0/16 with a gateway of 10.0.3.2 as wlan 1. But then I lost contact completely with my 10.0.1.0/24 and 10.0.2.0/24 subnets. So I wrote them in as static routes and this happened:

[admin@Brian] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 A S 10.0.1.0/24 r 10.0.3.2 wlan1
1 A S 10.0.2.0/24 r 10.0.3.2 wlan1
2 ADC 10.0.3.0/24 10.0.3.2 wlan1
3 ADC 10.3.2.0/24 10.3.2.1 ether1
4 ADC 10.100.3.1/32 10.100.3.2 pppoe-out1
5 AD 0.0.0.0/0 r 10.100.3.1 1 pppoe-out1
[admin@Brian] > tool traceroute 10.0.1.30
ADDRESS STATUS
1 10.0.3.2 timeout timeout 946ms host unreachable
2 10.0.3.2 timeout timeout 947ms host unreachable
3 10.0.3.2 timeout timeout 983ms host unreachable
4 0.0.0.0 timeout timeout timeout
[admin@Brian] >

Surely the networks 10.0.x.0 should be covered by a single route 10.0.0.0/16 >10.0.3.2?
 
mneumark
Member
Posts: 370
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA

Tue Apr 17, 2007 8:09 pm

SweetSunday,

Post your /ip addr print

Matt
 
SweetSunday
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Tue Apr 17, 2007 10:57 pm

Herewith:

[admin@Brian] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.3.2.1/24 10.3.2.0 10.3.2.255 ether1
1 10.0.3.2/24 10.0.3.0 10.0.3.255 wlan1
2 D 10.100.3.2/32 10.100.3.1 0.0.0.0 pppoe-out1
[admin@Brian] >

Odder and odder - the ppp-pool at the AP this connects to has a range 10.100.3.100 - 10.100.3.199 so where could pppoe-out1 be getting 10.100.3.2 from?
 
tgrand
Long time Member
Posts: 667
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Wed Apr 18, 2007 2:31 pm

The router at 10.0.3.2 must also have the route in order to reply.
Be sure you can ping from the 10.0.3.0/24 subnet to 10.100.3.1.
 
Smith
Frequent Visitor
Posts: 61
Joined: Mon Dec 19, 2005 1:06 pm

Wed Apr 18, 2007 11:42 pm

1 chain=srcnat out-interface=wlan1 dst-address=10.0.0.0/8 action=masquerade

10.0.0.0/8 is including 10.3.2.1 too. You are NATing the router itself if I am right... Why do you use NAT?
 
SweetSunday
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Thu Apr 19, 2007 12:50 am

Smith asks:

"Why do you use NAT?"

I don't know. I'm trying to reverse engineer a network I didn't set up.

Smith also asks:

"You are NATing the router itself if I am right... "

There's no natting on the router itself, just on the clients. I believe the idea was to split local traffic (10.x.x.x) from Internet traffic (0.0.0.0/0) routing the latter over PPPoE for accounting but local traffic by wlan to avoid accounting it as it wasn't required. But everything is going over the PPPoE interface including 10.x.x.x traffic.

tgrand writes:

"Be sure you can ping from the 10.0.3.0/24 subnet to 10.100.3.1."

No problem. In traceroute it's a single hop.
 
Smith
Frequent Visitor
Posts: 61
Joined: Mon Dec 19, 2005 1:06 pm

Thu Apr 19, 2007 9:30 am

Can you post "system export" here. You can omit any data that you don't want us to see, but keep the addresses and routing intact.
I need system export from both MT.
Thank you.
 
SweetSunday
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Thu Apr 19, 2007 11:56 pm

Herewith:

The AP

[admin@west] system> export
# apr/20/2007 09:08:32 by RouterOS 2.9.40
# software id = TBFR-3TT
#
/ system logging
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
add topics=wireless,debug prefix="" action=memory disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
add name="action1" target=memory memory-lines=100 memory-stop-on-full=no
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system clock manual
set time-zone=+00:00 dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" \
dst-end="jan/01/1970 00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
/ system identity
set name="west"
/ system note
set show-at-login=yes note=""
/ system ntp server
set enabled=yes broadcast=no multicast=no manycast=no
/ system ntp client
set enabled=yes mode=unicast primary-ntp=10.0.0.33 secondary-ntp=203.109.252.7
/ system routerboard settings
set baud-rate=115200 boot-delay=1s boot-device=nand-if-fail-then-ethernet \
enter-setup-on=any-key cpu-mode=power-save memory-test=no \
cpu-frequency=264MHz boot-protocol=bootp enable-jumper-reset=yes
[admin@west] system>

[admin@west].>.interface.print
Flags:.X.-.disabled,.D.-.dynamic,.R.-.running.
.#....NAME...................TYPE......RX-RATE..TX-RATE....MTU..
.0.X..;;;.West.Ether
......ether1.......................ether............0..........0..........1500.
.1..R.;;;.Client.to.gateway
......wlan1........................wlan.............0..........0..........1500.
.2..R.;;;.AP.for.networkBs
......wlan2........................wlan.............0..........0..........1500.
.3....;;;.AP.for.access.to.Barbara
......wlan3........................wlan.............0..........0..........1500.
.4..R.;;;.Local.traffic
......vlan3........................vlan.............0..........0..........1500.
.5..R.;;;.Internet.traffic
......vlan103......................vlan.............0..........0..........1500.
.6.X..pppoe-barbara.......pppoe-out........0..........0.........
.7.DR.<pppoe-ben>......pppoe-in.........0..........0..........1480.
.8.DR.<pppoe-billy>.....pppoe-in.........0..........0..........1480.
.9.DR.<pppoe-brian>...pppoe-in.........0..........0..........1480.

[admin@west].>.ip.address.print
Flags:.X.-.disabled,.I.-.invalid,.D.-.dynamic.
.#...ADDRESS......NETWORK....BROADCAST..INTERFACE.....
.0...10.0.3.1/24........10.0.3.0........10.0.3.255......wlan2.........
.1...10.0.0.34/28.......10.0.0.32.......10.0.0.47.......vlan3.........
.2...10.100.0.34/28...10.100.0.32...10.100.0.47.....vlan103.......
.3...10.3.6.1/24........10.3.6.0........10.3.6.255......wlan3.........
.4...10.0.10.1/24......10.0.10.0.......10.0.10.255.....ether1........
.5.D.10.100.3.1/32...10.100.3.8......0.0.0.0.........<pppoe-ben>
.6.D.10.100.3.1/32...10.100.3.4......0.0.0.0.........<pppoe-billy>
.7.D.10.100.3.1/32...10.100.3.2......0.0.0.0.........<pppoe-brian>..

[admin@west].>.ip.route.print
Flags:.X.-.disabled,.A.-.active,.D.-.dynamic,.
C.-.connect,.S.-.static,.r.-.rip,.b.-.bgp,.o.-.ospf.
.#.....DST-ADDRESS...PREF-SRC.G.GATEWAY...DIS.INTERFACE.....
.0.ADo.10.0.0.16/28.......................r.10.0.0.33...........vlan3.........
.1.ADC.10.0.0.32/28.......10.0.0.34.............................vlan3.........
.2..Do.10.0.0.32/28......
.3.ADo.10.0.1.0/24........................r.10.0.0.33...........vlan3.........
.4.ADo.10.0.2.0/24........................r.10.0.0.33...........vlan3.........
.5.ADC.10.0.3.0/24........10.0.3.1..............................wlan2.........
.6..DC.10.0.10.0/24.......10.0.10.1.............................ether1........
.7.ADC.10.3.6.0/24........10.3.6.1..............................wlan3.........
.8.ADo.10.100.0.16/28.....................r.10.0.0.33...........vlan3.........
.9.ADC.10.100.0.32/28.....10.100.0.34........................vlan103.......
10..Do.10.100.0.32/28.....................r.10.0.0.33...........vlan3.........
11.ADo.10.100.1.10/32.....................r.10.0.0.33...........vlan3.........
12.ADo.10.100.1.20/32.....................r.10.0.0.33...........vlan3.........
13.ADo.10.100.1.30/32.....................r.10.0.0.33...........vlan3.........
14.ADo.10.100.2.2/32......................r.10.0.0.33...........vlan3.........
15.ADC.10.100.3.2/32......10.100.3.1....................<pppoe-brian>..
16.ADC.10.100.3.4/32......10.100.3.1....................<pppoe-billy>
17.ADC.10.100.3.8/32......10.100.3.1....................<pppoe-ben>
18.ADo.172.17.0.1/32......................r.10.0.0.33...........vlan3.........
19.A.S.0.0.0.0/0..........................r.10.100.0.33.........vlan103......

[admin@west].interface>.pppoe-server.server.print
Flags:.X.-.disabled.
.0...service-name="Bs".interface=wlan2.max-mtu=1480.max-mru=1480.
.....authentication=pap,chap.keepalive-timeout=10.one-session-per-host=yes.
.....max-sessions=0.default-profile=B.

.1...service-name="barbara".interface=wlan3.max-mtu=1480.max-mru=1480.
.....authentication=pap.keepalive-timeout=10.one-session-per-host=yes.
.....max-sessions=0.default-profile=B
[admin@west].interface>.

A client:

[admin@Brian] > system export
# apr/20/2007 09:11:51 by RouterOS 2.9.40
# software id = KNAD-3TT
#
/ system ntp server
set enabled=yes broadcast=no multicast=no manycast=no
/ system ntp client
set enabled=yes mode=unicast primary-ntp=10.0.3.1 secondary-ntp=10.0.0.33
/ system routerboard settings
set baud-rate=115200 boot-delay=1s boot-device=nand-if-fail-then-ethernet \
enter-setup-on=any-key cpu-mode=power-save memory-test=no \
cpu-frequency=175MHz boot-protocol=bootp enable-jumper-reset=yes
/ system logging
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade upgrade-package-source
add address=10.0.3.1 user="admin" password="xxxx"
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system clock manual
set time-zone=+00:00 dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" \
dst-end="jan/01/1970 00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
no-ping-delay=5m automatic-supout=no auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
/ system identity
set name="Brian"
/ system note
set show-at-login=yes note=""

[admin@Brian].>.interface.print
Flags:.X.-.disabled,.D.-.dynamic,.R.-.running.
.#....NAME............TYPE......RX-RATE...TX-RATE.MTU..
.0..R.ether1............ether.........0..........0..........1500.
.1..R.pppoe-out1...pppoe-out....0..........0..........1480.
.2..R.wlan1.............wlan..........0..........0..........1500.

[admin@Brian].>.ip.address.print
Flags:.X.-.disabled,.I.-.invalid,.D.-.dynamic.
.#...ADDRESS....NETWORK....BROADCAST..INTERFACE.
.0...10.3.2.1/24........10.3.2.0.....10.3.2.255......ether1....
.1...10.0.3.2/24........10.0.3.0....10.0.3.255......wlan1.....
.2.D.10.100.3.2/32...10.100.3.1...0.0.0.0.........pppoe-out1

[admin@Brian].>.ip.route.print
Flags:.X.-.disabled,.A.-.active,.D.-.dynamic,.
C.-.connect,.S.-.static,.r.-.rip,.b.-.bgp,.o.-.ospf.
.#.DST-ADDRESS....PREF-SRC...G.GATEWAY..DISTANCE.INTERFACE.
.0.ADC.10.0.3.0/24........10.0.3.2...................................wlan1.....
.1.ADC.10.3.2.0/24........10.3.2.1...................................ether1....
.2.ADC.10.100.3.1/32....10.100.3.2...............................pppoe-out1
.3.AD..0.0.0.0/0..........................r.10.100.3.1......1........pppoe-out1

[admin@Brian].ip.firewall.nat>.print
Flags:.X.-.disabled,.I.-.invalid,.D.-.dynamic.
.0...chain=srcnat.out-interface=pppoe-out1.dst-address=0.0.0.0/0.
.....action=masquerade.

.1...chain=srcnat.out-interface=wlan1.dst-address=10.0.0.0/16.action=masquerade.
[admin@Brian].ip.firewall.nat>.
 
Smith
Frequent Visitor
Posts: 61
Joined: Mon Dec 19, 2005 1:06 pm

Fri Apr 20, 2007 11:31 pm

I see some ospf routes but I can't find ospf setup anywhere? :not sure:
 
SweetSunday
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Sat Apr 21, 2007 12:11 am

Smith wrote:

"I can't find ospf setup anywhere?"

Neither can I, but then I don't know what I'm looking for. However it doesn't seem to be set up on any of the three routers in the system but clearly is working. Terminal in all three routers reports:

[admin@xxx] routing> ospf print
router-id: 0.0.0.0
distribute-default: never
redistribute-connected: as-type-1
redistribute-static: no
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 20
metric-static: 20
metric-rip: 20
metric-bgp: 20
[admin@xxx] routing>


I don't even know why we have OSPF - we don't have any alternate routes anywhere and the network is small enough to manage statically.

What do I need to look for to locate OSPF?


edit: typo
 
Smith
Frequent Visitor
Posts: 61
Joined: Mon Dec 19, 2005 1:06 pm

Sat Apr 21, 2007 12:30 am

routing ospf export
 
SweetSunday
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Sat Apr 21, 2007 12:32 am

Here's a more focussed example of the problem.

Brian's CPE has three interfaces:

1. ether (10.3.2.1/24) to his PC
2. wlan 1 (10.0.3.2)
3. pppoe-out (10.100.3.2)

He has two firewall filter rules:
1. Anything to 10.0.0.0/8 src-nat=masquerade>wlan1
2. Anything else src-nat=masquerade>pppoe-out

The AP has five interfaces:
1. wlan2 (10.0.3.1/24)
2. pppoe-Brian (10.100.3.1/32)
3. ether (10.0.10.1/24)
4. VLAN3 (10.0.0.34/28)
5. VLAN103 (10.100.0.34/28)

Connected to ether is an SME server (10.0.10.10). When Brian logs on to the server it reports the last log-in - from him - came from 10.100.3.1 and NOT 10.0.3.2 as per Brian's firewall filter.

The AP's complete routing table is set out above.

I just can't see the error, even though it is a mess.
 
SweetSunday
Member Candidate
Topic Author
Posts: 296
Joined: Tue Nov 07, 2006 3:06 am

Sat Apr 21, 2007 12:39 am

As requested:

[admin@Brian] > routing ospf export
# apr/21/2007 10:41:55 by RouterOS 2.9.40
# software id = KNAD-3TT
#
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no \
redistribute-static=no redistribute-rip=no redistribute-bgp=no \
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 \
metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate \
authentication=none prefix-list-import="" prefix-list-export="" \
disabled=no
[admin@Brian] >


[admin@west] > routing ospf export
# apr/21/2007 10:35:17 by RouterOS 2.9.40
# software id = TBFR-3TT
#
/ routing ospf
set router-id=0.0.0.0 distribute-default=never \
redistribute-connected=as-type-1 redistribute-static=no \
redistribute-rip=no redistribute-bgp=no metric-default=1 \
metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate \
authentication=none prefix-list-import="" prefix-list-export="" \
disabled=no
add area-id=10.0.0.0 name="backhaul" type=default \
translator-role=translate-candidate authentication=none default-cost=1 \
prefix-list-import="" prefix-list-export="" disabled=no
/ routing ospf network
add network=10.0.0.32/28 area=backhaul disabled=no
[admin@west] >

[admin@gateway] > routing ospf export
# apr/21/2007 10:36:56 by RouterOS 2.9.40
# software id = HFCR-3TT
#
/ routing ospf
set router-id=0.0.0.0 distribute-default=never \
redistribute-connected=as-type-1 redistribute-static=no \
redistribute-rip=no redistribute-bgp=no metric-default=1 \
metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate \
authentication=none prefix-list-import="" prefix-list-export="" \
disabled=no
add area-id=10.0.0.0 name="backhaul" type=default \
translator-role=translate-candidate authentication=none default-cost=1 \
prefix-list-import="" prefix-list-export="" disabled=no
/ routing ospf network
add network=10.0.0.32/28 area=backhaul disabled=no
add network=10.0.0.16/28 area=backhaul disabled=no
[admin@gateway] >

I've put up a schematic of the whole network at:

http://img403.imageshack.us/img403/6310 ... estno6.jpg


edit: Brian export instead of print
 
Smith
Frequent Visitor
Posts: 61
Joined: Mon Dec 19, 2005 1:06 pm

Sat Apr 21, 2007 12:48 am

It is late here in my timezone (1am). But you can disable those ospf networks and then route everything statically, like you wanted.

routing ospf export
print

You will get a list of networks that were added to ospf redistribution.

Then use the remove command to remove those networks:

remove item id

After that you can set up everything statically.

I think your main problem was ospf interference with your static routes...
