elpeter
just joined
Topic Author
Posts: 13
Joined: Mon Aug 28, 2017 8:17 pm

Getting crazy with routes within subnets

Thu Apr 25, 2019 5:29 pm

Hi all,

I'm new to networking and not so new to IT. I'm having so much trouble trying to reach one subnet from another... let me explain the "Frankenstein" that I have.

Mikrotik router (hEX S) connected to Internet through SFP+
Main net is 192.168.0.0
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                        
 0   192.168.0.1/24     192.168.0.0     ether2-MasterGreen                                                                               
 1   192.168.2.1/24     192.168.2.0     ether2-MasterGreen                                                                               
 2   192.168.5.1/30     192.168.5.0     ether3-AsusAP                                                                                    
 3 X 192.168.1.2/24     192.168.1.0     ether1-Router                                                                                    
 4   192.168.1.2/24     192.168.1.0     sfp1                                                                                             
 5   10.108.89.224/10   10.64.0.0       vlan3                                                                                            
 6 D 88.1.136.189/32    192.168.144.1   pppoe-out1                                                                                       
 7 D 10.23.12.28/19     10.23.0.0       vlan3                                                                                            
 8   192.168.122.10/24  192.168.122.0   ether2-MasterGreen


Asus ADSL Router (RT-AC68U) configured as router mode only to have WiFi managed by it on subnet 192.168.5.0.

I'm struggling to connect from a computer on lan 192.168.0.0 to a computer on lan 192.168.5.0. Not sure if it's a route issue or an issue on the Asus router not allowing traffic from "WAN" to LAN.

Here's the Mikrotik's routes list.
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 X S  0.0.0.0/0                          192.168.0.50              1
 1 X S  0.0.0.0/0                          192.168.0.50              1
 2 X S  0.0.0.0/0                          192.168.0.50              1
 3 ADS  0.0.0.0/0                          pppoe-out1                1
 4 X S  0.0.0.0/0                          255.255.255.255         255
 5 X S  0.0.0.0/0                          255.255.255.255         255
 6   S  0.0.0.0/0                          255.255.255.255         255
 7 X S  0.0.0.0/0                          255.255.255.255         255
 8 ADC  10.23.0.0/19       10.23.12.28     vlan3                     0
 9 ADr  10.31.255.128/27                   10.23.0.1               120
10 ADC  10.64.0.0/10       10.108.89.224   vlan3                     0
11 ADC  192.168.0.0/24     192.168.0.1     bridgeMain                0
12 ADC  192.168.1.0/24     192.168.1.2     bridgeMain                0
13 ADC  192.168.2.0/24     192.168.2.1     bridgeMain                0
15 ADC  192.168.5.0/30     192.168.5.1     bridgeMain                0
17 ADC  192.168.122.0/24   192.168.122.10  bridgeMain                0
18 ADC  192.168.144.1/32   xx.xx.xx.xx    pppoe-out1                0

BTW, wifi is working as expected, has access to every host on 192.168.5.0 lan and on 192.168.0.0 also and of course access to Internet.

Any help will be truly appreciated.

Thanks in advance from a complete newbie.
 
anav
Forum Guru
Posts: 22075
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Getting crazy with routes within subnets

Thu Apr 25, 2019 7:25 pm

Two things get configs up and running faster.
1- diagram especially for complicated setup (this does not appear to be the case).
2- post your config, there are too many linkages to look at any one aspect in isolation.

/export hide-sensitive file=yourconfigapr25

In your case it's probably the forward chain firewall setup, but will reserve judgement until we see the config.
 
elpeter

Re: Getting crazy with routes within subnets

Thu Apr 25, 2019 9:37 pm

Thanks anav for getting back to me.

I'll try to make a diagram of the network.

In the meantime, here's my exported config.


Thanks!!!

EDIT:
I finally have it working!! I started from installing dd-wrt on my Asus to see if I could manage something different within it. For starters I could set the Asus into Router mode instead of Gateway one. But the key was that in the Mikrotik I added to the ETH port the first IP in the subnet 5 range so the Mikrotik itself created the rule to 192.168.5.0/24 using the MT IP as gateway... Wrong!! The gateway must've been the IP on the Asus WAN interface. So I deleted the IP address in the Mikrotik, created the route to 192.168.5.0/24 with GW the WAN IP from the Asus and bang!! It worked like a charm :)

Now I just want to know as a matter of learning how could I get everything working isolating the networks, taking the Asus Eth port out of the Bridge. I guess that should be possible but really have no idea how to make it work :(
 
elpeter

Re: Getting crazy with routes within subnets

Fri Apr 26, 2019 10:31 am

Here's my network schema
Pethernet.png
 
mkx
Forum Guru
Posts: 13038
Joined: Thu Mar 03, 2016 10:23 pm

Re: Getting crazy with routes within subnets

Fri Apr 26, 2019 5:50 pm

Now that we can see what you want to achieve, post full config from RB (/export hide-sensitive and redact public IP address and SSID/PSK) ... and we might give some advice.
 
anav

Re: Getting crazy with routes within subnets

Fri Apr 26, 2019 6:36 pm

Concur, still waiting for config. :-)
 
elpeter

Re: Getting crazy with routes within subnets

Sat Apr 27, 2019 12:51 pm

Apologies I deleted it due to the changes I mentioned.

Here you go.


Thanks!!


yourconfigapr25.rsc
 
mkx

Re: Getting crazy with routes within subnets  [SOLVED]

Sat Apr 27, 2019 1:54 pm

Your network chart is missing some data. For example, what is Asus WAN IP address? I guess 192.168.0.2. Which is not OK if you really want to control traffic between 192.168.5.0/24 and everywhere else (right now, you probably have a routing triangle where devices on 192.168.0.0/24 use MT to send traffic towards 192.168.5.0/24, while return traffic flows from Asus directly to devices bypassing MT).

You have to introduce another subnet just to connect Asus and MT ... preferably also remove ether3 from common bridge on MT (if ether3 is exclusively used to connect Asus). A /30 network will do (assuming Asus can handle it).

# remove ether from bridgeMain
/ip address
# Asus will have 192.168.13.2/30
add interface=ether3-AsusAP address=192.168.13.1/30
/ip route
# remove existing route towards same subnet
add dst-address=192.168.5.0/24 gateway=192.168.13.2

On Asus, set 192.168.13.1 as default gateway.

Then you configure firewall rules to control what 192.168.5.0/24 can do. The "routing subnet" doesn't affect these rules at all.
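
The routing triangle described in the post above, modelled as an added example that is not part of the original thread: a longest-prefix-match walk over two constructed topologies, one with the Asus WAN at 192.168.0.2 and one with the 192.168.13.0/30 link, reporting which direction of a flow never crosses the MT firewall. The end-host addresses 192.168.0.10 and 192.168.5.20, the Asus default gateway in the first topology, and all function names are assumptions made for the example.

```python
import ipaddress as ipa

def node(addrs, routes):
    """addrs: interface CIDRs; routes: {destination prefix: gateway IP}."""
    return {"ifaces": [ipa.ip_interface(a) for a in addrs],
            "routes": {ipa.ip_network(p): ipa.ip_address(g) for p, g in routes.items()}}

def owner(topo, addr):
    """Name of the node that has addr configured on one of its interfaces."""
    return next(n for n, d in topo.items() if any(i.ip == addr for i in d["ifaces"]))

def path(topo, src, dst_ip):
    """Hop-by-hop node names from src to dst_ip using longest-prefix match."""
    dst, cur, hops = ipa.ip_address(dst_ip), src, [src]
    while owner(topo, dst) != cur:
        if len(hops) > 16:
            raise RuntimeError("routing loop")
        d = topo[cur]
        # Connected networks deliver on-link; static routes hand off to a gateway.
        cands = [(i.network, dst) for i in d["ifaces"] if dst in i.network]
        cands += [(net, gw) for net, gw in d["routes"].items() if dst in net]
        _, nxt = max(cands, key=lambda c: c[0].prefixlen)
        cur = owner(topo, nxt)
        hops.append(cur)
    return hops

def bypasses(topo, a, a_ip, b, b_ip, firewall="mt"):
    """Directions ("forward"/"return") whose path never crosses the firewall node."""
    legs = {"forward": path(topo, a, b_ip), "return": path(topo, b, a_ip)}
    return [name for name, hops in legs.items() if firewall not in hops]

# Constructed end hosts (assumed addresses, not from the thread).
HOSTS = {"pc": node(["192.168.0.10/24"], {"0.0.0.0/0": "192.168.0.1"}),
         "wifi": node(["192.168.5.20/24"], {"0.0.0.0/0": "192.168.5.1"})}
# Asus WAN inside the main LAN: the Asus reaches 192.168.0.0/24 on-link.
TRIANGLE = dict(HOSTS,
    mt=node(["192.168.0.1/24"], {"192.168.5.0/24": "192.168.0.2"}),
    asus=node(["192.168.0.2/24", "192.168.5.1/24"], {"0.0.0.0/0": "192.168.0.1"}))
# Dedicated /30 between MT ether3 and Asus WAN: only the MT touches both LANs.
TRANSIT = dict(HOSTS,
    mt=node(["192.168.0.1/24", "192.168.13.1/30"], {"192.168.5.0/24": "192.168.13.2"}),
    asus=node(["192.168.13.2/30", "192.168.5.1/24"], {"0.0.0.0/0": "192.168.13.1"}))

if __name__ == "__main__":
    for name, topo in (("triangle", TRIANGLE), ("transit /30", TRANSIT)):
        print(name, bypasses(topo, "pc", "192.168.0.10", "wifi", "192.168.5.20"))
```

In the first topology only the return leg skips the MT, so a stateful forward-chain rule set there sees half of each connection; with the /30 link both legs cross it.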
 
anav

Re: Getting crazy with routes within subnets

Sat Apr 27, 2019 5:12 pm

As usual disagree with MKX!

There is no need for double nat and two routers in the same network.
There is all the reason in the world to keep it simple and use
MT for routing/dhcp
Asus for WIFI
VLANS for separation of users (normal/guests) for wired and wireless.

The problem I see is that the RT-AC68U is not vlan capable.
It appears that one could possibly program it in the CLI on Merlin build, but I cannot find any definitive third party site that reflects it's part of their build ??????
 
mkx

Re: Getting crazy with routes within subnets

Sat Apr 27, 2019 10:32 pm

> There is no need for double nat and two routers in the same network.
Where in my previous post did you notice NAT? The whole post is about routing.
 
elpeter

Re: Getting crazy with routes within subnets

Sat Apr 27, 2019 10:40 pm

Thanks both for getting back to me, now I'm even more confused :P

MKX,
You're right, the WAN IP for the Asus is 192.168.0.2, sorry, forgot to mention that. What would be the new subnet purpose for? I mean I already have the 5 subnet just to isolate the Wifi subnet from the cable LAN. Also, I'm not sure if I would be able to get everything working within the FW and different subnets; I'm quite new at this and a bit confused about how to make the network work... I guess I need a lot of reading to do yet...

Anav,
What you mentioned will be ideal but again my lack of knowledge won't allow me to do so. BTW the DD-WRT in the Asus allows me to configure Vlans as far as I can see but again no idea how to achieve it.

Thanks for reading me!
 
mkx

Re: Getting crazy with routes within subnets

Sat Apr 27, 2019 10:54 pm

> What would be the new subnet purpose for?
Its purpose is to force traffic between 192.168.5.0/24 and 192.168.0.0/24 through firewall on RB ... to really have control over it. Which you can't do properly if Asus' WAN IP address is in 192.168.0.0/24.

On the other hand it would make lots of sense if you used Asus to simply bridge AP with ethernet (meaning you'd connect RB to LAN ethernet port on Asus). Then you'd disable DHCP server on Asus, configure RB's ether3 with IP address from 192.168.5.0/24, run DHCP server with appropriate address pool and rest of settings (gateway, DNS server, ...) for that subnet on RB.
This setup would give full control over 192.168.5.0/24 connectivity outwards without having the additional subnet I wrote about in my previous post.

No need to play with VLANs if you can dedicate ethernet port on RB for ASUS and its clients.
 
elpeter

Re: Getting crazy with routes within subnets

Sun Apr 28, 2019 1:25 am

Thanks MKX,

I think I understood it but I'm not able to make it work... Here's what I've done so far:

# remove ether from bridgeMain
/ip address
# Asus will have 192.168.15.2/30
add interface=ether3-AsusAP address=192.168.15.1/30
/ip route
# remove existing route towards same subnet
add dst-address=192.168.5.0/24 gateway=192.168.15.2

Asus AP:
WAN:
IP: 192.168.15.2/30
GW: 192.168.15.1
DNS: 192.168.0.50 (Not sure if this will work but my DNS is on that server)

LAN:
IP: 192.168.5.1/24
GW: 192.168.0.1
DNS: 192.168.0.50

DHCP Forwarded to 192.168.0.1

But this configuration doesn't work, the wifi clients do not have any IP from DHCP and if I set it manually they don't reach internet.

Which routes should I create over the AsusAP to both get Internet and to reach both subnets 0 and 5?

What am I missing?

Thanks for your time, appreciate it.
 
mkx

Re: Getting crazy with routes within subnets

Sun Apr 28, 2019 11:53 am

Try to run DHCP server for 192.168.5.0/24 on Asus.

Rethink your firewall rules to see if some might be blocking internet access from 192.168.5.0/24. Make sure your src-nat rules cover that subnet.

Set default route on Asus (target 0.0.0.0/0) to use gateway 192.168.15.1 (I'm not sure current setting translates to that).

Try to ping Asus from MT and from some other subnet to verify routing on both MT and Asus (assuming firewall on Asus is turned off).
 
elpeter

Re: Getting crazy with routes within subnets

Mon Apr 29, 2019 9:17 pm

It's finally working!!

Thanks MKX for your support.

There were a couple of problems: first, the DHCP from the Mikrotik was missing the option for relay, and after that the DHCP on the Asus needed to be forwarded to 192.168.15.1. After that, everything worked like a charm and now I have the control over routes and everything.

Thanks!!!!
