
Please help. Two interfaces not able to see each other.

Posted: Thu Dec 22, 2016 11:42 am
by TroyQ
Hi Everyone, I hope someone can help me; I have been trying to figure this out for two days. I have DHCP running on two ports for two networks, but they need to be able to see each other for server purposes. They unfortunately have to have separate IP ranges for security reasons. How can I get interfaces 3 and 5 to talk?

Here is my current setup. Internet access is not a problem or needed here; the first network is on its own and working fine. It's the other two I need to get working together.

# dec/22/2016 11:30:42 by RouterOS 6.37.3
# software id = ZYPM-RMMD
#
/interface bridge
add name="Admin Network Bridge"
/interface ethernet
set [ find default-name=ether2 ] comment="Replica Server"
set [ find default-name=ether3 ] comment=Klas35
set [ find default-name=ether5 ] comment=Klas26
/ip neighbor discovery
set ether2 comment="Replica Server"
set ether3 comment=Klas35
set ether5 comment=Klas26
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Klas35_pool ranges=192.168.50.100-192.168.50.200
add name=Klas26_pool ranges=192.168.49.100-192.168.49.200
/ip dhcp-server
add add-arp=yes address-pool=Klas35_pool always-broadcast=yes disabled=no \
interface=ether3 lease-time=2d name=Klas35_DHCP
add add-arp=yes address-pool=Klas26_pool always-broadcast=yes disabled=no \
interface=ether5 lease-time=2d name=Klas26_DHCP
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge="Admin Network Bridge" interface=sfp1
add bridge="Admin Network Bridge" interface=ether1
add bridge="Admin Network Bridge" interface=ether4
add bridge="Admin Network Bridge" interface=ether6
add bridge="Admin Network Bridge" interface=ether23
add bridge="Admin Network Bridge" interface=ether24
add bridge="Admin Network Bridge" interface=ether21
add bridge="Admin Network Bridge" interface=ether7
add bridge="Admin Network Bridge" interface=ether8
add bridge="Admin Network Bridge" interface=ether9
add bridge="Admin Network Bridge" interface=ether10
add bridge="Admin Network Bridge" interface=ether22
add bridge="Admin Network Bridge" interface=ether20
add bridge="Admin Network Bridge" interface=ether19
add bridge="Admin Network Bridge" interface=ether11
add bridge="Admin Network Bridge" interface=ether12
add bridge="Admin Network Bridge" interface=ether13
add bridge="Admin Network Bridge" interface=ether14
add bridge="Admin Network Bridge" interface=ether15
add bridge="Admin Network Bridge" interface=ether16
add bridge="Admin Network Bridge" interface=ether17
add bridge="Admin Network Bridge" interface=ether18
add bridge="Admin Network Bridge" interface=ether2
/ip address
add address=10.80.8.8/24 interface="Admin Network Bridge" network=10.80.8.0
add address=192.168.50.254/24 interface=ether3 network=192.168.50.0
add address=192.168.49.254/24 interface=ether5 network=192.168.49.0
/ip dhcp-relay
add dhcp-server=192.168.0.1 disabled=no interface=sfp1 name=relay1
/ip dhcp-server network
add address=192.168.49.0/24 dns-server=192.168.50.1,192.168.49.254 gateway=\
192.168.49.254 netmask=22
add address=192.168.50.0/24 dns-server=192.168.50.1,192.168.50.254 gateway=\
192.168.50.254 netmask=22
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=forward protocol=icmp src-address=192.168.50.0/24
add action=accept chain=forward protocol=icmp src-address=192.168.49.0/24
add action=accept chain=forward protocol=icmp src-address=192.168.48.0/24
add action=accept chain=forward dst-address=192.168.49.0/24 src-address=\
192.168.50.0/24
add action=accept chain=forward dst-address=192.168.50.0/24 src-address=\
192.168.49.0/24
/ip route
add distance=1 gateway=10.80.8.1
add distance=1 dst-address=192.168.50.0/24 gateway=192.168.50.254
/lcd interface pages
set 1 interfaces=ether13,ether14,ether15,ether16
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="K18 C Brink"

Re: Please help. Two interfaces not able to see each other.

Posted: Thu Dec 22, 2016 11:55 am
by cdiedrich
Your netmasks in the two networks don't match.
Your address on the interface states that it's a /24 network, the DHCP is telling the clients, it's a /22 network. In a /22 both are in the same subnet, so they won't use a gateway.
Adjust it in /ip dhcp-server network to be /24 and it should work.

An aside:
From the amount of interfaces I assume you have a CRS-series Switch.
You don't need to add all the interfaces to the admin bridge separately - this will reliably max out your CPU when there's significant traffic.
It's enough to add one ethernet interface and set all the others to this as master port, so you have a hardware switch for this network.
Additionally, if you want the two networks to be fully routed, you don't need the icmp accept rules in the forward chain.

-Chris
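
The mismatch described in this reply, as an added example (not code from the thread): a Python check over the relevant lines of the first post's export, with continuation lines joined, that compares the prefix length the DHCP server hands out with the prefix on the router interface. The function names `parse`, `audit` and `on_link` are illustrative.

```python
import ipaddress
import re

# Constructed sample: the /ip address and /ip dhcp-server network lines
# from the first post's export, with "\" continuation lines joined.
EXPORT = """\
/ip address
add address=192.168.50.254/24 interface=ether3 network=192.168.50.0
add address=192.168.49.254/24 interface=ether5 network=192.168.49.0
/ip dhcp-server network
add address=192.168.49.0/24 dns-server=192.168.50.1,192.168.49.254 gateway=192.168.49.254 netmask=22
add address=192.168.50.0/24 dns-server=192.168.50.1,192.168.50.254 gateway=192.168.50.254 netmask=22
"""

def parse(export):
    """Return {menu: [{key: value}, ...]} for every 'add' line under a menu."""
    menus, menu = {}, None
    for line in export.splitlines():
        if line.startswith("/"):
            menu = line.strip()
        elif line.startswith("add ") and menu:
            menus.setdefault(menu, []).append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return menus

def audit(export):
    """Flag DHCP networks whose advertised mask differs from the router interface's."""
    menus = parse(export)
    ifaces = [ipaddress.ip_interface(a["address"]) for a in menus.get("/ip address", [])]
    findings = []
    for net in menus.get("/ip dhcp-server network", []):
        scope = ipaddress.ip_network(net["address"])
        gw = ipaddress.ip_address(net["gateway"])
        # netmask= overrides the prefix sent to clients; if absent, the scope's prefix is used
        handed = int(net.get("netmask", scope.prefixlen))
        client_view = ipaddress.ip_network(f"{gw}/{handed}", strict=False)
        router = next((i for i in ifaces if i.ip == gw), None)
        if router and handed != router.network.prefixlen:
            # other routed subnets that clients will wrongly treat as on-link
            swallowed = [str(i.network) for i in ifaces if i.ip != gw and i.ip in client_view]
            findings.append((str(scope), str(router.network), str(client_view), swallowed))
    return findings

def on_link(client, prefixlen, dest):
    """True if the client ARPs for dest directly instead of sending to its gateway."""
    return ipaddress.ip_address(dest) in ipaddress.ip_network(f"{client}/{prefixlen}", strict=False)
```

With the /22 mask a client at 192.168.49.100 treats 192.168.50.1 as on-link, so the packet never reaches the router and the forward-chain rules are never evaluated for it.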

Re: Please help. Two interfaces not able to see each other.

Posted: Thu Dec 22, 2016 12:13 pm
by TroyQ
Thanks, I will make the changes and test it now. I was hoping that the server would be able to see all the PCs of the network if it uses subnet /22, AND for the PCs to be able to access the server using the DNS name (MyServer.local) instead of using the IP address. That is the reason I used subnet 22... Is there a way to use subnet 22 on both interfaces and have the PCs be able to see each other? I can limit their interaction with other drop rules if that is possible.
Thanks for your help so far.

Re: Please help. Two interfaces not able to see each other.

Posted: Thu Dec 22, 2016 12:47 pm
by TroyQ
OK, here is my new config. But the only thing that has changed is that I can now ping the MikroTik from both sides to both MikroTik addresses... 49.254 and 50.254 from either network. I cannot access the server from 49.0/24 or ping either network's PCs....

# dec/22/2016 12:44:17 by RouterOS 6.37.3
# software id = ZYPM-RMMD
#
/interface ethernet
set [ find default-name=ether3 ] comment=Klas35
set [ find default-name=ether5 ] comment=Klas26
set [ find default-name=sfp1 ] comment="MasterPort To Admin Network"
/ip neighbor discovery
set ether3 comment=Klas35
set ether5 comment=Klas26
set sfp1 comment="MasterPort To Admin Network"
/interface ethernet
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] comment="Replica Server" master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether23 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1
/ip neighbor discovery
set ether2 comment="Replica Server"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Klas35_pool ranges=192.168.50.100-192.168.50.200
add name=Klas26_pool ranges=192.168.49.100-192.168.49.200
/ip dhcp-server
add add-arp=yes address-pool=Klas35_pool always-broadcast=yes disabled=no \
interface=ether3 lease-time=2d name=Klas35_DHCP
add add-arp=yes address-pool=Klas26_pool always-broadcast=yes disabled=no \
interface=ether5 lease-time=2d name=Klas26_DHCP
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=10.80.8.8/24 interface=sfp1 network=10.80.8.0
add address=192.168.50.254/24 interface=ether3 network=192.168.50.0
add address=192.168.49.254/24 interface=ether5 network=192.168.49.0
/ip dhcp-server network
add address=192.168.49.0/24 dns-server=192.168.50.1,192.168.49.254 gateway=\
192.168.49.254
add address=192.168.50.0/24 dns-server=192.168.50.1,192.168.50.254 gateway=\
192.168.50.254
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=forward dst-address=192.168.49.0/24 src-address=\
192.168.50.0/24
add action=accept chain=forward dst-address=192.168.50.0/24 src-address=\
192.168.49.0/24
/ip route
add distance=1 gateway=10.80.8.1
/lcd interface pages
set 1 interfaces=ether13,ether14,ether15,ether16
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="K18 C Brink"

Re: Please help. Two interfaces not able to see each other.

Posted: Thu Dec 22, 2016 12:57 pm
by cdiedrich
I see you have 10.80.8.1 configured as default gateway.
Is it possible that all the machines in the 10.80.8.0/24 network have 10.80.8.1 configured as default gateway?
In this case, they are sending their replies to requests from your 192.168.49.0/24 and 192.168.50.0/24 networks to their default gateway which seems to be unaware of those.
Either add static routes to 10.80.8.1 pointing for those two networks to 10.80.8.8 or give all machines these static routes.
-Chris

Re: Please help. Two interfaces not able to see each other.

Posted: Sat Dec 24, 2016 11:22 am
by TroyQ
Hi Chris, sorry for only getting back to you now. Holiday season and all keeping me busy.

The 10.80.8.1 gateway is another MikroTik with its own network. No physical PCs on the network have a 10.80... address. Only the MikroTiks.
Also, the 10.80.8.1 network will not be accessed from my 192.168.49/50... range. That gateway is set for the other ports on the MikroTik that are mastered to sfp1.

Thanks
TroyQ