New Member
Posts: 1
Registered: ‎04-20-2017

EdgeMAX Router Question - Basic Routing

Hello all,

 

I am trying to figure out what is going on with this network a friend of mine has called me about. He has an EdgeMax router with a few VLANs and a few networks attached to the router. All are a subset of the 192.168.x.x range.

My first question is, by default, does the EdgeMAX route between directly connected networks with no special config?

I have a setup of this:

Router - 192.168.0.1

Voice - eth2 - 192.168.2.1

Guest Wireless VLAN - eth 7.51 - 192.168.5.1

 

At the moment I am not concerned about the guest being able to get anywhere other than the Internet. However, users on the 192.168.0.0 network cannot ping anything on the 192.168.2.0 network other than the router at 192.168.2.1.

 

Any thoughts on how to get this working?

 

Thank you!

New Member
Posts: 4
Registered: ‎04-21-2017

Re: EdgeMAX Router Question - Basic Routing

Hey,

 

got the same issue: Can't talk from the 10.10.10.0/24 on eth2 to my public /29 net on switch0 (eth1 and eth3).

 

So I would appreciate it as well if someone has an idea of how to fix it :)

 

Greetings,

Gregor

Regular Member
Posts: 384
Registered: ‎01-26-2015
Kudos: 122
Solutions: 31

Re: EdgeMAX Router Question - Basic Routing

Yep, an EdgeRouter does route out of the box. As long as there is no firewall blocking traffic, the ER will forward the traffic to the target interface/subnet.

 

Routing is not the only thing that matters when you try to connect to devices on another subnet. Sure, first of all the device has to know where to send the reply. Without a specific route at the device itself, it will send the reply to its default gateway. If the ER is the gateway, everything is fine. However, if the default gateway happens to be another router (e.g. the ISP's modem router), this router needs a route to the remote subnet (gateway = ER) or it will simply drop all traffic as private subnets won't be routed via WAN.

 

So much for the routing. Now you'll have to check the device's firewall. By default the Windows firewall will block any incoming traffic from unknown subnets. Example: A Windows computer at 192.168.1.123 receives a connection request from 192.168.2.234. That's not in the local subnet --> block.

You have to either add the remote subnet to the trusted networks or implement SNAT/masquerade on the ER port (Windows thinks the local ER IP tries to connect => allow). I'd recommend adding the remote subnet. Open the Windows firewall, navigate to the inbound rules, look for the rule you want to modify or add a new one and set the "scope" to match on the remote subnets.
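
The reply-path reasoning in the post above, as an added example that is not part of the original thread: a longest-prefix-match lookup over a host's routing table that shows which gateway receives the reply to a packet from another subnet. The host's routing tables, the second gateway 192.168.2.254 and the client address 192.168.0.10 are constructed for illustration; 192.168.2.1 is the ER address from the first post.

```python
import ipaddress

def reply_route(routes, dst_ip):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None = on-link."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best

def classify_return_path(routes, source_ip, er_ip):
    """Say where this host sends its reply to a packet that came from source_ip."""
    match = reply_route(routes, source_ip)
    if match is None:
        return "no-route"              # the reply is never sent
    _, gateway = match
    if gateway is None:
        return "on-link"               # same subnet, no router involved
    # The reply only gets back to the sender if the next hop knows the remote
    # subnet. The ER does (directly connected); another router may not.
    return "via-er" if gateway == er_ip else "via-other-gateway"

# Constructed sample: a host on 192.168.2.0/24 whose default gateway is a
# second router (192.168.2.254) instead of the ER (192.168.2.1).
ER_IP = "192.168.2.1"
BROKEN = [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.254")]
# Same host after adding a specific route to the remote subnet via the ER.
FIXED = BROKEN + [("192.168.0.0/24", ER_IP)]

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, classify_return_path(table, "192.168.0.10", ER_IP))
```

A result of "via-other-gateway" is the case the post describes: the echo request arrives through the ER, but the reply leaves toward a router that has no route back to the sender's subnet.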

New Member
Posts: 4
Registered: ‎04-21-2017

Re: EdgeMAX Router Question - Basic Routing

I got two Ubuntu servers, so ping is not blocked at the machine itself.

Thus the ER is the gateway for both the private and public subnet. The server in the 10.10.10.0/24 has the ER as 10.10.10.1 as default gateway, and the ER detected the public subnet and created a route by itself.
But it's not working and I don't have any idea why.

The server in the private subnet reaches everything in the internet (like 8.8.8.8), and the server in the public subnet is reachable from the internet. But not from the private subnet at the same router...
Regular Member
Posts: 384
Registered: ‎01-26-2015
Kudos: 122
Solutions: 31

Re: EdgeMAX Router Question - Basic Routing

Hm.. ok.. try this:

 

 

1) traceroute from both sides and see if the packets take the right path.

2) Start the packet capture in the ER GUI and match on icmp protocol.

3) tcpdump at the servers, match on icmp as well ( tcpdump -v icmp )

 

tcpdump happens before iptables apply so you should see the echo requests in any case - if they get forwarded properly by the ER.

New Member
Posts: 4
Registered: ‎04-21-2017

Re: EdgeMAX Router Question - Basic Routing

Thank you very much for your tips for troubleshooting the problem.
With the tcpdump I discovered that the web server gets the ICMP requests, but does not reply (probably because the requests come from a private address?).

So now I need to get in contact with some Linux administrators.

But again thanks a lot for your help :)

Greetings
Gregor
Established Member
Posts: 1,135
Registered: ‎08-06-2015
Kudos: 449
Solutions: 58

Re: EdgeMAX Router Question - Basic Routing

Would you be able to post a sanitized config (inside a code or spoiler block here to keep formatting)?

 

Yes, a router knows how to reach any directly-connected network without any additional configuration. If something is not working as expected, the first place to start is checking the configuration, then go from there.

Regular Member
Posts: 384
Registered: ‎01-26-2015
Kudos: 122
Solutions: 31

Re: EdgeMAX Router Question - Basic Routing


Dachantenne wrote:
With the tcpdump I discovered that the web server gets the ICMP requests, but does not reply (probably because the requests come from a private address?).

Does the server reply to local pings then?

 

You mentioned the server "is reachable from the internet". A ping from WAN would be replied to by the router itself, so I guess you forwarded port 80 or so for a webserver? If so, try to access the web page from the remote subnet instead of a ping. Maybe the server blocks pings but the webserver (or whatever service you tried from the internet) might work fine from the other subnet as well.

 

Check the iptables for any blocking rules:

 

sudo iptables -L INPUT
Established Member
Posts: 1,135
Registered: ‎08-06-2015
Kudos: 449
Solutions: 58

Re: EdgeMAX Router Question - Basic Routing

Really - posting a sanitized config is the best place to start, for both posters with an issue.  

 

There's no need to start by looking at the underlying ipfilter configuration since that is all managed by the EdgeOS configuration. You wouldn't be able to make any changes to the ipfilter rules or groups directly and would need to map back to the EdgeOS configuration anyway.

 

Posting a sanitized config is the standard starting point when requesting such help in these forums.

Regular Member
Posts: 384
Registered: ‎01-26-2015
Kudos: 122
Solutions: 31

Re: EdgeMAX Router Question - Basic Routing

@waterside: Beware, there are two users reporting problems in this thread: @deca2499, who started the topic, and @Dachantenne, who kinda hijacked it. My posts refer to @Dachantenne and the proposed iptables command was meant to be entered at the Linux server, not the ER.

 

However, I agree with you that messing around with iptables on an EdgeRouter can be problematic. Modifying iptables in EdgeOS directly can have unexpected results and can only be advised against.

New Member
Posts: 4
Registered: ‎04-21-2017

Re: EdgeMAX Router Question - Basic Routing

Ok now I really found the solution, and sorry for stealing the thread, but I think deca2499 got a very similar issue and maybe my solution works for him:
The server with the public IP got the ICMP requests from 10.10.10.15, and tried to reply. But because of RFC 1918 a reply to a private address isn't working well.
So I just set up a source NAT for everything coming from 10.10.10.0/24 on the interface with the public network and now it works fine.

So @deca2499 you may try the following:
Let's say you configured 192.168.0.0 on eth1 and - as you said - 192.168.2.0 on eth2.
Now configure source NAT for these two interfaces:
First rule:
Source: 192.168.0.0
Translation: masquerade to eth2

Second rule:
Source: 192.168.2.0
Translation: masquerade to eth1

It worked for me in this way and probably it does for you too :)
Established Member
Posts: 1,135
Registered: ‎08-06-2015
Kudos: 449
Solutions: 58

Re: EdgeMAX Router Question - Basic Routing

Configuring NAT is a standard part of working with RFC1918 space that needs to communicate with public routable internet. The KB articles have several examples, and the built-in wizards configure this by default.

 

Again - this is where posting a sanitized config is important.

 

Oh - and you would not configure NAT for communication within private network space.

 

 

Regular Member
Posts: 384
Registered: ‎01-26-2015
Kudos: 122
Solutions: 31

Re: EdgeMAX Router Question - Basic Routing

NAT between private networks is usually a bad idea because it makes the network more complex without any benefits - except for the fact that you don't need to bother about proper routing ;)

As @waterside said, post your config.