New Member
Posts: 4
Registered: ‎02-10-2019

ER-X SFP possible routing issue between two LAN

Hello all - I've an Edgerouter-X SFP on which I've some issues with traffic between subnetworks, specifically I can't reach the primary LAN network from the secondary LAN network (but the other way around works fine). The router is set up with

(1) a WAN connection on interface eth0 via PPPoE

(2) a primary LAN network 10.0.0.0/24 on switch0 with ports eth2 and eth3 bound to it

(3) a secondary LAN network 10.0.10.0/24 on eth1

as well as a tertiary LAN for a server 192.168.1.0/24 on eth4 and a Wi-Fi guest VLAN with ID 20 as 10.0.20.0/24 (out of scope for this issue).

Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         -                                 u/u                              
eth0.6       -                                 u/u  Internet (PPPoE)            
eth1         10.0.10.1/24                      u/u  LAN Secondary               
eth2         -                                 u/u  Local                       
eth3         -                                 u/u  Local                       
eth4         192.168.1.1/24                    u/u  Local                       
eth5         -                                 u/D                              
lo           127.0.0.1/8                       u/u                              
             ::1/128                                                            
pppoe0       80.28.137.143                     u/u                              
switch0      10.0.0.1/24                       u/u  LAN Primary                 
switch0.20   10.0.20.1/24                      u/u  Guest VLAN 

The routing table looks as follows:

IP Route Table for VRF "default"                                                
K    *> 0.0.0.0/0 [0/0] via pppoe0                                              
C    *> 10.0.0.0/24 is directly connected, switch0                              
C    *> 10.0.10.0/24 is directly connected, eth1                                
C    *> 10.0.20.0/24 is directly connected, switch0.20                          
C    *> 80.28.137.143/32 is directly connected, pppoe0                          
C    *> 80.58.67.181/32 is directly connected, pppoe0                           
C    *> 127.0.0.0/8 is directly connected, lo                                   
C    *> 192.168.1.0/24 is directly connected, eth4  

Both primary and secondary LAN networks have a DHCP server set up which assigns an IP from a .100 to .130 pool and sets gateway and DNS to respectively 10.0.0.1 for primary and 10.0.10.1 for secondary LAN.

With my laptop connected physically to the secondary LAN for example the adapter is configured via DHCP as

Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : ASIX AX88179 USB 3.0 to Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : 00-0E-C6-DB-87-4E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f5e9:e287:e6ab:b52d%21(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.10.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : domingo, 10 de febrero de 2019 12:43:40
   Lease Expires . . . . . . . . . . : lunes, 11 de febrero de 2019 12:43:40
   Default Gateway . . . . . . . . . : 10.0.10.1
   DNS Servers . . . . . . . . . . . : 10.0.10.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Thus connected to the secondary LAN I can ping both hosts on the 10.0.10.0 network and hosts on the primary 10.0.0.0 network.

When I connect my laptop physically or via Wi-Fi to the primary LAN it is configured via DHCP as follows

Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : ASIX AX88179 USB 3.0 to Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : 00-0E-C6-DB-87-4E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f5e9:e287:e6ab:b52d%21(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : domingo, 10 de febrero de 2019 13:03:05
   Lease Expires . . . . . . . . . . : lunes, 11 de febrero de 2019 13:03:04
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

When connected thus to the primary LAN I cannot reach any hosts on the secondary 10.0.10.0 network except the router interface IP for the secondary network (10.0.10.1). I'm unable to reach any other host on the secondary network.

There are no firewall rules in place at all (removed them all for testing) and Windows Firewall has been disabled as well.

I'm all out of ideas what could be the issue here and any help would be greatly appreciated. TIA.

SuperUser
Posts: 8,493
Registered: ‎01-05-2012
Kudos: 2239
Solutions: 1132

Re: ER-X SFP possible routing issue between two LAN

Can you post the config?

New Member
Posts: 4
Registered: ‎02-10-2019

Re: ER-X SFP possible routing issue between two LAN

Of course. Apologies for not doing so in the first place. config.boot as below, minus login and port forwarding rules.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        speed auto
        vif 6 {
            description "Internet (PPPoE)"
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1492
                name-server auto
            }
        }
    }
    ethernet eth1 {
        address 10.0.10.1/24
        description "LAN Secondary"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 192.168.1.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.0.0.1/24
        description "LAN Primary"
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
        vif 20 {
            address 10.0.20.1/24
            description "Guest VLAN"
            mtu 1500
        }
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name GUEST.DHCP {
            authoritative disable
            subnet 10.0.20.0/24 {
                default-router 10.0.20.1
                dns-server 10.0.20.1
                lease 86400
                start 10.0.20.100 {
                    stop 10.0.20.120
                }
            }
        }
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.0.10.0/24 {
                default-router 10.0.10.1
                dns-server 10.0.10.1
                lease 86400
                start 10.0.10.100 {
                    stop 10.0.10.130
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                lease 86400
                start 10.0.0.100 {
                    stop 10.0.0.130
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.8.5142457.181120.1809 */
SuperUser
Posts: 8,493
Registered: ‎01-05-2012
Kudos: 2239
Solutions: 1132

Re: ER-X SFP possible routing issue between two LAN

Assuming that in the primary lan there is the host 10.0.0.10, if on the edgerouter you issue

sudo tcpdump -ni switch0 host 10.0.0.10 and icmp

Then, from a host on the secondary lan, you ping 10.0.0.10, do you see something in the tcpdump output? Some devices won't allow connections from remote/public networks.
How do you use eth3 and eth4, what devices are hooked up on 'em?
Cheers,
jonatha

New Member
Posts: 4
Registered: ‎02-10-2019

Re: ER-X SFP possible routing issue between two LAN

Thanks for such a quick reply, much appreciated. While doing your troubleshooting steps I discovered that the devices on the secondary network which I was trying to reach from the primary network didn't have their gateway set, so the traffic got dropped at device level. So - I wasted both your time and mine with such a very basic mistake... Terribly sorry.

 

Thanks again,

Regards,

Maarten


SuperUser
Posts: 8,493
Registered: ‎01-05-2012
Kudos: 2239
Solutions: 1132

Re: ER-X SFP possible routing issue between two LAN

"specifically I can't reach the primary LAN network from the secondary LAN network (but the other way around works fine)"

A device without the default-gateway won't be able to talk with different networks, neither to connect nor even to respond (unless some NAT rules, but that doesn't seem the case here)... Odd that you were able to ping a device in a different network and without the default-gateway set, and get the responses; anyway, if now it works...
Cheers,
jonatha

New Member
Posts: 4
Registered: ‎02-10-2019

Re: ER-X SFP possible routing issue between two LAN

"specifically I can't reach the primary LAN network from the secondary LAN network (but the other way around works fine)"

That was me going too fast and reporting all wrong. That should have read that "I'm unable to reach the secondary LAN hosts from the primary network" or in reverse. The other way around (reaching out to a host on the primary network from a host on the secondary network) appeared to be working well as I was using my laptop as host on the secondary network and that did have its gateway properly set through DHCP. I never tried it from one of the secondary LAN devices that I was trying to reach from the primary LAN (if I had I would have probably found the root cause sooner...).
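
The one-way reachability worked out in this thread, as an added example that is not part of any post: a small Python model of the request and reply legs of a ping across the router, using the addresses from the posts. The device at 10.0.10.50 and all class and function names are assumptions made for illustration.

```python
import ipaddress

# Router addresses taken from the posted config (switch0 and eth1).
ROUTER = [ipaddress.ip_interface(c) for c in ("10.0.0.1/24", "10.0.10.1/24")]

class Host:
    def __init__(self, cidr, gateway=None):
        self.iface = ipaddress.ip_interface(cidr)
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """Where this host sends a packet for dst; None means no route."""
        if dst in self.iface.network:
            return dst                       # on-link, delivered directly
        if self.gateway is not None and self.gateway in self.iface.network:
            return self.gateway              # off-link, via default gateway
        return None                          # off-link and no usable gateway

class RouterAddr(Host):
    """One of the router's own addresses; it answers using connected routes."""
    def next_hop(self, dst):
        return dst if any(dst in r.network for r in ROUTER) else None

def leg(sender, dst_ip):
    """True if a packet from sender can be delivered to dst_ip."""
    hop = sender.next_hop(dst_ip)
    if hop is None:
        return False
    if hop == dst_ip:
        return True
    # Sent to a gateway: it must be the router, with a connected route to dst.
    return any(hop == r.ip for r in ROUTER) and any(dst_ip in r.network for r in ROUTER)

def ping(src, dst):
    """Check the echo request leg first, then the echo reply leg."""
    if not leg(src, dst.iface.ip):
        return "request lost"
    if not leg(dst, src.iface.ip):
        return "request delivered, reply lost"
    return "reply"

# Constructed hosts: addresses follow the thread, 10.0.10.50 is hypothetical.
laptop_primary = Host("10.0.0.103/24", "10.0.0.1")
laptop_secondary = Host("10.0.10.101/24", "10.0.10.1")
pc_primary = Host("10.0.0.10/24", "10.0.0.1")
device_no_gw = Host("10.0.10.50/24")          # gateway never configured
router_eth1 = RouterAddr("10.0.10.1/24")

if __name__ == "__main__":
    print(ping(laptop_secondary, pc_primary), "|", ping(laptop_primary, device_no_gw))
```

The model shows why the router address 10.0.10.1 answered from the primary LAN while the devices behind it did not: the request reaches them, but they have no route for the reply.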