one subnet unreachable from one subnet

2024-09-04 11:16:59
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.4.2

Dear Community!

 

I have some strange behavior on a multi-site environment with 2x ER8411, 2x ER7206, OC200, some APs and some SG and TL switches...

Basically relevant for the problem are three sites:

 

Site 1, my location, everything is "fine" here:

ER8411; 2xWAN (Cable+LTE), 4xLANs (VLAN 1: 192.168.11.1/24; VLAN200: 192.168.200.1/23; VLAN101 192.168.101.1/24; VLAN102: 192.168.102.1/25)

"unmanaged" and (non Omada managed) switches, VLANs work fine here

OC200 (WAN reachable, Ports forwarded)

VLAN1 is my Office LAN with servers, printers, clients, VLAN200 is my IoT Stuff and NAS, home WiFi, Cameras and one IP-phone, VLAN101 is a customer preparation LAN, where I set up customers computers, VLAN102 is Guest WiFi.

 

Site 2. main Office - where the problem shows up

ER8411; 2WAN (xDSL+Fibre), 3 LANs (VLAN 10: 192.168.0.1/24, VLAN 4: 192.168.4.1/24, VLAN5 192.168.5.1/24)
This site is on the list for switch upgrades and better segmentation.  

T1600G-28PS v3, T1500G-10PS v2, T1500G10MPS v2 and a bunch of dumb PoE desktop switches for Wifi- and telephony power distribution.

VLAN10 is the Main Network with everything mixed together

1-10 GW+Switches
11-40 WiFi Clients
41-60 IoT Stuff
60-80 Printers
81-100 Servers (windows PDC), NAS, etc.
101-128 Clients
129+130 reserved
131-172 telephony
173-254 reserved

The other 2 are not yet used

 

Site 3. Remote Backup-Cellar

ER7206v1: 2WAN (Fibre+LTE), 4 LANS (VLAN152: 192.168.23.1/24, VLAN15: 10.230.112.241/28, VLAN23 192.168.6.1/24, VLAN231: 192.168.55.1/24)

SG2210MP V4.2 uplinked on port 8 (all VLANs),
Port 1: A Windows Server in VLAN 23: 192.168.6.10, DC, backup target
Port 5: An important (but not configurable) management device in VLAN15 10.230.112.242
Port 6: PoE Linked EAP610 Outdoor doing Wifi for Cameras and my smartphone, when I am on that site (WiFi VLAN231)…. That simple

There are three other sites (home offices), that don’t have any trouble at all.

NO ACLs, no individual routing (neither on devices nor in omada) no other problems currently.

It is all about that 10.230.112.242 device. A micro-computer for managing power, heating and cooling of the building, accessed via VNC (heating/cooling) and Web (power regulation).

I cannot reach it from where it is needed most: The 192.168.0.1/24 network at site 2.

I can reach it from any other subnet and from 192.168.0.xx, I can ping the 10.230.112.241 gateway, but not that single device…

VPN tunnels are all the same: All networks on both ends

There are tunnels between all sites:

Site1

Tunnel to Site2:
192.168.11.0/24<>192.168.0.0/24

Tunnel to Site3:
192.168.11.0/24<>192.168.6.0/24; 192.168.23.0/24; 10.230.112.240/28

(and Site4, Site5, Site6 (10.124.1.0/25, I mention it because it’s a class A/25 network that works pretty well))

Site2

Tunnel to Site1:
192.168.0.0/24<>192.168.11.0/24

Tunnel to Site3:
192.168.0.0/24<>192.168.6.0/24; 192.168.23.0/24; 10.230.112.240/28

(and Site4, Site5, Site6 (10.124.1.0/25))

Site3

Tunnel to Site1:
192.168.6.0/24; 192.168.23.0/24; 10.230.112.240/28 <>192.168.11.0/24

Tunnel to Site2:
192.168.6.0/24; 192.168.23.0/24; 10.230.112.240/28 <>192.168.0.0/24

No other Tunnels, the Home offices don’t need access here

I tried accessing the device from 192.168.6.0 and 192.168.23.0 (both same site) and 192.168.11.0 (Site 1) and it works. From the 192.168.0.0 subnet I can ping the GW at 10.230.112.241 (which is the 7206 that reports omada control on Port80), but not the device @242.

 

 

ANY IDEAS ANYONE?

I know I miss something, but I can't see what. So any help, hint, etc. is very much appreciated! Thank you!

 

 

Re:one subnet unreachable from one subnet
2024-09-06 02:36:24

Hi @Wienumgebung 

Thanks for posting in our business forum.

Configs look okay to me. I briefly looked through them.

Multiple site to site, we have a guide as well. If you want to examine it again, you can search this on our forum.

 

I see that you cannot access from Site 2 to Site 3, I got a question, what does it look like in tracert?

Have you compared the traceroute between the working and non-working sites?

Best Regards!
Re:one subnet unreachable from one subnet
2024-09-06 06:15:21

  @Clive_A Thanks for your reply!

 

(sorry for German ping/tracert output)

 

is there an option (I never found one) to enable ICMP replies on Omada?

 

tracert from Site 1:

 

Routenverfolgung zu heizung.xxxxxxx.local [10.230.112.242]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  192.168.11.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     9 ms     *       10 ms  heizung.hausverwaltung.local [10.230.112.242]

Ablaufverfolgung beendet.

 

 

tracert from Site 2:


Routenverfolgung zu heizung.xxxxxxx.local [10.230.112.242]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     *        *        *     Zeitüberschreitung der Anforderung.
  5     *        *        *     Zeitüberschreitung der Anforderung.
  6     *        *        *     Zeitüberschreitung der Anforderung.
  7     *        *        *     Zeitüberschreitung der Anforderung.
  8     *        *        *     Zeitüberschreitung der Anforderung.
  9     *        *        *     Zeitüberschreitung der Anforderung.
 10     *        *        *     Zeitüberschreitung der Anforderung.
 11     *        *        *     Zeitüberschreitung der Anforderung.
 12     *        *        *     Zeitüberschreitung der Anforderung.
 13     *        *        *     Zeitüberschreitung der Anforderung.
 14     *        *        *     Zeitüberschreitung der Anforderung.
 15     *        *        *     Zeitüberschreitung der Anforderung.
 16     *        *        *     Zeitüberschreitung der Anforderung.
 17     *        *        *     Zeitüberschreitung der Anforderung.
 18     *        *        *     Zeitüberschreitung der Anforderung.
 19     *        *        *     Zeitüberschreitung der Anforderung.
 20     *        *        *     Zeitüberschreitung der Anforderung.
 21     *        *        *     Zeitüberschreitung der Anforderung.
 22     *        *        *     Zeitüberschreitung der Anforderung.
 23     *        *        *     Zeitüberschreitung der Anforderung.
 24     *        *        *     Zeitüberschreitung der Anforderung.
 25     *        *        *     Zeitüberschreitung der Anforderung.
 26     *        *        *     Zeitüberschreitung der Anforderung.
 27     *        *        *     Zeitüberschreitung der Anforderung.
 28     *        *        *     Zeitüberschreitung der Anforderung.
 29     *        *        *     Zeitüberschreitung der Anforderung.
 30     *        *        *     Zeitüberschreitung der Anforderung.

Ablaufverfolgung beendet.

 

Site 2 omada Gateway routing table:

ID  DESTINATION IP/SUBNETS  NEXT HOP  INTERFACE    METRIC
1   0.0.0.0 / 0             wanip1    WAN/LAN5     0
2   0.0.0.0 / 0             wanip2    WAN/LAN4     0
3   1.1.1.1                 wanip1    WAN/LAN5     0
4   8.8.8.8                 wanip1    WAN/LAN5     0
5   wanip2 / 29             0.0.0.0   WAN/LAN4     0
6   wanip1 / 30             0.0.0.0   WAN/LAN5     0
7   192.168.0.0 / 24        0.0.0.0   Default      0
8   192.168.4.0 / 24        0.0.0.0   VL4RESTRICT  0
9   192.168.5.0 / 24        0.0.0.0   VL5GUEST     0

 

Site3 routing table:

ID  DESTINATION IP/SUBNETS  NEXT HOP  INTERFACE  METRIC
1   0.0.0.0 / 0             WANIP     WAN        0
2   1.1.1.1                 WANIP     WAN        0
3   8.8.8.8                 WANIP     WAN        0
4   WANIP / 24              0.0.0.0   WAN        0
5   WANIP / 24              0.0.0.0   WAN        0
6   10.230.112.240 / 28     0.0.0.0   HEIZUNG    0
7   192.168.6.0 / 24        0.0.0.0   Default    0
8   192.168.55.0 / 24       0.0.0.0   Wifi23     0

 

I already tried to switch the management VLAN on site 3 to the 10.230.112.240 VLAN to have the switch's address there, 10.230.112.243, as another gateway, but that doesn't do anything, of course :)

 

....

After re-configuring site 3 on Wednesday evening (including resetting and forgetting Gateway and Switch, using new VLAN IDs and Names), another problem occurred, I'm not sure if it may be related to the network or be a device-problem.

 

from where it is reachable, I can no longer connect to my device @10.230.112.242 via VNC and have a >50% loss on pings..

 

Ping wird ausgeführt für heizung.xxxxxxx.local [10.230.112.242] mit 32 Bytes Daten:
Antwort von 10.230.112.242: Bytes=32 Zeit=13ms TTL=62
Antwort von 10.230.112.242: Bytes=32 Zeit=13ms TTL=62
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=13ms TTL=62
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=15ms TTL=62
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=13ms TTL=62
Antwort von 10.230.112.242: Bytes=32 Zeit=16ms TTL=62
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=15ms TTL=62
Antwort von 10.230.112.242: Bytes=32 Zeit=9ms TTL=62
Antwort von 10.230.112.242: Bytes=32 Zeit=12ms TTL=62
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=11ms TTL=62

Ping-Statistik für 10.230.112.242:
    Pakete: Gesendet = 21, Empfangen = 10, Verloren = 11
    (52% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 9ms, Maximum = 16ms, Mittelwert = 13ms

 

This isn't my only multi-site network, but my "first" and oldest. It was originally set up in 2006 with three Cisco ASA5505s, later with TL-ER6210s that were replaced with the 8411s, 7206s and the OC200 this year after establishing Omada on site 1 last year.

Re:one subnet unreachable from one subnet
2024-09-09 04:06:07

Hi @Wienumgebung 

Thanks for posting in our business forum.

Site 2 is getting a public IP on the WAN interface which is used for the IPsec as well?

About the working S1 and S3, routing table?

If this does not work, is there anything different from the IPsec config? Try to reconfigure the IPsec between S2 and S3?

 

The high loss is happening between the S2 and S3?

 

Avoid any overlap subnet in all the sites.

If this does not go well, I need a full picture of your network. Diagram with IPs specified. Routing tables, and IPsec configuration screenshots.

 

Please mosaic your sensitive information. Here is a list of information considered sensitive:

1. Public IP address on your WAN if your WAN is.

2. Real MAC address of your device.

3. Your personal information including address, domain name, and credentials.

For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.

Best Regards!
Re:one subnet unreachable from one subnet
2024-09-09 11:15:07

  @Clive_A 

 

Thank you!

 

All sites have WAN IPs on all connected WAN interfaces. Only Site 1 and 2 have two WAN connections.

Site 1 ER8411 WAN Ports are SFP+WAN1 (static via DHCP 81.x.x.x/30) and WAN/LAN4 (static DHCP 192.168.1.3/24 LTE Backup behind NAT)

Site 2 ER8411 WAN Ports are WAN/LAN4 (static manual 178.x.x.x/29) and WAN/LAN5 (static DHCP 212.x.x.x/30). SFP unused

Site 3 ER7206 WAN Port is WAN (static DHCP 212.x.x.x/24), SFP unused

 

Site1 Routing Table:

1 0.0.0.0 / 0 SiteOneWANIP SFP+ WAN1 0
2 0.0.0.0 / 0 192.168.1.1 WAN/LAN4 0
3 1.1.1.1 SiteOneWANIP SFP+ WAN1 0
4 8.8.8.8 SiteOneWANIP SFP+ WAN1 0
5 10.1.1.2 0.0.0.0 tun_server0 0
6 SiteOneWANIP_network / 24 0.0.0.0 SFP+ WAN1 0
7 192.168.1.0 / 24 (LTE BACKUP) 0.0.0.0 WAN/LAN4 0
8 192.168.1.1 (LTE BACKUP) 0.0.0.0 WAN/LAN4 0
9 192.168.11.0 / 24  0.0.0.0 Default 0
10 192.168.101.0 / 24 0.0.0.0 SAN 0
11 192.168.200.0 / 23 0.0.0.0 EXT200 0

 

I already tried to re setup the S2<>S3 Tunnel, switched initiator/responder sides...

Here are the configs:

Site3 <> Site1, working

 

 

Site 3 <> Site 2 trouble to just the 10.230.x.x. subnet

 

 

VLANs on Site 3 - "Heizung" is predefined by that office building's central heating manufacturer and can't be changed. The central heating has a LAN port that is connected to the switch (when onsite I already tried to connect it to a router LAN port with the VLAN mapped):

 

There are only 3 stationary clients on that Site: A backup server (192.168.6.10 on the default VLAN 152; domain controller, DNS, WAN-ISCSI Target for Backup), an IP-cam on Wifi (192.168.55.3 on VLAN 231) and that central heating management interface (10.230.112.242 on VLAN 241, error-log on webserver and VNC schematics display )

 

 

Connected to the following omada devices:

 

Router: ER7206

Switch SG2210MP v4.20, given 10.230.112.243 in VLAN 241

(both Gateway @10.230.112.241 and "SwitchGW" @ 10.230.112.243 are reachable and pingable from all VLANs, including the Site2 192.168.0.0 network)

 

 

 

 

 

there are no overlapping ip ranges. OC200 is located @Site1, default VLAN.

 

The high loss is happening everywhere in Omada Setup.

 

On the weekend I tried to revert the setup to the old config (R600VPN on site 3, with only the 10.230.112.240/28 default VLAN and only one low security tunnel to Site 2, so server, no camera). There it works... ~12-15 ms ping... 

That makes me believe it's not a hardware fault on the device.

 

global overview:

Sites 4 and 5 are omada ER605 based home offices, there is a 6th, non Omada remote site with tunnels to site 1 and 2 (site6 local 10.124.1.0/24 working as well...) 
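As an added example (not part of any post in this thread, and not TP-Link or Omada code): a Python consistency check over the tunnel selectors listed in the first post and the connected subnets from the routing tables posted above. It verifies that each tunnel is mirrored on its peer, that no site subnets overlap, that every local selector still exists as a connected subnet, and that a given source/destination pair is carried in both directions. The host address 192.168.0.50 is constructed.

```python
"""Consistency checks for site-to-site IPsec traffic selectors (added example)."""
from ipaddress import ip_address, ip_network

# Connected LAN subnets per site, transcribed from the posted routing tables.
CONNECTED = {
    "site1": ["192.168.11.0/24", "192.168.101.0/24", "192.168.200.0/23"],
    "site2": ["192.168.0.0/24", "192.168.4.0/24", "192.168.5.0/24"],
    "site3": ["10.230.112.240/28", "192.168.6.0/24", "192.168.55.0/24"],
}

# Tunnel selectors as listed in the first post: (owner, peer) -> (local, remote).
S3 = ["192.168.6.0/24", "192.168.23.0/24", "10.230.112.240/28"]
TUNNELS = {
    ("site1", "site2"): (["192.168.11.0/24"], ["192.168.0.0/24"]),
    ("site1", "site3"): (["192.168.11.0/24"], S3),
    ("site2", "site1"): (["192.168.0.0/24"], ["192.168.11.0/24"]),
    ("site2", "site3"): (["192.168.0.0/24"], S3),
    ("site3", "site1"): (S3, ["192.168.11.0/24"]),
    ("site3", "site2"): (S3, ["192.168.0.0/24"]),
}


def nets(cidrs):
    """Parse a list of CIDR strings into a set of network objects."""
    return {ip_network(c) for c in cidrs}


def mirror_mismatches(tunnels):
    """Tunnels whose peer does not define the exact mirror-image selectors."""
    problems = []
    for (a, b), (local, remote) in sorted(tunnels.items()):
        peer = tunnels.get((b, a))
        if peer is None:
            problems.append(f"{a}->{b}: no tunnel defined on {b}")
        elif nets(peer[0]) != nets(remote) or nets(peer[1]) != nets(local):
            problems.append(f"{a}->{b}: selectors are not mirrored on {b}")
    return problems


def cross_site_overlaps(connected):
    """Pairs of connected subnets at different sites that overlap."""
    items = [(s, ip_network(c)) for s, cs in sorted(connected.items()) for c in cs]
    return [(s1, str(n1), s2, str(n2))
            for i, (s1, n1) in enumerate(items)
            for s2, n2 in items[i + 1:]
            if s1 != s2 and n1.overlaps(n2)]


def stale_local_selectors(tunnels, connected):
    """Local selectors that overlap no connected subnet on the owning site."""
    stale = set()
    for (owner, _peer), (local, _remote) in tunnels.items():
        have = nets(connected[owner])
        for net in nets(local):
            if not any(net.overlaps(c) for c in have):
                stale.add((owner, str(net)))
    return sorted(stale)


def carries(tunnels, a_site, b_site, a_ip, b_ip):
    """True when a_site's tunnel to b_site selects traffic a_ip -> b_ip."""
    sel = tunnels.get((a_site, b_site))
    if sel is None:
        return False
    a, b = ip_address(a_ip), ip_address(b_ip)
    return any(a in n for n in nets(sel[0])) and any(b in n for n in nets(sel[1]))


def path_covered(tunnels, src_site, src_ip, dst_site, dst_ip):
    """True when both the forward and the return selectors match the flow."""
    return (carries(tunnels, src_site, dst_site, src_ip, dst_ip)
            and carries(tunnels, dst_site, src_site, dst_ip, src_ip))


if __name__ == "__main__":
    print("mirror mismatches :", mirror_mismatches(TUNNELS))
    print("cross-site overlap:", cross_site_overlaps(CONNECTED))
    print("stale selectors   :", stale_local_selectors(TUNNELS, CONNECTED))
    # 192.168.0.50 is a constructed Site 2 host; .242 is the device in question.
    print("site2 -> .242     :",
          path_covered(TUNNELS, "site2", "192.168.0.50", "site3", "10.230.112.242"))
```

On the posted data the selectors are mirrored and free of overlaps, and the Site 2 to 10.230.112.242 flow is selected in both directions; the only finding is that 192.168.23.0/24 is still a Site 3 selector although it no longer appears as a connected subnet in the Site 3 routing table. Whether that is related to the fault is not established in the thread.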

Re:one subnet unreachable from one subnet
2024-09-09 11:29:53

Maybe that helps:

Switch running config site 3, I just moved its management IF back to the default VLAN:

 

 

!SG2210MP
#
vlan 152
#
vlan 231
#
vlan 241
#
hostname "PoE Switch SRS15"
location ""
contact-info ""
ip management-vlan 152
ip fallback 192.168.6.2 255.255.255.0 192.168.6.1
#
system-time ntp UTC+01:00 time.google.com  12
no system-time dst
#
sdm prefer omada
#
jumbo-size 9216
#
no protocol-vlan template 1
no protocol-vlan template 1
no protocol-vlan template 1
no protocol-vlan template 1
no protocol-vlan template 1
#
no dot1x handshake
#
user name XXX privilege admin secret XXXXXXXXXXXXXX
no service reset-disable
#
no ip ssh server
#
spanning-tree max-hops 40
#
no snmp-server
#
ip http server
#
ip igmp snooping
no voice vlan oui 00:01:E3
no voice vlan oui 00:03:6B
no voice vlan oui 00:12:43
no voice vlan oui 00:0F:E2
no voice vlan oui 00:60:B9
no voice vlan oui 00:D0:1E
no voice vlan oui 00:E0:75
no voice vlan oui 00:E0:BB
no voice vlan oui 00:04:0D
no voice vlan oui 00:1B:4F
no voice vlan oui 00:04:13
#
lldp
#
ipv6 routing
ip route 0.0.0.0 0.0.0.0 192.168.6.1
#
time-range "1388556280"
  holiday include
  periodic start 00:15 end 24:00 day-of-the-week 1,2,3,4,5,6,7
#
time-range "915383525"
  holiday include
  periodic start 00:00 end 24:00 day-of-the-week 1
  periodic start 00:00 end 24:00 day-of-the-week 2
  periodic start 00:00 end 23:45 day-of-the-week 3
  periodic start 00:00 end 24:00 day-of-the-week 4
  periodic start 00:00 end 24:00 day-of-the-week 5
  periodic start 00:00 end 24:00 day-of-the-week 6
  periodic start 00:00 end 24:00 day-of-the-week 7
#
profile ip id 363386247 ip 0.0.0.0/0
profile ipv6 id 1 ipv6 ::/0
profile network id 1678934789 vid 152 ip 192.168.6.1/24
profile network id 473337714 vid 241 ip 10.230.112.241/28
profile network id 140731644 vid 231 ip 192.168.55.1/24
#
access-list mac mode blacklist
access-list ip mode blacklist
access-list combine mode blacklist
access-list ipv6 mode blacklist
access-list packet-content mode blacklist
#
no boot autoinstall auto-save
no boot autoinstall auto-reboot
#
auto-voip
#
no controller cloud-based
cloud-firmware upgrade auto-check
interface vlan 1
  ip address-alloc dhcp
  no ipv6 enable
#
interface vlan 152
  ip address-alloc dhcp
  no ipv6 enable
#
interface vlan 241
  ip address-alloc dhcp
  no ipv6 enable
#
interface gigabitEthernet 1/0/1
  switchport general allowed vlan 152 untagged
  switchport general allowed vlan 231,241 tagged
  switchport pvid 152
  no switchport general allowed vlan 1
  lldp med-status
  loopback-detection config process-mode port-based recovery-mode auto
  loopback-detection
#
interface gigabitEthernet 1/0/2
  switchport general allowed vlan 152 untagged
  switchport pvid 152
  no switchport general allowed vlan 1
  lldp med-status
  loopback-detection config process-mode port-based recovery-mode auto
  loopback-detection
#
interface gigabitEthernet 1/0/3
  switchport general allowed vlan 152 untagged
  switchport general allowed vlan 231,241 tagged
  switchport pvid 152
  no switchport general allowed vlan 1
  lldp med-status
  loopback-detection config process-mode port-based recovery-mode auto
  loopback-detection
#
interface gigabitEthernet 1/0/4
  switchport general allowed vlan 241 untagged
  switchport pvid 241
  no switchport general allowed vlan 1
  lldp med-status
  power inline supply disable
#
interface gigabitEthernet 1/0/5
  switchport general allowed vlan 152 untagged
  switchport general allowed vlan 231,241 tagged
  switchport pvid 152
  no switchport general allowed vlan 1
  lldp med-status
  loopback-detection config process-mode port-based recovery-mode auto
  loopback-detection
#
interface gigabitEthernet 1/0/6
  switchport general allowed vlan 152 untagged
  switchport general allowed vlan 231,241 tagged
  switchport pvid 152
  no switchport general allowed vlan 1
  lldp med-status
  loopback-detection config process-mode port-based recovery-mode auto
  loopback-detection
#
interface gigabitEthernet 1/0/7
  switchport general allowed vlan 152 untagged
  switchport general allowed vlan 231,241 tagged
  switchport pvid 152
  no switchport general allowed vlan 1
  lldp med-status
  loopback-detection config process-mode port-based recovery-mode auto
  loopback-detection
#
interface gigabitEthernet 1/0/8
  switchport general allowed vlan 152 untagged
  switchport general allowed vlan 231,241 tagged
  switchport pvid 152
  no switchport general allowed vlan 1
  lldp med-status
  loopback-detection config process-mode port-based recovery-mode auto
  loopback-detection
#
interface gigabitEthernet 1/0/9
  switchport general allowed vlan 152 untagged
  switchport general allowed vlan 231,241 tagged
  switchport pvid 152
  no switchport general allowed vlan 1
  lldp med-status
  loopback-detection config process-mode port-based recovery-mode auto
  loopback-detection
#
interface gigabitEthernet 1/0/10
  switchport general allowed vlan 152 untagged
  switchport general allowed vlan 231,241 tagged
  switchport pvid 152
  no switchport general allowed vlan 1
  lldp med-status
  loopback-detection config process-mode port-based recovery-mode auto
  loopback-detection
#
ip igmp snooping vlan-config 152
ip igmp snooping vlan-config 152 ltime 1
end

 

Re:one subnet unreachable from one subnet
2024-09-10 07:24:40

Hi @Wienumgebung 

Thanks for posting in our business forum.

Config-ly there is no issue I can find.

What is the device of .242? Can you specify it?

For the entire subnet of 192.168.0.1/24, none can ping it? Even if the router 192.168.0.1 cannot access the .242?

Let me put my thoughts here.

It should not be a VLAN issue or IPsec problem. The tunnel is up and others can access it. It should be perfectly fine. No issues.

Best Regards!
Re:one subnet unreachable from one subnet
2024-09-10 12:46:39

  @Clive_A 

 

The device @242 is an industry PC running an unknown Linux Distribution. It is the diagnostic interface for the building-management (heating, cooling, water, power of a large office building). For us it offers Logs on website @port80 and VNC redirection to its touchscreen (info and error management). It is preconfigured to 10.230.112.242/28 with 10.230.112.241 to be the only/default gateway.

 

The building is ~3 hours away from me and has 500Mbit symmetrical Internet access, so we swapped the old R600VPN for the ER7206, added a PoE switch and an access point, and brought a server (192.168.6.10 @default VLAN) there for backup that btw. works perfectly fine.

 

Between Site 2 192.168.0.x and Site 3 192.168.6.x we have around 1-4ms ping. The same for the GW 10.230.112.241 or when I configured the switch as 243 in that vlan.

But not a single ping got through to 242.

From all other mapped subnets I at least get the pings with high loss...

But I don't think there are two separate problems, but one very mysterious:

1.) The "denial" for the 192.168.0.0 subnet

2.) the high loss from anywhere into the 10.230.112.240/28 subnet. 

They stick together:

I just tried the following: Configured the switch again to have an interface in the 240/28 VLAN with IP 252. I get through 1 single ping from any VPN-mapped subnet. Each for every client. Not a second one, so I am starting to think of the switch (or its either subnet or IP routing) to be the "troublemaker" (but I tried 242 on a router port too without any better result last week).

 

Site1:

192.168.11.178 ping to switch -n 20:

Ping wird ausgeführt für 10.230.112.252 mit 32 Bytes Daten:
Antwort von 10.230.112.252: Bytes=32 Zeit=18ms TTL=62
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 10.230.112.252:
    Pakete: Gesendet = 20, Empfangen = 1, Verloren = 19
    (95% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 18ms, Maximum = 18ms, Mittelwert = 18ms

---

192.168.11.178 tracert 10.230.112.252

Routenverfolgung zu 10.230.112.252 über maximal 30 Hops

  1     1 ms     1 ms    <1 ms  192.168.11.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4    19 ms     *        *     10.230.112.252
  5     *        *        *     Zeitüberschreitung der Anforderung.
  6     *        *        *     Zeitüberschreitung der Anforderung.
  7     *        *        *     Zeitüberschreitung der Anforderung.
  8     *        *        *     Zeitüberschreitung der Anforderung.
  9     *        *        *     Zeitüberschreitung der Anforderung.
 10     *        *        *     Zeitüberschreitung der Anforderung.
 11     *        *        *     Zeitüberschreitung der Anforderung.
 12     *        *        *     Zeitüberschreitung der Anforderung.
 13     *        *        *     Zeitüberschreitung der Anforderung.
 14     *        *        *     Zeitüberschreitung der Anforderung.
 15     *        *        *     Zeitüberschreitung der Anforderung.
 16     *        *        *     Zeitüberschreitung der Anforderung.
 17     *        *        *     Zeitüberschreitung der Anforderung.
 18     *        *        *     Zeitüberschreitung der Anforderung.
 19     *        *        *     Zeitüberschreitung der Anforderung.
 20     *        *        *     Zeitüberschreitung der Anforderung.
 21     *        *        *     Zeitüberschreitung der Anforderung.
 22     *        *        *     Zeitüberschreitung der Anforderung.
 23     *        *        *     Zeitüberschreitung der Anforderung.
 24     *        *        *     Zeitüberschreitung der Anforderung.
 25     *        *        *     Zeitüberschreitung der Anforderung.
 26     *        *        *     Zeitüberschreitung der Anforderung.
 27     *        *        *     Zeitüberschreitung der Anforderung.
 28     *        *        *     Zeitüberschreitung der Anforderung.
 29     *        *        *     Zeitüberschreitung der Anforderung.
 30     *        *        *     Zeitüberschreitung der Anforderung.

Ablaufverfolgung beendet.

 

 

192.168.11.178 ping to gateway -n 20:

Ping wird ausgeführt für 10.230.112.241 mit 32 Bytes Daten:
Antwort von 10.230.112.241: Bytes=32 Zeit=13ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=13ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=13ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=13ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=12ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=12ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=15ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=14ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=15ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=12ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=10ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=9ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=8ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=12ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=8ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=11ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=9ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=12ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=8ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=12ms TTL=62

Ping-Statistik für 10.230.112.241:
    Pakete: Gesendet = 20, Empfangen = 20, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 8ms, Maximum = 15ms, Mittelwert = 11ms

No loss, normal VPN latency

---

192.168.11.178 tracert 10.230.112.241

Routenverfolgung zu 10.230.112.241 über maximal 30 Hops

  1     1 ms    <1 ms    <1 ms  192.168.11.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4    17 ms    15 ms    14 ms  10.230.112.241

Ablaufverfolgung beendet.

 

192.168.11.178 ping to device -n 20:

Ping wird ausgeführt für 10.230.112.242 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=12ms TTL=62
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=19ms TTL=62
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=11ms TTL=62
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=9ms TTL=62
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=11ms TTL=62
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=12ms TTL=62
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=16ms TTL=62

Ping-Statistik für 10.230.112.242:
    Pakete: Gesendet = 20, Empfangen = 7, Verloren = 13
    (65% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 9ms, Maximum = 19ms, Mittelwert = 12ms

...heavy loss

---

192.168.11.178 tracert 10.230.112.242

Routenverfolgung zu heizung.hausverwaltung.local [10.230.112.242]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  192.168.11.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4    12 ms     *        9 ms  heizung.hausverwaltung.local [10.230.112.242]

Ablaufverfolgung beendet.

 

Site 2:

 

192.168.0.86 ping to switch -n 20:

Ping wird ausgeführt für 10.230.112.252 mit 32 Bytes Daten:
Antwort von 10.230.112.252: Bytes=32 Zeit=9ms TTL=62
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 10.230.112.252:
    Pakete: Gesendet = 20, Empfangen = 1, Verloren = 19
    (95% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 9ms, Maximum = 9ms, Mittelwert = 9ms

---

192.168.0.86 tracert 10.230.112.252

Routenverfolgung zu 10.230.112.252 über maximal 30 Hops

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     5 ms     *        *     10.230.112.252
  5     *        *        *     Zeitüberschreitung der Anforderung.
  6     *        *        *     Zeitüberschreitung der Anforderung.
  7     *        *        *     Zeitüberschreitung der Anforderung.
  8     *        *        *     Zeitüberschreitung der Anforderung.
  9     *        *        *     Zeitüberschreitung der Anforderung.
 10     *        *        *     Zeitüberschreitung der Anforderung.
 11     *        *        *     Zeitüberschreitung der Anforderung.
 12     *        *        *     Zeitüberschreitung der Anforderung.
 13     *        *        *     Zeitüberschreitung der Anforderung.
 14     *        *        *     Zeitüberschreitung der Anforderung.
 15     *        *        *     Zeitüberschreitung der Anforderung.
 16     *        *        *     Zeitüberschreitung der Anforderung.
 17     *        *        *     Zeitüberschreitung der Anforderung.
 18     *        *        *     Zeitüberschreitung der Anforderung.
 19     *        *        *     Zeitüberschreitung der Anforderung.
 20     *        *        *     Zeitüberschreitung der Anforderung.
 21     *        *        *     Zeitüberschreitung der Anforderung.
 22     *        *        *     Zeitüberschreitung der Anforderung.
 23     *        *        *     Zeitüberschreitung der Anforderung.
 24     *        *        *     Zeitüberschreitung der Anforderung.
 25     *        *        *     Zeitüberschreitung der Anforderung.
 26     *        *        *     Zeitüberschreitung der Anforderung.
 27     *        *        *     Zeitüberschreitung der Anforderung.
 28     *        *        *     Zeitüberschreitung der Anforderung.
 29     *        *        *     Zeitüberschreitung der Anforderung.
 30     *        *        *     Zeitüberschreitung der Anforderung.

Ablaufverfolgung beendet.

WHAT IS HAPPENING HERE?

 

192.168.0.86 ping to gateway -t:

Ping wird ausgeführt für 10.230.112.241 mit 32 Bytes Daten:
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=4ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=2ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=4ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=4ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=4ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=4ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=4ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=4ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=3ms TTL=62
Antwort von 10.230.112.241: Bytes=32 Zeit=4ms TTL=62

Ping-Statistik für 10.230.112.241:
    Pakete: Gesendet = 20, Empfangen = 20, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 2ms, Maximum = 4ms, Mittelwert = 3ms

---

192.168.0.86 tracert 10.230.112.241

Routenverfolgung zu 10.230.112.241 über maximal 30 Hops

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     3 ms     3 ms     3 ms  10.230.112.241

Ablaufverfolgung beendet.

 

192.168.0.86 ping to device -n 20:

Ping wird ausgeführt für 10.230.112.242 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 10.230.112.242:
    Pakete: Gesendet = 20, Empfangen = 0, Verloren = 20
    (100% Verlust)

---

192.168.0.86 tracert 10.230.112.242

Routenverfolgung zu heizung.hausverwaltung.local [10.230.112.242]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     *        *        *     Zeitüberschreitung der Anforderung.
  5     *        *        *     Zeitüberschreitung der Anforderung.
  6     *        *        *     Zeitüberschreitung der Anforderung.
  7     *        *        *     Zeitüberschreitung der Anforderung.
  8     *        *        *     Zeitüberschreitung der Anforderung.
  9     *        *        *     Zeitüberschreitung der Anforderung.
 10     *        *        *     Zeitüberschreitung der Anforderung.
 11     *        *        *     Zeitüberschreitung der Anforderung.
 12     *        *        *     Zeitüberschreitung der Anforderung.
 13     *        *        *     Zeitüberschreitung der Anforderung.
 14     *        *        *     Zeitüberschreitung der Anforderung.
 15     *        *        *     Zeitüberschreitung der Anforderung.
 16     *        *        *     Zeitüberschreitung der Anforderung.
 17     *        *        *     Zeitüberschreitung der Anforderung.
 18     *        *        *     Zeitüberschreitung der Anforderung.
 19     *        *        *     Zeitüberschreitung der Anforderung.
 20     *        *        *     Zeitüberschreitung der Anforderung.
 21     *        *        *     Zeitüberschreitung der Anforderung.
 22     *        *        *     Zeitüberschreitung der Anforderung.
 23     *        *        *     Zeitüberschreitung der Anforderung.
 24     *        *        *     Zeitüberschreitung der Anforderung.
 25     *        *        *     Zeitüberschreitung der Anforderung.
 26     *        *        *     Zeitüberschreitung der Anforderung.
 27     *        *        *     Zeitüberschreitung der Anforderung.
 28     *        *        *     Zeitüberschreitung der Anforderung.
 29     *        *        *     Zeitüberschreitung der Anforderung.
 30     *        *        *     Zeitüberschreitung der Anforderung.

Ablaufverfolgung beendet.

 

Site 3:

 

"locally" 192.168.6.10 ping to switch -n 20:

Ping wird ausgeführt für 10.230.112.252 mit 32 Bytes Daten:
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=4ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=2ms TTL=64
Antwort von 10.230.112.252: Bytes=32 Zeit=3ms TTL=64

Ping-Statistik für 10.230.112.252:
    Pakete: Gesendet = 20, Empfangen = 20, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 2ms, Maximum = 4ms, Mittelwert = 2ms

---

192.168.6.10 tracert 10.230.112.252

Routenverfolgung zu 10.230.112.252 über maximal 30 Hops

  1    <1 ms    <1 ms    <1 ms  192.168.6.1
  2     2 ms     2 ms     2 ms  10.230.112.252

Ablaufverfolgung beendet.

 

Ping locally 192.168.6.10 to gateway -n 20:

Ping wird ausgeführt für 10.230.112.241 mit 32 Bytes Daten:
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit=1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit=1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.230.112.241: Bytes=32 Zeit<1ms TTL=64

Ping-Statistik für 10.230.112.241:
    Pakete: Gesendet = 20, Empfangen = 20, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 1ms, Mittelwert = 0ms

---

192.168.6.10 tracert 10.230.112.241

Routenverfolgung zu 10.230.112.241 über maximal 30 Hops

  1    <1 ms    <1 ms    <1 ms  10.230.112.241

Ablaufverfolgung beendet.

 

Ping locally 192.168.6.10 to device -n 20:

Ping wird ausgeführt für 10.230.112.242 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=1ms TTL=63
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=1ms TTL=63
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=1ms TTL=63
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Antwort von 10.230.112.242: Bytes=32 Zeit=1ms TTL=63
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 10.230.112.242:
    Pakete: Gesendet = 20, Empfangen = 4, Verloren = 16
    (80% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 1ms, Maximum = 1ms, Mittelwert = 1ms

----

192.168.6.10 tracert 10.230.112.242

Routenverfolgung zu heizung.xxx.yyy [10.230.112.242]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  192.168.6.1
  2     1 ms     *        1 ms  heizung.xxx.yyy[10.230.112.242]

Ablaufverfolgung beendet.

 

 

 

So I took a look at the switches routing table:

 

and the gateways routing table:

 

and start to guess, the switches routing table may be the problem...

The "static route" (1st line) was added before omada adoption to be able to adopt it at all. It could be removed in "device>Config>static routes", the other 2 routes are set automatically. with enabling the interface for the vlan

When I deactivate it for the HEIZUNG 241 VLAN (subnet 10.230.112.240/28) I have no other ping target in that network, status, we had yesterday

When I deactivate it for the default vlan, I will no longer be able to manage the switch, right?

When I remove or deactivate the static route to the router, I will also no longer be able to manage the switch, right?

would a manual "return" route on the gateway to the switches IP help?

 

AND, what I just found with a few minutes latency:

 

The "firewall" didn't seem to like that many pings:) So maybe I should deactivate  "Stationary Source TCP SYN Flood" and run the pings again?

  

#8
2024-09-10 16:17:17

I created a new vlan 23 "management" and put the switch and AP there, a matching switch profile (Native 23 untagged 23, all others tagged), mapped that to the uplink ports (router and AP) and set routers pvid to 23, set vlan23 as switches management VLAN and disabled its interfaces to the other 3 vlans.

 

I also reconfigured the tunnel (site2<>site3) to site2's other WAN Port (completely different provider) to see if that changes anything in this strange behaviour. Tried disabling the other WAN Port at site2 (I thought maybe "Application Optimized Routing", Link Backup or load balancing would interfere on site2) 

 

But that, sadly, didn't change anything at all.
Maybe loss and reachability are different problems after all.

 

Loss feels like a defective port, but doesn't happen with the R600VPN, maybe some misguided VLAN tags somewhere?

Blocking from the 192.168.0.0 subnet totally feels like a missing route. 
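
The comparison this post is reasoning toward, as an added example that is not part of the original thread: it parses the Gesendet/Empfangen (or Sent/Received) summary lines of the ping outputs posted above and separates loss that is already visible from site 3 itself from loss or blocking that only shows up across the tunnel. The `# src=... local=...` header lines, the 5% threshold and the category names are assumptions of this example.

```python
import re
from collections import defaultdict

# Summary lines as posted in the thread (German and English wording).
# The "# src=... local=..." headers are constructed for this example;
# local=yes marks a vantage point at the target's own site (no tunnel).
CAPTURES = """\
# src=192.168.11.178 local=no
Ping-Statistik für 10.230.112.242:
    Pakete: Gesendet = 20, Empfangen = 7, Verloren = 13
# src=192.168.0.86 local=no
Ping-Statistik für 10.230.112.252:
    Pakete: Gesendet = 20, Empfangen = 1, Verloren = 19
Ping-Statistik für 10.230.112.241:
    Pakete: Gesendet = 20, Empfangen = 20, Verloren = 0
Ping-Statistik für 10.230.112.242:
    Pakete: Gesendet = 20, Empfangen = 0, Verloren = 20
# src=192.168.6.10 local=yes
Ping-Statistik für 10.230.112.252:
    Pakete: Gesendet = 20, Empfangen = 20, Verloren = 0
Ping-Statistik für 10.230.112.241:
    Pakete: Gesendet = 20, Empfangen = 20, Verloren = 0
Ping-Statistik für 10.230.112.242:
    Pakete: Gesendet = 20, Empfangen = 4, Verloren = 16
# src=192.168.23.2 local=yes
Ping statistics for 10.230.112.242:
Packets: Sent = 20 , Received = 6 , Lost = 14 (70% loss)
"""

SRC = re.compile(r"^# src=(\S+) local=(yes|no)$")
TARGET = re.compile(r"(?:Ping-Statistik für|Ping statistics for)\s+([\d.]+)")
STATS = re.compile(
    r"(?:Gesendet|Sent)\s*=\s*(\d+)\s*,\s*(?:Empfangen|Received)\s*=\s*(\d+)")


def parse(text):
    """Return {target: [(source, is_local, loss_fraction), ...]}."""
    results, src, local, target = defaultdict(list), None, False, None
    for line in text.splitlines():
        if m := SRC.match(line):
            src, local = m.group(1), m.group(2) == "yes"
        elif m := TARGET.search(line):
            target = m.group(1)
        elif (m := STATS.search(line)) and src and target:
            sent, received = int(m.group(1)), int(m.group(2))
            if sent:
                results[target].append((src, local, 1 - received / sent))
    return results


def classify(results, lossy=0.05):
    """Return {target: (category, remote sources that get no reply at all)}."""
    verdicts = {}
    for target, rows in results.items():
        local = [loss for _, is_local, loss in rows if is_local]
        remote = {s: loss for s, is_local, loss in rows if not is_local}
        if not local:
            category = "unknown"      # no same-site measurement to compare
        elif min(local) > lossy:
            category = "local-loss"   # lossy even without the tunnel
        elif any(loss > lossy for loss in remote.values()):
            category = "path-loss"    # clean on site, lossy across the tunnel
        else:
            category = "healthy"
        # A source with 100% loss while the target still answers on site has
        # a separate reachability problem on top of any packet loss.
        answers_locally = any(loss < 1.0 for loss in local)
        blocked = sorted(s for s, loss in remote.items()
                         if loss >= 1.0 and answers_locally)
        verdicts[target] = (category, blocked)
    return verdicts


if __name__ == "__main__":
    for target, (category, blocked) in classify(parse(CAPTURES)).items():
        print(target, category, "no reply from:", blocked or "-")
```
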

#9
2024-09-11 01:20:40 - last edited 2024-09-11 06:12:52

Hi @Wienumgebung 

Thanks for posting in our business forum.

Wienumgebung wrote

I created a new vlan 23 "management" and put the switch and AP there, a matching switch profile (Native 23 untagged 23, all others tagged), mapped that to the uplink ports (router and AP) and set routers pvid to 23, set vlan23 as switches management VLAN and disabled its interfaces to the other 3 vlans.

 

I also reconfigured the tunnel (site2<>site3) to site2's other WAN Port (completely different provider) to see if that changes anything in this strange behaviour. Tried disabling the other WAN Port at site2 (I thought maybe "Application Optimized Routing", Link Backup or load balancing would interfere on site2) 

 

But that, sadly, didn't change anything at all.
Maybe loss and reachability are different problems after all.

 

Loss feels like a defective port, but doesn't happen with the R600VPN, maybe some misguided VLAN tags somewhere?

Blocking from the 192.168.0.0 subnet totally feels like a missing route. 

I have experienced user cases where VLAN is misconfigured and this can cause a connection problem. But as now you mentioned other subnets from sites can access the LINUX machine, it would be strange that only one site cannot.

But that's under the context of third-party routers. Not gonna be a problem with the VLAN interface you've created on the Omada router.

 

Can you tell me if you can use this LINUX to ping 192.168.0.1? If you can ping it, but not vice versa, it could be a VLAN issue.

Best Regards!
#10
2024-09-11 09:41:27

  @Clive_A 

 

Thank you so much for your help!!!

 

No, unfortunately I can't do anything "useful" with the machine. Besides setting air- and water temperatures, checking voltages and acknowledging error reports, I can't do anything. On the "system status" it tells me "B&R Diagnostics Manager" ETH01:10.230.112.242/255.255.255.240, GW:10.230.112.241, there is no "admin login" or any access to a console or terminal. There is a service utility available, but that also can't connect.

 

btw. this is the ping / tracert output from the switch (the device is directly connected to port 4):

 

Output for the device: 192.168.23.2 

Pinging 10.230.112.242 with 32 bytes of data :
Reply from 10.230.112.242 : bytes=32 time<16ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.230.112.242 : bytes=32 time<16ms TTL=63
Request timed out.
Reply from 10.230.112.242 : bytes=32 time<16ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Reply from 10.230.112.242 : bytes=32 time<16ms TTL=63
Request timed out.
Request timed out.
Reply from 10.230.112.242 : bytes=32 time<16ms TTL=63
Request timed out.
Request timed out.
Reply from 10.230.112.242 : bytes=32 time<16ms TTL=63
Request timed out.
Request timed out.

Ping statistics for 10.230.112.242:
Packets: Sent = 20 , Received = 6 , Lost = 14 (70% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms , Maximum = 0ms , Average = 0ms

Tracing route to 10.230.112.242 over a maximum of 20 hops

1 192.168.23.1 20 ms 1 ms 1 ms
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 10.230.112.242 1 ms 255ms 1 ms

Trace complete.

 

 

The next steps, when I am at site 3 again, I will try the following:

.) configure a NIC on my notebook to be 10.230.112.245 and try to connect directly and on a spare switch port configured for that vlan to check again if the loss is a NIC or a switch issue. I can try to ping to the 192.168.0.0/24 net, try to access the device, etc.

.) have the R600 with me and use it as a standalone router between the 192.168.6.0/24 and the 10.230.112.240/28 subnet (the lan is configured on the R600, WAN would get 192.168.6.4 and when I'm right I just need a route on Omada that points 6.4 as gateway to that subnet and change the omada vlan subnet temporary to another range e.g. 10.231.112.240/28)... That could help to see if the denial for the 192.168.0.0/24 subnet is related to the sites vlan/routing config.

.) Try to connect the device to a router port with assigned PVID again

 

see if I can ping my notebook from Site2 

 

Do you have any other suggestions, ideas what to try, what to bring,... for my next trip there?

.) Notebook with 2 nics,

.) old R600 router (should be fine, I have a bunch of 6120s as well),

.) new patch cables (the device only has a 100Mbit NIC, so 1m Cat.5 FTP, used now, should be more than fine, but I'll bring Cat.6 S-FTP),

.) ???

 

and one additional question:

is there a chance / option to have the omada devices (tunnel endpoints) tell their ip / reply on echo in traceroute? 

#11