[solved] Static route is not working

For days I have been trying to set one from a local network (family) to a printer in another local network (net). I use LuCI for that.

The only thing I find is "Network / static routes" and it looks very simple.

Under interface: family
Under Destination: IP of the printer
Under IP4 mask 255.255.255.255
Under IP gateway: since I have already tried the default GW of family and lan
Under route type I already tried all entries

I can not ping the printer and can not call the web frontend. I have already extended the network mask on the printer to 255.255.0.0.

Is there anything else to do at the firewall?

Please be more descriptive. Or illustrate

Here is some additional information.

The system
Model: LeMaker Banana Pi
Architecture: ARMv7 Processor rev 4 (v7l)
Firmware Version: OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)

WAN runs over a USB interface. The local networks are set up via vlan.
Both local networks (lan and family) come to the Internet

I suspect that this information will not continue. What information do you need?

We need some more information about the network. How are the router connected, IPs and so on. A picture/drawing of the network would be nice.

Parts of /etc/config/network

config interface 'WAN' # works fine
option ifname 'eth1' # the USB-interface
option proto 'dhcp'

config interface 'family'
option proto 'static'
option ifname 'eth0.3'
option netmask '255.255.255.0'
option ipaddr '192.168.103.254'
option delegate '0'

config interface 'lan'
option type 'bridge' # There was a bridge in the OpenWRT image. Can I delete this line?
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
option ip6assign '60' # I do not need an ip6. Can I delete this line?
option dns '192.168.100.66 192.168.100.141' # internal DNS
option delegate '0'

config route
option interface 'family'
option target '192.168.100.104'
option type 'anycast' # I tried all types
option gateway '192.168.100.1' # or I need 192.168.103.254???

IP of the printer 192.168.100.104

The PC from which I want to access the printer is connected to family and gets its IP from dhcp.

You're using 802.1q VLAN tags (subinterfaces), on a device with a single Ethernet socket. Is it connected to a VLAN-aware switch?

The problem isn't your routing table (both subnets are "connected" directly to the router, so no extra routing definitions are required). The problem is - at a guess - that you're using VLAN tags on equipment which might not be VLAN-aware.

Yes, I use vlan. But all devices (here the PC and the printer) are connected to untagged ports, that means the switch removes the tags from the devices. The devices get nothing from it, that there is a vlan, only the router, of course.

I could not understand your answer.

It's easy enough to test. If all devices are on the same physical L1/L2 network, and you're confident that all VLAN tags get stripped, then you can carry out a test from a single computer.

From a computer in the subnet 192.168.100.0/24, ping the router (192.168.100.1). Does it respond?

Now reconfigure that same computer to give it an IP address in 192.168.103.0/24. For example, 192.168.103.250 (if that address isn't used by anything else). Don't change any cabling or other connections. Simply change the IP address on the computer.

Now ping the router's address in that subnet (192.168.103.254). Does it respond?

The test:
Everyone is hanging on a physical net
IP of the printer is 192.168.100.104

Test1
PC has 192.168.100.114/24 GW 192.168.100.1: all ping go (to 192.168.100.1 own GW, 192.168.100.104 (printer), 192.168.103.254 (foreign GW), Internet)

Test2
PC has 192.168.103.114/24: GW 192.168.103.254: no ping goes. This seems to me local, because the gateway is not reachable.

Have I implemented your test correctly?

with 192.168.103.144/16 and GW 192.168.1.1 all ping works.

Sorry, with 192.168.103.114/16 and GW 192.168.100.1 all ping works.

It would. The /16 mask puts both addresses in the same subnet.

However, the fact that 192.168.103.114/24 cannot ping 192.168.103.254 indicates a possible VLAN segregation (or something else preventing the traffic from reaching the router). At the moment the subnet 192.168.103.0/24 is on VLAN 3 (eth0.3). If you adjust your computer's NIC driver to specifically tag the interface for VLAN 3, does that change the result of the test?

If you draw a diagram of your network, it may help you to work out what routing you need, what firewall rules you need, and what VLANs (if any) you need.

For routing, all any device ever knows is its next hop. Anything beyond the next hop is outside the routing calculation. "I need to reach address X. My next hop is address Y." And then the device with the address Y does the same calculation. "I need to reach address X. My next hop is address Z." And so on.

This cannot be done because the switch port only accepts untagged packets. I tried it anyway and received the expected result: no network connection.

I do not know how to draw this. The question seems simple: there are two networks (192.168.100.0/24 and 192.168.103.0/24). On the IP 192.168.100.104 you should be able to access from 192.168.103.0/24. Is the routing I sent really OK? Do you still need firewall rules?

Pencil and paper. Or pen and paper, if you don't have a pencil to hand.

Map out what you're trying to achieve, then break it down step by step.

Solution found:

Error1: one has to specify the gateway from the target net (192.168.100.1) for the static route. I used the gateway of the source network (192.168.103.254).

Error2: I had changed the network mask of the printer to 255.255.0.0 during debugging. If the printer wants to send a packet to 192.168.103.0/24 the packet will not go to the router and can not be delivered.

Thank you for your help!

Mystery solved. Glad it's working now.
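
Added example, not part of any post in this thread: a small model of the next-hop decision discussed above, showing why the printer's 255.255.0.0 mask breaks the reply path across the two VLANs and why Test2 could not reach its gateway. The `Host`, `deliver` and `round_trip` names are hypothetical, the printer's gateway (192.168.100.1) and the PC address on family are assumed, and the model ignores firewall rules, proxy ARP and ICMP redirects.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Host:
    iface: ipaddress.IPv4Interface  # address and netmask
    gateway: ipaddress.IPv4Address  # default gateway
    segment: str                    # VLAN of the untagged switch port

def host(addr, gw, segment):
    return Host(ipaddress.ip_interface(addr), ipaddress.ip_address(gw), segment)

# Router interfaces as posted in /etc/config/network (eth0 -> lan, eth0.3 -> family).
ROUTER = [
    (ipaddress.ip_interface("192.168.100.1/24"), "lan"),
    (ipaddress.ip_interface("192.168.103.254/24"), "family"),
]

def deliver(src, dst):
    """Trace one packet from src to dst and return how it ends."""
    if dst.iface.ip in src.iface.network:
        # Sender thinks dst is on-link, so it ARPs instead of using the gateway.
        return "direct" if src.segment == dst.segment else "lost: ARP unanswered"
    if src.gateway not in src.iface.network:
        return "lost: gateway not on-link"
    # The gateway must be a router address living on the sender's own segment.
    if not any(i.ip == src.gateway and seg == src.segment for i, seg in ROUTER):
        return "lost: gateway unreachable"
    # Both subnets are directly connected to the router, so it can forward.
    for i, seg in ROUTER:
        if dst.iface.ip in i.network and seg == dst.segment:
            return "routed"
    return "lost: router cannot reach destination"

def round_trip(a, b):
    """Outcome of the request (a -> b) and of the reply (b -> a)."""
    return deliver(a, b), deliver(b, a)

# Constructed hosts using the addresses quoted in the thread.
pc_family = host("192.168.103.114/24", "192.168.103.254", "family")
pc_test2 = host("192.168.103.114/24", "192.168.103.254", "lan")  # Test2 setup
printer_24 = host("192.168.100.104/24", "192.168.100.1", "lan")
printer_16 = host("192.168.100.104/16", "192.168.100.1", "lan")  # Error2 mask

if __name__ == "__main__":
    print("printer /24:", round_trip(pc_family, printer_24))
    print("printer /16:", round_trip(pc_family, printer_16))
    print("Test2 PC   :", round_trip(pc_test2, printer_24))
```
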