Hi,
Attached to my home office network I have three subnets. Call them 172.17.217.0/28, which is directly attached to the Z1 inside interface; Z1 is 172.17.217.1 and is the default gateway.
Secondary subnets 172.17.1.0/24 and 172.17.88.0/24 are reached via a separate device 172.17.217.2. So that device is on the local "inside" LAN alongside the Z1 and routes to 172.17.1.0/24 and 172.17.88.0/24 are configured on the Z1 under "Teleworker Gateway" / "Addressing and VLANs" / "Routing" / "Static Routes" with (obviously) 172.17.217.2 as "Next hop IP". Both routes are Enabled and active "Always".
All this worked correctly when configured. However recently the Z1 failed and was replaced with a Z3, and now they do not work. Trace from a host on the inside LAN times out after 172.17.217.1 the default gateway.
Any ideas would be appreciated in case I've fat fingered something, before I raise a Meraki support case.
Thanks, Tony S
Have you rebooted the other device in case its ARP table still has the MAC address of the Z1?
Thanks, I don't think I have. It's been a couple of weeks, so I wouldn't expect it to hang onto the old ARP entry that long. It's not a Meraki or even a Cisco device and I don't know the ARP timeout. But checking just now, it has no ARP entry for anything on 172.17.217.0.
Can you ping 172.17.217.2 from the MX interface 172.17.217.1?
Or the other way around?
Yes can ping either way. When the Z3 is switched on of course.
@TonySmith if there is no ARP entry for the Z3 then no traffic can flow. Is the port definitely up and does the Z3 have an ARP entry for the other device? Are both set to auto negotiate and have they negotiated the same speed and duplex?
Sorry I should have mentioned the Z3 is only powered on when I'm working, not all the time. I was just checking there wasn't a stale ARP entry stuck for 217.2.
Just looking at the dashboard I see .2 listed as a "client" with its 217.2 address, and some traffic was registered when the Z3 was online yesterday.
Have you got any L3 firewall rules?
No custom rules, only the default inbound "deny any any" and outbound "permit any any".
This begs a few questions...
1. Do these rules work differently with a Z3 vs a Z1?
2. Do they apply to traffic between hosts on the LAN ports?
3. And if so, which direction is considered "inbound" and which "outbound"?
I should add that if I add the route into the PC then it works. So traffic between PC and 217.2 isn't being blocked by the Z3.
1. Do these rules work differently with a Z3 vs a Z1?
There is no difference. Z3 and Z1 would work the same.
2. Do they apply to traffic between hosts on the LAN ports?
Only if you have firewall rules configured. As you checked, there is no additional firewall configured.
I reckon you may take a packet capture via the dashboard Network-wide --> Packet capture page. You may select the LAN interface and check the output to see if the MX forwarded the packet out while you were testing the route. Or you may open a support case and call in for live troubleshooting.
Thanks. I had a brief chance to troubleshoot, and actually the route to 172.17.88.0 works. I wouldn't swear I fully tested that before, as I might have assumed that if one route worked then so would the other.
Doing a network wide packet capture for ping to 172.17.1.1 shows the packets being received but no answer.
But it's the same when taking a capture for a ping to 172.17.88.1, which does work: only the ping request is seen, I guess because the reply comes direct from the MikroTik on 217.2 to my PC 217.10.