1 wan 2 subnet problems

hi guys

i am having trouble accessing on a different network

eth1 wan
eth2 lan1
eth3 lan 2

lan1 192.168.0.0
lan2 10.10.10.0

lan1 masquerade out interface wan
lan2 masquerade out interface wan

route print

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          isp address        1
 1 ADC  10.10.10.0/24      10.10.10.1      lan2               0
 2 ADC  192.168.0.0/24     192.168.0.1     lan1               0
 3 ADC  isp                isp             wan                0


internet is working fine on both subnets
my question is how do i allow in the local network that only ip address 192.168.0.200 from lan1 can access lan2, and that the complete lan2 can access only that ip in lan1 ?

os version 5.11

Create two rules in IP Firewall Filter.

/ip firewall filter
add action=drop chain=forward in-interface=lan1 out-interface=lan2 src-address=!192.168.0.200
add action=drop chain=forward dst-address=!192.168.0.200 in-interface=lan2 out-interface=lan1

Just copy and paste the above codes into a terminal window. Be mindful of the ! sign before the IP address.

first of all thank you my friend for these rules, ok i will do that

by the way
can you explain to me friend what that mark “!” means
i saw it before and googled it but never found out what it is for, possibly you can help me ?

Hmmm, doesn't work...
cannot ping, cannot access shares, from mikrotik i can ping both subnets

do i need some bridge or route rule for these 2 subnets with that rule on top maybe?

here is complete configuration
route print

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          ...isp             1
 1 ADC  10.10.10.0/24      10.10.10.1      lan2               0
 2 ADC  192.168.0.0/24     192.168.0.1     lan1               0
 3 ADC  ...                ...             wan                0

nat

lan1 masquerade out wan and the src address 192.168.0.1/24
lan2 masquerade out wan and the src address 10.10.10.0/24

filter rules

all p2p drop


with or without the below rule i still cannot make things work

/ip firewall filter
add action=drop chain=forward in-interface=lan1 out-interface=lan2 src-address=!192.168.0.200
add action=drop chain=forward dst-address=!192.168.0.200 in-interface=lan2 out-interface=lan1

“!” means not. Therefore “!192.168.0.200” means “not 192.168.0.200”.

Your English is not very clear. If I understand you properly, you are trying to restrict access to lan2 from lan1 to only host 192.168.0.200. And also allow all hosts on lan2 to access only host 192.168.0.200 on lan1. Am I correct?

Please paste the output of the following codes:

/ip address print
/ip route print
/ip firewall filter print
/ip firewall nat print

Yes you are correct. I only want from lan1 to allow ip address 192.168.0.200 to access the lan2 network, and from the lan2 network all users can access on lan1 only ip 192.168.0.200 (192.168.0.200 is a server and it must serve requests for some application on both networks, lan1 and lan2). Sorry for bad english, here is the requested information…

Address print

 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; ISP
     *.*.*.*/**         *.*.*.*         ISP
 1   ;;; LAN1
     192.168.0.1/24     192.168.0.0     LAN1
 2   ;;; LAN2
     10.10.10.1/29      10.10.10.0      LAN2

route print

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                                   *.*.*.*                  1
 1 ADC  10.10.10.0/29      10.10.10.1          LAN2                   0
 2 ADC  192.168.0.0/24     192.168.0.1        LAN1                   0
 3 ADC  *.*.*.*/**  *.*.*.*                      ISP                     0

firewall print

 0   ;;; P2P drop
     chain=forward action=drop p2p=all-p2p dst-address=0.0.0.0/0 

 1   ;;; torrent sites
     chain=forward action=drop src-address=0.0.0.0 
     dst-address-list=torent_sites 

 2 ;;; not valid connections
     chain=input action=drop connection-state=invalid 

 3  ;;; 
     chain=input action=drop connection-state=new in-interface=ISP 

 4   ;;; 
     chain=input action=accept connection-state=established 

 5   ;;; 
     chain=input action=accept connection-state=related 

 6 X chain=input action=accept in-interface=LAN1 

 7 X chain=input action=accept in-interface=LAN2 

 8 X chain=output action=accept connection-state=established protocol=icmp

Nat print

 0   ;;; LAN1
     chain=srcnat action=masquerade src-address=192.168.0.0/24 
     out-interface=ISP 

 1   ;;; LAN2
     chain=srcnat action=masquerade src-address=10.10.10.0/29 
     out-interface=ISP

Your setup looks okay.

Since you can ping both lans from the mikrotik router then I suspect there might be a firewall on host 192.168.0.200 blocking traffic originating from outside its subnet. To test this assumption, source nat all packets from lan2 to lan1 and see if you can connect to 192.168.0.200 from lan2.

/ip firewall nat add chain=srcnat action=masquerade src-address=10.10.10.0/29

If you can connect to 192.168.0.200 from lan2 after implementing the rule above, then there is a firewall on 192.168.0.200 blocking traffic from outside its subnet.

i can connect with above rule
the only firewall is mikrotik

what should i do ?

You need to modify the firewall on host 192.168.0.200 to allow packets from 10.10.10.0/29.

Or

Use the src-nat rule I gave you above to deceive host 192.168.0.200 into accepting packets from 10.10.10.0/29, believing that they are coming from 192.168.0.1. The downside of this is that host 192.168.0.200 sees all packets coming from 10.10.10.0/29 as coming from 192.168.0.1.

hm… but how to modify the firewall on host 192.168.0.200, there is no firewall on it… the only firewall is mikrotik


Use the src-nat rule I gave you above to deceive host 192.168.0.200 into accepting packets from 10.10.10.0/29, believing that they are coming from 192.168.0.1. The downside of this is that host 192.168.0.200 sees all packets coming from 10.10.10.0/29 as coming from 192.168.0.1.

ok, how to put it in a firewall rule to allow access only to host 192.168.0.200, i mean is this going to work ?

/ip firewall nat add chain=srcnat action=masquerade src-address=10.10.10.0/29

trust me, i am so confused right now

Yea, there is a firewall on host 192.168.0.200. If it is a Linux box, then the firewall is in the iptables. Modify it to allow 10.10.10.0/29.

If it is a windows box, then the windows firewall or AV firewall is activated. Deactivate it or modify it to allow 10.10.10.0/29.

The rule can be further restricted to NAT only packets destined for 192.168.0.200:

/ip firewall nat add chain=srcnat action=masquerade src-address=10.10.10.0/29 dst-address=192.168.0.200

Then add rules to block any other communication between lan1 and lan2:

/ip firewall filter
add action=drop chain=forward in-interface=LAN1 out-interface=LAN2 src-address=!192.168.0.200
add action=drop chain=forward dst-address=!192.168.0.200 in-interface=LAN2 out-interface=LAN1
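An added example of my own (not from this thread and not RouterOS code) that models how the two forward-chain drop rules and the restricted srcnat rule above treat sample packets; interface names, router address 192.168.0.1 and the test hosts are taken from the prints in this thread, everything else is constructed.

```python
# Model of the forward filter (with "!" = not) and the srcnat rule from this thread.
# Constructed for illustration only; it is not how RouterOS is implemented.
from ipaddress import ip_address, ip_network

SERVER = ip_address("192.168.0.200")
LAN1 = ip_network("192.168.0.0/24")
LAN2 = ip_network("10.10.10.0/29")
ROUTER_LAN1 = ip_address("192.168.0.1")  # pref-src on LAN1, used by masquerade

def iface_for(addr):
    """Interface a routed address belongs to, per the route print above."""
    addr = ip_address(addr)
    if addr in LAN1:
        return "LAN1"
    if addr in LAN2:
        return "LAN2"
    return "ISP"

def forward_verdict(src, dst):
    """Apply the two drop rules to the original (pre-NAT) addresses, since the
    forward filter runs before srcnat. "!192.168.0.200" matches any address
    other than the server. No match means RouterOS' default: accept."""
    src, dst = ip_address(src), ip_address(dst)
    in_if, out_if = iface_for(src), iface_for(dst)
    # add action=drop chain=forward in-interface=LAN1 out-interface=LAN2 src-address=!192.168.0.200
    if in_if == "LAN1" and out_if == "LAN2" and src != SERVER:
        return "drop"
    # add action=drop chain=forward dst-address=!192.168.0.200 in-interface=LAN2 out-interface=LAN1
    if in_if == "LAN2" and out_if == "LAN1" and dst != SERVER:
        return "drop"
    return "accept"

def srcnat(src, dst):
    """Model of: chain=srcnat action=masquerade src-address=10.10.10.0/29 dst-address=192.168.0.200
    Masquerade rewrites the source to the router's own address on the egress
    interface, so the server sees every LAN2 client as 192.168.0.1."""
    src, dst = ip_address(src), ip_address(dst)
    if src in LAN2 and dst == SERVER:
        return str(ROUTER_LAN1)
    return str(src)
```

Run the four LAN1/LAN2 combinations through forward_verdict to see that only traffic involving 192.168.0.200 survives; srcnat shows why the server loses the real client address.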

Ok, something is definitely not good here. I tried that and nothing happened.
So i reset mikrotik to factory settings and added only these settings:

Address print

 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; ISP
     *.*.*.*/**         *.*.*.*         ISP
 1   ;;; LAN1
     192.168.0.1/24     192.168.0.0     LAN1
 2   ;;; LAN2
     10.10.10.1/29      10.10.10.0      LAN2

Route print

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                                   *.*.*.*                  1
 1 ADC  10.10.10.0/29      10.10.10.1          LAN2                   0
 2 ADC  192.168.0.0/24     192.168.0.1        LAN1                   0
 3 ADC  *.*.*.*/**  *.*.*.*                      ISP                     0

Nat print

 0   ;;; LAN1
     chain=srcnat action=masquerade src-address=192.168.0.0/24
     out-interface=ISP

 1   ;;; LAN2
     chain=srcnat action=masquerade src-address=10.10.10.0/29
     out-interface=ISP

The internet is working on both lan1 (eth2) and lan2 (eth3). But, with this setting i cannot access from lan1 to lan2 and from lan2 to lan1.

@skillful my friend those commands on top don't work, i am so confused mate. And i did disable everything from antivirus to default firewall… so frustrated…

Is there some simple command for connecting lan1 and lan2 together, and then a filter firewall rule so that users from lan2 can only access ip address 192.168.0.200 in lan1?

Maybe i need to add an ip route for these 2 lans ?