2 different networks

Hello all,

I'm pretty new to RouterOS; I have managed to configure some mangle rules and traffic shaping successfully before, simple queues too. Now I'm dealing with a problem that I don't even know how to google. I have 2 networks in my office: 192.168.254.x and 192.168.2.x. I want to connect 2 ethernet cables to my MikroTik RB750Gr3 (one from each network) and make a new network, for example 10.10.10.x, which I'm going to connect to with my PC. I want to be able to be in both networks (connect to the web configuration of devices in both networks, and to servers) but I don't want the networks to "see" each other. Both networks have their own gateway; I want to use 192.168.2.1, which is the faster connection. Appreciate the help!

You can accomplish what you want already via firewall rules.

It sounds rather simple.
You have two office networks A, B connected to the router on lets say ports 2,3
You want to be able to reach into both networks at any time

Where are you located (on office network A, B, or a different network?) and on which port?
If you need to create another subnet just do it.
Then you use firewall rules to establish what traffic is allowed.

What have I missed in your intentions??

I'm not in any existing network; I want to be on port 3, creating a new subnet. Here is the diagram; my knowledge is not high enough to understand it exactly as it is.
Untitled.png

Yes that is very easy to do…

So, how do I do this? Can you explain it or give me the links for tutorials on this? Thank you very much

If you want to use all vlans, this article is good.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Don't invent anything (relatively) complicated like VLANs. Simply configure the router the same way you'd configure it for connecting to the internet (DHCP client on WAN, DHCP server on LAN). The WAN port in this case is where you have your primary 192.168.2.x network. When you have this, add another DHCP client on the port connected to 192.168.254.x, but do not let it add a default gateway. Then tweak the firewall a bit (if you have the default one, just add the second port to the WAN interface list). And that's it.

So, I set up 2 WANs, ether1 and ether2, with DHCP client, and ether3 on a bridge with a DHCP server for 10.10.10.x. It seems to be working; I'm not sure which gateway I'm using. Where do I find that? Also, I want a guest network on ether4 using the gateway from ether2 and another network on ether5 using the gateway from ether1. How do I configure this?

If you configured the second DHCP client to not add a gateway, as I wrote, you have only one (check IP->Routes).

As for the new requirements, it will be easier to get rid of DHCP and use a static config (I assume you can get an IP address from each network that's not included in their DHCP range). The basic config is this (RouterOS v6; if you have v7, it's slightly different):

/ip address
add interface=ether1 address=192.168.2.X/24
add interface=ether2 address=192.168.254.Y/24
add interface=ether4 address=10.10.11.1/24
add interface=ether5 address=10.10.12.1/24
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=net1
add dst-address=0.0.0.0/0 gateway=192.168.254.1 routing-mark=net2
/ip route rule
add interface=ether4 action=lookup table=net2
add interface=ether5 action=lookup table=net1

And you also need to add DHCP servers on ether4 and ether5 (I'm too lazy to write their configs, but you know how to do that). With this, everything including guests will be hidden behind your router, and only 192.168.2.X and 192.168.254.Y will be visible in the other networks.

Another way would be to have guests connected directly to upstream networks, so there wouldn’t be 10.10.11.0/24 and 10.10.12.0/24, and they would get 192.168.2.x / 192.168.254.x from upstream DHCP.

Edit: fixed invalid addresses, in case someone finds it later
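As an added example (not part of the reply above), here are the two DHCP servers the reply leaves out, plus the commands that answer the "which gateway am I using" question. RouterOS v6 syntax, matching the static config above. The pool ranges, lease time and the upstream resolvers handed to clients (192.168.2.1 for ether5, 192.168.254.1 for ether4) are assumptions; adjust them to the real upstream DNS servers.

```routeros
# Added example, not from the original post. Assumes the /ip address and
# /ip route config from the reply above (ether4 = 10.10.11.1/24, ether5 = 10.10.12.1/24).
/ip pool
add name=pool-ether4 ranges=10.10.11.10-10.10.11.254
add name=pool-ether5 ranges=10.10.12.10-10.10.12.254

/ip dhcp-server
add name=dhcp-ether4 interface=ether4 address-pool=pool-ether4 lease-time=1h disabled=no
add name=dhcp-ether5 interface=ether5 address-pool=pool-ether5 lease-time=1h disabled=no

/ip dhcp-server network
# gateway is the router's own address on that port (.1), never the subnet address (.0)
# dns-server points at the upstream each port is routed through (assumed resolvers);
# the router's own input chain only accepts DNS from the LAN list, so do not hand
# out 10.10.11.1 / 10.10.12.1 here unless you also allow that in the input chain
add address=10.10.11.0/24 gateway=10.10.11.1 dns-server=192.168.254.1
add address=10.10.12.0/24 gateway=10.10.12.1 dns-server=192.168.2.1

# Checks: the unmarked default route is the one the router itself and the bridge
# use; the marked ones only apply through the route rules
/ip route print detail
/ip route rule print
# leases should appear here once a client on ether4/ether5 asks for an address
/ip dhcp-server lease print
```

If a port hands out leases but clients have no internet, compare the gateway in `/ip dhcp-server network` with the address in `/ip address` for that port first; a .0 in either place is the usual cause.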

First of all, thanks a lot for the time you are spending helping me. I have used the configuration; ether4 gives DHCP normally but the gateway isn't working (I don't have an internet connection), and ether5 doesn't even give out an IP address. What should I look for to find the problem?

You have a small config, so there aren't many places where mistakes can be hiding. But if you don't see any, it's probably best to export your config using:

/export hide-sensitive file=myconfig

And then take the content of myconfig.rsc and post it here in code tags.

Here you go

# jan/02/2022 17:13:40 by RouterOS 6.49.2
# software id = 538P-SQ8Z
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac=C4:AD:34:92:5A:A8 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.254.200-192.168.254.254
add name=dhcp_pool2 ranges=254.254.254.50-254.254.254.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=ether4 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether5 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.1.233/24 interface=ether1 network=192.168.1.0
add address=192.168.2.50/24 interface=ether2 network=192.168.2.0
add address=192.168.254.0/24 interface=ether4 network=192.168.254.0
add address=254.254.254.0/24 interface=ether5 network=254.254.254.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.254.0/24 dns-server=192.168.1.1,192.168.2.1 gateway=\
    192.168.254.0
add address=254.254.254.0/24 dns-server=192.168.1.1,192.168.2.1 gateway=\
    254.254.254.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=net1
add distance=1 gateway=192.168.1.1 routing-mark=net2
add distance=1 gateway=192.168.2.1
/ip route rule
add interface=ether4 table=net2
add interface=ether5 table=net1
/system clock
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The networks are 192.168.2.x and 192.168.1.x; I'm trying to create a guest network 254.254.254.x using gateway 192.168.2.1 and another one 192.168.254.x using gateway 192.168.1.1.

Don't be overly creative: 254.254.254.0/24 is not a valid private subnet; everything from 240.0.0.0 up is reserved and some devices may not like it.

Other than that, both addresses on ether4 and ether5 are invalid: they end with 0, and that's actually the subnet address. But I see it's my fault, because I had zeros in my config too (I swear I don't know how that happened :)), sorry. So change that to 1 and also update the gateways given out by the DHCP servers.

And to isolate the two networks, remove this:

/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

and instead add this:

/ip firewall filter
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept
add chain=forward in-interface=ether4 out-interface=ether1 action=accept
add chain=forward in-interface=ether5 out-interface=ether2 action=accept
add chain=forward connection-nat-state=dstnat action=accept
add chain=forward action=reject reject-with=icmp-admin-prohibited

In case you want to limit guests even more and not allow them to access the upstream network, you can use e.g.:

/ip firewall filter
add chain=forward in-interface=ether5 out-interface=ether2 dst-address=!192.168.0.0/16 action=accept

Oops, another mistake: the last rule would block access to DNS, so it would have to be expanded to first allow DNS and then block the rest:

/ip firewall filter
add chain=forward in-interface=ether5 out-interface=ether2 dst-address=192.168.2.1 protocol=udp dst-port=53 action=accept
add chain=forward in-interface=ether5 out-interface=ether2 dst-address=192.168.2.1 protocol=tcp dst-port=53 action=accept
add chain=forward in-interface=ether5 out-interface=ether2 dst-address=!192.168.0.0/16 action=accept
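Added example, not from the posts above: the forward chain assembled from the last three replies into one ordered block, with the guest restriction applied to both guest ports rather than only ether5, and an address list instead of the single 192.168.0.0/16 match so the other private ranges are covered too. RouterOS v6 syntax. The port-to-upstream mapping (ether4 -> ether1/192.168.1.1, ether5 -> ether2/192.168.2.1) follows the posted config; the list name `rfc1918` and the rule comments are assumptions.

```routeros
# Added example, not from the original posts. Keep the defconf input rules and
# the fasttrack / established,related / drop-invalid forward rules that come
# before these; remove only "defconf: drop all from WAN not DSTNATed".
/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8
add list=rfc1918 address=172.16.0.0/12
add list=rfc1918 address=192.168.0.0/16

/ip firewall filter
# the PC network on the bridge (LAN list) may reach both upstreams
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept \
    comment="bridge -> both upstreams"

# guests on ether4: DNS to their upstream resolver first, then only non-private
# destinations, so 192.168.1.x devices stay out of reach
add chain=forward in-interface=ether4 out-interface=ether1 dst-address=192.168.1.1 \
    protocol=udp dst-port=53 action=accept comment="guest ether4 DNS"
add chain=forward in-interface=ether4 out-interface=ether1 dst-address=192.168.1.1 \
    protocol=tcp dst-port=53 action=accept comment="guest ether4 DNS"
add chain=forward in-interface=ether4 out-interface=ether1 dst-address-list=!rfc1918 \
    action=accept comment="guest ether4 internet only"

# same for guests on ether5 via 192.168.2.1
add chain=forward in-interface=ether5 out-interface=ether2 dst-address=192.168.2.1 \
    protocol=udp dst-port=53 action=accept comment="guest ether5 DNS"
add chain=forward in-interface=ether5 out-interface=ether2 dst-address=192.168.2.1 \
    protocol=tcp dst-port=53 action=accept comment="guest ether5 DNS"
add chain=forward in-interface=ether5 out-interface=ether2 dst-address-list=!rfc1918 \
    action=accept comment="guest ether5 internet only"

# inbound port-forwards, if any are ever added in /ip firewall nat
add chain=forward connection-nat-state=dstnat action=accept comment="dst-nat only"

# everything else: 192.168.1.x <-> 192.168.2.x, guest -> upstream LAN, guest <-> guest
add chain=forward action=reject reject-with=icmp-admin-prohibited comment="isolate"

# Checks: the per-port counters should grow while a guest browses, and the final
# reject counter should grow when a guest tries to reach a 192.168.x host
/ip firewall filter print stats where chain=forward
```

The order matters: the DNS accepts must sit above the `!rfc1918` accept, and all of them above the final reject; rules added later with `add` are appended to the end of the chain, so either build the chain in this order or use `move` afterwards. The reject (instead of drop) is deliberate for an office network: the blocked host gets an immediate ICMP admin-prohibited answer rather than a timeout, which makes troubleshooting easier.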