I bought a RouterBoard 750 hEX Lite, because we have 2 different families in our house with 2 ISPs and would like to share a network printer.
We cannot change very much within the configuration of the 2 different routers from our ISPs.
But perhaps it is possible that we don’t need to share our internet connections while sharing one network printer.
So I started to make some tests and this is my rotten configuration so far:
Just for the purpose of explanation:
Physical Port1 is LAN1 for Family 1 (connected to various computers from Family 1)
Physical Port2 is WAN1 for Family 1 (connected to the router from Family 1 ISP)
Physical Port3 is LAN2 for Family 2 (connected to various computers from Family 2)
Physical Port4 is WAN2 for Family 2 (connected to the router from Family 2 ISP)
Physical Port5 is LAN3 for shared Network-Printer
If I disable the static route with Routing Mark “LAN3” and Dst. Address 0.0.0.0/0 then I can ping the network printer from LAN1 and LAN2 and reverse. I also can’t ping between LAN1 and LAN2 as expected. And I even can traceroute a public URL and see the correct hops. But I have no internet access from LAN3!
Aside from that it seems not possible to access a network share in LAN3 with the name of the computer. I have to enter \\192.168.5.xxx to access the network share. This might be a problem because I would like to install the printer via its node name and not via its IP.
If I enable the static route with Routing Mark “LAN3” and Dst. Address 0.0.0.0/0 then I can’t ping between the subnets any more, but I have internet access from LAN3.
Perhaps you can tell me how I can get everything to run?
My first thought would have been to try some VRF setup but this has also some drawbacks which can be non trivial to solve.
So I came up with another design: just reroute what’s coming from the 2 families’ LANs and NOT going to your printer network to their respective internet gateway.
Basically:
You can of course add whatever firewall rules you prefer to prevent any unauthorized forwarding, but I don’t see how unauthorized forwarding could happen here.
Regarding your node name issue, you could add a static DNS entry, but I don’t know if your Windows computer will use that instead of NetBIOS name resolution.
/ip dns static add address=xxxxx name=yyy
Another way, which would allow for NetBIOS, would involve playing with bridges and bridge firewalls.
But it would also add some drawbacks that could lead to real havoc.
Many thanks for your help. Your configuration looks like a clever solution and today I had some time to try your configuration - the LAN access works well, but I have no internet access from both family LANs and I don’t know why. When I ping a WWW host the IP doesn’t get resolved.
I just reset the router without default config, connected via WinBox with MAC and imported your configuration in a terminal.
But I also have another problem… our 2 main computers are notebooks with Windows 7, which are used in different environments (when I drive to my parents, for example) and because of this we use DHCP on these computers. The shared printer is connected with static IPv4, but uses SMB to store scanned files to different shared folders on different computers (e.g. “\\notebook1\scanfiles”). So I need to find a way to resolve these network paths from within LAN3 to our computers with DHCP in LAN1 and LAN2. Is this possible and do you have an idea how I can manage this with the RouterBoard?
Many thanks to you for your help and your working suggestion, but still SMB only works when I use fixed IPs instead of hostnames.
Perhaps my aims are not possible with separate subnets? I suppose that SMB uses something like Broadcasts, which shouldn’t be forwarded to other subnets, right?
In this case I probably have to use fixed IPs in the “alternate configuration” tab in Windows 7 to use the scanner at home and dynamic IPs in other locations.
Or I assign a lease statically, either based on the MAC-Address or the Hostname…
I already noticed that I specified only 1 DNS server (192.168.2.1) and in case of disconnecting this router I also have no internet access inside LAN3. So I added 8.8.8.8 to all DHCP networks.
Do you know how this works, where does the printer get this name (“notebook1”) from?
Just out of curiosity, let’s call it scouting for ideas for plan C, but it may be a dead end. By “cannot change very much” you mean:
a) you can’t change anything
b) you can change some things; specifically I’d be interested in ability to add static route within LAN
These settings are configured inside the web interface of the printer. You can choose SMB in a configuration tab and provide a network path, a username and a password. There are other protocols available like FTP, FTPS, NetWare IPX/SPX and NetWare TCP/IP.
Answer b) is correct. I have access to the routers, but I can only change basic stuff like LAN-IP or DHCP-Range, but there is no way to add a static route.
I am hearing this term for the first time, but isn’t this technique used for accessing internal resources using a public IP?
Since I have no filter rules in the MikroTik firewall and my clients in subnet LAN1 can access their shares using hostnames and my clients in subnet LAN3 can access the shares in LAN1 using IPs, I thought the problem may be associated with broadcast domains.
Try to add a static DNS record pointing to the notebook:
/ip dns static
add address=192.168.x.x name=notebook1
Then make the printer use the router as DNS server. If it doesn’t work, try to use some FQDN, e.g. notebook1.lan (and then \\notebook1.lan\scanfiles). If you succeed with any of these, add a DHCP reservation for notebook1 to keep its address static.
Well, you could try to add 2 mangle rules:
chain prerouting src address {your LAN 1 subnet (192.168.1.0/24)} dst address {your printer address (192.168.5.x)} action accept
chain prerouting src address {your LAN 2 subnet (192.168.3.0/24)} dst address {your printer address (192.168.5.x)} action accept
before the other prerouting chains.
But you will also need to add a route to one gateway with no routing marks, or make one the default (with no marks) and mark only the other to the other ISP gateway.
If you choose to mark one route, then you will need one mangle rule for the printer only.
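
The accept-before-mark layout discussed in this thread, written out as an added example (not a configuration posted by any participant), together with forward-filter rules that keep the two family LANs apart while sharing the printer. It assumes RouterOS v6 syntax, ether1 to ether5 matching the port list in the first post, LAN3 as 192.168.5.0/24, gateways 192.168.2.1 (ISP 1 router) and 192.168.4.1 (ISP 2 router, not stated in the thread), the hypothetical mark names to_ISP1/to_ISP2, and SMB over TCP 445.

```routeros
# Added example, RouterOS v6 syntax. Gateways, mark names and port 445 are assumptions.
/ip firewall mangle
# 1. Printer-bound traffic is accepted before any marking, so it is routed by
#    the main table (connected route to LAN3) instead of a marked default route.
add chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.5.0/24 action=accept
add chain=prerouting src-address=192.168.3.0/24 dst-address=192.168.5.0/24 action=accept
# 2. Everything else from each family LAN is pinned to that family's ISP.
#    dst-address-type=!local keeps traffic to the router itself (DNS) unmarked.
add chain=prerouting in-interface=ether1 dst-address-type=!local \
    action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting in-interface=ether3 dst-address-type=!local \
    action=mark-routing new-routing-mark=to_ISP2 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_ISP2
# Unmarked default route: used by LAN3 (printer) and by the router itself.
add dst-address=0.0.0.0/0 gateway=192.168.2.1

/ip firewall nat
# The ISP routers cannot be given static routes back to the LANs, so hide
# the LAN subnets behind the RouterBoard's WAN addresses.
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether4 action=masquerade

/ip firewall filter
# Replies to connections that were allowed to start.
add chain=forward connection-state=established,related action=accept
# No direct forwarding between the two families.
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.3.0/24 action=drop
add chain=forward src-address=192.168.3.0/24 dst-address=192.168.1.0/24 action=drop
# Scan-to-folder: the printer may open SMB sessions to the notebooks, nothing else.
add chain=forward in-interface=ether5 dst-address=192.168.1.0/24 \
    protocol=tcp dst-port=445 action=accept
add chain=forward in-interface=ether5 dst-address=192.168.3.0/24 \
    protocol=tcp dst-port=445 action=accept
add chain=forward in-interface=ether5 out-interface=ether1 action=drop
add chain=forward in-interface=ether5 out-interface=ether3 action=drop
```

Rule order matters in both the mangle and filter tables: the accept rules must sit above the mark-routing and drop rules, since RouterOS evaluates each chain top to bottom.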