Access LAN B from LAN A, but not LAN A from LAN B

I have two LANs, LAN A and LAN B. LAN A is connected to a router which connects to the WAN (internet). LAN B is in-house only. I would like to be able to access LAN B from LAN A. But I also do NOT want LAN B to have access to LAN A.

I have tried this:

Added a router and connected LAN B to the WAN side, then connected LAN A to the LAN side of the router. I statically configured the IP of the WAN side of the router to the same range as LAN B, and the IP of the LAN side of the router to the same range as LAN A: WAN IP is statically configured to 192.168.1.222/24, and the LAN IP to 192.168.0.222/24. (I verified neither address is in use.)

LAN A uses an address range of 192.168.0.0-255/24; LAN B uses an address range of 192.168.1.0-255/24.

I am able to connect to the router from the LAN side, but if I ping 192.168.1.255 I get no pingbacks. I verified the ethernet connections are correct. I am not using DHCP on the new router, and have the IP set manually in my test computer. NAT is turned on in the new router.

Folks on another forum tell me that this should be able to work, but I just now thought of a consideration: In my computer I have to choose a gateway. If I have chosen the router connecting to the internet as the gateway, then I would not be able to access stuff on the WAN side of the other router, and vice-versa. Like I can only use one or the other, no?

Some direction on this would be very much appreciated.
Thanks.

Why do you have two routers? Just use one router and configure VLANs and a firewall. There seems to be a lot missing here…

You could set it up like this:
https://wiki.mikrotik.com/Manual:Simple_Static_Routing

In that example, Router2 does not need an additional route because there is a gateway set (that automatically means 0.0.0.0/0, i.e. “everything” is reachable through it), so the “upstream” route includes LAN1 destinations, but you need an added “return” route on Router1 to make LAN2 reachable from LAN1.

If I get it right, your LAN A is LAN2 in the example and LAN B is LAN1.

192.168.1.255 is the broadcast address, are you really sure it is pingable?

Anyway, the best thing to do would be to post the configuration of the two routers involved, following this:
http://forum.mikrotik.com/t/forum-rules/173010/1

or at least (again for both routers) the output of:

/ip address print

and

/ip route print

VLANs are not required, although they are much more flexible and recommended if you run out of ports and need to send multiple subnets out a port to a switch or access point etc.

IP address
assign subnetA to ether2
assign subnetB to ether3
assign both to interface list=LAN

Then in forward chain firewall rules…
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN src-address=!SubnetB
add action=accept chain=forward comment="usersA to usersB" in-interface=ether2 src-address=subnetA out-interface=ether3 dst-address=subnetB
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

Now you could replace that one rule with a simpler rule, but if you have other subnets it's more flexible/encompassing…
add action=accept chain=forward comment="internet traffic" in-interface=ether2 out-interface-list=WAN

Here is the output

[admin@RouterOS] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.0.222/23   192.168.0.0     bridge
 1   192.168.1.222/23   192.168.0.0     ether1

[admin@RouterOS] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  0.0.0.0/0                          192.168.1.222             1
 1 ADC  192.168.0.0/23     192.168.0.222   bridge                    0
                                           ether1
[admin@RouterOS] >

More to come…

Sorry for the late reply btw, and thank you for all of the replies. When I posted I got a message saying my post needed Admin approval and I have been waiting for that all day, then finally went into my profile, searched my post and found I had replies. I will look over your kind replies and report back.

Oh yes:

On Macos pinging 192.168.1.255 sends out a broadcast ping, and normally you get return pings from several or all devices on the network.

Regarding “the two routers”, the router being used for the internet is provided by the ISP and I don’t have access to its configuration. Perhaps I need to add another router downstream of it?

Ah, ok, macOS is - as often happens - doing things its own way; AFAIK in Windows it is not allowed and on Linux you need to add the -b switch.
I now understand your setup better: the first router, the ISP one, is conceptually not really a router, in the sense that, not being configurable (apart from some basic settings), it is functionally more like an unmanaged switch connected to a modem that provides access to the internet.
As I see it - but I may well be wrong - it would be easier to further “demote” it to a “pure” modem and make the Mikrotik the “main” router, i.e. have both LAN A and LAN B connected to it, as anav already suggested.
Depending on the type of connection, it may be possible to set the ISP router in bridge mode, but this is a later step.
Another question: why are you using a /23 network?
Do you really need more than 254 IP addresses?
The suggested topology would be:

        Internet
           ^
           |
       ISP device
           ^
           |
LAN A -> Mikrotik <- LAN B

Would the above be possible or are there any problems with the physical placement of devices or with cabling?

Before I forget, which exact Mikrotik router are you using?

Here is my config:

# jan/02/1970 00:03:27 by RouterOS 6.48.6
# software id = 6GWF-84KG
#
# model = RB750Gr3
# serial number = HCT085P12MB
/interface bridge
add admin-mac=18:FD:74:56:2B:6D auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.222/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.1.222/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.222 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.222 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.222
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Just wondering why it says /interface bridge when I have router mode selected in the web UI.

Using Routerboard hEX.

I used /23 thinking that since one LAN was 192.168.0 and the other was 192.168.1, I would need to open up the other bit. I have since updated my config using /24.

Well, the topology is not ideal as it defeats one of my goals. I currently have both LANs in two separate locations. A single trunk line runs between the locations joining the networks as separate networks via Tp-link smart switches on each end setting up vlans. All of the LAN B devices (cameras) I wish to connect to are at what I’ll call the “satellite” location. My hope was that by placing one router at the satellite location and merging LAN B with LAN A there, I could then eliminate the extra switches and VLAN setup, and just have LAN A from the satellite location to the main location, as I would now be able to connect to the LAN B devices from LAN A, and eliminate the vlan config and smart switches. The ISP device is at the main location, which is where internet comes in.

HOWEVER - for the sake of just starting simple so I can at least get an understanding, I am happy to start first with the topology you are suggesting.

Regarding the ISP modem/router (or whatever you think it actually is) getting the config changed might be a bit problematic. Could I still use the topology you are suggesting without changing anything in the ISP device?

And if so, how do I need to configure the hEX router? EDIT - It looks like Anav already answered this - if I can figure out what all of that means :-/

As you may have already guessed, I’m very green with all of this stuff, so my ideas about things may be way off.

btw, thanks for your reply.

Thanks, I appreciate the guidance. I understand about 1% of what is going on here, and wonder how this could be done using the web UI. I would just be copy-pasting stuff not really knowing what it is doing. Nevertheless, I’m wondering, are all those commands listed all that I would need to do? Or are you assuming other things are done also?

Just to clarify, the ISP device and internet comes into the main location btw. I edited my previous response to reflect this.

Well, you have a pretty much sane (largely default) configuration; it is just a matter of learning a few things, as your intended final configuration (per anav’s post) is also pretty much standard.

You now have:

  1. a single ethernet port (ether1) standing on its own and added as WAN to the interface list
  2. a bridge interface (think of it as a dumb switch; it can be considered a meta-interface containing physical ports) grouping together the other 4 ethernet ports, marked as LAN in the interface list
    This is the default and replicates how most common routers work: a single port connected to “outside” and all the others in a switch (often the physical ports are blue for the WAN and yellow for the LAN).

From your posted config:

/interface bridge
add admin-mac=18:FD:74:56:2B:6D auto-mac=no comment=defconf name=bridge
...
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

You have two configured interface lists and the two (for the moment) interfaces assigned to them:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
...
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

Configuring a Mikrotik router can be done both by CLI and GUI; it largely depends on what one is more familiar with. In any case, knowing a few basic CLI commands like export and print allows one to better communicate on the forum and to check what has been done in the GUI; 99.999% of things can be done in the GUI (only some new-new features may initially be accessible only from CLI, but you won’t need them).

You need to remove two interfaces, ether2 and ether3, from the bridge and then assign them to interface list LAN.
Then assign to them the two addresses you already assigned, respectively, to ether1 and to the bridge; for the moment disable the IP addresses you have (as opposed to removing them):

This:

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.222/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.1.222/24 interface=ether1 network=192.168.1.0

should become:

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=myconf interface=ether2 list=LAN
add comment=myconf interface=ether3 list=LAN
/ip address
add address=192.168.0.222/24 disabled=yes comment=defconf interface=bridge network=192.168.0.0
add address=192.168.1.222/24 disabled=yes interface=ether1 network=192.168.1.0
add address=192.168.0.222/24 comment=myconf interface=ether2 network=192.168.0.0
add address=192.168.1.222/24 comment=myconf interface=ether3 network=192.168.1.0

To disable an interface in CLI, use the command print to get the number of the interface, then issue the command disable; in the GUI you use the red cross (easier).
Now your current firewall rules: if you check them you will see that they are grouped into two groups, one with chain input and one with chain forward.
The ones in chain input should not be touched for the moment:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
------------------------------------------------------------------------------------------------------------------------------
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

The ones in forward need a few changes. As a general rule for a beginner, in case a rule should be removed, I would not delete any existing firewall rule with comment “defconf”, but rather disable it if not needed.

anav’s suggested rules, commented:

add action=fasttrack-connection chain=forward connection-state=established,related ← already present in defconf
add action=accept chain=forward connection-state=established,related,untracked ← already present in defconf
add action=drop chain=forward connection-state=invalid ← already present in defconf
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN src-address=!SubnetB ← this will later provide access to internet only to LAN A
add action=accept chain=forward comment="usersA to usersB" in-interface=ether2 src-address=subnetA out-interface=ether3 dst-address=subnetB ← this is the key rule that allows LAN A to talk to LAN B
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat ← this and the following rule should replace the last two rules in defconf
add action=drop chain=forward comment="Drop all else" ← see above, the logic is “inverted”: instead of dropping not dstnatted, here we forward dstnatted and then drop everything else

In the above SubnetB should be replaced by 192.168.1.0 and subnetA by 192.168.0.0

See if you can “digest” and understand the above; if you have questions or doubts ask them, then we will go to the next steps.
Even if we later change idea/topology, trying to make the above changes will anyway be a useful exercise to make you more familiar with ROS.

To better understand: the solution anav suggested is for the topology on the right, whilst you would prefer the one on the left, correct?
It shouldn’t be particularly difficult to transform the one into the other.
topologies.jpg
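To make the one-way nature of the rule set above concrete, here is an added Python model (not RouterOS code and not from anav or jaclaz) that evaluates a few constructed packets against rules shaped like the commented forward chain. It assumes LAN A on ether2, LAN B on ether3 and the ISP side on ether1, and reduces connection tracking to a single state flag per packet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing from the thread: LAN A on ether2, LAN B on ether3, ISP side on ether1.
SUBNET_A = ip_network("192.168.0.0/24")
SUBNET_B = ip_network("192.168.1.0/24")
IFACE_LIST = {"ether1": "WAN", "ether2": "LAN", "ether3": "LAN"}


@dataclass
class Packet:
    """One forwarded packet as the filter sees it (constructed sample data)."""
    src: str
    dst: str
    in_iface: str
    out_iface: str
    state: str = "new"       # connection-state: new | established | related | untracked | invalid
    nat_state: str = "none"  # connection-nat-state: "dstnat" once a port-forward has matched


def forward(p: Packet) -> str:
    """First-match evaluation of the forward chain, in the order the rules are listed."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    # fasttrack + "accept established,related,untracked": replies ride on the tracked connection
    if p.state in ("established", "related", "untracked"):
        return "accept"
    if p.state == "invalid":                       # "drop invalid"
        return "drop"
    # "internet traffic": any LAN-list interface towards WAN, except sources in LAN B
    if (IFACE_LIST.get(p.in_iface) == "LAN" and IFACE_LIST.get(p.out_iface) == "WAN"
            and src not in SUBNET_B):
        return "accept"
    # "usersA to usersB": the key rule; only LAN A may open connections towards LAN B
    if (p.in_iface == "ether2" and p.out_iface == "ether3"
            and src in SUBNET_A and dst in SUBNET_B):
        return "accept"
    if p.nat_state == "dstnat":                    # "port forwarding"
        return "accept"
    return "drop"                                  # "Drop all else"


def demo() -> dict:
    """Evaluate constructed packets; the reply case shows why A->B works with no B->A rule."""
    cases = {
        "A_to_B_new": Packet("192.168.0.50", "192.168.1.10", "ether2", "ether3"),
        "B_to_A_new": Packet("192.168.1.10", "192.168.0.50", "ether3", "ether2"),
        "B_to_A_reply": Packet("192.168.1.10", "192.168.0.50", "ether3", "ether2",
                               state="established"),
        "A_to_internet": Packet("192.168.0.50", "198.51.100.1", "ether2", "ether1"),
        "B_to_internet": Packet("192.168.1.10", "198.51.100.1", "ether3", "ether1"),
        "WAN_to_A_forwarded": Packet("203.0.113.7", "192.168.0.50", "ether1", "ether2",
                                     nat_state="dstnat"),
        "WAN_to_A_unsolicited": Packet("203.0.113.7", "192.168.0.50", "ether1", "ether2"),
    }
    return {name: forward(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The "B_to_A_reply" case is the point of the established/related rule: a camera answering a connection opened from LAN A is accepted, while a new connection from LAN B towards LAN A falls through to the final drop.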

Hi Jaclaz, so the switch and LANA would be on the same private LAN subnet ( provided by the isp modem router) as the HEX?

If this is the case then all users on LANB will be able to reach LANA.
With sourcenat outgoing, all LANB user traffic would appear to come from router itself, so return traffic is not a problem.
How do you propose any traffic originated at LANA reaches LANB, if that is a requirement?? ( if there is no static route capability on ISP modem router )?


In his opening statement he wanted LanA to access LanB not the other way round, so is the diagram backwards?

I have no idea, I am just trying to understand the exact requirements and provide some expanded/explained context of your suggestions, so that even an absolute beginner (as the OP clearly is) can understand and replicate them. (my role is only that of a friendly, slightly more familiar with Ros, beginner).
Since your proposed approach has no VLANs, I am confident that I can understand it and explain it, should VLANs be actually needed, they will go wOOOOsh when flying right over my head.

To me the original idea of having only one larger /23 subnet didn’t seem that bad (there won’t be a LAN A and a LAN B anymore, but a whole larger LAN C subnet, everyone can talk to everyone else, until you add some limits in the Mikrotik firewall applied to the bridge; it should be possible), but also having - as the OP initially attempted to do - LAN B on the LAN side and LAN A on the WAN side of the Mikrotik (with srcnat masquerade between them) didn’t seem too bad.

If the latter approach is used, there must be some way to punch a hole in the firewall so that packets coming from WAN but from addresses belonging to LAN A can reach LAN B, or not?

Let’s try to better understand the requirements, in the meantime the OP should have become more familiar with the commands and the jargon.

From what I understand the current situation is just the one in the attached drawing, the connection to the Mikrotik router could be from one of the (if there are any) LAN ports of the ISP router or to one of the ports of the LAN A switch, the Mikrotik could be either at the LAN A location, near the ISP router (and thus the connection between the two places would already belong to “LAN B”) or moved to the LAN B location (and thus the connection between the two places would belong to “LAN A”) :confused: :question: .
now_LANA_only.JPG

I think all these three solutions should be possible.
Personally I would prefer #3, as the Mikrotik right after the ISP router should allow more control and security, even if the ISP router cannot be put in bridge mode and there will be double NAT.
three_solutions.JPG

Unfortunately, I do not have permission to view your attachments, apparently because I am a new user. If this forum has private messaging, perhaps you could PM me* and I can give you my email address? I would like to view those.

*Hopefully the forum will allow me to receive PMs?

Well, really weird, after I posted the above message, when the page refreshed the attachments showed up.

Yes, these look exactly like what I was thinking of. I will work with the code and instructions you gave me in an experimental environment and try to get a handle on the nuts and bolts. It may take me some time to work through this, in between other duties.