Adding a second /24 network troubles

I don’t know if I’m just clowning or if my brain is tapped out of networking things by the time I finish my day job… but I want to add a second /24 range in addition to my 10.172.12.0/24 range. I’ve posted my config below in an attempt to add 10.172.13.0/24 but have not had luck getting the new range to connect to the network when assigning an IP to a device from that range. These 2 ranges should also communicate with each other. This new /24 is just to ease organization of devices and is not being used as a supplement for network segregation, which is an entirely separate project I’ll get to eventually when I have time.

[admin@MikroTik] > export hide-sensitive 
# sep/10/2024 22:26:38 by RouterOS 7.8
# model = RB5009UG+S+
/interface bridge
add admin-mac=78:9A:18:CB:16:E5 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=EX3400-SFP
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] name=sgs
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp1 ranges=10.172.12.0/24
add name=dhcp2 ranges=10.172.13.0/24
/ip dhcp-server
add address-pool=dhcp1 interface=bridge lease-time=6h name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=EX3400-SFP
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set secure-redirects=no send-redirects=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.172.12.1/24 comment=defconf interface=bridge network=10.172.12.0
add address=10.172.13.1/24 interface=bridge network=10.172.13.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.172.12.0/24 comment=defconf dns-server=10.172.12.1 gateway=10.172.12.1
add address=10.172.13.0/24 comment=defconf dns-server=10.172.12.1 gateway=10.172.12.1
/ip dns
set allow-remote-requests=yes query-server-timeout=3s servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.172.12.0/24 list=allowed_to_router
add address=10.172.13.0/24 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" disabled=yes in-interface=ether1 port=2201 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1 out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp
/ip firewall service-port
set irc disabled=no
set rtsp disabled=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2201
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=east.us.ntp.org
add address=time.cloudflare.com
/system scheduler
add interval=5m name=ddns_cloudflare on-event="/system script run ddns_cloudflare" policy=read,write,test start-time=startup
/system script
[REDACTED]
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Any reason why you are not using 10.172.12.0/23 ?

So I did try just changing the /24 to a /23 before this and it didn't work either. After thinking about it, I prefer the method I'm currently troubleshooting, though, as I'd prefer not to just keep expanding to a /22, /21 etc. and would rather just deploy additional /24s when I want a new subnet for whatever I decide to put/organize in my network.

I can see one problem:


/ip dhcp-server network
add address=10.172.13.0/24 comment=defconf dns-server=10.172.12.1 gateway=10.172.12.1

In principle, the gateway address has to be within the device’s subnet … so when using 10.172.13.0/24, the gw address should be e.g. 10.172.13.1.
Mind that the DNS server address can be anything; it’s perfectly fine for DNS traffic to be routed to another subnet … although if you’re offering the router’s own DNS service to clients, you could set the DNS server address to the “router’s native address” as well.


And a question: why these two NAT rules?

/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp

And a flaw (I guess due to you trying to figure out the new subnet):

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1 out-interface-list=WAN

No need to use out-interface, out-interface-list works just fine (and your WAN interface list membership is correct).

Thanks for the reply! So, I certainly overlooked having the gateway as 10.172.12.1 and fixed that. I also corrected the flaw. I was taking a second look through my config and noticed I didn’t have the port I was using associated to the bridge port… typically I’d just run everything off the EX3400 switch I have, but since I’m new to MikroTik I’ve been having an issue setting up VLANs and remote access to it… (more like I’ve been delaying actually setting up my GNS3 lab to figure it out instead of breaking the network to troubleshoot it again… lol). Anyhow, I was able to connect after all the above changes.

As for those two NAT rules: it’s been a while since I set this up, but if I remember correctly (and I can certainly test this…) without those, DNS breaks and nothing resolves.

Thanks again for the reply and help!

From the context of the device config posted, these rules are useless … the TCP rule has the potential to rewrite dst-port but actually doesn’t (it acts on packets with destination port 53 and rewrites the destination port to 53 …) while the UDP rule simply does nothing.

The only use case of these two rules that I can identify is to circumvent this rule:

add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1

And if that’s the intention, then you’d better construct an appropriate allow rule instead of this ugly hack.

Looking more intensely at your firewall rules, I’m coming to the conclusion that I don’t particularly like them. I recommend you have a look at the default setup (execute /system/default-configuration/print inside a pretty wide terminal window and scroll down to the /ip firewall section) and do something about your current setup. When going to CHR (which comes with an empty default config) you’ll need something solid to build on.

Maybe this post will be relevant to your situation:
http://forum.mikrotik.com/t/two-dhcp-server-on-one-interface/159709/1
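The two config problems pointed out in the replies above (the second DHCP network handing out a gateway that lies outside its own subnet, and the two dstnat redirect rules that never change the destination port) are easy to miss when scanning a long export by eye. The following Python script is an added example, not code from this thread or from MikroTik: it parses the add/set lines of a RouterOS export (a constructed sample embedded inline that reproduces the relevant lines from the posted config, mistakes included), checks every /ip dhcp-server network gateway against its address, flags redirect rules whose to-ports is missing or equal to dst-port, and also reports the masquerade rule that names both out-interface and out-interface-list. The parser and the check names are my own.

```python
"""Lint a RouterOS export for the issues raised in the thread above."""
import ipaddress
import shlex

# Constructed sample: the relevant slices of the export posted in the thread,
# with the original mistakes left in so the checks have something to find.
SAMPLE_EXPORT = r"""
/ip address
add address=10.172.12.1/24 comment=defconf interface=bridge network=10.172.12.0
add address=10.172.13.1/24 interface=bridge network=10.172.13.0
/ip dhcp-server network
add address=10.172.12.0/24 comment=defconf dns-server=10.172.12.1 gateway=10.172.12.1
add address=10.172.13.0/24 comment=defconf dns-server=10.172.12.1 gateway=10.172.12.1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1 out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp
"""


def parse_export(text):
    """Return a list of (section, {key: value}) for every add/set line.

    Lines ending in a backslash are joined with the next line first, as in
    the multi-line rules of a real export; quoted values such as
    comment="defconf: masquerade" are handled by shlex.
    """
    entries = []
    section = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line            # e.g. "/ip firewall nat"
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                props[key] = value
        entries.append((section, props))
    return entries


def check_dhcp_gateways(entries):
    """Flag DHCP networks whose gateway is not inside the subnet handed out."""
    findings = []
    for section, p in entries:
        if section != "/ip dhcp-server network" or "address" not in p or "gateway" not in p:
            continue
        net = ipaddress.ip_network(p["address"], strict=False)
        if ipaddress.ip_address(p["gateway"]) not in net:
            findings.append(
                f"dhcp network {p['address']}: gateway {p['gateway']} is not inside the subnet")
    return findings


def check_nat_rules(entries):
    """Flag redirect rules that leave the port unchanged (no to-ports, or
    to-ports equal to dst-port) and a masquerade rule that names both
    out-interface and out-interface-list."""
    findings = []
    for section, p in entries:
        if section != "/ip firewall nat":
            continue
        if p.get("action") == "redirect":
            to_ports = p.get("to-ports")
            if to_ports is None or to_ports == p.get("dst-port"):
                findings.append(
                    f"dstnat redirect {p.get('protocol')}/{p.get('dst-port')}: "
                    f"destination port is not changed (no-op)")
        if p.get("action") == "masquerade" and "out-interface" in p and "out-interface-list" in p:
            findings.append(
                f"srcnat masquerade: out-interface={p['out-interface']} is redundant "
                f"with out-interface-list={p['out-interface-list']}")
    return findings


def lint(text):
    """Run every check over an export and return the list of findings."""
    entries = parse_export(text)
    return check_dhcp_gateways(entries) + check_nat_rules(entries)


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print("WARN", finding)
```

Running it against the sample reports four findings: the 10.172.13.0/24 network with gateway 10.172.12.1, both redirect rules, and the masquerade rule; fixing the gateway to 10.172.13.1 clears the DHCP finding. To check a real router, paste the output of `export hide-sensitive` into SAMPLE_EXPORT or read it from a file; the parser ignores sections it does not know about.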

Just had a chance to check and yeah, those rules weren’t doing anything. Might have been a hack for another issue I’ve since resolved… one step at a time learning this vendor!

I followed the First Time Config guide for the current FW, but it appears that guide misses some stuff the default config comes with?? Either way, will add it to the to-do list.

Reading the default firewall at a glance, it essentially, from what I kind of know… reads as any basic home router firewall? Outside of 1 or 2 small changes, the default firewall would almost just drop into my setup fine. Appreciate the guidance; I’d certainly like to have the basic groundwork set up for my firewall before I move forward with some other projects here in the coming week(s).