Allow LAN to LAN routes

Hello,

This is the first time I’m playing with MikroTik and I need help.

I have the following diagram:

ISP Router (ISP ip/29) → MikroTik (10.10.10.0/24) → Eero Mesh (192.168.4.0/22)

I want to make a bi-directional connection between my MikroTik and the Eero's network. So far I have added route addresses for the 4.0/22 network, and I can only ping/ssh from the MikroTik to the Eero, not the other way around.

How do I accomplish this setup?

Here:

# jan/20/2021 18:23:52 by RouterOS 6.48
/interface bridge
add admin-mac=B8:69:F4:9F:CC:8D auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="LAN MGMT POOL" ranges=10.10.10.10-10.10.10.19
add comment="LAN HANDOUTS" name="LAN HANDOUTS" ranges=10.10.10.10-10.10.10.200
/ip dhcp-server
add address-pool="LAN MGMT POOL" bootp-support=dynamic disabled=no interface=bridge lease-time=1d10m name="LAN DHCP"
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2
add bridge=bridge comment=defconf hw=no interface=ether3
add bridge=bridge comment=defconf hw=no interface=ether4
add bridge=bridge comment=defconf hw=no interface=ether5
add bridge=bridge comment=defconf hw=no interface=sfp-sfpplus1
add interface=ether6
add interface=ether7
add interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=LAN interface=bridge list=LAN
add comment=WAN interface=ether1 list=WAN
/ip address
add address=10.10.10.1/24 comment="LAN Addresses" interface=ether2 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.10.10.2 client-id=ff:eb:d3:74:d8:0:1:0:1:26:bc:51:a3:b8:27:eb:d3:74:d8 comment=PiHole mac-address=B8:27:EB:D3:74:D8 server="LAN DHCP"
add address=10.10.10.3 comment="EERO 1" mac-address=74:B6:B6:A1:37:C0 server="LAN DHCP"
/ip dhcp-server network
add address=10.10.10.0/24 comment=LAN dns-server=10.10.10.2 domain=lan gateway=10.10.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.10.10.2,0.0.0.0,94.140.14.140,94.140.14.141
/ip dns static
add address=10.10.10.1 name=router.lan
add address=10.10.10.2 comment="raspberrypi with pihole" name=raspberrypi
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=dstnat dst-address=192.168.4.0/22 in-interface=all-ethernet
/ip route
add comment="Eero Network" distance=1 dst-address=192.168.4.0/22 gateway=bridge
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Toronto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Please help.

Hi,

Do you really need to have 2 separate networks?
If you only have 1 router and 3 Eero Mesh units on your network (with other devices like wireless clients connected to them), maybe it would be easier for you to have only 1 network to manage?
And then have the router on the 192.168.4.0/22 network, or the opposite, the mesh network on 10.10.10.0/24?

If not, it is possible to communicate between your networks, but you have to specify a route to get access to 192.168.4.0/22 from 10.10.10.0/24 and a route to 10.10.10.0/24 from 192.168.4.0/24. But does the Eero Mesh have routing capabilities? You need L3 functionality to accomplish this.

I would agree: configure the EeroMesh device that has a wired connection simply as an access point, and let the MT handle the router functions.
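
The condition raised in the replies (a route toward 192.168.4.0/22 on the 10.10.10.0/24 side, a path back, and a device in between that actually routes) can be checked with a small routing-table model. This is an added example, not part of any post in the thread: 192.168.4.1, 192.168.4.50, the `forwards` flag and the use of the Eero's 10.10.10.3 lease as a next hop are assumptions (the posted export uses `gateway=bridge`).

```python
import ipaddress

# Constructed model of the thread's topology. 10.10.10.1/.2/.3 appear in the
# posted export; 192.168.4.1, 192.168.4.50 and "forwards" are assumptions.
PIHOLE, EERO_CLIENT = "10.10.10.2", "192.168.4.50"

def make_topology(mikrotik_static=True, eero_forwards=True):
    return {
        "mikrotik": {"addrs": ["10.10.10.1/24"], "forwards": True,
                     "routes": {"192.168.4.0/22": "10.10.10.3"} if mikrotik_static else {}},
        "eero": {"addrs": ["10.10.10.3/24", "192.168.4.1/22"],
                 "forwards": eero_forwards,  # False models a device without L3 routing
                 "routes": {"0.0.0.0/0": "10.10.10.1"}},
    }

def lookup(router, dst):
    """Longest-prefix match: returns 'connected', a next-hop IP, or None."""
    dst = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_interface(a).network, "connected") for a in router["addrs"]]
    table += [(ipaddress.ip_network(n), gw) for n, gw in router["routes"].items()]
    hits = [(net.prefixlen, hop) for net, hop in table if dst in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def owner(topo, ip):
    """Name of the modelled router that holds `ip` on an interface, else None."""
    for name, router in topo.items():
        if any(str(ipaddress.ip_interface(a).ip) == ip for a in router["addrs"]):
            return name
    return None

def trace(topo, first_router, dst, max_hops=8):
    """Follow a packet handed to `first_router`; return (delivered, path)."""
    path, name = [], first_router
    for _ in range(max_hops):
        path.append(name)
        if not topo[name]["forwards"]:
            return False, path          # device on the path does not route
        hop = lookup(topo[name], dst)
        if hop == "connected":
            return True, path           # destination is on an attached subnet
        name = owner(topo, hop) if hop else None
        if name is None:
            return False, path          # no route, or next hop outside the model
    return False, path                  # hop limit reached: routing loop

def bidirectional(topo):
    """(10.10.10.0/24 -> 192.168.4.0/22 delivered, reverse delivered)."""
    return trace(topo, "mikrotik", EERO_CLIENT)[0], trace(topo, "eero", PIHOLE)[0]
```
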