Basic Routing Question

Hey!

I am pretty new to MikroTik (and with fire-walling + routing in general) and have been tasked with setting up a MikroTik CCR2116 for a guest network. Part of my task is to only allow dhcp addresses to reach the gateway & the internet using both the firewall and the routing table. The firewall portion went smoothly, however I can’t figure out how to accomplish the same thing using routes.

I was hoping there would be a source address field so I could do something like the following:
add disabled=no distance=1 src-address=192.168.1.0/24 dst-address=0.0.0.0/0 gateway=64.x.x.x pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

If that were the case, only IP addresses in the 192.168.1.0 network could use the default route. Am I missing a routing option that accomplishes the same thing?

Thanks!

Hi.
I’m not sure what the exact task is.

  1. Only one subnet with DHCP can reach the internet and no other?
    You need a static route 0.0.0.0/0 with gateway 64.x.x.x and two rules in the firewall - first, one which forbids traffic to WAN and, above that, a second one which allows (accepts) 192.168.1.0/24 to WAN. You didn’t mention NAT; I believe you are aware that you need it.
  2. You have a few public IP addresses and one of the subnets with DHCP should reach the internet through a specific public IP?
    You have to mark the packets from 192.168.1.0/24, put them into a “new” routing table and add a static route 0.0.0.0/0 with gateway 64.x.x.x - a route only for the “new” routing table. I did something like that in the past, but I am not so familiar with it as to describe every detail; I don’t remember where you point out the public IP address, but you should find out by looking for “mikrotik mangle”.

If it is another task you have to be more precise in your description.

I’m confused; what do you mean, assigned to a task on a NOT plug-and-play router, with a not-trivial problem, on a subject matter you admit you have no knowledge about?
Is this heaven, and did God ask for any angel to help with his IT woes?

In other words, find your answers here…
https://mikrotik.com/consultants

Now if you are a volunteer guy at a non-profit, that makes much more sense!!
But somehow I hardly think a non-profit would be using a CCR2116…

What you need is a much simpler CCR1009 router and I will gladly switch out with you. :slight_smile:
I will even pre-configure the CCR1009 for your needs.

++++++++++++++++++++++++++++++++++++++++++++

The requirements are poorly stated, and are the expected mumbo jumbo of being stated in half config speak.
Ditch the config speak and focus on explaining.
a. identify the user(s)/device(s) and groups of users/devices including admin
b. identify what traffic flow they should have
c. identify what traffic flow they should not have.

You are a dumbass Anav :laughing: :smiley: Just a short offtop.

Another guess:
3) You need to configure a guest hotspot which is isolated from your production network and goes out through your main gateway router to the internet?

Why don’t you stop playing guessing games, Gremlin… or do you enjoy whack-a-mole?
Musing about some solution without seeing the full config, aka with little context of the config or any real understanding of the requirements, is dumb!!
Unless you’re that good, of course. :slight_smile: There are some here that are annoyingly so.

I have been working for about 8 years in an environment where you hear “do this!” and no one wants to go through the details, so I have to think about “everything” myself (this doesn’t mean only network administration things, but other “systems” like CCTV, network infrastructure, access control, alarms and a bunch of other sh*t). Maybe I’m dumb or maybe it’s some next-level thinking :laughing: I got used to it, my brain works like that these days, my annoyingness was left behind years ago :slight_smile:

Hahah, fair enough.
Well good luck then, I am sure he is in capable hands!

Thanks for the response! Sorry I’m getting back to you late.

  1. Yes, I only want addresses in my DHCP range to reach the internet. I do have NAT set up and working. I can do this if I use the firewall but haven’t figured out how to achieve the same thing using routing.

  2. I haven’t tried marking packets, but that sounds like it might work. I’ll try implementing that and get back to you.

“Another guess:
3) You need to configure a guest hotspot which is isolated from your production network and goes out through your main gateway router to the internet?”

That is exactly what I am trying to do, sorry that wasn’t properly communicated.

If you will provide more information I could be more precise.

  1. Are you configuring a separate router for the guest network? If so, how is it connected to the ISP - directly or through your main gateway?
  2. Are you configuring your main gateway to act also as a hotspot?

In both cases, you should configure a dedicated VLAN for the guest network (a whole VLAN, not an IP range chosen from your production network), which will guarantee network separation (this plus a firewall rule), and in src-nat translate the IP to Guest_Network_WAN_IP.
I don’t know your infrastructure, but if you have a switch somewhere in between the guest computer and your router and you go with a “dedicated IP range from the production network”… the guests will see devices in the production network and nothing will help you deal with it - not any mangling, not any rules!
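To tie the two replies together (the firewall rules plus default route and the mangle/separate-routing-table idea from the first answer, and the dedicated guest VLAN recommended here), the following RouterOS v7 sketch is an added example and is not configuration posted by anyone in the thread. It assumes ether1 is the WAN port, bridge1 carries the LAN trunk, VLAN 100 is the guest VLAN, 192.168.1.0/24 is the guest DHCP range and 64.x.x.x stands in for the ISP gateway; the routing-rule alternative at the end is standard v7 policy routing, also not from the thread.

```routeros
# Added example (not from the thread). Assumed: ether1 = WAN, bridge1 = LAN trunk,
# VLAN 100 = guest VLAN, 192.168.1.0/24 = guest DHCP range, 64.x.x.x = ISP gateway.

# 1. Dedicated guest VLAN with its own address, pool and DHCP server
/interface vlan
add name=vlan100-guest vlan-id=100 interface=bridge1
/ip address
add address=192.168.1.1/24 interface=vlan100-guest
/ip pool
add name=guest-pool ranges=192.168.1.10-192.168.1.250
/ip dhcp-server
add name=guest-dhcp interface=vlan100-guest address-pool=guest-pool lease-time=1h
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
# (dns-server=192.168.1.1 needs "/ip dns set allow-remote-requests=yes" on the router)

# 2. Firewall, forward chain, in the order the first reply describes:
#    accept the guest DHCP range to WAN first, then forbid everything else to WAN,
#    then keep guests away from every other (production) network.
#    If this same router also serves production users, add their accept rules
#    above the drop-to-WAN rule.
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 in-interface=vlan100-guest out-interface=ether1 action=accept comment="guest DHCP range to internet"
add chain=forward out-interface=ether1 action=drop comment="nothing else reaches WAN"
add chain=forward in-interface=vlan100-guest action=drop comment="guests never reach production"

# 3. NAT guests behind the WAN address (the Guest_Network_WAN_IP from this post)
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 action=masquerade

# 4. Routing side: a separate routing table that only the guest subnet can use.
#    Mark guest packets in mangle, then give that table its own default route.
/routing table
add name=guest fib
/ip firewall mangle
add chain=prerouting src-address=192.168.1.0/24 action=mark-routing new-routing-mark=guest passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=64.x.x.x routing-table=guest

# Alternative to the mangle rule (v7 policy routing, not discussed in the thread):
# a routing rule keyed on source address selects the table without marking packets.
# /routing rule
# add src-address=192.168.1.0/24 action=lookup-only-in-table table=guest
```

With the guest route living only in the "guest" table, a host outside 192.168.1.0/24 never matches it, which is the source-address behaviour the original question asked the main table for; the firewall rules still carry the actual enforcement.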