[Beginner] Two subnets see each other without firewall; virtual IP

Hello, I have two VLANs with two subnets - 192.168.0 (0) and 192.168.1 (1).
I have a printer in 0 and configured firewall rules so that the printer can be accessed from 1.
However, today I noticed that I can ping IPs in 0 from 1, which I shouldn't be able to. I tried to disable that firewall rule for the printer and it still could be pinged from 1. How? I can also access my webserver running on 0.24 from subnet 1 even though it's not routed nor forwarded to that subnet. What can be set wrong?
(I cannot ping 0.20, 0.23, but I can ping 0.21, 0.22, 0.24 even though the firewall allow rule is only for 0.21.)
I also noticed that Bytes and Packets in that firewall rule are constantly 0, so it's somehow going around that rule.

I hope you understand my problem. I can try to explain better if you’d want to.

And a second question - how can I make a virtual IP 192.168.1.25 and route the smart TV from 192.168.0.25 to it? The Android app for it is hard coded to search only its own subnet, so I need to make that TV on 0.25 visible also as 1.25.

A router tries to route everything it knows how to; give it two or more connected subnets and it will route between them automatically.

And it would be much more useful if you posted what you've actually done in terms of config, because now we can only guess. You can do:

/export hide-sensitive file=my_config

and then post the content of resulting file here in code tag.

Thank you for the reply! Well, I thought that two subnets are separated by default. That's news to me.

Here is my config, I only removed a lot of port forwards (like webserver, game server etc.).
There are also the firewall and NAT settings I tried in order to make the Smart TV visible in the second subnet.

Btw. I am not a MikroTik pro, I was setting it up by reading some internet tips & tutorials - I have an interest in IT and networking, so I am learning like this :) So there can be a lot of mistakes.

# sep/04/2018 20:21:16 by RouterOS 6.40.4
# software id = ZWC4-Z69D
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6F1207E05CB9
/interface bridge
add admin-mac=64:D1:54:97:81:25 auto-mac=no comment=defconf name=bridge
add name=bridge_vlan10
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=admin_pass supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=guest_pass \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan1_2g \
    security-profile=admin_pass ssid="WiFi - admin" \
    wireless-protocol=802.11
add disabled=no mac-address=66:D1:54:97:81:2B master-interface=wlan1_2g name=\
    wlan1_guest security-profile=guest_pass ssid="WiFi" vlan-id=10 \
    vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge name=wlan2_5g security-profile=admin_pass ssid=\
    "WiFi - admin" wireless-protocol=802.11
/interface vlan
add interface=wlan1_guest name=vlan10 vlan-id=10
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge_vlan10 lease-time=5m \
    name=dhcp1
/queue simple
add max-limit=6M/6M name=guest_limit target=192.168.1.0/24
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1_2g
add bridge=bridge comment=defconf interface=wlan2_5g
add bridge=bridge_vlan10 interface=wlan1_guest
add bridge=bridge_vlan10 interface=vlan10
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2-master network=\
    192.168.0.0
add address=10.62.66.33/24 interface=ether1 network=10.62.66.0
add address=192.168.1.1/24 interface=bridge_vlan10 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.0.21 client-id=1:d8:49:2f:ca:5b:77 comment=\
    "Canon Printer" mac-address=D8:49:2F:CA:5B:77 server=defconf
add address=192.168.0.20 always-broadcast=yes client-id=1:4c:cc:6a:7:5:a8 \
    comment="TheSpixxyQ PC" mac-address=4C:CC:6A:07:05:A8 server=defconf
add address=192.168.0.23 always-broadcast=yes client-id=1:30:7:4d:ab:f0:ac \
    comment="Galaxy S8" mac-address=30:07:4D:AB:F0:AC server=defconf
add address=192.168.0.24 comment="Server Ubuntu" mac-address=\
    DC:0E:A1:B4:EE:9C server=defconf
add address=192.168.0.22 comment="Raspberry Pi" mac-address=B8:27:EB:15:C1:A8 \
    server=defconf
add address=192.168.0.25 client-id=1:cc:6e:a4:58:d2:5b comment="Samsung TV" \
    mac-address=CC:6E:A4:58:D2:5B server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=forward dst-address-list=192.168.1.0/24 \
    src-address-list=192.168.0.0/24
add action=accept chain=forward comment="share printer between vlans" \
    dst-address-list=192.168.1.0/24 src-address-list=192.168.0.21/32
add action=accept chain=forward dst-address-list=192.168.0.21/32 \
    src-address-list=192.168.1.0/24
add action=accept chain=forward comment="share tv between vlans" \
    dst-address-list=192.168.1.0/24 src-address-list=192.168.0.25/32 \
    src-address-type=""
add action=accept chain=forward dst-address-list=192.168.0.25/32 \
    dst-address-type="" src-address-list=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.1.25 \
    to-addresses=192.168.0.25
add action=src-nat chain=srcnat disabled=yes src-address=192.168.0.25 \
    to-addresses=192.168.1.25
/ip route
add distance=1 gateway=10.62.66.1
/system clock
set time-zone-name=Europe/Prague
/system ntp client
set enabled=yes primary-ntp=65.182.224.60 secondary-ntp=216.129.110.22
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
  1. Options src/dst-address-list expect the name of a list defined in "/ip firewall address-list", so in your case it would be e.g. a list named "192.168.1.0/24", and you have no such thing. If you want to use an address/network directly, you want the src/dst-address option. In other words, most of your rules in the forward chain currently don't do anything.

  2. Order of rules matters. So even if you fix 1), then e.g. this won't be good:

add action=drop   chain=forward dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.0.21/32

because anything from 192.168.1.0/24 to 192.168.0.21 won't ever get to the second rule; it will be blocked by the first one. Move the drop rule to the end of the chain.

  3. When allowing access from one subnet to specific devices in another, you need to allow only this direction. Reply packets will be allowed automatically by the accept rule for connection-state=established at the beginning.

  4. Unless you plan to extend vlan 10 to other devices in the network, you can get rid of it completely and use the wlan1_guest interface directly.

  5. Dstnat for the TV currently can't work, because other devices in the .1 subnet will expect .1.25 to be reachable directly, i.e. they will send an ARP request… and get no reply, because there's no .1.25. Just add this address to the router:

/ip address
add address=192.168.1.25/24 interface=bridge_vlan10

It would also be good to exclude .25 from the DHCP pool.
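Putting the points above together, this is what the posted forward chain and TV alias would look like after the fixes. It is an added example written for this thread, not config from the poster or from MikroTik; it assumes the defconf accept established,related and drop invalid rules stay above these in the forward chain as in the export, and that the posted address-list rules (L124-134 of the export) are removed rather than kept alongside. Rule comments are my own placeholders.

```routeros
# Forward chain rewritten per the reply (added example, not the poster's config).
# - src-address/dst-address instead of the address-list options
# - only the guest -> device direction is accepted; replies are matched by
#   the defconf "accept established,related" rule that sits above these
# - the subnet-wide drops come LAST, because the first matching rule wins
/ip firewall filter
add action=accept chain=forward comment="guest -> printer" \
    src-address=192.168.1.0/24 dst-address=192.168.0.21
# The TV accept matches 192.168.0.25, not 192.168.1.25: the forward chain
# runs after dstnat has already rewritten the destination address.
add action=accept chain=forward comment="guest -> tv (post-dstnat)" \
    src-address=192.168.1.0/24 dst-address=192.168.0.25
add action=drop chain=forward comment="guest -> LAN: drop everything else" \
    src-address=192.168.1.0/24 dst-address=192.168.0.0/24
add action=drop chain=forward comment="LAN -> guest: drop everything else" \
    src-address=192.168.0.0/24 dst-address=192.168.1.0/24

# Virtual IP for the TV: the router must own 192.168.1.25 so it answers ARP
# on the guest side; the (currently disabled) dstnat rule then maps it to
# the real TV. Here the existing rule from the export is enabled by matching
# on its dst-address rather than adding a duplicate.
/ip address
add address=192.168.1.25/24 interface=bridge_vlan10 comment="TV alias"
/ip firewall nat
set [ find dst-address=192.168.1.25 ] disabled=no

# Keep DHCP from ever handing 192.168.1.25 to a guest client.
/ip pool
set [ find name=dhcp_pool1 ] \
    ranges=192.168.1.2-192.168.1.24,192.168.1.26-192.168.1.254
```

After applying, the packet/byte counters on the "guest -> printer" rule should start increasing when a guest client prints, which is the quickest way to confirm the rules are actually being hit.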

Thank you! It works now, but I can only ping that TV; I cannot cast to it nor connect from the Android remote application, it says that the TV has to be connected on the same network.
I read some ChromeCast forums and they said that UPnP, multicast and IGMP should be enabled. Can this be the issue? How can I do that?

You should upgrade your device to 6.40.9 or 6.42.7
You are at risk with this old version.

I'm afraid I won't help you with this. So far I managed to live without needing to do anything extra related to multicast, so I don't really know much about it.

Thank you, I upgraded.

Well, that’s bad, but thank you. I hope somebody with multicast knowledge will find this thread