Hi, I have a problem with a configuration on my RB4011iGS+RM. I have a bridge with two networks, 192.168.2.0/24 and 192.168.1.0/24. My problem is that I have internet on the 192.168.2.0/24 network, but the 192.168.1.0/24 network has no internet. What is the problem?
Sorry, my English is bad. In Spanish (translated here):
Hello, I have a problem with the configuration on my RB4011iGS+RM. I have configured a BRIDGE with two networks, 192.168.2.0/24 and 192.168.1.0/24. My problem is that I only have internet access on the 192.168.2.0/24 network, while the 192.168.1.0/24 network has no internet. What is the problem?
This is the configuration:
[XXX@RB4011iGS+RM] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
ADDRESS NETWORK INTERFACE
0 ;;; SALIDA_INT_CLIENTE
192.168.2.1/24 192.168.2.0 BR_LAN
1 ;;; WAN INTERNET
XXX.XXX.XXX.XXX/29 XXX.XXX.XXX.XXX sfp-sfpplus1
2 ;;; GESTION ANTENAS
192.168.1.1/24 192.168.1.0 BR_LAN
BR_LAN is the name of the bridge interface.
[XXX@RB4011iGS+RM] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
15 chain=srcnat action=masquerade src-address=192.168.1.0/24
out-interface=sfp-sfpplus1 log=no log-prefix=""
16 chain=srcnat action=masquerade src-address=192.168.2.0/24
out-interface=sfp-sfpplus1 log=no log-prefix=""
[XXXX@RB4011iGS+RM] > interface bridge print
Flags: X - disabled, R - running
0 R name=“BR_LAN” mtu=auto actual-mtu=1500 l2mtu=1522 arp=enabled arp-timeout=auto mac-address=4C:5E:0C:DA:5B:8E protocol-mode=rstp fast-forward=yes igmp-snooping=no
auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
sindy
November 13, 2019, 5:57am
2
Always export the complete configuration (see my automatic signature right below for a howto), as the mistake is always in the part of the configuration which you don’t show because you think it is not important.
My wild guess is that you haven’t configured a row in /ip dhcp-server network for the 192.168.1.0/24, so the clients in that network do not get the gateway and DNS server addresses.
anav
November 13, 2019, 2:49pm
3
Hello, sir.
Please post your config:
/export hide-sensitive file=yourconfigtoday (any name will do).
It will show up in your files in WinBox; simply download it to your desktop, open it with Notepad++ and then paste it here in a post.
Note. Use the black square symbol above with white square brackets (same line as the Bold Italics underline but to the right) to put your config in a code type format.
Hi Sindy, the clients on the 192.168.0.1/24 network use static IPs, so I don't have a DHCP server configured for them.
sindy
November 13, 2019, 7:02pm
5
In that case, any of the gateway IP, the netmask or the DNS server may be wrong in the manual IP configuration of the clients (I guess it is not the case, I'm just trying to list all possible reasons), or some firewall rules may be blocking the traffic, or some bridge rules, or some routes may be wrong, or there may be an IPsec policy stealing the packets from 192.168.1.0, or some rules before the action=masquerade ones in the dstnat chain may prevent the packets from getting masqueraded… There are so many things which may hide in the part of the configuration you wrongly assume to be unrelated.
So, as you don't want anyone else to show you the exact place in your configuration, run /tool sniffer quick ip-address=9.9.9.9 on the Tik and start pinging 9.9.9.9 from one of the clients in 192.168.1.0/24. If everything worked, you would see the echo request come in via etherX or wlanX and via bridge (as this way you sniff on both the member port of the bridge and on the bridge itself) with a source address of 192.168.1.?, and then leave through sfp1 with the source address of the WAN. Then you would see the responses come back via sfp1 towards the WAN IP, and be forwarded via bridge and then etherX or wlanX with the destination address of 192.168.1.?. Depending on where this ideal picture breaks, you can look into bridge rules, ip firewall rules, routing rules, routes, ipsec policies…
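The four-leg check sindy describes, written out as a small Python classifier over sniffer records. This is an added example, not code from sindy's post or from MikroTik. The records below are constructed by hand and carry only the fields the sniffer shows (interface, direction, source, destination), not its literal print format; the interface names and WAN address are taken from the export posted further down in the thread, and the per-leg hints are an assumption that follows sindy's list of places to look.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Pkt:
    interface: str   # interface the sniffer saw the packet on
    direction: str   # "rx": entering the router, "tx": leaving it
    src: str
    dst: str


# Topology from the export posted in this thread (assumption: ports not listed are not bridge members).
LAN_IFACES = {"BR_LAN", "ETH2", "ETH3", "ETH4", "ETH5", "ETH9", "ETH10"}
WAN_IFACE = "sfp-sfpplus1"
WAN_ADDR = "138.186.23.166"

LEGS = (
    "echo request from the client on a bridge port / BR_LAN",
    "echo request leaving the WAN with the WAN address as source",
    "echo reply arriving on the WAN addressed to the WAN address",
    "echo reply forwarded to the client via BR_LAN / bridge port",
)
# What to inspect when a given leg is the first one missing (assumption, after sindy's list).
HINTS = (
    "the client's gateway/netmask, and whether its port is a BR_LAN member",
    "forward filter rules, srcnat rule order, routes, IPsec policies, hotspot dynamic rules",
    "the upstream provider: the request left correctly and nothing came back",
    "forward/bridge filter rules on the return path",
)


def trace_echo(packets: Iterable[Pkt], client: str, target: str) -> List[Optional[Pkt]]:
    """Return the first packet matching each of the four legs (None where a leg is absent)."""
    seen: List[Optional[Pkt]] = [None] * 4
    for p in packets:
        on_lan = p.interface in LAN_IFACES
        on_wan = p.interface == WAN_IFACE
        if on_lan and p.direction == "rx" and (p.src, p.dst) == (client, target):
            leg = 0
        elif on_wan and p.direction == "tx" and (p.src, p.dst) == (WAN_ADDR, target):
            leg = 1
        elif on_wan and p.direction == "rx" and (p.src, p.dst) == (target, WAN_ADDR):
            leg = 2
        elif on_lan and p.direction == "tx" and (p.src, p.dst) == (target, client):
            leg = 3
        else:
            continue
        seen[leg] = seen[leg] or p
    return seen


def diagnose(packets: Iterable[Pkt], client: str, target: str) -> str:
    packets = list(packets)
    # A request that reaches the WAN still carrying the private source means the
    # srcnat/masquerade rule did not match it; report that before the leg check.
    if any(p.interface == WAN_IFACE and p.direction == "tx" and p.src == client for p in packets):
        return ("request left WAN unmasqueraded (private source): srcnat rule did not match; "
                "check src-address, out-interface and rule order")
    for i, p in enumerate(trace_echo(packets, client, target)):
        if p is None:
            return f"broken at leg {i + 1} ({LEGS[i]}): check {HINTS[i]}"
    return "all four legs present: the round trip works"


# Constructed captures: one working round trip and two ways it can break.
CLIENT, TARGET = "192.168.1.20", "9.9.9.9"
GOOD_TRIP = [
    Pkt("ETH9", "rx", CLIENT, TARGET), Pkt("BR_LAN", "rx", CLIENT, TARGET),
    Pkt(WAN_IFACE, "tx", WAN_ADDR, TARGET),
    Pkt(WAN_IFACE, "rx", TARGET, WAN_ADDR),
    Pkt("BR_LAN", "tx", TARGET, CLIENT), Pkt("ETH9", "tx", TARGET, CLIENT),
]
DROPPED_INSIDE = GOOD_TRIP[:2]                                   # request enters, never leaves
UNMASQUERADED = GOOD_TRIP[:2] + [Pkt(WAN_IFACE, "tx", CLIENT, TARGET)]  # leaves with private source

if __name__ == "__main__":
    for name, cap in (("good", GOOD_TRIP), ("dropped", DROPPED_INSIDE), ("no-nat", UNMASQUERADED)):
        print(f"{name}: {diagnose(cap, CLIENT, TARGET)}")
```

To use it against a real capture, fill the `Pkt` list from the interface, direction and address columns of `/tool sniffer packet print` and call `diagnose` with the client and target addresses you pinged.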
Is your NAT rule configured for both of your networks?
Export your config so we can help you better.
Hi Sindy, this is the config.
/interface bridge
add name=BR_LAN
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no l2mtu=1522 mac-address=
4C:5E:0C:DA:5B:8F name=ETH1
set [ find default-name=ether2 ] advertise=
10M-full,100M-full,1000M-full,10000M-full auto-negotiation=no comment=
"CONEXION ABEL RICARDO" l2mtu=1522 name=ETH2 speed=100Mbps
set [ find default-name=ether3 ] advertise=100M-full comment=
"CONEXION SWITCH 1" l2mtu=1522 mac-address=4C:5E:0C:DA:5B:91 name=ETH3
speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1522 mac-address=4C:5E:0C:DA:5B:8E
name=ETH4 speed=100Mbps
set [ find default-name=ether5 ] l2mtu=1522 mac-address=4C:5E:0C:62:21:60
name=ETH5 speed=100Mbps
set [ find default-name=ether6 ] auto-negotiation=no disabled=yes l2mtu=1598
mac-address=4C:5E:0C:75:7F:B7 name=ETH6 speed=100Mbps
set [ find default-name=ether7 ] disabled=yes l2mtu=1598 mac-address=
4C:5E:0C:75:7F:B6 name=ETH7 speed=100Mbps
set [ find default-name=ether8 ] disabled=yes l2mtu=1598 mac-address=
4C:5E:0C:75:7F:B5 name=ETH8 speed=100Mbps
set [ find default-name=ether9 ] auto-negotiation=no comment="CONEXION TORRE"
l2mtu=1598 name=ETH9
set [ find default-name=ether10 ] auto-negotiation=no comment="CONEXION SALA"
name=ETH10 poe-out=off speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] comment="WAN UFINET" speed=1Gbps
/interface ethernet switch
set 0 name=switch2
set 1 name=switch1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=auto
set 6 default-vlan-id=auto
set 7 default-vlan-id=auto
set 8 default-vlan-id=auto
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=RB450G_R&M
/ip firewall layer7-protocol
add name=FACEBOOK regexp="^.+(facebook.com).*$"
add name=Speedtest regexp="^.+(speedtest.net).*$"
/ip hotspot profile
set [ find default=yes ] login-by=mac,http-chap,mac-cookie
add hotspot-address=192.168.2.1 login-by=mac,http-chap,mac-cookie name=
hsprof1
/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=1d
add name=uprof1 transparent-proxy=yes
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=R&M_DCHP ranges=192.168.2.3-192.168.2.253
add name=VPN ranges=192.168.200.2-192.168.200.4
/ip dhcp-server
add address-pool=R&M_DCHP authoritative=after-2sec-delay disabled=no
interface=BR_LAN lease-time=1h name=dhcp1
/ip hotspot
add address-pool=R&M_DCHP disabled=no idle-timeout=2m interface=BR_LAN name=
hotspot1
/ip hotspot user profile
add address-pool=R&M_DCHP name="1 Dia" rate-limit=3M/3M session-timeout=
23h59m transparent-proxy=yes
add address-pool=R&M_DCHP name="1 Semana" rate-limit=3M/3M session-timeout=
5d23h59m59s transparent-proxy=yes
add address-pool=R&M_DCHP name=“1 Hora” rate-limit=3M/3M session-timeout=1h
transparent-proxy=yes
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU
up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US
up-port=1700
/port
set 0 baud-rate=auto
/ppp profile
set *0 local-address=192.168.200.1 remote-address=VPN
/interface bridge port
add bridge=BR_LAN interface=ETH10
add bridge=BR_LAN interface=ETH9
add bridge=BR_LAN interface=ETH4
add bridge=BR_LAN interface=ETH2
add bridge=BR_LAN interface=ETH3
add bridge=BR_LAN interface=ETH5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface detect-internet
set detect-interface-list=all
/interface list member
add list=discover
add interface=ETH4 list=discover
add interface=ETH1 list=discover
add interface=ETH3 list=discover
add list=discover
add list=discover
add interface=ETH5 list=discover
add list=discover
add list=discover
add list=discover
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.2.1/24 comment=SALIDA_INT_CLIENTE interface=BR_LAN
network=192.168.2.0
add address=138.186.23.166/30 comment="WAN" interface=sfp-sfpplus1
network=138.186.23.164
add address=192.168.1.1/24 comment="GESTION ANTENAS" interface=BR_LAN
network=192.168.1.0
/ip dhcp-server network
add address=192.168.2.0/24 comment="hotspot network" dns-server=192.168.2.1
gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=drop chain=input comment="Bloqueo webproxy externo" dst-port=8080
in-interface=ETH1 protocol=tcp
add action=drop chain=input comment="Bloqueo DNS cache externo" dst-port=53
in-interface=ETH1 protocol=udp
/ip firewall mangle
add action=mark-connection chain=prerouting comment=ICMP disabled=yes
new-connection-mark=ICMP_Conn passthrough=no protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP_Conn disabled=
yes new-packet-mark=ICMP_A passthrough=no
add action=mark-connection chain=prerouting comment=DNS disabled=yes
new-connection-mark=DNS_Conn passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS_Conn disabled=yes
new-packet-mark=DNS_A passthrough=no
add action=mark-connection chain=prerouting comment=FACEBOOK disabled=yes
layer7-protocol=FACEBOOK new-connection-mark=Facebook_Conn passthrough=
yes
add action=mark-packet chain=prerouting connection-mark=Facebook_Conn
disabled=yes new-packet-mark=Facebook_A passthrough=no
add action=mark-connection chain=prerouting comment=QUIC disabled=yes
new-connection-mark=Quic_Conn passthrough=yes port=443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=Quic_Conn disabled=
yes new-packet-mark=Quic_A passthrough=no
add action=mark-connection chain=prerouting comment=WEB disabled=yes
new-connection-mark=Web_Conn passthrough=yes port=80,443 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=Web_Conn disabled=yes
new-packet-mark=Web_A passthrough=no
add action=mark-connection chain=prerouting comment=RESTO disabled=yes
new-connection-mark=Resto_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Resto_Conn disabled=
yes new-packet-mark=Resto_A passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1 src-address=
192.168.1.0/24
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1 src-address=
192.168.2.0/24
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1 src-address=
192.168.200.2-192.168.200.4
/ip hotspot ip-binding
add address=192.168.1.2-192.168.1.254 comment="GESTION ANTENAS" server=
hotspot1 type=bypassed
/ip route
add distance=1 gateway=138.186.23.165
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=1788
set ssh disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system ntp client
set enabled=yes primary-ntp=40.119.6.228 secondary-ntp=13.65.245.138
/system ntp server
set multicast=yes
/system resource irq rps
set ETH4 disabled=no
set ETH1 disabled=no
set ETH2 disabled=no
set ETH3 disabled=no
set ETH5 disabled=no
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool e-mail
set address=74.125.141.108 from=rymcommunications@gmail.com port=587
start-tls=yes user=rymcommunications
/tool graphing interface
add
add
/tool graphing queue
add
/tool graphing resource
add
/tool romon
set enabled=yes
/tool user-manager database
set db-path=user-manager
Hello, yes of course, both networks are configured for internet access. If I assign one of the two to an individual interface, I get internet on both networks; however, when I assign both networks to the BRIDGE I only get internet on the 192.168.2.0/24 network. Here is the configuration.
sindy
November 13, 2019, 11:00pm
9
No need to post the configuration twice
I cannot see anything except that you use hotspot on the bridge, and although you’ve set the exception for 192.168.1.2-192.168.1.254, it may not work as you expect. Check the firewall rules dynamically created by the hotspot. I never use the hotspot functionality so I do not feel competent to advise on it.
Other than that, your firewall is terribly leaky.
What do you advise me to improve the firewall?
sindy
November 14, 2019, 11:28am
11
See this recent post on the same subject. Ask related questions here if any remain.
Specifically for your setup, PPTP is a parody of a VPN these days (the security mechanisms used are far too weak). Clients which support PPTP also support L2TP over IPsec, and although the setup is equally simple at both ends (the Tik and the Windows/Android/macOS client), the level of security is much higher.
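The checks raised across this thread, gathered into one script that lints a RouterOS `/export`: sindy's guess that 192.168.1.0/24 has no `/ip dhcp-server network` row, the question of whether a srcnat rule covers both subnets, sindy's remark that the hotspot on BR_LAN may not honour the bypass binding as expected, and the later advice on the leaky forward chain and on PPTP. This is an added example, not code from any poster or from MikroTik. Assumptions: the export format is RouterOS's own (long commands wrapped with a trailing backslash and indented continuation lines); the srcnat `out-interface` is taken to be the WAN; the DHCP-served subnet on the hotspot interface is taken to be the one meant to be captive; the sample export is a trimmed copy of the one posted above, constructed here; and the L2TP/IPsec and forward-chain commands in the messages are suggested replacements, not anything the thread itself configures.

```python
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (level, code, message)

def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each menu path ('/ip address', ...) to its add/set entries as key -> value dicts."""
    cmds, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        cont = line.endswith("\\")             # /export wraps long commands with a trailing backslash
        part = line[:-1] if cont else line
        buf += part.lstrip() if buf else part  # continuation lines are indented
        if not cont:
            cmds.append(buf)
            buf = ""
    cfg: Dict[str, List[Dict[str, str]]] = {}
    menu = ""
    for cmd in cmds:
        if cmd.startswith("/"):
            menu = cmd
            cfg.setdefault(menu, [])
            continue
        # shlex keeps quoted values such as comment="a b" together; drop the add/set verb
        entry = dict(tok.split("=", 1) for tok in shlex.split(cmd)[1:] if "=" in tok)
        cfg.setdefault(menu, []).append(entry)
    return cfg

def span(spec: str) -> Tuple[int, int]:
    """First and last address, as ints, of a CIDR, a single address or an 'a.b.c.d-e.f.g.h' range."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def covers(spec: Optional[str], net: ipaddress.IPv4Network) -> bool:
    """True if a rule's src-address (None = any) contains the whole subnet."""
    lo, hi = span(spec) if spec else (0, 2**32 - 1)
    return lo <= int(net.network_address) and hi >= int(net.broadcast_address)

def overlaps(spec: str, net: ipaddress.IPv4Network) -> bool:
    lo, hi = span(spec)
    return lo <= int(net.broadcast_address) and hi >= int(net.network_address)

def lint(export_text: str) -> List[Finding]:
    cfg = parse_export(export_text)
    out: List[Finding] = []
    nat = [e for e in cfg.get("/ip firewall nat", []) if e.get("chain") == "srcnat"]
    wan_ifaces = {e["out-interface"] for e in nat if "out-interface" in e}  # assumption: srcnat out-interface is the WAN
    dhcp_nets = {e.get("address") for e in cfg.get("/ip dhcp-server network", [])}
    lan: Dict[str, List[ipaddress.IPv4Network]] = {}
    for a in cfg.get("/ip address", []):
        if a.get("interface") in wan_ifaces:
            continue
        net = ipaddress.ip_network(a["address"], strict=False)
        lan.setdefault(a["interface"], []).append(net)
        if not any(e.get("action") in ("masquerade", "src-nat") and covers(e.get("src-address"), net) for e in nat):
            out.append(("error", "nat-missing", f"{net} on {a['interface']}: no srcnat rule covers it"))
        if str(net) not in dhcp_nets:
            out.append(("note", "dhcp-network-missing", f"{net} on {a['interface']}: no /ip dhcp-server network row, "
                        f"so static clients must carry gateway {a['address'].split('/')[0]} and a DNS server themselves"))
    bypass = [b for b in cfg.get("/ip hotspot ip-binding", []) if b.get("type") == "bypassed" and "address" in b]
    for hs in cfg.get("/ip hotspot", []):
        for net in lan.get(hs.get("interface", ""), []):
            if str(net) in dhcp_nets:  # assumption: the DHCP-served subnet is the one meant to be captive
                continue
            ok = any(overlaps(b["address"], net) for b in bypass)
            state = ("a bypassed ip-binding covers it; confirm with /ip hotspot host print and /ip firewall filter print dynamic"
                     if ok else "no bypassed ip-binding covers it, so its clients are captive")
            out.append(("warn", "hotspot-bypass", f"hotspot {hs.get('name')} on {hs['interface']} also intercepts {net}: {state}"))
    if any(s.get("enabled") == "yes" for s in cfg.get("/interface pptp-server server", [])):
        out.append(("error", "pptp-enabled", "PPTP (MS-CHAPv2 + MPPE) is broken; suggested replacement: /interface pptp-server "
                    "server set enabled=no ; /interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret=<strong secret>"))
    if not any(f.get("chain") == "forward" for f in cfg.get("/ip firewall filter", [])):
        out.append(("error", "no-forward-policy", "no forward-chain rules, so everything routable is forwarded; add at "
                    "least accept established,related / drop invalid / drop new in-interface=<WAN>"))
    return out

# Constructed sample: a trimmed copy of the export posted in this thread, with /export's backslash wrapping.
SAMPLE_EXPORT = r"""
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.2.1/24 comment=SALIDA_INT_CLIENTE interface=BR_LAN network=192.168.2.0
add address=138.186.23.166/30 comment="WAN" interface=sfp-sfpplus1 network=138.186.23.164
add address=192.168.1.1/24 comment="GESTION ANTENAS" interface=BR_LAN \
    network=192.168.1.0
/ip dhcp-server network
add address=192.168.2.0/24 comment="hotspot network" dns-server=192.168.2.1 gateway=192.168.2.1
/ip hotspot
add address-pool=R&M_DCHP disabled=no idle-timeout=2m interface=BR_LAN name=\
    hotspot1
/ip hotspot ip-binding
add address=192.168.1.2-192.168.1.254 comment="GESTION ANTENAS" server=hotspot1 type=bypassed
/ip firewall filter
add action=drop chain=input comment="Bloqueo DNS cache externo" dst-port=53 in-interface=ETH1 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1 src-address=192.168.2.0/24
"""

if __name__ == "__main__":
    for level, code, msg in lint(SAMPLE_EXPORT):
        print(f"[{level}] {code}: {msg}")
```

Run it on the real file produced by `/export hide-sensitive file=...` by passing that file's contents to `lint`. On the sample it reports no missing NAT rule (both subnets are masqueraded, which matches what the poster says), notes the missing DHCP network row for 192.168.1.0/24, warns that the hotspot on BR_LAN also intercepts that subnet, and flags the absent forward-chain policy and the enabled PPTP server.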
Hi Sindy, at this moment the 192.168.1.0/24 network has access to the internet, but I have not made any changes to the configuration.