Good day,
I have 2 Bridges configured:
MAIN_HOUSE bridge: ether 1-2 are bridged on Subnet 192.168.1.0/24 (with Mikrotik static IP at 192.168.1.10).
Ether1 is connected to a switch which connects many computers and a Router (192.168.1.20) that is the Internet gateway and the DHCP server for the subnet with a pool between 192.168.1.25-192.168.1.75
Ether2 is connected to a Wifi Router 192.168.1.21 that is configured as a simple relay. (All computers in range are connected to that wifi)
GUEST bridge: ether 3-5 are bridged on Subnet 192.168.88.0/24 (with Mikrotik static IP at 192.168.88.1).
Mikrotik is the DHCP server and Hotspot for this subnet with a pool between 192.168.88.50-192.168.88.254
Ether5 is connected to a Wifi Router that is given a DHCP IP by the Mikrotik (currently 192.168.88.248) and that is configured as a simple relay. (All guests connect through that)
The hotspot profile uprofile1 limits all connections to 512K/512K DOWN/UP respectively and 200MB, renewable every 23h.
WHAT WORKS: The hotspot works for my guests, and my internet works for all my house and guest computers!
WHAT I WANT: I want my subnet 192.168.1.0/24 to be able to ping and connect to 192.168.88.0/24. However, 192.168.88.0/24 should not be able to ping 192.168.1.0/24.
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
2 D chain=input action=jump jump-target=hs-input hotspot=from-client
3 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
4 D chain=hs-input action=jump jump-target=pre-hs-input
5 D chain=hs-input action=accept protocol=udp dst-port=64872
6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
7 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
8 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
10 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
11 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough log=no log-prefix=""
12 chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.1.0/24 connection-state=established,related
13 chain=forward action=drop src-address=192.168.88.0/24 dst-address=192.168.1.0/24 connection-state=invalid,new
14 chain=input src-address=192.168.88.0/24 dst-address=192.168.1.10
15 chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.88.0/24 connection-state=invalid,established,related,new
*RULES 12-15 were inserted to allow traffic for 192.168.1.0/24 → 192.168.88.0/24 and block it the other way
[admin@MikroTik] > /ip route print
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.1.20 1
1 ADC 192.168.1.0/24 192.168.1.10 MAIN_HOUSE 0
2 ADC 192.168.88.0/24 192.168.88.1 GUEST 0
Now, WHAT IS FUNNY AND DOESN’T WORK AS EXPECTED:
-My mikrotik can't ping its own host on the 88.0/24 subnet:
[admin@MikroTik] /ip hotspot host> print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER IDLE-TIMEOUT
0 H 24:A4:3C:FC:DD:CC 192.168.88.248 192.168.88.248 hotspot1 5m
[admin@MikroTik] > ping 192.168.88.248
SEQ HOST SIZE TTL TIME STATUS
0 192.168.88.248 timeout
1 192.168.88.248 timeout
sent=2 received=0 packet-loss=100%
-My computer (192.168.1.29) can ping 192.168.1.10 but can’t ping 192.168.88.1
-My computer's "tracert 192.168.88.1" goes out via my internet router gateway! And tries to find 192.168.88.1 on my ISP's network!
Where am I going wrong?
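Added example (not part of the original post, and not the poster's configuration): a RouterOS script that states the one-way policy the post asks for, plus the two things the symptoms above point at. The firewall rules use the subnets, interfaces and router address given in the post; every action is written out explicitly, because a filter rule added without action= defaults to accept in RouterOS, and rule 14 in the paste shows none. The ip-binding line uses the MAC from the hotspot host table: with the dynamic rules shown, an echo reply from an unauthorized hotspot client enters the input chain, is jumped to hs-unauth and rejected by rule 9, so a relay AP the router itself needs to reach has to be bypassed. The trailing comments cover the return route: the tracert result means the PC's default gateway (192.168.1.20) has no route for 192.168.88.0/24, which the MikroTik cannot fix from its own route table. The comment strings and the choice to drop rather than reject are assumptions.

```routeros
# Added example, not the original poster's config. Addresses and interface
# names come from the post; comments and actions are this example's choices.

/ip firewall filter
# guest -> house: only replies to sessions the house side opened
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.1.0/24 \
    connection-state=established,related action=accept \
    comment="guest->house: return traffic only"
# guest -> house: nothing new may be initiated from the guest side
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.1.0/24 \
    connection-state=new,invalid action=drop \
    comment="guest->house: drop new connections"
# house -> guest: house may open anything toward the guest subnet
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.88.0/24 \
    action=accept comment="house->guest: allow"
# guests must not reach the router's MAIN_HOUSE address either;
# action written explicitly (an omitted action= means accept)
add chain=input src-address=192.168.88.0/24 dst-address=192.168.1.10 \
    action=drop comment="guest->router house IP: drop"

/ip hotspot ip-binding
# Let the relay AP (MAC from the hotspot host table in the post) skip
# hotspot authentication so the router can ping/manage it. Wireless
# clients behind it keep their own MACs and still get the login page.
add mac-address=24:A4:3C:FC:DD:CC type=bypassed \
    comment="guest relay AP: bypass hotspot"

# Routing (assumption, outside RouterOS): hosts on 192.168.1.0/24 use
# 192.168.1.20 as default gateway, and that router has no route for
# 192.168.88.0/24, which is why tracert leaves toward the ISP. Either add
# a static route on 192.168.1.20 for 192.168.88.0/24 via 192.168.1.10, or
# on a Windows PC, as administrator:
#   route -p add 192.168.88.0 mask 255.255.255.0 192.168.1.10
```

Apply the filter rules above the hotspot's dynamic rules in the forward chain are not affected by ordering here, because the dynamic hs-unauth rules only match unauthenticated hotspot clients; the static rules decide what authenticated guests may reach. After adding the route, re-run tracert from 192.168.1.29 and confirm the first hop is 192.168.1.10.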