I have the following scenario that I cannot figure out how to make work.
What I need to do is to connect both LAN 1 and LAN 2 so devices on each network can see each other, and also be able to access both routers' configuration from either side.
These are 2 RB951G-2HnD in the same building. The second router on the right is partially working as an AP extension of the network running on router 1 (LAN 1) on the left, and partially as an independent router with the 2nd ISP and LAN 2 configured on it.
Router 1 on the left
IP address: 192.168.0.0/24
Gateway: 192.168.0.1
DHCP enabled
Wifi SSID: WIFI-NET-A
Router 2 on the right (Port 2 and 3)
IP address: 192.168.0.2
Gateway: 192.168.0.1
DHCP disabled.
Wifi SSID: WIFI-NET-A
Router 2 on the right (Port 4 and 5)
IP address: 192.168.100.0/24
Gateway: 192.168.100.1
DHCP enabled.
Wifi SSID: WIFI-NET-B
I have this setup because I've run some applications in LAN 1 and LAN 2 that need to have a different public IP.
To set up a VPN tunnel between two routers, you need one of the following:
at least one of them has a public IP address on its WAN interface (or on a router through which it is connected to internet, and that router must support port forwarding)
both have global IPv6 addresses
the NATs of both ISPs preserve source ports of outgoing UDP connections unless there is a conflict with an already existing connection
a third router somewhere on a public IP address (a virtual one in a datacenter will do)
The choice of a VPN protocol to use for setting up a tunnel between the routers depends on this information.
Bridging two remote LANs is in general a bad idea. What are the reasons preventing you from routing between them instead? For bridging, you can use EoIP or L2TP with MLPPP and BCP. With RouterOS 7, you can also use VxLAN.
Wireguard will allow that and is a relatively easy VPN to implement, but as sindy says, you need at least one router that has a reachable public IP, or an ISP modem/router with a reachable public IP. In that case the ISP modem/router must have port forwarding capability to your MikroTik behind it (if that's the setup).
I interpreted the question / diagram more literally than the previous 3 posts.
So can you please explain whether these two routers are in the same building and whether what looks like a wire connecting LAN 1 of the two routers is a physical Cat 5 link.
Because if that’s the case, then I don’t think that any sort of VPN is the best solution.
Also provide at least the make and model of the two routers involved. You have a fine diagram (although which ports connect the routers should be specified).
In fact, you should refer to the following and heed the advice if you want good advice.
If these routers are in close proximity with a wired connection between them, can you explain why you want two local subnets (192.168.0.0/24 and 192.168.100.0/24)? BTW, if you ever do plan to use VPN, I would avoid both of those subnets for my internal LANs, but especially the 192.168.1.0/24 subnet, as it is probably used by over 50% of all home routers because it is the default, and most users won't change the defaults. See Default Router IP Address List For Common Wireless Router Brands.
In fact, can you tell us the real problem you are trying to solve, and what led you to ask the question, which seems to me to be of the XY problem sort.
It seems the minimum necessary to achieve your goal would be a static route to 192.168.100.0/24 on the left RB951G and a static route to 192.168.0.0/24 on the right RB951G. And possibly some adjustments to the RB951 firewalls.
Also be aware that if you have Windows clients, you may need to adjust the Windows firewall as well, to allow access from the specific "foreign" subnet (the easy thing may be to just allow all of 192.168.0.0/16).
But if you need more help than the above, for anyone to give you good advice, you will need to post sanitized configs of the Left and Right routers (remove the S/N and use /export hide-sensitive file=). See MikroTik Backup and Restore Procedure (the Text Config Backup section) for example, but use "hide-sensitive", and then edit the output to remove your S/N before posting. Most users here won't play 20 questions to try to extract info; they have more interesting things to do with their free time. Most users here are not MikroTik employees (only the ones with red handles are).
Stab in the dark, but why not just create a second bridge on Router Two and give the bridge a manually chosen IP address on the 192.168.0.0/24 subnet (but outside the dhcp pool) and set statically in the lease (bridgeIPaddress=192.168.0.x). Anything attached to associated bridge ports would be in effect attached to router1.
So as stated the issue becomes how do LAN2 folks reach LAN1 and vice versa.
In this way any traffic originating on one side or the other will be allowed to traverse subnets at Router 2.
You will need the exact same rules on Router 1 but flip the addresses.
In terms of routing, since Router 2 already has both subnets identified on its schema it needs less instruction.
However, router 1 has no knowledge of LAN2 on router two and thus needs to know where to send traffic originating on LAN1 from behind Router1 and any return traffic:
/ip route add dst-address=192.168.100.0/24 gateway=bridgeIPaddress
As @anav notes in post #9, since the right router already has an interface with an IP address in 192.168.0.0/24, it will also have a connected route to 192.168.0.0/24; therefore you won't need to add a static route on the right router for 192.168.0.0/24. If the only DHCP server for 192.168.0.0/24 is on the left router, and if it advertises 192.168.0.1 as the gateway, then devices that get an address from it will use the left router to access the internet.
Note that a PC directly connected to the right router will still go through the left router to get to the 192.168.100.0/24 subnet, for at least the initial connection. If the left router sends ICMP redirects to the client, informing it that there is a more direct route, and the client trusts and accepts the redirects, then most traffic after the initial connection won't have to bounce off the left router. I have never tried it, but you may be able to use DHCP options 121 and 249 to configure static routes on the clients.
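An added example of the option 121/249 idea on the left router (not posted by anyone in this thread): the RFC 3442 classless static route encoding for this thread's subnets, as RouterOS CLI. Parameter names are written from memory of the RouterOS documentation and should be checked with the router's own "?" completion; the default route is repeated inside the option because a client that accepts option 121 ignores the plain router option (option 3).

```routeros
# Added example, not from this thread. Classless static routes for clients on
# 192.168.0.0/24 served by the left RB951G, RFC 3442 encoding:
#   192.168.100.0/24 via 192.168.0.2  -> prefix 0x18, dest c0a864, router c0a80002
#   0.0.0.0/0        via 192.168.0.1  -> prefix 0x00, no dest octets, router c0a80001
# The default route MUST be included: a client that receives option 121 ignores
# option 3, so leaving it out removes the client's internet gateway.
/ip dhcp-server option
add name=classless-121 code=121 value=0x18c0a864c0a8000200c0a80001
# Option 249 is the Microsoft equivalent; same payload layout.
add name=classless-249 code=249 value=0x18c0a864c0a8000200c0a80001
# Attach both options to the existing DHCP network entry for 192.168.0.0/24
# (selected by address rather than by an assumed name).
/ip dhcp-server network
set [ find address=192.168.0.0/24 ] dhcp-option=classless-121,classless-249
# Check: "/ip dhcp-server option print" should list both options; a Windows
# client shows the extra route in "route print" after renewing its lease.
```

Clients that do not request options 121/249 keep using 192.168.0.1 and still need the static route on the left router (and may see ICMP redirects) for 192.168.100.0/24.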
MPLS (/VPLS) is a complex world, with many possibilities.
Here we only use an extremely minimal set! And this is really simple.
This VPLS tunnel is documented in the "RouterOS by Example" books, Stephen Disher. And demonstrated in https://www.wirelessinfo.be/mikrotik-point-to-point-link-eoip-vs-mpls/
But both of these are for ROS6 MPLS. The ROS7 "MPLS Reference" and "MPLS Case Studies" for ROS7 in Help are just empty!
So let me try to transfer those examples in "RouterOS by Example" to the ROS7 menu in WinBox, porting the defaults from ROS6, which are not visibly filled in in ROS7 (but could be the same), just to have the same or identical settings for this MPLS/VPLS tunnel.
Near End of Tunnel (AP)
1. In WinBox, begin by clicking the MPLS button. First you must turn LDP on by clicking the LDP Settings button and enabling LDP.
translates to ROS7: Create LDP Instance.
LSR ID = AP IP address
Path Vector Limit = 255
Hop Limit = 255
2. On the LDP interface tab click the plus sign. Select the interface on which we will create the tunnel, in this case wlan1, and the transport IP address which is the wlan1 IP of this router, 10.0.0.1, and click OK.
translates to:
On the LDP interface tab click the plus sign. Select the interface on which we will create the tunnel, in this case wlan1, and the transport IP address which is the wlan1 IP of this router, 10.0.0.1; set Hello Interval to 00:00:05 and Hold Time to 00:00:15, tick "Accept Dynamic Neighbors" and click OK.
Attention: "Accept Dynamic Neighbors" is not ticked by default in ROS7.
The rest is unchanged:
3. In WinBox, click the MPLS button and select the VPLS submenu button and on the VPLS tab click the plus sign. Set the Remote Peer to the IP address of the remote end's wlan1 interface, in this example, 10.0.0.2. Set the VPLS ID to the default of 0:0 and click OK.
4. Create a new bridge interface by clicking the Bridge button and the plus sign and OK.
5. On the bridge ports tab, click the plus sign and add the LAN interface, in this case ether1. Click the plus sign again and add the vpls1 interface you just created and click OK.
Far End of Tunnel (station)
1. In WinBox, begin by clicking the MPLS button. First you must turn LDP on by clicking the LDP Settings button and enabling LDP.
With the same translations for ROS7:
1. Create LDP Instance.
LSR ID = AP IP address
Path Vector Limit = 255
Hop Limit = 255
2. On the LDP interface tab click the plus sign. Select the interface on which we will create the tunnel, in this case wlan1, and the transport IP address which is the public IP of this router, 10.0.0.2, and click OK.
Same translation as before for ROS7:
On the LDP interface tab click the plus sign. Select the interface on which we will create the tunnel, in this case wlan1, and the transport IP address which is the wlan1 IP of this router, 10.0.0.2; set Hello Interval to 00:00:05 and Hold Time to 00:00:15, tick "Accept Dynamic Neighbors" and click OK.
Attention: "Accept Dynamic Neighbors" is not ticked by default in ROS7.
The rest is again unchanged:
3. In WinBox, click the VPLS button and on the VPLS tab click the plus sign. Set the Remote Peer to the IP address of the remote end's public interface, in this example 10.0.0.1. Set the VPLS ID to the default of 0:0 and click OK.
4. Create a new bridge interface by clicking the Bridge button and the plus sign and OK.
5. On the bridge ports tab, click the plus sign and add the LAN interface, in this case, ether1. Click the plus sign again and add the vpls1 interface you just created and click OK.
The two LANs are now bridged using VPLS. To confirm that LDP is running, click the MPLS button and then the LDP Neighbor tab. You should see the other end of the tunnel displayed.
To confirm that the VPLS tunnel is running, click the Interfaces button, double click the new VPLS interface, and check the status tab. You should see a display of the tunnel details.
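The same near-end steps as a ROS7 CLI script, added here as an example (not from the post above nor from the cited books or site). The ROS6 defaults the post ports over are filled in explicitly; parameter names are written from memory of the ROS7 MPLS documentation and should be checked with "?" on the router before use. The bridge name is my choice.

```routeros
# Added example, not from this thread. Near end (AP, wlan1 IP 10.0.0.1),
# mirroring WinBox steps 1-5 of the post above with ROS6 defaults spelled out.
/mpls ldp instance
add afi=ip lsr-id=10.0.0.1 transport-addresses=10.0.0.1 path-vector-limit=255 hop-limit=255
# accept-dynamic-neighbors=yes lets any LDP speaker heard on wlan1 form a session;
# LDP has no authentication here, so keep it bound to the point-to-point link only.
/mpls ldp interface
add interface=wlan1 transport-addresses=10.0.0.1 hello-interval=5s hold-time=15s \
    accept-dynamic-neighbors=yes
# Step 3: VPLS pseudowire to the far end, VPLS ID left at the default 0:0.
/interface vpls
add name=vpls1 peer=10.0.0.2 vpls-id=0:0 disabled=no
# Steps 4-5: bridge the LAN port with the pseudowire.
/interface bridge
add name=bridge-vpls
/interface bridge port
add bridge=bridge-vpls interface=ether1
add bridge=bridge-vpls interface=vpls1
# Far end (station, 10.0.0.2): identical, with lsr-id/transport-addresses=10.0.0.2
# and peer=10.0.0.1.
# Checks, matching the post's WinBox verification:
#   /mpls ldp neighbor print        -> the far end should be listed as operational
#   /interface vpls monitor vpls1 once -> tunnel details (remote label, status)
```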
I have a project with exactly the same wiring diagram. Only the distance between the offices is much greater.
I have configured redundancy in case of failure of any ISP, both offices will access the Internet through the remaining provider. And in case of failure of the direct line between the offices, a VPN tunnel through the Internet will be used.
You do not write that it does not work now.
From the description it is clear only that, as written above, there must be a route on router 1 to the network of router 2.
/ip route
add distance=1 dst-address=192.168.100.0/24 gateway=192.168.0.2 pref-src=192.168.0.1
Then the networks are available and you can connect to any router from any LAN by its IP.
If after adding the route you will not have access to routers from different LANs, post the configs.