I have 2 Mikrotik Routers running 2 separate networks with individual internet connections in the same building. Now I want to connect them with an ethernet cable to give access vice versa to specific network resources on their IP ranges (printers, NAS, IP Cams and Home automation servers with UDP communication). I should be flexible in the future to easily add and remove access to certain IP addresses, I guess through firewall rules. How do I configure this step by step?
One Mikrotik router is a RB2011UiAS on 192.168.88.1 running the network 192.168.88.0/24 with DHCP range 192.168.88.60-200.
The other Mikrotik router is a RB750GR-3 on 192.168.91.1 running the network 192.168.91.0/24 with DHCP range 192.168.91.60-200.
The WAN interface is ETH1 on both. I would like to connect the networks through ETH2 of each Router.
At its most basic, this is simply a case of connecting the two ether2 interfaces with a cat5/6 cable, setting an IP address in the same subnet on either end of the cable, and sticking some routes in each. Using a /30 address somewhere in the 10.x.x.x Class A would allow you to make it look different enough to make sense when you’re looking at the IP addresses on both ends.
For example, if you use 10.0.0.0/30 as the PtP subnet, router 1 would have 10.0.0.1/30 on ether2 and router 2 would have 10.0.0.2/30 on its ether2.
From that point it’s a case of setting static routes to the other LAN subnet through the remote IP on the PtP link and firewalling appropriately.
This may not have explained it very well, let me know if I should try again.
Similarly, the IP address of router1 shows in the reverse traceroute.
The suggestion above becomes impractical if there are more than 2 routers connected to the “routing network” (e.g. there’s a switch connecting router1, router2, router3, …) because each router would need separate route config lines for each of its neighbours.
To be clear then, and to answer the final bit: for firewall rules, do we state
allow source-address=192.168.88.0/24 dst-address=192.168.91.0/24 on the RB750G
allow source-address=192.168.91.0/24 dst-address=192.168.88.0/24 on the RB2011
or on both do we state
allow source-address=10.0.0.0/30 dst-address=192.168.91.0/24 on the RB750G
allow source-address=10.0.0.0/30 dst-address=192.168.88.0/24 on the RB2011
Yes. One way or another we actually have to deal with both directions. The default firewall (with its final rule dropping everything from WAN unless dst-nated) will allow inter-LAN traffic, so we would need drop rules if traffic is not to be allowed in full. Unless we add ether2 to the WAN interface list (a bad idea since it’ll cause that traffic to be SRC-NATed).
So basically firewall rules highly depend on context and it is impossible to tell the correct rules without knowing the rest of the rules (each and every one).
Captain obvious
Of course I was assuming drop all rule at the end of the forward chain, otherwise default rules do not prevent any LAN to LAN traffic at layer 3.
My question strictly pertained to the use or non-use of 10.0.0.0/30 and, as noted, it’s (transparent).
If we did any sort of src-nat we’d need to reference the 10.x.x.x IPs in the Firewall rules, but with just plain routing it’s not required as the src addresses are the “other” LAN subnet in each case.
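A worked configuration for the original poster’s two routers, added here as an example (not code from any post in this thread): the 10.0.0.0/30 point-to-point link suggested above, one static route per side, and forward-chain rules that match the LAN subnets rather than the /30, since with plain routing the /30 never appears as a source address. Interface names, the address-list names and the sample resource addresses are assumptions; RouterOS v6 syntax.

```routeros
# Added example, not from any post in this thread. Assumes ether1 = WAN,
# ether2 = the cable between the routers, and RouterOS v6 syntax.
# Sample resource addresses are constructed placeholders.

# ===== RB2011 (LAN 192.168.88.0/24) =====
# ether2 must be a routed port, not a member of the default LAN bridge.
/interface bridge port remove [find interface=ether2]
/ip address
add address=10.0.0.1/30 interface=ether2 comment="PtP link to RB750Gr3"
/ip route
add dst-address=192.168.91.0/24 gateway=10.0.0.2 comment="other LAN via PtP"
/ip firewall address-list
add list=shared-here address=192.168.88.10 comment="printer (constructed)"
add list=shared-here address=192.168.88.20 comment="NAS (constructed)"
add list=shared-there address=192.168.91.30 comment="IP cam on other LAN"
/ip firewall filter
# Rules match the LAN subnets, never 10.0.0.0/30: with plain routing the
# source of inter-LAN traffic is the remote LAN subnet itself.
add chain=forward action=accept in-interface=ether2 \
    src-address=192.168.91.0/24 dst-address-list=shared-here \
    comment="other LAN -> listed resources here"
add chain=forward action=accept out-interface=ether2 \
    src-address=192.168.88.0/24 dst-address-list=shared-there \
    comment="our LAN -> listed resources there"
add chain=forward action=drop in-interface=ether2 \
    comment="anything else arriving over the PtP link"
add chain=forward action=drop out-interface=ether2 \
    comment="anything else leaving over the PtP link"

# ===== RB750Gr3 (LAN 192.168.91.0/24): mirror image =====
/interface bridge port remove [find interface=ether2]
/ip address
add address=10.0.0.2/30 interface=ether2 comment="PtP link to RB2011"
/ip route
add dst-address=192.168.88.0/24 gateway=10.0.0.1 comment="other LAN via PtP"
/ip firewall address-list
add list=shared-here address=192.168.91.30 comment="IP cam (constructed)"
add list=shared-there address=192.168.88.10 comment="printer on other LAN"
add list=shared-there address=192.168.88.20 comment="NAS on other LAN"
/ip firewall filter
add chain=forward action=accept in-interface=ether2 \
    src-address=192.168.88.0/24 dst-address-list=shared-here
add chain=forward action=accept out-interface=ether2 \
    src-address=192.168.91.0/24 dst-address-list=shared-there
add chain=forward action=drop in-interface=ether2
add chain=forward action=drop out-interface=ether2
```

The stock accept for established,related connections should stay at the top of each forward chain so replies (TCP and UDP alike) flow without rules of their own, and ether2 must stay out of the WAN interface list or the default masquerade rule src-nats this traffic and the subnet matches above stop working. Granting or revoking access later is then just adding or removing an entry in the two address lists.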
I did the same thing for several years. One RB4011iGS+ (router 1 - an RB750Gr3 until recently) had internet from my cable and also served about a half dozen different LANs (all 192.168.1xx.yyy), and an RB750r2 (router 2) had internet from my DSL and served about a half dozen LANs (all 192.168.2xx.yyy). I had port 5 on both routers directly connected with a LAN used only for that one connection. The firewall prevented normal devices from using that link. However, specific IP addresses (in an address list named Privileged) on each side were allowed to use that link to get to LANs on the other router.
Here are some code extracts of what I did. Obviously lots of allow firewall rules left out…
From Router 1:
/interface ethernet
set [ find default-name=ether5 ] comment="Router to Router tie" name=\
"E05 to Router 2" speed=100Mbps
/ip address
add address=192.168.211.251/24 interface="E05 to Router 2" network=\
192.168.211.0
/ip route
add distance=1 dst-address=192.168.201.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.202.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.203.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.204.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.205.0/24 gateway=192.168.211.252
add comment="Default E682 address range" distance=1 dst-address=\
192.168.206.0/24 gateway=192.168.211.252
/ip firewall filter
add action=accept chain=forward comment=\
"Allow privileged PCs access to .211 LAN" out-interface=\
"E05 to Router 2" src-address-list=Privileged
add action=drop chain=forward comment=\
"Drop any forward packets that get this far"
And from Router 2:
/interface ethernet
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
".211 Router to router tie" name="E5 to Router 1"
/ip address
add address=192.168.211.252/24 interface="E5 to Router 1" network=\
192.168.211.0
/ip route
add distance=1 dst-address=192.168.101.0/24 gateway=192.168.211.251
add distance=1 dst-address=192.168.102.0/24 gateway=192.168.211.251
add distance=1 dst-address=192.168.103.0/24 gateway=192.168.211.251
add distance=1 dst-address=192.168.104.0/24 gateway=192.168.211.251
add distance=1 dst-address=192.168.105.0/24 gateway=192.168.211.251
add distance=1 dst-address=192.168.106.0/24 gateway=192.168.211.251
/ip firewall filter
add action=accept chain=forward comment=\
"Allow privileged PCs access to .211 LAN" out-interface="E5 to Router 1" \
src-address-list=Privileged
add action=drop chain=forward comment=\
"Drop any forward packets that get this far"
A couple months ago the DSL got replaced with fiber, and the RB750Gr3 got replaced with the RB4011iGS+, and the two routers were combined into one - but the functionality is still almost as if it was two routers (thanks to several people on this forum for getting that working right)…