I have a MikroTik 450G that I need to run 2 networks over one cable going into the switch. I need to use 192.168.1.xx and 192.168.3.xx. The 192.168.1.xx and the 192.168.3.xx need to talk to each other. I have the internet coming in on ether1, and the cable going to the switch on ether2. I have 192.168.1.1/24 and 192.168.3.1/24 assigned to ether2; the internet works on both of them, but I can’t network between them. Somebody please help!
[admin@Crescent Point] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.1.1/24 192.168.1.0 192.168.1.255 bridge1
1 71.17.9.86/24 71.17.9.0 71.17.9.255 ether1
2 192.168.3.1/24 192.168.3.0 192.168.3.255 bridge1
[admin@Crescent Point] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 71.17.9.254 1
1 ADC 71.17.9.0/24 71.17.9.86 ether1 0
2 ADC 192.168.1.0/24 192.168.1.1 bridge1 0
3 S 192.168.1.0/24 192.168.3.1 bridge1 1
4 ADC 192.168.3.0/24 192.168.3.1 bridge1 0
5 S 192.168.3.0/24 192.168.1.1 bridge1 1
[admin@Crescent Point] > ip firewall export
# dec/31/2001 21:05:10 by RouterOS 4.11
# software id = 7W2J-LRG7
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment="" connection-state=new \
disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment="" connection-state=new \
disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment="" connection-state=new \
disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment="" connection-state=new \
disabled=yes dst-port=22 protocol=tcp
add action=drop chain=input comment="" disabled=yes dst-port=21 protocol=tcp \
src-address-list=ftp_blacklist
add action=accept chain=output comment="" content="530 Login incorrect" \
disabled=yes dst-limit=1/1m,3,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output comment="" content=\
"530 Login incorrect" disabled=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
ether1
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=71.17.9.86 \
dst-port=3389 protocol=tcp to-addresses=192.168.3.50 to-ports=3389
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
In the firewall I had brute force blocking rules, but they are disabled right now, and one port forward for a remote desktop connection.
I have one PC with address 192.168.1.209 from the DHCP pool, and one PC with address 192.168.3.50 assigned manually, with the internet working on both of them.
I also tried setting up routes, but it always said the 3.1 and the 1.1 gateways were unreachable when I used the IP, so I tried using the bridge as the gateway, but to no avail.
I can also ping the 3.1 and the 1.1 gateways from either PC, they just won’t talk to each other.
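The disabled ssh_* rules in the export above form a staged blacklist. The following Python model (an added example, not part of the original post and not RouterOS code) replays constructed connection times through those rules in export order to show when a source ends up in ssh_blacklist. It assumes that re-adding an already listed address refreshes its timeout; the source addresses are constructed documentation addresses.

```python
# Added example: model of the staged ssh_* address-list rules in the export above.
# Assumption: re-adding an already listed address refreshes its timeout.
STAGE_TTL = 60                   # address-list-timeout=1m
BLACKLIST_TTL = 10 * 24 * 3600   # address-list-timeout=1w3d

# Rules in export order: (list the source must already be in, list it is added to, ttl)
RULES = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TTL),
    ("ssh_stage2", "ssh_stage3", STAGE_TTL),
    ("ssh_stage1", "ssh_stage2", STAGE_TTL),
    (None, "ssh_stage1", STAGE_TTL),
]
ORDER = ["ssh_blacklist", "ssh_stage3", "ssh_stage2", "ssh_stage1"]


def evaluate(events):
    """events: (seconds, src_ip) for NEW TCP connections to port 22, time-ordered.
    Returns (seconds, src_ip, verdict, highest_list) per connection."""
    expiry = {}  # (list_name, src_ip) -> time the entry expires

    def listed(name, src, now):
        return expiry.get((name, src), -1) > now

    results = []
    for now, src in events:
        if listed("ssh_blacklist", src, now):
            verdict = "drop"   # first rule: action=drop src-address-list=ssh_blacklist
        else:
            verdict = "pass"   # no later rule in the export drops port 22
            # add-src-to-address-list does not end rule processing, so every
            # rule is checked. Because the higher stages are tested first, an
            # entry added by a later rule cannot satisfy an earlier one:
            # one connection climbs exactly one stage.
            for required, target, ttl in RULES:
                if required is None or listed(required, src, now):
                    expiry[(target, src)] = now + ttl
        highest = next(n for n in ORDER if listed(n, src, now))
        results.append((now, src, verdict, highest))
    return results


if __name__ == "__main__":
    # Constructed sample: one fast source (every 10 s) and one slow source (every 100 s).
    sample = sorted([(t, "203.0.113.7") for t in range(0, 50, 10)] +
                    [(t, "198.51.100.9") for t in range(0, 400, 100)])
    for row in evaluate(sample):
        print(row)
```

In this model the fourth new connection inside the one-minute windows puts the source on ssh_blacklist but is itself still passed; the fifth is the first one dropped. A source that waits longer than a minute between attempts never leaves ssh_stage1.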
Remove those static routes. They aren’t hurting because they’re inactive, but they’re wrong and unnecessary.
Nothing in that would prevent traffic from flowing as such. But you didn’t mention you were bridging things. First of all, why are you bridging? What other ports on the router are used, and what for?
Also, post the output of “/interface bridge export”.
Can somebody please point me to what the solution was? I have almost the same issue and don’t know how to fix it.
I have the following internal networks:
192.168.88.0/24 (bridge → switch0 → eth2-eth5). WLAN1 is not a part of bridge any more.
192.168.99.0/24 wlan1
I want my wifi devices to be able to ping and connect to wired devices and vice versa. I will appreciate any help.
The reason I removed wlan1 from the bridge is that I have IPTV and I have to use IGMP proxy in order to watch IPTV on my internal desktop. I tried to use switch0 or eth2 (which is the master port) as downstream of the IGMP proxy, but it was not working. IPTV works only if my downstream interface is the bridge. As wlan1 was one of the ports of my bridge, it was getting all of the multicast traffic when some IPTV channel was played on the wired desktop. Once I start watching any IPTV channel, all my wifi devices get disconnected. The wifi connection is restored only when I turn off IPTV.
I decided to take wlan1 out of the bridge and put it into another network. Now both wired and wireless devices can access the internet through the router, IPTV can be played on any wired device, and wifi devices stay connected, but wifi devices can’t see/ping wired devices and vice versa.
I know that there’s one more way to solve it, with the help of bridge filter rules (so both ethernet and wifi interfaces are in the bridge and there are some filtering rules preventing multicast traffic from breaking the wifi connections).
I’ll appreciate any help with way 1 or 2. I think way 2 is simpler, but I’m really curious to know how to enable traffic routing between 2 interfaces using a MikroTik router.
I have the same problem: two networks connected to ether 1, and the other ports, ether 2-24, are bridged for the DHCP. If I add ether 1 to my bridge it breaks my DHCP clients (the 2nd network has its own DHCP server, and no, I cannot change either network’s IP because they both have servers). I need both networks on ether 1 to talk to each other though, please help.