Hello.
I need some help, as my knowledge about networks tells me that this is possible, but I don't know how.
I have 2 networks at home (well actually 3, but third one is irrelevant in this case):
hap ac2 eth1-4 + wifi “home” vlan1, ip pool 192.168.1.0/24 - some basic home devices like notebooks, phones, tv
hap ac2 eth5 + wifi “iot” vlan 10, ip pool 192.168.10.0/24 - iot devices like wifi switches, sensors, xiaomi gateway, home assistant hosted on raspberrypi
Everything works fine: my notebook uses a wired connection to the home network and a wireless connection to the IoT network, so I can access the Raspberry Pi directly via its 192.168.10.x address. The problem is when I try to access the RPi from my phone, which is connected to my home network; it is not possible unless I reconnect to the second network.
I know it is possible to make some kind of "door" (called NATing, I believe) between networks, but I am not sure how it works. Is it more like creating an alias in one network pointing to a destination in another (so for example I reserve 192.168.1.20 and tell the router to forward internally all traffic from that IP to 192.168.10.20), or more like pointing at a gateway which will be used for all requests (so for example I somehow set 192.168.10.1 as the gateway for all requests made from 192.168.1.0/24 to 192.168.10.0/24)? I found this: https://networkengineering.stackexchange.com/questions/10360/mikrotik-joining-two-subnets and it is pretty understandable for me, but it is about two physically separated networks; what about when I want to do it within one router?
Your alias thing would be dstnat, but that's not the right solution. Why can't you connect from the phone (which is in the 192.168.1.x subnet) directly to 192.168.10.x? If both subnets are on the same router, it will be happy to route packets between them; it's what routers do. As long as you don't prevent it with firewall filters or some creative misconfiguration.
Well, that would require changing the mask from /24 to /16, wouldn't it? With /24 I can access only IPs within the range x.x.x.1-254, right?
And those networks are separated for a reason. If some Chinese hackers sitting 20 meters underground have a backdoor on some of their IoT devices, I don't want them to have access from the IoT network to the home network and, for example, dig through my photos stored on the NAS.
No, the mask is fine. With /24 (or generally any subnet), you can directly connect to devices in the same subnet. But with the help of a router working as gateway, you can connect anywhere else. That's how you connected to this forum, for example.
If you're trying to say that you isolated the IoT network just by not giving some devices a default gateway, then bad news, you really didn't. It's not very likely that those devices will be guessing what the gateway is and trying to get out that way. But if they did, they could succeed.
If you want to block something, that's what firewall filter is for. And with a stateful firewall, you can do things like allow access from subnet A to subnet B, but not the other way.
No, I separated them via different bridges, VLAN assignments and generally with a lot of help from this forum, so I hope it is done correctly. At least all tested connection attempts between them (SMB, ping, apps discovering devices in the network) failed.
So back to post number one: when I type an IoT IP while connected to the home network it is unreachable, so how do I do that NATing thing?
Seems you were right. It should have worked since the beginning. Traffic between networks was blocked by this:
So I created an address list called iot, added there all hosts from the home network which should be able to access the Raspberry Pi in the IoT network, and added it as an exception for the above. Now it works.
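The two ideas in this thread, a stateful forward chain that lets the home subnet initiate connections to the IoT subnet but not the reverse, and an address list that narrows that permission to a few home hosts, fit in one RouterOS rule set. The following is an added example, not the poster's actual configuration (the rule that was blocking traffic was not shown). It assumes the subnets from the first post, a hypothetical Raspberry Pi at 192.168.10.20, and constructed home-host addresses 192.168.1.20 and 192.168.1.21 for the address list.

```routeros
# Added example (not the poster's config): stateful inter-VLAN filtering on a
# hAP ac2 with home = 192.168.1.0/24 (vlan1) and iot = 192.168.10.0/24 (vlan 10).
# Addresses below are constructed for illustration.

# Home hosts that are allowed to open connections towards the IoT segment.
/ip firewall address-list
add list=iot address=192.168.1.20 comment="notebook (constructed example)"
add list=iot address=192.168.1.21 comment="phone (constructed example)"

/ip firewall filter
# Replies belonging to a connection that was already accepted pass in both
# directions; this is what makes the rule set stateful, so the RPi can answer
# the phone without the IoT side ever being allowed to start a connection.
add chain=forward action=accept connection-state=established,related \
    comment="allow established/related"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid"
# Exception: listed home hosts may initiate new connections to the IoT subnet.
# This rule must sit above the drop rules; RouterOS evaluates the chain in order.
add chain=forward action=accept connection-state=new \
    src-address-list=iot dst-address=192.168.10.0/24 \
    comment="home (address list iot) -> iot"
# The IoT subnet can never initiate anything towards the home subnet.
add chain=forward action=drop src-address=192.168.10.0/24 \
    dst-address=192.168.1.0/24 comment="drop iot -> home"
# Home hosts that are not on the list stay isolated from the IoT subnet too.
add chain=forward action=drop src-address=192.168.1.0/24 \
    dst-address=192.168.10.0/24 comment="drop remaining home -> iot"
```

To confirm which rule a connection hits, watch the counters with `/ip firewall filter print stats` while pinging the RPi from a listed and from an unlisted home host; only the address-list accept rule should increment for the listed host, and the "drop remaining home -> iot" rule for the other. Note that routing and filtering only carry unicast traffic between the VLANs: apps that find devices by broadcast or multicast discovery will still not see the IoT network from the home side, which is expected and is not a sign that the rules are wrong.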