Dual Router Home Setup Help Needed

Hi everyone, I am hoping to get some guidance on something which should be quite simple, but I just could not figure it out. You can consider me a beginner in network routing configuration.

My apartment has a 4-port hub provided for the unit.
From my ISP modem, I connected it to my Mikrotik hAP ac3 router WAN port on port 1.
I have another router - “ROG Rapture GT-AX6000” connected to port 2 of Mikrotik.
This ROG router is used to serve Wireless and other smart devices for my home.
For port 3 of my Mikrotik, I connected it to my personal PC located in another room which is considerably far from my ROG router.
The 2 remaining ports are unused.

This is a very simplistic diagram of how my home network is currently connected.
[image: nw.png]
I did some initial basic configuration to get internet working for both the 192.168.88.0/24 and 192.168.86.0/24 networks.
However, from my PC (192.168.88.253), I could not reach my ROG router on 192.168.88.252 or 192.168.86.1.
I can only access my ROG web management portal by connecting to the wireless network or directly plugging into the port interface by ethernet cable.

I have added a firewall rule to allow the traffic to flow from 192.168.88.0/24 → 192.168.86.1, but it does not work.
Do I need to configure a VLAN for this to work? Or should I add some specific routing rule?

What I want to achieve:
To be able to connect from 192.168.88.253 to my ROG router management page.
To allow specific devices in the network 192.168.86.0/24 to be able to connect to 192.168.88.0/24 as I plan on setting up a NAS server on this network range.


Below is the configuration export.

# 2024-09-07 17:14:53 by RouterOS 7.15.3
# software id = 7
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] comment="TV Port"
set [ find default-name=ether3 ] comment="Study Room Port"
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country= .mode=ap .ssid=MikroTik disabled=\
    no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=\
    yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country= .mode=ap .ssid=MikroTik disabled=\
    no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=\
    yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.86.1 interface=ether2 network=192.168.86.1
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="To Asus ROG mgmt" dst-address=\
    192.168.86.1 dst-address-type="" layer7-protocol="" src-address=\
    192.168.88.0/24 src-address-type=""
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I think a line must be drawn somewhere, between “same network” and “other network”.

If your PC has 192.168.88.253, i.e. belongs to network 192.168.88.0/24, and the bridge on the Mikrotik is

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.86.1 interface=ether2 network=192.168.86.1

you should be able to connect to any address in the range 192.168.88.1-192.168.88.254 from that PC.

The second address in the above is meaningless. Once an ether port is added to a bridge, it “loses dignity”; you should add the address to the bridge. Additionally (don’t worry, it happens to everyone), you accidentally set that address as a /32 (if you omit the /24 in the interface address, RoS assumes it to be a /32 and, as a matter of fact, sets the network to 192.168.86.1 instead of 192.168.86.0).


So you should correct the second entry:

/ip address
add address=192.168.86.1/24 interface=bridge network=192.168.86.0

BUT you posted in your diagram that it is the ROG that has 192.168.86.1, so you should verify and change the address to another one.


Once you have done the above, post the output of:

/ip route print

And then we will see if there are other things to fix/correct.
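As an added illustration (not code from the thread or from MikroTik), a small Python check that rejoins a RouterOS export's backslash-continued lines and flags the two mistakes described in the reply above: an `/ip address` entry with no prefix length (RouterOS treats it as /32 and sets `network=` to the host address) and an address placed on an ethernet port that is itself a bridge port. The export excerpt embedded below is a constructed sample modelled on the one posted.

```python
import ipaddress
import re

# Constructed sample: an excerpt in RouterOS export syntax, one correct
# address on the bridge and one with the prefix length omitted on a bridge port.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\\
    192.168.88.0
add address=192.168.86.1 interface=ether2 network=192.168.86.1
/ip dhcp-client
add comment=defconf interface=ether1
"""


def join_continuations(text):
    """Rejoin export lines that RouterOS wrapped with a trailing backslash."""
    return re.sub(r"\\\n\s*", "", text)


def parse_section(text, section):
    """Return one key=value dict per 'add' line under the given section header."""
    entries = []
    current = None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            continue
        if current == section and line.startswith("add "):
            entries.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S*)', line[4:])))
    return entries


def bridge_ports(text):
    """Interfaces that have been added to a bridge (they no longer take addresses)."""
    return {e["interface"] for e in parse_section(text, "/interface bridge port")}


def check_addresses(text, ports):
    """Flag /ip address entries that are missing a prefix length, whose
    network= field does not match the computed network, or that sit on a
    bridge port instead of on the bridge itself."""
    findings = []
    for e in parse_section(text, "/ip address"):
        addr = e["address"]
        iface = e.get("interface", "")
        if "/" not in addr:
            findings.append(f"{addr} on {iface}: no prefix length, RouterOS assumes /32")
            addr += "/32"
        net = ipaddress.ip_interface(addr).network
        declared = e.get("network")
        if declared and declared != str(net.network_address):
            findings.append(f"{addr} on {iface}: network={declared} but computed {net.network_address}")
        if iface in ports:
            findings.append(f"{addr} on {iface}: interface is a bridge port, put the address on the bridge")
    return findings


def audit(text):
    """Run the address checks against a full export."""
    return check_addresses(text, bridge_ports(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```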

I have corrected the address and also re-assigned it to the bridge interface.
Thanks for pointing it out.

My ROG router was first setup for my home. So for my other home devices, they use the IP address range of 192.168.86.0/24.
If I understand you correctly, even though my ROG router is in the network range 192.168.86.0/24, this information is only something my ROG router is aware of.
So if I don’t define this network range in Mikrotik, Mikrotik has no idea how and where to route addresses in this network range.
Am I getting it right?

Anyway, I tried again to connect but it didn’t work so I think the routing needs to be fixed.
Another weird thing is, I tried to ping my router “192.168.88.252” from my PC (.253) but could not reach it, even though both devices are on the same network.
Could it be some kind of router setting that I need to verify on my ROG as well?

Output of the route print below:

[admin_0415b@MikroTik] > ip route print 
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY       DISTANCE
DAd 0.0.0.0/0        175.156.64.1         1
DAc 175.156.64.0/18  ether1               0
DAc 192.168.86.0/24  bridge               0
DAc 192.168.88.0/24  bridge               0

Yes and no. If the devices are on the same network (let’s say, like in your case, in the same /24), communication between them happens (should happen) at L2 level (switching/bridging); if the networks are different, the communication happens (should happen) at L3 level (routing), or however some specific settings are needed.

Let’s see your routes (these essentially tell us what the Mikrotik router “knows” about the environment connected to it); all your routes are Dynamic, either “inherited” from DHCP or implicitly derived from connection:

[admin_0415b@MikroTik] > ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY       DISTANCE
DAd 0.0.0.0/0        175.156.64.1         1
DAc 175.156.64.0/18  ether1               0
DAc 192.168.86.0/24  bridge               0
DAc 192.168.88.0/24  bridge               0

So the Mikrotik knows where to find (on which interfaces) the internet through your ISP modem/router and the two networks 192.168.88.0 and 192.168.88.0.

There is something queer going on. Regardless of anything else, you have two devices, a PC with the 192.168.88.253/24 address (do re-check it: if it is Windows, run ipconfig /all and, for the sake of the test, disable other interfaces the PC might have) and a device with 192.168.88.1/24 (the Mikrotik); they should be able to “see” each other, and the connection should be fine, as 192.168.88.253 is (seemingly) assigned by the DHCP running on 192.168.88.1.
Is the connection between the PC and the Mikrotik cabled or wireless?

I cannot see anything terribly “wrong” in your current setup; the only (irrelevant) conceptual little mistake is that of calling single ether ports in a bridge by different names/destinations. Once ether2 and ether3 are added to a bridge, they are ports of the bridge (think of Borgs :open_mouth: , they have been assimilated :wink: ); they can be exchanged at will.

Your firewall (both filter and nat) is pretty much defconf, the only rule you added:

add action=accept chain=forward comment="To Asus ROG mgmt" dst-address=\
    192.168.86.1 dst-address-type="" layer7-protocol="" src-address=\
    192.168.88.0/24 src-address-type=""

may (or may not) be part of the problem; in any case, you can disable it for the sake of testing.

I would try setting a couple of static IPs on the PC network card. The IP pool on the Mikrotik:

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254

leaves “free” 192.168.88.1-192.168.88.9 (minus 192.168.88.1 for “self”), so a good choice could be 192.168.88.8/255.255.255.0.
Depending on the settings of the ROG, add one in the 192.168.86.x/255.255.255.0 range.

If you are running Windows, try disabling (temporarily) the firewall.

Then try pinging not only from the PC to the Mikrotik and the ROG, but also from the Mikrotik and the ROG to the PC.

I didn’t understand whether you have internet working on the PC in your current configuration; if yes, try also a trace/traceroute to 8.8.8.8 (say) from both the PC and the Mikrotik.

My PC has internet and it is connected to the Mikrotik directly via ethernet cable.

From my PC (192.168.88.253) connected to Mikrotik (192.168.88.1):
PC can ping to Mikrotik (192.168.88.253 → 192.168.88.1)
PC can ping to ROG (192.168.88.253 → 192.168.86.1)
PC cannot ping to 192.168.88.252 (ROG’s WAN IP)

Pinging 192.168.88.1 with 32 bytes of data:
Reply from 192.168.88.1: bytes=32 time<1ms TTL=64
Reply from 192.168.88.1: bytes=32 time<1ms TTL=64
Reply from 192.168.88.1: bytes=32 time<1ms TTL=64
Reply from 192.168.88.1: bytes=32 time<1ms TTL=64

Pinging 192.168.86.1 with 32 bytes of data:
Reply from 192.168.86.1: bytes=32 time<1ms TTL=64
Reply from 192.168.86.1: bytes=32 time<1ms TTL=64
Reply from 192.168.86.1: bytes=32 time<1ms TTL=64
Reply from 192.168.86.1: bytes=32 time<1ms TTL=64

Pinging 192.168.88.252 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.88.252:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

From Mikrotik, it can ping the ROG.
However, Mikrotik could not ping to the PC.

[admin_0415b@MikroTik] > ping 192.168.88.253
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.88.253                                               timeout
    1 192.168.88.253                                               timeout
    2 192.168.88.253                                               timeout
    3 192.168.88.253                                               timeout
    4 192.168.88.253                                               timeout
    5 192.168.88.253                                               timeout
    6 192.168.88.253                                               timeout
    sent=7 received=0 packet-loss=100%

[admin_0415b@MikroTik] > ping 192.168.86.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.86.1                               56  64 246us
    1 192.168.86.1                               56  64 155us
    2 192.168.86.1                               56  64 174us
    3 192.168.86.1                               56  64 184us
    4 192.168.86.1                               56  64 149us
    5 192.168.86.1                               56  64 170us
    6 192.168.86.1                               56  64 172us
    sent=7 received=7 packet-loss=0% min-rtt=149us avg-rtt=178us max-rtt=246us

[admin_0415b@MikroTik] > ping 192.168.88.252
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.88.252                                               timeout
    1 192.168.88.252                                               timeout
    2 192.168.88.252                                               timeout
    3 192.168.88.252                                               timeout
    4 192.168.88.252                                               timeout
    sent=5 received=0 packet-loss=100%

From my ROG, it can reach the Mikrotik by ping (192.168.86.1 → 192.168.88.1).
But it cannot reach my PC by ping, which is kind of expected (192.168.86.1 -x-> 192.168.88.253).

As for your advice on configuring the DHCP host range, I have also seen videos recommending it.
I guess that is a good practice to have and I will apply it too.
However, I don’t really understand how it would resolve the current issue.
I did an ipconfig /all and the PC is assigned 192.168.88.253 by Mikrotik:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (2) I219-V
   Physical Address. . . . . . . . . : <removed>
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::c184:7767:33b5:e773%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.88.253(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, 9 September 2024 11:29:39 pm
   Lease Expires . . . . . . . . . . : Tuesday, 10 September 2024 12:24:31 am
   Default Gateway . . . . . . . . . : 192.168.88.1
   DHCP Server . . . . . . . . . . . : 192.168.88.1
   DHCPv6 IAID . . . . . . . . . . . : 598765247
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B0-4B-8B-64-6E-69-78-A3-7D
   DNS Servers . . . . . . . . . . . : 192.168.88.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

I could not understand why my PC could ping to 192.168.86.1 but could not access the web UI.

I realized upon logging into my ROG router that its assigned WAN IP is 192.168.88.252.
After more digging on the ROG setting, I stumbled upon the remote access config: [Enable Web Access From WAN] → This is set to No.
If I set it to Yes, it seems to allow me to access the page via [https://192.168.88.252].
And I was able to access it from my PC via 192.168.88.252 after that.
I am guessing it is because the ROG sees 192.168.88.0/24 as WAN, and since it’s not LAN, it would not allow any web UI access.

I still could not figure out why I have the ping issues though.
Could it be because I did not define the route on both the ROG and the Mikrotik?

In modern Windows, the default is to NOT reply to pings, so, unless you change that setting, pinging will result in a timeout; but even if the error/result is the same, it is not like your PC is not reachable from the Mikrotik, simply the PC does not respond.
192.168.86.x and 192.168.88.x are two different networks (as they are both /24).
The Mikrotik can see both because it has on the bridge two addresses, one belonging to each.
What you report seems to me normal in your setup/configuration. It is entirely possible that the ROG doesn’t reply to pings to what is now its WAN side (just like Windows does by default, even on the LAN side).