Dual WAN Routing

For several days I have been trying to get this task done, but so far without success…

I have two separate Internet connections, one for our company network and the other for a private flat.

Both networks have a Fritzbox as Internet gateway and DHCP server.

Now I need access from the private network in the flat to one device at the company.

I have an RB2011 in the company, which is the CAPsMAN for the wireless installation and is connected with eth1 to the company network.
On this router I connected eth2 to the private network in the flat.

What is the best way to get access from the “private” network to the “company” network?
Should I use two different bridges and route between these, or what is the best way?

This is the setup I have so far:
Company Network:
Gateway: 192.168.200.1
Device to have access: 192.168.200.32
eth1 is on Bridge1 and bridge1 has the address 192.168.200.44

Private Network in the flat:
Gateway: 192.168.0.1
eth2 is on Bridge2 and bridge2 has the address 192.168.0.53

Maybe someone can give me a tip on how to get it running.

This is an interesting problem which probably has multiple solutions.
Since you know what port the flat traffic is coming in on:

  1. Suggest creating a vlan for that traffic, let's say vlan24,
    such that on the main router you
    create vlan 24 and add it to the same bridge as everything else (one bridge) via the bridge ports below;
    the interface for the vlan is ether2.
    Not sure how to identify it properly such that it accepts traffic on the flat subnet however.
    My assumption is that you simply don't need DHCP service on the vlans, so it is sufficient just to identify it to ether2.

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=24 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# ether2 is the port connected to the flat
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=24
/interface vlan
add name=vlan24 vlan-id=24 interface=bridge1
/interface bridge
set bridge1 vlan-filtering=yes

I think what will happen is any traffic coming from the flat on ether port 2 will be assigned vlan tags of 24, and when sending the traffic back to the flat, the tags will be stripped by the router.
By virtue of being on a vlan with nowhere else to go you have layer 2 covered in terms of access/crosstalk.
For layer 3 control, one should be able to use firewall rules:
a. allowing traffic
b. stopping traffic

If you use the preferred last rule in the forward chain
/ip firewall filter
add chain=forward action=drop
(all layer 3 traffic between subnets and vlans is stopped cold, which is good and only means we need to add rules above this last rule to allow permitted traffic).

Like
/ip firewall filter
add chain=forward action=accept in-interface=vlan24 out-interface=bridge1 dst-address=192.168.200.32
[add src-address= if only a single device/user in the flat needs access]
[add src-address-list= if multiple devices/users in the flat need access]
[add dst-port= to narrow down the scope of access if applicable, which is also better security]

I do not know if this will work, nor have I tried it. Suggest to see if others respond, either supporting the idea, or laughing their arses off at how clunky and wrong this approach may be. :slight_smile:

Since the subnets used in both networks (company and flat) apparently do not overlap, and you don’t need things like an IP phone in a company’s VoIP VLAN physically connected to the router in the flat, there is no point in creating an additional bridge - you can attach the IP configuration to ether2 directly as all the traffic between company and flat will be routed. And the 2011 is not a CPU throughput champion, so insertion of a bridge or even VLANs between ether2 and the L3 processing is just an unnecessary waste of CPU.

The rest is a task for the IP firewall as @anav suggests. I personally prefer the “drop everything, allow just intended exceptions” approach over the “allow everything, drop just intended exceptions” one, and this preference of mine is in step with what the default firewall rules look like. But your firewall rules on the 2011 may be based on the default ones of quite an old RouterOS version, or even created from scratch, so if you need a suggestion on what particular rules to add to your actual firewall, follow the hint in my automatic signature below.

I did want to avoid the vlan scenario, but I didn't know how to handle the different subnet on the company router without adding DHCP and all the associated junk.
The vlan seemed clean/harmless and easy.

Are you saying that you simply add ether port 2 to the bridge as another bridge port entry and treat the flat subnet in the firewall rules?

/ip firewall filter
add chain=forward action=accept in-interface=ether2 src-address=FLATLANIP out-interface=bridge1 dst-address=192.168.200.32
add chain=forward action=drop

You may need to add the IP address of the private subnet on the company router, but I'm not sure.
The reason I am hesitant is not knowing your bridge structure, so I don't think this would work if your bridge gives out DHCP addresses.
I also question why your bridges have exact IP addresses; I find that equally confusing.
/ip address
add address=192.168.0.90/24 interface=ether2

If I understand you right, you have 2 Fritz Boxes with 2 subnets: 1 for the company and 1 private.

Now you want a routing between the private and company LAN and vice versa?
A RB2011 is connected to both networks?

Just add a static route for the private LAN into Fritzbox-Company (192.168.200.1) pointing to RB2011 (192.168.200.44):
Network: 192.168.0.0
SNM: 255.255.255.0
GTWY: 192.168.200.44

A second static route for the company LAN into Fritzbox-Private (192.168.0.1) pointing as well to RB2011 (192.168.0.53):
Network: 192.168.200.0
SNM: 255.255.255.0
GTWY: 192.168.0.53

For ETH2 no additional bridge is needed. That only costs CPU…
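The routed variant discussed in the three replies above (ether2 with its own address, static routes on the two Fritzboxes, and a default-drop forward chain on the 2011), written out as an added example that is not from any poster in this thread. It assumes the bridge is named bridge1, the addresses from the first post, and a constructed flat PC address 192.168.0.20 as the only client allowed to reach the PAC.

```routeros
# Added example, not a poster's configuration. Assumes bridge1 and the
# addresses from the thread; 192.168.0.20 is a constructed client address.

# ether2 must NOT be a bridge port; it gets a flat-subnet address directly
/interface bridge port
remove [find interface=ether2]
/ip address
add address=192.168.0.53/24 interface=ether2 comment="flat LAN"

# Fritzbox side (set in each Fritzbox GUI, shown here only as a reminder):
#   company Fritzbox 192.168.200.1: route 192.168.0.0/24   via 192.168.200.44
#   flat Fritzbox    192.168.0.1:   route 192.168.200.0/24 via 192.168.0.53

/ip firewall address-list
add list=flat-allowed address=192.168.0.20 comment="PC in the flat"

/ip firewall filter
# replies of sessions that were already accepted keep flowing both ways
add chain=forward action=accept connection-state=established,related
# the only new connections the flat may open: HTTP to the PAC web interface
add chain=forward action=accept in-interface=ether2 out-interface=bridge1 \
    src-address-list=flat-allowed dst-address=192.168.200.32 \
    protocol=tcp dst-port=80
# everything else between the flat and the company is dropped, both directions
add chain=forward action=drop in-interface=ether2
add chain=forward action=drop out-interface=ether2
# the 2011 itself (Winbox, SSH, web) must not be reachable from the flat
add chain=input action=drop in-interface=ether2
```

Because ether2 is routed rather than bridged, the two DHCP servers never see each other; the forward rules only decide which routed packets may cross.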

Thanks for your replies!

I will try to build it with one bridge and give the ports the addresses. My concern was that the Fritzbox in the company will give IPs to the devices in the flat and vice versa. Or does the firewall block the DHCP process?
At this point there are no firewall rules on the RB; it is only the CAPsMAN on the company network for 5 APs.

The tip from @Guscht also sounds logical to me, because the Fritz is also the DNS.

Sorry for my maybe stupid questions, I am only an electrician…
The so-called company is an old sawmill with a small hydroelectric power station; in this building there are now several storage areas. From time to time I modernize components of the controller of the power station, and the last step was to integrate a measuring device for the generated power.
The owner of the old sawmill lives in the house next to the sawmill and is an old man. Because of this, and because I have a storage server running in the company network, I didn't want to interconnect the two networks directly.

Sorry for maybe misleading you. The thing which may not be obvious to you is that an IP configuration may be attached directly to an ethernet port; it is not mandatory that it be attached to a bridge.

So when I said you don’t need multiple bridges, I didn’t mean that you should bridge together the “company” LAN with the “flat” LAN by connecting both to interfaces of the same bridge of the 2011. The actual idea was that the ether2 of the 2011 would be removed from the bridge, so the 2011 would route, not bridge, the traffic between the two LANs. Hence DHCP servers of the two Fritzboxes will not be visible for each other’s DHCP clients. And unless/until you add routes to both Fritzboxes or to the two devices in different networks that need to talk to each other, also no other traffic will flow between the two LANs.

Next - if I get you right, that owner should be able to watch the generator parameters? If so, what is the protocol between the two devices - e.g. does the measurement device have a web interface and the owner would use a browser on a PC or phone to open it? Or must the PC run some application to retrieve the information from the measurement device? The reason why I ask is that if this connection is simple enough, you may not need to add any routes to the Fritzboxes nor the two devices, as the 2011 may impersonate the measurement device to the web browser in the flat network, and the web browser to the measurement device in the company network. So instead of adding routes to Fritzboxes, you would add just a single src-nat and a single dst-nat rule at the 2011.

Thanks again for your time and tips!

The device has a web interface. At this time I have only one bridge, which has ether1 and the different CAPsMAN interfaces as ports.

So if I understand you right, I do not add ether2 to any bridge and just have to add a single src-nat and a single dst-nat rule at the 2011 and nothing at the Fritz boxes?

I use Winbox so maybe the spelling is not 100% right:
I will give the address 192.168.0.53 to ether2.
Next I will add an address list 192.168.0.1 - 192.168.0.254 and give it the name “flat”.
I go to NAT and add the 1st rule:
/ip firewall nat
add chain=srcnat action=masquerade in-interface=ether2 out-interface=bridge1 dst-address=192.168.200.32 src-address-list=flat protocol=tcp dst-port=80
I create a 2nd rule:
add chain=dstnat dst-address=192.168.0.53 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.200.32

When I find the time, I will try it tomorrow…

That’s what I had in mind. Just one point regarding the above, in chain srcnat, you cannot refer to in-interface (no idea why), but you can refer to src-address=192.168.0.0/24 instead to restrict the rule to traffic coming from the “flat” subnet.

You may want to add a filter rule chain=input in-interface=ether2 action=drop to make sure that the 2011 cannot be accidentally configured from the “flat” LAN.
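The NAT “impersonation” variant from the two replies above, with the srcnat correction (src-address instead of in-interface) and the input-chain drop, as an added example that is not from any poster in this thread. It assumes the bridge is named bridge1 and the addresses given in the first post; no routes are added to either Fritzbox.

```routeros
# Added example, not a poster's configuration. Assumes bridge1 and the
# addresses from the thread.

# ether2 is routed, not bridged: remove it from the bridge and address it
/interface bridge port
remove [find interface=ether2]
/ip address
add address=192.168.0.53/24 interface=ether2 comment="flat LAN"

/ip firewall nat
# a flat browser opening http://192.168.0.53/ is redirected to the PAC;
# only TCP/80 is rewritten, so the 2011's own address is not a blanket proxy
add chain=dstnat in-interface=ether2 dst-address=192.168.0.53 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.200.32
# the PAC sees 192.168.200.44 as the client, so its replies come back to the
# 2011 without any route on the company Fritzbox; srcnat cannot match
# in-interface, so the flat subnet is matched by src-address instead
add chain=srcnat src-address=192.168.0.0/24 out-interface=bridge1 \
    dst-address=192.168.200.32 protocol=tcp dst-port=80 action=masquerade

/ip firewall filter
add chain=forward action=accept connection-state=established,related
# from the flat, only connections that were just dst-nat'ed to the PAC pass
add chain=forward action=accept in-interface=ether2 connection-nat-state=dstnat \
    dst-address=192.168.200.32 protocol=tcp dst-port=80
add chain=forward action=drop in-interface=ether2
add chain=forward action=drop out-interface=ether2
# nothing from the flat may reach the 2011 itself (dst-nat'ed packets are no
# longer addressed to the router after prerouting, so this does not affect them)
add chain=input action=drop in-interface=ether2
```

With the dstnat rule limited to TCP/80, a flat device cannot use 192.168.0.53 to reach any other port on the PAC, and the input drop keeps Winbox and SSH on the 2011 out of reach from the flat.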

It works now :wink: Thanks a lot for helping me out!

The only change I had to make was leaving the “in-interface” blank, because I got an error message when it was configured.

The funny thing now is that the web page from the measurement device, on one page where you can look at the waveform of current and voltage, refreshes maybe 20 times a second instead of every second, but I think this is a firmware issue of the Siemens PAC3220?

It sounds like an indication that you haven't removed ether2 from the bridge, which would be wrong as you would still be bridging together the two LANs, which is exactly what you wanted to avoid. What does /interface bridge port print show?


Does that differ when you access the PAC from the “company” subnet vs. when you access it from the “flat” subnet?

You got me :wink:

For testing purposes I had an extra port linked to ether2 via bridge2…

Meanwhile I found out that the strange refresh on the PAC was a browser issue on the other PC.

So thanks a lot for your time and patience with my beginner problems!