Help me get my subnets right

I have set up my MikroTik router with 2 subnets, like this, each subnet with its own DHCP server and gateway IP. I want to have the security cameras and the 3Com switch they are connected to on their own subnet on ether-5.

The router automatically created a static route between the two subnets. This mostly worked with a few strange exceptions which I thought maybe you could comment on. The cameras and the 3Com switch picked up their IP addresses, and I did some testing from PCs connected to each individual subnet.

From machine B:

  • full Internet access
  • full access to cameras including video feed
  • full access to 3Com web interface
  • cameras and 3Com respond to pings

From machine A:

  • full Internet access
  • access to camera web interfaces but no video
  • no access to 3Com web interface
  • cameras but not 3Com respond to pings

From both A & B using external IP, i.e. going through router NAT and port forwarding:

  • full access to cameras including video feed
  • full access to 3Com web interface

I don’t understand why I can connect to the cameras’ web interfaces but not get the video stream (Hikvision browser plugin). And why do the cameras but not the switch respond to connections from the other subnet? I cannot find any setting in the switch that blocks connections from outside its own subnet.

Please have a look at my configuration and let me know where I missed something.

[admin@VL-RTR] > /ip dhcp-server print
Flags: X - disabled, I - invalid 
 #   NAME     INTERFACE    RELAY           ADDRESS-POOL    LEASE-TIME ADD-ARP
 0   default  bridge-local                 default-dhcp    42w6d     
 1   NVR      ether5-NVR                   NVR             3d        
[admin@VL-RTR] > /ip pool print
 # NAME                                       RANGES                         
 0 default-dhcp                               192.168.2.100-192.168.2.149    
 1 NVR                                        192.168.10.20-192.168.10.50    
[admin@VL-RTR] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE         MTU L2MTU  MAX-L2MTU
 0  R  ether1-gateway                      ether       1500  1598       4074
 1  RS ether2                              ether       1500  1598       4074
 2   S ether3                              ether       1500  1598       4074
 3   S ether4                              ether       1500  1598       4074
 4     ether5-NVR                          ether       1500  1598       4074
 5     ether6                              ether       1500  1598       2028
 6   S ether7                              ether       1500  1598       2028
 7   S ether8                              ether       1500  1598       2028
 8   S ether9                              ether       1500  1598       2028
 9   S ether10                             ether       1500  1598       2028
10     sfp1                                ether       1500  1598       4074
11  R  bridge-local                        bridge      1500  1598



[admin@VL-RTR] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                            
 0   ;;; default configuration
     192.168.2.1/24     192.168.2.0     bridge-local                         
 1 D  <external ip removed> /22  176.10.208.0    ether1-gateway                       
 2   192.168.10.1/24    192.168.10.0    ether5-NVR



/ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          176.10.208.1              1
 1  DS  0.0.0.0/0                          176.10.208.1              1
 2 ADC  176.10.208.0/22    <external ip removed>  ether1-gateway            0
 3 ADC  192.168.2.0/24     192.168.2.1     bridge-local              0
 4  DC  192.168.10.0/24    192.168.10.1    ether5-NVR              255



[admin@VL-RTR] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=ether1-gateway 
11   chain=srcnat action=masquerade src-address-list=LocalNet 
     dst-address-list=LocalNet out-interface=bridge-local