Help needed with design

I have 2 locations (2 buildings).
Both have a gateway to the internet with a firewall.
I want to connect both buildings (with MikroTik) wirelessly, so not over the internet.
I like that both buildings use their own internet gateway.
In building 1 there is a DNS and DHCP server that I want to use in both buildings.


What is good to do?
Help me with network design.

Just bridge two ports of router A and B, having an IP from site A on the port of router B. Set the routes of internal IP networks towards. Condition is to have different and non-overlapping network address ranges on both sides.

Hi,

Thanks for your reply,
It is just a little time ago but I’m working on it now.

If I want to use your answer in this concept:
https://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks

Can you tell me how to do this?

This is to extend a wireless network, i.e. without the need to run a network cable to 2nd AP.

I suspect the 2 buildings are on different subnets? If so, then you can’t use this method and must do as per @jarda.

If they are on the same subnet, then you have a much bigger project on your hands

Hi, thanks a lot for your answer.
What I want is as follows.
We have two buildings (separated 200 meters from each other). MikroTik works great to get a wireless link between these buildings.
We want different subnets in both buildings:
Building 1 172.16.0.0/21
Building 2 172.17.0.0/21
But in building 1 is the fileserver and DNS server we want to use in both buildings.
Both buildings have their own gateway.

Hope this makes some sense.

Assuming you don’t want to change existing LAN layout in both buildings too much, and that there will be some kind of ethernet-transparent wireless equipment used for the wireless link between the buildings, then here’s what you can do:

ISP building 1 <-> GW1 (172.16.0.1) <--> LAN1
                                     \-----> (172.16.1.42) RB1 (192.168.88.1) -\
                                                                                > wireless connection
                                     /-----> (172.17.1.42) RB2 (192.168.88.2) -/
ISP building 2 <-> GW2 (172.17.0.1) <--> LAN2

You need to configure a few static routes:

  • on GW1 you need to set route to 172.17.0.0/21 with GW address of RB1 (172.16.1.42)
  • on GW2 you need to set route to 172.16.0.0/21 with GW address of RB2 (172.17.1.42)
  • on RB1 you need to set route to 172.17.0.0/21 with GW address of RB2 (192.168.88.2)
  • on RB2 you need to set route to 172.16.0.0/21 with GW address of RB1 (192.168.88.1)

And I guess that’s it. If you don’t have any FW rules on any of the RBs, then devices from both LANs (172.16.0.0/21 and 172.17.0.0/21) should be able to connect to each other on the IP layer … some basic services (e.g. DHCP) cannot work across routers, but I’m sure you already knew that.

If you’ll use RBs to do the wireless link themselves (e.g. NV2 or similar), then configuration on the RBs will be slightly different, configuration on other network equipment will be the same.

If you want to filter traffic between both subnets, then you can set IP firewall filters on either RB. For the sake of lower traffic over the wireless link between buildings it would be better to drop traffic on the “near” RB … e.g. if you don’t want to allow, say, HTTP connections from clients in 172.16.0.0/21 to servers in 172.17.0.0/21, then you’d set a drop action on RB1:

    /ip firewall filter
    add action=drop chain=forward comment="no HTTP towards building 2" dst-port=80 protocol=tcp dst-address=172.17.0.0/21

You could put just the same filter on RB2, however the dropped packets would have passed the wireless link already.
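The addressing, static routes and near-side filter from the answer above, written out as RouterOS commands. This is an added example, not configuration from the thread; it assumes the two RBs make the wireless link themselves with wlan1 in a 192.168.88.0/24 transfer net (not bridged to ether1), that RB2 mirrors RB1 with the addresses swapped, and that GW1/GW2 are MikroTik as well for the GW routes. The SSID and pre-shared key are placeholders.

```routeros
# ---- RB1 (building 1, AP side of the link) ----
/interface wireless security-profiles
add name=b1-b2-link mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key=CHANGE-ME-LONG-RANDOM-PSK
/interface wireless
# AP side; RB2 uses mode=station with the same ssid/security-profile
set [ find default-name=wlan1 ] mode=bridge ssid=B1-B2-LINK \
    wireless-protocol=nv2 security-profile=b1-b2-link disabled=no

/ip address
add address=172.16.1.42/21 interface=ether1 comment="towards GW1 / LAN1"
add address=192.168.88.1/24 interface=wlan1 comment="transfer net to RB2"

/ip route
# building 2 is reachable only via RB2 over the wireless link
add dst-address=172.17.0.0/21 gateway=192.168.88.2 comment="LAN2 via RB2"
# RB1's own default (updates, management) stays on building 1's gateway
add dst-address=0.0.0.0/0 gateway=172.16.0.1 comment="RB1 default via GW1"

/ip firewall filter
# example near-side filter: drop before the packet crosses the air link
add chain=forward action=drop protocol=tcp dst-port=80 \
    dst-address=172.16.0.0/21 src-address=172.16.0.0/21 disabled=yes \
    comment="placeholder, see next rule"
add chain=forward action=drop protocol=tcp dst-port=80 \
    src-address=172.16.0.0/21 dst-address=172.17.0.0/21 \
    comment="no HTTP from LAN1 towards building 2"

# ---- RB2 (building 2, station side): mirror image ----
# /ip address add address=172.17.1.42/21 interface=ether1
# /ip address add address=192.168.88.2/24 interface=wlan1
# /ip route   add dst-address=172.16.0.0/21 gateway=192.168.88.1
# /ip route   add dst-address=0.0.0.0/0     gateway=172.17.0.1

# ---- GW1 and GW2 (only if they are MikroTik; otherwise add the
#      equivalent static route on whatever firewall/gateway is there) ----
# GW1: /ip route add dst-address=172.17.0.0/21 gateway=172.16.1.42
# GW2: /ip route add dst-address=172.16.0.0/21 gateway=172.17.1.42
```

The first (disabled) filter rule only shows the shape of a same-subnet rule that would never match on a router; the second is the one that actually does the near-side drop. Check the result with /ip route print and /ping 172.17.0.1 src-address=172.16.1.42 from RB1.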

Thanks a lot.

Yes I know that DHCP is not working for the 2 buildings (but that is ok.)

But I need a little help with the configuration of the RB SXT 5AC devices which I use for the wireless link between the buildings.
On building 1 172.16.0.0/21 is also split in VLANs
On Building 2 172.17.0.0/21 is also split in VLANS
Think I must use WDS-bridge on the RB’s?
Set one as Bridge and the other as Station-client
Add IP addresses to the Bridge interfaces of both RB’s
Add IP address to the ether1 interfaces of both RB’s?
Is that right?

That’s how I imagined it could be done.

You mentioned VLANs on both sides. That actually complicates the setup because from the RB’s point of view, you need to route each VLAN separately. It would be easier if you added a dedicated connection between GW1 and RB1 (either a physical connection or a separate VLAN) and still did all the routing between the VLANs in building 1 and the complete building 2 on your existing GW1 … and the same in building 2. Especially so if your VLAN subnets really have adjacent network addresses which can be covered by a single netmask. The routing table would be much simpler, especially as most of the routing table needs to be implemented on all 4 routers.
If the above is not possible to do, you can add all needed VLANs to respective RBs, together with appropriate static routes on both GWs. And be extra careful not to introduce some routing between VLANs which should not be routed.