Just got my brand new RouterBOARD 1200. Now trying to configure it for my LAN. I need my LAN to look like:
1. 1 ethernet port: WAN – static IP from my ISP
2. LAN1 192.168.0.0/24 + Internet (NAT from port1)
3. LAN1 192.168.1.0/24
4. LAN1 192.168.2.0/24 + Internet (NAT from port1)
5. LAN1 192.168.3.0/24 + Internet (NAT from port1)
6. Forward to that port everything from the WAN port (it has two IPs from the ISP)
So, what I did: I named my ethernet ports, then used setup for all my needs 1-5 (I don't know what to do for the 6th issue). Then I used this article: http://wiki.mikrotik.com/wiki/NAT_Tutorial So now I do have Internet for my #2. I used the same idea for #4 and #5, but there is no Internet there.
Here I’ll show my configs:
My IP address (the ISP one is brushed out, but it's there with the default gw)
other configs
So, if any additional info is needed, I will give it. What's wrong with the current one? So, as I said, everything is working (DHCP and Internet via NAT at port 1 → from WAN to OFFICE: ethernet1 to ethernet2 physically), but it fails with the others. And what do I do for #6?
The way you want to set up port #6 may or may not work. You unfortunately blanked out your public IP address. How many IPs are on the WAN subnet? Are ALL of those IPs yours, or is it a shared network with other users? Are those two IPs on port 6 from that subnet, or are they routed to you via the WAN subnet?
If it is a shared network you cannot directly assign IPs from the WAN subnet to other ports. You’ll have to NAT (which you’re sort of alluding to with saying you want to port forward - if you had the public IPs directly on port 6 you wouldn’t need to port forward).
So please elaborate on that point some more.
On a side note, you’re using the CLI. Why are you posting screenshots? Just use “export” and “print” commands and copy and paste them to here. That’s far more readable than screenshots, and much easier to do.
They all work, get an IP via DHCP, have Internet via eth1. But they all can ping each other! So a PC with IP 192.168.0.5/24 can reach 192.168.3.8/24.
I supposed that I got puzzled by my netmask arithmetic, so I gave my eth2-eth4 addresses from different private networks (10.0.0.0/8, 172.168.0.0/12 and 192.168.0.0/24). But! They still remained pingable. This all seems very strange. Is it OK? Or do some ports (it's group 1 or something) work as a switch?
How is that strange? It’s a router. Of course it routes between connected networks. The Internet beyond eth1 is just another connected network. If you want to drop that you can do so in the IP firewall filters.
Yep. It must be my fault. I thought that MikroTik acts a bit differently from a, so to say, "simple" router, and inter-port routing must be configured by hand.
A little mark-up: it did not work =( I've just VPNed to my MikroTik, got a 192.168.1.4/24 address, and I can easily ping the 0.0/24, 2.0/24 and 3.0/24 subnetworks. So in rules I have:
So, I have a 192.168.1.4/24 IP and I still ping my 192.168.2.1/24 IP…
P.S. sorry for the screenshots, I still did not get how I can get info about my configs remotely (via SSH) and export them.
I just don't have direct access to the RouterBOARD now, so I tried this weird kind of testing. Sorry for that. Will test that later and write down the results here.
You can test via the VPN, that’s a perfectly fine test. You just can’t ping an IP address assigned to the router itself, you have to ping an IP address connected to the router - because your firewall filter rules are allowing pings to the router itself.
Yep, but nobody but me can access my router for now. So I personally have to connect some PC to my router networks (the router is not in production now, it's in the stage of heavy configuration =) ). So I'll try to reach it as soon as possible and finish that process.
So, today I finally reached my hardware and thank you fewi, it all worked, as I needed. But! I got one more task to solve.
So, what I needed – to have a VPN connection to my MikroTik, so I could use my 192.168.1.0/24 network. First, I configured my VPN, got my 192.168.1.8/24 address, and could ping the 192.168.1.1/24 (ethernet1) address. But I could not ping my PCs connected to my 192.168.1.0/24 network. As I read through the manuals, I had to use some kind of ARP proxy for my ethernet1 (192.168.1.0/24 network) and it had to work, but, alas, it did not. Plus, I read that there were some issues with that, so I did something stupid (maybe) and created a VPN to the 192.168.10.0/24 network (non-existing) and then made masquerade for this connection. Yep, it's stupid, but it worked for now (I put my board into "production" today).
So, finally, what is my issue: with that masquerading I can ping ANY of my subnetworks from my VPN connection (so I can access 192.168.0.0/24…192.168.3.0/24). That's not what I need. I need to have access ONLY to my 192.168.1.0/24 network.
Here are my configs:
*ether3 is my 192.168.1.0/24 network
Actually, what I tried to do – create a Drop filter, like the one above. Something like
It did not. Plus, I read that there were some issues with that, so I did something stupid (maybe) and created a VPN to the 192.168.10.0/24 network (non-existing) and then made masquerade for this connection. Yep, it's stupid, but it worked for now (I put my board into "production" today).
That’s not stupid at all. That’s the right solution. VPN space should be separate from any physical interfaces.
So you now have VPN connections on 192.168.10.0/24, and you want that VPN IP space to only be able to reach 192.168.1.0/24, but not any other directly connected networks?
First, remove the 192.168.10.0/24 masquerade rule you made. You don’t need it. Your VPN client will end up on the router anyway, which will create a /32 route for the VPN client in its routing table. So the router knows how to reach the client VPN IP. The other networks use the router as their default gateway for IPs not on themselves, which the VPN IP isn’t. Ergo, the router can route all that traffic without NAT.
Expanding on the firewall rules I wrote out a few days ago, this would be the combined rule set to disallow all networks from talking to one another, and allow the VPN on 192.168.10.0/24 to talk to 192.168.1.0/24 but not other networks:
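An added illustration of the rule set fewi describes (this is not fewi's own rules, which are not reproduced here): an address list holds every local subnet including the VPN pool, the two accepts let the VPN pool and ether3's 192.168.1.0/24 talk to each other, and the final drop blocks every other local-to-local pair. Traffic to the Internet never matches the list, so NAT on ether1 keeps working.

```routeros
# Added example, not from the thread. Assumes the subnets from the thread and a
# VPN pool of 192.168.10.0/24; rules are evaluated top to bottom, so order matters.
/ip firewall address-list
add list=local address=192.168.0.0/24 comment="ether2 LAN"
add list=local address=192.168.1.0/24 comment="ether3 LAN"
add list=local address=192.168.2.0/24 comment="ether4 LAN"
add list=local address=192.168.3.0/24 comment="ether5 LAN"
add list=local address=192.168.10.0/24 comment="VPN pool"

/ip firewall filter
# Replies to already-accepted sessions pass without re-checking every rule.
add chain=forward connection-state=established,related action=accept \
    comment="allow established/related"
# The only permitted local pair: VPN clients <-> 192.168.1.0/24.
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.1.0/24 \
    action=accept comment="vpn -> ether3 LAN"
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.10.0/24 \
    action=accept comment="ether3 LAN -> vpn"
# Everything else between local subnets (LAN<->LAN, VPN<->other LANs) is dropped.
# Destinations outside the list (the Internet) fall through and are forwarded.
add chain=forward src-address-list=local dst-address-list=local action=drop \
    comment="isolate local subnets"
```

These rules live in the forward chain, so as noted earlier in the thread they do not affect pings to the router's own addresses; test from a VPN client against a host on 192.168.2.0/24, and check the rule counters with `/ip firewall filter print stats`.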
So, now I am trying to close this inter-port communication (so now even 192.168.0.1, 192.168.2.1 and others won't be accessible). As was said above, I tried to use the inner rule for dropping. What I did:
And one more issue (yep, I googled for it, but did not find the proper way to do that). What I need – is to ban some devices that get connected to my 192.168.0.0/24 network via wifi (via DHCP). Can you point me to the right way to do that?
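One way to keep a specific device off the 192.168.0.0/24 network on RouterOS, as an added example that is not an answer from the thread: a blocked static lease makes the DHCP server refuse that client, and a MAC-based firewall drop covers the case where the device sets an address by hand. The MAC address and the server name "dhcp-office" are placeholders.

```routeros
# Added example, not from the thread. Replace the MAC and the server name with
# the real ones (see /ip dhcp-server lease print for the MACs currently seen).
/ip dhcp-server lease
# Lease entries are keyed by MAC; block-access=yes makes the server ignore
# this client's requests instead of handing it an address.
add mac-address=00:11:22:33:44:55 address=192.168.0.50 server=dhcp-office \
    block-access=yes comment="banned device"

/ip firewall filter
# Drop the device's traffic through the router and to the router itself, so a
# manually configured address on the same wifi does not bypass the lease block.
add chain=forward src-mac-address=00:11:22:33:44:55 action=drop \
    comment="banned device"
add chain=input src-mac-address=00:11:22:33:44:55 action=drop \
    comment="banned device"

# Stronger variant: only devices with a static lease get an address at all.
# Convert each known device's lease to static first (make-static), then:
/ip dhcp-server
set dhcp-office address-pool=static-only
```

The MAC-based rules only match frames the router sees, so two wifi clients on the same AP can still reach each other directly; the static-only pool is the firmer control because an unknown device never gets a usable address from the router.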