HEX Lite for Different Subnets

Hello everyone,

I have tried getting this right the whole day with no success and would appreciate any assistance.

I have a network setup as follows (I have attached a diagram as well):

I have Network A which consists of a number of devices with static IPs 192.168.0.X and Network B which consists of a number of devices with static IPs 192.168.10.X.

I would like one particular device on Network A to be able to communicate with a particular device on Network B. They should not be able to communicate with other devices on the opposite network. Network A will be connected to Port 4 and Network B will be connected to Port 5. Ports 1-3 are not really relevant since they are not used. I do not care about internet/WAN in this scenario.

How would one go about it?

I have tried setting it up as follows, but this does not work - I do not even know if this is the correct way/technique:

/ip address
add interface=ether4 address=192.168.0.254/24
add interface=ether2 address=192.168.10.254/24

/ip firewall address-list
add address=192.168.0.30/24 comment="LAN" list=local_LAN
add address=192.168.10.10/24 comment="LAN2" list=local_LAN
/ip firewall filter
add action=accept chain=forward comment="allow traffic between local LANs" src-address-list=local_LAN dst-address-list=local_LAN

I would want to allow only access to certain ports on the devices at a later stage but currently, I cannot even ping any of the other devices.

Thank you in advance.

Best regards,
Darius
[attached diagram: Screenshot 2024-08-15 141707.png]

/ip firewall filter
# Forward chain
# default rules to keep
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

# admin rules
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept src-address=192.168.0.X dst-address=192.168.10.Y
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat disabled=yes
# (enable the port-forwarding rule if required, or remove it)
add chain=forward action=drop comment="drop all else"

Thank you for your comment. Unfortunately, the device connected to ether5 (192.168.0.30) cannot ping/communicate with the device on ether4 (192.168.10.10). It is as if they do not "see" each other. Any ideas of what I am doing wrong? I just want to be able to let data flow from one subnet on ether4 to another different subnet on ether5 and vice versa.

Thanks in advance.

Let’s divide the thing in two:

  1. succeed in pinging from one network to the other (and vice versa)
  2. limit communications to between only two devices, one on each network

Your scheme and description are about ether4 (192.168.0.x) and ether5 (192.168.10.x).
The snippet of configuration you posted is about ether4 and ether2 😮.
Check interfaces/configuration.

Then post your configuration, possibly the whole configuration, with sensible data masked/edited.

Post also output of:

/ip route print

Since (for the moment) you are within LAN, you can temporarily disable the firewall filter rules (all of them).

The approach should be correct, as it seems similar to/derived from:
http://forum.mikrotik.com/t/join-two-subnets/121298/1
but the devil is in the details.

Is it not - by any chance - that the involved ports are part of a bridge?

Hi jaciaz,

you are correct, I made a mistake in the code snippet I posted to the forum - sorry about that.

I have removed ether4 and ether5 from the bridge and inputted the following (similar to the post you’ve linked):

/ip address
add address=192.168.0.254/24 interface=ether4 network=192.168.0.0
add address=192.168.10.254/24 interface=ether5 network=192.168.10.0
/ip firewall filter
add action=accept chain=forward comment="allow traffic between LAN and LAN2" src-address=192.168.0.0/24 dst-address=192.168.10.0/24
add action=accept chain=forward comment="allow traffic between LAN and LAN2 (reverse direction)" src-address=192.168.10.0/24 dst-address=192.168.0.0/24

My route table is:

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.0.0/24     192.168.0.254   ether4                    0
 1 ADC  192.168.10.0/24    192.168.10.254  ether5                    0
 2 ADC  192.168.88.0/24    192.168.88.1    bridge                    0

Where to go from here? Obviously, the devices on each network are not able to see one another as they are on different subnets. Is dst-NAT something I should consider?

Thank you for your time and assistance.

Regards,
Darius

So, you have the (dynamic) routes alright.
It should work, unless there is something else in the firewall (or somewhere else) blocking the connection.
As mentioned in the linked thread/post by mkx.
You can try disabling (temporarily) all the firewall rules.
But which devices are at IPs 192.168.0.30 and 192.168.10.10?
Just as an example, modern Windows firewall default settings prevent replying to pings:
https://activedirectorypro.com/allow-ping-windows-firewall/
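A complete configuration covering both halves of the task (routing between the two subnets, then restricting the forward path to the single host pair), as an added example that was not posted in the thread. It assumes the two devices are 192.168.0.30 on ether4 and 192.168.10.10 on ether5, that ether1-ether3 stay on the default bridge with the 192.168.88.0/24 management LAN, and that the router keeps the default forward-chain connection-tracking rules. The service port 22 in the commented-out rule is a placeholder, not something the thread specifies. One caveat worth checking against the first post: an address-list entry written as 192.168.0.30/24 matches the whole 192.168.0.0/24, so host entries meant to single out one device must be /32 (no mask).

```routeros
# Added example, not from the thread. hEX Lite with two routed subnets:
#   ether4 = 192.168.0.0/24 (router 192.168.0.254)
#   ether5 = 192.168.10.0/24 (router 192.168.10.254)
# Only 192.168.0.30 <-> 192.168.10.10 may cross between them.

# 1. The two ports must be routed ports, not bridge members. A port that is
#    still in the bridge is on 192.168.88.0/24 and never sees the /ip address
#    bound to ether4 or ether5.
/interface bridge port
print
remove [find interface=ether4]
remove [find interface=ether5]

# 2. One router address per subnet; these create the connected (ADC) routes
#    seen in /ip route print, so no static routes are needed.
/ip address
add address=192.168.0.254/24 interface=ether4 comment="LAN A"
add address=192.168.10.254/24 interface=ether5 comment="LAN B"

# 3. Host entries are single addresses (/32). "192.168.0.30/24" would match
#    every host in 192.168.0.0/24, not just .30.
/ip firewall address-list
add list=hostA address=192.168.0.30 comment="allowed device on LAN A"
add list=hostB address=192.168.10.10 comment="allowed device on LAN B"

# 4. Forward chain: connection tracking first, then the allowed pair in both
#    directions, then drop everything else that tries to cross A <-> B.
#    The drops are bound to ether4/ether5 so the bridge/WAN paths are untouched.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="allow replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept src-address-list=hostA dst-address-list=hostB comment="A -> B"
add chain=forward action=accept src-address-list=hostB dst-address-list=hostA comment="B -> A"
add chain=forward action=drop in-interface=ether4 out-interface=ether5 comment="drop other A -> B"
add chain=forward action=drop in-interface=ether5 out-interface=ether4 comment="drop other B -> A"

# Later, to allow only one service instead of all traffic, replace the "A -> B"
# rule with a port-specific one (22 is a placeholder, pick the real port):
# add chain=forward action=accept src-address-list=hostA dst-address-list=hostB protocol=tcp dst-port=22 comment="A -> B, one service"
# Replies still come back through the established,related rule above.

# 5. Verify: ping 192.168.10.10 from 192.168.0.30 and 192.168.0.30 from
#    192.168.10.10, then confirm the pair rules count packets and the drop
#    rules count anything else you try from another host.
/ip firewall filter print stats where chain=forward
```

If the ping still fails with the pair rules counting packets, the block is on the end host (for example the Windows firewall rule mentioned above), not on the router; if the pair rules stay at zero while the drop rules count, the wrong port or a stale bridge membership is the usual cause, and /interface bridge port print is the first thing to re-check.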

Thank you everyone. I came right with your steps and help.

Much appreciated.

Darius