How to allow Internet access, but keep Private LAN invisible

My question is probably one that has been answered before, BUT I hate to ask, but I needed to know…

I have a Symantec Gateway firewall, connected to a RB 532a which is transparently bridged to another RB 333, both as AP, WDS mode, and then another RB 150 connected as station WDS to that 333 in WDS bridge. This works for what we have to do at the three locations because we know each other and access to the same subnet is not a problem.

What I want to do with the RB 150 on two ethernet ports is have them assign DHCP (I can figure this out), not on the same subnet as the rest of my WLAN/LAN environment, and ensure that access to my subnet is not allowed from those two ethernet ports.

Basically the wireless networks are from my house to my brother's house and his shop. The last RB is at one of my rental properties, and I was going to provide internet to the tenants. I do not want them to be able to access my subnet, but still have internet access. I also do not want these two ethernet ports to have connection to each other so that the upstairs and downstairs tenants' networks stay separate.

I have a general idea, basically start with adding DHCP to ether 1 and 2, get them to assign different subnets, ensure they are not bridged with my WLAN card… But I would like to make sure, and avoid the trial and error process, which is what I resort to most times. Good way to learn :)

Right now I have ether 1 set to an IP on the same subnet that I use. There is no IP on the WLAN1. Do I need to assign an IP to the wireless on my subnet, and then say 192.168.0.1 as ETHER 1? (My subnet is 10.10.10.X)

Thanks in advance.

In the future I may need to forward ports for video/audio in msn messenger, VOIP etc.
In the near future I will be getting the RB 493AH to act as my firewall and drop the Symantec, and probably be able to do Ether over IP or VLAN from the ether port to ether port across the existing WLAN environment.

That should be pretty easy.
/ip firewall filter
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=10.0.1.0/24

This drops any packets from the 10.0.0.0/24 net to the 10.0.1.0/24 net. You should not be able to see the other way either, because this normally blocks both the request and response packets.

If you want to block the connection one-way, you can add “connection-state=new”

/ip firewall filter
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=10.0.1.0/24 connection-state=new

So I thought I knew what I was doing… I got the DHCP to work properly, assigning the 192.168.1.X range; gateway and DNS are set to .1.1. Ether 2 address is set to .1

The computers get an IP address, but no routing to internet; actually I can't even ping 192.168.1.1 from the computer connected to the ether 2 port.

Maybe my setup description could be clearer?

At my house I have a Symantec firewall, on 10.10.10.1, assigning in that range. I have a RB532A connected via ether 1, acting as an AP Bridge WDS mode, connected wirelessly to a RB333 in AP Bridge WDS mode. This second location has ether 1 to a switch in this building.

I then have a RB 153 connecting as STATION WDS to that RB333. Ether1 I want to leave on the same LAN and is working with Ether 1 and WLAN1 in a Bridge.

I however at this location (Location 3) want ether 2 and ether 3 separate from my LAN of 10.10.10.X and also separate from each other, i.e. ether 2 is 192.16.1.1, and ether 3 is 192.168.2.1.

The reason is that I will have ether 1 for my stuff at this location, and ethers 2 and 3 to provide just internet access to two different tenants at this location.

Thanks for any more help you can be.

Me so sad… I've been fooling around and can't get this set up to work… I get the DHCP to assign IPs on the ether port I need, but it does not allow internet access, which is the important part. The good part is that the rest of the network is not visible from the ether side, which is what I wanted. Just no internet access.

Is this possible when the wireless link is Bridged WDS?
Does the WLAN interface need an IP (assuming one that is on the same subnet as the rest of the private LAN)?

Thanks again for anyone that can help.

Hi BobcatGuy,

Got your PM. I think it will be a two part cure. One will be routing your new ip subnets to the core router. If you want to maintain security on the rest of your net, you will not be able to nat them anywhere except there.

The other will be using the firewall filter to block access to your private net.

Your other subnets are all 10.x.x.x ? No other 192.168.x.x nets except your guests you wish to isolate from your private net, correct?

If you can please show me from the “Location 3” router:
/ip route print
and
/ip firewall nat print

BTW, I am not a big fan of bridges, especially the WDS kind. They are a bit slow for my needs.
I use the CLI because the output is what I need to troubleshoot. But feel free to use Winbox to modify your settings. The CLI-to-Winbox translation is normally pretty straight forward.

EDIT: If this is all you are blocking (just these ip sets), it may be simpler than that. Maybe a nat and firewall filter rule in the “Location 3” router.

10.10.10.1 is NOT a MikroTik device (but will be in a bit, going to order a 493AH). This is a Symantec Gateway 360.
10.10.10.0/24 is my Private LAN space
192.168.1.1 is Ether 2 on the rental place (Ether 3 will be for the basement; I can figure this out after Ether 2 is working)
My dhcp pool range is 192.168.1.100 - 192.168.1.110
10.10.10.5 is Ether 1 Address. WLAN - Sam has no IP but is where this RB gets its internet from.

I wanted to keep Ether 1 for my use at that site, Ether 2 is Upstairs, Ether 3 Downstairs.
Ether 2 Cannot see Ether 1 or 3, and Ether 3 cannot see ether 1 or 2. I have no use to connect to ether 2 or 3 from my bridged ether 1.

I would also like to not allow access to the MT device from ether 2 and 3.



[admin@Rental] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 reachable 10.10.10.1 1 My Bridge
1 S 0.0.0.0/0 reachable 10.10.10.1 1 My Bridge
2 ADC 10.10.10.0/24 10.10.10.5 0 My Bridge
3 ADC 192.168.1.0/32 192.168.1.1 0 Ether 2 - Main Floor
[admin@Rental] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.1.100-192.168.1.110 out-interface=WLAN - Sam
[admin@Rental] >

Here is a challenge:
0 chain=srcnat action=masquerade src-address=192.168.1.100-192.168.1.110 out-interface=WLAN - Sam
I think you need to change the interface on this to out-interface=“My Bridge” (or the interface assigned the local ip).
If there is no IP assignment on ‘WLAN - Sam’, then there will be no ip assignment on the srcnat.

What do you want?

  1. Security ? → use firewall filters
  2. Invisibility ? → use mangle ex:.
/ip firewall mangle add action=change-ttl chain=prerouting disabled=no new-ttl=increment:1



  • rule disabled
C:\>tracert 10.86.90.129 -d

Tracing route to 10.86.90.129 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.86.89.129
  2     9 ms     8 ms     1 ms  10.86.87.109
  3    14 ms     1 ms     1 ms  10.86.90.129

Trace complete.
  • rule enabled
C:\>tracert 10.86.90.129 -d

Tracing route to 10.86.90.129 over a maximum of 30 hops

  1     1 ms    <1 ms     1 ms  10.86.87.109
  2     2 ms     1 ms     1 ms  10.86.90.129

Trace complete.

have fun :)

World peace. What do you want?

My apology to the MT crew. This is outside the scope of this forum. But I could not resist.
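Added example, not from the original thread or from RouterOS: a small model of why the change-ttl mangle rule shown above makes a hop disappear from the tracert output. The path, the router addresses and the probe loop are constructed for illustration; the only real behaviour it reproduces is that each router decrements the TTL and answers when it hits zero, while a router that first increments by one (new-ttl=increment:1 in prerouting) cancels its own decrement.

```python
"""
Model of TTL handling along a path, with an optional router that applies
new-ttl=increment:1 before forwarding.  Constructed example; addresses are
placeholders and not from the thread.
"""


def forward_probe(path, ttl, incrementing):
    """Carry one probe with the given TTL along `path` (routers followed by
    the destination host as the last element).

    Each router decrements the TTL and replies 'time exceeded' when it reaches
    zero.  A router listed in `incrementing` raises the TTL by one first (the
    prerouting mangle rule), so its own decrement is cancelled and it can
    never be the hop at which the probe expires.
    Returns the address that replied to the probe.
    """
    *routers, destination = path
    for router in routers:
        if router in incrementing:
            ttl += 1            # new-ttl=increment:1 in prerouting
        ttl -= 1                # ordinary forwarding decrement
        if ttl == 0:
            return router       # ICMP time exceeded sent by this hop
    return destination          # probe arrived; the destination answers


def traceroute(path, incrementing=frozenset(), max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and collect the replying addresses
    until the destination answers, the way tracert builds its hop list."""
    replies = []
    for ttl in range(1, max_hops + 1):
        replier = forward_probe(path, ttl, incrementing)
        replies.append(replier)
        if replier == path[-1]:
            break
    return replies


# Constructed path: two routers, then the destination host
PATH = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]

if __name__ == "__main__":
    print("rule disabled:", traceroute(PATH))                 # all three hops
    print("rule enabled :", traceroute(PATH, {"10.0.0.1"}))   # first router vanishes
```

Running the block prints three hops with the rule off and two with it on, the same shape as the two tracert captures above. The router still forwards every packet; it only stops being the hop whose TTL expires, which is why the poster files this under invisibility rather than security (the filter rules do the actual blocking).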

The funny thing was I was just trying that when I was at that house.

I tried changing the Out interface to Ether 1 (this has the 10.10.10.5 IP). I also tried to set it to the bridge, named My Bridge (it's the only one I have). I was assuming if I set it to ether1 with the 10.10.10.5 IP that since it is listed as a port on my bridge it would work, but nope, so I tried the Bridge too, and that doesn't work.

I also tried under the advanced section to use “Out Bridge Port” set to “My Bridge” and ether 1.
I tried Masquerade, accept, passthrough under action.

I even tried to do a NAT rule under the Bridge tab, with the similar settings.

In my head I pretty much understand the meanings, and the logical outcome of the settings, I can’t say that I am perfect, just novice. In my head it is supposed to work, but it doesn’t.

What REALLY confuses me is that when the notebook got assigned the IP I could not ping 192.168.1.1 (Ether2). It was connected via cat 5 direct to ether2.

Dumb question, but it might be valid… I set in the DHCP that the DNS servers were those of my ISP. I however also tried 10.10.10.1 (main firewall) and 192.168.1.1 (ether2). I only tried the ISP's DNS since I read in some post to try that.

Do I need to do anything on the Symantec firewall? Since the connection ends up being NATted 2 times, would this be an issue? (I did add a route for 192.168.1.0 to use gateway 10.10.10.5 Metric 2, which allows me to get to 192.168.1.1 (ether2) from the 10.10.10.X side; thought it would help, it didn't with the internet portion.)

If I assign an IP to the WLAN - Sam would this make things easier?

Should I drop this whole setup and change it to routed network? I originally did the bridge since I wanted to keep all of our computers on the same subnet.

I'm open to ideas from the pros.

Thanks again.

Hi BobcatGuy,

Let's try a different approach. What srcnat or masquerade do you have in the main router? Maybe you could remove the masquerade in this router and use the masquerade in the core router. With the WDS bridge, it should only need the one.

The router/firewall that is connected to the ISP cable is not a MikroTik, it is a Symantec Gateway Security 360.

In testing, I ended up adding a route for 192.168.1.0 with gateway of 10.10.10.5; this is ether1 (RB153 at rental house).
Ether 2 is not bridged to ether 1. I was just thinking that I could bridge it and then tell this RB to drop all data to the 10.10.10.X range from ether 2 so as to not allow ether 2 users access to my LAN.

I can access that RB from my lan by going to 192.168.1.1 so the route works.

I still wanted to keep the 10.10.10.x range invisible to ether 2 at the rental.


However, if it is bridged, what is stopping my Symantec from assigning IPs over that ether 2 since it is bridged? (Again, IF I add ether 2 to the bridge ports; it is not right now.)

At the end of the day, is it easier to change the topology of the network to a routed one?

If all works now except blocking the localnets, then this should keep the 192.168.xx net out of any 10.x.x.x net

/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/16 dst-address=10.0.0.0/8

All 192.168.x.x addresses will not be able to access any address starting with 10.
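Added example, not from the original thread or from RouterOS: a small Python model of how a forward-chain drop rule behaves, covering both the first reply's 10.0.0.0/24 to 10.0.1.0/24 rule (with and without connection-state=new) and the 192.168.0.0/16 to 10.0.0.0/8 rule just above. The rule and connection-tracker classes, the `exchange()` helper and all host addresses (203.0.113.10 stands in for an internet host) are constructed for illustration; the only RouterOS behaviour modelled is that a reply belongs to an already-tracked flow and so is not "new", and that a dropped packet never creates a tracked flow.

```python
"""
Model of chain=forward drop rules with and without connection-state=new.
Constructed example; not RouterOS code.
"""
import ipaddress


class DropRule:
    """One drop rule: src-address/dst-address, optionally matching only the
    first packet of a flow (connection-state=new)."""

    def __init__(self, src_net, dst_net, new_only=False):
        self.src_net = ipaddress.ip_network(src_net)
        self.dst_net = ipaddress.ip_network(dst_net)
        self.new_only = new_only


class ForwardChain:
    """Evaluates packets against drop rules while tracking flows, so a reply
    to an accepted request counts as established rather than new."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()          # flows that have had a packet accepted

    @staticmethod
    def flow_key(src, dst):
        return frozenset((src, dst))   # request and reply share one key

    def forward(self, src, dst):
        """Return 'drop' or 'accept' for one packet and update flow state."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        is_new = self.flow_key(src, dst) not in self.flows
        for rule in self.rules:
            if s in rule.src_net and d in rule.dst_net and (is_new or not rule.new_only):
                return "drop"       # a dropped packet never creates a flow
        self.flows.add(self.flow_key(src, dst))
        return "accept"


def exchange(rules, initiator, responder):
    """Push one request and its reply through a fresh chain and report where
    the conversation was cut: 'request dropped', 'reply dropped' or 'ok'."""
    chain = ForwardChain(rules)
    if chain.forward(initiator, responder) == "drop":
        return "request dropped"
    if chain.forward(responder, initiator) == "drop":
        return "reply dropped"
    return "ok"


# The thread's rules, in the model's representation
STATELESS = [DropRule("10.0.0.0/24", "10.0.1.0/24")]
ONE_WAY = [DropRule("10.0.0.0/24", "10.0.1.0/24", new_only=True)]
TENANTS_TO_PRIVATE = [DropRule("192.168.0.0/16", "10.0.0.0/8")]

if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("connection-state=new", ONE_WAY)):
        print(name, "10.0.0.10 -> 10.0.1.20:", exchange(rules, "10.0.0.10", "10.0.1.20"))
        print(name, "10.0.1.20 -> 10.0.0.10:", exchange(rules, "10.0.1.20", "10.0.0.10"))
    print("tenant -> private LAN:", exchange(TENANTS_TO_PRIVATE, "192.168.1.100", "10.10.10.1"))
    print("tenant -> internet   :", exchange(TENANTS_TO_PRIVATE, "192.168.1.100", "203.0.113.10"))
    print("private -> tenant    :", exchange(TENANTS_TO_PRIVATE, "10.10.10.5", "192.168.1.100"))
```

The stateless rule cuts the conversation in both directions, as the first reply says: the private-side request is dropped outright, and a tenant-side request gets through but its reply is dropped. Adding connection-state=new leaves the reply alone, so only connections started from the private side are blocked. The 192.168.0.0/16 to 10.0.0.0/8 rule is stateless, so it likewise blocks tenant-initiated access to the 10.x LAN while leaving tenant traffic to the internet untouched.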

umm ya.. It's been a while since I've got back to my project of free internet for the tenants.. If you see the basement of this house, it is all under construction, wires hanging from the roof. I'm sitting on a pail with the notebook, trying to “fix” this issue…

The DHCP, srcnat and firewall rules were correct… BUT the one thing I forgot, which I cannot understand why this stops it from working… I had the IP on ether 2 set to 192.168.1.1, DHCP settings had that in there, and DNS, etc.. But still never worked.. What did I miss?

Assigned IP to ether2 as 192.168.1.1, not 192.168.1.1/24. It needed the /24 in there to work. Why? Beyond me, but at least someone else might find this read interesting, and laugh, that I spent so much time on it :)

Thank you everyone for your help.

When in doubt, trial and error. ha ha
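Added example, not from the original thread or from RouterOS: a Python model of why the missing /24 on ether2 broke both the ping to 192.168.1.1 and internet access. An interface address entered without a prefix length is a single host (/32), which is exactly what the `ip route print` earlier in the thread shows for ether2 (`192.168.1.0/32`). The route table below is a constructed copy of that output's shape (default route and 10.10.10.0/24 via "My Bridge", plus whatever connected route the ether2 address yields), and `egress_interface()` is a plain longest-prefix match, so it shows which interface the router would pick for replies to the DHCP pool in each case.

```python
"""
Why '192.168.1.1' and '192.168.1.1/24' produce different connected routes,
and what that does to replies sent to DHCP clients.  Constructed example.
"""
import ipaddress

# Pool from the thread: 192.168.1.100 - 192.168.1.110
DHCP_POOL = [f"192.168.1.{h}" for h in range(100, 111)]


def connected_network(address):
    """Connected route a router derives from an interface address.
    A bare host address has no prefix length, so it becomes a /32."""
    return ipaddress.ip_interface(address).network


def route_table(ether2_address):
    """Route table shaped like the thread's 'ip route print': default and
    10.10.10.0/24 via the bridge, plus the connected route for ether2."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "My Bridge"),
        (ipaddress.ip_network("10.10.10.0/24"), "My Bridge"),
        (connected_network(ether2_address), "Ether 2 - Main Floor"),
    ]


def egress_interface(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    candidates = ((net, iface) for net, iface in table if dst in net)
    net, iface = max(candidates, key=lambda route: route[0].prefixlen)
    return iface


def pool_reply_paths(ether2_address):
    """Interface the router would use to answer each DHCP client."""
    table = route_table(ether2_address)
    return {host: egress_interface(table, host) for host in DHCP_POOL}


if __name__ == "__main__":
    for entered in ("192.168.1.1", "192.168.1.1/24"):
        paths = pool_reply_paths(entered)
        print(f"address {entered:16} -> connected route {connected_network(entered)};"
              f" replies to pool leave via {sorted(set(paths.values()))}")
```

With the bare address the only on-link host is the router itself, so a ping reply to 192.168.1.100 follows the default route out the bridge and never returns to the cable on ether2; with /24 the whole pool is on-link and replies go out ether2. Masquerade and the filter rules were never the problem, which matches the poster's finding that only the prefix length needed to change.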