How to allow LAN - LAN connection

Hi all,

This is a newbie question. I have an RB951G and am trying to set up 2 private LANs:

  1. LAN1 192.168.2.0/24 (WLAN + Port 2, bridge),
  2. LAN2 192.168.3.0/24 (Port 3)

WAN is on port 1.

Problem:

  1. I cannot ping/traceroute or access services from LAN1 => LAN2, or from LAN2 => LAN1

What I want to achieve:

  1. Allow LAN1 => LAN2 and LAN2 => LAN1 to access each other's services
  2. Allow port forward from WAN to service in LAN2 (for example http/80)


I hope someone can enlighten me. Thanks

Best regards,

Riwut L


This is my settings

[admin@redmond] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                       
 0   ;;; default configuration
     192.168.2.1/24     192.168.2.0     ether2-LAN                                                                      
 1   192.168.3.1/24     192.168.3.0     ether5-TO-DLINK-Bridge                                                          
 2   192.168.2.254/24   192.168.2.0     bridge-local                                                                    
 3 XI 192.168.0.2/24     192.168.0.0     bridge-segment-3                                                                
 4 D 116.88.61.222/24   116.88.61.0     ether1-Public-1                                                                 
[admin@redmond] >

Firewall

[admin@redmond] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; default configuration - Accepts ICMP
      chain=input action=accept protocol=icmp in-interface=bridge-local log=no log-prefix="" 

 2    ;;; default configuration - Accepts Established / Related Input
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3    chain=input action=accept in-interface=ether5-TO-DLINK-Bridge log=no log-prefix="" 

 4    chain=input action=accept in-interface=bridge-local log=no log-prefix="" 

 5    ;;; default - DROP input
      chain=input action=drop log=yes log-prefix="Input Drop" 

 6    ;;; FastTrack Established/Related Forward
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 7    ;;; default configuration - Foward Related/Established
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 8    ;;; Forward LAN >> WAN
      chain=forward action=accept out-interface=ether1-Public-1 log=no log-prefix="" 

 9    ;;; default - DROP Forward Invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

10    ;;; default configuration - Drop Any Into GW
      chain=input action=drop in-interface=ether1-Public-1 log=no log-prefix="" 

11    ;;; DROP BOGON
      chain=forward action=drop src-address-list=Bogon log=no log-prefix="" 

12    ;;; DROP FORWARD 
      chain=forward action=drop log=no log-prefix=""

Nat

[admin@redmond] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0 XI  chain=srcnat action=masquerade protocol=tcp out-interface=ether1-Public-1 dst-port=53 connection-mark=USA-Limite>
      log=no log-prefix="" 

 1 XI  chain=srcnat action=masquerade protocol=udp out-interface=ether1-Public-1 dst-port=53 connection-mark=USA-Limite>
      log=no log-prefix="" 

 2    ;;; UnLocator DNS for HULU, NetFlix 
      chain=dstnat action=dst-nat to-addresses=54.251.190.247 to-ports=53 protocol=tcp dst-port=53 
      connection-mark=USA-Limited log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=54.251.190.247 to-ports=53 protocol=udp dst-port=53 
      connection-mark=USA-Limited log=no log-prefix="" 

 4 XI  chain=dstnat action=accept protocol=tcp src-address=192.168.3.10 dst-port=80 log=no log-prefix="loh" 

 5 XI  chain=srcnat action=masquerade protocol=tcp out-interface=ether1-Public-1 dst-port=53 connection-mark=USA-Limite>
      log=no log-prefix="" 

 6 XI  chain=srcnat action=masquerade protocol=udp out-interface=ether1-Public-1 dst-port=53 connection-mark=USA-Limite>
      log=no log-prefix="" 

 7 XI  ;;; UnLocator DNS for HULU, NetFlix - bypass Web Proxy
      chain=srcnat action=masquerade connection-mark=via_unlocator_conn log=no log-prefix="" 

 8    ;;; Transparent proxy DNS 
      chain=dstnat action=dst-nat to-addresses=192.168.2.1 to-ports=53 protocol=tcp dst-port=53 log=yes 
      log-prefix="DNSREQ" 

 9    chain=dstnat action=dst-nat to-addresses=192.168.2.1 to-ports=53 protocol=udp dst-port=53 log=yes 
      log-prefix="DNSREQ" 

10 XI  chain=srcnat action=masquerade src-address-list=no-web-proxy log=no log-prefix="" 

11 XI  ;;; Transparent HTTP proxy
      chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80 connection-mark=bypass_local_proxy log=no 
      log-prefix="" 

12 XI  chain=dstnat action=dst-nat to-addresses=192.168.3.10 to-ports=8080 protocol=tcp in-interface=bridge-local 
      dst-port=80 connection-mark=TProxy_Target log=no log-prefix="" 

13 XI  ;;; Masquerade for others - via MitraisVPN 
      chain=srcnat action=masquerade out-interface=pptp-out-mitrais out-bridge-port=ether3-LAN log=no log-prefix="" 

14 XI  ;;; Masquerade for others - via VPNBook
      chain=srcnat action=masquerade out-interface=VPNGate-OVPN log=no log-prefix="" 

15 XI  chain=srcnat action=masquerade out-interface=SuperVPN-Germany log=no log-prefix="" 

16    ;;; Masquerade for others - via Default Provider
      chain=srcnat action=masquerade out-interface=ether1-Public-1 log=no log-prefix=""

Mangle

[admin@redmond] /ip firewall> mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting 

 3 XI  ;;; Mark traffic via unlocator
      chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=no-web-proxy address-list-timeout=0s 
      layer7-protocol=WhiteList dst-port=80 log=no log-prefix="" 

 4 XI  chain=prerouting action=accept protocol=tcp src-address=192.168.2.107 in-interface=bridge-local log=yes 
      log-prefix="tracking" 

 5    chain=prerouting action=mark-connection new-connection-mark=USA-Limited passthrough=yes protocol=tcp 
      dst-address=8.8.8.8 dst-port=53 log=no log-prefix="dns88" 

 6    chain=prerouting action=mark-connection new-connection-mark=USA-Limited passthrough=yes protocol=udp 
      dst-address=8.8.8.8 dst-port=53 log=no log-prefix="dns88" 

 7    chain=prerouting action=mark-connection new-connection-mark=USA-Limited passthrough=yes protocol=tcp 
      dst-address=8.8.4.4 dst-port=53 log=no log-prefix="dns88" 

 8    chain=prerouting action=mark-connection new-connection-mark=USA-Limited passthrough=yes protocol=udp 
      dst-address=8.8.4.4 dst-port=53 log=no log-prefix="dns88" 

 9    chain=prerouting action=mark-connection new-connection-mark=USA-Limited passthrough=no protocol=tcp 
      src-address=192.168.3.10 dst-port=53 log=yes log-prefix="se" 

10    chain=prerouting action=mark-connection new-connection-mark=USA-Limited passthrough=yes protocol=tcp 
      layer7-protocol=USA-Limited-L7 dst-port=53 log=no log-prefix="" 

11    chain=prerouting action=mark-connection new-connection-mark=USA-Limited passthrough=no protocol=udp 
      src-address=192.168.3.10 dst-port=53 log=yes log-prefix="se" 

12    chain=prerouting action=mark-connection new-connection-mark=USA-Limited passthrough=yes protocol=udp 
      layer7-protocol=USA-Limited-L7 dst-port=53 log=no log-prefix="" 

13 XI  chain=prerouting action=mark-connection new-connection-mark=gameport passthrough=yes protocol=tcp 
      dst-port=5222-5228 log=no log-prefix="" 

14 XI  chain=prerouting action=mark-connection new-connection-mark=gameport passthrough=yes protocol=udp dst-port=17003 
      log=no log-prefix="" 

15 XI  ;;; Mitrais DNS
      chain=prerouting action=mark-routing new-routing-mark=via-Mitrais-VPN passthrough=yes protocol=tcp 
      layer7-protocol=Mitrais route dst-port=53 log=no log-prefix="" 

16 XI  chain=prerouting action=mark-routing new-routing-mark=via-Mitrais-VPN passthrough=yes protocol=udp 
      layer7-protocol=Mitrais route dst-port=53 log=no log-prefix="" 

17 XI  chain=prerouting action=mark-routing new-routing-mark=VPNBook-Routing passthrough=yes log=no lo

18 XI  chain=prerouting action=mark-connection new-connection-mark=Youtube-Conn passthrough=yes layer7
      log=no log-prefix="" 

19 XI  ;;; Cache HIT
      chain=output action=mark-packet new-packet-mark=cache-hits passthrough=no dscp=4 log=no log-pref

20    chain=prerouting action=mark-routing new-routing-mark=viaProxy passthrough=yes protocol=tcp 
      in-interface=bridge-local dst-port=80 log=no log-prefix="" 

21    chain=prerouting action=mark-routing new-routing-mark=viaProxy passthrough=yes protocol=tcp 
      in-interface=bridge-segment-3 dst-port=80 log=no log-prefix="" 

22 XI  chain=prerouting action=mark-routing new-routing-mark=viaProxy passthrough=yes protocol=tcp 
      in-interface=bridge-local dst-port=443 log=no log-prefix="" 

23 XI  chain=prerouting action=mark-routing new-routing-mark=viaProxy passthrough=yes protocol=tcp 
      in-interface=bridge-segment-3 dst-port=443 log=no log-prefix="" 

24    chain=prerouting action=mark-connection new-connection-mark=TProxy_Target passthrough=yes protoc
      log=no log-prefix=""

you have a:

;;; Forward LAN >> WAN
chain=forward action=accept out-interface=ether1-Public-1 log=no log-prefix=""

you need a:

;;; Forward LAN1 >> LAN2
chain=forward action=accept out-interface=LAN-1 log=no log-prefix=""

and

;;; Forward LAN2 >> LAN1
chain=forward action=accept out-interface=LAN-2 log=no log-prefix=""
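
Worked example, added here and not part of either post above: the same fix written as RouterOS commands against the interface names that actually appear in the poster's `/ip address print` (LAN1 = bridge-local, LAN2 = ether5-TO-DLINK-Bridge, WAN = ether1-Public-1; the thread's `LAN-1` / `LAN-2` names do not exist on this router), plus the port forward from the original question. It goes beyond the answer in one respect: each inter-LAN rule matches both `in-interface` and `out-interface`, so that the final `DROP FORWARD` rule keeps dropping anything arriving from the WAN. The web server address 192.168.3.10 is an assumption taken from the poster's disabled NAT rule 12; replace it with the real host.

```routeros
# Added example, not from the original thread.
# Assumed mapping (from the poster's /ip address print):
#   LAN1 = bridge-local            (192.168.2.0/24)
#   LAN2 = ether5-TO-DLINK-Bridge  (192.168.3.0/24)
#   WAN  = ether1-Public-1
# Assumed LAN2 web server: 192.168.3.10 (from the poster's disabled NAT rule 12).
# New forward rules are placed before the catch-all "DROP FORWARD" rule; the
# place-before lookup expects exactly one rule with that comment.

/ip firewall filter

# LAN1 <-> LAN2. Matching in-interface AND out-interface means a packet that
# entered on ether1-Public-1 and is routed toward a LAN never hits these
# accepts and still falls through to "DROP FORWARD".
add chain=forward action=accept \
    in-interface=bridge-local out-interface=ether5-TO-DLINK-Bridge \
    comment="Forward LAN1 >> LAN2" \
    place-before=[find comment~"^DROP FORWARD"]
add chain=forward action=accept \
    in-interface=ether5-TO-DLINK-Bridge out-interface=bridge-local \
    comment="Forward LAN2 >> LAN1" \
    place-before=[find comment~"^DROP FORWARD"]

# Port forward WAN:80 -> LAN2 web server.
# dst-nat only rewrites the destination; the translated connection still has
# to pass the forward chain, so a matching accept is required as well.
/ip firewall nat
add chain=dstnat action=dst-nat \
    in-interface=ether1-Public-1 protocol=tcp dst-port=80 \
    to-addresses=192.168.3.10 to-ports=80 \
    comment="WAN:80 >> LAN2 web"

/ip firewall filter
add chain=forward action=accept \
    connection-nat-state=dstnat in-interface=ether1-Public-1 \
    protocol=tcp dst-address=192.168.3.10 dst-port=80 \
    comment="Allow dst-nat WAN:80 >> LAN2 web" \
    place-before=[find comment~"^DROP FORWARD"]

# Check: the three new accepts must be listed above "DROP FORWARD".
/ip firewall filter print where chain=forward
```

After applying, test from a LAN1 host with `ping 192.168.3.1` (the router's LAN2 address) first, then a LAN2 host; a host that answers the router but not the other LAN is usually running its own host firewall that rejects off-subnet sources, which no router rule will fix. Note that the existing `DROP BOGON` rule sits below the `Forward LAN >> WAN` accept in the poster's list, so it never sees LAN-originated traffic; if it is meant to filter outbound destinations too, it has to move above that accept.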

Thanks, you saved my day.