how to allow only registered MAC addresses to get an IP from DHCP or connect via LAN?

Hi,
I got a problem with static IP/MAC.
I have 3 WiFi access points with MAC filter connected via LAN to my MikroTik CCR1009, for about 40 allowed MACs filtered at the AP level.
The mikrotik acts as DHCP server for the whole network.
I have one bridge that covers eth2-5 and WAN on eth1.
Works well.

Now I would like to block the mikrotik to lease IP addresses to unregistered MAC addresses.
I did convert all MAC’s to static in the DHCP lease table.
But when I put the ARP rule in the DHCP settings, the bridge stops connecting to the WAN - no internet! WiFi devices do connect but then say “no internet” …
Setting ARP back to enabled, some devices do not link to the static registered address but open a new dynamic one beside the registered one.

I tried also setting ARP to reply-only in the interface table but no connection at all ..
Probably something is wrong in my WAN-LAN passage, but I cannot figure it out!
Thanks for any help!
Guido

DHCP server Address Pool = “static-only” ?

Yes.
pool is from .180 to .229
all DHCP leases are static.
ARP shows connections

If I put static-only on bridge and take my (MAC registered) phone WiFi connection, it does not work any more. As soon as it goes off, it cannot go on again: i.e. it connects, but says “cannot get an IP address”
Now the MAC of the phone is normally on the list.
Even more weird: if I switch back to the pool it gets a DC connection on a DIFFERENT number than the registered one and I have two times the same MAC on the list.

I also took the DC connection on the lease list, made it static and changed the IP from .195 to .185. When I switch wifi on the phone on, it comes up again as .195 in DC.
If I go to static-only, it does not connect any more.
By the way in ARP a D line with MAC and .195 remains on also if I switch the phone off. Coming back it stays there and does not connect as long as static-only is on the DHCP bridge line

I’m confused. It’s probably me needing very clear information. Sorry for the many questions.

But when I put the ARP rule in the DHCP settings

Is this setting “Add ARP for Leases” in the DHCP server ?

the bridge stops connecting to the WAN

Don’t get it. How is your connection to the WAN set up? Routing+NAT via a non bridged interface with DHCP client? No ??

Setting ARP back to enabled some devices do not link to the static registered address but open a new dynamic one on side of the registered one ----

“Enabled” is an ARP setting of the interface, not the DHCP server this time
That might be the real problem … static MAC addresses are not used/recognised for some reason.

I tried also setting ARP to reply-only in the interface table but no connection at all

“Reply-only” is again an ARP setting of an interface (the bridge). Want to control the DHCP no? Or do you want to allow traffic via ARP entries?

ARP shows connections

ARP shows ARP table entries, not DHCP leases nor connections (wifi registrations). Check the list you want to use. Should be the DHCP lease list for DHCP.

If I put static-only on bridge

Static-only should be on the DHCP server, not on the bridge (I found no such thing on the bridge). Where did you find this?

if I switch back to the pool it gets a DC connection on a DIFFERENT number than the registered one and I have two times the same MAC on the list.

Sounds like something is different in your static entry for the MAC address, therefore you just get a dynamic IP address.

Registered one

You mean your ARP entry again, or the DHCP lease, or the wifi registered entry ???

Please do not mix interface settings for ARP, DHCP server settings and wifi access-list settings. You should only tweak the DHCP server to be static-only as pool. That static pool is the DHCP lease table. Reply-only ARP entries come only after you have the DHCP correct, if you still need this.
One thing that is known to sometimes interfere with the DHCP server on a bridge is the STP (spanning tree protocol) protocol mode of the bridge. To exclude that one, set the STP protocol mode to “none” on the bridge. By default it is in RSTP.

I think that I am making some mess, probably because I still do not understand well how LAN links to WAN.

Just to make clear my actual settings:
Interfaces:
eth1 renamed WLAN1 on Ethernet
bridge1 → bridge
eth2 to 5 → ethernet
eth6 → ethernet
eth7 → ethernet

Interface List:
all LAN except WLAN1 (eth1) on WAN

rest default settings


Bridge:
bridge1 with ARP enabled, STP I changed from RSTP to NONE, status root bridge


in IP
→ addresses: 0.254/24 on eth2 (to get 0.254 for the router LAN side. Actually I do not understand it well; I originally used only the eth2 port with no bridge for the whole LAN. But it would not bridge to the WAN port, so I put a bridge to connect eth2-5 and am using all these ports. I would prefer to give a specific IP to each port, but don’t know how to do it. Should I put bridge1 in the address field here?
→ similarly I did configure eth7 on a second LAN with .1.0/24, with a bridge2 setting … (talks to WAN ok, I would like in the future figure out a way to be able to see it from a specific client from the bridge1 side, but for now this has to wait.)

DHCP SERVER
→ DHCP → dhcp1/ bridge1/ ARP static only
→ DHCP lease: enabled –> sees all attached devices and gives new IPs; change to all_static: remains connected to the active devices but stops giving out IPs to a newly connected one such as the cellphone, also having the cellphone’s MAC in the static DHCP lease table …

→ dhcp address pool from .180-.229


The cabled LAN client computer (fixed .0.2 IP) goes on internet ok with all_static in the DHCP server. But when I try to connect the cellphone via DHCP, it does not get the IP address.
When I switch back from DHCP-SERVER --> ARP static only to ARP enabled it gets a dynamic IP .195 (in the pool) and not the .183 that is in the static lease table. The weird thing is that it gets ALWAYS .195, also after reboot, as a dynamic IP. If I cancel the line, it makes a new dynamic entry on .195!


How is your connection to the WAN set up? Routing+NAT via a non bridged interface with DHCP client? No ??
–>mmm .. here you got me. I tried something but it did not work so all back to default. At this point:
WAN is on eth1 as default,
no NAT rules for now
in the bridges table WAN appears as disabled but since it was working I did not touch anything for now …

Setting ARP back to enabled some devices do not link to the static registered address but open a new dynamic one on side of the registered one ----
“Enabled” is an ARP setting of the interface, not the DHCP server this time
–>OK, all back to enabled for now.

That might be the real problem … static MAC addresses are not used/recognised for some reason.
I tried also setting ARP to reply-only in the interface table but no connection at all
“Reply-only” is again an ARP setting of an interface (the bridge). Want to control the DHCP no? Or do you want to allow traffic via ARP entries?

The idea is to assign specific IPs to specific MACs for devices linked to the LAN which do not allow a static IP (certain videocams specifically). This gives me the possibility to reach them through NAT from the outside directly.

Static-only should be on the DHCP server - OK
, not on the bridge (I found no such thing on the bridge) Where did you find this? → was an error, I actually tried to put relay-only.

if I switch back to the pool it gets a DC connection on DIFFERENT numer as the registered one and I have two times the same MAC on the list.
Sounds like something is different in your static entry for the MAC address, therefore you just get a dynamic IP address.

Please do not mix interface settings for ARP, DHCP server settings and wifi access-list settings. You should only tweak the DHCP server to be static-only as pool. That static pool is the DHCP lease table. Reply-only ARP entries come only after you have the DHCP correct, if you still need this.
→ in fact I tried to make static the ARP entries which I had already made static in the DHCP table, but it was a mess.

One thing that is known to sometimes interfere with the DHCP server on a bridge is the STP (spanning tree protocol) protocol mode of the bridge. To exclude that one, set the STP protocol mode to “none” on the bridge. By default it is in RSTP.

I put STP … now LAN–>WAN remains connected also if I put static-only on the DHCP table, but still the cellphone connects in its strange way.

Excuse me - I understand that I am mixing up a lot of things, but up to now I used only D-Links as routers and APs and do not know all the tricks of the real thing. I switched to a real router as the data flow just could not be handled any more with my general public style devices. I have about 30 domotic devices (all with DHCP) and 10 cams (4 with dynamic IP) running on the system …

Hi Guido, this might take some steps to clean up. I’ll be back to assist where needed (and with many more questions).

Just one general remark: to do what you want around only giving specific IP addresses to your known devices, is very easy. You only have to set “static-only” in the DHCP server, and make a list of static leases. There is NO ARP manipulation or ARP table setting or ARP settings on interfaces involved, and the DHCP relay is not used.

Only this: DHCP address pool on “static-only”. Don’t touch the ARP settings, leave them all on their default.

https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#General
And one more: the IP address for ether2 should be on the bridge, not on ether2 (as ether2 now is a slave interface or bridge port)

Thanks very much!

So I cleared some stuff.
At this point:

bridge1 → eth2, eth3, eth4, eth5
bridge2 → eth7

IP → addresses → x1.x2.0.254/24 / .0.0 / bridge1
→ y1.y2.0.254/16 / .0.0 / bridge2
→ 192.168.0.100/24 / 192.168.0.0 / WLAN1 (eth1 is set as DC 192.168.0.100 connected to the internal 192.168.0.1 port of the ISP router with IP from the DHCP of the ISP modem)

IP → DHCP → bridge1 → static-only
bridge2 → dhcp_pool2

IP → Pool → dhcp_pool1 → (not used)
dhcp_pool2 → y1.y2.1.002-y1.y2.1.220

IP → Routes →

As the problem was with the cellphone, which is enabled on all 4 APs’ MAC filters, but does only connect as DC and not as S, I did put a static address outside the pool range in it and this seems to work now :smiley:

For the routes table I am studying the book, is still a mess, but it works so one thing at a time … :slight_smile:
Thanks very much

Ok Guido, well done.

More questions: your x1.x2 and y1.y2 are supposed to be private IP addresses (these are normally not public IP addresses you have registered and paid for).
This list of IP addresses is well known (10, 172.16, 192.168). I hope your x1.x2 and y1.y2 are NOT 192.168, because then we have a conflict with the WAN interface.

(Just a little detail if you are studying MKT docs: “WLAN1” is the default name for the wifi/wireless interface. The name has absolutely no influence but it might be confusing.)

The connection between eth1 (WLAN1) , bridge1 and bridge2 is via routing. This needs different and non-overlapping subnets.
eth1: 192.168.0.0/24
bridge1 x1.x2.0.0/24
bridge2 y1.y2.0.0/16

Normally eth1 will have a DHCP client, that will set the address (192.168.0.100) and the default route and default DNS
If using static IP, don’t forget to set the default route (route 0.0.0.0/0 gateway 192.168.0.1) and the DNS server yourselves.
This subnet cannot be part of the LAN side. So x1.x2 and y1.y2 cannot be 192.168.

As the ISP router does not know about y1.y2 and x1.x2 as far as I know, we have to use NAT (masquerading) for all traffic going out the MKT WAN port. This way only 192.168.0.100 is used with the ISP router.

If the default firewall rules are still there, then this existing rule solves all this. It will do masquerade for all traffic going out the WAN interface list.
eth1/WLAN1 must be member of the WAN interface list
bridge1, bridge2 and ether8 should be member of the LAN interface list
as both lists are used in the default config in several places


Or in “terminal” export style … (taken from a default config)

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN



Between bridge1, bridge2 and eth8 we have routing without NAT. But x1.x2 and y1.y2 cannot be equal or overlap.

Thanks a lot!

  • so first I changed WLAN1 to eth1-WAN.

  • x and y are private internal IPs and not overlapping and not in 192.168.0.0/16 - (actually here I have a problem: as most new devices come with a 192.168.0.0/16 configuration, i.e. anything between 0 and 254 in the 3rd and 4th position, when I want to configure them the system is not seeing them. Now I plug them in a dynamic IP client portable computer, and change the IP to a network IP of mine, unplug and plug it to the network. But this is lousy, so I am looking for a way to see the reset IP of new devices in the 192.168.0.1-192.168.254.254 range from my network. I thought of putting 192.168.0.0/16 on port eth7, but that goes in conflict).

  • now DHCP devices have their MAC-IP table and link well, it works. Unknown devices link in the free IP space of the pool (I have 5 or 6 free in the 180-229 range). As numbers under 180 and over 230 are already taken and to avoid to have to reconfigure the devices, is there a way to split the pool? DHCP server allows for only one pool in the slot and I cannot add a second dhcp server on the bridge1.

So good.

Now to routing. First, I made a mess: finding eth1-WAN in the bridge → ports list as inactive. I found that was weird and activated it and — no internet any more! Going around in the forum and mikrotik papers I found that the problem was that activating eth1-WAN in the bridge it became a Slave and slave ports cannot link outside. I inactivated it back and could see my 192.168.0.1 ISP modem again!

My routes list has six entries:
DAC / x1.x2.0.0/24 / bridge1 reachable / x1.x2.0.254
DAC / y1.y2.0.0/16 / bridge2 reachable / y1.y2.0.254
DAC / 192.168.0.0/24 / eth1-WAN reachable / 192.168.0.101
and that I understand
but then there are
AS / 0.0.0.0/0 / 192.168.0.1 reachable eth1-WAN / -
S / 0.0.0.0/0 / eth1-reachable / 192.168.0.100
DS/ 0.0.0.0/0 / 192.168.0.1 reachable eth1-WAN / -
The last DS entry is really strange … but I cannot work on it as it is classified dynamic.
the one before, static only, probably is a leftover as it points to the .100 IP, which was the client number the eth1 had before from my ISP modem. Both are blue. Not connected. But I fear cancelling them, as last time internet contact stopped …

Normally eth1 will have a DHCP client, that will set the address (192.168.0.100) and the default route and default DNS
If using static IP , don’t forget to set the default route (route 0.0.0.0/0 gateway 192.168.0.1) and the DNS server yourselves
-In fact that was the problem when I tried to close DHCP from the ISP modem and set my WAN IP as static.

Now with this configuration, when I tried to ftp from x1.x2.0.2 to y1.y2.0.220 it worked well, I could download a file. But after exiting the ftp and switching off and on the connection, x does not ping y any more. Y pings x. nmap from x sees only the MKT interface at y1.y2.0.254. ARP shows the .220 as DC. ???
Both go to the net.


As for NAT there is only one default route there now. eth1-WAN is part of the WAN interface list and bridge 1 and bridge 2 of the LAN one. (I have no eth8 port on the CCR, but one combo and one SFP, which are left alone for now).

The NAT entry in Firewall is as you showed it, with only Action=masquerade, Chain=srcnat, OutInt=WAN entry.

Here I would like to configure my ISP modem as port-port mapping on the 192.168.0.101 and then configure all NAT rules on the MKT. src and dest are out and in ip/port or viceversa?

That’s all for now .. 2 Mikrotik books from amazon arrived today!
thanks and stay well
Guido

OK , clear now

thought of putting 192.168.0.0/16 on port eth7, but that goes in conflict).

Yes, part of that range is already on eth1-WAN. 192.168.0.0/24 is the first part of 192.168.0.0/16.
No overlapping subnets allowed.
You would normally use 192.168.x.0/24 as your local internal private subnets. I don’t know where you found “your” private IP addresses (Only 10.0.0.0/8 could be the source, as you want to use subnets as large as /16)
Your idea of having 192.168.0.0/16 as subnet to capture default IP addresses from new devices looks strange to me.


, is there a way to split the pool? DHCP server allows for only one pool in the slot and I cannot add a second dhcp server on the bridge1.

Yes one DHCP server, one pool is also what I find. But a pool can have multiple ranges. (Use that little down arrow to add more ranges at the right side of Addresses field, as many times as needed)
You even have “next pool” to extend the list.

from the wiki:

next-pool (name) - when address is acquired from pool that has no free addresses, and next-pool property is set to another pool, then next IP address will be acquired from next-pool
ranges (IP address) - IP address list of non-overlapping IP address ranges in form of: from1-to1,from2-to2,…,fromN-toN. For example, 10.0.0.1-10.0.0.27,10.0.0.32-10.0.0.47

activating eth1-WAN in the bridge it became a Slave and slave ports cannot link outside. I inactivated it back and could see my 192.168.0.1 ISP modem again!

Don’t add eth1 to bridge1 , unless you want ONE subnet from the ISP router, and in that case the Mikrotik router cannot have a DHCP server.
You either “bridge” (or switch as the other name) a network or you “route” between networks.
It’s not only the slave thing that hits you, you just connected everything on that bridge1 directly to the ISP router as one network (and a network with 2 conflicting DHCP servers)
You also lose the NAT, and the firewall protection.
To answer one of your older questions:
If you want different subnets on ether2 to ether5, just disconnect them from the bridge, and give them their own non-overlapping IP address and DHCP server and pool. The given IP address must be used as gateway address by the DHCP clients in that subnet. (There is no need for a bridge, e.g. you could do it without bridge2, as there is only one port used)

My routes list has six entries:
DAC / x1.x2.0.0/24 / bridge1 reachable / x1.x2.0.254
DAC / y1.y2.0.0/16 / bridge2 reachable / y1.y2.0.254
DAC / 192.168.0.0/24 / eth1-WAN reachable / 192.168.0.101
and that I understand
but then there are
AS / 0.0.0.0/0 / 192.168.0.1 reachable eth1-WAN / -
S / 0.0.0.0/0 / eth1-reachable / 192.168.0.100
DS/ 0.0.0.0/0 / 192.168.0.1 reachable eth1-WAN / -
The last DS entry is really strange … but I cannot work on it as it is classified dynamic.
the one before, static only, probably is a leftover as it points to the .100 IP, which was the client number the eth1 had before from my ISP modem. Both are blue. Not connected. But I fear cancelling them, as last time internet contact stopped …

Seems fairly correct. Probably some old static routes are in there, and they compete with the dynamic, (= obtained via DHCP/un-editable), routes. The static “S / 0.0.0.0/0 / eth1-reachable / 192.168.0.100” seems wrong, it’s not pointing to the correct gateway. The distance is a very important parameter to define which routes will be used, but you did not give that information.

Now with this configuration, when I tried to ftp from x1.x2.0.2 to y1.y2.0.220 it worked well, I could download a file. But after exiting the ftp and switching off and on the connection, x does not ping y any more. Y pings x. nmap from x sees only the MKT interface at y1.y2.0.254. ARP shows the .220 as DC. ???
Both go to the net.

ARP is not the tool to use to verify if something is working or not. An ARP entry is very dynamic, it is there a short while, after an ARP request has been sent out. If it is not there for an IP address, then an ARP request will automatically be sent out. Use “traceroute” to find the path of the routing. That route “DAC / y1.y2.0.0/16 / bridge2 reachable / y1.y2.0.254” should have been taken, with distance 0, so highest priority. Also the reverse route must be correct. That means that the client 220 should have picked up the IP address of bridge2 as its gateway, I think it was y1.y2.0.254. If things fail start pinging from the Mikrotik router. Potential problems are router priority (distances), and one of the clients not receiving the DHCP addresses, or receiving the wrongly defined values.

Here I would like to configure my ISP modem as port-port mapping on the 192.168.0.101 and then configure all NAT rules on the MKT. src and dest are out and in ip/port or viceversa?

What is the 192.168.0.101 ??? 1= ISP router, 100= Mikrotik router. Well the Mikrotik could use multiple addresses on its eth1, but this might not be necessary here. See the wiki for examples, like this: https://wiki.mikrotik.com/wiki/How_to_link_Public_addresses_to_Local_ones
You have double NAT in your setup. So you have to do this in the ISP router and in the Mikrotik router.
If you cannot work with double-NAT then either the ISP router or the Mikrotik must be used in bridge mode. Both scenarios need full access to the ISP router’s settings to have control as you like.

Here of course is another scenario possible, depending on your usage and security requirements. Let’s place 192.168.0.101 on the WAN side of the Mikrotik. Then all LAN devices can connect to it, but the 192.168.0.101 cannot connect to the LAN, except for what is allowed by explicit firewall rules. The ISP router will allow some access to 192.168.0.101 from Internet. This is one form of a DMZ setup. (It could also be in a separate branch of the LAN with firewall rules.)

Setting 192.168.0.1 to the WAN side could be done with an external switch or just … an internal software switch in the Mikrotik. (CCR1009 has no switch hardware https://i.mt.lv/cdn/rb_files/CCR1009-7G-1C-PC-180514153007.png. It’s also a very capable router)

  • make bridge Bridge_WAN
  • DHCP client on bridge Bridge_WAN
  • interface Bridge_WAN in the “WAN” interface list
  • interface eth1 port on bridge_WAN (disabling previous settings on eth1)
  • eth7 (or other free ethernet port) as port on bridge Bridge_WAN. Device 192.168.0.101 connected to this ethernet port
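The static-only DHCP setup recommended earlier in this thread, together with the multi-range pool just described, in RouterOS terminal export style. This is an added example, not the thread’s own configuration or a MikroTik-provided snippet: 10.10.0.0/24 is a constructed stand-in for the thread’s x1.x2.0.0/24, the MAC addresses are constructed placeholders, and bridge1, dhcp1 and the .180-.229 range are taken from the thread.

```routeros
# Added example (RouterOS terminal style). 10.10.0.0/24 stands in for the thread's
# x1.x2.0.0/24; the MAC addresses are constructed placeholders; bridge1/dhcp1 are the thread's names.

# A single pool may carry several non-overlapping ranges, so the existing .180-.229 block
# can be extended without renumbering any device (the "split pool" asked about above).
/ip pool
add name=dhcp_pool1 ranges=10.10.0.180-10.10.0.229,10.10.0.240-10.10.0.249

# Gateway and DNS handed to clients: the bridge address, because the router's LAN address
# belongs on bridge1 and not on a slave port such as ether2.
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.254 dns-server=10.10.0.254 comment="LAN on bridge1"

# The server itself. Mode 1: unknown MACs are served from the pool ranges above.
/ip dhcp-server
add name=dhcp1 interface=bridge1 address-pool=dhcp_pool1 lease-time=1d disabled=no

# One static lease per known MAC. A static address may sit outside the pool ranges;
# in the thread the phone only settled once its static address was outside the pool.
/ip dhcp-server lease
add server=dhcp1 mac-address=02:00:00:00:00:01 address=10.10.0.183 comment="phone (constructed MAC)"
add server=dhcp1 mac-address=02:00:00:00:00:40 address=10.10.0.40 comment="camera .40 (constructed MAC)"

# Mode 2: only MACs that have a static lease get an address; every other request is ignored.
# No ARP setting on the bridge, on the interfaces or in the server is involved in this.
/ip dhcp-server
set [find name=dhcp1] address-pool=static-only
```

/ip dhcp-server lease print shows the result: entries flagged D are dynamic and stop appearing once static-only is active, which is exactly the behaviour wanted for unregistered MACs.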

You would normally use 192.168.x.0/24 as your local internal private subnets. I don’t know where you found “your” private IP addresses (Only 10.0.0.0/8 could be the source, as you want to use subnets as large as /16)
→ my ISP router allows only to change 3rd and 4th IP values, so I have to maintain 192.168.0.0/16 for the connection ISP-router–>MKT. Since overlapping is not possible I have to use other numbers with the LAN. But that’s fine, since I already have other subnet numbers and don’t want to remap them all.

Your idea of having 192.168.0.0/16 as subnet to capture default IP addresses from new devices looks strange to me.
→ About all new devices come with a default address in the 192.168.0.0/16 range (f.e. a range extender has 192.168.1.1, another 192.168.1.10, a camera comes with 192.168.0.50, another with 192.168.0.10, the MKT with 192.168.88.1 …). These IPs are not recognized inside my LAN, in fact MKT connects via MAC, and other devices have their client apps, which use to be Windows … I have no Windows machine in my net, no Apple either, only Linux. Fortunately winbox runs under wine, that’s GREAT! So what I need is a way to find the new default devices with nmap, reach them and change IP to get them in my LAN.

split pool:
→ great, didn’t give attention to second line possibility!

–>Now I put eth1-WAN direct on eth1
eth2-eth5 on bridge 2
eth6 without a bridge
eth7 on bridge 2 – it’s only one port, but it works now. I can see ISP and internet as well as bridge1 from bridge2. I tried to connect direct, but stopped working. One thing I cannot understand: I can connect from a bridge1 computer x1.x2.0.2 to a bridge2 computer y1.y2.0.220 with ftp, but when I ping it or look up site nmap, no devices in bridge2 are visible from bridge1, but x1.x2.0.2 is visible from y1.y2.0.220 ???

To the routes list: so which can I cancel? I tried to leave the 3 DAC ones, but am not sure …
DAC routes have distance 0, the three others 1.
I now have one more to eth6, direct connected without bridge, and nothing attached to it for now; it gives DC / z1.z2.0.0/24 / eth6 unreachable / distance 255, which is correct.
Which should I cancel to clean up the stuff?


The MKT is now on .0.101 as I played with the ISP router trying if I could give a static IP to the MKT. When I went back to dynamic it stayed on 192.168.0.101
I did put the masquerade rule as you told me and got internet back. OK.

Now I need to access internal LAN devices from the outside. I normally used a NAT virtual server port forwarding scheme, so f.e. if I call the public IP:2000 it went to the internal camera x1.x2.0.40:service_port, if I call port 2001 it goes to camera on x1.x2.0.41:service_port and so on.
The best thing would be to make the ISP router just a stupid pass-through bridge, but I have to find out how to do this. Unfortunately the Huawei B315s I have servicing ISP access has poor configuration, not very logical. DHCP also for the LAN is sitting in the WLAN section; as I do not use the WiFi on this router it took some time to find it! For now I just put all my virtual server port forwarding rules in it as usual.
At this point I have also a DDNS running on the ISP router to give me a name address.

On the MKT I tried to add this rule
IP–>firewall–>NAT–>a. General–>Chain:dstnat / Protocol:6 tcp / dstport: 2000
b. Action → action: dstnat / To address: x1.x2.0.40 / to Port: 3000 (service_port set on the camera)
(excuse me, I made a screenshot but don’t know how to attach it …)

Then I tried to connect and probably there is the same bug that lets me connect from y-LAN to x-LAN but not vice versa.
When I start from the y1.y2.0.220 computer both the call to name_DDNS_address:2000 and ALL the calls to 192.168.0.101:2000, 0.254:2000 (not existing), 0.100:2000 (not existing) etc. went right through to the x1.x2.0.40:3000 camera.
But if I call name_DDNS_address or 192.168.0.101:2000 from the X-LAN x1.x2.0.2 computer, nothing connects !!!

So first probably it would be correct to just add all services in this way, right?
And then I have to figure out why y–>x and y–>192.168 works, but x–>y not. Strange also that from the x_LAN I can normally reach both 192.168.0.1 (ISP router) and 192.168.0.101 (MKT eth1 interface), but not the 192.168.0.220 computer or the port forwarding rule.



*************** ??? this I don’t get!
Setting 192.168.0.1 to the WAN side, could be done with an external switch or just … an internal software switch in the Mikrotik.(CCR1009 has no switch hardware https://i.mt.lv/cdn/rb_files/CCR1009-7G … 153007.png. It’s also a very capable router)

  • make bridge Bridge_WAN
  • DHCP client on bridge Bridge_WAN
  • interface Bridge_WAN in the “WAN” interface list
  • interface eth1 port on bridge_WAN (disabling previous settings on eth1)
  • eth7 (or other free ethernet port) as port on bridge Bridge_WAN. Device 192.168.0.101 connected to this ethernet port

What I usually do is set the 3rd parameter to some higher value (eg 250), and use 192.168.250.0/24 as WAN network connection. This leaves me quite some /24 or even /20 subnets for my LAN side. Then you could even use 192.168.0.0/17 as your broad subnet (192.168.0.0 till 192.168.127.255 as range), without overlap. You will catch most of the devices.
Using something else than the 192.168 / 172.16-31 / 10 official private IP ranges might give you some problems one day.

  • One thing I cannot understand: I can connect from a bridge1 computer x1.x2.0.2 to a bridge2 computer y1.y2.0.220 with ftp, but when I ping it or look up site nmap, no devices in bridge2 are visible from bridge1, but x1.x2.0.2 is visible from y1.y2.0.220 ???

Very strange. You can FTP to y1.y2.0.220 but cannot PING to the same device!!? Can you ping from the MKT itself (MKT PING tool).
Something in your firewall that denies access??? Are bridge1 and bridge2 both in the LAN interface list?
“nmap” not able to scan IP addresses and ports in y1.y2 ??? What do the firewall counters indicate?
The fact that you can FTP is extremely strange. (But ‘active’ FTP opens a connection in the reverse direction)
The fact that you can see it in the opposite direction points again to a non-LAN interface list membership. Default rules will deny forwarding in that case. (they use the interface lists)
Check your firewall for rules and also for NAT rules (e.g. dst-nat should only happen for WAN incoming connections)

To the routes list: so which can I cancel? I tried to leave the 3 DAC ones, but am not sure …
DAC routes have distance 0, the three others 1.
I now have one more to eth6, direct connected without bridge, and nothing attached to it for now; it gives DC / z1.z2.0.0/24 / eth6 unreachable / distance 255, which is correct.
Which should I cancel to clean up the stuff?

The D dynamic routes cannot be modified. They come from other actions like C= directly connected network, and S=static from DHCP
‘A’ means they are active
The second one, which is only S, can be removed.
The first one is when you don’t use DHCP and is the same as the DHCP route (=redundant, can be disabled or removed, or set to a higher distance)

The MKT is now on .0.101 as I played with the ISP router trying if I could give a static IP to the MKT. When I went back to dynamic it stayed on 192.168.0.101
I did put the masquerade rule as you told me and got internet back. OK.

OK. No second device. The ISP router will remember this value for the lease-timeout time
If nothing is in its lease table, it will honor the IP address proposal from the client if the IP address is free and in the allowed range.
This explains the 101 choice.

Now I need to access internal LAN devices from the outside. I normally used a NAT virtual server port forwarding scheme, so f.e. if I call the public IP:2000 it went to the internal camera x1.x2.0.40:service_port, if I call port 2001 it goes to camera on x1.x2.0.41:service_port and so on.
The best thing would be to make the ISP router just a stupid pass-through bridge, but I have to find out how to do this. Unfortunately the Huawei B315s I have servicing ISP access has poor configuration, not very logical. DHCP also for the LAN is sitting in the WLAN section; as I do not use the WiFi on this router it took some time to find it! For now I just put all my virtual server port forwarding rules in it as usual.
At this point I have also a DDNS running on the ISP router to give me a name address.

On the MKT I tried to add this rule
IP–>firewall–>NAT–>a. General–>Chain:dstnat / Protocol:6 tcp / dstport: 2000
b. Action → action: dstnat / To address: x1.x2.0.40 / to Port: 3000 (service_port set on the camera)
(excuse me, I made a screenshot but don’t know how to attach it …)

OK follow the wiki.mikrotik.com on how to set dstnat ports to forward packets to the destination IP and port needed.
Make sure to specify the incoming interface or interface list in those NAT rules!
I’ll have a check later on the B315s from Huawei, to find out what can be done. Simple home gateway devices sometimes have a simple “DMZ-host” definition forwarding just everything left undefined to that IP address. Having the B315s as bridge would be nice, and give the public IP address to eth1 on the MKT. But this is unlikely to be possible.

Just one extra hint: every Mikrotik device has a DDNS defined (IP cloud) for free.

Screen shots can be attached as attachments (tab below the submit button), and tick “place inline” if appropriate. Use some tool to trim the screenshot first and save it as a file (I use XnView). “Preview” will show you how it looks.

Then I tried to connect and probably there is the same bug that lets me connect from y-LAN to x-LAN but not vice versa.
When I start from the y1.y2.0.220 computer both the call to name_DDNS_address:2000 and ALL the calls to 192.168.0.101:2000, 0.254:2000 (not existing), 0.100:2000 (not existing) etc. went right through to the x1.x2.0.40:3000 camera.
But if I call name_DDNS_address or 192.168.0.101:2000 from the X-LAN x1.x2.0.2 computer, nothing connects !!!

Again I suspect that your dstnat rule is working where it should not.

So first, probably it would be correct to just add all services in this way, right?
And then I have to figure out why y→x and y→192.168 work, but x→y doesn't. Strange also that from the x-LAN I can normally reach both 192.168.0.1 (ISP router) and 192.168.0.101 (MKT eth1 interface), but not the 192.168.0.220 computer or the port forwarding rule.

You need HAIRPIN NAT if you want to use the WAN IP address from the LAN side with dstnat forwarding. Read the examples of HAIRPIN NAT in the wiki!
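As an added example (not configuration posted by anyone in this thread), here are the NAT rules that the advice above, and the later note about restricting the "nr 2" rules to the WAN interface or the destination address, come down to, in RouterOS v6 terminal syntax. Everything concrete is an assumption: the WAN port is ether1 with the static address 192.168.200.100 from the Huawei, the LAN is 10.0.0.0/8 on bridge1, and the camera x1.x2.0.40 is taken as 10.0.0.40 listening on tcp/3000. The unrestricted rule, commented out, is the shape of the rule that "works where it should not"; the three rules after it are the restricted forward plus the hairpin pair.

```routeros
# Added example, not from the thread. Assumed: WAN = ether1 (192.168.200.100/24, static),
# LAN = bridge1 (10.0.0.0/8), camera at 10.0.0.40:3000. Skip the list/member lines if they exist.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge1

# Too broad: matches ANY tcp/2000 entering the router, from any interface and for any
# destination, so a LAN host dialling 192.168.0.254:2000 also lands on the camera.
# /ip firewall nat add chain=dstnat protocol=tcp dst-port=2000 action=dst-nat to-addresses=10.0.0.40 to-ports=3000

# Restricted: only packets that arrive on WAN and are addressed to the router's own WAN address.
/ip firewall nat add chain=dstnat in-interface-list=WAN dst-address=192.168.200.100 \
    protocol=tcp dst-port=2000 action=dst-nat to-addresses=10.0.0.40 to-ports=3000 \
    comment="camera-40 from outside"

# Hairpin: LAN clients that use the WAN address. A second dstnat for traffic from LAN, plus a srcnat
# so the camera's reply goes back through the router instead of straight to the client (where the
# client would drop it, because it never talked to 10.0.0.40). dst-address here is already translated,
# since srcnat runs after dstnat and routing.
/ip firewall nat add chain=dstnat in-interface-list=LAN dst-address=192.168.200.100 \
    protocol=tcp dst-port=2000 action=dst-nat to-addresses=10.0.0.40 to-ports=3000 \
    comment="camera-40 hairpin"
/ip firewall nat add chain=srcnat src-address=10.0.0.0/8 dst-address=10.0.0.40 \
    protocol=tcp dst-port=3000 out-interface-list=LAN action=masquerade \
    comment="camera-40 hairpin masquerade"

# Ordinary outbound masquerade, listed after the hairpin srcnat so the more specific rule wins.
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade

# Check which rule a test connection hits, and whether the connection is really translated:
/ip firewall nat print stats
/ip firewall connection print where dst-address~"10.0.0.40"
```

With the first rule removed and the restricted ones in place, name_DDNS_address:2000 from outside, 192.168.200.100:2000 from the LAN, and nothing else, reach the camera; a counter that stays at zero in `print stats` tells you which path the traffic is not taking. One hairpin pair is needed per forwarded port.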

*************** ??? this I don’t get!
Setting 192.168.0.1 to the WAN side could be done with an external switch or just … an internal software switch in the Mikrotik. (CCR1009 has no switch hardware > https://i.mt.lv/cdn/rb_files/CCR1009-7G > … 153007.png. It's also a very capable router.)

  • make bridge Bridge_WAN
  • DHCP client on bridge Bridge_WAN
  • interface Bridge_WAN in the “WAN” interface list
  • interface eth1 as port on Bridge_WAN (disabling previous settings on eth1)
  • eth7 (or another free ethernet port) as port on bridge Bridge_WAN. Device 192.168.0.101 connected to this ethernet port

Forget this: I thought you had a server that needed to have public access. You don’t have this.

One final remark: the Internet will nmap scan your ports! You will not detect this (they do it slowly), but 'they' will know about your ports and port forwarding, and might abuse them.
Please consider using a VPN to your Mikrotik (with encryption and credential checks), and then access your cameras and devices through that VPN.
Mikrotik has many possible VPN protocols. Don't leave ports open to the internet if they are not secured by encrypted credentials.

What I found: the B315s does not have a switch mode. So you are stuck with the "Virtual Server" setting. Manuals are very short and Quick Setup style. Difficult to find out what exactly is under "DMZ setting". But hey, it might be what you are looking for … read between the lines, and send everything to the MKT.

8. Is DMZ Enabled on your Huawei B315s-22 router?
DMZ is an ‘open all ports’ rule. On most routers, this rule simply overrides port forwarding rules. You may want to disable DMZ and give it another go.

If you use "Virtual Server" you might limit the source IP address, to make it a little bit less open.
For these guys … (but the source IP address filter is maybe not in all models): https://openmyip.com/Huawei-B315s-22-router-setup
Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence.
https://www.theinvestigators.co.nz/news/shodan-the-scariest-search-engine-in-the-world/
(The search engine for people looking for "open" cameras etc.)

→ ok, the option to put the WAN from the Huawei to the MKT at 192.168.250.0/24 could be a good thing; that should work and leave me with enough third-octet values 0-127 for the inside (192.168.0.0/17) to get new devices. For the LAN there are the usual 10.x.x.x values, so I can leave them on bridge1 and use this for bridge2 or directly on eth6, to be used only for checking new devices.

→ I did not put in any NAT rules except the masquerade line you told me and the dst-nat rules to the internal ports. In fact the whole thing makes no sense at all; I cannot figure it out. Loopback from bridge2 to bridge1 works but not back, which is wrong, yet it works for the ftp server on bridge2 from bridge1, but not for ping or nmap, which is weird. As I told you, the only NAT rules are:

  1. action: masquerade / chain: srcnat / out-interface-list: WAN
  2. action: dst-nat / chain: dstnat / protocol: 6 (tcp) / dst-port: 2000 / to-addresses: (internal address) / to-ports: 3000
    ???

→ .0.101 yes. But now I will try to put the Huawei on .250.1 with a DHCP pool from .250.100 to .250.200. That way I will have to change the MKT IP address to 192.168.250.100. The prefix on the Huawei can be 24 at that point, and 192.168.0.0/17 on eth1-WAN of the MKT, right?

→ Just one extra hint: every Mikrotik device has a DDNS defined (IP cloud) for free. - great, I have one paid no-ip account, but a free cloud is great! I see it, it gives out its own DNS names, right? But for now I have a problem. I still have to work it out with the ISP, as I changed it lately; at this point I have a dynamic non-public IP, so it is not reachable from outside, and I cannot test the thing. This takes me to another point you addressed: making a VPN. This in effect would be the best way to go, now that I am working the whole net over. Surveillance is not so critical, so open ports have done well up to now, but putting it all on a VPN would be better. One question: if I configure a VPN on the mikrotik and reach it from a client from outside, can this resolve the non-publication of the IP, as you know? ISPs like Fastweb are NATting their nets and cannot give out dynamic public IPs (I don't have Fastweb, but the problem is widespread). Can I get around this with a VPN? I have no experience with VPNs …
IP filtering from outside would be a problem, as I also link to the surveillance cameras from my cellphone around the clock, and phones have no fixed IPs …
So the only solution is, as you say, a VPN.

For the Huawei at this point I would prefer for now a DMZ all-through solution, as 1. only one router should handle security (the MKT), 2. no devices other than the MKT will attach to this intermediate WAN with the Huawei, 3. I will probably switch to fiber soon, and at that point it should go directly to the SFP port anyway and the Huawei goes somewhere else.

So I have to do some work remapping the Huawei and eth1-WAN; will see if I succeed in messing it all up … :wink:

  1. I set up as you suggested, with 192.168.200.1 on the Huawei and DHCP giving .200.100 to the eth1 port.
    Then I put a 192.168.0.0/17 subnet on eth6.
    I changed all DHCP etc. numbers, but since internet failed, I went through the quick setup and everything started over again.
    Now I can ping bridge1, bridge2, eth6 and eth1, all of them. Fine.
    One question: in the quick setup winbox allows only one subnet, and it gives me by default the eth6 values of the 192.168.0.0/17 subnet. bridge1 and bridge2 are not visible. But it allows only one and it works, so I left it alone.

  2. I went into IP Cloud and activated DDNS; works, fine.

  3. Then I tried the VPN setup. VPN enabled in quick setup with the MKT DDNS (great) and usr/pwd.
    Then PPP, profile: in VPN profiles I put a new IP in the .200 subnet (.200.7) and as address "vpn" chosen from the pulldown menu, as DNS server the eth1 interface .200.100, and finally under secrets usr/pwd/default-encryption.
    First I tried to connect from the LAN side, from a smartphone connected to one of the APs on the bridge1 subnet (10.x.x.x, not 192.168.x.x).
    Does not connect.
    Then I tried to change the subnet for the VPN access IP (as suggested in a MKT tutorial), put it on 192.168.190.1. No connection. Stuck.

By the way, can I have two VPNs, one for inside and one through the router? To put one on a bridge1 IP and one from the outside on an eth1 IP?

Make sure your nr 2 NAT rules only work when they should; so you must specify the eth1 interface or the WAN interface list in those rules as a condition. Or even better, specify the destination address as a filter (see all of this, even the video: http://forum.mikrotik.com/t/hairpin-nat-routing/127862/1, but remember you have a static IP address (192.168.200.100), not a dynamic WAN as in the video, so you may stop at 3/4 of the video session; you don't need that DDNS address-list trick).

→ .0.101 yes. But now I will try to put the Huawei on .250.1 with a DHCP pool from .250.100 to .250.200. That way I will have to change the MKT IP address to 192.168.250.100. The prefix on the Huawei can be 24 at that point, and 192.168.0.0/17 on eth1-WAN of the MKT, right?

Yes. Even the DHCP on the MKT will change everything automatically. If you use a static IP on eth1, check the default route as well.

→ Just one extra hint: every Mikrotik device has a DDNS defined (IP cloud) for free. - great, I have one paid no-ip account, but a free cloud is great! I see it, it gives out its own DNS names, right? But for now I have a problem. I still have to work it out with the ISP, as I changed it lately; at this point I have a dynamic non-public IP, so it is not reachable from outside, and I cannot test the thing. This takes me to another point you addressed: making a VPN. This in effect would be the best way to go, now that I am working the whole net over. Surveillance is not so critical, so open ports have done well up to now, but putting it all on a VPN would be better. One question: if I configure a VPN on the mikrotik and reach it from a client from outside, can this resolve the non-publication of the IP, as you know? ISPs like Fastweb are NATting their nets and cannot give out dynamic public IPs (I don't have Fastweb, but the problem is widespread). Can I get around this with a VPN? I have no experience with VPNs …

Incoming connections are not possible with NAT444 or CGNAT subscriptions. This is even so with 4G modem connections to the Huawei or the MKT SXT LTE kit, or even satellite connections.

“Anything requiring incoming connections is broken. While this already was the case with regular NAT, end users could usually still set up port forwarding on their NAT router. CGNAT makes this impossible. This means no web servers can be hosted here, and IP Phones cannot receive incoming calls by default either.”
Info comes from: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

You are sitting deep in NAT; I even have an extra load-balancer layer for multiple connections.
The solution out of that is using "STUN, TURN and ICE: NAT traversal protocols". You can read a lot about this on the internet.
I prefer not to use a (paid) TURN service, but to run my own. The only thing I needed was a Mikrotik hAP Lite behind a single NAT modem (i.e. reachable via port forwarding).
Then I let the deeply hidden MKT make an SSTP VPN tunnel to that hAP Lite, using the MKT DDNS name of the hAP Lite. (SSTP has proven to be the fastest-recovering VPN when the load balancer shifts the connection.)
On the road I make a VPN to that hAP Lite, which leads me to the hidden MKT router. There I am in the LAN, as I use masquerade in the VPN, so everything else on the LAN is directly connected.
I travel with a little mAP Lite, but cannot guarantee to be reachable at all hotspots from the deeply NATted MKT. So then I use the mAP Lite to SSTP VPN to the hAP Lite.
The mAP Lite is the key device to have full access to the complex LAN from any hotspot in the world. (The hAP Lite @home is my TURN server.)
You might consider a public TURN server (TeamViewer, LogMeIn, GoToMyPC, etc., but it needs a bit of study to make the MKT connection).

IP filtering from outside would be a problem, as I also link to the surveillance cameras from my cellphone around the clock, and phones have no fixed IPs …
So the only solution is, as you say, a VPN.

Yes, the VPN connection is a LAN connection (actually you get an IP address from the LAN). From there you can do everything as if you were local.

For the Huawei at this point I would prefer for now a DMZ all-through solution, as 1. only one router should handle security (the MKT), 2. no devices other than the MKT will attach to this intermediate WAN with the Huawei, 3. I will probably switch to fiber soon, and at that point it should go directly to the SFP port anyway and the Huawei goes somewhere else.

So I have to do some work remapping the Huawei and eth1-WAN; will see if I succeed in messing it all up … > :wink:

DMZ seems logical choice.

Quick Setup is very good for the initial simple setup. You set what you can. Then you go to the other Winbox, WebFig or Terminal settings, but NEVER go back to Quick Setup. It might partly erase your detailed settings. Quick Setup is not made for a setup with even a little bit of complexity or customisation.

  1. Then I tried the VPN setup. VPN enabled in quick setup with the MKT DDNS (great) and usr/pwd.
    Then PPP, profile: in VPN profiles I put a new IP in the .200 subnet (.200.7) and as address "vpn" chosen from the pulldown menu, as DNS server the eth1 interface .200.100, and finally under secrets usr/pwd/default-encryption.
    First I tried to connect from the LAN side, from a smartphone connected to one of the APs on the bridge1 subnet (10.x.x.x, not 192.168.x.x).
    Does not connect.
    Then I tried to change the subnet for the VPN access IP (as suggested in a MKT tutorial), put it on 192.168.190.1. No connection. Stuck.

By the way, can I have two VPNs, one for inside and one through the router? To put one on a bridge1 IP and one from the outside on an eth1 IP?

I think you are confusing things. PPP on the WAN side is for connecting to the ISP via PPPoE. This is not the VPN you need. You are not the VPN server (you are NOT reachable through CGNAT), but the VPN client (you connect with the MKT router to a VPN server on the Internet).
The VPN you need is an extra virtual interface. It is just one extra LAN interface. Routing will be created automatically. The other side has to have the profile and IP addresses, and do the NAT masquerade.
Klembord-3.jpg
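As an added example (not the configuration of anyone in this thread), here is the two-router arrangement described a few posts up and summarised just above, in RouterOS v6 terminal syntax: a reachable hub (the hAP Lite behind a single NAT) runs the SSTP server, the CGNAT-hidden home router dials out to it as a client, and a roaming client dials in to the same hub and is routed on to the home LAN. Every name and address is an assumption: hub.example.sn.mynetname.net for the hub's IP Cloud name, tcp/443 forwarded to the hub, 10.99.0.0/24 for the tunnel addresses, 10.0.0.0/8 on bridge1 as the home LAN, and CHANGE-ME-* placeholders for secrets.

```routeros
# Added example, not config from the thread. Assumed: hub = hAP Lite behind one NAT with tcp/443
# forwarded to it and DDNS name hub.example.sn.mynetname.net; home = MKT behind CGNAT, LAN
# 10.0.0.0/8 on bridge1; tunnel addresses 10.99.0.0/24. Replace the CHANGE-ME-* passwords.

# ---------- on the hub (SSTP server) ----------
/certificate add name=hub-ca common-name=hub-ca key-usage=key-cert-sign,crl-sign
/certificate sign hub-ca
/certificate add name=hub-sstp common-name=hub.example.sn.mynetname.net
/certificate sign hub-sstp ca=hub-ca
/ip pool add name=sstp-pool ranges=10.99.0.10-10.99.0.50
/ppp profile add name=sstp-prof local-address=10.99.0.1 remote-address=sstp-pool use-encryption=yes
# The hidden router gets a fixed tunnel address and a route for its LAN that exists only
# while it is connected (the "routes" field: "dst gateway metric").
/ppp secret add name=home-mkt password=CHANGE-ME-home service=sstp profile=sstp-prof \
    remote-address=10.99.0.2 routes="10.0.0.0/8 10.99.0.2 1"
# The roaming client (phone, laptop or mAP Lite) takes a pool address; the hub forwards its
# 10.0.0.0/8 traffic over the route above. The client must send that traffic into its tunnel
# (e.g. default route via VPN), since SSTP pushes no routes.
/ppp secret add name=road password=CHANGE-ME-road service=sstp profile=sstp-prof
/interface sstp-server server set enabled=yes port=443 certificate=hub-sstp \
    authentication=mschap2 default-profile=sstp-prof
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=443 \
    action=accept place-before=0 comment="SSTP in"
# Export the CA so the home router can verify the hub instead of trusting any certificate.
/certificate export-certificate hub-ca

# ---------- on home (SSTP client: it dials OUT, so CGNAT does not matter) ----------
# After copying cert_export_hub-ca.crt from the hub (Files):
/certificate import file-name=cert_export_hub-ca.crt passphrase=""
/interface sstp-client add name=sstp-hub connect-to=hub.example.sn.mynetname.net:443 \
    user=home-mkt password=CHANGE-ME-home profile=default-encryption \
    add-default-route=no verify-server-certificate=yes disabled=no
# Masquerade tunnel traffic towards the LAN, so LAN hosts answer via this router even though
# none of them has a route back to 10.99.0.0/24 (this is the "masquerade in the VPN").
/ip firewall nat add chain=srcnat src-address=10.99.0.0/24 out-interface=bridge1 \
    action=masquerade comment="VPN to LAN"
/ip firewall filter add chain=input in-interface=sstp-hub action=accept place-before=0 \
    comment="management from VPN"

# ---------- checks ----------
# home: tunnel state and the address it received
/interface sstp-client monitor sstp-hub once
# hub: who is connected, and whether the route to the home LAN appeared
/ppp active print
/ip route print where gateway~"10.99.0.2"
```

The hub never needs to reach the home router's public address; the home router keeps the tunnel up from the inside, and the hub's `/ppp secret` route is what lets the roaming session find the home LAN. `verify-server-certificate=yes` with the imported CA is what makes the client refuse an impostor answering on the DDNS name; leaving it at `no` would make the password the only protection.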

Huhhh, lots of stuff, will study tomorrow. But the attached jpg says "You have no permission to see this file" …

You must be logged in to see attachments!?