What is the recommended way to set the router’s own static DNS A record (router.lan from the default config) when the router has two LAN interfaces/subnets? When I add its second LAN IP with the same DNS name, the problem is that the DNS reply responds with both IP addresses, but the communication between the two LAN interfaces/subnets is blocked using the firewall. So if the client only respects the first IP from the DNS reply, the communication fails. RouterOS does not seem to support true Split-Horizon DNS, so the only way seems to be to use different names, like router.lan1 for subnet 1 and router.lan2 for subnet 2?
What you would like is to have a DNS server that responds to queries coming from different sources (e.g. addresses, in your case interfaces) differently. (Or multiple DNS server instances.) You have quite correctly identified that Mikrotiks don’t support this.
Mikrotiks however have what’s called a weak host model (as do all Linuxes without heavily altered networking configuration). This means that the router is happy to respond on any of its addresses. So e.g. if you have one subnet (A) where the router is 192.168.88.1/24 and another (B) where it’s 192.168.90.1/24, devices on B can contact the router on 192.168.88.1 just fine.
So just provide one of the addresses to everyone. Now of course it has become a firewall question.
Simply allow access that you want based on interfaces. For SSH:
add chain=input action=accept protocol=tcp dst-port=22 in-interface=vlanA
add chain=input action=accept protocol=tcp dst-port=22 in-interface=vlanB
(You can of course use interface lists, etc.)
Note that this has nothing to do with blocking communication between subnets, so this works if you e.g. have:
add chain=forward action=drop in-interface=vlanA out-interface=vlanB
add chain=forward action=drop in-interface=vlanB out-interface=vlanA
or other forward rules in effect. (Not that I would agree that the examples for forward would be good practice, it’s just an illustration of the point.)
Hope this helps.
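The approach in the answer above, put together as one complete RouterOS configuration fragment. This is an added example, not code from the forum post: the interface names vlanA/vlanB and the addresses 192.168.88.1 and 192.168.90.1 are taken from the answer, while the interface list name lan-mgmt, the record TTL and the comments are assumptions made here.

```routeros
# Added example (not from the forum post). Assumed: vlanA carries 192.168.88.0/24,
# vlanB carries 192.168.90.0/24, and the interface list name "lan-mgmt" is ours.

# 1. One static A record for the router, pointing at a single address.
#    Clients in both subnets can reach it because the router answers on any of its
#    own addresses (weak host model), so no second record is needed.
/ip dns static
add name=router.lan address=192.168.88.1 ttl=1h

# 2. Group the LAN-facing interfaces so the input rules need one line per service,
#    not one line per interface.
/interface list
add name=lan-mgmt
/interface list member
add list=lan-mgmt interface=vlanA
add list=lan-mgmt interface=vlanB

# 3. Input chain: traffic addressed to the router itself. Match on the ingress
#    interface, never on dst-address, otherwise a client on vlanB talking to
#    192.168.88.1 would not match a rule written for 192.168.90.1.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to router-initiated traffic"
add chain=input action=accept in-interface-list=lan-mgmt protocol=udp dst-port=53 comment="DNS queries from LAN clients"
add chain=input action=accept in-interface-list=lan-mgmt protocol=tcp dst-port=53 comment="DNS over TCP (large replies)"
add chain=input action=accept in-interface-list=lan-mgmt protocol=tcp dst-port=22 comment="SSH to the router"
add chain=input action=drop in-interface-list=lan-mgmt comment="nothing else reaches the router from the LANs"

# 4. Forward chain: the router still refuses to route between the two subnets.
#    This does not affect the input rules above.
add chain=forward action=drop in-interface=vlanA out-interface=vlanB
add chain=forward action=drop in-interface=vlanB out-interface=vlanA
```

DNS has to be accepted on both interfaces because each client sends its queries to the gateway address of its own subnet, even though the record it gets back always points at 192.168.88.1. To check the result from a host on vlanB: resolving router.lan should return only 192.168.88.1, an SSH session to that address should open (it arrives with in-interface=vlanB and hits the input chain), and a connection to any host in 192.168.88.0/24 other than the router should be dropped by the forward rule.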
Thanks for the clarification, I completely missed the point that the router itself is still reachable from all subnets because of the input chain.