I cannot route from mikrotik to my internal network.

Weeks ago I purchased a MikroTik hEX (RB750Gr3).

Port 1 is obviously connected to the internet. Ports 2 to 4 are connected to secondary routers to segment my internal network, and Port 5 is connected to a PC that I have set up as a server (security cameras and IPP).

Today I disabled the NAT on the secondary routers to avoid the annoying double NAT and also to have more control and visibility of who passes through the internal network.

But there seem to be some problems that personally are a pain in the ass. For example my MikroTik LAN is 192.168.8.0/29, one of my secondary networks is 192.168.2.0/27, and the server is located at 192.168.8.5.

From the MikroTik I can ping 192.168.8.5 BUT I CANNOT PING MY PC CONNECTED FROM THE SECONDARY ROUTER, THOUGH I HAVE CONFIGURED THE ROUTES.

And the weirdest thing of all is that after a while it pings and then after a while it kind of crashes again. I want the service to always be available and not to have that kind of thing.

Any ideas? I already tried using firewall rules and static routes.

Follow this:
http://forum.mikrotik.com/t/forum-rules/173010/1
and post your configuration.

You do not need a secondary router to segment your network.
Simply create as many VLANs as you need and attach them to the bridge:
  • one for home/trusted
  • one for servers
  • one for IoT
  • one for guests
  • etc.

You have four ports to distribute the VLANs.
If you need more ports to ensure all devices get internet, then use a managed switch where appropriate: send several VLANs down a single port to the managed switch, and then distribute more ports to devices from the switch as required.

Some things will help in your planning.
a. a network diagram
b. user requirements

  • identify all the devices/users including admin
  • identify the traffic they require to perform

Provide the config as requested, and then from the above, a coherent config can be developed.
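As an added example (not part of the reply above and not the OP's posted export), this is what the VLAN-per-segment layout the reply recommends could look like on the hEX, keeping the OP's own subnets and replacing the secondary routers with one bridge. VLAN IDs, interface names, the DHCP pool range and the inter-VLAN firewall policy are assumptions.

```routeros
# Added example (not the reply's or OP's config): one VLAN per segment on the
# single bridge in place of the secondary routers. VLAN IDs, names and the
# DHCP range are assumed values; subnets are the OP's.
/interface bridge
add name=bridge vlan-filtering=no
# Access ports: each port carries one untagged VLAN (its pvid)
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 comment=home
add bridge=bridge interface=ether3 pvid=20 comment=office
add bridge=bridge interface=ether4 pvid=30 comment=brother
add bridge=bridge interface=ether5 pvid=40 comment=servers
# VLAN table: untagged on its access port, tagged towards the router CPU
/interface bridge vlan
add bridge=bridge vlan-ids=10 untagged=ether2 tagged=bridge
add bridge=bridge vlan-ids=20 untagged=ether3 tagged=bridge
add bridge=bridge vlan-ids=30 untagged=ether4 tagged=bridge
add bridge=bridge vlan-ids=40 untagged=ether5 tagged=bridge
# One L3 interface per VLAN; the hEX itself is every segment's gateway
/interface vlan
add interface=bridge name=vlan10_home vlan-id=10
add interface=bridge name=vlan20_office vlan-id=20
add interface=bridge name=vlan30_brother vlan-id=30
add interface=bridge name=vlan40_servers vlan-id=40
/ip address
add address=192.168.2.1/26 interface=vlan10_home
add address=192.168.3.1/27 interface=vlan20_office
add address=192.168.4.1/26 interface=vlan30_brother
add address=192.168.8.1/29 interface=vlan40_servers
/interface list member
add interface=vlan10_home list=LAN
add interface=vlan20_office list=LAN
add interface=vlan30_brother list=LAN
add interface=vlan40_servers list=LAN
# DHCP for the home segment (repeat per client VLAN; servers stay static)
/ip pool
add name=pool_home ranges=192.168.2.10-192.168.2.60
/ip dhcp-server
add name=dhcp_home interface=vlan10_home address-pool=pool_home disabled=no
/ip dhcp-server network
add address=192.168.2.0/26 gateway=192.168.2.1 dns-server=192.168.2.1
# Inter-VLAN policy: every segment may reach the camera/IPP server host,
# everything else between segments is dropped (order matters: accept first)
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept in-interface-list=LAN dst-address=192.168.8.5
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN
# Turn filtering on last, so management access is not cut off half-way
/interface bridge
set bridge vlan-filtering=yes
```

With this layout the static routes towards the secondary routers and a blanket LAN-to-LAN accept rule are no longer needed, since the hEX routes between the VLANs itself; the TP-Link units would then only serve as access points.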

# oct/08/2024 16:21:02 by RouterOS 6.49.17
# software id = XXXX-XXXX
#
# model = RB750Gr3
# serial number = XXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf dhcp-snooping=yes \
    igmp-snooping=yes max-message-age=15s membership-interval=5m \
    multicast-querier=yes name=bridge priority=0 querier-interval=3m45s \
    startup-query-count=3 transmit-hold-count=5
/interface vlan
add interface=ether1 name=1_INTERNET_B_VID_XXXX vlan-id=XXXX
/interface ethernet switch port
set 0 default-vlan-id=XXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=bridge name=defconf
/interface bridge filter
add action=accept chain=forward in-interface=ether2 out-interface=ether2
add action=accept chain=forward in-interface=ether3 out-interface=ether3
add action=accept chain=forward in-interface=ether4 out-interface=ether4
add action=accept chain=forward in-interface=ether5 out-interface=ether5
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set arp-timeout=30m secure-redirects=no send-redirects=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.8.1/29 comment=defconf interface=bridge network=\
    192.168.8.0
/ip arp
add address=192.168.8.5 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.8.4 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.8.3 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.8.2 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add disabled=no interface=1_INTERNET_B_VID_XXXX use-peer-dns=no
/ip dhcp-server network
add address=192.168.8.0/29 comment=defconf dns-server=192.168.8.1 gateway=\
    192.168.8.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=2w max-concurrent-queries=200 \
    max-concurrent-tcp-sessions=50 query-server-timeout=3s \
    query-total-timeout=15s servers=9.9.9.9,149.112.112.9
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Accept all only brigde" \
    in-interface-list=LAN out-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=1_INTERNET_B_VID_XXXX
/ip route
add distance=1 dst-address=192.168.2.0/26 gateway=192.168.8.2
add distance=1 dst-address=192.168.3.0/27 gateway=192.168.8.3
add distance=1 dst-address=192.168.4.0/26 gateway=192.168.8.4
/ip service
set telnet disabled=yes
set www address=192.168.8.5/32,192.168.2.12/32
set winbox address=192.168.8.5/32,192.168.2.12/32
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
/routing rip
set redistribute-static=yes
/system clock
set time-zone-name=America/Lima
/system clock manual
set time-zone=-05:00
/system ntp client
set enabled=yes primary-ntp=168.181.126.108 server-dns-names=""
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=test11 filter-interface=bridge filter-ip-address=192.168.2.9/32 \
    filter-port=ipp,http

Let me explain the scenario. The MikroTik is replacing the router/modem provided by the fiber optic internet provider (sometimes they suck and don’t give you full control).

The LAN address of the MikroTik is 192.168.8.0/29, where the router address is 192.168.8.1. It is then connected to other routers to create other networks. 192.168.8.2 belongs to a TP-Link Archer C80 router that provides internet and Wi-Fi to my home; its LAN address is 192.168.2.0/26. Then there is a TP-Link Archer C58HP router for the office area, where there is a Wi-Fi security camera; it has the address 192.168.8.3 inside the MikroTik network and its LAN address is 192.168.3.0/27. Then another router has the LAN address 192.168.4.0/26 and within the MikroTik network it has 192.168.8.4; this one I have extended to my brother’s network at home. And finally 192.168.8.5 is reserved for a Linux computer that is receiving the recordings from the security cameras (RTSP) and is connected to a printer (IPP).

I have recently disabled the NAT function of the secondary routers so that they no longer do double NAT. But some strange things have happened, as I am going to show in the following screenshots.

Here I can ping my server normally.

But here it shows a timeout when pinging my PC (192.168.2.12).

Draw a diagram, as your network design is very confusing when you try to explain it…

a. Is the MikroTik connected to an upstream ISP router or modem?
b. Does the MikroTik get a public IP or a private IP from the upstream device?

Well, it’s going to sound kind of silly, but I think I figured out how to solve my problem. I remembered some of the theory from my networking course. It turns out that the “bridge” that MikroTik has is more thought out for connecting to other switches, access points, etc. But between routers, let’s say not at all, so I decided to remove the interfaces I use to connect to the other routers from the bridge. And yes, now it works normally.