Interconnect two subnets

Hello everyone,
I have set up my RouterBOARD (RB750Gr3) with two subnets (172.16.160.0/23 and 172.16.190.0/24). Both have internet access and everything is working as expected, but I need to have a Pi-hole server in the first subnet, e.g. at 172.16.160.5, so people in the second subnet (172.16.190.0/24) need access to it. I also have five access points in the second subnet (172.16.190.11 - 172.16.190.15) that I need to reach from the first subnet so I can manage them from anywhere.

Please advise; here is my configuration:

# jan/02/2025 09:05:11 by RouterOS 6.49.8
# software id = A4PX-PAXU
#
# model = RB750Gr3
# serial number = HF8090A499H
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=lan-16-pool ranges=172.16.160.50-172.16.161.254
add name=dhcp_pool5 ranges=172.16.190.50-172.16.190.254
/ip dhcp-server
add address-pool=lan-16-pool disabled=no interface=ether2 name=lan-16-dhcp
add address-pool=dhcp_pool5 disabled=no interface=ether3 name=lan-19-dhcp
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
/ip address
add address=172.16.160.1/23 interface=ether2 network=172.16.160.0
add address=172.16.190.1/24 interface=ether3 network=172.16.190.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.160.0/23 dns-server=172.16.160.1 gateway=172.16.160.1
add address=172.16.190.0/24 dns-server=172.16.190.1 gateway=172.16.190.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="enable interconnect lan subnets"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set www disabled=yes
/system clock
set time-zone-name=Africa/Cairo
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hi,

The two subnets should already be connected; you don't need the add action=accept chain=forward comment="enable interconnect lan subnets" rule.

You should be able to connect to the various devices in the other subnet.
There may be a couple of issues.

  1. You may be expecting to see these devices because they advertise themselves by some means.
    They will not show up across the network boundary.

But you should still be able to connect to their IP address.
If they use mDNS (maybe SSDP) to advertise, you could try the recent mDNS repeater functionality.

/ip dns
# v7-only feature (added in RouterOS 7.16); not available on 6.49.8
# interface list is comma-separated with no spaces
set mdns-repeat-ifaces=ether2,ether3

Another possibility is to have the DHCP server assign static IP addresses to the devices
(and then perhaps give them suitable static names in DNS).

  2. The devices may disallow being connected to from another subnet.
    In this case you could use source NAT rules to make your client look like it is in the device's network.

/ip firewall nat
# first LAN is a /23 in the OP's config (172.16.160.0/23), not a /24
add action=masquerade chain=srcnat comment="ether2 to ether3" \
    src-address=172.16.160.0/23 out-interface=ether3
add action=masquerade chain=srcnat comment="ether3 to ether2" \
    src-address=172.16.190.0/24 out-interface=ether2

Clearly the OP wants some degree of separation between the subnets and a way of accessing the APs for management.
I am of course leaning towards VLANs to do so.

Before going down any path, are these smart or dumb APs (brand and model)?
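Added example, not posted by anyone in this thread: a forward-chain policy that gives the two subnets only the access the original post asks for (LAN 190 to the Pi-hole for DNS, a management host to the APs, both LANs to the internet) and drops everything else between them, instead of the unconditional accept rule at the end of the OP's export. It keeps the OP's interface names and addresses (ether2 = 172.16.160.0/23, ether3 = 172.16.190.0/24, Pi-hole at 172.16.160.5, APs at 172.16.190.11-15). The admin workstation address 172.16.160.10 and the AP management ports (TCP 22, 80, 443) are assumptions, not details from the thread.

```routeros
# Added example; assumes the OP's interfaces and addresses from the export above.
# 172.16.160.10 (admin host) and ports 22/80/443 (AP management) are assumed.

/ip firewall address-list
add list=pihole address=172.16.160.5 comment="Pi-hole on ether2"
add list=aps address=172.16.190.11-172.16.190.15 comment="five APs on ether3"
add list=mgmt address=172.16.160.10 comment="assumed admin workstation"

/ip firewall filter
# Insert these after the defconf "drop all from WAN not DSTNATed" rule and
# remove the OP's catch-all "enable interconnect lan subnets" accept.
# The defconf fasttrack/established,related rules earlier in the chain
# already pass the reply half of every connection accepted here.
add chain=forward action=accept comment="LAN190 -> Pi-hole DNS (UDP)" \
    connection-state=new in-interface=ether3 dst-address-list=pihole \
    protocol=udp dst-port=53
add chain=forward action=accept comment="LAN190 -> Pi-hole DNS (TCP)" \
    connection-state=new in-interface=ether3 dst-address-list=pihole \
    protocol=tcp dst-port=53
add chain=forward action=accept comment="admin host -> AP management" \
    connection-state=new src-address-list=mgmt dst-address-list=aps \
    protocol=tcp dst-port=22,80,443
add chain=forward action=accept comment="admin host -> AP ping" \
    src-address-list=mgmt dst-address-list=aps protocol=icmp
add chain=forward action=accept comment="both LANs -> internet" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
# Final drop: anything not explicitly allowed above, including all other
# LAN-to-LAN traffic (and any future WAN dstnat, which would need its own accept).
add chain=forward action=drop comment="drop all other forward traffic"

/ip dhcp-server network
# Hand out the Pi-hole as the resolver; with the OP's current
# dns-server=172.16.x.1 the router forwards to 8.8.8.8 and the Pi-hole is never used.
set [find address=172.16.160.0/23] dns-server=172.16.160.5
set [find address=172.16.190.0/24] dns-server=172.16.160.5
```

Rule order matters in the forward chain: check it with `/ip firewall filter print` and use `/ip firewall filter move` if the new rules land after the final drop. This version deliberately does not source-NAT between the subnets, so the Pi-hole's query log and the APs' access logs show the real client address rather than the router's; the masquerade approach in the reply above is only needed if a device refuses off-subnet clients.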