Mask traffic from one network to another

Hello everybody.

I need some help. I got myself into a situation where I have a MikroTik RB3011UiAS with the configuration shown below:

# oct/19/2023 15:38:31 by RouterOS 7.3.1
# software id = 6FLE-AH4Y
#
# model = RB3011UiAS
# serial number = xxxxxxxx
/interface bridge
add name="lanbridge"
add name=dhcpbridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
/interface list
add name=local
add name=WAN
add name=LAN
/ip pool
add name=New-DHCP ranges=10.10.116.2-10.10.117.254
/ip dhcp-server
add address-pool=New-DHCP interface=dhcpbridge name=dhcp1 \
    server-address=10.10.116.1
/port
set 0 name=serial0
/interface bridge port
add bridge="lanbridge" interface=ether3
add bridge="lanbridge" interface=ether2
add bridge="lanbridge" interface=ether4
add bridge="lanbridge" interface=ether7
add bridge="lanbridge" interface=ether8
add bridge="lanbridge" interface=ether9
add bridge="lanbridge" interface=ether10
add bridge="lanbridge" interface=sfp1
add bridge=dhcpbridge interface=ether6 pvid=2 trusted=yes
/ip settings
set accept-source-route=yes
/ipv6 settings
set disable-ipv6=yes forward=no
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface="lanbridge" list=local
add interface=dhcpbridge list=local
add interface=WAN1 list=WAN
add interface="lanbridge" list=LAN
add interface=dhcpbridge list=LAN
/ip address
add address=xxx.xxx.xxx.xxx/xx comment=WAN interface=WAN1 network=\
    xxx.xxx.xxx.xxx
add address=10.10.15.150/22 comment=LAN interface="lanbridge" network=\
    10.10.12.0
add address=10.10.116.1/23 comment=New-LAN interface=dhcpbridge network=\
    10.10.116.0
/ip dhcp-server network
add address=10.10.116.0/23 dns-server=8.8.8.8,1.1.1.1 gateway=\
    10.10.116.1
/ip dns
set servers=8.8.8.8,1.1.1.1,10.10.15.1,10.10.15.6
/ip firewall filter
add action=accept chain=forward comment="Show fasttrack counters"
add action=accept chain=input comment=\
    "Defconf: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="Defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="LAN enable" in-interface-list=LAN
add action=accept chain=input comment="DNS 53/udp" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="DNS 53/tcp" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=\
    "Defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop all not in chains above" disabled=\
    yes
add action=fasttrack-connection chain=forward comment="Defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Defconf: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Defconf: drop invalid" \
    connection-state=invalid disabled=yes
/ip firewall mangle
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu out-interface=\
    all-ppp passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=src-nat chain=srcnat comment="Access to Internet from Local" \
    out-interface=WAN1 to-addresses=xxx.xxx.xxx.xxx
/ip firewall raw
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.xxx pref-src=0.0.0.0 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

What I need is to mask all traffic from network 10.10.116.0/23 to 10.10.12.0/22 so that it appears to come from the gw 10.10.15.150.
Yeah, I know how it looks, but that's what I've got: the previous admins used static addresses on all devices connected to that MikroTik, and the gw for that network is 10.10.15.150. There are some external IPs in this very network 10.10.12.0/22 to which I need to keep access.

Right now, assuming there's a printer with IP 10.10.12.190, I can ping it from network 10.10.116.0/23 and I can access its web interface without any problem.
But some services I can't access from network 10.10.116.0/23, and I think there are some rules on those services to accept traffic only from network 10.10.12.0/22.
And the cruellest part is that the network is in production now, and I can't just purge the whole configuration and start from scratch.

Any ideas?

I'm looking forward to answering any further questions.
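A concrete rule for what the post asks for, added here as an example and not part of the original post or the thread's replies. It assumes the configuration exactly as exported above (10.10.15.150/22 on lanbridge, 10.10.116.1/23 on dhcpbridge, one existing srcnat rule for WAN1 at position 0); the comment text and the `place-before=0` position are my choices:

```routeros
# Added example, not from the original post. Assumes the exported config above:
# 10.10.15.150/22 on lanbridge, 10.10.116.1/23 on dhcpbridge, and one existing
# srcnat rule (WAN1) at index 0. The comment and place-before=0 are my choices.
/ip firewall nat
add chain=srcnat action=src-nat place-before=0 \
    src-address=10.10.116.0/23 dst-address=10.10.12.0/22 \
    out-interface=lanbridge to-addresses=10.10.15.150 \
    comment="Present New-LAN hosts to the old LAN as 10.10.15.150"

# Check: from a 10.10.116.x host open a new connection to an old-LAN device
# (e.g. the printer's web page), then on the router:
/ip firewall nat print stats where comment~"New-LAN"
/ip firewall connection print where src-address~"^10.10.116." dst-address~"^10.10.12."
# The rule's packet counter should increase, and the connection entry's
# reply-dst-address should be 10.10.15.150:<port>, i.e. the old-LAN device
# is answering the router's own LAN address and conntrack maps it back.
```

Ordering is not critical here because the existing srcnat rule matches only `out-interface=WAN1`, but keeping the new rule first makes the intent obvious. Connections that already exist in the connection table when the rule is added (fasttracked ones included) keep their old mapping, so test with a fresh connection. Two things in the export that a practitioner would revisit in the same change window: the "drop invalid" rules and the final `input` drop are `disabled=yes`, so anything not matched earlier is accepted by the default policy, which leaves the router's own services reachable from WAN1; and `/ip settings set accept-source-route=yes` is rarely wanted on an edge router.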

Add a drop rule (forward) with src-address=10.10.116.0/23, dst-address=10.10.12.0/22 and in-interface=lanbridge? (I'm gambling.)

I can't follow the logic of that... Maybe more explanation?

The config lacks logic: you have a pvid port but no VLANs defined???
It appears you want two subnets; be advised you have only identified one subnet fully???
Instead of using two bridges, it's actually more normal to simply use
a. one bridge for one subnet and the majority of ports
b. a second subnet just for a single port

OP, what I prefer:
two VLANs, single bridge, bridge does no DHCP etc...
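What the reply above prefers, spelled out as an added example that is not part of the thread: one bridge with VLAN filtering, the two existing subnets on two VLAN interfaces, and the DHCP server bound to a VLAN interface rather than to the bridge. The VLAN IDs (10 and 20), the bridge and interface names, and the choice of ether6 as the lone access port for the new subnet are my assumptions; the addresses and the DHCP server name come from the exported config:

```routeros
# Added example, not from the thread. Assumptions: VLAN IDs 10 (old LAN,
# 10.10.12.0/22) and 20 (new LAN, 10.10.116.0/23) are arbitrary; ether6 is the
# single access port for the new LAN, the other ports stay on the old LAN.
# Apply from the serial console or a Safe Mode session: moving ports out of
# lanbridge/dhcpbridge drops your current connection.
/interface bridge
add name=bridge1 comment="vlan-filtering is switched on last, see bottom"

# Access ports: pvid tags untagged ingress frames into the right VLAN.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether7 pvid=10
add bridge=bridge1 interface=ether8 pvid=10
add bridge=bridge1 interface=ether9 pvid=10
add bridge=bridge1 interface=ether10 pvid=10
add bridge=bridge1 interface=sfp1 pvid=10
add bridge=bridge1 interface=ether6 pvid=20

# VLAN table: the bridge itself is a tagged member so the router can have
# an L3 interface in each VLAN.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 \
    untagged=ether2,ether3,ether4,ether7,ether8,ether9,ether10,sfp1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=20

# L3 interfaces live on the VLANs, not on the bridge.
/interface vlan
add interface=bridge1 name=vlan10-oldlan vlan-id=10
add interface=bridge1 name=vlan20-newlan vlan-id=20

/ip address
add address=10.10.15.150/22 comment=LAN interface=vlan10-oldlan
add address=10.10.116.1/23 comment=New-LAN interface=vlan20-newlan

# DHCP serves the new LAN from its VLAN interface (the bridge does no DHCP).
/ip dhcp-server
set dhcp1 interface=vlan20-newlan

# Firewall interface lists: replace the old bridge members with the VLANs.
/interface list member
add interface=vlan10-oldlan list=LAN
add interface=vlan20-newlan list=LAN
add interface=vlan10-oldlan list=local
add interface=vlan20-newlan list=local

# Only now enable filtering; doing it before the VLAN table is complete
# locks you out of the ports that are not yet listed.
/interface bridge
set bridge1 vlan-filtering=yes
```

Before running this the old `/interface bridge port`, `/ip address` and `/interface list member` entries for `lanbridge` and `dhcpbridge` have to be removed, otherwise the ports cannot be added to `bridge1` and the addresses would be duplicated. The firewall rules in the export match on the `LAN` and `local` lists rather than on bridge names, so they keep working once the VLAN interfaces are list members; the one rule that names an interface directly is the srcnat rule, and it references WAN1, which is untouched.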