Gajaaa
July 19, 2011, 12:43pm
1
Hi,
First of all, I'm new to Mikrotik, so I need your help, guys.
My problem is (see the diagram): I want to give the hotspot clients (192.168.5.0/24) access to the intranet server (192.168.4.2/24). How do I do that?
Help me with step-by-step clues. A script is not necessary, but if you don't mind, I'd appreciate it.
Thanx
fewi
July 19, 2011, 2:03pm
2
They would automatically have access to that network, since both networks are directly connected to the router. If they don’t then there’s something specifically blocking it in your configuration.
Gajaaa
July 20, 2011, 1:52am
3
Sorry, I didn't give you complete info about my network, so I uploaded another picture with clearer information.
And these are my RB settings. I'm using PCC load balancing; all my traffic is heading to the INTERNET.
ping to 192.168.5.254 from 192.168.4.2 - CONNECTED
ping to 192.168.4.2 from 192.168.5.254 - DISCONNECTED
INTERFACE
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                TYPE    MTU    L2MTU   MAX-L2MTU
 0  R  ether-1-speedy      ether   1500   1524    1524
 1  R  ether-2-speedy      ether   1500   1524    1524
 2  R  ether-3-speedy      ether   1500   1524    1524
 3  R  ether-4-wired       ether   1500   1524    1524
 4  R  ether-5-wireless    ether   1500   1524    1524
IP ADDRESS
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK         INTERFACE
 0   192.168.1.2/24       192.168.1.0     ether-1-speedy
 1   192.168.2.2/24       192.168.2.0     ether-2-speedy
 2   192.168.3.2/24       192.168.3.0     ether-3-speedy
 3   192.168.4.1/24       192.168.4.0     ether-4-wired
 4   192.168.5.254/24     192.168.5.0     ether-5-wireless
Route Print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable ether-1-speedy check-gateway=ping distance=1 scope=30 target-scope=10
routing-mark=to_Ether-1-Speedy
1 A S dst-address=0.0.0.0/0 gateway=192.168.2.1 gateway-status=192.168.2.1 reachable ether-2-speedy check-gateway=ping distance=1 scope=30 target-scope=10
routing-mark=to_Ether-2-Speedy
2 A S dst-address=0.0.0.0/0 gateway=192.168.3.1 gateway-status=192.168.3.1 reachable ether-3-speedy check-gateway=ping distance=1 scope=30 target-scope=10
routing-mark=to_Ether-3-Speedy
3 A S dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable ether-1-speedy check-gateway=ping distance=1 scope=30 target-scope=10
4 S dst-address=0.0.0.0/0 gateway=192.168.2.1 gateway-status=192.168.2.1 reachable ether-2-speedy check-gateway=ping distance=2 scope=30 target-scope=10
5 S dst-address=0.0.0.0/0 gateway=192.168.3.1 gateway-status=192.168.3.1 reachable ether-3-speedy check-gateway=ping distance=3 scope=30 target-scope=10
6 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.2 gateway=ether-1-speedy gateway-status=ether-1-speedy reachable distance=0 scope=10
7 ADC dst-address=192.168.2.0/24 pref-src=192.168.2.2 gateway=ether-2-speedy gateway-status=ether-2-speedy reachable distance=0 scope=10
8 ADC dst-address=192.168.3.0/24 pref-src=192.168.3.2 gateway=ether-3-speedy gateway-status=ether-3-speedy reachable distance=0 scope=10
9 ADC dst-address=192.168.4.0/24 pref-src=192.168.4.1 gateway=ether-4-wired gateway-status=ether-4-wired reachable distance=0 scope=10
10 ADC dst-address=192.168.5.0/24 pref-src=192.168.5.254 gateway=ether-5-wireless gateway-status=ether-5-wireless reachable distance=0 scope=10
FIREWALL
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=ether-1-speedy new-connection-mark=Ether-1-Speedy_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=ether-2-speedy new-connection-mark=Ether-2-Speedy_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=ether-3-speedy new-connection-mark=Ether-3-Speedy_conn passthrough=yes
add action=mark-routing chain=output connection-mark=Ether-1-Speedy_conn disabled=no new-routing-mark=to_Ether-1-Speedy passthrough=yes
add action=mark-routing chain=output connection-mark=Ether-2-Speedy_conn disabled=no new-routing-mark=to_Ether-2-Speedy passthrough=yes
add action=mark-routing chain=output connection-mark=Ether-3-Speedy_conn disabled=no new-routing-mark=to_Ether-3-Speedy passthrough=yes
add action=accept chain=prerouting disabled=no dst-address=192.168.1.0/24 in-interface=ether-4-wired
add action=accept chain=prerouting disabled=no dst-address=192.168.2.0/24 in-interface=ether-4-wired
add action=accept chain=prerouting disabled=no dst-address=192.168.3.0/24 in-interface=ether-4-wired
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=ether-4-wired new-connection-mark=Ether-1-Speedy_conn passthrough=yes \
per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=ether-4-wired new-connection-mark=Ether-2-Speedy_conn passthrough=yes \
per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=ether-4-wired new-connection-mark=Ether-3-Speedy_conn passthrough=yes \
per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting connection-mark=Ether-1-Speedy_conn disabled=no in-interface=ether-4-wired new-routing-mark=to_Ether-1-Speedy passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Ether-2-Speedy_conn disabled=no in-interface=ether-4-wired new-routing-mark=to_Ether-2-Speedy passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Ether-3-Speedy_conn disabled=no in-interface=ether-4-wired new-routing-mark=to_Ether-3-Speedy passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=no out-interface=ether-1-speedy
add action=masquerade chain=srcnat disabled=no out-interface=ether-2-speedy
add action=masquerade chain=srcnat disabled=no out-interface=ether-3-speedy
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
fewi
July 20, 2011, 2:06am
4
Got it - that is simple to fix. Your PCC rules are overriding the normal routing that would occur between the two local networks on ether4 and ether5. All you have to do is exempt traffic between the two networks from PCC. This comes up a lot, I wish Mikrotik made this part of the PCC manual.
/ip firewall address-list
add list=local-networks address=192.168.4.0/24
add list=local-networks address=192.168.5.0/24
/ip firewall mangle
add chain=prerouting src-address-list=local-networks dst-address-list=local-networks action=accept
Then move that mangle rule above all the other mangle rules, so that it is listed first.
Edit: wrote it up as a wiki article with more complete explanations and examples at http://wiki.mikrotik.com/wiki/PCC_exemptions
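A complete version of the exemption described in the reply above, written here as an added example (it is not fewi's posted snippet and not taken from the wiki article). It uses the interface names and subnets from the config dump earlier in the thread; the `place-before=0` parameter on `add` and the `/ping ... src-address=` form are assumed to be available on a RouterOS v6 CLI.

```routeros
# Added example: exempt LAN-to-LAN traffic from the PCC marking rules.
# Subnets and interface names match the config posted above
# (192.168.4.0/24 on ether-4-wired, 192.168.5.0/24 on ether-5-wireless).
# Nothing here changes the existing PCC mark-connection / mark-routing rules.

/ip firewall address-list
add list=local-networks address=192.168.4.0/24 comment="wired LAN (ether-4-wired)"
add list=local-networks address=192.168.5.0/24 comment="hotspot LAN (ether-5-wireless)"

# The accept rule has to be evaluated before any mark-connection or
# mark-routing rule in prerouting, so it is inserted at position 0 instead
# of being appended. Traffic between the two LANs then leaves prerouting
# without a routing mark and is handled by the connected routes
# (192.168.4.0/24 and 192.168.5.0/24) in the main table, not by the
# 0.0.0.0/0 routes in the to_Ether-*-Speedy tables.
/ip firewall mangle
add chain=prerouting src-address-list=local-networks dst-address-list=local-networks \
    action=accept place-before=0 comment="PCC exemption: LAN to LAN"

# Check 1: the exemption shows up as item 0, above the PCC rules.
/ip firewall mangle print

# Check 2: the ping that failed in the post, sourced from the hotspot-side
# address of the router (RouterOS v6 ping syntax assumed).
/ping 192.168.4.2 src-address=192.168.5.254 count=3
```

Because the rule sits in the prerouting chain, it covers forwarded traffic in both directions: a hotspot client's packets to 192.168.4.2 and the server's replies both match the address lists and are accepted before the `per-connection-classifier` rules can mark the connection. If `/ip firewall mangle print` shows the rule anywhere other than item 0, move it with `/ip firewall mangle move` so it is listed first, as the reply says.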
Gajaaa
July 23, 2011, 3:43am
5
Thanx … got it , thank you so much.
virgin
July 23, 2011, 7:02am
6
I'm using a bridged network and now I want to migrate to a routed network.
Our server has an IP range of 203.xx.xx.35 to 203.xx.xx.94; with the bridged network our clients use 203.xx.xx.38, 39, 40, 47 up to 203.xx.xx.94 to connect to the internet.
Now I want client 10.10.1.10 to be able to access 203.xx.xx.65, client 10.10.1.12 to access 203.xx.xx.67, and client 10.10.1.15 to access 203.xx.xx.78.
How can I do this via routing?
Gajaaa
July 25, 2011, 1:30am
7
Please create your own post and give the necessary info like I did above. Thanx