I have an RB2011UiAS and so far I’m loving it. I have my ddns & hairpin scripts set up and working. I have eth1 (WAN) set up and eth2 configured as DHCP server and feeding into my switch, feeding out 192.168.1.x addresses. I also have an NVR that has its own switch and built-in DHCP server, which cannot be disabled and gives out 192.168.2.x addresses. What I would like to do is attach one of the ports on the NVR switch to an interface on my Mikrotik, say eth6, and be able to access the 192.168.2.x subnet that the NVR has from my local LAN (192.168.1.x). I know there could be a problem with that because I’d have two DHCP servers running on one LAN, but I’m not exactly sure how to make this happen. Any help would be greatly appreciated.
Remove the port from switch, leave it alone and use routing between those two networks. Or set firewall rules blocking the dhcp packets.
Sorry, I am using Winbox for management, and I’m unsure how to do either of those two things. I can’t remove the ether6 from the interfaces, it won’t let me.
Remove any master port set to that port. That releases the port from switch and connects it directly to cpu as independent interface. Then you can do on L2 or L3 whatever you need…
I understand, I think. On this model there are two masters, eth6 is one of them, but I did remove it from the bridge. Is that the correct method? But how do I direct traffic between the subnet that lives on eth2 (192.168.1.x) and eth6 (192.168.2.x)? I appreciate the patience.
So here is where I am now: removed eth6 from the bridge. I can ping the 192.168.2.1 gateway, but nothing else in that subnet ~ any suggestions?
Oh. It may stop ports 7-10 because their master has changed its role. In this case you should set port 7 as master of 8-10 and put it into the bridge instead of port 6. After that they will work like before and port 6 stays free. Then set a DHCP client on port 6, take care not to allow a default route from it, and try the access to the NVR. It may happen that it will not be able to route back to your network, but a masquerade firewall rule at that port should solve it.
It still doesn’t explain why I can ping the 192.168.2.1 from my 192.168.1.x network, but none of the other devices on the 192.168.2.x subnet. Do I need to add addresses to the ether6 interface or create additional routes? I just don’t get why I can ping one, but not the other ones. If I bypass the router and plug a laptop directly into the NVR switch I can access them all.
The .2.x network is probably trying to use the NVR as the default GW, so those hosts don’t know how to use your Mikrotik’s 192.168.2.x interface as a gateway to reach the .1.x network.
The easy fix is to put a srcnat rule:
/ip firewall nat add chain=srcnat out-interface=ether6 action=masquerade
This will allow .1.x hosts to reach .2.x hosts, but not the other way around.
If you need both ways, then the only thing to do is to see if you can add any static routes to your NVR.
In this scenario, you’ll want to set a static IP on the Mikrotik’s ether6 interface (no dhcp-client) so that it’s always the same - say 192.168.2.2/24 for example…
Then in the NVR, add a static route where the destination is 192.168.1.0/24 and the gateway = 192.168.2.2
In this scenario, you should make sure that your NAT rules don’t do anything to packets going between your LAN interface and ether6
It’s ok if the 2.x can’t get to the 1.x network, I’d rather the cameras on the 2.x network not have access out. But when I tried adding the masq to the out interface eth6 it didn’t work either.
Can you really not reconfigure the NVR? Bad thing… And what about connecting the WAN port of the NVR to one of the internal LAN ports of your network? Normally you should not need access to the cameras directly when you have an NVR…
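The one-way setup discussed in this thread (LAN can reach the cameras, cameras cannot initiate anything), written out as a RouterOS configuration. This is an added example, not posted by any participant. It assumes ether6 is already a standalone interface (no master port, not a bridge member), that 192.168.2.2 is a free address outside the NVR's DHCP pool, and that the drop rules are not preceded by a broader accept rule in the existing firewall.

```routeros
# Added example. Assumed values: 192.168.2.2 is unused on the NVR side,
# ether6 is standalone, LAN is 192.168.1.0/24 as described in the thread.

# Static address on the NVR-facing port instead of a DHCP client, so the
# router never learns a default route or DNS server from the NVR's DHCP.
/ip address add address=192.168.2.2/24 interface=ether6 comment="NVR camera net"

# Cameras use the NVR as their gateway and have no route back to
# 192.168.1.0/24. Masquerading makes LAN traffic appear to come from
# 192.168.2.2, which is on-link for them, so replies return to the router.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
    out-interface=ether6 action=masquerade comment="LAN to NVR net"

# Forward chain: allow replies to connections the LAN opened, then drop
# anything the camera network tries to initiate through the router
# (toward the LAN or the WAN).
/ip firewall filter add chain=forward in-interface=ether6 \
    connection-state=established,related action=accept \
    comment="NVR net: replies only"
/ip firewall filter add chain=forward in-interface=ether6 action=drop \
    comment="NVR net: no new connections out"

# Input chain: the same policy for traffic aimed at the router itself, so
# devices on the camera network cannot reach Winbox, SSH or DNS on it.
/ip firewall filter add chain=input in-interface=ether6 \
    connection-state=established,related action=accept \
    comment="NVR net: replies to router"
/ip firewall filter add chain=input in-interface=ether6 action=drop \
    comment="NVR net: no management access"

# Checks: the connected route must exist, and the masquerade counters
# should increase while a LAN host pings a camera.
/ip route print where dst-address=192.168.2.0/24
/ip firewall nat print stats
```

If the masquerade counters stay at zero, the traffic is being matched by an earlier NAT rule or is not leaving through ether6; `add` appends rules at the end of each chain, so move them up with `place-before` where the existing rule set requires it.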