Greetings !
I have 3 WANs:
At the current setup (all 3 WANs enabled) I can only open 1st one in my browser to check settings and info. I cannot open in browser 2nd one and I cannot open in winbox 3rd one. I have to disable 1st one to get to 2nd one, and both to get to 3rd one.
What do I need to add in main router to be able to open all 3 device’s settings ?
Thanks !
Blind guess without seeing your config:
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
You probably mark routing for different LAN devices and routing tables contain only default route, so other locally connected networks can not be found there. If not, see if you can find hidden hint in my post, about what to do next.
Thanks a lot, that worked !
EDIT:
Next problem:
How do I restrict access to web interface of the modems from guest networks subnets (3.x, 4x. etc.) and only allow from my network subnet (0.x) ?
Firewall is your friend. You can specifically block access from selected networks, you can do the whole thing in a way that you define what should be allowed and block the rest, many details can be done differently, depending on what you adready have, etc…
You could just add accept rules on top of your mangle rules for all your directly connected networks (subnets)
when in interface is your Bridge, your LAN in simple words…
So when you try to access any of the subnets 192.168.5.1, 192.168.2.1 or 192.168.3.1 from your computer, those accept rules will force the router to leave the mangles facility and use the main routing Table…
I think this is a better implementation…
I’m not sure I understood you correctly, I’ll describe in rough details my network structure:
192.168.0.x - My private network (via physical connections through LAN ports and WiFi across APs)
192.168.6.x - Network for my family, friends, etc (it’s Wi-Fi only via virtual WLANs across APs)
192.168.4.x - Guest network (it’s Wi-Fi only, via virtual WLANs across APs)
192.168.0.1 - main router
192.168.2.1 - vDSL modem
192.168.5.1 - Optics ONT
192.168.3.1 - Mikrotik LTE device
What to I need ?
With this:
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
I am now able to connect to wan devices settings but everyone from other 3 networks can also access it.
Thanks for your help !
Try my suggestion, as source address put the address you want to have access to the WAN routers, as dst address the WAN subnet, so you need this rule 2 more times for the other 2 WAN subnets… in interface add your LAN and action must be accept… these rules must be on top in the mangles list…
Or don’t. 
By which I mean that you’re looking in wrong place. You previously blocked access by accident. It can be fixed either by what I gave you or using the other way with exceptions for mangle rules. One or the other, both methods work. Which one is better, that’s a question, we can try to find some argument for or against each one.
But if you want to block something, it belongs in “/ip firewall filter”, chain=forward. It’s possible to achieve the same in “/ip firewall mangle”, if you basically apply the same mistake again, but only to some interfaces. But it’s not correct. What exactly you need to do with filter, again, it’s difficult to say without seeing what you have there now.
@sob my approach is simple, since he uses the mangles facility i think its better to fix the problem through mangles as well… Thats what i would do and thats why i suggest it…
I do not try to argue or show my solution as better…
This is what I have (enabled) in firewall:
# model = RouterBOARD 3011UiAS
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept establieshed,related" connection-state=\
established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established
add action=accept chain=input connection-state=related
/ip firewall mangle
add action=mark-connection chain=input comment="WAN_1 (288)" in-interface=\
"WAN1 (288-vdsl)-ether1" new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment="WAN_2 (434)" in-interface=\
"WAN2 (434-optics)-ether2" new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input comment="WAN_3 (TELE2)" in-interface=\
"WAN3 (Tele2)-ether8" new-connection-mark=WAN3_conn passthrough=yes
add action=mark-routing chain=output comment="WAN_1 (288)" connection-mark=\
WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="WAN_2 (434)" connection-mark=\
WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output comment="WAN_3 (TELE2)" connection-mark=\
WAN3_conn new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting comment=WAN2_288_ONLY \
connection-mark=no-mark in-interface=bridge new-connection-mark=\
WAN_1_ONLY passthrough=yes routing-mark="" src-address-list=WAN_1_ONLY
add action=mark-routing chain=prerouting comment=WAN2_288_ONLY \
connection-mark=WAN_1_ONLY in-interface=bridge new-routing-mark=\
WAN_1_ONLY passthrough=no
add action=mark-connection chain=prerouting comment=VLAN@288-vdsl \
dst-address-type=!local in-interface=guest-vlan new-connection-mark=\
WAN1_conn passthrough=yes
add action=mark-routing chain=prerouting comment=VLAN@288-vdsl \
connection-mark=WAN1_conn in-interface=guest-vlan new-routing-mark=\
to_WAN1 passthrough=yes
add action=mark-connection chain=prerouting comment=\
PRIVATE-GUEST-VLAN@288-vdsl dst-address-type=!local in-interface=\
private-guest-vlan new-connection-mark=WAN1_conn passthrough=yes
add action=mark-routing chain=prerouting comment=PRIVATE-GUEST-VLAN@288-vdsl \
connection-mark=WAN1_conn in-interface=private-guest-vlan \
new-routing-mark=to_WAN1 passthrough=yes
add action=mark-connection chain=prerouting comment="BRIDGE@(434-optics)" \
dst-address-type=!local in-interface=bridge new-connection-mark=WAN2_conn \
passthrough=yes
add action=mark-routing chain=prerouting comment="BRIDGE@(434-optics)" \
connection-mark=WAN2_conn in-interface=bridge new-routing-mark=to_WAN2 \
passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN@288 out-interface=\
"WAN1 (288-vdsl)-ether1"
add action=masquerade chain=srcnat comment=WAN@434 out-interface=\
"WAN2 (434-optics)-ether2"
add action=masquerade chain=srcnat comment=WAN@TELE2 out-interface=\
"WAN3 (Tele2)-ether8"
At the moment, WAN 3 is not used. (it’s usually used during the summer, along with WAN1 in PCC configuration, for more bandwidth).
Your current firewall filter allows everything. The only thing you block are packets with invalid state, which in this case doesn’t make anything more secure. Anyone from anywhere can establish new connections to anywhere else. Guests can access not only your other routers/modems, but also anything in main LAN. Even connections from outside would be possible if you’d have router connected directly to ISPs without other routers.
It wasn’t possible before, because when you marked routing for guests, only to_WAN1 routing table was used. I don’t know what’s there, I assume just one default route. So it didn’t work (they were not able to connect), but not because anything was blocked, but because those packets were sent to internet and therefore had no chance to reach destination (@Zacharias: I’m sure you understand that this is not proper way how to block something; my complaint about your method is not about using mangle rules instead of routing rules, that’s fine, but that the end result relies on this).
The simplest way would be only block access from guests to local networks, e.g.:
/ip firewall filter
add chain=forward in-interface=private-guest-vlan dst-address=192.168.0.0/16 action=drop
But better way would be to make real firewall, which means:
And similarly for input chain, now you allow everything, but do you really want guests to be able to connect to router (WinBox, WebFig, …)? Probably not, even if they don’t know password.
I did this for both “guest” networks and it works. Are there any downsides with this rule, oposite to going “real” firewall rules like you suggested ?
Thanks
It works, but everything else is still allowed. So for example if someone hacked your other routers/modems, they would be able to connect to any device in main LAN. It probably won’t happen, so it should be ok. But it doesn’t hurt to use more secure config.