RB 1100AHx2. Newbie: how to access the internet from all eth ports? I have one WAN

Hi

I have an RB 1100AHx2.

I have created a WAN on eth1 and it works; the router has downloaded an update.

Then I need to use the internet connection on all eth ports.
But I need to set a different LAN with a different subnet on every eth port.

For example:

eth1 WAN
eth2 LAN with DHCP from 192.168.1.10 to 192.168.1.200
eth3 LAN with DHCP from 192.168.2.10 to 192.168.2.200
eth4 LAN with DHCP from 192.168.3.10 to 192.168.3.200
… etc

I need to have internet access on all eth ports.

I'm in difficulty :frowning:

I have tried to create a DHCP server, a bridge for the LAN... but nothing works...

Where can I find a step-by-step tutorial for the WebFig interface?

Thanks!

This page should help you:
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration

If your srcnat rule is generic:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

then you should have no trouble creating as many LAN networks as you like. Just put an IP on each interface as in your example.
You will need to set up DHCP for each interface separately, as they are each a unique network.

If you want to block the LANs from talking to each other by default, but still let all of them surf, then a simple set of filter rules can do this:
/ip firewall filter
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward out-interface=ether1 action=accept
add chain=forward action=drop

If you wanted a special LAN to be granted access to all other LANs, then add this rule just before the action=drop rule above:
add chain=forward in-interface=ether5 action=accept

If you wanted ether4 to reach the lan of ether6:
add chain=forward in-interface=ether4 out-interface=ether6 action=accept

If you wanted ether6 to also be able to reach ether4:
add chain=forward in-interface=ether6 out-interface=ether4 action=accept

These are just some examples, of course.

Thank you! A very useful bunch of rules! I'll go and try!

I have a problem with the creation of a DHCP server for every eth port.

I have created a bridge "LAN", with some networks.

Then I have created one DHCP server on interface "LAN" (the bridge), with an IP pool of 192.168.1.10 - 192.168.1.200.
It is the only setup that lets me see the internet from the internal LAN.
You say to create a DHCP server for each interface, but WebFig stops me and says that it cannot create a new DHCP server on the same "interface" where I already have another DHCP server enabled.
So, now I can configure the RB with only one DHCP server that assigns IPs from 192.168.1.10 to 192.168.1.200 on all ports, but I cannot create a subnet for each port :frowning:

LAST QUESTION: inside my office LAN I have a little web server at IP 192.168.1.150. I have reserved the IP in DHCP Server - Leases.
I have a domain owncloud.mysite.com that points to the WAN IP.
So I know that I have to do port forwarding to let people access my web server from outside.
I have set an IP → Firewall → NAT rule with dstnat for port 80 and the server address, but then all web traffic (like when I type google.com) is forwarded to the internal web server at IP 192.168.1.150.

What do I have to do to give access to the web server only if someone types the correct domain?

If you use a bridge, then IP address / DHCP server / firewall rules apply to the bridge interface itself, and not the physical interfaces that are connected to the bridge. The DHCP configuration wizard should let you choose the interface and then give options that are suitable for that interface - but you do have to assign an IP address to the interface before it will work properly.

As for the NAT rule - make sure that the dstnat rule specifies in-interface=ether1 or dst-address=x.x.x.x (your public IP) - if you don’t do that, then outgoing connections will match as well, and that’s why you’re being redirected to the owncloud server.
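As an added example (not from the original reply), here is the dst-nat rule written the way the reply suggests, next to the generic srcnat rule quoted earlier in the thread. The server address 192.168.1.150 and the WAN port ether1 are taken from the question; the public IP 203.0.113.10 in the commented variant is an assumption, replace it with your real WAN address.

```routeros
# Generic source NAT: everything leaving the WAN port is masqueraded (rule from earlier in the thread)
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> internet"

# Port forward for the web server, restricted to packets that ARRIVE on the WAN port.
# Without in-interface=ether1 (or dst-address=<public IP>) the rule also matches the
# LAN clients' own outgoing connections to any host on port 80, which is exactly the
# symptom reported above: google.com ends up at 192.168.1.150.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.150 to-ports=80 comment="owncloud.mysite.com from WAN only"

# Equivalent match on the public address instead of the interface (203.0.113.10 is assumed):
# add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.150 to-ports=80
```

Two caveats the router cannot solve for you: dst-nat matches on IP address and port, not on the HTTP Host header, so "only if someone types the correct domain" has to be enforced by the web server's virtual-host configuration; and a LAN client that resolves owncloud.mysite.com to the public IP does not arrive on ether1, so it will not match this rule (that case needs either split DNS inside the LAN or a separate hairpin NAT pair). If you also use the default-drop forward chain from the first reply, remember that the forwarded connections enter on ether1 and must be accepted there before the final drop rule.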

Hi, I have solved something, thanks to all.
My subnets now don't see clients in other subnets. I have done this with the firewall, in this way:
(attachment: firewall-subnets.PNG)
But I have not obtained the ideal situation.

This is the "structure" that I need to obtain:
(attachment: net.png)
My actual problem is that I have only one DHCP server that manages IPs for all subnets (with a lot of problems*) and I have not set up the wifi access point to manage more than one subnet.

*For example, an Android device that connects to the wifi AP takes an IP outside the pool for the right subnet (for example an IP like 192.168.7.145).

Can you help me?

PS: how can I show you how I have set up the router? Are there some tools to export my settings and show them in this forum? So you know what settings I used...

Thanks a lot!

Your design requires that you not do any bridging or hardware switching between the ethernet interfaces.

In your drawing:
ether2 - master-port=none
ether3 - master-port=none

For vlan-capable WiFi, put VLAN interfaces on ether2:
/interface vlan
add name=wireless1 interface=ether2 vlan-id=11
add name=wireless2 interface=ether2 vlan-id=12
add name=wireless3 interface=ether2 vlan-id=13

Then
/ip address
add address=192.168.2.1/24 interface=ether3
add address=192.168.3.1/24 interface=ether4

add address=192.168.1.1/24 interface=wireless1
add address=192.168.5.1/24 interface=wireless5
# wireless5 must exist before this line runs: add it under /interface vlan like wireless1-3 above, or use one of those names

Basically, anywhere you want a separate LAN segment, make sure there’s no bridging or switching and just put an IP address and DHCP server instance on each interface.

If you want no communication between the LANs in general, just use an IP firewall filter forward chain like this:

  1. fasttrack-connection connection-state=established,related
  2. accept connection-state=established,related
  3. accept out-interface=ether1
  4. drop

If you want ether3 to be able to reach into all other lans, but nothing to be able to reach into ether3, then insert this rule before rule 4:
accept in-interface=ether3

If you want ether3 to be able to reach into ether4 and ether5 but nothing else, instead of the above rule, add these before rule 4:
accept in-interface=ether3 out-interface=ether4
accept in-interface=ether3 out-interface=ether5

I highly recommend using interfaces instead of IP ranges.
Whether you use IP ranges or interface names, though, the general idea is to make a default policy of DROP EVERYTHING and put the exceptions before this default. Otherwise, if you explicitly block 1->2, 1->3, 1->4, 1->5, 1->6, 2->1, 3->1, 4->1, 5->1, 6->1, 2->3, 2->4, 2->5, 2->6, 3->2, 4->2, ... this explodes to a huge list of combinations very quickly; note that I didn't even list all combinations above, just for 6 networks.
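Pulling the pieces of this thread together, the following is an added example (not posted by anyone in the thread) of a complete configuration for routed, isolated LANs: two on physical ports, two on VLAN sub-interfaces towards a VLAN-capable wifi AP, each with its own address, pool and DHCP server instance, the generic srcnat rule, and a forward chain with a default drop and the exceptions in front of it. Interface names, VLAN IDs, the 192.168.x.0/24 subnets and the pool ranges are assumptions modelled on the examples above. The `master-port=none` lines use the RouterOS 6 syntax discussed in the thread (on 6.41 and later the same effect is simply not putting the ports into any bridge). Two rules marked "added" are not in the thread: a drop of invalid connections, and an accept for port-forwarded connections arriving on ether1, which the default drop would otherwise block.

```routeros
# --- 1. Keep the LAN ports routed, not switched (RouterOS 6.40 and earlier syntax, assumed)
/interface ethernet
set ether3 master-port=none
set ether4 master-port=none

# --- 2. Tagged VLANs towards a VLAN-capable wifi AP on ether2 (VLAN IDs assumed)
/interface vlan
add name=wireless1 interface=ether2 vlan-id=11
add name=wireless2 interface=ether2 vlan-id=12

# --- 3. One address per LAN segment; the router is .1 in each (subnets assumed)
/ip address
add address=192.168.2.1/24 interface=ether3
add address=192.168.3.1/24 interface=ether4
add address=192.168.1.1/24 interface=wireless1
add address=192.168.4.1/24 interface=wireless2

# --- 4. One pool and one DHCP server instance per segment.
#        A DHCP server is bound to exactly one interface, which is why a single
#        server on a bridge cannot hand out different subnets per port.
/ip pool
add name=pool-ether3 ranges=192.168.2.10-192.168.2.200
add name=pool-ether4 ranges=192.168.3.10-192.168.3.200
add name=pool-wireless1 ranges=192.168.1.10-192.168.1.200
add name=pool-wireless2 ranges=192.168.4.10-192.168.4.200
/ip dhcp-server
add name=dhcp-ether3 interface=ether3 address-pool=pool-ether3 disabled=no
add name=dhcp-ether4 interface=ether4 address-pool=pool-ether4 disabled=no
add name=dhcp-wireless1 interface=wireless1 address-pool=pool-wireless1 disabled=no
add name=dhcp-wireless2 interface=wireless2 address-pool=pool-wireless2 disabled=no
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1

# --- 5. Generic source NAT on the WAN port (rule from earlier in the thread)
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# --- 6. Forward chain: allow replies, allow out to the internet, drop everything else.
#        Rules are evaluated top to bottom, first match wins, so every exception
#        must sit above the final drop.
/ip firewall filter
add chain=forward connection-state=established,related action=fasttrack-connection
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop comment="added: not in the thread"
add chain=forward out-interface=ether1 action=accept comment="any LAN -> internet"
add chain=forward in-interface=ether3 action=accept comment="ether3 may reach every other LAN; nothing may reach into ether3 unsolicited"
add chain=forward in-interface=wireless1 out-interface=ether4 action=accept comment="wifi VLAN 11 -> ether4 only"
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept comment="added: port-forwarded connections from the WAN"
add chain=forward action=drop comment="default: LANs are isolated from each other"
```

Handing out the router's own address as DNS server, as the `dns-server=` lines do, requires `/ip dns set allow-remote-requests=yes` and an input-chain rule that accepts DNS only from the LAN interfaces; the input chain that protects the router itself is outside what this thread covers and is not shown here. To check which rule a given flow hits, watch the packet counters in `/ip firewall filter print stats` while generating traffic from one LAN to another.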

Very clear!

You say not to do any bridging or switching...
I have followed some posts in this forum to create the "internet" connection and make it available for every client.

In the attachment you can see a good bunch of my settings.

What do I need to do with the WAN/Internet connection if I follow your directions for the subnets? I have a bridge; is it not necessary?