I have an RB750 Gr hEX configured to provide communication between two subnets with different IP addresses (192.168.33.0/24, one of the company's VLANs, and 192.168.10.0/24, Ethernet devices). Checked in "lab" conditions (laptop - RB - Ethernet device), all works fine. If the RB is connected to VLAN 192.168.33.0 from the company's network, it is not detectable in Winbox, neither by MAC address nor by IP. Winbox is installed on a Windows 2016 Server in VLAN 192.168.0.0.
Current Configuration:
/ip address
add address=192.168.10.150/24 interface=ether3 network=192.168.10.0
add address=192.168.33.120/24 interface=ether2 network=192.168.33.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3
add action=dst-nat chain=dstnat in-interface=ether2 protocol=tcp to-addresses=192.168.10.125 to-ports=5000
What has to be done (added to the code) to make the communication possible?
You mention VLANs with IP addresses, which is not strictly correct: Ethernet VLANs may carry assorted IP subnets, but a VLAN itself does not have an IP address.
Winbox discovery will only display devices on directly attached networks, as the information is broadcast and so never routed to other subnets.
You have no routes specified in that configuration, so IP connections are only possible from devices with 192.168.10.0/24 or 192.168.33.0/24 addresses.
Dear tdw: I do not pretend I use the proper terms, and for sure you have a point. Further, I understand I have to specify routes to make it work, is that correct?
Dear mkx: this is the whole configuration:
model = RB750Gr3
serial number = CC210B4938EA
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.10.150/24 interface=ether3 network=192.168.10.0
add address=192.168.33.120/24 interface=ether2 network=192.168.33.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3
add action=dst-nat chain=dstnat in-interface=ether2 protocol=tcp to-addresses=192.168.10.125 to-ports=5000
And I can recall you helped me a lot (post name: Static IP address configuration), but as I said, it worked in the topology laptop - RB - Ethernet device, not in the network.
You probably won't be able to use MAC connections between a PC in subnet 192.168.0.0/24 and the RB in 192.168.33.0/24, because there's probably a router in between and MAC connectivity only works inside the same subnet. For IP access from the same remote host your RB lacks configuration of a default gateway, such as
The dst-address shown is an alias for "default"; you may want to narrow down the reachable subnets (or not).
Without setting a gateway your RB doesn't know how to return packets to the sender.
You may want to adjust the dst-nat rule … as it is now it might dst-nat just all TCP packets arriving at ether2 regardless of port number. You probably want to add dst-port=5000 to the rule (if you want to forward port 5000 to the internal server without a change of port number; in that case you can omit the to-ports property afterwards).
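The configuration mkx describes, assembled as one RouterOS script. This is an added example, not a post from the thread and not an export from the OP's router. It uses the addresses that appear later in the thread (router on ether2 at 192.168.33.101, VLAN 33 gateway at 192.168.33.120, management server in 192.168.0.0/24); the comment strings and the optional /ip service restriction are my additions. Two points the script makes explicit: the lab worked without any route only because masquerade on ether3 hides the laptop behind 192.168.10.150, so the Ethernet device never needed a return route; and the original dst-nat rule has no dst-port, so it matches every TCP packet entering ether2, which is why restricting it to the forwarded port is a functional fix as well as a hardening one.

```routeros
# Added example (not from the forum thread). Assumed addresses:
#   ether2 (company VLAN 33)   192.168.33.101/24, gateway 192.168.33.120
#   ether3 (Ethernet devices)  192.168.10.150/24, forwarded device 192.168.10.125
#   management hosts           192.168.0.0/24 (Winbox on 192.168.0.213)

/ip address
add address=192.168.33.101/24 interface=ether2 network=192.168.33.0 comment="company VLAN 33 (gateway .120, do not reuse)"
add address=192.168.10.150/24 interface=ether3 network=192.168.10.0 comment="Ethernet devices"

# Return path. Without a route the RB can only answer hosts inside its two
# directly connected subnets; a host on 192.168.0.0/24 gets no reply at all.
# dst-address=0.0.0.0/0 (default) would also work; listing only the management
# subnet limits which remote networks can reach the devices behind ether3.
/ip route
add dst-address=192.168.0.0/24 gateway=192.168.33.120 comment="management subnet via VLAN 33 gateway"

/ip firewall nat
# Original rule had no dst-port, so every TCP packet arriving on ether2 was
# rewritten to 192.168.10.125:5000. Match only the port being forwarded and
# only the RB's own VLAN 33 address; to-ports is omitted because the port
# does not change.
add chain=dstnat action=dst-nat in-interface=ether2 protocol=tcp dst-address=192.168.33.101 dst-port=5000 to-addresses=192.168.10.125 comment="forward TCP/5000 to device on ether3"
# Source NAT towards ether3: the device sees 192.168.10.150 as the client and
# needs no route back to VLAN 33 or to the management subnet.
add chain=srcnat action=masquerade out-interface=ether3 comment="hide sources behind ether3 address"

# Optional hardening (assumption, not discussed in the thread): only accept
# Winbox and WebFig from the management subnet and VLAN 33.
/ip service
set winbox address=192.168.0.0/24,192.168.33.0/24
set www address=192.168.0.0/24,192.168.33.0/24

# Checks to run on the RB after applying the script:
/ip route print             ;# the 192.168.0.0/24 route should be active (flag A)
/ip firewall nat print stats ;# dst-nat counter should grow only for TCP/5000 traffic
/ip service print           ;# winbox must be enabled and not restricted to the wrong subnet
```

If the management PC can ping 192.168.33.101 but Winbox still does not connect, compare the NAT counters before and after an attempt: with the original rule the winbox connection attempt itself is what gets rewritten to the device on ether3.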
After adding the ip route, i.e.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.33.120
(because this is the actual gateway address, not 192.168.33.1), it seems we are closer: I can ping 192.168.33.101. Please note I have changed the IP address of ether2, because it was the same as the real gateway address of VLAN 33:
/ip address
add address=192.168.33.101/24 interface=ether2 network=192.168.33.0
In the initial configuration I posted, this line was: add address=192.168.33.120/24 interface=ether2 network=192.168.33.0
As I said, now I am able to ping 192.168.33.101 from the server on 192.168.0.213, but still I cannot connect with Winbox.
OK, so IP routing between your management PC (192.168.0.213) and router (192.168.33.101) works; without it you wouldn't be able to ping the router from the PC. The router itself doesn't block any connectivity towards its own services (winbox, http, etc.), nor does it block any connectivity towards the "restricted area" (IP subnet 192.168.10.0/24).
We've also already established that you most probably won't be able to use winbox MAC connectivity. But what should work is a winbox IP connection … Mind that when launching winbox it won't be able to discover your router (because that works in an L2 network); you'll have to type in the router's IP address manually (in the "Connect To:" field). If that doesn't work, then it is some other device (a router between subnets 192.168.0.0/24 and 192.168.33.0/24) that is blocking the connection.
With your current router setup you can try a webfig (http) connection; since HTTP is a protocol most network administrators know about, it's more likely that it's not blocked.
Some updates: I have narrowed the reachable subnets in dst-address to 192.168.0.0/24. And something changed: Winbox tried logging in, but after a few seconds the following error message popped up: "router does not support secure connection, please enable Legacy mode if you want to connect anyway". In older Winbox versions (mine is 6.44) it seems easy to enable Legacy mode (I have never done that, just did some searching on the net), but on this newest version I cannot find how to do that; Legacy mode is not under the Tools tab.
I have tried Webfig as well, but the error I got was “Access denied”.
Any thoughts?
Hi,
I have enabled Legacy mode, and Winbox freezes in the "logging in" status (see attachment).
I have tried to connect to the RB750 Gr from a PC on VLAN 33, as mkx requested, but with the same outcome: Winbox freezes in logging in… However, under the Neighbors tab, Winbox detects the router.
I'm running out of ideas. The last one: disconnect the router from the company LAN, connect a PC to ether2 (the port the router is supposed to connect to the company LAN with), configure a static IP address on the PC (use one from 192.168.33.0/24), then try the connection again. If it works this way, then something funny is going on on the company LAN. If it doesn't work, then you're back to the lab and try to fix things.