Hello all:
I have some problems with my RouterOS; I drew a picture to describe my problem.
My question is which mode I can choose for the center RouterOS: bridge or router? Use IP firewall rules or router rules?
Thank you very much.
Better with router, and IP firewall
Thank you, and should I use routing marks?
As seen I think it couldn’t be just a bridge. You have different networks (100, 105, 98, 95) which have to be routed. Routing marks? What for…
Thank you.
I am a beginner to RouterOS, so I couldn't figure out what to do next. Sorry.
I just tried router mode, set the router rules, mangled the routing packets, but it doesn't work, so I am confused.
What in particular doesn’t work?
Post output of command /export hide-sensitive as well …
I have configured the center RouterOS in router mode and can't get to area C or area D. I will post the configuration later.
I'm thinking: can I use VLANs to configure this network?
Configure the center router in router mode and set up the router rules on both the gateway and the center ROS.
Can I use VLANs to configure the network? 4 VLANs in the network, and pick out some PCs as manager PCs to access area C and area D?
If done this way, the center ROS should be in bridge mode, right? Also, the 4 NICs in the center ROS would be configured in trunk mode, with the VLAN IDs configured on the trunk?
While waiting for the config … what are configured routes on router in .A area? I expect that PCs in the lower center rectangle have router A set as their default gateway …
Sorry for the delay, here is my centerROS export file:
# may/30/2019 04:34:01 by RouterOS 6.44
#
#
#
/interface ethernet
set [ find default-name=ether3 ] name=Ethernet-95
set [ find default-name=ether2 ] name=Ethernet-100
set [ find default-name=ether1 ] name=Ethernet-105
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=192.168.95.100/24 interface=Ethernet-1 network=192.168.95.0
add address=192.168.105.116/24 interface=Ethernet-26 network=192.168.105.0
/ip cloud
set update-time=no
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=Ethernet-100
/ip dns
set allow-remote-requests=yes cache-size=40960KiB max-concurrent-queries=1000 \
max-concurrent-tcp-sessions=200
/system identity
set name="ROS "
The centerROS can ping the clients in any network: network A, network B, network D,
but I can't see any route rule in the centerROS. Is that normal?
Router A is the gateway in area A, and the clients in area A can access the internet using router A as their gateway.
I didn't set any route rules in router A.
And here is part of the area A gateway configuration:
# may/30/2019 12:48:07 by RouterOS 6.44
#
#
#
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan keepalive-timeout=\
60 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1
/interface bonding
add arp-interval=50ms arp-ip-targets=192.168.100.1 lacp-rate=1sec \
link-monitoring=arp name=bonding1 slaves=ether2,ether3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP_pool1 ranges=192.168.100.50-192.168.100.180
add name=OVPN ranges=192.168.100.245-192.168.100.246
/ip dhcp-server
add add-arp=yes address-pool=DHCP_pool1 authoritative=after-2sec-delay \
disabled=no interface=bonding1 lease-time=2d10m name=server1
/ppp profile
set *FFFFFFFE local-address=192.168.100.1 remote-address=OVPN
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip firewall connection tracking
set tcp-close-timeout=15s
/ip address
add address=192.168.100.1/24 interface=bonding1 network=192.168.100.0
/ip cloud
set update-time=no
/ip dhcp-client
add dhcp-options=hostname,clientid
/ip dns
set allow-remote-requests=yes cache-max-ttl=5d cache-size=4096KiB \
max-concurrent-queries=1000 max-concurrent-tcp-sessions=100 \
max-udp-packet-size=40960 servers=\
192.168.100.16,1.1.1.1,185.228.168.9,8.8.8.8,8.8.4.4,240c::6666
/ip firewall filter
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment=screen.cast dst-port=1368 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=cichainlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment=Snid.X2Trojan-1 dst-port=1784 protocol=\
tcp
add action=drop chain=virus comment=Worm dst-port=4006 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5900 protocol=tcp
add action=drop chain=virus comment=TheThing.Trojan-1 dst-port=6400 protocol=\
tcp
add action=drop chain=virus comment=W32.Korgo.A/B/C/D/E/F-4 dst-port=6667 \
protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-4 dst-port=6670 \
protocol=tcp
add action=drop chain=virus comment=SubSeven-5 dst-port=6711-6713 protocol=\
tcp
add action=drop chain=virus comment=DeepThroat.Trojan-5 dst-port=6771 \
protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.a.Bagle.a. dst-port=6777 \
protocol=tcp
add action=drop chain=virus comment=Worm.NetSky.S/T/U@mm dst-port=6789 \
protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-1 dst-port=6883 \
protocol=tcp
add action=drop chain=virus comment=Backdoor.YAI.Trojan-2 dst-port=7215 \
protocol=tcp
add action=drop chain=virus comment=NetMonitor.Trojan-1 dst-port=7300-7301 \
protocol=tcp
add action=drop chain=virus comment=NetMonitor.Trojan-2 dst-port=7306-7308 \
protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 dst-address=192.168.95.0/24 gateway=\
192.168.100.116 routing-mark=cc
/ip route rule
add dst-address=192.168.95.0/24 interface=bonding1 routing-mark=cc \
src-address=192.168.100.0/24 table=cc
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/snmp
set enabled=yes trap-version=2
/system identity
set name="MikroTik "
/system ntp client
set enabled=yes primary-ntp=85.199.214.100 secondary-ntp=202.112.7.13
/system package update
set channel=long-term
/system resource irq
set 3 cpu=0
set 4 cpu=0
set 6 cpu=0
set 7 cpu=1
set 8 cpu=1
set 11 cpu=1
set 16 cpu=1
set 21 cpu=1
/system upgrade mirror
set enabled=yes
A few things puzzle me in the posted config:
/ip route
add check-gateway=ping distance=1 dst-address=192.168.95.0/24 gateway=\
192.168.100.116 routing-mark=cc
/ip route rule
add dst-address=192.168.95.0/24 interface=bonding1 routing-mark=cc \
src-address=192.168.100.0/24 table=cc
It allows communication with hosts in area .D by using the center router as gateway. The config above is awkward; I guess simpler would do:
/ip route
add dst-address=192.168.95.0/24 gateway=192.168.100.116 # area .D
add dst-address=192.168.98.0/24 gateway=192.168.100.116 # area .C
add dst-address=192.168.105.0/24 gateway=192.168.100.116 # area .A
Very similar routing rules should exist on the router in area .A:
/ip route
add dst-address=192.168.95.0/24 gateway=192.168.105.xx # area .D
add dst-address=192.168.98.0/24 gateway=192.168.105.xx # area .C
add dst-address=192.168.100.0/24 gateway=192.168.105.xx # area .B
Thank you very much for your reply.
I did not make the situation clear here, and I made some scribbled instructions; I am very sorry.
The situation here is this: the devices are in use, so I can only simulate the central router and change their respective IP addresses.
The 3 routers are MikroTik routers; the software version is 6.44.
Router C has three network cards and three physical networks. However, because of the need to connect area C and area D, the third network card is assigned two IP addresses.
In the previous configuration, when 4 IP addresses were assigned, the system automatically created 4 routing entries in the routing table, all of which are DAC entries.
The following is the configuration of ROS C. I don't know where it is wrong; it can't connect to ROS A.
# may/30/2019 13:23:13 by RouterOS 6.44
#
#
#
/interface ethernet
set [ find default-name=ether3 ] name=NIC3
set [ find default-name=ether2 ] name=NIC2
set [ find default-name=ether1 ] name=NIC1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip settings
set accept-redirects=yes accept-source-route=yes tcp-syncookies=yes
/interface list member
add interface=NIC1 list=WAN
add list=LAN
/ip address
add address=192.168.95.100/24 interface=NIC3 network=192.168.95.0
add address=192.168.90.1/24 interface=NIC3 network=192.168.90.0
add address=192.168.100.36/24 interface=NIC2 network=192.168.100.0
add address=192.168.105.116/24 interface=NIC1 network=192.168.105.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes cache-size=40960KiB max-concurrent-queries=1000 \
max-concurrent-tcp-sessions=200
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=192.168.95.0/24 \
new-routing-mark=cctv passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.105.0/24 \
new-routing-mark=26 passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.100.0/24 \
new-routing-mark=2wy passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.90.0/24 \
new-routing-mark=ck passthrough=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.95.0/24 src-address=\
192.168.105.116
/ip route
add check-gateway=ping distance=1 dst-address=192.168.105.0/24 gateway=\
NIC1
add check-gateway=ping distance=1 dst-address=192.168.100.0/24 gateway=\
NIC2
/ip route rule
add dst-address=192.168.95.0/24 interface=NIC3 routing-mark=cctv \
src-address=192.168.105.0/24 table=cctv
add dst-address=192.168.90.0/24 interface=NIC3 routing-mark=ck \
src-address=192.168.105.0/24 table=ck
add dst-address=192.168.95.0/24 interface=NIC3 routing-mark=cctv \
src-address=192.168.100.0/24 table=cctv
add dst-address=192.168.90.0/24 interface=NIC3 routing-mark=ck \
src-address=192.168.100.0/24 table=ck
add dst-address=192.168.105.0/24 interface=NIC1 routing-mark=26 \
src-address=192.168.95.0/24 table=26
add dst-address=192.168.105.0/24 interface=NIC1 routing-mark=26 \
src-address=192.168.90.0/24 table=26
add dst-address=192.168.100.0/24 interface=NIC2 routing-mark=2wy \
src-address=192.168.90.0/24 table=2wy
add dst-address=192.168.100.0/24 interface=NIC2 routing-mark=2wy \
src-address=192.168.105.0/24 table=2wy
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system identity
set name="ROS "
In addition, on ROS A, if I want to go to 95, then I add a new router rule on ROS A like this:
add check-gateway=ping distance=1 dst-address=192.168.95.0/24 gateway=192.168.105.116
Am I right?
Are you sure that’s not still the case? Dynamic routes are shown using /ip route print but aren’t present in configuration export.
Right.
I’m not sure you need check-gateway option … as there’s no other practical route towards destination it doesn’t really matter if that particular gateway is alive or not.
And I’m still not sure what’s that you’re trying to achieve by using routing marks etc. … that you couldn’t do with a few simple static routes.
Are you sure that's not still the case? Dynamic routes are shown using /ip route print but aren't present in configuration export.
After resetting the configuration I added some configuration and exported the file; I don't know why they didn't show up. I can see them in Winbox.
I'm not sure you need the check-gateway option … as there's no other practical route towards the destination, it doesn't really matter if that particular gateway is alive or not.
And I'm still not sure what it is you're trying to achieve by using routing marks etc. … that you couldn't do with a few simple static routes.
I think the center ROS setting is fine.
I tracert to area C and area D from the gateway, and it goes to the internet gateway.
How do I configure the gateway route? Set up a static route rule?
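The tracert result above (traffic for area C/D leaving via the internet gateway) and the earlier suggestion of plain static routes can be checked with a small longest-prefix-match model of the two routers. This is an added example, not anyone's posted config; the topology is constructed from the thread and assumes the center router's 192.168.100.36 address from its export, with the area gateway at 192.168.100.1 holding only its connected LAN and the PPPoE default route.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not the posted config).
# Each router is a list of (prefix, next_hop); "connected" marks a directly attached
# network (a DAC route) and "internet" the PPPoE default route.
INTERNET = "internet"
CONNECTED = "connected"

ROUTERS = {
    # Area gateway: 192.168.100.0/24 on bonding1, default route via pppoe-out1.
    "gateway": [("192.168.100.0/24", CONNECTED), ("0.0.0.0/0", INTERNET)],
    # Center router: one leg in every area, so all four networks are connected.
    "center": [("192.168.100.0/24", CONNECTED), ("192.168.105.0/24", CONNECTED),
               ("192.168.95.0/24", CONNECTED), ("192.168.90.0/24", CONNECTED)],
}
# Which router owns which next-hop address (constructed values from the exports).
OWNER = {"192.168.100.36": "center", "192.168.100.1": "gateway"}

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(routers, first_hop, dst, max_hops=8):
    """Follow next hops from the host's default gateway; returns (path, outcome)."""
    path, cur = [first_hop], first_hop
    for _ in range(max_hops):
        nh = lookup(routers[cur], dst)
        if nh is None or nh == INTERNET:
            return path, "leaked to internet" if nh == INTERNET else "no route"
        if nh == CONNECTED:
            return path, "delivered"
        cur = OWNER[nh]
        path.append(cur)
    return path, "loop"

def with_static_route(routers):
    """Gateway gets the suggested static route: 192.168.95.0/24 via the center router."""
    fixed = {name: list(routes) for name, routes in routers.items()}
    fixed["gateway"].insert(0, ("192.168.95.0/24", "192.168.100.36"))
    return fixed

if __name__ == "__main__":
    # A PC in 192.168.100.0/24 uses the gateway as its default gateway, as in the thread.
    print(trace(ROUTERS, "gateway", "192.168.95.20"))                     # leaks to internet
    print(trace(with_static_route(ROUTERS), "gateway", "192.168.95.20"))  # delivered via center
    print(trace(ROUTERS, "center", "192.168.100.50"))                     # return path is fine
```

The return path needs no extra route because the center router has 192.168.100.0/24 directly connected; only the gateway is missing a route for the far networks, which is exactly what the tracert shows.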