Hello everyone
I have two MikroTik routers and one internet connection that is connected to one of them. What I'm trying to achieve is to share the internet (WAN) that is connected to port 10 of router number one (RB4011) to port 1 of router number two (hAP lite), in a way that the clients connected to router 2 can't access the LAN network on router 1 (192.168.11.111/24) and clients on router 1 can't access the LAN network on router 2 (10.10.5.135/24), but I would like to be able to control (limit) the speed of the internet connection which router 2 is receiving and also access router 2 via Winbox from one of the computers that are on the LAN network of router 1.
Thanks
Any idea?
And what exactly seems to be the problem? It's simple firewall config. Basic choice is between:
a) Connect router 2 the same way as any other client to router 1 (router 2 will have 192.168.11.x/24 on WAN). On router 1 add a route to 10.10.5.0/24 via 192.168.11.x. On router 2 use a firewall filter to block traffic between the two subnets.
b) Connect router 2 to a separate port on router 1. Add some interconnecting subnet between them, and again on router 1 a route to 10.10.5.0/24 via router 2. Do the filtering on router 1.
Regarding queues, I don't use them very often, but I guess a simple queue for the second subnet should work. If not, some packet marking may be required, but it's definitely doable.
Let's stop and provide some meaningful discussion. Throwing out ideas can be confusing at the moment.
To the OP, before coming up with a config that works for you, it's always best to understand the requirements. That, together with the context of what the network entails, will yield an optimal solution without guesswork.
Context/Network
You have two routers, one very powerful, one with weak wifi and slow ports.
You have a simple single WAN connection from an ISP
The WAN connection is from a modem and not a modem router (hence you get a public IP).
You have two separate groups of pcs/users.
Requirements:
The groups of pcs/users should be separated from each other
All users should be able to access the internet.
One group of users is to be prevented from garnering all the bandwidth via queues.
SOLUTION:
RB4011 - Single Router on the network.
HAPlite - Used as an access point/switch, the switch part if there are not enough ports and the users don't mind being only on a 10/100 connection.
example:
RB4011
Port 10 -ethernet
Ports 2-5 Trusted Subnet vlan10 - all access ports
Ports 6-8 Other subnet vlan20 - all access ports
Port 9 to Haplite trunk port (carrying vlan10 and 20 - vlan10 for the haplite itself for management purposes)
one bridge, parent interface for both vlans.
each vlan gets ip pool, dhcp server, dhcp server network, ip address
/interface bridge port
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
repeat for ether3-5
add bridge=bridge interface=ether6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
repeat for ether7,8
add bridge=bridge interface=ether9 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge tagged=bridge,ether9 untagged=ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether9 untagged=ether6,ether7,ether8 vlan-ids=20
And so forth.
Now you can do this with two bridges, no bridge, no vlans etc..
But the path provided is easy, and allows max flexibility in the future. You can designate multiple vlans to any ports or managed switches in the future.
The haplite is basically a managed switch with wifi, if you don't use its routing capabilities.
As far as the haplite is concerned. — https://forum.mikrotik.com/viewtopic.php?t=182276 see the example config!!
Firewall rules all easily handled on the RB4011 - https://forum.mikrotik.com/viewtopic.php?t=180838
For example in the forward chain this does what you want.
/ip firewall filter
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
All users have internet access, vlans cannot access each other.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Once you have a solid working config that is doing what you want, then introduce more complex items such as queues.
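As an added example that is not part of any post in this thread, here is one complete RB4011-side configuration that puts the pieces of the solution above together: the bridge with VLAN filtering, a /24 per VLAN, DHCP, the WAN/LAN interface lists the forward chain relies on, NAT, the forward chain from the post, and the simple queue for the second subnet. The interface names, the two subnets (derived from the OP's 192.168.11.x and 10.10.5.x ranges), the DHCP client on ether10, the 10M queue figure and the hAP lite management address 192.168.11.2 are all assumptions; the hAP lite itself still needs the trunk/VLAN config from the linked thread.

```routeros
# Added example for the RB4011 (assumed names, addresses and limits; adjust to your own).
# Apply on a device without the default bridge/DHCP config so nothing conflicts.

# 1. One bridge. VLAN filtering is switched on at the very end so management is not cut off mid-way.
/interface bridge
add name=bridge vlan-filtering=no

# 2. Access ports: the PVID decides which VLAN untagged client frames land in.
/interface bridge port
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge interface=ether6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge interface=ether7 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge interface=ether8 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
# Trunk to the hAP lite: only tagged frames are accepted, so a rogue untagged device on ether9 gets nothing.
add bridge=bridge interface=ether9 ingress-filtering=yes frame-types=admit-only-vlan-tagged

# 3. VLAN table. "bridge" is listed as tagged so the router itself can own an IP in each VLAN.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether9 untagged=ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether9 untagged=ether6,ether7,ether8 vlan-ids=20

# 4. Layer-3 interfaces on top of the bridge, one per VLAN.
/interface vlan
add name=vlan10 interface=bridge vlan-id=10
add name=vlan20 interface=bridge vlan-id=20

# 5. Interface lists referenced by the firewall (ether10 is the WAN port per the OP).
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether10
add list=LAN interface=vlan10
add list=LAN interface=vlan20

# 6. Addressing and DHCP. The hAP lite's management address (assumed 192.168.11.2) lives in vlan10,
#    so a vlan10 PC reaches it with Winbox at layer 2; no forward rule is needed for that.
/ip address
add address=192.168.11.1/24 interface=vlan10
add address=10.10.5.1/24 interface=vlan20
/ip pool
add name=pool10 ranges=192.168.11.10-192.168.11.254
add name=pool20 ranges=10.10.5.10-10.10.5.254
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20 address-pool=pool20 disabled=no
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1 dns-server=192.168.11.1
add address=10.10.5.0/24 gateway=10.10.5.1 dns-server=10.10.5.1
/ip dhcp-client
add interface=ether10 disabled=no
/ip dns
set allow-remote-requests=yes

# 7. NAT and firewall. Input chain: only the LAN side may manage the RB4011.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="masquerade to WAN"
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN comment="LAN may manage the router"
add chain=input action=drop in-interface-list=!LAN
# Forward chain as in the post. Fasttracked packets bypass simple queues, so vlan20 traffic is
# excluded from fasttrack; otherwise the queue in step 8 would never see it.
add chain=forward action=fasttrack-connection connection-state=established,related in-interface=!vlan20 out-interface=!vlan20
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# vlan10<->vlan20 traffic never matches this rule (out-interface is not WAN) and hits the final drop.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add chain=forward action=accept connection-nat-state=dstnat comment="allow port forwarding"
add chain=forward action=drop

# 8. Cap the second group (vlan20) at 10M up/down (assumed figure).
/queue simple
add name=vlan20-cap target=10.10.5.0/24 max-limit=10M/10M

# 9. Only now turn VLAN filtering on.
/interface bridge
set bridge vlan-filtering=yes
```

Two checks after applying it: `/interface bridge vlan print` should show ether9 and the bridge as tagged members of both VLANs with the access ports untagged, and a ping from a vlan10 host to 10.10.5.1 should be answered (that is the router's own address, input chain) while a ping to any vlan20 client should not (forward chain drop). If the vlan20 cap appears not to bite, confirm the fasttrack rule's counters are not climbing for vlan20 connections; that is the most common reason a simple queue seems to do nothing.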