Routing between 2 local networks

Hello

I’m running 2 local networks on the same Router and I want to be able to access my PRTG server and my Access Points WebUI configured on the 1st network from the 2nd network.
1st Network= 40.40.0.0/21
2nd Network= 50.50.0.0/24

Any help would be appreciated.

Hello

If there are no firewall rules, then by default the router will route between networks. If there are rules, then without seeing them it's hard to suggest a solution.

Egert

Your IP addresses are not for private networks!!!
I would suggest you pick one that is correct from the 3 available classes (10.xxx or 172.xxx or 192.xxx)
Else you will run into issues sooner or later…



/ip firewall filter
add action=reject chain=input comment="Drop WAN DNS requests" dst-port=\
    53,5353,64872 in-interface=WAN protocol=udp reject-with=\
    icmp-network-unreachable
add action=reject chain=input comment="Drop WAN DNS requests" dst-port=\
    53,5353,64872 in-interface=WAN protocol=tcp reject-with=\
    icmp-network-unreachable
add action=accept chain=input comment="Accept established and related" \
    connection-state=established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop all from WAN" in-interface=WAN
add action=accept chain=forward comment="Accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Block Bogon IP addresses" src-address=\
    0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="Deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=111 protocol=\
    tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=135 protocol=\
    tcp
add action=drop chain=tcp comment="Deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="Deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="Deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=12345-12346 protocol=\
    tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="Deny BackOrifice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="Deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="Deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="Deny RPC portmapper" dst-port=111 protocol=\
    udp
add action=drop chain=udp comment="Deny RPC portmapper" dst-port=135 protocol=\
    udp
add action=drop chain=udp comment="Deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="Deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="Deny BackOrifice" dst-port=3133 protocol=\
    udp
add action=accept chain=icmp comment="Echo reply" icmp-options=0:0 limit=\
    5,5:packet protocol=icmp
add action=accept chain=icmp comment="Net unreachable" icmp-options=3:0 limit=\
    5,5:packet protocol=icmp
add action=accept chain=icmp comment="Host unreachable" icmp-options=3:1 limit=\
    5,5:packet protocol=icmp
add action=accept chain=icmp comment="Host unreachable fragmentation required" \
    icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="Allow source quench" icmp-options=4:0 \
    limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="Allow echo request" icmp-options=8:0 \
    limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="Allow time exceed" icmp-options=11:0 \
    limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="Allow parameter bad" icmp-options=12:0 \
    limit=5,5:packet protocol=icmp
add action=drop chain=icmp comment="Deny all other types"

According to your firewall nothing blocks any LAN communication.
You should be able to do what you want (L3 communication between devices).
Except if you have some hotspot isolation feature (which I am not familiar with).

But as I said, your choice of IP is buggy. And you have no protection/separation at all between those sub networks in your firewall…!

Your firewall rules are not even close to the default, which I recommend you reinstall to replace the crap in there now.

If not at least move to something resembling clear and efficient.
/ip firewall filter
add action=accept chain=input comment="Accept established and related" \
    connection-state=established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow admin access" src-address-list=adminaccess ***
add action=accept chain=input comment="Allow services for LAN users" (HERE YOU CAN PUT IN DNS port 53 udp, tcp for example)

add action=drop chain=input comment="Drop all other traffic from LAN or WAN"

*** Create firewall address list of lanips that are allowed to configure the router (admin desktop, admin laptop, admin notepad etc.) This list and associated rule must be put in place before you modify the last rule to DROP ALL.


As for the forward chain… I have never heard of the tcp or udp chains ??? etc… In any case here is what I would do to clean it up…


add action=accept chain=forward comment="Accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid


add action=drop chain=forward comment="Drop all else"

********** here is where you would put any allow rules you need.
Subnet or vlan access to WAN for internet for example.
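A complete version of the skeleton above, added here as an example and not Anav's or the original poster's configuration. It assumes placeholder LAN subnets 10.10.0.0/21 and 172.16.0.0/24, two placeholder admin hosts 10.10.0.10 and 10.10.0.11, DNS as the only router service exposed to LAN users, and a WAN interface named WAN as in the original export; change those to match the real network before pasting.

```routeros
# Added example (not the poster's or Anav's configuration). Assumed names:
# interface WAN (as in the original export); LAN subnets 10.10.0.0/21 and
# 172.16.0.0/24 and admin hosts 10.10.0.10 / 10.10.0.11 are placeholders.

/ip firewall address-list
add list=adminaccess address=10.10.0.10 comment="admin desktop"
add list=adminaccess address=10.10.0.11 comment="admin laptop"
add list=LAN address=10.10.0.0/21 comment="1st network"
add list=LAN address=172.16.0.0/24 comment="2nd network"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="Accept established and related"
add chain=input action=accept protocol=icmp comment="Allow ICMP"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
# The admin rule must be in place before the final drop, or you lock yourself out
add chain=input action=accept src-address-list=adminaccess \
    comment="Allow admin access"
add chain=input action=accept src-address-list=LAN protocol=udp dst-port=53 \
    comment="DNS for LAN users"
add chain=input action=accept src-address-list=LAN protocol=tcp dst-port=53 \
    comment="DNS for LAN users"
add chain=input action=drop comment="Drop all other traffic from LAN or WAN"

# --- forward chain: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related \
    comment="Accept established,related"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
# Allow rules go here, before the final drop: per-subnet internet access,
# and any deliberate subnet-to-subnet access you decide to permit.
add chain=forward action=accept src-address-list=LAN out-interface=WAN \
    comment="LAN subnets to internet"
add chain=forward action=drop comment="Drop all else"
```

Enter these from a host on the adminaccess list, ideally with Safe Mode enabled in the terminal, so that a mistake in the final input drop cannot cut off your own session; afterwards `/ip firewall filter print stats` shows which rules the traffic is actually hitting.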

Anav, these chains come from some web page/tutorial about security on ROS; I think it's even in the Wiki firewall page.
Some devices in my network failed to work as this ICMP chain filters some needed pings.
Just the other day I had to add a new ICMP type for Apple devices…

The good thing is it shows how custom chains do work in the firewall (useful for other use cases…)

The plain jane except ICMP works for all devices. KISS.

I’m actually running a hotspot server on the 1st network (bridge configuration with bridge horizon enabled to isolate ports).
The real Private IP classes on my networks are 10.xx and 172.xx .. I just always use random IP addresses on forums lol
I should mention that I can ping the gateway of the 1st network from the 2nd, but I can’t ping my access point or access their Web-UI!
And I still didn’t add a firewall rule to separate between the 2 networks because I want to figure out how to access devices between them first.

I actually followed Mikrotik Wiki regarding firewall rules!
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

I solved the problem.

The problem was with hotspot dynamic rules! I added accept rules between the two networks and moved them on top.
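What that fix looks like as rules, added here as an example and not the poster's actual configuration. Every address is a placeholder: 10.10.0.0/21 is the 1st (hotspot) network with the PRTG server assumed at 10.10.0.20 and the access points at 10.10.0.30 and 10.10.0.31, and 172.16.0.0/24 is the 2nd network. The accept rules are requested at the head of the forward chain with place-before, and the hotspot ip-binding entries exempt the management devices from hotspot authentication so the hotspot chains never treat their replies as unauthenticated client traffic.

```routeros
# Added example (not the poster's configuration). Placeholder addresses:
# 10.10.0.0/21 = 1st (hotspot) network, 172.16.0.0/24 = 2nd network,
# 10.10.0.20 = PRTG server, 10.10.0.30-10.10.0.31 = access points.

/ip firewall address-list
add list=mgmt-devices address=10.10.0.20 comment="PRTG server"
add list=mgmt-devices address=10.10.0.30-10.10.0.31 comment="access points"

# Static accept rules for the 2nd network reaching the management devices,
# limited to the web UI ports and ping rather than the whole 1st network.
# place-before=0 asks for the head of the chain, ahead of the hotspot's
# dynamic jump rules; confirm the resulting order with the print below.
/ip firewall filter
add chain=forward action=accept src-address=172.16.0.0/24 \
    dst-address-list=mgmt-devices protocol=tcp dst-port=80,443 \
    comment="2nd net -> PRTG and AP WebUI" place-before=0
add chain=forward action=accept src-address=172.16.0.0/24 \
    dst-address-list=mgmt-devices protocol=icmp \
    comment="2nd net -> ping management devices" place-before=1
add chain=forward action=accept src-address-list=mgmt-devices \
    dst-address=172.16.0.0/24 connection-state=established,related \
    comment="replies from management devices to 2nd net" place-before=2

# Exempt the management devices from hotspot authentication so the hotspot
# chains never redirect or drop their traffic as unauthenticated clients.
/ip hotspot ip-binding
add address=10.10.0.20 type=bypassed comment="PRTG server"
add address=10.10.0.30 type=bypassed comment="AP 1"
add address=10.10.0.31 type=bypassed comment="AP 2"

# Verify: the dynamic (D) hotspot rules and the new static rules are listed
# in evaluation order, and the counters on the new rules should increase
# while you open the AP WebUI from a 2nd-network host.
/ip firewall filter print stats where chain=forward
```

Keeping the rules scoped to the address list and the two web ports means the hotspot network still cannot be reached at large from the 2nd network, which is the separation Anav pointed out was missing; widen the dst-port list only if PRTG or the access points serve their UI on other ports.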