routing between subnets to host

Hello,

Guys, I need help. I need access from my host (PC, 88.20) to my switch (80.6). Can you help me?

Flags: X - DISABLED, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE

ADDRESS NETWORK INTERFACE

;;; eric dhcp
0 192.168.88.1/24 192.168.88.0 bridge
1 192.168.80.5/23 192.168.80.0 mgmtDCN_vlan101
2 X 10.10.10.1/24 10.10.10.0 *14
;;; nat dhcp
3 X 172.16.0.1/24 172.16.0.0 *15
4 X 10.0.0.2/24 10.0.0.0 LACP-PORTax3
5 10.11.12.1/24 10.11.12.0 wireguard1
6 10.0.0.1/24 10.0.0.0 dockers
7 D 10.24.15.233/19 10.24.0.0 vlan_421_bridge
8 D xx.xx5.2x2.xxx/22 109.125.232.0 ether1


Columns: DST-ADDRESS, GATEWAY, DISTANCE

DST-ADDRESS GATEWAY DISTANCE

0 As 0.0.0.0/0 x.1xx5.x.1 1
1 s 0.0.0.0/0 10.24.0.1 5
2 As 1.1.1.1/32 10.24.0.1 1
DAc 10.0.0.0/24 dockers 0
DAc 10.11.12.0/24 wireguard1 0
DAc 10.24.0.0/19 vlan_421_bridge 0
DAc xxx.x5.xx2.0/22 ether1 0
DAc 192.168.80.0/23 mgmtDCN_bridge 0
;;; DCN MGMT Z KOMPA
3 IsH 192.168.80.0/24 192.168.88.1 1
;;; DNS MGMT Z KOMPA
4 IsH 192.168.88.0/24 192.168.88.1 1
DAc 192.168.88.0/24 bridge 0


Here is my info about addresses and the routing table, thanks!

Yes, the key is the firewall rules…

Can you tell me something more about this FW? You mean something with NAT?

Well, @anav here gave you as much information as possible because he doesn’t know your configuration.

You should export your configuration, redact any sensitive information and post it here.

By default L2 communication between VLANs is blocked. L3 is not, so if you can't access your switch, maybe there is a problem in the firewall rules.

Can you help me with printing this? What should I type in the terminal: ip>firewall>filter>print? What else?

para B. → https://forum.mikrotik.com/viewtopic.php?t=191442

/ip firewall filter
add action=drop chain=forward dst-port=22 protocol=tcp src-port=22
add action=drop chain=forward disabled=yes layer7-protocol=blockfacebook
add action=drop chain=output disabled=yes dst-address=xx.1x.xx.x protocol=\
    icmp
add action=accept chain=forward disabled=yes layer7-protocol="wireless allow"
add action=drop chain=input dst-port=2000 protocol=tcp
add action=drop chain=input dst-port=1234 protocol=tcp
add action=accept chain=input disabled=yes protocol=udp
add action=accept chain=input comment="Allow ICMP Ping" icmp-options=8:0-255 \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=add-src-to-address-list address-list=bruteforce_blacklist \
    address-list-timeout=9w3d chain=input comment=Blacklist connection-state=\
    new dst-port=8291 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 \
    address-list-timeout=1h chain=input comment="Third attempt" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
    address-list-timeout=1d chain=input comment="Second attempt" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    connection1
add action=add-src-to-address-list address-list=connection1 \
    address-list-timeout=3w2d chain=input comment="First attempt" \
    connection-state=new dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    !bruteforce_blacklist
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=domtel-eric \
    passthrough=no src-address=192.168.88.0/24
add action=mark-routing chain=prerouting new-routing-mark=domtel-nat \
    passthrough=no src-address=172.16.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="masquarade pub" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquarade nat" ipsec-policy=\
    out,none out-interface=vlan_421_bridge
add action=masquerade chain=srcnat disabled=yes out-interface=LTE
add action=masquerade chain=srcnat disabled=yes out-interface=local-bridge
add action=dst-nat chain=dstnat comment="port forward syno" disabled=yes \
    dst-port=33331 in-interface=ether1 log=yes protocol=tcp to-addresses=\
    192.168.88.12 to-ports=22
add action=dst-nat chain=dstnat comment=stronka disabled=yes dst-port=33332 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.88.12 \
    to-ports=80
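The answer above points at the filter rules, and the export is what was then shared. As an added illustration, not code from the thread or from MikroTik, the following Python script takes the forward chain and three of the input rules from that export verbatim, joins the backslash continuations, and walks a packet through them the way RouterOS evaluates a chain: top to bottom, the first accept/drop wins, and a chain with no match accepts. Matchers whose state the script cannot see (layer7-protocol, ipsec-policy, address lists) are reported as skipped instead of guessed. The PC address 192.168.88.20 and the switch address 192.168.80.6 come from the first post; the source port, connection state and the router address used for the input chain are constructed, and the treatment of fasttrack-connection as non-terminating is an assumption of the model.

```python
import ipaddress
import shlex

# Subset of the "/ip firewall filter" export posted in the thread (the whole
# forward chain plus three input rules), copied verbatim including RouterOS's
# backslash line continuations.
EXPORT = r"""
/ip firewall filter
add action=drop chain=forward dst-port=22 protocol=tcp src-port=22
add action=drop chain=forward disabled=yes layer7-protocol=blockfacebook
add action=accept chain=forward disabled=yes layer7-protocol="wireless allow"
add action=drop chain=input dst-port=2000 protocol=tcp
add action=accept chain=input comment="Allow ICMP Ping" icmp-options=8:0-255 \
    protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
"""


def parse_export(text):
    """Join backslash-continued lines and turn every 'add ...' line into a dict."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:                          # glue onto the previous partial line
            line = pending + line.lstrip()
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]              # drop the backslash, keep the text
            continue
        if not line.startswith("add "):
            continue                         # section header or blank line
        rule = {}
        for token in shlex.split(line[4:]):  # shlex strips the double quotes
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def port_matches(spec, port):
    """RouterOS port syntax: single port, range 'a-b', comma-separated list."""
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


MODELLED = {"protocol", "src-port", "dst-port", "src-address", "dst-address",
            "connection-state", "icmp-options"}


def rule_matches(rule, pkt):
    """True/False for matchers this model tracks; None when the rule relies on
    state we do not model (layer7, ipsec policy, address lists, hw-offload)."""
    if rule.get("disabled") == "yes" or rule.get("chain") != pkt["chain"]:
        return False
    for key, value in rule.items():
        if key in ("action", "chain", "comment", "disabled"):
            continue
        if key not in MODELLED:
            return None
        if key == "protocol" and value != pkt["protocol"]:
            return False
        if key in ("src-port", "dst-port"):
            port = pkt.get("sport" if key == "src-port" else "dport")
            if port is None or not port_matches(value, port):
                return False
        if key in ("src-address", "dst-address"):
            addr = ipaddress.ip_address(pkt["src" if key == "src-address" else "dst"])
            if addr not in ipaddress.ip_network(value, strict=False):
                return False
        if key == "connection-state" and pkt["conn_state"] not in value.split(","):
            return False
        if key == "icmp-options":            # "type:code-range"; 8:0-255 is echo request
            if pkt["protocol"] != "icmp" or pkt.get("icmp_type") != int(value.split(":")[0]):
                return False
    return True


# Assumption: log, passthrough, address-list adds and fasttrack-connection fall
# through to the next rule; only these actions end the walk.
TERMINAL = {"accept", "drop", "reject", "tarpit"}


def evaluate(rules, pkt):
    """Walk the packet's chain top to bottom; the first terminal match wins.
    Returns (verdict, matching rule or None, comments of rules skipped as unmodelled)."""
    skipped = []
    for rule in rules:
        result = rule_matches(rule, pkt)
        if result is None:
            skipped.append(rule.get("comment", rule["action"]))
        elif result and rule["action"] in TERMINAL:
            return rule["action"], rule, skipped
    return "accept", None, skipped           # an unmatched chain accepts by default


RULES = parse_export(EXPORT)


def forward_verdict(src, dst, dport, sport=51234, protocol="tcp", state="new"):
    """Verdict for a routed (forward-chain) packet, e.g. the PC opening SSH to the switch."""
    pkt = {"chain": "forward", "protocol": protocol, "src": src, "dst": dst,
           "sport": sport, "dport": dport, "conn_state": state}
    return evaluate(RULES, pkt)


def input_verdict(src, protocol, dport=None, icmp_type=None, state="new"):
    """Verdict for a packet addressed to the router itself (input chain); 192.168.88.1 is the router's bridge address from the thread."""
    pkt = {"chain": "input", "protocol": protocol, "src": src, "dst": "192.168.88.1",
           "sport": 51234, "dport": dport, "icmp_type": icmp_type, "conn_state": state}
    return evaluate(RULES, pkt)


if __name__ == "__main__":
    verdict, rule, skipped = forward_verdict("192.168.88.20", "192.168.80.6", 22)
    print("PC -> switch SSH:", verdict, "(no rule matched)" if rule is None else rule)
    print("  rules not modelled:", skipped)
    print("PC -> switch with source port 22:",
          forward_verdict("192.168.88.20", "192.168.80.6", 22, sport=22)[0])
    print("ping to router:", input_verdict("192.168.88.20", "icmp", icmp_type=8)[0])
```

For the poster's packet the forward chain produces no match (the only active forward drop requires both source and destination port to be 22), so the filter rules alone do not account for the missing connectivity. The mangle rule that attaches routing-mark domtel-eric to everything from 192.168.88.0/24 with passthrough=no means the route lookup for those packets happens in a routing table the thread does not show; that table and the NAT rules are worth inspecting alongside the filter.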