Routing LAN and VLANs

Hello everybody.
I’m going mad.

On the same router I have a LAN subnet (192.168.3.0/16, pool 3.2-3.254…5.2-5.254 ) and a VoIP dedicated VLAN (192.168.20.1/24, pool 20.2-20.254), with their respective DHCP Servers and Networks.

Everything is working fine, only it’s impossible for a client on the LAN to access a client on the VLAN.
In other words, sometimes I need to access the VoIP PBX (192.168.20.4), but the only way to do that is to be connected to the VLAN.

I tried firewall rules, routing, addresses etc., without solving it.

Help very appreciated, thank you.

Fairly obviously, the subnets overlap. You need to fix the /16 subnet mask to something else less greedy.

Also, your config may not be optimal.
Please post

/export hide-sensitive file=anynameyouwish

Many thanks, Anav, for your reply.
Here’s my config (please, let me know if you prefer a “copy - paste” directly on the post).
RenzoG.rsc (63.4 KB)

Sid5632, many thanks for your reply.
Do you think that the mask is the trouble? Would changing the VoIP subnet mask to a /16 solve the trouble?

Wow, so you get PPPoE internet over the wireless connection.
That’s brave! Then with the same device you are running a hotspot and have queues… not to mention VoIP.
This device is a low cost board meant to be a CPE device, not a full fledged router, but it’s cool what you are trying to do.

I suppose there is no reason to use a bridge with one PORT LOL.


(1) This is rather a wide range of IP addresses … how many do you need ??? Can you break it down to another VLAN perhaps or two??
add name=dhcp ranges=192.168.3.2-192.168.5.254

(2) Ensure vlans are also part of LAN interface group
interface list member
add comment=defconf interface=ether1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=wlan1 list=WAN
add interface=Hotspot_Vlan list=VLans
add interface=VoIP_VLan list=VLans
add interface=Hotspot_Vlan list=LAN
add interface=VoIP_VLan list=LAN

(3) IP ADDRESS - already noted before. And DHCP Server Network.
192.168.3.1/16 describes 65,534 potential addresses.

So that’s something like
192.168.3.1 to 192.168.258.1 (and you only want 192.168.3.1 to 192.168.5.1 I think… a

/24 gives you 254 IPs usable out of 256 IPs 192.168.3.1 to 192.168.4.254
/23 gives you 510 IPs usable out of 512 IPs 192.168.3.1 to 192.168.4.254
/22 gives you 1022 IPs usable out of 1024 IPs 192.168.3.1 to 192.168.6.254

Why not stick to the norm?? 192.168.3.1/24???

(4) Firewall rules…
They should be in a reasonable order for assessment and understanding:
either all Forward chain rules first or all Input chain rules first, NOT MIXED together.

What is the purpose of this rule?
add action=accept chain=input comment="Gigliotti R.A. CPE Remote" dst-port=80 in-interface-list=WAN protocol=tcp

Is this router attached to an ISP modem? If the answer is yes,
why did you open up the router itself on port 80? That is very unsafe, as is unencrypted telnet.
One should ONLY access the router via VPN, and then use winbox to config the router.


(5) You seem to have much port forwarding enabled and it’s unclear what you are trying to accomplish; maybe there are better ways??

Anav,
thank you so much for your info, very very helpful.

So:

  1. I corrected network class, in DHCP network from 192.168.0.0/16 to 192.168.0.0/22, to accomplish range I need from 192.168.3.1 to 192.168.5.254. I hope this is right.
  2. I added VoIP and Hotspot networks into LAN interface list (I didn’t remove them from VLAN list)
  3. Corrected IP address from 192.168.3.1/16 to 192.168.3.1/22
  4. Firewall rules order is just as I found it in the default config; I only added what I needed. The rule Gigliotti CPE Remote is working with a NAT redirect rule: I need to connect to this router (CPE) from remote, so I redirect port 8010 to 80 when I’m connecting from remote and I use port 80 when I’m on the local network.
  5. Each port forwarding is used to connect to my home devices from remote. It’s the only way I know to accomplish this task, e.g. wake on LAN or remote desktop for MY PC, connecting to my APs, remote desktop for the notebook etc.

Please, don’t look at queue rules: I have to write them from zero, since I’m using VLAN, now, for VoIP.

After all, sorry, I don’t see a way to solve my trouble yet. Are you thinking about bridging LAN and VLANs? Is this the only way?

Many thanks again.

Clearly Anav doesn’t understand subnetting (like so many other things), and nor do you.
The only ones that are going to work instead of /16 with those weird ranges are /20 and /21.
192.168.0.0/22 gives 192.168.0.0-192.168.3.255 - it does NOT cover 192.168.5.xxx
192.168.4.0/22 gives 192.168.4.0-192.168.7.255 - it does NOT cover 192.168.3.xxx

So /21 gives 192.168.0.0-192.168.7.255
and /20 gives 192.168.0.0-192.168.15.255
Anything /19 or less will clash with 192.168.20.xxx

Use a subnet calculator if you don’t know what you’re doing.
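The prefix-length check Sid5632 describes can be done with Python's standard ipaddress module. The block below is an added example, not anything posted in the thread; the two LAN addresses and the VoIP subnet are constructed from the figures in the thread. It tests each candidate prefix length on two points: does the resulting subnet contain both the lowest and highest LAN address the poster wants, and does it overlap 192.168.20.0/24. An overlap matters beyond DHCP: the router then treats the VoIP range as on-link for the LAN subnet, so packets for 192.168.20.4 are never routed to the VLAN and no forward-chain firewall rule ever sees them.

```python
import ipaddress

# Constructed from the thread: the lowest and highest LAN address the poster
# wants in one subnet, and the VoIP VLAN subnet it must not overlap.
LAN_HOSTS = ["192.168.3.2", "192.168.5.254"]
VOIP_NET = ipaddress.ip_network("192.168.20.0/24")


def network_for(addr, prefix_len):
    """The network block that `addr` falls into at this prefix length.
    strict=False lets us pass a host address rather than the block start."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def evaluate_prefix(prefix_len, hosts=LAN_HOSTS, other=VOIP_NET):
    """Return (network, covers_all_hosts, overlaps_other) for one prefix length.
    The block is anchored on the first host, which is what happens when the
    router interface is given 192.168.3.1/<prefix_len>."""
    net = network_for(hosts[0], prefix_len)
    covers = all(ipaddress.ip_address(h) in net for h in hosts)
    overlaps = net.overlaps(other)
    return net, covers, overlaps


def workable_prefixes(hosts=LAN_HOSTS, other=VOIP_NET, candidates=range(16, 25)):
    """Prefix lengths whose block holds every host AND stays clear of `other`."""
    result = []
    for plen in candidates:
        _, covers, overlaps = evaluate_prefix(plen, hosts, other)
        if covers and not overlaps:
            result.append(plen)
    return result


def describe(net):
    """Human-readable range and usable host count for a block."""
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return f"{net.network_address}-{net.broadcast_address} ({usable} usable hosts)"


if __name__ == "__main__":
    for plen in range(16, 25):
        net, covers, overlaps = evaluate_prefix(plen)
        print(f"/{plen:<3}{describe(net):<45} covers LAN hosts: {covers!s:<5} "
              f"overlaps {VOIP_NET}: {overlaps}")
    print("workable prefix lengths:", workable_prefixes())
```

Running it shows why /16 breaks routing to the VLAN (it swallows 192.168.20.0/24), why the /22 the poster first tried reaches only 192.168.3.255 and so needed the pool moved down, and that /21 and /20 are the only lengths that both hold 192.168.3.x through 192.168.5.x and leave the VoIP subnet separate. The same functions work for any pair of subnets; change the constructed inputs to check your own plan before committing it to the router.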

Yeah right. 192.168.258.1 Are you serious? Can’t you ever keep your mouth shut about anything?

Hi there, I don’t do anything outside of standard subnetting for a reason, it’s Greek to me, and I just went by Google and subnet masks, so my apologies for misleading you.
Certainly the other person posting here has a much better handle on it.

My main concern is the fact that you are accessing the router remotely in a very unsafe manner.
You really need to tunnel in via port knocking or VPN and not the way you are doing it.
If I may, I just started using winboxremote on a trial basis, I use it as backup to a wireguard vpn tunnel I also use…
The first account is free (per email address) and it’s really easy to use.
If you do decide to get it, you basically put in the winbox address and the username and password you normally use to gain access to the router via winbox, and you will connect remotely.
It’s easier and much safer than what you are doing.

If you want help walking through it, my email is available in my signature.

Sid5632,
I thank you so much for your clarification, but… please, would you be kinder in your answer?
You will surely know that Anav’s suggestions about ip class just worked, even if my pool ip was wrong.
It’s clear, and you know it too, that neither Anav nor I know much about subnetting. I’m a programmer and I’m just learning right now.

After the correction suggested by Anav (/22 instead of /16), I finally have access to my VoIP VLAN devices.
Of course I applied the correction to the IP pool suggested by Sid5632 (using an IP calculator): from 3.1-5.254 to 0.1-3.254, so I didn’t have to change anything else in my config.

Thanks a lot Anav, thanks a lot Sid5632.

Is there a way to give “points” both to Sid5632 and Anav? Once there was Karma…

I’m afraid not, certainly where that person is concerned. I can’t abide his mega-posting quantity about every subject going, from a position of his own admitted ignorance a lot of the time.
I kill-filed him a long time ago, as I suspect did many others. I strongly believe he is responsible for driving other knowledgeable people away from the forum over the last couple of years. The post quality on here is way down on what it used to be.

You will surely know that Anav’s suggestions about ip class just worked, even if my pool ip was wrong.

The suggestions were largely nonsensical and based on supposition and guess-work.

Glad you found some success RenzoG.

Sid5632, I surely understand your point of view. Anyway, after changing the subnet mask (as he said!) I was able to reach devices on the VoIP VLAN. Luck? I don’t know: it worked. You did the rest of the job, exactly and correctly, by suggesting I learn something about subnets and masks.
That’s all.
Thank you both again.
See you.