I want my 750G to do some general routing in my networks. For now that means routing between 5 networks.
First, about the internal routing: I have 10.0.40.0, 192.168.0.0, 192.168.2.0 and 192.168.101.0
Is it enough if I set up ip/route/rules?
Is the following list correct, if I want 10.0.40.0 and 192.168.101.0 to be able to communicate, but no communication between the rest?
Sorry for the late reply, had to do some other stuff first and played around, got it working with some help from IRC.
just to double check:
I don’t need to put anything in ip / routes for allowing/disallowing access between subnets of the mikrotik - that is all done with firewall nat.
Something like that should enable routing between 192.168.0.0/24 and 192.168.2.0/24, right?
0 X chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.2.0/24 out-interface=ether2-local-master
You don’t need to NAT to route. Routers just route between directly connected networks out of the box. Only NAT when you have to. To drop traffic between directly connected networks use firewall filters, as mrz said.
Well, I’m still new to MT, but I can’t remember having removed any settings that sound like routing. And routing did not work out of the box for me.
After the above NAT it worked… The MT itself was always able to connect to the different subnets, but I wasn’t able to ping Client1 in subnet A from Client2 in subnet B… Where do I find these basic routing settings that should be enabled by default?
Hello again. I’m really sorry for the late reply, but things turned a little bit upside down here and I wasn’t able to work on the Mikrotik issue at all.
Right now I don’t have access to the MT, that’s why I can’t post the proper outputs. But I’ll give a quick overview of the scenario I’m planning to use the MT for, hopefully that’s enough.
I want the MT to be a gateway for several networks:
Network A 192.168.0.0/24 - with internet access
Network B 192.168.2.0/24 - with internet access
Network C 10.0.40.0/24 - without internet access
Network D 192.168.101.0/24 - without internet access
The MT always has the .4 as its own IP, that means 192.168.0.4, 192.168.2.4 et cetera.
Now all I want is the MT to be a DHCP in the 10.0.40.0/24 network and to allow / deny certain routes.
A is not allowed to communicate with B, C or D (and the other way round). Same situation for B.
C is allowed to communicate with D and vice versa.
Since A and B have internet access (another router at 192.168.0.1 and 192.168.2.1) I need to do a routing for 0.0.0.0 → next hop 192.168.0.1 / 192.168.2.1 if I’m not mistaken - please correct me, if I’m wrong.
Last but not least, C and D should be able to communicate with E (192.168.102.0/24) and F (192.168.103.0/24), which are reachable through a VPN established by the router at 192.168.2.1.
I’d really appreciate it if someone could show me the basic steps I need to take to make this scenario work. From the answers so far I understand that the routing between the subnets should work out of the box, but I have to configure the firewall to block certain routing? If I remember correctly, the routing didn’t work out of the box for me, but I have to admit I did start with an empty config, since I don’t need all the WAN/LAN stuff and switch modes etc.
What you have is a router. It will have a directly connected route to networks that it has an IP address on, and whenever it sees a packet it’ll try to route it. Therefore routing between directly connected networks works out of the box - after all, that’s the basic purpose of a router.
To keep networks from talking to one another implement firewall rules.
However, your specifications are contradictory. First you say that A and B shouldn’t be able to communicate with the other networks. Then you say C and D should be able to communicate with remote networks reached through a router on network B. That would necessarily involve C and D being able to communicate with at least one host on network B (the router).
Generally speaking, just write firewall rules like this in the forward chain (filters packets going THROUGH the router):
/ip firewall filter
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.2.0/24 action=drop comment="drop A to B"
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.0.0/24 action=drop comment="drop B to A"
add chain=forward src-address=192.168.0.0/24 dst-address=10.0.40.0/24 action=drop comment="drop A to C"
add chain=forward src-address=10.0.40.0/24 dst-address=192.168.0.0/24 action=drop comment="drop C to A"
Firewall rules are ‘default accept’, which means that if no rule denied a packet, the packet will be allowed.
And so on, until you have the logic you want implemented.
In the case of C, where you only want communication to E and F but nothing else, you’d start introducing default denies:
/ip firewall filter
add chain=forward src-address=10.0.40.0/24 dst-address=192.168.102.0/24 action=accept comment="allow C to E"
add chain=forward src-address=10.0.40.0/24 dst-address=192.168.103.0/24 action=accept comment="allow C to F"
add chain=forward src-address=10.0.40.0/24 action=drop comment="default deny C to anything"
That can make previous rules redundant, of course - you no longer need to drop “C to A” in this case.
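The two rule sets above only sketch the policy, and the thread’s later point (the VPN router on B is transit only, so no C or D host ever needs 192.168.2.0/24 as a destination) changes what the full list has to look like. The following is an added example, not code from the thread or from RouterOS: a small Python model of a forward chain with first-match semantics and the ‘default accept’ behaviour described above. The networks A to F are the poster’s; the complete rule list, the sample packets, and the helper names (`Rule`, `evaluate`, `to_routeros`, `default_denies_first`) are constructed here to show how ordering decides the outcome and to render the rules in the `/ip firewall filter` syntax used in the thread.

```python
"""Toy model of a RouterOS-style forward chain (added example, not RouterOS code).

Only what the thread discusses is modelled: rules are tried top to bottom,
the first match decides, and a packet that matches nothing is accepted.
Networks A-F are the poster's; the FORWARD policy below is constructed for
that scenario so its ordering can be checked against sample flows.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# The poster's networks (from the thread).
A = "192.168.0.0/24"    # internet via 192.168.0.1
B = "192.168.2.0/24"    # internet via 192.168.2.1, which is also the VPN transit router
C = "10.0.40.0/24"      # MT is the gateway, no internet
D = "192.168.101.0/24"  # no internet
E = "192.168.102.0/24"  # reachable only through the VPN router 192.168.2.1
F = "192.168.103.0/24"


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: Optional[str] = None    # src-address=...; None matches any source
    dst: Optional[str] = None    # dst-address=...; None matches any destination
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ((self.src is None or ip_address(src_ip) in ip_network(self.src))
                and (self.dst is None or ip_address(dst_ip) in ip_network(self.dst)))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First matching rule wins; an unmatched packet is accepted (RouterOS default)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.comment
    return "accept", "default accept (no rule matched)"


def to_routeros(rule: Rule) -> str:
    """Render a rule in the /ip firewall filter syntax quoted in the thread."""
    parts = ["add chain=forward"]
    if rule.src:
        parts.append(f"src-address={rule.src}")
    if rule.dst:
        parts.append(f"dst-address={rule.dst}")
    parts.append(f"action={rule.action}")
    parts.append(f'comment="{rule.comment}"')
    return " ".join(parts)


# Constructed policy: A and B reach only the internet; C and D reach each other
# and the VPN-side networks E and F, nothing else (so not the transit router itself).
FORWARD = [
    Rule("drop", src=A, dst=B, comment="drop A to B"),
    Rule("drop", src=B, dst=A, comment="drop B to A"),
    Rule("drop", src=A, dst=C, comment="drop A to C"),
    Rule("drop", src=A, dst=D, comment="drop A to D"),
    Rule("drop", src=B, dst=C, comment="drop B to C"),
    Rule("drop", src=B, dst=D, comment="drop B to D"),
    # Exceptions for C and D must come BEFORE their catch-all drops.
    Rule("accept", src=C, dst=D, comment="allow C to D"),
    Rule("accept", src=D, dst=C, comment="allow D to C"),
    Rule("accept", src=C, dst=E, comment="allow C to E"),
    Rule("accept", src=C, dst=F, comment="allow C to F"),
    Rule("accept", src=D, dst=E, comment="allow D to E"),
    Rule("accept", src=D, dst=F, comment="allow D to F"),
    Rule("drop", src=C, comment="default deny C to anything"),
    Rule("drop", src=D, comment="default deny D to anything"),
]


def default_denies_first(rules: List[Rule]) -> List[Rule]:
    """The classic mistake: catch-all drops placed ahead of the accepts they were meant to except."""
    catch_all = [r for r in rules if r.action == "drop" and r.dst is None]
    rest = [r for r in rules if not (r.action == "drop" and r.dst is None)]
    return catch_all + rest


if __name__ == "__main__":
    print("/ip firewall filter")
    for r in FORWARD:
        print(to_routeros(r))
    # Constructed sample flows: hosts .10 in each network, 8.8.8.8 stands for "the internet".
    for s, d in [("192.168.0.10", "192.168.2.10"), ("10.0.40.10", "192.168.102.10"),
                 ("10.0.40.10", "192.168.2.1"), ("192.168.0.10", "8.8.8.8")]:
        print(f"{s} -> {d}: {evaluate(FORWARD, s, d)}")
    print("misordered:", evaluate(default_denies_first(FORWARD), "10.0.40.10", "192.168.102.10"))
```

The model is stateless: it judges each packet on its own. On the real router the return packets of an allowed connection (for example E answering C) are only accepted here because no rule happens to match them, so a practitioner would normally put an `add chain=forward connection-state=established,related action=accept` rule at the top of the chain before any drops; `connection-state` is an existing RouterOS filter matcher, not something this example adds to the thread’s syntax.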
True, I forgot the always existing exception
The MT will be the gateway for network C and D, probably as well for A and B, but I think that is currently not even necessary in my setup.
Since my internet router has only two interfaces, I can’t put it in C or D as well. Is it possible to have a routing entry that does the following:
If a client in C wants to get to a client in E, he asks his gateway = MT 10.0.40.4, the MT routes connections for 192.168.102.0/24 to 192.168.2.1, that one establishes the VPN to E and returns any packets for 10.0.40.0/24 (which he isn’t part of) to 192.168.2.4 (the MT). I’ve read something about this kind of double gateway (not sure, but perhaps it was something about “transparent routing”???), where the original subnet doesn’t see all the gateways.
If the VPN router is only going to be used for transit then the rules I posted would work fine, since the destination address would never be 192.168.2.0/24, but the network behind it.
The 192.168.2.0/24 net is indeed only a transit network, no client from 10.0.40.0/24 or 192.168.101.0/24 has to be able to reach any IP of that network.
I’ll try to get your suggestions working as soon as possible, probably Thursday or after the Easter weekend.
Thanks again!