You only need to set that address 192.168.2.253/24 on one of the ports of the MikroTik and take that port out of
the switch or bridge used for the LAN. Then connect it to the other network.
Of course!
So cable from SRX to Mikrotik port (say) 5.
Then configure (in the Mikrotik) port 5 with a fixed IP of 192.168.2.253/24, which would allow the devices on 192.168.2.x to reach the devices on the other LAN 192.168.3.x ?
If you wish to only allow communication between the 192.168.3.0/24 and 192.168.2.250(printer IP) then you will want to configure a firewall rule which only permits said communication between the networks and will deny all other traffic between them.
Hi, thank you. I can see this is an important point as both LANs have different routers etc. This will prevent a lot of cross-talk.
What would this rule look like?
Thanks!
Would it be possible to have two separate LANs both 192.168.2.x each with own router, and share a printer on LAN1 (192.168.2.50 say) with LAN2 (router is Mikrotik) ?
LAN1 is using a Juniper SRX as its router.
Or does LAN2 need to be running a completely different subnet i.e./e.g. 192.168.3.x ?
OK thanks to help from the forum, I’m almost there.
After this configuration, using a terminal window in Winbox, I can ping the printer (LAN B at IP 192.168.2.152) i.e. from the Mikrotik, and can ping the Mikrotik from LAN B at IP 192.168.2.250.
(previously the printer was at 192.168.2.150 and the fixed IP for the Mikrotik’s port on LAN B was 192.168.2.253, but these have changed).
But I can’t figure out why I still can’t reach (ping/configure) the printer (192.168.2.152 on LAN B) from clients on LAN A.
I have included the complete configuration below.
Can anybody spot anything obvious (or, hopefully, not so obvious!) than find the missing puzzle piece?
Thank you!
Robin
# Mikrotik has internet via PPPoE tagged on VLAN10
# LAN A 192.168.3.0/24 is primary LAN
# LAN B 192.168.2.0/24 is another LAN with a printer at IP 192.168.2.152
# LAN B's switch is connected with a patch cable to ethernet port 3 on Mikrotik
# The goal is to allow workstations on LAN A to use the printer on LAN B
#
/interface ethernet
set [ find default-name=ether2 ] comment="ether2 LAN" name=LAN
set [ find default-name=ether1 ] comment="ether1 WAN port" name=WAN
set [ find default-name=ether3 ] comment="printer on LAN B"
set [ find default-name=ether4 ] arp=disabled comment=spare master-port=LAN
set [ find default-name=ether5 ] arp=disabled comment=spare master-port=LAN
/ip neighbor discovery
set LAN comment="ether2 LAN A"
set WAN comment="ether1 WAN port internet"
set ether3 comment="printer LAN B"
set ether4 comment=spare
set ether5 comment=spare
/interface vlan
add interface=WAN name=VLAN10 vlan-id=10
/interface pppoe-client
add add-default-route=yes comment="ISP PPPoE client WAN" disabled=no \
interface=VLAN10 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 \
password=xxxxxxxxxx use-peer-dns=yes user=yyy@zzz
/ip neighbor discovery
set pppoe-out1 comment="ISP PPPoE client WAN"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.3.50-192.168.3.150 comment="DHCP pool for LAN A"
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN lease-time=1d name=dhcp1
/ip neighbor discovery settings
set default=no
/ip address
add address=192.168.3.254/24 comment="LAN A" interface=LAN network=\
192.168.3.0
add address=192.168.2.250/24 comment=\
"Mikrotik's ethernet#3 port has 192.168.2.250 IP on LAN B" interface=ether3 \
network=192.168.2.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server network
add address=192.168.3.0/24 comment="DHCP to LAN" gateway=192.168.3.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=xx.xx.xx.xx comment="management IP" list="Allowed IPs"
add address=192.168.3.0/24 comment="allow management from LAN A" list="Allowed IPs"
add address= xx.xx.xx.xx comment="management IP" list="Allowed IPs"
/ip firewall filter
add action=accept chain=input comment="allow ping from LAN B" disabled=\
yes dst-address=192.168.2.250 protocol=icmp src-address=192.168.2.0/24
add action=accept chain=forward comment=\
"allow traffic from LAN A 192.168.3.0 to printer IP 192.168.2.152 on LAN B" dst-address=\
192.168.2.152 src-address=192.168.3.0/24
add action=accept chain=forward comment=\
"allow traffic from LAN B printer IP 192.168.2.152 to LAN A" dst-address=\
192.168.3.0/24 src-address=192.168.2.152
add action=drop chain=forward comment=\
"drop all other traffic from LAN B 192.168.2.0/24" dst-address=\
192.168.3.0/24 src-address=192.168.2.0/24
add action=accept chain=input comment="winbox admin from WAN" dst-port=8291 \
protocol=tcp
add action=accept chain=input comment=\
"Accept connections TO router from allowed IPs" src-address-list=\
"Allowed IPs"
add action=drop chain=forward comment="Drop invalid packets THROUGH router" \
connection-state=invalid
add action=accept chain=forward comment="Accept new connections from LAN" \
connection-state=new in-interface=pppoe-out1
add action=accept chain=forward comment="Allow related connections" \
connection-state=related
add action=accept chain=forward comment="Allow established connections" \
connection-state=established
add action=drop chain=forward comment=\
"Drop all other traffic THROUGH the router" disabled=yes
add action=accept chain=input comment=\
"Allow etablished connections to the router" connection-state=established
add action=accept chain=input comment=\
"Allow related connections to the router" connection-state=related
add action=drop chain=input comment="Drop all other traffic TO the router"
add action=drop chain=forward comment="Drop invalid packets TO router" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow outgoing traffic" \
dst-address=0.0.0.0/0 out-interface=pppoe-out1
/ip service
set telnet disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name="MikroTik"
/system note
set note=\
"Authorised administrators only. Access to this device is monitored."
/system ntp client
set enabled=yes server-dns-names=us.pool.ntp.org,pool.ntp.org
Alright, there are some issues… You can’t just rely on a /24 network between the routers to route your traffic effectively. I created a rudimentary diagram to show how you can set this up and have it work. You can adjust the IPs as needed.
Now the ip route commands are probably not the correct syntax for Mikrotik, it should get you close. You have to inform the routers where to send packets. Instead of using IPs from your /24 LAN, we’ll use a different address space to keep things simple. This can be done with addresses from your LAN, just for now change it up. The “.1” and “.2” represent the last octect of that network address space going between the routers. When it comes to the routes, you have to point the traffic you are trying to reach to the remote or distance interface. Your firewall rules will still come into play, if you want to limit traffic into and out of the network.
Hopefully this makes more sense for you and you can quickly get things setup the way you want it.
Okay, no problem on the IPs. The information below is based on the diagram to keep things clear, change the IPs to meet your actual environment.
The /30 between them is important. Both routers will know of the directly connected route automatically. What you then do is add routing statements to send the traffic for the printer over that network.
For Mikrotik I think it would go like:
/ip route
add dst-address=192.168.3.0/24 gateway=ether3
The Juniper would be something like: (it’s been a long time since I touched a Juniper)
set static route 192.168.2.250/32 next-hop 192.168.5.1
Once you have the /30 configured between them, go ahead and ping the remote IP from each box. before we get into configuring routes and FW rules, lets make sure the basics are working.
If both ping successfully, move on to creating the static routes. You then want to test that by pinging the Printer’s IP address from the remote LAN. Now you want to add FW rules to limit traffic and test again to ensure you maintain the desired level of connectivity.
Revelation has explained to you how to do this.
I would add that on the MikroTik you should not use gateway=ether3 but use the IP of the Juniper in that field.
IP firewall rules are what you want them to be. You need to understand and setup that yourself, or else
you will have problems with this forever. Outsiders cannot know all your requirements. When you have no
requirements, you can just remove all forward rules.
I think I’ve got my head around this, but I have a problem: the administrators of the Juniper box have given me a fixed IP and basically said that I need to sort it out from there. Additionally, the Juniper side is a busy network for most hours so it’s difficult to get in and experiment for fear of crashing their network routing or something.
Is there any other way of achieving this just from the Mikrotik side?
I do appreciate you taking the time to contribute. I have done quite a bit of research and haven’t come up with anything particularly useful!
Since we only discussed static routes you can’t “crash their network routing.”
On the Juniper side, what is the IP of the interface that connects to the Mikrotik or is it setup as a switchport? Unless they intend for you to setup a NAT with their IP they will have to have some routing changes to point back to your network for relevant data flows.
Redo the diagram with the correct IPs and connection information so we can make sure we are talking “on the same page.”
I don’t see a diagram, could also be my work computer - they provide a POS.
I’m at work, so I cannot verify syntax. Basically the IP they provided will be assigned to your interface. You will then setup an ip route, if it is not added automatically, to reach all of the /24 address space using that IP / interface.
You will setup nat with masquerade using that IP. This will be in addition to your NAT for traffic leaving through your WAN. When I have a chance, after I am off of work, I will lab it up and see if there is any need for additional configs.
EDIT
You will probably want or need a firewall rule allowing your subnet to reach the printer IP via that NAT. That way only that specific traffic uses that NAT and for everything else the default route out through your WAN.
