Traffic between 2 subnets

Hi,

I’m working on my lab where I have ROS 6.48.1.
Before I had one subnet for all, wifi guest clients and my lab servers. What I did now is separate those with different subnets.

What I did:
-Added new bridge - WIFI
-added new ip pool (10.10.10.10-10.10.10.254)
-added new gw address for that pool - 10.10.10.1
-added dhcp-server for that address pool
-added wifi1 interface from bridge_local to new WIFI bridge

Reconnected/renewed leases for wifi clients, they are now receiving new IPs.

But in some cases I still need communication between 192.168.88.0/24 and 10.10.10.0/24. For example I have a debian server on 192.168.88.150 and want to communicate to a smart home GW which is on 10.10.10.121.
I added a static route on debian server to 10.10.10.0/24 via gw 192.168.88.1
I tried with FW rules on Mikrotik to allow traffic to 10.10.10.0/24 from 192.168.88.150/32
Added static routes on Mikrotik from WIFI bridge to bridge_local and vice versa


I probably did a stupid fail somewhere in between or I misexplained to myself what I want.

Bottom line, wifi clients should be on 10.10.10.0/24, Ethernet clients on 192.168.88.0/24, and still some traffic communication between them.

I apologize if I (probably) opened a new topic which was already discussed.

Br,
Mario

Hosts in both subnets should not need any special setup (e.g. static route) if your RB is default gateway for both subnets. You probably need to adjust other settings on RB device, such as firewall settings, interface list memberships etc. It’s hard to tell what and how without seeing your current settings. Execute /export hide-sensitive file=anynameyouwish in terminal window, fetch resulting file to management PC, open it in a text editor, redact public IP address (if it’s present in export), wireless passwords. Then post it in [code] [/code] environment.

I made a backup of what I configured so far and after that reverted routeros to normal working condition.

Can I extract required info from backup file?

Thanks

No, you can’t “see” what’s in backup file. Configuration export created by executing /export file=myexport.rsc is, OTOH, plain text file and you can easily use its contents when doing some configuration … If you only have backup file, you’ll have to restore device configuration from it, make text export and reset device to factory default again.

No need for factory default - backup the current state, restore the previous backup, export the configuration, restore the fresh backup.

this should be ok
last action was removal of static routes

# mar/07/2021 15:39:12 by RouterOS 6.48.1
# software id = LISM-E5E5
#
# model = 951G-2HnD
# serial number = 4F4504F68719
/interface bridge
add igmp-snooping=yes mtu=1500 name=IPTV
add name=WIFI
add admin-mac=4C:5E:0C:3D:47:87 auto-mac=no fast-forward=no mtu=1500 name=\
    bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=uplink name=ether1-gateway speed=\
    100Mbps
set [ find default-name=ether2 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full comment=Edimax name=\
    ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full comment=IPTV name=\
    ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] comment="philips hue" name=\
    ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] comment=Switch name=ether5-slave-local \
    speed=100Mbps
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=slovenia disabled=no \
    distance=indoors frequency=2472 mode=ap-bridge ssid=MikroTik-3D478B \
    station-roaming=enabled wireless-protocol=802.11
/interface vlan
add interface=ether1-gateway name=DATA-60 vlan-id=60
add interface=ether1-gateway name=IPTV-62 vlan-id=62
add interface=ether5-slave-local name=IPTV-SW-102 vlan-id=102
add interface=ether1-gateway name=MGMT-4010 vlan-id=4010
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).*\$"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=wifi ranges=10.10.10.10-10.10.10.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge-local lease-time=3d name=default
add address-pool=wifi disabled=no interface=WIFI lease-time=1w name=WIFI
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
set 3 remote=192.168.88.150
add disk-file-name=pptp.txt name=pptp target=disk
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=WIFI interface=wlan1
add bridge=bridge-local hw=no interface=ether5-slave-local
add bridge=IPTV interface=IPTV-62
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether3-slave-local
add bridge=IPTV interface=IPTV-SW-102
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1-gateway list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge-local list=discover
add interface=pppoe-out1 list=discover
add interface=MGMT-4010 list=discover
add list=discover
add interface=torguard list=discover
add interface=IPTV-62 list=discover
add interface=IPTV list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.88.0
add address=10.10.10.1/24 interface=WIFI network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.10.10.0/24 comment=wifi gateway=10.10.10.1 netmask=24
add address=192.168.88.0/24 comment="default configuration" gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.150 name=tiny.lan
add address=192.168.88.99 name=switch.lan
add address=192.168.88.125 name=edimax.lan
/ip firewall address-list
add address=192.168.88.155 list=VPN
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=52.58.164.25 \
    dst-port=19000 protocol=tcp src-address=192.168.88.131
add action=accept chain=forward disabled=yes dst-address=35.156.84.163 \
    dst-port=19001 protocol=tcp src-address=192.168.88.131
add action=accept chain=forward disabled=yes dst-address=134.119.0.0/16 \
    dst-port=19005 protocol=tcp src-address=192.168.88.131
add action=accept chain=forward disabled=yes dst-address=8.8.0.0/16 protocol=\
    udp src-address=192.168.88.131
add action=drop chain=forward dst-address=!192.168.0.0/16 src-address=\
    192.168.88.129
add action=drop chain=forward dst-address=!192.168.0.0/16 src-address=\
    192.168.88.121
add action=drop chain=forward disabled=yes dst-address=!192.168.0.0/16 \
    log-prefix=ipcdrop src-address=192.168.88.131
add action=accept chain=forward dst-address=193.2.1.117 src-address=\
    192.168.88.125
add action=accept chain=forward dst-address=8.8.0.0/16 src-address=\
    192.168.88.125
add action=drop chain=forward dst-address=!192.168.0.0/16 log-prefix=edimax \
    src-address=192.168.88.125
add action=accept chain=forward dst-address=10.10.10.0/24 src-address=\
    192.168.88.150
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established
add action=accept chain=input comment="default configuration" \
    connection-state=related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=input in-interface=DATA-60 protocol=icmp
add action=accept chain=input comment="Accept established connections" \
    connection-state=established
add action=accept chain=input comment="Accept related connections" \
    connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment=UDP protocol=udp
add action=accept chain=input comment="Allow limited pings" limit=50/5s,2 \
    protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment="SSH for secure shell" disabled=yes \
    dst-port=22 protocol=tcp
add action=accept chain=input comment=winbox disabled=yes dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="From Amis API" src-address=10.250.0.5
add action=accept chain=input disabled=yes in-interface=IPTV protocol=icmp
add action=accept chain=input comment="From our private LAN" src-address=\
    192.168.88.0/24
add action=accept chain=input src-address=10.10.10.0/24
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=forward comment=facebook disabled=yes \
    layer7-protocol=facebook src-address=192.168.88.253
add action=reject chain=forward disabled=yes layer7-protocol=facebook \
    reject-with=icmp-network-unreachable
add action=log chain=input comment="Log everything else" log-prefix=\
    "DROP INPUT"
add action=drop chain=input comment="Drop everything else"
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark="VPN - torguard" \
    passthrough=yes src-address-list=VPN
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=DATA-60 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=torguard
add action=masquerade chain=srcnat disabled=yes out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="Plex Remote" disabled=yes dst-port=\
    45554 protocol=tcp src-address=188.64.31.76 to-addresses=192.168.88.150 \
    to-ports=32400
add action=dst-nat chain=dstnat disabled=yes dst-port=32400 in-interface=\
    DATA-60 protocol=tcp to-addresses=192.168.88.150 to-ports=32400
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add check-gateway=ping disabled=yes distance=1 gateway=torguard routing-mark=\
    "VPN - torguard"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,10.250.0.5/32,192.168.89.0/24,10.10.10.0/24 \
    port=8080
set ssh address=10.250.0.5/32,192.168.88.0/24
set www-ssl address=\
    192.168.88.0/24,10.250.0.5/32,192.168.89.0/24,10.10.10.0/24 certificate=\
    router.lan.pem_0 disabled=no port=8443
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp secret
add name=vpn
/snmp
set contact=router enabled=yes location=v91
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Ljubljana
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set MGMT-4010 disabled=yes display-time=5s
set IPTV-SW-102 disabled=yes display-time=5s
set IPTV-62 disabled=yes display-time=5s
set DATA-60 disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1-gateway disabled=yes display-time=5s
set ether2-master-local disabled=yes display-time=5s
set ether3-slave-local disabled=yes display-time=5s
set ether4-slave-local disabled=yes display-time=5s
set ether5-slave-local disabled=yes display-time=5s
set pppoe-out1 disabled=yes display-time=5s
set torguard disabled=yes display-time=5s
set bridge-local disabled=yes display-time=5s
set IPTV disabled=yes display-time=5s
set WIFI disabled=yes display-time=5s
/system leds
set 0 interface=wlan1
/system logging
add action=pptp disabled=yes prefix=PPTP topics=pptp
add
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=warning
add action=remote topics=error
add action=remote disabled=yes topics=pppoe
/system ntp client
set enabled=yes primary-ntp=193.2.1.117 secondary-ntp=193.2.1.92
/system scheduler
add disabled=yes interval=30s name=IPC on-event=streaming policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add disabled=yes interval=12h name=email_notify on-event=\
    fw_filter_email_notify policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/25/2018 start-time=08:00:00
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon port
add
/tool sniffer
set file-limit=30000KiB filter-mac-address=\
    90:F8:91:B0:1A:43/FF:FF:FF:FF:FF:FF filter-stream=yes memory-scroll=no \
    streaming-enabled=yes streaming-server=192.168.88.153
/tool user-manager database
set db-path=user-manager1

Any idea what I missed? I used some posts on this forum as guidance.

Thanks

A bit complicated for me in that I don't have any vlans associated with my ethernet port to the ISP modem for the purposes of IPTV.
I do have a vlan associated with my WAN port but it is not attached to my bridge, it only is visible in my DHCP client and stops there and its master interface is the etherport.
WHY DO you have management vlan associated with ether1 AND a data vlan on ether1.
So confusing!!
Also most here are a proponent of a single bridge!

(1) I am guessing that IPTV is a different beast and needs to be part of the bridge but how?
What I would do is associate those vlans with the bridge and the management vlan? to ether1 and dhcp client settings.
/interface vlan
add interface=ether1-gateway name=DATA-60 vlan-id=60 ??? PURPOSE??
add interface=one_bridge name=IPTV-62 vlan-id=62
add interface=one_bridge name=IPTV-SW-102 vlan-id=102
add interface=ether1-gateway name=MGMT-4010 vlan-id=4010 ??? PURPOSE??

What I can say is definitely wrong is associating vlans in the bridge port settings, they are not bridge ports (only physical ports and WLANS count)
/interface bridge port
add bridge=IPTV interface=IPTV-62
add bridge=IPTV interface=IPTV-SW-102

Finally, I don’t see corresponding bridge vlan rules so a whole section of configuration is missing.

Lots of work to do on firewall rules… but first need to sort out the above.

Normally one does ALL input chain and the forward chain but as long as they are grouped together that's good. Removed fluff including all the forward chain rules that looked like dst nat rules.

/ip firewall filter
{input chain}
add action=accept chain=input comment="default configuration" connection-state=established
add action=accept chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow Admin access" in-interface=bridge src-address-list=adminIPs
add two RULES FOR ALL USERS TO ACCESS DNS service on the router tcp&udp
add rule for all users to access NTP service on the router
add action=drop chain=input comment="Drop All else"

One should add the admin access rule First and the last rule otherwise you will lock yourself out of the router.
/ip firewall address-list
add address=IPofadminDesktop list=adminIPs
add address=IPofadminLaptop list=adminIPs
add address=IPofIpad list=adminIPs
add address=IPofsmartphone list=adminIPs
(assumed these have been made static entries in your dhcp server lease list).

The above last rule will stop all other traffic from occurring to or from the router.

{forward chain}
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
ADD RULES FOR USERS TO ACCESS INTERNET (all users LAN to WAN etc.)
ADD RULES FOR USERS TO ACCESS SHARED DEVICES ( one vlan access to a shared printer on another vlan for example)
add action=log chain=forward comment="Log everything else" log-prefix="DROP FORWARD"
add action=drop chain=forward comment="Drop everything else"
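Added example, not from the thread or from MikroTik: a small first-match evaluator for the forward chain, fed with the forward rules from the export posted above (constructed sample, kept in the export's own syntax) and with the same chain closed by the "drop all else" rule suggested above. It shows why 192.168.88.150 to 10.10.10.0/24 is already accepted by the explicit rule, and that a new connection from the wifi side is accepted by the posted chain (no final drop) but dropped once the chain is closed unless a matching accept is added before the drop.

```python
import ipaddress
import re
import shlex

# Constructed sample: the forward-chain rules from the posted export, in their
# original order and with the export's backslash line continuations.
EXPORT_FORWARD = r"""
add action=drop chain=forward dst-address=!192.168.0.0/16 src-address=\
    192.168.88.129
add action=accept chain=forward dst-address=10.10.10.0/24 src-address=\
    192.168.88.150
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
"""

# Constructed sample: the same chain closed with an explicit final drop, as in
# the "drop all else" layout suggested in the reply above.
CLOSED_FORWARD = EXPORT_FORWARD + 'add action=drop chain=forward comment="Drop all else"\n'

def parse_rules(export_text):
    """Parse the 'add key=value ...' lines of a RouterOS firewall export.
    Continuation lines are joined first; shlex keeps quoted values intact."""
    joined = re.sub(r"\\\n\s*", "", export_text)
    rules = []
    for line in joined.splitlines():
        parts = shlex.split(line)
        if parts and parts[0] == "add":
            rules.append(dict(p.split("=", 1) for p in parts[1:] if "=" in p))
    return rules

def _addr_match(spec, ip):
    """src-/dst-address matcher; a leading '!' negates the match."""
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def verdict(rules, chain, src, dst, conn_state="new"):
    """Action of the first enabled matching rule in `chain`, or 'accept' when
    nothing matches (a RouterOS built-in chain has no implicit final drop)."""
    for r in rules:
        if r.get("chain") != chain or r.get("disabled") == "yes":
            continue
        if "src-address" in r and not _addr_match(r["src-address"], src):
            continue
        if "dst-address" in r and not _addr_match(r["dst-address"], dst):
            continue
        if "connection-state" in r and conn_state not in r["connection-state"].split(","):
            continue
        return r["action"]
    return "accept"

if __name__ == "__main__":
    posted, closed = parse_rules(EXPORT_FORWARD), parse_rules(CLOSED_FORWARD)
    # debian -> smart home GW: accepted by the explicit rule in both layouts
    print(verdict(posted, "forward", "192.168.88.150", "10.10.10.121"))
    # new connection from the wifi side: accepted by the open chain, dropped once closed
    print(verdict(posted, "forward", "10.10.10.121", "192.168.88.150"))
    print(verdict(closed, "forward", "10.10.10.121", "192.168.88.150"))
```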

Hi,

Sorry for late reply. Just too busy all the time…

WHY DO you have management vlan associated with ether1 AND a data vlan on ether1.

I work for an ISP, MGMT vlan is for remote management purposes. If you got a laptop with no ETH port, sometimes you need to be creative. :slight_smile:
DATA vlan is for internet access as the description suggests.

(1) I am guessing that IPTV is a different beast and needs to be part of the bridge but how?
What I would do is associate those vlans with the bridge and the management vlan? to ether1 and dhcp client settings.
/interface vlan
add interface=ether1-gateway name=DATA-60 vlan-id=60 ??? PURPOSE??
add interface=one_bridge name=IPTV-62 vlan-id=62
add interface=one_bridge name=IPTV-SW-102 vlan-id=102
add interface=ether1-gateway name=MGMT-4010 vlan-id=4010 ??? PURPOSE??

As said. DATA-60 for DATA access over ISPs DHCP, MGMT vlan for remote management in case I cut myself out of wifi access.
IPTV-62 and IPTV-102 are IPTV vlans. Vlan62 is in trunk on uplink side, eth1. Vlan102 I added (got it working that way, hope it’s the correct way) as vlan that I use further on a mikrotik switch. Vlan interface is on ETH5 which I have as uplink for switch. Default vlan is data, iptv is tagged on switch.

So basic config is ok and in my case I need to tweak only the FW rules?

Thanks!