Two LANs bridged, change default gateway

Hi all,
I’ll try to explain my situation:
LAN1 with DHCP server (Win2008 server), connected to RB450 ether2.
On this RB, ether2 is bridged with eoip-tunnel1.

LAN2 with only some client PCs (Windows) connected to RB750 ether2.
Here too, ether2 is bridged with eoip-tunnel1.

The EoIP tunnel is obviously made over the internet between these two devices.

Now all is working great! On LAN2 I can work like I’m on LAN1, only one issue:
Default gateway (of course) is RB450 on LAN1 (this is assigned by DHCP).

Could I intercept on RB750 (LAN2) packets directed to the internet (or to RB450 for routing) and redirect them directly to the internet and not inside the tunnel?

I hope I explained in a decent way :wink:

Thank you in advance!
Denis

You want to use RB450 as a gateway for LAN2 and browsing of the internet on LAN2 only through RB450... Correct?

I want to use RB450 (LAN1) as the gateway for LAN1 (it is the default gateway from DHCP). But on LAN2 I want to browse the internet through RB750.

Don’t know whether it works or not, but you can try configuring a routing policy

in which dst-address=!LAN1 traffic will go through the RB750 ISP; otherwise go to the LAN1 gateway.

The architecture question: why do you bridge those 2 LANs in separate buildings together? Are there any special applications that need this? This is bad, because network broadcasts/multicasts traveling between buildings consume your bandwidth… Usually a routed VPN is used in such cases.
You must create bridge NAT rules.
You can use something like this on RB750 (replace bridge1 with the name of your bridge and 12:34:56:78:90:12 with the MAC address of the bridge on RB450):

/interface bridge nat add chain=dstnat in-bridge=bridge1 in-interface=ether2 dst-mac-address=12:34:56:78:90:12/ff:ff:ff:ff:ff:ff action=redirect
/interface bridge nat add chain=dstnat in-bridge=bridge1 in-interface=eoip-tunnel1 src-mac-address=12:34:56:78:90:12/ff:ff:ff:ff:ff:ff action=redirect

/ip firewall filter add chain=output protocol=icmp icmp-options=5 action=drop

Notice the last line; it will protect hosts from ICMP redirect messages.

Also, you may want to add another bridge source NAT rule with action arp-reply to make your LAN2 internet connection independent of the VPN with LAN1. And even with this rule you still won’t be able to resolve DNS on LAN2 without the VPN to LAN1…
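As an added example (not the configuration of anyone in this thread), here is how the two bridge NAT rules above fit into a complete RB750 configuration that also gives LAN2 its own path to the internet: a WAN address on ether1, a default route, masquerade, and the ICMP-redirect filter. The interface names (ether1 as the RB750 WAN port), the addresses 203.0.113.10/24 and 203.0.113.1 for the WAN side, 192.168.1.0/24 for the bridged LAN, and the MAC addresses 00:0c:42:aa:bb:cc (RB450 bridge) and 00:0c:42:dd:ee:ff (RB750 bridge1) are all assumptions to be replaced with your own values. The arp-reply rule is my reading of the last suggestion: it is placed in the dstnat chain, where RouterOS accepts that action, and matches the ARP request for the gateway IP; verify the matcher names against the bridge NAT documentation of your RouterOS version.

```routeros
# Added example: RB750 (LAN2 side) configuration combining the thread's bridge NAT
# rules with a local internet path. Names and addresses below are assumptions:
#   ether1            = RB750 WAN (ISP) port, ISP gateway 203.0.113.1
#   ether2            = LAN2 port, bridged with eoip-tunnel1 in bridge1
#   bridge1           = gets 192.168.1.2/24 on RB750; RB450 is 192.168.1.1 on the same subnet
#   00:0c:42:aa:bb:cc = MAC of RB450's bridge (the default gateway handed out by DHCP)
#   00:0c:42:dd:ee:ff = MAC of bridge1 on this RB750

# WAN side: ISP address, default route out of ether1, LAN2 hosts masqueraded behind it.
/ip address add address=203.0.113.10/24 interface=ether1
/ip address add address=192.168.1.2/24 interface=bridge1
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Bridge NAT (the two rules from the thread): frames from LAN2 hosts addressed to
# RB450's MAC are redirected to bridge1's own MAC, so RB750 routes them locally
# instead of bridging them into the tunnel. The second rule applies the same
# redirect to frames that RB450 itself sends through the tunnel.
/interface bridge nat add chain=dstnat in-bridge=bridge1 in-interface=ether2 \
    dst-mac-address=00:0c:42:aa:bb:cc/ff:ff:ff:ff:ff:ff action=redirect
/interface bridge nat add chain=dstnat in-bridge=bridge1 in-interface=eoip-tunnel1 \
    src-mac-address=00:0c:42:aa:bb:cc/ff:ff:ff:ff:ff:ff action=redirect

# Assumed reading of the arp-reply suggestion: answer ARP requests from LAN2 hosts
# for the gateway IP with bridge1's own MAC, so hosts keep a usable gateway entry
# even while the EoIP tunnel (and therefore RB450) is unreachable.
/interface bridge nat add chain=dstnat in-bridge=bridge1 in-interface=ether2 \
    mac-protocol=arp arp-opcode=request arp-dst-address=192.168.1.1 \
    action=arp-reply to-arp-reply-mac-address=00:0c:42:dd:ee:ff

# Drop ICMP redirects (type 5, any code) that RB750 would otherwise generate when it
# routes traffic back onto the subnet it arrived from; without this, LAN2 hosts
# could be told to send internet traffic to RB450 across the tunnel again.
/ip firewall filter add chain=output protocol=icmp icmp-options=5:0-255 action=drop
```

Apply the rules in this order so that the masquerade and default route exist before the redirect starts steering LAN2 traffic to RB750. As the reply above notes, name resolution still depends on the DNS server that DHCP on LAN1 hands out, so with the tunnel down LAN2 hosts have a working gateway but no DNS unless they are given a different resolver.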

Hi, yes, I know that a bridge is not a good thing over the internet, but…
it’s a very small network, broadcast is limited, and users don’t notice any difference; in the end it’s only a temporary solution.
Apart from this, your two rules work very well!!!
Thank you a lot!
Now I’ll understand what arp-reply is and then I’ll implement that too.

Thank you again!