Hello, I'm new to RouterOS and I have a question: how do I separate my homelab from my home network? I want to set up the router so that the homelab (192.168.1.1/24) is on eth2 and eth3 and home (192.168.2.1/24) is on eth4 and eth5. I created two bridges, set up DHCP servers, IP pools … Now the devices have internet, but pc1 in the home network (example 192.168.2.10) can log in to a server in the homelab network (server example IP 192.168.1.46) via SSH. What did I do wrong?
Hmm… firewall rules?
You don't need two bridges; use one bridge and VLANs for separation.
I’m with jvanhambelgium.
Bare minimum, firewall rules should be enough.
Even with 1 bridge.
(Router functions like DHCP etc. can be tied to the port connecting to the different subnet.)
VLANs are more elegant and easier for future expansion, true, but not always needed per se.
I am a very new guy; I tried VLANs and they broke my network. I'd like to use firewall settings, but how do I set them up between two bridges?
Edit: I set up these firewall rules:
- forward bridge -> bridge1 drop
- forward bridge1 -> bridge drop
Are these sufficient?
Perhaps begin with posting your config here so things are clearer:
/export file=anynameyouwish (minus router serial number and any public WANIP information)
I run three LANs on one router without VLANs. It shouldn’t be an issue for the OP.
I can send you a stale cookie… Of course it can be done; my angst was that he decided to use multiple bridges.
If one is going to do multiples of anything, it should be VLANs, that's all.
Concur, one could do multiple LANs without any bridge.
Now I am a little confused: is this configuration good or not? (For me it's working.) If not, tell me why and how to change it so that it is good.
I'm from Poland; in the config, dom means home and serwery means servers.
/interface bridge
add name=br_dom
add admin-mac=XX:XX:XX:XX auto-mac=no comment=defconf name=br_serwery
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"4 006 608 384" type=partition
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool2 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=br_dom name=dhcp1
add address-pool=dhcp_pool2 interface=br_serwery name=dhcp2
/port
set 0 name=serial0
/system logging action
set 0 target=disk
set 2 target=disk
/dude
set data-directory=usb1-part1/dude-data enabled=yes
/interface bridge port
add bridge=br_serwery comment=defconf interface=ether2
add bridge=br_serwery comment=defconf interface=ether3
add bridge=br_dom comment=defconf interface=ether4
add bridge=br_dom comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/interface list member
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=br_serwery network=\
192.168.1.0
add address=192.168.2.1/24 interface=br_dom network=192.168.2.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.2.253 client-id= mac-address=\
server=dhcp1
add address=192.168.1.2 client-id= mac-address=\
server=dhcp2
add address=192.168.1.3 client-id=\
mac-address=\
server=dhcp2
add address=192.168.1.164 client-id=\
mac-address=\
server=dhcp2
add address=192.168.1.174 client-id=\
mac-address=\
server=dhcp2
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add list=ddos-attackers
add list=ddos-targets
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=add-src-to-address-list address-list=bruteforce_blacklist \
address-list-timeout=1d chain=input comment=Blacklist connection-state=\
new dst-port=22 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 \
address-list-timeout=1h chain=input comment="Third attempt" \
connection-state=new dst-port=22 protocol=tcp src-address-list=\
connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
address-list-timeout=15m chain=input comment="Second attempt" \
connection-state=new dst-port=22 protocol=tcp src-address-list=\
connection1
add action=add-src-to-address-list address-list=connection1 \
address-list-timeout=5m chain=input comment="First attempt" \
connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
!bruteforce_blacklist
add action=accept chain=input comment="Porty VPN" dst-port=443 protocol=tcp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=drop chain=forward comment=VPN_SSTP_RULES dst-address=\
10.0.0.2-10.0.0.50 log=yes src-address=192.168.2.2-192.168.2.254
add action=drop chain=forward dst-address=192.168.2.2-192.168.2.254 log=yes \
src-address=10.0.0.2-10.0.0.50
add action=drop chain=forward dst-address=10.0.0.2-10.0.0.50 log=yes \
src-address=192.168.1.2-192.168.1.254
add action=drop chain=forward dst-address=192.168.1.2-192.168.1.254 log=yes \
src-address=10.0.0.2-10.0.0.50
add action=drop chain=forward comment=rozdzielenie_dom-vpn in-interface=\
br_dom out-interface=all-ppp
add action=drop chain=forward in-interface=all-ppp out-interface=br_dom
add action=drop chain=forward comment=rodzielenie_dom-lan in-interface=br_dom \
out-interface=br_serwery
add action=drop chain=forward in-interface=br_serwery out-interface=br_dom
add action=return chain=detect-ddos comment=ANTYDDOS dst-limit=\
32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp \
to-addresses=192.168.1.11
add action=dst-nat chain=dstnat dst-port=21 protocol=tcp to-addresses=\
192.168.1.3
add action=dst-nat chain=dstnat dst-port=25565-25567 protocol=tcp \
to-addresses=192.168.1.174
add action=dst-nat chain=dstnat dst-port=30120 protocol=tcp to-addresses=\
192.168.1.108
add action=dst-nat chain=dstnat dst-port=30120 protocol=udp to-addresses=\
192.168.1.108
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
192.168.1.174
add action=dst-nat chain=dstnat dst-port=6070 protocol=tcp to-addresses=\
192.168.1.164
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets \
src-address-list=ddos-attackers
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Mikro
/system note
set show-at-login=no
/system script
add dont-require-permissions=no name=script1 owner=polandlp policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall address-list\r\
\nadd address=0.0.0.0/8 comment=RFC6890 list=not_in_internet\r\
\nadd address=172.16.0.0/12 comment=RFC6890 list=not_in_internet\r\
\nadd address=192.168.0.0/16 comment=RFC6890 list=not_in_internet\r\
\nadd address=10.0.0.0/8 comment=RFC6890 list=not_in_internet\r\
\nadd address=169.254.0.0/16 comment=RFC6890 list=not_in_internet\r\
\nadd address=127.0.0.0/8 comment=RFC6890 list=not_in_internet\r\
\nadd address=224.0.0.0/4 comment=Multicast list=not_in_internet\r\
\nadd address=198.18.0.0/15 comment=RFC6890 list=not_in_internet\r\
\nadd address=192.0.0.0/24 comment=RFC6890 list=not_in_internet\r\
\nadd address=192.0.2.0/24 comment=RFC6890 list=not_in_internet\r\
\nadd address=198.51.100.0/24 comment=RFC6890 list=not_in_internet\r\
\nadd address=203.0.113.0/24 comment=RFC6890 list=not_in_internet\r\
\nadd address=100.64.0.0/10 comment=RFC6890 list=not_in_internet\r\
\nadd address=240.0.0.0/4 comment=RFC6890 list=not_in_internet\r\
\nadd address=192.88.99.0/24 comment=\"6to4 relay Anycast [RFC 3068]\" lis\
t=not_in_internet"
add dont-require-permissions=no name=script2 owner=polandlp policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall filter\r\
\nadd action=fasttrack-connection chain=forward comment=FastTrack connecti\
on-state=established,related\r\
\nadd action=accept chain=forward comment=\"Established, Related\" connec\
tion-state=established,related\r\
\nadd action=drop chain=forward comment=\"Drop invalid\" connection-state=\
invalid log=yes log-prefix=invalid\r\
\nadd action=drop chain=forward comment=\"Drop incoming packets that are n\
ot NATted\" connection-nat-state=!dstnat connection-state=new in-interface\
=ether1 log=yes log-prefix=!NAT\r\
\nadd action=drop chain=forward comment=\"Drop incoming from internet whic\
h is not public IP\" in-interface=ether1 log=yes log-prefix=!public src-ad\
dress-list=not_in_internet"
add dont-require-permissions=no name=script3 owner=polandlp policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall filter\r\
\nadd action=add-src-to-address-list address-list=bruteforce_blacklist add\
ress-list-timeout=1d chain=input comment=Blacklist connection-state=new ds\
t-port=22 protocol=tcp src-address-list=connection3\r\
\nadd action=add-src-to-address-list address-list=connection3 address-list\
-timeout=1h chain=input comment=\"Third attempt\" connection-state=new dst\
-port=22 protocol=tcp src-address-list=connection2,!secured\r\
\nadd action=add-src-to-address-list address-list=connection2 address-list\
-timeout=15m chain=input comment=\"Second attempt\" connection-state=new d\
st-port=22 protocol=tcp src-address-list=connection1\r\
\nadd action=add-src-to-address-list address-list=connection1 address-list\
-timeout=5m chain=input comment=\"First attempt\" connection-state=new dst\
-port=22 protocol=tcp\r\
\nadd action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
!bruteforce_blacklist"
add dont-require-permissions=no name=script4 owner=polandlp policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall address-list\r\
\nadd list=ddos-attackers\r\
\nadd list=ddos-targets\r\
\n/ip firewall filter\r\
\nadd action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresse\
s/10s\r\
\nadd action=add-dst-to-address-list address-list=ddos-targets address-lis\
t-timeout=10m chain=detect-ddos\r\
\nadd action=add-src-to-address-list address-list=ddos-attackers address-l\
ist-timeout=10m chain=detect-ddos\r\
\n/ip firewall raw\r\
\nadd action=drop chain=prerouting dst-address-list=ddos-targets src-addre\
ss-list=ddos-attackers"
I cut out some information; if you need it, say so.
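As an added example (not code from the thread or from MikroTik), here is a small Python audit that reads an export like the one above, rejoins the backslash-wrapped lines, parses the `/ip firewall filter` section, and reports for each direction between the two bridges whether a drop rule covering all new traffic comes before any broad accept. The embedded export is a constructed sample modelled on the posted config; the tcp/8080 pinhole to 192.168.1.174 is an assumed exception, and the segment names, bridge names and addresses are taken from the posted export.

```python
"""Audit a RouterOS export's forward chain for LAN-to-LAN isolation. Added
example for this thread (not the posters' or MikroTik's code): rejoins /export
line continuations, parses /ip firewall filter, and checks rule ORDER."""
import ipaddress
import shlex

# Constructed sample modelled on the posted config; the tcp/8080 pinhole is assumed.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="home may reach lab web UI" \
    dst-address=192.168.1.174 dst-port=8080 in-interface=br_dom \
    out-interface=br_serwery protocol=tcp
add action=drop chain=forward comment=rozdzielenie_dom-lan in-interface=br_dom \
    out-interface=br_serwery
add action=drop chain=forward dst-address=192.168.2.2-192.168.2.254 \
    src-address=192.168.1.2-192.168.1.254
"""
# Same chain with a blanket accept above the drops, so new flows never reach them.
SAMPLE_LEAKY = SAMPLE_EXPORT.replace(
    'add action=drop chain=forward comment="Drop invalid"',
    'add action=accept chain=forward comment="allow everything"\n'
    'add action=drop chain=forward comment="Drop invalid"', 1)
# Matchers that make a rule narrower than "all traffic between two segments".
NARROWING = ("protocol", "src-port", "dst-port", "src-address-list", "dst-address-list",
             "in-interface-list", "out-interface-list", "connection-nat-state")

class Segment:
    """One LAN: bridge name and the host range, minus the router's own address."""
    def __init__(self, name, iface, network, gateway):
        self.name, self.iface = name, iface
        net, gw = ipaddress.ip_network(network), int(ipaddress.ip_address(gateway))
        lo, hi = int(net.network_address) + 1, int(net.broadcast_address) - 1
        self.hosts = (lo + (gw == lo), hi - (gw == hi))

def join_continuations(text):
    """Rejoin lines that /export wrapped with a trailing backslash."""
    logical, buf = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("\\"):
            buf += line[:-1]
        elif buf + line:
            logical.append(buf + line)
            buf = ""
    return logical

def parse_filter_rules(text):
    """Return the /ip firewall filter rules as key->value dicts, in chain order."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            # shlex keeps quoted values such as comment="Drop invalid" in one token
            rules.append(dict(t.partition("=")[::2] for t in shlex.split(line[4:])))
    return rules

def covers(spec, hosts):
    """Does an address matcher (a.b.c.d, a.b.c.d/n or a.b.c.d-e.f.g.h) contain hosts?"""
    if spec.startswith("!"):  # negated matcher: never claim full coverage
        return False
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(a)) for a in spec.split("-", 1))
    else:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    return lo <= hosts[0] and hosts[1] <= hi

def matches_all_new(rule, src, dst):
    """True if every *new* src->dst connection would hit this rule."""
    if any(k in rule for k in NARROWING):
        return False
    states = rule.get("connection-state")
    if states and "new" not in states.split(","):
        return False
    checks = ((rule.get("in-interface"), lambda v: v == src.iface),
              (rule.get("out-interface"), lambda v: v == dst.iface),
              (rule.get("src-address"), lambda v: covers(v, src.hosts)),
              (rule.get("dst-address"), lambda v: covers(v, dst.hosts)))
    return all(ok(v) for v, ok in checks if v is not None)

def audit(rules, src, dst):
    """Walk chain=forward top to bottom: index of the first drop covering src->dst,
    and of any covering accept above it (which would let new flows through)."""
    forward = [r for r in rules if r.get("chain") == "forward"]
    drop_at = leak_at = None
    for i, rule in enumerate(forward):
        if not matches_all_new(rule, src, dst):
            continue
        if rule.get("action") == "drop":
            drop_at = i
            break  # everything below is shadowed for this direction
        if rule.get("action") in ("accept", "fasttrack-connection") and leak_at is None:
            leak_at = i
    return {"direction": f"{src.name}->{dst.name}", "drop_at": drop_at,
            "leak_at": leak_at, "isolated": drop_at is not None and leak_at is None}

HOME = Segment("dom", "br_dom", "192.168.2.0/24", "192.168.2.1")
LAB = Segment("serwery", "br_serwery", "192.168.1.0/24", "192.168.1.1")
```

Run `audit(parse_filter_rules(open("export.rsc").read()), HOME, LAB)` against a real export to get the index of the separating drop and of any blanket accept that shadows it. The forward chain in RouterOS ends without an implicit drop, so `drop_at: None` means the two bridges can reach each other, which is the state the original question describes. Rules narrowed by protocol, port or address list are treated as deliberate pinholes and never count as leaks; a `connection-state=established,related` accept above the drops is also fine, since it only passes replies of flows that were already allowed.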
Hmm, a lot of various rules, not per se “bad”, but it doesn’t make things easy to follow.
Some forum member will tell you this is a very messy config.
Anyway, your question was about flows between 192.168.2.x (home network) and 192.168.1.x (homelab server) that should be blocked, right?
(In both directions?)
Why not simply add them? You can optionally specify the “bridge” where the packets arrive, but you don’t need that.
Rules like this should be enough.
Adding such a rule will effectively block any traffic between the segments, 192.168.1.x towards 192.168.2.x.
(You could also make a rule below this in the opposite direction.)
add action=drop chain=forward dst-address=192.168.2.2-192.168.2.254 log=yes
src-address=192.168.1.2-192.168.1.254
Best is to place this rule at the very top of the forward chain and check whether the packet counter increases. It should work.
OK, it works now. But can you tell me why, when I forward port 80, Linux can't find a server to update from, and I can't test the network with a speed test (it can't find servers when I forward port 8080)?
Where do you want to forward the port? From the Internet? Internally, between 192.168.1.x and 192.168.2.x, you do not need to forward ports (under the NAT tab in Firewall); you simply need to make a firewall rule to ALLOW it through (and of course above the rules where you block all further communication).
Please be a bit more specific and clear about what you are trying to achieve. A simple schematic also helps a lot.
I also see in your config :
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
So you don’t have a PUBLIC IP on your own router? Because you default-route upstream to some other 192.168.88.x node. What is that? You only spoke about two LANs, 192.168.1.x and 192.168.2.x, before.
Port-forwarding from Internet to a server on your internal network only works if you CONTROL the upstream-router and can “punch” a hole over there.
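Pulling together the two points made above, placing the separating drops early in the forward chain and allowing internal traffic with a plain filter accept rather than a NAT rule, here is an added example of a complete forward chain for the two-bridge layout. It is illustrative, not the poster's export: the tcp/8080 pinhole to 192.168.1.174 is an assumed service and the log prefixes are made up.

```routeros
# Added example, not the poster's config. Two bridges: br_dom (home,
# 192.168.2.0/24) and br_serwery (lab, 192.168.1.0/24). Order matters:
# RouterOS evaluates top to bottom and the forward chain has no final drop.
/ip firewall filter
# 1. stateful accepts first, so replies of allowed flows (and fasttrack) pass
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related comment="established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 2. explicit LAN-to-LAN exceptions go ABOVE the separation drops; no NAT is
#    involved for internal traffic (assumed example: home -> lab web UI)
add chain=forward action=accept in-interface=br_dom out-interface=br_serwery \
    protocol=tcp dst-address=192.168.1.174 dst-port=8080 comment="home -> lab tcp/8080"
# 3. separation, both directions; connection-state=new keeps these rules from
#    eating reply packets even if someone later moves them above step 1
add chain=forward action=drop in-interface=br_dom out-interface=br_serwery \
    connection-state=new log=yes log-prefix=dom2lab comment="separation dom->lab"
add chain=forward action=drop in-interface=br_serwery out-interface=br_dom \
    connection-state=new log=yes log-prefix=lab2dom comment="separation lab->dom"
# 4. check: the two drop counters climb when pc1 retries ssh to the server,
#    and the log shows the dropped SYNs
/ip firewall filter print stats where chain=forward
/log print where message~"dom2lab"
```

Two design choices worth noting. Interface matchers are used instead of the address ranges quoted earlier: a host on br_dom that gives itself a source address outside 192.168.2.2-192.168.2.254 would not match a range-based rule but is still forwarded by the router, while it can never escape in-interface=br_dom. And if the separation drops are put at the very top of the chain without connection-state=new, they also drop the return half of any flow the pinhole allowed, so either keep the established,related accept above them, as here, or restrict the drops to new connections.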
If you have WebFig or Let’s Encrypt (automatic TLS cert renewal) enabled on the router, that will interfere with port forwarding on port 80, as it uses the same port.
You’ve limited me to this speculation by not including the “/ip service” info in your configuration posting above. With it, I could’ve checked my guess before posting. Ahem.
Sorry for all the misunderstandings, but I asked this question in the wrong topic. The topic about the two LANs is finished now; I need to forward a port to the internet, but that is not this topic.