Two routers and two subnets on local network

I have a main router that connects to the ISP and also has a few computers connected to it…
I connected a Mikrotik Hap AC2 as an additional router to this one, using the first port on the Mikrotik.

Main router has a subnet like 192.168.1.1
Mikrotik router has a subnet like 192.168.2.1

I noticed that ports/services like the web interface of the Mikrotik cannot be accessed by devices from the other / main subnet, unless I change the “eth1” interface list to “LAN” (from the default “WAN”).

  • Is that correct / normal?
  • What does that do? Does it automatically change some firewall rules?
  • Also, with this configuration, is it correct to use mask 255.255.255.0 on the main router under “network > lan”? It doesn’t need 255.255.0.0, correct?

Not important: I also set static “routes” on the main router telling devices on the main router to find Mikrotik’s subnet using Mikrotik’s IP from the main router.

Yes, it’s normal. In the default firewall, some rules reference interface lists. The idea behind that is to not have interfaces hardcoded in firewall rules, so if you change something (use a different WAN port, add another LAN, etc.), you update only the interface list and don’t have to touch the firewall rules.

The WAN port is normally connected to the internet and you don’t want anyone from there connecting to services on the router. If in your case it’s connected to another LAN, and you trust it as much as you trust the other LAN behind the router, then moving ether1 from the “WAN” list to the “LAN” list is correct. If you’d like different rules for this LAN, you can add another list (“LAN” and “WAN” are just names, you can have any other you like), put the interface in there and then add firewall rules for this list.

If the first LAN should have addresses 192.168.1.x and the second one 192.168.2.x (with x = 1-254), then 255.255.255.0 is correct.

And the static route to the second LAN on the main router is not “not important”. You need it for devices in the first LAN to be able to reach the other LAN.
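The "add another list" option from the reply above, as an added RouterOS example that is not part of the original posts: ether1 goes into its own list and only router management from the main subnet is accepted on it. It assumes the uplink is ether1, the main LAN is 192.168.1.0/24, and the default ("defconf") rule comments are unchanged; the list name MAINLAN is hypothetical.

```routeros
# Added example, not from the thread. Assumptions: uplink port ether1,
# main LAN 192.168.1.0/24, default "defconf" firewall rules still in place.
# "MAINLAN" is a hypothetical list name.

# 1. Inspect: which list is ether1 in, and which input rules use lists?
/interface list member print where interface=ether1
/ip firewall filter print where chain=input

# 2. Create a dedicated list and move ether1 from WAN into it.
#    It is deliberately NOT added to LAN, so the default rule
#    "drop all not coming from LAN" still applies to it.
/interface list add name=MAINLAN comment="uplink to main router LAN"
/interface list member remove [find where interface=ether1 list=WAN]
/interface list member add list=MAINLAN interface=ether1

# 3. Accept only the web interface (80) and WinBox (8291) from the
#    main subnet. The rule must sit above the default drop rule,
#    because the input chain is evaluated top to bottom.
/ip firewall filter add chain=input action=accept protocol=tcp \
    dst-port=80,8291 src-address=192.168.1.0/24 \
    in-interface-list=MAINLAN \
    place-before=[find where comment="defconf: drop all not coming from LAN"] \
    comment="management from main LAN only"

# 4. Verify rule order and packet counters after a test connection.
/ip firewall filter print stats where chain=input
```

Once ether1 is out of the WAN list, the default masquerade rule (out-interface-list=WAN) no longer applies to it, so traffic between the two subnets is routed rather than NATed and depends on the static route on the main router.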

Thank you.
I meant “not important” for the question, but as you confirmed, it is critical for the first subnet to see the other.

One more: On Mikrotik’s end, the routes to the other subnet were added automatically from what I can tell (and marked as “Dynamic”).
How did it do that? Is it because it got an IP from the DHCP of the main router?