Two Separate LAN Networks Behind One RB750 ?

Dear Forum.

I hope you are able to assist me in this matter.

Is it possible to run two separate LAN networks behind a Mikrotik RB750r2 (hEX) ?

The computers on each network should not be able to communicate with each other at all but the Routerboard should work as an internet gateway for both networks.

Is it possible?

I have attached a rough drawing of my network. On this you can see all network clients are running on same IP range + Subnet besides the “Server 3” which is the server I would like to run on a separate network with no possibility of seeing the clients already connected.

Is this possible in an easy way ?

Thank you for your help forum and have a nice weekend.

Martin B.
Drawing1.pdf (228 KB)

I would suggest creating a VLAN (for the servers) to separate the networks.
Don’t forget a firewall rule that drops any traffic between the two.

What have you tried so far?

Thank you for the answer!

I have done nothing at all yet just wanted to ask about easy solutions before trying anything.

My first idea was to create a separate subnet for the server or use 10.x.x.x ip address for the server and 192.168.x.x address for the current network.

I will work on the VLAN now to see if it will work out good.

Thanks!

By adding a simple rule to Firewall you can disable communication between all devices on those networks. If you decide for that solution I will show you the way.
Other way is like someone before me said, just add VLAN tagging for each network and you will be fine.

You can remove port 3 or 4 from the master switch. Select none at interface. Doing this you can set a DHCP server for every network without conflicts and can do some more.

Remember not to use the same cables in the 24-port switch. For server 3 use a separate switch. If you need to use the same one, use VLAN.

Hi Guys!

I decided to give the VLAN solution a try and fought with it all night with no success.

Now I am trying to understand how the VLAN ideology works.

I found this guide: http://wiki.mikrotik.com/wiki/Vlans_on_Mikrotik_environment

According to the information provided on that page, it seems like when it comes down to VLAN you would always have one or more VLAN access-ports.
You would also have trunk ports which is like a highway with different kinds of traffic running in fixed lanes.

The example provided on the above page is with a trunk between two switches - But I am wondering if it is possible to use the VLAN internally in the RB750’s switch?

I have my WAN on ETH1 and my LAN on ETH2. I am then putting my SERVER 3 on my ETH5. (See attached Drawing)

So am I correct when assuming I would now need to set up a BRIDGE between my ETH1 (WAN) and my ETH5 (SERVER3) + a BRIDGE between my ETH1 (WAN) and my ETH2 (LAN) and then add a VLAN10 for the ETH1-ETH2 traffic and a VLAN20 for the ETH1-ETH5 traffic ?

Will this be enough for a port-based VLAN environment within the RB750 switch?

I plan on using these commands:

# Mark traffic from ETH2 with VLAN10 tag
/interface vlan add name=vlan-10 vlan-id=10 interface=ETH2 disabled=no
# Mark traffic from ETH5 with VLAN20 tag
/interface vlan add name=vlan-20 vlan-id=20 interface=ETH5 disabled=no

# Create a bridge between WAN and ETH2
/interface bridge add name=WAN-ETH2 disabled=no
# Create a bridge between WAN and ETH5
/interface bridge add name=WAN-ETH5 disabled=no

# Allow traffic with VLAN10 tag into WAN-ETH2 bridge
/interface bridge port add interface="vlan-10" bridge="WAN-ETH2" disabled=no
# Allow traffic to/from ETH2 into WAN-ETH2 bridge
/interface bridge port add interface="ETH2" bridge="WAN-ETH2" disabled=no
# Allow traffic with VLAN20 tag into WAN-ETH5 bridge
/interface bridge port add interface="vlan-20" bridge="WAN-ETH5" disabled=no
# Allow traffic to/from ETH5 into WAN-ETH5 bridge
/interface bridge port add interface="ETH5" bridge="WAN-ETH5" disabled=no

Is this in some way correct or am I way off ? Do I need to add the ETH1 interface to my bridges as this is the interface with my WAN connected ?

Thank you so much guys for helping me with this!

Best Regards

Martin B.
Drawing2.pdf (206 KB)

Forget VLANs. They are great when you want to have multiple separate networks on one cable, but you also need either a managed switch or end device (server) specifically configured for VLAN.

In your case, simply split the router’s switch into separate ports and assign a subnet to each one. Then use the firewall to allow traffic from each LAN to the internet and block the rest, i.e. communication between the LANs.

Hello!

Thank you so much for your reply. Today I have been working with different subnets and for now it seems to work somehow.
ETH1=WAN (Address: Public Static IP)
ETH2=LAN (Address: 192.168.1.1/24 Network: 192.168.1.0 Subnet: 255.255.255.0)
ETH3=DISABLED
ETH4=DISABLED
ETH5=SERVER (Address 192.168.5.1/30 Network: 192.168.5.0 Subnet: 255.255.255.252)

None of the ETH ports are linked together; each is acting as a stand-alone port.

Server is connected to ETH5 and obtains IP Address: 192.168.5.2/30 Network: 192.168.5.0 Subnet: 255.255.255.252

At the moment I am not able to access the internet FROM the server and also I can not ping e.g. google.com. But I can ping the ETH2 address 192.168.1.1.

Are you able to suggest which rules to add in RB750 Firewall to allow the Server to get internet access via the WAN in RB750 ?

Also, please suggest rules to add in the firewall to block any traffic between subnet 255.255.255.0 and subnet 255.255.255.252 ?

Thank you so much for your kind help - I really appreciate it a lot.

Best Regards,

Martin B.


Drawing2.pdf (206 KB)

You need to allow outgoing traffic from second subnet (it probably is, if you didn’t block anything) and NAT outgoing connections from there (I’d expect it to work too, if you have the usual generic masquerade rule). If it doesn’t work, it would be best to post your current config, it would save a lot of guesswork.

Hello again and thank you for the reply!

The internet traffic from the server to and from the internet is working now.

Server (192.168.5.2 / 255.255.255.252) working on ETH5 in router is able to ping Workstation (192.168.2.2 / 255.255.255.0) working on ETH1.

How can I disable ALL communication between the two subnets and clients working on them ?

Thank you again and have a good day,

Regards,

Martin B.

/ip firewall filter
add action=drop chain=forward dst-address=192.168.5.0/30 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=192.168.5.0/30

Hello again.

Thank you so much, the below rules are now implemented in the RB750 and clients connected to the separate subnets are now not able to ping each other or exchange data at all.
I just noticed that the clients of each subnet however are able to ping the gateway of the other subnet. E.g.:

Client 192.168.1.2 / 255.255.255.0 can ping gateway 192.168.5.1 / 255.255.255.252
Client 192.168.5.2 / 255.255.255.252 can ping gateway 192.168.1.1 / 255.255.255.0

Is it also possible to prohibit traffic between these two interfaces (LAN2 + LAN5 on RB750 switch) ?

Thank you for your help guys, it is much appreciated.

Best Regards,

Martin B.

Hello Martin.
Try this:

/ip firewall filter
add action=drop chain=input dst-address=192.168.1.1 protocol=icmp src-address=192.168.5.0/30
add action=drop chain=input dst-address=192.168.5.1 protocol=icmp src-address=192.168.1.0/24
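Pulling the thread together, here is an added example (not posted by anyone in this thread) of the complete RouterOS configuration for the final layout: two stand-alone switch ports with their own subnets, masquerade to the WAN, forward-chain drops between the LANs, and input-chain drops towards the other LAN's gateway. It assumes the thread's ETH1/ETH2/ETH5 interface names (default RouterOS names are ether1/ether2/ether5) and goes slightly beyond the thread by dropping all protocols, not only ICMP, from each LAN to the other LAN's gateway address.

```routeros
# Added example, not from the thread. Interface names ETH1/ETH2/ETH5 are assumed.

# Make ETH2 and ETH5 stand-alone ports (master-port era RouterOS; on newer
# versions simply leave both ports out of any bridge instead)
/interface ethernet
set ETH2 master-port=none
set ETH5 master-port=none

# One subnet per port, the router is the gateway of each
/ip address
add address=192.168.1.1/24 interface=ETH2 comment="LAN"
add address=192.168.5.1/30 interface=ETH5 comment="SERVER"

# Both LANs reach the internet through the public address on ETH1
/ip firewall nat
add chain=srcnat out-interface=ETH1 action=masquerade

/ip firewall filter
# forward chain = traffic routed THROUGH the router (LAN <-> LAN, LAN <-> WAN).
# Drop LAN-to-LAN first, before any accept of established traffic, so an
# already tracked connection between the two subnets cannot survive.
add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.5.0/30 \
    comment="isolate LAN from SERVER"
add chain=forward action=drop src-address=192.168.5.0/30 dst-address=192.168.1.0/24 \
    comment="isolate SERVER from LAN"
add chain=forward action=accept connection-state=established,related
# input chain = traffic addressed TO the router itself. The forward rules above
# never see a ping to 192.168.5.1 from the LAN; that packet is handled here.
add chain=input action=drop src-address=192.168.5.0/30 dst-address=192.168.1.1 \
    comment="SERVER may not reach the LAN gateway address"
add chain=input action=drop src-address=192.168.1.0/24 dst-address=192.168.5.1 \
    comment="LAN may not reach the SERVER gateway address"
add chain=input action=accept connection-state=established,related
```

Each LAN still reaches its own gateway address (DHCP, DNS, management), because the input rules only match the cross combination of source subnet and the other subnet's gateway address; after applying, verify with `/ip firewall filter print stats` that the drop counters increase when a client pings the other gateway.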

Hello Guys!

Everything is working now - Thank you for all your help and assistance.

Best Regards,

Martin B.