You only need to set that address 192.168.2.253/24 on one of the ports of the MikroTik and take that port out of
the switch or bridge used for the LAN.   Then connect it to the other network.

With a cable, of course, running from the port on the MikroTik where that address is configured to any port on the switch.

With a cable, of course, running from the port on the MikroTik where that address is configured to any port on the switch.

Of course! 
So cable from SRX to Mikrotik port (say) 5.
Then configure (in the Mikrotik) port 5 with a fixed IP of 192.168.2.253/24, which would allow the devices on 192.168.2.x to reach the devices on the other LAN 192.168.3.x ? 

With a cable, of course, running from the port on the MikroTik where that address is configured to any port on the switch.

Of course! 
So cable from SRX to Mikrotik port (say) 5.
Then configure (in the Mikrotik) port 5 with a fixed IP of 192.168.2.253/24, which would allow the devices on 192.168.2.x to reach the devices on the other LAN 192.168.3.x ? 

If you wish to only allow communication between the 192.168.3.0/24 and 192.168.2.250(printer IP) then you will want to configure a firewall rule which only permits said communication between the networks and will deny all other traffic between them.

With a cable, of course, running from the port on the MikroTik where that address is configured to any port on the switch.

Of course! 
So cable from SRX to Mikrotik port (say) 5.
Then configure (in the Mikrotik) port 5 with a fixed IP of 192.168.2.253/24, which would allow the devices on 192.168.2.x to reach the devices on the other LAN 192.168.3.x ? 

If you wish to only allow communication between the 192.168.3.0/24 and 192.168.2.250(printer IP) then you will want to configure a firewall rule which only permits said communication between the networks and will deny all other traffic between them.

Hi, thank you. I can see this is an important point as both LANs have different routers etc. This will prevent a lot of cross-talk.
What would this rule look like?
Thanks!

chain=forward action=accept src-address=192.168.3.0/24 dst-address=192.168.2.250/32 log=no log-prefix=""
chain=forward action=accept src-address=192.168.2.250/32 dst-address=192.168.3.0/24 log=no log-prefix=""
chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.3.0/24 log=no log-prefix=""

Alright, there are some issues... You can't just rely on a /24 network between the routers to route your traffic effectively. I created a rudimentary diagram to show how you can set this up and have it work. You can adjust the IPs as needed.

Now the ip route commands are probably not the correct syntax for Mikrotik, it should get you close. You have to inform the routers where to send packets. Instead of using IPs from your /24 LAN, we'll use a different address space to keep things simple. This can be done with addresses from your LAN, just for now change it up. The ".1" and ".2" represent the last octect of that network address space going between the routers. When it comes to the routes, you have to point the traffic you are trying to reach to the remote or distance interface. Your firewall rules will still come into play, if you want to limit traffic into and out of the network.

Hopefully this makes more sense for you and you can quickly get things setup the way you want it.


pohutukawa.png

With a cable, of course, running from the port on the MikroTik where that address is configured to any port on the switch.

Once you have the /30 configured between them, go ahead and ping the remote IP from each box. before we get into configuring routes and FW rules, lets make sure the basics are working.

If both ping successfully, move on to creating the static routes. You then want to test that by pinging the Printer's IP address from the remote LAN. Now you want to add FW rules to limit traffic and test again to ensure you maintain the desired level of connectivity.

Hi and thanks again for your help.

I think I've got my head around this, but I have a problem: the administrators of the Juniper box have given me a fixed IP and basically said that I need to sort it out from there. Additionally, the Juniper side is a busy network for most hours so it's difficult to get in and experiment for fear of crashing their network routing or something.

Is there any other way of achieving this just from the Mikrotik side?

I do appreciate you taking the time to contribute. I have done quite a bit of research and haven't come up with anything particularly useful!

Regards
Robin

Hi and thanks again for your help.

I think I've got my head around this, but I have a problem: the administrators of the Juniper box have given me a fixed IP and basically said that I need to sort it out from there. Additionally, the Juniper side is a busy network for most hours so it's difficult to get in and experiment for fear of crashing their network routing or something.

Is there any other way of achieving this just from the Mikrotik side?

I do appreciate you taking the time to contribute. I have done quite a bit of research and haven't come up with anything particularly useful!

Regards
Robin

Since we only discussed static routes you can't "crash their network routing."

On the Juniper side, what is the IP of the interface that connects to the Mikrotik or is it setup as a switchport? Unless they intend for you to setup a NAT with their IP they will have to have some routing changes to point back to your network for relevant data flows.

Redo the diagram with the correct IPs and connection information so we can make sure we are talking "on the same page."

Hi and thanks again for your help.

I think I've got my head around this, but I have a problem: the administrators of the Juniper box have given me a fixed IP and basically said that I need to sort it out from there. Additionally, the Juniper side is a busy network for most hours so it's difficult to get in and experiment for fear of crashing their network routing or something.

Is there any other way of achieving this just from the Mikrotik side?

I do appreciate you taking the time to contribute. I have done quite a bit of research and haven't come up with anything particularly useful!

Regards
Robin

Since we only discussed static routes you can't "crash their network routing."

On the Juniper side, what is the IP of the interface that connects to the Mikrotik or is it setup as a switchport? Unless they intend for you to setup a NAT with their IP they will have to have some routing changes to point back to your network for relevant data flows.

Redo the diagram with the correct IPs and connection information so we can make sure we are talking "on the same page."

Hi Revelation, thanks for the additional info.

I have made a diagram (see below). Please let me know if something isn't clear and I will update!

Your comment regarding NAT with their IP is particularly interesting. I think that this is their preferred configuration.

Regards

Robin

Hi and thanks again for your help.

I think I've got my head around this, but I have a problem: the administrators of the Juniper box have given me a fixed IP and basically said that I need to sort it out from there. Additionally, the Juniper side is a busy network for most hours so it's difficult to get in and experiment for fear of crashing their network routing or something.

Is there any other way of achieving this just from the Mikrotik side?

I do appreciate you taking the time to contribute. I have done quite a bit of research and haven't come up with anything particularly useful!

Regards
Robin

Since we only discussed static routes you can't "crash their network routing."

On the Juniper side, what is the IP of the interface that connects to the Mikrotik or is it setup as a switchport? Unless they intend for you to setup a NAT with their IP they will have to have some routing changes to point back to your network for relevant data flows.

Redo the diagram with the correct IPs and connection information so we can make sure we are talking "on the same page."

Hi Revelation, thanks for the additional info.

I have made a diagram (see below). Please let me know if something isn't clear and I will update!

Your comment regarding NAT with their IP is particularly interesting. I think that this is their preferred configuration.

Regards

Robin

I don't see a diagram, could also be my work computer - they provide a POS.

I'm at work, so I cannot verify syntax. Basically the IP they provided will be assigned to your interface. You will then setup an ip route, if it is not added automatically, to reach all of the /24 address space using that IP / interface.

You will setup nat with masquerade using that IP. This will be in addition to your NAT for traffic leaving through your WAN. When I have a chance, after I am off of work, I will lab it up and see if there is any need for additional configs.

**EDIT**
You will probably want or need a firewall rule allowing your subnet to reach the printer IP via that NAT. That way only that specific traffic uses that NAT and for everything else the default route out through your WAN.

Hi and thanks again for your help.

I think I've got my head around this, but I have a problem: the administrators of the Juniper box have given me a fixed IP and basically said that I need to sort it out from there. Additionally, the Juniper side is a busy network for most hours so it's difficult to get in and experiment for fear of crashing their network routing or something.

Is there any other way of achieving this just from the Mikrotik side?

I do appreciate you taking the time to contribute. I have done quite a bit of research and haven't come up with anything particularly useful!

Regards
Robin

Since we only discussed static routes you can't "crash their network routing."

On the Juniper side, what is the IP of the interface that connects to the Mikrotik or is it setup as a switchport? Unless they intend for you to setup a NAT with their IP they will have to have some routing changes to point back to your network for relevant data flows.

Redo the diagram with the correct IPs and connection information so we can make sure we are talking "on the same page."

Hi Revelation, thanks for the additional info.

I have made a diagram (see below). Please let me know if something isn't clear and I will update!

Your comment regarding NAT with their IP is particularly interesting. I think that this is their preferred configuration.

Regards

Robin

I don't see a diagram, could also be my work computer - they provide a POS.

I'm at work, so I cannot verify syntax. Basically the IP they provided will be assigned to your interface. You will then setup an ip route, if it is not added automatically, to reach all of the /24 address space using that IP / interface.

You will setup nat with masquerade using that IP. This will be in addition to your NAT for traffic leaving through your WAN. When I have a chance, after I am off of work, I will lab it up and see if there is any need for additional configs.

**EDIT**
You will probably want or need a firewall rule allowing your subnet to reach the printer IP via that NAT. That way only that specific traffic uses that NAT and for everything else the default route out through your WAN.

Hi and thanks again for your help.

I think I've got my head around this, but I have a problem: the administrators of the Juniper box have given me a fixed IP and basically said that I need to sort it out from there. Additionally, the Juniper side is a busy network for most hours so it's difficult to get in and experiment for fear of crashing their network routing or something.

Is there any other way of achieving this just from the Mikrotik side?

I do appreciate you taking the time to contribute. I have done quite a bit of research and haven't come up with anything particularly useful!

Regards
Robin

Since we only discussed static routes you can't "crash their network routing."

On the Juniper side, what is the IP of the interface that connects to the Mikrotik or is it setup as a switchport? Unless they intend for you to setup a NAT with their IP they will have to have some routing changes to point back to your network for relevant data flows.

Redo the diagram with the correct IPs and connection information so we can make sure we are talking "on the same page."

Hi Revelation, thanks for the additional info.

I have made a diagram (see below). Please let me know if something isn't clear and I will update!

Your comment regarding NAT with their IP is particularly interesting. I think that this is their preferred configuration.

Regards

Robin

I don't see a diagram, could also be my work computer - they provide a POS.

I'm at work, so I cannot verify syntax. Basically the IP they provided will be assigned to your interface. You will then setup an ip route, if it is not added automatically, to reach all of the /24 address space using that IP / interface.

You will setup nat with masquerade using that IP. This will be in addition to your NAT for traffic leaving through your WAN. When I have a chance, after I am off of work, I will lab it up and see if there is any need for additional configs.

**EDIT**
You will probably want or need a firewall rule allowing your subnet to reach the printer IP via that NAT. That way only that specific traffic uses that NAT and for everything else the default route out through your WAN.

Hi, did the links work for you?

Thanks!

Robin

Hi Again!

Just a quick reply with some links for the image...

https://s22.postimg.io/4r6uq2kz5/network.png

or shortened with Goo.gl:
goo.gl/hrXkyX

Can you see those?

Could aways email…

Regards

Robin

chain=srcnat action=masquerade src-address=192.168.3.0/24 dst-address=192.168.2.152 out-interface=ether3 log=no log-prefix=""

chain=forward action=accept src-address=192.168.3.0/24 dst-address=192.168.2.152 out-interface=ether3 log=no log-prefix=""
chain=forward action=accept src-address=192.168.2.152 dst-address=192.168.3.0/24 in-interface=ether3 log=no log-prefix=""
chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.3.0/24 log=no log-prefix=""

Hi Again!

Just a quick reply with some links for the image...

https://s22.postimg.io/4r6uq2kz5/network.png

or shortened with Goo.gl:
goo.gl/hrXkyX

Can you see those?

Could aways email…

Regards

Robin

Hey Robin,

Got it sorted and what I was thinking was correct. So I am going to assume that you have a masquerade for your LAN traffic to go out your WAN interface already based on the diagram.

Next we want to configure another NAT:

Code: Select all

chain=srcnat action=masquerade src-address=192.168.3.0/24 dst-address=192.168.2.152 out-interface=ether3 log=no log-prefix=""

We now want to configure firewall rules to permit traffic to reach the Printer and to deny any traffic coming into your network that isn't supposed to:

Code: Select all

chain=forward action=accept src-address=192.168.3.0/24 dst-address=192.168.2.152 out-interface=ether3 log=no log-prefix=""
chain=forward action=accept src-address=192.168.2.152 dst-address=192.168.3.0/24 in-interface=ether3 log=no log-prefix=""
chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.3.0/24 log=no log-prefix=""

With this config it also limits your LAN hosts from reaching any other IP in the 192.168.2.0/24 network. Obviously you can change that should your needs change down the road.

This should get you where you need to be.

Hey Revelation

Thanks! I will try this configuration and see how I get on.

With my earlier configuration, I was firstly missing the NAT masquerade and additionally did not have ether3 as out/in interfaces on the first two firewall rules.

On the drop firewall rule (your #3 above) do I need to specify any in/out interface(s)?

Cheerio

Robin

Hey Revelation

Thanks! I will try this configuration and see how I get on.

With my earlier configuration, I was firstly missing the NAT masquerade and additionally did not have ether3 as out/in interfaces on the first two firewall rules.

On the drop firewall rule (your #3 above) do I need to specify any in/out interface(s)?

Cheerio

Robin

The reason I like using interface on the NAT option is in case the Juniper admin ever forces you to change the IP address assigned, or switches it to DHCP. For the Firewall rules, you really don't need the interface option on those; I add them out of habit.

Hi Revelation

Well that worked fantastically and exactly as expected.

Thank you so much for your help with this. I've learned a lot, which will also apply to other situations I'm sure to face so thank you for your help on the education front also!

Best wishes

Robin

Hi Revelation

Well that worked fantastically and exactly as expected.

Thank you so much for your help with this. I've learned a lot, which will also apply to other situations I'm sure to face so thank you for your help on the education front also!



Best wishes

Robin

Glad everything is working as expected.

Multicast DNS operates over UDP (IP protocol 17) with a destination port 5353 and a source port above 1024. The destination address is, of course, a multicast address (in the 224.0.0.0 range). Responses to mDNS multicasts originate from UDP port 5353, but are bound for a random high port above 1024. Simply defining a rule that allows traffic to and from UDP port 5353 won’t work, because while outbound traffic will be correctly matched the responses to those outbound requests won’t be matched and will be dropped (assuming the default action is to deny traffic). So, a sample rule to be added to ipfw might look something like this:

add 2008 allow udp from 10.1.1.0/24 5353 to any 1024-65535 in via en0

Hi Revelation

One minor issue has arisen whereby Macs on both networks can see one another via Bonjour, which as far as I can ascertain uses UDP 5353 Multicast.

Do I need to define a specific firewall rule dropping all UDP packets between the two LANs and if so what would that look like?

If you set up your firewall rules to only allow traffic to and from the printer IP, this should not be a problem at all. If you wish to have more access between your networks then you can look at blocking the ports used by Bonjour. You should only need ports 5353, 5297, 5298 blocked.

/ip firewall filter
add action=accept chain=forward comment=\
    "Allow traffic from .3.0/24 to printer .2.152" dst-address=192.168.2.152 \
    dst-address-type="" out-interface=ether3 src-address=192.168.3.0/24 \
    src-address-type=""
add action=accept chain=forward comment=\
    "Allow traffic from printer .2.152 to .3.x/24" dst-address=192.168.3.0/24 \
    in-interface=ether3 src-address=192.168.2.152
add action=drop chain=forward comment="Drop all other traffic from .2.0/24" \
    dst-address=192.168.3.0/24 src-address=192.168.2.0/24
add action=accept chain=input comment="winbox admin from WAN" dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment=\
    "Accept connections TO router from allowed IPs" src-address-list=\
    "Allowed IPs"
add action=drop chain=forward comment="Drop invalid packets THROUGH router" \
    connection-state=invalid
add action=accept chain=forward comment="Accept new connections from LAN" \
    connection-state=new in-interface=pppoe-out1
add action=accept chain=forward comment="Allow related connections" \
    connection-state=related
add action=accept chain=forward comment="Allow established connections" \
    connection-state=established
add action=accept chain=input comment=\
    "Allow etablished connections to the router" connection-state=established
add action=accept chain=input comment=\
    "Allow related connections to the router" connection-state=related
add action=drop chain=input comment="Drop all other traffic TO the router"
add action=drop chain=forward comment="Drop invalid packets TO router" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow outgoing traffic" \
    dst-address=0.0.0.0/0 out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=\
    "Masquerade/NAT ether3 to the .2.0/24 LAN with printer IP as destination" \
    dst-address=192.168.2.152 out-interface=ether3 src-address=192.168.3.0/24

If you set up your firewall rules to only allow traffic to and from the printer IP, this should not be a problem at all. If you wish to have more access between your networks then you can look at blocking the ports used by Bonjour. You should only need ports 5353, 5297, 5298 blocked.

Hi Revelation

I have attempted to do this with rules #0 and #1, and drop all other traffic with rule #3 (see screenshot linked below).

image hosting over 5mb

What have I missed?

Maybe it is something to do with the order of rules?

Regards

Robin

If you set up your firewall rules to only allow traffic to and from the printer IP, this should not be a problem at all. If you wish to have more access between your networks then you can look at blocking the ports used by Bonjour. You should only need ports 5353, 5297, 5298 blocked.

Hi Revelation

I have attempted to do this with rules #0 and #1, and drop all other traffic with rule #3 (see screenshot linked below).

image hosting over 5mb

What have I missed?

Maybe it is something to do with the order of rules?

Regards

Robin

Add in a drop rule for your traffic going to any other IP in the 192.168.2.0/24 network space.

Once you have that in place you should not have any other issues with Bonjour.

add chain=forward protocol=tcp in-interface=ether3 src-address=!192.168.2.152 action=drop
add chain=forward protocol=tcp out-interface=ether3 dst-address=!192.168.2.152 action=drop

If you set up your firewall rules to only allow traffic to and from the printer IP, this should not be a problem at all. If you wish to have more access between your networks then you can look at blocking the ports used by Bonjour. You should only need ports 5353, 5297, 5298 blocked.

Hi Revelation

I have attempted to do this with rules #0 and #1, and drop all other traffic with rule #3 (see screenshot linked below).

image hosting over 5mb

What have I missed?

Maybe it is something to do with the order of rules?

Regards

Robin

Add in a drop rule for your traffic going to any other IP in the 192.168.2.0/24 network space.

Once you have that in place you should not have any other issues with Bonjour.

Great, OK can I assume that I need to drop this traffic both directions?

Like this?:

Code: Select all

add chain=forward protocol=tcp in-interface=ether3 src-address=!192.168.2.152 action=drop
add chain=forward protocol=tcp out-interface=ether3 dst-address=!192.168.2.152 action=drop

Thanks!

Robin

If you set up your firewall rules to only allow traffic to and from the printer IP, this should not be a problem at all. If you wish to have more access between your networks then you can look at blocking the ports used by Bonjour. You should only need ports 5353, 5297, 5298 blocked.

Hi Revelation

I have attempted to do this with rules #0 and #1, and drop all other traffic with rule #3 (see screenshot linked below).

image hosting over 5mb

What have I missed?

Maybe it is something to do with the order of rules?

Regards

Robin

Add in a drop rule for your traffic going to any other IP in the 192.168.2.0/24 network space.

Once you have that in place you should not have any other issues with Bonjour.

Great, OK can I assume that I need to drop this traffic both directions?

Like this?:

Code: Select all

add chain=forward protocol=tcp in-interface=ether3 src-address=!192.168.2.152 action=drop
add chain=forward protocol=tcp out-interface=ether3 dst-address=!192.168.2.152 action=drop

Thanks!

Robin

No, just add another rule dropping your traffic from reaching any IP in the 192.168.2.0/24 address space. You place that right after your permit to 192.168.2.152 for the printer.

/ip firewall filter
add action=accept chain=forward comment=\
    "Allow traffic from .3.0/24 to printer .2.152" dst-address=192.168.2.152 \
    out-interface=ether3 src-address=192.168.3.0/24
add action=accept chain=forward comment=\
    "Allow traffic from printer .2.152 to .3.x/24" dst-address=192.168.3.0/24 \
    in-interface=ether3 src-address=192.168.2.152

add action=drop chain=forward comment="Drop all other traffic from .2.0/24" \
    dst-address=192.168.3.0/24 src-address=192.168.2.0/24

No, just add another rule dropping your traffic from reaching any IP in the 192.168.2.0/24 address space. You place that right after your permit to 192.168.2.152 for the printer.

/ip firewall filter
add action=accept chain=forward comment=\
    "Allow traffic from .3.0/24 to printer .2.152" dst-address=192.168.2.152 \
    out-interface=ether3 src-address=192.168.3.0/24
add action=accept chain=forward comment=\
    "Allow traffic from printer .2.152 to .3.x/24" dst-address=192.168.3.0/24 \
    in-interface=ether3 src-address=192.168.2.152

add action=drop chain=forward comment="Drop all other traffic from .2.0/24" \
    dst-address=192.168.3.0/24 src-address=192.168.2.0/24

No, just add another rule dropping your traffic from reaching any IP in the 192.168.2.0/24 address space. You place that right after your permit to 192.168.2.152 for the printer.

Hi Revelation

Yep I understand. Isn't that what the second of the two rules above does? (using the !=not)

Could you give me an example rule?

This is where I'm at currently:

Code: Select all

/ip firewall filter
add action=accept chain=forward comment=\
    "Allow traffic from .3.0/24 to printer .2.152" dst-address=192.168.2.152 \
    out-interface=ether3 src-address=192.168.3.0/24
add action=accept chain=forward comment=\
    "Allow traffic from printer .2.152 to .3.x/24" dst-address=192.168.3.0/24 \
    in-interface=ether3 src-address=192.168.2.152

With this rule dropping the other traffic, but it doesn't seem to work:

Code: Select all

add action=drop chain=forward comment="Drop all other traffic from .2.0/24" \
    dst-address=192.168.3.0/24 src-address=192.168.2.0/24

Should I maybe be looking to drop traffic in the other direction? I'm just unclear on how to drop it all in a bidirectional way!

Cheerio

Robin