
Allow traffic between different subnets.

Posted: Thu Apr 26, 2018 4:36 am
by CyborgXCZ
Hello,

I got this issue that I'm trying to figure out. I have a main network that sits on 10.0.0.0/24; I also have 2 additional networks, WiFi Home 10.0.10.0/24 and WiFi Guest 10.0.20.0/24. Everybody can get on the internet, but I would also like network 10.0.10.0/24 to be able to access network 10.0.0.0/24, in my case for example to get to the shared folders or use a mobile app to control the AC that sits on 10.0.0.0/24.

Here is my topology for better understanding. So basically a PC connected through Wi-Fi Home can't access a PC connected via network 10.0.0.0/24 (connection in red). I'm also including the relevant config that is currently on my router:

/interface vlan
add comment="Cisco_Home" interface=ether6-master-Cisco name="VLAN 10 - Cisco_Home" vlan-id=10
add comment="Cisco_Guest" interface=ether6-master-Cisco name="VLAN 20 - Cisco_Guest" vlan-id=20

/ip address
add address=10.0.10.1/24 comment="Cisco_Home" interface="VLAN 10 - Cisco_Home"
add address=10.0.20.1/24 comment="Cisco_Guest" interface="VLAN 20 - Cisco_Guest"

/ip pool
add name=Cisco_Home ranges=10.0.10.20-10.0.10.254
add name=Cisco_Guest ranges=10.0.20.20-10.0.20.254

/ip dhcp-server network
add address=10.0.10.0/24 comment="Cisco_Home" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.10.1
add address=10.0.20.0/24 comment="Cisco_Guest" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.20.1

/ip dhcp-server
add address-pool=Cisco_Home disabled=no interface="VLAN 10 - Cisco_Home" name=Cisco_Home
add address-pool=Cisco_Guest disabled=no interface="VLAN 20 - Cisco_Guest" name=Cisco_Guest

/ip route
add distance=1 dst-address=10.0.10.0/24 gateway=10.0.0.2

[Image: network topology diagram]

Re: Allow traffic between different subnets.

Posted: Thu Apr 26, 2018 4:23 pm
by anavds
Nice diagram by the way!
What I don't see is the tie-in between the VLAN networks and the LAN network 10.0.0.0?
Where, how do you tell the VLAN to piggyback/ride symbiotically live off the HOST LAN?

I'm assuming the VLAN networks are specifically used for WIFI and the rest of the network is normal LAN traffic.
In general, I thought that at the router level, without a specific drop rule, VLAN members would be able to connect to other VLAN members through layer 3 routing?
In other words, even if you had specific ROUTING to go out to the internet, a FW rule would be needed to block inter-VLAN-to-LAN or other inter-VLAN traffic at the layer 3 routing level (VLANs only block at layer 2).

Re: Allow traffic between different subnets.

Posted: Thu Apr 26, 2018 4:45 pm
by solar77
The configuration for IP interface and IP address is not complete. The native LAN must have an address and interface as well, and showing your NAT rules would help.
My best guess is the problem is likely to be a source NAT issue; try this:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether2
Edit: that L3 switch on 10.0.0.0/24, I'm assuming it is acting as an L2 switch?

Re: Allow traffic between different subnets.

Posted: Thu Apr 26, 2018 5:50 pm
by CyborgXCZ
I'm assuming the VLAN networks are specifically used for WIFI and the rest of the network is normal LAN traffic.
In general, I thought that at the router level, without a specific drop rule, VLAN members would be able to connect to other VLAN members through layer 3 routing?
In other words, even if you had specific ROUTING to go out to the internet, a FW rule would be needed to block inter-VLAN-to-LAN or other inter-VLAN traffic at the layer 3 routing level (VLANs only block at layer 2).
Correct, VLANs are just for WiFi; everything else sits on LAN 10.0.0.0/24. I'm trying to help a friend of mine with this setup and basically doing this remotely. Unfortunately I don't know anything about Mikrotik, so I'm a little bit lost here :-(

Re: Allow traffic between different subnets.

Posted: Thu Apr 26, 2018 5:54 pm
by CyborgXCZ
The configuration for IP interface and IP address is not complete. The native LAN must have an address and interface as well, and showing your NAT rules would help.
My best guess is the problem is likely to be a source NAT issue; try this:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether2
Edit: that L3 switch on 10.0.0.0/24, I'm assuming it is acting as an L2 switch?
Correct, from what I understand that L3 switch is just set up as an L2 switch, and since it's PoE I think he uses it to feed some security cameras. If you guys tell me what output to show, I will do that once I get home tonight.

Re: Allow traffic between different subnets.

Posted: Thu Apr 26, 2018 5:59 pm
by anavds
Export the config file via the terminal:
/export hide-sensitive

The file will show up in the file directory and then you have to download it to your computer (Notepad++ is your friend to read it).

Re: Allow traffic between different subnets.

Posted: Thu Apr 26, 2018 6:23 pm
by CZFan
Export the config file via the terminal:
/export hide-sensitive

The file will show up in the file directory and then you have to download it to your computer (Notepad++ is your friend to read it).
You will need "export hide-sensitive file=filename" to be able to download the config as a file; otherwise it will only display in the terminal window.

Re: Allow traffic between different subnets.

Posted: Thu Apr 26, 2018 8:22 pm
by CyborgXCZ
OK, will do that tonight and post the config. Thank you guys for the help :-)

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 12:45 am
by CyborgXCZ
So here is the current config. There are a few other Wi-Fi VLANs for the 5GHz radio, but if I know what I'm missing for VLAN 10 I'm sure I can fix it on the other ones....

# apr/26/2018 23:39:47 by RouterOS 6.41.3
# software id = 5GSV-WY2I
#
# model = RouterBOARD 3011UiAS
# serial number =
/interface bridge
add admin-mac=CC:2D:E0:62:BD:89 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=LAN-ETH2
set [ find default-name=ether1 ] name=WAN1-ETH1
set [ find default-name=ether3 ] name=ether3-PoE-switch
set [ find default-name=ether6 ] name=ether6-master-Cisco
/interface pppoe-client
add add-default-route=yes disabled=no interface=WAN1-ETH1 max-mru=1480 \
max-mtu=1480 name=pppoe-out1 use-peer-dns=yes user=o2
/interface vlan
add comment=Cisco_Home interface=ether6-master-Cisco name=\
"VLAN 10 - Cisco_Home" vlan-id=10
add comment=Cisco_Guest interface=ether6-master-Cisco name=\
"VLAN 20 - Cisco_Guest" vlan-id=20
add comment=Cisco_Home_5Ghz interface=ether6-master-Cisco name=\
"VLAN 30 - Cisco_Home_5Ghz" vlan-id=30
add comment=Cisco_Guest_5Ghz interface=ether6-master-Cisco name=\
"VLAN 40 - Cisco_Guest_5Ghz" vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
add name=Cisco_Home ranges=10.0.10.20-10.0.10.254
add name=Cisco_Guest ranges=10.0.20.20-10.0.20.254
add name=Cisco_Home_5Ghz ranges=10.0.30.20-10.0.30.254
add name=Cisco_Guest_5Ghz ranges=10.0.40.20-10.0.40.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=Cisco_Home disabled=no interface="VLAN 10 - Cisco_Home" \
name=Cisco_Home
add address-pool=Cisco_Guest disabled=no interface="VLAN 20 - Cisco_Guest" \
name=Cisco_Guest
add address-pool=Cisco_Home_5Ghz disabled=no interface=\
"VLAN 30 - Cisco_Home_5Ghz" name=Cisco_Home_5Ghz
add address-pool=Cisco_Guest_5Ghz disabled=no interface=\
"VLAN 40 - Cisco_Guest_5Ghz" name=Cisco_Guest_5Ghz
/interface bridge port
add bridge=bridge comment=defconf interface=LAN-ETH2
add bridge=bridge comment=defconf interface=ether3-PoE-switch
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6-master-Cisco
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1-ETH1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=LAN-ETH2 network=10.0.0.0
add address=10.0.10.1/24 comment=Cisco_Home interface="VLAN 10 - Cisco_Home" \
network=10.0.10.0
add address=10.0.20.1/24 comment=Cisco_Guest interface=\
"VLAN 20 - Cisco_Guest" network=10.0.20.0
add address=10.0.30.1/24 comment=Cisco_Home_5Ghz interface=\
"VLAN 30 - Cisco_Home_5Ghz" network=10.0.30.0
add address=10.0.40.1/24 comment=Cisco_Guest_5Ghz interface=\
"VLAN 40 - Cisco_Guest_5Ghz" network=10.0.40.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=WAN1-ETH1
/ip dhcp-server lease
add address=10.0.0.43 mac-address=FC:AA:14:A8:EF:45
add address=10.0.0.44 mac-address=50:E5:49:CE:E1:3E
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24
add address=10.0.10.0/24 comment=Cisco_Home dns-server=8.8.8.8,8.8.4.4 \
gateway=10.0.10.1
add address=10.0.20.0/24 comment=Cisco_Guest dns-server=8.8.8.8,8.8.4.4 \
gateway=10.0.20.1
add address=10.0.30.0/24 comment=Cisco_Home_5Ghz dns-server=8.8.8.8,8.8.4.4 \
gateway=10.0.30.1
add address=10.0.40.0/24 comment=Cisco_Guest_5Ghz dns-server=8.8.8.8,8.8.4.4 \
gateway=10.0.40.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.66,8.8.8.8
/ip dns static
add address=10.0.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1
/system clock
set time-zone-name=Europe/Prague
/system ntp client
set enabled=yes primary-ntp=195.113.144.201 secondary-ntp=78.108.145.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 1:14 am
by anav
Hmm, with my limited experience nothing jumped out at me.
I see that all interfaces are on the same bridge and same LAN.
I am just not sure of the right way to tell the router that the VLANs are piggybacking on 10.0.0.0???

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 2:20 pm
by CyborgXCZ
Yeah, like I said, I'm lost here :-( Not sure if I need to do some NAT-ing etc... On a Cisco router I would find my way, but this is new to me....

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 2:55 pm
by 2frogs
I believe you need to enable vlan filtering on the bridge. By default, Mikrotik allows communications between any routed interfaces. You would have to use firewall rules to drop any traffic between LAN segments you did not want.
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 3:18 pm
by Sob
What exactly does and doesn't work now?

The image gives the first impression that there's a lot of stuff, but on second look there isn't anything special. Just one router with VLANs, a different subnet for each, serving as gateway for all of them. The firewall config is default, so the only thing it blocks is access from WAN; there's no filtering between VLAN subnets, so everything should be able to communicate with everything else.

The only thing I see that might need adjusting is the bridge/VLAN config. For example, the IP address on the bridged port (LAN-ETH2) is wrong; it should be on the bridge (but it's not a breaking bug). I'm not completely sure what VLANs on a bridged port do with the current bridge implementation.
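Sob's two observations above (the default firewall's forward chain only drops invalid packets and new, un-DSTNATed connections arriving from WAN, and the 10.0.0.1/24 address sits on bridge port LAN-ETH2 instead of on the bridge) can be checked mechanically instead of by eye. The following Python script is an added example, not code from the thread or from MikroTik: it parses a RouterOS export (the embedded excerpt is a constructed, trimmed copy of the export posted in this thread), walks the forward chain for a constructed first packet of a new connection, and lists addresses configured on bridge member ports. The packet shape built by `new_flow`, the set of modelled matchers and the treatment of `fasttrack-connection` as non-terminating are my assumptions; the evaluator refuses matchers it does not model rather than guess.

```python
"""Static checks on a RouterOS export: does the forward chain pass a new
connection between two local subnets, and are IP addresses configured on
bridge member ports instead of the bridge? Added example, not from the
thread; the export excerpt is a constructed, trimmed copy of the one above."""
import ipaddress
import re

CONSTRUCTED_EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=LAN-ETH2
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=LAN-ETH2 network=10.0.0.0
add address=10.0.10.1/24 comment=Cisco_Home interface="VLAN 10 - Cisco_Home" \
    network=10.0.10.0
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
NON_TERMINAL = {"fasttrack-connection", "log", "passthrough"}  # rule walk continues

def parse_export(text):
    """Join '\\' continuation lines, then collect {menu path: [ {key: value}, ... ]}."""
    joined = []
    for raw in text.splitlines():
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + raw.strip()
        else:
            joined.append(raw.rstrip())
    menus, menu = {}, None
    for line in joined:
        if line.startswith("/"):
            menus.setdefault(menu := line, [])
        elif menu and line.split(" ", 1)[0] in ("add", "set"):
            menus[menu].append({k: v.strip('"') for k, v in KV.findall(line)})
    return menus

def rule_matches(rule, pkt, lists):
    """True if every matcher in the rule matches pkt; a leading '!' negates a matcher."""
    for key, value in rule.items():
        if key in ("action", "chain", "comment", "disabled"):
            continue
        negate = value.startswith("!")
        value = value.lstrip("!")
        if key in ("connection-state", "connection-nat-state"):
            hit = pkt[key] in value.split(",")
        elif key in ("in-interface-list", "out-interface-list"):
            hit = value in lists.get(pkt[key.replace("-list", "")], set())
        elif key in ("in-interface", "out-interface", "protocol", "ipsec-policy"):
            hit = pkt.get(key) == value
        elif key in ("src-address", "dst-address"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(value, strict=False)
        else:  # refuse rather than guess: an unmodelled matcher makes the verdict meaningless
            raise ValueError(f"matcher {key!r} not modelled")
        if hit == negate:
            return False
    return True

def forward_verdict(menus, pkt):
    """Walk the forward chain top to bottom; return (action, comment of the deciding rule)."""
    lists = {}  # interface name -> set of interface lists it belongs to
    for m in menus.get("/interface list member", []):
        lists.setdefault(m["interface"], set()).add(m["list"])
    for rule in menus.get("/ip firewall filter", []):
        if rule.get("chain") != "forward" or rule.get("disabled") == "yes":
            continue
        if rule_matches(rule, pkt, lists) and rule["action"] not in NON_TERMINAL:
            return rule["action"], rule.get("comment")
    return "accept", None  # nothing matched: RouterOS chains end in an implicit accept

def addresses_on_bridge_ports(menus):
    """(address, interface) pairs configured on an interface that is itself a bridge port."""
    ports = {p["interface"] for p in menus.get("/interface bridge port", [])}
    return [(a["address"], a["interface"])
            for a in menus.get("/ip address", []) if a["interface"] in ports]

def new_flow(in_iface, src, dst, proto="icmp"):
    """Constructed first packet of a fresh, un-NATed, non-IPsec connection (assumed shape)."""
    return {"in-interface": in_iface, "out-interface": "", "protocol": proto,
            "src-address": src, "dst-address": dst, "connection-state": "new",
            "connection-nat-state": "", "ipsec-policy": "none"}

if __name__ == "__main__":
    cfg = parse_export(CONSTRUCTED_EXPORT)
    print(forward_verdict(cfg, new_flow("VLAN 10 - Cisco_Home", "10.0.10.120", "10.0.0.50")))
    print(forward_verdict(cfg, new_flow("pppoe-out1", "203.0.113.9", "10.0.0.50", "tcp")))
    print(addresses_on_bridge_ports(cfg))
```

Feed it the full `/export hide-sensitive` output instead of the excerpt. A verdict of `('accept', None)` means the packet fell through to the chain's implicit accept, so a forward rule is not what blocks the VLAN-to-LAN traffic; a flow from the WAN list is reported as dropped by the "drop all from WAN not DSTNATed" rule, which is the only thing the default firewall stops. Anything returned by `addresses_on_bridge_ports` is the "address on the port instead of the bridge" mistake Sob points out.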

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 4:18 pm
by CyborgXCZ
I believe you need to enable vlan filtering on the bridge. By default, Mikrotik allows communications between any routed interfaces. You would have to use firewall rules to drop any traffic between LAN segments you did not want.
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
I will look into that...
What exactly does and doesn't work now?

The image gives the first impression that there's a lot of stuff, but on second look there isn't anything special. Just one router with VLANs, a different subnet for each, serving as gateway for all of them. The firewall config is default, so the only thing it blocks is access from WAN; there's no filtering between VLAN subnets, so everything should be able to communicate with everything else.

The only thing I see that might need adjusting is the bridge/VLAN config. For example, the IP address on the bridged port (LAN-ETH2) is wrong; it should be on the bridge (but it's not a breaking bug). I'm not completely sure what VLANs on a bridged port do with the current bridge implementation.
You're right, technically there are only 2 interfaces: eth2 with one switch that runs 10.0.0.0/24, and eth6 with the Cisco switch, a dot1q trunk and 4 VLANs. The only thing that works is internet for the LAN (eth2, 10.0.0.0/24) and all 4 VLANs (4x WiFi connections); what is not working is communication between 10.0.0.0 and 10.0.10.0. In other words, if I log in with a laptop to WiFi and let's say I get address 10.0.10.120 from the DHCP pool (which I can confirm in the output on the Cisco AP) and try to ping that address from a computer that is wired to LAN 10.0.0.0/24, nothing happens and I get the usual "time out", so there are only 2 things that could prevent this: either the local system has no route to the desired destination, or a remote router reports that it has no route to the destination. Not sure about the firewall, since if that was the case I should receive a different msg.

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 4:30 pm
by 2frogs
Just a quick thought, since you are using a Cisco AP, it doesn't have any client-isolation or vlan filtering on it that is blocking vlan subnets from communicating does it?

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 4:31 pm
by Sob
Can't it be the firewall on the laptop? For example, Windows by default drops pings from non-local subnets.

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 4:34 pm
by mkx
Is ether6 a trunk (all tagged) or a hybrid (some untagged together with tagged) port?

If it's a trunk, then it would perhaps work better if that port wasn't a member of the bridge.

If it's hybrid, I'd make it a trunk by creating another VLAN, used for passing otherwise untagged traffic over trunk connections.
N.B.: VLAN id 1 is sometimes considered untagged, sometimes tagged. To avoid confusion about that, it's better to avoid using that VLAN id and explicitly configure access ports for a chosen VLAN id (different than 1).

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 4:48 pm
by CyborgXCZ
Just a quick thought, since you are using a Cisco AP, it doesn't have any client-isolation or vlan filtering on it that is blocking vlan subnets from communicating does it?
I don't think so, since I didn't set up anything like that; just a simple setup as far as the Cisco AP goes.
Can't it be the firewall on the laptop? For example, Windows by default drops pings from non-local subnets.

Hmmm, I will have to ask my friend to check this out for me. The home Wi-Fi clients are authenticating through a RADIUS server that sits on Windows Server; there might be a possibility, since it's default behavior, that there are some rules preventing a different subnet from sending ping requests. His problem is that some of his appliances like printers and air conditioning controllers are plugged in to the home network, which is 10.0.0.0, and he wants to be able to access those devices through that 10.0.10.0 network. And now I remember one thing: at one point when I was testing some stuff there was a time when I saw two clients (2 IP addresses) connected to the AP; I was able to ping one but not the other, and I really didn't pay much attention to that, but he mentioned that I should use the other one, which was his computer; the first one, that worked, was his cellphone. I will try that test again, let him sign in with 2 devices, aka phone and PC, and then try to ping the individual IPs. If I get through to the phone, then I know the problem is not on the router but rather at the end device, which could be the server/PC.

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 4:56 pm
by CyborgXCZ
Is ether6 a trunk (all tagged) or a hybrid (some untagged together with tagged) port?

If it's a trunk, then it would perhaps work better if that port wasn't a member of the bridge.

If it's hybrid, I'd make it a trunk by creating another VLAN, used for passing otherwise untagged traffic over trunk connections.
N.B.: VLAN id 1 is sometimes considered untagged, sometimes tagged. To avoid confusion about that, it's better to avoid using that VLAN id and explicitly configure access ports for a chosen VLAN id (different than 1).
Yes, I was avoiding using VLAN 1 since it's not the secure way to do things on a business network. I know if I left everything at the default VLAN 1 I could easily have only 2 SSIDs running on both frequencies, but since I'm not using the default VLAN 1, each radio needs to have its own SSID and VLAN. In other words, VLAN 1 would allow me to have a single SSID "Home" on both 2.4 and 5GHz at the same time, if that makes sense, at least on Cisco devices; not sure about other manufacturers.

Re: Allow traffic between different subnets.

Posted: Fri Apr 27, 2018 11:38 pm
by CZFan
Did I understand this correctly, this is a home setup? If so, wow, how NOT to set up for Netflix :D

Re: Allow traffic between different subnets.

Posted: Sat Apr 28, 2018 7:36 am
by CyborgXCZ
So no, the test with the cell phone didn't work either; still no communication between LAN and VLAN 10 :-(

Re: Allow traffic between different subnets.

Posted: Sat Apr 28, 2018 7:36 am
by CyborgXCZ
Did I understand this correctly, this is a home setup? If so, wow, how NOT to set up for Netflix :D
What do you mean? And yes, it's kind of both home and work :-)

Re: Allow traffic between different subnets.

Posted: Sat Apr 28, 2018 7:14 pm
by anav
I think it was a late-at-night, lots-of-schnapps type comment. ;-)

Re: Allow traffic between different subnets.

Posted: Sat Apr 28, 2018 9:04 pm
by CZFan
Did I understand this correctly, this is a home setup? If so, wow, how NOT to set up for Netflix :D
What do you mean? And yes, it's kind of both home and work :-)

What I am saying, to me personally, is that it is a bit of a complicated setup for a home office environment: you have routers doing routing, switches doing routing, multiple VLANs, a RADIUS server doing authentication, etc.

Based on your OP, you have the below, which indicates routing happening on the Cisco switch 10.0.0.2. Is the problem not maybe there?

"/ip route
add distance=1 dst-address=10.0.10.0/24 gateway=10.0.0.2"

Re: Allow traffic between different subnets.

Posted: Sun Apr 29, 2018 2:49 am
by Sob
I went through your config again, and I just don't see it. There are some small mistakes with the bridge, but if VLANs can access the internet, there's no breaking bug. The firewall doesn't do it either. Traffic between different interfaces/subnets goes through the forward chain, and its implicit default action is to allow everything. And the only two blocking rules are for invalid packets (that's not it) and connections from WAN that are not dstnatted (i.e. not forwarded ports, so that's not it either). So everything between all local subnets is allowed.

Try to watch what's going on. Either use Tools->Torch on interfaces, or use some logging rules, e.g.:
/ip firewall mangle
add action=log chain=prerouting dst-port=33333 protocol=tcp
add action=log chain=forward dst-port=33333 protocol=tcp
add action=log chain=postrouting dst-port=33333 protocol=tcp
If you try to connect to port 33333 (you can e.g. try to open http://<address in another vlan>:33333 in a browser; it of course won't connect, but you should see SYN packets logged in all three chains). If that happens, they passed through the router correctly. Instead of "dst-port=33333 protocol=tcp", you can use "protocol=icmp dst-address=<address in another vlan>", and if the target device responds to pings, you can catch the replies with a similar set of logging rules, just change dst-address to src-address. The advantage of using a unique TCP port is that there's almost no chance that any other packets will go to that port, only yours. I think you get the idea.
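Reading the output of those three logging rules by hand gets tedious once several flows are in the log, so here is an added example (not code from the thread or from MikroTik) that groups the logged lines by flow and reports the last chain each flow reached. The sample lines are constructed in the shape RouterOS firewall log entries take (`<chain>: in:<iface> out:<iface>, src-mac ..., proto ..., src->dst, len N`, preceded by the timestamp and topics that `/log print` shows); that format is an assumption, so adjust `LOG_LINE` if your RouterOS version prints differently.

```python
"""Correlate the lines produced by 'action=log' rules in prerouting, forward
and postrouting to see how far each flow got through the router.
Added example, not from the thread. CONSTRUCTED_LOG is made up for the
demo; the entry format it assumes is '<chain>: in:<if> out:<if>, src-mac ...,
proto ..., src->dst, len N', which is how RouterOS firewall logs look here."""
import re
from collections import OrderedDict

CHAIN_ORDER = ("prerouting", "forward", "postrouting")  # path of a forwarded packet

LOG_LINE = re.compile(
    r"(?P<chain>prerouting|forward|postrouting|input|output): "
    r"in:(?P<in>.*?) out:(?P<out>.*?), (?:src-mac [0-9a-f:]+, )?"
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, len \d+",
    re.IGNORECASE,
)

CONSTRUCTED_LOG = """\
apr/29 14:02:11 firewall,info prerouting: in:LAN-ETH2 out:(unknown 0), src-mac 50:e5:49:ce:e1:3e, proto TCP (SYN), 10.0.0.44:51234->10.0.10.120:33333, len 52
apr/29 14:02:11 firewall,info forward: in:LAN-ETH2 out:VLAN 10 - Cisco_Home, src-mac 50:e5:49:ce:e1:3e, proto TCP (SYN), 10.0.0.44:51234->10.0.10.120:33333, len 52
apr/29 14:02:11 firewall,info postrouting: in:LAN-ETH2 out:VLAN 10 - Cisco_Home, src-mac 50:e5:49:ce:e1:3e, proto TCP (SYN), 10.0.0.44:51234->10.0.10.120:33333, len 52
apr/29 14:02:15 firewall,info prerouting: in:VLAN 10 - Cisco_Home out:(unknown 0), src-mac fc:aa:14:a8:ef:45, proto ICMP (type 8, code 0), 10.0.10.120->10.0.0.44, len 84
apr/29 14:02:16 system,info,account user admin logged in from 10.0.0.44 via winbox
"""

def parse_log(text):
    """Yield (chain, flow key, in_iface, out_iface) for every firewall log entry."""
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a firewall entry (or a format this regex does not know)
        key = (m["proto"].upper(), m["src"], m["sport"] or "", m["dst"], m["dport"] or "")
        yield m["chain"].lower(), key, m["in"], m["out"]

def trace_flows(text):
    """flow key -> {'chains': chains seen, 'out': egress interface, 'status': verdict}."""
    flows = OrderedDict()
    for chain, key, _in, out in parse_log(text):
        entry = flows.setdefault(key, {"chains": [], "out": None})
        if chain not in entry["chains"]:
            entry["chains"].append(chain)
        if chain in ("forward", "postrouting"):
            entry["out"] = out  # routing decision has been made by then
    for entry in flows.values():
        missing = [c for c in CHAIN_ORDER if c not in entry["chains"]]
        entry["status"] = "forwarded" if not missing else f"stopped before {missing[0]}"
    return flows

def report(text):
    """One human-readable line per flow."""
    def ep(addr, port):
        return f"{addr}:{port}" if port else addr
    return [f"{k[0]} {ep(k[1], k[2])} -> {ep(k[3], k[4])}: {e['status']} "
            f"(chains: {', '.join(e['chains'])}; out: {e['out']})"
            for k, e in trace_flows(text).items()]

if __name__ == "__main__":
    print("\n".join(report(CONSTRUCTED_LOG)))
```

A flow that shows all three chains was routed and handed to the egress interface by the router, which moves suspicion to the AP or the end host (for instance the Windows firewall dropping pings from non-local subnets that Sob mentioned earlier). A flow that stops after prerouting never entered the forward chain, so the packet was consumed or dropped on the router itself and the routing and input side is where to look next.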

Re: Allow traffic between different subnets.

Posted: Sun Apr 29, 2018 6:07 am
by CyborgXCZ
I will do some testing and get back, but I don't know when; I will be moving soon, so I'm busy with packing and such ;-(

Re: Allow traffic between different subnets.

Posted: Sun Apr 29, 2018 6:12 am
by CyborgXCZ
Did I understand this correctly, this is a home setup? If so, wow, how NOT to set up for Netflix :D
What do you mean? And yes, it's kind of both home and work :-)

What I am saying, to me personally, is that it is a bit of a complicated setup for a home office environment: you have routers doing routing, switches doing routing, multiple VLANs, a RADIUS server doing authentication, etc.

Based on your OP, you have the below, which indicates routing happening on the Cisco switch 10.0.0.2. Is the problem not maybe there?

"/ip route
add distance=1 dst-address=10.0.10.0/24 gateway=10.0.0.2"
Well, like I said, it's not mine but my friend's... mine is even more complicated :-) but built with Cisco equipment only, so I know what to do there... As for the Cisco switch, nothing is happening there besides VLANs and the trunk port... either way I will do some more testing when I have a chance....