cyberson

multiple subnets one gateway

Fri Sep 21, 2018 1:18 am

hello world,
Thanks in advance for any help and apologies for forgetting what to include.
I have an RB3011 I have used the default configuration.
I then tried to add 2 additional IP networks by following the commands in the default script.
The three networks are (I also changed the first IP network address) 192.168.16.0, 192.168.96.0, 192.168.98.0
The first thing I did was to remove ether ports 6-10 from the default bridge.
Made 2 new bridges, one with ether 6 and 7 and one with ether 8 and 9.
I then created 2 new dhcp pools and dhcp servers.
I added the .1 address for each network to the appropriate bridge and most things seem to work.
The main problem is that when I run an Internet speedtest the .16 network is fine with about 80 meg download, but the .96 and .98 won't run the speedtest and a 100 meg download took 5 minutes.
Another strange problem is that I cannot run a mikrotik terminal from the browser on any of the networks. But I can run it in winbox.
I am also worried about my firewall settings, since they use the LAN and WAN lists and the bridges I created are not included. I was actually surprised that I had an Internet connection on those bridges.
My set up is in the attached file and is below.
Thx, core
# sep/20/2018 17:34:30 by RouterOS 6.43
# software id = E5UB-48Z4
#
# model = RouterBOARD 3011UiAS
# serial number = #####
/interface bridge
add admin-mac=###### auto-mac=no comment=garage name=bridge2
add comment=main name=bridge6
add comment=upstairs name=bridge8
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.16.101-192.168.16.150
add name=dhcpPool2 ranges=192.168.96.100-192.168.96.150
add name=dhcpPool3 ranges=192.168.97.100-192.168.97.150
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge2 name=DHCPsrvr1
add address-pool=dhcpPool2 disabled=no interface=bridge6 lease-time=2h name=\
     DHCPsrvr2
add address-pool=dhcpPool3 disabled=no interface=bridge8 lease-time=2h name=\
     DHCPsrvr3
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge2 comment=defconf interface=ether2
add bridge=bridge2 comment=defconf interface=ether3
add bridge=bridge2 comment=defconf interface=ether4
add bridge=bridge2 comment=defconf interface=ether5
add bridge=bridge6 comment=main interface=ether6 trusted=yes
add bridge=bridge6 interface=ether7
add bridge=bridge8 comment=upstairs interface=ether8
add bridge=bridge8 interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=???????? use-ipsec=yes
/interface list member
add comment=defconf interface=bridge2 list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.16.1/24 comment=garage interface=ether2 network=\
     192.168.16.0
add address=#########/29 interface=ether1 network=##########
add address=192.168.96.1/24 comment=main interface=bridge6 network=\
     192.168.96.0
add address=192.168.97.1/24 comment=upstairs interface=bridge8 network=\
     192.168.97.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.16.0/24 comment=garage gateway=192.168.16.1 netmask=24
add address=192.168.96.0/24 comment=main gateway=192.168.96.1
add address=192.168.97.0/24 comment=upstairs gateway=192.168.97.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.16.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
     "defconf: accept established,related,untracked" connection-state=\
     established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
     protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
     invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
     in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
     ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
     ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
     connection-state=established,related
add action=accept chain=forward comment=\
     "defconf: accept established,related, untracked" connection-state=\
     established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
     connection-state=invalid
add action=drop chain=forward comment=\
     "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
     connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
     ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
     192.168.89.0/24
/ip route
add distance=1 gateway=########
/ppp secret
add name=vpn password=????????
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
nescafe2002

Re: multiple subnets one gateway

Fri Sep 21, 2018 1:40 pm

  • You could add bridge6 and bridge8 to interface list LAN. It will not matter for forwarded traffic, since the forward chain drops by the WAN interface list, but it will affect the input chain.
  • IP address 16.1 should be placed on bridge2, not ether2 since it is a slave port.
  • You may want to set dns-server=192.168.x.1 in each dhcp network to use DNS cache and static entries.
  • You use two default routes with distance=1, one from dhcp-client and one static. If you want to use separate gateways, use policy based routing.
 
cyberson

Re: multiple subnets one gateway

Fri Sep 21, 2018 11:47 pm

Thank you for the reply. I will try your suggestions this evening and post the results, although I am not sure about the gateways.
I don't think I really need separate gateways, but I do want the 3 LANs isolated.
And I am not sure how to accomplish "policy based routing". I will do some reading and see if I can decide if that is something I can accomplish.
Thank you again, and have a great evening!
Thx, core
 
cyberson

Re: multiple subnets one gateway

Fri Sep 21, 2018 11:50 pm

Ah . . . mangle. I will have to try that.
Thx, core
 
cyberson

Re: multiple subnets one gateway

Sat Sep 22, 2018 7:19 am

Thank you again for your help nescafe2002.
I believe I have implemented most of what you suggested, but the speed is good for the 16.1 but slow for 97.1.
I actually had tried to add bridge6 and bridge8 to the interface list LAN, but I tried it through webfig and I could find no way to add, only replace.
I'm not even sure I have done it now because "/interface list member add list=LAN interface=bridge6", seems to complete but "/interface list member print" only shows bridge2.
I also did not understand and was not able to find 2 default routes with 1.
I don't think dhcp client is even running, because I have static IPs.
I apologize for being dense. I feel like I understand all the parts but can't seem to figure out the flow between them.
I have attached my config again.
Thx, core

PS. why does it say "add bridge=bridge6 comment=main interface=ether6 trusted=yes" that trusted=yes doesn't seem right.
Also, I thought I had tested it, but when I just tried connecting to 96.1 I received a 96.x IP address, but I don't have DNS (however i can ping the ISP gateway).
Way too long of a PS, apologies.
Have a great day!

(edit: it took me a little while, but now I've completely broken it, all 3 networks have no DNS. But I can recover to the backup I posted so any suggestions from that point are still appreciated.)
 
nescafe2002

Re: multiple subnets one gateway

Sat Sep 22, 2018 8:28 am

Not sure if the dhcp-client is not running or not bound. In either way, you can disable it by clicking D in IP > DHCP Client in webfig.
When not bound it will not generate a default route so you can skip that part.

You can add the bridge to interface list by going to Interfaces > Interface List > Add New or go to the terminal (button top right) and run these statements:

/interface list member
add interface=bridge6 list=LAN
add interface=bridge8 list=LAN

Without this, your clients will not be able to resolve DNS after they refresh their DHCP leases (when DNS network change will actually be applied).

Trusted=yes is explained here: https://wiki.mikrotik.com/wiki/Manual:I ... t_Settings
In fact, every configuration option is explained in wiki. Just do a Google search (e.g. mikrotik bridge port trusted).

Furthermore: apply Admin. MAC Address (copy actual MAC Address) on bridge6 and bridge8 to make sure clients see the same network.

Not sure about the speed though. Maybe someone else on this forum can see why.
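The replies in this thread, collected into one RouterOS 6.x script that can be run against the posted export. This is an added example written for this page, not code from the thread, from the poster, or from MikroTik's default configuration. It adds bridge6 and bridge8 to the LAN list, moves the 192.168.16.1 address from the slave port ether2 onto bridge2, points each DHCP network at the router's own address for DNS, pins an admin MAC on the two new bridges and, because the topic author also asked for the three LANs to be isolated (a point the replies do not cover), drops new connections forwarded between LAN-list members. Interface, bridge and network names are taken from the export; the rule comments and the ordering of the steps are my own assumptions.

```routeros
# Added example: consolidates the fixes suggested in this thread for the
# posted RouterOS 6.43 export. Names match the export; comments are assumed.

# 1. Put the two new bridges in the LAN list. The input chain ends with
#    "drop all not coming from LAN", so without this the router will not
#    answer DNS, Winbox or webfig requests from 192.168.96.0/24 and
#    192.168.97.0/24 even though their traffic is still forwarded to the WAN.
/interface list member
add interface=bridge6 list=LAN comment=main
add interface=bridge8 list=LAN comment=upstairs

# 2. The 192.168.16.1/24 address belongs on the bridge, not on ether2,
#    which is a slave port of bridge2.
/ip address
set [ find address="192.168.16.1/24" ] interface=bridge2

# 3. Hand out the router itself as DNS server so clients use its cache and
#    the router.lan static entry (allow-remote-requests=yes is already set).
#    Clients pick this up when they renew their lease.
/ip dhcp-server network
set [ find address="192.168.16.0/24" ] dns-server=192.168.16.1
set [ find address="192.168.96.0/24" ] dns-server=192.168.96.1
set [ find address="192.168.97.0/24" ] dns-server=192.168.97.1

# 4. Pin the bridge MAC so the gateway's L2 address does not change when a
#    member port goes down (bridge2 already has admin-mac set in the export).
/interface bridge
set bridge6 auto-mac=no admin-mac=[/interface bridge get bridge6 mac-address]
set bridge8 auto-mac=no admin-mac=[/interface bridge get bridge8 mac-address]

# 5. Isolation between the three LANs. The default forward chain only drops
#    traffic that came in from WAN, so LAN-to-LAN traffic is forwarded once
#    routing works. Drop new connections whose in and out interfaces are both
#    in the LAN list; established/related traffic never reaches this rule
#    because the fasttrack/accept rules above handle it. L2TP/SSTP/PPTP
#    clients arrive on dynamic ppp interfaces outside the LAN list, so remote
#    access is not affected. Traffic within one bridge is switched at layer 2
#    and does not pass through the forward chain at all.
/ip firewall filter
add action=drop chain=forward comment="drop new connections between LANs" \
    connection-state=new in-interface-list=LAN out-interface-list=LAN

# Verification: all three bridges should be LAN members, the .16.1 address
# should sit on bridge2, and a LAN-to-LAN drop rule should be the last
# forward rule.
/interface list member print where list=LAN
/ip address print where interface=bridge2
/ip firewall filter print where chain=forward
```

Run it from the terminal (Winbox or webfig) after restoring the posted backup, then renew a lease on each bridge and confirm that a client on 192.168.96.0/24 can resolve names through 192.168.96.1 but can no longer open new connections to 192.168.16.0/24 or 192.168.97.0/24. If hosts on one LAN do need to reach a service on another (a printer, for example), add an accept rule for that specific destination above the drop rule rather than removing the drop.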
 
cyberson

Re: multiple subnets one gateway

Sat Sep 22, 2018 11:56 pm

The LAN list command is exactly what I put in my post and already tried. I don't know why it didn't work, but I tried through webfig again and with your help figured it out, and now they are added.

Now everything seems to be working and at the correct speed.

I'm not sure what apply Admin. MAC Address means. Do you mean the gateway?

Can you point me to a link that shows how to have each of the 3 networks use a separate public IP?
They still all have to use the same isp gateway since I only have one correct?
edit: I have searched, but I can only find multiple ISPs with load balancing.

Thx, core
 
nescafe2002

Re: multiple subnets one gateway

Sun Sep 23, 2018 12:43 am

You should apply (enable and fill) admin mac on bridge6 and bridge8. Go to Bridge menu, open bridge6/bridge8, enable Admin. MAC Address and copy/paste the MAC Address visible in the same screen.

For multiple public IPs, you could split your single masquerade into separate srcnat rules based on source address:

/ip firewall nat
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface-list=WAN \
    src-address=192.168.16.0/24 to-addresses=1.1.1.1
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface-list=WAN \
    src-address=192.168.96.0/24 to-addresses=1.1.1.2
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface-list=WAN \
    src-address=192.168.97.0/24 to-addresses=1.1.1.3

These rules should replace the first NAT rule or at least be placed above them, you can drag/drop rearrange rules in webfig.
