coolfishsq
Topic Author
Posts: 1
Joined: Thu Jun 06, 2019 4:54 pm

1 mikrotik, 2 ISPs, 2 LANs, can't make LANS see each other

Thu Jun 06, 2019 5:10 pm

Hello dear friends! I am trying to make the following work: the first MikroTik port is ISP1, the second LAN1, the third ISP2, the fourth LAN2. The first LAN gets its internet from ISP1, the second from ISP2, but I also have some files shared in LAN2 that should be visible from LAN1, and I am kinda struggling with this; I cannot even ping LAN2 from LAN1. I tried 3 different configurations and none of them worked for me. Any help would be appreciated :)

1st config:
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 name=eth1
set [ find default-name=ether2 ] comment=LAN1 name=eth2
set [ find default-name=ether3 ] comment=WAN2 name=eth3
set [ find default-name=ether4 ] comment=LAN2 name=eth4
set [ find default-name=ether5 ] name=eth5
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth3 name=* password=* use-peer-dns=yes \
user=*
add add-default-route=yes disabled=no interface=eth1 name=* password=* use-peer-dns=yes \
user=*
/interface wireless
set [ find default-name=wlan2 ] country=russia disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
MikroTik wpa-pre-shared-key=* wpa2-pre-shared-key=*
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys \
name=profile1 supplicant-identity="" wpa2-pre-shared-key=*
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=russia disabled=no mode=ap-bridge \
security-profile=profile1 ssid=MikroTik wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool_LAN1 ranges=192.168.0.10-192.168.0.110
add name=pool_LAN2 ranges=192.168.0.130-192.168.0.230
/ip dhcp-server
add address-pool=pool_LAN1 disabled=no interface=bridge-local name=server1
add address-pool=pool_LAN2 disabled=no interface=eth4 name=server2
/interface bridge port
add bridge=bridge-local interface=eth2
add bridge=bridge-local interface=wlan1
add bridge=bridge-local disabled=yes interface=wlan2
/interface list member
add interface=bridge-local list=LAN
add interface=TEK list=WAN
/ip address
add address=192.168.0.1/25 interface=bridge-local network=192.168.0.0
add address=192.168.0.129/25 interface=eth4 network=192.168.0.128
/ip dhcp-client
add dhcp-options=hostname,clientid interface=wlan2
/ip dhcp-server network
add address=192.168.0.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.0.128/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.129
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="drop ssh forcers" dst-port=22,23 protocol=tcp src-address-list=\
login_blacklist
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1w3d chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=input in-interface=TEK new-connection-mark=in_WAN1 passthrough=no
add action=mark-connection chain=input in-interface=FORT new-connection-mark=in_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=in_WAN1 new-routing-mark=rt_WAN1 passthrough=no
add action=mark-routing chain=output new-routing-mark=rt_WAN2 passthrough=no routing-mark=in_WAN2
add action=mark-routing chain=prerouting in-interface=bridge-local new-routing-mark=rt_LAN1-WAN1 \
passthrough=no
add action=mark-routing chain=prerouting in-interface=eth4 new-routing-mark=rt_LAN2-WAN2 passthrough=\
no
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24
/ip route
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_WAN1
add distance=2 gateway=FORT routing-mark=rt_WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_WAN2
add distance=2 gateway=TEK routing-mark=rt_WAN2
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_LAN1-WAN1
add distance=2 gateway=TEK routing-mark=rt_LAN1-WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_LAN2-WAN2
add distance=2 gateway=FORT routing-mark=rt_LAN2-WAN2
So I tried to add exceptions for local traffic like this:
add action=mark-routing chain=prerouting in-interface=bridge-local out-interface!=eth4 new-routing-mark=rt_LAN1-WAN1 passthrough=no
add action=mark-routing chain=prerouting in-interface=eth4 out-interface!=bridge-local new-routing-mark=rt_LAN2-WAN2 passthrough=no
but it didn't work; it shows me the error "Couldn't change Mangle Rule - outgoing interface matching not possible in input and prerouting chains (6)"

Then I tried this way:
add action=mark-routing chain=prerouting in-interface=bridge-local dst-address=!192.168.0.128/25 new-routing-mark=rt_LAN1-WAN1 passthrough=no
add action=mark-routing chain=prerouting in-interface=eth4 dst-address=!192.168.0.0/25 new-routing-mark=rt_LAN2-WAN2 passthrough=no
add action=mark-routing chain=prerouting dst-address=192.168.0.0/24 new-routing-mark=main passthrough=no
so it looks like this:
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 name=eth1
set [ find default-name=ether2 ] comment=LAN1 name=eth2
set [ find default-name=ether3 ] comment=WAN2 name=eth3
set [ find default-name=ether4 ] comment=LAN2 name=eth4
set [ find default-name=ether5 ] name=eth5
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth3 name=* password=* use-peer-dns=yes \
user=*
add add-default-route=yes disabled=no interface=eth1 name=* password=* use-peer-dns=yes \
user=*
/interface wireless
set [ find default-name=wlan2 ] country=russia disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
MikroTik wpa-pre-shared-key=* wpa2-pre-shared-key=*
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys \
name=profile1 supplicant-identity="" wpa2-pre-shared-key=*
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=russia disabled=no mode=ap-bridge \
security-profile=profile1 ssid=MikroTik wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool_LAN1 ranges=192.168.0.10-192.168.0.110
add name=pool_LAN2 ranges=192.168.0.130-192.168.0.230
/ip dhcp-server
add address-pool=pool_LAN1 disabled=no interface=bridge-local name=server1
add address-pool=pool_LAN2 disabled=no interface=eth4 name=server2
/interface bridge port
add bridge=bridge-local interface=eth2
add bridge=bridge-local interface=wlan1
add bridge=bridge-local disabled=yes interface=wlan2
/interface list member
add interface=bridge-local list=LAN
add interface=TEK list=WAN
/ip address
add address=192.168.0.1/25 interface=bridge-local network=192.168.0.0
add address=192.168.0.129/25 interface=eth4 network=192.168.0.128
/ip dhcp-client
add dhcp-options=hostname,clientid interface=wlan2
/ip dhcp-server network
add address=192.168.0.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.0.128/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.129
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="drop ssh forcers" dst-port=22,23 protocol=tcp src-address-list=\
login_blacklist
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1w3d chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=input in-interface=TEK new-connection-mark=in_WAN1 passthrough=no
add action=mark-connection chain=input in-interface=FORT new-connection-mark=in_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=in_WAN1 new-routing-mark=rt_WAN1 passthrough=no
add action=mark-routing chain=output new-routing-mark=rt_WAN2 passthrough=no routing-mark=in_WAN2
add action=mark-routing chain=prerouting dst-address=!192.168.0.128/25 in-interface=bridge-local \
new-routing-mark=rt_LAN1-WAN1 passthrough=no
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/25 in-interface=eth4 \
new-routing-mark=rt_LAN2-WAN2 passthrough=no
add action=mark-routing chain=prerouting dst-address=192.168.0.0/24 new-routing-mark=main \
passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24
/ip route
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_WAN1
add distance=2 gateway=FORT routing-mark=rt_WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_WAN2
add distance=2 gateway=TEK routing-mark=rt_WAN2
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_LAN1-WAN1
add distance=2 gateway=TEK routing-mark=rt_LAN1-WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_LAN2-WAN2
add distance=2 gateway=FORT routing-mark=rt_LAN2-WAN2
That didn't work, so the 3rd option was:
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 name=eth1
set [ find default-name=ether2 ] comment=LAN1 name=eth2
set [ find default-name=ether3 ] comment=WAN2 name=eth3
set [ find default-name=ether4 ] comment=LAN2 name=eth4
set [ find default-name=ether5 ] name=eth5
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth3 name=* password=* use-peer-dns=yes \
user=*
add add-default-route=yes disabled=no interface=eth1 name=* password=* use-peer-dns=yes \
user=*
/interface wireless
set [ find default-name=wlan2 ] country=russia disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
MikroTik wpa-pre-shared-key=* wpa2-pre-shared-key=*
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys \
name=profile1 supplicant-identity="" wpa2-pre-shared-key=*
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=russia disabled=no mode=ap-bridge \
security-profile=profile1 ssid=MikroTik wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool_LAN1 ranges=192.168.0.10-192.168.0.110
add name=pool_LAN2 ranges=192.168.0.130-192.168.0.230
/ip dhcp-server
add address-pool=pool_LAN1 disabled=no interface=bridge-local name=server1
add address-pool=pool_LAN2 disabled=no interface=eth4 name=server2
/interface bridge port
add bridge=bridge-local interface=eth2
add bridge=bridge-local interface=wlan1
add bridge=bridge-local disabled=yes interface=wlan2
/interface list member
add interface=bridge-local list=LAN
add interface=TEK list=WAN
/ip address
add address=192.168.0.1/25 interface=bridge-local network=192.168.0.0
add address=192.168.0.129/25 interface=eth4 network=192.168.0.128
/ip dhcp-client
add dhcp-options=hostname,clientid interface=wlan2
/ip dhcp-server network
add address=192.168.0.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.0.128/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.129
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="drop ssh forcers" dst-port=22,23 protocol=tcp src-address-list=\
login_blacklist
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1w3d chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=input in-interface=TEK new-connection-mark=in_WAN1 passthrough=no
add action=mark-connection chain=input in-interface=FORT new-connection-mark=in_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=in_WAN1 new-routing-mark=rt_WAN1 passthrough=no
add action=mark-routing chain=output new-routing-mark=rt_WAN2 passthrough=no routing-mark=in_WAN2
add action=mark-routing chain=prerouting dst-address=!192.168.0.230-192.168.0.250 in-interface=\
bridge-local new-routing-mark=rt_LAN1-WAN1 passthrough=no
add action=mark-routing chain=prerouting dst-address=!192.168.0.2-192.168.0.9 in-interface=eth4 \
new-routing-mark=rt_LAN2-WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24
/ip route
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_WAN1
add distance=2 gateway=FORT routing-mark=rt_WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_WAN2
add distance=2 gateway=TEK routing-mark=rt_WAN2
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_LAN1-WAN1
add distance=2 gateway=TEK routing-mark=rt_LAN1-WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_LAN2-WAN2
add distance=2 gateway=FORT routing-mark=rt_LAN2-WAN2
where I was advised to change the IP of the computer with the shared files to 192.168.0.1-10 and to add the IP 192.168.0.240-50 in this range so that both LANs can see it, but it also didn't work.
 
anav
Forum Guru
Posts: 2964
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1 mikrotik, 2 ISPs, 2 LANs, can't make LANS see each other

Sat Jun 08, 2019 4:13 am

You should reset to defaults and start new.
Don't add any firewall rules, as the defaults work out of the box.
Then come back and post what you have.
It will be easier to discern when much cleaner.
Then, afterwards, if you want to add all the xtra garbage in, you can, to a working config.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: 1 mikrotik, 2 ISPs, 2 LANs, can't make LANS see each other

Tue Jun 11, 2019 4:32 pm

Hi

I've looked at the first config only: it's using mangling to route traffic. It could be done, but it is quite heavy on the CPU.

Better solution: use routing rules together with routing tables.

Todo:
* add/adjust routing tables
* add routing rules
* clean up existing config
# route table
/ip route add gateway=<gateway> routing-mark=lan1
/ip route add gateway=<gateway> routing-mark=lan2

# route rule
/ip route rule add dst-address=<lan1> action=lookup table=main
/ip route rule add dst-address=<lan2> action=lookup table=main
/ip route rule add action=lookup-only-in-table interface=bridge-local table=lan1
/ip route rule add action=lookup-only-in-table interface=ether4 table=lan2
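
Added example (editor's code, not from either poster or from MikroTik): a small Python model of RouterOS v6 route selection that runs the OP's first (mangle-only) config and sebastia's routing-rule approach against the same packets, so the difference can be seen without a router. The topology (192.168.0.0/25 on bridge-local, 192.168.0.128/25 on eth4, PPPoE gateways TEK and FORT) is taken from the config dump; the marked tables hold only the default routes the OP created, so a LAN1-to-LAN2 packet marked rt_LAN1-WAN1 matches 0.0.0.0/0 and leaves towards the ISP instead of the connected interface. Assumptions: the main table's default points at TEK, the tables in sebastia's reply are named lan1/lan2 as in his snippet, and his `interface=ether4` is the port the OP renamed to eth4. The model also shows that the order of the routing rules matters: the two `lookup` rules for the LAN prefixes must precede the `lookup-only-in-table` rules, otherwise inter-LAN traffic is still sent to the ISP.

```python
# Added example (not from the thread): model of RouterOS v6 route selection
# comparing the OP's mangle-only config with sebastia's routing rules.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Topology from the thread's config dump
LAN1 = net("192.168.0.0/25")     # bridge-local, router 192.168.0.1
LAN2 = net("192.168.0.128/25")   # eth4, router 192.168.0.129
ANY = net("0.0.0.0/0")


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    via: str  # PPPoE gateway (TEK = ISP1, FORT = ISP2) or connected interface


# Assumption: main holds the connected routes plus ISP1's default route.
TABLES: Dict[str, List[Route]] = {
    "main": [Route(LAN1, "bridge-local"), Route(LAN2, "eth4"), Route(ANY, "TEK")],
    # OP's marked tables: only default routes, no connected routes
    "rt_LAN1-WAN1": [Route(ANY, "TEK")],
    "rt_LAN2-WAN2": [Route(ANY, "FORT")],
    # tables from sebastia's reply (names assumed from his snippet)
    "lan1": [Route(ANY, "TEK")],
    "lan2": [Route(ANY, "FORT")],
}


def lookup(table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within a single routing table."""
    best = None
    for r in TABLES[table]:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


@dataclass
class Mangle:
    """prerouting mark-routing rule with passthrough=no (first match stops)."""
    in_iface: str
    new_mark: str
    dst_not: Optional[ipaddress.IPv4Network] = None  # dst-address=!X


@dataclass
class Rule:
    """/ip route rule; action is 'lookup' or 'lookup-only-in-table'."""
    action: str
    table: str
    dst: Optional[ipaddress.IPv4Network] = None
    iface: Optional[str] = None


def select_next_hop(in_iface: str, dst_ip: str,
                    mangle: Sequence[Mangle] = (),
                    rules: Sequence[Rule] = ()) -> Optional[str]:
    dst = ipaddress.ip_address(dst_ip)
    # 1. routing rules, top to bottom, first matching rule decides
    for r in rules:
        if r.dst is not None and dst not in r.dst:
            continue
        if r.iface is not None and r.iface != in_iface:
            continue
        hit = lookup(r.table, dst)
        if hit:
            return hit.via
        if r.action == "lookup-only-in-table":
            return None  # no fallback to main for this packet
    # 2. routing mark set by mangle: look up the marked table
    for m in mangle:
        if m.in_iface == in_iface and (m.dst_not is None or dst not in m.dst_not):
            hit = lookup(m.new_mark, dst)
            if hit:
                return hit.via
            break
    # 3. unmarked or unresolved: main table
    hit = lookup("main", dst)
    return hit.via if hit else None


# OP's first config: every packet from a LAN is marked towards its ISP
OP_MANGLE = [Mangle("bridge-local", "rt_LAN1-WAN1"), Mangle("eth4", "rt_LAN2-WAN2")]

# sebastia's rules, in the order he gave them ("ether4" = OP's eth4)
SEBASTIA_RULES = [
    Rule("lookup", "main", dst=LAN1),
    Rule("lookup", "main", dst=LAN2),
    Rule("lookup-only-in-table", "lan1", iface="bridge-local"),
    Rule("lookup-only-in-table", "lan2", iface="eth4"),
]


def compare() -> Dict[tuple, tuple]:
    """Next hop chosen by each approach for constructed sample packets."""
    cases = [("bridge-local", "192.168.0.130"), ("eth4", "192.168.0.20"),
             ("bridge-local", "8.8.8.8"), ("eth4", "8.8.8.8")]
    return {c: (select_next_hop(*c, mangle=OP_MANGLE),
                select_next_hop(*c, rules=SEBASTIA_RULES)) for c in cases}


if __name__ == "__main__":
    for (iface, dst), (a, b) in compare().items():
        print(f"{iface:12} -> {dst:15}  mangle-only: {str(a):12}  rules: {b}")
```

The model covers route selection only, not the firewall. Two things in the posted dump are worth checking separately once routing works: the srcnat masquerade rule has no out-interface, so it also rewrites the source of LAN1-to-LAN2 traffic (add `out-interface` matching the PPPoE interfaces), and the filter chain has no rule dropping unsolicited input from the WAN side while `/ip dns allow-remote-requests=yes` is set, so the router will answer DNS queries from the internet unless the default input drop that anav refers to is restored.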
