 
punx
newbie
Topic Author
Posts: 29
Joined: Sun Jun 30, 2013 3:37 am

RB4011iGS with more subnets

Sun Aug 25, 2019 10:25 pm

Hello,

I have RB4011iGS

- ether1 is wan
- ether2 is 192.168.10.1/24, DHCP - connected to PC1 (Windows, IP 192.168.10.254)
- ether10 is 192.168.20.1/24, DHCP - connected to PC2 (Windows, IP 192.168.20.254)

Internet works on PC1 and PC2.

PC1 can not ping PC2
PC2 can not ping PC1

From RB I can not ping PC1, but I can ping PC2.

How can I reconfigure it so that PC1 can ping PC2 and vice versa?
Why can the RB ping PC2, and not PC1?

On a different RB (RB751U) I have the default configuration with ether ports that have different subnets and the RB can ping all the clients. Also, clients from different subnets can ping each other as long as these filter rules are not applied:
ip firewall filter add chain=forward action=drop src-address=192.168.10.0/24 dst-address=192.168.20.0/24
ip firewall filter add chain=forward action=drop src-address=192.168.20.0/24 dst-address=192.168.10.0/24


Why doesn't RB4011iGS work like RB751U and how can it be set so that it does?


RB4011iGS (RouterOS 6.45.3) conf:
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add include=dynamic name=WAN
add include=dynamic name=lan_hotspot
add include=dynamic name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_hotspot ranges=192.168.10.2-192.168.10.254
add name=dhcp_lan ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_hotspot disabled=no interface=ether2 name=dhcp_hotspot
add address-pool=dhcp_lan disabled=no interface=ether10 name=dhcp_lan
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=lan_hotspot
add interface=ether10 list=LAN
/ip address
add address=192.168.10.1/24 interface=ether2 network=192.168.10.0
add address=192.168.20.1/24 interface=ether10 network=192.168.20.0
add address=192.168.2.22/24 interface=ether1 network=192.168.2.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.2.1
 
mkx
Forum Guru
Posts: 2829
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011iGS with more subnets

Sun Aug 25, 2019 10:47 pm

As somebody replied in some thread: the magic ball department is using another forum. If you want to get some useful input here, start by posting the complete configuration - you can get it by running /export hide-sensitive in a command window.
BR,
Metod
 
punx
newbie
Topic Author
Posts: 29
Joined: Sun Jun 30, 2013 3:37 am

Re: RB4011iGS with more subnets

Mon Aug 26, 2019 12:02 am

Sorry for the mistake... complete configuration with changed IPs:
/interface bridge
add admin-mac=74:4D:28:87:E1:32 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="dol"
set [ find default-name=ether2 ] comment="HS"
set [ find default-name=ether3 ] comment=Bridge
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.8.0.101-10.8.0.199
add name=dhcp_HS ranges=192.168.101.2-192.168.101.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp_LAN
add address-pool=dhcp_HS interface=ether2 lease-time=30m name=dhcp_HS
/queue simple
add dst=ether1 limit-at=20M/20M max-limit=20M/20M name=HotSpot target=ether2
add dst=ether1 limit-at=30M/30M max-limit=30M/30M name=LAN target=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.8.0.253/24 comment=defconf interface=bridge network=10.8.0.0
add address=192.168.101.2/24 interface=ether1 network=192.168.101.0
add address=192.168.101.1/24 disabled=yes interface=ether2 network=192.168.101.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-server network
add address=10.8.0.0/24 comment=defconf gateway=10.8.0.253 netmask=24
add address=192.168.101.0/24 gateway=192.168.101.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=195.29.247.161,195.29.247.162
/ip dns static
add address=10.8.0.253 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.101.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8291
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system identity
set name=RB_1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 2829
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011iGS with more subnets

Mon Aug 26, 2019 8:26 am

The shown configuration doesn't correspond to how you described the config:
- ether2 is 192.168.10.1/24, DHCP - connected to PC1 (Windows, IP 192.168.10.254)
- ether10 is 192.168.20.1/24, DHCP - connected to PC2 (Windows, IP 192.168.20.254)

The config doesn't show any IP config on ether2 - there's a disabled entry for 192.168.101.1/24 which by itself doesn't allow communication with PC1.
ether10 is member of bridge, which has set IP address 10.8.0.253/24 - which doesn't allow communication with PC2.

So either you obfuscated the posted config just too much (thus muddying the view in the crystal ball beyond usability) or you need to fix the IP setup on your router to match the designed LAN layout. Or there's another router in play which stirs the setup even more.

BTW, if you did obfuscate IP addresses: you only have to obfuscate public IP address, nobody is able to connect to your private (LAN) IP addresses directly so no point in obfuscating that.

The firewall rule set is default and most of rules deal with WAN connectivity. There's nothing which would break connections between ether2 (not accounted in any of interface lists) and ether10 (member of bridge, which is member of LAN interface list). On the other hand, the last rule in chain=input drops all connections to the router itself not coming from LAN, which also disallows any connection from ether2 to router including to DNS service (but that one is not set-up in dhcp-server network section, so it's fine ... if you intended to make it so).
BR,
Metod
 
punx
newbie
Topic Author
Posts: 29
Joined: Sun Jun 30, 2013 3:37 am

Re: RB4011iGS with more subnets

Tue Aug 27, 2019 10:06 pm

New configuration, without any Firewall Filter Rules (only for this test).

ether1 - DHCP client, wan
PC1 has IP 192.168.5.254 and is connected to ether2
PC2 has IP 192.168.10.254 and is connected to ether10
Internet works on PC1 and PC2.

PC1 can ping PC2, PC2 can ping PC1.

How can I configure the RB to block traffic between the subnets in both directions?
How can I configure the RB to block traffic between the subnets in only one direction (PC1 can ping PC2 but PC2 can not ping PC1)?

Thank you and sorry for my mistakes.

RB configuration:
# aug/27/2019 20:42:49 by RouterOS 6.45.3
# software id = EUPX-DS2T
#
# model = RB4011iGS+
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.5.2-192.168.5.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 lease-time=1h name=\
    dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether10 lease-time=1h name=\
    dhcp2
/ip address
add address=192.168.5.1/24 interface=ether2 network=192.168.5.0
add address=192.168.10.1/24 interface=ether10 network=192.168.10.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.10.0/24 gateway=192.168.10.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

 
mkx
Forum Guru
Posts: 2829
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011iGS with more subnets

Wed Aug 28, 2019 8:46 am

If the RB configuration you posted is complete, then the firewall is non-existent (and the device is thus open to any attacks). I strongly suggest starting again, this time selecting reset with factory defaults to have very sensible firewall rules enabled.

Anyway, if we start from empty firewall, you can block connections between the subnets this way:

blocking all traffic in both directions:
/ip firewall raw
# note that raw rules work on raw packets so src-address and dst-address strictly filter every single packet without taking context into account
add action=drop chain=prerouting src-address=192.168.5.0/24 dst-address=192.168.10.0/24
add action=drop chain=prerouting dst-address=192.168.5.0/24 src-address=192.168.10.0/24
If you only want to block certain types of traffic, then you can add additional selectors to the above rules (e.g. add protocol=tcp dst-port=80 to block only HTTP). In that case you might need to add more rules to block everything you want to block ... in this case it might be better to explicitly allow permissible traffic (by adding rules with action=accept) and block everything else using the shown rules. Mind that rule order is important, they are executed from top to bottom.

If you want to block traffic only when connections get initiated from one side, then you have to use different rules (which include connection tracking):
/ip firewall filter
# the first rule is there by default
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# block connections from PC2 only ... 
add action=drop chain=forward src-address=192.168.10.0/24 dst-address=192.168.5.0/24
# connections from PC1 are not blocked and are thus allowed. The other direction is allowed due to top most rule
BR,
Metod
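Added example, not from the thread or from MikroTik: a small Python model of how the two rule styles above behave on a ping exchange. It models raw/prerouting rules as stateless (every packet is judged on its own header, replies included) and forward filter rules as evaluated after connection tracking, with the RouterOS default of accepting a packet no rule matches. The addresses, the Packet/Rule/Firewall names and the per-ping connection id are constructed for the illustration. A third scenario, not in the post, swaps the order of the two filter rules to show why the established/related rule must come first.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

# Constructed addresses following the thread: PC1 on ether2, PC2 on ether10.
PC1 = "192.168.5.254"
PC2 = "192.168.10.254"
NET_PC1 = "192.168.5.0/24"
NET_PC2 = "192.168.10.0/24"
TRACKED = frozenset({"established", "related", "untracked"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    conn_id: int          # stands in for the ICMP echo id / TCP port pair
    proto: str = "icmp"


@dataclass
class Rule:
    """'accept' or 'drop'; optional src/dst networks and connection-state set."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    connection_state: Optional[frozenset] = None


class Firewall:
    def __init__(self, raw_prerouting=(), filter_forward=()):
        self.raw = list(raw_prerouting)
        self.forward = list(filter_forward)
        self.conntrack = set()      # known flows, stored direction-independent
        self._ids = count()

    @staticmethod
    def _flow_key(pkt):
        return (pkt.proto, pkt.conn_id, frozenset({pkt.src, pkt.dst}))

    @staticmethod
    def _matches(rule, pkt, state):
        if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
            return False
        if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst):
            return False
        if rule.connection_state is not None and state not in rule.connection_state:
            return False
        return True

    @classmethod
    def _run_chain(cls, rules, pkt, state):
        # First matching rule decides; RouterOS accepts when nothing matches.
        for rule in rules:
            if cls._matches(rule, pkt, state):
                return rule.action == "accept"
        return True

    def forward_packet(self, pkt):
        # raw/prerouting runs before connection tracking: no state is known yet.
        if not self._run_chain(self.raw, pkt, state=None):
            return False
        key = self._flow_key(pkt)
        state = "established" if key in self.conntrack else "new"
        accepted = self._run_chain(self.forward, pkt, state)
        if accepted and state == "new":
            self.conntrack.add(key)
        return accepted

    def ping(self, src, dst):
        """Echo request one way, echo reply back; success needs both forwarded."""
        conn_id = next(self._ids)
        if not self.forward_packet(Packet(src, dst, conn_id)):
            return False
        return self.forward_packet(Packet(dst, src, conn_id))


def block_both_ways_raw():
    """The two /ip firewall raw rules: nothing crosses in either direction."""
    fw = Firewall(raw_prerouting=[Rule("drop", src=NET_PC1, dst=NET_PC2),
                                  Rule("drop", src=NET_PC2, dst=NET_PC1)])
    return fw.ping(PC1, PC2), fw.ping(PC2, PC1)


def block_only_from_pc2_filter():
    """The two /ip firewall filter rules: PC1 may start connections, PC2 may not."""
    fw = Firewall(filter_forward=[Rule("accept", connection_state=TRACKED),
                                  Rule("drop", src=NET_PC2, dst=NET_PC1)])
    return fw.ping(PC1, PC2), fw.ping(PC2, PC1)


def drop_rule_placed_first():
    """Same rules, wrong order: PC2's echo replies now hit the drop rule first."""
    fw = Firewall(filter_forward=[Rule("drop", src=NET_PC2, dst=NET_PC1),
                                  Rule("accept", connection_state=TRACKED)])
    return fw.ping(PC1, PC2), fw.ping(PC2, PC1)


if __name__ == "__main__":
    for scenario in (block_both_ways_raw, block_only_from_pc2_filter, drop_rule_placed_first):
        print(scenario.__name__, "PC1->PC2, PC2->PC1 =", scenario())
```

The model tracks flows without timeouts and ignores the separate input chain, which is enough to show the point: with the established/related rule on top, a reply to a connection PC1 opened is accepted before the drop rule is reached, while a fresh connection from PC2 is "new" and falls through to the drop.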
 
punx
newbie
Topic Author
Posts: 29
Joined: Sun Jun 30, 2013 3:37 am

Re: RB4011iGS with more subnets

Wed Aug 28, 2019 12:17 pm

If the RB configuration you posted is complete, then firewall is non-existing (and the device is thus open for any attacks). I strongly suggest to start again, this time select reset with factory defaults to have a very sensible firewall rules enabled.
The RB configuration is complete; the firewall is non-existent only for these tests.

I need config which will for sure block all traffic between the subnets (on one subnet is sensitive data and I do not want someone from other subnet to reach them).

Thank you!
 
martinclaro
newbie
Posts: 30
Joined: Sat Sep 28, 2013 6:08 am
Location: Buenos Aires, Argentina
Contact:

Re: RB4011iGS with more subnets

Wed Aug 28, 2019 6:13 pm

You can start by removing the ether10 port from bridge, or assign the IP address to the bridge.
Martín C. @ TopHost Soluciones
MTCNA | MTCTCE
 
punx
newbie
Topic Author
Posts: 29
Joined: Sun Jun 30, 2013 3:37 am

Re: RB4011iGS with more subnets

Wed Aug 28, 2019 8:50 pm

You can start by removing the ether10 port from bridge, or assign the IP address to the bridge.


From post #5, ether10 is not in the bridge.
 
martinclaro
newbie
Posts: 30
Joined: Sat Sep 28, 2013 6:08 am
Location: Buenos Aires, Argentina
Contact:

Re: RB4011iGS with more subnets

Wed Aug 28, 2019 9:01 pm

Ok, can you provide the output of the following commands?
/export hide-sensitive
/ip arp print
/ip address print
/ip route print
Just obfuscate the public IP addresses only.
Martín C. @ TopHost Soluciones
MTCNA | MTCTCE
 
punx
newbie
Topic Author
Posts: 29
Joined: Sun Jun 30, 2013 3:37 am

Re: RB4011iGS with more subnets

Wed Aug 28, 2019 10:04 pm

Ok, can you provide the output of the following commands?

/export hide-sensitive
# aug/27/2019 20:42:49 by RouterOS 6.45.3
# software id = EUPX-DS2T
#
# model = RB4011iGS+
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.5.2-192.168.5.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 lease-time=1h name=\
    dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether10 lease-time=1h name=\
    dhcp2
/ip address
add address=192.168.5.1/24 interface=ether2 network=192.168.5.0
add address=192.168.10.1/24 interface=ether10 network=192.168.10.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.10.0/24 gateway=192.168.10.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1


/ip arp print
 #    ADDRESS         MAC-ADDRESS       INTERFACE                                                             
 0 DC 192.168.5.254   00:25:22:AF:F0:30 ether2 
 1 DC 192.168.10.254  A0:2B:B8:34:DB:7A ether10  


/ip address print
 #   ADDRESS            NETWORK         INTERFACE                                                             
 0   192.168.5.1/24     192.168.5.0     ether2  
 1   192.168.10.1/24    192.168.10.0    ether10 



/ip route print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.5.0/24     192.168.5.1     ether2                    0
 1  DC  192.168.10.0/24    192.168.10.1    ether10                 255
 
punx
newbie
Topic Author
Posts: 29
Joined: Sun Jun 30, 2013 3:37 am

Re: RB4011iGS with more subnets

Wed Aug 28, 2019 10:08 pm

Now I have applied the config from mkx and all works fine.

Thank you mkx and thank you martinclaro! :-)
