
Connecting Two Mikrotik routers / Two Subnets

Posted: Sat Oct 05, 2019 4:29 pm
by pedroSwan
Hi All

Can someone help me with the steps to get two Mikrotik routers working together on different subnets?

R1 (RB2011Uias) works just fine using PPPoE to my Fibre modem. R1 is at 192.168.1.1/24 with DHCP 192.168.1.10 - 192.168.1.30, NAT enabled.

R2 is (RB2011UAS-2HND-IN)

I would like R2 to be using 10.0.1.1/24 with DHCP in that range.

I would like to use ETHER5 on R1 connected to ETHER1 on R2.

All my efforts fail to provide internet access, though strangely from within 10.0.1.0 I can ping 192.168.1.1.

Any help really appreciated

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Sat Oct 05, 2019 4:43 pm
by mkx
There's a potential for problems if you want connectivity between devices in different LAN subnets and you want to have a firewall between them.

If you want to have it, then the setup will have to be slightly more complicated.

If you won't allow any connectivity between devices in both subnets, then you'll have to run a firewall on R2 which will block things. In addition to that, you can either run srcnat on R2 (and leave R1 as if there wasn't an R2 with its subnet) or not run srcnat on R2 but configure a static route on R1 (something like /ip route add dst-address=10.0.1.0/24 gateway=<R2 "WAN" address>).

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Sun Oct 06, 2019 1:33 pm
by pedroSwan
So my modest (nay novice) skill level still won't allow traffic to the internet from R2.

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Sun Oct 06, 2019 4:56 pm
by dmitris
Maybe you need something like this?

On R2:

/ip dhcp-client
add comment=uplink dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="Masq LAN" out-interface=\
ether1 src-address=10.0.1.0/24

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Sun Oct 06, 2019 9:46 pm
by pedroSwan
R1
 /export
# oct/06/2019 19:46:44 by RouterOS 6.45.6
# software id = 0273-98QJ
#
# model = 2011UiAS
# serial number = *******
/interface bridge
add admin-mac=D4:CA:******4 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=*********user=******
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1 \
    use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=\
    208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=******** dst-port=1**8 \
    protocol=udp to-addresses=192.168.**** to-ports=1**8
add action=dst-nat chain=dstnat disabled=yes dst-address=****** dst-port=\
    1** protocol=tcp to-addresses=192.168.**** to-ports=1*****9
add action=dst-nat chain=dstnat disabled=yes dst-address=***** dst-port=\
    8**** protocol=tcp src-port="" to-addresses=192.168.**** to-ports=**
add action=dst-nat chain=dstnat dst-address=***** dst-port=*1 \
    protocol=udp to-addresses=192.168.* to-ports=***
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats-all
/system clock
set time-zone-name=Europe/London
/system logging
add prefix=PPPoE topics=pppoe
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1
R2
[admin@MikroTik] > /export
# jan/02/1970 00:03:42 by RouterOS 6.44.3
# software id = EPF9-8J8D
#
# model = 2011UAS-2HnD
# serial number = ********
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client
add comment=uplink dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="Masq LAN" out-interface=ether1 \
    src-address=10.0.1.0/24
/system routerboard settings
set cpu-frequency=650MHz



Still nothing.. Sorry guys... BASIC please :roll:

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Sun Oct 06, 2019 10:18 pm
by dmitris
On R1:
/interface bridge port
add bridge=bridge comment=defconf disabled=no interface=ether5

This should help you... When you enable ether5 again, try to ping 8.8.8.8 on R2.
Basically your R2 should get an IP from R1 and use it as its WAN IP.

If it's still not working, please post here the export from R2:
/interface bridge export
/ip route export

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Mon Oct 07, 2019 10:10 pm
by pedroSwan
Thanks for the replies.

I'm afraid neither worked and I thought I'd give a default config a go and BINGO!

R1 Config
# oct/07/2019 20:03:32 by RouterOS 6.45.6
# software id = 0273-98QJ
#
# model = 2011UiAS
# serial number = R1 SERIAL
/interface bridge
add admin-mac=R1 MAC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=/////////// user=****************************
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=ISP IP ADDRESS dst-port= :) protocol=udp to-addresses=192.168.1.75 to-ports= :)
add action=dst-nat chain=dstnat disabled=yes dst-address=ISP IP ADDRESS dst-port= :( protocol=tcp to-addresses=192.168.1.245 to-ports= :(
add action=dst-nat chain=dstnat disabled=yes dst-address=ISP IP ADDRESS dst-port=8080 protocol=tcp src-port="" to-addresses=192.168.1.222 to-ports=???
add action=dst-nat chain=dstnat dst-address=ISP IP ADDRESS dst-port=11941 protocol=udp to-addresses=192.168.1.245 to-ports=?????
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats-all
/system clock
set time-zone-name=Europe/London
/system logging
add prefix=PPPoE topics=pppoe
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1
R2 Config

# oct/07/2019 20:00:12 by RouterOS 6.44.3
# software id = EPF9-8J8D
#
# model = 2011UAS-2HnD
# serial number = *************
/interface bridge
add admin-mac=D4:CA********* auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=4 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country="united kingdom" disabled=no distance=indoors \
    frequency=auto frequency-mode=regulatory-domain mode=ap-bridge ssid=\
    "Office LAN" wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=: ) :) :) :)  \
    wpa2-pre-shared-key=:) :) :) :)
/ip pool
add name=dhcp ranges=10.0.0.200-10.0.0.210
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=ether2 network=10.0.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name="MikroTik Wireless"
/system routerboard settings
set cpu-frequency=650MHz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

So thanks all.... Does R2 rely on the Firewall settings of R1? I think I have read that correctly?
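
An added example, not part of any post in this thread: a small Python parser for RouterOS `/export` text that reports which interfaces have an active bridge-port entry and whether a router's own forward chain drops new, non-dst-NATed connections arriving from its WAN list. The inline excerpts are trimmed from the exports posted above; counting an interface as bridged when at least one non-disabled entry exists is an assumption of this example.

```python
import shlex

# Trimmed excerpts of the exports posted in this thread (sample input for
# this example; redacted and unrelated lines left out).
R1_EXPORT = r'''
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf interface=ether5
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
'''
R2_EXPORT = r'''
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip firewall filter
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
'''

def parse_export(text):
    """Return (menu, params) tuples for every 'add' line of an export."""
    entries, menu, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):     # menu path, e.g. /ip firewall filter
            menu = line
        elif line.startswith("add "):
            params = dict(tok.split("=", 1)
                          for tok in shlex.split(line[4:]) if "=" in tok)
            entries.append((menu, params))
    return entries

def active_bridge_ports(entries):
    """Interfaces with at least one bridge-port entry that is not disabled
    (assumption of this example, see lead-in)."""
    return {p["interface"] for menu, p in entries
            if menu == "/interface bridge port" and p.get("disabled") != "yes"}

def list_members(entries, list_name):
    """Interfaces assigned to the named interface list (WAN, LAN, ...)."""
    return {p["interface"] for menu, p in entries
            if menu == "/interface list member" and p.get("list") == list_name}

def drops_new_from(entries, list_name):
    """True if a forward rule drops new, non-dst-NATed traffic from the list."""
    return any(menu == "/ip firewall filter" and p.get("chain") == "forward"
               and p.get("action") == "drop"
               and p.get("in-interface-list") == list_name
               and p.get("connection-nat-state") == "!dstnat"
               and "new" in p.get("connection-state", "").split(",")
               for menu, p in entries)

if __name__ == "__main__":
    r1, r2 = parse_export(R1_EXPORT), parse_export(R2_EXPORT)
    print("R1 active bridge ports:", sorted(active_bridge_ports(r1)))
    print("R2 WAN members:", sorted(list_members(r2, "WAN")))
    print("R2 drops new inbound from WAN:", drops_new_from(r2, "WAN"))
```

On the R1 excerpt, ether5 appears twice under `/interface bridge port`, once with `disabled=yes` and once without, so it is reported as an active port.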

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Mon Oct 07, 2019 10:54 pm
by dmitris
I checked your configuration of R1 and R2 and I'm totally confused. Your configuration should not work....
On R1 ether5 is removed from the bridge ... and on R2 ether1 is used as WAN with dhcp-client on it.....it means that R2 will not get a WAN IP and will not work.. Are you sure that R2 is connected to eth5 on R1? =))

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Mon Oct 07, 2019 11:28 pm
by pedroSwan
Yes

R1 Ether5 >>>>>> R2 Ether1 🤔

DHCP on R1 192.168.1.xxx
DHCP on R2 10.0.0.xxx

I’m wirelessly connected to R2 as I type!

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Mon Oct 07, 2019 11:38 pm
by dmitris
Can you run these commands on your R2 and post the output here:
/ip route print detail
/ip dhcp-client print detail

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Tue Oct 08, 2019 7:35 pm
by pedroSwan
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable via  ether1 distance=1 scope=30 target-scope=10 vrf-interface=ether1 

 1 ADC  dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=bridge gateway-status=bridge reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.37 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10 

/ip dhcp-client print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; defconf
     interface=ether1 add-default-route=yes default-route-distance=1 use-peer-dns=yes use-peer-ntp=yes dhcp-options=hostname,clientid status=bound address=192.168.1.37/24 gateway=192.168.1.1 dhcp-server=192.168.1.1 primary-dns=192.168.1.1 
     secondary-dns=208.67.222.222 expires-after=5m38s 

Re: Connecting Two Mikrotik routers / Two Subnets

Posted: Wed Oct 09, 2019 9:34 am
by dmitris
Thank you, this is what I expected to see =)