nikaein
just joined
Topic Author
Posts: 6
Joined: Wed Oct 07, 2020 2:43 pm

ip forward between two local networks

Thu Jan 28, 2021 4:44 pm

I have two local networks and a public one connected to my MikroTik via VLAN. I want the local networks to see each other without any NAT. So I have the following config on my MikroTik. But the local networks can't see each other.
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=172.16.16.1/24 interface=vlan3 network=172.16.16.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=!192.168.1.0/24 src-address=192.168.2.0/24
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ip forward between two local networks

Fri Jan 29, 2021 3:08 pm

Why have two separate subnets if they can see each other both ways??
The fact that you have different subnets means you are already starting to separate them at layer 2.
You can make firewall rules to allow routing between them at L3, which is not NAT. Is that what you mean?

I hope that's not your config, because you should reset it back to defaults and then ask how to proceed.
(PS: showing a partial config is useless as it's all interrelated.)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
nikaein
just joined
Topic Author
Posts: 6
Joined: Wed Oct 07, 2020 2:43 pm

Re: ip forward between two local networks

Fri Jan 29, 2021 9:40 pm

I want to put further rules on these networks. But first I need to make them see each other.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: ip forward between two local networks

Sat Jan 30, 2021 1:53 am

Since you're not NAT-ing, then you shouldn't have chain=src-nat rules.

chain=forward, action=accept means that ALL packets can forward between the subnets. If you'll permit all, then you don't need a default deny rule. And if you don't have a default-deny rule, then it's permitted anyway. So this rule would be superfluous.

chain=input, action=accept means that every node on any of your subnets can connect to a service running on the Mikrotik itself. So like winbox, dns, etc. Typically you'd have a default-deny rule for the input chain and then allow service ports as required (like winbox, or whatever your preferred management interface is). But add the accept rule before your deny rule otherwise you can lock yourself out of the device...

With default config your physical interfaces may be in the same bridge. Good idea to delete the bridge.
Also with default config there may be masquerading on the ether1 interface. You'd have to get rid of that if you're using ether1.

The devices on each subnet would have to have their default gateway set to the IP you've given each vlan interface.

When a packet comes into the router whether on an ether interface or vlan interface, it will be routed.
 
nikaein
just joined
Topic Author
Posts: 6
Joined: Wed Oct 07, 2020 2:43 pm

Re: ip forward between two local networks

Sat Jan 30, 2021 10:01 am

I'm NAT-ing, because I want local networks to see public network.

I have deleted the bridge, also.

All devices have mikrotik as their gateway.
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ip forward between two local networks

Sat Jan 30, 2021 5:19 pm

Nothing you have said makes any sense to me.
If you have two subnets that need full view of each other, then simply put them on the same subnet.
You can try and put the two groups on different pools within the same subnet for example so they have some degree of separation.
The only reason to have different subnets is if there are restrictions on the traffic between them, if not, there is no reason I can see.
So please confirm the reason??

You really need to scrap all the silly rules made to try and twist this setup like a pretzel.
Start with the defaults, and come clean and let us know what the use cases are for devices and users on the two subnets (without using any words containing the config).
 
nikaein
just joined
Topic Author
Posts: 6
Joined: Wed Oct 07, 2020 2:43 pm

Re: ip forward between two local networks

Sun Jan 31, 2021 10:18 am

Nothing you have said makes any sense to me, either.
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: ip forward between two local networks

Sun Jan 31, 2021 3:45 pm

Like I said, when you are able to describe the use cases, the requirements in words without discussing configuration, I will be able to provide assistance.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: ip forward between two local networks

Mon Feb 01, 2021 5:22 am

To have your subnets access the internet, you would only need a src-nat masquerade rule on the WAN interface. All other interfaces should not have src-nat or dst-nat. No mangle rules. Since you've already removed the bridge, when packets come into the router they should be routed according to the routes list.

Check IP > Routes. A route should've been created for each interface to which you assigned an IP. For example, you should see 172.16.16.0/24 listed with a gateway of vlan3.
If it's still not working then I'm wondering if the incoming packets are actually tagged. If they're not tagged you'd see them coming in on the ether interface and not the VLAN. What do you have on the other end? And which VLANs are attached to what physical ports?
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: ip forward between two local networks

Mon Feb 01, 2021 5:37 am

the use cases
I regularly split out the data, phones, and guest networks. If all cables terminate in the same room then I don't need a VLAN; instead I delete the bridge, which makes each physical port its own network. But if a customer has two floors with just one cable going between the floors, I have to fall back on VLANs to keep the networks/subnets separate across that cable. The reason to use multiple subnets is typically security.
 
nikaein
just joined
Topic Author
Posts: 6
Joined: Wed Oct 07, 2020 2:43 pm

Re: ip forward between two local networks

Mon Feb 01, 2021 7:31 pm

You are right. But with the src-nat masquerade on the WAN interface, the private networks can't see each other.

The routes are fine. Also, the incoming packets have no problem, because with this config everything works fine (the difference is in the masquerade rules):
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=172.16.16.1/24 interface=vlan3 network=172.16.16.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.2.0/24
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: ip forward between two local networks

Mon Feb 01, 2021 10:09 pm

What is your WAN interface on that router? Ether1?
These two lines are incorrect:
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.2.0/24
Delete them.

Then add
add action=masquerade chain=srcnat out-interface=ether1

And the default route (the 0.0.0.0/0 one) that will already be there if ether1 uses a DHCP client to get the public IP. If you set a static IP on the WAN then you have to manually add the route.
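As an added example (not posted by anyone in the thread), here is the layout Van9018's two replies describe, assembled into one config: masquerade keyed on the WAN out-interface only, a default-deny input chain with the accept rules placed before the drop, and a manually added default route for a static WAN. The LAN addresses are the thread's; the WAN interface name ether1 and the upstream gateway 203.0.113.1 are placeholders to replace with the real ones.

```routeros
# Added example, not the original poster's config. Placeholders: WAN is
# assumed to be ether1 and the upstream gateway 203.0.113.1 is made up.
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0

# NAT only on traffic that leaves towards the WAN. Matching on out-interface
# instead of src-address leaves vlan1<->vlan2 packets untouched, so the two
# LANs reach each other with their real source addresses.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

/ip firewall filter
# input = traffic to the router itself. Accept what is needed first, then
# drop the rest; a drop placed before the accepts locks you out of the box.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=!ether1 protocol=tcp dst-port=8291 action=accept comment="winbox from the LANs"
add chain=input in-interface=!ether1 protocol=udp dst-port=53 action=accept comment="DNS from the LANs"
add chain=input action=drop
# forward = routed traffic. LAN<->LAN and LAN->WAN pass without NAT;
# new connections arriving from the WAN are dropped.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-state=new action=drop
add chain=forward action=accept

# With a static WAN address the default route is not created for you
# (a DHCP client on ether1 would add it automatically).
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1
```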
 
nikaein
just joined
Topic Author
Posts: 6
Joined: Wed Oct 07, 2020 2:43 pm

Re: ip forward between two local networks

Tue Feb 02, 2021 5:02 am

No, it is on VLAN3 as you can see. And it has a static IP, 172.16.16.1.

If I delete those two rules and replace them with the one you suggested, the private networks can't see each other.
