MikroTik App
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Networking Structure

Thu Feb 04, 2021 12:55 pm

Hello Mikrotik User :)

Just got a Mikrotik hex and I am really impressed with the capabilities of this small thing.
But I can't seem to figure out how to configure it for my use.

What I want is the following:

Ethernet1/WAN is connected to my firewall
Ethernet 1-4 should work like a switch
Ethernet5 should be connected to my web server, which runs on a different network; I want to reach this one from port 4088.

I hope what I wrote is somewhat understandable.
Thanks for any advice.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Networking Structure

Fri Feb 05, 2021 3:57 am

Yes,
please post your config to see what is currently attempted.

/export hide-sensitive file=anynameyouwish
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Fri Feb 05, 2021 10:22 am

I think the port forwarding should work like this; I can test it next week.
I disabled the ports which should act like a switch.


/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.214.10-192.168.214.254
add name=dhcp_pool1 ranges=192.168.214.2-192.168.214.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether5 name=dhcp1
/interface bridge port
add comment=defconf interface=ether2
add comment=defconf interface=ether3
add comment=defconf interface=ether4
add comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.214.1/24 comment=defconf interface=ether5 network=\
    192.168.214.0
add address=10.38.25.31/16 interface=ether1 network=10.38.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.214.0/24 comment=defconf gateway=192.168.214.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.38.4.2
/ip dns static
add address=192.168.214.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward in-interface-list=WAN out-interface-list=LAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.38.25.31 dst-port=4880 log=yes \
    protocol=tcp to-addresses=192.168.214.160 to-ports=4880
add action=masquerade chain=srcnat dst-address=192.168.214.160 dst-port=4880 \
    out-interface=ether5 protocol=tcp src-address=10.38.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=10.38.25.31 dst-port=4899 \
    protocol=tcp to-addresses=192.168.214.160 to-ports=0-65535
/ip route
add distance=1 gateway=10.38.10.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=all memory-scroll=no only-headers=yes

Thanks for your help.
 
chuckt
just joined
Posts: 13
Joined: Sun Jan 12, 2020 5:11 pm

Re: Networking Structure

Sun Feb 07, 2021 10:35 pm

I'm no expert, but I thought disabling those ports would turn them off completely.
Also, you have set disabled=yes on several important firewall rules.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Networking Structure

Mon Feb 08, 2021 12:36 am

Firewall is crippled beyond any usable protection, simply because the first (top-most) rule allows just any connection from WAN towards LAN.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Networking Structure

Mon Feb 08, 2021 2:50 am

Not impressed that you made changes not knowing what you are doing.
Reset back to defaults on the firewall and ask for help from there.
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Mon Feb 08, 2021 8:20 am

Not impressed that you made changes not knowing what you are doing.
Reset back to defaults on the firewall and ask for help from there.
Okay, I restored the default settings.

Firewall is crippled beyond any usable protection, simply because the first (top-most) rule allows just any connection from WAN towards LAN.
That's not really a problem, because the WAN port is connected to a local network.
The local network is already protected by a Sophos firewall.
I only need the hex for port forwarding and access to the local network.
I'm no expert, but I thought disabling those ports would turn them off completely.
Also, you have set disabled=yes on several important firewall rules.

That was my intention: because I could not get these ports to work like a switch, I thought it would be best to disable them.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Networking Structure  [SOLVED]

Mon Feb 08, 2021 1:45 pm

Well, I missed the fact you're using the device inside LAN.

To achieve what you want it would be best to configure the device from scratch like this:
  • Download winbox to your management PC
  • connect management PC to router using one of ether2-ether5, run winbox and click MAC address of router to connect to it
  • reset router with no defaults and reconnect by clicking MAC address
  • create bridge and add ports ether1-ether4 to it
  • set IP on bridge interface ... either run DHCP client or set static IP address. In the latter case add default route and set IP address of a DNS server (these settings are only necessary to perform ROS upgrades. If you intend to upgrade it by uploading package files from management PC you can skip setting route and DNS)
  • if you want router to sync time, configure (S)NTP client ... you might need default route and DNS settings if you're going to use some internet time server
  • set IP address on ether5 interface (select IP address from server's subnet)
  • add NAT rule:
    /ip firewall nat
    add action=dst-nat chain=dstnat dst-port=4088 in-interface=<bridge> to-addresses=<WEB server address>
    
  • if web server doesn't use this router as default gateway, you'll have to add another NAT rule:
    /ip firewall nat
    add action=src-nat chain=srcnat in-interface=<bridge> dst-address=<WEB server address> to-addresses=<address of router in server's subnet>
    

There are additional tasks to be done if you want to restrict management access to router or if you want to restrict connections between both subnets.
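The steps above written out as one importable RouterOS script, using the addresses that appear later in this thread (10.38.25.31/16 on the Sophos side with gateway 10.38.10.1 and DNS 10.38.4.2, the web server 192.168.214.20 behind ether5 at 192.168.214.1, TCP port 4088). This is an added example, not mkx's or MikroTik's own script: the bridge and list names, the DHCP server on ether5, the restriction of the NAT rules to TCP and to the router's own address, and the input/forward filter rules (the "additional tasks" mkx mentions) are my assumptions.

```routeros
# Added example (not from the thread): hEX set up as mkx describes, starting from
# "/system reset-configuration no-defaults=yes". Names and filter rules are assumptions;
# all addresses and the port come from the thread itself.
/interface bridge
add name=bridge-lan1 comment="ether1-ether4 behave like one switch on the Sophos LAN"
/interface bridge port
add bridge=bridge-lan1 interface=ether1
add bridge=bridge-lan1 interface=ether2
add bridge=bridge-lan1 interface=ether3
add bridge=bridge-lan1 interface=ether4
/interface list
add name=LAN1 comment="Sophos LAN side (10.38.0.0/16)"
add name=LAN2 comment="web server side (192.168.214.0/24)"
/interface list member
add interface=bridge-lan1 list=LAN1
add interface=ether5 list=LAN2
/ip address
add address=10.38.25.31/16 interface=bridge-lan1
add address=192.168.214.1/24 interface=ether5
/ip route
# Default route via the Sophos; needed for RouterOS upgrades/NTP, not for the port forward itself
add gateway=10.38.10.1
/ip dns
set servers=10.38.4.2
/ip pool
add name=pool-lan2 ranges=192.168.214.10-192.168.214.254
/ip dhcp-server
add name=dhcp-lan2 interface=ether5 address-pool=pool-lan2 disabled=no
/ip dhcp-server network
add address=192.168.214.0/24 gateway=192.168.214.1 dns-server=10.38.4.2
/ip firewall nat
# Port forward: TCP 4088 sent to the router's own address on the bridge goes to the web server.
# dst-address= keeps the rule from rewriting unrelated traffic that merely transits the bridge.
add chain=dstnat action=dst-nat in-interface=bridge-lan1 protocol=tcp dst-address=10.38.25.31 \
    dst-port=4088 to-addresses=192.168.214.20 to-ports=4088
# mkx's second rule: only needed if the web server's default gateway is NOT 192.168.214.1.
# The thread later shows the server does use 192.168.214.1, so it is left disabled here.
add chain=srcnat action=src-nat out-interface=ether5 protocol=tcp dst-address=192.168.214.20 \
    dst-port=4088 to-addresses=192.168.214.1 disabled=yes
/ip firewall filter
# Management access to the router itself: only hosts on the two directly attached networks
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN1
add chain=input action=accept in-interface-list=LAN2
add chain=input action=drop
# Between the subnets: replies always pass; the server side may open connections towards the
# Sophos LAN; the Sophos LAN may only reach the server through the published (dst-nat) port
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN2 out-interface-list=LAN1
add chain=forward action=accept in-interface-list=LAN1 out-interface-list=LAN2 connection-nat-state=dstnat
add chain=forward action=drop
```

Upload the file and load it with /import, then connect from a 10.38.x.x host to 10.38.25.31:4088 and watch the dst-nat counter in /ip firewall nat print stats increase; if the connection is redirected but never answered, enable the disabled src-nat rule, which is exactly the case mkx describes where the server does not use the router as its default gateway.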
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Tue Feb 09, 2021 9:28 am

Well, I missed the fact you're using the device inside LAN.

To achieve what you want it would be best to configure the device from scratch like this:
  • Download winbox to your management PC
  • connect management PC to router using one of ether2-ether5, run winbox and click MAC address of router to connect to it
  • reset router with no defaults and reconnect by clicking MAC address
  • create bridge and add ports ether1-ether4 to it
  • set IP on bridge interface ... either run DHCP client or set static IP address. In the latter case add default route and set IP address of a DNS server (these settings are only necessary to perform ROS upgrades. If you intend to upgrade it by uploading package files from management PC you can skip setting route and DNS)
  • if you want router to sync time, configure (S)NTP client ... you might need default route and DNS settings if you're going to use some internet time server
  • set IP address on ether5 interface (select IP address from server's subnet)
  • add NAT rule:
    /ip firewall nat
    add action=dst-nat chain=dstnat dst-port=4088 in-interface=<bridge> to-addresses=<WEB server address>
    
  • if web server doesn't use this router as default gateway, you'll have to add another NAT rule:
    /ip firewall nat
    add action=src-nat chain=srcnat in-interface=<bridge> dst-address=<WEB server address> to-addresses=<address of router in server's subnet>
    

There are additional tasks to be done if you want to restrict management access to router or if you want to restrict connections between both subnets.
Thanks a lot, this works.
 
aesmith
Member Candidate
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Networking Structure

Tue Feb 09, 2021 6:29 pm

Why NAT to the web server from Inside? You should be able to simply route to it.
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Wed Feb 10, 2021 9:08 am

Why NAT to the web server from Inside? You should be able to simply route to it.
That came to my mind also, so for exercise I am trying this approach too.
I still need to get used to Mikrotik.
I configured a static route on my Sophos to route all requests for 192.168.214.xxx/24 to the Mikrotik hex on 10.38.25.31/16.
A tracert from 10.38.x.x/16 to 192.168.214.x shows the redirection to the Mikrotik hex works.
I can ping everything from the Mikrotik subnet but can't ping the Computer from my Sophos network.

Do I need some kind of Masquerade on the Mikrotik?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Networking Structure

Wed Feb 10, 2021 9:16 am

Check firewall on the Computer ... some OSes (Windows most notably) consider anything but its own subnet to be evil internet and block pings originating from other networks.
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Wed Feb 10, 2021 9:29 am

Check firewall on the Computer ... some OSes (Windows most notably) consider anything but its own subnet to be evil internet and block pings originating from other networks.
I turned the Firewall on the Computer off completely, still no response.
There are no active FW rules, only a Masquerade on the WAN port.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Networking Structure

Wed Feb 10, 2021 10:10 am

What is server's default gateway IP address? You can only route traffic from Sophos network via MT if either server or its default gateway knows to use RB as gateway towards Sophos network.
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Wed Feb 10, 2021 10:24 am

What is server's default gateway IP address? You can only route traffic from Sophos network via MT if either server or its default gateway knows to use RB as gateway towards Sophos network.
I want to route from Sophos network to Mk network.


Mikrotik bridge IP: 10.38.25.31
Mikrotik bridge GW: 10.38.10.1/16

Mikrotik ethernet 5 DHCP server: 192.168.214.1

Server IP: 192.168.214.20
GW: 192.168.214.1
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Wed Feb 10, 2021 12:10 pm

What is server's default gateway IP address? You can only route traffic from Sophos network via MT if either server or its default gateway knows to use RB as gateway towards Sophos network.
I want to route from Sophos network to Mk network.


Mikrotik bridge IP: 10.38.25.31
Mikrotik bridge GW: 10.38.10.1/16

Mikrotik ethernet 5 DHCP server: 192.168.214.1

Server IP: 192.168.214.20
GW: 192.168.214.1
I found this. https://wiki.mikrotik.com/wiki/Manual:S ... ic_Routing
This is basically what I am trying to do.

Router 1 is my Sophos Network.
Router 2 is MT Network.
I can ping Client LAN1 from Client1 Lan2
but can't the other way around
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Networking Structure

Wed Feb 10, 2021 12:30 pm

In the linked page, note the "routing subnet" between router1 and router2 ... it is important and makes life of both routers easier. The thing is that in usual SOHO networks router1 runs a stateful firewall as well ... and this firewall can trip if it doesn't see traffic in both directions. Which happens if router2 "WAN" address is directly part of router1 "LAN" subnet.
The other thing is (potential) firewall running on router2 ... so please post actual running config of mikrotik again (run /export file=anynameyouwish and copy-paste contents of that file).
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Fri Feb 12, 2021 11:03 am

In the linked page, note the "routing subnet" between router1 and router2 ... it is important and makes life of both routers easier. The thing is that in usual SOHO networks router1 runs a stateful firewall as well ... and this firewall can trip if it doesn't see traffic in both directions. Which happens if router2 "WAN" address is directly part of router1 "LAN" subnet.
The other thing is (potential) firewall running on router2 ... so please post actual running config of mikrotik again (run /export file=anynameyouwish and copy-paste contents of that file).
# jan/01/2002 02:28:45 by RouterOS 6.47.9
# software id = LVL6-6NB9
#
# model = RB750Gr3
# serial number = CC210CD3A5AF
/interface list
add comment=192.168.214.x name=LAN2
add comment=10.38.x.x name=LAN1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip settings
set accept-redirects=yes accept-source-route=yes
/interface list member
add interface=ether1 list=LAN1
add interface=ether5 list=LAN2
/ip address
add address=10.38.25.31/16 interface=ether1 network=10.38.0.0
add address=192.168.214.1/24 interface=ether5 network=192.168.214.0
add address=10.38.25.31 interface=ether1 network=10.38.25.31
add address=192.168.214.1/24 interface=ether2 network=192.168.214.0
/ip dns
set servers=10.38.4.2
/ip route
add check-gateway=ping distance=1 dst-address=10.38.0.0/16 gateway=ether1
add distance=1 dst-address=10.38.10.1/32 gateway=ether1
/tool user-manager database
set db-path=flash/user-manager
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Fri Feb 12, 2021 2:01 pm

In the linked page, note the "routing subnet" between router1 and router2 ... it is important and makes life of both routers easier. The thing is that in usual SOHO networks router1 runs a stateful firewall as well ... and this firewall can trip if it doesn't see traffic in both directions. Which happens if router2 "WAN" address is directly part of router1 "LAN" subnet.
The other thing is (potential) firewall running on router2 ... so please post actual running config of mikrotik again (run /export file=anynameyouwish and copy-paste contents of that file).
# jan/01/2002 02:28:45 by RouterOS 6.47.9
# software id = LVL6-6NB9
#
# model = RB750Gr3
# serial number = CC210CD3A5AF
/interface list
add comment=192.168.214.x name=LAN2
add comment=10.38.x.x name=LAN1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip settings
set accept-redirects=yes accept-source-route=yes
/interface list member
add interface=ether1 list=LAN1
add interface=ether5 list=LAN2
/ip address
add address=10.38.25.31/16 interface=ether1 network=10.38.0.0
add address=192.168.214.1/24 interface=ether5 network=192.168.214.0
add address=10.38.25.31 interface=ether1 network=10.38.25.31
add address=192.168.214.1/24 interface=ether2 network=192.168.214.0
/ip dns
set servers=10.38.4.2
/ip route
add check-gateway=ping distance=1 dst-address=10.38.0.0/16 gateway=ether1
add distance=1 dst-address=10.38.10.1/32 gateway=ether1
/tool user-manager database
set db-path=flash/user-manager
After this I created a masquerading srcnat rule on ether1.
Now I can ping the 10.38.x.x network from the 192.168.214.x

but not the other way around
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Networking Structure

Fri Feb 12, 2021 7:56 pm

There are a few errors in your configuration:
/ip address
add address=10.38.25.31/16 interface=ether1 network=10.38.0.0
add address=192.168.214.1/24 interface=ether5 network=192.168.214.0
# The following two lines should be removed
add address=10.38.25.31 interface=ether1 network=10.38.25.31
add address=192.168.214.1/24 interface=ether2 network=192.168.214.0


/ip route
# Routes are both wrong
add check-gateway=ping distance=1 dst-address=10.38.0.0/16 gateway=ether1
add distance=1 dst-address=10.38.10.1/32 gateway=ether1

# Use this one instead ... not needed for connections between both subnets but it is needed for subnet 192.168.214.0/24 to be able to reach network beyond sophos LAN
add gateway=10.38.10.1

The last error (routing) was probably not a show stopper for your particular problem.

Regarding your last change (adding NAT): it may or may not be necessary, but that entirely depends on settings of sophos router/firewall:
  • If you can configure sophos to use MT as gateway towards subnet 192.168.214.0/24 and configure its firewall not to track connections between both subnets, then no NAT on MT is necessary (well, this depends also on firewalls on end devices, they might trip on connections from the other subnet).
  • If you can set up sophos with static route but you can't change firewall settings, then use of "routing subnet" between sophos and MT solves this problem, again no NAT needed.
  • if you can't change any settings on sophos, then you'll need to do both src-nat and dst-nat on MT. If this is the case and you don't know what particular kind of NAT rules are needed, come back with good description of requirements. Beware that using NAT comes with constraints and limitations, so you should avoid this type of solution if possible.
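mkx's second option, the "routing subnet" between the Sophos and the hEX with no NAT at all, as an added RouterOS example that is not part of the thread. The corrected address and route lines follow mkx's notes above; the /30 link subnet 192.168.250.0/30 is a constructed value (any unused subnet works), the bridge and filter rules are my assumptions, and the Sophos side (its end of the /30, the static route for 192.168.214.0/24 via the hEX, and a firewall rule permitting 10.38.0.0/16 to 192.168.214.0/24, which the thread's last post identifies as the missing piece) has to be configured on the Sophos itself.

```routeros
# Added example (not from the thread): routed set-up with a link ("routing") subnet, no NAT.
# 192.168.250.0/30 is a constructed link subnet. Sophos side, done on the Sophos:
#   - 192.168.250.1/30 on its LAN interface (secondary address or a dedicated VLAN)
#   - static route 192.168.214.0/24 via 192.168.250.2
#   - firewall rule allowing 10.38.0.0/16 -> 192.168.214.0/24 (and replies)
/interface bridge
add name=bridge-lan1 comment="ether1-ether4 still behave like one switch"
/interface bridge port
add bridge=bridge-lan1 interface=ether1
add bridge=bridge-lan1 interface=ether2
add bridge=bridge-lan1 interface=ether3
add bridge=bridge-lan1 interface=ether4
/ip address
# Only two addresses, as mkx's correction keeps: the stray /32 on ether1 and the duplicate
# 192.168.214.1/24 on ether2 are gone. The hEX deliberately holds NO address inside 10.38.0.0/16:
# that is what forces replies from the server subnet back through the Sophos instead of straight
# to the 10.38.x.x client, so the Sophos firewall sees both directions of every flow.
add address=192.168.250.2/30 interface=bridge-lan1 comment="routing subnet towards Sophos"
add address=192.168.214.1/24 interface=ether5 comment="web server subnet"
/ip route
# One default route via the Sophos end of the link subnet; replaces the two interface routes
add gateway=192.168.250.1
/ip dns
set servers=10.38.4.2
/ip firewall nat
# Intentionally empty: with both directions passing the Sophos, masquerade on ether1 is not needed
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=bridge-lan1
add chain=input action=accept in-interface=ether5
add chain=input action=drop
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether5 out-interface=bridge-lan1 \
    comment="server subnet -> Sophos LAN and beyond"
add chain=forward action=accept in-interface=bridge-lan1 out-interface=ether5 \
    src-address=10.38.0.0/16 dst-address=192.168.214.0/24 comment="Sophos LAN -> server subnet"
add chain=forward action=drop
```

A ping from a 10.38.x.x host to 192.168.214.20 should now show up in /ip firewall connection print on the hEX with a reply in both directions; if the echo request arrives on ether5 but the reply never reaches the client, the missing piece is the Sophos forward rule, not anything on the hEX.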
 
Huluziandal
just joined
Topic Author
Posts: 11
Joined: Thu Feb 04, 2021 12:44 pm

Re: Networking Structure

Mon Feb 15, 2021 9:16 am

There are a few errors in your configuration:
/ip address
add address=10.38.25.31/16 interface=ether1 network=10.38.0.0
add address=192.168.214.1/24 interface=ether5 network=192.168.214.0
# The following two lines should be removed
add address=10.38.25.31 interface=ether1 network=10.38.25.31
add address=192.168.214.1/24 interface=ether2 network=192.168.214.0


/ip route
# Routes are both wrong
add check-gateway=ping distance=1 dst-address=10.38.0.0/16 gateway=ether1
add distance=1 dst-address=10.38.10.1/32 gateway=ether1

# Use this one instead ... not needed for connections between both subnets but it is needed for subnet 192.168.214.0/24 to be able to reach network beyond sophos LAN
add gateway=10.38.10.1

The last error (routing) was probably not a show stopper for your particular problem.

Regarding your last change (adding NAT): it may or may not be necessary, but that entirely depends on settings of sophos router/firewall:
  • If you can configure sophos to use MT as gateway towards subnet 192.168.214.0/24 and configure its firewall not to track connections between both subnets, then no NAT on MT is necessary (well, this depends also on firewalls on end devices, they might trip on connections from the other subnet).
  • If you can set up sophos with static route but you can't change firewall settings, then use of "routing subnet" between sophos and MT solves this problem, again no NAT needed.
  • if you can't change any settings on sophos, then you'll need to do both src-nat and dst-nat on MT. If this is the case and you don't know what particular kind of NAT rules are needed, come back with good description of requirements. Beware that using NAT comes with constraints and limitations, so you should avoid this type of solution if possible.

Thank you a lot, mkx.
After you said that the problem has to be on the Sophos side, I looked into it again and saw that there was a static route set up, but no firewall rule which allowed connections from 10.38.x.x to 192.168.214.x.
