SaxophoneSolo
just joined
Topic Author
Posts: 2
Joined: Sun Mar 07, 2021 4:58 pm

Separate network with access to the internet

Sun Mar 07, 2021 5:30 pm

I'm new to networking as well as Mikrotik configuration and would appreciate any help I can get. :)

I am trying to create a separate subnet for my small homelab. Since I'm new to networking and trying to learn, but still don't want to complicate things too much, the new network should have access to the main network and to the internet.

My main network is 192.168.0.0/24; the router/modem from my ISP takes care of Wi-Fi, DHCP and everything else. I connected one of its ports to my switch, which connects my main PC and TV.

The switch is also connected to a MikroTik hAP ac2, which until now was being used as a Wi-Fi access point (configured using QuickSet).
The WAN port is connected to the switch; ports 2-4 are used for the computers in my small homelab.

However I'd like to separate the networks a bit and use the ethernet ports 2-4 for a different network, for example 172.31.0.0 or 192.168.1.0.
This network should have access to the internet.


I have managed to configure the Mikrotik to give those PCs an IP address with a predefined DNS server, however none of them can access the internet or any other computer in the household.

Here is a quick scheme of my setup:
* Link to the image: https://ibb.co/nwFzGLG

This is my configuration:
# mar/07/2021 16:23:05 by RouterOS 6.47.7
# software id = Q6K6-I8T1
#
# model = RBD52G-5HacD2HnD
# serial number = C6140C325ACD
/interface bridge
add admin-mac=48:8F:5A:A5:CF:86 auto-mac=no comment=defconf name=bridge
add name=bridge2-hypervisors
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge name=wlan1_2.4 ssid="You know the rules and so do I" \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=slovenia disabled=no distance=indoors \
    installation=indoor mode=ap-bridge name=wlan2_5ghz ssid=\
    "You know the rules and so do I" wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip dhcp-server
add interface=bridge name=defconf
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool1-hypervisors ranges=172.31.0.2-172.31.0.250
/ip dhcp-server
add address-pool=pool1-hypervisors disabled=no interface=bridge2-hypervisors \
    name=dhcpserver-hyperv
/interface bridge port
add bridge=bridge2-hypervisors comment=defconf interface=ether2
add bridge=bridge2-hypervisors comment=defconf interface=ether3
add bridge=bridge2-hypervisors comment=defconf interface=ether4
add bridge=bridge2-hypervisors comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1_2.4
add bridge=bridge comment=defconf interface=wlan2_5ghz
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2_5ghz list=LAN
add interface=wlan1_2.4 list=LAN
/ip address
add address=192.168.0.251/24 comment=defconf disabled=yes interface=ether2 \
    network=192.168.0.0
add address=172.31.0.1/24 interface=bridge2-hypervisors network=172.31.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridge
/ip dhcp-server network
add address=172.31.0.0/24 dns-server=77.111.1.77,8.8.8.8 gateway=172.31.0.1
/ip dns
set allow-remote-requests=yes servers=77.111.1.77,8.8.8.8
/ip dns static
add address=192.168.0.251 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=bridge2-hypervisors
/system clock
set time-zone-name=Europe/Ljubljana
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Ipconfig and traceroute:
tracert:
C:\WINDOWS\system32>tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1  172.31.0.1  reports: Destination net unreachable.

Trace complete.

ipconfig:
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (4) I219-V
   Physical Address. . . . . . . . . : 48-2A-E3-00-E8-87
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8c8d:171a:9d5d:831%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.31.0.249(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, March 7, 2021 4:13:28 PM
   Lease Expires . . . . . . . . . . : Sunday, March 7, 2021 4:23:28 PM
   Default Gateway . . . . . . . . . : 172.31.0.1
   DHCP Server . . . . . . . . . . . : 172.31.0.1
   DHCPv6 IAID . . . . . . . . . . . : 105392867
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-FC-31-76-48-2A-E3-00-E8-87
   DNS Servers . . . . . . . . . . . : 77.111.1.77
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

I've been following these tutorials/threads, however I'm a bit lost now:
- viewtopic.php?t=139330
- How to run multiple networks from a Mikrotik
- viewtopic.php?t=87458
- MikroTik Tutorial 42 - Separate DHCP Server for WiFi Clients



How could I make this work? What should be changed?
Thank you for any suggestions :)
 
sarah
newbie
Posts: 27
Joined: Mon Feb 29, 2016 1:41 am

Re: Separate network with access to the internet

Mon Mar 08, 2021 11:05 am

Can you try removing the static route that you have created?
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Separate network with access to the internet

Tue Mar 09, 2021 6:48 pm

Your /interface list members are set incorrectly. You have the individual Interfaces set as members, but the interfaces are slaved to a bridge, so you must use the bridges as the interface. As a result, your firewall filter rules are currently dropping your traffic. You should only need:
/interface list member
# the bridge that carries ether1 (and gets the DHCP lease) is the WAN side
add interface=bridge list=WAN
# the bridge that carries ether2-5 is the LAN side
add interface=bridge2-hypervisors list=LAN
Note: Once corrected, you will not be able to access the device from the WAN network unless you edit the firewall rules.
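As an added example (not code from anyone in this thread), here is a small Python lint that parses a RouterOS export like the one posted above and reports the mistake described in the reply: /interface list members that name a bridge port instead of the bridge the port is slaved to. The sample export embedded in it is constructed from the bridge and port names in the thread, and the `parse_export`, `find_slave_list_members` and `suggested_members` functions are mine, not RouterOS tooling.

```python
"""Lint a RouterOS export for interface-list members that name bridge ports.

Added example for this thread (not from any poster): a port slaved to a
bridge is not what the IP firewall sees as in-interface, so interface
lists have to name the bridge itself.
"""
import re
from collections import namedtuple

# Constructed sample export, trimmed to the relevant sections; the bridge
# and port names follow the configuration posted in the thread.
SAMPLE_EXPORT = r"""
# constructed sample, not a real device export
/interface bridge
add admin-mac=48:8F:5A:A5:CF:86 auto-mac=no comment=defconf name=bridge
add name=bridge2-hypervisors
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=bridge2-hypervisors comment=defconf interface=ether2
add bridge=bridge2-hypervisors comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=wlan1_2.4
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1_2.4 list=LAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
"""

# key=value tokens; values may be double-quoted and contain spaces
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

Finding = namedtuple("Finding", "interface list bridge")


def parse_export(text):
    """Return {section_path: [{key: value, ...}, ...]} for every 'add' line.

    Lines ending in a backslash continue the same command and are joined
    before parsing; '#' comments and 'set' commands are skipped because
    this check only needs the 'add' entries.
    """
    sections = {}
    section = None
    pending = ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            pending += piece[:-1]  # keep the space before the backslash
            continue
        line, pending = pending + piece, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
        elif section is not None and line.startswith("add "):
            entry = {k: v.strip('"') for k, v in KV_RE.findall(line)}
            sections[section].append(entry)
    return sections


def find_slave_list_members(sections):
    """Flag list members that are bridge ports rather than bridges.

    Traffic from a slaved port enters the IP stack on its bridge, so a list
    made only of slave ports never matches, and a rule such as
    'drop all not coming from LAN' (in-interface-list=!LAN) drops the very
    clients the list was meant to admit.
    """
    port_to_bridge = {
        e["interface"]: e["bridge"]
        for e in sections.get("/interface bridge port", [])
        if "interface" in e and "bridge" in e
    }
    return [
        Finding(e["interface"], e.get("list"), port_to_bridge[e["interface"]])
        for e in sections.get("/interface list member", [])
        if e.get("interface") in port_to_bridge
    ]


def suggested_members(findings):
    """Collapse findings into the distinct (bridge, list) pairs to add instead."""
    return sorted({(f.bridge, f.list) for f in findings})


if __name__ == "__main__":
    found = find_slave_list_members(parse_export(SAMPLE_EXPORT))
    for f in found:
        print(f"list {f.list}: {f.interface} is a port of {f.bridge}; use the bridge")
    for bridge, lst in suggested_members(found):
        print(f"/interface list member add interface={bridge} list={lst}")
```

Run against the sample, the lint flags all four members and proposes the bridges instead. Note the conflict it surfaces: because the wireless ports sit in LAN while ether1 sits in WAN, a literal translation would put `bridge` in both lists, so the operator still has to decide which side that bridge belongs to (the reply above puts it in WAN only).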
 
SaxophoneSolo
just joined
Topic Author
Posts: 2
Joined: Sun Mar 07, 2021 4:58 pm

Re: Separate network with access to the internet

Wed Mar 10, 2021 11:37 pm

Thank you both very much!

I will check and try to correct it in the following days.
