mp82
just joined
Topic Author
Posts: 8
Joined: Tue Apr 27, 2021 10:03 am

Two segmented networks access to one shared network

Tue Apr 27, 2021 10:21 am

I have the hEX and trying to figure out how to be able to do the following:

ether1 - unused
ether2 - management port
ether3 - subnet A (DHCP 192.168.1.0/24) - Network 1
ether4 - subnet B (DHCP 192.168.2.0/24) - Network 2
ether5 - subnet C (DHCP 192.168.3.0/24) - Device 1 & 2

On subnet C there will be two devices that both subnet A and B will need to access, but subnet A and B should not be able to talk to each other.
Another possible setup would be the following:

ether1 - management port
ether2 - subnet A (DHCP 192.168.1.0/24) - Network 1
ether3 - subnet B (DHCP 192.168.2.0/24) - Network 2
ether4 - subnet C (DHCP 192.168.3.0/24) - Device 1
ether5 - subnet D (DHCP 192.168.4.0/24) - Device 2

In this setup, subnet A and subnet B should be able to communicate with subnet C and subnet D, but not with each other.

But I'm not able to figure out how to set this up. I've started with adding addresses and tried DHCP, but it doesn't allow me to use these on ether1-5, only on bridges and VLANs. As bridges didn't seem like the correct solution, I tried with VLANs but I'm not able to figure out how.
 
mp82
just joined
Topic Author
Posts: 8
Joined: Tue Apr 27, 2021 10:03 am

Re: Two segmented networks access to one shared network

Wed Apr 28, 2021 12:53 pm

I was able to segment the networks by removing the bridge and I have DHCP on all 5 ports working.
Now I'm trying to use the Firewall to block traffic between the networks that don't need to communicate with each other.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two segmented networks access to one shared network  [SOLVED]

Wed Apr 28, 2021 1:08 pm

Very easy to do with or without vlans.
This is the best reference for vlans.....
viewtopic.php?f=23&t=143620

The answer to your question is basically the port structure.
If you will not need any of your ports for anything but one subnet, then vlans are not required.
However if you wish to have the flexibility of multiple subnets over a single port, vlans make sense.

Keep in mind that the other end of the port (the next device) has to be able to read vlans, aka a smart switch, to pass along the subnets.

In your case you are already struggling with setup due to limited ports and perhaps a smart switch is in your future.
In any case,
you could assign FOUR different subnets
a. management or emerg access
b. subnet A eth3
c. subnet B eth4
d. subnet C eth5

Simply add to the end of the default firewall rules a single rule, and all the subnets will be blocked from each other.
add chain=forward action=drop

Prior to this last rule in the forward chain you state the following to allow users in each subnet to access a shared device. With two devices it would be four rules........
subnet A is allowed access to device1 in subnet C
subnet A is allowed access to device2 in subnet C
subnet B is allowed access to device1 in subnet C
subnet B is allowed access to device2 in subnet C

Since you have two devices you make a firewall address list call it printers or whatever device it is
Add both devices to this list and then you only need to make the two firewall rules above with destination address list.
add chain=forward action=accept in-interface=ether3 out-interface=ether5 dst-address-list=printers
add chain=forward action=accept in-interface=ether4 out-interface=ether5 dst-address-list=printers

Further you can reduce this to one SINGLE firewall rule using interface list members.
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN

add chain=forward action=accept in-interface-list=LAN out-interface=ether5 dst-address-list=printers

To illustrate the use of interface lists, imagine that you do not want ether5 to get internet access.

So you have
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether2 list=internet
add interface=ether3 list=internet
add interface=ether4 list=internet

So before the drop all rule you will need to state
add chain=forward action=accept in-interface-list=internet out-interface-list=WAN

You could also refine the devices rule to
add chain=forward action=accept in-interface-list=internet out-interface=ether5 dst-address-list=printers
 
mp82
just joined
Topic Author
Posts: 8
Joined: Tue Apr 27, 2021 10:03 am

Re: Two segmented networks access to one shared network

Wed Apr 28, 2021 1:22 pm

@anav thank you for the tips, it seems it's working!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two segmented networks access to one shared network

Wed Apr 28, 2021 2:25 pm

You should post your config to ensure all is good.
/export hide-sensitive file=anynameyouwish
 
mp82
just joined
Topic Author
Posts: 8
Joined: Tue Apr 27, 2021 10:03 am

Re: Two segmented networks access to one shared network

Wed Apr 28, 2021 2:53 pm

Thanks for taking your time. I made some changes to the concept based on your advice.
# apr/27/2021 10:34:13 by RouterOS 6.47.8
# software id = 45F8-20L9
#
# model = RB750Gr3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Secure devices" name=SECURE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool4 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool5 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool6 ranges=192.168.50.2-192.168.50.254
add name=dhcp_pool7 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool8 ranges=192.168.70.2-192.168.70.254
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=ether1 lease-time=1h name=\
    dhcp1
add address-pool=dhcp_pool5 disabled=no interface=ether2 lease-time=1h name=\
    dhcp2
add address-pool=dhcp_pool6 disabled=no interface=ether3 lease-time=1h name=\
    dhcp3
add address-pool=dhcp_pool7 disabled=no interface=ether4 lease-time=1h name=\
    dhcp4
add address-pool=dhcp_pool8 disabled=no interface=ether5 lease-time=1h name=\
    dhcp5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set lan-interface-list=LAN
/interface list member
add comment=MGMT interface=ether1 list=LAN
add comment="LAN 1" interface=ether2 list=LAN
add comment="LAN 2" interface=ether3 list=LAN
add comment="SECURE 1" interface=ether4 list=LAN
add comment="SECURE 2" interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=MGMT interface=ether1 network=\
    192.168.88.0
add address=192.168.40.1/24 comment="LAN 1" interface=ether2 network=\
    192.168.40.0
add address=192.168.50.1/24 comment="LAN 2" interface=ether3 network=\
    192.168.50.0
add address=192.168.60.1/24 comment="SECURE 1" interface=ether4 network=\
    192.168.60.0
add address=192.168.70.1/24 comment="SECURE 2" interface=ether5 network=\
    192.168.70.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.60.0/24 gateway=192.168.60.1
add address=192.168.70.0/24 gateway=192.168.70.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface=ether2 out-interface=ether4
add action=accept chain=forward in-interface=ether2 out-interface=ether5
add action=accept chain=forward in-interface=ether3 out-interface=ether4
add action=accept chain=forward in-interface=ether3 out-interface=ether5
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=ROUTER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two segmented networks access to one shared network

Wed Apr 28, 2021 4:03 pm

(1) Bit confused, I assumed the hex was acting as a router??
To me this looks like a switch setting? as there is no connection to an ISP???

(2) Set this to NONE, as it is known to cause problems!
/interface detect-internet
set lan-interface-list=LAN

The rest of my comments depend on answers to 1!!
 
mp82
just joined
Topic Author
Posts: 8
Joined: Tue Apr 27, 2021 10:03 am

Re: Two segmented networks access to one shared network

Wed Apr 28, 2021 4:09 pm

It is acting as a router, to allow two computers, owned one each by two companies under the same roof, to connect to two devices both companies need access to.

There's no need for an internet connection as these devices don't need it. The computers will be fitted with an additional network card for connectivity if needed to remain connected to the internet. That's above my pay grade, I just need to get it done.
Company A --> (Network A) --> Computer A <-- Network X <-- hEX ether2
Company B --> (Network B) --> Computer B <-- Network Y <-- hEX ether3
                                Device 1 <-- Network Z <-- hEX ether4
                                Device 2 <-- Network S <-- hEX ether5
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two segmented networks access to one shared network

Wed Apr 28, 2021 4:34 pm

Okay............. very weird setup, but if it works LOL........ Beyond my scope of knowledge.
To me that sounds more like funky nat or routing settings but if you have found an easier way!!!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Two segmented networks access to one shared network

Wed Apr 28, 2021 4:42 pm

Beyond my scope of knowledge.

Undoubtedly.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two segmented networks access to one shared network

Wed Apr 28, 2021 4:50 pm

Feeling perky today LOL
 
mp82
just joined
Topic Author
Posts: 8
Joined: Tue Apr 27, 2021 10:03 am

Re: Two segmented networks access to one shared network

Thu Apr 29, 2021 9:42 am

To give context, it's for two companies that occupy the same building and need access to building management devices. Since both companies have separate networks and WANs, along with separate policies and concepts of security, a way is needed to keep both networks separated (Network A and B can't communicate with each other) but allow access to those devices. The devices and computers connecting to those devices don't need a WAN link. If the computers are required to have a WAN link, they can add a network card so they can have both the company network and the LAN network that only allows access to the devices.

So they can configure it best case for an airgapped scenario or worst case make the device accessible through their network. Either way is better than connecting both networks through one computer both companies don't claim responsibility for. Either way, it works as intended and I'm happy for your help and I'm very impressed with MikroTik.
 
mp82
just joined
Topic Author
Posts: 8
Joined: Tue Apr 27, 2021 10:03 am

Re: Two segmented networks access to one shared network

Wed Jul 28, 2021 10:16 am

I got around to installing this and I'm going over my configuration. Tests show it doesn't seem to work anymore somehow, even though the config was still in place, and a reset + restore of the config isn't working anymore.

So to summarize what I want to do:
- I have 4 LAN subnets:
Port 2 - 192.168.40.0 - LAN subnet A
Port 3 - 192.168.50.0 - LAN subnet B
Port 4 - 192.168.60.0 - Shared device X
Port 5 - 192.168.70.0 - Shared device Y

Port 1 is being used for management and maintenance only. There is no need for internet for now, so I'll only focus on the LAN to LAN settings.
The purpose is that both subnet A and B have access to both shared devices, but not to each other (A and B or X and Y). @anav helped me see the light by not going with VLANs but just DHCP and firewall rules. Though I'm unable to even ping devices from subnet A to shared device X.

I'm uncertain if anything else needs to happen to allow traffic to flow between subnets.

I added an extra rule to the firewall (add action=accept chain=forward in-interface=ether4 out-interface=ether2) and disabled the "drop forward" to see if this fixes it.
I'm just getting hits on the "accept forward" rules but ICMP/ping still don't reach devices.

Current config:
# jul/28/2021 09:06:55 by RouterOS 6.47.10
# software id = 45F8-20L9
#
# model = RB750Gr3
# serial number = xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Secure devices" name=SECURE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool4 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool5 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool6 ranges=192.168.50.2-192.168.50.254
add name=dhcp_pool7 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool8 ranges=192.168.70.2-192.168.70.254
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=ether1 lease-time=1h name=\
    dhcp1
add address-pool=dhcp_pool5 disabled=no interface=ether2 lease-time=1h name=\
    dhcp2
add address-pool=dhcp_pool6 disabled=no interface=ether3 lease-time=1h name=\
    dhcp3
add address-pool=dhcp_pool7 disabled=no interface=ether4 lease-time=1h name=\
    dhcp4
add address-pool=dhcp_pool8 disabled=no interface=ether5 lease-time=1h name=\
    dhcp5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set lan-interface-list=LAN
/interface list member
add comment=MGMT interface=ether1 list=LAN
add comment="LAN 1" interface=ether2 list=LAN
add comment="LAN 2" interface=ether3 list=LAN
add comment="SECURE 1" interface=ether4 list=LAN
add comment="SECURE 2" interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=MGMT interface=ether1 network=\
    192.168.88.0
add address=192.168.40.1/24 comment="LAN 1" interface=ether2 network=\
    192.168.40.0
add address=192.168.50.1/24 comment="LAN 2" interface=ether3 network=\
    192.168.50.0
add address=192.168.60.1/24 comment="SECURE 1" interface=ether4 network=\
    192.168.60.0
add address=192.168.70.1/24 comment="SECURE 2" interface=ether5 network=\
    192.168.70.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.60.0/24 gateway=192.168.60.1
add address=192.168.70.0/24 gateway=192.168.70.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface=ether2 out-interface=ether4
add action=accept chain=forward in-interface=ether2 out-interface=ether5
add action=accept chain=forward in-interface=ether3 out-interface=ether4
add action=accept chain=forward in-interface=ether3 out-interface=ether5
add action=accept chain=forward in-interface=ether4 out-interface=ether2
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
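An added example, not from the thread and not RouterOS code: a small Python model of first-match evaluation in the forward chain, applied to the rule sets on this page (anav's ordering advice of accept rules followed by a catch-all drop, the April export, and the July export above). The CLIENTS interface list, the device addresses and the host addresses are assumptions made for the example. Run against the July chain, where the catch-all drop is gone, the model accepts A to X exactly as the April chain does, so that chain is not where pings stop, while it also forwards A to B and X to A, which the intended policy forbids.

```python
# Added example (not from the thread): a first-match model of a RouterOS forward chain,
# used to check that a rule set gives the intended segmentation before it is deployed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:                       # one forwarded packet as the firewall sees it
    in_iface: str
    out_iface: str
    dst: str
    state: str = "new"            # new | established | related | untracked | invalid

@dataclass(frozen=True)
class Rule:                       # one chain=forward rule, only the matchers used in the thread
    action: str                   # "accept" or "drop"
    in_iface: Optional[str] = None          # in-interface
    out_iface: Optional[str] = None         # out-interface
    in_list: Optional[str] = None           # in-interface-list
    dst_list: Optional[str] = None          # dst-address-list
    states: Optional[frozenset] = None      # connection-state
    disabled: bool = False

# LAN is the list from the posted export; CLIENTS is an assumed extra list holding only the
# two client ports, so the shared-device ports themselves cannot use the accept rule.
IFACE_LISTS = {"LAN": {"ether1", "ether2", "ether3", "ether4", "ether5"},
               "CLIENTS": {"ether2", "ether3"}}
# Constructed addresses for shared device X (ether4) and Y (ether5), kept in one address list.
ADDR_LISTS = {"shared": {"192.168.60.10", "192.168.70.10"}}
EST = frozenset({"established", "related", "untracked"})
INVALID = frozenset({"invalid"})

def matches(rule: Rule, flow: Flow) -> bool:
    """Every matcher set on the rule must agree with the flow; unset matchers match anything."""
    if rule.disabled:
        return False
    checks = [
        rule.in_iface is None or flow.in_iface == rule.in_iface,
        rule.out_iface is None or flow.out_iface == rule.out_iface,
        rule.in_list is None or flow.in_iface in IFACE_LISTS[rule.in_list],
        rule.dst_list is None or flow.dst in ADDR_LISTS[rule.dst_list],
        rule.states is None or flow.state in rule.states,
    ]
    return all(checks)

def verdict(rules, flow: Flow) -> str:
    """The first matching rule decides; a chain with no match lets the packet through."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "accept"

# Forward chain of the April export (fasttrack omitted: same effect as the accept for
# established/related here): per-port accepts, then the catch-all drop.
APRIL_RULES = [
    Rule("accept", states=EST), Rule("drop", states=INVALID),
    Rule("accept", in_iface="ether2", out_iface="ether4"),
    Rule("accept", in_iface="ether2", out_iface="ether5"),
    Rule("accept", in_iface="ether3", out_iface="ether4"),
    Rule("accept", in_iface="ether3", out_iface="ether5"),
    Rule("drop"),
]
# The same policy in anav's compact form: one accept keyed on interface list and address list.
LIST_RULES = [
    Rule("accept", states=EST), Rule("drop", states=INVALID),
    Rule("accept", in_list="CLIENTS", dst_list="shared"),
    Rule("drop"),
]
# Forward chain of the July export: an extra ether4 -> ether2 accept and no catch-all drop.
JULY_RULES = [
    Rule("accept", states=EST),
    Rule("accept", in_iface="ether2", out_iface="ether4"),
    Rule("accept", in_iface="ether2", out_iface="ether5"),
    Rule("accept", in_iface="ether3", out_iface="ether4"),
    Rule("accept", in_iface="ether3", out_iface="ether5"),
    Rule("accept", in_iface="ether4", out_iface="ether2"),
    Rule("drop", states=INVALID, disabled=True),
]

# Constructed flows (host addresses made up) paired with the verdict the policy intends.
POLICY = {
    "A -> X (new)":   (Flow("ether2", "ether4", "192.168.60.10"), "accept"),
    "A -> Y (new)":   (Flow("ether2", "ether5", "192.168.70.10"), "accept"),
    "B -> X (new)":   (Flow("ether3", "ether4", "192.168.60.10"), "accept"),
    "A -> B (new)":   (Flow("ether2", "ether3", "192.168.50.20"), "drop"),
    "B -> A (new)":   (Flow("ether3", "ether2", "192.168.40.20"), "drop"),
    "X -> Y (new)":   (Flow("ether4", "ether5", "192.168.70.10"), "drop"),
    "X -> A (new)":   (Flow("ether4", "ether2", "192.168.40.20"), "drop"),
    "X -> A (reply)": (Flow("ether4", "ether2", "192.168.40.20", "established"), "accept"),
}

def violations(rules) -> list:
    """Names of the flows whose verdict differs from the intended segmentation."""
    return sorted(name for name, (flow, want) in POLICY.items() if verdict(rules, flow) != want)

if __name__ == "__main__":
    for label, rules in (("April", APRIL_RULES), ("lists", LIST_RULES), ("July", JULY_RULES)):
        print(f"{label}: violations = {violations(rules) or 'none'}")
```

The model captures the two properties the thread turns on: the chain is evaluated top to bottom and stops at the first match, and a forward chain with no matching rule accepts, so the segmentation exists only while the final unconditional drop is present. Return traffic from the shared devices passes through the established/related accept near the top, which is why no reverse accept rule is needed for replies.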
 
mp82
just joined
Topic Author
Posts: 8
Joined: Tue Apr 27, 2021 10:03 am

Re: Two segmented networks access to one shared network

Wed Jul 28, 2021 12:29 pm

Never mind, it was the devices' firewalls blocking traffic between the different subnets because the networks aren't trusted. Strangely this wasn't an issue the first time.
