shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

How do I connect two subnet in a single router?

Mon May 17, 2021 3:54 pm

My default subnet is 192.168.88.0/24, which has a DHCP server of its own. I have created another subnet, 192.168.188.0/24, with its own DHCP server. The goal was that both subnets can communicate with each other and both have internet access. The original intention was to send all DNS traffic to a Pi-hole for ad filtering, then back to the router as a DNS forwarder using DoH. The original post was viewtopic.php?f=2&t=174873&p=857287#p857287.
Client --> Mikrotik-->pihole-->Mikrotik as a DNS--> internet

The issue is that after creating the subnet (192.168.188.0/24), the newly created subnet can't communicate with the other subnet, nor does it have internet access. Also, there are other apps/devices on the new subnet that will need internet access. Any help regarding how to fix this issue will be highly appreciated. Here is my configuration:
# may/13/2021 08:15:52 by RouterOS 6.48.2
# model = RouterBOARD 962UiGS-5HacT2HnT

/interface bridge
add admin-mac=xxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=xxxxx user=xxxxxxx
/interface wireless

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pinet disabled=no interface=ether5 name=pinetDHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.245 client-id=1:bc:5f:f4:8a:a0:2 mac-address=\
    xxxxxx server=defconf
add address=192.168.88.246 client-id=1:10:dd:b1:b0:32:3d mac-address=\
    xxxxxx server=defconf
add address=192.168.88.247 client-id=1:0:26:bb:68:22:82 mac-address=\
    xxxxxx server=defconf
add address=192.168.88.4 client-id=1:dc:a6:32:44:f:f8 mac-address=\
    xxxxxx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.188.20-192.168.188.40 list=allowed_to_router

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    bridge out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
/ip firewall mangle

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
add check-gateway=ping distance=1 gateway=104.16.248.249 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=104.16.249.249 routing-mark=to_ISP1
add distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 scope=10
add distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system scheduler
add interval=1d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
add interval=2w1d name="Package upgrade" on-event=\
    "system package update install" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/23/2020 start-time=04:00:00
add interval=2w1d name="Routerboard Upgrade" on-event=":global Var1\r\
    \n:global Var2\r\
    \n:set Var1 \"\$[/system package get system version]\"\r\
    \n:set Var2 \"\$[/system routerboard get current-firmware]\"\r\
    \n:if (\$Var1>\$Var2) do={/system routerboard upgrade;\r\
    \n/system reboot;\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/23/2020 start-time=04:10:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Last edited by shafiqrahman on Mon May 17, 2021 5:00 pm, edited 2 times in total.
 
karlisi
Member
Posts: 437
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: How do I connect two subnet in single subnet?

Mon May 17, 2021 4:26 pm

You have the wrong gateway here, I believe:
/ip dhcp-server network
add address=192.168.188.0/24 comment=pinet gateway=192.168.88.1 netmask=24
It should be 192.168.188.1.
Not related to the connection problem, but the last two drop rules in the forward chain are not needed; the previous rule is already dropping everything from all interfaces.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Mon May 17, 2021 5:09 pm

Thank you for the response. After applying
/ip dhcp-server network
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
the issue still remains. The device IP on the new subnet is 192.168.188.40. Pinging from 192.168.88.246 returns:
ping 192.168.188.40
PING 192.168.188.40 (192.168.188.40): 56 data bytes
Request timeout for icmp_seq 0
Are you talking about the two rules after "Drop All Else"? I will remove them, thank you.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I connect two subnet in a single router?

Tue May 18, 2021 2:49 am

Because you use the preferred drop all else rule in the forward chain, you are required to state what traffic you wish to allow - which is a good thing!
Note that you state I want to allow some traffic to the internet via the WAN!
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
bridge out-interface-list=WAN


(1) Similarly, you need to state that you wish to allow the router to connect the two subnets at Layer 3.
add action=accept chain=forward src-address=192.168.88.0/24 dst-address=192.168.188.0/24 AND for the reverse........
add action=accept chain=forward src-address=192.168.188.0/24 dst-address=192.168.88.0/24

However that begs the question..... Why did you create a separate subnet if everyone can see each other????????????


(2) The reason one subnet cannot get to the internet is because you didn't allow it access to the internet - after all, you are the one in charge!!!
Looking at the rule above, what did it say? Everyone on the bridge can get access to the WAN................
......................... light bulb come on yet???

If not then remember this config line you made....
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
192.168.188.0

You need to add another similar rule to allow ether5 to the internet as well!!
OR
The more elegant way is to use interface list members, which already look like they exist in your config to provide the better answer!!!
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN

Based on this, the only thing you need to change is the existing rule
FROM
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
bridge out-interface-list=WAN


TO
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface-list=LAN \
    out-interface-list=WAN

After all, the mistake was staring you in the face, as the comment always stated LAN to WAN, not Bridge to WAN ;-PPP
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Tue May 18, 2021 10:57 pm

Hello, @anav. Nice to see you dropping by, and thank you for pointing out the mistakes. It seems like
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
bridge out-interface-list=WAN
the bridge portion was a mistake/typo made while securing the firewall. I didn't notice that it should be LAN instead of bridge. viewtopic.php?f=2&t=145927&p=718675#p718639

(1) For a separate subnet, my intention was to route all DNS traffic to a Pi-hole that is connected to the router for ad filtering, then redirect that DNS traffic to the MikroTik, where the MikroTik will then forward that traffic to an upstream DNS server using DoH. I tried some NAT rules that didn't work, then used the DHCP network in combination with a script. That worked, but I found out that it breaks DoH. So, by other users' suggestions, the only way left is separating subnets. viewtopic.php?f=2&t=174873&p=857287#p857287
My Raspberry Pi has other apps that need to be accessed from the other computers in my household, so it needs to be accessible.
(2) I had this rule
/interface list member add interface=ether5 list=LAN on a previous experimental config, but after some change in detect-internet it seems like the router auto-detects ether5 in the LAN interface list. So, I left it out. Now, the new implementation commands are:

/interface bridge port remove [find interface="ether5"]
/interface list member add interface=ether5 list=LAN
/ip address 
add address=192.168.188.1/24 comment=pinet interface=ether5 network=192.168.188.0
/ip pool
add name=pinet ranges=192.168.188.20-192.168.188.40
/ip dhcp-server
add address-pool=pinet disabled=no interface=ether5 name=pinetDHCP
/ip dhcp-server network
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
/ip firewall address-list
add address=192.168.188.20-192.168.188.40 list=allowed_to_router
/ip firewall filter
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
And the new firewall is:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24 src-address-list=""
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24 src-address-list=""
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
So far it's now working as expected. I was able to SSH into my Raspberry Pi (192.168.188.40) and ping google.com from it. I will test the new configuration for a few days and report back. Thank you again @anav for solving this issue and for that awesome firewall that is still holding.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 12:02 am

Good to hear,
as one other poster suggested the two rules after the drop all else rule should go,,,,,,,,

add action=drop chain=forward comment="Drop All Else"
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 1:09 am

If you want to feel more secure you can always add these ones in the forward chain.
add chain=forward action=drop destport=53 protocol=tcp/udp \
in-interface-list=wan
This was the comment when you configured the firewall last time, so they must go? And is it OK if I add ether5 in /ip upnp?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 1:11 am

Good to hear,
as one other poster suggested the two rules after the drop all else rule should go,,,,,,,,

add action=drop chain=forward comment="Drop All Else"
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp

Seriously?
¯\(ツ)/¯
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 1:31 am

/ip upnp interfaces
add interface=bridge type=internal
add interface=ether5 type=internal
add interface=ether1 type=external
Is the external interface pppoe-out1 or the DHCP client on ether1?
Or both?....
Yes, you can add ether5, but if the firewall blocks all incoming traffic from the internet by default, UPnP does not work.

Also, you can delete all those useless routes:
/ip route
add check-gateway=ping distance=1 gateway=104.16.248.249 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=104.16.249.249 routing-mark=to_ISP1
add distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 scope=10
add distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 scope=10

Very bad idea to auto update routeros, bug talk...
interval=2w1d name="Package upgrade" on-event= "system package update install"

The scheduler "Routerboard Upgrade" does not work in some cases...
Better check auto-update in the system routerboard settings...
For example, you compare strings:
if the system is "6.48" and the current firmware is "6.40.1", comparing the two strings the older one is "newer", because "6.40.1" > "6.48"
:put [("6.40.1" > "6.48")]

After drop all, these are useless...
/ip firewall filter
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp

Remove dude from the full group; it is deprecated:
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
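rextended's point about the "Routerboard Upgrade" scheduler script is that comparing version numbers as strings does not order them correctly. The example below is added here and is not code from the thread or from MikroTik: it shows a plain string comparison failing on constructed version pairs and a component-wise numeric comparison that orders them correctly. Python's byte-wise string comparison is not identical to RouterOS's, so the failing cases chosen are ones where Python's string comparison is wrong; the `version_key` parser is an assumption that versions are dotted integers.

```python
"""Version strings compared as text vs as numbers.

Added example, not from the thread or from MikroTik. Demonstrates why a
scheduler script that compares a package version and a firmware version
with a string '>' can decide an older release is "newer".
"""
import re


def newer_by_string(system_version: str, firmware_version: str) -> bool:
    """What a plain string '>' does: compares character by character,
    so "6.9" sorts after "6.48" and "6.48.2" after "6.48.10"."""
    return system_version > firmware_version


def version_key(version: str) -> tuple:
    """'6.48.2' -> (6, 48, 2).

    Assumption: versions are dotted integers; a non-numeric suffix on a
    component (e.g. 'rc1') is ignored and a non-numeric component counts as 0.
    """
    parts = []
    for component in version.split("."):
        digits = re.match(r"\d+", component)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def newer_by_number(system_version: str, firmware_version: str) -> bool:
    """Component-wise numeric comparison: the check an upgrade script needs."""
    return version_key(system_version) > version_key(firmware_version)


if __name__ == "__main__":
    # Constructed version pairs; the first two are newer on the left.
    for system, firmware in (("6.48", "6.9"), ("6.48.10", "6.48.2"), ("6.48.2", "6.48.2")):
        print(f"{system:>8} newer than {firmware:<8}? "
              f"string: {str(newer_by_string(system, firmware)):5} "
              f"numeric: {newer_by_number(system, firmware)}")
```

Run it directly to see the string comparison answer False for both pairs where the left-hand version really is newer, while the numeric comparison answers True.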
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 2:07 am

Thank you, @rextended. Will remove these rules and post an update.

For UPnP:
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
Though, the ISP connection is pppoe-out1.
Last edited by shafiqrahman on Wed May 19, 2021 2:12 am, edited 1 time in total.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 4:40 am

Here is the full config:
# may/19/2021 06:28:44 by RouterOS 6.48.2
#
# model = RouterBOARD 962UiGS-5HacT2HnT

/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=xxxxxxx user=xxxxxx
/interface wireless

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pinet disabled=no interface=ether5 name=pinetDHCP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.245 client-id=xxxxxxx mac-address=\
    xxxxxxx server=defconf
add address=192.168.88.246 client-id=xxxxxxx mac-address=\
    xxxxxxx server=defconf
add address=192.168.88.247 client-id=xxxxxxx mac-address=\
    xxxxxxx server=defconf
add address=192.168.88.4 client-id=xxxxxxx mac-address=\
    xxxxxxx server=defconf
add address=192.168.188.21 client-id=xxxxxxx mac-address=\
    xxxxxxx server=pinetDHCP
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.188.20-192.168.188.40 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24 src-address-list=""
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
/ip firewall mangle

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
add interface=ether5 type=internal
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Missing things from configuration file (reason unknown) are /ip route, /user group and /interface list member.
/ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1                1
 1 ADC  10.11.44.1/32      45.250.228.16   pppoe-out1                0
 2 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 3 ADC  192.168.188.0/24   192.168.188.1   ether5                    0
 /user group> print
2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,
       sensitive,api,romon,tikapp,!dude
And /interface list member shows ether5 as dynamic, but I did use /interface list member add interface=ether5 list=LAN. And the DHCP server lease shows devices on the new subnet, but not in the configuration export unless I make it static.
Last edited by shafiqrahman on Wed Nov 22, 2023 7:09 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I connect two subnet in a single router?  [SOLVED]

Wed May 19, 2021 5:50 am

Why do I bother posting stuff for it to be ignored??

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

add action=accept chain=forward comment="ENABLE LAN to WAN" \
in-interface-list=LAN out-interface-list=WAN

hint: what interface LAN member is missing????
hint: i already gave you the answer once LOL.

Also, the order of firewall rules is important.
The two rules allowing the subnets to talk to each other, which you have at the top of the forward chain, should move down to right before the drop-all rule.
Also, you have some garbage text on the end of that first rule: { src-address-list="" }

Also wanted to point out something for education purposes.......... based on the question being asked..
The reason this config made no sense and you were advised to change it......
add action=drop chain=forward comment="Drop All Else"
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp


is because you are telling the router DROP ALL OTHER TRAFFIC; in other words, the router would never look at the next two rules, as the router has matched all other traffic on the Drop All Else rule. There will be no traffic reaching those rules............. I hope that makes it clearer to you. So the order of matching is important, but understanding what each rule does is also important.
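The two points anav makes in this thread, that the LAN-to-WAN rule must match by interface list (so ether5 is covered) rather than `in-interface=bridge`, and that nothing after a match-all "Drop All Else" rule is ever evaluated, both come down to first-match semantics. The simulator below is an added example, not code from the thread or from MikroTik: it models only the matchers the thread's rules use, builds the forward chain in the order anav recommends (subnet-to-subnet accepts just before "Drop All Else", with the two WAN port-53 drops left after it), and evaluates constructed packets against it. `INTERFACE_LISTS`, the `Packet`/`Rule` classes and the sample packets are assumptions made for the demonstration; the IPsec and DSTNAT rules are omitted.

```python
"""First-match simulation of a RouterOS-style forward chain (added example).

Models in-interface, in-interface-list, out-interface-list, src-address,
dst-address, protocol, dst-port and connection-state matchers only.
"""
import ipaddress
from dataclasses import dataclass, field

# Interface-list membership as in the thread, with ether5 in LAN
# (the member anav points out is missing from the later export).
INTERFACE_LISTS = {
    "LAN": {"bridge", "ether5"},
    "WAN": {"ether1", "pppoe-out1"},
}


@dataclass
class Packet:
    """The subset of packet/connection fields the rules below look at."""
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: int = 443
    state: str = "new"


@dataclass
class Rule:
    action: str
    comment: str = ""
    match: dict = field(default_factory=dict)  # empty dict = matches everything

    def matches(self, p: Packet) -> bool:
        m = self.match
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        checks = [
            ("in-interface", lambda v: p.in_iface == v),
            ("in-interface-list", lambda v: p.in_iface in INTERFACE_LISTS[v]),
            ("out-interface-list", lambda v: p.out_iface in INTERFACE_LISTS[v]),
            ("src-address", lambda v: src in ipaddress.ip_network(v)),
            ("dst-address", lambda v: dst in ipaddress.ip_network(v)),
            ("protocol", lambda v: p.proto == v),
            ("dst-port", lambda v: p.dst_port == v),
            ("connection-state", lambda v: p.state in v.split(",")),
        ]
        # Every matcher present on the rule must hold; absent matchers are wildcards.
        return all(test(m[key]) for key, test in checks if key in m)


def evaluate(chain, p):
    """First matching rule decides, as in RouterOS; an unmatched packet is accepted."""
    for i, r in enumerate(chain):
        if r.matches(p):
            return r.action, r.comment, i
    return "accept", "<end of chain>", len(chain)


def unreachable_after_catchall(chain):
    """Indices of rules that can never match because an earlier rule matches everything."""
    for i, r in enumerate(chain):
        if not r.match:
            return list(range(i + 1, len(chain)))
    return []


def forward_chain(lan_to_wan_by_list: bool):
    """The thread's forward chain, simplified. With lan_to_wan_by_list=False the
    LAN-to-WAN rule matches in-interface=bridge, as in the first post."""
    lan_to_wan = ({"in-interface-list": "LAN", "out-interface-list": "WAN"}
                  if lan_to_wan_by_list else
                  {"in-interface": "bridge", "out-interface-list": "WAN"})
    return [
        Rule("accept", "defconf: accept established,related", {"connection-state": "established,related"}),
        Rule("drop", "defconf: drop invalid", {"connection-state": "invalid"}),
        Rule("accept", "ENABLE LAN to WAN", lan_to_wan),
        Rule("accept", "88 -> 188", {"src-address": "192.168.88.0/24", "dst-address": "192.168.188.0/24"}),
        Rule("accept", "188 -> 88", {"src-address": "192.168.188.0/24", "dst-address": "192.168.88.0/24"}),
        Rule("drop", "Drop All Else"),
        Rule("drop", "WAN dns tcp", {"in-interface-list": "WAN", "protocol": "tcp", "dst-port": 53}),
        Rule("drop", "WAN dns udp", {"in-interface-list": "WAN", "protocol": "udp", "dst-port": 53}),
    ]


# Constructed sample packets, not captured traffic.
PI_TO_INTERNET = Packet("ether5", "pppoe-out1", "192.168.188.21", "1.1.1.1")
LAN_TO_PI = Packet("bridge", "ether5", "192.168.88.246", "192.168.188.40", "icmp", 0)
WAN_DNS_IN = Packet("pppoe-out1", "bridge", "203.0.113.7", "192.168.88.246", "udp", 53)

if __name__ == "__main__":
    for label, chain in (("in-interface=bridge", forward_chain(False)),
                         ("in-interface-list=LAN", forward_chain(True))):
        print(f"--- LAN to WAN rule uses {label}")
        for p in (PI_TO_INTERNET, LAN_TO_PI, WAN_DNS_IN):
            action, comment, idx = evaluate(chain, p)
            print(f"{p.src:>16} -> {p.dst:<16} {action:6} by rule {idx} ({comment})")
    print("rules never reached:", unreachable_after_catchall(forward_chain(True)))
```

With the bridge-only rule, the Pi's outbound packet falls through to "Drop All Else" (rule 5); with the interface-list rule it is accepted by rule 2. The inbound WAN port-53 packet is dropped by rule 5 in both layouts, and `unreachable_after_catchall` reports rules 6 and 7 as dead, which is the static check you can run on any chain before asking whether a trailing rule "adds security".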
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 7:54 am

Thank you, @anav. { src-address-list="" } was a typo and has been removed. /interface list member is also as you mentioned. ENABLE LAN to WAN was also changed to LAN from bridge the very first time you mentioned it. The last two drop rules were also removed. And the newly added rules were also relocated as per your suggestion. Thanks to @rextended, I was ironing out some stuff. I started configuring the router the moment I saw your post; that was 0000hr and it is now 1100hr. So, your posts are much desired and praised. Thanks @anav for fixing the firewall again :P, and thank you @rextended for ironing out some stuff :D.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 10:13 am

Thank you, @rextended , Will remove these rules and post an update.

for upnp
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
add interface=ether5 type=internal
Thoough, the isp connection is pppoe-out1.
Change ether1 to pppoe-out1.

>>>...Missing things from configuration file (reason unknown) are /ip route, /user group...<<<
That is right, because the routes are dynamically added and updated from pppoe-out1 when it is connected.
The user group is now the default, and the export only "exports" what is changed from the default.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 1:09 pm

Glad it's working for you. Minor points:
/ip neighbor discovery-settings
set discover-interface-list=none (nothing wrong with putting LAN)


/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN ( I set this ALL to NONE as its use is not well known and can cause issues)
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Wed May 19, 2021 10:35 pm

Thank you, @rextended. Here is the result as per your suggestion:

/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
add interface=ether5 type=internal
:D

@anav, thank you :D. Here is the output:
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
I am a bit confused about this one. Is it ok now, or all interface list in detect internet should be "none"?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How do I connect two subnet in a single router?

Thu May 20, 2021 12:27 am

> Thank you, @rextended. Here is the result as per your suggestion:
>
> /ip upnp interfaces
> add interface=bridge type=internal
> add interface=pppoe-out1 type=external
> add interface=ether5 type=internal
> :D
>
> @anav, thank you :D. Here is the output:
> /ip neighbor discovery-settings
> set discover-interface-list=LAN
> /interface detect-internet
> set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
> I am a bit confused about this one. Is it ok now, or all interface list in detect internet should be "none"?
INTERNET DETECT = NONE
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Thu May 20, 2021 1:54 am

Thank you :D
Its done

/interface detect-internet> print
detect-interface-list: none
lan-interface-list: none
wan-interface-list: none
internet-interface-list: none
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Thu May 20, 2021 9:48 pm

Update report:
@rextended
Seems like removing
/ip route
add check-gateway=ping distance=1 gateway=104.16.248.249 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=104.16.249.249 routing-mark=to_ISP1
add distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 scope=10
add distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 scope=10
brings back the DNS error: DoH server connection error: Network unreachable
reference: viewtopic.php?f=2&t=164078&p=818234#p811844

@anav
found out
/interface detect-internet
set detect-interface-list=none 
This portion is linked with "tik app". Setting none removes the internet graph from the "tik app". Enabling it on the app changes to "detect-interface-list=all". :D
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: How do I connect two subnet in a single router?

Fri May 21, 2021 12:33 am

> Update report:
> @rextended
> Seems like removing
> /ip route
> add check-gateway=ping distance=1 gateway=104.16.248.249 routing-mark=to_ISP1
> add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_ISP1
> add check-gateway=ping distance=2 gateway=104.16.249.249 routing-mark=to_ISP1
> add distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 scope=10
> add distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 scope=10
> brings back the DNS error: DoH server connection error: Network unreachable
> reference: viewtopic.php?f=2&t=164078&p=818234#p811844
Sorry, I do not use DoH....
Remember to remove them when MikroTik solves the problem... I hope...
 
shafiqrahman
Member Candidate
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: How do I connect two subnet in a single router?

Fri May 21, 2021 5:37 am

Thank you, @rextended, I already removed that. The new config is still in testing; I posted it just to inform you guys :D
