difluoroethane
just joined
Topic Author
Posts: 2
Joined: Wed Sep 01, 2021 1:24 am

Best way to share 1 WAN connection on MB4011 to 2nd Router and separate network?

Fri Sep 03, 2021 11:37 pm

Hey everyone! So what I have going on is my brother is moving in next door and I have a 1200mb internet connection that is way more than enough for me and wanted to share it with him since he's not certain if he will stay for the long term and didn't want to sign up for something he would have to cancel later. Going to set up a wireless link between our two houses with some Engenius ENH500v3's https://www.engeniustech.com/engenius-p ... et-bridge/ and wanted our networks to be totally separate from each other and for his connection to be unfirewalled at my router. He wants to use his own router/firewall so he can set things up however he wants and not log into my MB4011 to have to do things.

Anyway, while I'm pretty sure this can be done, though please correct me if I'm wrong, I'm not 100% certain exactly how to configure my MB4011 to do this. I started to work on things myself, set up bridge2 with only port 9 on it (for the connection to his house) and removed port 9 from the default bridge (now named bridge1). I figured it would be easiest to set up a static IP address for port 9 and statically configure his own router as well instead of using DHCP, though maybe I'm thinking wrong. I'm guessing I need to have the wireless links on my network side but maybe it doesn't matter. Anyway, I drew up a rough network map to give you an idea of the current setup and what I'm thinking I should do.

Right now, my network is a 192.168.10.0/24 with the MB4011 at 192.168.10.1. He was planning on using 172.16.0.0/24 I think on his end with 172.16.0.1 for his router. I think the only thing we would need to worry about is just whatever port numbers we use for any servers or whatever we expose to the internet so there isn't any overlap, yes? Currently, neither one of us is doing anything special like that though I do currently have UPnP turned on for my Xbox ports and maybe I should turn it off and statically forward the ports instead.

Any ideas of how to go about setting things up like I'm describing, or am I "barking up the wrong tree" as it were? Thanks in advance for any advice!

Here is the rough network map I was thinking of:
Network map.PNG
Here is my current config:

# sep/03/2021 15:20:17 by RouterOS 6.48.1
# software id = XNZ5-SD9F
#
# model = RB4011iGS+
# serial number = D4450DE3C8A5
/interface ethernet
set [ find default-name=ether1 ] comment="WAN - Motorola 8600"
set [ find default-name=ether2 ] comment="Switch Ports"
set [ find default-name=ether9 ] comment="Robert's Port"
set [ find default-name=ether10 ] comment="UBNT AP-AC-Lite" \
    power-cycle-ping-address=192.168.10.251 power-cycle-ping-enabled=yes \
    power-cycle-ping-timeout=10m
set [ find default-name=sfp-sfpplus1 ] comment="SFP Disabled" disabled=yes
/interface bridge
add admin-mac=08:55:31:CC:6C:3F auto-mac=no comment=defconf name=bridge1
add admin-mac=08:55:31:CC:6C:3F auto-mac=no comment=defconf name=bridge2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.10.100-192.168.10.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=12h name=\
    defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf interface=ether6
add bridge=bridge1 comment=defconf interface=ether7
add bridge=bridge1 comment=defconf interface=ether8
add bridge=bridge2 comment=defconf interface=ether9
add bridge=bridge1 comment=defconf interface=ether10
add bridge=bridge1 comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether2 network=\
    192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="defconf - WAN" disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.10.80 comment="Honeywell Thermostat" mac-address=\
    00:D0:2D:90:0C:2A server=defconf
add address=192.168.10.251 client-id=1:18:e8:29:fd:f5:9d comment=\
    "UBNT AP-AC-Lite" mac-address=18:E8:29:FD:F5:9D server=defconf
add address=192.168.10.90 client-id=1:4c:3b:df:80:32:3 comment="RSJ Series X" \
    mac-address=4C:3B:DF:80:32:03 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
    192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.10.1 comment=defconf name=router.local
add address=127.0.0.1 comment="Android TV Ad server" name=\
    androidtvwatsonfe-pa.googleapis.com
/ip firewall address-list
add address=192.168.10.1 comment="For redirecting DNS requests to Mikrotik (or\
    \_another DNS server on the network)" list=DNS_Forward
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="DNS redirect TCP/UDP" \
    dst-address-list=!DNS_Forward dst-port=53 in-interface=bridge1 protocol=\
    tcp to-addresses=192.168.10.1 to-ports=53
add action=dst-nat chain=dstnat dst-address-list=!DNS_Forward dst-port=53 \
    in-interface=bridge1 protocol=udp to-addresses=192.168.10.1 to-ports=53
/ip traffic-flow
set cache-entries=1k
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge1 type=internal
/system clock
set time-zone-name=America/Chicago
/system ntp client
set enabled=yes server-dns-names=time.windows.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best way to share 1 WAN connection on MB4011 to 2nd Router and separate network?

Tue Sep 07, 2021 8:11 pm

In general unless you have multiple IPs, there is no way to NOT firewall a LAN connection.
He will have access to your LANS and your router but this can be handled.
However, NAT comes into play and thus if he wants any ports forwarded you will have to also do the port forwarding from the RB4011 WAN to the LAN IP of his device.
What is he concerned about.....???
 
difluoroethane
just joined
Topic Author
Posts: 2
Joined: Wed Sep 01, 2021 1:24 am

Re: Best way to share 1 WAN connection on MB4011 to 2nd Router and separate network?

Wed Sep 08, 2021 4:57 am

Hey Anav! Thank you for your reply. I realized thinking about it more that what I was talking about was likely not possible without multiple external IP addresses. I did get things set up with our networks roughly like how I drew the map. We can both access the internet fine, though I don't yet have each network separate. And yes, I realized that I would likely have to manually port forward for him, but I wasn't certain exactly. I'm not a networking guru by any means, really I'm just good enough to be dangerous! :lol:

Basically, I wanted to have our networks separate as much as possible with no communication between the two and not give him access to my Mikrotik. Make it where he could do his thing and I could do mine without having to worry about who was doing what. I was thinking of just forwarding a port range for him and letting him know what that range was to be able to be used, and then making sure I use my own port range that he doesn't use. Or if possible, being able to have UPnP set up for his connection as well. I guess what I was thinking of doing would pretty much be like CGNAT https://wiki.mikrotik.com/wiki/Manual:I ... _or_NAT444 which would be more of a pain in the ass than I want to mess with.

I guess maybe one way to do what we were thinking would be for him to set up a VPN tunnel to "bypass" the firewall of the Mikrotik? Then of course be limited by the VPN speeds and having to keep it running all the time.

Ok, so I guess thinking about it more, it should then be possible to have my stuff on 192.168.10.XXX with 192.168.10.1 as the gateway for my network (and using my Mikrotik for DHCP on my network) and then have 192.168.50.XXX for his network with 192.168.50.1 as his gateway (with no DHCP server) and then he can set his router up to just act as a DHCP server for his network, point everything at his gateway, and use whatever DNS servers he feels like using? Then just set up a firewall rule to not allow traffic between the 2 networks and have UPnP enabled on both bridge1 and bridge2 so that way most things like Xbox Live will work ok and we can just handle static port mappings manually if necessary? If the two networks can't talk to each other due to the firewall rule, then he can have his own DHCP server for his network and not interfere with my network I'm assuming.

Or would it maybe be better to use VLANs instead to keep things separate? I was under the impression that it was easier to just keep the interfaces separate and set up a firewall rule to not allow them to talk then it was to mess with VLANs unless there weren't enough free physical ports. But I'm open to learning VLANs if that would somehow make things better.
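The separate-bridge plan described in the post above, written out as RouterOS 6.x commands against the posted export. This is an added example, not the poster's or anav's configuration; it assumes his router's WAN port is statically set to 192.168.50.2/24 with gateway 192.168.50.1, and the forwarded port range 50000-50099 is a made-up placeholder.

```routeros
# Added example (not from the thread): bridge2 as an isolated tenant segment.
# Assumes ether9 is already the only port on bridge2, as in the posted export.

# 1. Give bridge2 its own subnet. No DHCP server here: his router is statically
#    configured as 192.168.50.2/24, gateway 192.168.50.1 (assumption).
/ip address
add address=192.168.50.1/24 interface=bridge2 comment="tenant segment"

# 2. Keep bridge2 OUT of the LAN interface list. The defconf input rule
#    "drop all not coming from LAN" then blocks his side from reaching the
#    router's own services (Winbox, SSH, DNS, MAC-server) while ICMP and
#    replies to established connections still work.

# 3. Block all routed traffic between the two segments, in both directions.
#    Placed ahead of the fasttrack/established rules so isolation also covers
#    connections that were already open when the rules were added.
/ip firewall filter
add chain=forward action=drop in-interface=bridge2 out-interface=bridge1 \
    comment="isolate: tenant -> home" \
    place-before=[find comment="defconf: fasttrack"]
add chain=forward action=drop in-interface=bridge1 out-interface=bridge2 \
    comment="isolate: home -> tenant" \
    place-before=[find comment="defconf: fasttrack"]

# Internet access for bridge2 needs no extra rule: the forward chain has no
# final drop and "defconf: masquerade" matches any out-interface in WAN.

# 4. A fixed port range handed to him (placeholder values) is forwarded to his
#    router's WAN address; his router does the second NAT hop to his devices.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=50000-50099 to-addresses=192.168.50.2 comment="tenant port range"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=udp \
    dst-port=50000-50099 to-addresses=192.168.50.2 comment="tenant port range"

# 5. UPnP on bridge2 only helps if his router itself issues the requests:
#    SSDP discovery from devices behind his own NAT never reaches the RB4011,
#    so the static forward above is the dependable path.
/ip upnp interfaces
add interface=bridge2 type=internal
```

The two drop rules are the whole of the isolation; check with /ip firewall filter print stats that their counters rise when a host on one segment pings the other.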
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best way to share 1 WAN connection on MB4011 to 2nd Router and separate network?

Wed Sep 08, 2021 2:32 pm

Interesting, if he had a MT router at his end I would be tempted to set up a wireguard type connection where he used your router to go out to the internet via wireguard,
but really doing it via VLANs should be good enough.
That way all his traffic is on a VLAN that is cut off from any of your traffic.
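The VLAN alternative suggested here, as an added example for the same RB4011 (not code from the thread): ether9 goes back onto bridge1 as an untagged access port in VLAN 50 and is separated by bridge VLAN filtering. It assumes 192.168.50.0/24 for his segment with his router at 192.168.50.2, and that the home ports stay on the default pvid 1.

```routeros
# Added example (not from the thread): one bridge with VLAN filtering,
# his segment as VLAN 50. Assumes the home ports on bridge1 keep pvid 1.

# 1. Move ether9 onto bridge1 as an untagged access port for VLAN 50.
#    frame-types + ingress-filtering reject any tagged frame arriving from
#    his side, so he cannot reach another VLAN by tagging traffic himself.
/interface bridge port
remove [ find interface=ether9 ]
add bridge=bridge1 interface=ether9 pvid=50 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged \
    comment="tenant access port"

# 2. Declare VLAN 50: untagged towards ether9, tagged towards the bridge
#    itself so the router CPU can route for it.
/interface bridge vlan
add bridge=bridge1 vlan-ids=50 untagged=ether9 tagged=bridge1

# 3. Layer-3 interface and address for the VLAN (his router: 192.168.50.2,
#    assumed; still no DHCP server on this side).
/interface vlan
add name=vlan50 interface=bridge1 vlan-id=50
/ip address
add address=192.168.50.1/24 interface=vlan50 comment="tenant VLAN"

# 4. Enable filtering only after the port and VLAN entries exist, and do it
#    from Safe Mode or the serial console: a mistake here can lock out your
#    own Winbox session.
/interface bridge
set bridge1 vlan-filtering=yes

# 5. The bridge now separates the segments at layer 2; the firewall still has
#    to stop routing between them. vlan50 stays out of the LAN list, so the
#    defconf input rule also keeps him off the router's services.
/ip firewall filter
add chain=forward action=drop in-interface=vlan50 out-interface=bridge1 \
    comment="isolate: tenant -> home" \
    place-before=[find comment="defconf: fasttrack"]
add chain=forward action=drop in-interface=bridge1 out-interface=vlan50 \
    comment="isolate: home -> tenant" \
    place-before=[find comment="defconf: fasttrack"]
```

After step 4, /interface bridge vlan print should show VLAN 50 with ether9 untagged and bridge1 tagged, and /interface bridge host print should list his router's MAC only under vlan-id 50.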
