chooidos

Allow 2 groups of users to connect to each other

Tue Feb 14, 2023 10:10 pm

I have 2 ISPs on eth1 and eth2. I want my servers to use the 1st ISP only, and if there is no connection, NOT use the 2nd ISP. All other clients should use the 2nd ISP, and if there is no connection, use the 1st ISP. All clients can connect to the servers. By servers I mean a few IP addresses; the other IPs are clients. Servers and clients should be in the same subnet.
My config:
# feb/14/2023 21:51:06 by RouterOS 7.7
# software id = Y3ZY-732P
#
# model = RBD52G-5HacD2HnD
# Layout: two LAN segments -- "bridge" (192.168.88.0/24, clients) and
# "bridge-servers" (192.168.10.0/24, servers + IoT SSID) -- and two uplinks,
# ether1-datagroup and ether2-kyivstar, both in interface list WAN.
/interface bridge
add admin-mac=48:8F:5A:7B:E3:79 auto-mac=no comment=defconf name=bridge
add name=bridge-servers
/interface ethernet
set [ find default-name=ether1 ] name=ether1-datagroup
set [ find default-name=ether2 ] name=ether2-kyivstar
set [ find default-name=ether3 ] name=ether3-pi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Single WPA2-PSK profile shared by all three SSIDs below (the PSK itself is
# not included in this export).
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=secured_main supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set \
    disabled=no frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
    security-profile=secured_main ssid=MikroTik station-roaming=enabled \
    tx-power=20 tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
    wmm-support=enabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
    security-profile=secured_main ssid=MikroTik station-roaming=enabled \
    tx-power=26 tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
    wmm-support=enabled
# Virtual AP "iot" on wlan1; it is bridged into bridge-servers further down,
# so IoT devices share L2 with the servers.
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:7B:E3:7D \
    master-interface=wlan1 multicast-buffering=disabled name=iot \
    security-profile=secured_main ssid=IOT_ONLY wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip pool
add name=local-dhcp-pool ranges=192.168.88.10-192.168.88.254
# guest_pool is not referenced by any DHCP server in this export.
add name=guest_pool ranges=10.10.10.2-10.10.10.254
add name=servers-pool ranges=192.168.10.101-192.168.10.254
/ip dhcp-server
add address-pool=local-dhcp-pool interface=bridge name=local-dhcp
add address-pool=servers-pool interface=bridge-servers name=servers-dhcp
/interface bridge port
# ether2-kyivstar is a WAN uplink (see /interface list member). This
# bridge-port entry is disabled, but if it is ever re-enabled the uplink is
# placed on the server segment at L2 -- safer to delete the entry.
add bridge=bridge-servers comment=defconf disabled=yes ingress-filtering=no \
    interface=ether2-kyivstar
add bridge=bridge-servers comment=defconf ingress-filtering=no interface=\
    ether3-pi
add bridge=bridge-servers comment=defconf ingress-filtering=no interface=\
    ether4
add bridge=bridge-servers comment=defconf ingress-filtering=no interface=\
    ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge-servers interface=iot
/ip neighbor discovery-settings
# Neighbor discovery is announced on every interface, including both WAN
# uplinks; limiting it to LAN avoids advertising the router's identity and
# version towards the ISPs.
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off entirely in this revision.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-datagroup list=WAN
add comment=Servers interface=bridge-servers list=LAN
add interface=ether2-kyivstar list=WAN
/interface ovpn-server server
# MD5 is still accepted as an OVPN auth digest. Whether the OVPN server is
# enabled is not visible in this export; if it is ever enabled, drop md5.
set auth=sha1,md5
/interface wireless access-list
# Per-device access-list entries. They only apply per-device settings; they do
# not restrict who may associate unless the wlan interfaces are set to
# default-authentication=no (not set in this export).
add comment="oneplus 6 \D0\BC\D1\96\D0\B9" interface=wlan2 mac-address=\
    22:97:D3:1F:F0:EB
add comment="\D0\9D\D0\B0\D1\81\D1\82\D1\96 \D1\82\D0\B5\D0\BB\D0\B5\D1\84\D0\
    \BE\D0\BD" interface=wlan1 mac-address=20:F4:78:65:E9:94
add comment="\D0\86\D1\80\D0\B8 \D1\82\D0\B5\D0\BB\D0\B5\D1\84\D0\BE\D0\BD" \
    interface=wlan1 mac-address=20:47:DA:FC:1A:38
add comment=\
    "\D1\80\D0\BE\D0\B1\D0\BE\D1\87\D0\B8\D0\B9 \D0\BD\D0\BE\D1\83\D1\82" \
    interface=wlan2 mac-address=00:E1:8C:B9:3F:25
add comment="oneplus6 \D0\BC\D1\96\D0\B9" interface=wlan1 mac-address=\
    76:B4:9A:1C:80:3E
add comment="\D0\9D\D0\B0\D1\81\D1\82\D1\96 \D0\BD\D0\BE\D1\83\D1\82" \
    interface=wlan1 mac-address=38:59:F9:9C:40:C2
add comment="\D0\B4\D0\B0\D1\82\D1\87\D0\B8\D0\BA \D0\B7\D0\B0\D0\BB" \
    interface=wlan1 mac-address=E8:DB:84:9B:F2:DF
add comment="\D0\B4\D0\B0\D1\82\D1\87\D0\B8\D0\BA \D1\81\D0\BF\D0\B0\D0\BB\D1\
    \8C\D0\BD\D1\8F" interface=wlan1 mac-address=E8:DB:84:9B:DB:4E
add interface=wlan2 mac-address=22:97:D3:1F:F0:EB
add comment=switcher_zal interface=wlan1 mac-address=E8:DB:84:DD:DC:4B
add comment="\D0\BC\D0\B0\D0\BA \D1\80\D0\BE\D0\B1\D0\BE\D1\87\D0\B8\D0\B9" \
    interface=wlan2 mac-address=A4:83:E7:91:80:47
add comment="\D0\BD\D0\BE\D1\83\D1\82 \D0\B5\D0\BF\D0\BB \D1\80\D0\BE\D0\B1\D0\
    \BE\D1\87\D0\B8\D0\B9" interface=wlan2 mac-address=F8:FF:C2:66:EE:EF
/ip address
add address=192.168.88.1/24 comment=local-adresses interface=bridge network=\
    192.168.88.0
add address=192.168.10.1/24 interface=bridge-servers network=192.168.10.0
/ip arp
add address=192.168.10.95 interface=bridge-servers mac-address=\
    02:42:C0:A8:0A:5F
add address=192.168.88.100 interface=bridge mac-address=24:4B:FE:52:96:6B
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
# Both uplinks take a DHCP address but NOT the default route; the default
# routes are the static entries under /ip route below.
add add-default-route=no comment=defconf interface=ether1-datagroup \
    use-peer-dns=no
add add-default-route=no interface=ether2-kyivstar use-peer-dns=no
/ip dhcp-server lease
add address=192.168.10.101 comment=kitchen_switcher mac-address=\
    C4:5B:BE:6C:9F:24 server=servers-dhcp
add address=192.168.10.102 comment=sleaping_switcher mac-address=\
    80:7D:3A:69:3E:3E server=servers-dhcp
add address=192.168.10.103 comment=living_switcher mac-address=\
    E8:DB:84:DD:DC:4B server=servers-dhcp
add address=192.168.10.10 comment=PiHole-DHCP1 mac-address=32:12:CE:01:39:17 \
    server=servers-dhcp
add address=192.168.10.50 comment=proxmox disabled=yes mac-address=\
    EC:8E:B5:6F:FA:2C server=servers-dhcp
add address=192.168.10.40 client-id=1:e2:a5:4a:c7:e2:47 comment=TrueNAS \
    mac-address=E2:A5:4A:C7:E2:47 server=servers-dhcp
add address=192.168.10.41 client-id=1:1e:5d:b1:4b:cb:ec comment=nextcloud \
    mac-address=1E:5D:B1:4B:CB:EC server=servers-dhcp
add address=192.168.10.90 client-id=\
    ff:53:5c:66:99:0:2:0:0:ab:11:67:9d:98:d7:e1:41:f6:5b comment=\
    RaspberryPi-OMV mac-address=DC:A6:32:E9:F9:E3 server=servers-dhcp
add address=192.168.88.2 mac-address=E8:DE:27:CF:28:2D server=local-dhcp
add address=192.168.10.250 client-id=1:24:4b:fe:52:96:6b comment=PC \
    mac-address=24:4B:FE:52:96:6B server=servers-dhcp
add address=192.168.10.60 client-id=\
    ff:b0:1:15:3:0:2:0:0:ab:11:56:7f:59:82:50:55:34:c6 comment="NUT server" \
    mac-address=22:EC:95:EB:ED:AF server=servers-dhcp
add address=192.168.10.20 client-id=\
    ff:ca:53:9:5a:0:2:0:0:ab:11:2f:6e:63:6f:e1:48:92:8e comment=dockering \
    mac-address=9E:8C:ED:FB:18:5D server=servers-dhcp
add address=192.168.10.70 client-id=1:aa:a1:a7:87:6:67 comment=jellyfin \
    mac-address=AA:A1:A7:87:06:67 server=servers-dhcp
add address=192.168.10.75 client-id=1:a:45:17:d4:b4:df comment=torrent \
    mac-address=0A:45:17:D4:B4:DF server=servers-dhcp
add address=192.168.10.80 client-id=\
    ff:88:36:5d:a:0:1:0:1:2a:8b:b3:84:f2:35:88:36:5d:a comment=gameservers \
    mac-address=F2:35:88:36:5D:0A server=servers-dhcp
add address=192.168.10.91 client-id=\
    ff:ca:53:9:5a:0:2:0:0:ab:11:f9:be:c5:36:4e:dd:aa:ef comment=pve_docker \
    mac-address=9A:4F:52:8A:B0:64 server=servers-dhcp
add address=192.168.88.21 client-id=1:d2:9b:e1:68:8e:51 mac-address=\
    D2:9B:E1:68:8E:51 server=local-dhcp
add address=192.168.88.18 client-id=1:dc:a6:32:29:70:29 mac-address=\
    DC:A6:32:29:70:29 server=local-dhcp
add address=192.168.88.19 comment=LED mac-address=B4:E8:42:A1:D6:E2 server=\
    local-dhcp
add address=192.168.10.106 mac-address=E8:DB:84:9C:3D:1F server=servers-dhcp
add address=192.168.10.108 mac-address=BC:FF:4D:2B:45:CD server=servers-dhcp
add address=192.168.10.109 mac-address=C4:5B:BE:6D:07:6C server=servers-dhcp
add address=192.168.10.107 mac-address=BC:FF:4D:2B:24:BC server=servers-dhcp
/ip dhcp-server network
# Both segments are handed the resolvers in the server segment
# (192.168.10.10/.11), so client DNS depends on cross-segment forwarding.
add address=192.168.10.0/24 dns-server=192.168.10.10,192.168.10.11 gateway=\
    192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=\
    192.168.10.10,192.168.10.11 gateway=192.168.88.1
/ip dns
# allow-remote-requests makes the router answer DNS for its LANs; the input
# rule "drop all not coming from LAN" below is what keeps it from also being
# an open resolver towards WAN.
set allow-remote-requests=yes servers=192.168.10.10,192.168.10.11
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything not arriving from a LAN-list interface is dropped here, so the
# router's own services (DNS, winbox, www, ssh ...) are LAN-only.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# The forward chain has no final drop for LAN-to-LAN traffic (the last rule
# only drops WAN-originated connections), so this accept is redundant: the
# server/IoT segment already has unrestricted access to the client segment,
# and vice versa.
add action=accept chain=forward comment="allow iot to main" dst-address=\
    192.168.88.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttracked (established/related) forward traffic bypasses mangle. The
# mangle rules below only act in input/output, so that has no effect here,
# but it matters if forward-chain marking is added later.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
# These four rules only steer the router's own replies (input -> output);
# they do not touch forwarded LAN traffic. Both mark-routing rules also set
# new-routing-mark=main, i.e. the same table, so the marks change nothing.
# The per-group uplink selection described in the post is not implemented in
# this revision.
add action=mark-connection chain=input in-interface=ether1-datagroup \
    new-connection-mark=from-datagroup
add action=mark-routing chain=output connection-mark=from-datagroup \
    new-routing-mark=main
add action=mark-connection chain=input in-interface=ether2-kyivstar \
    new-connection-mark=from-kiyvstar
add action=mark-routing chain=output connection-mark=from-kiyvstar \
    new-routing-mark=main
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# 80/443 are forwarded to 192.168.10.90 from either uplink (in-interface-list=
# WAN); the forward rule "drop all from WAN not DSTNATed" admits only these
# DNATed connections from WAN.
add action=dst-nat chain=dstnat comment=http dst-port=80 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.10.90 to-ports=80
add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.10.90 to-ports=443
/ip firewall service-port
set sip disabled=yes
/ip route
# Both static defaults sit in the main table with distance=1 (gateways are
# redacted here). With equal distance neither is a backup of the other --
# RouterOS treats same-distance routes as equal-cost, so traffic can use
# either uplink; for a primary/backup pair give the backup a higher distance.
# Only the datagroup route has check-gateway=ping.
add check-gateway=ping comment=datagroup disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway="some ip" pref-src=0.0.0.0 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add comment=kiyvstar disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    "some ip" pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
# telnet, ftp and api-ssl are off; the services not listed here are at their
# defaults and reachable only from LAN because of the input drop rule above.
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
/ip smb
set domain=HOME_MIKROTIK
/ip upnp interfaces
# Only an internal UPnP interface is declared (no external one); whether
# /ip upnp itself is enabled is not part of this export.
add interface=bridge type=internal
/system clock
set time-zone-name=Europe/Kiev
/system ntp client
set mode=broadcast
/tool mac-server
# MAC-telnet and MAC-winbox are restricted to LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by chooidos on Sun Mar 05, 2023 4:10 pm, edited 2 times in total.
 
chooidos

Re: 2 ISP - 2 groups of clients

Tue Feb 28, 2023 1:11 pm

So I have configured everything as I need and it works, but clients cannot connect to servers and vice versa.
This is my new config:
# feb/28/2023 13:01:41 by RouterOS 7.7
# software id = Y3ZY-732P
#
# model = RBD52G-5HacD2HnD
# Revision 2: wireless now under CAPsMAN; per-uplink routing tables
# (ISP-1-route / ISP-2-route) selected by mangle marks from the "servers"
# and "clients" address lists. Uplinks are ether1 (ISP1) and ether2 (ISP2).
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=\
    2Ghz skip-dfs-channels=yes tx-power=18
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XXXX frequency="" name=5Ghz \
    skip-dfs-channels=yes tx-power=25
/interface bridge
add admin-mac=48:8F:5A:7B:E3:79 auto-mac=no comment=defconf name=bridge
add name=bridge-servers
/interface wireless
# managed by CAPsMAN
# channel: 2472/20/gn(15dBm), SSID: MikroTik, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: MikroTik, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX distance=indoors \
    frequency=auto mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/caps-man datapath
# Datapaths decide which bridge a CAP interface lands in.
add bridge=bridge client-to-client-forwarding=yes name=bridge
add bridge=bridge-servers client-to-client-forwarding=yes name=servers-bridge
/interface wireless
# managed by CAPsMAN
# SSID: IOT_ONLY, CAPsMAN forwarding
add keepalive-frames=disabled mac-address=4A:8F:5A:7B:E3:7D master-interface=wlan1 \
    multicast-buffering=disabled name=iot ssid=IOT_ONLY wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=main
/caps-man configuration
# The IOT SSID uses datapath servers-bridge, i.e. IoT devices share L2 (and
# 192.168.10.0/24) with the servers. All three SSIDs share security "main".
add channel=2Ghz country=etsi datapath=servers-bridge mode=ap name=IOT security=main ssid=\
    IOT_ONLY
add channel=5Ghz country=etsi datapath=bridge mode=ap name=5Ghz security=main ssid=MikroTik
add channel=2Ghz country=etsi datapath=bridge mode=ap name=2Ghz security=main ssid=MikroTik
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=servers-pool ranges=192.168.10.150-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=local-dhcp
add address-pool=servers-pool interface=bridge-servers name=servers-dhcp
/routing table
# One table per uplink; a packet carrying the matching routing-mark is routed
# by the contents of that table (see /ip route below).
add disabled=no fib name=ISP-1-route
add disabled=no fib name=ISP-2-route
/caps-man aaa
set mac-caching=10m10s
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=5Ghz name-format=\
    prefix-identity name-prefix=5Ghz
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=2Ghz name-format=\
    prefix-identity name-prefix=2ghz slave-configurations=IOT
/interface bridge port
add bridge=bridge-servers comment=defconf interface=ether3
add bridge=bridge-servers comment=defconf interface=ether4
add bridge=bridge-servers comment=defconf interface=ether5
# wlan1/wlan2 are also CAPsMAN-managed (see /interface wireless cap) with
# datapaths that already place the dynamic interfaces in "bridge"; keeping the
# physical wlan ports as static bridge members as well is flagged in this
# thread as a possible loop -- verify whether these two entries are needed.
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-servers interface=iot
/ip neighbor discovery-settings
# Neighbor discovery on every interface, including both WAN uplinks;
# restricting it to LAN avoids advertising the router towards the ISPs.
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all \
    wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=bridge-servers list=LAN
/interface wireless cap
# Local CAP talking to the on-box CAPsMAN over loopback.
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2 static-virtual=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.10.1/24 interface=bridge-servers network=192.168.10.0
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
# Unlike the earlier revision there is no add-default-route=no here, so both
# DHCP clients install a dynamic default route in the main table (the static
# main-table defaults under /ip route are disabled). Confirm which default
# the router's own unmarked traffic ends up using.
add comment=defconf interface=ether1 use-peer-dns=no
add interface=ether2 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.10.2 client-id=1:18:fd:74:10:9:80 mac-address=18:FD:74:10:09:80 server=\
    servers-dhcp
add address=192.168.10.104 mac-address=48:55:19:C9:96:02 server=servers-dhcp
add address=192.168.10.101 comment=kitchen_switcher mac-address=C4:5B:BE:6C:9F:24 server=\
    servers-dhcp
add address=192.168.10.102 comment=sleaping_switcher mac-address=80:7D:3A:69:3E:3E server=\
    servers-dhcp
add address=192.168.10.103 comment=living_switcher mac-address=E8:DB:84:DD:DC:4B server=\
    servers-dhcp
add address=192.168.10.10 comment=PiHole-DHCP1 mac-address=32:12:CE:01:39:17 server=servers-dhcp
add address=192.168.10.50 comment=proxmox disabled=yes mac-address=EC:8E:B5:6F:FA:2C server=\
    servers-dhcp
add address=192.168.10.40 client-id=1:e2:a5:4a:c7:e2:47 comment=TrueNAS mac-address=\
    E2:A5:4A:C7:E2:47 server=servers-dhcp
add address=192.168.10.41 client-id=1:1e:5d:b1:4b:cb:ec comment=nextcloud mac-address=\
    1E:5D:B1:4B:CB:EC server=servers-dhcp
add address=192.168.10.90 client-id=ff:53:5c:66:99:0:2:0:0:ab:11:67:9d:98:d7:e1:41:f6:5b \
    comment=RaspberryPi-OMV mac-address=DC:A6:32:E9:F9:E3 server=servers-dhcp
add address=192.168.10.250 client-id=1:24:4b:fe:52:96:6b comment=PC mac-address=\
    24:4B:FE:52:96:6B server=servers-dhcp
add address=192.168.10.60 client-id=ff:b0:1:15:3:0:2:0:0:ab:11:56:7f:59:82:50:55:34:c6 comment=\
    "NUT server" mac-address=22:EC:95:EB:ED:AF server=servers-dhcp
add address=192.168.10.20 client-id=ff:ca:53:9:5a:0:2:0:0:ab:11:2f:6e:63:6f:e1:48:92:8e comment=\
    dockering mac-address=9E:8C:ED:FB:18:5D server=servers-dhcp
add address=192.168.10.70 client-id=1:aa:a1:a7:87:6:67 comment=jellyfin mac-address=\
    AA:A1:A7:87:06:67 server=servers-dhcp
add address=192.168.10.75 client-id=1:a:45:17:d4:b4:df comment=torrent mac-address=\
    0A:45:17:D4:B4:DF server=servers-dhcp
add address=192.168.10.80 client-id=ff:88:36:5d:a:0:1:0:1:2a:8b:b3:84:f2:35:88:36:5d:a comment=\
    gameservers mac-address=F2:35:88:36:5D:0A server=servers-dhcp
add address=192.168.10.91 client-id=ff:ca:53:9:5a:0:2:0:0:ab:11:f9:be:c5:36:4e:dd:aa:ef comment=\
    pve_docker mac-address=9A:4F:52:8A:B0:64 server=servers-dhcp
add address=192.168.88.21 client-id=1:d2:9b:e1:68:8e:51 mac-address=D2:9B:E1:68:8E:51 server=\
    local-dhcp
add address=192.168.88.19 comment=LED mac-address=B4:E8:42:A1:D6:E2 server=local-dhcp
add address=192.168.10.106 mac-address=E8:DB:84:9C:3D:1F server=servers-dhcp
add address=192.168.10.108 mac-address=BC:FF:4D:2B:45:CD server=servers-dhcp
add address=192.168.10.109 mac-address=C4:5B:BE:6D:07:6C server=servers-dhcp
add address=192.168.10.107 mac-address=BC:FF:4D:2B:24:BC server=servers-dhcp
add address=192.168.10.105 mac-address=B4:E8:42:A1:D6:E2 server=servers-dhcp
add address=192.168.10.150 client-id=1:e2:d7:12:6e:de:62 mac-address=E2:D7:12:6E:DE:62 server=\
    servers-dhcp
add address=192.168.10.110 client-id=1:c8:f0:9e:4d:8d:1c mac-address=C8:F0:9E:4D:8D:1C server=\
    servers-dhcp
add address=192.168.88.30 client-id=1:dc:a6:32:29:70:29 mac-address=DC:A6:32:29:70:29 server=\
    local-dhcp
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.10,192.168.10.11 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.10,192.168.10.11
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# "bagon" = bogon source ranges. The list is only used by the input rule for
# WAN below, so it protects the router's own services, not forwarded traffic.
add address=0.0.0.0/8 list=bagon
add address=10.0.0.0/8 list=bagon
add address=100.64.0.0/10 list=bagon
add address=127.0.0.0/8 list=bagon
add address=169.254.0.0/16 list=bagon
add address=172.16.0.0/12 list=bagon
add address=192.0.0.0/24 list=bagon
add address=192.0.2.0/24 list=bagon
add address=192.168.0.0/16 list=bagon
add address=198.18.0.0/16 list=bagon
add address=198.51.100.0/24 list=bagon
add address=203.0.113.0/24 list=bagon
add address=224.0.0.0/4 list=bagon
add address=240.0.0.0/4 list=bagon
# "servers" is built from CIDR blocks covering 192.168.10.2-192.168.10.240;
# "clients" is 192.168.88.0/24 plus two hosts from the server subnet.
# 192.168.10.75 is in BOTH lists (it falls inside 192.168.10.64/26), so which
# mangle rule handles it depends purely on rule order. Keep the lists
# disjoint (e.g. carve .75 out of the servers blocks) to make this explicit.
add address=192.168.10.1 list=servers
add address=192.168.88.0/24 list=clients
add address=192.168.10.250 list=clients
add address=192.168.10.2/31 list=servers
add address=192.168.10.4/30 list=servers
add address=192.168.10.8/29 list=servers
add address=192.168.10.16/28 list=servers
add address=192.168.10.32/27 list=servers
add address=192.168.10.64/26 list=servers
add address=192.168.10.128/26 list=servers
add address=192.168.10.192/27 list=servers
add address=192.168.10.224/28 list=servers
add address=192.168.10.240 list=servers
add address=192.168.10.75 list=clients
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop BOGON networks on WAN" in-interface-list=WAN \
    src-address-list=bagon
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
# The comment still says "not coming from LAN" but the matcher is now
# in-interface-list=WAN instead of !LAN. Any interface that is in neither
# list (a future VPN/tunnel, an unlisted port) can therefore reach the
# router's services; !LAN is the safer default-deny form.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=\
    WAN
# The forward chain has no final drop for LAN-to-LAN traffic (the last rule
# only drops WAN-originated connections), so these two accepts are redundant;
# the inter-segment problem described in the post is not a filter issue.
add action=accept chain=forward comment="allow iot to main" dst-address=192.168.88.0/24 \
    src-address=192.168.10.0/24
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
    out,ipsec
# Fasttracked established/related traffic bypasses mangle; connections are
# marked on their first packet below, so this is fine as long as the
# mark-connection rules stay ahead of any per-packet marking.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Likely cause of "clients and servers cannot reach each other": the two
# mark-connection rules keyed on the address lists use dst-address-type=!local,
# which is TRUE for every other LAN host (only the router's own addresses are
# "local"). A client->server or server->client connection therefore gets an
# ISP connection-mark, then a routing-mark, and is looked up in ISP-1-route /
# ISP-2-route -- tables that contain only a default route -- so the packet is
# sent to the ISP gateway instead of the other bridge. The two "Prevent
# routing loop" rules below carry placeholder destinations and do not cover
# this. Fix: before any mark-connection rule, accept traffic whose destination
# is one of the local networks, e.g.
#   add action=accept chain=prerouting dst-address=192.168.88.0/24
#   add action=accept chain=prerouting dst-address=192.168.10.0/24
# (or one rule with a dst-address-list holding both LANs).
add action=accept chain=prerouting comment="Prevent routing loop ISP1" dst-address=\
    XX.XX.XX.XX in-interface=bridge-servers
add action=accept chain=prerouting comment="Prevent routing loop ISP2" dst-address=\
    XX.XX.XX.0/17 in-interface=bridge
add action=mark-connection chain=prerouting comment="ISP1 incomming trafic" connection-mark=\
    no-mark in-interface=ether1 new-connection-mark=ISP1-connection
add action=mark-connection chain=prerouting comment="ISP2 incomming trafic" connection-mark=\
    no-mark in-interface=ether2 new-connection-mark=ISP2-connection
# Rule order matters for hosts present in both address lists: this "clients"
# rule runs first, so such a host is handled as a client.
add action=mark-connection chain=prerouting comment="From clients to ISP2" connection-mark=\
    no-mark dst-address-type=!local new-connection-mark=ISP2-connection src-address-list=clients
add action=mark-connection chain=prerouting comment="From servers to ISP1" connection-mark=\
    no-mark dst-address-type=!local new-connection-mark=ISP1-connection src-address-list=servers
add action=mark-routing chain=prerouting comment="mark routes to ISP1" connection-mark=\
    ISP1-connection new-routing-mark=ISP-1-route src-address-list=servers
add action=mark-routing chain=prerouting comment="mark routes to ISP2" connection-mark=\
    ISP2-connection new-routing-mark=ISP-2-route src-address-list=clients
# Output-chain marks send the router's own replies to WAN-originated
# connections back out the uplink they arrived on.
add action=mark-routing chain=output comment="Mark outgoing routes to ISP1" connection-mark=\
    ISP1-connection new-routing-mark=ISP-1-route
add action=mark-routing chain=output comment="Mark outgoing routes to ISP2" connection-mark=\
    ISP2-connection new-routing-mark=ISP-2-route
/ip firewall nat
# Masquerade is keyed on BOTH out-interface and source list. A connection that
# leaves on the "other" uplink (e.g. if failover is added later) would not be
# NATed and would leak a private source address to the ISP; a catch-all
# masquerade on out-interface-list=WAN as the last srcnat rule avoids that.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface=ether1 src-address-list=servers
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface=ether2 src-address-list=clients
# Inbound services exposed on ISP1 only, all terminating at 192.168.10.90.
add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.10.90 to-ports=51820
add action=dst-nat chain=dstnat comment=http dst-port=80 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.10.90 to-ports=80
add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.10.90 to-ports=443
add action=dst-nat chain=dstnat dst-port=19132 in-interface=ether1 protocol=udp to-addresses=\
    192.168.10.90 to-ports=19132
/ip firewall service-port
set sip disabled=yes
/ip route
# Main-table defaults are disabled (see the dhcp-client note above).
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=XX.XX.XX.XX pref-src=0.0.0.0 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=XX.XX.XX.XX pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Each per-uplink table holds a single default route. ISP-2-route has
# check-gateway=ping but no second route via the ISP1 gateway, so the
# "clients fall back to ISP1" requirement from the post is not implemented;
# add a higher-distance default via ISP1 to this table for that. ISP-1-route
# has no check-gateway, which matches "servers never use ISP2".
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=XX.XX.XX.XX \
    pref-src=0.0.0.0 routing-table=ISP-2-route scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=XX.XX.XX.XX pref-src=0.0.0.0 \
    routing-table=ISP-1-route scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
# Default IPv6 firewall. Whether IPv6 is enabled (/ipv6 settings) is not part
# of this export.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 \
    protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." \
    dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
# Note the IPv6 input chain keeps the stricter !LAN form that the IPv4 chain
# above replaced with in-interface-list=WAN.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Kyiv
/system identity
set name=MikroTik_master
/tool mac-server
# MAC-telnet and MAC-winbox are restricted to LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by chooidos on Sun Mar 05, 2023 4:10 pm, edited 1 time in total.
 
chooidos

Re: Allow 2 groups of users to connect to each other

Fri Mar 03, 2023 3:06 pm

Any advice?
 
anav

Re: Allow 2 groups of users to connect to each other

Fri Mar 03, 2023 4:44 pm

I avoided this thread because I could not understand which servers were located where....
I could not understand which users needed access to which servers.
I could not understand how you were expecting users to reach the servers (by LAN IP or what)?

No network diagram!!!
 
Ca6ko

Re: Allow 2 groups of users to connect to each other

Sat Mar 04, 2023 1:57 pm

Without your explanations, no one will deal with the config.
There are many ways to get the same result, and guessing which one you use is hard.
If no one here on the forum is answering, then you have not asked the question properly.
So far I see the following error: you are separating clients and servers by address list.
You set a range of addresses, e.g. 192.168.10.64-192.168.10.127, so all of these addresses are in the "servers" list.
Then you try to add 192.168.10.75 to the "clients" list. The rule handling the "servers" list is higher, so this address will always be treated as a "server".
Allocate the IP addresses correctly into blocks and you won't get confused. This is your home network, so manually allocate the addresses.
For example 192.168.10.20-192.168.10.30 clients, 192.168.10.30-192.168.10.80 servers, 192.168.10.100-192.168.10.199 DHCP
 
anav

Re: Allow 2 groups of users to connect to each other

Sat Mar 04, 2023 6:02 pm

viewtopic.php?p=908118

For me it's a diagram and a clear, complete set of user requirements.
What do your users and devices NEED in terms of traffic flow, without any mention of the config etc. (including the admin)?
 
chooidos

Re: Allow 2 groups of users to connect to each other

Sun Mar 05, 2023 4:09 pm

So, servers: all in the 192.168.10.0/24 subnet except 192.168.10.250. Clients: all in the 192.168.88.0/24 subnet, plus 192.168.10.250 (this IP has to be in the 192.168.10.0/24 subnet because WoL doesn't work across subnets). Servers use WAN1 for internet, clients use WAN2. Clients and servers can connect to each other. That is why I created the IP lists. Maybe there is another, better way to do this than what I do.
Everything works as I need in the last posted config, except that servers cannot connect to clients and vice versa.
diagram.jpg
 
anav

Re: Allow 2 groups of users to connect to each other

Sun Mar 05, 2023 6:19 pm

(1) To confirm: even the client 192.168.10.250 uses WAN1 for internet?
(2) Also, do you have external people, from the internet, accessing your network to reach the servers? Not from the LAN.
(3) How do local LAN client users on .88.X access the servers? By the server's LAN IP address?
(4) How does the LAN client 10.250 access the servers on its own subnet, by LAN IP address?
 
chooidos
just joined
Topic Author
Posts: 5
Joined: Tue Feb 14, 2023 9:43 pm

Re: Allow 2 groups of users to conect to each other

Sun Mar 05, 2023 8:04 pm

1. 192.168.10.250 uses WAN2
2. yes
3. LANIP
4. LANIP
 
Ca6ko
Member
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Allow 2 groups of users to conect to each other

Sun Mar 05, 2023 8:31 pm

Try temporarily disabling the firewall on your Windows computer to see whether it is what blocks the access. It often blocks connections that arrive from outside the computer's own subnet.
You can also try src-nat masquerading between .88.0/24 and .10.0/24, so that the computer's firewall sees the router's address on its own subnet instead of an address from a foreign subnet.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.10.0/24

.
because WoL doesn't work on different subnets.
There are many guides on the Internet on how to do this with directed broadcast packets; you can wake a host either from the Internet or from any other network.
.
Remove the wlan1 and wlan2 interfaces from the bridge, or you may get a loop through the CAPsMAN interfaces.
 
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Allow 2 groups of users to conect to each other  [SOLVED]

Sun Mar 05, 2023 11:54 pm

Okay, it's not too bad to deal with.
The only real issue is that you will need mangle rules to ensure that connections arriving on WAN2 for the servers are answered back out WAN2 (otherwise the replies would follow the main table out WAN1 and be dropped as asymmetric traffic).

(1) First we create the extra table we are going to use for routing.
/routing table add fib name=useWAN2

(2) Thus all we do is mark any new connection arriving on WAN2, which ostensibly is headed for the servers.
/ip firewall mangle
add action=accept chain=prerouting comment="capture external traffic coming in on wan2" in-interface=WAN2 connection-mark=no-mark new-connection-mark=fromISP2 passthrough=yes
add action=accept chain=prerouting comment="provide route marking for later use " connection-mark=fromISP2 new-routing-mark=useWAN2 passthrough=no


(3) No need to attempt to use src-nat rules to refine anything, as it is handled adequately by the mangling, routes and firewall rules.
Here we state that anything going out WAN1 to the internet gets the IP of WAN1, and anything going out WAN2 gets the IP of WAN2. Simple.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface=ether2


Note: no hairpin src-nat rules are required because all users reach the servers by LAN IP. Even when using the WAN IP (a dyndns name, for example) it would not be an issue for
any of the users in a different subnet. Thus the only case where it would have to be considered is a local user on the same subnet as the server.

(4) You can shorten up the dst-nat rules a tad (to-ports is not required if it is the same as dst-port).
add action=dst-nat chain=dstnat comment=wireguard dst-port=51820,19132 in-interface=ether1 protocol=\
udp to-addresses=192.168.10.90
add action=dst-nat chain=dstnat comment=http dst-port=80,443 in-interface=ether1 protocol=tcp \
to-addresses=192.168.10.90


(5) This is the easy way to get your outgoing traffic as per the requirements..........
/ip route (need the basic routes)
add distance=5 dst-address=0.0.0.0/0 gateway=WAN1_gatewayIP check-gateway=ping routing-table=main
add distance=10 dst-address=0.0.0.0/0 gateway=WAN2_gatewayIP routing-table=main


Note: In this configuration, ALL USERS will be pushed to WAN1 due to the shorter distance.
If WAN1 goes down, all users will be pushed to WAN2 (the failover relies on the check-gateway=ping on the WAN1 route to mark it unreachable).
So all we have to do is ensure WAN2 users are forced to WAN2 only (all the time). This is accomplished by adding an additional route and a routing rule.

/ip route
add dst-address=0.0.0.0/0 gateway=WAN2-gatewayIP routing-table=useWAN2

/ip routing rule
add action=lookup-only-in-table src-address=192.168.10.0/24 table=useWAN2


Note1: In this case we have now covered off two requirements.
All traffic that entered the router from WAN is marked and when the associated return traffic attempts to leave the router, the router finds the appropriate table and uses WAN2.
Any traffic originating from the 192.168.10.0 subnet, leaving the router is also forced out WAN2.

Note2: I will mention that the sole user in the server subnet also goes out WAN2, and if WAN2 goes down will not be able to reach WAN1.
If you wanted to avoid that scenario, then simply use a different routing rule before the other one (ORDER IS KEY) with a different action.

/ip routing rule
add action=lookup src-address=192.168.10.250/32 table=useWAN2
add action=lookup-only-in-table src-address=192.168.10.0/24 table=useWAN2


Note3: In this case the router will ensure that the sole user goes out WAN2, but leaving the action as a plain lookup means that if WAN2 is not available, the router will look at the main table for other possible routes and will find WAN1!

(6) BUT ARE WE DONE................. No not yet.
What have we missed in our logic??

The ability for the SERVERS, and the sole user in the Server Subnet to either.
a. contact USER subnet or
b. return traffic to USER subnet.

WHY....................... because we just forced them out WAN2 for all traffic.
HOW.......................do we fix it.............. Clue routing ruleS!!

Yes. The final step is, AGAIN ORDER IS KEY, to ensure traffic to the more specific address block is permitted first, so the final routing rules look like this.
/ip routing rule
add action=lookup-only-in-table dst-address=192.168.88.0/24 table=main
add action=lookup src-address=192.168.10.250/32 table=useWAN2
add action=lookup-only-in-table src-address=192.168.10.0/24 table=useWAN2

Note: To recap:
The router examines traffic requiring routing.
First it runs through the routing rules.
Here any traffic heading to 192.168.88.0/24 is matched first and sent to the main table for processing, where the connected routes (distance=0) are available and used.
Then all other remaining traffic is examined, and if it is from .10.250 it will head out WAN2, unless WAN2 is not available, in which case it will look at table main and find WAN1.
Then all other remaining traffic is examined, and if it is from 192.168.10.0/24 it is sent out WAN2.
Finally all other remaining traffic is checked against table main: if it matches a connected route (local interfaces, distance=0, the more specific address) it is routed there, and anything left over is checked against the other IP routes in the main table, which in this case means WAN1.
If WAN1 is down, that remaining traffic will go to WAN2.
 
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Allow 2 groups of users to conect to each other

Sun Mar 05, 2023 11:55 pm

Additionally you will need firewall rules allowing traffic between the subnets as required, but I figured that was already done.

Because we need to mangle, we can either disable the fasttrack rule or, preferably, just exclude the mangled traffic from fasttrack and keep it for the rest of the traffic.
In our case, with only basic mangling required, we simply need to modify the fasttrack rule so it bypasses marked connections.
See the fasttrack rule below!
However, your forward chain rules are all over the map, a very disorganized list.
I will put them into an organized forward chain. FOR SANITY!!!!!

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related hw-offload=yes connection-mark=no-mark
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow users to servers" dst-address=192.168.10.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="allow server to users????" dst-address=192.168.88.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


NOTE1: I have dropped the "drop invalid" rule from the forward chain going forward. It does potentially more harm than good.
NOTE2: I have replaced the last default rule with a much clearer set of rules that make it easy to add the needed traffic, by simply blocking everything else at the end. In other words, the rules you created were not needed because the default rules were already too wide open after your config changes. However, that is too loosey goosey.
Now your rules will make sense!!
NOTE3: I question the "allow server to users" rule, because very rarely do you want servers or IoT devices to originate connections to users, security wise. As long as you give users access to the servers, the RETURN traffic is already permitted by the established,related rule, so you don't need an allow rule for that, which I suspect you may have added.
