
 
RealMuhko
just joined
Topic Author
Posts: 11
Joined: Tue Jul 14, 2015 5:47 am

Two Separate LAN Networks Behind One RB750 ?

Sat Nov 12, 2016 7:39 pm

Dear Forum.

I hope you are able to assist me in this matter.

Is it possible to run two separate LAN networks behind a Mikrotik RB750r2 (Hex) ?

The computers on each network should not be able to communicate with each other at all but the Routerboard should work as an internet gateway for both networks.

Is it possible?

I have attached a rough drawing of my network. On this you can see all network clients are running on same IP range + Subnet besides the "Server 3" which is the server I would like to run on a separate network with no possibility of seeing the clients already connected.

Is this possible in an easy way ?

Thank you for your help forum and have a nice weekend.

Martin B.
 
erlinden
Member Candidate
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Re: Two Separate LAN Networks Behind One RB750 ?

Sat Nov 12, 2016 10:28 pm

I would suggest creating a VLAN (for the servers) to separate the networks.
Don't forget a firewall rule that drops any traffic between the two.

What have you tried so far?
 
RealMuhko
just joined
Topic Author
Posts: 11
Joined: Tue Jul 14, 2015 5:47 am

Re: Two Separate LAN Networks Behind One RB750 ?

Sat Nov 12, 2016 10:46 pm

Thank you for the answer!

I have done nothing at all yet just wanted to ask about easy solutions before trying anything.

My first idea was to create a separate subnet for the server or use 10.x.x.x ip address for the server and 192.168.x.x address for the current network.

I will work on the VLAN now to see if it will work out good.

Thanks!
 
Sn1p3r
Frequent Visitor
Posts: 59
Joined: Thu Mar 10, 2011 5:50 pm
Location: Croatia

Re: Two Separate LAN Networks Behind One RB750 ?

Sun Nov 13, 2016 2:59 am

By adding a simple rule to Firewall you can disable communication between all devices on those networks. If you decide for that solution I will show you the way.
The other way is, as someone before me said, to just add VLAN tagging for each network and you will be fine.
 
thiagomedeiros
just joined
Posts: 16
Joined: Tue Apr 03, 2012 10:38 pm

Re: Two Separate LAN Networks Behind One RB750 ?

Sun Nov 13, 2016 3:56 am

You can remove port 3 or 4 from the master switch. Select none at interface. Doing this you can set a DHCP server for every network without conflicts and can do some more.

Remember to not use the same cables in the 24 ports switch. For server 3 use a separate switch. If you need to use the same, use vlan.
 
RealMuhko
just joined
Topic Author
Posts: 11
Joined: Tue Jul 14, 2015 5:47 am

Re: Two Separate LAN Networks Behind One RB750 ?

Sun Nov 13, 2016 11:48 pm

Hi Guys!

I decided to give the VLAN solution a try and fought with it all night with no success.

Now I am trying to understand how the VLAN ideology works.

I found this guide: http://wiki.mikrotik.com/wiki/Vlans_on_ ... nvironment

According to the information provided on that page, it seems like when it comes down to VLAN you would always have one or more VLAN access-ports.
You would also have trunk ports, which are like a highway with different kinds of traffic running in fixed lanes.

The example provided on the above page is with a trunk between two switches - But I am wondering if it is possible to use the VLAN internally in the RB750's switch?

I have my WAN on ETH1 and my LAN on ETH2. I am then putting my SERVER 3 on my ETH5. (See attached Drawing)

So am I correct when assuming I would now need to set up a BRIDGE between my ETH1 (WAN) and my ETH5 (SERVER3) + a BRIDGE between my ETH1 (WAN) and my ETH2 (LAN) and then add a VLAN10 for the ETH1-ETH2 traffic and a VLAN20 for the ETH1-ETH5 traffic ?

Will this be enough for a port based VLAN environment within the RB750 switch?

I plan on using these commands:

# Marking traffic from ETH2 with VLAN10 tag
/interface vlan add name=vlan-10 vlan-id=10 interface=ETH2 disabled=no
# Marking traffic from ETH5 with VLAN20 tag
/interface vlan add name=vlan-20 vlan-id=20 interface=ETH5 disabled=no

# Create a bridge between WAN and ETH2
/interface bridge add name=WAN-ETH2 disabled=no
# Create a bridge between WAN and ETH5
/interface bridge add name=WAN-ETH5 disabled=no

# Allow traffic with VLAN10 tag into WAN-ETH2 bridge
/interface bridge port add interface="vlan-10" bridge="WAN-ETH2" disabled=no
# Allow traffic to/from ETH2 into WAN-ETH2 bridge
/interface bridge port add interface="ETH2" bridge="WAN-ETH2" disabled=no
# Allow traffic with VLAN20 tag into WAN-ETH5 bridge
/interface bridge port add interface="vlan-20" bridge="WAN-ETH5" disabled=no
# Allow traffic to/from ETH5 into WAN-ETH5 bridge
/interface bridge port add interface="ETH5" bridge="WAN-ETH5" disabled=no

Is this in some way correct or am I way off ? Do I need to add the ETH1 interface to my bridges as this is the interface with my WAN connected ?

Thank you so much guys for helping me with this!

Best Regards

Martin B.
 
Sob
Forum Guru
Posts: 4802
Joined: Mon Apr 20, 2009 9:11 pm

Re: Two Separate LAN Networks Behind One RB750 ?

Mon Nov 14, 2016 4:23 am

Forget VLANs. They are great when you want to have multiple separate networks on one cable, but you also need either a managed switch or end device (server) specifically configured for VLAN.

In your case, simply split router's switch into separate ports and assign a subnet to each one. Then use firewall to allow traffic from each LAN to internet and block the rest, i.e. communication between LANs.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
RealMuhko
just joined
Topic Author
Posts: 11
Joined: Tue Jul 14, 2015 5:47 am

Re: Two Separate LAN Networks Behind One RB750 ?

Tue Nov 15, 2016 1:03 am

Hello!

Thank you so much for your reply. Today I have been working with different subnets and for now it seems to work somehow.
ETH1=WAN (Address: Public Static IP)
ETH2=LAN (Address: 192.168.1.1/24 Network: 192.168.1.0 Subnet: 255.255.255.0)
ETH3=DISABLED
ETH4=DISABLED
ETH5=SERVER (Address 192.168.5.1/30 Network: 192.168.5.0 Subnet: 255.255.255.252)

All ETH ports are not linked and only acting as stand-alone ports.

Server is connected to ETH5 and obtains IP Address: 192.168.5.2/30 Network: 192.168.5.0 Subnet: 255.255.255.252

At the moment I am not able to access the internet FROM the server and also I cannot ping e.g. google.com. But I can ping the ETH2 address 192.168.1.1.

Are you able to suggest which rules to add in RB750 Firewall to allow the Server to get internet access via the WAN in RB750 ?

Also, please suggest rules to add in the firewall to block any traffic between subnet 255.255.255.0 and subnet 255.255.255.252 ?

Thank you so much for your kind help - I really appreciate it a lot.

Best Regards,

Martin B.

 
Sob
Forum Guru
Posts: 4802
Joined: Mon Apr 20, 2009 9:11 pm

Re: Two Separate LAN Networks Behind One RB750 ?

Tue Nov 15, 2016 3:13 am

You need to allow outgoing traffic from second subnet (it probably is, if you didn't block anything) and NAT outgoing connections from there (I'd expect it to work too, if you have the usual generic masquerade rule). If it doesn't work, it would be best to post your current config, it would save a lot of guesswork.
 
RealMuhko
just joined
Topic Author
Posts: 11
Joined: Tue Jul 14, 2015 5:47 am

Re: Two Separate LAN Networks Behind One RB750 ?

Thu Nov 17, 2016 4:42 am

Hello again and thank you for the reply!

The internet traffic from the server to and from the internet is working now.

Server (192.168.5.2 / 255.255.255.252) working on ETH5 in router is able to ping Workstation (192.168.2.2 / 255.255.255.0) working on ETH1.

How can I disable ALL communication between the two subnets and clients working on them ?

Thank you again and have a good day,

Regards,

Martin B.
 
JB172
Member
Posts: 306
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Two Separate LAN Networks Behind One RB750 ?

Thu Nov 17, 2016 11:56 am


Server (192.168.5.2 / 255.255.255.252) working on ETH5 in router is able to ping Workstation (192.168.2.2 / 255.255.255.0) working on ETH1.

How can I disable ALL communication between the two subnets?
/ip firewall filter
add action=drop chain=forward dst-address=192.168.5.0/30 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=192.168.5.0/30
 
RealMuhko
just joined
Topic Author
Posts: 11
Joined: Tue Jul 14, 2015 5:47 am

Re: Two Separate LAN Networks Behind One RB750 ?

Thu Nov 17, 2016 5:08 pm

Hello again.

Thank you so much, the below rules are now implemented in the RB750 and clients connected to the separate subnets are now not able to ping each other or exchange data at all.
I just noticed that the clients of each subnet however are able to ping the gateway of the other subnet. E.g.:

Client 192.168.1.2 / 255.255.255.0 can ping gateway 192.168.5.1 / 255.255.255.252
Client 192.168.5.2 / 255.255.255.252 can ping gateway 192.168.1.1 / 255.255.255.0

Is it also possible to prohibit traffic between these two interfaces (LAN2 + LAN5 on RB750 switch) ?

Thank you for your help guys, it is much appreciated.

Best Regards,

Martin B.
 
JB172
Member
Posts: 306
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Two Separate LAN Networks Behind One RB750 ?

Thu Nov 17, 2016 8:06 pm

I just noticed that the clients of each subnet however are able to ping the gateway of the other subnet. E.g.:

Client 192.168.1.2 / 255.255.255.0 can ping gateway 192.168.5.1 / 255.255.255.252
Client 192.168.5.2 / 255.255.255.252 can ping gateway 192.168.1.1 / 255.255.255.0
Hello Martin.
Try this:

/ip firewall filter
add action=drop chain=input dst-address=192.168.1.1 protocol=icmp src-address=192.168.5.0/30
add action=drop chain=input dst-address=192.168.5.1 protocol=icmp src-address=192.168.1.0/24
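
Added example, not part of the thread or of any poster's message: a small Python model of the drop rules posted above, showing which probes each rule set stops and what the ICMP-only input rules still let through. It assumes a default-accept policy with no other filter rules on the router; the protocol-less input rules in ANY_INPUT are a hypothetical tightening, and all probe packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Model of the thread's drop rules: (chain, src, dst, protocol or None = any).
FORWARD_ONLY = [
    ("forward", "192.168.1.0/24", "192.168.5.0/30", None),
    ("forward", "192.168.5.0/30", "192.168.1.0/24", None),
]
ICMP_INPUT = FORWARD_ONLY + [
    ("input", "192.168.5.0/30", "192.168.1.1/32", "icmp"),
    ("input", "192.168.1.0/24", "192.168.5.1/32", "icmp"),
]
# Hypothetical tightening (assumption): same input rules, no protocol matcher.
ANY_INPUT = FORWARD_ONLY + [
    ("input", "192.168.5.0/30", "192.168.1.1/32", None),
    ("input", "192.168.1.0/24", "192.168.5.1/32", None),
]
ROUTER_ADDRS = {ip_address("192.168.1.1"), ip_address("192.168.5.1")}

def chain_for(dst):
    """Packets addressed to the router itself hit 'input'; routed ones hit 'forward'."""
    return "input" if ip_address(dst) in ROUTER_ADDRS else "forward"

def verdict(rules, src, dst, proto):
    """A matching drop rule drops the packet; otherwise the assumed default accept applies."""
    chain = chain_for(dst)
    for r_chain, r_src, r_dst, r_proto in rules:
        if (r_chain == chain
                and ip_address(src) in ip_network(r_src)
                and ip_address(dst) in ip_network(r_dst)
                and r_proto in (None, proto)):
            return "drop"
    return "accept"

# Constructed probes (src, dst, protocol).
PROBES = [
    ("192.168.1.2", "192.168.5.2", "icmp"),  # client -> client in the other subnet
    ("192.168.5.2", "192.168.1.1", "icmp"),  # server -> other subnet's gateway, ping
    ("192.168.5.2", "192.168.1.1", "tcp"),   # server -> other gateway, any TCP service
    ("192.168.5.2", "192.168.5.1", "tcp"),   # server -> its own gateway, must stay open
]

def report(rules):
    return [verdict(rules, *probe) for probe in PROBES]

if __name__ == "__main__":
    for name, rules in [("forward only", FORWARD_ONLY),
                        ("+ icmp input", ICMP_INPUT),
                        ("+ any input", ANY_INPUT)]:
        print(f"{name:13}", report(rules))
```

The third probe is the one to watch: with the ICMP-only input rules, ping to the other gateway stops, but TCP to that same router address is still accepted in this model.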
 
RealMuhko
just joined
Topic Author
Posts: 11
Joined: Tue Jul 14, 2015 5:47 am

Re: Two Separate LAN Networks Behind One RB750 ?

Fri Nov 18, 2016 12:26 am

Hello Guys!

Everything is working now - Thank you for all your help and assistance.

Best Regards,

Martin B.
