
extremely ugly network bridging

Posted: Wed Mar 14, 2018 1:08 am
by dadaniel
Please help me with the following situation:

I have two buildings:
A has one internet gateway and one IP camera (AC:CC:8E).
B has one internet gateway and a NAS (00:11:32).
It is possible to connect both buildings using ethernet wire.

Both internet gateways have the same non-changeable IP address, they also don't support static routes. I cannot replace them.

The IP camera of building A should be able to access the NAS of building B while maintaining internet connectivity through the internet gateway of building A. It should not use the gateway from building B! It is not possible to assign more than one IP address to the camera!

I tried the following approach, but although I only allow the MAC addresses of the NAS and the camera, it is failing because they are sending wrong ARP broadcast replies for other devices when asked from the other network:
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 hw=no interface=ether2
/interface bridge filter
add action=accept chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF src-mac-address=AC:CC:8E:??:??:??/FF:FF:FF:FF:FF:FF
add action=accept chain=forward dst-mac-address=00:11:32:??:??:??/FF:FF:FF:FF:FF:FF src-mac-address=AC:CC:8E:??:??:??/FF:FF:FF:FF:FF:FF
add action=accept chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF src-mac-address=00:11:32:??:??:??/FF:FF:FF:FF:FF:FF
add action=accept chain=forward dst-mac-address=AC:CC:8E:??:??:??/FF:FF:FF:FF:FF:FF src-mac-address=00:11:32:??:??:??/FF:FF:FF:FF:FF:FF
add action=drop chain=forward
Please tell me if there is another solution for this. I know this is very ugly, but I cannot change the requirement at the moment.

Re: extremely ugly network bridging

Posted: Wed Mar 14, 2018 1:44 am
by nichky
If you have an ISP on both sides, why didn't you try a VPN instead of an Ethernet wire?

Re: extremely ugly network bridging

Posted: Wed Mar 14, 2018 2:20 am
by CZFan
VPN can work, but might be slow due to VPN technology and will also eat into your internet bandwidth.

If the distance between the Ethernet cable end points is not more than 100 meters you should be OK, else you will have to either add switches along the way or go fiber.

Then all you do is route from the building A subnet to the building B subnet and vice versa, and use a default route to the Internet gateway for other traffic on both sides.

Re: extremely ugly network bridging

Posted: Wed Mar 14, 2018 7:38 am
by dadaniel
VPN can work, but might be slow due to VPN technology and will also eat into your internet bandwidth.

Then all you do is route from building a to building b subnet and vica versa. And use a default route to Internet gateway for other traffic on both side
Yes, VPN is not an option because the internet bandwidth cannot handle the camera stream.

I wrote that the gateway does not support static routes, so how can I route here?

Re: extremely ugly network bridging

Posted: Wed Mar 14, 2018 1:21 pm
by Sans
Just thinking loud here: https://wiki.mikrotik.com/wiki/Manual:M ... ed_example is an option?

Is the stream to internet resulting from a request coming in through gateway A? Can src-address be used for routing?

Re: extremely ugly network bridging

Posted: Wed Mar 14, 2018 3:01 pm
by jarda
Or just put two routers there that will handle the routing between those two, their networks and their WANs.

Re: extremely ugly network bridging

Posted: Thu Mar 15, 2018 3:49 am
by Sob
If you can live with only direct connections from one address to another (no broadcasts), then proxy ARP is your friend. Let's say that you have:

192.168.1.10 - NAS
192.168.1.20 - camera
192.168.1.100 - router used to connect NAS and camera
LAN1 - primary LAN where router is connected to, all devices in this LAN can access router
LAN2 - secondary LAN, only selected devices can access router (in this case only camera)

Then this is the config (just this, nothing else):
/ip address
add address=192.168.1.100/24 interface=LAN1 network=192.168.1.0 comment="standard config"
add address=192.168.1.100 interface=LAN2 network=192.168.1.20 comment="point to point to camera"
/ip arp
add address=192.168.1.20 interface=LAN1 published=yes comment="make camera visible on LAN1(*)"
add address=192.168.1.10 interface=LAN2 published=yes comment="make NAS visible on LAN2(*)"
(*) Even though every device on LAN1 can see the camera (ARP will resolve), only the NAS will be able to communicate with it, because the camera won't see anything else from LAN1 except the NAS and the router.

Re: extremely ugly network bridging

Posted: Thu Mar 15, 2018 4:06 pm
by dadaniel
@Sob:

Do I need static routes on NAS or camera in this case? Do I have to enable (local)proxy-arp in interface settings?

I cannot make this router the default gateway for any device on both LANs!

Re: extremely ugly network bridging

Posted: Thu Mar 15, 2018 5:45 pm
by Sob
No static routes and no additional proxy arp settings.

Both devices are still in the same IP subnet, so they don't need a gateway to communicate with each other. They will ask for the other one using ARP, and the only difference is that instead of the real target device, the router will answer with its own MAC address. That's what proxy ARP does.

And don't touch the ARP settings on the interfaces. If you enable proxy ARP there, it won't work correctly, because the router will answer even for other addresses. Using published addresses in "/ip arp" is selective: it only works for the addresses you put there.
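To make the difference between the two approaches concrete, here is a small Python model of which ARP requests the router would answer, written for this thread (it is not anything from RouterOS or from the posts above). It encodes the "/ip address" and published "/ip arp" entries from the example config and treats interface-level proxy ARP in the classic way, replying for any address reachable through a different interface; the router MAC and the extra LAN1 host 192.168.1.30 are constructed values.

```python
# Simplified model of ARP answering on the router from the example config.
# It contrasts selective published "/ip arp" entries with interface-level
# proxy ARP, which replies for every address routed out another interface.
from ipaddress import ip_address, ip_network

ROUTER_MAC = "02:00:00:00:01:00"  # constructed router MAC address

# Connected routes derived from the two "/ip address" lines of the example
ROUTES = [
    (ip_network("192.168.1.0/24"), "LAN1"),   # 192.168.1.100/24 on LAN1
    (ip_network("192.168.1.20/32"), "LAN2"),  # point-to-point to camera on LAN2
]

# The two "/ip arp ... published=yes" entries of the example config
PUBLISHED = {
    ("LAN1", ip_address("192.168.1.20")),  # camera made visible on LAN1
    ("LAN2", ip_address("192.168.1.10")),  # NAS made visible on LAN2
}


def egress_interface(target):
    """Longest-prefix match over the connected routes; None if unroutable."""
    best = None
    for net, iface in ROUTES:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def router_answers(req_iface, target_ip, mode):
    """Return ROUTER_MAC if the router would reply to an ARP request for
    target_ip heard on req_iface, else None.
    mode 'published': reply only for static published entries on that interface.
    mode 'proxy-arp': classic proxy ARP, reply for any address whose route
    leaves through a *different* interface (the behaviour to avoid here)."""
    target = ip_address(target_ip)
    if mode == "published":
        return ROUTER_MAC if (req_iface, target) in PUBLISHED else None
    if mode == "proxy-arp":
        out = egress_interface(target)
        return ROUTER_MAC if out is not None and out != req_iface else None
    raise ValueError("unknown mode: " + mode)


def camera_reachable_hosts(mode, lan1_hosts):
    """LAN1 addresses the camera on LAN2 can resolve through the router."""
    return [h for h in lan1_hosts if router_answers("LAN2", h, mode)]
```

With published entries the camera on LAN2 resolves only the NAS; with proxy ARP enabled on LAN2 it would also resolve every other LAN1 host, which is exactly the leak the post warns about.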

Re: extremely ugly network bridging

Posted: Thu Mar 15, 2018 5:48 pm
by Sob
One more thing about the entries in "/ip arp", if it's not clear: the example config assumes that the NAS is in LAN1 and the camera in LAN2.

Re: extremely ugly network bridging

Posted: Thu Mar 15, 2018 5:55 pm
by dadaniel
That seems to be a very easy and clean solution. I'll try it this weekend and report back, thank you very much!!

Re: extremely ugly network bridging

Posted: Fri Mar 16, 2018 11:42 pm
by dadaniel
Thank you very much, it works perfectly!
Is it possible to allow NAS access for more than one camera? Do I just have to add an additional IP address and ARP entry for another camera IP? (keeping the router IP unchanged, so having multiple entries of it with only the network IP changed?)

Re: extremely ugly network bridging

Posted: Sat Mar 17, 2018 2:49 am
by Sob
Exactly, add as many as you need.

Re: extremely ugly network bridging

Posted: Sat Mar 17, 2018 7:46 am
by nichky
@dadaniel can I have your topology?

Re: extremely ugly network bridging

Posted: Sat Mar 17, 2018 11:30 am
by dadaniel
@dadaniel can I have your topology?
I don't have a suitable network diagram ready, but you can ask me any question about the topology that you don't find answered in the first post.

Both LANs use 10.0.0.x/24, both Internet gateways have the same address 10.0.0.138 and a DHCP server active. The solution from Sob works great, as it doesn't bridge the two networks or forward broadcasts. Instead only selected devices from both networks can reach each other, all without needing static routes or such things. Simply clever :)