sporkman
newbie
Topic Author
Posts: 32
Joined: Thu May 02, 2013 4:37 am

Allow all traffic between one LAN and WAN interface

Tue Jan 15, 2019 8:58 pm

I have a CCR with two WAN links, and a LAN link with a few VLANs on it. Everything on the LAN/VLANs is being NAT'd ("masqueraded").

I have an extra /28 routed to one of the WAN links and want to give unfettered access to a piece of that subnet to someone plugged-in to one of the extra LAN ports.

In Cisco world, where I'm generally not doing NAT or firewalling on the router itself, this is a no-brainer.

In Mikrotik world, I'm a bit stumped.

So far I did the following:
- made my NAT rules more specific so they only match traffic from the existing NAT'd LAN/VLAN subnets
- took a /31 from the /28 and assigned it to an unused LAN interface (oops! /31 is a no-go on Mik, make that a /30)
- added two rules above all other rules on the forward chain to allow all traffic from the WAN interface to this new LAN interface and vice-versa (no go)
- added two rules above all other rules on the input chain to allow all traffic to the new /28 on this new LAN interface and vice-versa (works)

Is this correct? Is there a better or more efficient way to achieve this?
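As an added example (not configuration from the original poster or the thread), this is what the firewall-based variant of the steps above looks like as RouterOS CLI. All interface names, the 203.0.113.16/28 prefix and the 10.10.0.0/16 private range are constructed placeholders; in RouterOS, transit traffic between two interfaces is filtered in the forward chain, so that is where the two accept rules must sit, above any drop rules.

```routeros
# Added example, not from the thread. Names and addresses are hypothetical.
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether5 ] name=extraLAN

# Assume the upstream routes 203.0.113.16/28 (constructed) to WAN1.
# Carve a /30 from it for the extra port: router .17, customer device .18
# (the device uses .17 as its gateway). RouterOS will not accept /31 on an
# interface, so /30 is the smallest usable size.
/ip address
add address=203.0.113.17/30 interface=extraLAN network=203.0.113.16

# NAT only the private LAN/VLAN ranges instead of "everything leaving WAN1",
# so the public /30 on extraLAN is never masqueraded.
/ip firewall nat
add chain=srcnat src-address=10.10.0.0/16 out-interface=WAN1 action=masquerade \
    comment="masquerade LAN/VLANs only"

# Transit traffic between extraLAN and WAN1 is accepted in both directions.
# These two rules must be moved above the usual "drop everything from WAN"
# forward rule (e.g. with /ip firewall filter move), otherwise they never match.
/ip firewall filter
add chain=forward in-interface=extraLAN out-interface=WAN1 action=accept \
    comment="extraLAN -> WAN1 unfiltered"
add chain=forward in-interface=WAN1 out-interface=extraLAN action=accept \
    comment="WAN1 -> extraLAN unfiltered"
```

The device behind extraLAN now has a public address with no filtering at all, which is the stated goal; the only protection it keeps is whatever it runs itself. Traffic from the rest of the /28 (the addresses outside the /30) still needs routes or addresses of its own, since the router only knows the /30 as a connected route.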
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Allow all traffic between one LAN and WAN interface

Tue Jan 15, 2019 9:34 pm

No idea but you have to conduct 3 separate and sometimes related rules.
a. NAT the traffic appropriately
b. Route the traffic appropriately.
c. If necessary apply firewall filter rules to allow traffic to flow

Sometimes one has to use mangle type rules to correctly identify the traffic to be routed.
 
mkx
Forum Guru
Posts: 11590
Joined: Thu Mar 03, 2016 10:23 pm

Re: Allow all traffic between one LAN and WAN interface

Wed Jan 16, 2019 1:39 pm

In Cisco world, where I'm generally not doing NAT or firewalling on the router itself, this is a no-brainer.

If you don't need a firewall for those devices, you could simply bridge the WAN interface with the extra LAN port and move the WAN config off the WAN port to the new bridge. The bridge will act as a dumb switch between the WAN port, the extra LAN port and the internal WAN "interface".

E.g. if your current config looks like this:
/interface ethernet
set [ find default-name=etherX ] name=WAN1
set [ find default-name=etherY ] name=extraLAN
/interface bridge port
add bridge=bridge interface=extraLAN
/ip address
add address=<WAN1 IP address>/28 interface=WAN1 network=<WAN1 network address>
(I omitted most of config, just showing items that need to be changed to follow my suggestion).

you could change it to this:
/interface ethernet
set [ find default-name=etherX ] name=WAN1
set [ find default-name=etherY ] name=extraLAN
/interface bridge
add comment="WAN ports bridge" name=WANbridge protocol-mode=none auto-mac=no admin-mac=<enter MAC of WAN1 port here>
/interface bridge port
add bridge=WANbridge interface=WAN1
add bridge=WANbridge interface=extraLAN
/ip address
add address=<WAN1 IP address>/28 interface=WANbridge network=<WAN1 network address>
I.e. no change in ether interface naming (not needed that is), remove extraLAN ether port from default bridge, create new bridge, add WAN1 and extraLAN ports to it, remove IP config from WAN1 port (whatever that might be, I just showed about static IP address, but it could be PPPoE client, DHCP client, routing, whatnot) and re-create same IP config on "interface" WANbridge.

For a device connected to the extraLAN port, it will look like it's connected to a dumb switch, i.e. a transparent connection to WAN1.
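One check that goes with the bridge approach, as an added example rather than part of the reply above: once WAN1 becomes a bridge port, the router's own IP traffic arrives on WANbridge, so any existing firewall or NAT rule that still says in-interface=WAN1 or out-interface=WAN1 silently stops matching. The constructed minimal rule set below puts WANbridge in an interface list and references the list instead, which also survives later interface renames. The 10.10.0.0/16 range and rule set are hypothetical.

```routeros
# Added example, not from the thread. Assumes the WANbridge from the reply
# above already exists; the rules and 10.10.0.0/16 are constructed.
/interface list
add name=WAN
/interface list member
add list=WAN interface=WANbridge

# Protect the router itself: WAN input is limited to replies.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface-list=WAN action=drop \
    comment="drop new connections to the router from WAN"

# Keep the NAT'd LAN/VLANs unreachable from WAN.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=WAN connection-state=new action=drop \
    comment="no inbound to NAT'd LAN/VLANs"

# Masquerade must also match on the bridge now, not on WAN1.
/ip firewall nat
add chain=srcnat src-address=10.10.0.0/16 out-interface-list=WAN action=masquerade
```

Frames switched between the WAN1 and extraLAN bridge ports never pass through /ip firewall (unless use-ip-firewall is turned on under /interface bridge settings), which is exactly why the extraLAN device is fully exposed: nothing on the router can filter it in this layout.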
