
Allow all traffic between one LAN and WAN interface

Posted: Tue Jan 15, 2019 8:58 pm
by sporkman
I have a CCR with two WAN links, and a LAN link with a few VLANs on it. Everything on the LAN/VLANs is being NAT'd ("masqueraded").

I have an extra /28 routed to one of the WAN links and want to give unfettered access to a piece of that subnet to someone plugged in to one of the extra LAN ports.

In Cisco world, where I'm generally not doing NAT or firewalling on the router itself, this is a no-brainer.

In Mikrotik world, I'm a bit stumped.

So far I did the following:
- made my NAT rules more specific so they only match traffic from the existing NAT'd LAN/VLAN subnets
- took a /31 from the /28 and assigned it to an unused LAN interface (oops! /31 is a no-go on Mik, make that a /30)
- added two rules above all other rules on the forward chain to allow all traffic from the WAN interface to this new LAN interface and vice versa (no go)
- added two rules above all other rules on the input chain to allow all traffic to the new /28 on this new LAN interface and vice versa (works)

Is this correct? Is there a better or more efficient way to achieve this?
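The steps listed above, written out as RouterOS configuration. This is an added example, not sporkman's actual config: the interface names (WAN1, ether5), the routed prefix 203.0.113.16/28 (a documentation range), the /30 carved from it, and the private LAN/VLAN subnets are all placeholders chosen for illustration.

```routeros
# Added example, not the poster's configuration. Assumptions:
#   WAN1   = the WAN port the extra /28 (203.0.113.16/28) is routed to
#   ether5 = the spare LAN port that gets the public /30
#   192.168.10.0/24 and 192.168.20.0/24 = the existing NAT'd LAN/VLAN subnets

# First /30 of the routed /28 on the spare port: router takes .17,
# the connected device uses .18 with .17 as its gateway.
/ip address
add address=203.0.113.17/30 interface=ether5 network=203.0.113.16 \
    comment="public /30 for the un-NAT'd LAN port"

# Step 1: make masquerade specific, so it matches only the private
# LAN/VLAN subnets and never rewrites the public /30.
/ip firewall address-list
add list=nat-lans address=192.168.10.0/24 comment="NAT'd LAN"
add list=nat-lans address=192.168.20.0/24 comment="NAT'd VLAN"
/ip firewall nat
add chain=srcnat action=masquerade out-interface=WAN1 \
    src-address-list=nat-lans comment="masquerade private LANs only"

# Step 2: forward chain accepts for the public /30 in both directions.
# place-before=0 and =1 put them at the top of the chain, ahead of any
# drop rules, while keeping this order. Matching on the address as well
# as the interface pair keeps the bypass limited to the routed subnet.
/ip firewall filter
add chain=forward action=accept in-interface=ether5 out-interface=WAN1 \
    src-address=203.0.113.16/30 place-before=0 comment="public /30 -> WAN1"
add chain=forward action=accept in-interface=WAN1 out-interface=ether5 \
    dst-address=203.0.113.16/30 place-before=1 comment="WAN1 -> public /30"
```

If the device on ether5 needs to reach the router itself (ping the gateway, DNS on the router), matching input-chain accepts for 203.0.113.16/30 on ether5 are needed as well, as the post notes; traffic that only transits the router is decided by the forward chain.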

Re: Allow all traffic between one LAN and WAN interface

Posted: Tue Jan 15, 2019 9:34 pm
by anav
No idea, but you have to conduct 3 separate and sometimes related rules.
a. NAT the traffic appropriately.
b. Route the traffic appropriately.
c. If necessary, apply firewall filter rules to allow traffic to flow.

Sometimes one has to use mangle type rules to correctly identify the traffic to be routed.

Re: Allow all traffic between one LAN and WAN interface

Posted: Wed Jan 16, 2019 1:39 pm
by mkx
In Cisco world, where I'm generally not doing NAT or firewalling on the router itself, this is a no-brainer.

If you don't need a firewall for those devices, you could simply bridge the WAN interface with the extra LAN port and move the WAN config off the WAN port to the new bridge. The bridge will act as a dumb switch between the WAN port, the extra LAN port and the internal WAN "interface".

E.g. if your current config looks like this:
/interface ethernet
set [ find default-name=etherX ] name=WAN1
set [ find default-name=etherY ] name=extraLAN
/interface bridge port
add bridge=bridge interface=extraLAN
/ip address
add address=<WAN1 IP address>/28 interface=WAN1 network=<WAN1 network address>
(I omitted most of the config, just showing the items that need to be changed to follow my suggestion.)

you could change it to this:
/interface ethernet
set [ find default-name=etherX ] name=WAN1
set [ find default-name=etherY ] name=extraLAN
/interface bridge
add comment="WAN ports bridge" name=WANbridge protocol-mode=none auto-mac=no admin-mac=<enter MAC of WAN1 port here>
/interface bridge port
add bridge=WANbridge interface=WAN1
add bridge=WANbridge interface=extraLAN
/ip address
add address=<WAN1 IP address>/28 interface=WANbridge network=<WAN1 network address>
I.e. no change in ether interface naming (not needed, that is), remove the extraLAN ether port from the default bridge, create a new bridge, add the WAN1 and extraLAN ports to it, remove the IP config from the WAN1 port (whatever that might be; I only showed a static IP address, but it could be a PPPoE client, DHCP client, routing, whatnot) and re-create the same IP config on the "interface" WANbridge.

For a device connected to the extraLAN port, it will look like it's connected to a dumb switch, i.e. a transparent connection to WAN1.