xaviote
just joined
Topic Author
Posts: 2
Joined: Sat Mar 27, 2021 7:28 am

Three Subnets in one ethernet interface

Sat Mar 27, 2021 7:44 am

Hello,
I have a similar problem/need to the one related here:
viewtopic.php?t=66832
Basically, I need to get three subnets working through one ethernet interface: 192.168.0.0/24, 192.168.3.0/24, 192.168.10.0/24.
I know this is not recommended, I will fix it but for now I have to make it work (three different offices with different configurations have been merged in one physical location and I need them to be able to use each other's resources while I make the integration). The router was working with subnet 192.168.3.0/24 and now I want to add the others, all of them are connected to an unmanaged switch through Ethernet 2.
RouterBoard 3011UiAS, RouterOS 6.45.1,
Ethernet 2:
ip address 192.168.3.5/24
ip address 192.168.10.5/24
ip address 192.168.0.220/24

But the clients cannot see each other. The router can see them all though.
Any ideas?
Thank you!
Xavi
R
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Three Subnets in one ethernet interface

Mon Mar 29, 2021 3:49 pm

Hi Xavi, what you are asking is not possible, at least from my limited knowledge base.
What you need to do is use vlans and a managed switch.

Each office should be on its own vlan and then through firewall rules you can allow
shared sources in a precise way.
For example VLANA to shared printer on VLANB
or VLANC to server on VLAN A etc...
 
SpartanX
newbie
Posts: 44
Joined: Mon Jun 27, 2016 6:13 pm

Re: Three Subnets in one ethernet interface

Mon Mar 29, 2021 4:47 pm

That's called multinetting and is occasionally used in just such a situation (merging networks) prior to setting them up 'properly' on one flat network or multiple VLANs. At least on Cisco kit it is.

Are all the hosts configured with the appropriate address (the one on their subnet) on the MT router as their gateway?

If so, then perhaps the firewall is preventing them being routed to each other.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Three Subnets in one ethernet interface  [SOLVED]

Mon Mar 29, 2021 4:53 pm

Ethernet 2:
ip address 192.168.3.5/24
ip address 192.168.10.5/24
ip address 192.168.0.220/24
Simply setting all 3 addresses to same interface (ether2) does the trick.

But the clients cannot see each other. The router can see them all though.
What exactly is the question? That clients should not see each other? That's impossible to achieve as long as they share the same (unmanaged) ethernet network, as @anav already wrote.

If users are not trying to play tricks, then computers won't try to communicate directly, bypassing the router. However, the big problem in usual office environments is this: you can't have more than one authoritative DHCP server (without playing tricks) in a single unmanaged ethernet network. You can divide computers into different IP subnets using a single DHCP server, but you have to assign every computer a static lease (or by using some filters, but with assorted computers that's a hard task).

In short: you're looking at a nightmare.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Three Subnets in one ethernet interface

Mon Mar 29, 2021 4:56 pm

Hi Mkx, Understood thanks for the clarification.
During the MTUNA course we call this.......... yes you can stuff a raccoon up the anus, but it hurts!
On a happier note: The Suez canal, unlike the tube in the previous sentence is now unblocked!!
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Three Subnets in one ethernet interface

Mon Mar 29, 2021 9:03 pm

Even with the static IP addresses (or reserved DHCP leases), as this works when the router has the 3 IP addresses, and all clients use that router on the corresponding IP address, there might be a problem with RouterOS sending ICMP redirects. I did NOT experience this myself, just have read it in the forum: viewtopic.php?f=2&t=139465 .

But maybe "proxy-arp" and/or "hairpin NAT" could add ways to facilitate the interconnection.

On the other hand, normally only servers need to be visible for all clients. So giving them 3 IP addresses also could be a workaround to consider.

"Dutch people are proud on their dredging company."
 
xaviote
just joined
Topic Author
Posts: 2
Joined: Sat Mar 27, 2021 7:28 am

Re: Three Subnets in one ethernet interface

Tue Mar 30, 2021 11:56 am

Hello,
Thank you all for your contributions, the problem is finally solved. As @mkx said just adding the addresses to the interface and proper configuration of the gateways does the trick.
The problem I had was with a legacy bridge+eoip which was f...ing the configuration.
Regarding the dhcp, as you say, and Christopher Lambert once said, there can be only one. I already have imported all MAC addresses and I will run the server with a /16 mask until all is settled, hope it won't be long.
Either way, I don't care if the clients can see each other, after all they will be in the same subnet shortly, but they must be able to reach services in any subnet.
Thank you!
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: Three Subnets in one ethernet interface

Tue Mar 30, 2021 7:21 pm

But the clients cannot see each other. The router can see them all though.
What exactly is the question? That clients should not see each other? That's impossible to achieve as long as they share the same (unmanaged) ethernet network
For those interested in the details: Running more than one IP address on the same physical Ethernet interface is perfectly legal. It is called a "Multi-homed" or "Multi-Netted" interface. All known OSes including Windows can be configured that way (see Advanced IPv4 settings of a Windows Network Adapter).
This is how we sent different IP subnets over the same wire years ago, before there were VLANs. The different subnets are separated on Layer 3, but share a common Layer 2 broadcast domain. Clients will be able to directly talk to each other using Layer 2 protocols only. But doing so requires Admin/Root on the clients. So depending on the environment, there might be a security impact.

But of course running a dedicated VLAN for each IP Subnet eases network management, lowers broadcast traffic and makes DHCP a lot easier. But security is only improved for Clients running on untagged access ports where the Switch drops tagged packets.

This is an opportunity to fight a popular but wrong belief: VLANs on trunked/hybrid connections are only to improve network organization, NOT to improve security. Every malicious client can monitor trunked/hybrid network traffic for VLAN tags in use and join a VLAN of its choice. It is also no problem, and takes just some minutes, to blindly and automatically try all available 4096 VLAN IDs.
I have seen many times network admins running the tagged Mgmt VLAN in parallel to the untagged normal client traffic, assuming that an attacker not knowing the Mgmt VLAN Id adds security. It does not.

This is why it is very important to physically protect wires running trunked/hybrid connections and to closely monitor them for link status changes. Not knowing the VLANs in use does not change much for an attacker having physical access to the connection.
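The access-port hardening jbl42 refers to (a switch that drops tagged frames from clients), as an added example that is not code from the post: a RouterOS 6.41+ bridge with VLAN filtering where access ports admit only untagged frames and the trunk admits only the VLAN IDs present in the table. Interface names, VLAN IDs and the management address are assumptions.

```routeros
# Added example, not from the post. RouterOS 6.41+ bridge VLAN filtering on a
# MikroTik device acting as the switch. ether2/ether3 = client access ports,
# ether5 = trunk to the router; VLAN 10/20 = offices, VLAN 99 = management
# (all assumed values).
/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is enabled last, see below"

/interface bridge port
# Access ports: untagged only, so a tagged frame sent by a client is dropped
# instead of letting the client choose its VLAN.
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk: tagged only; ingress-filtering drops any VLAN ID not in the table.
add bridge=bridge1 interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=ether5 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=ether5 untagged=ether3
# Management VLAN exists only on the trunk and the bridge CPU port, never on
# an access port.
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether5

/interface vlan
add name=mgmt interface=bridge1 vlan-id=99
/ip address
add address=10.99.0.2/24 interface=mgmt comment="management address (assumed)"

# Enable filtering only after the table is complete; doing it first can cut
# off the management session.
/interface bridge set bridge1 vlan-filtering=yes
```

Without the `frame-types` restriction and `ingress-filtering=yes`, a client on an access port could inject tagged frames, which is exactly the behaviour the post warns about; with them, the VLAN boundary holds at the access port even though it still does not on the trunk wire itself.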
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Three Subnets in one ethernet interface

Tue Mar 30, 2021 10:06 pm

Thanks for the clarification!!
 
millenium7
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: Three Subnets in one ethernet interface

Wed Mar 31, 2021 3:36 am

We run something like a dozen subnets on our office LAN. It's totally legal and a very valid reason for doing so.
The major use case for us is we deal with a lot of vendors' equipment, all that equipment is usually set up for various static IP addresses out-of-the-box or we configure it to go into another environment, and we can configure it ahead of time with minimal fuss.

We want this equipment on the same L2 broadcast domain so that discovery tools can see it, even if it isn't in the same subnet.
Or we can get to it on its default IP of say 192.168.0.20 when our office might be 10.0.50.x/24. And we accomplish this by very simply adding all the subnets to the router, then setting a masquerade rule for traffic going to the LAN.
So when we try and reach 192.168.0.20 it goes to the router, then the router sends it straight back to the main LAN (as often the default gateway is not configured) which allows us to log in, change to DHCP, then it'll show up on 10.0.50.x and be directly accessible.

Trying to do this with VLANs, dedicated ports, MAC-based VLANs or whatever else is just ridiculous, a waste of time and makes everything just a bit more difficult. It's like renting an excavator when all you need to do is plant a small tree, just use a trowel and get the job done in 30 seconds! Simple and effective is best. So many people want to overcomplicate and go 'by the book' for no beneficial practical purpose.
Likewise I set my work laptop up much the same way, with IP addresses in many subnets, so when I am looking for devices that may have been factory defaulted (or I just need to dig around) I can do pings and IP scans of multiple subnets simultaneously without relying on a router and all the proper routing rules set up. This is fully supported in Windows and all other operating systems I've encountered.
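One way the setup discussed by mkx (single DHCP server with static leases), xaviote (three addresses on the interface plus correct gateways) and millenium7 (masquerade for hairpinned traffic) looks on RouterOS 6.x, as an added example that is not configuration from any post in this thread. It uses the thread's three subnets and router addresses; the interface name, MAC addresses, pool range and the allowed service ports are assumptions.

```routeros
# Added example, not from any post in the thread: RouterOS 6.x config for the
# three subnets on one interface. Interface name, MACs, pool range and the
# allowed service ports are assumptions.

# Three gateway addresses on ether2 (what the thread calls multinetting).
/ip address
add address=192.168.3.5/24 interface=ether2 comment="office A"
add address=192.168.10.5/24 interface=ether2 comment="office B"
add address=192.168.0.220/24 interface=ether2 comment="office C"

# One DHCP server on the shared segment (mkx: only one can be authoritative).
# A client's subnet is fixed by its static lease; the matching network entry
# then hands it the gateway on its own subnet (SpartanX's check).
/ip pool
add name=pool-a ranges=192.168.3.100-192.168.3.199
/ip dhcp-server
add name=dhcp-ether2 interface=ether2 address-pool=pool-a disabled=no
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.5
add address=192.168.10.0/24 gateway=192.168.10.5
add address=192.168.0.0/24 gateway=192.168.0.220
/ip dhcp-server lease
add mac-address=00:11:22:33:44:55 address=192.168.10.50 server=dhcp-ether2 comment="office B printer (assumed MAC)"
add mac-address=00:11:22:33:44:66 address=192.168.0.30 server=dhcp-ether2 comment="office C file server (assumed MAC)"

# Keep the router as the only path between the subnets: do not send ICMP
# redirects that would tell clients to talk to each other directly (bpwl).
/ip settings
set send-redirects=no

# Inter-subnet traffic enters and leaves on ether2. Allow only the shared
# services (anav's printer/server example) and drop everything else.
/ip firewall filter
add chain=forward in-interface=ether2 out-interface=ether2 connection-state=established,related action=accept
add chain=forward in-interface=ether2 out-interface=ether2 src-address=192.168.3.0/24 dst-address=192.168.10.50 protocol=tcp dst-port=9100,631 action=accept comment="office A -> office B printer"
add chain=forward in-interface=ether2 out-interface=ether2 dst-address=192.168.0.30 protocol=tcp dst-port=445 action=accept comment="any office -> office C file share"
add chain=forward in-interface=ether2 out-interface=ether2 action=drop comment="no other direct inter-subnet traffic"

# Hairpin masquerade (millenium7): a host with no default gateway still
# answers, because the source is rewritten to the router's address on that
# host's subnet. Trade-off: the server logs the router, not the real client.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/16 dst-address=192.168.0.0/16 out-interface=ether2 action=masquerade
```

The forward filter runs before srcnat, so the per-service rules still see the client's real source address even though the server does not.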
