spr41178
Member Candidate
Topic Author
Posts: 114
Joined: Tue Apr 01, 2014 11:11 pm

Join two separate subnets on a single router

Sat May 15, 2021 1:23 pm

Good afternoon,

I am trying to connect two different subnets on an RB1100 and I am facing the following issue.

I have a hotspot network that belongs to the RB1100 with a range of 172.21.0.0/16 on interface ether11, which in turn ends up at a couple of access points for internet access.
On these access points I have created virtual ones and linked them with the RB1100 with a VLAN and subnet 192.168.100.0/24.

Now there is a separate network coming from a different router (not MikroTik, but a simple ISP router) with a range of 192.168.30.0/24.

I want to make this network communicate both ways with 172.21.0.0/16 and 192.168.100.0/24.

What I did is I took a free IP address from the 192.168.30.0/24 network (192.168.30.80) and ran a wire to a free ethernet port on my RB1100 (ether10).
I added the address 192.168.30.80/24 to that port (ether10), which is not bridged with the rest of the network, as the 30.0 network has its own DHCP server and I don't want conflicts.
I used srcnat ether10 masquerade, and what I achieved with this is that 172.21.0.0/16 and 192.168.100.0/24 can ping and communicate with 192.168.30.0/24.
I can't seem to achieve the other way around: 192.168.30.0/24 pinging 172.21.0.0/16 and 192.168.100.0/24.

Other than the masquerade rule I haven't added any other rules or routes; maybe I am missing something there?

Thanks in advance.

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether10 ] comment="Management Link" l2mtu=1600 name=\
    10MGMLINK speed=100Mbps
set [ find default-name=ether1 ] name=WAN1 speed=100Mbps
set [ find default-name=ether2 ] name=WAN2 speed=100Mbps
set [ find default-name=ether3 ] name=WAN3 speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether11 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether12 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add comment=vlan100 interface=ether11 name=vlan100 vlan-id=100
/interface list
add name=OTE
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=""
/ip firewall layer7-protocol
add name=streaming regexp=videoplayback|video
add name=facebook regexp=facebook|fbcdn.net
/ip hotspot profile
set [ find default=yes ] login-by=http-chap,http-pap
add hotspot-address=172.21.1.1 login-by=http-chap,http-pap name=hsprof1 \
    radius-interim-update=2m use-radius=yes
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=no idle-timeout=2h keepalive-timeout=\
    2h shared-users=2
add add-mac-cookie=no idle-timeout=1h keepalive-timeout=1h \
    !mac-cookie-timeout name=uprof1 shared-users=10
add idle-timeout=2w keepalive-timeout=2w name=Free shared-users=1000
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=hs-pool-14 ranges=172.21.0.1-172.21.1.0,172.21.1.2-172.21.255.254
add name=vlan100 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=hs-pool-14 disabled=no interface=bridge1 lease-time=1d name=\
    dhcp1
add address-pool=vlan100 disabled=no interface=vlan100 lease-time=1d name=\
    vlan100
/ip hotspot
add address-pool=hs-pool-14 disabled=no idle-timeout=2h interface=bridge1 \
    keepalive-timeout=2h name=hotspot1 profile=hsprof1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether11
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set tcp-syncookies=yes
/interface list member
add interface=WAN1 list=OTE
add interface=WAN2 list=OTE
add interface=WAN3 list=OTE
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.5/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.5/24 interface=WAN2 network=192.168.2.0
add address=172.21.1.1/16 interface=bridge1 network=172.21.0.0
add address=192.168.3.5/24 interface=WAN3 network=192.168.3.0
add address=192.168.30.80/24 interface=10MGMLINK network=192.168.30.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=172.21.0.0/16 comment="hotspot network" gateway=172.21.1.1
add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=8192KiB \
    max-udp-packet-size=8192 servers=1.1.1.1,8.8.8.8
/ip dns static
add address=172.21.1.1 name=router.lan
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input dst-port=4002 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=WAN1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=WAN2 protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN2 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=WAN3 protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN3 protocol=tcp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=" fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=OTE
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 hotspot=auth \
    in-interface=bridge1
add action=accept chain=prerouting dst-address=192.168.2.0/24 hotspot=auth \
    in-interface=bridge1
add action=accept chain=prerouting dst-address=192.168.3.0/24 fragment=no \
    hotspot=auth in-interface=bridge1
add action=mark-connection chain=input hotspot=auth in-interface=WAN1 \
    new-connection-mark=WAN1_mark passthrough=yes
add action=mark-connection chain=input hotspot=auth in-interface=WAN2 \
    new-connection-mark=WAN2_mark passthrough=yes
add action=mark-connection chain=input hotspot=auth in-interface=WAN3 \
    new-connection-mark=WAN3_mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_mark hotspot=auth \
    new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_mark hotspot=auth \
    new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_mark hotspot=auth \
    new-routing-mark=to_ISP3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=\
    auth in-interface=bridge1 new-connection-mark=WAN1_mark passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=\
    auth in-interface=bridge1 new-connection-mark=WAN2_mark passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=\
    auth in-interface=bridge1 new-connection-mark=WAN3_mark passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_mark hotspot=\
    auth in-interface=bridge1 new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_mark hotspot=\
    auth in-interface=bridge1 new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_mark hotspot=\
    auth in-interface=bridge1 new-routing-mark=to_ISP3 passthrough=yes
add action=mark-packet chain=prerouting comment="Mark Packet Streaming" \
    disabled=yes layer7-protocol=streaming new-packet-mark=streaming \
    passthrough=no
add action=mark-packet chain=prerouting comment="Mark Packet Facebook" \
    disabled=yes layer7-protocol=facebook new-packet-mark=facebook \
    passthrough=no
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge1 new-connection-mark=WAN1_mark passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge1 new-connection-mark=WAN2_mark passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge1 new-connection-mark=WAN3_mark passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_mark \
    in-interface=bridge1 new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_mark \
    in-interface=bridge1 new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_mark \
    in-interface=bridge1 new-routing-mark=to_ISP3 passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
add action=masquerade chain=srcnat out-interface=10MGMLINK
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.21.0.0/16
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip hotspot ip-binding
add mac-address=78:7E:61:BB:9E:07 type=bypassed
add mac-address=0C:77:1A:0A:D5:58 type=bypassed
add mac-address=D0:33:11:2E:1F:A4 type=bypassed
add mac-address=98:F1:70:5A:BC:4E type=bypassed
add address=172.21.10.99 comment="PC Reception" server=hotspot1 type=bypassed
add address=172.21.10.98 server=hotspot1 type=bypassed
add address=172.21.10.10-172.21.10.105 comment=Antennas_Switches server=\
    hotspot1 type=bypassed
add address=172.21.10.180 comment=CRS112 server=hotspot1 type=bypassed
/ip hotspot user
add name=stavros profile=uprof1
add name=takis profile=uprof1
add name=bluesky profile=Free server=hotspot1
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_ISP1
add distance=1 gateway=10.0.0.1 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=221.132.112.8 routing-mark=to_ISP2
add distance=2 gateway=10.0.0.2 routing-mark=to_ISP2
add check-gateway=ping distance=3 gateway=8.8.4.4 routing-mark=to_ISP3
add distance=3 gateway=10.0.0.3 routing-mark=to_ISP3
add distance=1 gateway=10.0.0.1
add distance=2 gateway=10.0.0.2
add distance=3 gateway=10.0.0.3
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.3.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 scope=10
add check-gateway=ping distance=1 dst-address=10.0.0.1/32 gateway=8.8.8.8 \
    scope=10
add check-gateway=ping distance=1 dst-address=10.0.0.2/32 gateway=\
    221.132.112.8 scope=10
add check-gateway=ping distance=1 dst-address=10.0.0.3/32 gateway=8.8.4.4 \
    scope=10
add distance=1 dst-address=221.132.112.8/32 gateway=192.168.2.1 scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=4003
set ssh disabled=yes
set api disabled=yes
set winbox port=4002
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote
/radius
add address=11.0.0.1 disabled=yes service=hotspot
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Athens
/system identity
set name="Blue Sky"
/system note
set show-at-login=no
/system ntp client
set enabled=yes primary-ntp=194.177.210.54
/system ntp server
set enabled=yes manycast=no
/system scheduler
add interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/29/2018 start-time=18:05:49
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
/tool romon port
add
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Join two separate subnets on a single router

Sat May 15, 2021 9:44 pm

I may be missing something, but a masquerade rule does exactly what its name suggests: it makes connections coming from both 172.21.0.0/16 and 192.168.100.0/24 appear to come from 192.168.30.80 to the rest of 192.168.30.0/24.

The connection tracking remembers this in each connection's context, so when a response packet arrives, it can determine by source address and port and destination port to which connection that response belongs, and un-src-nat it (i.e. change its destination address) back to the address from which the corresponding request came before.

As 192.168.30.80 is inside the 192.168.30.0/24 subnet, any device in that subnet sends packets for 192.168.30.80 directly to it, without using any gateway, so the responses from these devices always get to the RB1100.

But initial requests sent by any device in 192.168.30.0/24 to either 172.21.0.0/16 or 192.168.100.0/24 have to be routed; most of those devices probably have no routing table of their own, so they send packets for any destination except 192.168.30.0/24 to the default gateway, which is the ISP router for them. And that ISP router knows nothing about the existence of 172.21.0.0/16 or 192.168.100.0/24, so it sends packets for these destinations down its own default route, which is via the WAN. And the ISP most likely drops them.

So far the explanation. Now something regarding possible solutions.

The easiest way would be to configure the ISP router with a route to 192.168.100.0/24 and another one to 172.21.0.0/16, both with 192.168.30.80 as their gateway. This may or may not be possible depending on the router model and your rights to alter its configuration. So at this point it stops being a Mikrotik question.

If it is not possible to set up routes at the ISP router, but you can disable the DHCP server on it, you might run a DHCP server at the RB1100 and indicate it as the default gateway to the devices in 192.168.30.0/24; then, you would have to set up policy routing for traffic coming from 192.168.30.0/24, using the ISP router's address in 192.168.30.0/24 as the default route for that traffic, but using the standard routing table for packets towards 192.168.100.0/24 and 172.21.0.0/16.

Depending on what devices are used in 192.168.30.0/24, you might also be able to use DHCP Option 121 (or Option 249 for Windows devices) to push a routing table to the devices, but not all devices support that. If all of them do support these options, you would send the default route via the ISP router and the routes to the two subnets hosted at the RB1100 via 192.168.30.80.

In any of the above cases, you wouldn't need the masquerade any more.
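The second and third suggestions above written out against the poster's RouterOS v6 export, as an added example (not sindy's, the poster's or MikroTik's own configuration). The ISP router's LAN address 192.168.30.1 and the lease range 192.168.30.100-200 are placeholders assumed here, since neither appears in the thread:

```routeros
# Added example, RouterOS v6 syntax (matches the export above: routing-mark in /ip route).
# ASSUMPTIONS: ISP router LAN address = 192.168.30.1, free lease range = 192.168.30.100-200.
# Prerequisite for both variants: the DHCP server on the ISP router is switched off.

# 1. RB1100 becomes the DHCP server for 192.168.30.0/24 and hands out itself (.80) as gateway
/ip pool
add name=mgmt-pool ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=mgmt-pool disabled=no interface=10MGMLINK lease-time=1d name=dhcp-mgmt
/ip dhcp-server network
add address=192.168.30.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.30.80

# 2. The existing input rule "drop all not coming from LAN" would also drop the DHCP requests
#    arriving on 10MGMLINK, so the port has to become a member of the LAN interface list.
/interface list member
add interface=10MGMLINK list=LAN

# 3. Policy routing (sindy's second suggestion): traffic from 192.168.30.0/24 that is NOT for
#    the two RB1100 subnets and not for the router itself goes back out to the ISP router
#    instead of following the WAN1-3 default routes. Packets for 172.21.0.0/16 and
#    192.168.100.0/24 stay unmarked and use the connected routes in the main table.
/ip firewall address-list
add address=172.21.0.0/16 list=rb1100-lans
add address=192.168.100.0/24 list=rb1100-lans
/ip firewall mangle
add action=mark-routing chain=prerouting comment="30.0 hosts -> ISP router" \
    dst-address-list=!rb1100-lans dst-address-type=!local in-interface=10MGMLINK \
    new-routing-mark=to_ISP_router passthrough=no src-address=192.168.30.0/24
/ip route
add distance=1 gateway=192.168.30.1 routing-mark=to_ISP_router

# 4. As sindy says, the masquerade on 10MGMLINK is no longer needed for reaching the 30.0 hosts.
#    Caveat before removing it: with step 3 the Internet traffic of those hosts enters and leaves
#    10MGMLINK, and the ISP router answers the hosts directly, so the RB1100 sees only one
#    direction of each flow and the forward "drop invalid" rule can hit it. Keeping the masquerade
#    for that path (or using the option-121 variant below) keeps those flows symmetric.

# ALTERNATIVE (sindy's third suggestion): instead of step 3, push the routes to the clients with
# DHCP option 121 (RFC 3442). Each route is encoded <prefix-len><significant dst octets><gateway>:
#   192.168.100.0/24 via 192.168.30.80 -> 18 C0A864 C0A81E50
#   172.21.0.0/16    via 192.168.30.80 -> 10 AC15   C0A81E50
#   0.0.0.0/0        via 192.168.30.1  -> 00        C0A81E01
# The default route is mandatory here: clients that accept option 121 ignore the router from
# option 3. Windows reads the same encoding from option 249.
# /ip dhcp-server option
# add code=121 name=classless-routes value=0x18C0A864C0A81E5010AC15C0A81E5000C0A81E01
# add code=249 name=classless-routes-ms value=0x18C0A864C0A81E5010AC15C0A81E5000C0A81E01
# /ip dhcp-server network
# set [ find address=192.168.30.0/24 ] dhcp-option=classless-routes,classless-routes-ms
```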
spr41178
Member Candidate
Topic Author
Posts: 114
Joined: Tue Apr 01, 2014 11:11 pm

Re: Join two separate subnets on a single router

Mon May 17, 2021 11:38 am

Good morning Sindy,

I will check the ISP router the next time I visit the premises to see if I have the option to set up routes on it.

If not, I will install a separate MikroTik after the router and use that one as a DHCP server, and I will follow up with you on the routing table procedure, as I really want to learn how to do this.

Thank you for your time and effort.
