auspat
just joined
Topic Author
Posts: 2
Joined: Tue Sep 14, 2021 6:45 pm

2 separate networks - no internet access

Tue Sep 14, 2021 10:35 pm

Hello, everyone.

I'm still new to MikroTik configuration. I have the following setup:

Port Ether1: WAN / Internet via PPPoE dial-in
Port Ether2: Internal network
Port Ether3: guest network

Access to the Internet is possible from Ether2, but not from Ether3. DHCP works in the "guest network" of Ether3. The config looks like this:
/interface bridge
add admin-mac=08:55:31:BA:74:C7 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-BA74CD wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-BA74CC wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add comment="VLAN 1 - Intern" name=dhcp ranges=192.168.103.10-192.168.103.50
add comment=L2TP name=L2TP ranges=10.0.10.1-10.0.10.50
add comment="VLAN 20 - Guest" name=dhcp_pool3 ranges=\
10.18.100.2-10.18.103.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool3 disabled=no interface=ether3 name="DHCP Guest"
/ip ipsec mode-config
add address-pool=L2TP name=vpndhcpo
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.103.254 name=\
L2TP-VPN remote-address=L2TP use-encryption=required use-mpls=yes
set *FFFFFFFE bridge=bridge dns-server=192.168.103.100,8.8.8.8 local-address=\
192.168.103.254 remote-address=L2TP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=Guest interface=ether3 list=LAN
/ip address
add address=192.168.103.254/24 comment=Intern interface=bridge network=\
192.168.103.0
add address=10.18.100.1 comment=Guest interface=ether3 network=10.18.100.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.103.41 client-id=1:7c:10:c9:44:cb:bb mac-address=\
7C:10:C9:44:CB:BB server=defconf
add address=192.168.103.40 client-id=1:7c:10:c9:44:1a:7b mac-address=\
7C:10:C9:44:1A:7B server=defconf
/ip dhcp-server network
add address=10.18.100.0/22 gateway=10.18.100.1
add address=192.168.103.0/24 comment=defconf dns-server=192.168.103.100 \
gateway=192.168.103.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.103.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="L2TP VPN erlauben" dst-port=500 \
protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment=" Drop Invalid connections" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat connection-type="" out-interface=ether1
add action=masquerade chain=srcnat comment=\
"Allen Traffic nach draussen Natten" out-interface=pppoe-out1
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ppp secret
/system clock
set time-zone-name=Europe/Vienna
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Is there a simple firewall rule missing here so that access to the Internet from Ether3 is possible?

Thanks!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 4:29 pm

Oh that's obvious, clearly your IP address for ether3 is missing a mask which prevents any traffic!! :-) :-) :-)

add address=10.18.100.1/?? comment=Guest interface=ether3 network=10.18.100.0
Oh suggest something like 22 will work, pulling any number out of a hat........ ;-p :
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 4:46 pm

Oh suggest something like 22 will work, pulling any number out of a hat........ ;-p :

And that wisdom of yours has nothing to do with OP's setting in /ip dhcp-server network ... :wink:
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 4:51 pm

Oh suggest something like 22 will work, pulling any number out of a hat........ ;-p :

And that wisdom of yours has nothing to do with OP's setting in /ip dhcp-server network ... :wink:
I'm assuming you're alluding to the fact that the network mask should match the IP pool?
22 seemed intuitively correct.......... Anav (yoda)
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 5:36 pm

I'm assuming you're alluding to the fact that the network mask should match the IP pool?

No, I'm alluding to the fact that it's a jolly good idea that client IP settings (i.e. the subnet mask received from the DHCP server, which is defined in the /ip dhcp-server network section) match the IP settings of their gateway. The IP pool is only a loosely related item (but it's again a good idea if it somehow fits the general setup).

While things can work if the gateway's subnet mask is shorter (i.e. covers a larger subnet) than the clients' subnet mask, it still calls for trouble if the network administrator is not alert enough. But things are guaranteed to break if the gateway's subnet mask is longer than the clients' subnet mask, which likely means some clients' IP addresses will fall outside the gateway's perception of the subnet.
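As an added example (not part of this thread or of RouterOS), a small Python check of the rule described above, run over the /ip address, /ip dhcp-server network and /ip pool values from the OP's export. The ether3 entry is taken exactly as posted, without a prefix, which RouterOS treats as a /32; the dictionaries and function names are constructed for this example.

```python
import ipaddress

# Constructed from the OP's export: interface addresses, DHCP networks
# (network -> gateway) and pools (first, last, network). ether3 is entered
# exactly as posted, without a prefix, which RouterOS treats as a /32.
GATEWAY_ADDRESSES = {
    "bridge": "192.168.103.254/24",
    "ether3": "10.18.100.1",
}
DHCP_NETWORKS = {
    "10.18.100.0/22": "10.18.100.1",
    "192.168.103.0/24": "192.168.103.254",
}
POOLS = {
    "dhcp_pool3": ("10.18.100.2", "10.18.103.254", "10.18.100.0/22"),
    "dhcp": ("192.168.103.10", "192.168.103.50", "192.168.103.0/24"),
}

def check_gateway(gw_entry: str, client_net: str) -> str:
    """Compare the gateway's own prefix length with the one DHCP clients get.

    'ok'     - both match (what clients and gateway should agree on)
    'warn'   - gateway prefix is shorter: works, but easy to misconfigure
    'broken' - gateway prefix is longer: some client addresses lie outside
               the gateway's idea of its connected subnet, so replies fail
    """
    gw = ipaddress.ip_interface(gw_entry)          # bare address -> /32
    net = ipaddress.ip_network(client_net, strict=False)
    if gw.network.prefixlen == net.prefixlen:
        return "ok"
    return "warn" if gw.network.prefixlen < net.prefixlen else "broken"

def check_pool(first: str, last: str, client_net: str) -> bool:
    """True when the whole DHCP pool range lies inside the DHCP network."""
    net = ipaddress.ip_network(client_net, strict=False)
    return all(ipaddress.ip_address(a) in net for a in (first, last))

def audit(addresses: dict, networks: dict) -> dict:
    """For each DHCP network, find the interface address that carries its
    gateway IP and return the check_gateway verdict per network."""
    verdicts = {}
    for client_net, gw_ip in networks.items():
        verdicts[client_net] = "no-gateway-address"
        for entry in addresses.values():
            if str(ipaddress.ip_interface(entry).ip) == gw_ip:
                verdicts[client_net] = check_gateway(entry, client_net)
    return verdicts
```

With the address as posted the guest network comes back as 'broken'; changing the ether3 entry to 10.18.100.1/22 (the prefix of its DHCP network) turns it into 'ok'.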
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 6:54 pm

Something makes me coin a new term: two-duplicate-posts-and-go user
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 separate networks - no internet access

Wed Sep 15, 2021 7:52 pm

Actually in this case I will make an exception as my response was far better the second time around jajajaja
