daveharnett
just joined
Topic Author
Posts: 2
Joined: Tue Sep 21, 2021 2:06 am

Public AP behind p2p bridge

Tue Sep 21, 2021 2:16 am

Hi there,
I've offered to share an internet connection with a local community centre, which will be connected by a short-range p2p connection. Given the physical network constraints, traffic from the public subnet will be flowing to the internet-connected router on the same physical interface as traffic from the private network.

I'm looking for the appropriate way to isolate traffic from the public subnet. Bonus points if I can throttle traffic from that subnet. I suspect the answer involves VLANs, but I'm really sketchy on the details. Should I be tagging traffic on all interfaces on the AC3, and starting from there?

Thanks
Untitled Diagram.png
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Public AP behind p2p bridge

Sat Sep 25, 2021 6:05 pm

So if I get you correctly, you've got a public subnet on the uplink from the ISP, and you want to extend that public subnet all the way to the community centre via the P2P link, whilst there is one more hAP ac2 between the one connected to the uplink and the SXTsq at your end?

If so, VLANs are one possible answer indeed. There's the great VLAN tutorial by @pcunite; there's also the clarification of the sometimes confusing vernacular regarding the bridge. Roughly, you'd make the physical WAN port on the hAP ac2 a member of the common bridge with pvid=10 (you can choose any number between 2 and 4094 inclusive), attach an /interface vlan with vlan-id=10 to the bridge and move the WAN IP configuration from the physical WAN port to the /interface vlan. This also involves adding that /interface vlan item as a member of /interface list WAN so that the firewall rules work as before. On all the ports on the path from your internet-facing hAP ac2 to the community centre's hAP ac3, VLAN 10 would be permitted as a tagged one. And the hAP ac3 would use another /interface vlan with vlan-id=10 as its WAN.

This solution is a clean and "traditional" one; however, bandwidth control on L2 is far from traditional in RouterOS, so it can easily cause a headache. Therefore you may prefer to use a "forth-and-back" NAT, using firewall rules that dst-nat whatever arrives at the CC's public address to some auxiliary private address, route that address towards the hAP ac3 and dst-nat it back to the public IP there (which may not actually be necessary; it depends on what they need the public IP for). You also have to use appropriate src-nat rules for connections initiated from the CC side. Whilst this method is "dirty", it allows you to implement bandwidth control at L3, which is somewhat easier, and it also permits not using VLANs at all, although separating your LAN subnet from the interconnection subnet between the internet-facing hAP ac2 and the hAP ac3 by means of VLANs is definitely recommended.
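The bridge-VLAN mechanics from the post above, written out as an added RouterOS CLI example; this is my illustration, not configuration from the thread or from sindy. It assumes the default-config bridge named `bridge`, `ether1` as the ISP uplink, `ether2` as the trunk toward the AP/switch hAP ac2, and an ISP that assigns the WAN address by DHCP. VLAN 10 and all interface names are placeholders.

```routeros
# --- Internet-facing hAP ac2: ISP uplink moved onto VLAN 10 ---------------
# Run from a console session in Safe Mode (Ctrl-X): a mistake that cuts your
# own access is rolled back automatically when the session drops.

# 1. The ISP port becomes a bridge member; its untagged frames get VLAN 10.
#    Accept only untagged frames from the ISP side and drop anything whose
#    VLAN is not in the table.
/interface bridge port
add bridge=bridge interface=ether1 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 2. VLAN table: VLAN 10 leaves ether1 untagged (toward the ISP), and is
#    tagged on the trunk (ether2) and on the bridge itself (so the CPU and
#    the /interface vlan below can see it).
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether2 untagged=ether1

# 3. Logical WAN interface on top of the bridge.
/interface vlan
add name=vlan10-wan interface=bridge vlan-id=10

# 4. Move the IP configuration from the physical port to the VLAN interface.
/ip dhcp-client
set [find interface=ether1] interface=vlan10-wan

# 5. Keep the default firewall and masquerade working: they match on the
#    WAN interface list, not on a port name.
/interface list member
remove [find interface=ether1 list=WAN]
add interface=vlan10-wan list=WAN

# 6. Only now enable filtering; until then the VLAN table is ignored.
/interface bridge
set bridge vlan-filtering=yes

# --- AP/switch hAP ac2 and both SXTsq: transparent trunk ------------------
# VLAN 10 tagged on both bridge ports (on the SXTs the second port is wlan1).
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=ether1,ether2
```

Two things to check before trusting it: once `vlan-filtering` is on, any port whose VLAN is missing from the table stops passing traffic, including the port you are managing through, so enable it last and only from Safe Mode. Some ISPs lock the lease to the MAC of the original WAN port; the VLAN interface inherits the bridge's MAC, so if the lease stops renewing, set `admin-mac` on the bridge to ether1's MAC (with `auto-mac=no`). The hAP ac3 at the far end repeats steps 3 to 5 with `vlan-id=10` on whichever port the trunk arrives on.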
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Public AP behind p2p bridge

Sat Sep 25, 2021 8:21 pm

It all sounds rather complex to me.
I would run the local hAP ac3 at the community centre as a router and let it do all the CPU work for local clients.
Trunk port from the home hAP ac2 router to the hAP ac2 AP/switch.
Trunk port WLAN between the SXT units (carrying the VLAN for the community centre, which will be its WAN IP, and the management VLAN).

VLANs all the way.
Management VLAN carried to the AP/switch hAP ac2 and by the SXTs to manage the SXTs, and carried to the community centre hAP ac3 to allow configuration.........
(The AP/switch hAP ac2 and the two SXTs' IP addresses are on the management VLAN.)
Management VLAN with access to the community hAP ac3 for remote config purposes via the input chain.

If you need to control the community centre, use its VLAN to do so from the router hAP ac2, and you may be able to do stuff on the community hAP ac3 first since it will have full routing capabilities.

OK, so they will be getting a PRIVATE IP, not a public IP.............DOH

Passing them a PUBLIC IP means getting the public IP through successive devices to the IP client of the hAP ac3.
In this case also use a VLAN to do so..........
Not sure if you can do this from one WAN port or you need to use two WAN ports on the hAP ac2 router??
 
daveharnett
just joined
Topic Author
Posts: 2
Joined: Tue Sep 21, 2021 2:06 am

Re: Public AP behind p2p bridge

Sat Sep 25, 2021 11:57 pm

Passing them a PUBLIC IP means getting the public IP through successive devices to the IP client of the hAP ac3.
In this case also use a VLAN to do so..........
Not sure if you can do this from one WAN port or you need to use two WAN ports on the hAP ac2 router??
I've confused everyone - my bad. The community centre is not a 'Public' subnet in the sense that it's got public IP addresses or publicly available services. It's public in the sense that it'll allow guest access to untrusted devices. Devices which I obviously don't want to be able to connect to the internal services in my house :)

Thanks for all the pointers so far, this is really helpful
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Public AP behind p2p bridge

Sun Sep 26, 2021 12:10 am

The community centre is not a 'Public' subnet in the sense that it's got public IP addresses or publicly available services. It's public in the sense that it'll allow guest access to untrusted devices. Devices which I obviously don't want to be able to connect to the internal services in my house :)
I started suspecting that shortly after posting, but decided to leave it like that. OK, so a VLAN all the way from the internet-facing hAP ac2 to the handover point, hosting an interconnection subnet, and firewall rules on the hAP ac2 preventing traffic from that subnet from reaching any private address and/or from being forwarded to your LAN will do. Depending on who's managing the SXTsq link (you or the CC admin if it's not you as well), choose the handover point either on the "inner" hAP ac2 or on the "outer" SXTsq. And bandwidth control will be easy as it will be done while routing, not bridging.
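The design sindy lands on here (guest traffic on its own VLAN from the internet-facing hAP ac2 to the handover point, routed rather than bridged on the hAP ac2, firewalled away from private addresses and rate-limited while routing), as an added RouterOS CLI example that is not from the thread. It assumes the home LAN stays untagged (PVID 1) on the `ether2` trunk toward the AP/switch hAP ac2, the bridge is named `bridge` and has `vlan-filtering` enabled, the outer SXTsq is the handover point, and the community centre's hAP ac3 keeps its default config, with ether1 as WAN and its own NAT for the guests. VLAN 20, the interconnect subnet 10.99.0.0/30, the 20M/50M limit and the interface names are placeholders.

```routeros
# --- Internet-facing hAP ac2 --------------------------------------------
# Carry VLAN 20 tagged on the trunk (ether2) and up to the CPU (bridge).
/interface bridge vlan
add bridge=bridge vlan-ids=20 tagged=bridge,ether2

# Routed interface for the interconnect subnet. Deliberately NOT added to the
# LAN interface list: the default input chain ("drop all not coming from LAN")
# then keeps the community centre away from this router's own services.
/interface vlan
add name=vlan20-cc interface=bridge vlan-id=20
/ip address
add address=10.99.0.1/30 interface=vlan20-cc

# Hand the hAP ac3 its WAN address so it can keep its default DHCP-client WAN.
/ip pool
add name=cc-pool ranges=10.99.0.2
/ip dhcp-server
add name=cc-dhcp interface=vlan20-cc address-pool=cc-pool disabled=no
/ip dhcp-server network
add address=10.99.0.0/30 gateway=10.99.0.1 dns-server=10.99.0.1

/ip firewall address-list
add list=private-nets address=10.0.0.0/8
add list=private-nets address=172.16.0.0/12
add list=private-nets address=192.168.0.0/16

# place-before=0 puts each rule at the top of the filter list, ahead of the
# default fasttrack/accept rules; the last one added ends up first.
/ip firewall filter
# Internet only: nothing from the interconnect toward any private range
# (home LAN, management VLAN, the interconnect itself).
add chain=forward action=drop in-interface=vlan20-cc dst-address-list=private-nets \
    comment="CC: internet only" place-before=0
# Fasttracked connections bypass simple queues, so accept established CC
# traffic before the default fasttrack rule can grab it.
add chain=forward action=accept connection-state=established,related \
    in-interface=vlan20-cc comment="CC: keep out of fasttrack" place-before=0
add chain=forward action=accept connection-state=established,related \
    out-interface=vlan20-cc comment="CC: keep out of fasttrack" place-before=0
# The one service the interconnect may use on this router: DNS.
add chain=input action=accept in-interface=vlan20-cc protocol=udp dst-port=53 \
    comment="CC: DNS" place-before=0

# The default "defconf: masquerade" rule already NATs everything that leaves
# via the WAN interface list, so no extra NAT rule is needed.

# Bandwidth control at L3: one queue for the whole interconnect (upload/download).
/queue simple
add name=community-centre target=vlan20-cc max-limit=20M/50M

# --- Outer SXTsq at the community centre (handover point) ----------------
# VLAN 20 arrives tagged over the wireless link and is delivered untagged to
# the hAP ac3, whose default WAN port is ether1. Move the SXT's own
# management onto a separate tagged VLAN first (as anav suggests above), or
# this pvid change cuts your access via ether1.
/interface bridge port
set [find interface=ether1] pvid=20
/interface bridge vlan
add bridge=bridge vlan-ids=20 tagged=wlan1 untagged=ether1
```

Verify the isolation from a guest device rather than trusting the rule list: a ping to the home LAN gateway and to 10.99.0.1 on any port other than UDP 53 should fail, while internet access works. The drop rule is intentionally unconditional on connection state, so a private destination is refused on the first packet and never becomes an established flow that the accept rules above it would pass. If the queue counters stay at zero, the CC traffic is still being fasttracked: check that the two "keep out of fasttrack" rules sit above the default `fasttrack connection` rule.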
