In this scenario you wouldn't need any additional configuration because the single router has a route to each destination already.This remind me of another scenario i'll have to manage :
What if routerboard A and B would be the same machine ??
Pratically I have eth1=192.168.1.1 and eth2=192.168.100.1 on a single routerboard each of this is IPSEC tunneled to two remote sites :
local networks 192.168.1.0 and 192.168.100.0 are wired to the same switch and the windows/linux machines I cannot modify, have both subnets configured on same nic.
as 192.168.1.1 is the default gateway , how can I add a route without adding the static one on the machines , like asked previously ?
Yes it would be simpler, but they asked me to keep as separated as possible (also physically) the two networks for future splitting of customer PCs (despite that for now they are connected together at L2) probably two different switches ....no no no - you're making this entirely more complicated than it needs to be.
If the two networks are running on the same switch, then whichever port on the Mikrotik is the lan port, just put two IP addresses on it.
Putting the second IP address on a second interface and plugging the second interface into the same switch will not break anything - so long as the ethernet switch ports aren't bridged / switched at layer 2.Yes it would be simpler, but they asked me to keep as separated as possible (also physically) the two networks for future splitting of customer PCs (despite that for now they are connected together at L2) probably two different switches ....
If there is no alternative solution I'll go temporarily for a single routerboard nic with two addresses....
Just checked with both addresses on the same routerboard ethernet as well as two addresses on each different routerboard ethernet:
No routing needs to be played with for this.
IP will naturally find the right way to go between the networks.
You may need to modify or duplicate some rules in the firewall for this - but you'll never need to open the ip > routes menu.
/ip address add address=220.127.116.11/24 interface=ether1 /ip address add address=18.104.22.168/24 interface=ether2 /ip route print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 ADC 22.214.171.124/24 126.96.36.199 ether1 0 1 ADC 188.8.131.52/24 184.108.40.206 ether2 0
Yes to all points. It sounds like you understand what's going on.Thanks,
I was reading for different type of tunnels just now....
So , with just the simple IPSEC, is a new policy needed for every new subnet I need to manage ??
Then you suggest the use of GRE over IPSEC support, so a tunnel interface is added and I can manage all my routes upon , isn't it ?
GRE is just the tunnel. You either do like you did with static routes from there, or use a routing protocol like RIP or OSPF.Yeah....up and running easily with gre over ipsec....
But I suppose I need a manual static route for any subnet to manage through the other end of the tunnel (at least I had to do so...)
Haha. I use it internally because my network isn't big enough nor has enough routers for me to justify OSPF. It was dead simple to implement and with some carefully planned route prefixes, works perfect for my needs (which was just a means of redistributing static routes).And if you use RIP, then go sit in the corner until you're sorry for what you've done!
j/k RIP does have its place - a very unique, limited, specialized place....
Yep. RIP is just fine on networks that are fairly small and fairly stable.Haha. I use it internally because my network isn't big enough nor has enough routers for me to justify OSPF. It was dead simple to implement and with some carefully planned route prefixes, works perfect for my needs (which was just a means of redistributing static routes).
DSL Router needs to participate in RIP also.I have to manually add a static route 10.0.0.0/30 via 192.168.2.1 into DSL router to allow PC1 to ping 220.127.116.11 network
Is there a way to avoid this ?? (real DSLrouter is managed by ISP provider who don't want to modify config.)