dadaniel
Member Candidate
Topic Author
Posts: 227
Joined: Fri May 14, 2010 11:51 pm

extremely ugly network bridging

Wed Mar 14, 2018 1:08 am

Please help me with the following situation:

I have two buildings:
A has one internet gateway and one IP camera(AC:CC:8E).
B has one internet gateway and a NAS(00:11:32).
It is possible to connect both buildings using ethernet wire.

Both internet gateways have the same non-changeable IP address, they also don't support static routes. I cannot replace them.

The IP camera of building A should be able to access the NAS of building B while maintaining internet connectivity through the internet gateway of building A. It should not use gateway from building B! It is not possible to assign more than one IP address to the camera!

I tried the following approach, but although I only allow the MAC addresses of the NAS and the camera, it is failing because they are sending wrong ARP broadcast replies for other devices when asked from the other network:
# both buildings' LANs on one bridge, hardware offload off so the filter chain sees the frames
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 hw=no interface=ether2
# allow broadcast (ARP requests) and unicast only between the camera (AC:CC:8E) and the NAS (00:11:32), drop everything else
/interface bridge filter
add action=accept chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF src-mac-address=AC:CC:8E:??:??:??/FF:FF:FF:FF:FF:FF
add action=accept chain=forward dst-mac-address=00:11:32:??:??:??/FF:FF:FF:FF:FF:FF src-mac-address=AC:CC:8E:??:??:??/FF:FF:FF:FF:FF:FF
add action=accept chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF src-mac-address=00:11:32:??:??:??/FF:FF:FF:FF:FF:FF
add action=accept chain=forward dst-mac-address=AC:CC:8E:??:??:??/FF:FF:FF:FF:FF:FF src-mac-address=00:11:32:??:??:??/FF:FF:FF:FF:FF:FF
add action=drop chain=forward
Please tell me if there is another solution for this. I know this is very ugly, but I cannot change the requirement at the moment.
 
nichky
Forum Guru
Posts: 1418
Joined: Tue Jun 23, 2015 2:35 pm

Re: extremely ugly network bridging

Wed Mar 14, 2018 1:44 am

If you have got an ISP on both sides, why didn't you try a VPN instead of an Ethernet wire?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: extremely ugly network bridging

Wed Mar 14, 2018 2:20 am

VPN can work, but might be slow due to VPN technology and will also eat into your internet bandwidth.

If the distance between the Ethernet cable end points is not more than 100 meters you should be OK, else you will have to either add switches along the way or go fiber.

Then all you do is route from building A to building B's subnet and vice versa, and use a default route to the Internet gateway for other traffic on both sides.
 
dadaniel
Member Candidate
Topic Author
Posts: 227
Joined: Fri May 14, 2010 11:51 pm

Re: extremely ugly network bridging

Wed Mar 14, 2018 7:38 am

VPN can work, but might be slow due to VPN technology and will also eat into your internet bandwidth.

Then all you do is route from building A to building B's subnet and vice versa, and use a default route to the Internet gateway for other traffic on both sides.
Yes, VPN is not an option because the internet bandwidth cannot handle the camera stream.

I wrote that the gateway does not support static routes, so how can I route here?
 
Sans
just joined
Posts: 15
Joined: Sun Mar 11, 2018 1:47 am

Re: extremely ugly network bridging

Wed Mar 14, 2018 1:21 pm

Just thinking out loud here: is https://wiki.mikrotik.com/wiki/Manual:M ... ed_example an option?

Is the stream to internet resulting from a request coming in through gateway A? Can src-address be used for routing?
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: extremely ugly network bridging

Wed Mar 14, 2018 3:01 pm

Or just put two routers there that will handle the routing between those two, their networks and their WANs.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: extremely ugly network bridging

Thu Mar 15, 2018 3:49 am

If you can live with only direct connections from one address to another (no broadcasts), then proxy ARP is your friend. Let's say that you have:

192.168.1.10 - NAS
192.168.1.20 - camera
192.168.1.100 - router used to connect NAS and camera
LAN1 - primary LAN where router is connected to, all devices in this LAN can access router
LAN2 - secondary LAN, only selected devices can access router (in this case only camera)

Then this is the config (just this, nothing else):
/ip address
add address=192.168.1.100/24 interface=LAN1 network=192.168.1.0 comment="standard config"
add address=192.168.1.100 interface=LAN2 network=192.168.1.20 comment="point to point to camera"
/ip arp
add address=192.168.1.20 interface=LAN1 published=yes comment="make camera visible on LAN1(*)"
add address=192.168.1.10 interface=LAN2 published=yes comment="make NAS visible on LAN2(*)"
(*) Even though every device on LAN1 can see the camera (ARP will resolve), only the NAS will be able to communicate with it, because the camera won't see anything else from LAN1 except the NAS and the router.
 
dadaniel
Member Candidate
Topic Author
Posts: 227
Joined: Fri May 14, 2010 11:51 pm

Re: extremely ugly network bridging

Thu Mar 15, 2018 4:06 pm

@Sob:

Do I need static routes on the NAS or camera in this case? Do I have to enable (local) proxy-arp in the interface settings?

I cannot make this router the default gateway for any device on both LANs!
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: extremely ugly network bridging

Thu Mar 15, 2018 5:45 pm

No static routes and no additional proxy ARP settings.

Both devices are still in the same IP subnet, so they don't need a gateway to communicate with each other. They will ask for the other one using ARP, and the only difference is that instead of the real target device, the router will answer with its own MAC address. That's what proxy ARP does.

And don't touch the ARP settings on the interfaces. If you enable proxy ARP there, it won't work correctly, because the router will answer even for other addresses. Using published addresses in "/ip arp" is selective; it only works for the addresses you put there.
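An added example, not from the thread or from RouterOS itself: a small Python model of Sob's configuration (the /24 on LAN1, the point-to-point /32 to the camera on LAN2, and the two published "/ip arp" entries) that plays through the ARP exchange from both sides. The MAC addresses, the router's MAC and the extra LAN1 host "pc" are constructed. It shows the footnote above in action: every LAN1 host resolves the camera's address to the router, but only the NAS gets an answer back from the camera, and it also shows why interface-wide arp=proxy-arp on LAN2 (the setting Sob warns against) would let any LAN1 host through.

```python
"""Model of selective proxy ARP via published "/ip arp" entries (added example).

Hosts, MAC addresses and the second LAN1 host "pc" are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ROUTER_IP = "192.168.1.100"
ROUTER_MAC = "02:00:00:00:01:00"  # constructed


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    mac: str
    lan: str


@dataclass
class Router:
    connected: dict         # interface -> connected network (from "/ip address")
    published: set          # (interface, ip) pairs from "/ip arp ... published=yes"
    iface_proxy_arp: dict   # interface -> True if "arp=proxy-arp" is set on the interface

    def route_out(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match over the connected routes; the /32 to the camera wins over the /24."""
        addr = ip_address(dst_ip)
        best = None
        for iface, net in self.connected.items():
            if addr in net and (best is None or net.prefixlen > self.connected[best].prefixlen):
                best = iface
        return best


HOSTS = [
    Host("nas", "192.168.1.10", "00:11:32:aa:bb:cc", "LAN1"),
    Host("pc", "192.168.1.50", "00:11:32:aa:bb:cd", "LAN1"),   # some other LAN1 device (constructed)
    Host("camera", "192.168.1.20", "ac:cc:8e:11:22:33", "LAN2"),
]


def sob_router(lan2_proxy_arp: bool = False) -> Router:
    """Sob's config; lan2_proxy_arp=True models the discouraged interface-wide setting."""
    return Router(
        connected={"LAN1": ip_network("192.168.1.0/24"),     # address=192.168.1.100/24 on LAN1
                   "LAN2": ip_network("192.168.1.20/32")},    # address=192.168.1.100 network=192.168.1.20 on LAN2
        published={("LAN1", "192.168.1.20"), ("LAN2", "192.168.1.10")},
        iface_proxy_arp={"LAN1": False, "LAN2": lan2_proxy_arp},
    )


def arp_resolve(router: Router, asker: Host, target_ip: str) -> Optional[str]:
    """Which MAC (if any) answers asker's ARP request for target_ip on asker's LAN."""
    for h in HOSTS:                                  # a real host on the same segment answers itself
        if h.lan == asker.lan and h.ip == target_ip:
            return h.mac
    if target_ip == ROUTER_IP:                       # the router is present on both LANs
        return ROUTER_MAC
    if (asker.lan, target_ip) in router.published:   # selective: only the listed addresses
        return ROUTER_MAC
    if router.iface_proxy_arp[asker.lan]:            # interface-wide: anything routable out another interface
        out = router.route_out(target_ip)
        if out is not None and out != asker.lan:
            return ROUTER_MAC
    return None


def one_way(router: Router, src: Host, dst: Host) -> bool:
    """Can a frame from src reach dst, either directly or forwarded by the router?"""
    mac = arp_resolve(router, src, dst.ip)
    if mac is None:
        return False                                 # ARP never resolves, nothing leaves src
    if mac == dst.mac:
        return True                                  # same segment, delivered directly
    return router.route_out(dst.ip) == dst.lan       # router forwards out the interface dst sits on


def can_talk(router: Router, a: str, b: str) -> bool:
    """A TCP session needs both directions to resolve."""
    by_name = {h.name: h for h in HOSTS}
    return one_way(router, by_name[a], by_name[b]) and one_way(router, by_name[b], by_name[a])


if __name__ == "__main__":
    r = sob_router()
    for a, b in [("nas", "camera"), ("pc", "camera")]:
        print(f"{a} <-> {b}: {can_talk(r, a, b)}")
    print("pc <-> camera with arp=proxy-arp on LAN2:", can_talk(sob_router(True), "pc", "camera"))
```

The asymmetry is the whole trick: "pc" on LAN1 does get the router's MAC for 192.168.1.20 and its packet is forwarded to the camera, but the camera's ARP request for 192.168.1.50 on LAN2 goes unanswered, so the reply never leaves. Flip the LAN2 interface to proxy-arp and the router answers that request too, which is exactly the leak the published-entry approach avoids.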
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: extremely ugly network bridging

Thu Mar 15, 2018 5:48 pm

One more thing about the entries in "/ip arp", if it's not clear: the example config assumes that the NAS is in LAN1 and the camera in LAN2.
 
dadaniel
Member Candidate
Topic Author
Posts: 227
Joined: Fri May 14, 2010 11:51 pm

Re: extremely ugly network bridging

Thu Mar 15, 2018 5:55 pm

That seems to be a very easy and clean solution. I'll try it this weekend and report back, thank you very much!!
 
dadaniel
Member Candidate
Topic Author
Posts: 227
Joined: Fri May 14, 2010 11:51 pm

Re: extremely ugly network bridging

Fri Mar 16, 2018 11:42 pm

Thank you very much, it works perfectly!
Is it possible to allow NAS access for more than one camera? Do I just have to add an additional IP address and ARP entry for another camera IP (keeping the router IP unchanged, so having multiple entries for it with only the network IP changed)?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: extremely ugly network bridging

Sat Mar 17, 2018 2:49 am

Exactly, add as many as you need.
 
nichky
Forum Guru
Posts: 1418
Joined: Tue Jun 23, 2015 2:35 pm

Re: extremely ugly network bridging

Sat Mar 17, 2018 7:46 am

@dadaniel can I have your topology?
 
dadaniel
Member Candidate
Topic Author
Posts: 227
Joined: Fri May 14, 2010 11:51 pm

Re: extremely ugly network bridging

Sat Mar 17, 2018 11:30 am

@dadaniel can I have your topology?
I don't have a suitable network diagram ready, but you can ask me any question about the topology that you don't find in the first post.

Both LANs use 10.0.0.x/24, both Internet gateways have the same address 10.0.0.138 and a DHCP server active. The solution from Sob works great, as it doesn't bridge the two networks or forward broadcasts. Instead only selected devices from both networks can reach each other, all without the need for static routes or such things. Simply clever :)