dalami
Member Candidate
Topic Author
Posts: 134
Joined: Mon Dec 12, 2011 9:18 am

Routing without bridge

Thu Oct 21, 2021 2:46 am

Have to think my way through this - not easy while sitting down. Too much pressure on the brain.

If it matters I'm using a Hex S / RB760iGS as my gateway router. Port 1 is from my ISP. Port 2 goes to my VoIP server. And SFP1 goes to other networking devices starting with a CRS.

Port 1 is presently by itself - all other ports are in a bridge. As is typical, right?

This Hex S provides DHCP service for my LAN. However...that VoIP server on port 2 is a little badly behaved - it's offering DHCP as well (for a different subnet). I want to block that. At the moment I can't turn that off. So...how to accomplish that? If I write rules that target the interface - there will be an issue because the interface is in a bridge. If I block DHCP on the bridge - I'll lose DHCP service altogether.

So I'm thinking I should remove the port from the bridge. Reasonable - as this port shouldn't need to talk with the rest of my LAN. But - how then do I allow it to communicate with the Internet? As my existing NAT rules reference IPs, not interfaces, (except for my last src-nat rule for default Internet using eth1) - do I just remove the port from the bridge and everything will magically work?

I should mention the VoIP server has a manually assigned IP address so...I think...it's not dependent on a DHCP broadcast from my router. Although if it did...I guess I could create a dedicated DHCP server on the router just for that port?
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Routing without bridge

Thu Oct 21, 2021 3:07 am

Good Evening,
I will keep it simple, to avoid increasing your brain pressure =)

Solution A: Disable VOIP DHCP-Server
It's the easiest Solution, if you have access to your VOIP-Server.
Any other solution is a compromise....

Solution B: Disable ROUTER DHCP-Server
If the VOIP DHCP-Server is working properly...
You could simply deactivate the DHCP-Server on the Mikrotik..
At least until you get access to your VOIP-Server to deactivate the DHCP.

Solution C: Activate IP-Filtering on Bridge
It is possible to use the Firewall on a bridge...
But Performance/ throughput may suffer

Solution D: VLAN for VOIP-Server
You could "isolate" the VOIP-Server in a VLAN on the bridge.
Communication between the Networks via Routing.

Solution E: Two Networks
Just like you suggested, you could remove "ether2" from your bridge.
And create a separate Network just for the VOIP-Server


** Depending on the Network-Configuration of your VOIP-Server
You will have to be very careful how you configure your MikroTik!
For example: the IP of your MikroTik will have to be the same as the "Gateway-IP" of your VOIP-Server
 
dalami
Member Candidate
Topic Author
Posts: 134
Joined: Mon Dec 12, 2011 9:18 am

Re: Routing without bridge

Thu Oct 21, 2021 3:23 am

Thank you for being gentle.

So, for solution "E" - two networks - do I have to do anything besides just removing the port from the bridge?

My LAN is on subnet 192.168.0.0/24. The router is 192.168.0.1, and the misbehaving VoIP is set up on 192.168.0.250. All I needed to do for internet access is the relevant NAT entries to allow the bridge to reach the external interface (and vice-versa). Since those are IP-based...does that mean just removing the port from the bridge is all I need?

Still trying to learn some concepts. I'm thinking that by removing the port from the bridge that will prevent any broadcasts from port 2 being seen on the bridge - but unless I explicitly set filters individual hosts can still reach the VoIP server? So any 192.168.0.0/24 host can reach 192.168.0.250...um...maybe I need to add an explicit route for 192.168.0.250 on the now independent port 2?
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Routing without bridge

Thu Oct 21, 2021 3:45 am

Do you have any additional information on the VOIP-Server?
Any IP-Addresses, Gateway, etc.?
 
dalami
Member Candidate
Topic Author
Posts: 134
Joined: Mon Dec 12, 2011 9:18 am

Re: Routing without bridge

Thu Oct 21, 2021 3:56 am

Thinking...experimenting...

To answer your question - the VoIP server is manually configured to be 192.168.0.250, gateway 192.168.0.1.

I've tried deactivating the port from the bridge - playing with various rules things don't quite work. Then I realized...having removed the port from the bridge - while the bridged ports have address 192.168.0.1 the now isolated port has no address. So...I tried assigning 192.168.0.10/24 to the port...and things break. I'm connecting to the router remotely, via SafeMode, and as soon as I set the address I lose connection.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Routing without bridge

Thu Oct 21, 2021 4:07 am

Having multiple Networks on a router with the same Network-Range isn't unheard of.....
But I wouldn't recommend it...

So if your bridge has an IP of 192.168.0.1/24,
You shouldn't use 192.168.0.10/24 on another interface.
Or anything else 192.168.0.XXX/24
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Routing without bridge  [SOLVED]

Thu Oct 21, 2021 4:13 am

So you are not able to deactivate the DHCP-Server on your VOIP-Server,
But are you able and comfortable to,

A: Change the IP-Address and Gateway of the VOIP-Server?
or
B: Change the IP-Range of your Mikrotik-Bridge?
 
dalami
Member Candidate
Topic Author
Posts: 134
Joined: Mon Dec 12, 2011 9:18 am

Re: Routing without bridge

Thu Oct 21, 2021 9:06 am

I'm close. I don't know how - but I'm close. I found a page for routing with the same subnet - I tried to adapt from that. Here's the relevant lines - I think (with ether2 now removed from bridge).

/ip address
add address=192.168.0.1/24 comment="Primary LAN" interface=bridge network=192.168.0.0
add address=192.168.0.10 comment="Gateway for JustINA" interface=ether2-JustINA network=192.168.0.10

Right or wrong - note the 192.168.0.10 is a single address - not a /24. I fiddled with this until the dynamic route gave me something I wanted.

Dynamically, I have:

ADC  192.168.0.0/24     192.168.0.1     bridge                    0
ADC  192.168.0.10/32    192.168.0.10    ether2-JustINA            0

And then I explicitly give:

/ip route add distance=1 dst-address=192.168.0.250/32 gateway=ether2-JustINA pref-src=192.168.0.10

Then I added some mangle rules:

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.0.1 in-interface=bridge
add action=accept chain=prerouting dst-address=192.168.0.10 in-interface=ether2-JustINA

And some src-nat:

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether2-JustINA to-addresses=192.168.0.10
add action=src-nat chain=srcnat dst-address=192.168.0.0/24 out-interface=bridge to-addresses=192.168.0.1

And then...I went into the VoIP server and changed its gateway to 192.168.0.10. So now what works:

The VoIP server, running on 192.168.0.250, can ping 192.168.0.10. It can also reach the internet through the router.
From my LAN I can ping 192.168.0.10.
From the router I can ping 192.168.0.250.

What doesn't work: can't ping 192.168.0.1 (bridged router LAN interface) from the VoIP server, and can't ping 192.168.0.250 (VoIP server) from the LAN.

So...there's still one minor magical item needed to make this "right". If there is another way to accomplish this via routing rules instead of any of the steps above I'd love to learn them. And I agree this is not how I *should* have things configured - but I'm working with what I have. I'm also getting to learn some new tricks.
 
dalami
Member Candidate
Topic Author
Posts: 134
Joined: Mon Dec 12, 2011 9:18 am

Re: Routing without bridge

Thu Oct 21, 2021 9:21 am

Actually - I should correct one assumption I made above. I have OSPF running as well - and the LAN server I tested from also has OSPF. So the 192.168.0.10 route got pushed to that server - which allowed it to ping. My other workstations that only have 192.168.0.1 as their gateway are unable to ping 192.168.0.10.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing without bridge

Thu Oct 21, 2021 11:50 am

You've opened a can of worms ...

Devices on your "normal" 192.168.0.0/24 subnet will always try to communicate with addresses from the same subnet (these include 192.168.0.10 and 192.168.0.250) directly. Since they don't get a response with dst-MAC-address (because those two IP addresses are behind the router) they fail to communicate.

What you could try is to enable proxy-arp on both bridge and ether2-JustINA ... I'm not exactly sure which interface needs it, probably ether2-JustINA because MT should answer with its own MAC address when LAN client asks for MAC address of device with one of "hidden" IP addresses.
 
dalami
Member Candidate
Topic Author
Posts: 134
Joined: Mon Dec 12, 2011 9:18 am

Re: Routing without bridge

Thu Oct 21, 2021 9:55 pm

Getting closer...and what's nice is I *almost* exactly sort of kind of not really but maybe in a small way understand not only the how but the why.

Enabling proxy-arp on the bridge allows my LAN clients to reach 192.168.0.10. Enabling proxy-arp on the interface allows the VoIP server to reach 192.168.0.1 (and the rest of the LAN).

The one path I haven't been able to clear is from the LAN to the VoIP server on 192.168.0.250 through 192.168.0.10. I'm thinking...even though I have the explicit static route for 192.168.0.250 via 192.168.0.10 defined in the router I still need some additional router magic. I did try changing the scope of the 192.168.0.250 route to "5" from the default of "30" - no difference.

Do I need to implement either something in mangle or routing rules to ensure the 192.168.0.250 route is used in preference to the default 192.168.0.0/24 route?
 
dalami
Member Candidate
Topic Author
Posts: 134
Joined: Mon Dec 12, 2011 9:18 am

Re: Routing without bridge

Sun Oct 24, 2021 5:53 am

I still want to learn how to solve my original setup - but as I did gain access I decided to go the easy way and use a different IP range for the VoIP server to router connection. Things seem to be working now - thanks for the help.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing without bridge

Sun Oct 24, 2021 7:31 pm

The solution most tightly solving your original problem would be solution C described by @ConnyMercier ... If done correctly it would cause performance hit for VoIP gateway traffic (but not the rest .. not directly at least). It would also depend on VoIP gateway being connected to ether2 (but so does the solution of separate LAN).
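
Added example, not part of the thread: one way to keep the VoIP server's DHCP replies off the LAN while its port stays in the bridge. It uses RouterOS bridge filter rules, a different mechanism from the "IP-Filtering on Bridge" setting named in Solution C. It assumes the bridge is named "bridge", that ether2-JustINA has been put back into it as a bridge port, and the log prefix is made up.

```routeros
# Added example (not from the thread). Assumed names: bridge "bridge",
# bridge port "ether2-JustINA"; the log prefix is an arbitrary label.

# Bridge filter rules only see frames that the CPU bridges. Disable
# switch-chip hardware offload on the VoIP port only, so the other
# bridge ports keep offloaded switching.
/interface bridge port
set [find interface=ether2-JustINA] hw=no

/interface bridge filter
# DHCP server replies (OFFER/ACK/NAK) travel from UDP port 67 to port 68.
# forward chain: replies entering on the VoIP port and bridged to LAN ports.
add chain=forward in-interface=ether2-JustINA mac-protocol=ip \
    ip-protocol=udp src-port=67 dst-port=68 action=drop \
    log=yes log-prefix="rogue-dhcp" \
    comment="drop DHCP server replies from VoIP port"
# input chain: the same replies when they are addressed to the router itself.
add chain=input in-interface=ether2-JustINA mac-protocol=ip \
    ip-protocol=udp src-port=67 dst-port=68 action=drop \
    log=yes log-prefix="rogue-dhcp" \
    comment="drop DHCP server replies from VoIP port"
# Client broadcasts (UDP 68 -> 67) are not sent out of the VoIP port, so the
# VoIP server never sees a DISCOVER from the LAN to answer in the first place.
add chain=forward out-interface=ether2-JustINA mac-protocol=ip \
    ip-protocol=udp src-port=68 dst-port=67 action=drop \
    comment="keep LAN DHCP requests away from VoIP port"
```

The router's own DHCP server on the bridge is unaffected, because none of the rules match frames arriving from the other LAN ports. Log entries carrying the prefix show each reply the VoIP server attempted to send.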
