 
BLNetTech
Topic Author

One Router 2 Subnets

Wed Apr 06, 2022 10:24 pm

Hello,

I'm sure it's been posted many times in the forums, and I've been reading to try and find it, but I just can't and I'm running out of time, so I regretfully ask something that's probably been answered before.
I have two subnets on one router, separated due to location, not due to permissions or security. (I know, why not just use a larger subnet and have all of them, shame on me)
I am unable to connect to shared Windows drives from the other subnet; I've currently only got access to one side of the subnet, and I am also unable to ping by hostname.
I just want to verify if I made a mistake in my router configuration. I would appreciate any assistance, or recommendations.
Trying to learn this, but for this current one I'm on a timeline.
/interface bridge
add admin-mac=4C:5E:0C:C0:90:37 arp=proxy-arp auto-mac=no fast-forward=no mtu=1500 name=bridge-lan
add name=bridge-tlan
add name=bridge-wan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=TLAN
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch port
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 10 vlan-mode=fallback
set 12 vlan-mode=fallback
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=43 name=Unifi value=0x010440BA0A16
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=hgh-conv
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=hgh-conv pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.55.50-192.168.55.254
add name=highnorth ranges=192.168.88.10-192.168.88.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=1d name=dhcp-lan
add address-pool=highnorth disabled=no interface=bridge-tlan lease-time=1h name=dhcp-highnorth
/interface bridge port
add bridge=bridge-lan hw=no interface=ether2
add bridge=bridge-lan hw=no interface=ether4
add bridge=bridge-lan hw=no interface=ether5
add bridge=bridge-lan hw=no interface=sfp1
add bridge=bridge-wan interface=ether1-gateway
add bridge=bridge-wan hw=no interface=ether3
add bridge=bridge-tlan interface=ether9
/interface list member
add interface=bridge-tlan list=LAN
add interface=bridge-lan list=LAN
/ip address
add address=192.168.55.1/24 comment="default configuration" interface=ether2 network=192.168.55.0
add address=192.168.88.1/24 interface=bridge-tlan network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=bridge-wan
/ip dhcp-server lease
add address=192.168.55.73 client-id=1:54:e1:40:61:63:c7 mac-address=54:E1:40:61:63:C7 server=dhcp-lan
add address=192.168.55.74 client-id=1:54:e1:40:61:67:47 mac-address=54:E1:40:61:67:47 server=dhcp-lan
add address=192.168.55.5 client-id=1:c0:74:ad:7d:b5:2a comment="Grandstream PBX" mac-address=C0:74:AD:7D:B5:2A server=dhcp-lan
add address=192.168.88.127 client-id=1:e0:9d:31:e0:96:e7 mac-address=E0:9D:31:E0:96:E7 server=dhcp-highnorth
add address=192.168.88.252 client-id=1:78:8a:20:7f:f0:18 mac-address=78:8A:20:7F:F0:18 server=dhcp-highnorth
/ip dhcp-server network
add address=192.168.55.0/24 comment="default configuration" dhcp-option=Unifi dns-server=192.168.55.1,192.168.88.1 gateway=192.168.55.1 netmask=24
add address=192.168.88.0/24 dhcp-option=Unifi dns-server=192.168.88.1,192.168.55.1 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment="Comment=RFC6890" list=not_in_internet
add address=192.168.0.0/16 comment="Comment=RFC6890" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established
add action=accept chain=input comment="default configuration" connection-state=related
add action=accept chain=input dst-port=500,1701,4500 in-interface=bridge-wan protocol=udp
add action=accept chain=input in-interface=bridge-wan protocol=ipsec-esp
add action=accept chain=input in-interface-list=dynamic
add action=drop chain=input comment="default configuration" in-interface=bridge-wan
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=accept chain=forward dst-address=192.168.55.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=192.168.55.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=bridge-wan
add action=dst-nat chain=dstnat dst-port=35000 in-interface=bridge-wan protocol=tcp to-addresses=192.168.55.9 to-ports=35000
add action=dst-nat chain=dstnat dst-port=35000 in-interface=bridge-wan protocol=udp to-addresses=192.168.55.9 to-ports=35000
add action=masquerade chain=srcnat out-interface=bridge-tlan
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Halifax
/system identity
set name=TobinConv
 
anav

Re: One Router 2 Subnets

Thu Apr 07, 2022 7:11 pm

Don't have time for a thorough analysis but

(1) you are missing WAN (okay, maybe you don't use it anywhere)
/interface list member
add interface=bridge-tlan list=LAN
add interface=bridge-lan list=LAN
???????????
/interface list
add name=LAN
????????

(2) What is wrong in this picture...... LOL
/ip address
add address=192.168.55.1/24 comment="default configuration" interface=ether2 network=192.168.55.0
add address=192.168.88.1/24 interface=bridge-tlan network=192.168.88.0

(3) what is the purpose of this command?
add action=masquerade chain=srcnat out-interface=bridge-tlan
 
Sob

Re: One Router 2 Subnets

Thu Apr 07, 2022 7:43 pm

Very often it's not the router, but the connected devices. They too can have their own firewalls and may not allow access from anything other than local subnets. It's probably what happens here; the firewall in the posted config doesn't block anything.
 
holvoetn

Re: One Router 2 Subnets  [SOLVED]

Thu Apr 07, 2022 9:25 pm

Very often it's not the router, but the connected devices. They too can have their own firewalls and may not allow access from anything other than local subnets. It's probably what happens here; the firewall in the posted config doesn't block anything.
Windows equipment is notoriously known for that behavior ...
Try to ping a printer on the other subnet.
 
anav

Re: One Router 2 Subnets

Thu Apr 07, 2022 10:19 pm

Very often it's not the router, but the connected devices. They too can have their own firewalls and may not allow access from anything other than local subnets. It's probably what happens here; the firewall in the posted config doesn't block anything.
Yes, I came to the same conclusion, and note that the two rules to allow traffic between subnets are not required because none of the rules in place block that traffic, which in my view is not the best approach (too wide open). Hence the suggestion of other things blocking is probably close to the heart of the issue.........

It goes to show that the OP does not understand what the firewall rules actually do...................
 
rextended

Re: One Router 2 Subnets

Thu Apr 07, 2022 10:22 pm

/ip firewall address-list
add address=0.0.0.0/8 comment="Comment=RFC6890" list=not_in_internet

SERIOUSLY???
 
rextended

Re: One Router 2 Subnets

Thu Apr 07, 2022 10:26 pm

Your settings have more holes than a Gruyère...

Apparently you also have an old RouterBOARD (I cannot read the model) coming from an old ROS version, which has more than ten holes...
I do not understand what version it is on now.
 
BLNetTech
Topic Author

Re: One Router 2 Subnets

Thu Apr 07, 2022 10:45 pm

I'm not going to lie, basically all of you have valid points.
A lot of the commands were left over as I was taking it over from someone else, and I wasn't able to take the site down long enough to just factory reset it.
It turned out it was user error: one of the people had set their static IP to the same as my network gateway (192.168.88.1/24) and screwed up the entire site, but apparently no one told me that.

I appreciate all the answers, I'll try and clean up the code a bit. :lol:
 
anav

Re: One Router 2 Subnets

Thu Apr 07, 2022 10:49 pm

Highly recommend you use Netinstall!! and put a fresh version on it.......
 
rextended

Re: One Router 2 Subnets

Thu Apr 07, 2022 11:06 pm

agree
 
Sob

Re: One Router 2 Subnets

Thu Apr 07, 2022 11:33 pm

@rextended: What do you have against 0.0.0.0/8? It's a perfectly valid non-routable subnet that someone may want to block (except the posted firewall doesn't actually do that).
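A check worth running over an export before posting it, as an added example that is not from this thread or from MikroTik: it parses a constructed, trimmed excerpt of the export above and flags the three things anav raised (no WAN interface list, an address placed on ether2 rather than on the bridge ether2 belongs to, masquerade pointed at the bridge-tlan LAN) plus the not_in_internet address list that, as Sob notes, no rule ever matches. The section names and keys are RouterOS export syntax; the parser, the heuristics and the messages are assumptions of mine, not anything RouterOS provides.

```python
import shlex
# Constructed excerpt of the export posted in this thread (trimmed, not the full config).
EXPORT = """\
/interface list
add name=LAN
/interface bridge port
add bridge=bridge-lan hw=no interface=ether2
add bridge=bridge-tlan interface=ether9
/ip dhcp-server
add address-pool=highnorth disabled=no interface=bridge-tlan name=dhcp-highnorth
/ip address
add address=192.168.55.1/24 comment="default configuration" interface=ether2 network=192.168.55.0
add address=192.168.88.1/24 interface=bridge-tlan network=192.168.88.0
/ip firewall address-list
add address=0.0.0.0/8 comment="Comment=RFC6890" list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=bridge-wan
add action=masquerade chain=srcnat out-interface=bridge-tlan
"""

def parse_export(text):
    # Map each /section of an export to a list of {key: value} dicts, one per add/set line.
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            # shlex keeps quoted values such as comment="default configuration" intact
            sections[current].append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return sections

def lint(text):
    # Flag the issues the replies raised, derived from the export text alone (heuristics, not RouterOS checks).
    cfg, findings = parse_export(text), []
    if "WAN" not in {p["name"] for p in cfg.get("/interface list", [])}:
        findings.append("no WAN interface list defined")
    ports = {p["interface"]: p["bridge"] for p in cfg.get("/interface bridge port", [])}
    for a in cfg.get("/ip address", []):  # address on a member port instead of on its bridge
        if a["interface"] in ports:
            findings.append(f"{a['address']} is on {a['interface']}, a port of {ports[a['interface']]}")
    served = {d["interface"] for d in cfg.get("/ip dhcp-server", [])}
    for r in cfg.get("/ip firewall nat", []):  # masquerade towards a LAN the router itself serves
        if r.get("action") == "masquerade" and r.get("out-interface") in served:
            findings.append(f"masquerade out-interface={r['out-interface']} is a DHCP-served LAN")
    # address-list names actually matched by some firewall rule (src-address-list / dst-address-list)
    used = {v for s in cfg if s.startswith("/ip firewall") for r in cfg[s] for k, v in r.items() if k.endswith("-address-list")}
    for l in cfg.get("/ip firewall address-list", []):  # defined but matched by no rule
        if l["list"] not in used:
            findings.append(f"address-list {l['list']} is not referenced by any firewall rule")
    return findings
```

None of these checks would have caught the actual root cause reported later in the thread (a client statically configured with the gateway's own address), which is visible only on the live router, not in its export.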
 
anav

Re: One Router 2 Subnets

Thu Apr 07, 2022 11:35 pm

Will ignore edge cases in the weeds that I will never trip over.....................
 
rextended

Re: One Router 2 Subnets

Thu Apr 07, 2022 11:36 pm

0.0.0.0 and 255.255.255.255 must never be blocked...

for example, DHCP discover/request packets have 0.0.0.0 as the IP address until the DHCP server assigns one,
just to cite one....
 
Sob

Re: One Router 2 Subnets

Fri Apr 08, 2022 12:14 am

Right, but last time I checked, the DHCP server in RouterOS used raw sockets, so it doesn't care about the IP firewall.
 
rextended

Re: One Router 2 Subnets

Fri Apr 08, 2022 12:16 am

Mmm... interesting...
I did not know that, because I never tried to block 0.0.0.0 or 255.255.255.255
