ofirule
newbie
Topic Author
Posts: 29
Joined: Tue Mar 26, 2019 6:19 pm

how to allow third party LAN access to my router without adding a route

Sun May 22, 2022 3:07 pm

In my router I generally have 3 networks: LAN, WAN and ThirdPartyLAN (will be called VLAN10 from now on).

WAN and LAN are simple: WAN is connected to the internet and LAN is my network with my devices.
VLAN10 is a network which belongs to a third-party company. I am given a static IP on this network (in my example: '192.168.55.1') and I treat communication to this network differently. I `src-nat` with action `masquerade` traffic to it, and I allow devices from this network to access specific services on my network using dst-nat (on port 6080 in my config).

See exported config (with some obfuscation):
[admin@MikroTik] > export
# may/22/2022 08:39:16 by RouterOS 7.1.5
# software id = 0XLH-2FI8
#
# model = RB922UAGS-5HPacD
# serial number = ******
/interface lte
set [ find ] allow-roaming=yes name=lte1
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-XX country="united states" disabled=no installation=outdoor mode=ap-bridge rx-chains=0,1 ssid=nt-main tx-chains=0,1
/interface vlan
add interface=ether1 name=VLAN10 vlan-id=10
add interface=ether1 name=VLAN20 vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] apn=wbdata use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=guest supplicant-identity=MikroTik
/interface wireless
add mac-address=4A:8F:5A:61:6D:11 master-interface=wlan1 name=wlan2 security-profile=guest ssid=nt-guest-ofir wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp-wlan1 ranges=10.7.0.100-10.7.0.254
add name=dhcp-ether-vlan20 ranges=10.5.0.100-10.5.0.254
add name=dhcp-wlan2 ranges=10.7.11.100-10.7.11.254
/ip dhcp-server
add address-pool=dhcp-wlan1 interface=wlan1 name=dhcp2
add address-pool=dhcp-ether-vlan20 interface=VLAN20 name=dhcp1
add address-pool=dhcp-wlan2 interface=wlan2 name=dhcp3
/port
set 0 baud-rate=auto name=usb1
/interface list member
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=VLAN20 list=LAN
add interface=lte1 list=WAN
/interface lte settings
set mode=mbim
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=10.5.0.1/24 interface=VLAN20 network=10.5.0.0
add address=10.7.0.1/24 interface=wlan1 network=10.7.0.0
add address=10.7.11.1/24 interface=wlan2 network=10.7.11.0
add address=192.168.55.1/24 interface=VLAN10 network=192.168.55.0
/ip dhcp-server network
add address=10.5.0.0/24 gateway=10.5.0.1 netmask=24
add address=10.7.0.0/24 gateway=10.7.0.1 netmask=24
add address=10.7.11.0/24 gateway=10.7.11.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# wlan2 not ready
add action=drop chain=forward comment="drop all from guest network not going to WAN" in-interface=wlan2 out-interface-list=!WAN
# wlan2 not ready
add action=drop chain=input comment="drop input from guest network" in-interface=wlan2
add action=drop chain=input in-interface=VLAN10
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=VLAN10
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=VLAN10
add action=dst-nat chain=dstnat comment="intersection manager UI" dst-port=6080 in-interface=VLAN10 protocol=tcp to-addresses=10.5.0.222 to-ports=6080
add action=dst-nat chain=dstnat comment="intersection manager BE API" dst-port=6081 in-interface=VLAN10 protocol=tcp to-addresses=10.5.0.222 to-ports=6081
/ip route
add disabled=no dst-address=10.40.40.40 gateway=192.168.55.22 routing-table=main suppress-hw-offload=no
add dst-address=10.41.41.41/32 gateway=192.168.55.22
/system clock
set time-zone-name=Europe/London
/system logging
add topics=lte
/system package update
set channel=long-term

Now if the third-party device is in CIDR 192.168.55.0/24 everything is working as expected (the device can ping and has access to my service on port 6080), but if the third-party device is in another CIDR, e.g. 10.41.41.41/32, it won't have access to my service on port 6080 or even ping my router.
Adding a route to this address solves the issue. But I would like to somehow configure my router to have the ability to serve incoming traffic from VLAN10 even if the IP isn't in CIDR 192.168.55.0/24.
If, for example, I put a simple router before VLAN10 which src-nats with action masquerade the incoming traffic from the third-party network to VLAN10, I won't have this problem, so I guess I want to do something similar without installing another router.
Is there a way to do this special type of masquerading, or a way to achieve access to my router regardless of the source IP on VLAN10 some other way?

Maybe I have used some wrong terminology; my apologies.
Thanks in advance
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: how to allow third party LAN access to my router without adding a route

Sun May 22, 2022 3:50 pm

Don't understand; is this third-party LAN coming from a router connected to your MT router on one of the etherports?
In other words, it seems as though you don't have anything to do with this vlan10 (no dhcp etc).
 
ofirule
newbie
Topic Author
Posts: 29
Joined: Tue Mar 26, 2019 6:19 pm

Re: how to allow third party LAN access to my router without adding a route

Sun May 22, 2022 4:11 pm

Don't understand; is this third-party LAN coming from a router connected to your MT router on one of the etherports?
In other words, it seems as though you don't have anything to do with this vlan10 (no dhcp etc).
Correct, it's connected to my MT router on one of the etherports. I don't know the internals of the third-party LAN; all I know is that I am given a static IP and they will have devices on their end sending requests to my router.

It's not related to dhcp, I am not in charge of their addresses by design. I am trying to configure a way for devices in a CIDR not in my routing table to send requests to my router and receive a response.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: how to allow third party LAN access to my router without adding a route  [SOLVED]

Sun May 22, 2022 5:55 pm

You need some route in any case, because routes are what tells the router where to send packets. You don't necessarily have to know all third-party subnets; it's possible to do an "if a connection from address X came from there, send responses back the same way" config using mangle rules. Mark incoming connections from VLAN10, then mark routing for responses to marked connections, to use a default route in an alternative routing table pointing to the third party. It's basically a dual-WAN port forwarding config.

Depending on the network structure on their side, it may be problematic, but if it's something simpler, where you have a connection to only a single router, then it's ok. If so far you were able to access everything using routes with gateway=192.168.55.22, that should be the case.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: how to allow third party LAN access to my router without adding a route

Sun May 22, 2022 8:43 pm

Just to understand the use cases....
1. Users from the other router need access to your router on the same subnet (the other router's LAN subnet), vlan10 only?
2. Users from the other router need access to your router on a different subnet (your router's actual local subnets)?
3. Users from the other router need access to the internet on your router?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
4. Local users on your MT need access to the other router on this third party subnet?
5. Local users on your MT need access to the other router on a different subnet on the other router?
6. Local users on your MT need access to the other router's internet connection?

I'm assuming it's ONLY #2, but want to make sure.
If so, to clarify:
7. There are multiple subnets from the external router that need access to your server, and not users on the vlan10 subnet?

Q1. Assuming you have local users that require access to your server and that's why it's not simply put on vlan10?
If true do you also have external users from the server coming from the internet through your local WANIP?
Do your users use the WANIP of your router or the local LANIP of the server to reach the server?

8. Assuming the other external router's users are using your local server LANIP address to access the server?
 
ofirule
newbie
Topic Author
Posts: 29
Joined: Tue Mar 26, 2019 6:19 pm

Re: how to allow third party LAN access to my router without adding a route

Mon May 23, 2022 5:31 pm

You need some route in any case, because routes are what tells the router where to send packets. You don't necessarily have to know all third-party subnets; it's possible to do an "if a connection from address X came from there, send responses back the same way" config using mangle rules. Mark incoming connections from VLAN10, then mark routing for responses to marked connections, to use a default route in an alternative routing table pointing to the third party. It's basically a dual-WAN port forwarding config.

Depending on the network structure on their side, it may be problematic, but if it's something simpler, where you have a connection to only a single router, then it's ok. If so far you were able to access everything using routes with gateway=192.168.55.22, that should be the case.
This solution led me to the answer.
Adding the following config did the job:
/routing table
add disabled=no fib name=to_VLAN10

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=VLAN10 new-connection-mark=VLAN10_con passthrough=yes
add action=mark-routing chain=output connection-mark=VLAN10_con new-routing-mark=to_VLAN10 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=VLAN10_con in-interface-list=LAN new-routing-mark=to_VLAN10

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=VLAN10 routing-table=to_VLAN10 suppress-hw-offload=no
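Added example, not from the thread or from MikroTik: a small Python model of why the reply path breaks for a client outside 192.168.55.0/24 and how the mark-connection/mark-routing approach described by Sob and configured in the post above repairs it. The main-table routes, the `to_VLAN10` table, the `VLAN10_con` mark and the 10.41.41.41 client are taken from the thread; the static /32 routes from the export are deliberately left out to reproduce the "no route" case, and connection tracking is reduced to a dictionary.

```python
import ipaddress

# Constructed model of the routing state described in the thread: the main
# table knows the directly connected subnets plus a default route via the LTE
# WAN, and the added table "to_VLAN10" holds only a default route via VLAN10.
# The /32 routes via 192.168.55.22 from the export are omitted on purpose.
ROUTES = {
    "main": [
        ("192.168.55.0/24", "VLAN10"),
        ("10.5.0.0/24", "VLAN20"),
        ("10.7.0.0/24", "wlan1"),
        ("0.0.0.0/0", "lte1"),
    ],
    "to_VLAN10": [("0.0.0.0/0", "VLAN10")],
}

SERVICE = ("10.5.0.222", 6080)  # dst-nat target from the posted config


def lookup(table, dst_ip):
    """Longest-prefix match in one routing table; returns the out-interface."""
    best = None
    for prefix, iface in ROUTES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst_ip) in net and (
            best is None or net.prefixlen > best[0].prefixlen
        ):
            best = (net, iface)
    return best[1] if best else None


def reply_interface(client_ip, in_iface, mangle_enabled):
    """Simulate one dst-nat'd request to the service and return the interface
    the LAN server's reply leaves on (None means the reply cannot be routed)."""
    conntrack = {}  # constructed stand-in for the connection-tracking table
    conn = (client_ip, *SERVICE)
    # Request: the prerouting mark-connection rule tags connections that
    # arrived on VLAN10; connection tracking keeps the mark for the replies.
    if mangle_enabled and in_iface == "VLAN10":
        conntrack[conn] = "VLAN10_con"
    # Reply from the LAN server: mark-routing selects to_VLAN10 only when the
    # connection carries the mark; every other flow still uses the main table.
    if mangle_enabled and conntrack.get(conn) == "VLAN10_con":
        table = "to_VLAN10"
    else:
        table = "main"
    return lookup(table, client_ip)
```

Without the marks, the reply to 10.41.41.41 follows the main default route toward lte1 and is masqueraded out the WAN, which is why the client could not even ping the router; with the marks it returns via VLAN10, while connections that did not arrive on VLAN10 are unaffected.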
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: how to allow third party LAN access to my router without adding a route

Mon May 23, 2022 11:19 pm

I don't think that gateway=<interface> should work with ethernet, but if it somehow does, there's no need to complain, I guess. :)
