robvangils
just joined
Topic Author
Posts: 4
Joined: Sun Jan 17, 2021 4:52 pm

Creating 2 separated LAN networks for 2 apartments

Wed Sep 28, 2022 6:53 pm

Hi, I've been trying to create 2 separated networks for my rented apartment. We have to share the internet with our downstairs neighbour and I want to separate our networks.

I've tried the following so far:
WAN: eth1 dhcp from ISP
I use the local bridge 2.0.0.x network (my network works fine)
neighbor uses onderburen bridge 192.168.0.x network (gets IP, but no connection to the internet)

config:
/interface bridge
add name=local
add name=onderburen
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=netherlands disabled=\
    no frequency=auto mode=ap-bridge ssid="Rob & Marcella 2.4G"
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=auto \
    mode=ap-bridge ssid="Rob & Marcella 5G"
/interface list
add name=listBridge
add name=list_onderburen
add name=listonderburen
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=pool_local ranges=2.0.0.21-2.0.0.200
add name=pool_onderburen ranges=192.168.0.200-192.168.1.10
/ip dhcp-server
add address-pool=pool_local disabled=no interface=local name=dhcp_local
add address-pool=pool_onderburen disabled=no interface=onderburen name=\
    dhcp_onderburen
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=onderburen interface=ether4
add bridge=local interface=ether5
add bridge=local interface=wlan1
add bridge=local interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
add interface=onderburen list=listonderburen
/ip address
add address=2.0.0.1/24 interface=local network=2.0.0.0
add address=192.168.0.1/24 interface=onderburen network=192.168.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=2.0.0.0/24 dns-server=2.0.0.1 gateway=2.0.0.1
add address=192.168.0.0/24 dns-server=2.0.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat in-interface=ether1 port=3389 protocol=tcp \
    to-addresses=192.168.88.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=RouterOS
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listonderburen
/tool mac-server mac-winbox
set allowed-interface-list=listonderburen
Maybe someone here has an idea on how to fix this,

and after that maybe some security things I forgot?


Thanks in advance
-Rob
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Creating 2 separated LAN networks for 2 apartments

Wed Sep 28, 2022 7:43 pm

You obviously have stripped a bunch of information out of your configuration, so having to make some guesses. What router and RouterOS version? Those answers in some cases radically affect the configuration. I don't deal with bridges in RouterOS, so I will leave that part mostly to others. A couple things however:
I recommend NOT using 2.x.y.z for your network. That is a valid public IP range and you run the risk of not being able to get to some server on the Internet that just happens to use a 2.x.y.z address range.
You have zero firewall rules shown which means that you are giving the entire Internet full access to your router.
By default, RouterOS will route between networks - that's what it does. In order to prevent that (I assume you are needing to prevent the neighbors from accessing anything except their own devices) you need to establish some firewall rules. That might be in the bridge or outside of the bridge (remember my first comment about bridges).
As I understand it, IP addresses on bridges should be assigned to the bridge, not a specific interface.
If the neighbors are only using your network for their own devices, and you are only giving them one port on your router, what is the point of providing them a network? Sounds like a simple LAN switch and/or WiFi access point is all they need.
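
An added example, not part of any post in this thread: one way to write the firewall rules the reply above asks for, protecting the router itself and blocking routing between the two bridges. It assumes the interface and list names from the posted config (ether1 as WAN, bridges local and onderburen, list listBridge) and that the router is managed from the local bridge only.

```routeros
# Added example, not from the thread. Names ether1, local, onderburen and
# listBridge come from the posted config; the rule set itself is an assumption.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="accept replies"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=accept in-interface=local comment="management from own LAN"
# The neighbour bridge may use the router for DNS and DHCP only
add chain=input action=accept in-interface=onderburen protocol=udp dst-port=53,67 comment="neighbour DNS/DHCP"
add chain=input action=accept in-interface=onderburen protocol=tcp dst-port=53 comment="neighbour DNS over TCP"
add chain=input action=drop comment="drop the rest (WAN and neighbour)"
# --- forward chain: traffic routed through the router ---
add chain=forward action=accept connection-state=established,related,untracked comment="accept replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop in-interface=onderburen out-interface=local comment="neighbour to own LAN"
add chain=forward action=drop in-interface=local out-interface=onderburen comment="own LAN to neighbour"
add chain=forward action=drop in-interface=ether1 connection-state=new connection-nat-state=!dstnat comment="WAN in unless port-forwarded"
# The posted config allows MAC Telnet/WinBox from the neighbour's list;
# restrict it to the list that contains the own-LAN bridge instead
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
```

Rules are evaluated top to bottom, so the order above matters. Entering them in Safe Mode from a device on the local bridge lets the router roll back if the session is cut off.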
 
robvangils
just joined
Topic Author
Posts: 4
Joined: Sun Jan 17, 2021 4:52 pm

Re: Creating 2 separated LAN networks for 2 apartments

Wed Sep 28, 2022 8:17 pm

I did not know I stripped so much info from the config.

I'm using a HaP 3ac running RoS 6.48.6.

The goal for me is to supply my neighbor with a network cable that he can plug into a dumb switch and/or AP, so that it just works for him and is separated from my own network.

The reason I have my own network set to 2.x.y.z is because I work in audiovisual technology. There it's really common for devices to be in the 2.x.y.z range. It makes it easy to work with the equipment.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Creating 2 separated LAN networks for 2 apartments

Wed Sep 28, 2022 10:02 pm

I cannot see anything in the configuration that would explain why a device connected to ether4 should not be able to access internet. There is no security whatsoever, so if you are getting a public IP on the WAN, the whole world can try how good your password is, and 2.0.0.0/24 is not a private subnet. But none of these should affect the ability of the host connected to ether4 to access the internet.

So try to connect your own device there, and check whether you can ping 8.8.8.8 from it, and whether it asks for DNS using DHCP or it has some static one.
