novarob
just joined
Topic Author
Posts: 2
Joined: Sun Nov 13, 2022 1:47 pm

Mikrotik network not accessible from another network

Sun Nov 13, 2022 5:06 pm

Hello

I am a beginner and I am just learning how to use Mikrotik Router Os. I am stuck on one level and can't find a solution.

The structure of the network is like this:

Internet -> Router -> [Network A] -> TP-Link -)))) ((((- Mikrotik wAP -> Switch -> [Network B]

Network A 192.168.178.0
Network B 192.168.88.0

I have a Network A which is my main network. Internet is connected to my router, and different devices are connected to this router. Among others a TP-Link EAP110 AP, which I use to connect Network A with my second network (Network B), which is created by the Mikrotik wAP Outdoor AP.
I did the basic configuration, both networks are working now and I have internet access on every device. From Network B I can reach every other device, the main router, I can ping, ssh, and so on, all OK.
But I have one problem. From Network A I can't access Network B, I can't even ping it. I tried a lot of settings, changed the firewall on the Mikrotik, but nothing helped.

I have an idea, maybe the firewall of the Mikrotik, but I ran out of energy for searching, maybe someone here could give me some hints.

Thank you.

This is the configuration of my Mikrotik:
export hide-sensitive 
# nov/13/2022 15:10:04 by RouterOS 6.49.7
# software id = DFS5-8X6A
#
# model = RBwAPG-5HacD2HnD

/interface bridge
add admin-mac=18:FD:74:7A:7B:4F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=defcon
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik-7A7B51 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX comment=defcon disabled=no distance=indoors frequency=2437 installation=outdoor wireless-protocol=802.11
/interface wireless manual-tx-power-table
set wlan1 comment=defcon
/interface wireless nstreme
set wlan1 comment=defcon
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 trusted=yes
add bridge=bridge comment=defconf interface=wlan2 trusted=yes
add bridge=bridge comment=defconf interface=ether1 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=LAN lan-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wlan1 list=WAN
/interface wireless cap
set discovery-interfaces=bridge interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add disabled=no interface=wlan1
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defcon
/ip dhcp-server lease
add address=192.168.88.7 client-id=ff:d:96:8f:69:0:2:0:0:ab:11:aa:29:3d:fe:5c:45:d8:40 mac-address=00:1D:09:F0:E4:80 server=defcon
/ip dhcp-server network
add address=192.168.88.0/24 comment=defcon dns-server=8.8.8.8 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.178.0/24 list=allowed_to_router
add address=192.168.88.0/24 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface=wlan1 protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow Winbox" port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" port=22 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=wlan1
/ip pool
add name=dhcp next-pool=dhcp ranges=192.168.88.1-192.168.88.254
/ip route
add distance=1 gateway=192.168.178.1
/ip service
set ssh port=2200
set www-ssl disabled=no
set winbox address=192.168.88.0/24,192.168.178.0/24
/system identity
set name=RouterOS
/system ntp client
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik network not accessible from another network

Sun Nov 13, 2022 6:02 pm

You have the same basic config you'd have if the router was connected directly to internet/ISP. So you have LAN (bridge) and WAN (wlan1) and new connections from WAN are blocked. If you trust both networks and want to have unlimited access, simplest fix is to edit interface list and move wlan1 from WAN to LAN list.

You also have NAT (masquerade) that you most likely don't want to have. It makes all connections from network B appear as if they come from address that's on wlan1. But if you remove it, things might break, because devices in network A need to have route to network B, and it's possible that you don't have it. It would need to be configured either on individual devices, or on main router (route to 192.168.88.0/24 via whatever 192.168.178.x is on wlan1; you'd also want to make this address static, either manually configured on RB, or as DHCP reservation on main router).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik network not accessible from another network

Sun Nov 13, 2022 6:05 pm

Traffic from network B gets source-NATed to the IP address of wAP's wlan1, which is an address from Network A assigned by the DHCP server on the main router. So the main router sends the responses to that address, and the wAP "un-src-nats" them and delivers them to the sender of the request in network B.

To be able to reach devices in Network B from devices in Network A, you have to add a route to Network B with the IP address of wAP's wlan1 as gateway to the main router. With that route in place, you can disable or even remove the action=masquerade rule on the wAP, because the same route will be used to deliver responses to requests coming from Network B.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Mikrotik network not accessible from another network

Sun Nov 13, 2022 7:13 pm

Hi,
What about just allowing input and forward requests from 192.168.178.0/24 on in-interface =WAN?

Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik network not accessible from another network

Sun Nov 13, 2022 7:16 pm

That will be necessary too but not sufficient - the route on the main router to Network B via the WAN address of wAP is necessary.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Mikrotik network not accessible from another network

Sun Nov 13, 2022 7:23 pm

> That will be necessary too but not sufficient - the route on the main router to Network B via the WAN address of wAP is necessary.

oh yes, the route too
 
novarob
just joined
Topic Author
Posts: 2
Joined: Sun Nov 13, 2022 1:47 pm

Re: Mikrotik network not accessible from another network

Tue Nov 15, 2022 8:22 am

Hi All

Last night I found a configuration option on my router. It is called Route Table and I can enter subnet settings. That's what I set up here:
IP address: 192.168.88.0
Mask: 255.255.255.0
Gateway: 192.168.178.3

192.168.178.3 is the IP address that TP Link gives to Mikrotik

I moved wlan1 to LAN member.
I have disabled the NAT setting.

It seems to have fixed it. I can now access Network A from Network B.

Thanks very much for your help!

The only phenomenon is that with these settings I cannot reach TP-Link from Network B. But I have to check this again. Otherwise I can live with it.

One more question: are the current 'default' firewall settings sufficient? Should I change, add or remove anything?
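
An added example (not part of the thread and not MikroTik code) relating to the closing question about the firewall: a small Python audit of `/ip firewall filter` and `/ip service` lines taken from the export in the first post. The `parse` and `audit` helpers and the check names are assumptions made for this illustration.

```python
import re

# Constructed sample: a subset of lines copied from the export in the first post.
EXPORT = '''\
/ip firewall filter
add action=accept chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow SSH" port=22 protocol=tcp
/ip service
set ssh port=2200
'''

TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse(export):
    """Yield (section, words, props) for every command line of a RouterOS export."""
    section = None
    for line in map(str.strip, export.splitlines()):
        if line.startswith('/'):
            section = line                      # e.g. "/ip firewall filter"
        elif line and not line.startswith('#'):
            props = {k: v.strip('"') for k, v in TOKEN.findall(line)}
            yield section, line.split(), props

def audit(export):
    """Return sorted (check, detail) findings for the filter rules in the export."""
    rows = list(parse(export))
    rules = [p for s, w, p in rows if s == '/ip firewall filter' and w[0] == 'add']
    ssh_port = next((p.get('port') for s, w, p in rows
                     if s == '/ip service' and w[:2] == ['set', 'ssh']), '22')
    findings = set()
    for r in rules:
        comment, where = r.get('comment', ''), r['chain']
        if 'drop' in comment.lower() and r['action'] == 'accept':
            findings.add(('comment-says-drop-but-accepts', f'{where}: {comment}'))
        if r['action'] == 'drop' and r.get('disabled') == 'yes':
            findings.add(('drop-rule-disabled', f'{where}: {comment}'))
        if 'ssh' in comment.lower() and r.get('port') != ssh_port:
            findings.add(('rule-port-differs-from-service', f"rule {r.get('port')} vs ssh {ssh_port}"))
    for chain in ('input', 'forward'):
        live = [r for r in rules if r['chain'] == chain and r.get('disabled') != 'yes']
        if not any(r['action'] in ('drop', 'reject') for r in live):
            findings.add(('chain-has-no-active-drop', chain))
    return sorted(findings)

if __name__ == '__main__':
    print(*audit(EXPORT), sep='\n')
```

On these lines it reports that both "drop invalid" rules actually accept, that the only input drop rule is disabled (leaving the input chain with no active drop), and that the "allow SSH" rule matches port 22 while the SSH service listens on 2200.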
