knowledgemonster
just joined
Topic Author
Posts: 7
Joined: Fri Dec 04, 2015 3:47 pm

2 way communication between 2 subnets 2 interfaces

Tue May 01, 2018 9:50 pm

Hi,

I need communication between the 192.168.20.0 subnet and the 192.168.0.0 subnet both ways. With the configuration I have now, 192.168.20.0 can talk to 192.168.0.0 but not the other way around. Please let me know what needs to be done. Thanks.

I have an RB750Gr3.

I have the default config loaded on this router and I just changed 192.168.88.0 to 192.168.20.0, as below.

ether1: internet coming in via PPPoE
ether2: master for 3,4; 192.168.20.0/24, DHCP enabled on here.
ether5: 192.168.0.223 (no DHCP; this port is connected to a SonicWall router which has 192.168.0.1/24)
# may/01/2018 14:43:23 by RouterOS 6.36.1
# software id = 6BQ5-QAQG
#
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=InternetPPPoE \
    password=********** user=*********
/ip neighbor discovery
set ether1 discover=no
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master name=\
    defconf
/ip address
add address=192.168.20.1/24 comment=defconf interface=ether2-master network=\
    192.168.20.0
add address=192.168.0.223/24 comment="ament" interface=ether5 network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.20.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=InternetPPPoE
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=InternetPPPoE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=InternetPPPoE
add action=masquerade chain=srcnat disabled=yes out-interface=ether2-master
add action=masquerade chain=srcnat disabled=yes out-interface=ether5
add action=src-nat chain=srcnat disabled=yes dst-address=!192.168.0.0/24 \
    out-interface=ether5 protocol=tcp src-address=192.168.20.0/24 \
    to-addresses=192.168.0.0/24
add action=masquerade chain=srcnat
/system clock
set time-zone-name=America/Toronto
/system routerboard settings
set memory-frequency=1200DDR protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
 
anav
Forum Guru
Posts: 3140
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 way communication between 2 subnets 2 interfaces

Tue May 01, 2018 11:20 pm

First thing I would state is: scrap your work, reset to the latest software version (6.42.1),
and then repost. But I do have the following comments.

add address=192.168.0.223/24 comment="ament" interface=ether5 network=\
192.168.0.0

That's a weird setup. Why not...?
add address=192.168.0.1/24 comment="ament" interface=ether5 network=\
192.168.0.0

You are missing the IP Pool for your second LAN.
You are missing the DHCP server for your second LAN
You are missing the IP dns static rule for your second LAN

I would add this to the bottom of my INPUT filter rules (it's a default rule that should be in place with the latest software, I think).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid

Remove all your masquerade rules and the single srcnat rule except the first masquerade rule.

(in the new firmware I would put both LANs on the same bridge).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
anav
Forum Guru
Posts: 3140
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 way communication between 2 subnets 2 interfaces

Tue May 01, 2018 11:27 pm

Hmm, I missed the part about ether5 being attached to a SonicWall.
My bad.
Still, you should update your software.

What is the function of the SonicWall?
Is it in router mode and getting internet via the MikroTik?

Assuming the above, clients on the SonicWall may be able to see the MikroTik LAN clients, but
the SonicWall is a one-way door in router mode; it blocks any view onto its LAN by MikroTik users.

Thus I think you are mistaken: the MikroTik 192.168.20.x devices will not be able to see the 192.168.0.x devices.
There is no way to break that barrier unless you frig with the SonicWall setup.
 
knowledgemonster
just joined
Topic Author
Posts: 7
Joined: Fri Dec 04, 2015 3:47 pm

Re: 2 way communication between 2 subnets 2 interfaces

Tue May 01, 2018 11:47 pm

The SonicWall is in router mode. I cannot mess with that one.

The SonicWall has its own internet source.
The MikroTik has its own internet source.
But the 2 networks need to talk to each other.

The way it's set up now, the MikroTik port 5 is plugged into a LAN port on the SonicWall.

Currently all MikroTik users can access everything on the SonicWall side.
SonicWall users can access nothing on the MikroTik side.

I am not mistaken about the access.
Thanks.
 
anav
Forum Guru
Posts: 3140
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 way communication between 2 subnets 2 interfaces

Wed May 02, 2018 12:06 am

Hi there,
Okay, thanks for the additional info.
That means the SonicWall has been set up on its side with rules such that it can accept incoming traffic from the MikroTik port (LAN traffic) and work with it.
Now the challenge is to do the same with the MikroTik.

So I see what you are trying to do now.
Create the same network infrastructure such that the interface/ether port has a fixed IP address on the SONICWALL LAN.

So you were attempting to ensure every LAN device on the MikroTik would get its IP address changed to that of the SONICWALL LAN IP assigned to ether5,
and thus be magically usable in the SonicWall.
However, that means that traffic originating from the SonicWall will only be able to see and talk to the single ether5 IP and never get to the MikroTik devices...

I see your problem, and perhaps there is another way to solve this...

2 LANs, 2 different routers, 2 different subnets (connected by each other's ether ports).
Hmmmm, something tells me maybe routes are the key (static, maybe?). Have to think on this one.
 
CZFan
Forum Guru
Posts: 1455
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: 2 way communication between 2 subnets 2 interfaces

Wed May 02, 2018 12:24 am

SonicWall is a firewall device, not a router, although it does have limited routing capabilities.

I suspect your problem is on the SonicWall side, either firewall rules or routing, but without the necessary info from both devices it is difficult to help.
MTCNA, MTCTCE, MTCRE & MTCINE
 
knowledgemonster
just joined
Topic Author
Posts: 7
Joined: Fri Dec 04, 2015 3:47 pm

Re: 2 way communication between 2 subnets 2 interfaces

Wed May 02, 2018 12:57 am

OK, I can see if I can get access to the SonicWall. What info do you need?
 
CZFan
Forum Guru
Posts: 1455
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: 2 way communication between 2 subnets 2 interfaces

Wed May 02, 2018 1:55 pm

For starters:

1. IP / Network Diagram
2. Full firewall (Filter / NAT / RAW) and route info from Mikrotik
3. Full routing, NATing and firewall rules of the SonicWall (you will have to do this via the command line interface (CLI))

I doubt the people responsible for the SonicWall will give you this; actually, I would hope not, as it is a security device. So rather work with them and explain the problem; together you will be able to resolve it.
 
knowledgemonster
just joined
Topic Author
Posts: 7
Joined: Fri Dec 04, 2015 3:47 pm

Re: 2 way communication between 2 subnets 2 interfaces

Fri May 04, 2018 6:07 am

Thanks for the replies.

Solved.
Should anyone come across this in future, this is how I got it to work. Not perfect, but it works.

I made no changes to the SonicWall because I did not really know what to change on there to allow SonicWall devices to see devices on the MikroTik network.
So I just went to the server's network adapter and added 192.168.20.95 as an additional IP. The server can now see everything on the MikroTik network, and MikroTik devices could already see everything on the SonicWall, and this now allows everything I needed.

The only reason I say not perfect is because I would have liked to have done this without adding the additional IP to the server, and instead have the routers do the negotiating.


# may/03/2018 22:54:59 by RouterOS 6.42.1
# software id = 6BQ5-QAQG
#
# model = RouterBOARD 750G r3
# serial number = 6F3907287578
/interface bridge
add admin-mac=64:D1:54:94:B7:5A auto-mac=no fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface pppoe-client
add add-default-route=yes default-route-distance=0 disabled=no interface=\
    ether1 keepalive-timeout=60 name=InternetPPPoE password=toughpass \
    user=realusername
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
    interface=ether2-master name=defconf
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=InternetPPPoE list=discover
add interface=bridge1 list=discover
add interface=ether2-master list=mactel
add interface=ether2-master list=mac-winbox
/ip address
add address=192.168.20.1/24 comment=defconf interface=ether2-master network=\
    192.168.20.0
add address=192.168.0.223/24 comment="Ament" interface=ether5 network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.20.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=InternetPPPoE
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=InternetPPPoE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=InternetPPPoE
add action=masquerade chain=srcnat
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Toronto
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

 
mkx
Forum Guru
Posts: 3304
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 way communication between 2 subnets 2 interfaces

Fri May 04, 2018 8:04 am

The reason why your solution to the problem works is because you have both L3 (IP) subnets sharing the same L2 (ethernet) network. Should this change, it will stop working.
The proper solution (apart from changing the configuration on the SonicWall) would be to add a route on the said server (instead of adding an IP address) saying that 192.168.20.0/24 is reachable through the gateway with address 192.168.0.223.
BR,
Metod
 
knowledgemonster
just joined
Topic Author
Posts: 7
Joined: Fri Dec 04, 2015 3:47 pm

Re: 2 way communication between 2 subnets 2 interfaces

Fri May 04, 2018 7:48 pm

Could you tell me how to do this:
"add a route on the said server (instead of adding an IP address) saying that 192.168.20.0/24 is reachable through the gateway with address 192.168.0.223."

Also is it possible to have a bridge with port 2 - 5 and have dhcp on that bridge but exclude port 5 from receiving dhcp?
 
mkx
Forum Guru
Posts: 3304
Joined: Thu Mar 03, 2016 10:23 pm

Re: 2 way communication between 2 subnets 2 interfaces

Fri May 04, 2018 9:40 pm

The exact command to add a route highly depends on the server's OS. I'm pretty sure you didn't mention it in this thread.

On Linux the command looks like this (the gateway is the MikroTik's ether5 address, 192.168.0.223):
route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.0.223
But then, on Linux, this solution works until server restart. A permanent change is done in the server configuration, and that even more highly depends on the OS and its variety.

The answer to your second question is: no, it can't be done. Not easily at least; perhaps it's possible by deploying some nasty layer-2 filtering, but I don't know if MT has such mechanisms.
BR,
Metod
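To make mkx's two points concrete (the L2/L3 explanation and the route on the server), here is a small Python model, added to this thread and not written by any of the posters, that does longest-prefix lookups over the thread's routers. It shows why 192.168.20.x reaches 192.168.0.x while the reverse is lost on the SonicWall's uplink until a route for 192.168.20.0/24 via 192.168.0.223 exists either on the server (mkx's fix) or on the SonicWall (the route the topic author configured in the end). The server 192.168.0.50 and the client 192.168.20.100 are assumed sample hosts.

```python
from ipaddress import ip_address, ip_network
# Per-node routing tables: prefix -> next hop. None = directly connected;
# "pppoe" / "isp" = handed to an internet uplink, where RFC 1918 traffic is lost.
# From the thread: MikroTik 192.168.20.1 + 192.168.0.223, SonicWall LAN 192.168.0.1.
# Assumed sample hosts: server 192.168.0.50, MikroTik client 192.168.20.100.
MIKROTIK = {"192.168.20.0/24": None, "192.168.0.0/24": None, "0.0.0.0/0": "pppoe"}
SONICWALL = {"192.168.0.0/24": None, "0.0.0.0/0": "isp"}
SERVER = {"192.168.0.0/24": None, "0.0.0.0/0": "192.168.0.1"}
CLIENT = {"192.168.20.0/24": None, "0.0.0.0/0": "192.168.20.1"}
NODES = {"192.168.20.100": CLIENT, "192.168.20.1": MIKROTIK, "192.168.0.223": MIKROTIK,
         "192.168.0.50": SERVER, "192.168.0.1": SONICWALL}
MT_ADDRS = ("192.168.20.1", "192.168.0.223")   # the MikroTik's two interface addresses

def next_hop(table, dst):
    """Longest-prefix match of dst against one routing table."""
    best = max((p for p in table if ip_address(dst) in ip_network(p)),
               key=lambda p: ip_network(p).prefixlen)
    return table[best]

def trace(src, dst, nodes=NODES):
    """Hops from src to dst as a list, or None if the packet is lost on an uplink."""
    path, node = [src], src
    while True:
        nh = next_hop(nodes[node], dst)
        if nh is None:                      # dst is on a directly connected subnet
            return path + [dst]
        path.append(nh)
        if nh not in nodes:                 # uplink: a private destination never arrives
            return None
        node = nh

def source_seen_by_dst(path):
    """The export's catch-all 'add action=masquerade chain=srcnat' rewrites the source
    of everything the MikroTik forwards to the address of its egress interface."""
    src = path[0]
    for hop, nxt in zip(path, path[1:]):
        if hop in MT_ADDRS:
            src = next(a for a in MT_ADDRS
                       if ip_address(nxt) in ip_network(a + "/24", strict=False))
    return src

def with_server_route(nodes=NODES):
    """mkx's fix: the server learns 192.168.20.0/24 via 192.168.0.223."""
    fixed = dict(nodes)
    fixed["192.168.0.50"] = dict(SERVER, **{"192.168.20.0/24": "192.168.0.223"})
    return fixed

def with_sonicwall_route(nodes=NODES):
    """The topic author's final fix: the SonicWall routes 192.168.20.0/24 to 192.168.0.223."""
    fixed = dict(nodes)
    fixed["192.168.0.1"] = dict(SONICWALL, **{"192.168.20.0/24": "192.168.0.223"})
    return fixed
```

source_seen_by_dst also shows a side effect of the export's catch-all masquerade rule: every MikroTik client reaches the SonicWall side as 192.168.0.223, so the SonicWall's logs cannot tell them apart, which is one reason anav recommended keeping only the PPPoE masquerade rule.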
 
knowledgemonster
just joined
Topic Author
Posts: 7
Joined: Fri Dec 04, 2015 3:47 pm

Re: 2 way communication between 2 subnets 2 interfaces  [SOLVED]

Tue May 29, 2018 6:09 am

Thank you to all that replied. I'm learning so much about networking and about MikroTik!

What ended up working perfectly for me was creating a route on the SonicWall to the 192.168.0.223 port, which is on the MikroTik.
 
MarHazK
just joined
Posts: 22
Joined: Wed Mar 29, 2017 8:31 pm

Re: 2 way communication between 2 subnets 2 interfaces

Tue Nov 13, 2018 10:13 am

May I know how you solved this?
