Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Routing between 2 Subnets

Mon Nov 19, 2018 10:32 pm

Hi,
I have configured several Subnets on my RB3011. All Subnets cannot see each other, it is disabled by FW-Rule.

Now I would like to configure some exceptions. I have a local SIP Server on Subnet1 with IP: 192.168.1.10. Clients on Subnet1 can connect correctly to the Server, but Clients on Subnet2 (192.168.2.0/24) do not work. This works as expected.
How do I have to configure a common rule for Subnet2 to get this working? I think I have to route UDP-Port 5060.
Can someone help here?
Christian
 
anav
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between 2 Subnets

Tue Nov 20, 2018 12:36 am

It would be useful to see/post your config to understand how your subnets are created.
I am assuming that when you say they are blocked by FW rules, you mean the last rule in your Forward Chain is a drop-all-else rule??

/ip firewall filter
add chain=forward action=accept log=yes log-prefix=AccessingSIPserver \
    dst-address=192.168.1.10 in-interface=(subnet identifier for LAN2)

(there is no need for ports or protocols usually, as the server doesn't do anything else and it would add rules for no gain).



Note: You should go to your duplicate post and edit it (erase everything and state Duplicate Post please ignore).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 4472
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing between 2 Subnets

Tue Nov 20, 2018 4:43 pm

Specific rule to allow SIP clients to connect server:
/ip firewall filter
add chain=forward action=accept comment="SIP clients from 192.168.2.0/24" src-address=192.168.2.0/24 dst-address=192.168.1.10 protocol=udp dst-port=5060
but make sure there's a rule accepting connection-state=established,related before the new rule. And move the new rule above the rule which currently prevents connectivity to happen.

@anav showed a rule which logs all connections triggering this rule. While it's fine for debugging, it shouldn't be set up for production ... it will litter the log with irrelevant entries, making you miss the important ones.
BR,
Metod
 
anav
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between 2 Subnets

Tue Nov 20, 2018 6:49 pm

Good point mkx, yes the log prefix enabled was simply to verify if the forwarding is taking place as desired. Once up and running it should be removed.
As also demonstrated by mkx's rule, the originating source can be identified in a few ways.

1. source address (an individual address or whole subnet)
2. in-interface (the LAN where the request is coming from/originating)
(I've used a combo of both in the past for better security but have been told it's simply wasteful and thus the source address as shown is adequate).
3. Use of protocol and ports is a good idea in terms of limiting the ports and protocols allowed by the originating LAN to hit your server.
(seeing as there is no other functionality of the server, I tend to think that this is simply wasteful as well, unless someone can point out why otherwise???)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 4472
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing between 2 Subnets

Tue Nov 20, 2018 8:17 pm

3. Use of protocol and ports is a good idea in terms of limiting the ports and protocols allowed by the originating LAN to hit your server.
(seeing as there is no other functionality of the server, I tend to think that this is simply wasteful as well, unless someone can point out why otherwise???)
Performance-wise it might indeed be wasteful. However, you never know if in future that same server might get some other functionality you don't want to expose to the said subnet. This case, however, is not similar to yours (filtering based on both physical port and IP address): in "my" case filter is only very specific (narrowing down possibilities) - but in this very particular case it may not be necessary to be that very specific. In "your" case, both filter criteria (physical port and IP address) are, strictly speaking, not related at all. Specifying both might narrow down the possibilities (possibly breaking L2 network in unlucky case) or it may broaden possibilities (in another unlucky case).
BR,
Metod
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: Routing between 2 Subnets

Tue Nov 20, 2018 9:15 pm

Hi,
many thanks for your replies and sorry for the late response, but I am on a business trip and have limited access to the internet and my router. I will check tomorrow and post my config.
Thanks for help,
Christian
 
anav
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between 2 Subnets

Tue Nov 20, 2018 9:26 pm

No worries spartacus, in the meantime I am simply sparring with mkx over some minutia. :-)

So mkx,
The question comes down to what is most efficient.
a. asking the CPU to inspect the forwarded packet for IP, protocol and port (and discarding those that do not fit) OR
b. asking the CPU to inspect the forwarded packet for IP only (and discarding those that do not fit).

The question I have is why would anyone on the originating LAN be hitting that IP address with anything other than the right protocol and port?
Does the admin expect some folks on the originating LAN to try and hit the server with different types of traffic (hack in?) ?

c. What is more efficient wrt CPU load?
To have a rule that inspects a packet for allowable IP (which it does) but it has the wrong port or protocol and drops it?
VERSUS
The packet is passed to the server (allowable IP) but the packet hits a closed port, or even an open port but with the wrong protocol.
I believe the latter events are transparent to the CPU (no load).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 4472
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing between 2 Subnets

Tue Nov 20, 2018 11:13 pm

@anav, I don't see continuing the discussion being productive. The baseline is: how paranoid should a network administrator be to keep networks safe and going versus available (and allowable) resources?

My stand is that an administrator should be as paranoid as possible and that the security of a network should be based neither on users' friendliness nor on assumptions about fair use (most known exploits target such pitfalls).
BR,
Metod
 
anav
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between 2 Subnets

Wed Nov 21, 2018 3:07 am

Ahh well okay, I sense you are raising the white flag on efficiency and diverting to the ole security trumps all standby. ;-)
Perhaps we can do combat another day.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 4472
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing between 2 Subnets

Wed Nov 21, 2018 2:09 pm

Ahh well okay, I sense you are raising the white flag on efficiency ...
You're free to sense it in any way it suits you ... :wink:
BR,
Metod
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: Routing between 2 Subnets

Tue Nov 27, 2018 2:50 pm

Hi everybody,
thanks for the support. But it seems to be not working. The PC Client Software, Phoner, is working on the Client Subnet (192.168.2.0/24) and the Server IP is 192.168.1.10. I configured full access between the subnets without success:
/ip firewall filter add action=accept chain=forward dst-address-list=VlanFriends in-interface-list=LAN src-address-list=VlanFriends comment="Allow inter VLAN communication with VLAN friends"
Both networks are participants from VlanFriends.
Any ideas?
Christian
 
anav
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between 2 Subnets

Tue Nov 27, 2018 3:21 pm

Yes post your config, looking at one rule you have is probably not all that helpful.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: Routing between 2 Subnets

Tue Nov 27, 2018 6:18 pm

Hi,
ok here it is, but it is not simple!
Remark: Some rules are disabled!

Christian
# nov/27/2018 17:09:21 by RouterOS 6.43.4
# software id = UJ3A-L315
#

/ip firewall address-list
add address=192.168.1.0/24 list=PrivateSubnets
add address=192.168.10.0/24 list=PrivateSubnets
add address=192.168.20.0/24 list=PrivateSubnets
add address=192.168.1.0/24 list=AdminSubnet
add address=192.168.10.10 comment="Office. Odilo" list=VlanFriends
add address=192.168.20.0/24 list=VlanFriends
add address=192.168.1.0/24 comment="All Subnets" list=PrivateSubnets
add address=192.168.10.20 comment="Client B\FCro PC" list=AdminSubnet
add address=192.168.30.0/24 list=PrivateSubnets
add address=192.168.40.0/24 list=PrivateSubnets
add address=192.168.50.0/24 list=PrivateSubnets
add address=192.168.60.0/24 list=PrivateSubnets
add address=192.168.70.0/24 list=PrivateSubnets
add address=192.168.80.0/24 list=PrivateSubnets
add address=192.168.1.0/24 list=AlllowWAN
add address=192.168.20.0/24 list=AlllowWAN
add address=192.168.10.0/24 list=AlllowWAN
add address=192.168.30.0/24 list=AlllowWAN
add address=192.168.40.0/24 list=AlllowWAN
add address=192.168.50.0/24 list=AlllowWAN
add address=192.168.60.0/24 list=AlllowWAN
add address=192.168.70.0/24 list=AlllowWAN
add address=192.168.80.0/24 list=AlllowWAN
add address=192.168.1.0/24 list=AlllowWAN
add address=192.168.10.0/24 list=SonosControl
add address=192.168.60.0/24 list=VlanFriends
add address=192.168.40.0/24 list=VlanFriends
add address=192.168.10.40 comment=Spok list=AdminSubnet
add address=192.168.30.0/24 list=VlanFriends
add address=192.168.50.0/24 list=VlanFriends
add address=192.168.10.0/24 list=VlanFriends
add address=192.168.1.0/24 list=VlanFriends
add address=192.168.10.11 comment=HP4050 list=Printer
add address=192.168.10.12 comment=HP8620 list=Printer
add address=192.168.10.13 comment=HP477fdw list=Printer
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="VPN: allow udp 500 and 4500" disabled=\
    yes dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="VPN: allow ESP" disabled=yes \
    in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="allow AdminSubnet" in-interface-list=\
    LAN src-address-list=AdminSubnet
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN NTP queries" dst-port=123 \
    in-interface-list=LAN protocol=udp
add action=drop chain=input comment=" drop everything"
add action=fasttrack-connection chain=forward comment=\
    " fasttrack established,related" connection-state=established,related
add action=accept chain=forward comment=" accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="SIP clients from 192.168.10.0/24" \
    disabled=yes dst-address=192.168.20.10 dst-port=5060 log=yes log-prefix=\
    SIP protocol=udp src-address=192.168.10.0/24
add action=drop chain=forward comment="prevent SPAM" dst-port=25 \
    in-interface-list=LAN out-interface-list=WAN protocol=tcp
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
    "only required for port forwarding from WAN" connection-nat-state=dstnat \
    disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" disabled=\
    yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "SONOS. Forward UPnP Device Discovery events from Players" in-interface=\
    vlan30 out-interface-list="Sonos Control" port=1900,1901,6969 protocol=\
    udp
add action=accept chain=forward comment="SONOS: forward Multicast traffic" \
    dst-address=239.255.255.250 log-prefix=MultiCast
add action=accept chain=forward comment=\
    "SONOS: Forward Contoller events  from Players" in-interface-list=\
    "Sonos Control" log=yes log-prefix=FromPlayer out-interface=vlan30 port=\
    3400,3401,3500,4444,4070,5353 protocol=tcp
add action=accept chain=forward comment=\
    "SONOS: forward  Controller events to Players" dst-port="" in-interface=\
    vlan30 log-prefix=ToPlayer out-interface-list="Sonos Control" port=\
    3400,3401,3500,4444,4070,5353 protocol=tcp
add action=accept chain=forward comment=\
    "accept Internet Access from \"Allow WAN\"" in-interface-list=LAN \
    out-interface-list=WAN src-address-list=AlllowWAN
add action=accept chain=forward comment="Accept AdminSubnet-> PrivateSubnet" \
    dst-address-list=PrivateSubnets in-interface-list=LAN src-address-list=\
    AdminSubnet
add action=accept chain=forward comment=\
    "Allow inter VLAN communication with VLAN friends" dst-address-list=\
    VlanFriends in-interface-list=LAN src-address-list=VlanFriends
add action=drop chain=forward comment="drop everything" log=yes log-prefix=\
    drop
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
    new-connection-mark=TabS2 passthrough=yes src-mac-address=\
    xx:xx:xx:xx:xx:xx
add action=mark-packet chain=prerouting connection-mark=TabS2 disabled=yes \
    new-packet-mark=TabS2PacketMark passthrough=no
/ip firewall nat
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - UDP" dst-port=53 protocol=udp
add action=masquerade chain=srcnat comment="masquerade LAN->WAN" \
    out-interface=ether1 src-address-type=""
/ip firewall raw
add action=notrack chain=prerouting comment=\
    "Fasttrack BYPASS for IPSec traffic " disabled=yes dst-address=\
    192.168.1.0/24 src-address=192.168.2.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.2.0/24 \
    src-address=192.168.1.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes sip-timeout=20m
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
 
anav
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between 2 Subnets

Tue Nov 27, 2018 7:52 pm

Hi I am very much interested in this rule.....
add action=accept chain=input comment="Allow LAN NTP queries" dst-port=123 \
in-interface-list=LAN protocol=udp

What is its purpose? I have a smart device (honeywell leak detector) that refuses to connect to honeywell via my cAP ac wifi and hEX router.
I do it through a consumer cisco linksys router with no problems. Some ubiquiti forums talk about NTP and port 123 but I don't block that at all in any forward rule.
Thus it intrigued me to see you have this as a lan to router (input rule). Perhaps I could try this to see if it works for my smart device???

+++++++++++++++++++++++++++++++++++++++++++++++++++++
Back to the show!!
The first thing is that your vlan config information is missing so that is not helpful

1. add action=drop chain=forward comment="prevent SPAM" dst-port=25 \
in-interface-list=LAN out-interface-list=WAN protocol=tcp

This blocks any attempt at email does it not???

2. add action=accept chain=forward comment=\
"only required for port forwarding from WAN" connection-nat-state=dstnat \
disabled=yes in-interface-list=WAN

Tells me port forwarding is off for now.

3. add action=accept chain=forward comment=\
"SONOS. Forward UPnP Device Discovery events from Players" in-interface=\
vlan30 out-interface-list="Sonos Control" port=1900,1901,6969 protocol=\
udp

This rule allows any queries coming from/originating on vlan30 (which has no structure (no config viewable) to (????? on the specific ports. Without the VLAN config I am lost here.............
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
CZFan
Forum Guru
Posts: 1724
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Routing between 2 Subnets

Tue Nov 27, 2018 11:56 pm

NTP = Network Time Protocol makes use of port 123
MTCNA, MTCTCE, MTCRE & MTCINE
 
anav
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between 2 Subnets

Wed Nov 28, 2018 3:00 pm

Very good CZFAN, where is that emoji for a cookie, but that has nothing to do with my questions.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: Routing between 2 Subnets

Wed Nov 28, 2018 4:35 pm

Hi,
here is my feedback.
- the NTP rule is necessary to accept NTP queries across my subnets
- I do not use Port 25 for Email
- Port forwarding rule is disabled
- The SONOS Rules are only for my Sonos devices in VLAN30 (192.168.30.0). It is necessary for the UPNP Discovery and forwards the requests to and from the other Subnets. This works and has nothing to do with the SIP protocol. No SIP Client is in VLAN30.

VLAN Mapping Rule:
VLANnn=192.168.nn.0/24

Regards,
Christian
 
anav
Forum Guru
Posts: 4781
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between 2 Subnets

Wed Nov 28, 2018 5:43 pm

But your NTP rule is on the input chain??
If your devices need to query NTP, don't they simply go out to the internet via the forward chain?? (in other words part of normal traffic and thus no rule required??)


Okay so if NTP query is done on UDP, is that covered in forward chain rules? Does mikrotik recognize a device going on on UDP123 as a new connection and thus will be tracked??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: Routing between 2 Subnets

Thu Nov 29, 2018 5:38 pm

Hi,
maybe there is a misunderstanding about the NTP-Rule:

NTP-Client (to sync the RB with NTP-Servers in the WAN) and NTP Server (for Clients in the LAN) are running on the RB3011, and all clients across the different subnets can use the GW-Address of their current Subnet as NTP-Server to synchronize the time. Therefore I need the Input Rule on the RB. It works!

Christian
 
CZFan
Forum Guru
Posts: 1724
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Routing between 2 Subnets

Fri Nov 30, 2018 11:48 pm

Hi,
I have configured several Subnets on my RB3011. All Subnets cannot see each other, it is disabled by FW-Rule.

Now I would like to configure some exceptions. I have a local SIP Server on Subnet1 with IP: 192.168.1.10. Client on Subnet1 can connect correctly to the Server, but Clients on Subnet2(192.168.2.0/24) do not work. This works as expected.
How do I have to configure a common rule for Subent2 to get this working? I think I have to route UDP-Port 5060.
Can some help here?
Christian
You will also need to open a few rules for RTP (audio)
MTCNA, MTCTCE, MTCRE & MTCINE
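As an added example (not code from the thread, RouterOS or any poster), a small Python first-match evaluator that models the forward chain mkx and anav debate above and the RTP point CZFan raises: rule order decides (an accept placed below the drop-all never fires), and the protocol/port match in mkx's rule stops other traffic to the SIP server that anav's address-only rule would pass, at the price of needing a separate rule for the media stream. The client address 192.168.2.25 and RTP port 10000 are constructed sample values, and interfaces and address lists are not modelled.

```python
# Added example, not code from the thread: a minimal first-match evaluator for
# a RouterOS-style forward chain. Sample client 192.168.2.25 and RTP port 10000
# are constructed values; the evaluator ignores interfaces and address lists.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                # "udp" or "tcp"
    dst_port: int
    conn_state: str = "new"   # "new", "established" or "related"


@dataclass(frozen=True)
class Rule:
    action: str               # "accept" or "drop"
    comment: str
    src_address: Optional[str] = None   # single IP or CIDR, as in RouterOS
    dst_address: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Tuple[str, ...] = ()

    def matches(self, p: Packet) -> bool:
        """Every criterion that is set must match; unset ones match anything."""
        if self.src_address and ip_address(p.src) not in ip_network(self.src_address, strict=False):
            return False
        if self.dst_address and ip_address(p.dst) not in ip_network(self.dst_address, strict=False):
            return False
        if self.protocol and self.protocol != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return not self.connection_state or p.conn_state in self.connection_state


def evaluate(chain: Sequence[Rule], p: Packet) -> str:
    """First matching rule wins; a forward packet matching no rule is accepted."""
    for rule in chain:
        if rule.matches(p):
            return f"{rule.action}: {rule.comment}"
    return "accept: end of chain (no rule matched)"


# The rules from the thread, plus the drop-all rule the OP's forward chain ends in.
ESTABLISHED = Rule("accept", "accept established,related",
                   connection_state=("established", "related"))
DROP_ALL = Rule("drop", "drop everything")
SIP_STRICT = Rule("accept", "SIP clients from 192.168.2.0/24",       # mkx's rule
                  src_address="192.168.2.0/24", dst_address="192.168.1.10",
                  protocol="udp", dst_port=5060)
SIP_IP_ONLY = Rule("accept", "AccessingSIPserver",                   # anav's rule, source by subnet
                   src_address="192.168.2.0/24", dst_address="192.168.1.10")

SIP_INVITE = Packet("192.168.2.25", "192.168.1.10", "udp", 5060)
SSH_TO_SERVER = Packet("192.168.2.25", "192.168.1.10", "tcp", 22)
RTP_MEDIA = Packet("192.168.2.25", "192.168.1.10", "udp", 10000)    # media flow, not port 5060

if __name__ == "__main__":
    print(evaluate([ESTABLISHED, DROP_ALL, SIP_STRICT], SIP_INVITE))     # drop: rule sits below the drop
    print(evaluate([ESTABLISHED, SIP_STRICT, DROP_ALL], SIP_INVITE))     # accept
    print(evaluate([ESTABLISHED, SIP_STRICT, DROP_ALL], SSH_TO_SERVER))  # drop: wrong protocol/port
    print(evaluate([ESTABLISHED, SIP_IP_ONLY, DROP_ALL], SSH_TO_SERVER)) # accept: address-only rule passes it
    print(evaluate([ESTABLISHED, SIP_STRICT, DROP_ALL], RTP_MEDIA))      # drop: RTP needs its own rule
```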
 
RackKing
Member
Posts: 381
Joined: Wed Oct 09, 2013 1:59 pm

Re: Routing between 2 Subnets

Sat Dec 01, 2018 9:56 pm

@Spartacus

I was thinking about your FW - nice. I have some questions to pile on :-).

Sonos - do those rules allow another user on one subnet to control and connect via the Sonos app to the hardware on a different subnet? Seems like a good idea to keep the "noisy" Sonos equipment on its own. It looks like your Sonos is in VLAN30 and your controllers are in 10? How much of an improvement have you noticed?

Interface-list=LAN.... do you have all your VLANs in this list or how did you set it up. My setup is similar to yours but your FW is much cleaner by using that LAN interface list. I can't seem to get it to work correctly.

Thanks for any info.
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: Routing between 2 Subnets

Mon Dec 03, 2018 10:28 am

Hi czfan,
thanks for the RTP audio tip. But why do I need an additional rule for that? I added both subnets to my "VLAN-Friend" list and everything is allowed between the two subnets. So I do not understand the need for an additional rule.

@RackKing:
Yes, my Sonos Speakers are in VLAN30 and the controllers are across different Subnets. It works for me, but sometimes it takes some time until a controller finds the Sonos players (especially the Android widget). For updates it is recommended to join one controller to VLAN30, otherwise you get errors. It is not really perfect!
Additionally to the rules, you need to install PIM on the router in order to route Multicast.

I have round about 15 Sonos players/bridges on the subnet and it is difficult to notice improvements. But in my view, it seems to be more stable because players disappear less often than before.
For now, VLAN30 is also a participant of "VlanFriends" and there are not really any restrictions between the "Player" and "Controller" Subnets. There is room for improvement regarding the routing. I am open to proposals :-)

Christian
 
RackKing
Member
Posts: 381
Joined: Wed Oct 09, 2013 1:59 pm

Re: Routing between 2 Subnets

Mon Dec 03, 2018 4:28 pm

@RackKing:
Yes, my Sonos Speakers are in VLAN30 and the controllers are across different Subnets. It works for me, but sometimes it takes some time until a controller finds the Sonos players (especially the Android widget). For updates it is recommended to join one controller to VLAN30, otherwise you get errors. It is not really perfect!
Additionally to the rules, you need to install PIM on the router in order to route Multicast.

I have round about 15 Sonos players/bridges on the subnet and it is difficult to notice improvements. But in my view, it seems to be more stable because players disappear less often than before.
For now, VLAN30 is also a participant of "VlanFriends" and there are not really any restrictions between the "Player" and "Controller" Subnets. There is room for improvement regarding the routing. I am open to proposals :-)

Christian
Hi Christian -

Thanks for your reply. Sounds like you have a nice Sonos system! I will give the approach a try and see what happens.

"Interface-list=LAN.... do you have all your VLANs in this list or how did you set it up. My setup is similar to yours but your FW is much cleaner by using that LAN interface list. I can't seem to get it to work correctly."

Any hints on how you set this up?

Thanks!
