luka3

1wan + 2 lan isolated from each other

Thu Jul 11, 2019 2:43 pm

Hi,

I am new to RoS and networking but not to computers. I own a rb4011 and uploaded a script to have the following services at home: ipTV, voIP and Internet. All of them are working but I need to customize my network.

I get a public dynamic address from the telecom company. I have 1 lan. I have 1 bridge (includes ether2 till ether10). In ether10 I connect my AP ACLite.

I want to isolate ether10 (ACLite) from my lan. What is the best approach to do it?

Rgds
 
luka3

Re: 1wan + 2 lan isolated from each other

Thu Jul 11, 2019 4:04 pm

After further research I found this post: viewtopic.php?t=125838.

I will try to set it up this way, leaving aside that I do not have a second router. Will report back.
 
luka3

Re: 1wan + 2 lan isolated from each other

Thu Jul 11, 2019 9:03 pm

Ok, I reached my knowledge limit.
I attach a pic with some data of fw, lan, ... and the desired lan setup.
I have been reading here:
viewtopic.php?t=125838
viewtopic.php?t=132219
But since I start from a config (including firewall) to make ipTV work, I guess there are some rules that don't work with all I tried.
Maybe you can have a look at it and help me out with which direction I should follow.
Rgds
 
mkx

Re: 1wan + 2 lan isolated from each other

Thu Jul 11, 2019 10:20 pm

Post full configuration as shown by running command /export hide-sensitive from a terminal window ... when posting config, put it into [code] .. [/code] environment. Combined with the network schematics, we might have an idea or two.
BR,
Metod
 
luka3

Re: 1wan + 2 lan isolated from each other

Fri Jul 12, 2019 12:23 am

/interface bridge
add comment=ISP igmp-snooping=yes name=bridge1
add comment=lan2 name=bridge2
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-WAN
set [ find default-name=ether2 ] comment=LAN1
set [ find default-name=ether10 ] comment=LAN2
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether1-WAN name=vlan2 vlan-id=2
add interface=ether1-WAN name=vlan3 vlan-id=3
add interface=ether1-WAN name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-out1 use-peer-dns=yes user=xxxxxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=clientes
/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=dhcp_pool_LAN1 ranges=192.168.1.220-192.168.1.230
add name=dhcp_pool_LAN2 ranges=172.16.24.100-172.16.24.110
/ip dhcp-server
add address-pool=dhcp_pool_LAN1 bootp-support=dynamic disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool_LAN2 disabled=no interface=bridge2 name=dhcp2
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 disabled=yes interface=ether6
add bridge=bridge1 disabled=yes interface=ether7
add bridge=bridge1 disabled=yes interface=ether8
add bridge=bridge1 disabled=yes interface=ether9
add bridge=bridge2 interface=ether10
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge2 list=clientes
/ip address
add address=192.168.1.1/24 comment=LAN1 interface=bridge1 network=192.168.1.0
add address=192.168.100.10/24 interface=ether1-WAN network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.24.1/24 comment=LAN2 interface=ether10 network=172.16.24.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=decozyxel dhcp-option=option_para_deco server=dhcp1
add address=192.168.1.40 client-id=1:40:16:7e:20:90:4a server=dhcp1
add address=192.168.1.50 client-id=1:0:e:c6:fa:6e:b4 server=dhcp1
/ip dhcp-server network
add address=172.16.24.0/24 gateway=172.16.24.1 netmask=24
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
/ip dns
set servers=80.58.61.250,80.58.61.254
/ip firewall address-list
add address=172.16.24.100-172.16.24.110 list=client
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward in-interface-list=clientes out-interface-list=clientes
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-WAN
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=udp to-addresses=192.168.1.200
/ip route
add distance=255 gateway=255.255.255.255
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan2 upstream=yes
add interface=bridge1
/routing rip interface
add interface=vlan3 passive=yes receive=v2
add interface=vlan2 passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
add network=172.26.0.0/16
/system clock
set time-zone-autodetect=no time-zone-name=Europe/London
/system ntp client
set enabled=yes primary-ntp=193.145.15.15 secondary-ntp=147.156.7.26
/system ntp server
set broadcast=yes enabled=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

I did some tests; here are the results attached.
 
luka3

Re: 1wan + 2 lan isolated from each other

Fri Jul 12, 2019 12:25 am

update of diagram..
 
mkx

Re: 1wan + 2 lan isolated from each other

Fri Jul 12, 2019 9:58 am

Nothing much points out to me as wrong in your configuration. One thing that might affect how things behave: the LAN2 IP address should be bound to interface bridge2 - now it's bound to its slave interface ether10.

I'm not sure you really need these set to yes:
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
They only work if intra-LAN traffic passes the bridge ... which in your layout it might, if the ACLite sends traffic between wireless clients to the main router instead of forwarding it locally. You don't need those settings if traffic between different subnets has to pass the router's IP interface ... The way things are configured now, you don't need
use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
enabled; none of those should really pass any bridge from one port to another.

If you want to block traffic between LAN and LAN2, you need a pair of firewall rules similar to this:
/ip firewall filter
add action=drop chain=forward in-interface=bridge2 out-interface=bridge1
add action=drop chain=forward in-interface=bridge1 out-interface=bridge2
added to the end of your current firewall rules.

As they say, there are many ways to skin the sheep ... many forum users will argue that firewall filter rules as configured now are sub-optimal (myself included). The example rules I wrote above are supplementing what is currently configured ...
BR,
Metod
 
luka3

Re: 1wan + 2 lan isolated from each other

Fri Jul 12, 2019 11:24 pm

Hi,

Thx for help. I did both:
LAN2 IP address should be bound to interface bridge2 - now it's bound to its slave interface ether10.
and
If you want to block traffic between LAN and LAN2, you need a pair of firewall rules similar to this:
I rechecked and the rule was working as intended.

But I checked the setup of the Ubiquiti AP and it was not correct. It was assigning to the connected devices IPs in the range 172.16.24.xx BUT the AP itself was connected to 192.168.1.1. Once I tried to modify that in the Ubiquiti software I was not allowed and the AP immediately lost connection.

So I am now back to the original setup: 1 wan, 1 bridge (ether2 till ether10), 1 lan (192.168.1.0/24), 1 ip pool (192.168.1.210-250), AP connected to ether10.

Now that I can start from scratch, how would you recommend designing it in the optimal way? I want to isolate:
1) all the devices connected to the AP from a) each other and b) the rest of the lan
2) some devices of the lan from the rest of the devices of the lan

Then I would like to create a vpn to connect to some devices in my lan from windows devices/android.

Basically that's what I am looking for.

Rgds.
 
anav

Re: 1wan + 2 lan isolated from each other

Fri Jul 12, 2019 11:27 pm

I use vlans for all subnets.
By their nature all vlans do not talk on layer 2
Thus all I do in the forward chain is state what I wish to allow, i.e. LAN to WAN for whatever vlans,
then Drop ALL as the last rule which kills any L3 routing between the vlans.
Done!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
luka3

Re: 1wan + 2 lan isolated from each other

Fri Jul 12, 2019 11:47 pm

I use vlans for all subnets.
By their nature all vlans do not talk on layer 2
Thus all I do in the forward chain is state what I wish to allow, ie LAN to WAN for whatever vlans,
then Drop ALL as the last rule which kills any L3 routing between the vlans.
Done!
Looks a clean way to do it. Will read about vlans and come back if I have any doubt. Thx.
 
luka3

Re: 1wan + 2 lan isolated from each other

Sat Jul 13, 2019 12:12 am

Well, was starting to read about vlans and found this post: viewtopic.php?t=114580
Forget VLANs. They are great when you want to have multiple separate networks on one cable, but you also need either a managed switch or end device (server) specifically configured for VLAN.
In your case, simply split router's switch into separate ports and assign a subnet to each one. Then use firewall to allow traffic from each LAN to internet and block the rest, i.e. communication between LANs
After further looking into the options of RoS and the rb4011, I found "switch". In the case of the rb4011 it has 2 switches, each with 5 ports assigned. There is an option called "port isolation" which allows forwarding a port to any of the other ports or switches (not bridges).

How can I "split router's switch into separate ports and assign a subnet to each one"? After further reading this post, he mentions:
Thank you so much for your reply. Today I have been working with different subnets and for now it seems to work somehow.
ETH1=WAN (Address: Public Static IP)
ETH2=LAN (Address: 192.168.1.1/24 Network: 192.168.1.0 Subnet: 255.255.255.0)
ETH3=DISABLED
ETH4=DISABLED
ETH5=SERVER (Address 192.168.5.1/30 Network: 192.168.5.0 Subnet: 255.255.255.252)
All ETH ports are not linked and only acting as stand-alone ports.
Since I have bridge1 configured (includes ether2-ether10), should I create a new bridge2 and assign eth10 for my AP, or just take eth10 out of bridge1? How can I make eth10 a stand-alone port?

Still a bit confused which way to go.

EDIT1: also, can I run only VLANS using my rb4011 without using a switch?
 
luka3

Re: 1wan + 2 lan isolated from each other

Sat Jul 13, 2019 9:37 pm

I use vlans for all subnets.
By their nature all vlans do not talk on layer 2
Thus all I do in the forward chain is state what I wish to allow, ie LAN to WAN for whatever vlans,
then Drop ALL as the last rule which kills any L3 routing between the vlans.
Done!
Hi anav!
Do I need a switch + my rb4011 for setting up the vlans? I read the Realtek chip does not support vlan tables.
Rgds.
 
mkx

Re: 1wan + 2 lan isolated from each other

Sat Jul 13, 2019 11:10 pm

No, you don't need anything special to set up VLANs on RB4011; they are dealt with by the router's CPU. The price for that functionality is a performance hit for traffic between different ethernet ports carrying the same VLAN, which would be carried by the switch chip if the switch chip was at least half-decent. In your case, with a single ether port dedicated for the second LAN, performance won't degrade (all traffic will have to pass the CPU anyway), but it makes the use of VLANs just for subnet separation meaningless.

N.b.: using VLANs seems to be the answer to all questions for my buddy @anav :wink:

My guess is that you actually were on the right track, I just don't understand details of the problem you described with the following paragraph:
But I checked the setup of the Ubiquiti AP and it was not correct. It was assigning to the connected devices IPs in the range 172.16.24.xx BUT the AP itself was connected to 192.168.1.1. Once I tried to modify that in the Ubiquiti software I was not allowed and the AP immediately lost connection.
(especially the highlighted part)?
BR,
Metod
 
luka3

Re: 1wan + 2 lan isolated from each other

Sun Jul 14, 2019 2:21 am

No, you don't need anything special to set up VLANs on RB4011; they are dealt with by the router's CPU. The price for that functionality is a performance hit for traffic between different ethernet ports carrying the same VLAN, which would be carried by the switch chip if the switch chip was at least half-decent. In your case, with a single ether port dedicated for the second LAN, performance won't degrade (all traffic will have to pass the CPU anyway), but it makes the use of VLANs just for subnet separation meaningless.

N.b.: using VLANs seems to be the answer to all questions for my buddy @anav :wink:

My guess is that you actually were on the right track, I just don't understand details of the problem you described with the following paragraph:
But I checked the setup of the Ubiquiti AP and it was not correct. It was assigning to the connected devices IPs in the range 172.16.24.xx BUT the AP itself was connected to 192.168.1.1. Once I tried to modify that in the Ubiquiti software I was not allowed and the AP immediately lost connection.
(especially the highlighted part)?
I have been playing with vlans and I like them. I will keep an eye on them but before I want to finish what we were trying to setup.

I reverted to the last step I showed you. The problem is the AP is not working on bridge2. I attach a pic.


Also, where is this in winbox?
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

Let me know if you need a print.

Rgds
 
mkx

Re: 1wan + 2 lan isolated from each other

Sun Jul 14, 2019 9:47 am

Also, where is this in winbox?
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
I don't know where in winbox that is, in webfig it's in bridge->settings


I reverted to the last step I showed you. The problem is the AP is not working on bridge2. I attach a pic.
I can't see any picture.
BR,
Metod
 
anav

Re: 1wan + 2 lan isolated from each other

Sun Jul 14, 2019 11:02 pm

Haha MKX, you know vlans are like catheters, you may not think you need them now but just wait a bit longer!!
 
luka3

Re: 1wan + 2 lan isolated from each other

Mon Jul 15, 2019 10:45 pm

Also, where is this in winbox?
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
I don't know where in winbox that is, in webfig it's in bridge->settings


I reverted to the last step I showed you. The problem is the AP is not working on bridge2. I attach a pic.
I can't see any picture.

I must be misunderstanding some basics. I have everything up and running except isolating the traffic from the clients connected to the Access Point from the rest of the LAN. Basically (and not taking vlans into account) I want to learn how to isolate some clients from others. I know there are several ways of doing it but I need to understand the basics. Let me explain what I tried so far:

I created bridge-ISP (includes all ether ports).

I connected the access point to ether10. I configured the AP to have a static IP (192.168.1.45).

I created 1 dhcp server in bridge-isp:
"dhcp1_LAN" and it uses "pool1_LAN (192.168.1.70-192.168.1.80)".

I created another pool for guests using wifi (dhcp_pool2_guests) using 192.168.1.229-192.168.1.249

When I tried to create a 2nd dhcp server to assign "dhcp_pool2_guests" it tells me I can't create it on bridge-isp nor on ether10 (since it is a slave of bridge-isp).

How can I do it?

I wanted then to create in Firewall>address list a "guests list" (with users only using the ip pool of the access point).

Rgds.
 
anav

Re: 1wan + 2 lan isolated from each other

Mon Jul 15, 2019 11:42 pm

Sigh.................. one can lead a horse to water......... A 'sob' story for sure!! ;-P
I started off using bridges and quickly discovered that one was limited in that the bridge could only be assigned one subnet.
In addition one starts loading the bridge to do everything and it just gets in the way in the long run.

Assign your vlans to the bridge, assign subnets to the vlans (with the required dhcp pools etc) and then all you need is firewall rules that are appropriate.
{forward chain}
- the default rules (established related, ipsec if you need it, drop invalid traffic)
- then add L3 rules where you want traffic to flow; examples are vlan-to-wan traffic, admin PC to vlans so that you can administer the Access Points, etc.
- Last rule should be drop all other traffic to curtail any L3 connectivity between vlans etc........
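To make the difference between the two isolation styles in this thread concrete (mkx's pair of interface-to-interface drop rules appended to the existing chain, and anav's "allow what you want, then drop everything else" layout), here is an added Python model of first-match forward-chain evaluation. It is not RouterOS code and not from any poster: it encodes the forward chain from luka3's export, the same chain with mkx's two drops appended, and an anav-style whitelist, then runs constructed packets through all three. Interface names and the LAN addresses follow the thread; the internet host 203.0.113.10, the IPTV-VLAN packet and the fasttrack-as-accept simplification are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    """One forward-chain rule; a matcher left at None is unset and matches anything."""
    action: str                          # "accept" or "drop" (fasttrack is modelled as accept)
    in_iface: Optional[str] = None       # in-interface=
    out_iface: Optional[str] = None      # out-interface=
    src: Optional[str] = None            # src-address= as CIDR
    dst: Optional[str] = None            # dst-address= as CIDR
    states: Optional[Set[str]] = None    # connection-state=
    comment: str = ""


@dataclass
class Packet:
    """Constructed sample packet as the forward chain sees it after the routing decision."""
    in_iface: str
    out_iface: str
    src: str
    dst: str
    state: str = "new"                   # new / established / related / invalid


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher that is set on the rule must agree with the packet."""
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.out_iface is not None and rule.out_iface != pkt.out_iface:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def forward_verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a chain with no matching rule accepts (the RouterOS default)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "accept"


# Forward chain as in luka3's export: only established/related and invalid are matched,
# so every new connection falls through to the implicit accept.
AS_EXPORTED = [
    Rule("accept", states={"established", "related"}, comment="fasttrack / accept established,related"),
    Rule("drop", states={"invalid"}, comment="drop invalid"),
]

# mkx's suggestion: the same chain with two interface-pair drops appended at the end.
MKX_PAIR_DROP = AS_EXPORTED + [
    Rule("drop", in_iface="bridge2", out_iface="bridge1"),
    Rule("drop", in_iface="bridge1", out_iface="bridge2"),
]

# anav's approach: default rules, explicit accepts for wanted flows, then drop everything else.
ANAV_WHITELIST = [
    Rule("accept", states={"established", "related"}),
    Rule("drop", states={"invalid"}),
    Rule("accept", in_iface="bridge1", out_iface="pppoe-out1", comment="LAN1 to WAN"),
    Rule("accept", in_iface="bridge2", out_iface="pppoe-out1", comment="LAN2 to WAN"),
    Rule("drop", comment="drop all other forward traffic"),
]

# Constructed packets; 203.0.113.10 is a documentation address standing in for an internet host.
SAMPLE_PACKETS = {
    "lan1_to_lan2": Packet("bridge1", "bridge2", "192.168.1.50", "172.16.24.2"),
    "lan2_to_lan1": Packet("bridge2", "bridge1", "172.16.24.100", "192.168.1.50"),
    "lan1_to_internet": Packet("bridge1", "pppoe-out1", "192.168.1.50", "203.0.113.10"),
    "lan2_to_internet": Packet("bridge2", "pppoe-out1", "172.16.24.100", "203.0.113.10"),
    "lan2_to_iptv_vlan": Packet("bridge2", "vlan2", "172.16.24.100", "10.133.225.5"),
    "reply_to_lan1": Packet("pppoe-out1", "bridge1", "203.0.113.10", "192.168.1.50", state="established"),
}


def evaluate_all() -> Dict[str, Dict[str, str]]:
    """Verdict of every rule set for every sample packet, keyed by rule set and then packet name."""
    rulesets = {"as_exported": AS_EXPORTED, "mkx_pair_drop": MKX_PAIR_DROP, "anav_whitelist": ANAV_WHITELIST}
    return {name: {pname: forward_verdict(rules, pkt) for pname, pkt in SAMPLE_PACKETS.items()}
            for name, rules in rulesets.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(name)
        for pname, verdict in verdicts.items():
            print(f"  {pname:18} {verdict}")
```

The exported chain accepts every new flow, including LAN1 to LAN2. Both fixes drop the two bridge-to-bridge directions, but only the whitelist also drops the LAN2-to-IPTV-VLAN packet: a pair of interface drops covers exactly the pairs you listed, while a final drop-all covers every path you did not think of, which is why the thread's regulars prefer it.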
 
luka3

Re: 1wan + 2 lan isolated from each other

Tue Jul 16, 2019 12:56 am

Anav, I tried to config the vlans. I did not post it before because I realised today that they did not work due to the lack of proper firewall rules. I even tested yesterday a TP-SG108PE I had around.

I started off using bridges and quickly discovered that one was limited in that the bridge could only be assigned one subnet
I had to ask ... but I thought that would be the answer.

Assign your vlans to the bridge
I have already 3 vlans running on ether1 (WAN): one each for IPTV, VOIP and Internet (PPPoE on vlan6).
Can I still create the new vlans on the bridge (instead of ether1)?

Rgds
 
anav

Re: 1wan + 2 lan isolated from each other

Tue Jul 16, 2019 5:05 am

I have my internet coming in on vlanxx on my ether1 (bell fiber). IT HAS NOTHING TO DO WITH MY BRIDGES OR VLANS ON MY NETWORK.
You may have a more complicated setup?
 
mkx

Re: 1wan + 2 lan isolated from each other

Tue Jul 16, 2019 8:50 am

From all of the talking it's not really clear to me how things are configured.

How about this: create configuration export from your RB4011 ... do it running command /export hide-sensitive inside a terminal window ... post the output here, but be sure to enclose it in [code]...[/code] environment. If your current physical network layout is different than presented in the last picture, please post the updated one.

And we'll need to know what IP address you set on the ACLite.

After that, please wait for the instructions what to do ... if you change things meanwhile then instructions might not be relevant anymore.

@anav: it doesn't seem that OP needs to use VLANs (at least not on a large scale); his network topology is quite simple. Probably we can make things work without using VLANs, as he can dedicate ports on RB4011 for different subnets. It might prove that he needs VLANs after all, but we'll deal with it if that happens.
BR,
Metod
 
anav

Re: 1wan + 2 lan isolated from each other

Tue Jul 16, 2019 2:27 pm

Sure thing!
 
stoser

Re: 1wan + 2 lan isolated from each other

Tue Jul 16, 2019 3:41 pm

If the requirement is simple isolation of bridge1 from bridge2, assign the IP address 176.16.24.1 to bridge2 (NOT to ether10) and use the rules already suggested by @mkx:
/ip firewall filter
add action=drop chain=forward in-interface=bridge2 out-interface=bridge1
add action=drop chain=forward in-interface=bridge1 out-interface=bridge2

OR, if you want to isolate specific IP ranges from each other, on the same OR different bridges, just isolate the IP ranges in the firewall (I put in the entire /24 range, you can restrict the range to a different subnet, the DHCP pool, address list, etc):
/ip firewall filter
# LAN2 in this thread is 172.16.24.0/24; the prefix must be given as the network address
add action=drop chain=forward dst-address=172.16.24.0/24 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=172.16.24.0/24
I hope I am not oversimplifying ...
 
anav

Re: 1wan + 2 lan isolated from each other

Tue Jul 16, 2019 6:17 pm

Looks good to me, keeping it simple as mkx suggested, but I would combine them.......... and include both the interfaces and the source and destination addresses.

/ip firewall filter
# traffic from 192.168.1.0/24 (LAN1) enters on bridge1 and leaves on bridge2, and vice versa
add action=drop chain=forward src-address=192.168.1.0/24 dst-address=172.16.24.0/24 in-interface=bridge1 out-interface=bridge2
add action=drop chain=forward src-address=172.16.24.0/24 dst-address=192.168.1.0/24 in-interface=bridge2 out-interface=bridge1
 
luka3

Re: 1wan + 2 lan isolated from each other

Tue Jul 16, 2019 9:57 pm

After that, please wait for the instructions what to do ... if you change things meanwhile then instructions might not be relevant anymore.

Let's try again. At the beginning I posted I had problems with my access point not providing wifi. Again I tried to set up everything as it was. Here is my export file:
/interface bridge
add igmp-snooping=yes name=bridge1-ISP
add name=bridge2
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-gateway
set [ find default-name=ether2 ] comment=LAN1
set [ find default-name=ether6 ] comment=LAN2
/interface vlan
add interface=ether1-gateway name=vlan2 vlan-id=2
add interface=ether1-gateway name=vlan3 vlan-id=3
add interface=ether1-gateway name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 keepalive-timeout=60 max-mru=1492 max-mtu=1492 \
    name=pppoe-out1 use-peer-dns=yes user=xxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=dhcp_pool1 ranges=192.168.1.210-192.168.1.230
add name=dhcp_pool2 ranges=172.16.24.100-192.16.24.120
/ip dhcp-server
add address-pool=dhcp_pool1 bootp-support=dynamic disabled=no interface=bridge1-ISP name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=bridge2 name=dhcp2
/interface bridge port
add bridge=bridge1-ISP interface=ether2
add bridge=bridge1-ISP interface=ether3
add bridge=bridge1-ISP interface=ether4
add bridge=bridge1-ISP interface=ether5
add bridge=bridge2 interface=ether6
add bridge=bridge2 interface=ether7
add bridge=bridge2 interface=ether8
add bridge=bridge2 interface=ether9
add bridge=bridge2 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip address
add address=192.168.1.1/24 comment=LAN1 interface=bridge1-ISP network=192.168.1.0
add address=192.168.100.10/24 comment=WAN interface=ether1-gateway network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.24.1/24 comment=LAN2 interface=bridge2 network=172.16.24.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=XXX dhcp-option=option_para_deco mac-address=90:EF:68:E8:54:17 server=dhcp1
add address=192.168.1.40 client-id=1:XXX mac-address=XXX server=dhcp1
add address=192.168.1.50 client-id=XXX mac-address=XXX server=dhcp1
add address=172.16.24.2 client-id=1:XXX mac-address=XXX server=dhcp2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip firewall filter
add action=fasttrack-connection chain=forward
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=\
    udp to-addresses=192.168.1.200
/ip upnp interfaces
add interface=bridge1-ISP type=internal
add interface=pppoe-out1 type=external
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan2 upstream=yes
add interface=bridge1-ISP
/routing rip interface
add interface=vlan3 passive=yes receive=v2
add interface=vlan2 passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
add network=172.26.0.0/16
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
I attach a pic of my desired network.

My access point is configured in UniFi to obtain a static IP (172.16.24.2) and to use the network 172.16.24.0/24 (although MikroTik is the one assigning the IPs to wifi clients via dhcp_pool2). I attach pictures. Fact is that the access point is not accessing internet (what I mentioned in one of my posts at the beginning).

While looking at the export file, I saw this:
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
I don't see the address 172.16.24.0/24. So maybe this is the reason the access point is not accessing the gateway 192.168.1.1? Also, do I need to specify this gateway, 192.168.1.1, in the UniFi access point menu?

Hope to clarify where I am now.

Rgds
 
stoser

Re: 1wan + 2 lan isolated from each other

Tue Jul 16, 2019 11:36 pm

One problem I see is the following: look closely at the IP range for dhcp_pool2:

/ip pool
add name=dhcp_pool1 ranges=192.168.1.210-192.168.1.230
add name=dhcp_pool2 ranges=172.16.24.100-192.16.24.120

Also, you should add the network 172.16.24.0/24, as you yourself stated
 
mkx

Re: 1wan + 2 lan isolated from each other

Tue Jul 16, 2019 11:50 pm

First to routing and firewalling: I don't see anything in the RB4011 config which would prevent connectivity from 172.16.24.2 to 192.168.1.1. The firewall is very permissive (it allows just anything in chain=forward, and also everything on chain=input except for connections originating from the internet). I wonder why you didn't start with the default firewall rules?

I can't say anything about routing. You have dynamic routing enabled (I don't think you need it if the network topology is indeed as simple as presented on the chart) and you should check what are actual routes active to see if those are getting in the way.

You can try some tests, run from RB4011:

  1. /ping src-address=172.16.24.1 172.16.24.2 count=4
    This one should succeed as both addresses are on directly connected subnet.
  2. /ping src-address=192.168.1.1 172.16.24.2 count=4
    This one should succeed as well; if it doesn't, then there's something wrong on the AP.

If the above tests go through, you might want to run similar tests from AP (first ping RB4011 address on LAN2 and then try with the one on LAN1).

BTW, on the chart the AP has two IP addresses indicated. What does 192.168.1.45 do there? It shouldn't work because it's in the wrong subnet.


To the DHCP server: settings in /ip dhcp-server network should agree with settings in /ip pool ... with the shown settings, DHCP server dhcp2 should be marked as invalid. And yes, @stoser did spot a nasty error.
However, DHCP server settings should not affect AP's behaviour as it's got statically configured settings...
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 1:23 am

One problem I see is the following: Look closely at the Ip range for dhcp_pool2:

/ip pool
add name=dhcp_pool1 ranges=192.168.1.210-192.168.1.230
add name=dhcp_pool2 ranges=172.16.24.100-192.16.24.120

Also, you should add the network 172.16.24.0/24, as you yourself stated
My mistake. I also added the gateway: 172.16.24.1.
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 1:49 am

You can try some tests, run from RB4011
[] > /ping src-address=172.16.24.1 172.16.24.2 count=4
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                    
    0 172.16.24.2                                56  64 0ms  
    1 172.16.24.2                                56  64 0ms  
    2 172.16.24.2                                56  64 0ms  
    3 172.16.24.2                                56  64 0ms  
    sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 

[] > /ping src-address=172.16.24.1 192.168.1.1 count=4
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                    
    0 192.168.1.1                                56  64 0ms  
    1 192.168.1.1                                56  64 0ms  
    2 192.168.1.1                                56  64 0ms  
    3 192.168.1.1                                56  64 0ms  
    sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 1:50 am


BTW, on the chart the AP has two IP addresses indicated. What does 192.168.1.45 do there? It shouldn't work because its in a wrong subnet.
It is from a previous config. Ignore it.
 
stoser
Member Candidate
Posts: 107
Joined: Sun Aug 21, 2016 12:04 am

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 2:00 am

Based on the results of the pings, the 4011 can ping the Ubiquiti AP, and it can also ping the other interface on itself. Please do the following:

1- Try ping from Ubiquiti AP to 4011, and post results (172.16.24.2 to 172.16.24.1)
2 - Try tracert from Ubiquiti AP to an internet site (8.8.8.8 for ex) and post results

3 - Try ping from client device that is connected by WiFi to Ubiquiti AP to the 4011, and post results (172.16.24.x to 172.16.24.1)
4 - Try tracert from client device connected by WiFi to the Ubiquiti AP 4011 to an internet site (8.8.8.8 for ex) and post results

Also post dhcp active leases on the 4011, showing all of the connected client devices, including the one used for #3 and #4 above
 
stoser
Member Candidate
Member Candidate
Posts: 107
Joined: Sun Aug 21, 2016 12:04 am

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 2:03 am

  1. /ping src-address=172.16.24.1 172.16.24.2 count=4
    This one should succeed as both addresses are on directly connected subnet.
  2. /ping src-address=192.168.1.1 172.16.24.2 count=4
    This one should succeed as well; if it doesn't, then there's something wrong on the AP.
Also you did not perform the second ping test requested by @mkx (192.168.1.1 to 172.16.24.2)
 
mkx
Forum Guru
Posts: 2944
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 8:38 am

[] > /ping src-address=172.16.24.1 192.168.1.1 count=4
This test showed that RB4011 can reach itself. :wink:
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 11:16 am

Hi, sorry for not replying further yesterday. Actually my laptop ran out of battery and did not want to charge again.
Will do the next tests later today.
One thing I noticed yesterday is that the access point did access the internet and so did the wifi clients connected to it. But the access point disappeared from the console in UniFi. Also, in UniFi I had created 4 SSIDs. Now my wifi clients do not connect to any of them. Instead I get a different SSID which I did not create.
Will post later more info about it.
Rgds
 
mkx
Forum Guru
Posts: 2944
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 11:19 am

I guess the real issue here is how the UniFi console wants to connect to the AP (and vice versa) ... BTW, in which subnet is the UniFi console sitting? Could be that the AP wants a permanent connection to the UniFi console and if it loses it (due to some IP reconfig), it reverts to some kind of defaults?
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 8:09 pm

Also you did not perform the second ping test requested.by @mkx (192.168.1.1 to 172.16.24.2)
[XXX] > /ping src-address=192.168.1.1 172.16.24.2 count=4
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                    
    0 172.16.24.2                                56  64 0ms  
    1 172.16.24.2                                56  64 0ms  
    2 172.16.24.2                                56  64 0ms  
    3 172.16.24.2                                56  64 0ms  
    sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 8:16 pm

I have the following problem. I cannot access the Ubiquiti AP.

If I connect the AP to bridge1 (192.168.1.0/24) it is immediately recognized by UniFi. And I can access it with PuTTY.

If I connect the AP to bridge2 (172.16.24.0/24) it is not recognized by UniFi. And I cannot access it with PuTTY.

I tried resetting the AP and reinstalling UniFi.

So I cannot perform the missing ping tests required by stoser with the AP connected to bridge2.


Any ideas what should I do now?
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 8:23 pm

Although, after the UniFi install, I cannot access the AP, it automatically generated a wifi network (name=FCECDA372809).
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 8:25 pm

1- Try ping from Ubiquiti AP to 4011, and post results (172.16.24.2 to 172.16.24.1)
[XXX] > /ping src-address=172.16.24.2 172.16.24.1 count=4            
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                    
    0                                                         could not make socket                                     
    1                                                         could not make socket                                     
    2                                                         could not make socket                                     
    3                                                         could not make socket                                     
    sent=4 received=0 packet-loss=100% 
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 8:32 pm

3 - Try ping from client device that is connected by WiFi to Ubiquiti AP to the 4011, and post results (172.16.24.x to 172.16.24.1)
Last edited by luka3 on Thu Aug 01, 2019 12:43 pm, edited 1 time in total.
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 8:41 pm

4 - Try tracert from client device connected by WiFi to the Ubiquiti AP 4011 to an internet site (8.8.8.8 for ex) and post results
Last edited by luka3 on Thu Aug 01, 2019 12:43 pm, edited 1 time in total.
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 8:43 pm

leases:
Last edited by luka3 on Thu Aug 01, 2019 12:44 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 2944
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 9:03 pm

I still think that Ubiquiti AP doesn't like address 172.16.24.2 for its management interface. And that RB config is fine regarding that.

What still confuses me is that it obviously falls back to some weird default configuration if it can't connect to management console after restart. Can't you configure it for management-console-free operations? Or is it that AP and management console should be in same broadcast domain (same LAN subnet)?

After you get AP working properly, you can tackle the issue of separating LANs 172.16.24.0/24 and 192.168.1.0/24 ...
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 9:41 pm

I still think that Ubiquiti AP doesn't like address 172.16.24.2 for its management interface. And that RB config is fine regarding that.

What still confuses me is that it obviously falls back to some weird default configuration if it can't connect to management console after restart. Can't you configure it for management-console-free operations? Or is it that AP and management console should be in same broadcast domain (same LAN subnet)?

After you get AP working properly, you can tackle the issue of separating LANs 172.16.24.0/24 and 192.168.1.0/24 ...
I also think the AP does not like 172.16.24.1.

Can you propose another scenario where I can still assign the AP an IP within the range of 192.168.1.1 and isolate any clients connecting to the AP? I think it will be easier.

In case I need to change something, then I can move my NAS and laptop/PCs to 172.16.24.0.

Also, I am more interested now in having a functional AP connected to UniFi and focusing on setting up the firewall!
Last edited by luka3 on Thu Jul 18, 2019 12:42 am, edited 1 time in total.
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Wed Jul 17, 2019 11:48 pm

I still think that Ubiquiti AP doesn't like address 172.16.24.2 for its management interface. And that RB config is fine regarding that.

What still confuses me is that it obviously falls back to some weird default configuration if it can't connect to management console after restart. Can't you configure it for management-console-free operations? Or is it that AP and management console should be in same broadcast domain (same LAN subnet)?

After you get AP working properly, you can tackle the issue of separating LANs 172.16.24.0/24 and 192.168.1.0/24 ...
I was looking into the ubnt forum and found this:
If you can SSH into the AP, it's possible to do L3-adoption via CLI command:

1. Make sure the AP is running updated firmware. If it is not, see this guide: UniFi - Changing the Firmware of a UniFi Device.

2. Make sure the AP is in the factory default state. If it's not, do:

sudo syswrapper.sh restore-default
3. SSH into the device and type the following and hit enter:

set-inform http://ip-of-controller:8080/inform
4. After issuing the set-inform, the UniFi device will show up for adoption. Once you click adopt, the device will appear to go offline.

5. Once the device goes offline, issue the command set-inform in step 3 again. This will permanently save the inform address, and the device will start provisioning.
What should I put in the "ip-of-controller"?
EDIT: If I installed the UniFi console on my laptop (192.168.1.50), I guess I must type:
set-inform http://192.168.1.50:8080/inform
but to do that I need to make sure port 8080/tcp is open in the firewall on the controller device. Can you let me know if in my firewall 8080 is open?
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Thu Jul 18, 2019 1:28 am

After you get AP working properly, you can tackle the issue of separating LANs 172.16.24.0/24 and 192.168.1.0/24 ...
Solved. Now UniFi is up and running and the AP has a static IP of 172.16.24.120.

How should I proceed with the firewall to separate the lans?
 
stoser
Member Candidate
Posts: 107
Joined: Sun Aug 21, 2016 12:04 am

Re: 1wan + 2 lan isolated from each other

Thu Jul 18, 2019 3:38 am

How should I proceed with the firewall to separate the lans?
see post #24 by @anav
 
mkx
Forum Guru
Posts: 2944
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Thu Jul 18, 2019 8:31 am

How should I proceed with the firewall to separate the lans?
see post #24 by @anav

In addition to those 2 rules, add rule which allows necessary connectivity between management devices in 192.168.1.0/24 and AP (IP address 172.16.24.120) ... possibly limit the connectivity to only a few necessary ports.
Rules allowing this communication should be placed above the drop rules mentioned in @anav's post.

Beware that AP management is currently possibly wide open to devices in 172.16.24.0/24 network. If you don't trust all devices from mentioned subnet and if it's possible to restrict management access on the AP itself, then do it. If restriction is not possible on the AP itself, then you'll have to go the VLAN way ... how to implement it largely depends on how are VLANs supported by AP.
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Thu Jul 18, 2019 9:42 pm

/ip firewall filter
add action=drop chain=forward dst-address=172.16.24.0/24 src-address=192.168.1.0/24
in-interface=bridge2 out-interface=bridge1
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=172.16.24.0/24
in-interface=bridge1 out-interface=bridge2

I am still able to ping the other subnet:
  • from my laptop I can ping the AP:
    C:\Users\rafa>ping 172.16.24.120 -n 3
    Pinging 172.16.24.120 with 32 bytes of data:
    Reply from 172.16.24.120: bytes=32 time<1ms TTL=63
    Reply from 172.16.24.120: bytes=32 time<1ms TTL=63
    Reply from 172.16.24.120: bytes=32 time<1ms TTL=63

  • from the AP I can ping the router
  • from a mobile wifi client I can ping the router and the AP

Firewall:

/ip firewall filter
add action=fasttrack-connection chain=forward
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add action=drop chain=forward dst-address=192.168.1.0/24 in-interface=bridge1-ISP out-interface=bridge2 src-address=\
    172.16.24.0/24
add action=drop chain=forward dst-address=172.16.24.0/24 in-interface=bridge2 out-interface=bridge1-ISP src-address=\
    192.168.1.0/24
add action=drop chain=forward disabled=yes in-interface=bridge2 out-interface=bridge1-ISP
add action=drop chain=forward disabled=yes in-interface=bridge1-ISP out-interface=bridge2
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=\
    udp to-addresses=192.168.1.200

When I ping 192.168.1.1 from the AP I get in the log:
Last edited by luka3 on Thu Aug 01, 2019 12:44 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 2944
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Thu Jul 18, 2019 10:36 pm

The top-most firewall rule accepts just everything and none of the later rules for chain=forward restricts anything.

The default fast-track rule's greediness is limited by the condition connection-state=established,related. But fast-tracking also gets in the way of mangling, so you may want to disable the fast-track rule until you get everything working as desired and only then enable it (and fix it) if performance issues require it.

The order of the other rules is sub-optimal and overall messy. I suggest you start over from the default firewall filter rules and adapt them according to your needs (the vast majority of YouTube tutorials are either crap or outdated, many of them are both).

Regarding the last image (log screenshot): router doesn't care which of its IP interfaces are targeted, if firewall rule allows connection to it, it will be allowed regardless dst-address. The processing of a received packet is approximately as follows:
  1. Router receives packet through one of interfaces
  2. Router performs dst-nat (if any of rules apply)
  3. Router determines whether that packet is targeting itself (input) or is just passing by (forward)
  4. Router consults appropriate firewall rule chain and drops packets not allowed
  5. a) If packet is passing, router optionally performs src-nat
    b) If packet is targeting router, it's passed to appropriate service
  6. Router consults routing tables and pushes it via appropriate interface
At step #3 it ignores correlation between input interface and own IP address at that interface, it only compares dst-address with the list of own addresses.

Ok, you might be able to block pinging from subnet 172.16.24.0/24 to 192.168.1.1 in step #4 by implementing a rule similar to this one:
add chain=input action=drop protocol=icmp src-address=172.16.24.0/24 dst-address=192.168.1.1
or similar but using in-interface instead of src-address (to prevent pinging if coming in through a particular interface).
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 12:25 am

This worked to stop the AP pinging the router:
add action=drop chain=input dst-address=192.168.1.1 protocol=icmp src-address=172.16.24.0/24
I suggest you to start over from default firewall filter rules and adapt them according to needs
Since I did not start from the basic firewall after importing a script the first time (with the actual FW), where can I get it? I am reading here.
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 1:07 am

I have implemented the previous steps.

Should I implement these too?:

-Make jumps to new chains
-Create tcp chain and deny some tcp ports in it
-Deny udp ports in udp chain
-Allow only needed icmp codes in icmp chain
-Bruteforce_login_prevention_(FTP_&_SSH)

Any other?
 
mkx
Forum Guru
Posts: 2944
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 8:38 am

Using custom chains has certainly some good effects:
  • you can reuse same filters for multiple original chains (e.g. if you want to limit ICMP traffic to certain types and you want to do it for both chain=input and chain=forward) and you jump to the generic chain (filter rule execution returns to the original chain if none of special-chain rules apply)
  • you can optimize filter execution ... if you have a few filter rules which apply to same class of packets, then you can jump to special chain only for packets matching selection criteria ... the rest of packets won't get compared to filter criteria and thus will be processed faster
  • ...

The main reason against using custom chains is that they somehow reduce readability of filter list. In short: first make your filter list flat and linear. When everything works as desired, it's time to optimize for execution speed (which includes fast-tracking the bulk of packets and using custom chains).

The wiki you linked is only an example and the firewall rules stated there are not optimal. Quite a bit better are the rules from the default setup. You can always get the default setup using the command /system default-configuration print and on my SOHO class devices the current (ROS 6.45.1) default firewall filter rules are

/ip firewall
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

... and for completeness' sake ...
/ipv6 firewall
address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"

The above listed default filter rules are a good starting point. Some would argue that the principle they follow is flawed ... keep in mind that there's the final implicit rule in each chain which accepts everything. When building firewall it's better to explicitly deny all connections as the ultimate filter rule and explicitly allow what's needed (this way you don't forget to deny something). And following this principle you don't need most of filter rules denying this and that, you only need filter rules for exceptions. Your additional filter rules would then go to the end of the list of default rules (and above the ultimate drop rule if you add it).
BR,
Metod
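As an added example (not from any post in this thread and not a MikroTik-supplied configuration), here is one way to put together the points made above: mkx's advice to build on the default rules and end each chain with an explicit drop, his note that the input chain matches on dst-address rather than on the interface that owns the address (so a forward rule between the bridges does nothing for pings from LAN2 to 192.168.1.1), and his earlier suggestion to place the management exceptions for the AP above the inter-LAN drop rules. Assumptions: the interface lists LAN and WAN from the default configuration (created here with bridge1-ISP and bridge2 in LAN and pppoe-out1 in WAN), LAN1 192.168.1.0/24 on bridge1-ISP with the admin laptop and UniFi controller at 192.168.1.50, LAN2 172.16.24.0/24 on bridge2 with the AP at 172.16.24.120, WinBox on 8291 and SSH on 221 on the router as in the posted /ip service export, the UniFi inform port tcp/8080 from the quoted Ubiquiti instructions, and the AP accepting SSH on tcp/22 (an assumption; the thread only says it was reached with PuTTY). The IPTV path over vlan2/vlan3 and the VOD dst-nat are deliberately left out: with the final explicit drop in chain=forward in place, that traffic needs its own accept rules before the drop, and the thread does not give enough detail to write them. Note also that in the two inter-LAN drop rules of the export posted earlier, src-address=172.16.24.0/24 is paired with in-interface=bridge1-ISP (and the mirror rule likewise), so the source network and the ingress interface describe opposite directions and neither rule can ever match; the rules below keep addresses and interfaces consistent.

```routeros
# Added example, not from the thread. Interface names, addresses and ports are assumptions
# taken from the configuration posted above (see lead-in). IPTV (vlan2/vlan3) not covered.
/interface list
add name=LAN comment="example: both LAN bridges"
add name=WAN comment="example: internet uplink"
/interface list member
add list=LAN interface=bridge1-ISP
add list=LAN interface=bridge2
add list=WAN interface=pppoe-out1

/ip firewall filter
# ---- input: connections to the router itself ----
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# LAN2 (bridge2) may only use the router for DHCP and DNS and ping its own gateway address.
# The input chain is matched on dst-address, not on which interface owns that address, so
# without the in-interface match a LAN2 host could also reach 192.168.1.1; the drop closes that.
add chain=input action=accept in-interface=bridge2 protocol=udp dst-port=67 comment="LAN2: DHCP"
add chain=input action=accept in-interface=bridge2 protocol=udp dst-port=53 comment="LAN2: DNS"
add chain=input action=accept in-interface=bridge2 protocol=tcp dst-port=53 comment="LAN2: DNS"
add chain=input action=accept in-interface=bridge2 protocol=icmp dst-address=172.16.24.1 comment="LAN2: ping own gateway only"
add chain=input action=drop in-interface=bridge2 comment="LAN2: nothing else to the router, whichever router address is targeted"
# LAN1 (bridge1-ISP): ICMP, DHCP and DNS for everyone, management only from the admin host.
add chain=input action=accept in-interface=bridge1-ISP protocol=icmp comment="LAN1: ICMP"
add chain=input action=accept in-interface=bridge1-ISP protocol=udp dst-port=67 comment="LAN1: DHCP"
add chain=input action=accept in-interface=bridge1-ISP protocol=udp dst-port=53 comment="LAN1: DNS"
add chain=input action=accept in-interface=bridge1-ISP protocol=tcp dst-port=53 comment="LAN1: DNS"
add chain=input action=accept in-interface=bridge1-ISP src-address=192.168.1.50 protocol=tcp dst-port=8291,221 comment="LAN1: WinBox and SSH from admin host only"
add chain=input action=drop comment="drop everything else (explicit final drop instead of the implicit accept)"

# ---- forward: traffic passing through the router ----
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack (established,related only, never every packet)"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Management exceptions go above the inter-LAN drops: the first packet of a new connection is
# decided here, the replies are then covered by the established/related rules above.
add chain=forward action=accept in-interface=bridge1-ISP out-interface=bridge2 src-address=192.168.1.50 dst-address=172.16.24.120 protocol=tcp dst-port=22 comment="admin host -> AP SSH (assumed port 22)"
add chain=forward action=accept in-interface=bridge2 out-interface=bridge1-ISP src-address=172.16.24.120 dst-address=192.168.1.50 protocol=tcp dst-port=8080 comment="AP -> UniFi controller inform"
# Isolation: in-interface, out-interface and the networks all describe the same direction.
add chain=forward action=drop in-interface=bridge2 out-interface=bridge1-ISP comment="LAN2 -> LAN1 blocked"
add chain=forward action=drop in-interface=bridge1-ISP out-interface=bridge2 comment="LAN1 -> LAN2 blocked"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="both LANs -> internet"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="port-forwarded connections from WAN"
add chain=forward action=drop comment="drop everything else (explicit final drop; add IPTV accept rules above this line)"
```

Apply this from a console session with Safe Mode (Ctrl+X) engaged, because a misplaced input rule can lock you out of the router. The order matters: the first matching rule in a chain wins, so the LAN2-specific input rules must sit before the generic LAN1 ones, and the fasttrack rule is kept limited to established,related so that the first packet of every new connection is still evaluated by the inter-LAN rules.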
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 3:40 pm

Hi, thx for support.
One doubt I have is where to apply the initial "drop everything except LAN": should I do that on ether1 or on bridge1-ISP?
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Fri Jul 19, 2019 5:26 pm

Here is the current status of the FW (without IPv6). A bit different from the default one but following the one in the wiki and comparing it line by line with the default one:
/ip firewall filter
add action=drop chain=input comment="ROUTER PROTECTION.Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow connections to router itself only from our local network" dst-port=46767 in-interface=\
    !ether1-gateway protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="CUSTOMER PROTECTION. Drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="Allow already established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
Let me know what you think.
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 1:46 pm

Hi, after I tried to setup the new firewall I must have stopped the ipTV service. I have tried to find the problem but I cannot.

Maybe you can have a look and point me in the right direction...

old FW:

/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=dhcp_pool1 ranges=192.168.1.210-192.168.1.230
add name=dhcp_pool2 ranges=172.16.24.100-192.16.24.120
/ip dhcp-server
add address-pool=dhcp_pool1 bootp-support=dynamic disabled=no interface=bridge1-ISP name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=bridge2 name=dhcp2
/ip address
add address=192.168.1.1/24 comment=LAN1 interface=bridge1-ISP network=192.168.1.0
add address=192.168.100.10/24 comment=WAN interface=ether1-gateway network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.24.1/24 comment=LAN2 interface=bridge2 network=172.16.24.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=7a:79:78:65:6c:5f:44:54:54:37:31:30:35:2d:30:2e:32:5f:53:31:34:30:59:34:38:39:32:35:32:31:35 \
    dhcp-option=option_para_deco mac-address=xxx server=dhcp1
add address=192.168.1.40 client-id=xxx mac-address=xxx server=dhcp1
add address=192.168.1.50 client-id=xxx mac-address=xxx server=dhcp1
add address=172.16.24.2 client-id=xxx mac-address=xxx server=dhcp2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip firewall filter
add action=fasttrack-connection chain=forward
add action=accept chain=input comment="deniego ICMP" log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=accept chain=input dst-port=8291 protocol=tcp src-address=192.168.1.50
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=udp to-addresses=\
    192.168.1.200
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=221
set api disabled=yes
set winbox address=192.168.1.50/32 port=8291
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=bridge1-ISP type=internal
add interface=pppoe-out1 type=external


new FW:

/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
/ip pool
add name=pool1 ranges=192.168.1.210-192.168.1.230
add name=pool2 ranges=172.16.33.10-172.16.33.20
/ip dhcp-server
add address-pool=pool1 bootp-support=dynamic disabled=no interface=bridge1-ISP name=dhcp1
/ip address
add address=192.168.1.1/24 comment=LAN1 interface=bridge1-ISP network=192.168.1.0
add address=192.168.100.10/24 comment=WAN interface=ether1-gateway network=192.168.100.0
add address=10.133.225.20/9 interface=vlan2 network=10.128.0.0
add address=172.16.33.1/24 comment=LAN2 interface=bridge2 network=172.16.33.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 client-id=\
    7a:79:78:65:6c:5f:44:54:54:37:31:30:35:2d:30:2e:32:5f:53:31:34:30:59:34:38:39:32:35:32:31:35 \
    dhcp-option=option_para_deco mac-address=x server=dhcp1
add address=192.168.1.40  mac-address=x server=dhcp1
add address=192.168.1.50  mac-address=x server=dhcp1
add address=192.168.1.11  mac-address=x server=dhcp1
add address=192.168.1.47  mac-address=x server=dhcp1
add address=192.168.1.49  mac-address=x server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.58.61.254,80.58.61.250 gateway=192.168.1.1 netmask=24
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip firewall filter
add action=drop chain=input comment="ROUTER PROTECTION.Drop Invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow connections to router itself only from our local network" \
    dst-port="" in-interface=!ether1-gateway protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="CUSTOMER PROTECTION. Drop invalid connections" connection-state=\
    invalid protocol=tcp
add action=accept chain=forward comment="Allow already established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=\
    vlan2 protocol=udp to-addresses=192.168.1.200
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=221
set api disabled=yes
set winbox address=192.168.1.50/32 port=8291
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=bridge1-ISP type=internal
add interface=pppoe-out1 type=external
Rgds
 
mkx
Forum Guru
Forum Guru
Posts: 2944
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 4:03 pm

I don't know what exactly you mean by "I must have stopped the ipTV service" ... but you don't have a DHCP server running on LAN2 - you don't have a corresponding /ip dhcp-server network nor /ip dhcp-server ...
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 9:17 pm

Hi, I reverted to the previous firewall I had and it works.
After changing the firewall something has an effect on vlan2 and 192.168.1.200 (the deco has this static ip).
You mentioned:
you don't have corresponding /ip dhcp-server network nor /ip dhcp-server ...
.

Maybe I don't understand you but I think I do have the network:
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \
    netmask=24
and no need for a dhcp-server since it is a static ip (192.168.1.200).

I can ping 192.168.1.200 from the router.

I have masquerade and nat in vlan2:
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=dst-nat chain=dstnat comment=VOD dst-address-type=local in-interface=vlan2 protocol=udp to-addresses=192.168.1.200

Maybe this is blocking it?
add action=accept chain=input comment="Allow connections to router itself only from our local network" in-interface=!ether1-gateway \
    protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else"
This is the one I had before and tried this afternoon, and worked:
/ip firewall filter
add action=fasttrack-connection chain=forward
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add action=drop chain=forward dst-address=192.168.1.0/24 in-interface=bridge1-ISP out-interface=bridge2 src-address=172.16.24.0/24
add action=drop chain=forward dst-address=172.16.24.0/24 in-interface=bridge2 out-interface=bridge1-ISP src-address=192.168.1.0/24
add action=drop chain=forward disabled=yes in-interface=bridge2 out-interface=bridge1-ISP
add action=drop chain=forward disabled=yes in-interface=bridge1-ISP out-interface=bridge2
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=iptv out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=dst-nat chain=dstnat comment=VOD dst-address=10.133.225.0 dst-address-list="" in-interface=vlan2 protocol=udp to-addresses=192.168.1.200
I wish you could see something here. I am lost. Don't really want to go back to the original fw.
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 9:46 pm

Ahhh, Luka you have discovered what I like to call the mkx infinite loop. It's a phenomenon that often occurs. The OP slowly goes mad and ends up throwing his device against the wall at high velocity. It doesn't fix the configuration at all but it feels really really good at the time.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 9:51 pm

Ahhh, Luka you have discovered what I like to call the mkx infinite loop. It's a phenomenon that often occurs. The OP slowly goes mad and ends up throwing his device against the wall at high velocity. It doesn't fix the configuration at all but it feels really really good at the time.
That's a perfect definition :lol:
Thx GOD I can still revert to the original FW.

Anyway, I am sure it must be a little thing that I just can't discover ... maybe if I add the log someone gets inspiration...
Last edited by luka3 on Thu Aug 01, 2019 12:45 pm, edited 1 time in total.
 
mkx
Forum Guru
Forum Guru
Posts: 2944
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 10:18 pm

Sigh ...
You mentioned:
you don't have corresponding /ip dhcp-server network nor /ip dhcp-server ...
.

Maybe I don't understand you but I think I do have the network:
add address=192.168.1.200/30 dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 \
    netmask=24
and no need for a dhcp-server since it is a static ip (192.168.1.200).

I was talking about LAN2 ... where router's got address 172.16.24.1/24

Anyway, sometimes I do notice that my well-meant advice and comments are not welcome.

Have fun with @anav.
BR,
Metod
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other

Mon Jul 22, 2019 10:59 pm

Mkx, don't let anav disturb you.

I am the one who is stuck and due to my limited knowledge even more.

Everything is there:

/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge2 name=dhcp2

add name=dhcp_pool2 ranges=172.16.24.100-172.16.24.119

/ip dhcp-server network
add address=172.16.24.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.24.1 netmask=24
 
anav
Forum Guru
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1wan + 2 lan isolated from each other

Tue Jul 23, 2019 12:07 am

I stepped back a long time ago on this thread MKX because you are more patient and more thorough and there was no point in confusing the OP with my fixation on vlans...
Don't let humour get in the way of a solution LoL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
luka3
newbie
Topic Author
Posts: 37
Joined: Thu Jul 04, 2019 6:34 pm

Re: 1wan + 2 lan isolated from each other[Solved]

Thu Aug 01, 2019 1:03 pm

After some testing I isolated successfully:

>the AP and its clients by using the proprietary function included in Unify ("guest isolation"). I tried what mkx proposed in POST#7 but isolation still did not work.

>a second subnet: following mkx and stoser advice in POST#7 and POST#23 and assigning a second subnet to specific clients, then adding this simple rule did the trick:
/ip firewall filter
add action=drop chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24
None of these clients can ping each other nor the other subnet.

Thx for support guys!
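For readers landing on this thread with the same goal, here is a complete RouterOS fragment that does what mkx described (a second bridge with its own DHCP server, and forward-chain drops between the two bridges) and also addresses two points visible in the exports posted above: the original firewall's input chain has no final drop, so anything arriving on vlan2, vlan3 or bridge2 that is not from pppoe-out1 reaches the router's services, while the "new FW" input chain admits only TCP from 192.168.1.0/24, so non-TCP traffic such as UDP or IGMP from the decoder never reaches the router, and its forward chain drops every packet to 224.0.0.0/3, which discards any multicast stream (the option_para_deco value points at 239.0.2.10 and 239.0.2.30, which are multicast addresses). This is an added example, not the thread's own configuration. Interface names (bridge1-ISP, bridge2, pppoe-out1, vlan2, vlan3, ether1-gateway), the two subnets and the decoder at 192.168.1.200 are taken from the exports; the interface-list names, the LAN2 DNS servers and the lines marked ASSUMPTION (IGMP and multicast handling, which the exports in this section do not show) are assumptions and should be dropped if the IPTV service is unicast.

```routeros
# Added example, not the thread's own config. Names and subnets from the exports above;
# interface lists, LAN2 DNS and the ASSUMPTION lines are assumptions.

# 1. Interface lists: rules then name roles instead of individual interfaces
/interface list
add name=WAN
add name=LAN1
add name=LAN2
/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan2 list=WAN
add interface=vlan3 list=WAN
add interface=ether1-gateway list=WAN
add interface=bridge1-ISP list=LAN1
add interface=bridge2 list=LAN2

# 2. LAN2 needs pool, server AND network entry (the "new FW" export had only the pool)
/ip pool
add name=pool2 ranges=172.16.24.100-172.16.24.119
/ip dhcp-server
add address-pool=pool2 disabled=no interface=bridge2 name=dhcp2
/ip dhcp-server network
add address=172.16.24.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.24.1 netmask=24

# 3. Input chain: router management from LAN1 only, explicit final drop
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to router-originated traffic"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN1 comment="LAN1: winbox/ssh (still limited by /ip service), DNS over udp and tcp, DHCP"
add chain=input action=accept in-interface-list=LAN2 protocol=udp dst-port=53,67 comment="LAN2: router DNS and DHCP only, no management"
add chain=input action=accept in-interface=vlan2 protocol=igmp comment="ASSUMPTION: only needed if IPTV uses igmp-proxy on vlan2"
add chain=input action=accept in-interface-list=LAN1 protocol=igmp comment="ASSUMPTION: decoder IGMP joins towards the proxy"
add chain=input action=drop comment="everything else: WAN, vlan2/vlan3 and LAN2 attempts on ssh/winbox"

# 4. Forward chain: isolation before anything can become established, then per-segment egress
add chain=forward action=drop in-interface-list=LAN2 out-interface-list=LAN1 comment="AP/guest segment cannot reach LAN1"
add chain=forward action=drop in-interface-list=LAN1 out-interface-list=LAN2 comment="LAN1 cannot reach AP/guest segment"
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN1 out-interface-list=WAN comment="LAN1: Internet, IPTV and VoIP VLANs"
add chain=forward action=accept in-interface-list=LAN2 out-interface=pppoe-out1 comment="AP/guest segment: Internet only"
add chain=forward action=accept in-interface=vlan2 protocol=udp dst-address=192.168.1.200 comment="VOD flow that the existing dstnat rule sends to the decoder"
add chain=forward action=accept in-interface=vlan2 dst-address=224.0.0.0/4 comment="ASSUMPTION: multicast IPTV stream; remove if IPTV is unicast"
add chain=forward action=drop comment="everything else"
```

Two things to check after pasting this: `/ip firewall filter print stats` should show the two isolation drops counting when a LAN2 client pings 192.168.1.1's neighbours (the router itself still answers ICMP from LAN2 because of the input accept), and the final input drop counter should stay at zero for addresses in 192.168.1.0/24. Because the drops are keyed on interface lists rather than on src/dst address pairs, a client that sets a static address outside 172.16.24.0/24 on bridge2 is still blocked, which is the gap the address-matched rules in the earlier export left open.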
