Community discussions

MikroTik App
 
deepsy
just joined
Topic Author
Posts: 1
Joined: Fri Oct 15, 2021 10:06 pm

Accessing device from another subnet

Sat Oct 16, 2021 12:24 am

Hello.
I've been struggling for the past few days to set up my home network with my Mikrotik hAP ac3.
What I want to accomplish is the following:

- wireless interfaces (wlan1, wlan2) are separated and they don't have access to ether3/4/5
- ether3/4/5 are separated and they don't have access to wi/fi
- ether2 should be accessible from both the wireless network and ether3/4/5 network (I want to host my DNS server with pi-hole here).

All of the above should have access to the internet.

So far I managed to create 2 bridges - 1 for wifi, 1 for ether3/4/5, added DHCP servers, IP pools, network addresses - both have internet access and work. I was planning to add the third bridge for the ether2 (pi-hole), but for testing purposes, I assigned ether 2 to the wifi bridge and added routes in IP/Routes (see image). In the IP->ARP I'm seeing that the IP assignment is successful, but I'm not able to reach the pi-hole (wi-fi bridge) from ether3 (ether3/4/5 bridge). What am I doing wrong? Is there a better way to do what I'm trying to do?

Image

Here's my config:
/interface bridge
add admin-mac=08:55:31:FD:FE:EF auto-mac=no comment=defconf name=bridge
add name=bridge-wifi
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=Venera wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=Venera wireless-protocol=802.11
/interface vlan
add interface=wlan1 name=vlan-private vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=08874541551 \
    wpa2-pre-shared-key=08874541551
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=wifi-pool next-pool=dhcp ranges=192.168.89.100-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=wifi-pool disabled=no interface=bridge-wifi name=wifi-dhcp
/interface bridge port
add bridge=bridge-wifi comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge-wifi comment=defconf interface=wlan1
add bridge=bridge-wifi comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge-wifi list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.89.1/24 interface=bridge-wifi network=192.168.89.0
/ip arp
add address=192.168.88.253 interface=bridge mac-address=A0:BD:1D:E7:B0:A6
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 gateway=192.168.89.1 netmask=2
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward in-interface=bridge-wifi out-interface=bridge
add action=accept chain=forward in-interface=bridge out-interface=bridge-wifi
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=bridge-wifi pref-src=\
    192.168.89.1
add distance=1 dst-address=192.168.89.0/24 gateway=bridge pref-src=\
    192.168.89.1
/system clock
set time-zone-name=Europe/Sofia

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Who is online

Users browsing this forum: abdulschizo, ACHim, chrisk, DimoSK, mike7, RiStaR and 80 guests