Traffic between two LANs

Sharkboy221133 · Tue Nov 09, 2021 8:36 am

Sample config =>
IPS1(ppoe) => LAN1
ISP2(ppoe2) => LAN2

LAN1 clients go through ISP1 only and LAN2 through ISP2

But when i try to ping lan1 client from lan2 or vice versa, nothing works.
Can you help me figure it out?

# jan/02/1970 09:49:11 by RouterOS 6.49
# software id = 342Z-DE8Y
#
# model = RB760iGS
# serial number = E1F10D0B5C2B
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan1
set [ find default-name=ether2 ] name=ether2-wan2
/interface pppoe-client
add disabled=no interface=ether1-wan1 name=pppoe-amigo
add disabled=no interface=ether2-wan2 name=pppoe-byfly
/ip pool
add name=dhcp-amigo ranges=10.0.0.2-10.0.0.254
add name=dhcp-byfly ranges=10.0.1.2-10.0.1.254
/ip dhcp-server
add address-pool=dhcp-byfly disabled=no interface=ether3 name=dhcp-byfly
add address-pool=dhcp-amigo disabled=no interface=ether5 name=dhcp-amigo
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip address
add address=10.0.0.1/24 interface=ether5 network=10.0.0.0
add address=10.0.1.1/24 interface=ether3 network=10.0.1.0
/ip dhcp-server lease
add address=10.0.1.242 client-id=1:52:3e:aa:f1:41:14 mac-address=52:3E:AA:F1:41:14 server=dhcp-byfly
add address=10.0.1.241 client-id=1:52:3e:aa:f2:ea:3d mac-address=52:3E:AA:F2:EA:3D server=dhcp-byfly
add address=10.0.0.2 client-id=1:50:3e:aa:6:df:a7 mac-address=50:3E:AA:06:DF:A7 server=dhcp-amigo
add address=10.0.1.9 client-id=1:50:3e:aa:6:df:a7 mac-address=50:3E:AA:06:DF:A7 server=dhcp-byfly
add address=10.0.0.4 client-id=1:52:3e:aa:f1:41:14 mac-address=52:3E:AA:F1:41:14 server=dhcp-amigo
add address=10.0.0.5 client-id=1:52:3e:aa:f2:ea:3d mac-address=52:3E:AA:F2:EA:3D server=dhcp-amigo
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1
add address=10.0.1.0/24 dns-server=1.1.1.1 gateway=10.0.1.1
/ip firewall filter
add action=accept chain=forward dst-address=10.0.1.0/24 src-address=10.0.0.0/24
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=10.0.1.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=LAN1 passthrough=yes src-address=10.0.0.0/24
add action=mark-routing chain=prerouting new-routing-mark=LAN2 passthrough=yes src-address=10.0.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat out-interface=ether5
add action=masquerade chain=srcnat out-interface=pppoe-amigo protocol=tcp
add action=masquerade chain=srcnat out-interface=pppoe-byfly
add action=dst-nat chain=dstnat in-interface=pppoe-byfly protocol=tcp to-addresses=10.0.1.241 to-ports=36100
/ip route
add distance=1 gateway=pppoe-amigo routing-mark=LAN1
add distance=1 gateway=pppoe-byfly routing-mark=LAN2
add distance=1 dst-address=10.0.0.0/24 gateway=ether3
add distance=1 dst-address=10.0.1.0/24 gateway=ether5
/system routerboard settings
set auto-upgrade=yes silent-boot=yes

anav · Sun Nov 14, 2021 6:22 pm

(1) I am confused by this rule and suggest you get rid of it.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

First, you are not even using a bridge and secondly only under rare circumstances would one contemplate using ip firewall settings in the bridge.
Stick to the MAIN IP firewall settings.

(2) If this device is connected to a modem, disconnect it right away as you have little to no firewall protection.

(3) You dont need the firewall rules you do have because there is nothing blocking LAN to LAN traffic,
as I said your firewall rules are sheite right now.
Put in the default settings..................... and you will be good to go.

(4) Your NAT rules need some modification.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3 REMOVE
add action=masquerade chain=srcnat out-interface=ether5 REMOVE
add action=masquerade chain=srcnat out-interface=pppoe-amigo protocol=tcp
add action=masquerade chain=srcnat out-interface=pppoe-byfly
add action=dst-nat chain=dstnat in-interface=pppoe-byfly protocol=tcp \
dst-port=36100 to-addresses=10.0.1.241 to-ports=36100

Missing the destination port. If there is no port translation, then you dont need TO-Port setting as thus green (optional)

(5) IP ROUTES PART 1
/ip route
add distance=1 gateway=pppoe-amigo routing-mark=LAN1
add distance=1 gateway=pppoe-byfly routing-mark=LAN2
add distance=1 dst-address=10.0.0.0/24 gateway=ether3 REMOVE
add distance=1 dst-address=10.0.1.0/24 gateway=ether5 REMOVE

NOW RETRY your tests!!!

++++++++++++++++++++++++++++++++++++++++++

IP ROUTES PART 2

(6) You dont need to mangle and thus can still have the advantages of fast track (if you have them - come with default firewall rules)
Not even sure the mangling your doing would actually work........... or is that efficient, most mangles mark the first connection and then route mark off the connection mark.

Thus Recommend the Following.
Remove routing automatically via the PPOE settings so that you can see everything in the config (otherwise hidden).
/ip route
add distance=1 gateway=pppoe-amigo {basic route required} note when adding basic routes in winbox the dst address is 0.0.0.0/0
add distance=1 gateway=pppoe-byfly {basic route required}
add distance=1 gateway=pppoe-amigo routing-mark=USEWAN1
add distance=1 gateway=pppoe-byfly routing-mark=USEWAN2

Route Rule 1
source = 10.0.0.0/24
action= Lookup-only-in-table
table = USEWAN1

Route Rule 2
source= 10.0.1.0/24
action= Lookup-only-in table
table = USEWAN2

Traffic between two LANs

Traffic between two LANs

Re: Traffic between two LANs

Who is online