1maicv
just joined
Topic Author
Posts: 4
Joined: Thu Dec 12, 2019 9:36 am

port outside bridge

Fri Dec 10, 2021 4:17 pm

Hi,
to simplify things, let's say I have bridge1 with ports 1,2, DHCP, 192.168.1.0/24 and bridge2 with ports 3,4, DHCP, 192.168.1.0/24 - same subnets, no mistake.
On port 5 I have one printer, static IP, 192.168.1.200.

How can I access this printer from both bridges? I tried forward rules but without success.

Thanks,
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: port outside bridge

Fri Dec 10, 2021 6:23 pm

Having multiple networks on a router with the same IP range
is always going to be a PAIN in the A**!

Is it really necessary?
If yes, may I also know why? (just curious)


I think it's possible to "mark" via Mangle
so the Router/Switch knows from which "Bridge"
a request came from...

I need to Test it...
Last edited by ConnyMercier on Fri Dec 10, 2021 9:17 pm, edited 1 time in total.
 
1maicv
just joined
Topic Author
Posts: 4
Joined: Thu Dec 12, 2019 9:36 am

Re: port outside bridge

Fri Dec 10, 2021 6:54 pm

Please,
two commercial companies that have so far shared an office floor and a subnet have separated, now each with its own ISP, with its own router, and both kept the same subnet to avoid reconfiguring certain equipment and software.

The printer has remained common and must be accessed by both parties.

I cannot set firewall rules in order to drop DHCP and limit the destination only to that printer IP, because rules are set per bridge, not per port.
Another idea is to create another bridge with 3 ports - one from each bridge and this printer IP - but again, firewall rules do not help me at all.
 
bpwl
Forum Guru
Posts: 2994
Joined: Mon Apr 08, 2019 1:16 am

Re: port outside bridge

Fri Dec 10, 2021 6:57 pm

no mistake
You mean, by design, but I'm afraid it is a mistake.

3 networks with the same range/subnet cannot communicate over a router (L3), as all members will always try to communicate directly for the same subnet (L2) and not via the router.
You can try to fool that basic network rule by fiddling with proxy-arp and/or hairpin NAT. Experiments required.

- L2 - With proxy ARP you make the router answer with its own MAC address on the ARP request (as part of the direct L2 communication) for some device on the other network. That "direct" communication will then be sent to the router (MAC).

- L3 - hairpin will NAT/masquerade the communication initiator as an off-range IP address from the router. The answer will return via the router.

If it is one address range, why is it split by the router???
You could have identical addresses in bridge1 and bridge2. How to know who's talking to the printer?

If you like to have them look similar, e.g. the 192.168.1.0 network, then split up the range in 3 parts and make it 3 smaller networks.

Another option is to change the port 5 and printer IP address, and dstNAT/masquerade the connection from bridge1 and bridge2 devices to the printer.
Ideas like this: viewtopic.php?t=119134
 
bpwl
Forum Guru
Posts: 2994
Joined: Mon Apr 08, 2019 1:16 am

Re: port outside bridge

Fri Dec 10, 2021 7:08 pm

Two commercial companies that have so far shared an office floor and a subnet have separated,now each with its own ISP, with its own router and both kept the same subnet to avoid to reconfigure certain equipment and software.
OK. But I think you should make them have different IP ranges while passing your router, so you can route and filter traffic as you want. Then NAT before sending out, as in viewtopic.php?t=119134
Marking traffic based on the bridge where it comes from, like the "routing marks" used for load balancing, could also help. (Just an idea)
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: port outside bridge

Fri Dec 10, 2021 10:27 pm

Ok... This is how I solved it in the LAB (step by step):

Step 1: Create Bridges
/interface bridge
add comment="Office A" name=bridge1
add comment="Office B" name=bridge2
add comment="Printer" name=bridge3

Step 2: Assign IP Addresses
# the router takes over the printer's old address on both office bridges,
# so clients keep sending print jobs to 192.168.1.200
/ip address
add address=192.168.1.200/24 interface=bridge1 network=192.168.1.0
add address=192.168.1.200/24 interface=bridge2 network=192.168.1.0
add address=10.10.10.1/24 interface=bridge3 network=10.10.10.0

Step 3: Create Printer Network
/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.10
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge3 name=dhcp1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes

Step 4: Assign Static DHCP Lease for Printer
/ip dhcp-server lease
add address=10.10.10.10 client-id="c2:0:2:0:0:ab:11" mac-address=DC:A6:35:12:BF:4C server=dhcp1

Step 5: Create Routing
# one route per office, selected by routing mark, so replies from the
# printer leave through the bridge the request came in on
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=bridge1 routing-mark=toOfficeA
add distance=1 dst-address=192.168.1.0/24 gateway=bridge2 routing-mark=toOfficeB

Step 6: Mangle
# mark each new connection by the bridge it entered on, then give every
# packet of that connection the matching routing mark
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=bridge1 new-connection-mark=CMarkOfficeA passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=bridge2 new-connection-mark=CMarkOfficeB passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CMarkOfficeA new-routing-mark=toOfficeA passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CMarkOfficeB new-routing-mark=toOfficeB passthrough=yes

Step 7: NAT
# everything that hits 192.168.1.200 on an office bridge is redirected to the printer
/ip firewall nat
add action=dst-nat chain=dstnat comment="Forward all traffic from OfficeA to 10.10.10.10" in-interface=bridge1 to-addresses=10.10.10.10
add action=dst-nat chain=dstnat comment="Forward all traffic from OfficeB to 10.10.10.10" in-interface=bridge2 to-addresses=10.10.10.10
add action=masquerade chain=srcnat comment="NAT/Masquerade"

Step 8: Assign Interfaces to Bridges

Interfaces assigned to bridge1 and bridge2
won't be able to connect to the Router !!!
Be careful not to lock yourself out !
 
1maicv
just joined
Topic Author
Posts: 4
Joined: Thu Dec 12, 2019 9:36 am

Re: port outside bridge

Fri Dec 10, 2021 11:18 pm

Thanks,
[attachment: Capture.JPG]
Really appreciate your effort.
I hope it is clearer now. I will connect these 2 networks at L2 through a cable so that those in Office A can print on the printer 192.168.1.200.

There are 3 problems to fight:
- no DHCP from Office A to Office B
- traffic from Office A goes only to this printer
- traffic from Office B does not go to Office A at all

Inspired by your solution, I am thinking of making another bridge with 1 port, eth2, with the cable from Office A, and adding rules to drop DHCP (UDP 67) in and out of that bridge.
But how will I join/filter destinations from this new bridge to the existing bridge1?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: port outside bridge

Sat Dec 11, 2021 12:27 am

That's too difficult with too many possible problems. Simple and safe solution is:

- remove ether2 from bridge and make it separate port
- ask Office A for 192.168.1.X address that they definitely won't use in their network
- add point to point link to printer:
/ip address
add interface=ether2 address=192.168.1.X/32 network=192.168.1.200
- make printer's address visible in Office B:
/ip arp
add address=192.168.1.200 interface=bridge published=yes
- use srcnat to make connections to printer work:
/ip firewall nat
add chain=srcnat dst-address=192.168.1.200 action=masquerade
- tweak your firewall to allow connections from bridge1 to ether2, and block the opposite direction (depends on what you have now)
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port outside bridge

Sat Dec 11, 2021 2:54 am

That's all well and good, but what does each rule actually do?

(1) Removing ethernet2 from the bridge is to isolate the traffic connection from the fortinet, from office b bridge users........
(2) Ask Fortinet for a free not to be used address and it goes only to ether2 where the printer is hooked up.
(3) Assign ethernet2 the IP address from the fortinet, and here is the part that befuddles me.... a network of 192.168.1.200
What does that in effect do, as you are providing a network IP that is actually the IP of the printer ????

(4) The arp command, what is that telling the router to do,,,,,,,,,, it seems like you are saying that the printer is visible to the bridge users (is that L2, like a switch?)

(5) SRC NAT rule, is that for office A users or Office B users, how is that rule going to work??

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Assuming office A workers when printing will be looking for 192.168.1.200 BUT ether2 uses a different IP (but network of 192.168.1.200 ???)
What will be the result.

MT firewall rules.......
Due to the ARP rule assuming no issues office B users reaching the printer.....

Probably need a firewall rule to allow office A users to reach printer??
In-interface=ether2 dst-address= ????????????

how do you stop Office B users from reaching fortinet???
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: port outside bridge

Sat Dec 11, 2021 11:53 am

Welcome, I expected you to show up. :D

(1) You don't want the networks directly connected, simple.

(2) Router needs some address for itself in Office A, and you need to make sure that it won't conflict with anything else, e.g. Office A's dhcp won't assign it to some other device.

(3) It's point to point addressing. Normally when used, you have:
/ip address add address=<local address>/32 network=<remote address> interface=<interface>
And other side has the same, only with swapped addresses. Those addresses don't need to be related in any way, you can have e.g. 192.168.12.34 as one and 10.11.12.13 as the other, and it works. Other OSes also support it, Linux has:
ip addr add <local address> peer <remote address> dev <interface>
Even non-ancient Windows (Vista and up) can use an address with a 255.255.255.255 mask and the remote address as gateway.

In this case you need it only for communication between router and printer, because you don't need to access anything else in Office A. It doesn't matter that printer has regular /24 mask, it will still work, the important part is that both devices will respond to each other's ARP requests, and they will.

(4) It's simple proxy ARP, only not for whole interface, but only for single address.

(5) It will make all requests from Office B to printer look like they come from router (that one address from (2)).

-

- Both offices will use printer with 192.168.1.200.

- Firewall changes depend on what's there now. If it's default-deny, then it needs a new rule to allow access from Office B (bridge1) to the printer (ether2). If it's default-allow, it will work, but it's a good idea to block new connections from Office A (ether2) to Office B (bridge1). There isn't any big danger, because bidirectional communication would work only from the printer's address anyway, but why not do it properly when it's easy.

- The only address in Office A reachable from Office B is the printer's; there's no route for others. And that's the whole point of this: to avoid having the same /24 subnets on two interfaces, which is problematic. And not only technically (how to make the router deal with it) but also administratively (to not have to worry about address overlaps).
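Sob's design collected into one RouterOS script, with the forward-filter rules that the last bullet of the earlier post leaves to the reader written out. This is an added example, not Sob's or MikroTik's code; it assumes the names used in this thread (bridge1 = Office B LAN, ether2 = the un-bridged port toward the printer) and uses 192.168.1.X as a placeholder for the router address Office A reserves, which must be replaced before use.

```routeros
# Added example (not from the thread). Assumptions: bridge1 = Office B LAN,
# ether2 = routed port toward Office A / printer, 192.168.1.X = placeholder
# for the address Office A reserved for this router.

# 1. Take ether2 out of the bridge: the two offices stop sharing one
#    broadcast domain, so Office A's DHCP offers never reach Office B.
/interface bridge port
remove [find interface=ether2]

# 2. Point-to-point address toward the printer (local/32, peer = printer).
/ip address
add interface=ether2 address=192.168.1.X/32 network=192.168.1.200 comment="p2p to printer"

# 3. Answer ARP for the printer's address on the Office B side only
#    (proxy ARP for a single host, not the whole interface).
/ip arp
add address=192.168.1.200 interface=bridge1 published=yes comment="printer visible in Office B"

# 4. Office B hosts appear to the printer as the router's Office A address,
#    so the printer's replies always come back to the router.
/ip firewall nat
add chain=srcnat out-interface=ether2 dst-address=192.168.1.200 action=masquerade comment="Office B -> printer"

# 5. Forward filter: only Office B -> printer may open a connection;
#    nothing arriving on ether2 may initiate toward Office B.
#    Place these above any existing catch-all drop in chain=forward.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to allowed connections"
add chain=forward in-interface=bridge1 out-interface=ether2 dst-address=192.168.1.200 action=accept comment="Office B -> printer only"
add chain=forward in-interface=ether2 action=drop comment="Office A side may not initiate"

# Checks: the published ARP entry exists and printer traffic is being tracked/NATed.
/ip arp print where published=yes
/ip firewall connection print where dst-address~"192.168.1.200"
```

The DHCP separation the original poster asked for comes from step 1, not from a filter rule: once ether2 is a routed port, Office A's broadcasts end there. The explicit drop in step 5 is belt-and-braces, since without a route back into Office A nothing there can reach Office B anyway, but it also stops a host in Office A that spoofs 192.168.1.200 from riding the established-state rule into Office B.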
