minigatts
just joined
Topic Author
Posts: 2
Joined: Tue Nov 01, 2022 3:07 pm

Advice for using hEX lite to access multiple subnets from one PC

Tue Nov 01, 2022 5:28 pm

Hi All,

I've been messing with a problem for a couple of days, and have been through the forums here as well as the wiki looking for examples for how to do what I am trying to do - but I am kind of stuck, and am hoping someone can point me in the right direction.

I'm VERY new to networking; until this, probably the most complicated thing I'd ever had to do was change my IP4 address on my Ethernet adapter in Windows to match a device so I could read from it. Apologies in advance if I misuse any terminology here.

I'm not sure how much detail is needed, but here are the basics of my 'problem'.

I have three different types of field data acquisition systems (DAS), and each type has an IP address in a specific range and I want to be able to communicate with all of them from a laptop with a single ethernet port.
[Attachment: Network Diagram.jpg]
So, on a given job I might have three data acquisition systems streaming simultaneously, but only one of each type - never multiples.
DAS 1 : 192.168.8.10
DAS 2 : 10.1.10.15
DAS 3 : 192.168.5.103

I've been trying to follow the examples from this highly recommended thread...
viewtopic.php?t=143620

But so far haven't been able to get anything to work.

I've also looked at this section of the Wiki and tried to follow the examples there.
https://help.mikrotik.com/docs/display/ ... +switching

Likewise, no luck. I haven't been able to successfully 'ping' any of the data source devices on ether3, 4, or 5.

Am I on the right track here thinking this needs to be set up as a VLAN? Or am I barking up the wrong tree? Really just looking for someone to point me in the right direction here.

Thanks in advance!
 
minigatts
just joined
Topic Author
Posts: 2
Joined: Tue Nov 01, 2022 3:07 pm

Re: Advice for using hEX lite to access multiple subnets from one PC

Tue Nov 01, 2022 8:06 pm

I may have gotten it working, actually.

I found some other posts that just used routing to do what I wanted, and dispensed with the VLAN stuff completely.

This seems to be working for me.
/interface bridge
add name=bridge1

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=pool1 ranges=192.168.88.10-192.168.88.240

/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge1 name=server1

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

/ip address
add address=192.168.8.1/24 interface=bridge1 network=192.168.8.0
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=10.1.10.1/24 interface=bridge1 network=10.1.10.0
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=bridge1

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1 netmask=8

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip route
add distance=1 dst-address=10.1.10.0/24 gateway=192.168.88.3
add distance=1 dst-address=192.168.8.0/24 gateway=192.168.88.2
Last edited by BartoszP on Tue Nov 01, 2022 9:37 pm, edited 1 time in total.
Reason: Use proper tags to make posts more readable
 
anav
Forum Guru
Posts: 19251
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advice for using hEX lite to access multiple subnets from one PC

Wed Nov 02, 2022 12:15 am

Well, the way I would do it is one bridge,
four vlans, one trusted that my laptop belongs to.
One for each subnet and thus datastream.

By firewall rules, the streams would only have access to the internet supposing they need it.
Only your pc on the trusted subnet/vlan would have access to the other 3 vlans.
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Advice for using hEX lite to access multiple subnets from one PC  [SOLVED]

Wed Nov 02, 2022 6:55 am

@minigatts What you have, while it may "work", is not "best practice".

Copy/paste without understanding is not a good solution, in my opinion. It leads to Frankenstein Chimera configs.

What you have is a single "broadcast domain" with the hEX lite's bridge (named bridge1) interface having 4 ip addresses/subnets defined. So there is no real separation between the devices connected to the hEX lite.

Whether this is a "good enough" config is up to you. If there is no outside access (i.e. the 4 devices are all on an "island by themselves" without any communication with anything off the island), then it probably isn't a security issue, but if you ever plan to have the hEX connected to something with internet access, you will need to modify the config significantly to make it safe.

What is your goal? To get something "working" in a standalone environment and never touch it again, or is this a prototype for what you plan to deploy in other cases? If that's the case, then you should probably commit to learning more about networking, or hire someone to create your template config with good documentation on what needs to be adjusted when moving to a new environment.

In your case, I don't see any advantage in using vlans. @anav is a generalist, and has a general solution that works in many different cases, but that does not mean it is the best solution for those cases. An analogy would be that he prefers to use an adjustable end wrench instead of having to buy individual fixed size wrenches. Both have advantages/disadvantages.

In your case, I would remove the ports from the bridge device and configure the individual ports with a single ip address each. Then the devices attached to the hEX won't see each other's broadcast packets, and it would be possible to use the firewall in the hEX to enforce separation of the DAS devices.

But maybe your solution is "good enough" for your needs. I doubt the DAS systems generate much data, and they can coexist on the same broadcast domain without interfering with each other as long as they have their ip addresses statically assigned, and they are not in the same network. One thing that will not work in your configuration is trying to get dhcp to work, as if you connect a PC configured to obtain an IP address to any of the bridge ports, it will get an ip address from the 192.168.88.0/24 subnet.

Networking is more complex than most people realize, because a lot of the complexity is hidden from them due to dhcp auto configuration. But dhcp has its own set of assumptions, one being that there will be only one subnet per broadcast domain (in the simple case), or more complex rules that assume something about the mac (ethernet) addresses.

If you do want to learn about networking, [url=https://www.practicalnetworking.net/ind ... -internet/]this[/url] is a good starting point that will provide the foundation to build on.
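
The per-port layout described in the reply above, sketched as an added RouterOS example; it is not from any post in this thread. It starts from the config posted earlier and assumes port roles the thread does not state: ether2 is the laptop, ether3 is DAS 1, ether4 is DAS 2, ether5 is DAS 3, and ether1 stays the uplink.

```routeros
# Added example (assumed port roles: ether2 = laptop, ether3/4/5 = DAS 1/2/3).
# Paste from a MAC WinBox session: IP access through bridge1 drops midway.

# Take the ports out of the bridge so each port is its own broadcast domain
/interface bridge port
remove [find bridge=bridge1]

# Clear everything that was stacked on bridge1
/ip address
remove [find interface=bridge1]
/ip dhcp-client
remove [find interface=bridge1]

# The two static routes duplicate subnets that become directly connected
/ip route
remove [find gateway=192.168.88.3]
remove [find gateway=192.168.88.2]

# One subnet per port, using the router addresses from the posted config
/ip address
add address=192.168.88.1/24 interface=ether2 comment="laptop"
add address=192.168.8.1/24 interface=ether3 comment="DAS 1"
add address=10.1.10.1/24 interface=ether4 comment="DAS 2"
add address=192.168.5.1/24 interface=ether5 comment="DAS 3"

# DHCP now answers only on the laptop port
/ip dhcp-server
set [find name=server1] interface=ether2

# Group the DAS ports so the firewall rules stay short
/interface list
add name=DAS
/interface list member
add list=DAS interface=ether3
add list=DAS interface=ether4
add list=DAS interface=ether5

# Laptop may open connections to any DAS; DAS ports may only reply
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies"
add chain=forward action=accept in-interface=ether2 out-interface-list=DAS comment="laptop to DAS"
add chain=forward action=drop in-interface-list=DAS comment="DAS may not initiate"
```

Each DAS needs the router address on its port set as its gateway so replies can reach the laptop's subnet. If a DAS pushes its stream to the laptop rather than being polled, an accept rule for that port has to sit above the final drop.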
