larrybml
just joined
Topic Author
Posts: 13
Joined: Sun Dec 22, 2019 6:46 pm

Need your help with RB750r2

Thu Nov 10, 2022 12:39 pm

Hello guys, I need your help. I have an RB750r2 and I want to use it for some simple tasks, but I don't know where to start; maybe someone is kind enough to help me a little.
So I need something like this: a DHCP server on any port from 2 to 5 for network 192.168.0.0/24, gateway x.x.0.1 (this I know how to set), and all traffic to be routed on port 1, which is connected to another router that has IP 192.168.0.1. And also I want to do some filtering between eth 1 and 2, like all connections not started by eth 2 clients to be dropped.
Can it be done?

Also attached a picture with something that I want to achieve:
Network.jpg
Thank you in advance.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need your help with RB750r2

Thu Nov 10, 2022 1:19 pm

Routing between two networks with same IP subnet is next to impossible. Not categorically impossible (it can be done with plenty of tricks), but almost.

So you have two possibilities:
  1. if your LAN (the network behind port2) really has to have subnet address 192.168.0.0/24, then you can bridge both ports together. But that also means you must not run your own DHCP server; the WAN side has to provide it. You can still use the firewall if you configure the bridge to use ip firewall and you disable HW offload on bridge port1 (to make sure traffic to/from WAN passes the software path), but you have to disable NAT.
    This option converts your router into a fancy switch (the fancy part is that it runs a stateful firewall between different parts of the same IP subnet).
  2. if your LAN devices are not that sensible when it comes to IP subnet, then use a different IP subnet address on the LAN side (192.168.y.0/24 where y is anything between 1 and 255). In this case you configure your router as normal (with DHCP server for LAN side, NAT and whatnot).

The alternative would be to use different subnet masks on the left and right side (thus dividing 192.168.0.0/24 into two halves). So you'd use address 192.168.0.x/25 on the WAN interface (where x is anything between 2 and 62). And you'd use address 192.168.0.y/25 on the LAN interface, where y is anything between 65 and 254 ... make sure the DHCP address pool fits and that you use a subnet mask of /25 everywhere. The feasibility depends on what the WAN network looks like (can you affect selection of the IP address for the WAN side of your router so that it fits into the /25 subnet?) and whether your LAN hosts need connectivity towards the upper half of 192.168.0.0/24 on the WAN side.
If IP subnets can be arranged this way, then this alternative effectively becomes option #2 above.
 
larrybml
just joined
Topic Author
Posts: 13
Joined: Sun Dec 22, 2019 6:46 pm

Re: Need your help with RB750r2

Thu Nov 10, 2022 1:50 pm

First I want to thank you for fast answer.
The problem is that I have a class of IPs (/24) in a building that has its gw through that 0.1, which is on an interface of a Cisco router that I cannot access. I want to do DHCP for those IPs with fixed addresses only on my part of the LAN, not to 0.1 also, and to block traffic from that Cisco router to the internal LAN that was not first initiated by my DHCP clients. There is also NO NAT.
I did that until now with a SUSE Linux server and a bridge between 2 ethernets, but it is more expensive to keep a server online than a MikroTik, which I thought could do the same thing.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need your help with RB750r2

Thu Nov 10, 2022 3:33 pm

As I wrote, the scenario you described requires a lot of hacking. If you follow scenario #1 above, but you want to run the DHCP server on the "LAN" side of the bridge, you have to introduce some very smart firewall rules to block any DHCP activity on the WAN side of the bridge.
You may want to re-think your decision to keep using "WAN" addresses on the LAN side of your router. If you can't trust the "WAN" subnet (and you don't, as it seems, or else you'd be using a simple switch instead) and you have to run a stateful firewall, then NAT is only a minor nuisance ... performance-wise it doesn't cause a large performance drop, as connection tracking (which is NAT's cornerstone) is already done because of the firewall ... then it's only the minor nuisance of configuring a few port forwards (but you have to deal with them one way or another if you want to have a decent firewall). And then NAT is already in the picture: 192.168.0.0/16 addresses are not publicly routable. Indeed you may not have to deal with NAT; your ISP does it for you right now.
If the 192.160.0.0/24 is all yours, then you can still use another IP subnet inside your LAN and configure a netmap type of NAT ... which creates a 1:1 mapping of the whole subnet (both src-address and dst-address properties must have the same net mask). That would ease NAT administration but make routing trivial.
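The following is an added example, not configuration posted by mkx or larrybml, showing what scenario #1 from the earlier reply looks like as RouterOS CLI: both ports bridged, HW offload off on the WAN port, bridged traffic pushed through the IP firewall with new connections from the WAN side dropped, and a DHCP server on the bridge fenced off from the WAN port with bridge (L2) filter rules as the last reply calls for. Interface roles (ether1 = WAN towards the Cisco at 192.168.0.1, ether2-ether5 = LAN), the router's own address 192.168.0.2, the pool range and the static-lease MAC are all assumptions made for the example.

```routeros
# Added example (not from the thread). RouterOS 6/7 syntax.
# Assumed roles: ether1 = WAN (Cisco gateway 192.168.0.1), ether2..ether5 = LAN.
# 192.168.0.2, the pool range and the MAC below are constructed values.

# 1. One L2 segment. hw=no on ether1 keeps WAN frames off the switch chip so
#    the CPU (and therefore the IP firewall) sees every WAN<->LAN packet.
/interface bridge
add name=bridge1 comment="WAN and LAN share 192.168.0.0/24"
/interface bridge port
add bridge=bridge1 interface=ether1 hw=no comment="WAN, software path only"
add bridge=bridge1 interface=ether2 comment="LAN"
add bridge=bridge1 interface=ether3 comment="LAN"
add bridge=bridge1 interface=ether4 comment="LAN"
add bridge=bridge1 interface=ether5 comment="LAN"

# 2. Bridged traffic must traverse /ip firewall filter chain=forward.
/interface bridge settings
set use-ip-firewall=yes

# 3. Router's own address and default route via the Cisco. No NAT anywhere.
/ip address
add address=192.168.0.2/24 interface=bridge1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1

# 4. Stateful policy: replies to LAN-initiated flows pass, anything the WAN
#    port tries to start towards the LAN ports is dropped. Unmatched traffic
#    (LAN->WAN, LAN<->LAN) falls through to the default accept.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-bridge-port=ether1 connection-state=new action=drop \
    comment="unsolicited WAN->LAN: drop"

# 5. DHCP server on the bridge for the LAN part of the /24 only; the Cisco's
#    address stays the gateway and is never in the pool.
/ip pool
add name=lan-pool ranges=192.168.0.100-192.168.0.199
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.1
/ip dhcp-server
add name=lan-dhcp interface=bridge1 address-pool=lan-pool lease-time=1h
/ip dhcp-server lease
add server=lan-dhcp address=192.168.0.50 mac-address=00:00:5E:00:53:01 \
    comment="fixed lease, placeholder MAC"

# 6. L2 fence: no DHCP (UDP 67/68) crosses ether1 in either direction, so
#    WAN hosts cannot use this server and a WAN-side DHCP cannot answer LAN.
/interface bridge filter
add chain=input   in-interface=ether1  mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=drop comment="WAN hosts may not query our DHCP"
add chain=output  out-interface=ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop comment="our DHCP replies never exit via WAN"
add chain=forward in-interface=ether1  mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop comment="foreign DHCP offers from WAN dropped"
add chain=forward out-interface=ether1 mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=drop comment="LAN discovers never leak to WAN"
```

The `in-bridge-port` matcher is what makes rule 4 work: with `use-ip-firewall=yes` the IP firewall sees `in-interface=bridge1` for every bridged packet, so the physical port has to be matched with `in-bridge-port`. Step 6 uses the bridge filter rather than the IP firewall because DHCP discovers are broadcasts that reach both the forward path and the router itself (the `input` chain); filtering only one of the two would still let the WAN side obtain a lease. A quick check after applying this is `/ip dhcp-server lease print` on the router and `/ip firewall filter print stats` to confirm the WAN drop counter rises when a host on ether1 tries to reach a LAN address.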
