telco <-> R1 <-> R2
R1 gets an IP from the telco router via dhcp on eth1. eth2-5 are bridged on 172.16.0.1/24 along with wlan1. There are two virtual wlans of 172.16.0.4/24 and 172.16.0.5/24 which are untrusted and don't need to access anything on 172.16.0.1/24 and vice-versa. eth5 is connected to R2 eth1.
R2 has a static IP of 172.16.0.2 on eth1. eth2 is connected to the trusted device (bob, now getting 172.16.100.2) on a bridge with wlan1 of R2 with address 172.16.100.0/24. There is a virtual wlan on another bridge on R2 with address 172.16.104.0/24 which only needs internet access and not access to any other subnet.
I have things mostly working. All the subnets have internet access and the untrusted subnets can't access any of the routers including the telco router or each other. The trusted devices on R2 are also able to access devices on the trusted subnet on R1. The problem is none of the trusted devices on R1 can access anything on R2. I can ping 172.16.0.2 from 172.16.0.1/24 obviously but not 172.16.100.1 or 172.16.100.2. I can only reach the router config on R2 from R1 if I use 172.16.0.2.
I first started putting R2 in bridge mode so that bob would get a 172.16.0.1/24 address which is ideal because I need samba access to it as well as some other port forwarding on R1. For some reason I could never get the virtual wlan with address 172.16.104.1/24 to access the internet in this configuration. I convinced myself this was impossible because I was trying to do L3 like routing on L2 bridges on R2. I realize switching to router behind router isn't ideal because of double-nat (not sure exacly why but I hear it all the time) and yes I realize vlan is sexy but I'm just looking for functionality at this point. I don't have the time or patients to convert both routers to vlans. I feel like what I have should work at this point but I seem to be missing some last detail. Here are the meaningful parts of the configs.
Code: Select all
R1 config:
# apr/29/2023 18:18:50 by RouterOS 6.33.3
# software id = 0S1K-08QJ
#
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
ether5-slave-local
set [ find default-name=ether6 ] master-port=ether2-master-local name=\
ether6-slave-local
/interface wireless manual-tx-power-table
set wlan1 comment="physical wireless interface and lan master"
/ip pool
add name=dhcp ranges=172.16.0.32-172.16.0.254
add name=guest-tv ranges=172.16.4.32-172.16.4.254
add name=guest-wireless ranges=172.16.5.2-172.16.5.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=\
3d10m name=default
add address-pool=guest-tv disabled=no interface=wlan-tv lease-time=15m \
name=guest-tv
add address-pool=guest-wireless disabled=no interface=wlan-guest \
lease-time=30m name=guest-wireless
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=172.16.0.1/24 comment="default configuration" interface=\
ether2-master-local network=172.16.0.0
add address=172.16.0.10/22 disabled=yes interface=ether1-gateway \
network=172.16.0.0
add address=172.16.4.1/24 interface=wlan-tv network=172.16.4.0
add address=172.16.5.1/24 interface=wlan-guest network=172.16.5.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid \
disabled=no interface=ether1-gateway use-peer-dns=no
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.0.1 \
netmask=24
add address=172.16.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.4.1 \
netmask=24
add address=172.16.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.5.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=172.16.1.1 name=router
/ip firewall address-list
add address=172.16.0.0/24 comment="home lan" list="internal trusted"
add address=172.16.4.0/24 comment="TVs and STB wireless" list=\
"untrusted devices"
add address=172.16.5.0/24 comment="guest wireless" list=\
"untrusted devices"
add address=172.16.104.0/24 comment="5G wifi on downstairs router" \
list="untrusted devices"
add address=172.16.100.0/24 comment="2nd router trusted" list=\
"internal trusted"
/ip firewall filter
add chain=input comment="default configuration - allow all icmp" \
disabled=yes protocol=icmp
add chain=input comment=\
"default configuration - accept established/related" \
connection-state=established,related log-prefix=in-esr
add action=drop chain=input comment="drop invalid connections" \
connection-state=invalid
add chain=input comment="accept from internal trusted to router - allow \
router config only from trusted devices" log-prefix="[cfg]" \
src-address-list="internal trusted"
add chain=input comment="accept from internal untrusted to router - don'\
t enable this or untrusted devices will have access to router config\
" disabled=yes src-address-list="untrusted devices"
add action=drop chain=input comment="drop all other input connections" \
log-prefix="[drop in]"
add action=fasttrack-connection chain=forward comment=\
"default configuration" connection-state=established,related
add chain=forward comment=\
"default configuration - accept established/related" \
connection-state=established,related
add action=drop chain=forward comment=\
"default configuration - drop invalid forward" connection-state=\
invalid
add chain=forward comment="accept internal trusted" log-prefix="[fwd]" \
out-interface=ether1-gateway src-address-list="internal trusted"
add chain=forward comment=\
"accept untrusted devices to everything on eth1-gateway but modem" \
dst-address=!192.168.100.1 out-interface=ether1-gateway \
src-address-list="untrusted devices"
add action=drop chain=forward comment=\
"drop all other forward connections" log-prefix="[drop fwd]"
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"default configuration ;; router nat to gateway" log-prefix="[NAT]" \
out-interface=ether1-gateway
/ip route
add disabled=yes distance=1 gateway=172.16.0.1
add distance=1 dst-address=172.16.100.0/24 gateway=ether5-slave-local \
pref-src=172.16.100.1
add disabled=yes distance=1 dst-address=172.16.104.0/24 gateway=\
ether5-slave-local
R2 config:
# apr/29/2023 18:43:56 by RouterOS 7.6
# software id = 1VR7-FHFT
/interface bridge
add comment=defconf name=bridge-local
add name=bridge-wlan1-tv
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp-local ranges=172.16.100.2-172.16.100.254
add name=dhcp-wlan1-tv ranges=172.16.104.2-172.16.104.254
/ip dhcp-server
add address-pool=dhcp-local authoritative=after-2sec-delay interface=bridge-local name=dhcp-local
add address-pool=dhcp-wlan1-tv interface=bridge-wlan1-tv name=dhcp-wlan1-tv
/interface bridge port
add bridge=bridge-local comment=defconf interface=ether2
add bridge=bridge-local comment=defconf interface=ether3
add bridge=bridge-local comment=defconf interface=ether4
add bridge=bridge-local comment=defconf interface=ether5
add bridge=bridge-local comment=defconf interface=ether6
add bridge=bridge-local comment=defconf interface=ether7
add bridge=bridge-local comment=defconf interface=ether8
add bridge=bridge-local comment=defconf interface=ether9
add bridge=bridge-local comment=defconf interface=ether10
add bridge=bridge-local comment=defconf interface=sfp-sfpplus1
add bridge=bridge-local comment=defconf interface=wlan1
add bridge=bridge-local comment=defconf interface=wlan2
add bridge=bridge-wlan1-tv interface=wlan1-tv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1-gateway list=WAN
add interface=bridge-wlan1-tv list=LAN
/ip address
add address=172.16.100.1/24 interface=bridge-local network=172.16.100.0
add address=172.16.104.1/24 interface=bridge-wlan1-tv network=172.16.104.0
add address=172.16.0.2/24 interface=ether1-gateway network=172.16.0.0
/ip dhcp-server network
add address=172.16.100.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=172.16.100.1 netmask=24
add address=172.16.104.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.104.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.100.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.0.0/24 list="trusted home LAN"
add address=172.16.104.0/24 comment="untrused wifi" list=wlan1-tv
add address=192.168.100.1 comment="telco router" list="restricted addresses"
add address=172.16.0.1 comment="upstairs router" list="restricted addresses"
add address=172.16.100.0/24 comment="2nd level trusted lan subnet" list="trusted home LAN"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log-prefix="[acc]"
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="only accept input from local bridge" in-interface=bridge-local
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=accept chain=input comment="accept from 1st level trusted lan" disabled=yes dst-address=172.16.100.0/24 src-address=172.16.0.0/24
add action=accept chain=input comment="allow trusted lan connections to this router config" dst-address-type=local in-interface-list=WAN log-prefix="[cfg]" src-address-list=\
"trusted home LAN"
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="forward local trusted" out-interface=ether1-gateway src-address-list="trusted home LAN"
add action=accept chain=forward comment="forward anything from untrusted wifi except to the telco router" dst-address-list="!restricted addresses" in-interface=bridge-wlan1-tv \
out-interface=ether1-gateway
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1 pref-src="" routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN